1 diff -urNp linux-2.6.38.1/arch/alpha/include/asm/dma-mapping.h linux-2.6.38.1/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.38.1/arch/alpha/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3 +++ linux-2.6.38.1/arch/alpha/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.38.1/arch/alpha/include/asm/elf.h linux-2.6.38.1/arch/alpha/include/asm/elf.h
17 --- linux-2.6.38.1/arch/alpha/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
18 +++ linux-2.6.38.1/arch/alpha/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.38.1/arch/alpha/include/asm/pgtable.h linux-2.6.38.1/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.38.1/arch/alpha/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
35 +++ linux-2.6.38.1/arch/alpha/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.38.1/arch/alpha/kernel/module.c linux-2.6.38.1/arch/alpha/kernel/module.c
55 --- linux-2.6.38.1/arch/alpha/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
56 +++ linux-2.6.38.1/arch/alpha/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
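Review bot: The comment above the new `gp` computation still says "the end of the segment", but the value is now anchored on `module_core_rw`/`core_size_rw`, so a reader can no longer tell which of the two split segments the small sections are expected to end in; suggest `/* The small sections were sorted to the end of the RW core segment. The following should definitely cover them. */`. Whether the layout code that sorts the small sections was updated to place them in the RW segment is not visible in this chunk; if it was not, `gp` would sit 0x8000 below the wrong segment end and every gp-relative relocation would be off. `apply_relocate_add` starts and ends outside the hunk.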
66 diff -urNp linux-2.6.38.1/arch/alpha/kernel/osf_sys.c linux-2.6.38.1/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.38.1/arch/alpha/kernel/osf_sys.c 2011-03-14 21:20:32.000000000 -0400
68 +++ linux-2.6.38.1/arch/alpha/kernel/osf_sys.c 2011-03-21 18:31:35.000000000 -0400
69 @@ -1162,7 +1162,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1198,6 +1198,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1205,8 +1209,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
100 diff -urNp linux-2.6.38.1/arch/alpha/kernel/pci_iommu.c linux-2.6.38.1/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.38.1/arch/alpha/kernel/pci_iommu.c 2011-03-14 21:20:32.000000000 -0400
102 +++ linux-2.6.38.1/arch/alpha/kernel/pci_iommu.c 2011-03-21 18:31:35.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.38.1/arch/alpha/kernel/pci-noop.c linux-2.6.38.1/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.38.1/arch/alpha/kernel/pci-noop.c 2011-03-14 21:20:32.000000000 -0400
121 +++ linux-2.6.38.1/arch/alpha/kernel/pci-noop.c 2011-03-21 18:31:35.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.38.1/arch/alpha/mm/fault.c linux-2.6.38.1/arch/alpha/mm/fault.c
141 --- linux-2.6.38.1/arch/alpha/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
142 +++ linux-2.6.38.1/arch/alpha/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
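Review bot: Every `get_user` in `pax_handle_fetch_fault` and `pax_report_insns` casts the user address to a plain kernel pointer (`(unsigned int *)regs->pc`, `(unsigned long *)addr`, `(unsigned int *)pc+i`), so sparse cannot check the address space; the ARM hunk of this same patch writes `(__force unsigned char __user *)`. Suggest `(unsigned int __user *)` / `(unsigned long __user *)` at lines 164–166, 180, 193–195, 217, 224–228 and 257. The lines between 166 and 171, after 180, and between 228 and 233 are not shown, so whether `err` is tested before the fetched words are compared and before `regs` is rewritten cannot be confirmed from this chunk; a one-line comment on each `do { } while (0)` block stating that it bails out on any failed read would make that contract visible to the reader.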
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
299 diff -urNp linux-2.6.38.1/arch/arm/include/asm/elf.h linux-2.6.38.1/arch/arm/include/asm/elf.h
300 --- linux-2.6.38.1/arch/arm/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
301 +++ linux-2.6.38.1/arch/arm/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
302 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
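Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` at lines 312–313 compare `current->personality` for equality with `PER_LINUX_32BIT`, so any additional personality flag bit set on the task (the field carries flags alongside the base personality) makes the test false and selects the 10-bit delta; the alpha hunk in this patch instead tests the `ADDR_LIMIT_32BIT` bit with `&`, which tolerates other flags. If that is the intended behaviour here too, use `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)`; the ia64 elf.h hunk (`== PER_LINUX32`, a base personality) has the same shape and would presumably want `personality(current->personality) == PER_LINUX32`. The reordered `ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)` (also in the avr32 hunk) carries no comment; suggest `/* divide first: 2 * TASK_SIZE can overflow unsigned long on 32-bit */`.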
318 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
326 extern int vectors_user_mapping(void);
327 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
328 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
329 diff -urNp linux-2.6.38.1/arch/arm/include/asm/kmap_types.h linux-2.6.38.1/arch/arm/include/asm/kmap_types.h
330 --- linux-2.6.38.1/arch/arm/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
331 +++ linux-2.6.38.1/arch/arm/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
332 @@ -21,6 +21,7 @@ enum km_type {
340 diff -urNp linux-2.6.38.1/arch/arm/include/asm/uaccess.h linux-2.6.38.1/arch/arm/include/asm/uaccess.h
341 --- linux-2.6.38.1/arch/arm/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
342 +++ linux-2.6.38.1/arch/arm/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
343 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
345 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
350 if (access_ok(VERIFY_READ, from, n))
351 n = __copy_from_user(to, from, n);
352 else /* security hole - plug it */
353 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
355 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
360 if (access_ok(VERIFY_WRITE, to, n))
361 n = __copy_to_user(to, from, n);
363 diff -urNp linux-2.6.38.1/arch/arm/kernel/kgdb.c linux-2.6.38.1/arch/arm/kernel/kgdb.c
364 --- linux-2.6.38.1/arch/arm/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
365 +++ linux-2.6.38.1/arch/arm/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
366 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
367 * and we handle the normal undef case within the do_undefinstr
370 -struct kgdb_arch arch_kgdb_ops = {
371 +const struct kgdb_arch arch_kgdb_ops = {
373 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
374 #else /* ! __ARMEB__ */
375 diff -urNp linux-2.6.38.1/arch/arm/kernel/process.c linux-2.6.38.1/arch/arm/kernel/process.c
376 --- linux-2.6.38.1/arch/arm/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
377 +++ linux-2.6.38.1/arch/arm/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
379 #include <linux/tick.h>
380 #include <linux/utsname.h>
381 #include <linux/uaccess.h>
382 -#include <linux/random.h>
383 #include <linux/hw_breakpoint.h>
385 #include <asm/cacheflush.h>
386 @@ -477,12 +476,6 @@ unsigned long get_wchan(struct task_stru
390 -unsigned long arch_randomize_brk(struct mm_struct *mm)
392 - unsigned long range_end = mm->brk + 0x02000000;
393 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
398 * The vectors page is always readable from user space for the
399 diff -urNp linux-2.6.38.1/arch/arm/mach-msm/last_radio_log.c linux-2.6.38.1/arch/arm/mach-msm/last_radio_log.c
400 --- linux-2.6.38.1/arch/arm/mach-msm/last_radio_log.c 2011-03-14 21:20:32.000000000 -0400
401 +++ linux-2.6.38.1/arch/arm/mach-msm/last_radio_log.c 2011-03-21 18:31:35.000000000 -0400
402 @@ -47,7 +47,7 @@ static ssize_t last_radio_log_read(struc
406 -static struct file_operations last_radio_log_fops = {
407 +static struct file_operations last_radio_log_fops = { /* cannot be const, see msm_init_last_radio_log */
408 .read = last_radio_log_read,
409 .llseek = default_llseek,
411 diff -urNp linux-2.6.38.1/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.38.1/arch/arm/mach-ux500/mbox-db5500.c
412 --- linux-2.6.38.1/arch/arm/mach-ux500/mbox-db5500.c 2011-03-14 21:20:32.000000000 -0400
413 +++ linux-2.6.38.1/arch/arm/mach-ux500/mbox-db5500.c 2011-03-21 18:31:35.000000000 -0400
414 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
415 return sprintf(buf, "0x%X\n", mbox_value);
418 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
419 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
421 static int mbox_show(struct seq_file *s, void *data)
423 diff -urNp linux-2.6.38.1/arch/arm/mm/fault.c linux-2.6.38.1/arch/arm/mm/fault.c
424 --- linux-2.6.38.1/arch/arm/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
425 +++ linux-2.6.38.1/arch/arm/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
426 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
430 +#ifdef CONFIG_PAX_PAGEEXEC
431 + if (fsr & FSR_LNX_PF) {
432 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
433 + do_group_exit(SIGKILL);
437 tsk->thread.address = addr;
438 tsk->thread.error_code = fsr;
439 tsk->thread.trap_no = 14;
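Review bot: The new PAGEEXEC check at lines 431–434 kills on every user prefetch abort (`fsr & FSR_LNX_PF`) without consulting the per-task flag, whereas the alpha and avr32 hunks in this patch first test `mm->pax_flags & MF_PAX_PAGEEXEC`; with this form a task whose PAGEEXEC was disabled per-process would still be SIGKILLed instead of receiving the normal SIGSEGV. If per-task opt-out is meant to apply on ARM as well, the condition should read `if ((tsk->mm->pax_flags & MF_PAX_PAGEEXEC) && (fsr & FSR_LNX_PF)) {`. `__do_user_fault` starts before the hunk, so whether an `mm` local is already in scope cannot be seen here; `tsk` is a parameter per the hunk header.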
440 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
442 #endif /* CONFIG_MMU */
444 +#ifdef CONFIG_PAX_PAGEEXEC
445 +void pax_report_insns(void *pc, void *sp)
449 + printk(KERN_ERR "PAX: bytes at PC: ");
450 + for (i = 0; i < 20; i++) {
452 + if (get_user(c, (__force unsigned char __user *)pc+i))
453 + printk(KERN_CONT "?? ");
455 + printk(KERN_CONT "%02x ", c);
459 + printk(KERN_ERR "PAX: bytes at SP-4: ");
460 + for (i = -1; i < 20; i++) {
462 + if (get_user(c, (__force unsigned long __user *)sp+i))
463 + printk(KERN_CONT "???????? ");
465 + printk(KERN_CONT "%08lx ", c);
472 * First Level Translation Fault Handler
474 diff -urNp linux-2.6.38.1/arch/arm/mm/mmap.c linux-2.6.38.1/arch/arm/mm/mmap.c
475 --- linux-2.6.38.1/arch/arm/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
476 +++ linux-2.6.38.1/arch/arm/mm/mmap.c 2011-03-21 18:31:35.000000000 -0400
477 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
481 +#ifdef CONFIG_PAX_RANDMMAP
482 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
487 addr = COLOUR_ALIGN(addr, pgoff);
488 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
489 addr = PAGE_ALIGN(addr);
491 vma = find_vma(mm, addr);
492 - if (TASK_SIZE - len >= addr &&
493 - (!vma || addr + len <= vma->vm_start))
494 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
497 if (len > mm->cached_hole_size) {
498 - start_addr = addr = mm->free_area_cache;
499 + start_addr = addr = mm->free_area_cache;
501 - start_addr = addr = TASK_UNMAPPED_BASE;
502 - mm->cached_hole_size = 0;
503 + start_addr = addr = mm->mmap_base;
504 + mm->cached_hole_size = 0;
506 /* 8 bits of randomness in 20 address space bits */
507 if (current->flags & PF_RANDOMIZE)
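Review bot: Lines 498/499 and 502/504 in this hunk appear to differ only in whitespace — the removed and added text is identical — which enlarges the hunk and buries the real changes (`TASK_UNMAPPED_BASE` → `mm->mmap_base` and the `check_heap_stack_gap` call) among no-op lines. Suggest dropping the whitespace-only changes here or moving them to a separate cleanup patch; the following hunk at `@@ -98,14 +101,14 @@` is already free of them. `arch_get_unmapped_area` continues outside the hunk.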
508 @@ -98,14 +101,14 @@ full_search:
509 * Start a new search - just in case we missed
512 - if (start_addr != TASK_UNMAPPED_BASE) {
513 - start_addr = addr = TASK_UNMAPPED_BASE;
514 + if (start_addr != mm->mmap_base) {
515 + start_addr = addr = mm->mmap_base;
516 mm->cached_hole_size = 0;
521 - if (!vma || addr + len <= vma->vm_start) {
522 + if (check_heap_stack_gap(vma, addr, len)) {
524 * Remember the place where we stopped the search:
526 diff -urNp linux-2.6.38.1/arch/avr32/include/asm/elf.h linux-2.6.38.1/arch/avr32/include/asm/elf.h
527 --- linux-2.6.38.1/arch/avr32/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
528 +++ linux-2.6.38.1/arch/avr32/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
529 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
530 the loader. We need to make sure that it is out of the way of the program
531 that it will "exec", and that there is sufficient room for the brk. */
533 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
534 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
536 +#ifdef CONFIG_PAX_ASLR
537 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
539 +#define PAX_DELTA_MMAP_LEN 15
540 +#define PAX_DELTA_STACK_LEN 15
543 /* This yields a mask that user programs can use to figure out what
544 instruction set this CPU supports. This could be done in user space,
545 diff -urNp linux-2.6.38.1/arch/avr32/include/asm/kmap_types.h linux-2.6.38.1/arch/avr32/include/asm/kmap_types.h
546 --- linux-2.6.38.1/arch/avr32/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
547 +++ linux-2.6.38.1/arch/avr32/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
548 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
558 diff -urNp linux-2.6.38.1/arch/avr32/mm/fault.c linux-2.6.38.1/arch/avr32/mm/fault.c
559 --- linux-2.6.38.1/arch/avr32/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
560 +++ linux-2.6.38.1/arch/avr32/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
561 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
563 int exception_trace = 1;
565 +#ifdef CONFIG_PAX_PAGEEXEC
566 +void pax_report_insns(void *pc, void *sp)
570 + printk(KERN_ERR "PAX: bytes at PC: ");
571 + for (i = 0; i < 20; i++) {
573 + if (get_user(c, (unsigned char *)pc+i))
574 + printk(KERN_CONT "???????? ");
576 + printk(KERN_CONT "%02x ", c);
583 * This routine handles page faults. It determines the address and the
584 * problem, and then passes it off to one of the appropriate routines.
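Review bot: In `pax_report_insns` the placeholder printed for an unreadable byte is `"???????? "` (eight characters) while a readable byte prints as `"%02x "` (two), so the PC dump misaligns as soon as one `get_user` fails; the ARM counterpart in this patch prints `"?? "`. Change line 574 to `printk(KERN_CONT "?? ");`. The cast `(unsigned char *)pc+i` also drops the `__user` annotation that the ARM version keeps with `(__force unsigned char __user *)`.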
585 @@ -156,6 +173,16 @@ bad_area:
586 up_read(&mm->mmap_sem);
588 if (user_mode(regs)) {
590 +#ifdef CONFIG_PAX_PAGEEXEC
591 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
592 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
593 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
594 + do_group_exit(SIGKILL);
599 if (exception_trace && printk_ratelimit())
600 printk("%s%s[%d]: segfault at %08lx pc %08lx "
601 "sp %08lx ecr %lu\n",
602 diff -urNp linux-2.6.38.1/arch/blackfin/kernel/kgdb.c linux-2.6.38.1/arch/blackfin/kernel/kgdb.c
603 --- linux-2.6.38.1/arch/blackfin/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
604 +++ linux-2.6.38.1/arch/blackfin/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
605 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
606 return -1; /* this means that we do not want to exit from the handler */
609 -struct kgdb_arch arch_kgdb_ops = {
610 +const struct kgdb_arch arch_kgdb_ops = {
611 .gdb_bpt_instr = {0xa1},
613 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
614 diff -urNp linux-2.6.38.1/arch/blackfin/mm/maccess.c linux-2.6.38.1/arch/blackfin/mm/maccess.c
615 --- linux-2.6.38.1/arch/blackfin/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
616 +++ linux-2.6.38.1/arch/blackfin/mm/maccess.c 2011-03-21 18:31:35.000000000 -0400
617 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
618 return bfin_mem_access_type(addr, size);
621 -long probe_kernel_read(void *dst, void *src, size_t size)
622 +long probe_kernel_read(void *dst, const void *src, size_t size)
624 unsigned long lsrc = (unsigned long)src;
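Review bot: `probe_kernel_read` now takes `const void *src`, which only compiles cleanly if the declaration the kernel-wide header provides (not in this chunk) carries the same qualifier; a `void *` versus `const void *` mismatch between declaration and definition is a conflicting-types error. Worth confirming the matching header change is part of the patch, or that the header already declares it `const`. The second hunk at `@@ -55,7 +55,7 @@` makes the same change to `probe_kernel_write`.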
626 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
630 -long probe_kernel_write(void *dst, void *src, size_t size)
631 +long probe_kernel_write(void *dst, const void *src, size_t size)
633 unsigned long ldst = (unsigned long)dst;
635 diff -urNp linux-2.6.38.1/arch/frv/include/asm/kmap_types.h linux-2.6.38.1/arch/frv/include/asm/kmap_types.h
636 --- linux-2.6.38.1/arch/frv/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
637 +++ linux-2.6.38.1/arch/frv/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
638 @@ -23,6 +23,7 @@ enum km_type {
646 diff -urNp linux-2.6.38.1/arch/frv/mm/elf-fdpic.c linux-2.6.38.1/arch/frv/mm/elf-fdpic.c
647 --- linux-2.6.38.1/arch/frv/mm/elf-fdpic.c 2011-03-14 21:20:32.000000000 -0400
648 +++ linux-2.6.38.1/arch/frv/mm/elf-fdpic.c 2011-03-21 18:31:35.000000000 -0400
649 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
651 addr = PAGE_ALIGN(addr);
652 vma = find_vma(current->mm, addr);
653 - if (TASK_SIZE - len >= addr &&
654 - (!vma || addr + len <= vma->vm_start))
655 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
659 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
660 for (; vma; vma = vma->vm_next) {
663 - if (addr + len <= vma->vm_start)
664 + if (check_heap_stack_gap(vma, addr, len))
668 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
669 for (; vma; vma = vma->vm_next) {
672 - if (addr + len <= vma->vm_start)
673 + if (check_heap_stack_gap(vma, addr, len))
677 diff -urNp linux-2.6.38.1/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.38.1/arch/ia64/hp/common/hwsw_iommu.c
678 --- linux-2.6.38.1/arch/ia64/hp/common/hwsw_iommu.c 2011-03-14 21:20:32.000000000 -0400
679 +++ linux-2.6.38.1/arch/ia64/hp/common/hwsw_iommu.c 2011-03-21 18:31:35.000000000 -0400
681 #include <linux/swiotlb.h>
682 #include <asm/machvec.h>
684 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
685 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
687 /* swiotlb declarations & definitions: */
688 extern int swiotlb_late_init_with_default_size (size_t size);
689 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
690 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
693 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
694 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
696 if (use_swiotlb(dev))
697 return &swiotlb_dma_ops;
698 diff -urNp linux-2.6.38.1/arch/ia64/hp/common/sba_iommu.c linux-2.6.38.1/arch/ia64/hp/common/sba_iommu.c
699 --- linux-2.6.38.1/arch/ia64/hp/common/sba_iommu.c 2011-03-14 21:20:32.000000000 -0400
700 +++ linux-2.6.38.1/arch/ia64/hp/common/sba_iommu.c 2011-03-21 18:31:35.000000000 -0400
701 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
705 -extern struct dma_map_ops swiotlb_dma_ops;
706 +extern const struct dma_map_ops swiotlb_dma_ops;
710 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
712 __setup("sbapagesize=",sba_page_override);
714 -struct dma_map_ops sba_dma_ops = {
715 +const struct dma_map_ops sba_dma_ops = {
716 .alloc_coherent = sba_alloc_coherent,
717 .free_coherent = sba_free_coherent,
718 .map_page = sba_map_page,
719 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/dma-mapping.h linux-2.6.38.1/arch/ia64/include/asm/dma-mapping.h
720 --- linux-2.6.38.1/arch/ia64/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
721 +++ linux-2.6.38.1/arch/ia64/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
724 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
726 -extern struct dma_map_ops *dma_ops;
727 +extern const struct dma_map_ops *dma_ops;
728 extern struct ia64_machine_vector ia64_mv;
729 extern void set_iommu_machvec(void);
731 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
732 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
733 dma_addr_t *daddr, gfp_t gfp)
735 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
736 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
739 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
740 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
741 static inline void dma_free_coherent(struct device *dev, size_t size,
742 void *caddr, dma_addr_t daddr)
744 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
745 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
746 debug_dma_free_coherent(dev, size, caddr, daddr);
747 ops->free_coherent(dev, size, caddr, daddr);
749 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
751 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
753 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
754 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
755 return ops->mapping_error(dev, daddr);
758 static inline int dma_supported(struct device *dev, u64 mask)
760 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
761 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
762 return ops->dma_supported(dev, mask);
765 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/elf.h linux-2.6.38.1/arch/ia64/include/asm/elf.h
766 --- linux-2.6.38.1/arch/ia64/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
767 +++ linux-2.6.38.1/arch/ia64/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
770 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
772 +#ifdef CONFIG_PAX_ASLR
773 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
775 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
776 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
779 #define PT_IA_64_UNWIND 0x70000001
781 /* IA-64 relocations: */
782 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/machvec.h linux-2.6.38.1/arch/ia64/include/asm/machvec.h
783 --- linux-2.6.38.1/arch/ia64/include/asm/machvec.h 2011-03-14 21:20:32.000000000 -0400
784 +++ linux-2.6.38.1/arch/ia64/include/asm/machvec.h 2011-03-21 18:31:35.000000000 -0400
785 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
786 /* DMA-mapping interface: */
787 typedef void ia64_mv_dma_init (void);
788 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
789 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
790 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
793 * WARNING: The legacy I/O space is _architected_. Platforms are
794 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
795 # endif /* CONFIG_IA64_GENERIC */
797 extern void swiotlb_dma_init(void);
798 -extern struct dma_map_ops *dma_get_ops(struct device *);
799 +extern const struct dma_map_ops *dma_get_ops(struct device *);
802 * Define default versions so we can extend machvec for new platforms without having
803 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/pgtable.h linux-2.6.38.1/arch/ia64/include/asm/pgtable.h
804 --- linux-2.6.38.1/arch/ia64/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
805 +++ linux-2.6.38.1/arch/ia64/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
807 * David Mosberger-Tang <davidm@hpl.hp.com>
811 +#include <linux/const.h>
812 #include <asm/mman.h>
813 #include <asm/page.h>
814 #include <asm/processor.h>
816 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
817 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
818 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
820 +#ifdef CONFIG_PAX_PAGEEXEC
821 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
822 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
823 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
825 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
826 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
827 +# define PAGE_COPY_NOEXEC PAGE_COPY
830 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
831 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
832 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
833 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/spinlock.h linux-2.6.38.1/arch/ia64/include/asm/spinlock.h
834 --- linux-2.6.38.1/arch/ia64/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
835 +++ linux-2.6.38.1/arch/ia64/include/asm/spinlock.h 2011-03-21 18:31:35.000000000 -0400
836 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
837 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
839 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
840 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
841 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
844 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
845 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/uaccess.h linux-2.6.38.1/arch/ia64/include/asm/uaccess.h
846 --- linux-2.6.38.1/arch/ia64/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
847 +++ linux-2.6.38.1/arch/ia64/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
848 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
849 const void *__cu_from = (from); \
850 long __cu_len = (n); \
852 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
853 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
854 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
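Review bot: The new length guard in `__copy_from_user` carries no comment explaining the (0, INT_MAX] bound, and when it fails the macro leaves `__cu_len` equal to `n` and returns it — for a negative `n` that is a negative "bytes not copied" count, which callers that only test for zero may not expect. Suggest a comment above the check, e.g. `/* refuse zero, negative or > INT_MAX lengths before __access_ok: a huge or negative length could presumably slip past the range check */`, and a look at whether the callers of these macros cope with a negative return. The same change appears in the second hunk at `@@ -269,7 +269,7 @@` and wants the same comment.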
857 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
858 long __cu_len = (n); \
860 __chk_user_ptr(__cu_from); \
861 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
862 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
863 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
866 diff -urNp linux-2.6.38.1/arch/ia64/kernel/dma-mapping.c linux-2.6.38.1/arch/ia64/kernel/dma-mapping.c
867 --- linux-2.6.38.1/arch/ia64/kernel/dma-mapping.c 2011-03-14 21:20:32.000000000 -0400
868 +++ linux-2.6.38.1/arch/ia64/kernel/dma-mapping.c 2011-03-21 18:31:35.000000000 -0400
870 /* Set this to 1 if there is a HW IOMMU in the system */
871 int iommu_detected __read_mostly;
873 -struct dma_map_ops *dma_ops;
874 +const struct dma_map_ops *dma_ops;
875 EXPORT_SYMBOL(dma_ops);
877 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
878 @@ -16,7 +16,7 @@ static int __init dma_init(void)
880 fs_initcall(dma_init);
882 -struct dma_map_ops *dma_get_ops(struct device *dev)
883 +const struct dma_map_ops *dma_get_ops(struct device *dev)
887 diff -urNp linux-2.6.38.1/arch/ia64/kernel/module.c linux-2.6.38.1/arch/ia64/kernel/module.c
888 --- linux-2.6.38.1/arch/ia64/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
889 +++ linux-2.6.38.1/arch/ia64/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
890 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
892 module_free (struct module *mod, void *module_region)
894 - if (mod && mod->arch.init_unw_table &&
895 - module_region == mod->module_init) {
896 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
897 unw_remove_unwind_table(mod->arch.init_unw_table);
898 mod->arch.init_unw_table = NULL;
900 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
904 +in_init_rx (const struct module *mod, uint64_t addr)
906 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
910 +in_init_rw (const struct module *mod, uint64_t addr)
912 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
916 in_init (const struct module *mod, uint64_t addr)
918 - return addr - (uint64_t) mod->module_init < mod->init_size;
919 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
923 +in_core_rx (const struct module *mod, uint64_t addr)
925 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
929 +in_core_rw (const struct module *mod, uint64_t addr)
931 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
935 in_core (const struct module *mod, uint64_t addr)
937 - return addr - (uint64_t) mod->module_core < mod->core_size;
938 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
942 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
946 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
947 + if (in_init_rx(mod, val))
948 + val -= (uint64_t) mod->module_init_rx;
949 + else if (in_init_rw(mod, val))
950 + val -= (uint64_t) mod->module_init_rw;
951 + else if (in_core_rx(mod, val))
952 + val -= (uint64_t) mod->module_core_rx;
953 + else if (in_core_rw(mod, val))
954 + val -= (uint64_t) mod->module_core_rw;
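Review bot: The replacement if/else chain in do_reloc has no terminal `else`, so a `val` that lies in none of the four regions is now silently left unadjusted, whereas the removed line always subtracted `module_core` for anything outside init. If that case is impossible the chain should say so in a comment; otherwise it deserves an explicit failure branch such as `else { printk(KERN_ERR "%s: address 0x%lx lies outside every module region\n", mod->name, val); return -ENOEXEC; }`, assuming do_reloc keeps an int/-ENOEXEC convention, which this excerpt does not show. do_reloc itself starts and ends outside the hunk.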
958 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
959 * addresses have been selected...
962 - if (mod->core_size > MAX_LTOFF)
963 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
965 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
966 * at the end of the module.
968 - gp = mod->core_size - MAX_LTOFF / 2;
969 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
971 - gp = mod->core_size / 2;
972 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
973 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
974 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
976 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
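Review bot: The gp placement now adds `core_size_rx + core_size_rw` to `module_core_rx` (lines 969-974) as if the two regions were one contiguous allocation, yet splitting the module core into separate rx and rw regions is exactly what the rest of this patch introduces. The surviving comment still says SHF_ARCH_SMALL data sits "at the end of the module", so unless the allocator places the rw region (where writable short data would live) directly after the rx region, the chosen gp may no longer be within MAX_LTOFF of the short-data sections; nothing in this hunk shows whether that adjacency is guaranteed. At minimum the assumption should be written down, e.g. `/* gp is computed as if rx and rw were contiguous; relies on the allocator placing rw right after rx */`, or gp should be derived from `module_core_rw` and `core_size_rw` alone. apply_relocate_add starts and ends outside the hunk.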
978 diff -urNp linux-2.6.38.1/arch/ia64/kernel/pci-dma.c linux-2.6.38.1/arch/ia64/kernel/pci-dma.c
979 --- linux-2.6.38.1/arch/ia64/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
980 +++ linux-2.6.38.1/arch/ia64/kernel/pci-dma.c 2011-03-21 18:31:35.000000000 -0400
981 @@ -43,7 +43,7 @@ struct device fallback_dev = {
982 .dma_mask = &fallback_dev.coherent_dma_mask,
985 -extern struct dma_map_ops intel_dma_ops;
986 +extern const struct dma_map_ops intel_dma_ops;
988 static int __init pci_iommu_init(void)
990 diff -urNp linux-2.6.38.1/arch/ia64/kernel/pci-swiotlb.c linux-2.6.38.1/arch/ia64/kernel/pci-swiotlb.c
991 --- linux-2.6.38.1/arch/ia64/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
992 +++ linux-2.6.38.1/arch/ia64/kernel/pci-swiotlb.c 2011-03-21 18:31:35.000000000 -0400
993 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
994 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
997 -struct dma_map_ops swiotlb_dma_ops = {
998 +const struct dma_map_ops swiotlb_dma_ops = {
999 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1000 .free_coherent = swiotlb_free_coherent,
1001 .map_page = swiotlb_map_page,
1002 diff -urNp linux-2.6.38.1/arch/ia64/kernel/sys_ia64.c linux-2.6.38.1/arch/ia64/kernel/sys_ia64.c
1003 --- linux-2.6.38.1/arch/ia64/kernel/sys_ia64.c 2011-03-14 21:20:32.000000000 -0400
1004 +++ linux-2.6.38.1/arch/ia64/kernel/sys_ia64.c 2011-03-21 18:31:35.000000000 -0400
1005 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1006 if (REGION_NUMBER(addr) == RGN_HPAGE)
1010 +#ifdef CONFIG_PAX_RANDMMAP
1011 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1012 + addr = mm->free_area_cache;
1017 addr = mm->free_area_cache;
1019 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1020 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1021 /* At this point: (!vma || addr < vma->vm_end). */
1022 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1023 - if (start_addr != TASK_UNMAPPED_BASE) {
1024 + if (start_addr != mm->mmap_base) {
1025 /* Start a new search --- just in case we missed some holes. */
1026 - addr = TASK_UNMAPPED_BASE;
1027 + addr = mm->mmap_base;
1032 - if (!vma || addr + len <= vma->vm_start) {
1033 + if (check_heap_stack_gap(vma, addr, len)) {
1034 /* Remember the address where we stopped this search: */
1035 mm->free_area_cache = addr + len;
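Review bot: `check_heap_stack_gap(vma, addr, len)` replaces the inline `!vma || addr + len <= vma->vm_start` test here, in the hugetlbpage.c @@ -171 hunk and in both mips syscall.c hunks, but its definition is not part of this excerpt, so it must be confirmed that it returns true for a NULL vma exactly as the replaced expression did — `find_vma` in the loop above returns NULL once the search runs past the last mapping. Because the helper presumably enforces a wider condition than the plain overlap check (a guard gap toward an adjacent heap or stack), a short note at the call site such as `/* overlap test plus guard gap from adjacent stack/heap; see check_heap_stack_gap() */` would tell readers why the simple test went away.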
1037 diff -urNp linux-2.6.38.1/arch/ia64/kernel/vmlinux.lds.S linux-2.6.38.1/arch/ia64/kernel/vmlinux.lds.S
1038 --- linux-2.6.38.1/arch/ia64/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
1039 +++ linux-2.6.38.1/arch/ia64/kernel/vmlinux.lds.S 2011-03-21 18:31:35.000000000 -0400
1040 @@ -199,7 +199,7 @@ SECTIONS {
1042 . = ALIGN(PERCPU_PAGE_SIZE);
1043 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1044 - __phys_per_cpu_start = __per_cpu_load;
1045 + __phys_per_cpu_start = per_cpu_load;
1047 * ensure percpu data fits
1048 * into percpu page size
1049 diff -urNp linux-2.6.38.1/arch/ia64/mm/fault.c linux-2.6.38.1/arch/ia64/mm/fault.c
1050 --- linux-2.6.38.1/arch/ia64/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1051 +++ linux-2.6.38.1/arch/ia64/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
1052 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1053 return pte_present(pte);
1056 +#ifdef CONFIG_PAX_PAGEEXEC
1057 +void pax_report_insns(void *pc, void *sp)
1061 + printk(KERN_ERR "PAX: bytes at PC: ");
1062 + for (i = 0; i < 8; i++) {
1064 + if (get_user(c, (unsigned int *)pc+i))
1065 + printk(KERN_CONT "???????? ");
1067 + printk(KERN_CONT "%08x ", c);
1074 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
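Review bot: In the new pax_report_insns the user pointer is cast as `(unsigned int *)pc+i` before being passed to `get_user`, dropping the `__user` address-space annotation that sparse checks; the same cast appears in the mips/mm/fault.c hunk further down. Writing it as `(unsigned int __user *)pc + i` keeps the annotation and makes it explicit that userspace text at the faulting PC is being read. The loop's declarations and the trailing printk are not visible in this excerpt, and the function lacks a header comment; something like `/* diagnostic only: dump the instruction words at the faulting PC for the PAX report, printing ???????? where the read faults */` would do.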
1076 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1077 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1078 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1080 - if ((vma->vm_flags & mask) != mask)
1081 + if ((vma->vm_flags & mask) != mask) {
1083 +#ifdef CONFIG_PAX_PAGEEXEC
1084 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1085 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1088 + up_read(&mm->mmap_sem);
1089 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1090 + do_group_exit(SIGKILL);
1099 * If for any reason at all we couldn't handle the fault, make
1100 * sure we exit gracefully rather than endlessly redo the
1101 diff -urNp linux-2.6.38.1/arch/ia64/mm/hugetlbpage.c linux-2.6.38.1/arch/ia64/mm/hugetlbpage.c
1102 --- linux-2.6.38.1/arch/ia64/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
1103 +++ linux-2.6.38.1/arch/ia64/mm/hugetlbpage.c 2011-03-21 18:31:35.000000000 -0400
1104 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1105 /* At this point: (!vmm || addr < vmm->vm_end). */
1106 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1108 - if (!vmm || (addr + len) <= vmm->vm_start)
1109 + if (check_heap_stack_gap(vmm, addr, len))
1111 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1113 diff -urNp linux-2.6.38.1/arch/ia64/mm/init.c linux-2.6.38.1/arch/ia64/mm/init.c
1114 --- linux-2.6.38.1/arch/ia64/mm/init.c 2011-03-14 21:20:32.000000000 -0400
1115 +++ linux-2.6.38.1/arch/ia64/mm/init.c 2011-03-21 18:31:35.000000000 -0400
1116 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1117 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1118 vma->vm_end = vma->vm_start + PAGE_SIZE;
1119 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1121 +#ifdef CONFIG_PAX_PAGEEXEC
1122 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1123 + vma->vm_flags &= ~VM_EXEC;
1125 +#ifdef CONFIG_PAX_MPROTECT
1126 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1127 + vma->vm_flags &= ~VM_MAYEXEC;
1133 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1134 down_write(¤t->mm->mmap_sem);
1135 if (insert_vm_struct(current->mm, vma)) {
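Review bot: The new CONFIG_PAX_PAGEEXEC block in ia64_init_addr_space clears VM_EXEC (and VM_MAYEXEC under CONFIG_PAX_MPROTECT) on the vma built around `rbs_bot` without saying why that mapping is safe to make non-executable; the ordering is right, since `vm_get_page_prot(vma->vm_flags)` on the following line derives the page protection only after the flags are adjusted. A comment such as `/* the register backing store holds spilled register frames, not code: deny exec under PAGEEXEC and, under MPROTECT, forbid ever regaining it */` would document the intent. The closing braces and #endif lines of the block are not visible in this excerpt.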
1136 diff -urNp linux-2.6.38.1/arch/ia64/sn/pci/pci_dma.c linux-2.6.38.1/arch/ia64/sn/pci/pci_dma.c
1137 --- linux-2.6.38.1/arch/ia64/sn/pci/pci_dma.c 2011-03-14 21:20:32.000000000 -0400
1138 +++ linux-2.6.38.1/arch/ia64/sn/pci/pci_dma.c 2011-03-21 18:31:35.000000000 -0400
1139 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1143 -static struct dma_map_ops sn_dma_ops = {
1144 +static const struct dma_map_ops sn_dma_ops = {
1145 .alloc_coherent = sn_dma_alloc_coherent,
1146 .free_coherent = sn_dma_free_coherent,
1147 .map_page = sn_dma_map_page,
1148 diff -urNp linux-2.6.38.1/arch/m32r/lib/usercopy.c linux-2.6.38.1/arch/m32r/lib/usercopy.c
1149 --- linux-2.6.38.1/arch/m32r/lib/usercopy.c 2011-03-14 21:20:32.000000000 -0400
1150 +++ linux-2.6.38.1/arch/m32r/lib/usercopy.c 2011-03-21 18:31:35.000000000 -0400
1153 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1159 if (access_ok(VERIFY_WRITE, to, n))
1160 __copy_user(to,from,n);
1161 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1163 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1169 if (access_ok(VERIFY_READ, from, n))
1170 __copy_user_zeroing(to,from,n);
1171 diff -urNp linux-2.6.38.1/arch/microblaze/include/asm/device.h linux-2.6.38.1/arch/microblaze/include/asm/device.h
1172 --- linux-2.6.38.1/arch/microblaze/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1173 +++ linux-2.6.38.1/arch/microblaze/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
1174 @@ -13,7 +13,7 @@ struct device_node;
1176 struct dev_archdata {
1177 /* DMA operations on that device */
1178 - struct dma_map_ops *dma_ops;
1179 + const struct dma_map_ops *dma_ops;
1183 diff -urNp linux-2.6.38.1/arch/microblaze/include/asm/dma-mapping.h linux-2.6.38.1/arch/microblaze/include/asm/dma-mapping.h
1184 --- linux-2.6.38.1/arch/microblaze/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1185 +++ linux-2.6.38.1/arch/microblaze/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
1186 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1187 return 0xfffffffful;
1190 -extern struct dma_map_ops *dma_ops;
1191 +extern const struct dma_map_ops *dma_ops;
1194 * Available generic sets of operations
1196 -extern struct dma_map_ops dma_direct_ops;
1197 +extern const struct dma_map_ops dma_direct_ops;
1199 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1200 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1202 /* We don't handle the NULL dev case for ISA for now. We could
1203 * do it via an out of line call but it is not needed for now. The
1204 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1205 return dev->archdata.dma_ops;
1208 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1209 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1211 dev->archdata.dma_ops = ops;
1214 static inline int dma_supported(struct device *dev, u64 mask)
1216 - struct dma_map_ops *ops = get_dma_ops(dev);
1217 + const struct dma_map_ops *ops = get_dma_ops(dev);
1221 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1223 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1225 - struct dma_map_ops *ops = get_dma_ops(dev);
1226 + const struct dma_map_ops *ops = get_dma_ops(dev);
1228 if (unlikely(ops == NULL))
1230 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1232 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1234 - struct dma_map_ops *ops = get_dma_ops(dev);
1235 + const struct dma_map_ops *ops = get_dma_ops(dev);
1236 if (ops->mapping_error)
1237 return ops->mapping_error(dev, dma_addr);
1239 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1240 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1241 dma_addr_t *dma_handle, gfp_t flag)
1243 - struct dma_map_ops *ops = get_dma_ops(dev);
1244 + const struct dma_map_ops *ops = get_dma_ops(dev);
1248 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1249 static inline void dma_free_coherent(struct device *dev, size_t size,
1250 void *cpu_addr, dma_addr_t dma_handle)
1252 - struct dma_map_ops *ops = get_dma_ops(dev);
1253 + const struct dma_map_ops *ops = get_dma_ops(dev);
1256 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1257 diff -urNp linux-2.6.38.1/arch/microblaze/include/asm/pci.h linux-2.6.38.1/arch/microblaze/include/asm/pci.h
1258 --- linux-2.6.38.1/arch/microblaze/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
1259 +++ linux-2.6.38.1/arch/microblaze/include/asm/pci.h 2011-03-21 18:31:35.000000000 -0400
1260 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1264 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1265 -extern struct dma_map_ops *get_pci_dma_ops(void);
1266 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1267 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1268 #else /* CONFIG_PCI */
1269 #define set_pci_dma_ops(d)
1270 #define get_pci_dma_ops() NULL
1271 diff -urNp linux-2.6.38.1/arch/microblaze/kernel/dma.c linux-2.6.38.1/arch/microblaze/kernel/dma.c
1272 --- linux-2.6.38.1/arch/microblaze/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
1273 +++ linux-2.6.38.1/arch/microblaze/kernel/dma.c 2011-03-21 18:31:35.000000000 -0400
1274 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1275 __dma_sync_page(dma_address, 0 , size, direction);
1278 -struct dma_map_ops dma_direct_ops = {
1279 +const struct dma_map_ops dma_direct_ops = {
1280 .alloc_coherent = dma_direct_alloc_coherent,
1281 .free_coherent = dma_direct_free_coherent,
1282 .map_sg = dma_direct_map_sg,
1283 diff -urNp linux-2.6.38.1/arch/microblaze/kernel/kgdb.c linux-2.6.38.1/arch/microblaze/kernel/kgdb.c
1284 --- linux-2.6.38.1/arch/microblaze/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1285 +++ linux-2.6.38.1/arch/microblaze/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
1286 @@ -141,10 +141,11 @@ void kgdb_arch_exit(void)
1290 -struct kgdb_arch arch_kgdb_ops = {
1291 +const struct kgdb_arch arch_kgdb_ops = {
1292 #ifdef __MICROBLAZEEL__
1293 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1296 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1299 diff -urNp linux-2.6.38.1/arch/microblaze/pci/pci-common.c linux-2.6.38.1/arch/microblaze/pci/pci-common.c
1300 --- linux-2.6.38.1/arch/microblaze/pci/pci-common.c 2011-03-14 21:20:32.000000000 -0400
1301 +++ linux-2.6.38.1/arch/microblaze/pci/pci-common.c 2011-03-21 18:31:35.000000000 -0400
1302 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1303 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1304 unsigned int pci_flags;
1306 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1307 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1309 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1310 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1312 pci_dma_ops = dma_ops;
1315 -struct dma_map_ops *get_pci_dma_ops(void)
1316 +const struct dma_map_ops *get_pci_dma_ops(void)
1320 diff -urNp linux-2.6.38.1/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.38.1/arch/mips/cavium-octeon/dma-octeon.c
1321 --- linux-2.6.38.1/arch/mips/cavium-octeon/dma-octeon.c 2011-03-14 21:20:32.000000000 -0400
1322 +++ linux-2.6.38.1/arch/mips/cavium-octeon/dma-octeon.c 2011-03-21 18:31:35.000000000 -0400
1323 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1326 struct octeon_dma_map_ops {
1327 - struct dma_map_ops dma_map_ops;
1328 + const struct dma_map_ops dma_map_ops;
1329 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
1330 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
1332 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
1336 -struct dma_map_ops *octeon_pci_dma_map_ops;
1337 +const struct dma_map_ops *octeon_pci_dma_map_ops;
1339 void __init octeon_pci_dma_init(void)
1341 diff -urNp linux-2.6.38.1/arch/mips/include/asm/device.h linux-2.6.38.1/arch/mips/include/asm/device.h
1342 --- linux-2.6.38.1/arch/mips/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1343 +++ linux-2.6.38.1/arch/mips/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
1344 @@ -10,7 +10,7 @@ struct dma_map_ops;
1346 struct dev_archdata {
1347 /* DMA operations on that device */
1348 - struct dma_map_ops *dma_ops;
1349 + const struct dma_map_ops *dma_ops;
1352 struct pdev_archdata {
1353 diff -urNp linux-2.6.38.1/arch/mips/include/asm/dma-mapping.h linux-2.6.38.1/arch/mips/include/asm/dma-mapping.h
1354 --- linux-2.6.38.1/arch/mips/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1355 +++ linux-2.6.38.1/arch/mips/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
1358 #include <dma-coherence.h>
1360 -extern struct dma_map_ops *mips_dma_map_ops;
1361 +extern const struct dma_map_ops *mips_dma_map_ops;
1363 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1364 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1366 if (dev && dev->archdata.dma_ops)
1367 return dev->archdata.dma_ops;
1368 @@ -31,13 +31,13 @@ static inline void dma_mark_clean(void *
1370 static inline int dma_supported(struct device *dev, u64 mask)
1372 - struct dma_map_ops *ops = get_dma_ops(dev);
1373 + const struct dma_map_ops *ops = get_dma_ops(dev);
1374 return ops->dma_supported(dev, mask);
1377 static inline int dma_mapping_error(struct device *dev, u64 mask)
1379 - struct dma_map_ops *ops = get_dma_ops(dev);
1380 + const struct dma_map_ops *ops = get_dma_ops(dev);
1381 return ops->mapping_error(dev, mask);
1384 @@ -59,7 +59,7 @@ static inline void *dma_alloc_coherent(s
1385 dma_addr_t *dma_handle, gfp_t gfp)
1388 - struct dma_map_ops *ops = get_dma_ops(dev);
1389 + const struct dma_map_ops *ops = get_dma_ops(dev);
1391 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
1393 @@ -71,7 +71,7 @@ static inline void *dma_alloc_coherent(s
1394 static inline void dma_free_coherent(struct device *dev, size_t size,
1395 void *vaddr, dma_addr_t dma_handle)
1397 - struct dma_map_ops *ops = get_dma_ops(dev);
1398 + const struct dma_map_ops *ops = get_dma_ops(dev);
1400 ops->free_coherent(dev, size, vaddr, dma_handle);
1402 diff -urNp linux-2.6.38.1/arch/mips/include/asm/elf.h linux-2.6.38.1/arch/mips/include/asm/elf.h
1403 --- linux-2.6.38.1/arch/mips/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1404 +++ linux-2.6.38.1/arch/mips/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
1405 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1406 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1409 +#ifdef CONFIG_PAX_ASLR
1410 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1412 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1413 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1416 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1417 struct linux_binprm;
1418 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1422 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1423 -#define arch_randomize_brk arch_randomize_brk
1425 #endif /* _ASM_ELF_H */
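Review bot: `PAX_ELF_ET_DYN_BASE` at line 1410 is a ternary whose two arms are the identical constant `0x00400000UL`, so `test_thread_flag(TIF_32BIT_ADDR)` is evaluated for nothing; the same definition is copied into the binfmt_elfn32.c and binfmt_elfo32.c hunks below. Either one arm is a typo for a different 64-bit base (the neighbouring PAX_DELTA_* macros do distinguish the two address modes) or the conditional should collapse to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. A reader cannot tell which from the hunk, so please either correct the arm or add a comment stating that the base is deliberately the same in both modes.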
1426 diff -urNp linux-2.6.38.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.38.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
1427 --- linux-2.6.38.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-03-14 21:20:32.000000000 -0400
1428 +++ linux-2.6.38.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-03-21 18:31:35.000000000 -0400
1429 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
1430 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
1433 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
1434 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
1435 extern char *octeon_swiotlb;
1437 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
1438 diff -urNp linux-2.6.38.1/arch/mips/include/asm/page.h linux-2.6.38.1/arch/mips/include/asm/page.h
1439 --- linux-2.6.38.1/arch/mips/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
1440 +++ linux-2.6.38.1/arch/mips/include/asm/page.h 2011-03-21 18:31:35.000000000 -0400
1441 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1442 #ifdef CONFIG_CPU_MIPS32
1443 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1444 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1445 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1446 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1448 typedef struct { unsigned long long pte; } pte_t;
1449 #define pte_val(x) ((x).pte)
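Review bot: Dropping the `(unsigned long long)` cast from the CONFIG_CPU_MIPS32 `__pte(x)` makes `(x) >> 32` depend on the argument's type: when a caller passes a 32-bit `unsigned long`, the shift count equals the type width, which is undefined behaviour in C and draws a shift-count warning from gcc, whereas the old form promoted first and yielded 0 for the high word. Unless every caller is known to pass an `unsigned long long` (pte_val's own type), the cast should stay, or the macro should take the high word through a 64-bit temporary: `({ unsigned long long __v = (x); pte_t __pte = {__v, __v >> 32}; __pte; })`. If the cast was removed to silence a different warning, a comment saying so would help the next reader.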
1450 diff -urNp linux-2.6.38.1/arch/mips/include/asm/system.h linux-2.6.38.1/arch/mips/include/asm/system.h
1451 --- linux-2.6.38.1/arch/mips/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
1452 +++ linux-2.6.38.1/arch/mips/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
1454 #include <asm/dsp.h>
1455 #include <asm/watch.h>
1456 #include <asm/war.h>
1457 +#include <asm/asm.h>
1461 @@ -230,6 +231,6 @@ extern void per_cpu_trap_init(void);
1463 #define __ARCH_WANT_UNLOCKED_CTXSW
1465 -extern unsigned long arch_align_stack(unsigned long sp);
1466 +#define arch_align_stack(x) ((x) & ALMASK)
1468 #endif /* _ASM_SYSTEM_H */
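Review bot: Redefining `arch_align_stack(x)` as the plain mask `((x) & ALMASK)` drops the sub-page random offset that the removed process.c implementation applied when `randomize_va_space` was set and `ADDR_NO_RANDOMIZE` was clear, and the elf.h and syscall.c hunks likewise remove `arch_randomize_brk`. If the intent is that PaX's own CONFIG_PAX_RANDMMAP/CONFIG_PAX_ASLR logic supersedes these, nothing in this excerpt shows the replacement, so a kernel built without those options would lose the stack-offset and brk randomization MIPS had before. A comment at the new macro, e.g. `/* stack offset randomization is provided by PaX ASLR (PAX_DELTA_STACK_LEN); no per-call jitter here */`, or a `#ifdef CONFIG_PAX_ASLR` guard that keeps the old behaviour otherwise, would make the trade-off explicit.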
1469 diff -urNp linux-2.6.38.1/arch/mips/kernel/binfmt_elfn32.c linux-2.6.38.1/arch/mips/kernel/binfmt_elfn32.c
1470 --- linux-2.6.38.1/arch/mips/kernel/binfmt_elfn32.c 2011-03-14 21:20:32.000000000 -0400
1471 +++ linux-2.6.38.1/arch/mips/kernel/binfmt_elfn32.c 2011-03-21 18:31:35.000000000 -0400
1472 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1473 #undef ELF_ET_DYN_BASE
1474 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1476 +#ifdef CONFIG_PAX_ASLR
1477 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1479 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1480 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1483 #include <asm/processor.h>
1484 #include <linux/module.h>
1485 #include <linux/elfcore.h>
1486 diff -urNp linux-2.6.38.1/arch/mips/kernel/binfmt_elfo32.c linux-2.6.38.1/arch/mips/kernel/binfmt_elfo32.c
1487 --- linux-2.6.38.1/arch/mips/kernel/binfmt_elfo32.c 2011-03-14 21:20:32.000000000 -0400
1488 +++ linux-2.6.38.1/arch/mips/kernel/binfmt_elfo32.c 2011-03-21 18:31:35.000000000 -0400
1489 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1490 #undef ELF_ET_DYN_BASE
1491 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1493 +#ifdef CONFIG_PAX_ASLR
1494 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1496 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1497 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1500 #include <asm/processor.h>
1503 diff -urNp linux-2.6.38.1/arch/mips/kernel/kgdb.c linux-2.6.38.1/arch/mips/kernel/kgdb.c
1504 --- linux-2.6.38.1/arch/mips/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1505 +++ linux-2.6.38.1/arch/mips/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
1506 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1510 -struct kgdb_arch arch_kgdb_ops;
1511 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
1514 * We use kgdb_early_setup so that functions we need to call now don't
1515 diff -urNp linux-2.6.38.1/arch/mips/kernel/process.c linux-2.6.38.1/arch/mips/kernel/process.c
1516 --- linux-2.6.38.1/arch/mips/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
1517 +++ linux-2.6.38.1/arch/mips/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
1518 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1524 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1525 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1527 -unsigned long arch_align_stack(unsigned long sp)
1529 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1530 - sp -= get_random_int() & ~PAGE_MASK;
1532 - return sp & ALMASK;
1534 diff -urNp linux-2.6.38.1/arch/mips/kernel/syscall.c linux-2.6.38.1/arch/mips/kernel/syscall.c
1535 --- linux-2.6.38.1/arch/mips/kernel/syscall.c 2011-03-14 21:20:32.000000000 -0400
1536 +++ linux-2.6.38.1/arch/mips/kernel/syscall.c 2011-03-21 18:31:35.000000000 -0400
1537 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1539 if (filp || (flags & MAP_SHARED))
1542 +#ifdef CONFIG_PAX_RANDMMAP
1543 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1548 addr = COLOUR_ALIGN(addr, pgoff);
1550 addr = PAGE_ALIGN(addr);
1551 vmm = find_vma(current->mm, addr);
1552 - if (task_size - len >= addr &&
1553 - (!vmm || addr + len <= vmm->vm_start))
1554 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1557 addr = current->mm->mmap_base;
1558 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1559 /* At this point: (!vmm || addr < vmm->vm_end). */
1560 if (task_size - len < addr)
1562 - if (!vmm || addr + len <= vmm->vm_start)
1563 + if (check_heap_stack_gap(vmm, addr, len))
1567 @@ -168,19 +172,6 @@ static inline unsigned long brk_rnd(void
1571 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1573 - unsigned long base = mm->brk;
1574 - unsigned long ret;
1576 - ret = PAGE_ALIGN(base + brk_rnd());
1578 - if (ret < mm->brk)
1584 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1585 unsigned long, prot, unsigned long, flags, unsigned long,
1587 diff -urNp linux-2.6.38.1/arch/mips/mm/dma-default.c linux-2.6.38.1/arch/mips/mm/dma-default.c
1588 --- linux-2.6.38.1/arch/mips/mm/dma-default.c 2011-03-14 21:20:32.000000000 -0400
1589 +++ linux-2.6.38.1/arch/mips/mm/dma-default.c 2011-03-21 18:31:35.000000000 -0400
1590 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
1592 EXPORT_SYMBOL(dma_cache_sync);
1594 -static struct dma_map_ops mips_default_dma_map_ops = {
1595 +static const struct dma_map_ops mips_default_dma_map_ops = {
1596 .alloc_coherent = mips_dma_alloc_coherent,
1597 .free_coherent = mips_dma_free_coherent,
1598 .map_page = mips_dma_map_page,
1599 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
1600 .dma_supported = mips_dma_supported
1603 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1604 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1605 EXPORT_SYMBOL(mips_dma_map_ops);
1607 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1608 diff -urNp linux-2.6.38.1/arch/mips/mm/fault.c linux-2.6.38.1/arch/mips/mm/fault.c
1609 --- linux-2.6.38.1/arch/mips/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1610 +++ linux-2.6.38.1/arch/mips/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
1612 #include <asm/highmem.h> /* For VMALLOC_END */
1613 #include <linux/kdebug.h>
1615 +#ifdef CONFIG_PAX_PAGEEXEC
1616 +void pax_report_insns(void *pc, void *sp)
1620 + printk(KERN_ERR "PAX: bytes at PC: ");
1621 + for (i = 0; i < 5; i++) {
1623 + if (get_user(c, (unsigned int *)pc+i))
1624 + printk(KERN_CONT "???????? ");
1626 + printk(KERN_CONT "%08x ", c);
1633 * This routine handles page faults. It determines the address,
1634 * and the problem, and then passes it off to one of the appropriate
1635 diff -urNp linux-2.6.38.1/arch/parisc/include/asm/elf.h linux-2.6.38.1/arch/parisc/include/asm/elf.h
1636 --- linux-2.6.38.1/arch/parisc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1637 +++ linux-2.6.38.1/arch/parisc/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
1638 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1640 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1642 +#ifdef CONFIG_PAX_ASLR
1643 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1645 +#define PAX_DELTA_MMAP_LEN 16
1646 +#define PAX_DELTA_STACK_LEN 16
1649 /* This yields a mask that user programs can use to figure out what
1650 instruction set this CPU supports. This could be done in user space,
1651 but it's not easy, and we've already done it here. */
1652 diff -urNp linux-2.6.38.1/arch/parisc/include/asm/pgtable.h linux-2.6.38.1/arch/parisc/include/asm/pgtable.h
1653 --- linux-2.6.38.1/arch/parisc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
1654 +++ linux-2.6.38.1/arch/parisc/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
1655 @@ -209,6 +209,17 @@ struct vm_area_struct;
1656 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1657 #define PAGE_COPY PAGE_EXECREAD
1658 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1660 +#ifdef CONFIG_PAX_PAGEEXEC
1661 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1662 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1663 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1665 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1666 +# define PAGE_COPY_NOEXEC PAGE_COPY
1667 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1670 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1671 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1672 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1673 diff -urNp linux-2.6.38.1/arch/parisc/kernel/module.c linux-2.6.38.1/arch/parisc/kernel/module.c
1674 --- linux-2.6.38.1/arch/parisc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
1675 +++ linux-2.6.38.1/arch/parisc/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
1678 /* three functions to determine where in the module core
1679 * or init pieces the location is */
1680 +static inline int in_init_rx(struct module *me, void *loc)
1682 + return (loc >= me->module_init_rx &&
1683 + loc < (me->module_init_rx + me->init_size_rx));
1686 +static inline int in_init_rw(struct module *me, void *loc)
1688 + return (loc >= me->module_init_rw &&
1689 + loc < (me->module_init_rw + me->init_size_rw));
1692 static inline int in_init(struct module *me, void *loc)
1694 - return (loc >= me->module_init &&
1695 - loc <= (me->module_init + me->init_size));
1696 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1699 +static inline int in_core_rx(struct module *me, void *loc)
1701 + return (loc >= me->module_core_rx &&
1702 + loc < (me->module_core_rx + me->core_size_rx));
1705 +static inline int in_core_rw(struct module *me, void *loc)
1707 + return (loc >= me->module_core_rw &&
1708 + loc < (me->module_core_rw + me->core_size_rw));
1711 static inline int in_core(struct module *me, void *loc)
1713 - return (loc >= me->module_core &&
1714 - loc <= (me->module_core + me->core_size));
1715 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1718 static inline int in_local(struct module *me, void *loc)
1719 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1722 /* align things a bit */
1723 - me->core_size = ALIGN(me->core_size, 16);
1724 - me->arch.got_offset = me->core_size;
1725 - me->core_size += gots * sizeof(struct got_entry);
1727 - me->core_size = ALIGN(me->core_size, 16);
1728 - me->arch.fdesc_offset = me->core_size;
1729 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1730 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1731 + me->arch.got_offset = me->core_size_rw;
1732 + me->core_size_rw += gots * sizeof(struct got_entry);
1734 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1735 + me->arch.fdesc_offset = me->core_size_rw;
1736 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1738 me->arch.got_max = gots;
1739 me->arch.fdesc_max = fdescs;
1740 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1744 - got = me->module_core + me->arch.got_offset;
1745 + got = me->module_core_rw + me->arch.got_offset;
1746 for (i = 0; got[i].addr; i++)
1747 if (got[i].addr == value)
1749 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1751 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1753 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1754 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1757 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1758 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1760 /* Create new one */
1761 fdesc->addr = value;
1762 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1763 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1764 return (Elf_Addr)fdesc;
1766 #endif /* CONFIG_64BIT */
1767 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1769 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1770 end = table + sechdrs[me->arch.unwind_section].sh_size;
1771 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1772 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1774 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1775 me->arch.unwind_section, table, end, gp);
1776 diff -urNp linux-2.6.38.1/arch/parisc/kernel/sys_parisc.c linux-2.6.38.1/arch/parisc/kernel/sys_parisc.c
1777 --- linux-2.6.38.1/arch/parisc/kernel/sys_parisc.c 2011-03-14 21:20:32.000000000 -0400
1778 +++ linux-2.6.38.1/arch/parisc/kernel/sys_parisc.c 2011-03-21 18:31:35.000000000 -0400
1779 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1780 /* At this point: (!vma || addr < vma->vm_end). */
1781 if (TASK_SIZE - len < addr)
1783 - if (!vma || addr + len <= vma->vm_start)
1784 + if (check_heap_stack_gap(vma, addr, len))
1788 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1789 /* At this point: (!vma || addr < vma->vm_end). */
1790 if (TASK_SIZE - len < addr)
1792 - if (!vma || addr + len <= vma->vm_start)
1793 + if (check_heap_stack_gap(vma, addr, len))
1795 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1796 if (addr < vma->vm_end) /* handle wraparound */
1797 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1798 if (flags & MAP_FIXED)
1801 - addr = TASK_UNMAPPED_BASE;
1802 + addr = current->mm->mmap_base;
1805 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
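Review bot: The condition replaced at both call sites tested `!vma` explicitly, so `check_heap_stack_gap(vma, addr, len)` must accept a NULL vma (no mapping above addr) and treat it as a free gap, yet nothing in this file says so and the helper is not declared here. A one-line comment at the first call site, `/* check_heap_stack_gap() treats vma == NULL as free space, like the old !vma test */`, would make that dependency visible; confirm it against the helper's definition before adding it. The switch from `TASK_UNMAPPED_BASE` to `current->mm->mmap_base` in arch_get_unmapped_area is presumably where a per-process randomised base would come from, and that intent is likewise undocumented at the line. get_unshared_area, get_shared_area and arch_get_unmapped_area all begin outside these hunks.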
1806 diff -urNp linux-2.6.38.1/arch/parisc/kernel/traps.c linux-2.6.38.1/arch/parisc/kernel/traps.c
1807 --- linux-2.6.38.1/arch/parisc/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
1808 +++ linux-2.6.38.1/arch/parisc/kernel/traps.c 2011-03-21 18:31:35.000000000 -0400
1809 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1811 down_read(¤t->mm->mmap_sem);
1812 vma = find_vma(current->mm,regs->iaoq[0]);
1813 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1814 - && (vma->vm_flags & VM_EXEC)) {
1816 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1817 fault_address = regs->iaoq[0];
1818 fault_space = regs->iasq[0];
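Review bot: Dropping the `vma->vm_flags & VM_EXEC` test means an instruction fetch that lands in a mapping without VM_EXEC is now classified as a fault at iaoq[0] and, as far as the visible context shows, passed on to the ordinary page-fault path, and the hunk gives no reason. Since the arch/parisc/mm/fault.c hunk in this same patch is where a fetch from a non-executable mapping is decided on (`pax_handle_fetch_fault`), that is presumably the intended route; say so above the `if`, e.g. `/* fetches from non-VM_EXEC mappings go to do_page_fault(), which handles PAGEEXEC violations */`. Without such a comment a later reader is likely to put the VM_EXEC check back. handle_interruption starts and ends outside the hunk.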
1820 diff -urNp linux-2.6.38.1/arch/parisc/mm/fault.c linux-2.6.38.1/arch/parisc/mm/fault.c
1821 --- linux-2.6.38.1/arch/parisc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1822 +++ linux-2.6.38.1/arch/parisc/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
1824 #include <linux/sched.h>
1825 #include <linux/interrupt.h>
1826 #include <linux/module.h>
1827 +#include <linux/unistd.h>
1829 #include <asm/uaccess.h>
1830 #include <asm/traps.h>
1831 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1832 static unsigned long
1833 parisc_acctyp(unsigned long code, unsigned int inst)
1835 - if (code == 6 || code == 16)
1836 + if (code == 6 || code == 7 || code == 16)
1839 switch (inst & 0xf0000000) {
1840 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1844 +#ifdef CONFIG_PAX_PAGEEXEC
1846 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1848 + * returns 1 when task should be killed
1849 + * 2 when rt_sigreturn trampoline was detected
1850 + * 3 when unpatched PLT trampoline was detected
1852 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1855 +#ifdef CONFIG_PAX_EMUPLT
1858 + do { /* PaX: unpatched PLT emulation */
1859 + unsigned int bl, depwi;
1861 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1862 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1867 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1868 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1870 + err = get_user(ldw, (unsigned int *)addr);
1871 + err |= get_user(bv, (unsigned int *)(addr+4));
1872 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1877 + if (ldw == 0x0E801096U &&
1878 + bv == 0xEAC0C000U &&
1879 + ldw2 == 0x0E881095U)
1881 + unsigned int resolver, map;
1883 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1884 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1888 + regs->gr[20] = instruction_pointer(regs)+8;
1889 + regs->gr[21] = map;
1890 + regs->gr[22] = resolver;
1891 + regs->iaoq[0] = resolver | 3UL;
1892 + regs->iaoq[1] = regs->iaoq[0] + 4;
1899 +#ifdef CONFIG_PAX_EMUTRAMP
1901 +#ifndef CONFIG_PAX_EMUSIGRT
1902 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1906 + do { /* PaX: rt_sigreturn emulation */
1907 + unsigned int ldi1, ldi2, bel, nop;
1909 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1910 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1911 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1912 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1917 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1918 + ldi2 == 0x3414015AU &&
1919 + bel == 0xE4008200U &&
1920 + nop == 0x08000240U)
1922 + regs->gr[25] = (ldi1 & 2) >> 1;
1923 + regs->gr[20] = __NR_rt_sigreturn;
1924 + regs->gr[31] = regs->iaoq[1] + 16;
1925 + regs->sr[0] = regs->iasq[1];
1926 + regs->iaoq[0] = 0x100UL;
1927 + regs->iaoq[1] = regs->iaoq[0] + 4;
1928 + regs->iasq[0] = regs->sr[2];
1929 + regs->iasq[1] = regs->sr[2];
1938 +void pax_report_insns(void *pc, void *sp)
1942 + printk(KERN_ERR "PAX: bytes at PC: ");
1943 + for (i = 0; i < 5; i++) {
1945 + if (get_user(c, (unsigned int *)pc+i))
1946 + printk(KERN_CONT "???????? ");
1948 + printk(KERN_CONT "%08x ", c);
1954 int fixup_exception(struct pt_regs *regs)
1956 const struct exception_table_entry *fix;
1957 @@ -192,8 +303,33 @@ good_area:
1959 acc_type = parisc_acctyp(code,regs->iir);
1961 - if ((vma->vm_flags & acc_type) != acc_type)
1962 + if ((vma->vm_flags & acc_type) != acc_type) {
1964 +#ifdef CONFIG_PAX_PAGEEXEC
1965 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1966 + (address & ~3UL) == instruction_pointer(regs))
1968 + up_read(&mm->mmap_sem);
1969 + switch (pax_handle_fetch_fault(regs)) {
1971 +#ifdef CONFIG_PAX_EMUPLT
1976 +#ifdef CONFIG_PAX_EMUTRAMP
1982 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1983 + do_group_exit(SIGKILL);
1991 * If for any reason at all we couldn't handle the fault, make
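Review bot: The new `code == 7` test in parisc_acctyp and the `(address & ~3UL) == instruction_pointer(regs)` comparison in the good_area hunk both rely on bare magic values with no comment. Trap 7 is, as far as I can tell, the instruction memory protection trap and the low two bits of the IAOQ hold the privilege level, so I would write `if (code == 6 || code == 7 || code == 16) /* ITLB miss, insn protection, non-access ITLB miss */` and `/* strip the IAOQ privilege-level bits before comparing with the fault address */`; please confirm both against the architecture manual. pax_report_insns also lands without a header comment; a one-liner saying it logs the five instruction words at the faulting PC, printing `????????` for a word get_user() cannot read, would do. In pax_handle_fetch_fault the `err` accumulated from the get_user() calls is not tested on any line visible here; if the lines between the reads and the pattern compares do not bail out on err, the compares run on uninitialised words. fixup_exception and the function enclosing the good_area hunk both begin outside these hunks.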
1992 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/device.h linux-2.6.38.1/arch/powerpc/include/asm/device.h
1993 --- linux-2.6.38.1/arch/powerpc/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1994 +++ linux-2.6.38.1/arch/powerpc/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
1995 @@ -17,7 +17,7 @@ struct device_node;
1997 struct dev_archdata {
1998 /* DMA operations on that device */
1999 - struct dma_map_ops *dma_ops;
2000 + const struct dma_map_ops *dma_ops;
2003 * When an iommu is in use, dma_data is used as a ptr to the base of the
2004 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/dma-mapping.h linux-2.6.38.1/arch/powerpc/include/asm/dma-mapping.h
2005 --- linux-2.6.38.1/arch/powerpc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
2006 +++ linux-2.6.38.1/arch/powerpc/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
2007 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2009 * Available generic sets of operations
2011 +/* cannot be const */
2013 -extern struct dma_map_ops dma_iommu_ops;
2014 +extern const struct dma_map_ops dma_iommu_ops;
2016 -extern struct dma_map_ops dma_direct_ops;
2017 +extern const struct dma_map_ops dma_direct_ops;
2019 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2020 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2022 /* We don't handle the NULL dev case for ISA for now. We could
2023 * do it via an out of line call but it is not needed for now. The
2024 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2025 return dev->archdata.dma_ops;
2028 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2029 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2031 dev->archdata.dma_ops = ops;
2033 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2035 static inline int dma_supported(struct device *dev, u64 mask)
2037 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2038 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2040 if (unlikely(dma_ops == NULL))
2042 @@ -132,7 +133,7 @@ extern int dma_set_mask(struct device *d
2043 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2044 dma_addr_t *dma_handle, gfp_t flag)
2046 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2047 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2051 @@ -147,7 +148,7 @@ static inline void *dma_alloc_coherent(s
2052 static inline void dma_free_coherent(struct device *dev, size_t size,
2053 void *cpu_addr, dma_addr_t dma_handle)
2055 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2056 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2060 @@ -158,7 +159,7 @@ static inline void dma_free_coherent(str
2062 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2064 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2065 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2067 if (dma_ops->mapping_error)
2068 return dma_ops->mapping_error(dev, dma_addr);
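Review bot: The declaration `extern const struct dma_map_ops dma_iommu_ops;` sits directly under a new `/* cannot be const */` comment, and the definition in arch/powerpc/kernel/dma-iommu.c in this same patch is indeed left non-const (`struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */`). A const-qualified declaration for an object defined without const is an incompatible-type mismatch between translation units, and it invites the compiler to treat reads through this header as immutable, which is exactly wrong for an object the cell code modifies. Keep the declaration as `extern struct dma_map_ops dma_iommu_ops;`, matching both the definition and the comment, and leave the const on `dma_direct_ops` only. Accessors that merely hand out the pointer, such as `get_dma_ops()`, can still return `const struct dma_map_ops *`.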
2069 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/elf.h linux-2.6.38.1/arch/powerpc/include/asm/elf.h
2070 --- linux-2.6.38.1/arch/powerpc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
2071 +++ linux-2.6.38.1/arch/powerpc/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
2072 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2073 the loader. We need to make sure that it is out of the way of the program
2074 that it will "exec", and that there is sufficient room for the brk. */
2076 -extern unsigned long randomize_et_dyn(unsigned long base);
2077 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2078 +#define ELF_ET_DYN_BASE (0x20000000)
2080 +#ifdef CONFIG_PAX_ASLR
2081 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2083 +#ifdef __powerpc64__
2084 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
2085 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
2087 +#define PAX_DELTA_MMAP_LEN 15
2088 +#define PAX_DELTA_STACK_LEN 15
2093 * Our registers are always unsigned longs, whether we're a 32 bit
2094 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2095 (0x7ff >> (PAGE_SHIFT - 12)) : \
2096 (0x3ffff >> (PAGE_SHIFT - 12)))
2098 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2099 -#define arch_randomize_brk arch_randomize_brk
2101 #endif /* __KERNEL__ */
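Review bot: `ELF_ET_DYN_BASE` loses its `randomize_et_dyn()` wrapper and `arch_randomize_brk` is deleted unconditionally, while the replacement `PAX_DELTA_*` definitions are only emitted under `CONFIG_PAX_ASLR`. A kernel built from this patch without CONFIG_PAX_ASLR therefore gets a fixed 0x20000000 ET_DYN base and no brk randomisation where mainline 2.6.38 had both, which is a regression in address-space randomisation rather than a neutral cleanup. The same unconditional removal appears in arch/powerpc/include/asm/system.h (`arch_align_stack` becomes a plain `& ~0xfUL`) and in the arch/powerpc/kernel/process.c hunk that deletes the implementations. Either keep the mainline definitions under `#ifndef CONFIG_PAX_ASLR` or state next to `ELF_ET_DYN_BASE` that randomisation on powerpc now depends entirely on CONFIG_PAX_ASLR.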
2104 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/iommu.h linux-2.6.38.1/arch/powerpc/include/asm/iommu.h
2105 --- linux-2.6.38.1/arch/powerpc/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
2106 +++ linux-2.6.38.1/arch/powerpc/include/asm/iommu.h 2011-03-21 18:31:35.000000000 -0400
2107 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2108 extern void iommu_init_early_dart(void);
2109 extern void iommu_init_early_pasemi(void);
2112 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2115 extern void pci_iommu_init(void);
2116 extern void pci_direct_iommu_init(void);
2117 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/kmap_types.h linux-2.6.38.1/arch/powerpc/include/asm/kmap_types.h
2118 --- linux-2.6.38.1/arch/powerpc/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
2119 +++ linux-2.6.38.1/arch/powerpc/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
2120 @@ -27,6 +27,7 @@ enum km_type {
2128 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/page_64.h linux-2.6.38.1/arch/powerpc/include/asm/page_64.h
2129 --- linux-2.6.38.1/arch/powerpc/include/asm/page_64.h 2011-03-14 21:20:32.000000000 -0400
2130 +++ linux-2.6.38.1/arch/powerpc/include/asm/page_64.h 2011-03-21 18:31:35.000000000 -0400
2131 @@ -172,15 +172,18 @@ do { \
2132 * stack by default, so in the absense of a PT_GNU_STACK program header
2133 * we turn execute permission off.
2135 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2136 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2137 +#define VM_STACK_DEFAULT_FLAGS32 \
2138 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2139 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2141 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2142 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2144 +#ifndef CONFIG_PAX_PAGEEXEC
2145 #define VM_STACK_DEFAULT_FLAGS \
2146 (is_32bit_task() ? \
2147 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2150 #include <asm-generic/getorder.h>
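Review bot: `VM_STACK_DEFAULT_FLAGS32` now grants VM_EXEC only when the task's personality has READ_IMPLIES_EXEC, but the comment block the hunk leaves in place above it (ending `we turn execute permission off.`) still describes only the 64-bit case, so the new 32-bit rule is undocumented. Add a line such as `/* 32-bit: executable stack only for READ_IMPLIES_EXEC personalities; see VM_DATA_DEFAULT_FLAGS32 in page.h */` above the macro. The `#ifndef CONFIG_PAX_PAGEEXEC` around `VM_STACK_DEFAULT_FLAGS` would also benefit from a word on where the PAGEEXEC definition lives; its matching `#endif` is not visible here. arch/powerpc/include/asm/page.h makes the identical change to `VM_DATA_DEFAULT_FLAGS32` with the same missing comment, and its new `ktla_ktva`/`ktva_ktla` macros land without a note on why they are the identity on powerpc.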
2152 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/page.h linux-2.6.38.1/arch/powerpc/include/asm/page.h
2153 --- linux-2.6.38.1/arch/powerpc/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
2154 +++ linux-2.6.38.1/arch/powerpc/include/asm/page.h 2011-03-21 18:31:35.000000000 -0400
2155 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2156 * and needs to be executable. This means the whole heap ends
2157 * up being executable.
2159 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2160 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2161 +#define VM_DATA_DEFAULT_FLAGS32 \
2162 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2163 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2165 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2166 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2167 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2168 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2171 +#define ktla_ktva(addr) (addr)
2172 +#define ktva_ktla(addr) (addr)
2174 #ifndef __ASSEMBLY__
2176 #undef STRICT_MM_TYPECHECKS
2177 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/pci.h linux-2.6.38.1/arch/powerpc/include/asm/pci.h
2178 --- linux-2.6.38.1/arch/powerpc/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
2179 +++ linux-2.6.38.1/arch/powerpc/include/asm/pci.h 2011-03-21 18:31:35.000000000 -0400
2180 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2184 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2185 -extern struct dma_map_ops *get_pci_dma_ops(void);
2186 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2187 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2188 #else /* CONFIG_PCI */
2189 #define set_pci_dma_ops(d)
2190 #define get_pci_dma_ops() NULL
2191 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/pgtable.h linux-2.6.38.1/arch/powerpc/include/asm/pgtable.h
2192 --- linux-2.6.38.1/arch/powerpc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
2193 +++ linux-2.6.38.1/arch/powerpc/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
2195 #define _ASM_POWERPC_PGTABLE_H
2198 +#include <linux/const.h>
2199 #ifndef __ASSEMBLY__
2200 #include <asm/processor.h> /* For TASK_SIZE */
2201 #include <asm/mmu.h>
2202 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/pte-hash32.h linux-2.6.38.1/arch/powerpc/include/asm/pte-hash32.h
2203 --- linux-2.6.38.1/arch/powerpc/include/asm/pte-hash32.h 2011-03-14 21:20:32.000000000 -0400
2204 +++ linux-2.6.38.1/arch/powerpc/include/asm/pte-hash32.h 2011-03-21 18:31:35.000000000 -0400
2206 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2207 #define _PAGE_USER 0x004 /* usermode access allowed */
2208 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2209 +#define _PAGE_EXEC _PAGE_GUARDED
2210 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2211 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2212 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
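Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` makes the G bit do double duty on hash32 without any comment, while every neighbouring flag carries one. Whether an executable page is the one that carries G, or the reverse (so that a fetch from a non-executable page raises the fault that the new `DSISR_GUARDED` bit in arch/powerpc/include/asm/reg.h identifies), cannot be read from this line, and the answer determines how the PTE-building code must treat the bit. Add a comment in the local style, e.g. `/* no hardware NX on hash32: G bit reused to encode exec permission; see DSISR_GUARDED */`, spelling out the polarity once confirmed.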
2213 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/reg.h linux-2.6.38.1/arch/powerpc/include/asm/reg.h
2214 --- linux-2.6.38.1/arch/powerpc/include/asm/reg.h 2011-03-23 17:20:06.000000000 -0400
2215 +++ linux-2.6.38.1/arch/powerpc/include/asm/reg.h 2011-03-23 17:21:43.000000000 -0400
2217 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2218 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2219 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2220 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2221 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2222 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2223 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2224 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/swiotlb.h linux-2.6.38.1/arch/powerpc/include/asm/swiotlb.h
2225 --- linux-2.6.38.1/arch/powerpc/include/asm/swiotlb.h 2011-03-14 21:20:32.000000000 -0400
2226 +++ linux-2.6.38.1/arch/powerpc/include/asm/swiotlb.h 2011-03-21 18:31:35.000000000 -0400
2229 #include <linux/swiotlb.h>
2231 -extern struct dma_map_ops swiotlb_dma_ops;
2232 +extern const struct dma_map_ops swiotlb_dma_ops;
2234 static inline void dma_mark_clean(void *addr, size_t size) {}
2236 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/system.h linux-2.6.38.1/arch/powerpc/include/asm/system.h
2237 --- linux-2.6.38.1/arch/powerpc/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
2238 +++ linux-2.6.38.1/arch/powerpc/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
2239 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2240 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2243 -extern unsigned long arch_align_stack(unsigned long sp);
2244 +#define arch_align_stack(x) ((x) & ~0xfUL)
2246 /* Used in very early kernel initialization. */
2247 extern unsigned long reloc_offset(void);
2248 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/uaccess.h linux-2.6.38.1/arch/powerpc/include/asm/uaccess.h
2249 --- linux-2.6.38.1/arch/powerpc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
2250 +++ linux-2.6.38.1/arch/powerpc/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
2252 #define VERIFY_READ 0
2253 #define VERIFY_WRITE 1
2255 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2258 * The fs value determines whether argument validity checking should be
2259 * performed or not. If get_fs() == USER_DS, checking is performed, with
2260 @@ -327,52 +329,6 @@ do { \
2261 extern unsigned long __copy_tofrom_user(void __user *to,
2262 const void __user *from, unsigned long size);
2264 -#ifndef __powerpc64__
2266 -static inline unsigned long copy_from_user(void *to,
2267 - const void __user *from, unsigned long n)
2269 - unsigned long over;
2271 - if (access_ok(VERIFY_READ, from, n))
2272 - return __copy_tofrom_user((__force void __user *)to, from, n);
2273 - if ((unsigned long)from < TASK_SIZE) {
2274 - over = (unsigned long)from + n - TASK_SIZE;
2275 - return __copy_tofrom_user((__force void __user *)to, from,
2281 -static inline unsigned long copy_to_user(void __user *to,
2282 - const void *from, unsigned long n)
2284 - unsigned long over;
2286 - if (access_ok(VERIFY_WRITE, to, n))
2287 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2288 - if ((unsigned long)to < TASK_SIZE) {
2289 - over = (unsigned long)to + n - TASK_SIZE;
2290 - return __copy_tofrom_user(to, (__force void __user *)from,
2296 -#else /* __powerpc64__ */
2298 -#define __copy_in_user(to, from, size) \
2299 - __copy_tofrom_user((to), (from), (size))
2301 -extern unsigned long copy_from_user(void *to, const void __user *from,
2303 -extern unsigned long copy_to_user(void __user *to, const void *from,
2305 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2308 -#endif /* __powerpc64__ */
2310 static inline unsigned long __copy_from_user_inatomic(void *to,
2311 const void __user *from, unsigned long n)
2313 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2318 + if (!__builtin_constant_p(n))
2319 + check_object_size(to, n, false);
2321 return __copy_tofrom_user((__force void __user *)to, from, n);
2324 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2329 + if (!__builtin_constant_p(n))
2330 + check_object_size(from, n, true);
2332 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2335 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2336 return __copy_to_user_inatomic(to, from, size);
2339 +#ifndef __powerpc64__
2341 +static inline unsigned long __must_check copy_from_user(void *to,
2342 + const void __user *from, unsigned long n)
2344 + unsigned long over;
2349 + if (access_ok(VERIFY_READ, from, n)) {
2350 + if (!__builtin_constant_p(n))
2351 + check_object_size(to, n, false);
2352 + return __copy_tofrom_user((__force void __user *)to, from, n);
2354 + if ((unsigned long)from < TASK_SIZE) {
2355 + over = (unsigned long)from + n - TASK_SIZE;
2356 + if (!__builtin_constant_p(n - over))
2357 + check_object_size(to, n - over, false);
2358 + return __copy_tofrom_user((__force void __user *)to, from,
2364 +static inline unsigned long __must_check copy_to_user(void __user *to,
2365 + const void *from, unsigned long n)
2367 + unsigned long over;
2372 + if (access_ok(VERIFY_WRITE, to, n)) {
2373 + if (!__builtin_constant_p(n))
2374 + check_object_size(from, n, true);
2375 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2377 + if ((unsigned long)to < TASK_SIZE) {
2378 + over = (unsigned long)to + n - TASK_SIZE;
2379 + if (!__builtin_constant_p(n))
2380 + check_object_size(from, n - over, true);
2381 + return __copy_tofrom_user(to, (__force void __user *)from,
2387 +#else /* __powerpc64__ */
2389 +#define __copy_in_user(to, from, size) \
2390 + __copy_tofrom_user((to), (from), (size))
2392 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2394 + if ((long)n < 0 || n > INT_MAX)
2397 + if (!__builtin_constant_p(n))
2398 + check_object_size(to, n, false);
2400 + if (likely(access_ok(VERIFY_READ, from, n)))
2401 + n = __copy_from_user(to, from, n);
2407 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2409 + if ((long)n < 0 || n > INT_MAX)
2412 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2413 + if (!__builtin_constant_p(n))
2414 + check_object_size(from, n, true);
2415 + n = __copy_to_user(to, from, n);
2420 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2423 +#endif /* __powerpc64__ */
2425 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2427 static inline unsigned long clear_user(void __user *addr, unsigned long size)
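Review bot: In the 32-bit `copy_to_user`, the TASK_SIZE-crossing branch guards the size check with `if (!__builtin_constant_p(n))` but then checks `n - over`, whereas the matching branch in `copy_from_user` a few lines up uses `if (!__builtin_constant_p(n - over))`; the predicate and the checked size should agree, so change the copy_to_user line to `if (!__builtin_constant_p(n - over))`. The two 64-bit wrappers also differ in where `check_object_size` runs: copy_from_user calls it before `access_ok`, copy_to_user only inside the `access_ok` branch, which is worth aligning. The `(long)n < 0 || n > INT_MAX` rejections return something that is not visible in this view; a comment stating what a caller sees for an oversized n (and whether `to` is zeroed in that case) would help. `check_object_size()` is declared here with a `bool` parameter, so the header must already have `bool` in scope at that point; worth verifying rather than assuming.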
2428 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/dma.c linux-2.6.38.1/arch/powerpc/kernel/dma.c
2429 --- linux-2.6.38.1/arch/powerpc/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
2430 +++ linux-2.6.38.1/arch/powerpc/kernel/dma.c 2011-03-21 18:31:35.000000000 -0400
2431 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
2435 -struct dma_map_ops dma_direct_ops = {
2436 +const struct dma_map_ops dma_direct_ops = {
2437 .alloc_coherent = dma_direct_alloc_coherent,
2438 .free_coherent = dma_direct_free_coherent,
2439 .map_sg = dma_direct_map_sg,
2440 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
2442 int dma_set_mask(struct device *dev, u64 dma_mask)
2444 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2445 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2447 if (ppc_md.dma_set_mask)
2448 return ppc_md.dma_set_mask(dev, dma_mask);
2449 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/dma-iommu.c linux-2.6.38.1/arch/powerpc/kernel/dma-iommu.c
2450 --- linux-2.6.38.1/arch/powerpc/kernel/dma-iommu.c 2011-03-14 21:20:32.000000000 -0400
2451 +++ linux-2.6.38.1/arch/powerpc/kernel/dma-iommu.c 2011-03-21 18:31:35.000000000 -0400
2452 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2455 /* We support DMA to/from any memory page via the iommu */
2456 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2457 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2459 struct iommu_table *tbl = get_iommu_table_base(dev);
2461 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
2465 -struct dma_map_ops dma_iommu_ops = {
2466 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2467 .alloc_coherent = dma_iommu_alloc_coherent,
2468 .free_coherent = dma_iommu_free_coherent,
2469 .map_sg = dma_iommu_map_sg,
2470 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.38.1/arch/powerpc/kernel/dma-swiotlb.c
2471 --- linux-2.6.38.1/arch/powerpc/kernel/dma-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
2472 +++ linux-2.6.38.1/arch/powerpc/kernel/dma-swiotlb.c 2011-03-21 18:31:35.000000000 -0400
2473 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2474 * map_page, and unmap_page on highmem, use normal dma_ops
2475 * for everything else.
2477 -struct dma_map_ops swiotlb_dma_ops = {
2478 +const struct dma_map_ops swiotlb_dma_ops = {
2479 .alloc_coherent = dma_direct_alloc_coherent,
2480 .free_coherent = dma_direct_free_coherent,
2481 .map_sg = swiotlb_map_sg_attrs,
2482 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/exceptions-64e.S linux-2.6.38.1/arch/powerpc/kernel/exceptions-64e.S
2483 --- linux-2.6.38.1/arch/powerpc/kernel/exceptions-64e.S 2011-03-14 21:20:32.000000000 -0400
2484 +++ linux-2.6.38.1/arch/powerpc/kernel/exceptions-64e.S 2011-03-21 18:31:35.000000000 -0400
2485 @@ -495,6 +495,7 @@ storage_fault_common:
2488 addi r3,r1,STACK_FRAME_OVERHEAD
2492 ld r14,PACA_EXGEN+EX_R14(r13)
2493 @@ -504,8 +505,7 @@ storage_fault_common:
2496 b .ret_from_except_lite
2500 addi r3,r1,STACK_FRAME_OVERHEAD
2503 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/exceptions-64s.S linux-2.6.38.1/arch/powerpc/kernel/exceptions-64s.S
2504 --- linux-2.6.38.1/arch/powerpc/kernel/exceptions-64s.S 2011-03-14 21:20:32.000000000 -0400
2505 +++ linux-2.6.38.1/arch/powerpc/kernel/exceptions-64s.S 2011-03-21 18:31:35.000000000 -0400
2506 @@ -848,10 +848,10 @@ handle_page_fault:
2509 addi r3,r1,STACK_FRAME_OVERHEAD
2516 addi r3,r1,STACK_FRAME_OVERHEAD
2518 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/ibmebus.c linux-2.6.38.1/arch/powerpc/kernel/ibmebus.c
2519 --- linux-2.6.38.1/arch/powerpc/kernel/ibmebus.c 2011-03-14 21:20:32.000000000 -0400
2520 +++ linux-2.6.38.1/arch/powerpc/kernel/ibmebus.c 2011-03-21 18:31:35.000000000 -0400
2521 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2525 -static struct dma_map_ops ibmebus_dma_ops = {
2526 +static const struct dma_map_ops ibmebus_dma_ops = {
2527 .alloc_coherent = ibmebus_alloc_coherent,
2528 .free_coherent = ibmebus_free_coherent,
2529 .map_sg = ibmebus_map_sg,
2530 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/kgdb.c linux-2.6.38.1/arch/powerpc/kernel/kgdb.c
2531 --- linux-2.6.38.1/arch/powerpc/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
2532 +++ linux-2.6.38.1/arch/powerpc/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
2533 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
2537 -struct kgdb_arch arch_kgdb_ops = {
2538 +const struct kgdb_arch arch_kgdb_ops = {
2539 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2542 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/module_32.c linux-2.6.38.1/arch/powerpc/kernel/module_32.c
2543 --- linux-2.6.38.1/arch/powerpc/kernel/module_32.c 2011-03-14 21:20:32.000000000 -0400
2544 +++ linux-2.6.38.1/arch/powerpc/kernel/module_32.c 2011-03-21 18:31:35.000000000 -0400
2545 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2546 me->arch.core_plt_section = i;
2548 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2549 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2550 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2554 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2556 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2557 /* Init, or core PLT? */
2558 - if (location >= mod->module_core
2559 - && location < mod->module_core + mod->core_size)
2560 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2561 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2562 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2564 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2565 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2566 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2568 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2572 /* Find this entry, or if that fails, the next avail. entry */
2573 while (entry->jump[0]) {
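Review bot: The new else branch in `do_plt_call` logs `invalid R_PPC_REL24 entry found` but the lines that follow the printk are not visible here; unless that branch returns, `entry` is used uninitialised at the `while (entry->jump[0])` that follows. If it does return, a short comment above the printk, `/* location is in neither core nor init region: refuse rather than guess a PLT */`, would make the intent explicit. The rewritten message in module_frob_arch_sections, `printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`, still has no log level; since the hunk touches that line anyway, prefix it with `KERN_ERR`. Both functions begin outside their hunks.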
2574 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/module.c linux-2.6.38.1/arch/powerpc/kernel/module.c
2575 --- linux-2.6.38.1/arch/powerpc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
2576 +++ linux-2.6.38.1/arch/powerpc/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
2579 LIST_HEAD(module_bug_list);
2581 +#ifdef CONFIG_PAX_KERNEXEC
2582 void *module_alloc(unsigned long size)
2587 + return vmalloc(size);
2590 +void *module_alloc_exec(unsigned long size)
2592 +void *module_alloc(unsigned long size)
2599 return vmalloc_exec(size);
2602 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2603 vfree(module_region);
2606 +#ifdef CONFIG_PAX_KERNEXEC
2607 +void module_free_exec(struct module *mod, void *module_region)
2609 + module_free(mod, module_region);
2613 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2614 const Elf_Shdr *sechdrs,
2616 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/pci-common.c linux-2.6.38.1/arch/powerpc/kernel/pci-common.c
2617 --- linux-2.6.38.1/arch/powerpc/kernel/pci-common.c 2011-03-14 21:20:32.000000000 -0400
2618 +++ linux-2.6.38.1/arch/powerpc/kernel/pci-common.c 2011-03-21 18:31:35.000000000 -0400
2619 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2620 unsigned int ppc_pci_flags = 0;
2623 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2624 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2626 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2627 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2629 pci_dma_ops = dma_ops;
2632 -struct dma_map_ops *get_pci_dma_ops(void)
2633 +const struct dma_map_ops *get_pci_dma_ops(void)
2637 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/process.c linux-2.6.38.1/arch/powerpc/kernel/process.c
2638 --- linux-2.6.38.1/arch/powerpc/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
2639 +++ linux-2.6.38.1/arch/powerpc/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
2640 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
2641 * Lookup NIP late so we have the best change of getting the
2642 * above info out without failing
2644 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2645 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2646 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2647 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2649 show_stack(current, (unsigned long *) regs->gpr[1]);
2650 if (!user_mode(regs))
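Review bot: `%pA` on the two changed printk() lines is not a conversion that the stock 2.6.38 vsprintf handles, so these lines only format a symbol if the matching lib/vsprintf.c change from the rest of this patch is applied, and nothing in this file records that dependency. I assume the extension prints the symbol without the raw kernel address; a comment above the first changed printk would make that auditable: `/* %pA: PaX printk extension, prints the symbol without the raw kernel address (see lib/vsprintf.c) */`. The same substitution is made in the two show_stack hunks that follow, and show_regs itself starts before this hunk.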
2651 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
2653 ip = stack[STACK_FRAME_LR_SAVE];
2654 if (!firstframe || ip != lr) {
2655 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2656 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2657 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2658 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2661 (void *)current->ret_stack[curr_frame].ret);
2664 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
2665 struct pt_regs *regs = (struct pt_regs *)
2666 (sp + STACK_FRAME_OVERHEAD);
2668 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2669 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2670 regs->trap, (void *)regs->nip, (void *)lr);
2673 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
2676 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2678 -unsigned long arch_align_stack(unsigned long sp)
2680 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2681 - sp -= get_random_int() & ~PAGE_MASK;
2685 -static inline unsigned long brk_rnd(void)
2687 - unsigned long rnd = 0;
2689 - /* 8MB for 32bit, 1GB for 64bit */
2690 - if (is_32bit_task())
2691 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2693 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2695 - return rnd << PAGE_SHIFT;
2698 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2700 - unsigned long base = mm->brk;
2701 - unsigned long ret;
2703 -#ifdef CONFIG_PPC_STD_MMU_64
2705 - * If we are using 1TB segments and we are allowed to randomise
2706 - * the heap, we can put it above 1TB so it is backed by a 1TB
2707 - * segment. Otherwise the heap will be in the bottom 1TB
2708 - * which always uses 256MB segments and this may result in a
2709 - * performance penalty.
2711 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2712 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2715 - ret = PAGE_ALIGN(base + brk_rnd());
2717 - if (ret < mm->brk)
2723 -unsigned long randomize_et_dyn(unsigned long base)
2725 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2732 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/signal_32.c linux-2.6.38.1/arch/powerpc/kernel/signal_32.c
2733 --- linux-2.6.38.1/arch/powerpc/kernel/signal_32.c 2011-03-14 21:20:32.000000000 -0400
2734 +++ linux-2.6.38.1/arch/powerpc/kernel/signal_32.c 2011-03-21 18:31:35.000000000 -0400
2735 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2736 /* Save user registers on the stack */
2737 frame = &rt_sf->uc.uc_mcontext;
2739 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2740 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2741 if (save_user_regs(regs, frame, 0, 1))
2743 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
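Review bot: The sentinel for "no vDSO mapped" moves from 0 to ~0UL on the changed `if` line, but the test is only correct if every writer of `context.vdso_base` agrees; the vdso.c hunk further down switches the disabled-vDSO store to ~0UL, while a freshly zeroed mm or any other path in arch_setup_additional_pages that still stores 0 (not visible here) would now pass this check and set `regs->link` to `vdso32_rt_sigtramp` relative to address 0. The same test is changed in signal_64.c. A comment on the new condition, `/* ~0UL means no vDSO mapped (set in arch_setup_additional_pages); 0 is no longer the "absent" value */`, plus a check of the remaining stores to vdso_base, would close this. handle_rt_signal32 starts and ends outside this hunk.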
2744 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/signal_64.c linux-2.6.38.1/arch/powerpc/kernel/signal_64.c
2745 --- linux-2.6.38.1/arch/powerpc/kernel/signal_64.c 2011-03-14 21:20:32.000000000 -0400
2746 +++ linux-2.6.38.1/arch/powerpc/kernel/signal_64.c 2011-03-21 18:31:35.000000000 -0400
2747 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2748 current->thread.fpscr.val = 0;
2750 /* Set up to return from userspace. */
2751 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2752 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2753 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2755 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2756 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/vdso.c linux-2.6.38.1/arch/powerpc/kernel/vdso.c
2757 --- linux-2.6.38.1/arch/powerpc/kernel/vdso.c 2011-03-14 21:20:32.000000000 -0400
2758 +++ linux-2.6.38.1/arch/powerpc/kernel/vdso.c 2011-03-21 18:31:35.000000000 -0400
2760 #include <asm/firmware.h>
2761 #include <asm/vdso.h>
2762 #include <asm/vdso_datapage.h>
2763 +#include <asm/mman.h>
2767 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2768 vdso_base = VDSO32_MBASE;
2771 - current->mm->context.vdso_base = 0;
2772 + current->mm->context.vdso_base = ~0UL;
2774 /* vDSO has a problem and was disabled, just don't "enable" it for the
2776 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2777 vdso_base = get_unmapped_area(NULL, vdso_base,
2778 (vdso_pages << PAGE_SHIFT) +
2779 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2781 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2782 if (IS_ERR_VALUE(vdso_base)) {
2785 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/vio.c linux-2.6.38.1/arch/powerpc/kernel/vio.c
2786 --- linux-2.6.38.1/arch/powerpc/kernel/vio.c 2011-03-14 21:20:32.000000000 -0400
2787 +++ linux-2.6.38.1/arch/powerpc/kernel/vio.c 2011-03-21 18:31:35.000000000 -0400
2788 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
2789 return dma_iommu_ops.dma_supported(dev, mask);
2792 -struct dma_map_ops vio_dma_mapping_ops = {
2793 +const struct dma_map_ops vio_dma_mapping_ops = {
2794 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2795 .free_coherent = vio_dma_iommu_free_coherent,
2796 .map_sg = vio_dma_iommu_map_sg,
2797 .unmap_sg = vio_dma_iommu_unmap_sg,
2798 + .dma_supported = dma_iommu_dma_supported,
2799 .map_page = vio_dma_iommu_map_page,
2800 .unmap_page = vio_dma_iommu_unmap_page,
2801 .dma_supported = vio_dma_iommu_dma_supported,
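Review bot: The added initializer `.dma_supported = dma_iommu_dma_supported,` is overridden by the pre-existing `.dma_supported = vio_dma_iommu_dma_supported,` three lines later: with designated initializers the last assignment to a member wins, so the new line has no effect and GCC reports it under -Woverride-init. The context line at the top of the hunk shows vio_dma_iommu_dma_supported already forwarding to `dma_iommu_ops.dma_supported`, which also suggests `dma_iommu_dma_supported` may not be visible by name in this translation unit. Drop the added line; the const qualification on the struct is the part of the hunk worth keeping.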
2802 diff -urNp linux-2.6.38.1/arch/powerpc/lib/usercopy_64.c linux-2.6.38.1/arch/powerpc/lib/usercopy_64.c
2803 --- linux-2.6.38.1/arch/powerpc/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
2804 +++ linux-2.6.38.1/arch/powerpc/lib/usercopy_64.c 2011-03-21 18:31:35.000000000 -0400
2806 #include <linux/module.h>
2807 #include <asm/uaccess.h>
2809 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2811 - if (likely(access_ok(VERIFY_READ, from, n)))
2812 - n = __copy_from_user(to, from, n);
2818 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2820 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2821 - n = __copy_to_user(to, from, n);
2825 unsigned long copy_in_user(void __user *to, const void __user *from,
2828 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2832 -EXPORT_SYMBOL(copy_from_user);
2833 -EXPORT_SYMBOL(copy_to_user);
2834 EXPORT_SYMBOL(copy_in_user);
2836 diff -urNp linux-2.6.38.1/arch/powerpc/mm/fault.c linux-2.6.38.1/arch/powerpc/mm/fault.c
2837 --- linux-2.6.38.1/arch/powerpc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
2838 +++ linux-2.6.38.1/arch/powerpc/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
2840 #include <linux/kdebug.h>
2841 #include <linux/perf_event.h>
2842 #include <linux/magic.h>
2843 +#include <linux/slab.h>
2844 +#include <linux/pagemap.h>
2845 +#include <linux/compiler.h>
2846 +#include <linux/unistd.h>
2848 #include <asm/firmware.h>
2849 #include <asm/page.h>
2851 #include <asm/tlbflush.h>
2852 #include <asm/siginfo.h>
2853 #include <mm/mmu_decl.h>
2854 +#include <asm/ptrace.h>
2856 #ifdef CONFIG_KPROBES
2857 static inline int notify_page_fault(struct pt_regs *regs)
2858 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
2862 +#ifdef CONFIG_PAX_PAGEEXEC
2864 + * PaX: decide what to do with offenders (regs->nip = fault address)
2866 + * returns 1 when task should be killed
2868 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2873 +void pax_report_insns(void *pc, void *sp)
2877 + printk(KERN_ERR "PAX: bytes at PC: ");
2878 + for (i = 0; i < 5; i++) {
2880 + if (get_user(c, (unsigned int __user *)pc+i))
2881 + printk(KERN_CONT "???????? ");
2883 + printk(KERN_CONT "%08x ", c);
2890 * Check whether the instruction at regs->nip is a store using
2891 * an update addressing form which will update r1.
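Review bot: pax_report_insns() reads five 32-bit words at the user PC and prints them with printk(KERN_ERR), but the hunk says neither that `pc` and `sp` are untrusted user-space addresses nor what the `????????` marker means, and the plain `void *` parameters leave the `__user` qualifier to be re-added by the per-iteration cast `(unsigned int __user *)pc+i`. A header comment would make the function self-explanatory: `/* Log the 5 instruction words at the faulting user PC; each word is fetched with get_user() because the address is untrusted, and "????????" marks a word that could not be read. */`, and `((unsigned int __user *)pc) + i` reads less like a precedence slip. The function's closing lines and the `#endif` for CONFIG_PAX_PAGEEXEC are not shown in this hunk, and `sp` is not used on any visible line.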
2892 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
2893 * indicate errors in DSISR but can validly be set in SRR1.
2896 - error_code &= 0x48200000;
2897 + error_code &= 0x58200000;
2899 is_write = error_code & DSISR_ISSTORE;
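Review bot: The mask on the changed line grows from 0x48200000 to 0x58200000 but stays a magic constant, while the two hunks that follow treat that added 0x10000000 bit as `DSISR_GUARDED` and test `DSISR_PROTFAULT | DSISR_GUARDED` by name. The SRR1-to-DSISR translation would be easier to audit written as `error_code &= 0x48200000 | DSISR_GUARDED;` with `/* keep only the SRR1 bits that are also valid DSISR bits; DSISR_GUARDED is needed by the PAGEEXEC checks below */`. I cannot see the existing comment that explains the original value, so the wording should match it. do_page_fault starts and ends outside this hunk.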
2901 @@ -258,7 +290,7 @@ good_area:
2902 * "undefined". Of those that can be set, this is the only
2903 * one which seems bad.
2905 - if (error_code & 0x10000000)
2906 + if (error_code & DSISR_GUARDED)
2907 /* Guarded storage error. */
2909 #endif /* CONFIG_8xx */
2910 @@ -273,7 +305,7 @@ good_area:
2911 * processors use the same I/D cache coherency mechanism
2914 - if (error_code & DSISR_PROTFAULT)
2915 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2917 #endif /* CONFIG_PPC_STD_MMU */
2919 @@ -342,6 +374,23 @@ bad_area:
2920 bad_area_nosemaphore:
2921 /* User mode accesses cause a SIGSEGV */
2922 if (user_mode(regs)) {
2924 +#ifdef CONFIG_PAX_PAGEEXEC
2925 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2926 +#ifdef CONFIG_PPC_STD_MMU
2927 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2929 + if (is_exec && regs->nip == address) {
2931 + switch (pax_handle_fetch_fault(regs)) {
2934 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2935 + do_group_exit(SIGKILL);
2940 _exception(SIGSEGV, regs, code, address);
2943 diff -urNp linux-2.6.38.1/arch/powerpc/mm/mmap_64.c linux-2.6.38.1/arch/powerpc/mm/mmap_64.c
2944 --- linux-2.6.38.1/arch/powerpc/mm/mmap_64.c 2011-03-14 21:20:32.000000000 -0400
2945 +++ linux-2.6.38.1/arch/powerpc/mm/mmap_64.c 2011-03-21 18:31:35.000000000 -0400
2946 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2948 if (mmap_is_legacy()) {
2949 mm->mmap_base = TASK_UNMAPPED_BASE;
2951 +#ifdef CONFIG_PAX_RANDMMAP
2952 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2953 + mm->mmap_base += mm->delta_mmap;
2956 mm->get_unmapped_area = arch_get_unmapped_area;
2957 mm->unmap_area = arch_unmap_area;
2959 mm->mmap_base = mmap_base();
2961 +#ifdef CONFIG_PAX_RANDMMAP
2962 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2963 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2966 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2967 mm->unmap_area = arch_unmap_area_topdown;
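Review bot: In the top-down branch the new line `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` lowers the base returned by mmap_base() with no lower bound, and the legacy branch's `mm->mmap_base += mm->delta_mmap;` has no check against the top of the address space; nothing here states the invariant that makes either safe. I assume delta_mmap and delta_stack are page-aligned and bounded by the architecture's PAX_DELTA_*_LEN where they are generated at exec time, outside this file, so a comment at each site is what I would ask for: `/* delta_mmap/delta_stack are page-aligned and bounded by PAX_DELTA_*_LEN at exec time; confirm mmap_base() cannot underflow */`. The identical pair of changes appears twice in arch/s390/mm/mmap.c further down. arch_pick_mmap_layout starts and ends outside this hunk.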
2969 diff -urNp linux-2.6.38.1/arch/powerpc/mm/slice.c linux-2.6.38.1/arch/powerpc/mm/slice.c
2970 --- linux-2.6.38.1/arch/powerpc/mm/slice.c 2011-03-14 21:20:32.000000000 -0400
2971 +++ linux-2.6.38.1/arch/powerpc/mm/slice.c 2011-03-21 23:47:41.000000000 -0400
2972 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2973 if ((mm->task_size - len) < addr)
2975 vma = find_vma(mm, addr);
2976 - return (!vma || (addr + len) <= vma->vm_start);
2977 + return check_heap_stack_gap(vma, addr, len);
2980 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2981 @@ -256,7 +256,7 @@ full_search:
2982 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2985 - if (!vma || addr + len <= vma->vm_start) {
2986 + if (check_heap_stack_gap(vma, addr, len)) {
2988 * Remember the place where we stopped the search:
2990 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2994 - addr = mm->mmap_base;
2995 - while (addr > len) {
2996 + if (mm->mmap_base < len)
2999 + addr = mm->mmap_base - len;
3001 + while (!IS_ERR_VALUE(addr)) {
3002 /* Go down by chunk size */
3003 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3004 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
3006 /* Check for hit with different page size */
3007 mask = slice_range_to_mask(addr, len);
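Review bot: The rewritten loop ends only when `addr` becomes an IS_ERR_VALUE(), and the one assignment visible inside it, `addr = _ALIGN_DOWN(addr, 1ul << pshift);`, can never produce such a value, so termination rests entirely on `skip_heap_stack_gap(vma, len)` in the later hunk returning an error-encoded address once `vma->vm_start < len`; the explicit `while (addr > len)` bound that used to guarantee this is gone. That contract lives in a helper outside this file and is not stated here. A comment on the loop header, `/* skip_heap_stack_gap() yields an IS_ERR_VALUE() address once no room is left below the vma; that is what ends the search */`, would record the assumption, and arch/sh/mm/mmap.c relies on the same property in its `} while (!IS_ERR_VALUE(addr));` rewrite. The top-down search function named in the hunk header starts and ends outside this hunk, and the statement guarded by `if (mm->mmap_base < len)` is not visible here.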
3008 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3009 * return with success:
3011 vma = find_vma(mm, addr);
3012 - if (!vma || (addr + len) <= vma->vm_start) {
3013 + if (check_heap_stack_gap(vma, addr, len)) {
3014 /* remember the address as a hint for next time */
3016 mm->free_area_cache = addr;
3017 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3018 mm->cached_hole_size = vma->vm_start - addr;
3020 /* try just below the current vma->vm_start */
3021 - addr = vma->vm_start;
3022 + addr = skip_heap_stack_gap(vma, len);
3026 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3027 if (fixed && addr > (mm->task_size - len))
3030 +#ifdef CONFIG_PAX_RANDMMAP
3031 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3035 /* If hint, make sure it matches our alignment restrictions */
3036 if (!fixed && addr) {
3037 addr = _ALIGN_UP(addr, 1ul << pshift);
3038 diff -urNp linux-2.6.38.1/arch/powerpc/platforms/cell/iommu.c linux-2.6.38.1/arch/powerpc/platforms/cell/iommu.c
3039 --- linux-2.6.38.1/arch/powerpc/platforms/cell/iommu.c 2011-03-14 21:20:32.000000000 -0400
3040 +++ linux-2.6.38.1/arch/powerpc/platforms/cell/iommu.c 2011-03-21 18:31:35.000000000 -0400
3041 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3043 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3045 -struct dma_map_ops dma_iommu_fixed_ops = {
3046 +const struct dma_map_ops dma_iommu_fixed_ops = {
3047 .alloc_coherent = dma_fixed_alloc_coherent,
3048 .free_coherent = dma_fixed_free_coherent,
3049 .map_sg = dma_fixed_map_sg,
3050 diff -urNp linux-2.6.38.1/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.38.1/arch/powerpc/platforms/ps3/system-bus.c
3051 --- linux-2.6.38.1/arch/powerpc/platforms/ps3/system-bus.c 2011-03-14 21:20:32.000000000 -0400
3052 +++ linux-2.6.38.1/arch/powerpc/platforms/ps3/system-bus.c 2011-03-21 18:31:35.000000000 -0400
3053 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3054 return mask >= DMA_BIT_MASK(32);
3057 -static struct dma_map_ops ps3_sb_dma_ops = {
3058 +static const struct dma_map_ops ps3_sb_dma_ops = {
3059 .alloc_coherent = ps3_alloc_coherent,
3060 .free_coherent = ps3_free_coherent,
3061 .map_sg = ps3_sb_map_sg,
3062 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3063 .unmap_page = ps3_unmap_page,
3066 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3067 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3068 .alloc_coherent = ps3_alloc_coherent,
3069 .free_coherent = ps3_free_coherent,
3070 .map_sg = ps3_ioc0_map_sg,
3071 diff -urNp linux-2.6.38.1/arch/powerpc/sysdev/ppc4xx_cpm.c linux-2.6.38.1/arch/powerpc/sysdev/ppc4xx_cpm.c
3072 --- linux-2.6.38.1/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-03-14 21:20:32.000000000 -0400
3073 +++ linux-2.6.38.1/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-03-21 18:31:35.000000000 -0400
3074 @@ -240,7 +240,7 @@ static int cpm_suspend_enter(suspend_sta
3078 -static struct platform_suspend_ops cpm_suspend_ops = {
3079 +static const struct platform_suspend_ops cpm_suspend_ops = {
3080 .valid = cpm_suspend_valid,
3081 .enter = cpm_suspend_enter,
3083 diff -urNp linux-2.6.38.1/arch/s390/include/asm/elf.h linux-2.6.38.1/arch/s390/include/asm/elf.h
3084 --- linux-2.6.38.1/arch/s390/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
3085 +++ linux-2.6.38.1/arch/s390/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
3086 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
3087 the loader. We need to make sure that it is out of the way of the program
3088 that it will "exec", and that there is sufficient room for the brk. */
3090 -extern unsigned long randomize_et_dyn(unsigned long base);
3091 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
3092 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3094 +#ifdef CONFIG_PAX_ASLR
3095 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3097 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3098 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3101 /* This yields a mask that user programs can use to figure out what
3102 instruction set this CPU supports. */
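Review bot: The three PAX_* macros are added without a word on their units, and `PAX_DELTA_MMAP_LEN`/`PAX_DELTA_STACK_LEN` in particular read as opaque numbers (15 vs 26) chosen per addressing mode. A comment such as `/* PAX_DELTA_*_LEN: number of random bits applied to the mmap/stack base; 31-bit tasks get fewer because of the smaller address space */` would help anyone tuning them later; I take the "random bits" meaning from how PaX uses these names elsewhere, not from this hunk, so confirm it. The stray space in `26 )` on both lines should go.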
3103 @@ -222,7 +228,4 @@ struct linux_binprm;
3104 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
3105 int arch_setup_additional_pages(struct linux_binprm *, int);
3107 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3108 -#define arch_randomize_brk arch_randomize_brk
3111 diff -urNp linux-2.6.38.1/arch/s390/include/asm/system.h linux-2.6.38.1/arch/s390/include/asm/system.h
3112 --- linux-2.6.38.1/arch/s390/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3113 +++ linux-2.6.38.1/arch/s390/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
3114 @@ -449,7 +449,7 @@ extern void (*_machine_restart)(char *co
3115 extern void (*_machine_halt)(void);
3116 extern void (*_machine_power_off)(void);
3118 -extern unsigned long arch_align_stack(unsigned long sp);
3119 +#define arch_align_stack(x) ((x) & ~0xfUL)
3121 static inline int tprot(unsigned long addr)
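Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces a function that, per the body deleted in arch/s390/kernel/process.c further down, also subtracted `get_random_int() & ~PAGE_MASK` when randomize_va_space was on; the macro silently drops that sub-page stack randomization and gives no hint that PaX's own stack delta (PAX_DELTA_STACK_LEN in the elf.h hunk above) is meant to take over. The score hunk makes the same swap with `#define arch_align_stack(x) (x)`, i.e. no alignment at all. A comment above each macro, `/* stack-top randomization is provided by PaX ASLR (PAX_DELTA_STACK_LEN); only the ABI alignment is applied here */`, would make the intent explicit, and for score I would want the ABI alignment confirmed before leaving the macro as the identity.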
3123 diff -urNp linux-2.6.38.1/arch/s390/include/asm/uaccess.h linux-2.6.38.1/arch/s390/include/asm/uaccess.h
3124 --- linux-2.6.38.1/arch/s390/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
3125 +++ linux-2.6.38.1/arch/s390/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
3126 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3127 copy_to_user(void __user *to, const void *from, unsigned long n)
3134 if (access_ok(VERIFY_WRITE, to, n))
3135 n = __copy_to_user(to, from, n);
3137 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3138 static inline unsigned long __must_check
3139 __copy_from_user(void *to, const void __user *from, unsigned long n)
3144 if (__builtin_constant_p(n) && (n <= 256))
3145 return uaccess.copy_from_user_small(n, from, to);
3147 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3148 unsigned int sz = __compiletime_object_size(to);
3155 if (unlikely(sz != -1 && sz < n)) {
3156 copy_from_user_overflow();
3158 diff -urNp linux-2.6.38.1/arch/s390/Kconfig linux-2.6.38.1/arch/s390/Kconfig
3159 --- linux-2.6.38.1/arch/s390/Kconfig 2011-03-14 21:20:32.000000000 -0400
3160 +++ linux-2.6.38.1/arch/s390/Kconfig 2011-03-21 18:31:35.000000000 -0400
3161 @@ -233,11 +233,9 @@ config S390_EXEC_PROTECT
3162 prompt "Data execute protection"
3164 This option allows to enable a buffer overflow protection for user
3165 - space programs and it also selects the addressing mode option above.
3166 - The kernel parameter noexec=on will enable this feature and also
3167 - switch the addressing modes, default is disabled. Enabling this (via
3168 - kernel parameter) on machines earlier than IBM System z9 this will
3169 - reduce system performance.
3171 + Enabling this (via kernel parameter) on machines earlier than IBM
3172 + System z9 this will reduce system performance.
3174 comment "Code generation options"
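Review bot: The rewritten help text still says the feature is enabled "(via kernel parameter)", but the arch/s390/kernel/setup.c hunks further down remove the `noexec=` early_param under CONFIG_S390_EXEC_PROTECT and change the default `user_mode` to SECONDARY_SPACE_MODE, leaving `user_mode=` as the only parameter visible. The help should say what selects the protection after this change, for example `Execute protection is active whenever user space runs in secondary address space mode, which is now the default (see the user_mode= parameter).`; I am inferring the coupling from the setup.c hunks, so check the wording against setup_addressing_mode(). The sentence `Enabling this ... this will reduce system performance` also carries over a duplicated subject from the old text.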
3176 diff -urNp linux-2.6.38.1/arch/s390/kernel/module.c linux-2.6.38.1/arch/s390/kernel/module.c
3177 --- linux-2.6.38.1/arch/s390/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
3178 +++ linux-2.6.38.1/arch/s390/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
3179 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3181 /* Increase core size by size of got & plt and set start
3182 offsets for got and plt. */
3183 - me->core_size = ALIGN(me->core_size, 4);
3184 - me->arch.got_offset = me->core_size;
3185 - me->core_size += me->arch.got_size;
3186 - me->arch.plt_offset = me->core_size;
3187 - me->core_size += me->arch.plt_size;
3188 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3189 + me->arch.got_offset = me->core_size_rw;
3190 + me->core_size_rw += me->arch.got_size;
3191 + me->arch.plt_offset = me->core_size_rx;
3192 + me->core_size_rx += me->arch.plt_size;
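Review bot: The original aligned `core_size` to 4 once before taking both the GOT and the PLT offsets; the new code aligns only `core_size_rw`, and `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset from a size that is never aligned in this hunk. The PLT entries are written as instruction words in the apply_rela hunks below (`ip[0] = 0x0d105810`), so they need at least the alignment the old code guaranteed; add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the plt_offset assignment. module_frob_arch_sections starts and ends outside this hunk.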
3196 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3197 if (info->got_initialized == 0) {
3200 - gotent = me->module_core + me->arch.got_offset +
3201 + gotent = me->module_core_rw + me->arch.got_offset +
3204 info->got_initialized = 1;
3205 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3206 else if (r_type == R_390_GOTENT ||
3207 r_type == R_390_GOTPLTENT)
3208 *(unsigned int *) loc =
3209 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3210 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3211 else if (r_type == R_390_GOT64 ||
3212 r_type == R_390_GOTPLT64)
3213 *(unsigned long *) loc = val;
3214 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3215 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3216 if (info->plt_initialized == 0) {
3218 - ip = me->module_core + me->arch.plt_offset +
3219 + ip = me->module_core_rx + me->arch.plt_offset +
3221 #ifndef CONFIG_64BIT
3222 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3223 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3224 val - loc + 0xffffUL < 0x1ffffeUL) ||
3225 (r_type == R_390_PLT32DBL &&
3226 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3227 - val = (Elf_Addr) me->module_core +
3228 + val = (Elf_Addr) me->module_core_rx +
3229 me->arch.plt_offset +
3231 val += rela->r_addend - loc;
3232 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3233 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3234 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3235 val = val + rela->r_addend -
3236 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3237 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3238 if (r_type == R_390_GOTOFF16)
3239 *(unsigned short *) loc = val;
3240 else if (r_type == R_390_GOTOFF32)
3241 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3243 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3244 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3245 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3246 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3247 rela->r_addend - loc;
3248 if (r_type == R_390_GOTPC)
3249 *(unsigned int *) loc = val;
3250 diff -urNp linux-2.6.38.1/arch/s390/kernel/process.c linux-2.6.38.1/arch/s390/kernel/process.c
3251 --- linux-2.6.38.1/arch/s390/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3252 +++ linux-2.6.38.1/arch/s390/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
3253 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
3258 -unsigned long arch_align_stack(unsigned long sp)
3260 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3261 - sp -= get_random_int() & ~PAGE_MASK;
3265 -static inline unsigned long brk_rnd(void)
3267 - /* 8MB for 32bit, 1GB for 64bit */
3268 - if (is_32bit_task())
3269 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
3271 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
3274 -unsigned long arch_randomize_brk(struct mm_struct *mm)
3276 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
3278 - if (ret < mm->brk)
3283 -unsigned long randomize_et_dyn(unsigned long base)
3285 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
3287 - if (!(current->flags & PF_RANDOMIZE))
3293 diff -urNp linux-2.6.38.1/arch/s390/kernel/setup.c linux-2.6.38.1/arch/s390/kernel/setup.c
3294 --- linux-2.6.38.1/arch/s390/kernel/setup.c 2011-03-14 21:20:32.000000000 -0400
3295 +++ linux-2.6.38.1/arch/s390/kernel/setup.c 2011-03-21 18:31:35.000000000 -0400
3296 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3298 early_param("mem", early_parse_mem);
3300 -unsigned int user_mode = HOME_SPACE_MODE;
3301 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3302 EXPORT_SYMBOL_GPL(user_mode);
3304 static int set_amode_and_uaccess(unsigned long user_amode,
3305 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3310 - * Switch kernel/user addressing modes?
3312 -static int __init early_parse_switch_amode(char *p)
3314 - if (user_mode != SECONDARY_SPACE_MODE)
3315 - user_mode = PRIMARY_SPACE_MODE;
3318 -early_param("switch_amode", early_parse_switch_amode);
3320 static int __init early_parse_user_mode(char *p)
3322 if (p && strcmp(p, "primary") == 0)
3323 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3325 early_param("user_mode", early_parse_user_mode);
3327 -#ifdef CONFIG_S390_EXEC_PROTECT
3329 - * Enable execute protection?
3331 -static int __init early_parse_noexec(char *p)
3333 - if (!strncmp(p, "off", 3))
3335 - user_mode = SECONDARY_SPACE_MODE;
3338 -early_param("noexec", early_parse_noexec);
3339 -#endif /* CONFIG_S390_EXEC_PROTECT */
3341 static void setup_addressing_mode(void)
3343 if (user_mode == SECONDARY_SPACE_MODE) {
3344 diff -urNp linux-2.6.38.1/arch/s390/mm/maccess.c linux-2.6.38.1/arch/s390/mm/maccess.c
3345 --- linux-2.6.38.1/arch/s390/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
3346 +++ linux-2.6.38.1/arch/s390/mm/maccess.c 2011-03-21 18:31:35.000000000 -0400
3347 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3348 return rc ? rc : count;
3351 -long probe_kernel_write(void *dst, void *src, size_t size)
3352 +long probe_kernel_write(void *dst, const void *src, size_t size)
3356 diff -urNp linux-2.6.38.1/arch/s390/mm/mmap.c linux-2.6.38.1/arch/s390/mm/mmap.c
3357 --- linux-2.6.38.1/arch/s390/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3358 +++ linux-2.6.38.1/arch/s390/mm/mmap.c 2011-03-21 18:31:35.000000000 -0400
3359 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
3361 if (mmap_is_legacy()) {
3362 mm->mmap_base = TASK_UNMAPPED_BASE;
3364 +#ifdef CONFIG_PAX_RANDMMAP
3365 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3366 + mm->mmap_base += mm->delta_mmap;
3369 mm->get_unmapped_area = arch_get_unmapped_area;
3370 mm->unmap_area = arch_unmap_area;
3372 mm->mmap_base = mmap_base();
3374 +#ifdef CONFIG_PAX_RANDMMAP
3375 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3376 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3379 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3380 mm->unmap_area = arch_unmap_area_topdown;
3382 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
3384 if (mmap_is_legacy()) {
3385 mm->mmap_base = TASK_UNMAPPED_BASE;
3387 +#ifdef CONFIG_PAX_RANDMMAP
3388 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3389 + mm->mmap_base += mm->delta_mmap;
3392 mm->get_unmapped_area = s390_get_unmapped_area;
3393 mm->unmap_area = arch_unmap_area;
3395 mm->mmap_base = mmap_base();
3397 +#ifdef CONFIG_PAX_RANDMMAP
3398 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3399 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3402 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3403 mm->unmap_area = arch_unmap_area_topdown;
3405 diff -urNp linux-2.6.38.1/arch/score/include/asm/system.h linux-2.6.38.1/arch/score/include/asm/system.h
3406 --- linux-2.6.38.1/arch/score/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3407 +++ linux-2.6.38.1/arch/score/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
3408 @@ -17,7 +17,7 @@ do { \
3409 #define finish_arch_switch(prev) do {} while (0)
3411 typedef void (*vi_handler_t)(void);
3412 -extern unsigned long arch_align_stack(unsigned long sp);
3413 +#define arch_align_stack(x) (x)
3415 #define mb() barrier()
3416 #define rmb() barrier()
3417 diff -urNp linux-2.6.38.1/arch/score/kernel/process.c linux-2.6.38.1/arch/score/kernel/process.c
3418 --- linux-2.6.38.1/arch/score/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3419 +++ linux-2.6.38.1/arch/score/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
3420 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3422 return task_pt_regs(task)->cp0_epc;
3425 -unsigned long arch_align_stack(unsigned long sp)
3429 diff -urNp linux-2.6.38.1/arch/sh/include/asm/dma-mapping.h linux-2.6.38.1/arch/sh/include/asm/dma-mapping.h
3430 --- linux-2.6.38.1/arch/sh/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3431 +++ linux-2.6.38.1/arch/sh/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
3433 #ifndef __ASM_SH_DMA_MAPPING_H
3434 #define __ASM_SH_DMA_MAPPING_H
3436 -extern struct dma_map_ops *dma_ops;
3437 +extern const struct dma_map_ops *dma_ops;
3438 extern void no_iommu_init(void);
3440 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3441 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3445 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3447 static inline int dma_supported(struct device *dev, u64 mask)
3449 - struct dma_map_ops *ops = get_dma_ops(dev);
3450 + const struct dma_map_ops *ops = get_dma_ops(dev);
3452 if (ops->dma_supported)
3453 return ops->dma_supported(dev, mask);
3454 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3456 static inline int dma_set_mask(struct device *dev, u64 mask)
3458 - struct dma_map_ops *ops = get_dma_ops(dev);
3459 + const struct dma_map_ops *ops = get_dma_ops(dev);
3461 if (!dev->dma_mask || !dma_supported(dev, mask))
3463 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3465 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3467 - struct dma_map_ops *ops = get_dma_ops(dev);
3468 + const struct dma_map_ops *ops = get_dma_ops(dev);
3470 if (ops->mapping_error)
3471 return ops->mapping_error(dev, dma_addr);
3472 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3473 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3474 dma_addr_t *dma_handle, gfp_t gfp)
3476 - struct dma_map_ops *ops = get_dma_ops(dev);
3477 + const struct dma_map_ops *ops = get_dma_ops(dev);
3480 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3481 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3482 static inline void dma_free_coherent(struct device *dev, size_t size,
3483 void *vaddr, dma_addr_t dma_handle)
3485 - struct dma_map_ops *ops = get_dma_ops(dev);
3486 + const struct dma_map_ops *ops = get_dma_ops(dev);
3488 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3490 diff -urNp linux-2.6.38.1/arch/sh/kernel/dma-nommu.c linux-2.6.38.1/arch/sh/kernel/dma-nommu.c
3491 --- linux-2.6.38.1/arch/sh/kernel/dma-nommu.c 2011-03-14 21:20:32.000000000 -0400
3492 +++ linux-2.6.38.1/arch/sh/kernel/dma-nommu.c 2011-03-21 18:31:35.000000000 -0400
3493 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3497 -struct dma_map_ops nommu_dma_ops = {
3498 +const struct dma_map_ops nommu_dma_ops = {
3499 .alloc_coherent = dma_generic_alloc_coherent,
3500 .free_coherent = dma_generic_free_coherent,
3501 .map_page = nommu_map_page,
3502 diff -urNp linux-2.6.38.1/arch/sh/kernel/kgdb.c linux-2.6.38.1/arch/sh/kernel/kgdb.c
3503 --- linux-2.6.38.1/arch/sh/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
3504 +++ linux-2.6.38.1/arch/sh/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
3505 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3506 unregister_die_notifier(&kgdb_notifier);
3509 -struct kgdb_arch arch_kgdb_ops = {
3510 +const struct kgdb_arch arch_kgdb_ops = {
3511 /* Breakpoint instruction: trapa #0x3c */
3512 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3513 .gdb_bpt_instr = { 0x3c, 0xc3 },
3514 diff -urNp linux-2.6.38.1/arch/sh/mm/consistent.c linux-2.6.38.1/arch/sh/mm/consistent.c
3515 --- linux-2.6.38.1/arch/sh/mm/consistent.c 2011-03-14 21:20:32.000000000 -0400
3516 +++ linux-2.6.38.1/arch/sh/mm/consistent.c 2011-03-21 18:31:35.000000000 -0400
3519 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3521 -struct dma_map_ops *dma_ops;
3522 +const struct dma_map_ops *dma_ops;
3523 EXPORT_SYMBOL(dma_ops);
3525 static int __init dma_init(void)
3526 diff -urNp linux-2.6.38.1/arch/sh/mm/mmap.c linux-2.6.38.1/arch/sh/mm/mmap.c
3527 --- linux-2.6.38.1/arch/sh/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3528 +++ linux-2.6.38.1/arch/sh/mm/mmap.c 2011-03-21 23:47:41.000000000 -0400
3529 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3530 addr = PAGE_ALIGN(addr);
3532 vma = find_vma(mm, addr);
3533 - if (TASK_SIZE - len >= addr &&
3534 - (!vma || addr + len <= vma->vm_start))
3535 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3539 @@ -106,7 +105,7 @@ full_search:
3543 - if (likely(!vma || addr + len <= vma->vm_start)) {
3544 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3546 * Remember the place where we stopped the search:
3548 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3549 addr = PAGE_ALIGN(addr);
3551 vma = find_vma(mm, addr);
3552 - if (TASK_SIZE - len >= addr &&
3553 - (!vma || addr + len <= vma->vm_start))
3554 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3558 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3559 /* make sure it can fit in the remaining address space */
3560 if (likely(addr > len)) {
3561 vma = find_vma(mm, addr-len);
3562 - if (!vma || addr <= vma->vm_start) {
3563 + if (check_heap_stack_gap(vma, addr - len, len)) {
3564 /* remember the address as a hint for next time */
3565 return (mm->free_area_cache = addr-len);
3567 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3568 if (unlikely(mm->mmap_base < len))
3571 - addr = mm->mmap_base-len;
3572 - if (do_colour_align)
3573 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3574 + addr = mm->mmap_base - len;
3577 + if (do_colour_align)
3578 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3580 * Lookup failure means no vma is above this address,
3581 * else if new region fits below vma->vm_start,
3582 * return with success:
3584 vma = find_vma(mm, addr);
3585 - if (likely(!vma || addr+len <= vma->vm_start)) {
3586 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3587 /* remember the address as a hint for next time */
3588 return (mm->free_area_cache = addr);
3590 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3591 mm->cached_hole_size = vma->vm_start - addr;
3593 /* try just below the current vma->vm_start */
3594 - addr = vma->vm_start-len;
3595 - if (do_colour_align)
3596 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3597 - } while (likely(len < vma->vm_start));
3598 + addr = skip_heap_stack_gap(vma, len);
3599 + } while (!IS_ERR_VALUE(addr));
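Review bot: The rewritten retry step loses the colour alignment the removed lines applied: `addr = skip_heap_stack_gap(vma, len);` stands in for `addr = vma->vm_start-len; if (do_colour_align) addr = COLOUR_ALIGN_DOWN(addr, pgoff);`, yet the helper receives neither `pgoff` nor `do_colour_align`. Unless skip_heap_stack_gap (not visible here) aligns on its own, the loop head will accept and return the next candidate without honouring SHMLBA colouring, so a shared mapping can be placed at a wrongly-coloured address; the first candidate `mm->mmap_base - len` above is still aligned, so only the retry path regresses. I would re-apply the alignment after the call: `addr = skip_heap_stack_gap(vma, len); if (!IS_ERR_VALUE(addr) && do_colour_align) addr = COLOUR_ALIGN_DOWN(addr, pgoff);`. arch_get_unmapped_area_topdown continues past the end of the hunk.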
3603 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/atomic_64.h linux-2.6.38.1/arch/sparc/include/asm/atomic_64.h
3604 --- linux-2.6.38.1/arch/sparc/include/asm/atomic_64.h 2011-03-14 21:20:32.000000000 -0400
3605 +++ linux-2.6.38.1/arch/sparc/include/asm/atomic_64.h 2011-03-21 18:31:35.000000000 -0400
3607 #define ATOMIC64_INIT(i) { (i) }
3609 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3610 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3612 + return v->counter;
3614 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3615 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3617 + return v->counter;
3620 #define atomic_set(v, i) (((v)->counter) = i)
3621 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3625 #define atomic64_set(v, i) (((v)->counter) = i)
3626 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3631 extern void atomic_add(int, atomic_t *);
3632 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3633 extern void atomic64_add(long, atomic64_t *);
3634 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3635 extern void atomic_sub(int, atomic_t *);
3636 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3637 extern void atomic64_sub(long, atomic64_t *);
3638 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3640 extern int atomic_add_ret(int, atomic_t *);
3641 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3642 extern long atomic64_add_ret(long, atomic64_t *);
3643 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3644 extern int atomic_sub_ret(int, atomic_t *);
3645 extern long atomic64_sub_ret(long, atomic64_t *);
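Review bot: `atomic_read_unchecked` and `atomic64_read_unchecked` return `v->counter` through a plain load, while the `atomic_read`/`atomic64_read` macros right above them go through `(volatile int *)`/`(volatile long *)` casts; the unchecked variants can therefore be hoisted or cached by the compiler in a polling loop, exactly what the volatile access on the checked variants guards against. I would mirror the existing macros: `return (*(volatile int *)&v->counter);` and `return (*(volatile long *)&v->counter);`. The bodies of the `*_set_unchecked` helpers are not shown in this view, so I cannot say whether they need the same treatment.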
3647 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3648 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3650 #define atomic_inc_return(v) atomic_add_ret(1, v)
3651 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3653 + return atomic_add_ret_unchecked(1, v);
3655 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3656 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3658 + return atomic64_add_ret_unchecked(1, v);
3661 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3662 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3664 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3665 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3667 + return atomic_add_ret_unchecked(i, v);
3669 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3672 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3673 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3675 #define atomic_inc(v) atomic_add(1, v)
3676 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3678 + atomic_add_unchecked(1, v);
3680 #define atomic64_inc(v) atomic64_add(1, v)
3681 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3683 + atomic64_add_unchecked(1, v);
3686 #define atomic_dec(v) atomic_sub(1, v)
3687 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3689 + atomic_sub_unchecked(1, v);
3691 #define atomic64_dec(v) atomic64_sub(1, v)
3692 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3694 + atomic64_sub_unchecked(1, v);
3697 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3698 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3699 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3701 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3707 - if (unlikely(c == (u)))
3708 + if (unlikely(c == u))
3710 - old = atomic_cmpxchg((v), c, c + (a));
3712 + asm volatile("addcc %2, %0, %0\n"
3714 +#ifdef CONFIG_PAX_REFCOUNT
3719 + : "0" (c), "ir" (a)
3722 + old = atomic_cmpxchg(v, c, new);
3723 if (likely(old == c))
3731 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3732 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3734 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3738 c = atomic64_read(v);
3740 - if (unlikely(c == (u)))
3741 + if (unlikely(c == u))
3743 - old = atomic64_cmpxchg((v), c, c + (a));
3745 + asm volatile("addcc %2, %0, %0\n"
3747 +#ifdef CONFIG_PAX_REFCOUNT
3752 + : "0" (c), "ir" (a)
3755 + old = atomic64_cmpxchg(v, c, new);
3756 if (likely(old == c))
3764 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3765 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/dma-mapping.h linux-2.6.38.1/arch/sparc/include/asm/dma-mapping.h
3766 --- linux-2.6.38.1/arch/sparc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3767 +++ linux-2.6.38.1/arch/sparc/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
3768 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3769 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3770 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3772 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3773 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3774 extern struct bus_type pci_bus_type;
3776 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3777 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3779 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3780 if (dev->bus == &pci_bus_type)
3781 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3782 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3783 dma_addr_t *dma_handle, gfp_t flag)
3785 - struct dma_map_ops *ops = get_dma_ops(dev);
3786 + const struct dma_map_ops *ops = get_dma_ops(dev);
3789 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3790 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3791 static inline void dma_free_coherent(struct device *dev, size_t size,
3792 void *cpu_addr, dma_addr_t dma_handle)
3794 - struct dma_map_ops *ops = get_dma_ops(dev);
3795 + const struct dma_map_ops *ops = get_dma_ops(dev);
3797 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3798 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3799 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/elf_32.h linux-2.6.38.1/arch/sparc/include/asm/elf_32.h
3800 --- linux-2.6.38.1/arch/sparc/include/asm/elf_32.h 2011-03-14 21:20:32.000000000 -0400
3801 +++ linux-2.6.38.1/arch/sparc/include/asm/elf_32.h 2011-03-21 18:31:35.000000000 -0400
3802 @@ -114,6 +114,13 @@ typedef struct {
3804 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3806 +#ifdef CONFIG_PAX_ASLR
3807 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3809 +#define PAX_DELTA_MMAP_LEN 16
3810 +#define PAX_DELTA_STACK_LEN 16
3813 /* This yields a mask that user programs can use to figure out what
3814 instruction set this cpu supports. This can NOT be done in userspace
3816 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/elf_64.h linux-2.6.38.1/arch/sparc/include/asm/elf_64.h
3817 --- linux-2.6.38.1/arch/sparc/include/asm/elf_64.h 2011-03-14 21:20:32.000000000 -0400
3818 +++ linux-2.6.38.1/arch/sparc/include/asm/elf_64.h 2011-03-21 18:31:35.000000000 -0400
3819 @@ -162,6 +162,12 @@ typedef struct {
3820 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3821 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3823 +#ifdef CONFIG_PAX_ASLR
3824 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3826 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3827 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3830 /* This yields a mask that user programs can use to figure out what
3831 instruction set this cpu supports. */
3832 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/pgtable_32.h linux-2.6.38.1/arch/sparc/include/asm/pgtable_32.h
3833 --- linux-2.6.38.1/arch/sparc/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
3834 +++ linux-2.6.38.1/arch/sparc/include/asm/pgtable_32.h 2011-03-21 18:31:35.000000000 -0400
3835 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3836 BTFIXUPDEF_INT(page_none)
3837 BTFIXUPDEF_INT(page_copy)
3838 BTFIXUPDEF_INT(page_readonly)
3840 +#ifdef CONFIG_PAX_PAGEEXEC
3841 +BTFIXUPDEF_INT(page_shared_noexec)
3842 +BTFIXUPDEF_INT(page_copy_noexec)
3843 +BTFIXUPDEF_INT(page_readonly_noexec)
3846 BTFIXUPDEF_INT(page_kernel)
3848 #define PMD_SHIFT SUN4C_PMD_SHIFT
3849 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3850 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3851 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3853 +#ifdef CONFIG_PAX_PAGEEXEC
3854 +extern pgprot_t PAGE_SHARED_NOEXEC;
3855 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3856 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3858 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3859 +# define PAGE_COPY_NOEXEC PAGE_COPY
3860 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3863 extern unsigned long page_kernel;
3866 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.38.1/arch/sparc/include/asm/pgtsrmmu.h
3867 --- linux-2.6.38.1/arch/sparc/include/asm/pgtsrmmu.h 2011-03-14 21:20:32.000000000 -0400
3868 +++ linux-2.6.38.1/arch/sparc/include/asm/pgtsrmmu.h 2011-03-21 18:31:35.000000000 -0400
3869 @@ -115,6 +115,13 @@
3870 SRMMU_EXEC | SRMMU_REF)
3871 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3872 SRMMU_EXEC | SRMMU_REF)
3874 +#ifdef CONFIG_PAX_PAGEEXEC
3875 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3876 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3877 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3880 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3881 SRMMU_DIRTY | SRMMU_REF)
3883 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/spinlock_64.h linux-2.6.38.1/arch/sparc/include/asm/spinlock_64.h
3884 --- linux-2.6.38.1/arch/sparc/include/asm/spinlock_64.h 2011-03-14 21:20:32.000000000 -0400
3885 +++ linux-2.6.38.1/arch/sparc/include/asm/spinlock_64.h 2011-03-21 18:31:35.000000000 -0400
3886 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3887 __asm__ __volatile__ (
3888 "1: ldsw [%2], %0\n"
3890 -"4: add %0, 1, %1\n"
3891 +"4: addcc %0, 1, %1\n"
3893 +#ifdef CONFIG_PAX_REFCOUNT
3897 " cas [%2], %0, %1\n"
3899 " bne,pn %%icc, 1b\n"
3900 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3902 : "=&r" (tmp1), "=&r" (tmp2)
3905 + : "memory", "cc");
3908 static int inline arch_read_trylock(arch_rwlock_t *lock)
3909 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3910 "1: ldsw [%2], %0\n"
3911 " brlz,a,pn %0, 2f\n"
3914 +" addcc %0, 1, %1\n"
3916 +#ifdef CONFIG_PAX_REFCOUNT
3920 " cas [%2], %0, %1\n"
3922 " bne,pn %%icc, 1b\n"
3923 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3925 __asm__ __volatile__(
3926 "1: lduw [%2], %0\n"
3928 +" subcc %0, 1, %1\n"
3930 +#ifdef CONFIG_PAX_REFCOUNT
3934 " cas [%2], %0, %1\n"
3936 " bne,pn %%xcc, 1b\n"
3937 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/uaccess_32.h linux-2.6.38.1/arch/sparc/include/asm/uaccess_32.h
3938 --- linux-2.6.38.1/arch/sparc/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
3939 +++ linux-2.6.38.1/arch/sparc/include/asm/uaccess_32.h 2011-03-21 18:31:35.000000000 -0400
3940 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3942 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3944 - if (n && __access_ok((unsigned long) to, n))
3948 + if (n && __access_ok((unsigned long) to, n)) {
3949 + if (!__builtin_constant_p(n))
3950 + check_object_size(from, n, true);
3951 return __copy_user(to, (__force void __user *) from, n);
3957 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3962 + if (!__builtin_constant_p(n))
3963 + check_object_size(from, n, true);
3965 return __copy_user(to, (__force void __user *) from, n);
3968 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3970 - if (n && __access_ok((unsigned long) from, n))
3974 + if (n && __access_ok((unsigned long) from, n)) {
3975 + if (!__builtin_constant_p(n))
3976 + check_object_size(to, n, false);
3977 return __copy_user((__force void __user *) to, from, n);
3983 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3988 return __copy_user((__force void __user *) to, from, n);
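Review bot: `__copy_from_user` is the only one of the four helpers in this hunk that does not gain a `check_object_size` call on the visible lines: `__copy_to_user` checks `from`, both `copy_*_user` variants check their kernel-side buffer, but after `__copy_from_user`'s signature only the unchanged `return __copy_user(...)` appears. A user-controlled length written into a kernel object is the more dangerous direction, so the asymmetry looks unintended unless the lines omitted from this view add it; I would insert `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call, matching `copy_from_user` above.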
3991 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/uaccess_64.h linux-2.6.38.1/arch/sparc/include/asm/uaccess_64.h
3992 --- linux-2.6.38.1/arch/sparc/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
3993 +++ linux-2.6.38.1/arch/sparc/include/asm/uaccess_64.h 2011-03-21 18:31:35.000000000 -0400
3995 #include <linux/compiler.h>
3996 #include <linux/string.h>
3997 #include <linux/thread_info.h>
3998 +#include <linux/kernel.h>
3999 #include <asm/asi.h>
4000 #include <asm/system.h>
4001 #include <asm/spitfire.h>
4002 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
4003 static inline unsigned long __must_check
4004 copy_from_user(void *to, const void __user *from, unsigned long size)
4006 - unsigned long ret = ___copy_from_user(to, from, size);
4007 + unsigned long ret;
4009 + if ((long)size < 0 || size > INT_MAX)
4012 + if (!__builtin_constant_p(size))
4013 + check_object_size(to, size, false);
4015 + ret = ___copy_from_user(to, from, size);
4017 ret = copy_from_user_fixup(to, from, size);
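Review bot: In the new guard `if ((long)size < 0 || size > INT_MAX)` the first clause is dead on sparc64: `unsigned long` is 64 bits wide there, so any value with the sign bit set is already greater than INT_MAX and rejected by the second comparison. `if (size > INT_MAX)` expresses the same check, and a one-line comment on why INT_MAX is the bound (presumably the width `___copy_from_user`/`copy_from_user_fixup` can handle, though nothing in the hunk says so) would help the next reader. The same construct is repeated in the copy_to_user hunk below, and the line that returns from the guard is not shown in this view.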
4019 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4020 static inline unsigned long __must_check
4021 copy_to_user(void __user *to, const void *from, unsigned long size)
4023 - unsigned long ret = ___copy_to_user(to, from, size);
4024 + unsigned long ret;
4026 + if ((long)size < 0 || size > INT_MAX)
4029 + if (!__builtin_constant_p(size))
4030 + check_object_size(from, size, true);
4032 + ret = ___copy_to_user(to, from, size);
4034 ret = copy_to_user_fixup(to, from, size);
4036 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/uaccess.h linux-2.6.38.1/arch/sparc/include/asm/uaccess.h
4037 --- linux-2.6.38.1/arch/sparc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
4038 +++ linux-2.6.38.1/arch/sparc/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
4040 #ifndef ___ASM_SPARC_UACCESS_H
4041 #define ___ASM_SPARC_UACCESS_H
4044 +#ifndef __ASSEMBLY__
4045 +#include <linux/types.h>
4046 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4050 #if defined(__sparc__) && defined(__arch64__)
4051 #include <asm/uaccess_64.h>
4053 diff -urNp linux-2.6.38.1/arch/sparc/kernel/iommu.c linux-2.6.38.1/arch/sparc/kernel/iommu.c
4054 --- linux-2.6.38.1/arch/sparc/kernel/iommu.c 2011-03-14 21:20:32.000000000 -0400
4055 +++ linux-2.6.38.1/arch/sparc/kernel/iommu.c 2011-03-21 18:31:35.000000000 -0400
4056 @@ -827,7 +827,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4057 spin_unlock_irqrestore(&iommu->lock, flags);
4060 -static struct dma_map_ops sun4u_dma_ops = {
4061 +static const struct dma_map_ops sun4u_dma_ops = {
4062 .alloc_coherent = dma_4u_alloc_coherent,
4063 .free_coherent = dma_4u_free_coherent,
4064 .map_page = dma_4u_map_page,
4065 @@ -838,7 +838,7 @@ static struct dma_map_ops sun4u_dma_ops
4066 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4069 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4070 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4071 EXPORT_SYMBOL(dma_ops);
4073 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4074 diff -urNp linux-2.6.38.1/arch/sparc/kernel/ioport.c linux-2.6.38.1/arch/sparc/kernel/ioport.c
4075 --- linux-2.6.38.1/arch/sparc/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
4076 +++ linux-2.6.38.1/arch/sparc/kernel/ioport.c 2011-03-21 18:31:35.000000000 -0400
4077 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4081 -struct dma_map_ops sbus_dma_ops = {
4082 +const struct dma_map_ops sbus_dma_ops = {
4083 .alloc_coherent = sbus_alloc_coherent,
4084 .free_coherent = sbus_free_coherent,
4085 .map_page = sbus_map_page,
4086 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4087 .sync_sg_for_device = sbus_sync_sg_for_device,
4090 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4091 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4092 EXPORT_SYMBOL(dma_ops);
4094 static int __init sparc_register_ioport(void)
4095 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4099 -struct dma_map_ops pci32_dma_ops = {
4100 +const struct dma_map_ops pci32_dma_ops = {
4101 .alloc_coherent = pci32_alloc_coherent,
4102 .free_coherent = pci32_free_coherent,
4103 .map_page = pci32_map_page,
4104 diff -urNp linux-2.6.38.1/arch/sparc/kernel/kgdb_32.c linux-2.6.38.1/arch/sparc/kernel/kgdb_32.c
4105 --- linux-2.6.38.1/arch/sparc/kernel/kgdb_32.c 2011-03-14 21:20:32.000000000 -0400
4106 +++ linux-2.6.38.1/arch/sparc/kernel/kgdb_32.c 2011-03-21 18:31:35.000000000 -0400
4107 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4108 regs->npc = regs->pc + 4;
4111 -struct kgdb_arch arch_kgdb_ops = {
4112 +const struct kgdb_arch arch_kgdb_ops = {
4113 /* Breakpoint instruction: ta 0x7d */
4114 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4116 diff -urNp linux-2.6.38.1/arch/sparc/kernel/kgdb_64.c linux-2.6.38.1/arch/sparc/kernel/kgdb_64.c
4117 --- linux-2.6.38.1/arch/sparc/kernel/kgdb_64.c 2011-03-14 21:20:32.000000000 -0400
4118 +++ linux-2.6.38.1/arch/sparc/kernel/kgdb_64.c 2011-03-21 18:31:35.000000000 -0400
4119 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4120 regs->tnpc = regs->tpc + 4;
4123 -struct kgdb_arch arch_kgdb_ops = {
4124 +const struct kgdb_arch arch_kgdb_ops = {
4125 /* Breakpoint instruction: ta 0x72 */
4126 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4128 diff -urNp linux-2.6.38.1/arch/sparc/kernel/Makefile linux-2.6.38.1/arch/sparc/kernel/Makefile
4129 --- linux-2.6.38.1/arch/sparc/kernel/Makefile 2011-03-14 21:20:32.000000000 -0400
4130 +++ linux-2.6.38.1/arch/sparc/kernel/Makefile 2011-03-21 18:31:35.000000000 -0400
4135 -ccflags-y := -Werror
4136 +#ccflags-y := -Werror
4138 extra-y := head_$(BITS).o
4139 extra-y += init_task.o
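Review bot: Commenting out `ccflags-y := -Werror` silences every warning in arch/sparc/kernel rather than fixing whichever one this patch introduces, and the loss persists for every future change to the directory. If a specific warning is the trigger (the const-qualification of dma_ops or the new check_object_size prototype are plausible candidates, but the hunk does not say), fix the offending line or scope the exemption to it, e.g. `CFLAGS_REMOVE_ioport.o := -Werror` for one object, or keep `-Werror` and add the one `-Wno-...` flag that is needed. A comment naming the warning being suppressed would also be warranted if the blanket removal has to stay.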
4140 diff -urNp linux-2.6.38.1/arch/sparc/kernel/pci_sun4v.c linux-2.6.38.1/arch/sparc/kernel/pci_sun4v.c
4141 --- linux-2.6.38.1/arch/sparc/kernel/pci_sun4v.c 2011-03-14 21:20:32.000000000 -0400
4142 +++ linux-2.6.38.1/arch/sparc/kernel/pci_sun4v.c 2011-03-21 18:31:35.000000000 -0400
4143 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4144 spin_unlock_irqrestore(&iommu->lock, flags);
4147 -static struct dma_map_ops sun4v_dma_ops = {
4148 +static const struct dma_map_ops sun4v_dma_ops = {
4149 .alloc_coherent = dma_4v_alloc_coherent,
4150 .free_coherent = dma_4v_free_coherent,
4151 .map_page = dma_4v_map_page,
4152 diff -urNp linux-2.6.38.1/arch/sparc/kernel/process_32.c linux-2.6.38.1/arch/sparc/kernel/process_32.c
4153 --- linux-2.6.38.1/arch/sparc/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
4154 +++ linux-2.6.38.1/arch/sparc/kernel/process_32.c 2011-03-21 18:31:35.000000000 -0400
4155 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4156 rw->ins[4], rw->ins[5],
4159 - printk("%pS\n", (void *) rw->ins[7]);
4160 + printk("%pA\n", (void *) rw->ins[7]);
4161 rw = (struct reg_window32 *) rw->ins[6];
4163 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4164 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4166 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4167 r->psr, r->pc, r->npc, r->y, print_tainted());
4168 - printk("PC: <%pS>\n", (void *) r->pc);
4169 + printk("PC: <%pA>\n", (void *) r->pc);
4170 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4171 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4172 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4173 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4174 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4175 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4176 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4177 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4179 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4180 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4181 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4182 rw = (struct reg_window32 *) fp;
4184 printk("[%08lx : ", pc);
4185 - printk("%pS ] ", (void *) pc);
4186 + printk("%pA ] ", (void *) pc);
4188 } while (++count < 16);
4190 diff -urNp linux-2.6.38.1/arch/sparc/kernel/process_64.c linux-2.6.38.1/arch/sparc/kernel/process_64.c
4191 --- linux-2.6.38.1/arch/sparc/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
4192 +++ linux-2.6.38.1/arch/sparc/kernel/process_64.c 2011-03-21 18:31:35.000000000 -0400
4193 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4194 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4195 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4196 if (regs->tstate & TSTATE_PRIV)
4197 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4198 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4201 void show_regs(struct pt_regs *regs)
4203 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4204 regs->tpc, regs->tnpc, regs->y, print_tainted());
4205 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4206 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4207 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4208 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4210 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4211 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4212 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4214 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4215 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4216 show_regwindow(regs);
4217 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4219 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4220 ((tp && tp->task) ? tp->task->pid : -1));
4222 if (gp->tstate & TSTATE_PRIV) {
4223 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4224 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4228 diff -urNp linux-2.6.38.1/arch/sparc/kernel/sys_sparc_32.c linux-2.6.38.1/arch/sparc/kernel/sys_sparc_32.c
4229 --- linux-2.6.38.1/arch/sparc/kernel/sys_sparc_32.c 2011-03-14 21:20:32.000000000 -0400
4230 +++ linux-2.6.38.1/arch/sparc/kernel/sys_sparc_32.c 2011-03-21 18:31:35.000000000 -0400
4231 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
4232 if (ARCH_SUN4C && len > 0x20000000)
4235 - addr = TASK_UNMAPPED_BASE;
4236 + addr = current->mm->mmap_base;
4238 if (flags & MAP_SHARED)
4239 addr = COLOUR_ALIGN(addr);
4240 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
4242 if (TASK_SIZE - PAGE_SIZE - len < addr)
4244 - if (!vmm || addr + len <= vmm->vm_start)
4245 + if (check_heap_stack_gap(vmm, addr, len))
4248 if (flags & MAP_SHARED)
4249 diff -urNp linux-2.6.38.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.38.1/arch/sparc/kernel/sys_sparc_64.c
4250 --- linux-2.6.38.1/arch/sparc/kernel/sys_sparc_64.c 2011-03-14 21:20:32.000000000 -0400
4251 +++ linux-2.6.38.1/arch/sparc/kernel/sys_sparc_64.c 2011-03-21 23:47:41.000000000 -0400
4252 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4253 /* We do not accept a shared mapping if it would violate
4254 * cache aliasing constraints.
4256 - if ((flags & MAP_SHARED) &&
4257 + if ((filp || (flags & MAP_SHARED)) &&
4258 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
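Review bot: The comment above the changed condition still says "a shared mapping", but the condition now also covers any file-backed MAP_FIXED request (`filp ||`) whose address is not colour-aligned, so the comment is stale; I would change it to `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`. This is also a user-visible tightening: a MAP_FIXED|MAP_PRIVATE file mapping at a page-aligned but non-SHMLBA-coloured offset is now rejected where it was previously accepted, which deserves a sentence in the patch description so any loader breakage can be traced back. The same change is made in the topdown hunk further down (`@@ -215,7 +218,7 @@`).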
4261 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4262 if (filp || (flags & MAP_SHARED))
4265 +#ifdef CONFIG_PAX_RANDMMAP
4266 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4271 addr = COLOUR_ALIGN(addr, pgoff);
4272 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4273 addr = PAGE_ALIGN(addr);
4275 vma = find_vma(mm, addr);
4276 - if (task_size - len >= addr &&
4277 - (!vma || addr + len <= vma->vm_start))
4278 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4282 if (len > mm->cached_hole_size) {
4283 - start_addr = addr = mm->free_area_cache;
4284 + start_addr = addr = mm->free_area_cache;
4286 - start_addr = addr = TASK_UNMAPPED_BASE;
4287 + start_addr = addr = mm->mmap_base;
4288 mm->cached_hole_size = 0;
4291 @@ -174,14 +177,14 @@ full_search:
4292 vma = find_vma(mm, VA_EXCLUDE_END);
4294 if (unlikely(task_size < addr)) {
4295 - if (start_addr != TASK_UNMAPPED_BASE) {
4296 - start_addr = addr = TASK_UNMAPPED_BASE;
4297 + if (start_addr != mm->mmap_base) {
4298 + start_addr = addr = mm->mmap_base;
4299 mm->cached_hole_size = 0;
4304 - if (likely(!vma || addr + len <= vma->vm_start)) {
4305 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4307 * Remember the place where we stopped the search:
4309 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4310 /* We do not accept a shared mapping if it would violate
4311 * cache aliasing constraints.
4313 - if ((flags & MAP_SHARED) &&
4314 + if ((filp || (flags & MAP_SHARED)) &&
4315 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4318 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4319 addr = PAGE_ALIGN(addr);
4321 vma = find_vma(mm, addr);
4322 - if (task_size - len >= addr &&
4323 - (!vma || addr + len <= vma->vm_start))
4324 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4328 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4329 /* make sure it can fit in the remaining address space */
4330 if (likely(addr > len)) {
4331 vma = find_vma(mm, addr-len);
4332 - if (!vma || addr <= vma->vm_start) {
4333 + if (check_heap_stack_gap(vma, addr - len, len)) {
4334 /* remember the address as a hint for next time */
4335 return (mm->free_area_cache = addr-len);
4337 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
4338 if (unlikely(mm->mmap_base < len))
4341 - addr = mm->mmap_base-len;
4342 - if (do_color_align)
4343 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4344 + addr = mm->mmap_base - len;
4347 + if (do_color_align)
4348 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4350 * Lookup failure means no vma is above this address,
4351 * else if new region fits below vma->vm_start,
4352 * return with success:
4354 vma = find_vma(mm, addr);
4355 - if (likely(!vma || addr+len <= vma->vm_start)) {
4356 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4357 /* remember the address as a hint for next time */
4358 return (mm->free_area_cache = addr);
4360 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
4361 mm->cached_hole_size = vma->vm_start - addr;
4363 /* try just below the current vma->vm_start */
4364 - addr = vma->vm_start-len;
4365 - if (do_color_align)
4366 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4367 - } while (likely(len < vma->vm_start));
4368 + addr = skip_heap_stack_gap(vma, len);
4369 + } while (!IS_ERR_VALUE(addr));
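Review bot: The new retry step `addr = skip_heap_stack_gap(vma, len);` no longer applies `COLOUR_ALIGN_DOWN(addr, pgoff)` when `do_color_align` is set, which the removed lines did on every iteration, and the helper is passed neither `pgoff` nor the alignment flag. Unless skip_heap_stack_gap aligns internally (its definition is outside this diff), the loop head's `check_heap_stack_gap` can succeed on an unaligned candidate and `arch_get_unmapped_area_topdown` returns an address that violates the SHMLBA constraint for a file-backed or shared mapping; only the initial `mm->mmap_base - len` candidate keeps its alignment. I would follow the call with `if (!IS_ERR_VALUE(addr) && do_color_align) addr = COLOUR_ALIGN_DOWN(addr, pgoff);`. The function continues beyond the hunk.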
4373 @@ -385,6 +385,12 @@ void arch_pick_mmap_layout(struct mm_str
4374 gap == RLIM_INFINITY ||
4375 sysctl_legacy_va_layout) {
4376 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4378 +#ifdef CONFIG_PAX_RANDMMAP
4379 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4380 + mm->mmap_base += mm->delta_mmap;
4383 mm->get_unmapped_area = arch_get_unmapped_area;
4384 mm->unmap_area = arch_unmap_area;
4386 @@ -397,6 +403,12 @@ void arch_pick_mmap_layout(struct mm_str
4387 gap = (task_size / 6 * 5);
4389 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4391 +#ifdef CONFIG_PAX_RANDMMAP
4392 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4393 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4396 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4397 mm->unmap_area = arch_unmap_area_topdown;
4399 diff -urNp linux-2.6.38.1/arch/sparc/kernel/traps_32.c linux-2.6.38.1/arch/sparc/kernel/traps_32.c
4400 --- linux-2.6.38.1/arch/sparc/kernel/traps_32.c 2011-03-14 21:20:32.000000000 -0400
4401 +++ linux-2.6.38.1/arch/sparc/kernel/traps_32.c 2011-03-21 18:31:35.000000000 -0400
4402 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4404 (((unsigned long) rw) >= PAGE_OFFSET) &&
4405 !(((unsigned long) rw) & 0x7)) {
4406 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4407 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4408 (void *) rw->ins[7]);
4409 rw = (struct reg_window32 *)rw->ins[6];
4411 diff -urNp linux-2.6.38.1/arch/sparc/kernel/traps_64.c linux-2.6.38.1/arch/sparc/kernel/traps_64.c
4412 --- linux-2.6.38.1/arch/sparc/kernel/traps_64.c 2011-03-14 21:20:32.000000000 -0400
4413 +++ linux-2.6.38.1/arch/sparc/kernel/traps_64.c 2011-03-21 18:31:35.000000000 -0400
4414 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4416 p->trapstack[i].tstate, p->trapstack[i].tpc,
4417 p->trapstack[i].tnpc, p->trapstack[i].tt);
4418 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4419 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4423 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4426 if (regs->tstate & TSTATE_PRIV) {
4428 +#ifdef CONFIG_PAX_REFCOUNT
4430 + pax_report_refcount_overflow(regs);
4433 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4434 die_if_kernel(buffer, regs);
4436 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4437 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4442 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4443 0, lvl, SIGTRAP) == NOTIFY_STOP)
4446 +#ifdef CONFIG_PAX_REFCOUNT
4448 + pax_report_refcount_overflow(regs);
4451 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4453 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4454 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4455 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4456 printk("%s" "ERROR(%d): ",
4457 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4458 - printk("TPC<%pS>\n", (void *) regs->tpc);
4459 + printk("TPC<%pA>\n", (void *) regs->tpc);
4460 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4461 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4462 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4463 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4465 (type & 0x1) ? 'I' : 'D',
4467 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4468 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4469 panic("Irrecoverable Cheetah+ parity error.");
4472 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4474 (type & 0x1) ? 'I' : 'D',
4476 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4477 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4480 struct sun4v_error_entry {
4481 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4483 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4485 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4486 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4487 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4488 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4489 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4490 (void *) regs->u_regs[UREG_I7]);
4491 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4492 "pte[%lx] error[%lx]\n",
4493 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4495 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4497 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4498 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4499 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4500 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4501 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4502 (void *) regs->u_regs[UREG_I7]);
4503 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4504 "pte[%lx] error[%lx]\n",
4505 @@ -2196,13 +2207,13 @@ void show_stack(struct task_struct *tsk,
4506 fp = (unsigned long)sf->fp + STACK_BIAS;
4509 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4510 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4511 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4512 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4513 int index = tsk->curr_ret_stack;
4514 if (tsk->ret_stack && index >= graph) {
4515 pc = tsk->ret_stack[index - graph].ret;
4516 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4517 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4521 @@ -2255,7 +2266,7 @@ void die_if_kernel(char *str, struct pt_
4524 kstack_valid(tp, (unsigned long) rw)) {
4525 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4526 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4527 (void *) rw->ins[7]);
4529 rw = kernel_stack_up(rw);
4530 diff -urNp linux-2.6.38.1/arch/sparc/kernel/unaligned_64.c linux-2.6.38.1/arch/sparc/kernel/unaligned_64.c
4531 --- linux-2.6.38.1/arch/sparc/kernel/unaligned_64.c 2011-03-14 21:20:32.000000000 -0400
4532 +++ linux-2.6.38.1/arch/sparc/kernel/unaligned_64.c 2011-03-21 18:31:35.000000000 -0400
4533 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4534 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4536 if (__ratelimit(&ratelimit)) {
4537 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4538 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4539 regs->tpc, (void *) regs->tpc);
4542 diff -urNp linux-2.6.38.1/arch/sparc/lib/atomic_64.S linux-2.6.38.1/arch/sparc/lib/atomic_64.S
4543 --- linux-2.6.38.1/arch/sparc/lib/atomic_64.S 2011-03-14 21:20:32.000000000 -0400
4544 +++ linux-2.6.38.1/arch/sparc/lib/atomic_64.S 2011-03-21 18:31:35.000000000 -0400
4546 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4550 + addcc %g1, %o0, %g7
4552 +#ifdef CONFIG_PAX_REFCOUNT
4558 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4559 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4560 2: BACKOFF_SPIN(%o2, %o3, 1b)
4561 .size atomic_add, .-atomic_add
4563 + .globl atomic_add_unchecked
4564 + .type atomic_add_unchecked,#function
4565 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4566 + BACKOFF_SETUP(%o2)
4569 + cas [%o1], %g1, %g7
4575 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4576 + .size atomic_add_unchecked, .-atomic_add_unchecked
4579 .type atomic_sub,#function
4580 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4584 + subcc %g1, %o0, %g7
4586 +#ifdef CONFIG_PAX_REFCOUNT
4592 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
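Review bot: The new `atomic_add_unchecked` entry (and the `_unchecked` twins added in the @@ -43, @@ -58, @@ -88, @@ -103 and @@ -118 hunks) carries no comment saying how it differs from `atomic_add`; from the visible lines the difference appears to be that the `#ifdef CONFIG_PAX_REFCOUNT` overflow check is left out, but the check body itself is not on this page, so that is inferred. A one-line header such as `/* as atomic_add but without the CONFIG_PAX_REFCOUNT overflow trap: only for counters that may legitimately wrap */` above the `.globl` would let a reader pick the right variant without diffing the two bodies. The same line belongs on each of the other `_unchecked` entries.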
4593 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4594 2: BACKOFF_SPIN(%o2, %o3, 1b)
4595 .size atomic_sub, .-atomic_sub
4597 + .globl atomic_sub_unchecked
4598 + .type atomic_sub_unchecked,#function
4599 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4600 + BACKOFF_SETUP(%o2)
4603 + cas [%o1], %g1, %g7
4609 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4610 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4612 .globl atomic_add_ret
4613 .type atomic_add_ret,#function
4614 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4618 + addcc %g1, %o0, %g7
4620 +#ifdef CONFIG_PAX_REFCOUNT
4626 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4627 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4628 2: BACKOFF_SPIN(%o2, %o3, 1b)
4629 .size atomic_add_ret, .-atomic_add_ret
4631 + .globl atomic_add_ret_unchecked
4632 + .type atomic_add_ret_unchecked,#function
4633 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4634 + BACKOFF_SETUP(%o2)
4636 + addcc %g1, %o0, %g7
4637 + cas [%o1], %g1, %g7
4644 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4645 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4647 .globl atomic_sub_ret
4648 .type atomic_sub_ret,#function
4649 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4653 + subcc %g1, %o0, %g7
4655 +#ifdef CONFIG_PAX_REFCOUNT
4661 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4662 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4663 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4667 + addcc %g1, %o0, %g7
4669 +#ifdef CONFIG_PAX_REFCOUNT
4673 casx [%o1], %g1, %g7
4675 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4676 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4677 2: BACKOFF_SPIN(%o2, %o3, 1b)
4678 .size atomic64_add, .-atomic64_add
4680 + .globl atomic64_add_unchecked
4681 + .type atomic64_add_unchecked,#function
4682 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4683 + BACKOFF_SETUP(%o2)
4685 + addcc %g1, %o0, %g7
4686 + casx [%o1], %g1, %g7
4692 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4693 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4696 .type atomic64_sub,#function
4697 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4701 + subcc %g1, %o0, %g7
4703 +#ifdef CONFIG_PAX_REFCOUNT
4707 casx [%o1], %g1, %g7
4709 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4710 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4711 2: BACKOFF_SPIN(%o2, %o3, 1b)
4712 .size atomic64_sub, .-atomic64_sub
4714 + .globl atomic64_sub_unchecked
4715 + .type atomic64_sub_unchecked,#function
4716 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4717 + BACKOFF_SETUP(%o2)
4719 + subcc %g1, %o0, %g7
4720 + casx [%o1], %g1, %g7
4726 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4727 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4729 .globl atomic64_add_ret
4730 .type atomic64_add_ret,#function
4731 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4735 + addcc %g1, %o0, %g7
4737 +#ifdef CONFIG_PAX_REFCOUNT
4741 casx [%o1], %g1, %g7
4743 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4744 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4745 2: BACKOFF_SPIN(%o2, %o3, 1b)
4746 .size atomic64_add_ret, .-atomic64_add_ret
4748 + .globl atomic64_add_ret_unchecked
4749 + .type atomic64_add_ret_unchecked,#function
4750 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4751 + BACKOFF_SETUP(%o2)
4753 + addcc %g1, %o0, %g7
4754 + casx [%o1], %g1, %g7
4761 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4762 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4764 .globl atomic64_sub_ret
4765 .type atomic64_sub_ret,#function
4766 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4770 + subcc %g1, %o0, %g7
4772 +#ifdef CONFIG_PAX_REFCOUNT
4776 casx [%o1], %g1, %g7
4778 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4779 diff -urNp linux-2.6.38.1/arch/sparc/lib/ksyms.c linux-2.6.38.1/arch/sparc/lib/ksyms.c
4780 --- linux-2.6.38.1/arch/sparc/lib/ksyms.c 2011-03-14 21:20:32.000000000 -0400
4781 +++ linux-2.6.38.1/arch/sparc/lib/ksyms.c 2011-03-21 18:31:35.000000000 -0400
4782 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4784 /* Atomic counter implementation. */
4785 EXPORT_SYMBOL(atomic_add);
4786 +EXPORT_SYMBOL(atomic_add_unchecked);
4787 EXPORT_SYMBOL(atomic_add_ret);
4788 EXPORT_SYMBOL(atomic_sub);
4789 +EXPORT_SYMBOL(atomic_sub_unchecked);
4790 EXPORT_SYMBOL(atomic_sub_ret);
4791 EXPORT_SYMBOL(atomic64_add);
4792 +EXPORT_SYMBOL(atomic64_add_unchecked);
4793 EXPORT_SYMBOL(atomic64_add_ret);
4794 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4795 EXPORT_SYMBOL(atomic64_sub);
4796 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4797 EXPORT_SYMBOL(atomic64_sub_ret);
4799 /* Atomic bit operations. */
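Review bot: `atomic_add_ret_unchecked` is declared `.globl` in arch/sparc/lib/atomic_64.S (hunk @@ -58,12 +103,33) but is not exported here, while the other five `_unchecked` entry points, including `atomic64_add_ret_unchecked`, are; a module that calls it would fail to load with an unresolved symbol. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);` so the export list stays in step with the assembly. No `atomic_sub_ret_unchecked` is visible in the assembly hunks, so its absence from this list is consistent, but that is worth confirming against the header that declares these helpers.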
4800 diff -urNp linux-2.6.38.1/arch/sparc/Makefile linux-2.6.38.1/arch/sparc/Makefile
4801 --- linux-2.6.38.1/arch/sparc/Makefile 2011-03-14 21:20:32.000000000 -0400
4802 +++ linux-2.6.38.1/arch/sparc/Makefile 2011-03-21 18:31:35.000000000 -0400
4803 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4804 # Export what is needed by arch/sparc/boot/Makefile
4805 export VMLINUX_INIT VMLINUX_MAIN
4806 VMLINUX_INIT := $(head-y) $(init-y)
4807 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4808 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4809 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4810 VMLINUX_MAIN += $(drivers-y) $(net-y)
4812 diff -urNp linux-2.6.38.1/arch/sparc/mm/fault_32.c linux-2.6.38.1/arch/sparc/mm/fault_32.c
4813 --- linux-2.6.38.1/arch/sparc/mm/fault_32.c 2011-03-14 21:20:32.000000000 -0400
4814 +++ linux-2.6.38.1/arch/sparc/mm/fault_32.c 2011-03-21 18:31:35.000000000 -0400
4816 #include <linux/interrupt.h>
4817 #include <linux/module.h>
4818 #include <linux/kdebug.h>
4819 +#include <linux/slab.h>
4820 +#include <linux/pagemap.h>
4821 +#include <linux/compiler.h>
4823 #include <asm/system.h>
4824 #include <asm/page.h>
4825 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4826 return safe_compute_effective_address(regs, insn);
4829 +#ifdef CONFIG_PAX_PAGEEXEC
4830 +#ifdef CONFIG_PAX_DLRESOLVE
4831 +static void pax_emuplt_close(struct vm_area_struct *vma)
4833 + vma->vm_mm->call_dl_resolve = 0UL;
4836 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4838 + unsigned int *kaddr;
4840 + vmf->page = alloc_page(GFP_HIGHUSER);
4842 + return VM_FAULT_OOM;
4844 + kaddr = kmap(vmf->page);
4845 + memset(kaddr, 0, PAGE_SIZE);
4846 + kaddr[0] = 0x9DE3BFA8U; /* save */
4847 + flush_dcache_page(vmf->page);
4848 + kunmap(vmf->page);
4849 + return VM_FAULT_MAJOR;
4852 +static const struct vm_operations_struct pax_vm_ops = {
4853 + .close = pax_emuplt_close,
4854 + .fault = pax_emuplt_fault
4857 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4861 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4862 + vma->vm_mm = current->mm;
4863 + vma->vm_start = addr;
4864 + vma->vm_end = addr + PAGE_SIZE;
4865 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4866 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4867 + vma->vm_ops = &pax_vm_ops;
4869 + ret = insert_vm_struct(current->mm, vma);
4873 + ++current->mm->total_vm;
4879 + * PaX: decide what to do with offenders (regs->pc = fault address)
4881 + * returns 1 when task should be killed
4882 + * 2 when patched PLT trampoline was detected
4883 + * 3 when unpatched PLT trampoline was detected
4885 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4888 +#ifdef CONFIG_PAX_EMUPLT
4891 + do { /* PaX: patched PLT emulation #1 */
4892 + unsigned int sethi1, sethi2, jmpl;
4894 + err = get_user(sethi1, (unsigned int *)regs->pc);
4895 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4896 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4901 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4902 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4903 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4905 + unsigned int addr;
4907 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4908 + addr = regs->u_regs[UREG_G1];
4909 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4911 + regs->npc = addr+4;
4916 + { /* PaX: patched PLT emulation #2 */
4919 + err = get_user(ba, (unsigned int *)regs->pc);
4921 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4922 + unsigned int addr;
4924 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4926 + regs->npc = addr+4;
4931 + do { /* PaX: patched PLT emulation #3 */
4932 + unsigned int sethi, jmpl, nop;
4934 + err = get_user(sethi, (unsigned int *)regs->pc);
4935 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4936 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4941 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4942 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4943 + nop == 0x01000000U)
4945 + unsigned int addr;
4947 + addr = (sethi & 0x003FFFFFU) << 10;
4948 + regs->u_regs[UREG_G1] = addr;
4949 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4951 + regs->npc = addr+4;
4956 + do { /* PaX: unpatched PLT emulation step 1 */
4957 + unsigned int sethi, ba, nop;
4959 + err = get_user(sethi, (unsigned int *)regs->pc);
4960 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4961 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4966 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4967 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4968 + nop == 0x01000000U)
4970 + unsigned int addr, save, call;
4972 + if ((ba & 0xFFC00000U) == 0x30800000U)
4973 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4975 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4977 + err = get_user(save, (unsigned int *)addr);
4978 + err |= get_user(call, (unsigned int *)(addr+4));
4979 + err |= get_user(nop, (unsigned int *)(addr+8));
4983 +#ifdef CONFIG_PAX_DLRESOLVE
4984 + if (save == 0x9DE3BFA8U &&
4985 + (call & 0xC0000000U) == 0x40000000U &&
4986 + nop == 0x01000000U)
4988 + struct vm_area_struct *vma;
4989 + unsigned long call_dl_resolve;
4991 + down_read(¤t->mm->mmap_sem);
4992 + call_dl_resolve = current->mm->call_dl_resolve;
4993 + up_read(¤t->mm->mmap_sem);
4994 + if (likely(call_dl_resolve))
4997 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4999 + down_write(¤t->mm->mmap_sem);
5000 + if (current->mm->call_dl_resolve) {
5001 + call_dl_resolve = current->mm->call_dl_resolve;
5002 + up_write(¤t->mm->mmap_sem);
5004 + kmem_cache_free(vm_area_cachep, vma);
5008 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5009 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5010 + up_write(¤t->mm->mmap_sem);
5012 + kmem_cache_free(vm_area_cachep, vma);
5016 + if (pax_insert_vma(vma, call_dl_resolve)) {
5017 + up_write(¤t->mm->mmap_sem);
5018 + kmem_cache_free(vm_area_cachep, vma);
5022 + current->mm->call_dl_resolve = call_dl_resolve;
5023 + up_write(¤t->mm->mmap_sem);
5026 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5027 + regs->pc = call_dl_resolve;
5028 + regs->npc = addr+4;
5033 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5034 + if ((save & 0xFFC00000U) == 0x05000000U &&
5035 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5036 + nop == 0x01000000U)
5038 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5039 + regs->u_regs[UREG_G2] = addr + 4;
5040 + addr = (save & 0x003FFFFFU) << 10;
5041 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5043 + regs->npc = addr+4;
5049 + do { /* PaX: unpatched PLT emulation step 2 */
5050 + unsigned int save, call, nop;
5052 + err = get_user(save, (unsigned int *)(regs->pc-4));
5053 + err |= get_user(call, (unsigned int *)regs->pc);
5054 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5058 + if (save == 0x9DE3BFA8U &&
5059 + (call & 0xC0000000U) == 0x40000000U &&
5060 + nop == 0x01000000U)
5062 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5064 + regs->u_regs[UREG_RETPC] = regs->pc;
5065 + regs->pc = dl_resolve;
5066 + regs->npc = dl_resolve+4;
5075 +void pax_report_insns(void *pc, void *sp)
5079 + printk(KERN_ERR "PAX: bytes at PC: ");
5080 + for (i = 0; i < 8; i++) {
5082 + if (get_user(c, (unsigned int *)pc+i))
5083 + printk(KERN_CONT "???????? ");
5085 + printk(KERN_CONT "%08x ", c);
5091 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
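Review bot: `pax_insert_vma` writes `current->mm` (insert_vm_struct, `++current->mm->total_vm`) without taking any lock, relying on its caller to hold `mmap_sem` for writing — which the only visible caller does (`down_write` just before `pax_insert_vma(vma, call_dl_resolve)`), but nothing at the definition states that precondition. Add `/* caller must hold current->mm->mmap_sem for writing */` above the function; the identical copy in the arch/sparc/mm/fault_64.c hunk @@ -272,6 +275,457 needs the same line, and the duplicated pax_emuplt_close/pax_emuplt_fault/pax_insert_vma trio could be shared between the two files rather than copied. Several lines of this hunk are absent from the page, and `¤t->mm` is presumably `&current->mm` mangled by the rendering, so the locking flow is read on that assumption.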
5094 @@ -282,6 +547,24 @@ good_area:
5095 if(!(vma->vm_flags & VM_WRITE))
5099 +#ifdef CONFIG_PAX_PAGEEXEC
5100 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5101 + up_read(&mm->mmap_sem);
5102 + switch (pax_handle_fetch_fault(regs)) {
5104 +#ifdef CONFIG_PAX_EMUPLT
5111 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5112 + do_group_exit(SIGKILL);
5116 /* Allow reads even for write-only mappings */
5117 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5119 diff -urNp linux-2.6.38.1/arch/sparc/mm/fault_64.c linux-2.6.38.1/arch/sparc/mm/fault_64.c
5120 --- linux-2.6.38.1/arch/sparc/mm/fault_64.c 2011-03-14 21:20:32.000000000 -0400
5121 +++ linux-2.6.38.1/arch/sparc/mm/fault_64.c 2011-03-21 18:31:35.000000000 -0400
5123 #include <linux/kprobes.h>
5124 #include <linux/kdebug.h>
5125 #include <linux/percpu.h>
5126 +#include <linux/slab.h>
5127 +#include <linux/pagemap.h>
5128 +#include <linux/compiler.h>
5130 #include <asm/page.h>
5131 #include <asm/pgtable.h>
5132 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5133 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5135 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5136 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5137 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5138 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5140 unhandled_fault(regs->tpc, current, regs);
5141 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5145 +#ifdef CONFIG_PAX_PAGEEXEC
5146 +#ifdef CONFIG_PAX_DLRESOLVE
5147 +static void pax_emuplt_close(struct vm_area_struct *vma)
5149 + vma->vm_mm->call_dl_resolve = 0UL;
5152 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5154 + unsigned int *kaddr;
5156 + vmf->page = alloc_page(GFP_HIGHUSER);
5158 + return VM_FAULT_OOM;
5160 + kaddr = kmap(vmf->page);
5161 + memset(kaddr, 0, PAGE_SIZE);
5162 + kaddr[0] = 0x9DE3BFA8U; /* save */
5163 + flush_dcache_page(vmf->page);
5164 + kunmap(vmf->page);
5165 + return VM_FAULT_MAJOR;
5168 +static const struct vm_operations_struct pax_vm_ops = {
5169 + .close = pax_emuplt_close,
5170 + .fault = pax_emuplt_fault
5173 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5177 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5178 + vma->vm_mm = current->mm;
5179 + vma->vm_start = addr;
5180 + vma->vm_end = addr + PAGE_SIZE;
5181 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5182 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5183 + vma->vm_ops = &pax_vm_ops;
5185 + ret = insert_vm_struct(current->mm, vma);
5189 + ++current->mm->total_vm;
5195 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5197 + * returns 1 when task should be killed
5198 + * 2 when patched PLT trampoline was detected
5199 + * 3 when unpatched PLT trampoline was detected
5201 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5204 +#ifdef CONFIG_PAX_EMUPLT
5207 + do { /* PaX: patched PLT emulation #1 */
5208 + unsigned int sethi1, sethi2, jmpl;
5210 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5211 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5212 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5217 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5218 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5219 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5221 + unsigned long addr;
5223 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5224 + addr = regs->u_regs[UREG_G1];
5225 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5227 + if (test_thread_flag(TIF_32BIT))
5228 + addr &= 0xFFFFFFFFUL;
5231 + regs->tnpc = addr+4;
5236 + { /* PaX: patched PLT emulation #2 */
5239 + err = get_user(ba, (unsigned int *)regs->tpc);
5241 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5242 + unsigned long addr;
5244 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5246 + if (test_thread_flag(TIF_32BIT))
5247 + addr &= 0xFFFFFFFFUL;
5250 + regs->tnpc = addr+4;
5255 + do { /* PaX: patched PLT emulation #3 */
5256 + unsigned int sethi, jmpl, nop;
5258 + err = get_user(sethi, (unsigned int *)regs->tpc);
5259 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5260 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5265 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5266 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5267 + nop == 0x01000000U)
5269 + unsigned long addr;
5271 + addr = (sethi & 0x003FFFFFU) << 10;
5272 + regs->u_regs[UREG_G1] = addr;
5273 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5275 + if (test_thread_flag(TIF_32BIT))
5276 + addr &= 0xFFFFFFFFUL;
5279 + regs->tnpc = addr+4;
5284 + do { /* PaX: patched PLT emulation #4 */
5285 + unsigned int sethi, mov1, call, mov2;
5287 + err = get_user(sethi, (unsigned int *)regs->tpc);
5288 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5289 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5290 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5295 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5296 + mov1 == 0x8210000FU &&
5297 + (call & 0xC0000000U) == 0x40000000U &&
5298 + mov2 == 0x9E100001U)
5300 + unsigned long addr;
5302 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5303 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5305 + if (test_thread_flag(TIF_32BIT))
5306 + addr &= 0xFFFFFFFFUL;
5309 + regs->tnpc = addr+4;
5314 + do { /* PaX: patched PLT emulation #5 */
5315 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5317 + err = get_user(sethi, (unsigned int *)regs->tpc);
5318 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5319 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5320 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5321 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5322 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5323 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5324 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5329 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5330 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5331 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5332 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5333 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5334 + sllx == 0x83287020U &&
5335 + jmpl == 0x81C04005U &&
5336 + nop == 0x01000000U)
5338 + unsigned long addr;
5340 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5341 + regs->u_regs[UREG_G1] <<= 32;
5342 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5343 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5345 + regs->tnpc = addr+4;
5350 + do { /* PaX: patched PLT emulation #6 */
5351 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5353 + err = get_user(sethi, (unsigned int *)regs->tpc);
5354 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5355 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5356 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5357 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5358 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5359 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5364 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5365 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5366 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5367 + sllx == 0x83287020U &&
5368 + (or & 0xFFFFE000U) == 0x8A116000U &&
5369 + jmpl == 0x81C04005U &&
5370 + nop == 0x01000000U)
5372 + unsigned long addr;
5374 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5375 + regs->u_regs[UREG_G1] <<= 32;
5376 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5377 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5379 + regs->tnpc = addr+4;
5384 + do { /* PaX: unpatched PLT emulation step 1 */
5385 + unsigned int sethi, ba, nop;
5387 + err = get_user(sethi, (unsigned int *)regs->tpc);
5388 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5389 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5394 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5395 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5396 + nop == 0x01000000U)
5398 + unsigned long addr;
5399 + unsigned int save, call;
5400 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5402 + if ((ba & 0xFFC00000U) == 0x30800000U)
5403 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5405 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5407 + if (test_thread_flag(TIF_32BIT))
5408 + addr &= 0xFFFFFFFFUL;
5410 + err = get_user(save, (unsigned int *)addr);
5411 + err |= get_user(call, (unsigned int *)(addr+4));
5412 + err |= get_user(nop, (unsigned int *)(addr+8));
5416 +#ifdef CONFIG_PAX_DLRESOLVE
5417 + if (save == 0x9DE3BFA8U &&
5418 + (call & 0xC0000000U) == 0x40000000U &&
5419 + nop == 0x01000000U)
5421 + struct vm_area_struct *vma;
5422 + unsigned long call_dl_resolve;
5424 + down_read(¤t->mm->mmap_sem);
5425 + call_dl_resolve = current->mm->call_dl_resolve;
5426 + up_read(¤t->mm->mmap_sem);
5427 + if (likely(call_dl_resolve))
5430 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5432 + down_write(¤t->mm->mmap_sem);
5433 + if (current->mm->call_dl_resolve) {
5434 + call_dl_resolve = current->mm->call_dl_resolve;
5435 + up_write(¤t->mm->mmap_sem);
5437 + kmem_cache_free(vm_area_cachep, vma);
5441 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5442 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5443 + up_write(¤t->mm->mmap_sem);
5445 + kmem_cache_free(vm_area_cachep, vma);
5449 + if (pax_insert_vma(vma, call_dl_resolve)) {
5450 + up_write(¤t->mm->mmap_sem);
5451 + kmem_cache_free(vm_area_cachep, vma);
5455 + current->mm->call_dl_resolve = call_dl_resolve;
5456 + up_write(¤t->mm->mmap_sem);
5459 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5460 + regs->tpc = call_dl_resolve;
5461 + regs->tnpc = addr+4;
5466 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5467 + if ((save & 0xFFC00000U) == 0x05000000U &&
5468 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5469 + nop == 0x01000000U)
5471 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5472 + regs->u_regs[UREG_G2] = addr + 4;
5473 + addr = (save & 0x003FFFFFU) << 10;
5474 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5476 + if (test_thread_flag(TIF_32BIT))
5477 + addr &= 0xFFFFFFFFUL;
5480 + regs->tnpc = addr+4;
5484 + /* PaX: 64-bit PLT stub */
5485 + err = get_user(sethi1, (unsigned int *)addr);
5486 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5487 + err |= get_user(or1, (unsigned int *)(addr+8));
5488 + err |= get_user(or2, (unsigned int *)(addr+12));
5489 + err |= get_user(sllx, (unsigned int *)(addr+16));
5490 + err |= get_user(add, (unsigned int *)(addr+20));
5491 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5492 + err |= get_user(nop, (unsigned int *)(addr+28));
5496 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5497 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5498 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5499 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5500 + sllx == 0x89293020U &&
5501 + add == 0x8A010005U &&
5502 + jmpl == 0x89C14000U &&
5503 + nop == 0x01000000U)
5505 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5506 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5507 + regs->u_regs[UREG_G4] <<= 32;
5508 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5509 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5510 + regs->u_regs[UREG_G4] = addr + 24;
5511 + addr = regs->u_regs[UREG_G5];
5513 + regs->tnpc = addr+4;
5519 +#ifdef CONFIG_PAX_DLRESOLVE
5520 + do { /* PaX: unpatched PLT emulation step 2 */
5521 + unsigned int save, call, nop;
5523 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5524 + err |= get_user(call, (unsigned int *)regs->tpc);
5525 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5529 + if (save == 0x9DE3BFA8U &&
5530 + (call & 0xC0000000U) == 0x40000000U &&
5531 + nop == 0x01000000U)
5533 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5535 + if (test_thread_flag(TIF_32BIT))
5536 + dl_resolve &= 0xFFFFFFFFUL;
5538 + regs->u_regs[UREG_RETPC] = regs->tpc;
5539 + regs->tpc = dl_resolve;
5540 + regs->tnpc = dl_resolve+4;
5546 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5547 + unsigned int sethi, ba, nop;
5549 + err = get_user(sethi, (unsigned int *)regs->tpc);
5550 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5551 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5556 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5557 + (ba & 0xFFF00000U) == 0x30600000U &&
5558 + nop == 0x01000000U)
5560 + unsigned long addr;
5562 + addr = (sethi & 0x003FFFFFU) << 10;
5563 + regs->u_regs[UREG_G1] = addr;
5564 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5566 + if (test_thread_flag(TIF_32BIT))
5567 + addr &= 0xFFFFFFFFUL;
5570 + regs->tnpc = addr+4;
5580 +void pax_report_insns(void *pc, void *sp)
5584 + printk(KERN_ERR "PAX: bytes at PC: ");
5585 + for (i = 0; i < 8; i++) {
5587 + if (get_user(c, (unsigned int *)pc+i))
5588 + printk(KERN_CONT "???????? ");
5590 + printk(KERN_CONT "%08x ", c);
5596 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5598 struct mm_struct *mm = current->mm;
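Review bot: Patched PLT emulation #5 and #6 compute `addr` from a 64-bit `sllx`-based stub and do not apply the `test_thread_flag(TIF_32BIT)` mask that #1–#4, unpatched step 1 and #7 apply before writing `regs->tnpc`; that looks intentional, since a 32-bit task would not use a stub that shifts the high half by 32, but nothing in the code says so. A comment on each, e.g. `/* 64-bit-only stub form: no TIF_32BIT masking needed */`, would stop the next reader from treating the asymmetry as an omission. The enclosing pax_handle_fetch_fault body is only partially visible here, with several lines of the hunk absent from the page.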
5599 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5603 +#ifdef CONFIG_PAX_PAGEEXEC
5604 + /* PaX: detect ITLB misses on non-exec pages */
5605 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5606 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5608 + if (address != regs->tpc)
5611 + up_read(&mm->mmap_sem);
5612 + switch (pax_handle_fetch_fault(regs)) {
5614 +#ifdef CONFIG_PAX_EMUPLT
5621 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5622 + do_group_exit(SIGKILL);
5626 /* Pure DTLB misses do not tell us whether the fault causing
5627 * load/store/atomic was a write or not, it only says that there
5628 * was no match. So in such a case we (carefully) read the
5629 diff -urNp linux-2.6.38.1/arch/sparc/mm/hugetlbpage.c linux-2.6.38.1/arch/sparc/mm/hugetlbpage.c
5630 --- linux-2.6.38.1/arch/sparc/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
5631 +++ linux-2.6.38.1/arch/sparc/mm/hugetlbpage.c 2011-03-21 23:47:41.000000000 -0400
5632 @@ -68,7 +68,7 @@ full_search:
5636 - if (likely(!vma || addr + len <= vma->vm_start)) {
5637 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5639 * Remember the place where we stopped the search:
5641 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5642 /* make sure it can fit in the remaining address space */
5643 if (likely(addr > len)) {
5644 vma = find_vma(mm, addr-len);
5645 - if (!vma || addr <= vma->vm_start) {
5646 + if (check_heap_stack_gap(vma, addr - len, len)) {
5647 /* remember the address as a hint for next time */
5648 return (mm->free_area_cache = addr-len);
5650 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
5651 if (unlikely(mm->mmap_base < len))
5654 - addr = (mm->mmap_base-len) & HPAGE_MASK;
5655 + addr = mm->mmap_base - len;
5658 + addr &= HPAGE_MASK;
5660 * Lookup failure means no vma is above this address,
5661 * else if new region fits below vma->vm_start,
5662 * return with success:
5664 vma = find_vma(mm, addr);
5665 - if (likely(!vma || addr+len <= vma->vm_start)) {
5666 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5667 /* remember the address as a hint for next time */
5668 return (mm->free_area_cache = addr);
5670 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
5671 mm->cached_hole_size = vma->vm_start - addr;
5673 /* try just below the current vma->vm_start */
5674 - addr = (vma->vm_start-len) & HPAGE_MASK;
5675 - } while (likely(len < vma->vm_start));
5676 + addr = skip_heap_stack_gap(vma, len);
5677 + } while (!IS_ERR_VALUE(addr));
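Review bot: The hugepage alignment that the removed `addr = (vma->vm_start-len) & HPAGE_MASK;` applied is gone from the loop body; `addr = skip_heap_stack_gap(vma, len);` is only correct here if that helper returns an HPAGE_MASK-aligned address, which is not visible in this chunk. The preceding hunk keeps an explicit `addr &= HPAGE_MASK;` after `addr = mm->mmap_base - len;`, so the two paths should agree: either mask inside the loop, `addr = skip_heap_stack_gap(vma, len); if (!IS_ERR_VALUE(addr)) addr &= HPAGE_MASK;`, or add a comment stating that the helper already honours HPAGE_MASK. The `do` that opens this loop and the function's tail lie outside the hunk.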
5681 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
5683 addr = ALIGN(addr, HPAGE_SIZE);
5684 vma = find_vma(mm, addr);
5685 - if (task_size - len >= addr &&
5686 - (!vma || addr + len <= vma->vm_start))
5687 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5690 if (mm->get_unmapped_area == arch_get_unmapped_area)
5691 diff -urNp linux-2.6.38.1/arch/sparc/mm/init_32.c linux-2.6.38.1/arch/sparc/mm/init_32.c
5692 --- linux-2.6.38.1/arch/sparc/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
5693 +++ linux-2.6.38.1/arch/sparc/mm/init_32.c 2011-03-21 18:31:35.000000000 -0400
5694 @@ -318,6 +318,9 @@ extern void device_scan(void);
5695 pgprot_t PAGE_SHARED __read_mostly;
5696 EXPORT_SYMBOL(PAGE_SHARED);
5698 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5699 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5701 void __init paging_init(void)
5703 switch(sparc_cpu_model) {
5704 @@ -346,17 +349,17 @@ void __init paging_init(void)
5706 /* Initialize the protection map with non-constant, MMU dependent values. */
5707 protection_map[0] = PAGE_NONE;
5708 - protection_map[1] = PAGE_READONLY;
5709 - protection_map[2] = PAGE_COPY;
5710 - protection_map[3] = PAGE_COPY;
5711 + protection_map[1] = PAGE_READONLY_NOEXEC;
5712 + protection_map[2] = PAGE_COPY_NOEXEC;
5713 + protection_map[3] = PAGE_COPY_NOEXEC;
5714 protection_map[4] = PAGE_READONLY;
5715 protection_map[5] = PAGE_READONLY;
5716 protection_map[6] = PAGE_COPY;
5717 protection_map[7] = PAGE_COPY;
5718 protection_map[8] = PAGE_NONE;
5719 - protection_map[9] = PAGE_READONLY;
5720 - protection_map[10] = PAGE_SHARED;
5721 - protection_map[11] = PAGE_SHARED;
5722 + protection_map[9] = PAGE_READONLY_NOEXEC;
5723 + protection_map[10] = PAGE_SHARED_NOEXEC;
5724 + protection_map[11] = PAGE_SHARED_NOEXEC;
5725 protection_map[12] = PAGE_READONLY;
5726 protection_map[13] = PAGE_READONLY;
5727 protection_map[14] = PAGE_SHARED;
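Review bot: The `_NOEXEC` entries are written into `protection_map` unconditionally, while the only initialisation of `PAGE_SHARED_NOEXEC` and the `page_copy_noexec`/`page_readonly_noexec` fixups visible in this chunk (srmmu.c) sits under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless a header maps `PAGE_SHARED_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_READONLY_NOEXEC` back to their executable counterparts when PAGEEXEC is off (not shown here), a non-PAGEEXEC build installs the zero-initialised `PAGE_SHARED_NOEXEC` for entries 10 and 11. Either guard the six changed assignments with the same `#ifdef`, or add a comment above `protection_map[0] = PAGE_NONE;` recording where the non-PAGEEXEC fallback is defined.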
5728 diff -urNp linux-2.6.38.1/arch/sparc/mm/Makefile linux-2.6.38.1/arch/sparc/mm/Makefile
5729 --- linux-2.6.38.1/arch/sparc/mm/Makefile 2011-03-14 21:20:32.000000000 -0400
5730 +++ linux-2.6.38.1/arch/sparc/mm/Makefile 2011-03-21 18:31:35.000000000 -0400
5735 -ccflags-y := -Werror
5736 +#ccflags-y := -Werror
5738 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5739 obj-y += fault_$(BITS).o
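Review bot: Commenting out `ccflags-y := -Werror` silences every warning in arch/sparc/mm rather than the specific one the patch presumably triggers, so new warnings in this directory now pass the build unnoticed. Prefer fixing the offending warning, or narrowing the exemption to the affected object with a per-object `CFLAGS_<file>.o` override and a comment naming the warning. If the line has to stay disabled, `# -Werror disabled: <reason>` is more useful to the next maintainer than a bare `#`.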
5740 diff -urNp linux-2.6.38.1/arch/sparc/mm/srmmu.c linux-2.6.38.1/arch/sparc/mm/srmmu.c
5741 --- linux-2.6.38.1/arch/sparc/mm/srmmu.c 2011-03-14 21:20:32.000000000 -0400
5742 +++ linux-2.6.38.1/arch/sparc/mm/srmmu.c 2011-03-21 18:31:35.000000000 -0400
5743 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5744 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5745 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5746 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5748 +#ifdef CONFIG_PAX_PAGEEXEC
5749 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5750 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5751 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5754 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5755 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5757 diff -urNp linux-2.6.38.1/arch/um/include/asm/kmap_types.h linux-2.6.38.1/arch/um/include/asm/kmap_types.h
5758 --- linux-2.6.38.1/arch/um/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
5759 +++ linux-2.6.38.1/arch/um/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
5760 @@ -23,6 +23,7 @@ enum km_type {
5768 diff -urNp linux-2.6.38.1/arch/um/include/asm/page.h linux-2.6.38.1/arch/um/include/asm/page.h
5769 --- linux-2.6.38.1/arch/um/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
5770 +++ linux-2.6.38.1/arch/um/include/asm/page.h 2011-03-21 18:31:35.000000000 -0400
5772 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5773 #define PAGE_MASK (~(PAGE_SIZE-1))
5775 +#define ktla_ktva(addr) (addr)
5776 +#define ktva_ktla(addr) (addr)
5778 #ifndef __ASSEMBLY__
5781 diff -urNp linux-2.6.38.1/arch/um/kernel/process.c linux-2.6.38.1/arch/um/kernel/process.c
5782 --- linux-2.6.38.1/arch/um/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
5783 +++ linux-2.6.38.1/arch/um/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
5784 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5789 - * Only x86 and x86_64 have an arch_align_stack().
5790 - * All other arches have "#define arch_align_stack(x) (x)"
5791 - * in their asm/system.h
5792 - * As this is included in UML from asm-um/system-generic.h,
5793 - * we can use it to behave as the subarch does.
5795 -#ifndef arch_align_stack
5796 -unsigned long arch_align_stack(unsigned long sp)
5798 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5799 - sp -= get_random_int() % 8192;
5804 unsigned long get_wchan(struct task_struct *p)
5806 unsigned long stack_page, sp, ip;
5807 diff -urNp linux-2.6.38.1/arch/um/sys-i386/syscalls.c linux-2.6.38.1/arch/um/sys-i386/syscalls.c
5808 --- linux-2.6.38.1/arch/um/sys-i386/syscalls.c 2011-03-14 21:20:32.000000000 -0400
5809 +++ linux-2.6.38.1/arch/um/sys-i386/syscalls.c 2011-03-21 18:31:35.000000000 -0400
5811 #include "asm/uaccess.h"
5812 #include "asm/unistd.h"
5814 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5816 + unsigned long pax_task_size = TASK_SIZE;
5818 +#ifdef CONFIG_PAX_SEGMEXEC
5819 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5820 + pax_task_size = SEGMEXEC_TASK_SIZE;
5823 + if (len > pax_task_size || addr > pax_task_size - len)
5830 * The prototype on i386 is:
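Review bot: `i386_mmap_check` has no comment stating its contract (what a non-zero return means and who calls it), and `flags` is not used in the visible body; if it exists only to match the native i386 signature, say so. The ordering of `len > pax_task_size || addr > pax_task_size - len` is what keeps the subtraction from wrapping, which is worth recording, e.g. `/* reject ranges reaching past the (SEGMEXEC-reduced) task size; checking len first keeps the subtraction from underflowing */`. The function's return statement falls on a line not shown in this chunk.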
5832 diff -urNp linux-2.6.38.1/arch/x86/boot/bitops.h linux-2.6.38.1/arch/x86/boot/bitops.h
5833 --- linux-2.6.38.1/arch/x86/boot/bitops.h 2011-03-14 21:20:32.000000000 -0400
5834 +++ linux-2.6.38.1/arch/x86/boot/bitops.h 2011-03-21 18:31:35.000000000 -0400
5835 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5837 const u32 *p = (const u32 *)addr;
5839 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5840 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5844 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5846 static inline void set_bit(int nr, void *addr)
5848 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5849 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5852 #endif /* BOOT_BITOPS_H */
5853 diff -urNp linux-2.6.38.1/arch/x86/boot/boot.h linux-2.6.38.1/arch/x86/boot/boot.h
5854 --- linux-2.6.38.1/arch/x86/boot/boot.h 2011-03-14 21:20:32.000000000 -0400
5855 +++ linux-2.6.38.1/arch/x86/boot/boot.h 2011-03-21 18:31:35.000000000 -0400
5856 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5857 static inline u16 ds(void)
5860 - asm("movw %%ds,%0" : "=rm" (seg));
5861 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5865 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5866 static inline int memcmp(const void *s1, const void *s2, size_t len)
5869 - asm("repe; cmpsb; setnz %0"
5870 + asm volatile("repe; cmpsb; setnz %0"
5871 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
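Review bot: `asm volatile` stops the `repe; cmpsb` from being dropped or hoisted, but the asm still does not tell the compiler that it reads the bytes behind `s1` and `s2`: its only operands are the two pointers and the count, so a store into one of the buffers may legally be sunk past the comparison. Add a `"memory"` clobber, `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`, or express the reads as `"m"` inputs on the arrays. `memcmp` starts and ends inside the hunk, so this is the complete change.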
5874 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/head_32.S linux-2.6.38.1/arch/x86/boot/compressed/head_32.S
5875 --- linux-2.6.38.1/arch/x86/boot/compressed/head_32.S 2011-03-14 21:20:32.000000000 -0400
5876 +++ linux-2.6.38.1/arch/x86/boot/compressed/head_32.S 2011-03-21 18:31:35.000000000 -0400
5877 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5881 - movl $LOAD_PHYSICAL_ADDR, %ebx
5882 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5885 /* Target address to relocate to for decompression */
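Review bot: `____LOAD_PHYSICAL_ADDR` is introduced at `movl $____LOAD_PHYSICAL_ADDR, %ebx` without a definition or comment in this chunk, and the same substitution recurs in head_64.S, compressed/misc.c and header.S below; a reader of the boot code cannot tell why the plain `LOAD_PHYSICAL_ADDR` is no longer usable here. A comment at this first use, e.g. `/* ____LOAD_PHYSICAL_ADDR: raw link-time constant; LOAD_PHYSICAL_ADDR is redefined by the patch and not usable before relocation */`, adjusted to match the actual definition, would carry the reason. The four-underscore name is also easy to confuse at a glance with the `__LOAD_PHYSICAL_ADDR` symbol that relocs.c compares against in this same chunk.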
5886 @@ -162,7 +162,7 @@ relocated:
5887 * and where it was actually loaded.
5890 - subl $LOAD_PHYSICAL_ADDR, %ebx
5891 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5892 jz 2f /* Nothing to be done if loaded at compiled addr. */
5894 * Process relocations.
5895 @@ -170,8 +170,7 @@ relocated:
5902 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5905 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/head_64.S linux-2.6.38.1/arch/x86/boot/compressed/head_64.S
5906 --- linux-2.6.38.1/arch/x86/boot/compressed/head_64.S 2011-03-14 21:20:32.000000000 -0400
5907 +++ linux-2.6.38.1/arch/x86/boot/compressed/head_64.S 2011-03-21 18:31:35.000000000 -0400
5908 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5912 - movl $LOAD_PHYSICAL_ADDR, %ebx
5913 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5916 /* Target address to relocate to for decompression */
5917 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5921 - movq $LOAD_PHYSICAL_ADDR, %rbp
5922 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5925 /* Target address to relocate to for decompression */
5926 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/misc.c linux-2.6.38.1/arch/x86/boot/compressed/misc.c
5927 --- linux-2.6.38.1/arch/x86/boot/compressed/misc.c 2011-03-14 21:20:32.000000000 -0400
5928 +++ linux-2.6.38.1/arch/x86/boot/compressed/misc.c 2011-03-21 18:31:35.000000000 -0400
5929 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
5931 #ifdef CONFIG_RELOCATABLE
5933 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5934 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5936 dest = (void *)(phdr->p_paddr);
5938 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5939 error("Destination address too large");
5941 #ifndef CONFIG_RELOCATABLE
5942 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5943 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5944 error("Wrong destination address");
5947 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/relocs.c linux-2.6.38.1/arch/x86/boot/compressed/relocs.c
5948 --- linux-2.6.38.1/arch/x86/boot/compressed/relocs.c 2011-03-14 21:20:32.000000000 -0400
5949 +++ linux-2.6.38.1/arch/x86/boot/compressed/relocs.c 2011-03-21 18:31:35.000000000 -0400
5952 static void die(char *fmt, ...);
5954 +#include "../../../../include/generated/autoconf.h"
5956 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5957 static Elf32_Ehdr ehdr;
5958 +static Elf32_Phdr *phdr;
5959 static unsigned long reloc_count, reloc_idx;
5960 static unsigned long *relocs;
5962 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5966 +static void read_phdrs(FILE *fp)
5970 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5972 + die("Unable to allocate %d program headers\n",
5975 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5976 + die("Seek to %d failed: %s\n",
5977 + ehdr.e_phoff, strerror(errno));
5979 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5980 + die("Cannot read ELF program headers: %s\n",
5983 + for(i = 0; i < ehdr.e_phnum; i++) {
5984 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5985 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5986 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5987 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5988 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5989 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5990 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5991 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5996 static void read_shdrs(FILE *fp)
6002 secs = calloc(ehdr.e_shnum, sizeof(struct section));
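Review bot: `die("Seek to %d failed: %s\n", ehdr.e_phoff, strerror(errno));` passes an `Elf32_Off` (an unsigned 32-bit type) to `%d`; use `%u` so the format matches the argument, as `-Wformat` would report. The declaration of the loop variable `i` in `read_phdrs` is not visible here; the `print_absolute_relocs` hunk below switches its counter to `unsigned int i` to compare cleanly against `ehdr.e_shnum`, and the comparison against `ehdr.e_phnum` here deserves the same type. The allocation is never freed, which is acceptable for a short-lived build-time tool but worth a one-line comment on `phdr = calloc(...)`.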
6003 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
6005 static void read_strtabs(FILE *fp)
6009 for (i = 0; i < ehdr.e_shnum; i++) {
6010 struct section *sec = &secs[i];
6011 if (sec->shdr.sh_type != SHT_STRTAB) {
6012 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
6014 static void read_symtabs(FILE *fp)
6018 for (i = 0; i < ehdr.e_shnum; i++) {
6019 struct section *sec = &secs[i];
6020 if (sec->shdr.sh_type != SHT_SYMTAB) {
6021 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6023 static void read_relocs(FILE *fp)
6029 for (i = 0; i < ehdr.e_shnum; i++) {
6030 struct section *sec = &secs[i];
6031 if (sec->shdr.sh_type != SHT_REL) {
6032 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6033 die("Cannot read symbol table: %s\n",
6037 + for (j = 0; j < ehdr.e_phnum; j++) {
6038 + if (phdr[j].p_type != PT_LOAD )
6040 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6042 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6045 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6046 Elf32_Rel *rel = &sec->reltab[j];
6047 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6048 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6049 rel->r_info = elf32_to_cpu(rel->r_info);
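Review bot: `secs[sec->shdr.sh_info]` indexes the section table with a value read from the file without checking `sh_info < ehdr.e_shnum`, and the new PT_LOAD loop does not `break` once `base` is computed, so a later overlapping PT_LOAD silently overrides the first match; whether `base` holds a defined value when no segment matches depends on its initialiser, which lies outside the visible lines. This tool runs at build time over the kernel's own vmlinux, so exposure is low, but a `die()` on an out-of-range `sh_info` and a `break;` after `base = ...` make the intent explicit. The long condition also reads better split: `Elf32_Off off = secs[sec->shdr.sh_info].shdr.sh_offset;` then `if (off < phdr[j].p_offset || off >= phdr[j].p_offset + phdr[j].p_filesz) continue;`. The enclosing loop over sections starts before this hunk.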
6052 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6054 static void print_absolute_symbols(void)
6058 printf("Absolute symbols\n");
6059 printf(" Num: Value Size Type Bind Visibility Name\n");
6060 for (i = 0; i < ehdr.e_shnum; i++) {
6061 struct section *sec = &secs[i];
6063 Elf32_Sym *sh_symtab;
6067 if (sec->shdr.sh_type != SHT_SYMTAB) {
6069 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6071 static void print_absolute_relocs(void)
6073 - int i, printed = 0;
6074 + unsigned int i, printed = 0;
6076 for (i = 0; i < ehdr.e_shnum; i++) {
6077 struct section *sec = &secs[i];
6078 struct section *sec_applies, *sec_symtab;
6080 Elf32_Sym *sh_symtab;
6083 if (sec->shdr.sh_type != SHT_REL) {
6086 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6088 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6092 /* Walk through the relocations */
6093 for (i = 0; i < ehdr.e_shnum; i++) {
6095 Elf32_Sym *sh_symtab;
6096 struct section *sec_applies, *sec_symtab;
6099 struct section *sec = &secs[i];
6101 if (sec->shdr.sh_type != SHT_REL) {
6102 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6103 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6106 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6107 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6110 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6111 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6112 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6114 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6116 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6118 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6125 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6127 static void emit_relocs(int as_text)
6131 /* Count how many relocations I have and allocate space for them. */
6133 walk_relocs(count_reloc);
6134 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6135 fname, strerror(errno));
6142 diff -urNp linux-2.6.38.1/arch/x86/boot/cpucheck.c linux-2.6.38.1/arch/x86/boot/cpucheck.c
6143 --- linux-2.6.38.1/arch/x86/boot/cpucheck.c 2011-03-14 21:20:32.000000000 -0400
6144 +++ linux-2.6.38.1/arch/x86/boot/cpucheck.c 2011-03-21 18:31:35.000000000 -0400
6145 @@ -74,7 +74,7 @@ static int has_fpu(void)
6146 u16 fcw = -1, fsw = -1;
6149 - asm("movl %%cr0,%0" : "=r" (cr0));
6150 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6151 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6152 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6153 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6154 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6159 + asm volatile("pushfl ; "
6163 @@ -115,7 +115,7 @@ static void get_flags(void)
6164 set_bit(X86_FEATURE_FPU, cpu.flags);
6166 if (has_eflag(X86_EFLAGS_ID)) {
6168 + asm volatile("cpuid"
6169 : "=a" (max_intel_level),
6170 "=b" (cpu_vendor[0]),
6171 "=d" (cpu_vendor[1]),
6172 @@ -124,7 +124,7 @@ static void get_flags(void)
6174 if (max_intel_level >= 0x00000001 &&
6175 max_intel_level <= 0x0000ffff) {
6177 + asm volatile("cpuid"
6179 "=c" (cpu.flags[4]),
6181 @@ -136,7 +136,7 @@ static void get_flags(void)
6182 cpu.model += ((tfms >> 16) & 0xf) << 4;
6186 + asm volatile("cpuid"
6187 : "=a" (max_amd_level)
6189 : "ebx", "ecx", "edx");
6190 @@ -144,7 +144,7 @@ static void get_flags(void)
6191 if (max_amd_level >= 0x80000001 &&
6192 max_amd_level <= 0x8000ffff) {
6193 u32 eax = 0x80000001;
6195 + asm volatile("cpuid"
6197 "=c" (cpu.flags[6]),
6199 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6200 u32 ecx = MSR_K7_HWCR;
6203 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6204 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6206 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6207 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6209 get_flags(); /* Make sure it really did something */
6210 err = check_flags();
6211 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6212 u32 ecx = MSR_VIA_FCR;
6215 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6216 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6217 eax |= (1<<1)|(1<<7);
6218 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6219 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6221 set_bit(X86_FEATURE_CX8, cpu.flags);
6222 err = check_flags();
6223 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6227 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6228 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6230 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6231 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6232 + asm volatile("cpuid"
6233 : "+a" (level), "=d" (cpu.flags[0])
6235 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6236 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6238 err = check_flags();
6240 diff -urNp linux-2.6.38.1/arch/x86/boot/header.S linux-2.6.38.1/arch/x86/boot/header.S
6241 --- linux-2.6.38.1/arch/x86/boot/header.S 2011-03-14 21:20:32.000000000 -0400
6242 +++ linux-2.6.38.1/arch/x86/boot/header.S 2011-03-21 18:31:35.000000000 -0400
6243 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6244 # single linked list of
6247 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6248 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6250 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6251 #define VO_INIT_SIZE (VO__end - VO__text)
6252 diff -urNp linux-2.6.38.1/arch/x86/boot/memory.c linux-2.6.38.1/arch/x86/boot/memory.c
6253 --- linux-2.6.38.1/arch/x86/boot/memory.c 2011-03-14 21:20:32.000000000 -0400
6254 +++ linux-2.6.38.1/arch/x86/boot/memory.c 2011-03-21 18:31:35.000000000 -0400
6257 static int detect_memory_e820(void)
6260 + unsigned int count = 0;
6261 struct biosregs ireg, oreg;
6262 struct e820entry *desc = boot_params.e820_map;
6263 static struct e820entry buf; /* static so it is zeroed */
6264 diff -urNp linux-2.6.38.1/arch/x86/boot/video.c linux-2.6.38.1/arch/x86/boot/video.c
6265 --- linux-2.6.38.1/arch/x86/boot/video.c 2011-03-14 21:20:32.000000000 -0400
6266 +++ linux-2.6.38.1/arch/x86/boot/video.c 2011-03-21 18:31:35.000000000 -0400
6267 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6268 static unsigned int get_entry(void)
6272 + unsigned int i, len = 0;
6276 diff -urNp linux-2.6.38.1/arch/x86/boot/video-vesa.c linux-2.6.38.1/arch/x86/boot/video-vesa.c
6277 --- linux-2.6.38.1/arch/x86/boot/video-vesa.c 2011-03-14 21:20:32.000000000 -0400
6278 +++ linux-2.6.38.1/arch/x86/boot/video-vesa.c 2011-03-21 18:31:35.000000000 -0400
6279 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6281 boot_params.screen_info.vesapm_seg = oreg.es;
6282 boot_params.screen_info.vesapm_off = oreg.di;
6283 + boot_params.screen_info.vesapm_size = oreg.cx;
6287 diff -urNp linux-2.6.38.1/arch/x86/ia32/ia32_aout.c linux-2.6.38.1/arch/x86/ia32/ia32_aout.c
6288 --- linux-2.6.38.1/arch/x86/ia32/ia32_aout.c 2011-03-14 21:20:32.000000000 -0400
6289 +++ linux-2.6.38.1/arch/x86/ia32/ia32_aout.c 2011-03-21 18:31:35.000000000 -0400
6290 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6291 unsigned long dump_start, dump_size;
6294 + memset(&dump, 0, sizeof(dump));
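Review bot: The new `memset(&dump, 0, sizeof(dump));` is the kind of line whose purpose becomes invisible later: presumably it exists so that padding and fields never assigned in the a.out header do not carry stale kernel stack bytes into the user-readable core file. A comment such as `/* clear the header so uninitialised stack contents cannot leak into the core dump */` would record that. `aout_core_dump` continues outside the hunk, so which fields are later filled is not visible here.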
6299 diff -urNp linux-2.6.38.1/arch/x86/ia32/ia32entry.S linux-2.6.38.1/arch/x86/ia32/ia32entry.S
6300 --- linux-2.6.38.1/arch/x86/ia32/ia32entry.S 2011-03-14 21:20:32.000000000 -0400
6301 +++ linux-2.6.38.1/arch/x86/ia32/ia32entry.S 2011-03-21 18:31:35.000000000 -0400
6303 #include <asm/thread_info.h>
6304 #include <asm/segment.h>
6305 #include <asm/irqflags.h>
6306 +#include <asm/pgtable.h>
6307 #include <linux/linkage.h>
6309 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6310 @@ -93,6 +94,18 @@ ENTRY(native_irq_enable_sysexit)
6311 ENDPROC(native_irq_enable_sysexit)
6314 + .macro pax_enter_kernel_user
6315 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6316 + call pax_enter_kernel_user
6320 + .macro pax_exit_kernel_user
6321 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6322 + call pax_exit_kernel_user
6327 * 32bit SYSENTER instruction entry.
6329 @@ -120,6 +133,7 @@ ENTRY(ia32_sysenter_target)
6331 movq PER_CPU_VAR(kernel_stack), %rsp
6332 addq $(KERNEL_STACK_OFFSET),%rsp
6333 + pax_enter_kernel_user
6335 * No need to follow this irqs on/off section: the syscall
6336 * disabled irqs, here we enable it straight after entry:
6337 @@ -150,6 +164,12 @@ ENTRY(ia32_sysenter_target)
6339 /* no need to do an access_ok check here because rbp has been
6340 32bit zero extended */
6342 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6343 + mov $PAX_USER_SHADOW_BASE,%r10
6348 .section __ex_table,"a"
6349 .quad 1b,ia32_badarg
6350 @@ -172,6 +192,7 @@ sysenter_dispatch:
6351 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6353 sysexit_from_sys_call:
6354 + pax_exit_kernel_user
6355 andl $~TS_COMPAT,TI_status(%r10)
6356 /* clear IF, that popfq doesn't enable interrupts early */
6357 andl $~0x200,EFLAGS-R11(%rsp)
6358 @@ -290,6 +311,11 @@ ENTRY(ia32_cstar_target)
6361 movq PER_CPU_VAR(kernel_stack),%rsp
6363 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6364 + pax_enter_kernel_user
6368 * No need to follow this irqs on/off section: the syscall
6369 * disabled irqs and here we enable it straight after entry:
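Review bot: `pax_enter_kernel_user` is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF` here, but the macro defined earlier in this file (hunk after `ENDPROC(native_irq_enable_sysexit)`) already expands to nothing unless that option is set, and the sysenter and `ia32_syscall` entry paths invoke it unguarded. Drop the outer `#ifdef` so the three entry points read the same way, or, if the guard covers other lines in the elided part of this hunk, add a comment saying so.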
6370 @@ -311,6 +337,12 @@ ENTRY(ia32_cstar_target)
6371 /* no need to do an access_ok check here because r8 has been
6372 32bit zero extended */
6373 /* hardware stack frame is complete now */
6375 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6376 + mov $PAX_USER_SHADOW_BASE,%r10
6381 .section __ex_table,"a"
6382 .quad 1b,ia32_badarg
6383 @@ -333,6 +365,7 @@ cstar_dispatch:
6384 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6386 sysretl_from_sys_call:
6387 + pax_exit_kernel_user
6388 andl $~TS_COMPAT,TI_status(%r10)
6389 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6390 movl RIP-ARGOFFSET(%rsp),%ecx
6391 @@ -415,6 +448,7 @@ ENTRY(ia32_syscall)
6392 CFI_REL_OFFSET rip,RIP-RIP
6393 PARAVIRT_ADJUST_EXCEPTION_FRAME
6395 + pax_enter_kernel_user
6397 * No need to follow this irqs on/off section: the syscall
6398 * disabled irqs and here we enable it straight after entry:
6399 diff -urNp linux-2.6.38.1/arch/x86/ia32/ia32_signal.c linux-2.6.38.1/arch/x86/ia32/ia32_signal.c
6400 --- linux-2.6.38.1/arch/x86/ia32/ia32_signal.c 2011-03-14 21:20:32.000000000 -0400
6401 +++ linux-2.6.38.1/arch/x86/ia32/ia32_signal.c 2011-03-21 18:31:35.000000000 -0400
6402 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6404 /* Align the stack pointer according to the i386 ABI,
6405 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6406 - sp = ((sp + 4) & -16ul) - 4;
6407 + sp = ((sp - 12) & -16ul) - 4;
6408 return (void __user *) sp;
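Review bot: The comment above `sp = ((sp - 12) & -16ul) - 4;` still describes the i386 ABI rounding that the old `(sp + 4)` form implemented; the new expression lands at least 16 bytes lower than the old one for every input, and nothing says why that extra room is needed. Extend the comment with the reason, presumably related to the frame's `retcode` now serving as the restorer in the rt_frame hunk below, e.g. `/* ... and reserve an extra 16 bytes below the frame: <reason> */`. `get_sigframe` starts before the hunk, so what has already been subtracted from sp is not visible.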
6411 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6412 * These are actually not used anymore, but left because some
6413 * gdb versions depend on them as a marker.
6415 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6416 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6417 } put_user_catch(err);
6420 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6422 __NR_ia32_rt_sigreturn,
6428 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6429 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6431 if (ka->sa.sa_flags & SA_RESTORER)
6432 restorer = ka->sa.sa_restorer;
6433 + else if (current->mm->context.vdso)
6434 + /* Return stub is in 32bit vsyscall page */
6435 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6437 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6439 + restorer = &frame->retcode;
6440 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6443 * Not actually used anymore, but left because some gdb
6446 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6447 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6448 } put_user_catch(err);
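Review bot: The new `else` path sets `restorer = &frame->retcode;`, so when no vDSO is mapped the signal return executes code placed in the frame on the user stack; with a non-executable stack that only works if the trampoline is recognised and handled elsewhere, and nothing in this hunk says where. A comment on that line naming the dependency, e.g. `/* no vDSO: return through the on-stack retcode; relies on the trampoline handling in the fault path */`, adjusted to whatever actually provides it, keeps the next reader from "fixing" it. The `ia32_setup_frame` hunk above shows only its `put_user_ex` line, so whether it has the same fallback is not visible.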
6451 diff -urNp linux-2.6.38.1/arch/x86/include/asm/alternative.h linux-2.6.38.1/arch/x86/include/asm/alternative.h
6452 --- linux-2.6.38.1/arch/x86/include/asm/alternative.h 2011-03-14 21:20:32.000000000 -0400
6453 +++ linux-2.6.38.1/arch/x86/include/asm/alternative.h 2011-03-21 18:31:35.000000000 -0400
6454 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
6455 ".section .discard,\"aw\",@progbits\n" \
6456 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6458 - ".section .altinstr_replacement, \"ax\"\n" \
6459 + ".section .altinstr_replacement, \"a\"\n" \
6460 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
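Review bot: Dropping the `x` flag from `.altinstr_replacement` turns the section from executable into plain allocatable without a comment, and the reason (presumably that the replacement bytes are copied over the original instructions at patch time and never executed in place) is the sort of detail a future merge conflict loses. Add it next to the string, e.g. `/* "a", not "ax": replacement bytes are copied into place, never executed here */`. The macro this string belongs to starts outside the hunk.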
6463 diff -urNp linux-2.6.38.1/arch/x86/include/asm/apm.h linux-2.6.38.1/arch/x86/include/asm/apm.h
6464 --- linux-2.6.38.1/arch/x86/include/asm/apm.h 2011-03-14 21:20:32.000000000 -0400
6465 +++ linux-2.6.38.1/arch/x86/include/asm/apm.h 2011-03-21 18:31:35.000000000 -0400
6466 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6467 __asm__ __volatile__(APM_DO_ZERO_SEGS
6470 - "lcall *%%cs:apm_bios_entry\n\t"
6471 + "lcall *%%ss:apm_bios_entry\n\t"
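Review bot: Switching the `lcall` operand from `%%cs:apm_bios_entry` to `%%ss:apm_bios_entry` changes which segment base the BIOS entry descriptor is fetched through, and nothing in the hunk explains why `%cs` is no longer correct; presumably this follows from a non-flat kernel code segment introduced elsewhere in the patch. Record that with a comment on this first occurrence, e.g. `/* fetch via %ss: %cs may carry a non-zero base under KERNEXEC */`, hedged to the actual reason. The second hunk in this file makes the identical change and can refer back to this comment.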
6475 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6476 __asm__ __volatile__(APM_DO_ZERO_SEGS
6479 - "lcall *%%cs:apm_bios_entry\n\t"
6480 + "lcall *%%ss:apm_bios_entry\n\t"
6484 diff -urNp linux-2.6.38.1/arch/x86/include/asm/atomic64_32.h linux-2.6.38.1/arch/x86/include/asm/atomic64_32.h
6485 --- linux-2.6.38.1/arch/x86/include/asm/atomic64_32.h 2011-03-14 21:20:32.000000000 -0400
6486 +++ linux-2.6.38.1/arch/x86/include/asm/atomic64_32.h 2011-03-21 18:31:35.000000000 -0400
6487 @@ -12,6 +12,14 @@ typedef struct {
6488 u64 __aligned(8) counter;
6491 +#ifdef CONFIG_PAX_REFCOUNT
6493 + u64 __aligned(8) counter;
6494 +} atomic64_unchecked_t;
6496 +typedef atomic64_t atomic64_unchecked_t;
6499 #define ATOMIC64_INIT(val) { (val) }
6501 #ifdef CONFIG_X86_CMPXCHG64
6502 diff -urNp linux-2.6.38.1/arch/x86/include/asm/atomic64_64.h linux-2.6.38.1/arch/x86/include/asm/atomic64_64.h
6503 --- linux-2.6.38.1/arch/x86/include/asm/atomic64_64.h 2011-03-14 21:20:32.000000000 -0400
6504 +++ linux-2.6.38.1/arch/x86/include/asm/atomic64_64.h 2011-03-21 18:31:35.000000000 -0400
6507 static inline long atomic64_read(const atomic64_t *v)
6509 - return (*(volatile long *)&(v)->counter);
6510 + return (*(volatile const long *)&(v)->counter);
6514 + * atomic64_read_unchecked - read atomic64 variable
6515 + * @v: pointer of type atomic64_unchecked_t
6517 + * Atomically reads the value of @v.
6518 + * Doesn't imply a read memory barrier.
6520 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6522 + return (*(volatile const long *)&(v)->counter);
6526 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6530 + * atomic64_set_unchecked - set atomic64 variable
6531 + * @v: pointer to type atomic64_unchecked_t
6532 + * @i: required value
6534 + * Atomically sets the value of @v to @i.
6536 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6542 * atomic64_add - add integer to atomic64 variable
6543 * @i: integer value to add
6544 * @v: pointer to type atomic64_t
6545 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6547 static inline void atomic64_add(long i, atomic64_t *v)
6549 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6551 +#ifdef CONFIG_PAX_REFCOUNT
6553 + LOCK_PREFIX "subq %1,%0\n"
6555 + _ASM_EXTABLE(0b, 0b)
6558 + : "=m" (v->counter)
6559 + : "er" (i), "m" (v->counter));
6563 + * atomic64_add_unchecked - add integer to atomic64 variable
6564 + * @i: integer value to add
6565 + * @v: pointer to type atomic64_unchecked_t
6567 + * Atomically adds @i to @v.
6569 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6571 asm volatile(LOCK_PREFIX "addq %1,%0"
6573 : "er" (i), "m" (v->counter));
6574 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6576 static inline void atomic64_sub(long i, atomic64_t *v)
6578 - asm volatile(LOCK_PREFIX "subq %1,%0"
6579 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6581 +#ifdef CONFIG_PAX_REFCOUNT
6583 + LOCK_PREFIX "addq %1,%0\n"
6585 + _ASM_EXTABLE(0b, 0b)
6588 + : "=m" (v->counter)
6589 + : "er" (i), "m" (v->counter));
6593 + * atomic64_sub_unchecked - subtract the atomic64 variable
6594 + * @i: integer value to subtract
6595 + * @v: pointer to type atomic64_unchecked_t
6597 + * Atomically subtracts @i from @v.
6599 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6601 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6603 : "er" (i), "m" (v->counter));
6605 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6609 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6610 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6612 +#ifdef CONFIG_PAX_REFCOUNT
6614 + LOCK_PREFIX "addq %2,%0\n"
6616 + _ASM_EXTABLE(0b, 0b)
6620 : "=m" (v->counter), "=qm" (c)
6621 : "er" (i), "m" (v->counter) : "memory");
6623 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6625 static inline void atomic64_inc(atomic64_t *v)
6627 + asm volatile(LOCK_PREFIX "incq %0\n"
6629 +#ifdef CONFIG_PAX_REFCOUNT
6631 + LOCK_PREFIX "decq %0\n"
6633 + _ASM_EXTABLE(0b, 0b)
6636 + : "=m" (v->counter)
6637 + : "m" (v->counter));
6641 + * atomic64_inc_unchecked - increment atomic64 variable
6642 + * @v: pointer to type atomic64_unchecked_t
6644 + * Atomically increments @v by 1.
6646 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6648 asm volatile(LOCK_PREFIX "incq %0"
6650 : "m" (v->counter));
6651 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6653 static inline void atomic64_dec(atomic64_t *v)
6655 - asm volatile(LOCK_PREFIX "decq %0"
6656 + asm volatile(LOCK_PREFIX "decq %0\n"
6658 +#ifdef CONFIG_PAX_REFCOUNT
6660 + LOCK_PREFIX "incq %0\n"
6662 + _ASM_EXTABLE(0b, 0b)
6665 + : "=m" (v->counter)
6666 + : "m" (v->counter));
6670 + * atomic64_dec_unchecked - decrement atomic64 variable
6671 + * @v: pointer to type atomic64_t
6673 + * Atomically decrements @v by 1.
6675 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6677 + asm volatile(LOCK_PREFIX "decq %0\n"
6679 : "m" (v->counter));
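Review bot: The kerneldoc for `atomic64_dec_unchecked` says ` * @v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *v`; the sibling `atomic64_inc_unchecked` above gets it right. Change the line to ` * @v: pointer to type atomic64_unchecked_t`. The `decq %0\n` in the unchecked body keeps a trailing newline that no longer separates anything, whereas the unchecked `incq %0` above omits it; harmless, but worth making consistent.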
6681 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6685 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6686 + asm volatile(LOCK_PREFIX "decq %0\n"
6688 +#ifdef CONFIG_PAX_REFCOUNT
6690 + LOCK_PREFIX "incq %0\n"
6692 + _ASM_EXTABLE(0b, 0b)
6696 : "=m" (v->counter), "=qm" (c)
6697 : "m" (v->counter) : "memory");
6699 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6703 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6704 + asm volatile(LOCK_PREFIX "incq %0\n"
6706 +#ifdef CONFIG_PAX_REFCOUNT
6708 + LOCK_PREFIX "decq %0\n"
6710 + _ASM_EXTABLE(0b, 0b)
6714 : "=m" (v->counter), "=qm" (c)
6715 : "m" (v->counter) : "memory");
6717 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6721 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6722 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6724 +#ifdef CONFIG_PAX_REFCOUNT
6726 + LOCK_PREFIX "subq %2,%0\n"
6728 + _ASM_EXTABLE(0b, 0b)
6732 : "=m" (v->counter), "=qm" (c)
6733 : "er" (i), "m" (v->counter) : "memory");
6735 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6736 static inline long atomic64_add_return(long i, atomic64_t *v)
6739 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6740 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6742 +#ifdef CONFIG_PAX_REFCOUNT
6746 + _ASM_EXTABLE(0b, 0b)
6749 + : "+r" (i), "+m" (v->counter)
6755 + * atomic64_add_return_unchecked - add and return
6756 + * @i: integer value to add
6757 + * @v: pointer to type atomic64_unchecked_t
6759 + * Atomically adds @i to @v and returns @i + @v
6761 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6764 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6765 : "+r" (i), "+m" (v->counter)
6768 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6771 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6772 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6774 + return atomic64_add_return_unchecked(1, v);
6776 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6778 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6779 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6781 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6785 c = atomic64_read(v);
6787 - if (unlikely(c == (u)))
6788 + if (unlikely(c == u))
6790 - old = atomic64_cmpxchg((v), c, c + (a));
6792 + asm volatile("add %2,%0\n"
6794 +#ifdef CONFIG_PAX_REFCOUNT
6798 + _ASM_EXTABLE(0b, 0b)
6802 + : "0" (c), "ir" (a));
6804 + old = atomic64_cmpxchg(v, c, new);
6805 if (likely(old == c))
6813 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
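Review bot: The new inline asm in atomic64_add_unless passes the 64-bit addend as `"ir" (a)`, but on x86-64 `add` only takes a sign-extended 32-bit immediate, so a constant `a` outside that range would fail to assemble; the rest of this file uses the `"er"` constraint for the same operand (see atomic64_add_negative above), and this line should be `: "0" (c), "er" (a));`. Today's callers are unaffected (atomic64_inc_not_zero passes 1), so this is a latent build break rather than a runtime bug. The elided lines between `add` and `_ASM_EXTABLE` presumably hold the `jno`/rollback/`int $4` sequence, which I could not review from this excerpt.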
6814 diff -urNp linux-2.6.38.1/arch/x86/include/asm/atomic.h linux-2.6.38.1/arch/x86/include/asm/atomic.h
6815 --- linux-2.6.38.1/arch/x86/include/asm/atomic.h 2011-03-14 21:20:32.000000000 -0400
6816 +++ linux-2.6.38.1/arch/x86/include/asm/atomic.h 2011-03-21 18:31:35.000000000 -0400
6819 static inline int atomic_read(const atomic_t *v)
6821 - return (*(volatile int *)&(v)->counter);
6822 + return (*(volatile const int *)&(v)->counter);
6826 + * atomic_read_unchecked - read atomic variable
6827 + * @v: pointer of type atomic_unchecked_t
6829 + * Atomically reads the value of @v.
6831 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6833 + return (*(volatile const int *)&(v)->counter);
6837 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6841 + * atomic_set_unchecked - set atomic variable
6842 + * @v: pointer of type atomic_unchecked_t
6843 + * @i: required value
6845 + * Atomically sets the value of @v to @i.
6847 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6853 * atomic_add - add integer to atomic variable
6854 * @i: integer value to add
6855 * @v: pointer of type atomic_t
6856 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6858 static inline void atomic_add(int i, atomic_t *v)
6860 - asm volatile(LOCK_PREFIX "addl %1,%0"
6861 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6863 +#ifdef CONFIG_PAX_REFCOUNT
6865 + LOCK_PREFIX "subl %1,%0\n"
6867 + _ASM_EXTABLE(0b, 0b)
6870 + : "+m" (v->counter)
6875 + * atomic_add_unchecked - add integer to atomic variable
6876 + * @i: integer value to add
6877 + * @v: pointer of type atomic_unchecked_t
6879 + * Atomically adds @i to @v.
6881 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6883 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
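Review bot: The CONFIG_PAX_REFCOUNT block in atomic_add changes the function's contract (a signed overflow is undone by the compensating `subl` and, assuming the elided lines between the two instructions are the usual `jno`/`int $4` pair, the task is trapped), but neither the atomic_add comment nor the new atomic_add_unchecked one mentions it. I would add above atomic_add `/* CONFIG_PAX_REFCOUNT: a signed overflow is rolled back and trapped instead of wrapping */` and on atomic_add_unchecked `/* no overflow check: only for counters that may legitimately wrap */`. Note that the rollback is a second locked RMW, so another CPU can briefly observe the wrapped value between the `addl` and the `subl`; that is inherent to the design but worth stating so nobody relies on the counter never being seen out of range.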
6887 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6889 static inline void atomic_sub(int i, atomic_t *v)
6891 - asm volatile(LOCK_PREFIX "subl %1,%0"
6892 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6894 +#ifdef CONFIG_PAX_REFCOUNT
6896 + LOCK_PREFIX "addl %1,%0\n"
6898 + _ASM_EXTABLE(0b, 0b)
6901 + : "+m" (v->counter)
6906 + * atomic_sub_unchecked - subtract integer from atomic variable
6907 + * @i: integer value to subtract
6908 + * @v: pointer of type atomic_t
6910 + * Atomically subtracts @i from @v.
6912 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6914 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
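Review bot: The kernel-doc for atomic_sub_unchecked says `@v: pointer of type atomic_t` but the parameter is `atomic_unchecked_t *v`; change it to `@v: pointer of type atomic_unchecked_t` as the sibling atomic_add_unchecked comment does. A short sentence that this variant has no CONFIG_PAX_REFCOUNT underflow protection would stop it being picked for reference counts by accident.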
6918 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6922 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6923 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6925 +#ifdef CONFIG_PAX_REFCOUNT
6927 + LOCK_PREFIX "addl %2,%0\n"
6929 + _ASM_EXTABLE(0b, 0b)
6933 : "+m" (v->counter), "=qm" (c)
6934 : "ir" (i) : "memory");
6936 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6938 static inline void atomic_inc(atomic_t *v)
6940 - asm volatile(LOCK_PREFIX "incl %0"
6941 + asm volatile(LOCK_PREFIX "incl %0\n"
6943 +#ifdef CONFIG_PAX_REFCOUNT
6945 + LOCK_PREFIX "decl %0\n"
6947 + _ASM_EXTABLE(0b, 0b)
6950 + : "+m" (v->counter));
6954 + * atomic_inc_unchecked - increment atomic variable
6955 + * @v: pointer of type atomic_unchecked_t
6957 + * Atomically increments @v by 1.
6959 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6961 + asm volatile(LOCK_PREFIX "incl %0\n"
6962 : "+m" (v->counter));
6965 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6967 static inline void atomic_dec(atomic_t *v)
6969 - asm volatile(LOCK_PREFIX "decl %0"
6970 + asm volatile(LOCK_PREFIX "decl %0\n"
6972 +#ifdef CONFIG_PAX_REFCOUNT
6974 + LOCK_PREFIX "incl %0\n"
6976 + _ASM_EXTABLE(0b, 0b)
6979 + : "+m" (v->counter));
6983 + * atomic_dec_unchecked - decrement atomic variable
6984 + * @v: pointer of type atomic_t
6986 + * Atomically decrements @v by 1.
6988 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6990 + asm volatile(LOCK_PREFIX "decl %0\n"
6991 : "+m" (v->counter));
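Review bot: The kernel-doc for atomic_dec_unchecked says `@v: pointer of type atomic_t` while the parameter is `atomic_unchecked_t *v`; it should read `@v: pointer of type atomic_unchecked_t`, consistent with atomic_inc_unchecked above. Since atomic_dec on a refcount is exactly where an underflow matters, the comment should also say this variant skips the CONFIG_PAX_REFCOUNT check.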
6994 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6998 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6999 + asm volatile(LOCK_PREFIX "decl %0\n"
7001 +#ifdef CONFIG_PAX_REFCOUNT
7003 + LOCK_PREFIX "incl %0\n"
7005 + _ASM_EXTABLE(0b, 0b)
7009 : "+m" (v->counter), "=qm" (c)
7012 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
7016 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7017 + asm volatile(LOCK_PREFIX "incl %0\n"
7019 +#ifdef CONFIG_PAX_REFCOUNT
7021 + LOCK_PREFIX "decl %0\n"
7023 + _ASM_EXTABLE(0b, 0b)
7027 : "+m" (v->counter), "=qm" (c)
7030 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
7034 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7035 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7037 +#ifdef CONFIG_PAX_REFCOUNT
7039 + LOCK_PREFIX "subl %2,%0\n"
7041 + _ASM_EXTABLE(0b, 0b)
7045 : "+m" (v->counter), "=qm" (c)
7046 : "ir" (i) : "memory");
7048 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
7050 /* Modern 486+ processor */
7052 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7054 +#ifdef CONFIG_PAX_REFCOUNT
7058 + _ASM_EXTABLE(0b, 0b)
7061 + : "+r" (i), "+m" (v->counter)
7066 +no_xadd: /* Legacy 386 processor */
7067 + local_irq_save(flags);
7068 + __i = atomic_read(v);
7069 + atomic_set(v, i + __i);
7070 + local_irq_restore(flags);
7076 + * atomic_add_return_unchecked - add integer and return
7077 + * @v: pointer of type atomic_unchecked_t
7078 + * @i: integer value to add
7080 + * Atomically adds @i to @v and returns @i + @v
7082 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7086 + unsigned long flags;
7087 + if (unlikely(boot_cpu_data.x86 <= 3))
7090 + /* Modern 486+ processor */
7092 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7093 : "+r" (i), "+m" (v->counter)
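Review bot: The `no_xadd` fallback in atomic_add_return (`__i = atomic_read(v); atomic_set(v, i + __i);`) does the addition in plain C, so on a CONFIG_M386 build the CONFIG_PAX_REFCOUNT trap that guards the `xaddl` path above is silently absent and `i + __i` is an ordinary signed overflow. If the refcount protection is meant to hold on every supported CPU, the fallback needs an explicit overflow test on `i + __i` before the `atomic_set` (restoring IRQs and then invoking the same overflow handling the `int $4` path uses); otherwise a comment such as `/* no overflow check on the 386 path */` is the minimum. atomic_add_return's opening lines and the `goto no_xadd` are outside this hunk, so I have assumed the label is only reached from the `boot_cpu_data.x86 <= 3` test shown in the unchecked variant.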
7095 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
7098 #define atomic_inc_return(v) (atomic_add_return(1, v))
7099 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7101 + return atomic_add_return_unchecked(1, v);
7103 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7105 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
7106 @@ -231,21 +418,77 @@ static inline int atomic_xchg(atomic_t *
7108 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7114 - if (unlikely(c == (u)))
7115 + if (unlikely(c == u))
7117 - old = atomic_cmpxchg((v), c, c + (a));
7119 + asm volatile("addl %2,%0\n"
7121 +#ifdef CONFIG_PAX_REFCOUNT
7125 + _ASM_EXTABLE(0b, 0b)
7129 + : "0" (c), "ir" (a));
7131 + old = atomic_cmpxchg(v, c, new);
7132 if (likely(old == c))
7140 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7143 + * atomic_inc_not_zero_hint - increment if not null
7144 + * @v: pointer of type atomic_t
7145 + * @hint: probable value of the atomic before the increment
7147 + * This version of atomic_inc_not_zero() gives a hint of probable
7148 + * value of the atomic. This helps processor to not read the memory
7149 + * before doing the atomic read/modify/write cycle, lowering
7150 + * number of bus transactions on some arches.
7152 + * Returns: 0 if increment was not done, 1 otherwise.
7154 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
7155 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
7157 + int val, c = hint, new;
7159 + /* sanity test, should be removed by compiler if hint is a constant */
7161 + return atomic_inc_not_zero(v);
7164 + asm volatile("incl %0\n"
7166 +#ifdef CONFIG_PAX_REFCOUNT
7170 + _ASM_EXTABLE(0b, 0b)
7176 + val = atomic_cmpxchg(v, c, new);
7186 * atomic_dec_if_positive - decrement by 1 if old value positive
7187 * @v: pointer of type atomic_t
7188 diff -urNp linux-2.6.38.1/arch/x86/include/asm/bitops.h linux-2.6.38.1/arch/x86/include/asm/bitops.h
7189 --- linux-2.6.38.1/arch/x86/include/asm/bitops.h 2011-03-14 21:20:32.000000000 -0400
7190 +++ linux-2.6.38.1/arch/x86/include/asm/bitops.h 2011-03-21 18:31:35.000000000 -0400
7192 * a mask operation on a byte.
7194 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7195 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7196 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7197 #define CONST_MASK(nr) (1 << ((nr) & 7))
7200 diff -urNp linux-2.6.38.1/arch/x86/include/asm/boot.h linux-2.6.38.1/arch/x86/include/asm/boot.h
7201 --- linux-2.6.38.1/arch/x86/include/asm/boot.h 2011-03-14 21:20:32.000000000 -0400
7202 +++ linux-2.6.38.1/arch/x86/include/asm/boot.h 2011-03-21 18:31:35.000000000 -0400
7204 #include <asm/pgtable_types.h>
7206 /* Physical address where kernel should be loaded. */
7207 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7208 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7209 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7210 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7212 +#ifndef __ASSEMBLY__
7213 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7214 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7217 /* Minimum kernel alignment, as a power of two */
7218 #ifdef CONFIG_X86_64
7219 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
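Review bot: LOAD_PHYSICAL_ADDR is now `(unsigned long)__LOAD_PHYSICAL_ADDR`, the address of an extern array, so it is no longer an integer constant expression: any `#if`, static initializer, array bound or `case` label that used the old macro will stop compiling, and assembly must switch to `____LOAD_PHYSICAL_ADDR`. That split deserves a comment beside the two macros, e.g. `/* ____LOAD_PHYSICAL_ADDR: compile-time constant (asm, #if); LOAD_PHYSICAL_ADDR: link-time symbol, not usable in constant expressions */`. Where `__LOAD_PHYSICAL_ADDR` is defined (presumably the linker script) and the `#else` branch for `__ASSEMBLY__` are not visible here, so I could not confirm both sides agree.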
7220 diff -urNp linux-2.6.38.1/arch/x86/include/asm/cacheflush.h linux-2.6.38.1/arch/x86/include/asm/cacheflush.h
7221 --- linux-2.6.38.1/arch/x86/include/asm/cacheflush.h 2011-03-14 21:20:32.000000000 -0400
7222 +++ linux-2.6.38.1/arch/x86/include/asm/cacheflush.h 2011-03-21 18:31:35.000000000 -0400
7223 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7224 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7226 if (pg_flags == _PGMT_DEFAULT)
7229 else if (pg_flags == _PGMT_WC)
7230 return _PAGE_CACHE_WC;
7231 else if (pg_flags == _PGMT_UC_MINUS)
7232 diff -urNp linux-2.6.38.1/arch/x86/include/asm/cache.h linux-2.6.38.1/arch/x86/include/asm/cache.h
7233 --- linux-2.6.38.1/arch/x86/include/asm/cache.h 2011-03-14 21:20:32.000000000 -0400
7234 +++ linux-2.6.38.1/arch/x86/include/asm/cache.h 2011-03-21 18:31:35.000000000 -0400
7236 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7238 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7239 +#define __read_only __attribute__((__section__(".data..read_only")))
7241 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7242 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
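Review bot: `__read_only` is introduced with no comment on what `.data..read_only` guarantees or how an object placed there may still be written. Elsewhere in this patch, writes to write-protected tables are bracketed by `pax_open_kernel()`/`pax_close_kernel()` (the IDT/GDT writers in desc.h), so I would document that contract here: `/* presumably mapped read-only after init; modify only between pax_open_kernel() and pax_close_kernel() */`. The linker-script placement of the section is outside this excerpt, so whether it is page-aligned and actually protected has to be checked there.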
7243 diff -urNp linux-2.6.38.1/arch/x86/include/asm/checksum_32.h linux-2.6.38.1/arch/x86/include/asm/checksum_32.h
7244 --- linux-2.6.38.1/arch/x86/include/asm/checksum_32.h 2011-03-14 21:20:32.000000000 -0400
7245 +++ linux-2.6.38.1/arch/x86/include/asm/checksum_32.h 2011-03-21 18:31:35.000000000 -0400
7246 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7247 int len, __wsum sum,
7248 int *src_err_ptr, int *dst_err_ptr);
7250 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7251 + int len, __wsum sum,
7252 + int *src_err_ptr, int *dst_err_ptr);
7254 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7255 + int len, __wsum sum,
7256 + int *src_err_ptr, int *dst_err_ptr);
7259 * Note: when you get a NULL pointer exception here this means someone
7260 * passed in an incorrect kernel address to one of these functions.
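Review bot: The new csum_partial_copy_generic_to_user/_from_user prototypes keep plain `void *` for both buffers, which forces the callers below to strip the address space with `(__force void *)` and hides the user/kernel direction from sparse. Since the only difference between the three variants is which side is user memory, declaring `const void __user *src` on `_from_user` and `void __user *dst` on `_to_user` lets sparse check every caller and removes the two `__force` casts. The comment below about a NULL-pointer fault meaning an incorrect kernel address still holds for the kernel-side buffer of each variant and could say so explicitly.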
7261 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7265 - return csum_partial_copy_generic((__force void *)src, dst,
7266 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7267 len, sum, err_ptr, NULL);
7270 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7273 if (access_ok(VERIFY_WRITE, dst, len))
7274 - return csum_partial_copy_generic(src, (__force void *)dst,
7275 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7276 len, sum, NULL, err_ptr);
7279 diff -urNp linux-2.6.38.1/arch/x86/include/asm/cpufeature.h linux-2.6.38.1/arch/x86/include/asm/cpufeature.h
7280 --- linux-2.6.38.1/arch/x86/include/asm/cpufeature.h 2011-03-14 21:20:32.000000000 -0400
7281 +++ linux-2.6.38.1/arch/x86/include/asm/cpufeature.h 2011-03-21 18:31:35.000000000 -0400
7282 @@ -349,7 +349,7 @@ static __always_inline __pure bool __sta
7283 ".section .discard,\"aw\",@progbits\n"
7284 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7286 - ".section .altinstr_replacement,\"ax\"\n"
7287 + ".section .altinstr_replacement,\"a\"\n"
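Review bot: Dropping the `x` flag makes this declaration of `.altinstr_replacement` allocatable but not executable; if any other declaration of the same section in the tree (alternative.h, the .S files) still says `"ax"`, the assembler will warn or error about changed section attributes when both appear in one translation unit, and the result depends on which declaration it sees first. Please confirm the remaining declarations were switched in the same patch. A one-line comment would also explain why this differs from upstream, e.g. `/* replacement bytes are presumably copied into place, never executed here: keep the section non-executable */`.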
7291 diff -urNp linux-2.6.38.1/arch/x86/include/asm/desc_defs.h linux-2.6.38.1/arch/x86/include/asm/desc_defs.h
7292 --- linux-2.6.38.1/arch/x86/include/asm/desc_defs.h 2011-03-14 21:20:32.000000000 -0400
7293 +++ linux-2.6.38.1/arch/x86/include/asm/desc_defs.h 2011-03-21 18:31:35.000000000 -0400
7294 @@ -31,6 +31,12 @@ struct desc_struct {
7295 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7296 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7301 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7302 + unsigned offset_high: 16;
7305 } __attribute__((packed));
7307 diff -urNp linux-2.6.38.1/arch/x86/include/asm/desc.h linux-2.6.38.1/arch/x86/include/asm/desc.h
7308 --- linux-2.6.38.1/arch/x86/include/asm/desc.h 2011-03-14 21:20:32.000000000 -0400
7309 +++ linux-2.6.38.1/arch/x86/include/asm/desc.h 2011-03-21 18:31:35.000000000 -0400
7311 #include <asm/desc_defs.h>
7312 #include <asm/ldt.h>
7313 #include <asm/mmu.h>
7314 +#include <asm/pgtable.h>
7315 #include <linux/smp.h>
7317 static inline void fill_ldt(struct desc_struct *desc,
7318 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7319 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7320 desc->type = (info->read_exec_only ^ 1) << 1;
7321 desc->type |= info->contents << 2;
7322 + desc->type |= info->seg_not_present ^ 1;
7325 desc->p = info->seg_not_present ^ 1;
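Review bot: `desc->type |= info->seg_not_present ^ 1;` sets the low type bit (the descriptor's accessed bit) for every present LDT entry without saying why, and a reader comparing with upstream will take it for a bug. Presumably the intent is that the CPU never has to write the descriptor itself, which matters once the LDT/GDT are written only under pax_open_kernel() as elsewhere in this patch, so add `/* pre-set the accessed bit so the CPU never needs to write a descriptor that may live in read-only memory */`. On configurations where the tables are not actually write-protected the bit is harmless, so the comment is the only change needed.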
7326 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7329 extern struct desc_ptr idt_descr;
7330 -extern gate_desc idt_table[];
7333 - struct desc_struct gdt[GDT_ENTRIES];
7334 -} __attribute__((aligned(PAGE_SIZE)));
7335 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7336 +extern gate_desc idt_table[256];
7338 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7339 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7341 - return per_cpu(gdt_page, cpu).gdt;
7342 + return cpu_gdt_table[cpu];
7345 #ifdef CONFIG_X86_64
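Review bot: Replacing the per-CPU page-aligned `gdt_page` with a static `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` only achieves per-CPU page protection if the definition is page-aligned, and this declaration cannot carry that guarantee; please check that the definition (outside this excerpt) has `__attribute__((aligned(PAGE_SIZE)))` or lives in a page-aligned section, and say so in a comment here, e.g. `/* one page per CPU; definition must be page-aligned so each GDT can be mapped read-only */`. The table also reserves NR_CPUS pages statically rather than one per present CPU, which is worth noting for large NR_CPUS builds. get_cpu_gdt_table keeps indexing `cpu` unchecked, as before.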
7346 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
7347 unsigned long base, unsigned dpl, unsigned flags,
7350 - gate->a = (seg << 16) | (base & 0xffff);
7351 - gate->b = (base & 0xffff0000) |
7352 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7353 + gate->gate.offset_low = base;
7354 + gate->gate.seg = seg;
7355 + gate->gate.reserved = 0;
7356 + gate->gate.type = type;
7358 + gate->gate.dpl = dpl;
7360 + gate->gate.offset_high = base >> 16;
7364 @@ -115,19 +118,24 @@ static inline void paravirt_free_ldt(str
7365 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7366 const gate_desc *gate)
7368 + pax_open_kernel();
7369 memcpy(&idt[entry], gate, sizeof(*gate));
7370 + pax_close_kernel();
7373 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7376 + pax_open_kernel();
7377 memcpy(&ldt[entry], desc, 8);
7378 + pax_close_kernel();
7381 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7382 const void *desc, int type)
7388 size = sizeof(tss_desc);
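Review bot: Every write to the IDT/LDT/GDT is now wrapped in `pax_open_kernel()`/`pax_close_kernel()`, but the new code carries no hint of what those calls require of the caller. Their definition is not visible here; if, as the names suggest, they temporarily lift write protection on the local CPU, the window must be non-preemptible (a migration between open and close would leave one CPU writable and re-protect another) and must stay as short as it is in these three functions. I would add at native_write_idt_entry: `/* tables are write-protected; pax_open_kernel() must not be held across anything that can sleep or migrate */`. native_write_gdt_entry continues in the next hunk.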
7389 @@ -139,7 +147,10 @@ static inline void native_write_gdt_entr
7390 size = sizeof(struct desc_struct);
7394 + pax_open_kernel();
7395 memcpy(&gdt[entry], desc, size);
7396 + pax_close_kernel();
7399 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7400 @@ -211,7 +222,9 @@ static inline void native_set_ldt(const
7402 static inline void native_load_tr_desc(void)
7404 + pax_open_kernel();
7405 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7406 + pax_close_kernel();
7409 static inline void native_load_gdt(const struct desc_ptr *dtr)
7410 @@ -246,8 +259,10 @@ static inline void native_load_tls(struc
7412 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7414 + pax_open_kernel();
7415 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7416 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7417 + pax_close_kernel();
7420 #define _LDT_empty(info) \
7421 @@ -309,7 +324,7 @@ static inline void set_desc_limit(struct
7422 desc->limit = (limit >> 16) & 0xf;
7425 -static inline void _set_gate(int gate, unsigned type, void *addr,
7426 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7427 unsigned dpl, unsigned ist, unsigned seg)
7430 @@ -327,7 +342,7 @@ static inline void _set_gate(int gate, u
7431 * Pentium F0 0F bugfix can have resulted in the mapped
7432 * IDT being write-protected.
7434 -static inline void set_intr_gate(unsigned int n, void *addr)
7435 +static inline void set_intr_gate(unsigned int n, const void *addr)
7437 BUG_ON((unsigned)n > 0xFF);
7438 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7439 @@ -356,19 +371,19 @@ static inline void alloc_intr_gate(unsig
7441 * This routine sets up an interrupt gate at directory privilege level 3.
7443 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7444 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7446 BUG_ON((unsigned)n > 0xFF);
7447 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7450 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7451 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7453 BUG_ON((unsigned)n > 0xFF);
7454 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7457 -static inline void set_trap_gate(unsigned int n, void *addr)
7458 +static inline void set_trap_gate(unsigned int n, const void *addr)
7460 BUG_ON((unsigned)n > 0xFF);
7461 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7462 @@ -377,19 +392,31 @@ static inline void set_trap_gate(unsigne
7463 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7465 BUG_ON((unsigned)n > 0xFF);
7466 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7467 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7470 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7471 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7473 BUG_ON((unsigned)n > 0xFF);
7474 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7477 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7478 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7480 BUG_ON((unsigned)n > 0xFF);
7481 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7484 +#ifdef CONFIG_X86_32
7485 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7487 + struct desc_struct d;
7489 + if (likely(limit))
7490 + limit = (limit - 1UL) >> PAGE_SHIFT;
7491 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7492 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7496 #endif /* _ASM_X86_DESC_H */
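Review bot: set_user_cs packs the user code segment with the bare constants `0xFB` and `0xC` and a limit rule (`limit = (limit - 1UL) >> PAGE_SHIFT` when non-zero) that cannot be decoded without the descriptor tables, yet it is the primitive that sets the executable boundary for the user segment and should be self-explanatory. I would write `/* type 0xFB: present, DPL 3, code, readable, accessed; flags 0xC: 4K granularity, 32-bit; limit is in pages */` above the pack_descriptor call, and note that with granularity set a zero limit still yields one 4 KiB page — confirm that is the intended meaning of `limit == 0`. `cpu` is used as an unchecked index via get_cpu_gdt_table, which matches that helper's existing contract.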
7497 diff -urNp linux-2.6.38.1/arch/x86/include/asm/device.h linux-2.6.38.1/arch/x86/include/asm/device.h
7498 --- linux-2.6.38.1/arch/x86/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
7499 +++ linux-2.6.38.1/arch/x86/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
7500 @@ -6,7 +6,7 @@ struct dev_archdata {
7503 #ifdef CONFIG_X86_64
7504 -struct dma_map_ops *dma_ops;
7505 + const struct dma_map_ops *dma_ops;
7507 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7508 void *iommu; /* hook for IOMMU specific extension */
7509 diff -urNp linux-2.6.38.1/arch/x86/include/asm/dma-mapping.h linux-2.6.38.1/arch/x86/include/asm/dma-mapping.h
7510 --- linux-2.6.38.1/arch/x86/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
7511 +++ linux-2.6.38.1/arch/x86/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
7512 @@ -26,9 +26,9 @@ extern int iommu_merge;
7513 extern struct device x86_dma_fallback_dev;
7514 extern int panic_on_overflow;
7516 -extern struct dma_map_ops *dma_ops;
7517 +extern const struct dma_map_ops *dma_ops;
7519 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7520 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7522 #ifdef CONFIG_X86_32
7524 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7525 /* Make sure we keep the same behaviour */
7526 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7528 - struct dma_map_ops *ops = get_dma_ops(dev);
7529 + const struct dma_map_ops *ops = get_dma_ops(dev);
7530 if (ops->mapping_error)
7531 return ops->mapping_error(dev, dma_addr);
7533 @@ -115,7 +115,7 @@ static inline void *
7534 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7537 - struct dma_map_ops *ops = get_dma_ops(dev);
7538 + const struct dma_map_ops *ops = get_dma_ops(dev);
7541 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7542 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7543 static inline void dma_free_coherent(struct device *dev, size_t size,
7544 void *vaddr, dma_addr_t bus)
7546 - struct dma_map_ops *ops = get_dma_ops(dev);
7547 + const struct dma_map_ops *ops = get_dma_ops(dev);
7549 WARN_ON(irqs_disabled()); /* for portability */
7551 diff -urNp linux-2.6.38.1/arch/x86/include/asm/e820.h linux-2.6.38.1/arch/x86/include/asm/e820.h
7552 --- linux-2.6.38.1/arch/x86/include/asm/e820.h 2011-03-14 21:20:32.000000000 -0400
7553 +++ linux-2.6.38.1/arch/x86/include/asm/e820.h 2011-03-21 18:31:35.000000000 -0400
7554 @@ -69,7 +69,7 @@ struct e820map {
7555 #define ISA_START_ADDRESS 0xa0000
7556 #define ISA_END_ADDRESS 0x100000
7558 -#define BIOS_BEGIN 0x000a0000
7559 +#define BIOS_BEGIN 0x000c0000
7560 #define BIOS_END 0x00100000
7562 #define BIOS_ROM_BASE 0xffe00000
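Review bot: Moving BIOS_BEGIN from 0xa0000 to 0xc0000 takes the 0xa0000-0xbffff legacy VGA window out of the "BIOS" range with no comment, so any code that uses BIOS_BEGIN to decide what to reserve, map read-only or skip now treats those 128 KiB differently. Presumably that is the intent (the framebuffer must stay writable while the option-ROM/BIOS area from 0xc0000 can be protected), so record it: `/* 0xa0000-0xbffff is VGA memory and must stay writable; BIOS_BEGIN covers only the ROM area */`. The users of BIOS_BEGIN are outside this excerpt, so I could not check each of them against the new value.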
7563 diff -urNp linux-2.6.38.1/arch/x86/include/asm/elf.h linux-2.6.38.1/arch/x86/include/asm/elf.h
7564 --- linux-2.6.38.1/arch/x86/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
7565 +++ linux-2.6.38.1/arch/x86/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
7566 @@ -237,7 +237,25 @@ extern int force_personality32;
7567 the loader. We need to make sure that it is out of the way of the program
7568 that it will "exec", and that there is sufficient room for the brk. */
7570 +#ifdef CONFIG_PAX_SEGMEXEC
7571 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7573 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7576 +#ifdef CONFIG_PAX_ASLR
7577 +#ifdef CONFIG_X86_32
7578 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7580 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7581 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7583 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7585 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7586 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7590 /* This yields a mask that user programs can use to figure out what
7591 instruction set this CPU supports. This could be done in user space,
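Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are counts of random page-offset bits (16 on 32-bit or IA32, `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3` natively) but nothing says so, and the `- 3` is unexplained. A comment such as `/* bits of page-granular random offset applied to the mmap base and stack */`, plus the reason three bits are held back, would make the entropy budget auditable. The SEGMEXEC form of ELF_ET_DYN_BASE now reads `current->mm->pax_flags`, which is fine in the exec path where this macro is used but is a new per-task dependence worth a word.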
7592 @@ -291,8 +309,7 @@ do { \
7593 #define ARCH_DLINFO \
7596 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7597 - (unsigned long)current->mm->context.vdso); \
7598 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7601 #define AT_SYSINFO 32
7602 @@ -303,7 +320,7 @@ do { \
7604 #endif /* !CONFIG_X86_32 */
7606 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7607 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7609 #define VDSO_ENTRY \
7610 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7611 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7612 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7613 #define compat_arch_setup_additional_pages syscall32_setup_pages
7615 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7616 -#define arch_randomize_brk arch_randomize_brk
7618 #endif /* _ASM_X86_ELF_H */
7619 diff -urNp linux-2.6.38.1/arch/x86/include/asm/futex.h linux-2.6.38.1/arch/x86/include/asm/futex.h
7620 --- linux-2.6.38.1/arch/x86/include/asm/futex.h 2011-03-14 21:20:32.000000000 -0400
7621 +++ linux-2.6.38.1/arch/x86/include/asm/futex.h 2011-03-21 18:31:35.000000000 -0400
7623 #include <asm/system.h>
7625 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7626 + typecheck(u32 *, uaddr); \
7627 asm volatile("1:\t" insn "\n" \
7628 "2:\t.section .fixup,\"ax\"\n" \
7629 "3:\tmov\t%3, %1\n" \
7632 _ASM_EXTABLE(1b, 3b) \
7633 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7634 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
7635 : "i" (-EFAULT), "0" (oparg), "1" (0))
7637 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7638 + typecheck(u32 *, uaddr); \
7639 asm volatile("1:\tmovl %2, %0\n" \
7640 "\tmovl\t%0, %3\n" \
7643 _ASM_EXTABLE(1b, 4b) \
7644 _ASM_EXTABLE(2b, 4b) \
7645 : "=&a" (oldval), "=&r" (ret), \
7646 - "+m" (*uaddr), "=&r" (tem) \
7647 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
7648 : "r" (oparg), "i" (-EFAULT), "1" (0))
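Review bot: The new `typecheck(u32 *, uaddr);` in both __futex_atomic_op macros checks against a plain kernel pointer, but every caller passes `u32 __user *uaddr` (see the futex_atomic_op_inuser signature below), so sparse will report an address-space mismatch at each expansion; use `typecheck(u32 __user *, uaddr);`. The `____m(uaddr)` cast in the memory operand then remains the one place the `__user` qualifier is dropped, which is the right shape. futex_atomic_op_inuser's body continues past this hunk.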
7650 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7651 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7653 int op = (encoded_op >> 28) & 7;
7654 int cmp = (encoded_op >> 24) & 15;
7655 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7659 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7660 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7663 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7664 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
7668 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
7672 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7673 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7677 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
7681 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7682 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7685 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7686 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
7687 "2:\t.section .fixup, \"ax\"\n"
7691 _ASM_EXTABLE(1b, 3b)
7692 - : "=a" (oldval), "+m" (*uaddr)
7693 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
7694 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7697 diff -urNp linux-2.6.38.1/arch/x86/include/asm/i387.h linux-2.6.38.1/arch/x86/include/asm/i387.h
7698 --- linux-2.6.38.1/arch/x86/include/asm/i387.h 2011-03-14 21:20:32.000000000 -0400
7699 +++ linux-2.6.38.1/arch/x86/include/asm/i387.h 2011-03-21 18:31:35.000000000 -0400
7700 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7704 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7705 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7706 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7709 /* See comment in fxsave() below. */
7710 #ifdef CONFIG_AS_FXSAVEQ
7711 asm volatile("1: fxrstorq %[fx]\n\t"
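Review bot: The UDEREF rebasing in fxrstor_checking (`if ((unsigned long)fx < PAX_USER_SHADOW_BASE) fx = fx + PAX_USER_SHADOW_BASE`) has no comment, and it alters a kernel-typed pointer in a way that only makes sense if user addresses are reachable through a shadow mapping. Spell that out: `/* UDEREF: user memory is only mapped at PAX_USER_SHADOW_BASE + addr; kernel pointers lie above the base and pass through */`, and note the assumption that every kernel address is >= PAX_USER_SHADOW_BASE. The test accepts any low address, so a bogus kernel-side `fx` below the base would be rebased rather than fault — acceptable only if callers have already validated it.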
7712 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
7716 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7717 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7718 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7722 * Clear the bytes not touched by the fxsave and reserved
7724 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
7725 #endif /* CONFIG_X86_64 */
7727 /* We need a safe address that is cheap to find and that is already
7728 - in L1 during context switch. The best choices are unfortunately
7729 - different for UP and SMP */
7731 -#define safe_address (__per_cpu_offset[0])
7733 -#define safe_address (kstat_cpu(0).cpustat.user)
7735 + in L1 during context switch. */
7736 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7739 * These must be called with preempt disabled
7740 diff -urNp linux-2.6.38.1/arch/x86/include/asm/io.h linux-2.6.38.1/arch/x86/include/asm/io.h
7741 --- linux-2.6.38.1/arch/x86/include/asm/io.h 2011-03-14 21:20:32.000000000 -0400
7742 +++ linux-2.6.38.1/arch/x86/include/asm/io.h 2011-03-21 18:31:35.000000000 -0400
7743 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
7745 #include <linux/vmalloc.h>
7747 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7748 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7750 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7753 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7755 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7759 * Convert a virtual cached pointer to an uncached pointer
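Review bot: valid_phys_addr_range computes `addr + count + PAGE_SIZE - 1` in `unsigned long`, so a caller-controlled `count` near the top of the range wraps the sum and a range beyond the CPU's physical address width is reported as valid; since ARCH_HAS_VALID_PHYS_ADDR_RANGE routes /dev/mem accesses through this check, add `if (count > ~0UL - addr || addr + count > ~0UL - (PAGE_SIZE - 1)) return 0;` before the comparison. On 32-bit the `unsigned long addr` also cannot express PAE addresses above 4 GiB, so the check is only as strong as the callers' truncation, which deserves a comment. Both helpers are conservative by one page when the size is an exact page multiple (the last physically valid page can never pass), which is safe but worth stating so it is not "fixed" inconsistently later.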
7761 diff -urNp linux-2.6.38.1/arch/x86/include/asm/iommu.h linux-2.6.38.1/arch/x86/include/asm/iommu.h
7762 --- linux-2.6.38.1/arch/x86/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
7763 +++ linux-2.6.38.1/arch/x86/include/asm/iommu.h 2011-03-21 18:31:35.000000000 -0400
7765 #ifndef _ASM_X86_IOMMU_H
7766 #define _ASM_X86_IOMMU_H
7768 -extern struct dma_map_ops nommu_dma_ops;
7769 +extern const struct dma_map_ops nommu_dma_ops;
7770 extern int force_iommu, no_iommu;
7771 extern int iommu_detected;
7772 extern int iommu_pass_through;
7773 diff -urNp linux-2.6.38.1/arch/x86/include/asm/irqflags.h linux-2.6.38.1/arch/x86/include/asm/irqflags.h
7774 --- linux-2.6.38.1/arch/x86/include/asm/irqflags.h 2011-03-14 21:20:32.000000000 -0400
7775 +++ linux-2.6.38.1/arch/x86/include/asm/irqflags.h 2011-03-21 18:31:35.000000000 -0400
7776 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7780 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7781 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7782 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7783 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7786 #define INTERRUPT_RETURN iret
7787 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7788 diff -urNp linux-2.6.38.1/arch/x86/include/asm/kvm_host.h linux-2.6.38.1/arch/x86/include/asm/kvm_host.h
7789 --- linux-2.6.38.1/arch/x86/include/asm/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
7790 +++ linux-2.6.38.1/arch/x86/include/asm/kvm_host.h 2011-03-21 18:31:35.000000000 -0400
7791 @@ -603,7 +603,7 @@ struct kvm_arch_async_pf {
7795 -extern struct kvm_x86_ops *kvm_x86_ops;
7796 +extern const struct kvm_x86_ops *kvm_x86_ops;
7798 int kvm_mmu_module_init(void);
7799 void kvm_mmu_module_exit(void);
7800 diff -urNp linux-2.6.38.1/arch/x86/include/asm/local.h linux-2.6.38.1/arch/x86/include/asm/local.h
7801 --- linux-2.6.38.1/arch/x86/include/asm/local.h 2011-03-14 21:20:32.000000000 -0400
7802 +++ linux-2.6.38.1/arch/x86/include/asm/local.h 2011-03-21 18:31:35.000000000 -0400
7803 @@ -18,26 +18,58 @@ typedef struct {
7805 static inline void local_inc(local_t *l)
7807 - asm volatile(_ASM_INC "%0"
7808 + asm volatile(_ASM_INC "%0\n"
7810 +#ifdef CONFIG_PAX_REFCOUNT
7814 + _ASM_EXTABLE(0b, 0b)
7817 : "+m" (l->a.counter));
7820 static inline void local_dec(local_t *l)
7822 - asm volatile(_ASM_DEC "%0"
7823 + asm volatile(_ASM_DEC "%0\n"
7825 +#ifdef CONFIG_PAX_REFCOUNT
7829 + _ASM_EXTABLE(0b, 0b)
7832 : "+m" (l->a.counter));
7835 static inline void local_add(long i, local_t *l)
7837 - asm volatile(_ASM_ADD "%1,%0"
7838 + asm volatile(_ASM_ADD "%1,%0\n"
7840 +#ifdef CONFIG_PAX_REFCOUNT
7842 + _ASM_SUB "%1,%0\n"
7844 + _ASM_EXTABLE(0b, 0b)
7847 : "+m" (l->a.counter)
7851 static inline void local_sub(long i, local_t *l)
7853 - asm volatile(_ASM_SUB "%1,%0"
7854 + asm volatile(_ASM_SUB "%1,%0\n"
7856 +#ifdef CONFIG_PAX_REFCOUNT
7858 + _ASM_ADD "%1,%0\n"
7860 + _ASM_EXTABLE(0b, 0b)
7863 : "+m" (l->a.counter)
7866 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7870 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7871 + asm volatile(_ASM_SUB "%2,%0\n"
7873 +#ifdef CONFIG_PAX_REFCOUNT
7875 + _ASM_ADD "%2,%0\n"
7877 + _ASM_EXTABLE(0b, 0b)
7881 : "+m" (l->a.counter), "=qm" (c)
7882 : "ir" (i) : "memory");
7884 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7888 - asm volatile(_ASM_DEC "%0; sete %1"
7889 + asm volatile(_ASM_DEC "%0\n"
7891 +#ifdef CONFIG_PAX_REFCOUNT
7895 + _ASM_EXTABLE(0b, 0b)
7899 : "+m" (l->a.counter), "=qm" (c)
7902 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7906 - asm volatile(_ASM_INC "%0; sete %1"
7907 + asm volatile(_ASM_INC "%0\n"
7909 +#ifdef CONFIG_PAX_REFCOUNT
7913 + _ASM_EXTABLE(0b, 0b)
7917 : "+m" (l->a.counter), "=qm" (c)
7920 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7924 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7925 + asm volatile(_ASM_ADD "%2,%0\n"
7927 +#ifdef CONFIG_PAX_REFCOUNT
7929 + _ASM_SUB "%2,%0\n"
7931 + _ASM_EXTABLE(0b, 0b)
7935 : "+m" (l->a.counter), "=qm" (c)
7936 : "ir" (i) : "memory");
7938 @@ -133,7 +201,15 @@ static inline long local_add_return(long
7940 /* Modern 486+ processor */
7942 - asm volatile(_ASM_XADD "%0, %1;"
7943 + asm volatile(_ASM_XADD "%0, %1\n"
7945 +#ifdef CONFIG_PAX_REFCOUNT
7947 + _ASM_MOV "%0,%1\n"
7949 + _ASM_EXTABLE(0b, 0b)
7952 : "+r" (i), "+m" (l->a.counter)
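Review bot: The overflow undo `_ASM_MOV "%0,%1\n"` after the `_ASM_XADD` in local_add_return is a separate instruction, so the counter transiently holds the overflowed sum and an interrupt on this CPU that touches the same local_t between the two instructions has its update clobbered by the store; local_t's only guarantee is single-instruction irq-safety. The trap lines between them (presumably a `jno 0f` and an `int $4`) are not shown in this view, so I take it an overflow is treated as fatal and the poisoned value is never trusted again — if so, say it once in a comment, e.g. `/* CONFIG_PAX_REFCOUNT: on signed overflow undo the op and trap; the counter is considered poisoned, so the non-atomic undo is acceptable */`. The same two-step undo is used by the `_ASM_SUB`/`_ASM_ADD` compensations in the earlier hunks of this file. The function's return statement is outside the hunk.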
7955 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mc146818rtc.h linux-2.6.38.1/arch/x86/include/asm/mc146818rtc.h
7956 --- linux-2.6.38.1/arch/x86/include/asm/mc146818rtc.h 2011-03-14 21:20:32.000000000 -0400
7957 +++ linux-2.6.38.1/arch/x86/include/asm/mc146818rtc.h 2011-03-21 18:31:35.000000000 -0400
7958 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7960 #define lock_cmos_prefix(reg) do {} while (0)
7961 #define lock_cmos_suffix(reg) do {} while (0)
7962 -#define lock_cmos(reg)
7963 -#define unlock_cmos()
7964 +#define lock_cmos(reg) do {} while (0)
7965 +#define unlock_cmos() do {} while (0)
7966 #define do_i_have_lock_cmos() 0
7967 #define current_lock_cmos_reg() 0
7969 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mce.h linux-2.6.38.1/arch/x86/include/asm/mce.h
7970 --- linux-2.6.38.1/arch/x86/include/asm/mce.h 2011-03-14 21:20:32.000000000 -0400
7971 +++ linux-2.6.38.1/arch/x86/include/asm/mce.h 2011-03-21 18:31:35.000000000 -0400
7972 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
7973 void mce_notify_process(void);
7975 DECLARE_PER_CPU(struct mce, injectm);
7976 -extern struct file_operations mce_chrdev_ops;
7977 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
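Review bot: The comment added to the `mce_chrdev_ops` declaration ends in `mcheck/mce.`, which reads as a truncated path; I assume `arch/x86/kernel/cpu/mcheck/mce.c` was intended. It would also help to give the reason in one clause rather than only a pointer, e.g. `/* cannot be const: a member is assigned at runtime, see arch/x86/kernel/cpu/mcheck/mce.c */`, adjusted to whatever mce.c actually does to the object (not visible from here).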
7981 diff -urNp linux-2.6.38.1/arch/x86/include/asm/microcode.h linux-2.6.38.1/arch/x86/include/asm/microcode.h
7982 --- linux-2.6.38.1/arch/x86/include/asm/microcode.h 2011-03-14 21:20:32.000000000 -0400
7983 +++ linux-2.6.38.1/arch/x86/include/asm/microcode.h 2011-03-21 18:31:35.000000000 -0400
7984 @@ -12,13 +12,13 @@ struct device;
7985 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7987 struct microcode_ops {
7988 - enum ucode_state (*request_microcode_user) (int cpu,
7989 + enum ucode_state (* const request_microcode_user) (int cpu,
7990 const void __user *buf, size_t size);
7992 - enum ucode_state (*request_microcode_fw) (int cpu,
7993 + enum ucode_state (* const request_microcode_fw) (int cpu,
7994 struct device *device);
7996 - void (*microcode_fini_cpu) (int cpu);
7997 + void (* const microcode_fini_cpu) (int cpu);
8000 * The generic 'microcode_core' part guarantees that
8001 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
8002 extern struct ucode_cpu_info ucode_cpu_info[];
8004 #ifdef CONFIG_MICROCODE_INTEL
8005 -extern struct microcode_ops * __init init_intel_microcode(void);
8006 +extern const struct microcode_ops * __init init_intel_microcode(void);
8008 -static inline struct microcode_ops * __init init_intel_microcode(void)
8009 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8013 #endif /* CONFIG_MICROCODE_INTEL */
8015 #ifdef CONFIG_MICROCODE_AMD
8016 -extern struct microcode_ops * __init init_amd_microcode(void);
8017 +extern const struct microcode_ops * __init init_amd_microcode(void);
8019 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
8021 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
8025 -static inline struct microcode_ops * __init init_amd_microcode(void)
8026 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8030 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mman.h linux-2.6.38.1/arch/x86/include/asm/mman.h
8031 --- linux-2.6.38.1/arch/x86/include/asm/mman.h 2011-03-14 21:20:32.000000000 -0400
8032 +++ linux-2.6.38.1/arch/x86/include/asm/mman.h 2011-03-21 18:31:35.000000000 -0400
8035 #include <asm-generic/mman.h>
8038 +#ifndef __ASSEMBLY__
8039 +#ifdef CONFIG_X86_32
8040 +#define arch_mmap_check i386_mmap_check
8041 +int i386_mmap_check(unsigned long addr, unsigned long len,
8042 + unsigned long flags);
8047 #endif /* _ASM_X86_MMAN_H */
8048 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mmu_context.h linux-2.6.38.1/arch/x86/include/asm/mmu_context.h
8049 --- linux-2.6.38.1/arch/x86/include/asm/mmu_context.h 2011-03-14 21:20:32.000000000 -0400
8050 +++ linux-2.6.38.1/arch/x86/include/asm/mmu_context.h 2011-03-21 18:31:35.000000000 -0400
8051 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8053 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8060 + pax_open_kernel();
8061 + pgd = get_cpu_pgd(smp_processor_id());
8062 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8063 + if (paravirt_enabled())
8064 + set_pgd(pgd+i, native_make_pgd(0));
8066 + pgd[i] = native_make_pgd(0);
8067 + pax_close_kernel();
8071 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8072 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
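Review bot: The loop in enter_lazy_tlb zeroes the shadow user half of the per-CPU pgd (`for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)`) but no TLB flush follows and CR3 is not reloaded here, so translations already cached from the shadow range survive until the next `load_cr3()`. If the intent under `CONFIG_PAX_MEMORY_UDEREF` is to revoke kernel access to user memory while a kernel thread runs, that window may be acceptable but deserves a comment, e.g. `/* stale shadow-user TLB entries persist until the next CR3 load; acceptable because ... */`; otherwise a `__flush_tlb()` after `pax_close_kernel()` closes it. The declarations of `pgd`/`i` and the `else` branch of the `paravirt_enabled()` test are not shown in this view.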
8073 @@ -34,17 +49,30 @@ static inline void switch_mm(struct mm_s
8074 struct task_struct *tsk)
8076 unsigned cpu = smp_processor_id();
8077 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8078 + int tlbstate = TLBSTATE_OK;
8081 if (likely(prev != next)) {
8083 +#ifdef CONFIG_X86_32
8084 + tlbstate = percpu_read(cpu_tlbstate.state);
8086 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8087 percpu_write(cpu_tlbstate.active_mm, next);
8089 cpumask_set_cpu(cpu, mm_cpumask(next));
8091 /* Re-load page tables */
8092 +#ifdef CONFIG_PAX_PER_CPU_PGD
8093 + pax_open_kernel();
8094 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8095 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8096 + pax_close_kernel();
8097 + load_cr3(get_cpu_pgd(cpu));
8099 load_cr3(next->pgd);
8102 /* stop flush ipis for the previous mm */
8103 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8105 @@ -53,9 +81,38 @@ static inline void switch_mm(struct mm_s
8107 if (unlikely(prev->context.ldt != next->context.ldt))
8108 load_LDT_nolock(&next->context);
8111 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8112 + if (!(__supported_pte_mask & _PAGE_NX)) {
8113 + smp_mb__before_clear_bit();
8114 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8115 + smp_mb__after_clear_bit();
8116 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8120 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8121 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8122 + prev->context.user_cs_limit != next->context.user_cs_limit))
8123 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8125 + else if (unlikely(tlbstate != TLBSTATE_OK))
8126 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8133 +#ifdef CONFIG_PAX_PER_CPU_PGD
8134 + pax_open_kernel();
8135 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8136 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8137 + pax_close_kernel();
8138 + load_cr3(get_cpu_pgd(cpu));
8142 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8143 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
8145 @@ -64,11 +121,28 @@ static inline void switch_mm(struct mm_s
8146 * tlb flush IPI delivery. We must reload CR3
8147 * to make sure to use no freed page tables.
8150 +#ifndef CONFIG_PAX_PER_CPU_PGD
8151 load_cr3(next->pgd);
8154 load_LDT_nolock(&next->context);
8156 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8157 + if (!(__supported_pte_mask & _PAGE_NX))
8158 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8161 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8162 +#ifdef CONFIG_PAX_PAGEEXEC
8163 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8165 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8174 #define activate_mm(prev, next) \
8175 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mmu.h linux-2.6.38.1/arch/x86/include/asm/mmu.h
8176 --- linux-2.6.38.1/arch/x86/include/asm/mmu.h 2011-03-14 21:20:32.000000000 -0400
8177 +++ linux-2.6.38.1/arch/x86/include/asm/mmu.h 2011-03-21 18:31:35.000000000 -0400
8179 * we put the segment information here.
8183 + struct desc_struct *ldt;
8187 + unsigned long vdso;
8189 +#ifdef CONFIG_X86_32
8190 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8191 + unsigned long user_cs_base;
8192 + unsigned long user_cs_limit;
8194 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8195 + cpumask_t cpu_user_cs_mask;
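Review bot: `cpumask_t cpu_user_cs_mask;` embeds a full NR_CPUS-bit mask in every mm_context_t, so the per-mm cost grows with NR_CPUS; the upstream pattern for a per-mm mask is `cpumask_var_t` allocated in init_new_context and freed in destroy_context. The field is 32-bit-only and the inline form may be deliberate to avoid an allocation on the mm creation path — a one-line comment saying so, e.g. `/* inline on purpose: no allocation on the mm creation path */`, would pre-empt the question. The struct's opening line and the new `ldt`/`vdso` members' surrounding `#ifdef`s are partly outside this view.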
8204 diff -urNp linux-2.6.38.1/arch/x86/include/asm/module.h linux-2.6.38.1/arch/x86/include/asm/module.h
8205 --- linux-2.6.38.1/arch/x86/include/asm/module.h 2011-03-14 21:20:32.000000000 -0400
8206 +++ linux-2.6.38.1/arch/x86/include/asm/module.h 2011-03-21 18:31:35.000000000 -0400
8208 #error unknown processor family
8211 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8212 +#define MODULE_PAX_UDEREF "UDEREF "
8214 +#define MODULE_PAX_UDEREF ""
8217 #ifdef CONFIG_X86_32
8218 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8219 +# ifdef CONFIG_PAX_KERNEXEC
8220 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8222 +# define MODULE_PAX_KERNEXEC ""
8224 +# ifdef CONFIG_GRKERNSEC
8225 +# define MODULE_GRSEC "GRSECURITY "
8227 +# define MODULE_GRSEC ""
8229 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8231 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8234 #endif /* _ASM_X86_MODULE_H */
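Review bot: A 64-bit module built against a non-grsecurity or non-KERNEXEC kernel would not be rejected by the vermagic check, because the 64-bit `MODULE_ARCH_VERMAGIC` is `MODULE_PAX_UDEREF` alone while the 32-bit branch also folds in `MODULE_GRSEC` and `MODULE_PAX_KERNEXEC`. If neither feature changes a structure layout or relocation scheme that modules depend on under x86-64, that is fine, but the header does not say so; a comment on the 64-bit definition such as `/* KERNEXEC/GRSEC do not alter the module ABI on x86-64 */` (if that is indeed the case) would make the asymmetry deliberate rather than an omission.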
8235 diff -urNp linux-2.6.38.1/arch/x86/include/asm/page_64_types.h linux-2.6.38.1/arch/x86/include/asm/page_64_types.h
8236 --- linux-2.6.38.1/arch/x86/include/asm/page_64_types.h 2011-03-14 21:20:32.000000000 -0400
8237 +++ linux-2.6.38.1/arch/x86/include/asm/page_64_types.h 2011-03-21 18:31:35.000000000 -0400
8238 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8240 /* duplicated to the one in bootmem.h */
8241 extern unsigned long max_pfn;
8242 -extern unsigned long phys_base;
8243 +extern const unsigned long phys_base;
8245 extern unsigned long __phys_addr(unsigned long);
8246 #define __phys_reloc_hide(x) (x)
8247 diff -urNp linux-2.6.38.1/arch/x86/include/asm/paravirt.h linux-2.6.38.1/arch/x86/include/asm/paravirt.h
8248 --- linux-2.6.38.1/arch/x86/include/asm/paravirt.h 2011-03-14 21:20:32.000000000 -0400
8249 +++ linux-2.6.38.1/arch/x86/include/asm/paravirt.h 2011-03-21 18:31:35.000000000 -0400
8250 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
8251 pv_mmu_ops.set_fixmap(idx, phys, flags);
8254 +#ifdef CONFIG_PAX_KERNEXEC
8255 +static inline unsigned long pax_open_kernel(void)
8257 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8260 +static inline unsigned long pax_close_kernel(void)
8262 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8265 +static inline unsigned long pax_open_kernel(void) { return 0; }
8266 +static inline unsigned long pax_close_kernel(void) { return 0; }
8269 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8271 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8272 @@ -955,7 +970,7 @@ extern void default_banner(void);
8274 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8275 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8276 -#define PARA_INDIRECT(addr) *%cs:addr
8277 +#define PARA_INDIRECT(addr) *%ss:addr
8280 #define INTERRUPT_RETURN \
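Review bot: The `PARA_INDIRECT(addr)` change from `*%cs:addr` to `*%ss:addr` carries no comment explaining why the segment override changed, and a reader will otherwise assume it is cosmetic. Presumably it is because KERNEXEC gives the 32-bit kernel code segment a non-zero base (the `ktla_ktva` translation elsewhere in this patch points that way), so a data reference through `%cs` would be relocated while `%ss` stays flat; if that is the reason, a comment like `/* under KERNEXEC %cs may have a non-zero base; pv_ops tables are data, address them via the flat %ss */` should accompany it. It is also worth confirming that every assembly user of PARA_INDIRECT executes while `%ss` is still the kernel stack segment.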
8281 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
8282 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8284 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8286 +#define GET_CR0_INTO_RDI \
8287 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8290 +#define SET_RDI_INTO_CR0 \
8291 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8293 +#define GET_CR3_INTO_RDI \
8294 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8297 +#define SET_RDI_INTO_CR3 \
8298 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8300 #endif /* CONFIG_X86_32 */
8302 #endif /* __ASSEMBLY__ */
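Review bot: The paravirt forms of `GET_CR0_INTO_RDI`/`GET_CR3_INTO_RDI` are a `call` through the pv_ops table, so unlike the native single `mov %cr0, %rdi` they clobber whatever the paravirt calling convention treats as caller-saved, not just `%rdi`; the second line of each macro (presumably moving the result from `%rax` into `%rdi`) is not shown in this view. Assembly callers written against the native macros must save those registers around these, or the macros should do it themselves. A comment on the macros stating the clobber set, e.g. `/* paravirt: clobbers the PVOP caller-saved registers, not only %rdi */`, would prevent the mismatch.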
8303 diff -urNp linux-2.6.38.1/arch/x86/include/asm/paravirt_types.h linux-2.6.38.1/arch/x86/include/asm/paravirt_types.h
8304 --- linux-2.6.38.1/arch/x86/include/asm/paravirt_types.h 2011-03-14 21:20:32.000000000 -0400
8305 +++ linux-2.6.38.1/arch/x86/include/asm/paravirt_types.h 2011-03-21 18:31:35.000000000 -0400
8306 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
8307 an mfn. We can tell which is which from the index. */
8308 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8309 phys_addr_t phys, pgprot_t flags);
8311 +#ifdef CONFIG_PAX_KERNEXEC
8312 + unsigned long (*pax_open_kernel)(void);
8313 + unsigned long (*pax_close_kernel)(void);
8318 struct arch_spinlock;
8319 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pci_x86.h linux-2.6.38.1/arch/x86/include/asm/pci_x86.h
8320 --- linux-2.6.38.1/arch/x86/include/asm/pci_x86.h 2011-03-14 21:20:32.000000000 -0400
8321 +++ linux-2.6.38.1/arch/x86/include/asm/pci_x86.h 2011-03-21 18:31:35.000000000 -0400
8322 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
8323 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8325 struct pci_raw_ops {
8326 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8327 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8328 int reg, int len, u32 *val);
8329 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8330 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8331 int reg, int len, u32 val);
8334 -extern struct pci_raw_ops *raw_pci_ops;
8335 -extern struct pci_raw_ops *raw_pci_ext_ops;
8336 +extern const struct pci_raw_ops *raw_pci_ops;
8337 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8339 -extern struct pci_raw_ops pci_direct_conf1;
8340 +extern const struct pci_raw_ops pci_direct_conf1;
8341 extern bool port_cf9_safe;
8343 /* arch_initcall level */
8344 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgalloc.h linux-2.6.38.1/arch/x86/include/asm/pgalloc.h
8345 --- linux-2.6.38.1/arch/x86/include/asm/pgalloc.h 2011-03-14 21:20:32.000000000 -0400
8346 +++ linux-2.6.38.1/arch/x86/include/asm/pgalloc.h 2011-03-21 18:31:35.000000000 -0400
8347 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8348 pmd_t *pmd, pte_t *pte)
8350 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8351 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8354 +static inline void pmd_populate_user(struct mm_struct *mm,
8355 + pmd_t *pmd, pte_t *pte)
8357 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8358 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
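Review bot: Callers that used `pmd_populate_kernel` for a user-address pmd will now produce a page table userspace cannot walk, since the helper installs `_KERNPG_TABLE` (no `_PAGE_USER`) where it used `_PAGE_TABLE`, and this hunk does not show those callers being migrated to the new `pmd_populate_user`. That is presumably the intent for kernel mappings, but a grep of `pmd_populate_kernel` users on user ranges (vdso/vsyscall setup in particular) would confirm nothing regresses. A short comment on each helper would document the split, e.g. `/* kernel page tables: supervisor-only from the pmd level down */` and `/* user page tables: _PAGE_USER is needed on the pmd for user walks */`. `pmd_populate_user`'s closing brace is outside the hunk.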
8361 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable-2level.h linux-2.6.38.1/arch/x86/include/asm/pgtable-2level.h
8362 --- linux-2.6.38.1/arch/x86/include/asm/pgtable-2level.h 2011-03-14 21:20:32.000000000 -0400
8363 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable-2level.h 2011-03-21 18:31:35.000000000 -0400
8364 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8366 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8368 + pax_open_kernel();
8370 + pax_close_kernel();
8373 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8374 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_32.h linux-2.6.38.1/arch/x86/include/asm/pgtable_32.h
8375 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
8376 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable_32.h 2011-03-21 18:31:35.000000000 -0400
8379 struct vm_area_struct;
8381 -extern pgd_t swapper_pg_dir[1024];
8382 -extern pgd_t initial_page_table[1024];
8384 static inline void pgtable_cache_init(void) { }
8385 static inline void check_pgt_cache(void) { }
8386 void paging_init(void);
8387 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8388 # include <asm/pgtable-2level.h>
8391 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8392 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8393 +#ifdef CONFIG_X86_PAE
8394 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8397 #if defined(CONFIG_HIGHPTE)
8398 #define pte_offset_map(dir, address) \
8399 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8400 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8401 /* Clear a kernel PTE and flush it from the TLB */
8402 #define kpte_clear_flush(ptep, vaddr) \
8404 + pax_open_kernel(); \
8405 pte_clear(&init_mm, (vaddr), (ptep)); \
8406 + pax_close_kernel(); \
8407 __flush_tlb_one((vaddr)); \
8410 @@ -74,6 +79,9 @@ do { \
8412 #endif /* !__ASSEMBLY__ */
8414 +#define HAVE_ARCH_UNMAPPED_AREA
8415 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8418 * kern_addr_valid() is (1) for FLATMEM and (0) for
8419 * SPARSEMEM and DISCONTIGMEM
8420 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_32_types.h linux-2.6.38.1/arch/x86/include/asm/pgtable_32_types.h
8421 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_32_types.h 2011-03-14 21:20:32.000000000 -0400
8422 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable_32_types.h 2011-03-21 18:31:35.000000000 -0400
8425 #ifdef CONFIG_X86_PAE
8426 # include <asm/pgtable-3level_types.h>
8427 -# define PMD_SIZE (1UL << PMD_SHIFT)
8428 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8429 # define PMD_MASK (~(PMD_SIZE - 1))
8431 # include <asm/pgtable-2level_types.h>
8432 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8433 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8436 +#ifdef CONFIG_PAX_KERNEXEC
8437 +#ifndef __ASSEMBLY__
8438 +extern unsigned char MODULES_EXEC_VADDR[];
8439 +extern unsigned char MODULES_EXEC_END[];
8441 +#include <asm/boot.h>
8442 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8443 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8445 +#define ktla_ktva(addr) (addr)
8446 +#define ktva_ktla(addr) (addr)
8449 #define MODULES_VADDR VMALLOC_START
8450 #define MODULES_END VMALLOC_END
8451 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
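Review bot: `ktla_ktva`/`ktva_ktla` use their argument unparenthesized (`(addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)`), so an argument with lower precedence than `+`, such as a conditional expression, is mis-grouped; write them as `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`, and parenthesize the identity fallbacks the same way. These translate between the link address and the virtual address of kernel text, so a mis-grouped caller would silently compute a wrong code address, exactly the kind of value KERNEXEC must get right. The 64-bit identity definitions in pgtable_64_types.h have the same shape.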
8452 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable-3level.h linux-2.6.38.1/arch/x86/include/asm/pgtable-3level.h
8453 --- linux-2.6.38.1/arch/x86/include/asm/pgtable-3level.h 2011-03-23 17:20:06.000000000 -0400
8454 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable-3level.h 2011-03-23 17:21:43.000000000 -0400
8455 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8457 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8459 + pax_open_kernel();
8460 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8461 + pax_close_kernel();
8464 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8466 + pax_open_kernel();
8467 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8468 + pax_close_kernel();
8472 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_64.h linux-2.6.38.1/arch/x86/include/asm/pgtable_64.h
8473 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_64.h 2011-03-14 21:20:32.000000000 -0400
8474 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable_64.h 2011-03-21 18:31:35.000000000 -0400
8477 extern pud_t level3_kernel_pgt[512];
8478 extern pud_t level3_ident_pgt[512];
8479 +extern pud_t level3_vmalloc_pgt[512];
8480 +extern pud_t level3_vmemmap_pgt[512];
8481 +extern pud_t level2_vmemmap_pgt[512];
8482 extern pmd_t level2_kernel_pgt[512];
8483 extern pmd_t level2_fixmap_pgt[512];
8484 -extern pmd_t level2_ident_pgt[512];
8485 -extern pgd_t init_level4_pgt[];
8486 +extern pmd_t level2_ident_pgt[512*2];
8487 +extern pgd_t init_level4_pgt[512];
8489 #define swapper_pg_dir init_level4_pgt
8491 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8493 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8495 + pax_open_kernel();
8497 + pax_close_kernel();
8500 static inline void native_pmd_clear(pmd_t *pmd)
8501 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
8503 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8505 + pax_open_kernel();
8507 + pax_close_kernel();
8510 static inline void native_pgd_clear(pgd_t *pgd)
8511 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_64_types.h linux-2.6.38.1/arch/x86/include/asm/pgtable_64_types.h
8512 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_64_types.h 2011-03-14 21:20:32.000000000 -0400
8513 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable_64_types.h 2011-03-21 18:31:35.000000000 -0400
8514 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8515 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8516 #define MODULES_END _AC(0xffffffffff000000, UL)
8517 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8518 +#define MODULES_EXEC_VADDR MODULES_VADDR
8519 +#define MODULES_EXEC_END MODULES_END
8521 +#define ktla_ktva(addr) (addr)
8522 +#define ktva_ktla(addr) (addr)
8524 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8525 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable.h linux-2.6.38.1/arch/x86/include/asm/pgtable.h
8526 --- linux-2.6.38.1/arch/x86/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
8527 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
8528 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
8530 #define arch_end_context_switch(prev) do {} while(0)
8532 +#define pax_open_kernel() native_pax_open_kernel()
8533 +#define pax_close_kernel() native_pax_close_kernel()
8534 #endif /* CONFIG_PARAVIRT */
8536 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8537 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8539 +#ifdef CONFIG_PAX_KERNEXEC
8540 +static inline unsigned long native_pax_open_kernel(void)
8542 + unsigned long cr0;
8544 + preempt_disable();
8546 + cr0 = read_cr0() ^ X86_CR0_WP;
8547 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8549 + return cr0 ^ X86_CR0_WP;
8552 +static inline unsigned long native_pax_close_kernel(void)
8554 + unsigned long cr0;
8556 + cr0 = read_cr0() ^ X86_CR0_WP;
8557 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8560 + preempt_enable_no_resched();
8561 + return cr0 ^ X86_CR0_WP;
8564 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8565 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8569 * The following only work if pte_present() is true.
8570 * Undefined behaviour if not..
8572 +static inline int pte_user(pte_t pte)
8574 + return pte_val(pte) & _PAGE_USER;
8577 static inline int pte_dirty(pte_t pte)
8579 return pte_flags(pte) & _PAGE_DIRTY;
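Review bot: `native_pax_open_kernel` clears CR0.WP after `preempt_disable()` but leaves interrupts enabled, so an interrupt or NMI taken between open and close runs with WP clear unless the entry code re-asserts it; that handling is not visible here and it is the property the whole KERNEXEC write window rests on, so a comment above the function stating where WP is restored on interrupt entry (or why it need not be) belongs here. `native_pax_close_kernel` ends with `preempt_enable_no_resched()`, which skips the reschedule check and is normally reserved for scheduler-internal code; unless a resched at this point is a problem, `preempt_enable()` is the expected pairing for the `preempt_disable()`. The `write_cr0()` lines of both functions are not shown in this view. The `BUG_ON(unlikely(cr0 & X86_CR0_WP))` checks usefully catch nested or unbalanced open/close and deserve a comment saying so, though the `unlikely()` inside `BUG_ON()` is redundant since BUG_ON already wraps its condition.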
8580 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
8581 return pte_clear_flags(pte, _PAGE_RW);
8584 +static inline pte_t pte_mkread(pte_t pte)
8586 + return __pte(pte_val(pte) | _PAGE_USER);
8589 static inline pte_t pte_mkexec(pte_t pte)
8591 - return pte_clear_flags(pte, _PAGE_NX);
8592 +#ifdef CONFIG_X86_PAE
8593 + if (__supported_pte_mask & _PAGE_NX)
8594 + return pte_clear_flags(pte, _PAGE_NX);
8597 + return pte_set_flags(pte, _PAGE_USER);
8600 +static inline pte_t pte_exprotect(pte_t pte)
8602 +#ifdef CONFIG_X86_PAE
8603 + if (__supported_pte_mask & _PAGE_NX)
8604 + return pte_set_flags(pte, _PAGE_NX);
8607 + return pte_clear_flags(pte, _PAGE_USER);
8610 static inline pte_t pte_mkdirty(pte_t pte)
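Review bot: The new helpers are inconsistent with their neighbours: `pte_mkread` builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while `pte_mkexec` right below uses `pte_set_flags`/`pte_clear_flags`, and `pte_user` in the previous hunk reads `pte_val` where `pte_dirty` uses `pte_flags`; `return pte_set_flags(pte, _PAGE_USER);` keeps the style uniform and goes through the same masking path. More importantly, on non-NX hardware `pte_exprotect` clears `_PAGE_USER`, which makes the page inaccessible to user mode for data as well as execution, so correctness depends on the page-fault path emulating the read (not visible here); a comment such as `/* no hardware NX: drop _PAGE_USER and rely on the fault handler to emulate data access (PAGEEXEC) */` would make that dependency explicit. Conversely `pte_mkexec` on that configuration sets `_PAGE_USER`, so it must never be applied to a kernel-only mapping.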
8611 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
8614 #ifndef __ASSEMBLY__
8616 +#ifdef CONFIG_PAX_PER_CPU_PGD
8617 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8618 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8620 + return cpu_pgd[cpu];
8624 #include <linux/mm_types.h>
8626 static inline int pte_none(pte_t pte)
8627 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
8629 static inline int pgd_bad(pgd_t pgd)
8631 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8632 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8635 static inline int pgd_none(pgd_t pgd)
8636 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
8637 * pgd_offset() returns a (pgd_t *)
8638 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8640 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8641 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8643 +#ifdef CONFIG_PAX_PER_CPU_PGD
8644 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8648 * a shortcut which implies the use of the kernel's pgd, instead
8650 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
8651 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8652 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8654 +#ifdef CONFIG_X86_32
8655 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8657 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8658 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8660 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8661 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8663 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8668 #ifndef __ASSEMBLY__
8670 extern int direct_gbpages;
8671 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
8672 * dst and src can be on the same page, but the range must not overlap,
8673 * and must not cross a page boundary.
8675 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8676 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8678 - memcpy(dst, src, count * sizeof(pgd_t));
8679 + pax_open_kernel();
8682 + pax_close_kernel();
8685 +#ifdef CONFIG_PAX_PER_CPU_PGD
8686 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8689 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8690 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8692 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8695 #include <asm-generic/pgtable.h>
8696 #endif /* __ASSEMBLY__ */
8697 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_types.h linux-2.6.38.1/arch/x86/include/asm/pgtable_types.h
8698 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_types.h 2011-03-14 21:20:32.000000000 -0400
8699 +++ linux-2.6.38.1/arch/x86/include/asm/pgtable_types.h 2011-03-21 18:31:35.000000000 -0400
8701 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8702 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8703 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8704 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8705 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8706 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8707 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8708 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8709 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8710 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8711 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8712 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8713 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8714 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8716 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8718 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8719 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8720 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8721 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8722 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8723 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8724 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8727 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8728 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8730 +#elif defined(CONFIG_KMEMCHECK)
8731 #define _PAGE_NX (_AT(pteval_t, 0))
8733 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8736 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8738 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8741 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8742 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8744 #define __PAGE_KERNEL_EXEC \
8745 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8746 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8748 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8749 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8750 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8751 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8752 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8753 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8754 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8755 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8756 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8757 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8759 * bits are combined, this will alow user to access the high address mapped
8760 * VDSO in the presence of CONFIG_COMPAT_VDSO
8762 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8763 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8764 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8765 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8766 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
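Review bot: Mapping the vsyscall page without execute (`__PAGE_KERNEL_RO | _PAGE_USER` replacing `__PAGE_KERNEL_RX | _PAGE_USER` in `__PAGE_KERNEL_VSYSCALL`) will make any process that still calls the legacy fixed vsyscall addresses fault, and this hunk does not show how that is handled; it is a real gain against return-to-vsyscall gadgets, so document the expectation where the pgprot is defined, e.g. `/* vsyscall page is mapped NX: legacy vsyscall entry must trap and be emulated, never execute */`. In the same run `PDE_IDENT_ATTR` drops `_PAGE_USER` (`0x067` to `0x063`), yet the comment immediately above these definitions still says the bit is what lets user mode reach the high-mapped VDSO under `CONFIG_COMPAT_VDSO`; that comment is now stale and the COMPAT_VDSO case should be confirmed. `PTE_IDENT_ATTR` gaining DIRTY+ACCESSED is presumably to avoid hardware A/D writes into protected tables, which a one-line comment could state.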
8769 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8771 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8775 +#if PAGETABLE_LEVELS == 3
8776 +#include <asm-generic/pgtable-nopud.h>
8779 +#if PAGETABLE_LEVELS == 2
8780 +#include <asm-generic/pgtable-nopmd.h>
8783 +#ifndef __ASSEMBLY__
8784 #if PAGETABLE_LEVELS > 3
8785 typedef struct { pudval_t pud; } pud_t;
8787 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
8791 -#include <asm-generic/pgtable-nopud.h>
8793 static inline pudval_t native_pud_val(pud_t pud)
8795 return native_pgd_val(pud.pgd);
8796 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
8800 -#include <asm-generic/pgtable-nopmd.h>
8802 static inline pmdval_t native_pmd_val(pmd_t pmd)
8804 return native_pgd_val(pmd.pud.pgd);
8805 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
8807 extern pteval_t __supported_pte_mask;
8808 extern void set_nx(void);
8809 -extern int nx_enabled;
8811 #define pgprot_writecombine pgprot_writecombine
8812 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8813 diff -urNp linux-2.6.38.1/arch/x86/include/asm/processor.h linux-2.6.38.1/arch/x86/include/asm/processor.h
8814 --- linux-2.6.38.1/arch/x86/include/asm/processor.h 2011-03-14 21:20:32.000000000 -0400
8815 +++ linux-2.6.38.1/arch/x86/include/asm/processor.h 2011-03-21 18:31:35.000000000 -0400
8816 @@ -270,7 +270,7 @@ struct tss_struct {
8818 } ____cacheline_aligned;
8820 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8821 +extern struct tss_struct init_tss[NR_CPUS];
8824 * Save the original ist values for checking stack pointers during debugging
8825 @@ -864,8 +864,15 @@ static inline void spin_lock_prefetch(co
8827 #define TASK_SIZE PAGE_OFFSET
8828 #define TASK_SIZE_MAX TASK_SIZE
8830 +#ifdef CONFIG_PAX_SEGMEXEC
8831 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8832 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8834 #define STACK_TOP TASK_SIZE
8835 -#define STACK_TOP_MAX STACK_TOP
8838 +#define STACK_TOP_MAX TASK_SIZE
8840 #define INIT_THREAD { \
8841 .sp0 = sizeof(init_stack) + (long)&init_stack, \
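Review bot: The SEGMEXEC definition of `STACK_TOP` dereferences `current->mm`, which is NULL for kernel threads, so the macro is no longer a constant and faults if evaluated outside a context that owns a user mm; whether every existing user of STACK_TOP satisfies that cannot be confirmed from this hunk. I would state the precondition right above the definition: `/* needs a user mm: current->mm is dereferenced, never evaluate from a kernel thread */`. Spacing around the conditional operator would also match the rest of the file, `((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE : TASK_SIZE)`. The `#else`/`#endif` of this block are not visible in this rendering.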
8842 @@ -882,7 +889,7 @@ static inline void spin_lock_prefetch(co
8844 #define INIT_TSS { \
8846 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8847 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8848 .ss0 = __KERNEL_DS, \
8849 .ss1 = __KERNEL_CS, \
8850 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
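Review bot: The `- 8` added to `.sp0` in `INIT_TSS` carries no explanation at the site; the only existing comment about reserving 8 bytes on the ring-0 stack sits in the next hunk and describes `task_pt_regs`, not this initializer. Since the later hunk makes `task_pt_regs()` read `thread.sp0` directly instead of `KSTK_TOP(...) - 8`, this offset presumably keeps the init task's pt_regs location unchanged, but that is inferred rather than visible here. A one-line comment would make the coupling explicit: `.sp0 = sizeof(init_stack) + (long)&init_stack - 8, /* 8 bytes reserved above pt_regs, see task_pt_regs() */`.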
8851 @@ -893,11 +900,7 @@ static inline void spin_lock_prefetch(co
8852 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8854 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8855 -#define KSTK_TOP(info) \
8857 - unsigned long *__ptr = (unsigned long *)(info); \
8858 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8860 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8863 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
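Review bot: `KSTK_TOP(info)` changes both its argument type and its meaning: the old form treated `info` as a raw stack-page pointer and returned the end of the stack allocation, while the new `((info)->task.thread.sp0)` requires a `struct thread_info *` and returns whatever `sp0` holds, which, if set up as in the INIT_TSS hunk, is 8 bytes below the old value. Callers outside this hunk that still pass `task_stack_page(task)` will fail to compile, which is safe, but any caller that passes a thread_info and expected the true top of the stack now silently gets a different address. The macro deserves a comment stating the new contract: `/* KSTK_TOP(ti): ring-0 stack top as recorded in ti->task.thread.sp0; ti is a struct thread_info * */`. The existing `-8` comment that follows now refers to a value that is already folded into sp0 and should be reworded accordingly.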
8864 @@ -912,7 +915,7 @@ extern unsigned long thread_saved_pc(str
8865 #define task_pt_regs(task) \
8867 struct pt_regs *__regs__; \
8868 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8869 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8873 @@ -922,13 +925,13 @@ extern unsigned long thread_saved_pc(str
8875 * User space process size. 47bits minus one guard page.
8877 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8878 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8880 /* This decides where the kernel will search for a free chunk of vm
8881 * space during mmap's.
8883 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8884 - 0xc0000000 : 0xFFFFe000)
8885 + 0xc0000000 : 0xFFFFf000)
8887 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8888 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
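Review bot: The comment "User space process size. 47bits minus one guard page." is now stale, because the width comes from `TASK_SIZE_MAX_SHIFT`, which is defined outside this hunk; I would reword it to `* User space process size: (1 << TASK_SIZE_MAX_SHIFT) minus one guard page.` The change of `IA32_PAGE_OFFSET` from `0xFFFFe000` to `0xFFFFf000` also shrinks the unusable region below 4 GiB for non-3GB compat tasks from two pages to one without saying why the extra page is no longer needed; a short comment on the intent would help the next reader.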
8889 @@ -965,6 +968,10 @@ extern void start_thread(struct pt_regs
8891 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8893 +#ifdef CONFIG_PAX_SEGMEXEC
8894 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8897 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8899 /* Get/set a process' ability to use the timestamp counter instruction */
8900 diff -urNp linux-2.6.38.1/arch/x86/include/asm/ptrace.h linux-2.6.38.1/arch/x86/include/asm/ptrace.h
8901 --- linux-2.6.38.1/arch/x86/include/asm/ptrace.h 2011-03-14 21:20:32.000000000 -0400
8902 +++ linux-2.6.38.1/arch/x86/include/asm/ptrace.h 2011-03-21 18:31:35.000000000 -0400
8903 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8907 - * user_mode_vm(regs) determines whether a register set came from user mode.
8908 + * user_mode(regs) determines whether a register set came from user mode.
8909 * This is true if V8086 mode was enabled OR if the register set was from
8910 * protected mode with RPL-3 CS value. This tricky test checks that with
8911 * one comparison. Many places in the kernel can bypass this full check
8912 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8913 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8916 -static inline int user_mode(struct pt_regs *regs)
8917 +static inline int user_mode_novm(struct pt_regs *regs)
8919 #ifdef CONFIG_X86_32
8920 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8922 - return !!(regs->cs & 3);
8923 + return !!(regs->cs & SEGMENT_RPL_MASK);
8927 -static inline int user_mode_vm(struct pt_regs *regs)
8928 +static inline int user_mode(struct pt_regs *regs)
8930 #ifdef CONFIG_X86_32
8931 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8934 - return user_mode(regs);
8935 + return user_mode_novm(regs);
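Review bot: Swapping the bodies so that the existing public name `user_mode()` now performs the stricter V8086-aware check (the old `user_mode_vm()`), while the lighter test moves to the new `user_mode_novm()`, silently changes the behaviour of every caller of `user_mode()` elsewhere in the tree, and every caller of `user_mode_vm()` stops compiling. The compile break is self-correcting, but the semantic change is not, so the hunk should say explicitly which direction is intended. I would add above `user_mode_novm()`: `/* Only for callers that have already excluded V8086 mode; everything else uses user_mode(). */`, and above `user_mode()`: `/* Full check, formerly user_mode_vm(). */`. The x86_64 branch replacing the literal `3` with `SEGMENT_RPL_MASK` is a welcome clarity fix.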
8939 diff -urNp linux-2.6.38.1/arch/x86/include/asm/reboot.h linux-2.6.38.1/arch/x86/include/asm/reboot.h
8940 --- linux-2.6.38.1/arch/x86/include/asm/reboot.h 2011-03-14 21:20:32.000000000 -0400
8941 +++ linux-2.6.38.1/arch/x86/include/asm/reboot.h 2011-03-21 18:31:35.000000000 -0400
8942 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8944 void native_machine_crash_shutdown(struct pt_regs *regs);
8945 void native_machine_shutdown(void);
8946 -void machine_real_restart(const unsigned char *code, int length);
8947 +void machine_real_restart(const unsigned char *code, unsigned int length);
8949 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8950 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8951 diff -urNp linux-2.6.38.1/arch/x86/include/asm/rwsem.h linux-2.6.38.1/arch/x86/include/asm/rwsem.h
8952 --- linux-2.6.38.1/arch/x86/include/asm/rwsem.h 2011-03-14 21:20:32.000000000 -0400
8953 +++ linux-2.6.38.1/arch/x86/include/asm/rwsem.h 2011-03-21 18:31:35.000000000 -0400
8954 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
8956 asm volatile("# beginning down_read\n\t"
8957 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8959 +#ifdef CONFIG_PAX_REFCOUNT
8961 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8963 + _ASM_EXTABLE(0b, 0b)
8966 /* adds 0x00000001 */
8968 " call call_rwsem_down_read_failed\n"
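Review bot: The CONFIG_PAX_REFCOUNT recovery undoes the locked `INC` with a separate locked `DEC` rather than making the overflow test part of a single atomic update, so between the two instructions the wrapped count is visible to other CPUs; the same shape recurs in the remaining rwsem.h hunks and in the spinlock.h `arch_read_lock`/`arch_write_lock`/`arch_read_unlock`/`arch_write_unlock` hunks. The branch and trap lines between the increment and the undo are not visible in this rendering, so I cannot confirm what happens once the value is restored. The window is presumably accepted by design, but it should be written down once where the pattern is introduced: `/* overflow undo is a second locked op: the wrapped value is briefly observable by other CPUs before the trap */`.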
8969 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
8974 +#ifdef CONFIG_PAX_REFCOUNT
8978 + _ASM_EXTABLE(0b, 0b)
8982 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8984 @@ -158,6 +174,14 @@ static inline void __down_write_nested(s
8986 asm volatile("# beginning down_write\n\t"
8987 LOCK_PREFIX " xadd %1,(%2)\n\t"
8989 +#ifdef CONFIG_PAX_REFCOUNT
8993 + _ASM_EXTABLE(0b, 0b)
8996 /* adds 0xffff0001, returns the old value */
8998 /* was the count 0 before? */
8999 @@ -196,6 +220,14 @@ static inline void __up_read(struct rw_s
9001 asm volatile("# beginning __up_read\n\t"
9002 LOCK_PREFIX " xadd %1,(%2)\n\t"
9004 +#ifdef CONFIG_PAX_REFCOUNT
9008 + _ASM_EXTABLE(0b, 0b)
9011 /* subtracts 1, returns the old value */
9013 " call call_rwsem_wake\n" /* expects old value in %edx */
9014 @@ -214,6 +246,14 @@ static inline void __up_write(struct rw_
9016 asm volatile("# beginning __up_write\n\t"
9017 LOCK_PREFIX " xadd %1,(%2)\n\t"
9019 +#ifdef CONFIG_PAX_REFCOUNT
9023 + _ASM_EXTABLE(0b, 0b)
9026 /* subtracts 0xffff0001, returns the old value */
9028 " call call_rwsem_wake\n" /* expects old value in %edx */
9029 @@ -231,6 +271,14 @@ static inline void __downgrade_write(str
9031 asm volatile("# beginning __downgrade_write\n\t"
9032 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9034 +#ifdef CONFIG_PAX_REFCOUNT
9036 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9038 + _ASM_EXTABLE(0b, 0b)
9042 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9043 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9044 @@ -250,7 +298,15 @@ static inline void __downgrade_write(str
9045 static inline void rwsem_atomic_add(rwsem_count_t delta,
9046 struct rw_semaphore *sem)
9048 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9049 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9051 +#ifdef CONFIG_PAX_REFCOUNT
9053 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9055 + _ASM_EXTABLE(0b, 0b)
9061 @@ -263,7 +319,15 @@ static inline rwsem_count_t rwsem_atomic
9063 rwsem_count_t tmp = delta;
9065 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9066 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9068 +#ifdef CONFIG_PAX_REFCOUNT
9072 + _ASM_EXTABLE(0b, 0b)
9075 : "+r" (tmp), "+m" (sem->count)
9078 diff -urNp linux-2.6.38.1/arch/x86/include/asm/segment.h linux-2.6.38.1/arch/x86/include/asm/segment.h
9079 --- linux-2.6.38.1/arch/x86/include/asm/segment.h 2011-03-14 21:20:32.000000000 -0400
9080 +++ linux-2.6.38.1/arch/x86/include/asm/segment.h 2011-03-21 18:31:35.000000000 -0400
9082 * 26 - ESPFIX small SS
9083 * 27 - per-cpu [ offset to per-cpu data area ]
9084 * 28 - stack_canary-20 [ for stack protector ]
9087 + * 29 - PCI BIOS CS
9088 + * 30 - PCI BIOS DS
9089 * 31 - TSS for double fault handler
9091 #define GDT_ENTRY_TLS_MIN 6
9094 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9096 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9098 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9100 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
9101 @@ -102,6 +104,12 @@
9102 #define __KERNEL_STACK_CANARY 0
9105 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9106 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9108 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9109 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9111 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9117 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9118 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9119 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9124 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9125 #define __USER32_DS __USER_DS
9127 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9129 #define GDT_ENTRY_TSS 8 /* needs two entries */
9130 #define GDT_ENTRY_LDT 10 /* needs two entries */
9131 #define GDT_ENTRY_TLS_MIN 12
9135 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9136 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9137 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9138 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9139 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
9140 diff -urNp linux-2.6.38.1/arch/x86/include/asm/smp.h linux-2.6.38.1/arch/x86/include/asm/smp.h
9141 --- linux-2.6.38.1/arch/x86/include/asm/smp.h 2011-03-14 21:20:32.000000000 -0400
9142 +++ linux-2.6.38.1/arch/x86/include/asm/smp.h 2011-03-21 18:31:35.000000000 -0400
9143 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9144 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9145 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9146 DECLARE_PER_CPU(u16, cpu_llc_id);
9147 -DECLARE_PER_CPU(int, cpu_number);
9148 +DECLARE_PER_CPU(unsigned int, cpu_number);
9150 static inline struct cpumask *cpu_sibling_mask(int cpu)
9152 diff -urNp linux-2.6.38.1/arch/x86/include/asm/spinlock.h linux-2.6.38.1/arch/x86/include/asm/spinlock.h
9153 --- linux-2.6.38.1/arch/x86/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
9154 +++ linux-2.6.38.1/arch/x86/include/asm/spinlock.h 2011-03-21 18:31:35.000000000 -0400
9155 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9156 static inline void arch_read_lock(arch_rwlock_t *rw)
9158 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9160 +#ifdef CONFIG_PAX_REFCOUNT
9162 + LOCK_PREFIX " addl $1,(%0)\n"
9164 + _ASM_EXTABLE(0b, 0b)
9168 "call __read_lock_failed\n\t"
9170 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9171 static inline void arch_write_lock(arch_rwlock_t *rw)
9173 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9175 +#ifdef CONFIG_PAX_REFCOUNT
9177 + LOCK_PREFIX " addl %1,(%0)\n"
9179 + _ASM_EXTABLE(0b, 0b)
9183 "call __write_lock_failed\n\t"
9185 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9187 static inline void arch_read_unlock(arch_rwlock_t *rw)
9189 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9190 + asm volatile(LOCK_PREFIX "incl %0\n"
9192 +#ifdef CONFIG_PAX_REFCOUNT
9194 + LOCK_PREFIX "decl %0\n"
9196 + _ASM_EXTABLE(0b, 0b)
9199 + :"+m" (rw->lock) : : "memory");
9202 static inline void arch_write_unlock(arch_rwlock_t *rw)
9204 - asm volatile(LOCK_PREFIX "addl %1, %0"
9205 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9207 +#ifdef CONFIG_PAX_REFCOUNT
9209 + LOCK_PREFIX "subl %1, %0\n"
9211 + _ASM_EXTABLE(0b, 0b)
9214 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9217 diff -urNp linux-2.6.38.1/arch/x86/include/asm/stackprotector.h linux-2.6.38.1/arch/x86/include/asm/stackprotector.h
9218 --- linux-2.6.38.1/arch/x86/include/asm/stackprotector.h 2011-03-14 21:20:32.000000000 -0400
9219 +++ linux-2.6.38.1/arch/x86/include/asm/stackprotector.h 2011-03-21 18:31:35.000000000 -0400
9220 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9222 static inline void load_stack_canary_segment(void)
9224 -#ifdef CONFIG_X86_32
9225 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9226 asm volatile ("mov %0, %%gs" : : "r" (0));
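Review bot: With CONFIG_PAX_MEMORY_UDEREF set, `load_stack_canary_segment()` compiles to an empty function on 32-bit because its only statement is excluded, and nothing at the site says why clearing `%gs` is no longer wanted. Presumably `%gs` carries the user-segment selector under UDEREF and must not be zeroed here, but that is an inference from the config name rather than something this hunk shows. A one-line comment on the `#if` would save the next reader the guess: `/* UDEREF owns %gs on 32-bit; do not clear it here */` (adjusted to the actual reason).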
9229 diff -urNp linux-2.6.38.1/arch/x86/include/asm/system.h linux-2.6.38.1/arch/x86/include/asm/system.h
9230 --- linux-2.6.38.1/arch/x86/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
9231 +++ linux-2.6.38.1/arch/x86/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
9232 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9234 unsigned long __limit;
9235 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9236 - return __limit + 1;
9240 static inline void native_clts(void)
9241 @@ -342,7 +342,7 @@ void enable_hlt(void);
9243 void cpu_idle_wait(void);
9245 -extern unsigned long arch_align_stack(unsigned long sp);
9246 +#define arch_align_stack(x) ((x) & ~0xfUL)
9247 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9249 void default_idle(void);
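Review bot: Replacing the out-of-line `arch_align_stack()` with the macro `((x) & ~0xfUL)` reduces the operation to 16-byte alignment; if the removed function still applied the per-exec stack offset randomisation in this kernel version, that randomisation is dropped for x86 by this hunk, which a reader of the header cannot tell. Either way the macro should state what it no longer does and where the remaining behaviour lives: `/* alignment only; stack-offset randomisation is handled by the PaX ASLR code */` (verify against the corresponding process.c change). The macro evaluates `x` once, so there is no multiple-evaluation hazard.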
9250 diff -urNp linux-2.6.38.1/arch/x86/include/asm/uaccess_32.h linux-2.6.38.1/arch/x86/include/asm/uaccess_32.h
9251 --- linux-2.6.38.1/arch/x86/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
9252 +++ linux-2.6.38.1/arch/x86/include/asm/uaccess_32.h 2011-03-21 18:31:35.000000000 -0400
9253 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9254 static __always_inline unsigned long __must_check
9255 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9260 if (__builtin_constant_p(n)) {
9263 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9267 + if (!__builtin_constant_p(n))
9268 + check_object_size(from, n, true);
9269 return __copy_to_user_ll(to, from, n);
9272 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9273 static __always_inline unsigned long
9274 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9279 /* Avoid zeroing the tail if the copy fails..
9280 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9281 * but as the zeroing behaviour is only significant when n is not
9282 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9283 __copy_from_user(void *to, const void __user *from, unsigned long n)
9290 if (__builtin_constant_p(n)) {
9293 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9297 + if (!__builtin_constant_p(n))
9298 + check_object_size(to, n, false);
9299 return __copy_from_user_ll(to, from, n);
9302 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9303 const void __user *from, unsigned long n)
9310 if (__builtin_constant_p(n)) {
9313 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9314 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9317 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9322 -unsigned long __must_check copy_to_user(void __user *to,
9323 - const void *from, unsigned long n);
9324 -unsigned long __must_check _copy_from_user(void *to,
9325 - const void __user *from,
9327 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9330 +extern void copy_to_user_overflow(void)
9331 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9332 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9334 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9338 extern void copy_from_user_overflow(void)
9339 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9340 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9344 -static inline unsigned long __must_check copy_from_user(void *to,
9345 - const void __user *from,
9348 + * copy_to_user: - Copy a block of data into user space.
9349 + * @to: Destination address, in user space.
9350 + * @from: Source address, in kernel space.
9351 + * @n: Number of bytes to copy.
9353 + * Context: User context only. This function may sleep.
9355 + * Copy data from kernel space to user space.
9357 + * Returns number of bytes that could not be copied.
9358 + * On success, this will be zero.
9360 +static inline unsigned long __must_check
9361 +copy_to_user(void __user *to, const void *from, unsigned long n)
9363 + int sz = __compiletime_object_size(from);
9365 + if (unlikely(sz != -1 && sz < n))
9366 + copy_to_user_overflow();
9367 + else if (access_ok(VERIFY_WRITE, to, n))
9368 + n = __copy_to_user(to, from, n);
9373 + * copy_from_user: - Copy a block of data from user space.
9374 + * @to: Destination address, in kernel space.
9375 + * @from: Source address, in user space.
9376 + * @n: Number of bytes to copy.
9378 + * Context: User context only. This function may sleep.
9380 + * Copy data from user space to kernel space.
9382 + * Returns number of bytes that could not be copied.
9383 + * On success, this will be zero.
9385 + * If some data could not be copied, this function will pad the copied
9386 + * data to the requested size using zero bytes.
9388 +static inline unsigned long __must_check
9389 +copy_from_user(void *to, const void __user *from, unsigned long n)
9391 int sz = __compiletime_object_size(to);
9393 - if (likely(sz == -1 || sz >= n))
9394 - n = _copy_from_user(to, from, n);
9396 + if (unlikely(sz != -1 && sz < n))
9397 copy_from_user_overflow();
9399 + else if (access_ok(VERIFY_READ, from, n))
9400 + n = __copy_from_user(to, from, n);
9401 + else if ((long)n > 0) {
9402 + if (!__builtin_constant_p(n))
9403 + check_object_size(to, n, false);
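Review bot: `sz < n` in the new `copy_from_user()` compares an `int` against `unsigned long`; the `sz != -1` guard keeps it correct, but the intent is clearer and `-Wsign-compare` quieter as `if (unlikely(sz != -1 && (unsigned long)sz < n))`, and the same applies to `copy_to_user()` above it. The access_ok-failure branch tests `(long)n > 0` here while the 64-bit `copy_from_user()` in the next file tests `(int)n > 0`; the two should agree on one width so that large sizes are handled the same way on both architectures. The statements after `check_object_size(to, n, false)` in that branch are not visible in this rendering, so I cannot confirm that the destination is zero-filled as the new kerneldoc promises.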
9409 diff -urNp linux-2.6.38.1/arch/x86/include/asm/uaccess_64.h linux-2.6.38.1/arch/x86/include/asm/uaccess_64.h
9410 --- linux-2.6.38.1/arch/x86/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
9411 +++ linux-2.6.38.1/arch/x86/include/asm/uaccess_64.h 2011-03-21 18:31:35.000000000 -0400
9413 #include <asm/alternative.h>
9414 #include <asm/cpufeature.h>
9415 #include <asm/page.h>
9416 +#include <asm/pgtable.h>
9418 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9421 * Copy To/From Userspace
9422 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9426 -__must_check unsigned long
9427 -_copy_to_user(void __user *to, const void *from, unsigned len);
9428 -__must_check unsigned long
9429 -_copy_from_user(void *to, const void __user *from, unsigned len);
9430 +static __always_inline __must_check unsigned long
9431 +__copy_to_user(void __user *to, const void *from, unsigned len);
9432 +static __always_inline __must_check unsigned long
9433 +__copy_from_user(void *to, const void __user *from, unsigned len);
9434 __must_check unsigned long
9435 copy_in_user(void __user *to, const void __user *from, unsigned len);
9437 static inline unsigned long __must_check copy_from_user(void *to,
9438 const void __user *from,
9442 - int sz = __compiletime_object_size(to);
9445 - if (likely(sz == -1 || sz >= n))
9446 - n = _copy_from_user(to, from, n);
9447 -#ifdef CONFIG_DEBUG_VM
9449 - WARN(1, "Buffer overflow detected!\n");
9452 + if (access_ok(VERIFY_READ, from, n))
9453 + n = __copy_from_user(to, from, n);
9454 + else if ((int)n > 0) {
9455 + if (!__builtin_constant_p(n))
9456 + check_object_size(to, n, false);
9462 @@ -65,110 +68,174 @@ int copy_to_user(void __user *dst, const
9466 - return _copy_to_user(dst, src, size);
9467 + if (access_ok(VERIFY_WRITE, dst, size))
9468 + size = __copy_to_user(dst, src, size);
9472 static __always_inline __must_check
9473 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9474 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9477 + int sz = __compiletime_object_size(dst);
9481 - if (!__builtin_constant_p(size))
9482 - return copy_user_generic(dst, (__force void *)src, size);
9484 + if ((int)size < 0)
9487 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9488 + if (!__access_ok(VERIFY_READ, src, size))
9492 + if (unlikely(sz != -1 && sz < size)) {
9493 +#ifdef CONFIG_DEBUG_VM
9494 + WARN(1, "Buffer overflow detected!\n");
9499 + if (!__builtin_constant_p(size)) {
9500 + check_object_size(dst, size, false);
9501 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9502 + src += PAX_USER_SHADOW_BASE;
9503 + return copy_user_generic(dst, (__force const void *)src, size);
9506 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9507 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9508 ret, "b", "b", "=q", 1);
9510 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9511 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9512 ret, "w", "w", "=r", 2);
9514 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9515 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9516 ret, "l", "k", "=r", 4);
9518 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9519 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9520 ret, "q", "", "=r", 8);
9523 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9524 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9525 ret, "q", "", "=r", 10);
9528 __get_user_asm(*(u16 *)(8 + (char *)dst),
9529 - (u16 __user *)(8 + (char __user *)src),
9530 + (const u16 __user *)(8 + (const char __user *)src),
9531 ret, "w", "w", "=r", 2);
9534 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9535 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9536 ret, "q", "", "=r", 16);
9539 __get_user_asm(*(u64 *)(8 + (char *)dst),
9540 - (u64 __user *)(8 + (char __user *)src),
9541 + (const u64 __user *)(8 + (const char __user *)src),
9542 ret, "q", "", "=r", 8);
9545 - return copy_user_generic(dst, (__force void *)src, size);
9546 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9547 + src += PAX_USER_SHADOW_BASE;
9548 + return copy_user_generic(dst, (__force const void *)src, size);
9552 static __always_inline __must_check
9553 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9554 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9557 + int sz = __compiletime_object_size(src);
9561 - if (!__builtin_constant_p(size))
9563 + if ((int)size < 0)
9566 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9567 + if (!__access_ok(VERIFY_WRITE, dst, size))
9571 + if (unlikely(sz != -1 && sz < size)) {
9572 +#ifdef CONFIG_DEBUG_VM
9573 + WARN(1, "Buffer overflow detected!\n");
9578 + if (!__builtin_constant_p(size)) {
9579 + check_object_size(src, size, true);
9580 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9581 + dst += PAX_USER_SHADOW_BASE;
9582 return copy_user_generic((__force void *)dst, src, size);
9585 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9586 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9587 ret, "b", "b", "iq", 1);
9589 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9590 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9591 ret, "w", "w", "ir", 2);
9593 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9594 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9595 ret, "l", "k", "ir", 4);
9597 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9598 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9599 ret, "q", "", "er", 8);
9602 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9603 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9604 ret, "q", "", "er", 10);
9608 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9609 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9610 ret, "w", "w", "ir", 2);
9613 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9614 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9615 ret, "q", "", "er", 16);
9619 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9620 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9621 ret, "q", "", "er", 8);
9624 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9625 + dst += PAX_USER_SHADOW_BASE;
9626 return copy_user_generic((__force void *)dst, src, size);
9630 static __always_inline __must_check
9631 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9632 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9638 - if (!__builtin_constant_p(size))
9640 + if ((int)size < 0)
9643 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9644 + if (!__access_ok(VERIFY_READ, src, size))
9646 + if (!__access_ok(VERIFY_WRITE, dst, size))
9650 + if (!__builtin_constant_p(size)) {
9651 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9652 + src += PAX_USER_SHADOW_BASE;
9653 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9654 + dst += PAX_USER_SHADOW_BASE;
9655 return copy_user_generic((__force void *)dst,
9656 - (__force void *)src, size);
9657 + (__force const void *)src, size);
9662 - __get_user_asm(tmp, (u8 __user *)src,
9663 + __get_user_asm(tmp, (const u8 __user *)src,
9664 ret, "b", "b", "=q", 1);
9666 __put_user_asm(tmp, (u8 __user *)dst,
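Review bot: The two-line shadow-base adjustment `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;` is hand-written six times in this hunk (`__copy_from_user` twice, `__copy_to_user` twice, `__copy_in_user` for both pointers) and again in the inatomic helpers that follow; one `static __always_inline` helper, or the `____m()` macro this same patch adds to uaccess.h, would keep the comparison in a single place and make a future change to the base address a one-line edit. Each of the three functions also rejects `(int)size < 0` up front while `size` is `unsigned`; the return on that path is not visible here, and a comment such as `/* sizes >= 2 GiB are never legitimate; treat as nothing copied */` (matching whatever is actually returned) would document the reinterpretation. `sz < size` in the overflow tests has the same int-versus-unsigned shape as in uaccess_32.h and would read better with an explicit cast.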
9667 @@ -177,7 +244,7 @@ int __copy_in_user(void __user *dst, con
9671 - __get_user_asm(tmp, (u16 __user *)src,
9672 + __get_user_asm(tmp, (const u16 __user *)src,
9673 ret, "w", "w", "=r", 2);
9675 __put_user_asm(tmp, (u16 __user *)dst,
9676 @@ -187,7 +254,7 @@ int __copy_in_user(void __user *dst, con
9680 - __get_user_asm(tmp, (u32 __user *)src,
9681 + __get_user_asm(tmp, (const u32 __user *)src,
9682 ret, "l", "k", "=r", 4);
9684 __put_user_asm(tmp, (u32 __user *)dst,
9685 @@ -196,7 +263,7 @@ int __copy_in_user(void __user *dst, con
9689 - __get_user_asm(tmp, (u64 __user *)src,
9690 + __get_user_asm(tmp, (const u64 __user *)src,
9691 ret, "q", "", "=r", 8);
9693 __put_user_asm(tmp, (u64 __user *)dst,
9694 @@ -204,8 +271,12 @@ int __copy_in_user(void __user *dst, con
9698 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9699 + src += PAX_USER_SHADOW_BASE;
9700 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9701 + dst += PAX_USER_SHADOW_BASE;
9702 return copy_user_generic((__force void *)dst,
9703 - (__force void *)src, size);
9704 + (__force const void *)src, size);
9708 @@ -222,33 +293,68 @@ __must_check unsigned long __clear_user(
9709 static __must_check __always_inline int
9710 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9712 + if ((int)size < 0)
9715 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9716 + if (!__access_ok(VERIFY_READ, src, size))
9720 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9721 + src += PAX_USER_SHADOW_BASE;
9722 return copy_user_generic(dst, (__force const void *)src, size);
9725 -static __must_check __always_inline int
9726 +static __must_check __always_inline unsigned long
9727 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9729 + if ((int)size < 0)
9732 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9733 + if (!__access_ok(VERIFY_WRITE, dst, size))
9737 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9738 + dst += PAX_USER_SHADOW_BASE;
9739 return copy_user_generic((__force void *)dst, src, size);
9742 -extern long __copy_user_nocache(void *dst, const void __user *src,
9743 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9744 unsigned size, int zerorest);
9747 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9748 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9752 + if ((int)size < 0)
9755 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9756 + if (!__access_ok(VERIFY_READ, src, size))
9760 return __copy_user_nocache(dst, src, size, 1);
9764 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9765 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9768 + if ((int)size < 0)
9771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9772 + if (!__access_ok(VERIFY_READ, src, size))
9776 return __copy_user_nocache(dst, src, size, 0);
9780 +extern unsigned long
9781 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9783 #endif /* _ASM_X86_UACCESS_64_H */
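Review bot: `__copy_from_user_inatomic` keeps its `int` return type while its sibling `__copy_to_user_inatomic` is widened to `unsigned long` in the same hunk, as are `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache`; both inatomic helpers return the result of `copy_user_generic()`, so the remaining-byte count is narrowed in one and not the other. For consistency with the rest of this hunk the signature should become `static __must_check __always_inline unsigned long` on `__copy_from_user_inatomic` as well, with its callers checked for a declared `int` result. The early `(int)size < 0` guard and the UDEREF `__access_ok` check added to these functions also return a value that is not visible in this rendering, so I cannot confirm it is `size` as the kerneldoc convention for these helpers requires.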
9784 diff -urNp linux-2.6.38.1/arch/x86/include/asm/uaccess.h linux-2.6.38.1/arch/x86/include/asm/uaccess.h
9785 --- linux-2.6.38.1/arch/x86/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
9786 +++ linux-2.6.38.1/arch/x86/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
9788 #include <linux/thread_info.h>
9789 #include <linux/prefetch.h>
9790 #include <linux/string.h>
9791 +#include <linux/sched.h>
9792 #include <asm/asm.h>
9793 #include <asm/page.h>
9795 #define VERIFY_READ 0
9796 #define VERIFY_WRITE 1
9798 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9801 * The fs value determines whether argument validity checking should be
9802 * performed or not. If get_fs() == USER_DS, checking is performed, with
9805 #define get_ds() (KERNEL_DS)
9806 #define get_fs() (current_thread_info()->addr_limit)
9807 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9808 +void __set_fs(mm_segment_t x);
9809 +void set_fs(mm_segment_t x);
9811 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9814 #define segment_eq(a, b) ((a).seg == (b).seg)
9817 * checks that the pointer is in the user space range - after calling
9818 * this function, memory access functions may still return -EFAULT.
9820 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9821 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9822 +#define access_ok(type, addr, size) \
9824 + long __size = size; \
9825 + unsigned long __addr = (unsigned long)addr; \
9826 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9827 + unsigned long __end_ao = __addr + __size - 1; \
9828 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9829 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9830 + while(__addr_ao <= __end_ao) { \
9832 + __addr_ao += PAGE_SIZE; \
9833 + if (__size > PAGE_SIZE) \
9835 + if (__get_user(__c_ao, (char __user *)__addr)) \
9837 + if (type != VERIFY_WRITE) { \
9838 + __addr = __addr_ao; \
9841 + if (__put_user(__c_ao, (char __user *)__addr)) \
9843 + __addr = __addr_ao; \
9850 * The exception table consists of pairs of addresses: the first is the
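Review bot: `access_ok()` stops being a pure range check: for ranges that cross a page boundary it reads one byte per page with `__get_user` and, unless `type` is `VERIFY_READ`, writes the same byte back with `__put_user`, so a user thread storing to that byte between the two operations has its store overwritten, and the macro can now sleep on a page fault, which rules out callers that hold a spinlock or run with page faults disabled. Both properties are invisible to the many existing callers of `access_ok()`, so they need to be stated at the definition: `/* May fault, and for VERIFY_WRITE performs a read-modify-write of one byte in every page of the range; only call from sleepable context. */`. `long __size = size;` also converts the caller's size to signed before `__range_not_ok(__addr, __size)`, which is harmless only if that helper treats its argument as unsigned again; a `size_t`-typed local would avoid the round trip. Several lines inside the loop, including its early exits, are missing from this rendering, so the loop's termination on a failed access is not something I can verify here.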
9851 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
9852 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9853 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9856 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9857 +#define __copyuser_seg "gs;"
9858 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
9859 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
9861 +#define __copyuser_seg
9862 +#define __COPYUSER_SET_ES
9863 +#define __COPYUSER_RESTORE_ES
9866 #ifdef CONFIG_X86_32
9867 #define __put_user_asm_u64(x, addr, err, errret) \
9868 - asm volatile("1: movl %%eax,0(%2)\n" \
9869 - "2: movl %%edx,4(%2)\n" \
9870 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
9871 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
9873 ".section .fixup,\"ax\"\n" \
9875 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
9876 : "A" (x), "r" (addr), "i" (errret), "0" (err))
9878 #define __put_user_asm_ex_u64(x, addr) \
9879 - asm volatile("1: movl %%eax,0(%1)\n" \
9880 - "2: movl %%edx,4(%1)\n" \
9881 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
9882 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
9884 _ASM_EXTABLE(1b, 2b - 1b) \
9885 _ASM_EXTABLE(2b, 3b - 2b) \
9886 @@ -374,7 +416,7 @@ do { \
9889 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9890 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9891 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
9893 ".section .fixup,\"ax\"\n" \
9895 @@ -382,7 +424,7 @@ do { \
9898 _ASM_EXTABLE(1b, 3b) \
9899 - : "=r" (err), ltype(x) \
9900 + : "=r" (err), ltype (x) \
9901 : "m" (__m(addr)), "i" (errret), "0" (err))
9903 #define __get_user_size_ex(x, ptr, size) \
9904 @@ -407,7 +449,7 @@ do { \
9907 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9908 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9909 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
9911 _ASM_EXTABLE(1b, 2b - 1b) \
9912 : ltype(x) : "m" (__m(addr)))
9913 @@ -424,13 +466,24 @@ do { \
9915 unsigned long __gu_val; \
9916 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9917 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9918 + (x) = (__typeof__(*(ptr)))__gu_val; \
9922 /* FIXME: this hack is definitely wrong -AK */
9923 struct __large_struct { unsigned long buf[100]; };
9924 -#define __m(x) (*(struct __large_struct __user *)(x))
9925 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9928 + unsigned long ____x = (unsigned long)(x); \
9929 + if (____x < PAX_USER_SHADOW_BASE) \
9930 + ____x += PAX_USER_SHADOW_BASE; \
9931 + (void __user *)____x; \
9934 +#define ____m(x) (x)
9936 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9939 * Tell gcc we read from memory instead of writing: this is because
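Review bot: The new `____m()` statement expression (`unsigned long ____x = (unsigned long)(x); if (____x < PAX_USER_SHADOW_BASE) ____x += PAX_USER_SHADOW_BASE;`) has no comment, and nothing says why addresses below `PAX_USER_SHADOW_BASE` are relocated while others pass through unchanged. I would add above the `#if`: `/* UDEREF (64-bit): an address below PAX_USER_SHADOW_BASE is presumably a raw user pointer and is moved into the shadow user range before the asm dereferences it; anything at or above passes through untouched — TODO confirm against the definition of PAX_USER_SHADOW_BASE */`. Separately, dropping `__force` from `(x) = (__typeof__(*(ptr)))__gu_val;` here (and in the `get_user_ex` hunk below) may make sparse report the unsigned-long-to-pointer cast when `*(ptr)` is itself an address-space-annotated pointer; if that is intended, a one-line note on why would help the next reader.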
9940 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
9943 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9944 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9945 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
9947 ".section .fixup,\"ax\"\n" \
9949 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
9951 _ASM_EXTABLE(1b, 3b) \
9953 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9954 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
9956 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9957 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9958 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
9960 _ASM_EXTABLE(1b, 2b - 1b) \
9961 : : ltype(x), "m" (__m(addr)))
9962 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
9963 * On error, the variable @x is set to zero.
9966 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9967 +#define __get_user(x, ptr) get_user((x), (ptr))
9969 #define __get_user(x, ptr) \
9970 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
9974 * __put_user: - Write a simple value into user space, with less checking.
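Review bot: The kernel-doc block right above this hunk still describes `__get_user` as the variant "with less checking" and states "On error, the variable @x is set to zero", but under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF` the new `#define __get_user(x, ptr) get_user((x), (ptr))` makes it the fully checked `get_user`. A comment inside the `#if` branch, e.g. `/* UDEREF: alias the unchecked accessor to get_user() so its user-pointer handling is not bypassed — TODO confirm */`, would explain the redirection, and the doc paragraph would need an "unless UDEREF is enabled" qualifier. The `__put_user` hunk that follows does the same and deserves the same treatment; the kernel-doc text itself begins outside this hunk.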
9975 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
9976 * Returns zero on success, or -EFAULT on error.
9979 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9980 +#define __put_user(x, ptr) put_user((x), (ptr))
9982 #define __put_user(x, ptr) \
9983 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
9986 #define __get_user_unaligned __get_user
9987 #define __put_user_unaligned __put_user
9988 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
9989 #define get_user_ex(x, ptr) do { \
9990 unsigned long __gue_val; \
9991 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9992 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9993 + (x) = (__typeof__(*(ptr)))__gue_val; \
9996 #ifdef CONFIG_X86_WP_WORKS_OK
9997 @@ -567,6 +628,7 @@ extern struct movsl_mask {
9999 #define ARCH_HAS_NOCACHE_UACCESS 1
10001 +#define ARCH_HAS_SORT_EXTABLE
10002 #ifdef CONFIG_X86_32
10003 # include "uaccess_32.h"
10005 diff -urNp linux-2.6.38.1/arch/x86/include/asm/vgtod.h linux-2.6.38.1/arch/x86/include/asm/vgtod.h
10006 --- linux-2.6.38.1/arch/x86/include/asm/vgtod.h 2011-03-14 21:20:32.000000000 -0400
10007 +++ linux-2.6.38.1/arch/x86/include/asm/vgtod.h 2011-03-21 18:31:35.000000000 -0400
10008 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10009 int sysctl_enabled;
10010 struct timezone sys_tz;
10011 struct { /* extract of a clocksource struct */
10013 cycle_t (*vread)(void);
10014 cycle_t cycle_last;
10016 diff -urNp linux-2.6.38.1/arch/x86/include/asm/vsyscall.h linux-2.6.38.1/arch/x86/include/asm/vsyscall.h
10017 --- linux-2.6.38.1/arch/x86/include/asm/vsyscall.h 2011-03-14 21:20:32.000000000 -0400
10018 +++ linux-2.6.38.1/arch/x86/include/asm/vsyscall.h 2011-03-21 18:31:35.000000000 -0400
10019 @@ -15,9 +15,10 @@ enum vsyscall_num {
10022 #include <linux/seqlock.h>
10023 +#include <linux/getcpu.h>
10024 +#include <linux/time.h>
10026 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10027 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10029 /* Definitions for CONFIG_GENERIC_TIME definitions */
10030 #define __section_vsyscall_gtod_data __attribute__ \
10031 @@ -31,7 +32,6 @@ enum vsyscall_num {
10032 #define VGETCPU_LSL 2
10034 extern int __vgetcpu_mode;
10035 -extern volatile unsigned long __jiffies;
10037 /* kernel space (writeable) */
10038 extern int vgetcpu_mode;
10039 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10041 extern void map_vsyscall(void);
10043 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10044 +extern time_t vtime(time_t *t);
10045 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10046 #endif /* __KERNEL__ */
10048 #endif /* _ASM_X86_VSYSCALL_H */
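Review bot: The added prototypes `extern int vgettimeofday(struct timeval * tv, struct timezone * tz);` put a space on both sides of the pointer `*`, which departs from the convention used elsewhere in this header and across the kernel of binding `*` to the name; I would write `extern int vgettimeofday(struct timeval *tv, struct timezone *tz);`. The three new declarations are also added without a comment; a one-liner naming the translation unit that defines them would help, since the definitions are not in this header.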
10049 diff -urNp linux-2.6.38.1/arch/x86/include/asm/xsave.h linux-2.6.38.1/arch/x86/include/asm/xsave.h
10050 --- linux-2.6.38.1/arch/x86/include/asm/xsave.h 2011-03-14 21:20:32.000000000 -0400
10051 +++ linux-2.6.38.1/arch/x86/include/asm/xsave.h 2011-03-21 18:31:35.000000000 -0400
10052 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10057 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10058 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10062 * Clear the xsave header first, so that reserved fields are
10063 * initialized to zero.
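Review bot: The shadow-base adjustment added at the top of `xsave_user` (`if ((unsigned long)buf < PAX_USER_SHADOW_BASE) buf = ... + PAX_USER_SHADOW_BASE;`) is the third hand-written copy of the same test: the `xrestore_user` hunk just below repeats it for `xstate`, and `____m()` in the uaccess.h hunks above does the same under the same `#if`. A single helper in the header that owns `PAX_USER_SHADOW_BASE` (constructed example: `static inline void __user *pax_user_shadow(const void __user *p)` with the compare-and-add inside) would keep the idiom in one place and give it a name. Each copy is also uncommented; if the duplication stays, a short `/* UDEREF: move a raw user pointer into the shadow user range before the asm touches it */` at each site would help. The body of xsave_user starts before this hunk.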
10064 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10066 u32 hmask = mask >> 32;
10068 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10069 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10070 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10073 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10075 ".section .fixup,\"ax\"\n"
10076 diff -urNp linux-2.6.38.1/arch/x86/Kconfig linux-2.6.38.1/arch/x86/Kconfig
10077 --- linux-2.6.38.1/arch/x86/Kconfig 2011-03-14 21:20:32.000000000 -0400
10078 +++ linux-2.6.38.1/arch/x86/Kconfig 2011-03-21 18:31:35.000000000 -0400
10079 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
10081 config X86_32_LAZY_GS
10083 - depends on X86_32 && !CC_STACKPROTECTOR
10084 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10086 config ARCH_HWEIGHT_CFLAGS
10088 @@ -1019,7 +1019,7 @@ choice
10092 - depends on !X86_NUMAQ
10093 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10095 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10096 However, the address space of 32-bit x86 processors is only 4
10097 @@ -1056,7 +1056,7 @@ config NOHIGHMEM
10101 - depends on !X86_NUMAQ
10102 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10104 Select this if you have a 32-bit processor and between 1 and 4
10105 gigabytes of physical RAM.
10106 @@ -1110,7 +1110,7 @@ config PAGE_OFFSET
10108 default 0xB0000000 if VMSPLIT_3G_OPT
10109 default 0x80000000 if VMSPLIT_2G
10110 - default 0x78000000 if VMSPLIT_2G_OPT
10111 + default 0x70000000 if VMSPLIT_2G_OPT
10112 default 0x40000000 if VMSPLIT_1G
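Review bot: The `VMSPLIT_2G_OPT` default for `PAGE_OFFSET` moves from `0x78000000` to `0x70000000` with no explanation, and the change is invisible from the `VMSPLIT_2G_OPT` prompt itself, so a later reader sees only the new value. A comment on the preceding line, `# <reason the 2G_OPT split is lowered under this patch — not recoverable from the hunk>`, or a sentence in the patch description, would record why the split is lowered.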
10115 @@ -1454,7 +1454,7 @@ config ARCH_USES_PG_UNCACHED
10118 bool "EFI runtime service support"
10120 + depends on ACPI && !PAX_KERNEXEC
10122 This enables the kernel to use EFI runtime services that are
10123 available (such as the EFI variable services).
10124 @@ -1484,6 +1484,7 @@ config SECCOMP
10126 config CC_STACKPROTECTOR
10127 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10128 + depends on X86_64 || !PAX_MEMORY_UDEREF
10130 This option turns on the -fstack-protector GCC feature. This
10131 feature puts, at the beginning of functions, a canary value on
10132 @@ -1541,6 +1542,7 @@ config KEXEC_JUMP
10133 config PHYSICAL_START
10134 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10135 default "0x1000000"
10136 + range 0x400000 0x40000000
10138 This gives the physical address where the kernel is loaded.
10140 @@ -1604,6 +1606,7 @@ config X86_NEED_RELOCS
10141 config PHYSICAL_ALIGN
10142 hex "Alignment value to which kernel should be aligned" if X86_32
10143 default "0x1000000"
10144 + range 0x400000 0x1000000 if PAX_KERNEXEC
10145 range 0x2000 0x1000000
10147 This value puts the alignment restrictions on physical address
10148 @@ -1635,9 +1638,10 @@ config HOTPLUG_CPU
10149 Say N if you want to disable CPU hotplug.
10154 prompt "Compat VDSO support"
10155 depends on X86_32 || IA32_EMULATION
10156 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10158 Map the 32-bit VDSO to the predictable old-style address too.
10160 diff -urNp linux-2.6.38.1/arch/x86/Kconfig.cpu linux-2.6.38.1/arch/x86/Kconfig.cpu
10161 --- linux-2.6.38.1/arch/x86/Kconfig.cpu 2011-03-14 21:20:32.000000000 -0400
10162 +++ linux-2.6.38.1/arch/x86/Kconfig.cpu 2011-03-21 18:31:35.000000000 -0400
10163 @@ -339,7 +339,7 @@ config X86_PPRO_FENCE
10165 config X86_F00F_BUG
10167 - depends on M586MMX || M586TSC || M586 || M486 || M386
10168 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10170 config X86_INVD_BUG
10172 @@ -363,7 +363,7 @@ config X86_POPAD_OK
10174 config X86_ALIGNMENT_16
10176 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10177 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10179 config X86_INTEL_USERCOPY
10181 @@ -409,7 +409,7 @@ config X86_CMPXCHG64
10185 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10186 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10188 config X86_MINIMUM_CPU_FAMILY
10190 diff -urNp linux-2.6.38.1/arch/x86/Kconfig.debug linux-2.6.38.1/arch/x86/Kconfig.debug
10191 --- linux-2.6.38.1/arch/x86/Kconfig.debug 2011-03-14 21:20:32.000000000 -0400
10192 +++ linux-2.6.38.1/arch/x86/Kconfig.debug 2011-03-21 18:31:35.000000000 -0400
10193 @@ -101,7 +101,7 @@ config X86_PTDUMP
10194 config DEBUG_RODATA
10195 bool "Write protect kernel read-only data structures"
10197 - depends on DEBUG_KERNEL
10198 + depends on DEBUG_KERNEL && BROKEN
10200 Mark the kernel read-only data as write-protected in the pagetables,
10201 in order to catch accidental (and incorrect) writes to such const
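Review bot: `DEBUG_RODATA` is now `depends on DEBUG_KERNEL && BROKEN`, which hides the option from configuration, but its prompt and help text are left as they were and still advertise a working feature. A comment on the `depends` line, `# marked BROKEN by this patch: <reason / superseding PaX feature>`, or a sentence in the help text, would tell the reader why the option is disabled instead of leaving a dangling help entry. The `DEBUG_SET_MODULE_RONX` hunk that follows does the same and needs the same note.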
10202 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
10204 config DEBUG_SET_MODULE_RONX
10205 bool "Set loadable kernel module data as NX and text as RO"
10206 - depends on MODULES
10207 + depends on MODULES && BROKEN
10209 This option helps catch unintended modifications to loadable
10210 kernel module's text and read-only data. It also prevents execution
10211 diff -urNp linux-2.6.38.1/arch/x86/kernel/acpi/boot.c linux-2.6.38.1/arch/x86/kernel/acpi/boot.c
10212 --- linux-2.6.38.1/arch/x86/kernel/acpi/boot.c 2011-03-14 21:20:32.000000000 -0400
10213 +++ linux-2.6.38.1/arch/x86/kernel/acpi/boot.c 2011-03-21 18:31:35.000000000 -0400
10214 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
10215 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10219 + { NULL, NULL, {{0, {0}}}, NULL}
10223 diff -urNp linux-2.6.38.1/arch/x86/kernel/acpi/sleep.c linux-2.6.38.1/arch/x86/kernel/acpi/sleep.c
10224 --- linux-2.6.38.1/arch/x86/kernel/acpi/sleep.c 2011-03-14 21:20:32.000000000 -0400
10225 +++ linux-2.6.38.1/arch/x86/kernel/acpi/sleep.c 2011-03-21 18:31:35.000000000 -0400
10227 #include "realmode/wakeup.h"
10230 -unsigned long acpi_wakeup_address;
10231 +unsigned long acpi_wakeup_address = 0x2000;
10232 unsigned long acpi_realmode_flags;
10234 /* address in low memory of the wakeup routine. */
10235 @@ -99,8 +99,12 @@ int acpi_save_state_mem(void)
10236 header->trampoline_segment = setup_trampoline() >> 4;
10238 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10240 + pax_open_kernel();
10241 early_gdt_descr.address =
10242 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10243 + pax_close_kernel();
10245 initial_gs = per_cpu_offset(smp_processor_id());
10247 initial_code = (unsigned long)wakeup_long64;
10248 diff -urNp linux-2.6.38.1/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.38.1/arch/x86/kernel/acpi/wakeup_32.S
10249 --- linux-2.6.38.1/arch/x86/kernel/acpi/wakeup_32.S 2011-03-14 21:20:32.000000000 -0400
10250 +++ linux-2.6.38.1/arch/x86/kernel/acpi/wakeup_32.S 2011-03-21 18:31:35.000000000 -0400
10251 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10252 # and restore the stack ... but you need gdt for this to work
10253 movl saved_context_esp, %esp
10255 - movl %cs:saved_magic, %eax
10256 - cmpl $0x12345678, %eax
10257 + cmpl $0x12345678, saved_magic
10260 # jump to place where we left off
10261 - movl saved_eip, %eax
10267 diff -urNp linux-2.6.38.1/arch/x86/kernel/alternative.c linux-2.6.38.1/arch/x86/kernel/alternative.c
10268 --- linux-2.6.38.1/arch/x86/kernel/alternative.c 2011-03-23 17:20:06.000000000 -0400
10269 +++ linux-2.6.38.1/arch/x86/kernel/alternative.c 2011-03-26 20:47:42.000000000 -0400
10270 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10271 if (!*poff || ptr < text || ptr >= text_end)
10273 /* turn DS segment override prefix into lock prefix */
10274 - if (*ptr == 0x3e)
10275 + if (*ktla_ktva(ptr) == 0x3e)
10276 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10278 mutex_unlock(&text_mutex);
10279 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10280 if (!*poff || ptr < text || ptr >= text_end)
10282 /* turn lock prefix into DS segment override prefix */
10283 - if (*ptr == 0xf0)
10284 + if (*ktla_ktva(ptr) == 0xf0)
10285 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10287 mutex_unlock(&text_mutex);
10288 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
10290 BUG_ON(p->len > MAX_PATCH_LEN);
10291 /* prep the buffer with the original instructions */
10292 - memcpy(insnbuf, p->instr, p->len);
10293 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10294 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10295 (unsigned long)p->instr, p->len);
10297 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
10299 free_init_pages("SMP alternatives",
10300 (unsigned long)__smp_locks,
10301 - (unsigned long)__smp_locks_end);
10302 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10306 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
10307 * instructions. And on the local CPU you need to be protected again NMI or MCE
10308 * handlers seeing an inconsistent instruction while you patch.
10310 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10311 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10314 unsigned long flags;
10315 local_irq_save(flags);
10316 - memcpy(addr, opcode, len);
10318 + pax_open_kernel();
10319 + memcpy(ktla_ktva(addr), opcode, len);
10321 + pax_close_kernel();
10323 local_irq_restore(flags);
10324 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10325 that causes hangs on some VIA CPUs. */
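Review bot: `text_poke_early` loses its `__init_or_module` annotation in favour of `__kprobes` and now writes through `ktla_ktva(addr)` between `pax_open_kernel()` and `pax_close_kernel()`, but the comment above the function (whose first lines are outside this hunk) is not updated to say that the function stays resident and is called at run time — the `text_poke` hunk that follows routes through it. I would add to that comment: `Not in .init any more: text_poke() delegates to this function, so it must stay resident. The write goes to the ktla_ktva() alias of addr with kernel write protection lifted by pax_open_kernel().` The `local_irq_save(flags)`/`local_irq_restore(flags)` framing is unchanged.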
10326 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
10328 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10330 - unsigned long flags;
10332 + unsigned char *vaddr = ktla_ktva(addr);
10333 struct page *pages[2];
10337 if (!core_kernel_text((unsigned long)addr)) {
10338 - pages[0] = vmalloc_to_page(addr);
10339 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10340 + pages[0] = vmalloc_to_page(vaddr);
10341 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10343 - pages[0] = virt_to_page(addr);
10344 + pages[0] = virt_to_page(vaddr);
10345 WARN_ON(!PageReserved(pages[0]));
10346 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10347 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10350 - local_irq_save(flags);
10351 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10353 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10354 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10355 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10356 - clear_fixmap(FIX_TEXT_POKE0);
10358 - clear_fixmap(FIX_TEXT_POKE1);
10359 - local_flush_tlb();
10361 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10362 - that causes hangs on some VIA CPUs. */
10363 + text_poke_early(addr, opcode, len);
10364 for (i = 0; i < len; i++)
10365 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10366 - local_irq_restore(flags);
10367 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
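Review bot: After the rewrite of `text_poke`, `pages[1]` is still computed on both branches (`pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);` and `pages[1] = virt_to_page(vaddr + PAGE_SIZE);`) but, as far as the visible lines show, nothing reads it any more: the `set_fixmap(FIX_TEXT_POKE1, ...)`/`clear_fixmap(FIX_TEXT_POKE1)` pair that consumed it is removed and the copy is delegated to `text_poke_early`. Either drop the second element and keep only the `pages[0]` lookup that still feeds `WARN_ON(!PageReserved(pages[0]))`, or add a comment saying why the following-page lookup is kept. Minor: `(vaddr)[i]` in the new `BUG_ON` carries parentheses that served the old `(char *)addr` cast and can be `vaddr[i]`. The closing brace of text_poke is outside the visible lines.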
10371 @@ -620,12 +610,7 @@ static int __kprobes stop_machine_text_p
10372 flush_icache_range((unsigned long)p->addr,
10373 (unsigned long)p->addr + p->len);
10376 - * Intel Archiecture Software Developer's Manual section 7.1.3 specifies
10377 - * that a core serializing instruction such as "cpuid" should be
10378 - * executed on _each_ core before the new instruction is made visible.
10385 @@ -682,9 +667,9 @@ void __kprobes text_poke_smp_batch(struc
10386 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
10388 #ifdef CONFIG_X86_64
10389 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10390 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10392 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10393 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10396 void __init arch_init_ideal_nop5(void)
10397 diff -urNp linux-2.6.38.1/arch/x86/kernel/amd_iommu.c linux-2.6.38.1/arch/x86/kernel/amd_iommu.c
10398 --- linux-2.6.38.1/arch/x86/kernel/amd_iommu.c 2011-03-14 21:20:32.000000000 -0400
10399 +++ linux-2.6.38.1/arch/x86/kernel/amd_iommu.c 2011-03-21 18:31:35.000000000 -0400
10400 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10404 -static struct dma_map_ops amd_iommu_dma_ops = {
10405 +static const struct dma_map_ops amd_iommu_dma_ops = {
10406 .alloc_coherent = alloc_coherent,
10407 .free_coherent = free_coherent,
10408 .map_page = map_page,
10409 diff -urNp linux-2.6.38.1/arch/x86/kernel/apic/io_apic.c linux-2.6.38.1/arch/x86/kernel/apic/io_apic.c
10410 --- linux-2.6.38.1/arch/x86/kernel/apic/io_apic.c 2011-03-14 21:20:32.000000000 -0400
10411 +++ linux-2.6.38.1/arch/x86/kernel/apic/io_apic.c 2011-03-21 18:31:35.000000000 -0400
10412 @@ -617,7 +617,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10413 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10415 if (!ioapic_entries)
10419 for (apic = 0; apic < nr_ioapics; apic++) {
10420 ioapic_entries[apic] =
10421 @@ -634,7 +634,7 @@ nomem:
10422 kfree(ioapic_entries[apic]);
10423 kfree(ioapic_entries);
10430 @@ -1044,7 +1044,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10432 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10434 -void lock_vector_lock(void)
10435 +void lock_vector_lock(void) __acquires(vector_lock)
10437 /* Used to the online set of cpus does not change
10438 * during assign_irq_vector.
10439 @@ -1052,7 +1052,7 @@ void lock_vector_lock(void)
10440 raw_spin_lock(&vector_lock);
10443 -void unlock_vector_lock(void)
10444 +void unlock_vector_lock(void) __releases(vector_lock)
10446 raw_spin_unlock(&vector_lock);
10448 diff -urNp linux-2.6.38.1/arch/x86/kernel/apm_32.c linux-2.6.38.1/arch/x86/kernel/apm_32.c
10449 --- linux-2.6.38.1/arch/x86/kernel/apm_32.c 2011-03-14 21:20:32.000000000 -0400
10450 +++ linux-2.6.38.1/arch/x86/kernel/apm_32.c 2011-03-21 18:31:35.000000000 -0400
10451 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10452 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10453 * even though they are called in protected mode.
10455 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10456 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10457 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10459 static const char driver_version[] = "1.16ac"; /* no spaces */
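Review bot: `bad_bios_desc` changes both qualifier and content — it becomes `const` and its access byte goes from `0x4092` to `0x4093` — and the second change has no comment. On x86 the low bit of the access byte is the descriptor's Accessed flag, so `0x4093` pre-sets it; since the descriptor is now `const` data and is copied into a GDT that the later hunks in this file wrap in `pax_open_kernel()`/`pax_close_kernel()`, the intent is presumably to avoid the processor having to write the Accessed bit into a write-protected GDT. That reasoning belongs next to the constant: `/* 0x4093 = 0x4092 with the Accessed bit pre-set: the GDT is write-protected, so the CPU must never need to set it — TODO confirm */`.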
10460 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10462 gdt = get_cpu_gdt_table(cpu);
10463 save_desc_40 = gdt[0x40 / 8];
10465 + pax_open_kernel();
10466 gdt[0x40 / 8] = bad_bios_desc;
10467 + pax_close_kernel();
10469 apm_irq_save(flags);
10471 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10473 APM_DO_RESTORE_SEGS;
10474 apm_irq_restore(flags);
10476 + pax_open_kernel();
10477 gdt[0x40 / 8] = save_desc_40;
10478 + pax_close_kernel();
10482 return call->eax & 0xff;
10483 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10485 gdt = get_cpu_gdt_table(cpu);
10486 save_desc_40 = gdt[0x40 / 8];
10488 + pax_open_kernel();
10489 gdt[0x40 / 8] = bad_bios_desc;
10490 + pax_close_kernel();
10492 apm_irq_save(flags);
10494 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10496 APM_DO_RESTORE_SEGS;
10497 apm_irq_restore(flags);
10499 + pax_open_kernel();
10500 gdt[0x40 / 8] = save_desc_40;
10501 + pax_close_kernel();
10506 @@ -975,7 +989,7 @@ recalc:
10508 static void apm_power_off(void)
10510 - unsigned char po_bios_call[] = {
10511 + const unsigned char po_bios_call[] = {
10512 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10513 0x8e, 0xd0, /* movw ax,ss */
10514 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10515 @@ -1932,7 +1946,10 @@ static const struct file_operations apm_
10516 static struct miscdevice apm_device = {
10527 @@ -2253,7 +2270,7 @@ static struct dmi_system_id __initdata a
10528 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10532 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10536 @@ -2356,12 +2373,15 @@ static int __init apm_init(void)
10537 * code to that CPU.
10539 gdt = get_cpu_gdt_table(0);
10541 + pax_open_kernel();
10542 set_desc_base(&gdt[APM_CS >> 3],
10543 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10544 set_desc_base(&gdt[APM_CS_16 >> 3],
10545 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10546 set_desc_base(&gdt[APM_DS >> 3],
10547 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10548 + pax_close_kernel();
10550 proc_create("apm", 0, NULL, &apm_file_ops);
10552 diff -urNp linux-2.6.38.1/arch/x86/kernel/asm-offsets_32.c linux-2.6.38.1/arch/x86/kernel/asm-offsets_32.c
10553 --- linux-2.6.38.1/arch/x86/kernel/asm-offsets_32.c 2011-03-14 21:20:32.000000000 -0400
10554 +++ linux-2.6.38.1/arch/x86/kernel/asm-offsets_32.c 2011-03-21 18:31:35.000000000 -0400
10555 @@ -113,6 +113,11 @@ void foo(void)
10556 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10557 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10558 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10560 +#ifdef CONFIG_PAX_KERNEXEC
10561 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10567 diff -urNp linux-2.6.38.1/arch/x86/kernel/asm-offsets_64.c linux-2.6.38.1/arch/x86/kernel/asm-offsets_64.c
10568 --- linux-2.6.38.1/arch/x86/kernel/asm-offsets_64.c 2011-03-14 21:20:32.000000000 -0400
10569 +++ linux-2.6.38.1/arch/x86/kernel/asm-offsets_64.c 2011-03-21 18:31:35.000000000 -0400
10570 @@ -63,6 +63,18 @@ int main(void)
10571 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10572 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10573 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10575 +#ifdef CONFIG_PAX_KERNEXEC
10576 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10577 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10580 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10581 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10582 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10583 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10589 @@ -115,6 +127,7 @@ int main(void)
10593 + DEFINE(TSS_size, sizeof(struct tss_struct));
10594 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10596 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10597 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/common.c linux-2.6.38.1/arch/x86/kernel/cpu/common.c
10598 --- linux-2.6.38.1/arch/x86/kernel/cpu/common.c 2011-03-14 21:20:32.000000000 -0400
10599 +++ linux-2.6.38.1/arch/x86/kernel/cpu/common.c 2011-03-21 18:31:35.000000000 -0400
10600 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10602 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10604 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10605 -#ifdef CONFIG_X86_64
10607 - * We need valid kernel segments for data and code in long mode too
10608 - * IRET will check the segment types kkeil 2000/10/28
10609 - * Also sysret mandates a special GDT layout
10611 - * TLS descriptors are currently at a different place compared to i386.
10612 - * Hopefully nobody expects them at a fixed place (Wine?)
10614 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10615 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10616 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10617 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10618 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10619 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10621 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10622 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10623 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10624 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10626 - * Segments used for calling PnP BIOS have byte granularity.
10627 - * They code segments and data segments have fixed 64k limits,
10628 - * the transfer segment sizes are set at run time.
10630 - /* 32-bit code */
10631 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10632 - /* 16-bit code */
10633 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10634 - /* 16-bit data */
10635 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10636 - /* 16-bit data */
10637 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10638 - /* 16-bit data */
10639 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10641 - * The APM segments have byte granularity and their bases
10642 - * are set at run time. All have 64k limits.
10644 - /* 32-bit code */
10645 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10646 - /* 16-bit code */
10647 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10649 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10651 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10652 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10653 - GDT_STACK_CANARY_INIT
10656 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10658 static int __init x86_xsave_setup(char *s)
10660 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10661 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10663 struct desc_ptr gdt_descr;
10665 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10666 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10667 gdt_descr.size = GDT_SIZE - 1;
10668 load_gdt(&gdt_descr);
10669 /* Reload the per-cpu base */
10670 @@ -825,6 +771,10 @@ static void __cpuinit identify_cpu(struc
10671 /* Filter out anything that depends on CPUID levels we don't have */
10672 filter_cpuid_features(c, true);
10674 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10675 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10678 /* If the model name is still unset, do table lookup. */
10679 if (!c->x86_model_id[0]) {
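Review bot: The new `setup_clear_cpu_cap(X86_FEATURE_SEP);` in `identify_cpu` is guarded by a three-way `#if` (`PAX_SEGMEXEC`, `PAX_KERNEXEC`, or `PAX_MEMORY_UDEREF` on 32-bit) but carries no comment, so the reader is left to guess why SYSENTER support is hidden from the rest of the kernel under those features. A justification above the `#if`, e.g. `/* <PaX feature>: clear SEP because <constraint on the sysenter path> — TODO fill in */`, is warranted for a change that affects the system-call entry path. The body of identify_cpu continues outside this hunk.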
10681 @@ -1084,7 +1034,7 @@ struct pt_regs * __cpuinit idle_regs(str
10683 memset(regs, 0, sizeof(struct pt_regs));
10684 regs->fs = __KERNEL_PERCPU;
10685 - regs->gs = __KERNEL_STACK_CANARY;
10686 + savesegment(gs, regs->gs);
10690 @@ -1139,7 +1089,7 @@ void __cpuinit cpu_init(void)
10693 cpu = stack_smp_processor_id();
10694 - t = &per_cpu(init_tss, cpu);
10695 + t = init_tss + cpu;
10696 oist = &per_cpu(orig_ist, cpu);
10699 @@ -1165,7 +1115,7 @@ void __cpuinit cpu_init(void)
10700 switch_to_new_gdt(cpu);
10701 loadsegment(fs, 0);
10703 - load_idt((const struct desc_ptr *)&idt_descr);
10704 + load_idt(&idt_descr);
10706 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10708 @@ -1174,7 +1124,6 @@ void __cpuinit cpu_init(void)
10709 wrmsrl(MSR_KERNEL_GS_BASE, 0);
10712 - x86_configure_nx();
10716 @@ -1228,7 +1177,7 @@ void __cpuinit cpu_init(void)
10718 int cpu = smp_processor_id();
10719 struct task_struct *curr = current;
10720 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10721 + struct tss_struct *t = init_tss + cpu;
10722 struct thread_struct *thread = &curr->thread;
10724 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10725 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10726 --- linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-03-14 21:20:32.000000000 -0400
10727 +++ linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-03-21 18:31:35.000000000 -0400
10728 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
10729 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10733 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10736 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10737 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10738 --- linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-03-14 21:20:32.000000000 -0400
10739 +++ linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-03-21 18:31:35.000000000 -0400
10740 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10741 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10742 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10745 + { NULL, NULL, 0, NULL}
10749 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/intel.c linux-2.6.38.1/arch/x86/kernel/cpu/intel.c
10750 --- linux-2.6.38.1/arch/x86/kernel/cpu/intel.c 2011-03-14 21:20:32.000000000 -0400
10751 +++ linux-2.6.38.1/arch/x86/kernel/cpu/intel.c 2011-03-21 18:31:35.000000000 -0400
10752 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
10753 * Update the IDT descriptor and reload the IDT so that
10754 * it uses the read-only mapped virtual address.
10756 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10757 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10758 load_idt(&idt_descr);
10761 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/Makefile linux-2.6.38.1/arch/x86/kernel/cpu/Makefile
10762 --- linux-2.6.38.1/arch/x86/kernel/cpu/Makefile 2011-03-14 21:20:32.000000000 -0400
10763 +++ linux-2.6.38.1/arch/x86/kernel/cpu/Makefile 2011-03-21 18:31:35.000000000 -0400
10764 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10765 CFLAGS_REMOVE_perf_event.o = -pg
10768 -# Make sure load_percpu_segment has no stackprotector
10769 -nostackp := $(call cc-option, -fno-stack-protector)
10770 -CFLAGS_common.o := $(nostackp)
10772 obj-y := intel_cacheinfo.o scattered.o topology.o
10773 obj-y += proc.o capflags.o powerflags.o common.o
10774 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
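Review bot: Dropping the `-fno-stack-protector` override for common.o (lines 10768-10770) is not explained anywhere in the hunk; the removed comment says load_percpu_segment() must not be instrumented, presumably because the canary is read through a %gs base that this very function is switching. If another part of this patch has lifted that constraint (the per-cpu/GDT setup changes in head_32.S look like candidates), a one-line comment at the old spot, e.g. `# common.o no longer needs -fno-stack-protector: <reason>`, would stop the override from being re-added at the next merge. If the constraint still holds, a boot-time canary mismatch in load_percpu_segment() is the failure to test for.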
10775 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.38.1/arch/x86/kernel/cpu/mcheck/mce.c
10776 --- linux-2.6.38.1/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-14 21:20:32.000000000 -0400
10777 +++ linux-2.6.38.1/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-21 18:31:35.000000000 -0400
10779 #include <asm/ipi.h>
10780 #include <asm/mce.h>
10781 #include <asm/msr.h>
10782 +#include <asm/local.h>
10784 #include "mce-internal.h"
10786 @@ -219,7 +220,7 @@ static void print_mce(struct mce *m)
10787 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10790 - if (m->cs == __KERNEL_CS)
10791 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10792 print_symbol("{%s}", m->ip);
10795 @@ -1460,14 +1461,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10798 static DEFINE_SPINLOCK(mce_state_lock);
10799 -static int open_count; /* #times opened */
10800 +static local_t open_count; /* #times opened */
10801 static int open_exclu; /* already open exclusive? */
10803 static int mce_open(struct inode *inode, struct file *file)
10805 spin_lock(&mce_state_lock);
10807 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10808 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
10809 spin_unlock(&mce_state_lock);
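Review bot: `open_count` becomes a `local_t` (line 10800) while remaining a single global that is only ever touched under `mce_state_lock`, and `local_t` is documented for per-CPU data; the intent looks like overflow-checked increment/decrement rather than CPU locality, and that deserves a comment so nobody later "fixes" it back to `int` or drops the lock. Suggested: `static local_t open_count; /* #times opened; local_t for overflow-checked inc/dec, still serialised by mce_state_lock */`. The same comment covers the `local_inc`/`local_dec` hunks that follow (mce_open at @@ -1475 and mce_release at @@ -1486). mce_open() continues outside the hunk.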
10812 @@ -1475,7 +1476,7 @@ static int mce_open(struct inode *inode,
10814 if (file->f_flags & O_EXCL)
10817 + local_inc(&open_count);
10819 spin_unlock(&mce_state_lock);
10821 @@ -1486,7 +1487,7 @@ static int mce_release(struct inode *ino
10823 spin_lock(&mce_state_lock);
10826 + local_dec(&open_count);
10829 spin_unlock(&mce_state_lock);
10830 @@ -1658,8 +1659,7 @@ static long mce_ioctl(struct file *f, un
10834 -/* Modified in mce-inject.c, so not static or const */
10835 -struct file_operations mce_chrdev_ops = {
10836 +struct file_operations mce_chrdev_ops = { /* Modified in mce-inject.c, so not static or const */
10838 .release = mce_release,
10840 @@ -1673,6 +1673,7 @@ static struct miscdevice mce_log_device
10844 + {NULL, NULL}, NULL, NULL
10848 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/generic.c
10849 --- linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-14 21:20:32.000000000 -0400
10850 +++ linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-21 18:31:35.000000000 -0400
10851 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10852 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10853 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10854 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10859 static unsigned long smp_changes_mask;
10860 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/main.c
10861 --- linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/main.c 2011-03-14 21:20:32.000000000 -0400
10862 +++ linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/main.c 2011-03-21 18:31:35.000000000 -0400
10863 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10864 u64 size_or_mask, size_and_mask;
10865 static bool mtrr_aps_delayed_init;
10867 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10868 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10870 const struct mtrr_ops *mtrr_if;
10872 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/mtrr.h
10873 --- linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-14 21:20:32.000000000 -0400
10874 +++ linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-21 18:31:35.000000000 -0400
10875 @@ -12,19 +12,19 @@
10876 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10880 - u32 use_intel_if;
10881 - void (*set)(unsigned int reg, unsigned long base,
10882 + const u32 vendor;
10883 + const u32 use_intel_if;
10884 + void (* const set)(unsigned int reg, unsigned long base,
10885 unsigned long size, mtrr_type type);
10886 - void (*set_all)(void);
10887 + void (* const set_all)(void);
10889 - void (*get)(unsigned int reg, unsigned long *base,
10890 + void (* const get)(unsigned int reg, unsigned long *base,
10891 unsigned long *size, mtrr_type *type);
10892 - int (*get_free_region)(unsigned long base, unsigned long size,
10893 + int (* const get_free_region)(unsigned long base, unsigned long size,
10895 - int (*validate_add_page)(unsigned long base, unsigned long size,
10896 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10897 unsigned int type);
10898 - int (*have_wrcomb)(void);
10899 + int (* const have_wrcomb)(void);
10902 extern int generic_get_free_region(unsigned long base, unsigned long size,
10903 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/perf_event.c linux-2.6.38.1/arch/x86/kernel/cpu/perf_event.c
10904 --- linux-2.6.38.1/arch/x86/kernel/cpu/perf_event.c 2011-03-14 21:20:32.000000000 -0400
10905 +++ linux-2.6.38.1/arch/x86/kernel/cpu/perf_event.c 2011-03-21 18:31:35.000000000 -0400
10906 @@ -1781,7 +1781,7 @@ perf_callchain_user(struct perf_callchai
10909 perf_callchain_store(entry, frame.return_address);
10910 - fp = frame.next_frame;
10911 + fp = (__force const void __user *)frame.next_frame;
10915 diff -urNp linux-2.6.38.1/arch/x86/kernel/crash.c linux-2.6.38.1/arch/x86/kernel/crash.c
10916 --- linux-2.6.38.1/arch/x86/kernel/crash.c 2011-03-14 21:20:32.000000000 -0400
10917 +++ linux-2.6.38.1/arch/x86/kernel/crash.c 2011-03-21 18:31:35.000000000 -0400
10918 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
10921 #ifdef CONFIG_X86_32
10922 - if (!user_mode_vm(regs)) {
10923 + if (!user_mode(regs)) {
10924 crash_fixup_ss_esp(&fixed_regs, regs);
10925 regs = &fixed_regs;
10927 diff -urNp linux-2.6.38.1/arch/x86/kernel/doublefault_32.c linux-2.6.38.1/arch/x86/kernel/doublefault_32.c
10928 --- linux-2.6.38.1/arch/x86/kernel/doublefault_32.c 2011-03-14 21:20:32.000000000 -0400
10929 +++ linux-2.6.38.1/arch/x86/kernel/doublefault_32.c 2011-03-21 18:31:35.000000000 -0400
10932 #define DOUBLEFAULT_STACKSIZE (1024)
10933 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10934 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10935 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10937 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
10939 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10940 unsigned long gdt, tss;
10942 store_gdt(&gdt_desc);
10943 - gdt = gdt_desc.address;
10944 + gdt = (unsigned long)gdt_desc.address;
10946 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10948 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10949 /* 0x2 bit is always set */
10950 .flags = X86_EFLAGS_SF | 0x2,
10953 + .es = __KERNEL_DS,
10957 + .ds = __KERNEL_DS,
10958 .fs = __KERNEL_PERCPU,
10960 .__cr3 = __pa_nodebug(swapper_pg_dir),
10961 diff -urNp linux-2.6.38.1/arch/x86/kernel/dumpstack_32.c linux-2.6.38.1/arch/x86/kernel/dumpstack_32.c
10962 --- linux-2.6.38.1/arch/x86/kernel/dumpstack_32.c 2011-03-14 21:20:32.000000000 -0400
10963 +++ linux-2.6.38.1/arch/x86/kernel/dumpstack_32.c 2011-03-21 18:31:35.000000000 -0400
10964 @@ -95,21 +95,22 @@ void show_registers(struct pt_regs *regs
10965 * When in-kernel, we also print out the stack and code at the
10966 * time of the fault..
10968 - if (!user_mode_vm(regs)) {
10969 + if (!user_mode(regs)) {
10970 unsigned int code_prologue = code_bytes * 43 / 64;
10971 unsigned int code_len = code_bytes;
10974 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10976 printk(KERN_EMERG "Stack:\n");
10977 show_stack_log_lvl(NULL, regs, ®s->sp, KERN_EMERG);
10979 printk(KERN_EMERG "Code: ");
10981 - ip = (u8 *)regs->ip - code_prologue;
10982 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10983 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10984 /* try starting at IP */
10985 - ip = (u8 *)regs->ip;
10986 + ip = (u8 *)regs->ip + cs_base;
10987 code_len = code_len - code_prologue + 1;
10989 for (i = 0; i < code_len; i++, ip++) {
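Review bot: The new `cs_base` line (10974) packs the selector-to-index conversion, the per-CPU GDT lookup and `get_desc_base()` into one uncommented expression, and it silently assumes `regs->cs` is a GDT selector: `(0xffff & regs->cs) >> 3` discards the TI bit, so an LDT selector would index the GDT with the LDT index. That should hold here because the block is guarded by `!user_mode(regs)`, but the assumption belongs in the code, e.g. `unsigned int cs_idx = (regs->cs & 0xffff) >> 3; /* kernel-mode CS is a GDT selector (TI clear) */` followed by `unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[cs_idx]);`. The `+ cs_base` adjustments at lines 10982/10986 and in the next hunk (@@ -118,7 +119,7) then read as intended; show_registers() continues outside the hunk.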
10990 @@ -118,7 +119,7 @@ void show_registers(struct pt_regs *regs
10991 printk(" Bad EIP value.");
10994 - if (ip == (u8 *)regs->ip)
10995 + if (ip == (u8 *)regs->ip + cs_base)
10996 printk("<%02x> ", c);
10998 printk("%02x ", c);
10999 @@ -131,6 +132,7 @@ int is_valid_bugaddr(unsigned long ip)
11001 unsigned short ud2;
11003 + ip = ktla_ktva(ip);
11004 if (ip < PAGE_OFFSET)
11006 if (probe_kernel_address((unsigned short *)ip, ud2))
11007 diff -urNp linux-2.6.38.1/arch/x86/kernel/dumpstack.c linux-2.6.38.1/arch/x86/kernel/dumpstack.c
11008 --- linux-2.6.38.1/arch/x86/kernel/dumpstack.c 2011-03-14 21:20:32.000000000 -0400
11009 +++ linux-2.6.38.1/arch/x86/kernel/dumpstack.c 2011-03-21 18:31:35.000000000 -0400
11011 * Copyright (C) 1991, 1992 Linus Torvalds
11012 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11014 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11015 +#define __INCLUDED_BY_HIDESYM 1
11017 #include <linux/kallsyms.h>
11018 #include <linux/kprobes.h>
11019 #include <linux/uaccess.h>
11020 @@ -27,7 +30,7 @@ static int die_counter;
11022 void printk_address(unsigned long address, int reliable)
11024 - printk(" [<%p>] %s%pS\n", (void *) address,
11025 + printk(" [<%p>] %s%pA\n", (void *) address,
11026 reliable ? "" : "? ", (void *) address);
11029 @@ -200,7 +203,7 @@ void dump_stack(void)
11030 unsigned long stack;
11032 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11033 - current->pid, current->comm, current->xid, print_tainted(),
11034 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
11035 init_utsname()->release,
11036 (int)strcspn(init_utsname()->version, " "),
11037 init_utsname()->version);
11038 @@ -257,7 +260,7 @@ void __kprobes oops_end(unsigned long fl
11039 panic("Fatal exception in interrupt");
11041 panic("Fatal exception");
11043 + do_group_exit(signr);
11046 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11047 @@ -284,7 +287,7 @@ int __kprobes __die(const char *str, str
11049 show_registers(regs);
11050 #ifdef CONFIG_X86_32
11051 - if (user_mode_vm(regs)) {
11052 + if (user_mode(regs)) {
11054 ss = regs->ss & 0xffff;
11056 @@ -312,7 +315,7 @@ void die(const char *str, struct pt_regs
11057 unsigned long flags = oops_begin();
11060 - if (!user_mode_vm(regs))
11061 + if (!user_mode(regs))
11062 report_bug(regs->ip, regs);
11064 if (__die(str, regs, err))
11065 diff -urNp linux-2.6.38.1/arch/x86/kernel/entry_32.S linux-2.6.38.1/arch/x86/kernel/entry_32.S
11066 --- linux-2.6.38.1/arch/x86/kernel/entry_32.S 2011-03-14 21:20:32.000000000 -0400
11067 +++ linux-2.6.38.1/arch/x86/kernel/entry_32.S 2011-03-21 18:31:35.000000000 -0400
11068 @@ -183,13 +183,81 @@
11069 /*CFI_REL_OFFSET gs, PT_GS*/
11071 .macro SET_KERNEL_GS reg
11073 +#ifdef CONFIG_CC_STACKPROTECTOR
11074 movl $(__KERNEL_STACK_CANARY), \reg
11075 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11076 + movl $(__USER_DS), \reg
11084 #endif /* CONFIG_X86_32_LAZY_GS */
11087 +.macro PAX_EXIT_KERNEL
11088 +#ifdef CONFIG_PAX_KERNEXEC
11089 +#ifdef CONFIG_PARAVIRT
11090 + push %eax; push %ecx
11093 + cmp $__KERNEXEC_KERNEL_CS, %esi
11095 +#ifdef CONFIG_PARAVIRT
11096 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11102 + ljmp $__KERNEL_CS, $1f
11104 +#ifdef CONFIG_PARAVIRT
11106 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11111 +#ifdef CONFIG_PARAVIRT
11112 + pop %ecx; pop %eax
11117 +.macro PAX_ENTER_KERNEL
11118 +#ifdef CONFIG_PAX_KERNEXEC
11119 +#ifdef CONFIG_PARAVIRT
11120 + push %eax; push %ecx
11121 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11129 + cmp $__KERNEL_CS, %esi
11131 + ljmp $__KERNEL_CS, $3f
11132 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11134 +#ifdef CONFIG_PARAVIRT
11136 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11141 +#ifdef CONFIG_PARAVIRT
11142 + pop %ecx; pop %eax
11147 +.macro __SAVE_ALL _DS
11151 @@ -212,7 +280,7 @@
11152 CFI_REL_OFFSET ecx, 0
11154 CFI_REL_OFFSET ebx, 0
11155 - movl $(__USER_DS), %edx
11159 movl $(__KERNEL_PERCPU), %edx
11160 @@ -220,6 +288,15 @@
11165 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11166 + __SAVE_ALL __KERNEL_DS
11169 + __SAVE_ALL __USER_DS
11173 .macro RESTORE_INT_REGS
11176 @@ -330,7 +407,15 @@ check_userspace:
11177 movb PT_CS(%esp), %al
11178 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11179 cmpl $USER_RPL, %eax
11181 +#ifdef CONFIG_PAX_KERNEXEC
11182 + jae resume_userspace
11185 + jmp resume_kernel
11187 jb resume_kernel # not returning to v8086 or userspace
11190 ENTRY(resume_userspace)
11192 @@ -392,10 +477,9 @@ sysenter_past_esp:
11193 /*CFI_REL_OFFSET cs, 0*/
11195 * Push current_thread_info()->sysenter_return to the stack.
11196 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11197 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11199 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE_asm+8+4*4)(%esp)
11200 + GET_THREAD_INFO(%ebp)
11201 + pushl_cfi TI_sysenter_return(%ebp)
11202 CFI_REL_OFFSET eip, 0
11205 @@ -406,9 +490,19 @@ sysenter_past_esp:
11206 * Load the potential sixth argument from user stack.
11207 * Careful about security.
11209 + movl PT_OLDESP(%esp),%ebp
11211 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11212 + mov PT_OLDSS(%esp),%ds
11213 +1: movl %ds:(%ebp),%ebp
11217 cmpl $__PAGE_OFFSET-3,%ebp
11219 1: movl (%ebp),%ebp
11222 movl %ebp,PT_EBP(%esp)
11223 .section __ex_table,"a"
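Review bot: The UDEREF branch loads `%ds` from `PT_OLDSS(%esp)` (line 11212) before the guarded user-stack read at label `1:`, and that segment load itself has no `__ex_table` fixup. As far as I can tell it is safe only because the SS slot of this frame is the constant `__USER_DS` pushed earlier in sysenter_past_esp rather than a user-supplied selector, and the existing "Careful about security" comment invites exactly that question; a comment on the load, `# PT_OLDSS is the __USER_DS pushed above, not user data: this load cannot fault`, would record it, and the later `2: mov PT_DS(%esp), %ds` restore (@@ -431,12) is where DS gets its value back. Both the UDEREF and non-UDEREF branches define local label `1:` for the fixup entry, so the `.long 1b` (outside this view) binds to whichever branch was assembled, which is also worth a word. The enclosing code continues outside the hunk.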
11225 @@ -431,12 +525,23 @@ sysenter_do_call:
11226 testl $_TIF_ALLWORK_MASK, %ecx
11230 +#ifdef CONFIG_PAX_RANDKSTACK
11232 + CFI_ADJUST_CFA_OFFSET 4
11233 + call pax_randomize_kstack
11235 + CFI_ADJUST_CFA_OFFSET -4
11238 /* if something modifies registers it must also disable sysexit */
11239 movl PT_EIP(%esp), %edx
11240 movl PT_OLDESP(%esp), %ecx
11243 1: mov PT_FS(%esp), %fs
11244 +2: mov PT_DS(%esp), %ds
11245 +3: mov PT_ES(%esp), %es
11247 ENABLE_INTERRUPTS_SYSEXIT
11249 @@ -479,11 +584,17 @@ sysexit_audit:
11252 .pushsection .fixup,"ax"
11253 -2: movl $0,PT_FS(%esp)
11254 +4: movl $0,PT_FS(%esp)
11256 +5: movl $0,PT_DS(%esp)
11258 +6: movl $0,PT_ES(%esp)
11260 .section __ex_table,"a"
11268 ENDPROC(ia32_sysenter_target)
11269 @@ -516,6 +627,10 @@ syscall_exit:
11270 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11271 jne syscall_exit_work
11273 +#ifdef CONFIG_PAX_RANDKSTACK
11274 + call pax_randomize_kstack
11279 restore_all_notrace:
11280 @@ -575,14 +690,21 @@ ldt_ss:
11281 * compensating for the offset by changing to the ESPFIX segment with
11282 * a base address that matches for the difference.
11284 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11285 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11286 mov %esp, %edx /* load kernel esp */
11287 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11288 mov %dx, %ax /* eax: new kernel esp */
11289 sub %eax, %edx /* offset (low word is 0) */
11291 + movl PER_CPU_VAR(cpu_number), %ebx
11292 + shll $PAGE_SHIFT_asm, %ebx
11293 + addl $cpu_gdt_table, %ebx
11295 + movl $cpu_gdt_table, %ebx
11298 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11299 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11300 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11301 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11302 pushl_cfi $__ESPFIX_SS
11303 pushl_cfi %eax /* new kernel esp */
11304 /* Disable interrupts, but do not irqtrace this section: we
11305 @@ -617,23 +739,17 @@ work_resched:
11307 work_notifysig: # deal with pending signals and
11308 # notify-resume requests
11311 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11313 - jne work_notifysig_v86 # returning to kernel-space or
11314 + jz 1f # returning to kernel-space or
11317 - call do_notify_resume
11318 - jmp resume_userspace_sig
11321 -work_notifysig_v86:
11322 pushl_cfi %ecx # save ti_flags for do_notify_resume
11323 call save_v86_state # %eax contains pt_regs pointer
11331 call do_notify_resume
11332 @@ -668,6 +784,10 @@ END(syscall_exit_work)
11334 RING0_INT_FRAME # can't unwind into user space anyway
11336 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11340 GET_THREAD_INFO(%ebp)
11341 movl $-EFAULT,PT_EAX(%esp)
11342 jmp resume_userspace
11343 @@ -750,6 +870,36 @@ ptregs_clone:
11345 ENDPROC(ptregs_clone)
11348 +ENTRY(kernel_execve)
11351 + sub $PT_OLDSS+4,%esp
11355 + lea 3*4(%esp),%edi
11356 + mov $PT_OLDSS/4+1,%ecx
11362 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
11366 + CFI_ADJUST_CFA_OFFSET -4
11367 + GET_THREAD_INFO(%ebp)
11370 + add $PT_OLDSS+4,%esp
11371 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
11375 +ENDPROC(kernel_execve)
11377 .macro FIXUP_ESPFIX_STACK
11379 * Switch back for ESPFIX stack to the normal zerobased stack
11380 @@ -759,8 +909,15 @@ ENDPROC(ptregs_clone)
11381 * normal stack and adjusts ESP with the matching offset.
11383 /* fixup the stack */
11384 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11385 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11387 + movl PER_CPU_VAR(cpu_number), %ebx
11388 + shll $PAGE_SHIFT_asm, %ebx
11389 + addl $cpu_gdt_table, %ebx
11391 + movl $cpu_gdt_table, %ebx
11393 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11394 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11396 addl %esp, %eax /* the adjusted stack pointer */
11397 pushl_cfi $__KERNEL_DS
11398 @@ -1211,7 +1368,6 @@ return_to_handler:
11402 -.section .rodata,"a"
11403 #include "syscall_table_32.S"
11405 syscall_table_size=(.-sys_call_table)
11406 @@ -1257,9 +1413,12 @@ error_code:
11407 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11410 - movl $(__USER_DS), %ecx
11411 + movl $(__KERNEL_DS), %ecx
11418 movl %esp,%eax # pt_regs pointer
11420 @@ -1344,6 +1503,9 @@ nmi_stack_correct:
11421 xorl %edx,%edx # zero error code
11422 movl %esp,%eax # pt_regs pointer
11427 jmp restore_all_notrace
11430 @@ -1380,6 +1542,9 @@ nmi_espfix_stack:
11431 FIXUP_ESPFIX_STACK # %eax == %esp
11432 xorl %edx,%edx # zero error code
11438 lss 12+4(%esp), %esp # back to espfix stack
11439 CFI_ADJUST_CFA_OFFSET -24
11440 diff -urNp linux-2.6.38.1/arch/x86/kernel/entry_64.S linux-2.6.38.1/arch/x86/kernel/entry_64.S
11441 --- linux-2.6.38.1/arch/x86/kernel/entry_64.S 2011-03-23 17:20:06.000000000 -0400
11442 +++ linux-2.6.38.1/arch/x86/kernel/entry_64.S 2011-03-23 17:21:49.000000000 -0400
11444 #include <asm/paravirt.h>
11445 #include <asm/ftrace.h>
11446 #include <asm/percpu.h>
11447 +#include <asm/pgtable.h>
11449 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11450 #include <linux/elf-em.h>
11451 @@ -174,6 +175,201 @@ ENTRY(native_usergs_sysret64)
11452 ENDPROC(native_usergs_sysret64)
11453 #endif /* CONFIG_PARAVIRT */
11455 + .macro ljmpq sel, off
11456 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11457 + .byte 0x48; ljmp *1234f(%rip)
11458 + .pushsection .rodata
11460 + 1234: .quad \off; .word \sel
11469 + .macro pax_enter_kernel
11470 +#ifdef CONFIG_PAX_KERNEXEC
11471 + call pax_enter_kernel
11475 + .macro pax_exit_kernel
11476 +#ifdef CONFIG_PAX_KERNEXEC
11477 + call pax_exit_kernel
11481 +#ifdef CONFIG_PAX_KERNEXEC
11482 +ENTRY(pax_enter_kernel)
11485 +#ifdef CONFIG_PARAVIRT
11486 + PV_SAVE_REGS(CLBR_RDI)
11493 + cmp $__KERNEL_CS,%edi
11495 + ljmpq __KERNEL_CS,3f
11496 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11497 +2: SET_RDI_INTO_CR0
11500 +#ifdef CONFIG_PARAVIRT
11501 + PV_RESTORE_REGS(CLBR_RDI)
11506 +ENDPROC(pax_enter_kernel)
11508 +ENTRY(pax_exit_kernel)
11511 +#ifdef CONFIG_PARAVIRT
11512 + PV_SAVE_REGS(CLBR_RDI)
11516 + cmp $__KERNEXEC_KERNEL_CS,%edi
11520 + ljmpq __KERNEL_CS,1f
11521 +1: SET_RDI_INTO_CR0
11524 +#ifdef CONFIG_PARAVIRT
11525 + PV_RESTORE_REGS(CLBR_RDI);
11530 +ENDPROC(pax_exit_kernel)
11533 + .macro pax_enter_kernel_user
11534 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11535 + call pax_enter_kernel_user
11539 + .macro pax_exit_kernel_user
11540 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11541 + call pax_exit_kernel_user
11545 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11546 +ENTRY(pax_enter_kernel_user)
11550 +#ifdef CONFIG_PARAVIRT
11551 + PV_SAVE_REGS(CLBR_RDI)
11556 + add $__START_KERNEL_map,%rbx
11557 + sub phys_base(%rip),%rbx
11559 +#ifdef CONFIG_PARAVIRT
11561 + cmpl $0, pv_info+PARAVIRT_enabled
11564 + .rept USER_PGD_PTRS
11565 + mov i*8(%rbx),%rsi
11567 + lea i*8(%rbx),%rdi
11568 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11576 + .rept USER_PGD_PTRS
11577 + movb $0,i*8(%rbx)
11581 +#ifdef CONFIG_PARAVIRT
11586 +#ifdef CONFIG_PAX_KERNEXEC
11592 +#ifdef CONFIG_PARAVIRT
11593 + PV_RESTORE_REGS(CLBR_RDI)
11599 +ENDPROC(pax_enter_kernel_user)
11601 +ENTRY(pax_exit_kernel_user)
11604 +#ifdef CONFIG_PARAVIRT
11606 + PV_SAVE_REGS(CLBR_RDI)
11609 +#ifdef CONFIG_PAX_KERNEXEC
11616 + add $__START_KERNEL_map,%rdi
11617 + sub phys_base(%rip),%rdi
11619 +#ifdef CONFIG_PARAVIRT
11620 + cmpl $0, pv_info+PARAVIRT_enabled
11624 + .rept USER_PGD_PTRS
11625 + mov i*8(%rbx),%rsi
11627 + lea i*8(%rbx),%rdi
11628 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11636 + .rept USER_PGD_PTRS
11637 + movb $0x67,i*8(%rdi)
11641 +#ifdef CONFIG_PARAVIRT
11642 +2: PV_RESTORE_REGS(CLBR_RDI)
11648 +ENDPROC(pax_exit_kernel_user)
11651 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11652 #ifdef CONFIG_TRACE_IRQFLAGS
11653 @@ -316,7 +512,7 @@ ENTRY(save_args)
11654 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
11655 movq_cfi rbp, 8 /* push %rbp */
11656 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11657 - testl $3, CS(%rdi)
11658 + testb $3, CS(%rdi)
11662 @@ -407,7 +603,7 @@ ENTRY(ret_from_fork)
11666 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11667 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11668 je int_ret_from_sys_call
11670 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11671 @@ -466,6 +662,7 @@ ENTRY(system_call_after_swapgs)
11673 movq %rsp,PER_CPU_VAR(old_rsp)
11674 movq PER_CPU_VAR(kernel_stack),%rsp
11675 + pax_enter_kernel_user
11677 * No need to follow this irqs off/on section - it's straight
11679 @@ -500,6 +697,7 @@ sysret_check:
11683 + pax_exit_kernel_user
11685 * sysretq will re-enable interrupts:
11687 @@ -609,7 +807,7 @@ tracesys:
11688 GLOBAL(int_ret_from_sys_call)
11689 DISABLE_INTERRUPTS(CLBR_NONE)
11691 - testl $3,CS-ARGOFFSET(%rsp)
11692 + testb $3,CS-ARGOFFSET(%rsp)
11693 je retint_restore_args
11694 movl $_TIF_ALLWORK_MASK,%edi
11695 /* edi: mask to check */
11696 @@ -791,6 +989,16 @@ END(interrupt)
11697 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
11700 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11701 + testb $3, CS(%rdi)
11705 +1: pax_enter_kernel_user
11713 @@ -823,7 +1031,7 @@ ret_from_intr:
11714 CFI_ADJUST_CFA_OFFSET -8
11716 GET_THREAD_INFO(%rcx)
11717 - testl $3,CS-ARGOFFSET(%rsp)
11718 + testb $3,CS-ARGOFFSET(%rsp)
11721 /* Interrupt came from user space */
11722 @@ -845,12 +1053,14 @@ retint_swapgs: /* return to user-space
11723 * The iretq could re-enable interrupts:
11725 DISABLE_INTERRUPTS(CLBR_ANY)
11726 + pax_exit_kernel_user
11731 retint_restore_args: /* return to kernel space */
11732 DISABLE_INTERRUPTS(CLBR_ANY)
11735 * The iretq could re-enable interrupts:
11737 @@ -1022,6 +1232,16 @@ ENTRY(\sym)
11738 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11741 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11742 + testb $3, CS(%rsp)
11746 +1: pax_enter_kernel_user
11751 movq %rsp,%rdi /* pt_regs pointer */
11752 xorl %esi,%esi /* no error code */
11754 @@ -1039,6 +1259,16 @@ ENTRY(\sym)
11755 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11758 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11759 + testb $3, CS(%rsp)
11763 +1: pax_enter_kernel_user
11768 movq %rsp,%rdi /* pt_regs pointer */
11769 xorl %esi,%esi /* no error code */
11771 @@ -1047,7 +1277,7 @@ ENTRY(\sym)
11775 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
11776 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
11777 .macro paranoidzeroentry_ist sym do_sym ist
11780 @@ -1057,8 +1287,24 @@ ENTRY(\sym)
11781 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11784 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11785 + testb $3, CS(%rsp)
11789 +1: pax_enter_kernel_user
11794 movq %rsp,%rdi /* pt_regs pointer */
11795 xorl %esi,%esi /* no error code */
11797 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11798 + lea init_tss(%r12), %r12
11800 + lea init_tss(%rip), %r12
11802 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
11804 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
11805 @@ -1075,6 +1321,16 @@ ENTRY(\sym)
11806 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11809 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11810 + testb $3, CS(%rsp)
11814 +1: pax_enter_kernel_user
11819 movq %rsp,%rdi /* pt_regs pointer */
11820 movq ORIG_RAX(%rsp),%rsi /* get error code */
11821 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11822 @@ -1094,6 +1350,16 @@ ENTRY(\sym)
11826 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11827 + testb $3, CS(%rsp)
11831 +1: pax_enter_kernel_user
11836 movq %rsp,%rdi /* pt_regs pointer */
11837 movq ORIG_RAX(%rsp),%rsi /* get error code */
11838 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11839 @@ -1356,14 +1622,27 @@ ENTRY(paranoid_exit)
11841 testl %ebx,%ebx /* swapgs needed? */
11842 jnz paranoid_restore
11843 - testl $3,CS(%rsp)
11844 + testb $3,CS(%rsp)
11845 jnz paranoid_userspace
11846 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11848 + TRACE_IRQS_IRETQ 0
11849 + SWAPGS_UNSAFE_STACK
11854 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11855 + pax_exit_kernel_user
11860 SWAPGS_UNSAFE_STACK
11868 @@ -1421,7 +1700,7 @@ ENTRY(error_entry)
11869 movq_cfi r14, R14+8
11870 movq_cfi r15, R15+8
11872 - testl $3,CS+8(%rsp)
11873 + testb $3,CS+8(%rsp)
11874 je error_kernelspace
11877 @@ -1485,6 +1764,16 @@ ENTRY(nmi)
11878 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11881 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11882 + testb $3, CS(%rsp)
11886 +1: pax_enter_kernel_user
11891 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11894 @@ -1495,11 +1784,25 @@ ENTRY(nmi)
11895 DISABLE_INTERRUPTS(CLBR_NONE)
11896 testl %ebx,%ebx /* swapgs needed? */
11898 - testl $3,CS(%rsp)
11899 + testb $3,CS(%rsp)
11901 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11903 + SWAPGS_UNSAFE_STACK
11908 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11909 + pax_exit_kernel_user
11913 SWAPGS_UNSAFE_STACK
11921 diff -urNp linux-2.6.38.1/arch/x86/kernel/ftrace.c linux-2.6.38.1/arch/x86/kernel/ftrace.c
11922 --- linux-2.6.38.1/arch/x86/kernel/ftrace.c 2011-03-14 21:20:32.000000000 -0400
11923 +++ linux-2.6.38.1/arch/x86/kernel/ftrace.c 2011-03-21 18:31:35.000000000 -0400
11924 @@ -177,7 +177,9 @@ void ftrace_nmi_enter(void)
11926 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11928 + pax_open_kernel();
11930 + pax_close_kernel();
11931 atomic_inc(&nmi_update_count);
11933 /* Must have previous changes seen before executions */
11934 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
11936 unsigned char replaced[MCOUNT_INSN_SIZE];
11938 + ip = ktla_ktva(ip);
11941 * Note: Due to modules and __init, code can
11942 * disappear and change, we need to protect against faulting
11943 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11944 unsigned char old[MCOUNT_INSN_SIZE], *new;
11947 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11948 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11949 new = ftrace_call_replace(ip, (unsigned long)func);
11950 ret = ftrace_modify_code(ip, old, new);
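Review bot: The `memcpy` source is translated with `ktla_ktva()` explicitly (line 11948) while `ip` is left as the executing address and is translated inside ftrace_modify_code() instead (line 11938 in the previous hunk); the split is correct, since ftrace_call_replace() presumably encodes a relative call and so needs the executing address, but nothing says so and the asymmetry reads like an omission. Suggested comment above the memcpy: `/* read the current bytes via the writable alias; ip stays the executing address because ftrace_call_replace() encodes a relative call and ftrace_modify_code() translates ip itself */`. The same note applies to the `ip = ktla_ktva(ip)` added in ftrace_mod_jmp (@@ -353,6 +357,8). ftrace_update_ftrace_func() continues outside the hunk.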
11952 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
11954 unsigned char code[MCOUNT_INSN_SIZE];
11956 + ip = ktla_ktva(ip);
11958 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11961 diff -urNp linux-2.6.38.1/arch/x86/kernel/head32.c linux-2.6.38.1/arch/x86/kernel/head32.c
11962 --- linux-2.6.38.1/arch/x86/kernel/head32.c 2011-03-14 21:20:32.000000000 -0400
11963 +++ linux-2.6.38.1/arch/x86/kernel/head32.c 2011-03-21 18:31:35.000000000 -0400
11965 #include <asm/io_apic.h>
11966 #include <asm/bios_ebda.h>
11967 #include <asm/tlbflush.h>
11968 +#include <asm/boot.h>
11970 static void __init i386_default_early_setup(void)
11972 @@ -43,7 +44,7 @@ void __init i386_start_kernel(void)
11973 memblock_x86_reserve_range(PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE");
11976 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11977 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11979 #ifdef CONFIG_BLK_DEV_INITRD
11980 /* Reserve INITRD */
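Review bot: The reservation now starts at `LOAD_PHYSICAL_ADDR` instead of `__pa_symbol(&_text)` (line 11977) with no comment on why the two differ; from the head_32.S part of this patch it appears KERNEXEC places an int3-filled page ahead of the first text, so reserving from `_text` would leave that page unreserved. A one-line comment keeps that coupling visible: `/* with CONFIG_PAX_KERNEXEC the image starts before _text (int3 guard page, see head_32.S), so reserve from the load address */`. Since the change is not under an #ifdef, saying whether non-KERNEXEC builds are expected to reserve the same range would also answer the obvious review question. i386_start_kernel() continues outside the hunk.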
11981 diff -urNp linux-2.6.38.1/arch/x86/kernel/head_32.S linux-2.6.38.1/arch/x86/kernel/head_32.S
11982 --- linux-2.6.38.1/arch/x86/kernel/head_32.S 2011-03-14 21:20:32.000000000 -0400
11983 +++ linux-2.6.38.1/arch/x86/kernel/head_32.S 2011-03-21 18:31:35.000000000 -0400
11985 /* Physical address */
11986 #define pa(X) ((X) - __PAGE_OFFSET)
11988 +#ifdef CONFIG_PAX_KERNEXEC
11991 +#define ta(X) ((X) - __PAGE_OFFSET)
11995 * References to members of the new_cpu_data structure.
11998 * and small than max_low_pfn, otherwise will waste some page table entries
12001 -#if PTRS_PER_PMD > 1
12002 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
12004 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
12006 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
12008 /* Number of possible pages in the lowmem region */
12009 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
12010 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
12011 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12014 + * Real beginning of normal "text" segment
12020 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12021 * %esi points to the real-mode code as a 32-bit pointer.
12022 * CS and DS must be 4 GB flat segments, but we don't depend on
12023 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12028 +#ifdef CONFIG_PAX_KERNEXEC
12030 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12031 +.fill PAGE_SIZE-5,1,0xcc
12035 movl pa(stack_start),%ecx
12037 @@ -105,6 +120,57 @@ ENTRY(startup_32)
12039 leal -__PAGE_OFFSET(%ecx),%esp
12042 + movl $pa(cpu_gdt_table),%edi
12043 + movl $__per_cpu_load,%eax
12044 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12046 + movb %al,__KERNEL_PERCPU + 4(%edi)
12047 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12048 + movl $__per_cpu_end - 1,%eax
12049 + subl $__per_cpu_start,%eax
12050 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12053 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12054 + movl $NR_CPUS,%ecx
12055 + movl $pa(cpu_gdt_table),%edi
12057 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12058 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
12059 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
12060 + addl $PAGE_SIZE_asm,%edi
12064 +#ifdef CONFIG_PAX_KERNEXEC
12065 + movl $pa(boot_gdt),%edi
12066 + movl $__LOAD_PHYSICAL_ADDR,%eax
12067 + movw %ax,__BOOT_CS + 2(%edi)
12069 + movb %al,__BOOT_CS + 4(%edi)
12070 + movb %ah,__BOOT_CS + 7(%edi)
12073 + ljmp $(__BOOT_CS),$1f
12076 + movl $NR_CPUS,%ecx
12077 + movl $pa(cpu_gdt_table),%edi
12078 + addl $__PAGE_OFFSET,%eax
12080 + movw %ax,__KERNEL_CS + 2(%edi)
12081 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12083 + movb %al,__KERNEL_CS + 4(%edi)
12084 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12085 + movb %ah,__KERNEL_CS + 7(%edi)
12086 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12088 + addl $PAGE_SIZE_asm,%edi
12093 * Clear BSS first so that there are no surprises...
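Review bot: The three descriptor words at lines 12057-12059 (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`) and the `((__PAGE_OFFSET-1) & 0xf0000000) >> 12` limit nibble carry no comment; as far as I can decode them they build a present, G=1/D=1, expand-down writable kernel data segment and DPL3 user code/data segments whose limits are cut at __PAGE_OFFSET, i.e. the UDEREF split where kernel DS covers only kernel space and user CS/DS only user space. A comment naming the fields, e.g. `# UDEREF: kernel DS expand-down above __PAGE_OFFSET, user CS/DS limited to below it (access 0x97/0xfb/0xf3, limit[16..19] from __PAGE_OFFSET)`, would make the intent checkable against the descriptor layout. The base patching for `__KERNEL_PERCPU`, `__BOOT_CS`, `__KERNEL_CS` and `__KERNEXEC_KERNEL_CS` also splits a 32-bit base across offsets +2, +4 and +7 by hand in three places, which a small assembler macro would de-duplicate. startup_32 continues outside the hunk and the loop control for the `$NR_CPUS` GDT walk is not visible here.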
12095 @@ -195,8 +261,11 @@ ENTRY(startup_32)
12096 movl %eax, pa(max_pfn_mapped)
12098 /* Do early initialization of the fixmap area */
12099 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12100 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
12101 +#ifdef CONFIG_COMPAT_VDSO
12102 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
12104 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
12106 #else /* Not PAE */
12108 page_pde_offset = (__PAGE_OFFSET >> 20);
12109 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12110 movl %eax, pa(max_pfn_mapped)
12112 /* Do early initialization of the fixmap area */
12113 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12114 - movl %eax,pa(initial_page_table+0xffc)
12115 +#ifdef CONFIG_COMPAT_VDSO
12116 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
12118 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
12122 #ifdef CONFIG_PARAVIRT
12123 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12124 cmpl $num_subarch_entries, %eax
12127 - movl pa(subarch_entries)(,%eax,4), %eax
12128 - subl $__PAGE_OFFSET, %eax
12130 + jmp *pa(subarch_entries)(,%eax,4)
12134 @@ -255,10 +325,10 @@ WEAK(xen_entry)
12138 - .long default_entry /* normal x86/PC */
12139 - .long lguest_entry /* lguest hypervisor */
12140 - .long xen_entry /* Xen hypervisor */
12141 - .long default_entry /* Moorestown MID */
12142 + .long pa(default_entry) /* normal x86/PC */
12143 + .long pa(lguest_entry) /* lguest hypervisor */
12144 + .long pa(xen_entry) /* Xen hypervisor */
12145 + .long pa(default_entry) /* Moorestown MID */
12146 num_subarch_entries = (. - subarch_entries) / 4
12149 @@ -312,6 +382,7 @@ default_entry:
12153 +#ifdef CONFIG_X86_PAE
12154 testb $X86_CR4_PAE, %al # check if PAE is enabled
12157 @@ -340,6 +411,9 @@ default_entry:
12158 /* Make changes effective */
12161 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
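Review bot: `btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)` silently encodes that the NX bit sits in the upper dword of the 64-bit PAE pte mask; the `-32` and `+4` deserve a comment, e.g. `# NX is bit 63: set it in the high dword of the 64-bit __supported_pte_mask`. The branch that guards this store on the CPU actually reporting NX is not in the visible lines, so confirm it is only reached on that path.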
12167 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
12168 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12169 movl %eax,%ss # after changing gdt.
12171 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12172 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
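Review bot: The new line is a commented-out instruction, which reads as dead code rather than documentation; `%eax` still holds `__KERNEL_DS` from the `1:` label two lines up, and the segment loads that presumably follow (not visible here) now rely on that. Replace it with a plain comment, e.g. `# %eax still holds __KERNEL_DS: DS/ES get the kernel data segment too`, so the dependency on the earlier load is explicit instead of implied by a disabled `movl`.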
12176 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
12180 - movl $gdt_page,%eax
12181 + movl $cpu_gdt_table,%eax
12182 movl $stack_canary,%ecx
12184 + addl $__per_cpu_load,%ecx
12186 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12188 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12189 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
12192 movl $(__KERNEL_STACK_CANARY),%eax
12193 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12194 + movl $(__USER_DS),%eax
12200 xorl %eax,%eax # Clear LDT
12201 @@ -558,22 +639,22 @@ early_page_fault:
12206 #ifdef CONFIG_PRINTK
12207 + cmpl $1,%ss:early_recursion_flag
12209 + incl %ss:early_recursion_flag
12212 movl $(__KERNEL_DS),%eax
12215 - cmpl $2,early_recursion_flag
12217 - incl early_recursion_flag
12220 pushl %edx /* trapno */
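Review bot: The recursion check now addresses `early_recursion_flag` with an explicit `%ss:` override and runs before `%ds` is reloaded with `__KERNEL_DS`, but neither fact is explained; suggest `# %ds is not trustworthy yet, reach the flag through %ss` above the `cmpl`. Separately, the limit changed from `$2` to `$1` here while the ignore_int hunk below keeps `cmpl $2`, so the two early handlers now tolerate different recursion depths; if that asymmetry is intended, say so next to each compare.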
12229 @@ -581,8 +662,11 @@ hlt_loop:
12230 /* This is the default interrupt "handler" :-) */
12234 #ifdef CONFIG_PRINTK
12235 + cmpl $2,%ss:early_recursion_flag
12237 + incl %ss:early_recursion_flag
12242 @@ -591,9 +675,6 @@ ignore_int:
12243 movl $(__KERNEL_DS),%eax
12246 - cmpl $2,early_recursion_flag
12248 - incl early_recursion_flag
12252 @@ -622,29 +703,43 @@ ENTRY(initial_code)
12256 -__PAGE_ALIGNED_BSS
12257 - .align PAGE_SIZE_asm
12258 #ifdef CONFIG_X86_PAE
12259 +.section .initial_pg_pmd,"a",@progbits
12261 .fill 1024*KPMDS,4,0
12263 +.section .initial_page_table,"a",@progbits
12264 ENTRY(initial_page_table)
12267 +.section .initial_pg_fixmap,"a",@progbits
12270 +.section .empty_zero_page,"a",@progbits
12271 ENTRY(empty_zero_page)
12273 +.section .swapper_pg_dir,"a",@progbits
12274 ENTRY(swapper_pg_dir)
12275 +#ifdef CONFIG_X86_PAE
12282 + * The IDT has to be page-aligned to simplify the Pentium
12283 + * F0 0F bug workaround.. We have a special link segment
12286 +.section .idt,"a",@progbits
12291 * This starts the data section.
12293 #ifdef CONFIG_X86_PAE
12294 -__PAGE_ALIGNED_DATA
12295 - /* Page-aligned for the benefit of paravirt? */
12296 - .align PAGE_SIZE_asm
12297 +.section .initial_page_table,"a",@progbits
12298 ENTRY(initial_page_table)
12299 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
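Review bot: The early page tables, `empty_zero_page`, `swapper_pg_dir` and the IDT move from `__PAGE_ALIGNED_BSS`/`__PAGE_ALIGNED_DATA` into dedicated `.section NAME,"a",@progbits` sections, which only works if the linker script places and page-aligns each of them; that side of the change is not in this file. The flags also drop `w` and switch from `@nobits` to `@progbits`, so these pages are now carried in the image and are not marked writable at the section level even though the boot code fills them in. A short comment above the first `.section` naming the linker-script counterpart and noting that write access comes from the page mappings, not the section flags, would save the next reader a search.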
12301 @@ -663,13 +758,22 @@ ENTRY(initial_page_table)
12302 # error "Kernel PMDs should be 1, 2 or 3"
12304 .align PAGE_SIZE_asm /* needs to be page-sized too */
12306 +#ifdef CONFIG_PAX_PER_CPU_PGD
12318 - .long init_thread_union+THREAD_SIZE
12319 + .long init_thread_union+THREAD_SIZE-8
12321 +.section .rodata,"a",@progbits
12322 early_recursion_flag:
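Review bot: `early_recursion_flag` is now emitted under `.section .rodata,"a",@progbits`, yet the early_page_fault and ignore_int hunks above `incl` it; this is safe only while .rodata is still writable during early boot, and that is not visible from the label alone. Add `# written by early_page_fault/ignore_int before .rodata is write-protected`, or keep the flag in a writable data section if nothing requires it to live in .rodata. The lines between `stack_start` and this label are not shown here.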
12325 @@ -707,7 +811,7 @@ fault_msg:
12326 .word 0 # 32 bit align gdt_desc.address
12329 - .long boot_gdt - __PAGE_OFFSET
12330 + .long pa(boot_gdt)
12332 .word 0 # 32-bit align idt_desc.address
12334 @@ -718,7 +822,7 @@ idt_descr:
12335 .word 0 # 32 bit align gdt_desc.address
12336 ENTRY(early_gdt_descr)
12337 .word GDT_ENTRIES*8-1
12338 - .long gdt_page /* Overwritten for secondary CPUs */
12339 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12342 * The boot_gdt must mirror the equivalent in setup.S and is
12343 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
12344 .align L1_CACHE_BYTES
12346 .fill GDT_ENTRY_BOOT_CS,8,0
12347 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12348 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12349 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12350 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12352 + .align PAGE_SIZE_asm
12353 +ENTRY(cpu_gdt_table)
12355 + .quad 0x0000000000000000 /* NULL descriptor */
12356 + .quad 0x0000000000000000 /* 0x0b reserved */
12357 + .quad 0x0000000000000000 /* 0x13 reserved */
12358 + .quad 0x0000000000000000 /* 0x1b reserved */
12360 +#ifdef CONFIG_PAX_KERNEXEC
12361 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12363 + .quad 0x0000000000000000 /* 0x20 unused */
12366 + .quad 0x0000000000000000 /* 0x28 unused */
12367 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12368 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12369 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12370 + .quad 0x0000000000000000 /* 0x4b reserved */
12371 + .quad 0x0000000000000000 /* 0x53 reserved */
12372 + .quad 0x0000000000000000 /* 0x5b reserved */
12374 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12375 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12376 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12377 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12379 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12380 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12383 + * Segments used for calling PnP BIOS have byte granularity.
12384 + * The code segments and data segments have fixed 64k limits,
12385 + * the transfer segment sizes are set at run time.
12387 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12388 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12389 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12390 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12391 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12394 + * The APM segments have byte granularity and their bases
12395 + * are set at run time. All have 64k limits.
12397 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12398 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12399 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12401 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12402 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12403 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12404 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12405 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12406 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12408 + /* Be sure this is zeroed to avoid false validations in Xen */
12409 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
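Review bot: The boot_gdt descriptors change from `0x00cf9a...`/`0x00cf92...` to `0x00cf9b...`/`0x00cf93...`, i.e. the accessed bit is now preset, and the new `cpu_gdt_table` entries follow the same convention, but nothing in the hunk says why. Presumably this is so the CPU never has to write a descriptor when a selector is loaded, which matters if the table is meant to be kept read-only; a comment above `boot_gdt`, e.g. `/* accessed bit preset: the CPU must never need to write these descriptors */`, would record that. The zeroed `/* 0x80 TSS descriptor */` and `/* 0x88 LDT descriptor */` slots are presumably filled per CPU at run time; saying so avoids the impression they are unused.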
12411 diff -urNp linux-2.6.38.1/arch/x86/kernel/head_64.S linux-2.6.38.1/arch/x86/kernel/head_64.S
12412 --- linux-2.6.38.1/arch/x86/kernel/head_64.S 2011-03-14 21:20:32.000000000 -0400
12413 +++ linux-2.6.38.1/arch/x86/kernel/head_64.S 2011-03-21 18:31:35.000000000 -0400
12415 #include <asm/cache.h>
12416 #include <asm/processor-flags.h>
12417 #include <asm/percpu.h>
12418 +#include <asm/cpufeature.h>
12420 #ifdef CONFIG_PARAVIRT
12421 #include <asm/asm-offsets.h>
12422 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12423 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12424 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12425 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12426 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12427 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12428 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12429 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12433 @@ -85,35 +90,22 @@ startup_64:
12435 addq %rbp, init_level4_pgt + 0(%rip)
12436 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12437 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12438 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12439 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12441 addq %rbp, level3_ident_pgt + 0(%rip)
12442 +#ifndef CONFIG_XEN
12443 + addq %rbp, level3_ident_pgt + 8(%rip)
12446 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12447 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12448 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12450 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12451 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12452 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12454 - /* Add an Identity mapping if I am above 1G */
12455 - leaq _text(%rip), %rdi
12456 - andq $PMD_PAGE_MASK, %rdi
12459 - shrq $PUD_SHIFT, %rax
12460 - andq $(PTRS_PER_PUD - 1), %rax
12461 - jz ident_complete
12463 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12464 - leaq level3_ident_pgt(%rip), %rbx
12465 - movq %rdx, 0(%rbx, %rax, 8)
12468 - shrq $PMD_SHIFT, %rax
12469 - andq $(PTRS_PER_PMD - 1), %rax
12470 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12471 - leaq level2_spare_pgt(%rip), %rbx
12472 - movq %rdx, 0(%rbx, %rax, 8)
12474 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12475 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12478 * Fixup the kernel text+data virtual addresses. Note that
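Review bot: The dynamic identity mapping for a kernel loaded above 1G is removed and replaced by the static 2G map in `level2_ident_pgt` (`PMDS(0, ..., 2*PTRS_PER_PMD)` further down), which means a load address at or above 2G is no longer identity-mapped at all. If the build's relocation limits already guarantee the kernel stays below 2G, state that where the old code was, e.g. `/* the static identity map covers the first 2G; the kernel must be loaded below that */`. The `#ifndef CONFIG_XEN` fix-up of `level3_ident_pgt + 8` pairs with the second entry added in the `level3_ident_pgt` hunk below; a cross-reference comment would tie them together.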
12479 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12480 * after the boot processor executes this code.
12483 - /* Enable PAE mode and PGE */
12484 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12485 + /* Enable PAE mode and PSE/PGE */
12486 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12489 /* Setup early boot stage 4 level pagetables. */
12490 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12491 movl $MSR_EFER, %ecx
12493 btsl $_EFER_SCE, %eax /* Enable System Call */
12494 - btl $20,%edi /* No Execute supported? */
12495 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12497 btsl $_EFER_NX, %eax
12498 + leaq init_level4_pgt(%rip), %rdi
12499 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12500 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12501 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12502 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12503 1: wrmsr /* Make changes effective */
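Review bot: The `btsq $_PAGE_BIT_NX` stores into `init_level4_pgt` and `__supported_pte_mask` sit inside `secondary_startup_64`, so they run once per booting CPU on shared tables; `bts` is idempotent so this is harmless, but a comment should say it is intentional rather than a missing BSP-only guard, e.g. `/* idempotent: every CPU re-sets NX on the shared top-level entries */`. Replacing the magic `$20` with `$(X86_FEATURE_NX & 31)` is a good change; the branch that skips this block when NX is absent is not in the visible lines.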
12506 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
12510 - .section ".init.text","ax"
12512 #ifdef CONFIG_EARLY_PRINTK
12513 .globl early_idt_handlers
12514 early_idt_handlers:
12515 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
12516 #endif /* EARLY_PRINTK */
12521 #ifdef CONFIG_EARLY_PRINTK
12523 early_recursion_flag:
12527 + .section .rodata,"a",@progbits
12529 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12532 -#endif /* CONFIG_EARLY_PRINTK */
12534 +#endif /* CONFIG_EARLY_PRINTK */
12536 + .section .rodata,"a",@progbits
12537 #define NEXT_PAGE(name) \
12538 .balign PAGE_SIZE; \
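Review bot: The `.section .rodata,"a",@progbits` placed just before the `NEXT_PAGE` definition appears to put the boot page tables that follow into .rodata, while `startup_64` patches those same tables with `addq %rbp` relocation fix-ups and `btsq` NX bits. That is only consistent if .rodata is write-protected after this early code has run; a comment at this `.section` line stating the ordering assumption, e.g. `/* page tables live in .rodata; startup_64 writes them before .rodata is made read-only */`, would document it. Whether a `.data` directive was dropped in the following hunk cannot be seen from the visible lines.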
12540 @@ -339,7 +341,6 @@ ENTRY(name)
12546 * This default setting generates an ident mapping at address 0x100000
12547 * and a mapping for the kernel that precisely maps virtual address
12548 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
12549 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12550 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12551 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12552 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12553 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12554 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12555 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12556 .org init_level4_pgt + L4_START_KERNEL*8, 0
12557 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12558 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12560 +#ifdef CONFIG_PAX_PER_CPU_PGD
12561 +NEXT_PAGE(cpu_pgd)
12567 NEXT_PAGE(level3_ident_pgt)
12568 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12572 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12576 +NEXT_PAGE(level3_vmalloc_pgt)
12579 +NEXT_PAGE(level3_vmemmap_pgt)
12580 + .fill L3_VMEMMAP_START,8,0
12581 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12583 NEXT_PAGE(level3_kernel_pgt)
12584 .fill L3_START_KERNEL,8,0
12585 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
12586 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12587 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12589 +NEXT_PAGE(level2_vmemmap_pgt)
12592 NEXT_PAGE(level2_fixmap_pgt)
12594 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12595 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12598 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12599 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12602 -NEXT_PAGE(level1_fixmap_pgt)
12603 +NEXT_PAGE(level1_vsyscall_pgt)
12606 -NEXT_PAGE(level2_ident_pgt)
12607 - /* Since I easily can, map the first 1G.
12608 + /* Since I easily can, map the first 2G.
12609 * Don't set NX because code runs from these pages.
12611 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12612 +NEXT_PAGE(level2_ident_pgt)
12613 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12615 NEXT_PAGE(level2_kernel_pgt)
12617 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
12618 * If you want to increase this then increase MODULES_VADDR
12621 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12622 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12624 -NEXT_PAGE(level2_spare_pgt)
12626 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12633 +ENTRY(cpu_gdt_table)
12635 + .quad 0x0000000000000000 /* NULL descriptor */
12636 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12637 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12638 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12639 + .quad 0x00cffb000000ffff /* __USER32_CS */
12640 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12641 + .quad 0x00affb000000ffff /* __USER_CS */
12643 +#ifdef CONFIG_PAX_KERNEXEC
12644 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12646 + .quad 0x0 /* unused */
12649 + .quad 0,0 /* TSS */
12650 + .quad 0,0 /* LDT */
12651 + .quad 0,0,0 /* three TLS descriptors */
12652 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12653 + /* asm/segment.h:GDT_ENTRIES must match this */
12655 + /* zero the remaining page */
12656 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12660 .globl early_gdt_descr
12662 .word GDT_ENTRIES*8-1
12663 early_gdt_descr_base:
12664 - .quad INIT_PER_CPU_VAR(gdt_page)
12665 + .quad cpu_gdt_table
12668 /* This must match the first entry in level2_kernel_pgt */
12669 .quad 0x0000000000000000
12671 #include "../../x86/xen/xen-head.S"
12673 - .section .bss, "aw", @nobits
12675 + .section .rodata,"a",@progbits
12676 .align L1_CACHE_BYTES
12678 - .skip IDT_ENTRIES * 16
12683 diff -urNp linux-2.6.38.1/arch/x86/kernel/i386_ksyms_32.c linux-2.6.38.1/arch/x86/kernel/i386_ksyms_32.c
12684 --- linux-2.6.38.1/arch/x86/kernel/i386_ksyms_32.c 2011-03-14 21:20:32.000000000 -0400
12685 +++ linux-2.6.38.1/arch/x86/kernel/i386_ksyms_32.c 2011-03-21 18:31:35.000000000 -0400
12686 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12687 EXPORT_SYMBOL(cmpxchg8b_emu);
12690 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12692 /* Networking helper routines. */
12693 EXPORT_SYMBOL(csum_partial_copy_generic);
12694 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12695 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12697 EXPORT_SYMBOL(__get_user_1);
12698 EXPORT_SYMBOL(__get_user_2);
12699 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12701 EXPORT_SYMBOL(csum_partial);
12702 EXPORT_SYMBOL(empty_zero_page);
12704 +#ifdef CONFIG_PAX_KERNEXEC
12705 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12707 diff -urNp linux-2.6.38.1/arch/x86/kernel/init_task.c linux-2.6.38.1/arch/x86/kernel/init_task.c
12708 --- linux-2.6.38.1/arch/x86/kernel/init_task.c 2011-03-14 21:20:32.000000000 -0400
12709 +++ linux-2.6.38.1/arch/x86/kernel/init_task.c 2011-03-21 18:31:35.000000000 -0400
12710 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12711 * section. Since TSS's are completely CPU-local, we want them
12712 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12714 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12716 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12717 +EXPORT_SYMBOL(init_tss);
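Review bot: Replacing the per-CPU `init_tss` with `struct tss_struct init_tss[NR_CPUS]` in initialised data makes the TSS array cost `NR_CPUS` copies in the image regardless of how many CPUs actually come up, and `tss_struct` carries the I/O permission bitmap, so each copy is several kilobytes. If the fixed array is required (the ioport.c hunks now index it directly with `init_tss + get_cpu()`), a comment explaining why per-CPU storage was unsuitable and noting the size trade-off would help, e.g. `/* flat array rather than per-CPU: indexed directly by CPU number from early entry code; costs one TSS per possible CPU */`.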
12718 diff -urNp linux-2.6.38.1/arch/x86/kernel/ioport.c linux-2.6.38.1/arch/x86/kernel/ioport.c
12719 --- linux-2.6.38.1/arch/x86/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
12720 +++ linux-2.6.38.1/arch/x86/kernel/ioport.c 2011-03-21 18:31:35.000000000 -0400
12722 #include <linux/sched.h>
12723 #include <linux/kernel.h>
12724 #include <linux/capability.h>
12725 +#include <linux/security.h>
12726 #include <linux/errno.h>
12727 #include <linux/types.h>
12728 #include <linux/ioport.h>
12729 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12731 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12733 +#ifdef CONFIG_GRKERNSEC_IO
12734 + if (turn_on && grsec_disable_privio) {
12735 + gr_handle_ioperm();
12739 if (turn_on && !capable(CAP_SYS_RAWIO))
12742 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12743 * because the ->io_bitmap_max value must match the bitmap
12746 - tss = &per_cpu(init_tss, get_cpu());
12747 + tss = init_tss + get_cpu();
12749 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12751 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12753 /* Trying to gain more privileges? */
12755 +#ifdef CONFIG_GRKERNSEC_IO
12756 + if (grsec_disable_privio) {
12757 + gr_handle_iopl();
12761 if (!capable(CAP_SYS_RAWIO))
12764 diff -urNp linux-2.6.38.1/arch/x86/kernel/irq_32.c linux-2.6.38.1/arch/x86/kernel/irq_32.c
12765 --- linux-2.6.38.1/arch/x86/kernel/irq_32.c 2011-03-14 21:20:32.000000000 -0400
12766 +++ linux-2.6.38.1/arch/x86/kernel/irq_32.c 2011-03-21 18:31:35.000000000 -0400
12767 @@ -91,7 +91,7 @@ execute_on_irq_stack(int overflow, struc
12770 /* build the stack frame on the IRQ stack */
12771 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12772 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12773 irqctx->tinfo.task = curctx->tinfo.task;
12774 irqctx->tinfo.previous_esp = current_stack_pointer;
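Review bot: The new `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8)` is an unexplained magic number, and the same literal reappears in the do_softirq hunk below and as `THREAD_SIZE-8` in head_32.S's `stack_start`. Give it a name and a stated purpose in the shared header (name constructed here), e.g. `#define IRQ_STACK_RESERVE 8 /* bytes kept free at the top of the IRQ/softirq stack: <reason> */`, so the three sites cannot drift apart. The enclosing `execute_on_irq_stack` starts before this hunk.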
12776 @@ -103,6 +103,10 @@ execute_on_irq_stack(int overflow, struc
12777 (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
12778 (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
12780 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12781 + __set_fs(irqctx->tinfo.addr_limit);
12784 if (unlikely(overflow))
12785 call_on_stack(print_stack_overflow, isp);
12787 @@ -113,6 +117,11 @@ execute_on_irq_stack(int overflow, struc
12788 : "0" (irq), "1" (desc), "2" (isp),
12789 "D" (desc->handle_irq)
12790 : "memory", "cc", "ecx");
12792 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12793 + __set_fs(curctx->tinfo.addr_limit);
12799 @@ -168,9 +177,18 @@ asmlinkage void do_softirq(void)
12800 irqctx->tinfo.previous_esp = current_stack_pointer;
12802 /* build the stack frame on the softirq stack */
12803 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12804 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12806 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12807 + __set_fs(irqctx->tinfo.addr_limit);
12810 call_on_stack(__do_softirq, isp);
12812 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12813 + __set_fs(curctx->addr_limit);
12817 * Shouldnt happen, we returned above if in_interrupt():
12819 diff -urNp linux-2.6.38.1/arch/x86/kernel/kgdb.c linux-2.6.38.1/arch/x86/kernel/kgdb.c
12820 --- linux-2.6.38.1/arch/x86/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
12821 +++ linux-2.6.38.1/arch/x86/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
12822 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
12824 #ifdef CONFIG_X86_32
12826 - if (!user_mode_vm(regs))
12827 + if (!user_mode(regs))
12828 *(unsigned long *)mem = __KERNEL_DS;
12831 - if (!user_mode_vm(regs))
12832 + if (!user_mode(regs))
12833 *(unsigned long *)mem = kernel_stack_pointer(regs);
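Review bot: `user_mode_vm()` also treats a VM86 frame as user mode on 32-bit, while `user_mode()` checks only the CS RPL, so the two `if (!user_mode(regs))` tests change behaviour for vm86 tasks unless `user_mode()` has been redefined elsewhere in this patch; that is not visible here. If the redefinition exists, a comment at the first use such as `/* user_mode() also covers vm86 frames under this patch */` would pre-empt the question; the same substitution appears in the kprobes `kprobe_exceptions_notify` hunk.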
12836 @@ -719,7 +719,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12840 -struct kgdb_arch arch_kgdb_ops = {
12841 +const struct kgdb_arch arch_kgdb_ops = {
12842 /* Breakpoint instruction: */
12843 .gdb_bpt_instr = { 0xcc },
12844 .flags = KGDB_HW_BREAKPOINT,
12845 diff -urNp linux-2.6.38.1/arch/x86/kernel/kprobes.c linux-2.6.38.1/arch/x86/kernel/kprobes.c
12846 --- linux-2.6.38.1/arch/x86/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
12847 +++ linux-2.6.38.1/arch/x86/kernel/kprobes.c 2011-03-21 18:31:35.000000000 -0400
12848 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
12849 } __attribute__((packed)) *insn;
12851 insn = (struct __arch_relative_insn *)from;
12853 + pax_open_kernel();
12854 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12856 + pax_close_kernel();
12859 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
12860 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
12861 kprobe_opcode_t opcode;
12862 kprobe_opcode_t *orig_opcodes = opcodes;
12864 - if (search_exception_tables((unsigned long)opcodes))
12865 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
12866 return 0; /* Page fault may occur on this address. */
12869 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
12872 insn_get_length(&insn);
12873 + pax_open_kernel();
12874 memcpy(dest, insn.kaddr, insn.length);
12875 + pax_close_kernel();
12877 #ifdef CONFIG_X86_64
12878 if (insn_rip_relative(&insn)) {
12879 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
12881 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12882 disp = (u8 *) dest + insn_offset_displacement(&insn);
12883 + pax_open_kernel();
12884 *(s32 *) disp = (s32) newdisp;
12885 + pax_close_kernel();
12888 return insn.length;
12889 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
12891 __copy_instruction(p->ainsn.insn, p->addr, 0);
12893 - if (can_boost(p->addr))
12894 + if (can_boost(ktla_ktva(p->addr)))
12895 p->ainsn.boostable = 0;
12897 p->ainsn.boostable = -1;
12899 - p->opcode = *p->addr;
12900 + p->opcode = *(ktla_ktva(p->addr));
12903 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12904 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
12905 * nor set current_kprobe, because it doesn't use single
12908 - regs->ip = (unsigned long)p->ainsn.insn;
12909 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12910 preempt_enable_no_resched();
12913 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
12914 if (p->opcode == BREAKPOINT_INSTRUCTION)
12915 regs->ip = (unsigned long)p->addr;
12917 - regs->ip = (unsigned long)p->ainsn.insn;
12918 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12922 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
12923 setup_singlestep(p, regs, kcb, 0);
12926 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12927 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12929 * The breakpoint instruction was removed right
12930 * after we hit it. Another cpu has removed
12931 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
12932 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12934 unsigned long *tos = stack_addr(regs);
12935 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12936 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12937 unsigned long orig_ip = (unsigned long)p->addr;
12938 kprobe_opcode_t *insn = p->ainsn.insn;
12940 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
12941 struct die_args *args = data;
12942 int ret = NOTIFY_DONE;
12944 - if (args->regs && user_mode_vm(args->regs))
12945 + if (args->regs && user_mode(args->regs))
12949 @@ -1372,7 +1379,7 @@ int __kprobes arch_prepare_optimized_kpr
12950 * Verify if the address gap is in 2GB range, because this uses
12953 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
12954 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
12955 if (abs(rel) > 0x7fffffff)
12958 @@ -1393,11 +1400,11 @@ int __kprobes arch_prepare_optimized_kpr
12959 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
12961 /* Set probe function call */
12962 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
12963 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
12965 /* Set returning jmp instruction at the tail of out-of-line buffer */
12966 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
12967 - (u8 *)op->kp.addr + op->optinsn.size);
12968 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
12970 flush_icache_range((unsigned long) buf,
12971 (unsigned long) buf + TMPL_END_IDX +
12972 @@ -1419,7 +1426,7 @@ static void __kprobes setup_optimize_kpr
12973 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
12975 /* Backup instructions which will be replaced by jump address */
12976 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
12977 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
12978 RELATIVE_ADDR_SIZE);
12980 insn_buf[0] = RELATIVEJUMP_OPCODE;
12981 diff -urNp linux-2.6.38.1/arch/x86/kernel/ldt.c linux-2.6.38.1/arch/x86/kernel/ldt.c
12982 --- linux-2.6.38.1/arch/x86/kernel/ldt.c 2011-03-14 21:20:32.000000000 -0400
12983 +++ linux-2.6.38.1/arch/x86/kernel/ldt.c 2011-03-21 18:31:35.000000000 -0400
12984 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12989 + load_LDT_nolock(pc);
12990 if (!cpumask_equal(mm_cpumask(current->mm),
12991 cpumask_of(smp_processor_id())))
12992 smp_call_function(flush_ldt, current->mm, 1);
12996 + load_LDT_nolock(pc);
13000 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
13003 for (i = 0; i < old->size; i++)
13004 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
13005 + write_ldt_entry(new->ldt, i, old->ldt + i);
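Review bot: Changing `old->ldt + i * LDT_ENTRY_SIZE` to `old->ldt + i` is only correct if `mm_context_t.ldt` is now a `struct desc_struct *` (or another descriptor-sized pointer) instead of `void *`; that type change is not in this hunk and should be checked, since with a `void *` the new code would copy from the wrong offsets. A comment at the loop, e.g. `/* ldt is typed as descriptors: index by entry, not by byte */`, would tie the two changes together. The enclosing `copy_ldt` begins before the hunk.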
13009 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
13010 retval = copy_ldt(&mm->context, &old_mm->context);
13011 mutex_unlock(&old_mm->context.lock);
13014 + if (tsk == current) {
13015 + mm->context.vdso = 0;
13017 +#ifdef CONFIG_X86_32
13018 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
13019 + mm->context.user_cs_base = 0UL;
13020 + mm->context.user_cs_limit = ~0UL;
13022 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
13023 + cpus_clear(mm->context.cpu_user_cs_mask);
13034 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
13038 +#ifdef CONFIG_PAX_SEGMEXEC
13039 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
13045 fill_ldt(&ldt, &ldt_info);
13048 diff -urNp linux-2.6.38.1/arch/x86/kernel/machine_kexec_32.c linux-2.6.38.1/arch/x86/kernel/machine_kexec_32.c
13049 --- linux-2.6.38.1/arch/x86/kernel/machine_kexec_32.c 2011-03-14 21:20:32.000000000 -0400
13050 +++ linux-2.6.38.1/arch/x86/kernel/machine_kexec_32.c 2011-03-21 18:31:35.000000000 -0400
13052 #include <asm/cacheflush.h>
13053 #include <asm/debugreg.h>
13055 -static void set_idt(void *newidt, __u16 limit)
13056 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13058 struct desc_ptr curidt;
13060 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13064 -static void set_gdt(void *newgdt, __u16 limit)
13065 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13067 struct desc_ptr curgdt;
13069 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13072 control_page = page_address(image->control_code_page);
13073 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13074 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13076 relocate_kernel_ptr = control_page;
13077 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13078 diff -urNp linux-2.6.38.1/arch/x86/kernel/microcode_amd.c linux-2.6.38.1/arch/x86/kernel/microcode_amd.c
13079 --- linux-2.6.38.1/arch/x86/kernel/microcode_amd.c 2011-03-14 21:20:32.000000000 -0400
13080 +++ linux-2.6.38.1/arch/x86/kernel/microcode_amd.c 2011-03-21 18:31:35.000000000 -0400
13081 @@ -317,7 +317,7 @@ static void microcode_fini_cpu_amd(int c
13085 -static struct microcode_ops microcode_amd_ops = {
13086 +static const struct microcode_ops microcode_amd_ops = {
13087 .request_microcode_user = request_microcode_user,
13088 .request_microcode_fw = request_microcode_fw,
13089 .collect_cpu_info = collect_cpu_info_amd,
13090 @@ -325,7 +325,7 @@ static struct microcode_ops microcode_am
13091 .microcode_fini_cpu = microcode_fini_cpu_amd,
13094 -struct microcode_ops * __init init_amd_microcode(void)
13095 +const struct microcode_ops * __init init_amd_microcode(void)
13097 return µcode_amd_ops;
13099 diff -urNp linux-2.6.38.1/arch/x86/kernel/microcode_core.c linux-2.6.38.1/arch/x86/kernel/microcode_core.c
13100 --- linux-2.6.38.1/arch/x86/kernel/microcode_core.c 2011-03-14 21:20:32.000000000 -0400
13101 +++ linux-2.6.38.1/arch/x86/kernel/microcode_core.c 2011-03-21 18:31:35.000000000 -0400
13102 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13104 #define MICROCODE_VERSION "2.00"
13106 -static struct microcode_ops *microcode_ops;
13107 +static const struct microcode_ops *microcode_ops;
13111 diff -urNp linux-2.6.38.1/arch/x86/kernel/microcode_intel.c linux-2.6.38.1/arch/x86/kernel/microcode_intel.c
13112 --- linux-2.6.38.1/arch/x86/kernel/microcode_intel.c 2011-03-14 21:20:32.000000000 -0400
13113 +++ linux-2.6.38.1/arch/x86/kernel/microcode_intel.c 2011-03-21 18:31:35.000000000 -0400
13114 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
13116 static int get_ucode_user(void *to, const void *from, size_t n)
13118 - return copy_from_user(to, from, n);
13119 + return copy_from_user(to, (__force const void __user *)from, n);
13122 static enum ucode_state
13123 request_microcode_user(int cpu, const void __user *buf, size_t size)
13125 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13126 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13129 static void microcode_fini_cpu(int cpu)
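Review bot: The `__force` casts in `get_ucode_user` and `request_microcode_user` silence sparse, but they are needed because `generic_load_microcode` takes the source as a plain `const void *`, so the `__user` address-space information is dropped inside the generic loader and only recovered by convention in this callback. A comment on `get_ucode_user`, e.g. `/* 'from' is a __user pointer laundered through generic_load_microcode's void * */`, makes the invariant explicit; the cleaner fix is a `const void __user *` in the loader's callback signature, which is outside this hunk.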
13130 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
13134 -static struct microcode_ops microcode_intel_ops = {
13135 +static const struct microcode_ops microcode_intel_ops = {
13136 .request_microcode_user = request_microcode_user,
13137 .request_microcode_fw = request_microcode_fw,
13138 .collect_cpu_info = collect_cpu_info,
13139 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
13140 .microcode_fini_cpu = microcode_fini_cpu,
13143 -struct microcode_ops * __init init_intel_microcode(void)
13144 +const struct microcode_ops * __init init_intel_microcode(void)
13146 return µcode_intel_ops;
13148 diff -urNp linux-2.6.38.1/arch/x86/kernel/module.c linux-2.6.38.1/arch/x86/kernel/module.c
13149 --- linux-2.6.38.1/arch/x86/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
13150 +++ linux-2.6.38.1/arch/x86/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
13151 @@ -35,21 +35,66 @@
13152 #define DEBUGP(fmt...)
13155 -void *module_alloc(unsigned long size)
13156 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
13158 if (PAGE_ALIGN(size) > MODULES_LEN)
13160 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
13161 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
13162 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
13163 -1, __builtin_return_address(0));
13166 +void *module_alloc(unsigned long size)
13169 +#ifdef CONFIG_PAX_KERNEXEC
13170 + return __module_alloc(size, PAGE_KERNEL);
13172 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13177 /* Free memory returned from module_alloc */
13178 void module_free(struct module *mod, void *module_region)
13180 vfree(module_region);
13183 +#ifdef CONFIG_PAX_KERNEXEC
13184 +#ifdef CONFIG_X86_32
13185 +void *module_alloc_exec(unsigned long size)
13187 + struct vm_struct *area;
13192 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13193 + return area ? area->addr : NULL;
13195 +EXPORT_SYMBOL(module_alloc_exec);
13197 +void module_free_exec(struct module *mod, void *module_region)
13199 + vunmap(module_region);
13201 +EXPORT_SYMBOL(module_free_exec);
13203 +void module_free_exec(struct module *mod, void *module_region)
13205 + module_free(mod, module_region);
13207 +EXPORT_SYMBOL(module_free_exec);
13209 +void *module_alloc_exec(unsigned long size)
13211 + return __module_alloc(size, PAGE_KERNEL_RX);
13213 +EXPORT_SYMBOL(module_alloc_exec);
13217 /* We don't need anything special. */
13218 int module_frob_arch_sections(Elf_Ehdr *hdr,
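Review bot: `module_alloc_exec()` in the CONFIG_X86_32 branch (13185–13193) returns `area->addr` from `__get_vm_area()`, which only reserves a virtual range and maps no pages, while the 64-bit variant at 13209–13211 returns populated, zeroed memory from `__module_alloc()`; two different contracts share one exported name and nothing in the hunk says who populates the 32-bit region. A header comment on the 32-bit version would spare the next reader guessing: `/* X86_32: reserves a VA range in the exec window only; no pages are mapped here — TODO document who populates it */`. Lines 13188–13191 are not rendered here, so I cannot see whether a size check precedes the `__get_vm_area()` call the way `PAGE_ALIGN(size) > MODULES_LEN` precedes `__vmalloc_node_range()` at 13158. The `__GFP_ZERO` added to `__module_alloc()` also deserves a one-line why-comment, since it is what stops stale heap contents from leaking into module memory. Both helpers are exported with plain `EXPORT_SYMBOL` although `module_alloc()` itself appears unexported here; state whether a non-GPL consumer is intended.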
13220 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13222 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13224 - uint32_t *location;
13225 + uint32_t *plocation, location;
13227 DEBUGP("Applying relocate section %u to %u\n", relsec,
13228 sechdrs[relsec].sh_info);
13229 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13230 /* This is where to make the change */
13231 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13232 - + rel[i].r_offset;
13233 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13234 + location = (uint32_t)plocation;
13235 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13236 + plocation = ktla_ktva((void *)plocation);
13237 /* This is the symbol it is referring to. Note that all
13238 undefined symbols have been resolved. */
13239 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
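Review bot: The split into `plocation` (where the write goes) and `location` (the address the relocation is resolved against) at 13233–13236 is load-bearing and undocumented: `location` is snapshotted before `ktla_ktva()` redirects `plocation` to the writable alias, and the next hunk uses `location` for the PC-relative case (`*plocation += sym->st_value - location`). Add above the `plocation =` line: `/* location: address the code runs from (PC-relative relocs use it); plocation: where we write, redirected to the RW alias for SHF_EXECINSTR sections */`. Swapping the two statements would silently break PC-relative fixups in executable sections, so the comment also acts as a guard. apply_relocate() continues in the following hunk.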
13240 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13241 switch (ELF32_R_TYPE(rel[i].r_info)) {
13243 /* We add the value into the location given */
13244 - *location += sym->st_value;
13245 + pax_open_kernel();
13246 + *plocation += sym->st_value;
13247 + pax_close_kernel();
13250 /* Add the value, subtract its postition */
13251 - *location += sym->st_value - (uint32_t)location;
13252 + pax_open_kernel();
13253 + *plocation += sym->st_value - location;
13254 + pax_close_kernel();
13257 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
13258 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13259 case R_X86_64_NONE:
13262 + pax_open_kernel();
13264 + pax_close_kernel();
13267 + pax_open_kernel();
13269 + pax_close_kernel();
13270 if (val != *(u32 *)loc)
13274 + pax_open_kernel();
13276 + pax_close_kernel();
13277 if ((s64)val != *(s32 *)loc)
13280 case R_X86_64_PC32:
13282 + pax_open_kernel();
13284 + pax_close_kernel();
13287 if ((s64)val != *(s32 *)loc)
13289 diff -urNp linux-2.6.38.1/arch/x86/kernel/paravirt.c linux-2.6.38.1/arch/x86/kernel/paravirt.c
13290 --- linux-2.6.38.1/arch/x86/kernel/paravirt.c 2011-03-14 21:20:32.000000000 -0400
13291 +++ linux-2.6.38.1/arch/x86/kernel/paravirt.c 2011-03-21 18:31:35.000000000 -0400
13292 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13293 * corresponding structure. */
13294 static void *get_call_destination(u8 type)
13296 - struct paravirt_patch_template tmpl = {
13297 + const struct paravirt_patch_template tmpl = {
13298 .pv_init_ops = pv_init_ops,
13299 .pv_time_ops = pv_time_ops,
13300 .pv_cpu_ops = pv_cpu_ops,
13301 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13302 if (opfunc == NULL)
13303 /* If there's no function, patch it with a ud2a (BUG) */
13304 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13305 - else if (opfunc == _paravirt_nop)
13306 + else if (opfunc == (void *)_paravirt_nop)
13307 /* If the operation is a nop, then nop the callsite */
13308 ret = paravirt_patch_nop();
13310 /* identity functions just return their single argument */
13311 - else if (opfunc == _paravirt_ident_32)
13312 + else if (opfunc == (void *)_paravirt_ident_32)
13313 ret = paravirt_patch_ident_32(insnbuf, len);
13314 - else if (opfunc == _paravirt_ident_64)
13315 + else if (opfunc == (void *)_paravirt_ident_64)
13316 ret = paravirt_patch_ident_64(insnbuf, len);
13318 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13319 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13320 if (insn_len > len || start == NULL)
13323 - memcpy(insnbuf, start, insn_len);
13324 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13328 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13332 -struct pv_info pv_info = {
13333 +struct pv_info pv_info __read_only = {
13334 .name = "bare hardware",
13335 .paravirt_enabled = 0,
13337 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13340 -struct pv_init_ops pv_init_ops = {
13341 +struct pv_init_ops pv_init_ops __read_only = {
13342 .patch = native_patch,
13345 -struct pv_time_ops pv_time_ops = {
13346 +struct pv_time_ops pv_time_ops __read_only = {
13347 .sched_clock = native_sched_clock,
13350 -struct pv_irq_ops pv_irq_ops = {
13351 +struct pv_irq_ops pv_irq_ops __read_only = {
13352 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13353 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13354 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
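Review bot: Making `pv_init_ops`, `pv_time_ops`, `pv_irq_ops` (and the rest of the pv_*_ops in this file) `__read_only` presumably turns any late store into a write fault once that section is protected, and the stores live in other files (hypervisor setup code that replaces individual ops) which this hunk cannot show being wrapped in `pax_open_kernel()`/`pax_close_kernel()`. I would want that cross-file audit recorded in the commit message, since a missed writer only shows up as a boot-time fault under that hypervisor. A comment on the first definition makes the new contract explicit for future backends: `/* __read_only: writable only during init or inside pax_open_kernel() */`.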
13355 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13359 -struct pv_cpu_ops pv_cpu_ops = {
13360 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13361 .cpuid = native_cpuid,
13362 .get_debugreg = native_get_debugreg,
13363 .set_debugreg = native_set_debugreg,
13364 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13365 .end_context_switch = paravirt_nop,
13368 -struct pv_apic_ops pv_apic_ops = {
13369 +struct pv_apic_ops pv_apic_ops __read_only = {
13370 #ifdef CONFIG_X86_LOCAL_APIC
13371 .startup_ipi_hook = paravirt_nop,
13373 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13374 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13377 -struct pv_mmu_ops pv_mmu_ops = {
13378 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13380 .read_cr2 = native_read_cr2,
13381 .write_cr2 = native_write_cr2,
13382 @@ -465,6 +465,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13385 .set_fixmap = native_set_fixmap,
13387 +#ifdef CONFIG_PAX_KERNEXEC
13388 + .pax_open_kernel = native_pax_open_kernel,
13389 + .pax_close_kernel = native_pax_close_kernel,
13394 EXPORT_SYMBOL_GPL(pv_time_ops);
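Review bot: The new `.pax_open_kernel`/`.pax_close_kernel` entries default to the native implementations, so a hypervisor backend that installs its own `pv_mmu_ops` but does not override these two will execute the native open/close sequence inside the guest; whether that is permitted depends on the backend, and `native_pax_open_kernel()` is not shown in this diff. The `#ifdef CONFIG_PAX_KERNEXEC` block should state the requirement rather than leave it implied: `/* backends that replace pv_mmu_ops must supply their own open/close if the native sequence is not available to the guest */`. pv_mmu_ops is defined starting in an earlier hunk.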
13395 diff -urNp linux-2.6.38.1/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.38.1/arch/x86/kernel/paravirt-spinlocks.c
13396 --- linux-2.6.38.1/arch/x86/kernel/paravirt-spinlocks.c 2011-03-14 21:20:32.000000000 -0400
13397 +++ linux-2.6.38.1/arch/x86/kernel/paravirt-spinlocks.c 2011-03-21 18:31:35.000000000 -0400
13398 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13399 arch_spin_lock(lock);
13402 -struct pv_lock_ops pv_lock_ops = {
13403 +struct pv_lock_ops pv_lock_ops __read_only = {
13405 .spin_is_locked = __ticket_spin_is_locked,
13406 .spin_is_contended = __ticket_spin_is_contended,
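Review bot: `pv_lock_ops` is the table a paravirt spinlock backend overwrites field by field when it enables itself, so `__read_only` here is only correct if every such writer (none are in this file) is wrapped in `pax_open_kernel()`/`pax_close_kernel()`; the hunk gives no indication either way and the failure mode is a write fault at boot under that hypervisor. Please note the audit in the commit message. A short comment by the definition documents the contract: `/* __read_only: backends must use pax_open_kernel() to install their ops */`.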
13407 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-calgary_64.c linux-2.6.38.1/arch/x86/kernel/pci-calgary_64.c
13408 --- linux-2.6.38.1/arch/x86/kernel/pci-calgary_64.c 2011-03-14 21:20:32.000000000 -0400
13409 +++ linux-2.6.38.1/arch/x86/kernel/pci-calgary_64.c 2011-03-21 18:31:35.000000000 -0400
13410 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
13411 free_pages((unsigned long)vaddr, get_order(size));
13414 -static struct dma_map_ops calgary_dma_ops = {
13415 +static const struct dma_map_ops calgary_dma_ops = {
13416 .alloc_coherent = calgary_alloc_coherent,
13417 .free_coherent = calgary_free_coherent,
13418 .map_sg = calgary_map_sg,
13419 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-dma.c linux-2.6.38.1/arch/x86/kernel/pci-dma.c
13420 --- linux-2.6.38.1/arch/x86/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
13421 +++ linux-2.6.38.1/arch/x86/kernel/pci-dma.c 2011-03-21 18:31:35.000000000 -0400
13424 static int forbid_dac __read_mostly;
13426 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13427 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13428 EXPORT_SYMBOL(dma_ops);
13430 static int iommu_sac_force __read_mostly;
13431 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
13433 int dma_supported(struct device *dev, u64 mask)
13435 - struct dma_map_ops *ops = get_dma_ops(dev);
13436 + const struct dma_map_ops *ops = get_dma_ops(dev);
13439 if (mask > 0xffffffff && forbid_dac > 0) {
13440 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-gart_64.c linux-2.6.38.1/arch/x86/kernel/pci-gart_64.c
13441 --- linux-2.6.38.1/arch/x86/kernel/pci-gart_64.c 2011-03-14 21:20:32.000000000 -0400
13442 +++ linux-2.6.38.1/arch/x86/kernel/pci-gart_64.c 2011-03-21 18:31:35.000000000 -0400
13443 @@ -706,7 +706,7 @@ static __init int init_amd_gatt(struct a
13447 -static struct dma_map_ops gart_dma_ops = {
13448 +static const struct dma_map_ops gart_dma_ops = {
13449 .map_sg = gart_map_sg,
13450 .unmap_sg = gart_unmap_sg,
13451 .map_page = gart_map_page,
13452 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-nommu.c linux-2.6.38.1/arch/x86/kernel/pci-nommu.c
13453 --- linux-2.6.38.1/arch/x86/kernel/pci-nommu.c 2011-03-14 21:20:32.000000000 -0400
13454 +++ linux-2.6.38.1/arch/x86/kernel/pci-nommu.c 2011-03-21 18:31:35.000000000 -0400
13455 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13456 flush_write_buffers();
13459 -struct dma_map_ops nommu_dma_ops = {
13460 +const struct dma_map_ops nommu_dma_ops = {
13461 .alloc_coherent = dma_generic_alloc_coherent,
13462 .free_coherent = nommu_free_coherent,
13463 .map_sg = nommu_map_sg,
13464 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-swiotlb.c linux-2.6.38.1/arch/x86/kernel/pci-swiotlb.c
13465 --- linux-2.6.38.1/arch/x86/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
13466 +++ linux-2.6.38.1/arch/x86/kernel/pci-swiotlb.c 2011-03-21 18:31:35.000000000 -0400
13467 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
13468 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13471 -static struct dma_map_ops swiotlb_dma_ops = {
13472 +static const struct dma_map_ops swiotlb_dma_ops = {
13473 .mapping_error = swiotlb_dma_mapping_error,
13474 .alloc_coherent = x86_swiotlb_alloc_coherent,
13475 .free_coherent = swiotlb_free_coherent,
13476 diff -urNp linux-2.6.38.1/arch/x86/kernel/process_32.c linux-2.6.38.1/arch/x86/kernel/process_32.c
13477 --- linux-2.6.38.1/arch/x86/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
13478 +++ linux-2.6.38.1/arch/x86/kernel/process_32.c 2011-03-21 18:31:35.000000000 -0400
13479 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13480 unsigned long thread_saved_pc(struct task_struct *tsk)
13482 return ((unsigned long *)tsk->thread.sp)[3];
13483 +//XXX return tsk->thread.eip;
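Review bot: `//XXX return tsk->thread.eip;` is commented-out code with an unexplained marker, which should either be removed or turned into a real note; nothing else in the hunk introduces or references a `thread.eip` field, so a reader cannot tell whether this is a planned change or an abandoned experiment. If the intent is to flag that the `[3]` stack-slot read at 13482 depends on a frame layout defined elsewhere, say so explicitly: `/* TODO(review): [3] assumes the __switch_to frame layout; verify or replace with a saved-eip field */`.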
13487 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
13489 unsigned short ss, gs;
13491 - if (user_mode_vm(regs)) {
13492 + if (user_mode(regs)) {
13494 ss = regs->ss & 0xffff;
13495 - gs = get_user_gs(regs);
13497 sp = kernel_stack_pointer(regs);
13498 savesegment(ss, ss);
13499 - savesegment(gs, gs);
13501 + gs = get_user_gs(regs);
13503 show_regs_common();
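Review bot: Moving `gs = get_user_gs(regs);` below the `if`/`else` changes what the kernel-mode branch reports: it used to read the live register via `savesegment(gs, gs)` and now prints the saved user `gs` even when `regs` is a kernel-mode frame, so oops output no longer means what it did in older dumps. That may be intended on this configuration, but the reason is not recorded; a line such as `/* gs: always the saved user value — the live kernel %gs is not task-specific here (confirm) */` would prevent misreadings. The `user_mode_vm()` → `user_mode()` switch also drops the vm86 special case unless `user_mode()` has been redefined elsewhere in this patch; that dependency belongs in the commit message. __show_regs() starts before this hunk.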
13505 @@ -196,7 +196,7 @@ int copy_thread(unsigned long clone_flag
13506 struct task_struct *tsk;
13509 - childregs = task_pt_regs(p);
13510 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13511 *childregs = *regs;
13513 childregs->sp = sp;
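Review bot: `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` open-codes the pt_regs position with a bare `8`, and the same `8` reappears in get_wchan's bounds in process_64.c in this patch (`stack+THREAD_SIZE-8-sizeof(u64)`), so the value is now a cross-file invariant with no name. The reason `task_pt_regs(p)` was no longer acceptable is not stated either; at minimum give the constant a name or a comment: `/* top-of-stack reserve: 8 bytes above pt_regs, must match get_wchan()/KSTK_TOS */`. copy_thread() continues outside this hunk.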
13514 @@ -293,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
13515 struct thread_struct *prev = &prev_p->thread,
13516 *next = &next_p->thread;
13517 int cpu = smp_processor_id();
13518 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13519 + struct tss_struct *tss = init_tss + cpu;
13522 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13523 @@ -328,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
13525 lazy_save_gs(prev->gs);
13527 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13528 + __set_fs(task_thread_info(next_p)->addr_limit);
13532 * Load the per-thread Thread-Local Storage descriptor.
13534 @@ -404,3 +408,27 @@ unsigned long get_wchan(struct task_stru
13538 +#ifdef CONFIG_PAX_RANDKSTACK
13539 +asmlinkage void pax_randomize_kstack(void)
13541 + struct thread_struct *thread = ¤t->thread;
13542 + unsigned long time;
13544 + if (!randomize_va_space)
13549 + /* P4 seems to return a 0 LSB, ignore it */
13550 +#ifdef CONFIG_MPENTIUM4
13558 + thread->sp0 ^= time;
13559 + load_sp0(init_tss + smp_processor_id(), thread);
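Review bot: `pax_randomize_kstack()` is gated on `randomize_va_space`, so the sysctl users reach for to tune userland ASLR also switches kernel-stack randomization off; that coupling is surprising enough to need a comment at the check, `/* shares the userland ASLR knob: randomize_va_space=0 disables this too */`, or a knob of its own. The masking applied to `time` between 13544 and 13558 is not rendered here, so I cannot confirm that `thread->sp0 ^= time` keeps sp0 inside the task's stack and suitably aligned — the P4 comment at 13549 implies a mask exists, but the hunk as shown only proves the XOR. A one-liner stating the mask width and shift (and hence the alignment guarantee) next to the XOR would let this be checked without the missing lines.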
13562 diff -urNp linux-2.6.38.1/arch/x86/kernel/process_64.c linux-2.6.38.1/arch/x86/kernel/process_64.c
13563 --- linux-2.6.38.1/arch/x86/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
13564 +++ linux-2.6.38.1/arch/x86/kernel/process_64.c 2011-03-21 18:31:35.000000000 -0400
13565 @@ -87,7 +87,7 @@ static void __exit_idle(void)
13566 void exit_idle(void)
13568 /* idle loop has pid 0 */
13569 - if (current->pid)
13570 + if (task_pid_nr(current))
13574 @@ -376,7 +376,7 @@ __switch_to(struct task_struct *prev_p,
13575 struct thread_struct *prev = &prev_p->thread;
13576 struct thread_struct *next = &next_p->thread;
13577 int cpu = smp_processor_id();
13578 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13579 + struct tss_struct *tss = init_tss + cpu;
13580 unsigned fsindex, gsindex;
13583 @@ -529,12 +529,11 @@ unsigned long get_wchan(struct task_stru
13584 if (!p || p == current || p->state == TASK_RUNNING)
13586 stack = (unsigned long)task_stack_page(p);
13587 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13588 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13590 fp = *(u64 *)(p->thread.sp);
13592 - if (fp < (unsigned long)stack ||
13593 - fp >= (unsigned long)stack+THREAD_SIZE)
13594 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13596 ip = *(u64 *)(fp+8);
13597 if (!in_sched_functions(ip))
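Review bot: The tightened bounds are a real fix — the old `>= stack+THREAD_SIZE` test let `*(u64 *)(p->thread.sp)` and `*(u64 *)(fp+8)` read up to 8 bytes past the end of the stack page — but `stack+THREAD_SIZE-8-sizeof(u64)` is arithmetic a reader has to redo to trust it, so spell it out at the first check: `/* leave room for the 8-byte reads at sp and at fp+8 below the 8-byte top-of-stack reserve */`. The loop that re-derives `fp` runs past this hunk and is only safe if the check shown here is the one it repeats on every iteration. get_wchan() begins before this hunk.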
13598 diff -urNp linux-2.6.38.1/arch/x86/kernel/process.c linux-2.6.38.1/arch/x86/kernel/process.c
13599 --- linux-2.6.38.1/arch/x86/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
13600 +++ linux-2.6.38.1/arch/x86/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
13601 @@ -70,7 +70,7 @@ void exit_thread(void)
13602 unsigned long *bp = t->io_bitmap_ptr;
13605 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13606 + struct tss_struct *tss = init_tss + get_cpu();
13608 t->io_bitmap_ptr = NULL;
13609 clear_thread_flag(TIF_IO_BITMAP);
13610 @@ -97,6 +97,7 @@ void show_regs_common(void)
13611 vendor = dmi_get_system_info(DMI_SYS_VENDOR);
13615 product = dmi_get_system_info(DMI_PRODUCT_NAME);
13618 @@ -105,8 +106,8 @@ void show_regs_common(void)
13619 board = dmi_get_system_info(DMI_BOARD_NAME);
13621 printk(KERN_CONT "\n");
13622 - printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
13623 - current->pid, current->xid, current->comm, print_tainted(),
13624 + printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s\n",
13625 + task_pid_nr(current), current->comm, print_tainted(),
13626 init_utsname()->release,
13627 (int)strcspn(init_utsname()->version, " "),
13628 init_utsname()->version);
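Review bot: The rewritten printk drops the `xid: #%u` / `current->xid` field the removed line carried, and nothing explains whether that is deliberate. `xid` is not a mainline `task_struct` member, so the old side evidently came from a base tree carrying another patch; if this tree still has that field, the oops header loses a context identifier that incident responders rely on, and if it does not, the commit should say this is a rebase fixup. Either way a one-line rationale in the commit message is warranted; the added trailing `\n` is fine.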
13629 @@ -123,6 +124,9 @@ void flush_thread(void)
13631 struct task_struct *tsk = current;
13633 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
13634 + loadsegment(gs, 0);
13636 flush_ptrace_hw_breakpoint(tsk);
13637 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13639 @@ -285,10 +289,10 @@ int kernel_thread(int (*fn)(void *), voi
13640 regs.di = (unsigned long) arg;
13642 #ifdef CONFIG_X86_32
13643 - regs.ds = __USER_DS;
13644 - regs.es = __USER_DS;
13645 + regs.ds = __KERNEL_DS;
13646 + regs.es = __KERNEL_DS;
13647 regs.fs = __KERNEL_PERCPU;
13648 - regs.gs = __KERNEL_STACK_CANARY;
13649 + savesegment(gs, regs.gs);
13651 regs.ss = __KERNEL_DS;
13653 @@ -667,17 +671,3 @@ static int __init idle_setup(char *str)
13656 early_param("idle", idle_setup);
13658 -unsigned long arch_align_stack(unsigned long sp)
13660 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13661 - sp -= get_random_int() % 8192;
13662 - return sp & ~0xf;
13665 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13667 - unsigned long range_end = mm->brk + 0x02000000;
13668 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13671 diff -urNp linux-2.6.38.1/arch/x86/kernel/ptrace.c linux-2.6.38.1/arch/x86/kernel/ptrace.c
13672 --- linux-2.6.38.1/arch/x86/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
13673 +++ linux-2.6.38.1/arch/x86/kernel/ptrace.c 2011-03-21 18:31:35.000000000 -0400
13674 @@ -805,7 +805,7 @@ long arch_ptrace(struct task_struct *chi
13675 unsigned long addr, unsigned long data)
13678 - unsigned long __user *datap = (unsigned long __user *)data;
13679 + unsigned long __user *datap = (__force unsigned long __user *)data;
13682 /* read the word at location addr in the USER area. */
13683 @@ -890,14 +890,14 @@ long arch_ptrace(struct task_struct *chi
13684 if ((int) addr < 0)
13686 ret = do_get_thread_area(child, addr,
13687 - (struct user_desc __user *)data);
13688 + (__force struct user_desc __user *) data);
13691 case PTRACE_SET_THREAD_AREA:
13692 if ((int) addr < 0)
13694 ret = do_set_thread_area(child, addr,
13695 - (struct user_desc __user *)data, 0);
13696 + (__force struct user_desc __user *) data, 0);
13700 @@ -1314,7 +1314,7 @@ static void fill_sigtrap_info(struct tas
13701 memset(info, 0, sizeof(*info));
13702 info->si_signo = SIGTRAP;
13703 info->si_code = si_code;
13704 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13705 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13708 void user_single_step_siginfo(struct task_struct *tsk,
13709 @@ -1347,7 +1347,7 @@ void send_sigtrap(struct task_struct *ts
13710 * We must return the syscall number to actually look up in the table.
13711 * This can be -1L to skip running any syscall at all.
13713 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
13714 +long syscall_trace_enter(struct pt_regs *regs)
13718 @@ -1392,7 +1392,7 @@ asmregparm long syscall_trace_enter(stru
13719 return ret ?: regs->orig_ax;
13722 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
13723 +void syscall_trace_leave(struct pt_regs *regs)
13727 diff -urNp linux-2.6.38.1/arch/x86/kernel/reboot.c linux-2.6.38.1/arch/x86/kernel/reboot.c
13728 --- linux-2.6.38.1/arch/x86/kernel/reboot.c 2011-03-14 21:20:32.000000000 -0400
13729 +++ linux-2.6.38.1/arch/x86/kernel/reboot.c 2011-03-21 18:31:35.000000000 -0400
13730 @@ -34,7 +34,7 @@ void (*pm_power_off)(void);
13731 EXPORT_SYMBOL(pm_power_off);
13733 static const struct desc_ptr no_idt = {};
13734 -static int reboot_mode;
13735 +static unsigned short reboot_mode;
13736 enum reboot_type reboot_type = BOOT_KBD;
13739 @@ -293,7 +293,7 @@ static struct dmi_system_id __initdata r
13740 DMI_MATCH(DMI_BOARD_NAME, "VersaLogic Menlow board"),
13744 + { NULL, NULL, {{0, {0}}}, NULL}
13747 static int __init reboot_init(void)
13748 @@ -309,12 +309,12 @@ core_initcall(reboot_init);
13749 controller to pulse the CPU reset line, which is more thorough, but
13750 doesn't work with at least one type of 486 motherboard. It is easy
13751 to stop this code working; hence the copious comments. */
13752 -static const unsigned long long
13753 -real_mode_gdt_entries [3] =
13754 +static struct desc_struct
13755 +real_mode_gdt_entries [3] __read_only =
13757 - 0x0000000000000000ULL, /* Null descriptor */
13758 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13759 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13760 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13761 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13762 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13765 static const struct desc_ptr
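Review bot: The table loses its `const` qualifier in the rewrite (`static const unsigned long long` → `static struct desc_struct ... __read_only`), so the compiler no longer rejects an accidental store to `real_mode_gdt_entries`; unless `__read_only` and `const` cannot be combined in this tree, keep both: `static const struct desc_struct real_mode_gdt_entries[3] __read_only = {`. The `GDT_ENTRY_INIT()` values do reproduce the old raw descriptors (code type 0x9b, base 0, limit 0xffff; data type 0x93, base 0x100, limit 0xffff), so the change is otherwise behavior-preserving.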
13766 @@ -363,7 +363,7 @@ static const unsigned char jump_to_bios
13767 * specified by the code and length parameters.
13768 * We assume that length will aways be less that 100!
13770 -void machine_real_restart(const unsigned char *code, int length)
13771 +void machine_real_restart(const unsigned char *code, unsigned int length)
13773 local_irq_disable();
13775 @@ -390,16 +390,15 @@ void machine_real_restart(const unsigned
13776 boot)". This seems like a fairly standard thing that gets set by
13777 REBOOT.COM programs, and the previous reset routine did this
13779 - *((unsigned short *)0x472) = reboot_mode;
13780 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13782 /* For the switch to real mode, copy some code to low memory. It has
13783 to be in the first 64k because it is running in 16-bit mode, and it
13784 has to have the same physical and virtual address, because it turns
13785 off paging. Copy it near the end of the first page, out of the way
13786 of BIOS variables. */
13787 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13788 - real_mode_switch, sizeof (real_mode_switch));
13789 - memcpy((void *)(0x1000 - 100), code, length);
13790 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13791 + memcpy(__va(0x1000 - 100), code, length);
13793 /* Set up the IDT for real mode. */
13794 load_idt(&real_mode_idt);
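Review bot: `memcpy(__va(0x1000 - 100), code, length)` still trusts `length <= 100` on the strength of the comment in the previous hunk ("We assume that length will aways be less that 100!"); widening `length` to `unsigned int` removes the negative case but not an oversize one, which would write past 0x1000 just before paging is switched off. The assumption is cheap to enforce at the top of `machine_real_restart()`: `BUG_ON(length > 100);` (or `if (WARN_ON(length > 100)) return;` if the caller's fallback reboot paths should get a chance). The `__va()` wrapping of the low-memory writes is the right adjustment for a kernel that no longer identity-maps page 0. machine_real_restart() begins in the previous hunk and continues after this one.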
13795 diff -urNp linux-2.6.38.1/arch/x86/kernel/setup.c linux-2.6.38.1/arch/x86/kernel/setup.c
13796 --- linux-2.6.38.1/arch/x86/kernel/setup.c 2011-03-14 21:20:32.000000000 -0400
13797 +++ linux-2.6.38.1/arch/x86/kernel/setup.c 2011-03-21 18:31:35.000000000 -0400
13798 @@ -654,7 +654,7 @@ static void __init trim_bios_range(void)
13799 * area (640->1Mb) as ram even though it is not.
13802 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13803 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13804 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13807 @@ -790,14 +790,14 @@ void __init setup_arch(char **cmdline_p)
13809 if (!boot_params.hdr.root_flags)
13810 root_mountflags &= ~MS_RDONLY;
13811 - init_mm.start_code = (unsigned long) _text;
13812 - init_mm.end_code = (unsigned long) _etext;
13813 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13814 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13815 init_mm.end_data = (unsigned long) _edata;
13816 init_mm.brk = _brk_end;
13818 - code_resource.start = virt_to_phys(_text);
13819 - code_resource.end = virt_to_phys(_etext)-1;
13820 - data_resource.start = virt_to_phys(_etext);
13821 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13822 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13823 + data_resource.start = virt_to_phys(_sdata);
13824 data_resource.end = virt_to_phys(_edata)-1;
13825 bss_resource.start = virt_to_phys(&__bss_start);
13826 bss_resource.end = virt_to_phys(&__bss_stop)-1;
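Review bot: `data_resource.start` moves from `virt_to_phys(_etext)` to `virt_to_phys(_sdata)`, so whatever lies between `_etext` and `_sdata` (typically the read-only data sections) is no longer covered by either `code_resource` or `data_resource` and drops out of /proc/iomem's view of the kernel image. If that is intended — for example because that range is accounted for elsewhere in this patch — a comment at the assignment should say so; otherwise `_etext` was the right start or a third resource for the gap is needed. The `ktla_ktva()` wrapping of `_text`/`_etext` for the code range is consistent with the relocated-text handling elsewhere in this patch.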
13827 diff -urNp linux-2.6.38.1/arch/x86/kernel/setup_percpu.c linux-2.6.38.1/arch/x86/kernel/setup_percpu.c
13828 --- linux-2.6.38.1/arch/x86/kernel/setup_percpu.c 2011-03-14 21:20:32.000000000 -0400
13829 +++ linux-2.6.38.1/arch/x86/kernel/setup_percpu.c 2011-03-21 18:31:35.000000000 -0400
13830 @@ -21,19 +21,17 @@
13831 #include <asm/cpu.h>
13832 #include <asm/stackprotector.h>
13834 -DEFINE_PER_CPU(int, cpu_number);
13836 +DEFINE_PER_CPU(unsigned int, cpu_number);
13837 EXPORT_PER_CPU_SYMBOL(cpu_number);
13840 -#ifdef CONFIG_X86_64
13841 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13843 -#define BOOT_PERCPU_OFFSET 0
13846 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13847 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13849 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13850 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13851 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13853 EXPORT_SYMBOL(__per_cpu_offset);
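Review bot: `__per_cpu_offset[]` becomes `__read_only`, yet it is still assigned in `setup_per_cpu_areas()` (`per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu]` in a later hunk of this file) with no `pax_open_kernel()` around it; that only works if the read-only section is write-protected after that point in boot, a property the definition should state: `/* __read_only: written once in setup_per_cpu_areas(), protected afterwards */`. Dropping the `CONFIG_X86_64` guard so 32-bit also starts from `__per_cpu_load` rather than 0 changes where the boot CPU's early per-cpu accesses land and deserves its own sentence in the commit message.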
13854 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
13856 #ifdef CONFIG_X86_32
13857 struct desc_struct gdt;
13858 + unsigned long base = per_cpu_offset(cpu);
13860 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13861 - 0x2 | DESCTYPE_S, 0x8);
13863 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13864 + 0x83 | DESCTYPE_S, 0xC);
13865 write_gdt_entry(get_cpu_gdt_table(cpu),
13866 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
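Review bot: The limit expression `(VMALLOC_END - base - 1) >> PAGE_SHIFT` silently assumes `per_cpu_offset(cpu)` lies below `VMALLOC_END`; if it ever does not, the subtraction wraps and the segment becomes near-unbounded, defeating the point of replacing the old `0xFFFFF`. Make the assumption checkable, `BUG_ON(base >= VMALLOC_END);` before `pack_descriptor()`, and explain the new descriptor in one line: `/* bound the percpu %fs segment to [base, VMALLOC_END); 0x83 = present|accessed|RW data, 0xC = page-granular 32-bit */`. The intent appears to be to keep a corrupted per-cpu offset from addressing the rest of the kernel, but nothing in the hunk says so.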
13868 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
13869 /* alrighty, percpu areas up and running */
13870 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13871 for_each_possible_cpu(cpu) {
13872 +#ifdef CONFIG_CC_STACKPROTECTOR
13873 +#ifdef CONFIG_x86_32
13874 + unsigned long canary = per_cpu(stack_canary, cpu);
13877 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13878 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13879 per_cpu(cpu_number, cpu) = cpu;
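Review bot: `#ifdef CONFIG_x86_32` at 13873 is misspelled — Kconfig symbols are case-sensitive and the x86 one is `CONFIG_X86_32` — so the `canary` declaration is never compiled and this block is dead code. The same typo guards the matching store later in this function (`per_cpu(stack_canary, cpu) = canary`), and the two must be fixed together: correcting only the later one fails to compile on the undeclared `canary`, correcting only this one leaves an unused variable. Either change both to `#ifdef CONFIG_X86_32` or remove both if the canary preservation turns out to be unnecessary.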
13880 @@ -243,6 +246,12 @@ void __init setup_per_cpu_areas(void)
13881 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13884 +#ifdef CONFIG_CC_STACKPROTECTOR
13885 +#ifdef CONFIG_x86_32
13886 + if (cpu == boot_cpu_id)
13887 + per_cpu(stack_canary, cpu) = canary;
13891 * Up to this point, the boot CPU has been using .init.data
13892 * area. Reload any changed state for the boot CPU.
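Review bot: `#ifdef CONFIG_x86_32` at 13885 is misspelled (the Kconfig symbol is `CONFIG_X86_32`, and symbols are case-sensitive), so `per_cpu(stack_canary, cpu) = canary;` is never compiled and the boot CPU's canary is not carried over as this block intends. The `canary` it stores is declared under the same misspelled guard earlier in this function, so both occurrences must change in the same commit — `#ifdef CONFIG_X86_32` — or the build breaks on the undeclared variable. If the block is kept, add a comment saying why only the boot CPU needs its canary re-written after the per-cpu switch; nothing in the hunk explains it.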
13893 diff -urNp linux-2.6.38.1/arch/x86/kernel/signal.c linux-2.6.38.1/arch/x86/kernel/signal.c
13894 --- linux-2.6.38.1/arch/x86/kernel/signal.c 2011-03-14 21:20:32.000000000 -0400
13895 +++ linux-2.6.38.1/arch/x86/kernel/signal.c 2011-03-21 18:31:35.000000000 -0400
13896 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13897 * Align the stack pointer according to the i386 ABI,
13898 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13900 - sp = ((sp + 4) & -16ul) - 4;
13901 + sp = ((sp - 12) & -16ul) - 4;
13902 #else /* !CONFIG_X86_32 */
13903 sp = round_down(sp, 16) - 8;
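Review bot: The new alignment `((sp - 12) & -16ul) - 4` is exactly 16 bytes lower than the old `((sp + 4) & -16ul) - 4` for every input (both land in the same congruence class; the `-12` steps one slot down), so the frame now always sits one 16-byte slot further down the stack. That may be deliberate — the old form could return `sp` itself when `sp + 4` was already aligned — but the reason is not recorded and the comment above still states only the ABI rule. Extend it with the real motivation, e.g. `/* ABI: (sp + 4) & 15 == 0 on entry; additionally always step down one slot so the frame never starts at the incoming sp */`. align_sigframe() begins outside this hunk.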
13905 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13906 * Return an always-bogus address instead so we will die with SIGSEGV.
13908 if (onsigstack && !likely(on_sig_stack(sp)))
13909 - return (void __user *)-1L;
13910 + return (__force void __user *)-1L;
13912 /* save i387 state */
13913 if (used_math() && save_i387_xstate(*fpstate) < 0)
13914 - return (void __user *)-1L;
13915 + return (__force void __user *)-1L;
13917 return (void __user *)sp;
13919 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13922 if (current->mm->context.vdso)
13923 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13924 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13926 - restorer = &frame->retcode;
13927 + restorer = (void __user *)&frame->retcode;
13928 if (ka->sa.sa_flags & SA_RESTORER)
13929 restorer = ka->sa.sa_restorer;
13931 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13932 * reasons and because gdb uses it as a signature to notice
13933 * signal handler stack frames.
13935 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13936 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13940 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
13941 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13943 /* Set up to return from userspace. */
13944 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13945 + if (current->mm->context.vdso)
13946 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13948 + restorer = (void __user *)&frame->retcode;
13949 if (ka->sa.sa_flags & SA_RESTORER)
13950 restorer = ka->sa.sa_restorer;
13951 put_user_ex(restorer, &frame->pretcode);
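Review bot: The new fallback `restorer = (void __user *)&frame->retcode;` when there is no vDSO replaces an unconditional computation from a possibly-NULL `context.vdso`, but it only works if the task can execute the trampoline written into `frame->retcode` on its own stack — an executable stack or kernel-side trampoline emulation; under a non-executable stack a handler installed without `SA_RESTORER` will fault on return. That precondition belongs next to the fallback: `/* no vDSO: fall back to the on-stack trampoline; needs an executable stack or trampoline emulation (libc normally sets SA_RESTORER) */`. __setup_rt_frame() continues outside this hunk.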
13952 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
13953 * reasons and because gdb uses it as a signature to notice
13954 * signal handler stack frames.
13956 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13957 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13958 } put_user_catch(err);
13961 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
13962 * X86_32: vm86 regs switched out by assembly code before reaching
13963 * here, so testing against kernel CS suffices.
13965 - if (!user_mode(regs))
13966 + if (!user_mode_novm(regs))
13969 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13970 diff -urNp linux-2.6.38.1/arch/x86/kernel/smpboot.c linux-2.6.38.1/arch/x86/kernel/smpboot.c
13971 --- linux-2.6.38.1/arch/x86/kernel/smpboot.c 2011-03-14 21:20:32.000000000 -0400
13972 +++ linux-2.6.38.1/arch/x86/kernel/smpboot.c 2011-03-21 18:31:35.000000000 -0400
13973 @@ -783,7 +783,11 @@ do_rest:
13974 (unsigned long)task_stack_page(c_idle.idle) -
13975 KERNEL_STACK_OFFSET + THREAD_SIZE;
13978 + pax_open_kernel();
13979 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13980 + pax_close_kernel();
13982 initial_code = (unsigned long)start_secondary;
13983 stack_start = c_idle.idle->thread.sp;
13985 @@ -923,6 +927,12 @@ int __cpuinit native_cpu_up(unsigned int
13987 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13989 +#ifdef CONFIG_PAX_PER_CPU_PGD
13990 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13991 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13992 + KERNEL_PGD_PTRS);
13995 err = do_boot_cpu(apicid, cpu);
13997 pr_debug("do_boot_cpu failed %d\n", err);
13998 diff -urNp linux-2.6.38.1/arch/x86/kernel/step.c linux-2.6.38.1/arch/x86/kernel/step.c
13999 --- linux-2.6.38.1/arch/x86/kernel/step.c 2011-03-14 21:20:32.000000000 -0400
14000 +++ linux-2.6.38.1/arch/x86/kernel/step.c 2011-03-21 18:31:35.000000000 -0400
14001 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
14002 struct desc_struct *desc;
14003 unsigned long base;
14008 mutex_lock(&child->mm->context.lock);
14009 - if (unlikely((seg >> 3) >= child->mm->context.size))
14010 + if (unlikely(seg >= child->mm->context.size))
14011 addr = -1L; /* bogus selector, access would fault */
14013 desc = child->mm->context.ldt + seg;
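Review bot: The bound check now compares `seg` directly with `child->mm->context.size` (a descriptor count) where the old code compared `seg >> 3`, and `seg` is then used as an index in `context.ldt + seg`; this is only consistent if `seg` was converted to a descriptor index on the lines between 14003 and 14008, which are not rendered here. If it was (e.g. `seg >>= 3;` in place of the old `seg &= ~7UL;`), this quietly fixes a mismatch in the original, where a byte offset indexed a `struct desc_struct` array, and deserves a mention in the commit message as a bug fix in its own right; if it was not, the check is now eight times too loose. A comment at the check, `/* seg is a descriptor index here, not a selector */`, pins the intended invariant either way. convert_ip_to_linear() starts before this hunk.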
14014 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
14017 mutex_unlock(&child->mm->context.lock);
14019 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
14020 + addr = ktla_ktva(addr);
14024 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
14025 unsigned char opcode[15];
14026 unsigned long addr = convert_ip_to_linear(child, regs);
14028 + if (addr == -EINVAL)
14031 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
14032 for (i = 0; i < copied; i++) {
14033 switch (opcode[i]) {
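Review bot: The new early-out `if (addr == -EINVAL) return 0;` tests a sentinel that `convert_ip_to_linear()` does not appear to produce: its bogus-selector path in the previous hunk assigns `addr = -1L`, and no `-EINVAL` return is visible in this file's changes, so the guard is dead for the case it seems meant for (the subsequent `access_process_vm()` on `-1L` simply fails and `copied` stays 0, so behavior remains safe). Either compare against the value actually returned, `if (addr == -1UL) return 0;`, or make the producer return `-EINVAL` consistently, and mark the line `/* bogus selector */` so the two sides stay in sync. If a `-EINVAL` path exists outside the rendered lines, a comment pointing at it would remove the ambiguity.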
14034 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
14036 #ifdef CONFIG_X86_64
14037 case 0x40 ... 0x4f:
14038 - if (regs->cs != __USER_CS)
14039 + if ((regs->cs & 0xffff) != __USER_CS)
14040 /* 32-bit mode: register increment */
14042 /* 64-bit mode: REX prefix */
14043 diff -urNp linux-2.6.38.1/arch/x86/kernel/syscall_table_32.S linux-2.6.38.1/arch/x86/kernel/syscall_table_32.S
14044 --- linux-2.6.38.1/arch/x86/kernel/syscall_table_32.S 2011-03-14 21:20:32.000000000 -0400
14045 +++ linux-2.6.38.1/arch/x86/kernel/syscall_table_32.S 2011-03-21 18:31:35.000000000 -0400
14047 +.section .rodata,"a",@progbits
14048 ENTRY(sys_call_table)
14049 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
14051 diff -urNp linux-2.6.38.1/arch/x86/kernel/sys_i386_32.c linux-2.6.38.1/arch/x86/kernel/sys_i386_32.c
14052 --- linux-2.6.38.1/arch/x86/kernel/sys_i386_32.c 2011-03-14 21:20:32.000000000 -0400
14053 +++ linux-2.6.38.1/arch/x86/kernel/sys_i386_32.c 2011-03-21 23:47:41.000000000 -0400
14054 @@ -24,17 +24,224 @@
14056 #include <asm/syscalls.h>
14059 - * Do a system call from kernel instead of calling sys_execve so we
14060 - * end up with proper pt_regs.
14062 -int kernel_execve(const char *filename,
14063 - const char *const argv[],
14064 - const char *const envp[])
14065 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
14068 - asm volatile ("int $0x80"
14070 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
14072 + unsigned long pax_task_size = TASK_SIZE;
14074 +#ifdef CONFIG_PAX_SEGMEXEC
14075 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
14076 + pax_task_size = SEGMEXEC_TASK_SIZE;
14079 + if (len > pax_task_size || addr > pax_task_size - len)
14086 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
14087 + unsigned long len, unsigned long pgoff, unsigned long flags)
14089 + struct mm_struct *mm = current->mm;
14090 + struct vm_area_struct *vma;
14091 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14093 +#ifdef CONFIG_PAX_SEGMEXEC
14094 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14095 + pax_task_size = SEGMEXEC_TASK_SIZE;
14098 + pax_task_size -= PAGE_SIZE;
14100 + if (len > pax_task_size)
14103 + if (flags & MAP_FIXED)
14106 +#ifdef CONFIG_PAX_RANDMMAP
14107 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14111 + addr = PAGE_ALIGN(addr);
14112 + if (pax_task_size - len >= addr) {
14113 + vma = find_vma(mm, addr);
14114 + if (check_heap_stack_gap(vma, addr, len))
14118 + if (len > mm->cached_hole_size) {
14119 + start_addr = addr = mm->free_area_cache;
14121 + start_addr = addr = mm->mmap_base;
14122 + mm->cached_hole_size = 0;
14125 +#ifdef CONFIG_PAX_PAGEEXEC
14126 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14127 + start_addr = 0x00110000UL;
14129 +#ifdef CONFIG_PAX_RANDMMAP
14130 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14131 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14134 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14135 + start_addr = addr = mm->mmap_base;
14137 + addr = start_addr;
14142 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14143 + /* At this point: (!vma || addr < vma->vm_end). */
14144 + if (pax_task_size - len < addr) {
14146 + * Start a new search - just in case we missed
14149 + if (start_addr != mm->mmap_base) {
14150 + start_addr = addr = mm->mmap_base;
14151 + mm->cached_hole_size = 0;
14152 + goto full_search;
14156 + if (check_heap_stack_gap(vma, addr, len))
14158 + if (addr + mm->cached_hole_size < vma->vm_start)
14159 + mm->cached_hole_size = vma->vm_start - addr;
14160 + addr = vma->vm_end;
14161 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14162 + start_addr = addr = mm->mmap_base;
14163 + mm->cached_hole_size = 0;
14164 + goto full_search;
14169 + * Remember the place where we stopped the search:
14171 + mm->free_area_cache = addr + len;
14176 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14177 + const unsigned long len, const unsigned long pgoff,
14178 + const unsigned long flags)
14180 + struct vm_area_struct *vma;
14181 + struct mm_struct *mm = current->mm;
14182 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14184 +#ifdef CONFIG_PAX_SEGMEXEC
14185 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14186 + pax_task_size = SEGMEXEC_TASK_SIZE;
14189 + pax_task_size -= PAGE_SIZE;
14191 + /* requested length too big for entire address space */
14192 + if (len > pax_task_size)
14195 + if (flags & MAP_FIXED)
14198 +#ifdef CONFIG_PAX_PAGEEXEC
14199 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14203 +#ifdef CONFIG_PAX_RANDMMAP
14204 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14207 + /* requesting a specific address */
14209 + addr = PAGE_ALIGN(addr);
14210 + if (pax_task_size - len >= addr) {
14211 + vma = find_vma(mm, addr);
14212 + if (check_heap_stack_gap(vma, addr, len))
14217 + /* check if free_area_cache is useful for us */
14218 + if (len <= mm->cached_hole_size) {
14219 + mm->cached_hole_size = 0;
14220 + mm->free_area_cache = mm->mmap_base;
14223 + /* either no address requested or can't fit in requested address hole */
14224 + addr = mm->free_area_cache;
14226 + /* make sure it can fit in the remaining address space */
14227 + if (addr > len) {
14228 + vma = find_vma(mm, addr-len);
14229 + if (check_heap_stack_gap(vma, addr - len, len))
14230 + /* remember the address as a hint for next time */
14231 + return (mm->free_area_cache = addr-len);
14234 + if (mm->mmap_base < len)
14237 + addr = mm->mmap_base-len;
14241 + * Lookup failure means no vma is above this address,
14242 + * else if new region fits below vma->vm_start,
14243 + * return with success:
14245 + vma = find_vma(mm, addr);
14246 + if (check_heap_stack_gap(vma, addr, len))
14247 + /* remember the address as a hint for next time */
14248 + return (mm->free_area_cache = addr);
14250 + /* remember the largest hole we saw so far */
14251 + if (addr + mm->cached_hole_size < vma->vm_start)
14252 + mm->cached_hole_size = vma->vm_start - addr;
14254 + /* try just below the current vma->vm_start */
14255 + addr = skip_heap_stack_gap(vma, len);
14256 + } while (!IS_ERR_VALUE(addr));
14260 + * A failed mmap() very likely causes application failure,
14261 + * so fall back to the bottom-up function here. This scenario
14262 + * can happen with large stack limits and large mmap()
14266 +#ifdef CONFIG_PAX_SEGMEXEC
14267 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14268 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14272 + mm->mmap_base = TASK_UNMAPPED_BASE;
14274 +#ifdef CONFIG_PAX_RANDMMAP
14275 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14276 + mm->mmap_base += mm->delta_mmap;
14279 + mm->free_area_cache = mm->mmap_base;
14280 + mm->cached_hole_size = ~0UL;
14281 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14283 + * Restore the topdown base:
14285 + mm->mmap_base = base;
14286 + mm->free_area_cache = base;
14287 + mm->cached_hole_size = ~0UL;
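Review bot: The PAGEEXEC special case in arch_get_unmapped_area uses two unexplained constants, `start_addr = 0x00110000UL;` and the mask `0x03FFF000UL` applied to delta_mmap, and nothing in the function says why executable mappings are forced that low when NX is unavailable; presumably this keeps them under the segment-limit-based exec tracking, and a one-line comment stating that and how the mask width was chosen would help. The SEGMEXEC task-size computation is also repeated verbatim in i386_mmap_check, arch_get_unmapped_area and arch_get_unmapped_area_topdown; a small static inline helper returning the effective task size for an mm would keep the three in step. Note that the hunk also deletes kernel_execve from this file; it is presumably provided elsewhere in the patch, but that is not visible here.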
14291 diff -urNp linux-2.6.38.1/arch/x86/kernel/sys_x86_64.c linux-2.6.38.1/arch/x86/kernel/sys_x86_64.c
14292 --- linux-2.6.38.1/arch/x86/kernel/sys_x86_64.c 2011-03-14 21:20:32.000000000 -0400
14293 +++ linux-2.6.38.1/arch/x86/kernel/sys_x86_64.c 2011-03-21 23:47:41.000000000 -0400
14294 @@ -32,8 +32,8 @@ out:
14298 -static void find_start_end(unsigned long flags, unsigned long *begin,
14299 - unsigned long *end)
14300 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14301 + unsigned long *begin, unsigned long *end)
14303 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14304 unsigned long new_begin;
14305 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
14306 *begin = new_begin;
14309 - *begin = TASK_UNMAPPED_BASE;
14310 + *begin = mm->mmap_base;
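Review bot: find_start_end now seeds the bottom-up search from `*begin = mm->mmap_base;` instead of TASK_UNMAPPED_BASE, which is only correct while mmap_base is a bottom-up base; under the top-down layout mmap_base is the top of the mmap area, and the fallback in arch_get_unmapped_area_topdown later in this file has to rewrite mm->mmap_base before calling arch_get_unmapped_area for this to work. That coupling deserves a comment here, e.g. `/* mmap_base is the (randomized) bottom-up base; the topdown fallback rewrites it before calling us */`. find_start_end's body starts before this hunk.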
14314 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
14315 if (flags & MAP_FIXED)
14318 - find_start_end(flags, &begin, &end);
14319 + find_start_end(mm, flags, &begin, &end);
14324 +#ifdef CONFIG_PAX_RANDMMAP
14325 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14329 addr = PAGE_ALIGN(addr);
14330 vma = find_vma(mm, addr);
14331 - if (end - len >= addr &&
14332 - (!vma || addr + len <= vma->vm_start))
14333 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14336 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14337 @@ -106,7 +109,7 @@ full_search:
14341 - if (!vma || addr + len <= vma->vm_start) {
14342 + if (check_heap_stack_gap(vma, addr, len)) {
14344 * Remember the place where we stopped the search:
14346 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
14348 struct vm_area_struct *vma;
14349 struct mm_struct *mm = current->mm;
14350 - unsigned long addr = addr0;
14351 + unsigned long base = mm->mmap_base, addr = addr0;
14353 /* requested length too big for entire address space */
14354 if (len > TASK_SIZE)
14355 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
14356 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14359 +#ifdef CONFIG_PAX_RANDMMAP
14360 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14363 /* requesting a specific address */
14365 addr = PAGE_ALIGN(addr);
14366 - vma = find_vma(mm, addr);
14367 - if (TASK_SIZE - len >= addr &&
14368 - (!vma || addr + len <= vma->vm_start))
14370 + if (TASK_SIZE - len >= addr) {
14371 + vma = find_vma(mm, addr);
14372 + if (check_heap_stack_gap(vma, addr, len))
14377 /* check if free_area_cache is useful for us */
14378 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
14379 /* make sure it can fit in the remaining address space */
14381 vma = find_vma(mm, addr-len);
14382 - if (!vma || addr <= vma->vm_start)
14383 + if (check_heap_stack_gap(vma, addr - len, len))
14384 /* remember the address as a hint for next time */
14385 return mm->free_area_cache = addr-len;
14387 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
14388 * return with success:
14390 vma = find_vma(mm, addr);
14391 - if (!vma || addr+len <= vma->vm_start)
14392 + if (check_heap_stack_gap(vma, addr, len))
14393 /* remember the address as a hint for next time */
14394 return mm->free_area_cache = addr;
14396 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
14397 mm->cached_hole_size = vma->vm_start - addr;
14399 /* try just below the current vma->vm_start */
14400 - addr = vma->vm_start-len;
14401 - } while (len < vma->vm_start);
14402 + addr = skip_heap_stack_gap(vma, len);
14403 + } while (!IS_ERR_VALUE(addr));
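Review bot: The removed loop condition `while (len < vma->vm_start)` was what prevented `addr = vma->vm_start - len` from wrapping below zero; with the new form that protection lives entirely inside skip_heap_stack_gap(), which is not visible here, so it must return an error value rather than a wrapped address whenever vma->vm_start minus the gap is smaller than len. If it guarantees that, `IS_ERR_VALUE` is the right termination test; if it can ever return a small valid-looking address, the topdown search could hand out a range overlapping page 0, so the guarantee is worth confirming and stating in that helper's comment. arch_get_unmapped_area_topdown continues outside this hunk.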
14407 @@ -198,13 +206,21 @@ bottomup:
14408 * can happen with large stack limits and large mmap()
14411 + mm->mmap_base = TASK_UNMAPPED_BASE;
14413 +#ifdef CONFIG_PAX_RANDMMAP
14414 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14415 + mm->mmap_base += mm->delta_mmap;
14418 + mm->free_area_cache = mm->mmap_base;
14419 mm->cached_hole_size = ~0UL;
14420 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14421 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14423 * Restore the topdown base:
14425 - mm->free_area_cache = mm->mmap_base;
14426 + mm->mmap_base = base;
14427 + mm->free_area_cache = base;
14428 mm->cached_hole_size = ~0UL;
14431 diff -urNp linux-2.6.38.1/arch/x86/kernel/time.c linux-2.6.38.1/arch/x86/kernel/time.c
14432 --- linux-2.6.38.1/arch/x86/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
14433 +++ linux-2.6.38.1/arch/x86/kernel/time.c 2011-03-21 18:31:35.000000000 -0400
14434 @@ -22,17 +22,13 @@
14435 #include <asm/hpet.h>
14436 #include <asm/time.h>
14438 -#ifdef CONFIG_X86_64
14439 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14442 unsigned long profile_pc(struct pt_regs *regs)
14444 unsigned long pc = instruction_pointer(regs);
14446 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14447 + if (!user_mode(regs) && in_lock_functions(pc)) {
14448 #ifdef CONFIG_FRAME_POINTER
14449 - return *(unsigned long *)(regs->bp + sizeof(long));
14450 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14452 unsigned long *sp =
14453 (unsigned long *)kernel_stack_pointer(regs);
14454 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
14455 * or above a saved flags. Eflags has bits 22-31 zero,
14456 * kernel addresses don't.
14459 +#ifdef CONFIG_PAX_KERNEXEC
14460 + return ktla_ktva(sp[0]);
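Review bot: The KERNEXEC branch returns `ktla_ktva(sp[0])` unconditionally, but the comment immediately above it still describes the two-slot heuristic (return address either at sp[0] or above saved flags, told apart by bits 22-31), which this branch no longer applies; either keep the sp[1] fallback under KERNEXEC or move that comment into the non-KERNEXEC branch so it does not describe logic that is compiled out. A short note on why the heuristic is not used once kernel text is relocated would also help. profile_pc's body starts before this hunk and the remainder of the branch is not in view.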
14472 diff -urNp linux-2.6.38.1/arch/x86/kernel/tls.c linux-2.6.38.1/arch/x86/kernel/tls.c
14473 --- linux-2.6.38.1/arch/x86/kernel/tls.c 2011-03-14 21:20:32.000000000 -0400
14474 +++ linux-2.6.38.1/arch/x86/kernel/tls.c 2011-03-21 18:31:35.000000000 -0400
14475 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14476 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14479 +#ifdef CONFIG_PAX_SEGMEXEC
14480 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14484 set_tls_desc(p, idx, &info, 1);
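Review bot: The new SEGMEXEC rejection of TLS descriptors with `MODIFY_LDT_CONTENTS_CODE` set carries no comment, so a reader of do_set_thread_area will not know why a code segment in the GDT TLS slots is refused; something like `/* SEGMEXEC: a user-installed code descriptor would let code execute outside the split code/data halves */` (wording to be confirmed against the SEGMEXEC design) would do. The error returned in the elided line is presumably -EINVAL. The function's body continues outside this hunk.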
14487 diff -urNp linux-2.6.38.1/arch/x86/kernel/trampoline_32.S linux-2.6.38.1/arch/x86/kernel/trampoline_32.S
14488 --- linux-2.6.38.1/arch/x86/kernel/trampoline_32.S 2011-03-14 21:20:32.000000000 -0400
14489 +++ linux-2.6.38.1/arch/x86/kernel/trampoline_32.S 2011-03-21 18:31:35.000000000 -0400
14491 #include <asm/segment.h>
14492 #include <asm/page_types.h>
14494 +#ifdef CONFIG_PAX_KERNEXEC
14497 +#define ta(X) ((X) - __PAGE_OFFSET)
14500 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14503 @@ -60,7 +66,7 @@ r_base = .
14504 inc %ax # protected mode (PE) bit
14505 lmsw %ax # into protected mode
14506 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14507 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14508 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14510 # These need to be in the same 64K segment as the above;
14511 # hence we don't use the boot_gdt_descr defined in head.S
14512 diff -urNp linux-2.6.38.1/arch/x86/kernel/trampoline_64.S linux-2.6.38.1/arch/x86/kernel/trampoline_64.S
14513 --- linux-2.6.38.1/arch/x86/kernel/trampoline_64.S 2011-03-14 21:20:32.000000000 -0400
14514 +++ linux-2.6.38.1/arch/x86/kernel/trampoline_64.S 2011-03-21 18:31:35.000000000 -0400
14515 @@ -91,7 +91,7 @@ startup_32:
14516 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
14519 - movl $X86_CR4_PAE, %eax
14520 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14521 movl %eax, %cr4 # Enable PAE mode
14523 # Setup trampoline 4 level pagetables
14524 @@ -138,7 +138,7 @@ tidt:
14525 # so the kernel can live anywhere
14528 - .short tgdt_end - tgdt # gdt limit
14529 + .short tgdt_end - tgdt - 1 # gdt limit
14530 .long tgdt - r_base
14532 .quad 0x00cf9b000000ffff # __KERNEL32_CS
14533 diff -urNp linux-2.6.38.1/arch/x86/kernel/traps.c linux-2.6.38.1/arch/x86/kernel/traps.c
14534 --- linux-2.6.38.1/arch/x86/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
14535 +++ linux-2.6.38.1/arch/x86/kernel/traps.c 2011-03-21 18:31:35.000000000 -0400
14536 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14538 /* Do we ignore FPU interrupts ? */
14539 char ignore_fpu_irq;
14542 - * The IDT has to be page-aligned to simplify the Pentium
14543 - * F0 0F bug workaround.
14545 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14548 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14549 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
14552 static void __kprobes
14553 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14554 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14555 long error_code, siginfo_t *info)
14557 struct task_struct *tsk = current;
14559 #ifdef CONFIG_X86_32
14560 - if (regs->flags & X86_VM_MASK) {
14561 + if (v8086_mode(regs)) {
14563 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14564 * On nmi (interrupt 2), do_trap should not be called.
14565 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
14569 - if (!user_mode(regs))
14570 + if (!user_mode_novm(regs))
14573 #ifdef CONFIG_X86_32
14574 @@ -157,7 +151,7 @@ trap_signal:
14575 printk_ratelimit()) {
14577 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14578 - tsk->comm, tsk->pid, str,
14579 + tsk->comm, task_pid_nr(tsk), str,
14580 regs->ip, regs->sp, error_code);
14581 print_vma_addr(" in ", regs->ip);
14583 @@ -174,8 +168,20 @@ kernel_trap:
14584 if (!fixup_exception(regs)) {
14585 tsk->thread.error_code = error_code;
14586 tsk->thread.trap_no = trapnr;
14588 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14589 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14590 + str = "PAX: suspicious stack segment fault";
14593 die(str, regs, error_code);
14596 +#ifdef CONFIG_PAX_REFCOUNT
14598 + pax_report_refcount_overflow(regs);
14603 #ifdef CONFIG_X86_32
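Review bot: The bare `12` in the KERNEXEC check inside kernel_trap is the #SS vector, and since this tree has no X86_TRAP_* names a comment is the minimum, e.g. `/* trap 12 (#SS) raised while running on a kernel CS is never legitimate: report it as an attack */`. It is also worth stating why the refcount report sits after die() rather than inside the !fixup_exception branch; if, as the placement suggests, the overflow path relies on fixup_exception() succeeding and is only reported afterwards, say so next to the `#ifdef CONFIG_PAX_REFCOUNT`. do_trap continues outside this hunk and the refcount condition itself is in an elided line.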
14604 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
14605 conditional_sti(regs);
14607 #ifdef CONFIG_X86_32
14608 - if (regs->flags & X86_VM_MASK)
14609 + if (v8086_mode(regs))
14614 - if (!user_mode(regs))
14615 + if (!user_mode_novm(regs))
14618 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14619 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14620 + struct mm_struct *mm = tsk->mm;
14621 + unsigned long limit;
14623 + down_write(&mm->mmap_sem);
14624 + limit = mm->context.user_cs_limit;
14625 + if (limit < TASK_SIZE) {
14626 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14627 + up_write(&mm->mmap_sem);
14630 + up_write(&mm->mmap_sem);
14634 tsk->thread.error_code = error_code;
14635 tsk->thread.trap_no = 13;
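Review bot: The PAGEEXEC block in do_general_protection widens the CS limit to TASK_SIZE on any user-mode #GP while `limit < TASK_SIZE`, without checking that the fault was really an instruction fetch beyond the tracked limit (neither error_code nor regs->ip is consulted), and then returns so the instruction is retried. That appears intended, because an unrelated #GP re-faults with the limit already at TASK_SIZE and falls through to the signal path on the second trap, but the extra round trip and the reasoning are not obvious and deserve a comment such as `/* no NX: treat a #GP with limit < TASK_SIZE as an exec beyond the tracked CS limit; widen and retry, paging-based PAGEEXEC takes over */`. do_general_protection continues outside this hunk.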
14637 @@ -304,6 +326,13 @@ gp_in_kernel:
14638 if (notify_die(DIE_GPF, "general protection fault", regs,
14639 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14642 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14643 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14644 + die("PAX: suspicious general protection fault", regs, error_code);
14648 die("general protection fault", regs, error_code);
14651 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
14652 /* It's safe to allow irq's after DR6 has been saved */
14653 preempt_conditional_sti(regs);
14655 - if (regs->flags & X86_VM_MASK) {
14656 + if (v8086_mode(regs)) {
14657 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14659 preempt_conditional_cli(regs);
14660 @@ -583,7 +612,7 @@ dotraplinkage void __kprobes do_debug(st
14661 * We already checked v86 mode above, so we can check for kernel mode
14662 * by just checking the CPL of CS.
14664 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14665 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14666 tsk->thread.debugreg6 &= ~DR_STEP;
14667 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14668 regs->flags &= ~X86_EFLAGS_TF;
14669 @@ -612,7 +641,7 @@ void math_error(struct pt_regs *regs, in
14671 conditional_sti(regs);
14673 - if (!user_mode_vm(regs))
14674 + if (!user_mode(regs))
14676 if (!fixup_exception(regs)) {
14677 task->thread.error_code = error_code;
14678 diff -urNp linux-2.6.38.1/arch/x86/kernel/tsc.c linux-2.6.38.1/arch/x86/kernel/tsc.c
14679 --- linux-2.6.38.1/arch/x86/kernel/tsc.c 2011-03-14 21:20:32.000000000 -0400
14680 +++ linux-2.6.38.1/arch/x86/kernel/tsc.c 2011-03-21 18:31:35.000000000 -0400
14681 @@ -837,7 +837,7 @@ static struct dmi_system_id __initdata b
14682 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14686 + { NULL, NULL, {{0, {0}}}, NULL}
14689 static void __init check_system_tsc_reliable(void)
14690 diff -urNp linux-2.6.38.1/arch/x86/kernel/vm86_32.c linux-2.6.38.1/arch/x86/kernel/vm86_32.c
14691 --- linux-2.6.38.1/arch/x86/kernel/vm86_32.c 2011-03-14 21:20:32.000000000 -0400
14692 +++ linux-2.6.38.1/arch/x86/kernel/vm86_32.c 2011-03-21 18:31:35.000000000 -0400
14694 #include <linux/ptrace.h>
14695 #include <linux/audit.h>
14696 #include <linux/stddef.h>
14697 +#include <linux/grsecurity.h>
14699 #include <asm/uaccess.h>
14700 #include <asm/io.h>
14701 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14705 - tss = &per_cpu(init_tss, get_cpu());
14706 + tss = init_tss + get_cpu();
14707 current->thread.sp0 = current->thread.saved_sp0;
14708 current->thread.sysenter_cs = __KERNEL_CS;
14709 load_sp0(tss, ¤t->thread);
14710 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
14711 struct task_struct *tsk;
14712 int tmp, ret = -EPERM;
14714 +#ifdef CONFIG_GRKERNSEC_VM86
14715 + if (!capable(CAP_SYS_RAWIO)) {
14716 + gr_handle_vm86();
14722 if (tsk->thread.saved_sp0)
14724 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
14726 struct vm86plus_struct __user *v86;
14728 +#ifdef CONFIG_GRKERNSEC_VM86
14729 + if (!capable(CAP_SYS_RAWIO)) {
14730 + gr_handle_vm86();
14738 case VM86_REQUEST_IRQ:
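Review bot: The CAP_SYS_RAWIO gate added here repeats verbatim the one added to sys_vm86old above, and both presumably return -EPERM in the elided lines; a single `static int vm86_check_perm(void)` that performs the capable() test and calls gr_handle_vm86() would keep the two entry points in step when the policy changes. In sys_vm86 the check also runs ahead of the purely informational cmds in the switch below, so unprivileged probes will now fail early; if that is intentional, a one-line comment saying so would pre-empt the question. sys_vm86's body continues outside this hunk.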
14739 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
14740 tsk->thread.saved_fs = info->regs32->fs;
14741 tsk->thread.saved_gs = get_user_gs(info->regs32);
14743 - tss = &per_cpu(init_tss, get_cpu());
14744 + tss = init_tss + get_cpu();
14745 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14747 tsk->thread.sysenter_cs = 0;
14748 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
14749 goto cannot_handle;
14750 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14751 goto cannot_handle;
14752 - intr_ptr = (unsigned long __user *) (i << 2);
14753 + intr_ptr = (__force unsigned long __user *) (i << 2);
14754 if (get_user(segoffs, intr_ptr))
14755 goto cannot_handle;
14756 if ((segoffs >> 16) == BIOSSEG)
14757 diff -urNp linux-2.6.38.1/arch/x86/kernel/vmlinux.lds.S linux-2.6.38.1/arch/x86/kernel/vmlinux.lds.S
14758 --- linux-2.6.38.1/arch/x86/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
14759 +++ linux-2.6.38.1/arch/x86/kernel/vmlinux.lds.S 2011-03-21 18:31:35.000000000 -0400
14761 #include <asm/page_types.h>
14762 #include <asm/cache.h>
14763 #include <asm/boot.h>
14764 +#include <asm/segment.h>
14766 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14767 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14769 +#define __KERNEL_TEXT_OFFSET 0
14772 #undef i386 /* in case the preprocessor is a 32bit one */
14774 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14775 #ifdef CONFIG_X86_32
14777 ENTRY(phys_startup_32)
14778 -jiffies = jiffies_64;
14780 OUTPUT_ARCH(i386:x86-64)
14781 ENTRY(phys_startup_64)
14782 -jiffies_64 = jiffies;
14785 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14786 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
14789 text PT_LOAD FLAGS(5); /* R_E */
14790 +#ifdef CONFIG_X86_32
14791 + module PT_LOAD FLAGS(5); /* R_E */
14794 + rodata PT_LOAD FLAGS(5); /* R_E */
14796 + rodata PT_LOAD FLAGS(4); /* R__ */
14798 data PT_LOAD FLAGS(6); /* RW_ */
14799 #ifdef CONFIG_X86_64
14800 user PT_LOAD FLAGS(5); /* R_E */
14802 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14804 percpu PT_LOAD FLAGS(6); /* RW_ */
14806 + text.init PT_LOAD FLAGS(5); /* R_E */
14807 + text.exit PT_LOAD FLAGS(5); /* R_E */
14808 init PT_LOAD FLAGS(7); /* RWE */
14810 note PT_NOTE FLAGS(0); /* ___ */
14815 #ifdef CONFIG_X86_32
14816 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14817 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14818 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14820 - . = __START_KERNEL;
14821 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14822 + . = __START_KERNEL;
14825 /* Text and read-only data */
14826 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14828 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14829 /* bootstrapping code */
14830 +#ifdef CONFIG_X86_32
14831 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14833 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14835 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14838 #ifdef CONFIG_X86_32
14839 . = ALIGN(PAGE_SIZE);
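Review bot: One branch of the new PHDRS declares `rodata PT_LOAD FLAGS(5); /* R_E */`, an executable read-only segment, while the other uses R__, and the condition selecting the executable variant is in a line not shown here with no comment saying which configuration needs rodata executable or why. Executable rodata weakens the text/rodata split that the rest of this hunk (separate module, text.init and text.exit segments) is building, so the `#if` deserves a one-line justification naming the loader or configuration that cannot cope with a non-executable rodata segment. The PHDRS block is complete in this hunk but the SECTIONS that use it follow outside it.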
14840 @@ -108,13 +128,47 @@ SECTIONS
14844 - /* End of text section */
14848 - NOTES :text :note
14849 + . += __KERNEL_TEXT_OFFSET;
14851 +#ifdef CONFIG_X86_32
14852 + . = ALIGN(PAGE_SIZE);
14853 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14855 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14856 + MODULES_EXEC_VADDR = .;
14858 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14859 + . = ALIGN(HPAGE_SIZE);
14860 + MODULES_EXEC_END = . - 1;
14866 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14867 + /* End of text section */
14868 + _etext = . - __KERNEL_TEXT_OFFSET;
14871 - EXCEPTION_TABLE(16) :text = 0x9090
14872 +#ifdef CONFIG_X86_32
14873 + . = ALIGN(PAGE_SIZE);
14874 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14876 + . = ALIGN(PAGE_SIZE);
14877 + *(.empty_zero_page)
14878 + *(.initial_pg_fixmap)
14879 + *(.initial_pg_pmd)
14880 + *(.initial_page_table)
14881 + *(.swapper_pg_dir)
14885 + . = ALIGN(PAGE_SIZE);
14886 + NOTES :rodata :note
14888 + EXCEPTION_TABLE(16) :rodata
14890 #if defined(CONFIG_DEBUG_RODATA)
14891 /* .text should occupy whole number of pages */
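Review bot: `.rodata.page_aligned` now holds `swapper_pg_dir`, `initial_page_table`, the initial PMD/fixmap tables and `empty_zero_page`, objects that are written at least during boot (and, for the kernel pgd, presumably afterwards as well), so every writer must bracket its stores with the WP-toggling pax_open_kernel()/pax_close_kernel() pair this patch uses elsewhere, such as the TSS descriptor writes in kvm; that constraint is stated nowhere in the linker script. A comment at the section, e.g. `/* page tables live in rodata: every writer must use pax_open_kernel()/pax_close_kernel() */`, would keep the next pgd update from faulting. The SECTIONS block continues outside this hunk.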
14892 @@ -126,16 +180,20 @@ SECTIONS
14895 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14897 +#ifdef CONFIG_PAX_KERNEXEC
14898 + . = ALIGN(HPAGE_SIZE);
14900 + . = ALIGN(PAGE_SIZE);
14903 /* Start of data section */
14907 INIT_TASK_DATA(THREAD_SIZE)
14909 -#ifdef CONFIG_X86_32
14910 - /* 32 bit has nosave before _edata */
14914 PAGE_ALIGNED_DATA(PAGE_SIZE)
14916 @@ -144,6 +202,8 @@ SECTIONS
14920 + jiffies = jiffies_64;
14922 /* rarely changed data like cpu maps */
14923 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
14925 @@ -198,12 +258,6 @@ SECTIONS
14927 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14929 - . = ALIGN(L1_CACHE_BYTES);
14930 - .jiffies : AT(VLOAD(.jiffies)) {
14933 - jiffies = VVIRT(.jiffies);
14935 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14938 @@ -219,12 +273,19 @@ SECTIONS
14939 #endif /* CONFIG_X86_64 */
14941 /* Init code and data - will be freed after init */
14942 - . = ALIGN(PAGE_SIZE);
14943 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14946 +#ifdef CONFIG_PAX_KERNEXEC
14947 + . = ALIGN(HPAGE_SIZE);
14949 + . = ALIGN(PAGE_SIZE);
14952 __init_begin = .; /* paired with __init_end */
14956 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14959 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14960 * output PHDR, so the next output section - .init.text - should
14961 @@ -233,12 +294,27 @@ SECTIONS
14962 PERCPU_VADDR(0, :percpu)
14965 - INIT_TEXT_SECTION(PAGE_SIZE)
14966 -#ifdef CONFIG_X86_64
14969 + . = ALIGN(PAGE_SIZE);
14971 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14972 + VMLINUX_SYMBOL(_sinittext) = .;
14974 + VMLINUX_SYMBOL(_einittext) = .;
14975 + . = ALIGN(PAGE_SIZE);
14978 - INIT_DATA_SECTION(16)
14980 + * .exit.text is discard at runtime, not link time, to deal with
14981 + * references from .altinstructions and .eh_frame
14983 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14987 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14989 + . = ALIGN(PAGE_SIZE);
14990 + INIT_DATA_SECTION(16) :init
14992 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14993 __x86_cpu_dev_start = .;
14994 @@ -292,19 +368,12 @@ SECTIONS
14995 __iommu_table_end = .;
14999 - * .exit.text is discard at runtime, not link time, to deal with
15000 - * references from .altinstructions and .eh_frame
15002 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
15006 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
15010 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
15011 +#ifndef CONFIG_SMP
15012 PERCPU(THREAD_SIZE)
15015 @@ -323,16 +392,10 @@ SECTIONS
15016 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
15019 - . = ALIGN(PAGE_SIZE);
15020 __smp_locks_end = .;
15021 + . = ALIGN(PAGE_SIZE);
15024 -#ifdef CONFIG_X86_64
15025 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
15031 . = ALIGN(PAGE_SIZE);
15032 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15033 @@ -348,6 +411,7 @@ SECTIONS
15035 . += 64 * 1024; /* 64k alignment slop space */
15036 *(.brk_reservation) /* areas brk users have reserved */
15037 + . = ALIGN(HPAGE_SIZE);
15041 @@ -374,13 +438,12 @@ SECTIONS
15042 * for the boot processor.
15044 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15045 -INIT_PER_CPU(gdt_page);
15046 INIT_PER_CPU(irq_stack_union);
15049 * Build-time check on the image size:
15051 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15052 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15053 "kernel image bigger than KERNEL_IMAGE_SIZE");
15056 diff -urNp linux-2.6.38.1/arch/x86/kernel/vsyscall_64.c linux-2.6.38.1/arch/x86/kernel/vsyscall_64.c
15057 --- linux-2.6.38.1/arch/x86/kernel/vsyscall_64.c 2011-03-14 21:20:32.000000000 -0400
15058 +++ linux-2.6.38.1/arch/x86/kernel/vsyscall_64.c 2011-03-21 18:31:35.000000000 -0400
15059 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15061 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15062 /* copy vsyscall data */
15063 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15064 vsyscall_gtod_data.clock.vread = clock->vread;
15065 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15066 vsyscall_gtod_data.clock.mask = clock->mask;
15067 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15068 We do this here because otherwise user space would do it on
15069 its own in a likely inferior way (no access to jiffies).
15070 If you don't like it pass NULL. */
15071 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15072 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15073 p = tcache->blob[1];
15074 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15075 /* Load per CPU data from RDTSCP */
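Review bot: vgetcpu now reads the kernel's `jiffies` variable (`j = jiffies`), yet upstream this function is vsyscall code executed in user mode, and the user-mapped `.jiffies` section it used to read is deleted in the vmlinux.lds.S hunk of this same patch; unless vgetcpu no longer executes from the vsyscall page or `jiffies` is reachable from a user-visible mapping (neither is visible here), that load will fault in user space. Please confirm how the vsyscall page reaches `jiffies`, and if the tcache fast path is meant to be dropped, remove the `tcache->blob[0]` comparison and the comment above that promises once-per-jiffy recomputation rather than leaving a dead load. vgetcpu's body starts before this hunk.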
15076 diff -urNp linux-2.6.38.1/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.38.1/arch/x86/kernel/x8664_ksyms_64.c
15077 --- linux-2.6.38.1/arch/x86/kernel/x8664_ksyms_64.c 2011-03-14 21:20:32.000000000 -0400
15078 +++ linux-2.6.38.1/arch/x86/kernel/x8664_ksyms_64.c 2011-03-21 18:31:35.000000000 -0400
15079 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15080 EXPORT_SYMBOL(copy_user_generic_string);
15081 EXPORT_SYMBOL(copy_user_generic_unrolled);
15082 EXPORT_SYMBOL(__copy_user_nocache);
15083 -EXPORT_SYMBOL(_copy_from_user);
15084 -EXPORT_SYMBOL(_copy_to_user);
15086 EXPORT_SYMBOL(copy_page);
15087 EXPORT_SYMBOL(clear_page);
15088 diff -urNp linux-2.6.38.1/arch/x86/kernel/xsave.c linux-2.6.38.1/arch/x86/kernel/xsave.c
15089 --- linux-2.6.38.1/arch/x86/kernel/xsave.c 2011-03-14 21:20:32.000000000 -0400
15090 +++ linux-2.6.38.1/arch/x86/kernel/xsave.c 2011-03-21 18:31:35.000000000 -0400
15091 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15092 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15095 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15096 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15097 fx_sw_user->extended_size -
15098 FP_XSTATE_MAGIC2_SIZE));
15100 @@ -267,7 +267,7 @@ fx_only:
15101 * the other extended state.
15103 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15104 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15105 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15109 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15111 err = restore_user_xstate(buf);
15113 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15114 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15116 if (unlikely(err)) {
15118 diff -urNp linux-2.6.38.1/arch/x86/kvm/emulate.c linux-2.6.38.1/arch/x86/kvm/emulate.c
15119 --- linux-2.6.38.1/arch/x86/kvm/emulate.c 2011-03-14 21:20:32.000000000 -0400
15120 +++ linux-2.6.38.1/arch/x86/kvm/emulate.c 2011-03-21 18:31:35.000000000 -0400
15122 #define Src2ImmByte (2<<29)
15123 #define Src2One (3<<29)
15124 #define Src2Imm (4<<29)
15125 -#define Src2Mask (7<<29)
15126 +#define Src2Mask (7U<<29)
15128 #define X2(x...) x, x
15129 #define X3(x...) X2(x), x
15130 @@ -189,6 +189,7 @@ struct group_dual {
15132 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
15134 + unsigned long _tmp; \
15135 __asm__ __volatile__ ( \
15136 _PRE_EFLAGS("0", "4", "2") \
15137 _op _suffix " %"_x"3,%1; " \
15138 @@ -202,8 +203,6 @@ struct group_dual {
15139 /* Raw emulation: instruction has two explicit operands. */
15140 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15142 - unsigned long _tmp; \
15144 switch ((_dst).bytes) { \
15146 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
15147 @@ -219,7 +218,6 @@ struct group_dual {
15149 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15151 - unsigned long _tmp; \
15152 switch ((_dst).bytes) { \
15154 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
15155 diff -urNp linux-2.6.38.1/arch/x86/kvm/lapic.c linux-2.6.38.1/arch/x86/kvm/lapic.c
15156 --- linux-2.6.38.1/arch/x86/kvm/lapic.c 2011-03-14 21:20:32.000000000 -0400
15157 +++ linux-2.6.38.1/arch/x86/kvm/lapic.c 2011-03-21 18:31:35.000000000 -0400
15159 #define APIC_BUS_CYCLE_NS 1
15161 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15162 -#define apic_debug(fmt, arg...)
15163 +#define apic_debug(fmt, arg...) do {} while (0)
15165 #define APIC_LVT_NUM 6
15166 /* 14 is the version for Xeon and Pentium 8.4.8*/
15167 diff -urNp linux-2.6.38.1/arch/x86/kvm/svm.c linux-2.6.38.1/arch/x86/kvm/svm.c
15168 --- linux-2.6.38.1/arch/x86/kvm/svm.c 2011-03-14 21:20:32.000000000 -0400
15169 +++ linux-2.6.38.1/arch/x86/kvm/svm.c 2011-03-21 18:31:35.000000000 -0400
15170 @@ -3273,7 +3273,11 @@ static void reload_tss(struct kvm_vcpu *
15171 int cpu = raw_smp_processor_id();
15173 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15175 + pax_open_kernel();
15176 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15177 + pax_close_kernel();
15182 @@ -3850,7 +3854,7 @@ static void svm_fpu_deactivate(struct kv
15183 update_cr0_intercept(svm);
15186 -static struct kvm_x86_ops svm_x86_ops = {
15187 +static const struct kvm_x86_ops svm_x86_ops = {
15188 .cpu_has_kvm_support = has_svm,
15189 .disabled_by_bios = is_disabled,
15190 .hardware_setup = svm_hardware_setup,
15191 diff -urNp linux-2.6.38.1/arch/x86/kvm/vmx.c linux-2.6.38.1/arch/x86/kvm/vmx.c
15192 --- linux-2.6.38.1/arch/x86/kvm/vmx.c 2011-03-14 21:20:32.000000000 -0400
15193 +++ linux-2.6.38.1/arch/x86/kvm/vmx.c 2011-03-21 18:31:35.000000000 -0400
15194 @@ -725,7 +725,11 @@ static void reload_tss(void)
15195 struct desc_struct *descs;
15197 descs = (void *)gdt->address;
15199 + pax_open_kernel();
15200 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15201 + pax_close_kernel();
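Review bot: The new `pax_open_kernel()`/`pax_close_kernel()` pair around `descs[GDT_ENTRY_TSS].type = 9` carries no comment saying why a plain store into the GDT now needs bracketing, so a later reader will treat it as noise. Suggest `/* KERNEXEC keeps the GDT read-only; open a write window only for clearing the TSS busy bit */` above the store — I am inferring the read-only GDT from the rest of this patch, so check the wording against pax_open_kernel()'s definition. The `ltr` that consumes the cleared busy bit is outside the shown lines; keep it after `pax_close_kernel()` so the window stays as short as it is now.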
15206 @@ -1642,8 +1646,11 @@ static __init int hardware_setup(void)
15207 if (!cpu_has_vmx_flexpriority())
15208 flexpriority_enabled = 0;
15210 - if (!cpu_has_vmx_tpr_shadow())
15211 - kvm_x86_ops->update_cr8_intercept = NULL;
15212 + if (!cpu_has_vmx_tpr_shadow()) {
15213 + pax_open_kernel();
15214 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15215 + pax_close_kernel();
15218 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15219 kvm_disable_largepages();
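Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a pointer to a `const`-qualified object (`vmx_x86_ops` becomes `static const` in this same file, and `kvm_x86_ops` presumably points at it when `hardware_setup` runs), which is undefined behaviour in C regardless of `pax_open_kernel()` making the page writable: the compiler may assume the object never changes and fold later reads of `update_cr8_intercept` in this translation unit. The cast also type-puns a function pointer through `void **`. If const-then-patch is the intended design, record it and keep the compiler honest: `/* kvm_x86_ops lives in .rodata under KERNEXEC; this write deliberately discards const and relies on pax_open_kernel() */` plus a `barrier()` after `pax_close_kernel()` so the store is not reordered past later loads. The closing brace of this `if` is among the lines not shown here.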
15220 @@ -2640,7 +2647,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15221 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15223 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15224 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15225 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15226 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15227 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15228 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
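Review bot: `ktla_ktva(kvm_vmx_return)` changes the HOST_RIP value with no hint about which address space each side is in, and the next reader will have to dig through the PaX headers to find out. Suggest `/* the asm above yields the link-time (linear) address of .Lkvm_vmx_return; KERNEXEC maps kernel text elsewhere, so convert to the address the CPU must actually resume at */` — my reading of the direction of ktla_ktva() is inferred from its name, so confirm it against the definition. The `ljmp` this patch adds at `.Lkvm_vmx_return` in `vmx_vcpu_run` presumably pairs with this conversion; a cross-reference here would keep the two from being changed independently.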
15229 @@ -4031,6 +4038,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15230 "jmp .Lkvm_vmx_return \n\t"
15231 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15232 ".Lkvm_vmx_return: "
15234 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15235 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15236 + ".Lkvm_vmx_return2: "
15239 /* Save guest registers, load host registers, keep flags */
15240 "xchg %0, (%%"R"sp) \n\t"
15241 "mov %%"R"ax, %c[rax](%0) \n\t"
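Review bot: The KERNEXEC-only `ljmp %[cs],$.Lkvm_vmx_return2` right after `.Lkvm_vmx_return:` reloads CS with a far jump to the very next instruction, and nothing says why. VM exit restores CS from the VMCS host-state fields with a flat base, while on 32-bit KERNEXEC `__KERNEL_CS` presumably has a non-zero base for the relocated kernel text, so the far jump is what puts execution back into that segment; please record that, e.g. `/* VM exit leaves CS flat; reload __KERNEL_CS so KERNEXEC's code-segment base is in effect before any further kernel code runs */`. If that reading is right, HOST_RIP must be the linear address (see the ktla_ktva() change in vmx_vcpu_setup), and the two sites should reference each other. `vmx_vcpu_run` starts and ends outside this hunk.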
15242 @@ -4077,6 +4090,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
15243 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15245 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15247 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15248 + ,[cs]"i"(__KERNEL_CS)
15252 , R"ax", R"bx", R"di", R"si"
15253 #ifdef CONFIG_X86_64
15254 @@ -4091,7 +4109,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15256 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
15258 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15259 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15262 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
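Review bot: Replacing `__USER_DS` with `__KERNEL_DS` in `%ds`/`%es` and additionally loading `%ss` is done without a comment, and upstream chose `__USER_DS` deliberately (presumably so the return-to-user path can skip reloading the data segments), so at the next merge this will look like a regression. Suggest `/* UDEREF gives __USER_DS a user-space limit, so kernel code must not run with it in ds/es; reload ss too so the stack segment is the kernel one after the VMCS host-state load */` — both halves are inferred from the rest of this patch, so confirm the wording. If the `%ss` load is only needed on 32-bit, guarding it with `CONFIG_X86_32` would leave the 64-bit exit path as it was.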
15263 @@ -4326,7 +4344,7 @@ static void vmx_set_supported_cpuid(u32
15267 -static struct kvm_x86_ops vmx_x86_ops = {
15268 +static const struct kvm_x86_ops vmx_x86_ops = {
15269 .cpu_has_kvm_support = cpu_has_kvm_support,
15270 .disabled_by_bios = vmx_disabled_by_bios,
15271 .hardware_setup = hardware_setup,
15272 diff -urNp linux-2.6.38.1/arch/x86/kvm/x86.c linux-2.6.38.1/arch/x86/kvm/x86.c
15273 --- linux-2.6.38.1/arch/x86/kvm/x86.c 2011-03-14 21:20:32.000000000 -0400
15274 +++ linux-2.6.38.1/arch/x86/kvm/x86.c 2011-03-21 18:31:35.000000000 -0400
15275 @@ -93,7 +93,7 @@ static void update_cr8_intercept(struct
15276 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15277 struct kvm_cpuid_entry2 __user *entries);
15279 -struct kvm_x86_ops *kvm_x86_ops;
15280 +const struct kvm_x86_ops *kvm_x86_ops;
15281 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15283 int ignore_msrs = 0;
15284 @@ -119,38 +119,38 @@ static struct kvm_shared_msrs_global __r
15285 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15287 struct kvm_stats_debugfs_item debugfs_entries[] = {
15288 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15289 - { "pf_guest", VCPU_STAT(pf_guest) },
15290 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15291 - { "invlpg", VCPU_STAT(invlpg) },
15292 - { "exits", VCPU_STAT(exits) },
15293 - { "io_exits", VCPU_STAT(io_exits) },
15294 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15295 - { "signal_exits", VCPU_STAT(signal_exits) },
15296 - { "irq_window", VCPU_STAT(irq_window_exits) },
15297 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15298 - { "halt_exits", VCPU_STAT(halt_exits) },
15299 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15300 - { "hypercalls", VCPU_STAT(hypercalls) },
15301 - { "request_irq", VCPU_STAT(request_irq_exits) },
15302 - { "irq_exits", VCPU_STAT(irq_exits) },
15303 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15304 - { "efer_reload", VCPU_STAT(efer_reload) },
15305 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15306 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15307 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15308 - { "irq_injections", VCPU_STAT(irq_injections) },
15309 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15310 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15311 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15312 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15313 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15314 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15315 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15316 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15317 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15318 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15319 - { "largepages", VM_STAT(lpages) },
15320 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15321 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15322 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15323 + { "invlpg", VCPU_STAT(invlpg), NULL },
15324 + { "exits", VCPU_STAT(exits), NULL },
15325 + { "io_exits", VCPU_STAT(io_exits), NULL },
15326 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15327 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15328 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15329 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15330 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15331 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15332 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15333 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15334 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15335 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15336 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15337 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15338 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15339 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15340 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15341 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15342 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15343 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15344 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15345 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15346 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15347 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15348 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15349 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15350 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15351 + { "largepages", VM_STAT(lpages), NULL },
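Review bot: The trailing `NULL` added to every `debugfs_entries` element changes nothing at runtime, because C zero-initialises omitted aggregate members, so its purpose (silencing -Wmissing-field-initializers, or making the fourth member visible) should be stated or the next cleanup will remove it again. If the aim is to make the member explicit, a designated initialiser survives field reordering and documents itself, e.g. `{ "pf_fixed", VCPU_STAT(pf_fixed), .dentry = NULL },` — I am assuming the fourth member is the debugfs `dentry` from kvm_host.h, so check the name. The array terminator and closing brace are outside the shown lines and should use the same form.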
15355 @@ -2023,6 +2023,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15356 if (n < msr_list.nmsrs)
15359 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15361 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15362 num_msrs_to_save * sizeof(u32)))
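Review bot: The new `if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))` guards a copy out of a kernel-internal array whose length is fixed at init time, so if it ever fires the bug is in the code that filled `msrs_to_save`, and silently taking the error path (the action on the next line is not shown here) hides that. Make it loud: `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` in front of whatever bail-out follows. The check would also be cheaper and more useful next to where `num_msrs_to_save` is computed than in the ioctl path, if that code is reachable in this patch.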
15364 @@ -2499,7 +2501,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15365 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15366 struct kvm_interrupt *irq)
15368 - if (irq->irq < 0 || irq->irq >= 256)
15369 + if (irq->irq >= 256)
15371 if (irqchip_in_kernel(vcpu->kvm))
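Review bot: Dropping `irq->irq < 0` is only correct if `irq->irq` is unsigned — in the uapi `struct kvm_interrupt` it is a `__u32`, so the old test was dead code, but the hunk does not say so and the type is not visible here. A one-line comment prevents it being re-added: `/* irq is __u32: the >= 256 test alone covers the full range */`. If the field were ever signed this change would admit negative vectors, so confirm the header before merging.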
15373 @@ -4687,10 +4689,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15375 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15377 -int kvm_arch_init(void *opaque)
15378 +int kvm_arch_init(const void *opaque)
15381 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15382 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15385 printk(KERN_ERR "kvm: already loaded the other module\n");
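Review bot: With `opaque` now `const void *`, the cast in `const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;` is redundant — C converts `const void *` to any `const T *` implicitly — and explicit casts of this kind are what later hide an accidental const-dropping cast; write `const struct kvm_x86_ops *ops = opaque;`. Changing the signature of `kvm_arch_init()` also changes the prototype shared by every architecture in include/linux/kvm_host.h and every `kvm_init()` caller; those are outside this hunk, so make sure the rest of the patch updates them together.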
15386 diff -urNp linux-2.6.38.1/arch/x86/lib/atomic64_cx8_32.S linux-2.6.38.1/arch/x86/lib/atomic64_cx8_32.S
15387 --- linux-2.6.38.1/arch/x86/lib/atomic64_cx8_32.S 2011-03-14 21:20:32.000000000 -0400
15388 +++ linux-2.6.38.1/arch/x86/lib/atomic64_cx8_32.S 2011-03-21 18:31:35.000000000 -0400
15389 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
15391 \ins\()l %esi, %ebx
15392 \insc\()l %edi, %ecx
15394 +#ifdef CONFIG_PAX_REFCOUNT
15397 + _ASM_EXTABLE(2b, 3f)
15408 +#ifdef CONFIG_PAX_REFCOUNT
15415 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
15420 +#ifdef CONFIG_PAX_REFCOUNT
15423 + _ASM_EXTABLE(2b, 3f)
15434 +#ifdef CONFIG_PAX_REFCOUNT
15441 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
15446 +#ifdef CONFIG_PAX_REFCOUNT
15449 + _ASM_EXTABLE(1234b, 1234b)
15455 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
15460 +#ifdef CONFIG_PAX_REFCOUNT
15463 + _ASM_EXTABLE(1234b, 1234b)
15469 diff -urNp linux-2.6.38.1/arch/x86/lib/checksum_32.S linux-2.6.38.1/arch/x86/lib/checksum_32.S
15470 --- linux-2.6.38.1/arch/x86/lib/checksum_32.S 2011-03-14 21:20:32.000000000 -0400
15471 +++ linux-2.6.38.1/arch/x86/lib/checksum_32.S 2011-03-21 18:31:35.000000000 -0400
15473 #include <linux/linkage.h>
15474 #include <asm/dwarf2.h>
15475 #include <asm/errno.h>
15477 +#include <asm/segment.h>
15480 * computes a partial checksum, e.g. for TCP/UDP fragments
15482 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
15487 -ENTRY(csum_partial_copy_generic)
15489 +ENTRY(csum_partial_copy_generic_to_user)
15492 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15494 + CFI_ADJUST_CFA_OFFSET 4
15496 + CFI_ADJUST_CFA_OFFSET -4
15497 + jmp csum_partial_copy_generic
15500 +ENTRY(csum_partial_copy_generic_from_user)
15502 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15504 + CFI_ADJUST_CFA_OFFSET 4
15506 + CFI_ADJUST_CFA_OFFSET -4
15509 +ENTRY(csum_partial_copy_generic)
15511 CFI_ADJUST_CFA_OFFSET 4
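Review bot: The new `csum_partial_copy_generic_to_user`/`_from_user` entry points establish a segment convention — every `DST(...)` store below is now `%es:`-relative, the error pointers are written via `%ss:`, and under UDEREF each entry presumably loads the user segment into `%es` or `%ds` before reaching the common body — but nothing in the file states that convention, and the lines that load the segment registers are not shown here. A header comment above `ENTRY(csum_partial_copy_generic_to_user)` would carry it: `# _to_user: es = user, ds = kernel; _from_user: ds = user, es = kernel. Kernel pointers (src_err_ptr/dst_err_ptr) must be accessed via %ss.` Without UDEREF the three ENTRY labels simply fall through into each other, which works but deserves a one-line remark since `jmp csum_partial_copy_generic` is only assembled under UDEREF.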
15513 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
15515 SRC(1: movw (%esi), %bx )
15517 -DST( movw %bx, (%edi) )
15518 +DST( movw %bx, %es:(%edi) )
15522 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
15523 SRC(1: movl (%esi), %ebx )
15524 SRC( movl 4(%esi), %edx )
15526 -DST( movl %ebx, (%edi) )
15527 +DST( movl %ebx, %es:(%edi) )
15529 -DST( movl %edx, 4(%edi) )
15530 +DST( movl %edx, %es:4(%edi) )
15532 SRC( movl 8(%esi), %ebx )
15533 SRC( movl 12(%esi), %edx )
15535 -DST( movl %ebx, 8(%edi) )
15536 +DST( movl %ebx, %es:8(%edi) )
15538 -DST( movl %edx, 12(%edi) )
15539 +DST( movl %edx, %es:12(%edi) )
15541 SRC( movl 16(%esi), %ebx )
15542 SRC( movl 20(%esi), %edx )
15544 -DST( movl %ebx, 16(%edi) )
15545 +DST( movl %ebx, %es:16(%edi) )
15547 -DST( movl %edx, 20(%edi) )
15548 +DST( movl %edx, %es:20(%edi) )
15550 SRC( movl 24(%esi), %ebx )
15551 SRC( movl 28(%esi), %edx )
15553 -DST( movl %ebx, 24(%edi) )
15554 +DST( movl %ebx, %es:24(%edi) )
15556 -DST( movl %edx, 28(%edi) )
15557 +DST( movl %edx, %es:28(%edi) )
15561 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
15562 shrl $2, %edx # This clears CF
15563 SRC(3: movl (%esi), %ebx )
15565 -DST( movl %ebx, (%edi) )
15566 +DST( movl %ebx, %es:(%edi) )
15570 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
15572 SRC( movw (%esi), %cx )
15574 -DST( movw %cx, (%edi) )
15575 +DST( movw %cx, %es:(%edi) )
15579 SRC(5: movb (%esi), %cl )
15580 -DST( movb %cl, (%edi) )
15581 +DST( movb %cl, %es:(%edi) )
15585 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
15588 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15589 - movl $-EFAULT, (%ebx)
15590 + movl $-EFAULT, %ss:(%ebx)
15592 # zero the complete destination - computing the rest
15594 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
15597 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15598 - movl $-EFAULT,(%ebx)
15599 + movl $-EFAULT,%ss:(%ebx)
15605 + CFI_ADJUST_CFA_OFFSET 4
15607 + CFI_ADJUST_CFA_OFFSET -4
15609 + CFI_ADJUST_CFA_OFFSET 4
15611 + CFI_ADJUST_CFA_OFFSET -4
15613 CFI_ADJUST_CFA_OFFSET -4
15615 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
15616 CFI_ADJUST_CFA_OFFSET -4
15619 -ENDPROC(csum_partial_copy_generic)
15620 +ENDPROC(csum_partial_copy_generic_to_user)
15624 /* Version for PentiumII/PPro */
15626 #define ROUND1(x) \
15628 SRC(movl x(%esi), %ebx ) ; \
15629 addl %ebx, %eax ; \
15630 - DST(movl %ebx, x(%edi) ) ;
15631 + DST(movl %ebx, %es:x(%edi)) ;
15635 SRC(movl x(%esi), %ebx ) ; \
15636 adcl %ebx, %eax ; \
15637 - DST(movl %ebx, x(%edi) ) ;
15638 + DST(movl %ebx, %es:x(%edi)) ;
15642 -ENTRY(csum_partial_copy_generic)
15644 +ENTRY(csum_partial_copy_generic_to_user)
15647 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15649 + CFI_ADJUST_CFA_OFFSET 4
15651 + CFI_ADJUST_CFA_OFFSET -4
15652 + jmp csum_partial_copy_generic
15655 +ENTRY(csum_partial_copy_generic_from_user)
15657 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15659 + CFI_ADJUST_CFA_OFFSET 4
15661 + CFI_ADJUST_CFA_OFFSET -4
15664 +ENTRY(csum_partial_copy_generic)
15666 CFI_ADJUST_CFA_OFFSET 4
15667 CFI_REL_OFFSET ebx, 0
15668 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
15672 - lea 3f(%ebx,%ebx), %ebx
15673 + lea 3f(%ebx,%ebx,2), %ebx
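Review bot: `lea 3f(%ebx,%ebx,2), %ebx` changes the computed-jump stride from 2×%ebx to 3×%ebx; with %ebx a negative byte count in multiples of 4, every `ROUND` body must now assemble to exactly 12 bytes instead of 8. The `%es:` prefix on the `DST()` store accounts for one byte, so the rest must come from the `ROUND1`/`ROUND` definitions, which are not fully visible here; if any round is not exactly 12 bytes the `jmp *%ebx` lands inside an instruction. Pin the invariant in the source rather than in the reader's memory: `# each ROUND must be exactly 12 bytes: the lea/jmp *%ebx dispatch depends on it` beside the lea, and an assemble-time `.if`/`.error` size check around the unrolled rounds if the labels permit.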
15677 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
15679 SRC( movw (%esi), %dx )
15681 -DST( movw %dx, (%edi) )
15682 +DST( movw %dx, %es:(%edi) )
15687 SRC( movb (%esi), %dl )
15688 -DST( movb %dl, (%edi) )
15689 +DST( movb %dl, %es:(%edi) )
15693 .section .fixup, "ax"
15694 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15695 - movl $-EFAULT, (%ebx)
15696 + movl $-EFAULT, %ss:(%ebx)
15697 # zero the complete destination (computing the rest is too much work)
15698 movl ARGBASE+8(%esp),%edi # dst
15699 movl ARGBASE+12(%esp),%ecx # len
15700 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
15703 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15704 - movl $-EFAULT, (%ebx)
15705 + movl $-EFAULT, %ss:(%ebx)
15709 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15711 + CFI_ADJUST_CFA_OFFSET 4
15713 + CFI_ADJUST_CFA_OFFSET -4
15715 + CFI_ADJUST_CFA_OFFSET 4
15717 + CFI_ADJUST_CFA_OFFSET -4
15721 CFI_ADJUST_CFA_OFFSET -4
15723 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
15727 -ENDPROC(csum_partial_copy_generic)
15728 +ENDPROC(csum_partial_copy_generic_to_user)
15732 diff -urNp linux-2.6.38.1/arch/x86/lib/clear_page_64.S linux-2.6.38.1/arch/x86/lib/clear_page_64.S
15733 --- linux-2.6.38.1/arch/x86/lib/clear_page_64.S 2011-03-14 21:20:32.000000000 -0400
15734 +++ linux-2.6.38.1/arch/x86/lib/clear_page_64.S 2011-03-21 18:31:35.000000000 -0400
15735 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15737 #include <asm/cpufeature.h>
15739 - .section .altinstr_replacement,"ax"
15740 + .section .altinstr_replacement,"a"
15741 1: .byte 0xeb /* jmp <disp8> */
15742 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
15744 diff -urNp linux-2.6.38.1/arch/x86/lib/copy_page_64.S linux-2.6.38.1/arch/x86/lib/copy_page_64.S
15745 --- linux-2.6.38.1/arch/x86/lib/copy_page_64.S 2011-03-14 21:20:32.000000000 -0400
15746 +++ linux-2.6.38.1/arch/x86/lib/copy_page_64.S 2011-03-21 18:31:35.000000000 -0400
15747 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15749 #include <asm/cpufeature.h>
15751 - .section .altinstr_replacement,"ax"
15752 + .section .altinstr_replacement,"a"
15753 1: .byte 0xeb /* jmp <disp8> */
15754 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15756 diff -urNp linux-2.6.38.1/arch/x86/lib/copy_user_64.S linux-2.6.38.1/arch/x86/lib/copy_user_64.S
15757 --- linux-2.6.38.1/arch/x86/lib/copy_user_64.S 2011-03-14 21:20:32.000000000 -0400
15758 +++ linux-2.6.38.1/arch/x86/lib/copy_user_64.S 2011-03-21 18:31:35.000000000 -0400
15759 @@ -15,13 +15,14 @@
15760 #include <asm/asm-offsets.h>
15761 #include <asm/thread_info.h>
15762 #include <asm/cpufeature.h>
15763 +#include <asm/pgtable.h>
15765 .macro ALTERNATIVE_JUMP feature,orig,alt
15767 .byte 0xe9 /* 32bit jump */
15768 .long \orig-1f /* by default jump to orig */
15770 - .section .altinstr_replacement,"ax"
15771 + .section .altinstr_replacement,"a"
15772 2: .byte 0xe9 /* near jump with 32bit immediate */
15773 .long \alt-1b /* offset */ /* or alternatively to alt */
15775 @@ -64,37 +65,13 @@
15779 -/* Standard copy_to_user with segment limit checking */
15780 -ENTRY(_copy_to_user)
15782 - GET_THREAD_INFO(%rax)
15786 - cmpq TI_addr_limit(%rax),%rcx
15788 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15790 -ENDPROC(_copy_to_user)
15792 -/* Standard copy_from_user with segment limit checking */
15793 -ENTRY(_copy_from_user)
15795 - GET_THREAD_INFO(%rax)
15799 - cmpq TI_addr_limit(%rax),%rcx
15800 - jae bad_from_user
15801 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15803 -ENDPROC(_copy_from_user)
15805 .section .fixup,"ax"
15806 /* must zero dest */
15807 ENTRY(bad_from_user)
15815 diff -urNp linux-2.6.38.1/arch/x86/lib/copy_user_nocache_64.S linux-2.6.38.1/arch/x86/lib/copy_user_nocache_64.S
15816 --- linux-2.6.38.1/arch/x86/lib/copy_user_nocache_64.S 2011-03-14 21:20:32.000000000 -0400
15817 +++ linux-2.6.38.1/arch/x86/lib/copy_user_nocache_64.S 2011-03-21 18:31:35.000000000 -0400
15819 #include <asm/current.h>
15820 #include <asm/asm-offsets.h>
15821 #include <asm/thread_info.h>
15822 +#include <asm/pgtable.h>
15824 .macro ALIGN_DESTINATION
15825 #ifdef FIX_ALIGNMENT
15828 ENTRY(__copy_user_nocache)
15831 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15832 + mov $PAX_USER_SHADOW_BASE,%rcx
15840 jb 20f /* less then 8 bytes, go to byte copy loop */
15842 diff -urNp linux-2.6.38.1/arch/x86/lib/csum-wrappers_64.c linux-2.6.38.1/arch/x86/lib/csum-wrappers_64.c
15843 --- linux-2.6.38.1/arch/x86/lib/csum-wrappers_64.c 2011-03-14 21:20:32.000000000 -0400
15844 +++ linux-2.6.38.1/arch/x86/lib/csum-wrappers_64.c 2011-03-21 18:31:35.000000000 -0400
15845 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15849 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15850 + src += PAX_USER_SHADOW_BASE;
15851 isum = csum_partial_copy_generic((__force const void *)src,
15852 dst, len, isum, errp, NULL);
15853 if (unlikely(*errp))
15854 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15858 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15859 + dst += PAX_USER_SHADOW_BASE;
15860 return csum_partial_copy_generic(src, (void __force *)dst,
15861 len, isum, NULL, errp);
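Review bot: The two-line shadow-base adjustment (`if ((unsigned long)dst < PAX_USER_SHADOW_BASE) dst += PAX_USER_SHADOW_BASE;`) is duplicated verbatim in both wrappers of this file with no explanation of what the comparison guards against; if it means "leave addresses already in the shadow range alone", say so, and put it in one helper or macro under the same `#ifdef` so the two sites cannot drift. After the adjustment `dst`/`src` no longer hold the address the caller passed, so any later use of them in these functions (error reporting, retries) needs checking — the remainder of each function is outside the hunk. Confirm also that `csum_partial_copy_generic` really has no segment override of its own on 64-bit, since otherwise the offset would be applied twice.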
15863 diff -urNp linux-2.6.38.1/arch/x86/lib/getuser.S linux-2.6.38.1/arch/x86/lib/getuser.S
15864 --- linux-2.6.38.1/arch/x86/lib/getuser.S 2011-03-14 21:20:32.000000000 -0400
15865 +++ linux-2.6.38.1/arch/x86/lib/getuser.S 2011-03-21 18:31:35.000000000 -0400
15866 @@ -33,14 +33,35 @@
15867 #include <asm/asm-offsets.h>
15868 #include <asm/thread_info.h>
15869 #include <asm/asm.h>
15870 +#include <asm/segment.h>
15871 +#include <asm/pgtable.h>
15873 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15874 +#define __copyuser_seg gs;
15876 +#define __copyuser_seg
15880 ENTRY(__get_user_1)
15883 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15884 GET_THREAD_INFO(%_ASM_DX)
15885 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15887 -1: movzb (%_ASM_AX),%edx
15889 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15890 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15891 + cmp %_ASM_DX,%_ASM_AX
15893 + add %_ASM_DX,%_ASM_AX
15899 +1: __copyuser_seg movzb (%_ASM_AX),%edx
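Review bot: Under `CONFIG_X86_32 && CONFIG_PAX_MEMORY_UDEREF` the `GET_THREAD_INFO`/`cmp TI_addr_limit` range check is compiled out and the load relies on the `gs:` override alone, presumably because the UDEREF `%gs` segment has a user-space limit that makes kernel addresses fault. That is a change in the trust model — `set_fs(KERNEL_DS)` callers now depend on the segment being reprogrammed rather than on `addr_limit` — and it is stated nowhere in the file; put it above `ENTRY(__get_user_1)`: `/* 32-bit UDEREF: the gs segment limit bounds user accesses, so the addr_limit compare is not needed; set_fs() must adjust the segment instead */`. I am inferring the set_fs() half, so confirm it against the patch's uaccess changes. The branch between `cmp %_ASM_DX,%_ASM_AX` and `add %_ASM_DX,%_ASM_AX` on the 64-bit path is not among the lines shown here.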
15903 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
15904 ENTRY(__get_user_2)
15908 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15910 GET_THREAD_INFO(%_ASM_DX)
15911 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15913 -2: movzwl -1(%_ASM_AX),%edx
15915 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15916 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15917 + cmp %_ASM_DX,%_ASM_AX
15919 + add %_ASM_DX,%_ASM_AX
15925 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
15929 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
15930 ENTRY(__get_user_4)
15934 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15936 GET_THREAD_INFO(%_ASM_DX)
15937 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15939 -3: mov -3(%_ASM_AX),%edx
15941 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15942 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15943 + cmp %_ASM_DX,%_ASM_AX
15945 + add %_ASM_DX,%_ASM_AX
15951 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
15955 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
15956 GET_THREAD_INFO(%_ASM_DX)
15957 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15960 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15961 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15962 + cmp %_ASM_DX,%_ASM_AX
15964 + add %_ASM_DX,%_ASM_AX
15968 4: movq -7(%_ASM_AX),%_ASM_DX
15971 diff -urNp linux-2.6.38.1/arch/x86/lib/insn.c linux-2.6.38.1/arch/x86/lib/insn.c
15972 --- linux-2.6.38.1/arch/x86/lib/insn.c 2011-03-14 21:20:32.000000000 -0400
15973 +++ linux-2.6.38.1/arch/x86/lib/insn.c 2011-03-21 18:31:35.000000000 -0400
15975 #include <linux/string.h>
15976 #include <asm/inat.h>
15977 #include <asm/insn.h>
15979 +#include <asm/pgtable_types.h>
15981 +#define ktla_ktva(addr) addr
15984 #define get_next(t, insn) \
15985 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15987 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15989 memset(insn, 0, sizeof(*insn));
15990 - insn->kaddr = kaddr;
15991 - insn->next_byte = kaddr;
15992 + insn->kaddr = ktla_ktva(kaddr);
15993 + insn->next_byte = ktla_ktva(kaddr);
15994 insn->x86_64 = x86_64 ? 1 : 0;
15995 insn->opnd_bytes = 4;
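Review bot: `insn_init()` now applies `ktla_ktva()` to every `kaddr`, but the decoder is not only pointed at kernel text: in this kernel version kprobes also decodes from stack-local instruction copies and from instruction slots, and a kernel-text translation applied to such a pointer would make `next_byte` read the wrong memory unless those callers pre-apply the inverse. Either state the contract above `insn_init` — `/* kaddr must be a kernel-text linear address (KERNEXEC relocates .text); callers decoding from a copy must pass ktva_ktla(buf) */` — or do the translation in the kprobes callers and keep the decoder address-space agnostic, which also fits the local `#define ktla_ktva(addr) addr` fallback this hunk adds for the userspace build. I am relying on memory of the 2.6.38 kprobes callers; verify against arch/x86/kernel/kprobes.c in this patch.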
15997 diff -urNp linux-2.6.38.1/arch/x86/lib/mmx_32.c linux-2.6.38.1/arch/x86/lib/mmx_32.c
15998 --- linux-2.6.38.1/arch/x86/lib/mmx_32.c 2011-03-14 21:20:32.000000000 -0400
15999 +++ linux-2.6.38.1/arch/x86/lib/mmx_32.c 2011-03-21 18:31:35.000000000 -0400
16000 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
16004 + unsigned long cr0;
16006 if (unlikely(in_interrupt()))
16007 return __memcpy(to, from, len);
16008 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
16009 kernel_fpu_begin();
16011 __asm__ __volatile__ (
16012 - "1: prefetch (%0)\n" /* This set is 28 bytes */
16013 - " prefetch 64(%0)\n"
16014 - " prefetch 128(%0)\n"
16015 - " prefetch 192(%0)\n"
16016 - " prefetch 256(%0)\n"
16017 + "1: prefetch (%1)\n" /* This set is 28 bytes */
16018 + " prefetch 64(%1)\n"
16019 + " prefetch 128(%1)\n"
16020 + " prefetch 192(%1)\n"
16021 + " prefetch 256(%1)\n"
16023 ".section .fixup, \"ax\"\n"
16024 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16027 +#ifdef CONFIG_PAX_KERNEXEC
16028 + " movl %%cr0, %0\n"
16029 + " movl %0, %%eax\n"
16030 + " andl $0xFFFEFFFF, %%eax\n"
16031 + " movl %%eax, %%cr0\n"
16034 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16036 +#ifdef CONFIG_PAX_KERNEXEC
16037 + " movl %0, %%cr0\n"
16042 _ASM_EXTABLE(1b, 3b)
16044 + : "=&r" (cr0) : "r" (from) : "ax");
16046 for ( ; i > 5; i--) {
16047 __asm__ __volatile__ (
16048 - "1: prefetch 320(%0)\n"
16049 - "2: movq (%0), %%mm0\n"
16050 - " movq 8(%0), %%mm1\n"
16051 - " movq 16(%0), %%mm2\n"
16052 - " movq 24(%0), %%mm3\n"
16053 - " movq %%mm0, (%1)\n"
16054 - " movq %%mm1, 8(%1)\n"
16055 - " movq %%mm2, 16(%1)\n"
16056 - " movq %%mm3, 24(%1)\n"
16057 - " movq 32(%0), %%mm0\n"
16058 - " movq 40(%0), %%mm1\n"
16059 - " movq 48(%0), %%mm2\n"
16060 - " movq 56(%0), %%mm3\n"
16061 - " movq %%mm0, 32(%1)\n"
16062 - " movq %%mm1, 40(%1)\n"
16063 - " movq %%mm2, 48(%1)\n"
16064 - " movq %%mm3, 56(%1)\n"
16065 + "1: prefetch 320(%1)\n"
16066 + "2: movq (%1), %%mm0\n"
16067 + " movq 8(%1), %%mm1\n"
16068 + " movq 16(%1), %%mm2\n"
16069 + " movq 24(%1), %%mm3\n"
16070 + " movq %%mm0, (%2)\n"
16071 + " movq %%mm1, 8(%2)\n"
16072 + " movq %%mm2, 16(%2)\n"
16073 + " movq %%mm3, 24(%2)\n"
16074 + " movq 32(%1), %%mm0\n"
16075 + " movq 40(%1), %%mm1\n"
16076 + " movq 48(%1), %%mm2\n"
16077 + " movq 56(%1), %%mm3\n"
16078 + " movq %%mm0, 32(%2)\n"
16079 + " movq %%mm1, 40(%2)\n"
16080 + " movq %%mm2, 48(%2)\n"
16081 + " movq %%mm3, 56(%2)\n"
16082 ".section .fixup, \"ax\"\n"
16083 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16086 +#ifdef CONFIG_PAX_KERNEXEC
16087 + " movl %%cr0, %0\n"
16088 + " movl %0, %%eax\n"
16089 + " andl $0xFFFEFFFF, %%eax\n"
16090 + " movl %%eax, %%cr0\n"
16093 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16095 +#ifdef CONFIG_PAX_KERNEXEC
16096 + " movl %0, %%cr0\n"
16101 _ASM_EXTABLE(1b, 3b)
16102 - : : "r" (from), "r" (to) : "memory");
16103 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
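Review bot: The CR0.WP toggle in each `.fixup` block (`movl %%cr0, %0; movl %0, %%eax; andl $0xFFFEFFFF, %%eax; movl %%eax, %%cr0` … `movl %0, %%cr0`) is hand-copied into six fixup sections of this file with a magic mask; `0xFFFEFFFF` is `~X86_CR0_WP` from asm/processor-flags.h, and spelling it that way (an `"i" (~X86_CR0_WP)` operand, or a stringified define) documents what is cleared and prevents a typo silently clearing another bit. Since the sequence is identical everywhere, a pair of asm macros (open/close) in this file would keep the six copies in sync. One caveat belongs in a comment at the first fixup block: between the two `movl … %%cr0` an interrupt can run with WP off, and `kernel_fpu_begin()` disables preemption but not interrupts, so this is acceptable only if the entry code restores CR0 (as the rest of the PaX patch presumably arranges). `_mmx_memcpy` ends outside this hunk.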
16107 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16108 static void fast_copy_page(void *to, void *from)
16111 + unsigned long cr0;
16113 kernel_fpu_begin();
16115 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16116 * but that is for later. -AV
16118 __asm__ __volatile__(
16119 - "1: prefetch (%0)\n"
16120 - " prefetch 64(%0)\n"
16121 - " prefetch 128(%0)\n"
16122 - " prefetch 192(%0)\n"
16123 - " prefetch 256(%0)\n"
16124 + "1: prefetch (%1)\n"
16125 + " prefetch 64(%1)\n"
16126 + " prefetch 128(%1)\n"
16127 + " prefetch 192(%1)\n"
16128 + " prefetch 256(%1)\n"
16130 ".section .fixup, \"ax\"\n"
16131 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16134 +#ifdef CONFIG_PAX_KERNEXEC
16135 + " movl %%cr0, %0\n"
16136 + " movl %0, %%eax\n"
16137 + " andl $0xFFFEFFFF, %%eax\n"
16138 + " movl %%eax, %%cr0\n"
16141 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16143 +#ifdef CONFIG_PAX_KERNEXEC
16144 + " movl %0, %%cr0\n"
16149 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16150 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16152 for (i = 0; i < (4096-320)/64; i++) {
16153 __asm__ __volatile__ (
16154 - "1: prefetch 320(%0)\n"
16155 - "2: movq (%0), %%mm0\n"
16156 - " movntq %%mm0, (%1)\n"
16157 - " movq 8(%0), %%mm1\n"
16158 - " movntq %%mm1, 8(%1)\n"
16159 - " movq 16(%0), %%mm2\n"
16160 - " movntq %%mm2, 16(%1)\n"
16161 - " movq 24(%0), %%mm3\n"
16162 - " movntq %%mm3, 24(%1)\n"
16163 - " movq 32(%0), %%mm4\n"
16164 - " movntq %%mm4, 32(%1)\n"
16165 - " movq 40(%0), %%mm5\n"
16166 - " movntq %%mm5, 40(%1)\n"
16167 - " movq 48(%0), %%mm6\n"
16168 - " movntq %%mm6, 48(%1)\n"
16169 - " movq 56(%0), %%mm7\n"
16170 - " movntq %%mm7, 56(%1)\n"
16171 + "1: prefetch 320(%1)\n"
16172 + "2: movq (%1), %%mm0\n"
16173 + " movntq %%mm0, (%2)\n"
16174 + " movq 8(%1), %%mm1\n"
16175 + " movntq %%mm1, 8(%2)\n"
16176 + " movq 16(%1), %%mm2\n"
16177 + " movntq %%mm2, 16(%2)\n"
16178 + " movq 24(%1), %%mm3\n"
16179 + " movntq %%mm3, 24(%2)\n"
16180 + " movq 32(%1), %%mm4\n"
16181 + " movntq %%mm4, 32(%2)\n"
16182 + " movq 40(%1), %%mm5\n"
16183 + " movntq %%mm5, 40(%2)\n"
16184 + " movq 48(%1), %%mm6\n"
16185 + " movntq %%mm6, 48(%2)\n"
16186 + " movq 56(%1), %%mm7\n"
16187 + " movntq %%mm7, 56(%2)\n"
16188 ".section .fixup, \"ax\"\n"
16189 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16192 +#ifdef CONFIG_PAX_KERNEXEC
16193 + " movl %%cr0, %0\n"
16194 + " movl %0, %%eax\n"
16195 + " andl $0xFFFEFFFF, %%eax\n"
16196 + " movl %%eax, %%cr0\n"
16199 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16201 +#ifdef CONFIG_PAX_KERNEXEC
16202 + " movl %0, %%cr0\n"
16207 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16208 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16212 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16213 static void fast_copy_page(void *to, void *from)
16216 + unsigned long cr0;
16218 kernel_fpu_begin();
16220 __asm__ __volatile__ (
16221 - "1: prefetch (%0)\n"
16222 - " prefetch 64(%0)\n"
16223 - " prefetch 128(%0)\n"
16224 - " prefetch 192(%0)\n"
16225 - " prefetch 256(%0)\n"
16226 + "1: prefetch (%1)\n"
16227 + " prefetch 64(%1)\n"
16228 + " prefetch 128(%1)\n"
16229 + " prefetch 192(%1)\n"
16230 + " prefetch 256(%1)\n"
16232 ".section .fixup, \"ax\"\n"
16233 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16236 +#ifdef CONFIG_PAX_KERNEXEC
16237 + " movl %%cr0, %0\n"
16238 + " movl %0, %%eax\n"
16239 + " andl $0xFFFEFFFF, %%eax\n"
16240 + " movl %%eax, %%cr0\n"
16243 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16245 +#ifdef CONFIG_PAX_KERNEXEC
16246 + " movl %0, %%cr0\n"
16251 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16252 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16254 for (i = 0; i < 4096/64; i++) {
16255 __asm__ __volatile__ (
16256 - "1: prefetch 320(%0)\n"
16257 - "2: movq (%0), %%mm0\n"
16258 - " movq 8(%0), %%mm1\n"
16259 - " movq 16(%0), %%mm2\n"
16260 - " movq 24(%0), %%mm3\n"
16261 - " movq %%mm0, (%1)\n"
16262 - " movq %%mm1, 8(%1)\n"
16263 - " movq %%mm2, 16(%1)\n"
16264 - " movq %%mm3, 24(%1)\n"
16265 - " movq 32(%0), %%mm0\n"
16266 - " movq 40(%0), %%mm1\n"
16267 - " movq 48(%0), %%mm2\n"
16268 - " movq 56(%0), %%mm3\n"
16269 - " movq %%mm0, 32(%1)\n"
16270 - " movq %%mm1, 40(%1)\n"
16271 - " movq %%mm2, 48(%1)\n"
16272 - " movq %%mm3, 56(%1)\n"
16273 + "1: prefetch 320(%1)\n"
16274 + "2: movq (%1), %%mm0\n"
16275 + " movq 8(%1), %%mm1\n"
16276 + " movq 16(%1), %%mm2\n"
16277 + " movq 24(%1), %%mm3\n"
16278 + " movq %%mm0, (%2)\n"
16279 + " movq %%mm1, 8(%2)\n"
16280 + " movq %%mm2, 16(%2)\n"
16281 + " movq %%mm3, 24(%2)\n"
16282 + " movq 32(%1), %%mm0\n"
16283 + " movq 40(%1), %%mm1\n"
16284 + " movq 48(%1), %%mm2\n"
16285 + " movq 56(%1), %%mm3\n"
16286 + " movq %%mm0, 32(%2)\n"
16287 + " movq %%mm1, 40(%2)\n"
16288 + " movq %%mm2, 48(%2)\n"
16289 + " movq %%mm3, 56(%2)\n"
16290 ".section .fixup, \"ax\"\n"
16291 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16294 +#ifdef CONFIG_PAX_KERNEXEC
16295 + " movl %%cr0, %0\n"
16296 + " movl %0, %%eax\n"
16297 + " andl $0xFFFEFFFF, %%eax\n"
16298 + " movl %%eax, %%cr0\n"
16301 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16303 +#ifdef CONFIG_PAX_KERNEXEC
16304 + " movl %0, %%cr0\n"
16309 _ASM_EXTABLE(1b, 3b)
16310 - : : "r" (from), "r" (to) : "memory");
16311 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16315 diff -urNp linux-2.6.38.1/arch/x86/lib/putuser.S linux-2.6.38.1/arch/x86/lib/putuser.S
16316 --- linux-2.6.38.1/arch/x86/lib/putuser.S 2011-03-14 21:20:32.000000000 -0400
16317 +++ linux-2.6.38.1/arch/x86/lib/putuser.S 2011-03-21 18:31:35.000000000 -0400
16319 #include <asm/thread_info.h>
16320 #include <asm/errno.h>
16321 #include <asm/asm.h>
16323 +#include <asm/segment.h>
16324 +#include <asm/pgtable.h>
16328 @@ -29,52 +30,119 @@
16329 * as they get called from within inline assembly.
16332 -#define ENTER CFI_STARTPROC ; \
16333 - GET_THREAD_INFO(%_ASM_BX)
16334 +#define ENTER CFI_STARTPROC
16335 #define EXIT ret ; \
16338 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16339 +#define _DEST %_ASM_CX,%_ASM_BX
16341 +#define _DEST %_ASM_CX
16344 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16345 +#define __copyuser_seg gs;
16347 +#define __copyuser_seg
16351 ENTRY(__put_user_1)
16354 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16355 + GET_THREAD_INFO(%_ASM_BX)
16356 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16358 -1: movb %al,(%_ASM_CX)
16360 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16361 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16362 + cmp %_ASM_BX,%_ASM_CX
16370 +1: __copyuser_seg movb %al,(_DEST)
16373 ENDPROC(__put_user_1)
16375 ENTRY(__put_user_2)
16378 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16379 + GET_THREAD_INFO(%_ASM_BX)
16380 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16382 cmp %_ASM_BX,%_ASM_CX
16384 -2: movw %ax,(%_ASM_CX)
16386 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16387 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16388 + cmp %_ASM_BX,%_ASM_CX
16396 +2: __copyuser_seg movw %ax,(_DEST)
16399 ENDPROC(__put_user_2)
16401 ENTRY(__put_user_4)
16404 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16405 + GET_THREAD_INFO(%_ASM_BX)
16406 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16408 cmp %_ASM_BX,%_ASM_CX
16410 -3: movl %eax,(%_ASM_CX)
16412 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16413 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16414 + cmp %_ASM_BX,%_ASM_CX
16422 +3: __copyuser_seg movl %eax,(_DEST)
16425 ENDPROC(__put_user_4)
16427 ENTRY(__put_user_8)
16430 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16431 + GET_THREAD_INFO(%_ASM_BX)
16432 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16434 cmp %_ASM_BX,%_ASM_CX
16436 -4: mov %_ASM_AX,(%_ASM_CX)
16438 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16439 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16440 + cmp %_ASM_BX,%_ASM_CX
16448 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
16449 #ifdef CONFIG_X86_32
16450 -5: movl %edx,4(%_ASM_CX)
16451 +5: __copyuser_seg movl %edx,4(_DEST)
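Review bot: On the 32-bit UDEREF build the `addr_limit` compare disappears from all four `__put_user_*` entry points (the new `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` around `GET_THREAD_INFO(%_ASM_BX)` and `cmp TI_addr_limit(%_ASM_BX),%_ASM_CX`), and nothing in the file says what replaces it; from `__copyuser_seg` being `gs;` only on that configuration it looks like the `%gs` segment is meant to bound the store, but that is inferred. A comment above the `_DEST`/`__copyuser_seg` definitions should state the mechanism, e.g. `/* X86_32+UDEREF: no addr_limit compare here; user stores go through %gs, which set_fs() reloads — confirm the segment bound is what enforces the limit */`, and for the 64-bit arm `/* X86_64+UDEREF: _DEST is (%cx,%bx); %bx carries PAX_USER_SHADOW_BASE so the store lands in the user shadow mapping */`. The conditional jumps after each `cmp %_ASM_BX,%_ASM_CX` and the `#else`/`#endif` lines are not shown here, so how an address already above the shadow base is handled cannot be checked from this hunk.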
16455 diff -urNp linux-2.6.38.1/arch/x86/lib/usercopy_32.c linux-2.6.38.1/arch/x86/lib/usercopy_32.c
16456 --- linux-2.6.38.1/arch/x86/lib/usercopy_32.c 2011-03-14 21:20:32.000000000 -0400
16457 +++ linux-2.6.38.1/arch/x86/lib/usercopy_32.c 2011-03-21 18:31:35.000000000 -0400
16458 @@ -43,7 +43,7 @@ do { \
16459 __asm__ __volatile__( \
16463 + "0: "__copyuser_seg"lodsb\n" \
16465 " testb %%al,%%al\n" \
16467 @@ -128,10 +128,12 @@ do { \
16470 __asm__ __volatile__( \
16471 + __COPYUSER_SET_ES \
16472 "0: rep; stosl\n" \
16474 "1: rep; stosb\n" \
16476 + __COPYUSER_RESTORE_ES \
16477 ".section .fixup,\"ax\"\n" \
16478 "3: lea 0(%2,%0,4),%0\n" \
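Review bot: `__COPYUSER_SET_ES` and `__COPYUSER_RESTORE_ES` now bracket the `rep; stosl`/`rep; stosb` clearing loop, so the fault path matters: the `.fixup` at `3:` must rejoin the main body before `__COPYUSER_RESTORE_ES`, otherwise a faulting store returns to C with `%es` still pointing at the user segment. The label the fixup jumps back to is not among the visible lines, so this is a check rather than a defect report; a comment on the restore line, `/* fixup paths rejoin above this line so ES is restored on a fault as well */`, would make the invariant reviewable. The same pairing appears in the two `strnlen_user` hunks below and around `99: rep; movsl` in `__generic_copy_to_user_intel` further down.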
16480 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
16483 __asm__ __volatile__(
16484 + __COPYUSER_SET_ES
16488 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
16492 + __COPYUSER_RESTORE_ES
16493 ".section .fixup,\"ax\"\n"
16494 "2: xorl %%eax,%%eax\n"
16496 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
16498 #ifdef CONFIG_X86_INTEL_USERCOPY
16499 static unsigned long
16500 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16501 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16504 __asm__ __volatile__(
16505 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
16507 "3: movl 0(%4), %%eax\n"
16508 "4: movl 4(%4), %%edx\n"
16509 - "5: movl %%eax, 0(%3)\n"
16510 - "6: movl %%edx, 4(%3)\n"
16511 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
16512 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
16513 "7: movl 8(%4), %%eax\n"
16514 "8: movl 12(%4),%%edx\n"
16515 - "9: movl %%eax, 8(%3)\n"
16516 - "10: movl %%edx, 12(%3)\n"
16517 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
16518 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
16519 "11: movl 16(%4), %%eax\n"
16520 "12: movl 20(%4), %%edx\n"
16521 - "13: movl %%eax, 16(%3)\n"
16522 - "14: movl %%edx, 20(%3)\n"
16523 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
16524 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
16525 "15: movl 24(%4), %%eax\n"
16526 "16: movl 28(%4), %%edx\n"
16527 - "17: movl %%eax, 24(%3)\n"
16528 - "18: movl %%edx, 28(%3)\n"
16529 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
16530 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
16531 "19: movl 32(%4), %%eax\n"
16532 "20: movl 36(%4), %%edx\n"
16533 - "21: movl %%eax, 32(%3)\n"
16534 - "22: movl %%edx, 36(%3)\n"
16535 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
16536 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
16537 "23: movl 40(%4), %%eax\n"
16538 "24: movl 44(%4), %%edx\n"
16539 - "25: movl %%eax, 40(%3)\n"
16540 - "26: movl %%edx, 44(%3)\n"
16541 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
16542 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
16543 "27: movl 48(%4), %%eax\n"
16544 "28: movl 52(%4), %%edx\n"
16545 - "29: movl %%eax, 48(%3)\n"
16546 - "30: movl %%edx, 52(%3)\n"
16547 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
16548 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
16549 "31: movl 56(%4), %%eax\n"
16550 "32: movl 60(%4), %%edx\n"
16551 - "33: movl %%eax, 56(%3)\n"
16552 - "34: movl %%edx, 60(%3)\n"
16553 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
16554 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
16558 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
16560 " andl $3, %%eax\n"
16562 + __COPYUSER_SET_ES
16564 "36: movl %%eax, %0\n"
16567 + __COPYUSER_RESTORE_ES
16568 + ".section .fixup,\"ax\"\n"
16569 + "101: lea 0(%%eax,%0,4),%0\n"
16572 + ".section __ex_table,\"a\"\n"
16574 + " .long 1b,100b\n"
16575 + " .long 2b,100b\n"
16576 + " .long 3b,100b\n"
16577 + " .long 4b,100b\n"
16578 + " .long 5b,100b\n"
16579 + " .long 6b,100b\n"
16580 + " .long 7b,100b\n"
16581 + " .long 8b,100b\n"
16582 + " .long 9b,100b\n"
16583 + " .long 10b,100b\n"
16584 + " .long 11b,100b\n"
16585 + " .long 12b,100b\n"
16586 + " .long 13b,100b\n"
16587 + " .long 14b,100b\n"
16588 + " .long 15b,100b\n"
16589 + " .long 16b,100b\n"
16590 + " .long 17b,100b\n"
16591 + " .long 18b,100b\n"
16592 + " .long 19b,100b\n"
16593 + " .long 20b,100b\n"
16594 + " .long 21b,100b\n"
16595 + " .long 22b,100b\n"
16596 + " .long 23b,100b\n"
16597 + " .long 24b,100b\n"
16598 + " .long 25b,100b\n"
16599 + " .long 26b,100b\n"
16600 + " .long 27b,100b\n"
16601 + " .long 28b,100b\n"
16602 + " .long 29b,100b\n"
16603 + " .long 30b,100b\n"
16604 + " .long 31b,100b\n"
16605 + " .long 32b,100b\n"
16606 + " .long 33b,100b\n"
16607 + " .long 34b,100b\n"
16608 + " .long 35b,100b\n"
16609 + " .long 36b,100b\n"
16610 + " .long 37b,100b\n"
16611 + " .long 99b,101b\n"
16613 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16614 + : "1"(to), "2"(from), "0"(size)
16615 + : "eax", "edx", "memory");
16619 +static unsigned long
16620 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16623 + __asm__ __volatile__(
16624 + " .align 2,0x90\n"
16625 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
16626 + " cmpl $67, %0\n"
16628 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
16629 + " .align 2,0x90\n"
16630 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
16631 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
16632 + "5: movl %%eax, 0(%3)\n"
16633 + "6: movl %%edx, 4(%3)\n"
16634 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
16635 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
16636 + "9: movl %%eax, 8(%3)\n"
16637 + "10: movl %%edx, 12(%3)\n"
16638 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
16639 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
16640 + "13: movl %%eax, 16(%3)\n"
16641 + "14: movl %%edx, 20(%3)\n"
16642 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
16643 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
16644 + "17: movl %%eax, 24(%3)\n"
16645 + "18: movl %%edx, 28(%3)\n"
16646 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
16647 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
16648 + "21: movl %%eax, 32(%3)\n"
16649 + "22: movl %%edx, 36(%3)\n"
16650 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
16651 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
16652 + "25: movl %%eax, 40(%3)\n"
16653 + "26: movl %%edx, 44(%3)\n"
16654 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
16655 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
16656 + "29: movl %%eax, 48(%3)\n"
16657 + "30: movl %%edx, 52(%3)\n"
16658 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
16659 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
16660 + "33: movl %%eax, 56(%3)\n"
16661 + "34: movl %%edx, 60(%3)\n"
16662 + " addl $-64, %0\n"
16663 + " addl $64, %4\n"
16664 + " addl $64, %3\n"
16665 + " cmpl $63, %0\n"
16667 + "35: movl %0, %%eax\n"
16669 + " andl $3, %%eax\n"
16671 + "99: rep; "__copyuser_seg" movsl\n"
16672 + "36: movl %%eax, %0\n"
16673 + "37: rep; "__copyuser_seg" movsb\n"
16675 ".section .fixup,\"ax\"\n"
16676 "101: lea 0(%%eax,%0,4),%0\n"
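Review bot: `__generic_copy_from_user_intel()` is a new function with no header comment, and its most important property is left implicit: nothing visible in its body zeroes the destination tail on a fault, unlike `__copy_user_zeroing_intel()`, so it is only correct on the `*_nozero` paths (its one visible caller is `__copy_from_user_ll_nozero`). Suggested comment above the definition: `/* Copy from user space without zeroing the tail on a fault; returns the number of bytes not copied. Only for the *_nozero entry points — callers that need a fully initialised destination use __copy_user_zeroing_intel(). */`. The `.fixup` body and the `__ex_table` for this function fall outside the visible lines; the to-user variant's table above lists the `1:`/`2:` read-ahead loads (`movl 32(%4)`, `movl 64(%4)`), which the from-user table needs as well. The hunk begins inside `__generic_copy_to_user_intel` and ends before the new function's fixup section is complete.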
16678 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
16680 __asm__ __volatile__(
16682 - "0: movl 32(%4), %%eax\n"
16683 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
16686 - "1: movl 64(%4), %%eax\n"
16687 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
16689 - "2: movl 0(%4), %%eax\n"
16690 - "21: movl 4(%4), %%edx\n"
16691 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
16692 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
16693 " movl %%eax, 0(%3)\n"
16694 " movl %%edx, 4(%3)\n"
16695 - "3: movl 8(%4), %%eax\n"
16696 - "31: movl 12(%4),%%edx\n"
16697 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
16698 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
16699 " movl %%eax, 8(%3)\n"
16700 " movl %%edx, 12(%3)\n"
16701 - "4: movl 16(%4), %%eax\n"
16702 - "41: movl 20(%4), %%edx\n"
16703 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
16704 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
16705 " movl %%eax, 16(%3)\n"
16706 " movl %%edx, 20(%3)\n"
16707 - "10: movl 24(%4), %%eax\n"
16708 - "51: movl 28(%4), %%edx\n"
16709 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
16710 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
16711 " movl %%eax, 24(%3)\n"
16712 " movl %%edx, 28(%3)\n"
16713 - "11: movl 32(%4), %%eax\n"
16714 - "61: movl 36(%4), %%edx\n"
16715 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
16716 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
16717 " movl %%eax, 32(%3)\n"
16718 " movl %%edx, 36(%3)\n"
16719 - "12: movl 40(%4), %%eax\n"
16720 - "71: movl 44(%4), %%edx\n"
16721 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
16722 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
16723 " movl %%eax, 40(%3)\n"
16724 " movl %%edx, 44(%3)\n"
16725 - "13: movl 48(%4), %%eax\n"
16726 - "81: movl 52(%4), %%edx\n"
16727 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
16728 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
16729 " movl %%eax, 48(%3)\n"
16730 " movl %%edx, 52(%3)\n"
16731 - "14: movl 56(%4), %%eax\n"
16732 - "91: movl 60(%4), %%edx\n"
16733 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
16734 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
16735 " movl %%eax, 56(%3)\n"
16736 " movl %%edx, 60(%3)\n"
16738 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
16740 " andl $3, %%eax\n"
16742 - "6: rep; movsl\n"
16743 + "6: rep; "__copyuser_seg" movsl\n"
16745 - "7: rep; movsb\n"
16746 + "7: rep; "__copyuser_seg" movsb\n"
16748 ".section .fixup,\"ax\"\n"
16749 "9: lea 0(%%eax,%0,4),%0\n"
16750 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
16752 __asm__ __volatile__(
16754 - "0: movl 32(%4), %%eax\n"
16755 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
16758 - "1: movl 64(%4), %%eax\n"
16759 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
16761 - "2: movl 0(%4), %%eax\n"
16762 - "21: movl 4(%4), %%edx\n"
16763 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
16764 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
16765 " movnti %%eax, 0(%3)\n"
16766 " movnti %%edx, 4(%3)\n"
16767 - "3: movl 8(%4), %%eax\n"
16768 - "31: movl 12(%4),%%edx\n"
16769 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
16770 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
16771 " movnti %%eax, 8(%3)\n"
16772 " movnti %%edx, 12(%3)\n"
16773 - "4: movl 16(%4), %%eax\n"
16774 - "41: movl 20(%4), %%edx\n"
16775 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
16776 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
16777 " movnti %%eax, 16(%3)\n"
16778 " movnti %%edx, 20(%3)\n"
16779 - "10: movl 24(%4), %%eax\n"
16780 - "51: movl 28(%4), %%edx\n"
16781 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
16782 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
16783 " movnti %%eax, 24(%3)\n"
16784 " movnti %%edx, 28(%3)\n"
16785 - "11: movl 32(%4), %%eax\n"
16786 - "61: movl 36(%4), %%edx\n"
16787 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
16788 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
16789 " movnti %%eax, 32(%3)\n"
16790 " movnti %%edx, 36(%3)\n"
16791 - "12: movl 40(%4), %%eax\n"
16792 - "71: movl 44(%4), %%edx\n"
16793 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
16794 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
16795 " movnti %%eax, 40(%3)\n"
16796 " movnti %%edx, 44(%3)\n"
16797 - "13: movl 48(%4), %%eax\n"
16798 - "81: movl 52(%4), %%edx\n"
16799 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
16800 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
16801 " movnti %%eax, 48(%3)\n"
16802 " movnti %%edx, 52(%3)\n"
16803 - "14: movl 56(%4), %%eax\n"
16804 - "91: movl 60(%4), %%edx\n"
16805 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
16806 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
16807 " movnti %%eax, 56(%3)\n"
16808 " movnti %%edx, 60(%3)\n"
16810 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
16812 " andl $3, %%eax\n"
16814 - "6: rep; movsl\n"
16815 + "6: rep; "__copyuser_seg" movsl\n"
16817 - "7: rep; movsb\n"
16818 + "7: rep; "__copyuser_seg" movsb\n"
16820 ".section .fixup,\"ax\"\n"
16821 "9: lea 0(%%eax,%0,4),%0\n"
16822 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
16824 __asm__ __volatile__(
16826 - "0: movl 32(%4), %%eax\n"
16827 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
16830 - "1: movl 64(%4), %%eax\n"
16831 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
16833 - "2: movl 0(%4), %%eax\n"
16834 - "21: movl 4(%4), %%edx\n"
16835 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
16836 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
16837 " movnti %%eax, 0(%3)\n"
16838 " movnti %%edx, 4(%3)\n"
16839 - "3: movl 8(%4), %%eax\n"
16840 - "31: movl 12(%4),%%edx\n"
16841 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
16842 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
16843 " movnti %%eax, 8(%3)\n"
16844 " movnti %%edx, 12(%3)\n"
16845 - "4: movl 16(%4), %%eax\n"
16846 - "41: movl 20(%4), %%edx\n"
16847 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
16848 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
16849 " movnti %%eax, 16(%3)\n"
16850 " movnti %%edx, 20(%3)\n"
16851 - "10: movl 24(%4), %%eax\n"
16852 - "51: movl 28(%4), %%edx\n"
16853 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
16854 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
16855 " movnti %%eax, 24(%3)\n"
16856 " movnti %%edx, 28(%3)\n"
16857 - "11: movl 32(%4), %%eax\n"
16858 - "61: movl 36(%4), %%edx\n"
16859 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
16860 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
16861 " movnti %%eax, 32(%3)\n"
16862 " movnti %%edx, 36(%3)\n"
16863 - "12: movl 40(%4), %%eax\n"
16864 - "71: movl 44(%4), %%edx\n"
16865 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
16866 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
16867 " movnti %%eax, 40(%3)\n"
16868 " movnti %%edx, 44(%3)\n"
16869 - "13: movl 48(%4), %%eax\n"
16870 - "81: movl 52(%4), %%edx\n"
16871 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
16872 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
16873 " movnti %%eax, 48(%3)\n"
16874 " movnti %%edx, 52(%3)\n"
16875 - "14: movl 56(%4), %%eax\n"
16876 - "91: movl 60(%4), %%edx\n"
16877 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
16878 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
16879 " movnti %%eax, 56(%3)\n"
16880 " movnti %%edx, 60(%3)\n"
16882 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
16884 " andl $3, %%eax\n"
16886 - "6: rep; movsl\n"
16887 + "6: rep; "__copyuser_seg" movsl\n"
16889 - "7: rep; movsb\n"
16890 + "7: rep; "__copyuser_seg" movsb\n"
16892 ".section .fixup,\"ax\"\n"
16893 "9: lea 0(%%eax,%0,4),%0\n"
16894 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
16896 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16897 unsigned long size);
16898 -unsigned long __copy_user_intel(void __user *to, const void *from,
16899 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16900 + unsigned long size);
16901 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16902 unsigned long size);
16903 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16904 const void __user *from, unsigned long size);
16905 #endif /* CONFIG_X86_INTEL_USERCOPY */
16907 /* Generic arbitrary sized copy. */
16908 -#define __copy_user(to, from, size) \
16909 +#define __copy_user(to, from, size, prefix, set, restore) \
16911 int __d0, __d1, __d2; \
16912 __asm__ __volatile__( \
16920 - "4: rep; movsb\n" \
16921 + "4: rep; "prefix"movsb\n" \
16925 " .align 2,0x90\n" \
16926 - "0: rep; movsl\n" \
16927 + "0: rep; "prefix"movsl\n" \
16929 - "1: rep; movsb\n" \
16930 + "1: rep; "prefix"movsb\n" \
16933 ".section .fixup,\"ax\"\n" \
16934 "5: addl %3,%0\n" \
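Review bot: `__copy_user()` gains three parameters (`prefix`, `set`, `restore`) but its only documentation remains `/* Generic arbitrary sized copy. */`; the two visible call sites, `__copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES)` in `__copy_to_user_ll` and `__copy_user(to, from, n, __copyuser_seg, "", "")` in the from-user callers, show the intended pairing but the macro does not. Suggested comment in place of the one-liner: `prefix` is the segment-override string spliced before each `movsl`/`movsb` for the user-side reads of a copy from user space, while `set`/`restore` are the asm fragments emitted around the copy to switch `%es` for the user-side writes of a copy to user space; in every visible caller one of the two is empty. The lines where `set` and `restore` are expanded inside the macro are not shown in this hunk.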
16936 @@ -682,14 +799,14 @@ do { \
16940 - "4: rep; movsb\n" \
16941 + "4: rep; "__copyuser_seg"movsb\n" \
16945 " .align 2,0x90\n" \
16946 - "0: rep; movsl\n" \
16947 + "0: rep; "__copyuser_seg"movsl\n" \
16949 - "1: rep; movsb\n" \
16950 + "1: rep; "__copyuser_seg"movsb\n" \
16952 ".section .fixup,\"ax\"\n" \
16953 "5: addl %3,%0\n" \
16954 @@ -775,9 +892,9 @@ survive:
16957 if (movsl_is_ok(to, from, n))
16958 - __copy_user(to, from, n);
16959 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
16961 - n = __copy_user_intel(to, from, n);
16962 + n = __generic_copy_to_user_intel(to, from, n);
16965 EXPORT_SYMBOL(__copy_to_user_ll);
16966 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
16969 if (movsl_is_ok(to, from, n))
16970 - __copy_user(to, from, n);
16971 + __copy_user(to, from, n, __copyuser_seg, "", "");
16973 - n = __copy_user_intel((void __user *)to,
16974 - (const void *)from, n);
16975 + n = __generic_copy_from_user_intel(to, from, n);
16978 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
16979 @@ -827,65 +943,49 @@ unsigned long __copy_from_user_ll_nocach
16980 if (n > 64 && cpu_has_xmm2)
16981 n = __copy_user_intel_nocache(to, from, n);
16983 - __copy_user(to, from, n);
16984 + __copy_user(to, from, n, __copyuser_seg, "", "");
16986 - __copy_user(to, from, n);
16987 + __copy_user(to, from, n, __copyuser_seg, "", "");
16991 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
16994 - * copy_to_user: - Copy a block of data into user space.
16995 - * @to: Destination address, in user space.
16996 - * @from: Source address, in kernel space.
16997 - * @n: Number of bytes to copy.
16999 - * Context: User context only. This function may sleep.
17001 - * Copy data from kernel space to user space.
17003 - * Returns number of bytes that could not be copied.
17004 - * On success, this will be zero.
17007 -copy_to_user(void __user *to, const void *from, unsigned long n)
17008 +void copy_from_user_overflow(void)
17010 - if (access_ok(VERIFY_WRITE, to, n))
17011 - n = __copy_to_user(to, from, n);
17013 + WARN(1, "Buffer overflow detected!\n");
17015 -EXPORT_SYMBOL(copy_to_user);
17016 +EXPORT_SYMBOL(copy_from_user_overflow);
17019 - * copy_from_user: - Copy a block of data from user space.
17020 - * @to: Destination address, in kernel space.
17021 - * @from: Source address, in user space.
17022 - * @n: Number of bytes to copy.
17024 - * Context: User context only. This function may sleep.
17026 - * Copy data from user space to kernel space.
17028 - * Returns number of bytes that could not be copied.
17029 - * On success, this will be zero.
17031 - * If some data could not be copied, this function will pad the copied
17032 - * data to the requested size using zero bytes.
17035 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17036 +void copy_to_user_overflow(void)
17038 - if (access_ok(VERIFY_READ, from, n))
17039 - n = __copy_from_user(to, from, n);
17041 - memset(to, 0, n);
17043 + WARN(1, "Buffer overflow detected!\n");
17045 -EXPORT_SYMBOL(_copy_from_user);
17046 +EXPORT_SYMBOL(copy_to_user_overflow);
17048 -void copy_from_user_overflow(void)
17049 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17050 +void __set_fs(mm_segment_t x)
17052 - WARN(1, "Buffer overflow detected!\n");
17055 + loadsegment(gs, 0);
17057 + case TASK_SIZE_MAX:
17058 + loadsegment(gs, __USER_DS);
17061 + loadsegment(gs, __KERNEL_DS);
17068 -EXPORT_SYMBOL(copy_from_user_overflow);
17070 +void set_fs(mm_segment_t x)
17072 + current_thread_info()->addr_limit = x;
17075 +EXPORT_SYMBOL(set_fs);
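Review bot: `__set_fs()` and `set_fs()` are added without a comment although they are what gives the `__copyuser_seg` (`gs;`) prefix used throughout this file its meaning: the `loadsegment(gs, …)` switch selects `__USER_DS` for `TASK_SIZE_MAX` and `__KERNEL_DS` in the other visible arm (the case label for the `loadsegment(gs, 0)` arm is not shown). Suggested header for `__set_fs`: `/* UDEREF: keep %gs in step with addr_limit — user data segment when the limit is TASK_SIZE_MAX, kernel data segment otherwise — so gs-prefixed user accesses are bounded by the segment */`. `set_fs()` stores `current_thread_info()->addr_limit = x` and the rest of its body is elided; whether the store and the `gs` reload are ordered so that preemption between them is harmless deserves a one-line comment as well.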
17077 diff -urNp linux-2.6.38.1/arch/x86/lib/usercopy_64.c linux-2.6.38.1/arch/x86/lib/usercopy_64.c
17078 --- linux-2.6.38.1/arch/x86/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
17079 +++ linux-2.6.38.1/arch/x86/lib/usercopy_64.c 2011-03-21 18:31:35.000000000 -0400
17080 @@ -42,6 +42,8 @@ long
17081 __strncpy_from_user(char *dst, const char __user *src, long count)
17084 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17085 + src += PAX_USER_SHADOW_BASE;
17086 __do_strncpy_from_user(dst, src, count, res);
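Review bot: The shadow-base relocation `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is written out by hand here and again in the two hunks below (`addr` in `__clear_user`, `to` and `from` in `copy_in_user`), four copies of a compare-and-add that must stay identical. Since the pointers differ in constness (`const char __user *` here, `void __user *` below) a small macro keeps one definition and one comment for all of them, and the comment is currently missing everywhere. In `copy_in_user` the relocation correctly happens after both `access_ok()` checks; the `__`-prefixed helpers rely on their callers for that, which the comment should say.
```c
/* UDEREF: a user pointer below PAX_USER_SHADOW_BASE is redirected into the
 * shadow mapping; a pointer already at or above it is left unchanged.
 * Callers must have passed access_ok() on the original pointer. */
#define pax_shadow_user_ptr(p) do {					\
	if ((unsigned long)(p) < PAX_USER_SHADOW_BASE)			\
		(p) += PAX_USER_SHADOW_BASE;				\
} while (0)
/* … call sites become: pax_shadow_user_ptr(src); … */
```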
17089 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17093 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17094 + addr += PAX_USER_SHADOW_BASE;
17095 /* no memory constraint because it doesn't change any memory gcc knows
17098 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17100 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17102 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17103 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17104 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17105 + to += PAX_USER_SHADOW_BASE;
17106 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17107 + from += PAX_USER_SHADOW_BASE;
17108 return copy_user_generic((__force void *)to, (__force void *)from, len);
17114 EXPORT_SYMBOL(copy_in_user);
17116 diff -urNp linux-2.6.38.1/arch/x86/Makefile linux-2.6.38.1/arch/x86/Makefile
17117 --- linux-2.6.38.1/arch/x86/Makefile 2011-03-14 21:20:32.000000000 -0400
17118 +++ linux-2.6.38.1/arch/x86/Makefile 2011-03-21 18:31:35.000000000 -0400
17119 @@ -195,3 +195,12 @@ define archhelp
17120 echo ' FDARGS="..." arguments for the booted kernel'
17121 echo ' FDINITRD=file initrd for the booted kernel'
17126 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17127 +*** Please upgrade your binutils to 2.18 or newer
17131 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
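Review bot: The check `$(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))` uses an empty `LDFLAGS_BUILD_ID` as a proxy for binutils older than 2.18, but the message only tells the user to upgrade and nothing records why build-id support is the discriminator. A comment above the check stating what the PaX build needs from binutils ≥ 2.18 and why `LDFLAGS_BUILD_ID` is a faithful indicator would keep the two from drifting when the minimum version changes. The lines defining `OLD_LD` around the message text are partly elided here.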
17132 diff -urNp linux-2.6.38.1/arch/x86/mm/extable.c linux-2.6.38.1/arch/x86/mm/extable.c
17133 --- linux-2.6.38.1/arch/x86/mm/extable.c 2011-03-14 21:20:32.000000000 -0400
17134 +++ linux-2.6.38.1/arch/x86/mm/extable.c 2011-03-21 18:31:35.000000000 -0400
17136 #include <linux/module.h>
17137 #include <linux/spinlock.h>
17138 +#include <linux/sort.h>
17139 #include <asm/uaccess.h>
17140 +#include <asm/pgtable.h>
17143 + * The exception table needs to be sorted so that the binary
17144 + * search that we use to find entries in it works properly.
17145 + * This is used both for the kernel exception table and for
17146 + * the exception tables of modules that get loaded.
17148 +static int cmp_ex(const void *a, const void *b)
17150 + const struct exception_table_entry *x = a, *y = b;
17152 + /* avoid overflow */
17153 + if (x->insn > y->insn)
17155 + if (x->insn < y->insn)
17160 +static void swap_ex(void *a, void *b, int size)
17162 + struct exception_table_entry t, *x = a, *y = b;
17166 + pax_open_kernel();
17169 + pax_close_kernel();
17172 +void sort_extable(struct exception_table_entry *start,
17173 + struct exception_table_entry *finish)
17175 + sort(start, finish - start, sizeof(struct exception_table_entry),
17176 + cmp_ex, swap_ex);
17179 +#ifdef CONFIG_MODULES
17181 + * If the exception table is sorted, any referring to the module init
17182 + * will be at the beginning or the end.
17184 +void trim_init_extable(struct module *m)
17186 + /*trim the beginning*/
17187 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17189 + m->num_exentries--;
17192 + while (m->num_exentries &&
17193 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17194 + m->num_exentries--;
17196 +#endif /* CONFIG_MODULES */
17198 int fixup_exception(struct pt_regs *regs)
17200 const struct exception_table_entry *fixup;
17202 #ifdef CONFIG_PNPBIOS
17203 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17204 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17205 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17206 extern u32 pnp_bios_is_utter_crap;
17207 pnp_bios_is_utter_crap = 1;
17208 diff -urNp linux-2.6.38.1/arch/x86/mm/fault.c linux-2.6.38.1/arch/x86/mm/fault.c
17209 --- linux-2.6.38.1/arch/x86/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
17210 +++ linux-2.6.38.1/arch/x86/mm/fault.c 2011-03-21 23:48:53.000000000 -0400
17211 @@ -12,10 +12,18 @@
17212 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17213 #include <linux/perf_event.h> /* perf_sw_event */
17214 #include <linux/hugetlb.h> /* hstate_index_to_shift */
17215 +#include <linux/unistd.h>
17216 +#include <linux/compiler.h>
17218 #include <asm/traps.h> /* dotraplinkage, ... */
17219 #include <asm/pgalloc.h> /* pgd_*(), ... */
17220 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17221 +#include <asm/vsyscall.h>
17222 +#include <asm/tlbflush.h>
17224 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17225 +#include <asm/stacktrace.h>
17229 * Page fault error code bits:
17230 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
17233 /* kprobe_running() needs smp_processor_id() */
17234 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17235 + if (kprobes_built_in() && !user_mode(regs)) {
17237 if (kprobe_running() && kprobe_fault_handler(regs, 14))
17239 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
17240 return !instr_lo || (instr_lo>>1) == 1;
17242 /* Prefetch instruction is 0x0F0D or 0x0F18 */
17243 - if (probe_kernel_address(instr, opcode))
17244 + if (user_mode(regs)) {
17245 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17247 + } else if (probe_kernel_address(instr, opcode))
17250 *prefetch = (instr_lo == 0xF) &&
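Review bot: The user-mode opcode fetch `if (user_mode(regs)) { if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1)) … } else if (probe_kernel_address(instr, opcode))` is written out twice, here in `check_prefetch_opcode()` and again in `is_prefetch()` in the next hunk, and neither copy says why `probe_kernel_address()` no longer suffices for a user address (presumably because UDEREF separates the user and kernel address spaces). A small helper keeps the two in step and gives the reason a home; both call sites then read `if (read_insn_byte(regs, instr, &opcode)) return 0;` — the `return` following the failed copy is elided here, so its value is taken from the surrounding code. The enclosing functions start outside this hunk.
```c
/* Fetch the instruction byte at @instr for the faulting context.
 * NOTE(review): with UDEREF a user address is presumably not readable via
 * probe_kernel_address() — confirm; user-mode faults use the uaccess path.
 * Returns 0 on success, -1 if the byte could not be read. */
static int read_insn_byte(struct pt_regs *regs, const unsigned char *instr,
			  unsigned char *opcode)
{
	if (user_mode(regs))
		return __copy_from_user_inatomic(opcode,
			(__force const unsigned char __user *)instr, 1) ? -1 : 0;
	return probe_kernel_address(instr, *opcode) ? -1 : 0;
}
```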
17251 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
17252 while (instr < max_instr) {
17253 unsigned char opcode;
17255 - if (probe_kernel_address(instr, opcode))
17256 + if (user_mode(regs)) {
17257 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17259 + } else if (probe_kernel_address(instr, opcode))
17263 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
17264 force_sig_info(si_signo, &info, tsk);
17267 +#ifdef CONFIG_PAX_EMUTRAMP
17268 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17271 +#ifdef CONFIG_PAX_PAGEEXEC
17272 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17278 + pgd = pgd_offset(mm, address);
17279 + if (!pgd_present(*pgd))
17281 + pud = pud_offset(pgd, address);
17282 + if (!pud_present(*pud))
17284 + pmd = pmd_offset(pud, address);
17285 + if (!pmd_present(*pmd))
17291 DEFINE_SPINLOCK(pgd_lock);
17292 LIST_HEAD(pgd_list);
17294 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
17295 for (address = VMALLOC_START & PMD_MASK;
17296 address >= TASK_SIZE && address < FIXADDR_TOP;
17297 address += PMD_SIZE) {
17299 +#ifdef CONFIG_PAX_PER_CPU_PGD
17300 + unsigned long cpu;
17305 spin_lock(&pgd_lock);
17307 +#ifdef CONFIG_PAX_PER_CPU_PGD
17308 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17309 + pgd_t *pgd = get_cpu_pgd(cpu);
17312 list_for_each_entry(page, &pgd_list, lru) {
17313 + pgd_t *pgd = page_address(page);
17314 spinlock_t *pgt_lock;
17317 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
17318 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
17320 spin_lock(pgt_lock);
17321 - ret = vmalloc_sync_one(page_address(page), address);
17324 + ret = vmalloc_sync_one(pgd, address);
17326 +#ifndef CONFIG_PAX_PER_CPU_PGD
17327 spin_unlock(pgt_lock);
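Review bot: The `pgt_lock` acquire and release are now guarded by two different preprocessor conditions — `spin_lock(pgt_lock)` sits in what is presumably the `#else` arm of the new `CONFIG_PAX_PER_CPU_PGD` block (the `#else`/`#endif` lines are elided here) while `spin_unlock(pgt_lock)` gets its own `#ifndef CONFIG_PAX_PER_CPU_PGD` — which makes the lock pairing hard to verify by reading. Factoring the per-pgd body into a helper such as `static void vmalloc_sync_pgd(pgd_t *pgd, unsigned long address)` and keeping lock and unlock in the same `#ifdef` arm of the caller would leave one visible pair. A comment on the per-CPU loop, `/* PER_CPU_PGD: every CPU has its own pgd; no page_table_lock involved since these are not mm pgds */`, should be added only if that is indeed why the lock is skipped, which this hunk does not show. `vmalloc_sync_all()` continues outside the hunk.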
17332 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
17333 * an interrupt in the middle of a task switch..
17335 pgd_paddr = read_cr3();
17337 +#ifdef CONFIG_PAX_PER_CPU_PGD
17338 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17341 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17344 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
17345 * happen within a race in page table update. In the later
17349 +#ifdef CONFIG_PAX_PER_CPU_PGD
17350 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17351 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17353 pgd = pgd_offset(current->active_mm, address);
17356 pgd_ref = pgd_offset_k(address);
17357 if (pgd_none(*pgd_ref))
17359 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
17360 static int is_errata100(struct pt_regs *regs, unsigned long address)
17362 #ifdef CONFIG_X86_64
17363 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17364 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17368 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
17371 static const char nx_warning[] = KERN_CRIT
17372 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17373 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17376 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17377 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
17378 if (!oops_may_print())
17381 - if (error_code & PF_INSTR) {
17382 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17383 unsigned int level;
17385 pte_t *pte = lookup_address(address, &level);
17387 if (pte && pte_present(*pte) && !pte_exec(*pte))
17388 - printk(nx_warning, current_uid());
17389 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17392 +#ifdef CONFIG_PAX_KERNEXEC
17393 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17394 + if (current->signal->curr_ip)
17395 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17396 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17398 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17399 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17403 printk(KERN_ALERT "BUG: unable to handle kernel ");
17404 if (address < PAGE_SIZE)
17405 printk(KERN_CONT "NULL pointer dereference");
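Review bot: `current_uid()` is printed with `%d` in the extended `nx_warning` but with `%u` in the two new `PAX: … attempted to modify kernel code` lines of the same function; `uid_t` is unsigned, so while the format string is being changed anyway it should read `"... exploit attempt? (uid: %u, task: %s, pid: %d)\n"`. Separately, `¤t->signal->curr_ip` in this rendering is almost certainly `&current->signal->curr_ip` with `&curr` swallowed as an HTML entity — the text as shown would not compile, so the page rather than the patch is at fault. The KERNEXEC test `init_mm.start_code <= address && address < init_mm.end_code` also deserves a short comment, e.g. `/* KERNEXEC: a fault inside the kernel text range is reported as an attempt to modify kernel code */`.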
17406 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17407 unsigned long address, int si_code)
17409 struct task_struct *tsk = current;
17410 + struct mm_struct *mm = tsk->mm;
17412 +#ifdef CONFIG_X86_64
17413 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
17414 + if (regs->ip == (unsigned long)vgettimeofday) {
17415 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17417 + } else if (regs->ip == (unsigned long)vtime) {
17418 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17420 + } else if (regs->ip == (unsigned long)vgetcpu) {
17421 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17427 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17428 + if (mm && (error_code & PF_USER)) {
17429 + unsigned long ip = regs->ip;
17431 + if (v8086_mode(regs))
17432 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
17435 + * It's possible to have interrupts off here:
17437 + local_irq_enable();
17439 +#ifdef CONFIG_PAX_PAGEEXEC
17440 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17441 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
17443 +#ifdef CONFIG_PAX_EMUTRAMP
17444 + switch (pax_handle_fetch_fault(regs)) {
17450 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17451 + do_group_exit(SIGKILL);
17455 +#ifdef CONFIG_PAX_SEGMEXEC
17456 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
17458 +#ifdef CONFIG_PAX_EMUTRAMP
17459 + switch (pax_handle_fetch_fault(regs)) {
17465 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17466 + do_group_exit(SIGKILL);
17473 /* User mode accesses just cause a SIGSEGV */
17474 if (error_code & PF_USER) {
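Review bot: The vsyscall redirect at lines 17413–17422 only rescues an instruction fetch whose `regs->ip` equals exactly `vgettimeofday`, `vtime` or `vgetcpu`, and only when `mm->context.vdso` is non-zero; a task without a mapped vDSO, or a jump to any other offset in that page, falls through to the ordinary SIGSEGV path now that the gate page is mapped non-executable (init_64.c hunk further down). That coupling is not stated anywhere in the hunk; a comment such as `/* vsyscall page is non-exec: bounce the three legacy entry points into the vDSO fallbacks, anything else is a real fault */` would make it explicit. The equality tests also assume the fault address is the entry point itself, which holds for a direct call but not for a fetch that lands mid-function — worth a note if that is intended. `__bad_area_nosemaphore` continues past the end of this hunk.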
17475 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
17479 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17480 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17485 + unsigned char pte_mask;
17487 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17488 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17491 + /* PaX: it's our fault, let's handle it if we can */
17493 + /* PaX: take a look at read faults before acquiring any locks */
17494 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17495 + /* instruction fetch attempt from a protected page in user mode */
17496 + up_read(&mm->mmap_sem);
17498 +#ifdef CONFIG_PAX_EMUTRAMP
17499 + switch (pax_handle_fetch_fault(regs)) {
17505 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17506 + do_group_exit(SIGKILL);
17509 + pmd = pax_get_pmd(mm, address);
17510 + if (unlikely(!pmd))
17513 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17514 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17515 + pte_unmap_unlock(pte, ptl);
17519 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17520 + /* write attempt to a protected page in user mode */
17521 + pte_unmap_unlock(pte, ptl);
17526 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17528 + if (likely(address > get_limit(regs->cs)))
17531 + set_pte(pte, pte_mkread(*pte));
17532 + __flush_tlb_one(address);
17533 + pte_unmap_unlock(pte, ptl);
17534 + up_read(&mm->mmap_sem);
17538 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17541 + * PaX: fill DTLB with user rights and retry
17543 + __asm__ __volatile__ (
17545 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17547 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17548 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17549 + * page fault when examined during a TLB load attempt. this is true not only
17550 + * for PTEs holding a non-present entry but also present entries that will
17551 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17552 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17553 + * for our target pages since their PTEs are simply not in the TLBs at all.
17555 + * the best thing in omitting it is that we gain around 15-20% speed in the
17556 + * fast path of the page fault handler and can get rid of tracing since we
17557 + * can no longer flush unintended entries.
17561 + __copyuser_seg"testb $0,(%0)\n"
17564 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
17565 + : "memory", "cc");
17566 + pte_unmap_unlock(pte, ptl);
17567 + up_read(&mm->mmap_sem);
17573 * Handle a spurious fault caused by a stale TLB entry.
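Review bot: The `pte_mask` expression at line 17538 depends on `PF_WRITE` being bit 1 so that `<< (_PAGE_BIT_DIRTY-1)` lands it on `_PAGE_DIRTY`; that is correct but opaque, so add `/* PF_WRITE (bit 1) shifted onto _PAGE_DIRTY (bit 6); _PAGE_USER lets the DTLB fill succeed */` next to it. The locking contract should also be stated at the top of the function: it is entered with `mm->mmap_sem` held for read and releases it itself on every path that returns non-zero (lines 17496, 17534, 17567), so the caller must not unlock again. The inline asm body (17558–17563) is elided here, so I cannot check the operands against the constraint list at 17564.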
17575 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
17577 access_error(unsigned long error_code, struct vm_area_struct *vma)
17579 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17582 if (error_code & PF_WRITE) {
17583 /* write, present and write, not present: */
17584 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17585 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
17587 struct vm_area_struct *vma;
17588 struct task_struct *tsk;
17589 - unsigned long address;
17590 struct mm_struct *mm;
17592 int write = error_code & PF_WRITE;
17593 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
17594 (write ? FAULT_FLAG_WRITE : 0);
17596 + /* Get the faulting address: */
17597 + unsigned long address = read_cr2();
17599 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17600 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17601 + if (!search_exception_tables(regs->ip)) {
17602 + bad_area_nosemaphore(regs, error_code, address);
17605 + if (address < PAX_USER_SHADOW_BASE) {
17606 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17607 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
17608 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, KERN_ERR);
17610 + address -= PAX_USER_SHADOW_BASE;
17617 - /* Get the faulting address: */
17618 - address = read_cr2();
17621 * Detect and handle instructions that would cause a page fault for
17622 * both a tracked kernel page and a userspace page.
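Review bot: What happens after the `address < PAX_USER_SHADOW_BASE` report depends on the elided line 17609: if it is a bare `}` the `address -= PAX_USER_SHADOW_BASE` at 17610 also runs for those addresses and wraps to a huge value; if it is `} else`, the fault is handled with the original address. Either way a one-line comment after the report, e.g. `/* unshadowed user access from an exception-table site: handle as a plain fault */`, would make the intended fall-through explicit. The `%pA` conversion at 17607 is not a mainline 2.6.38 printk specifier, so it presumably relies on a vsprintf change elsewhere in this patch.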
17623 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
17624 * User-mode registers count as a user access even for any
17625 * potential system fault or CPU buglet:
17627 - if (user_mode_vm(regs)) {
17628 + if (user_mode(regs)) {
17629 local_irq_enable();
17630 error_code |= PF_USER;
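Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only behaviour-preserving on 32-bit if `user_mode()` itself now accounts for VM86 mode; in the 2.6.38 base it tests just the RPL bits of `regs->cs`, which a real-mode `cs` value in a vm86 task need not have set, and that is exactly why `user_mode_vm()` exists. If the patch redefines `user_mode()` in ptrace.h to fold in `X86_VM_MASK` (not visible here) this is fine; otherwise a vm86 fault would be treated as a kernel-mode access at this point, skipping `PF_USER` and the `local_irq_enable()`. A comment at the call site noting that dependency would save the next reader the same check.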
17632 @@ -1087,6 +1337,11 @@ retry:
17636 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17637 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17641 vma = find_vma(mm, address);
17642 if (unlikely(!vma)) {
17643 bad_area(regs, error_code, address);
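Review bot: The new call at line 17637 hides a lock transfer: `pax_handle_pageexec_fault()` releases `mm->mmap_sem` itself on every path where it returns non-zero (its `up_read()` calls at 17496, 17534 and 17567 in the earlier hunk), so the `return` that presumably follows must not unlock again. That is easy to break in a later refactor; add `/* non-zero: fault handled and mmap_sem already dropped */` at the call site. `do_page_fault` continues outside this hunk.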
17644 @@ -1098,18 +1353,24 @@ retry:
17645 bad_area(regs, error_code, address);
17648 - if (error_code & PF_USER) {
17650 - * Accessing the stack below %sp is always a bug.
17651 - * The large cushion allows instructions like enter
17652 - * and pusha to work. ("enter $65535, $31" pushes
17653 - * 32 pointers and then decrements %sp by 65535.)
17655 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17656 - bad_area(regs, error_code, address);
17660 + * Accessing the stack below %sp is always a bug.
17661 + * The large cushion allows instructions like enter
17662 + * and pusha to work. ("enter $65535, $31" pushes
17663 + * 32 pointers and then decrements %sp by 65535.)
17665 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17666 + bad_area(regs, error_code, address);
17670 +#ifdef CONFIG_PAX_SEGMEXEC
17671 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17672 + bad_area(regs, error_code, address);
17677 if (unlikely(expand_stack(vma, address))) {
17678 bad_area(regs, error_code, address);
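Review bot: Removing the `if (error_code & PF_USER)` guard means the below-%sp check now also rejects kernel-mode accesses to the user stack, using `task_pt_regs(tsk)->sp` as the reference; kernel stores such as signal-frame setup do land below the user sp, so correctness here rests on the 64 KiB plus 32-pointer cushion covering them. Say so in the comment above: `/* also applies to kernel-mode accesses (copy_to_user, signal frames); the cushion must cover every legitimate write below the user sp */`. The SEGMEXEC test at 17671 subtracts `SEGMEXEC_TASK_SIZE + 1` from both sides and relies on unsigned wrap-around; its intent is not recoverable from the expression alone, so a one-line comment naming the case it rejects would help.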
17680 @@ -1164,3 +1425,199 @@ good_area:
17682 up_read(&mm->mmap_sem);
17685 +#ifdef CONFIG_PAX_EMUTRAMP
17686 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17690 + do { /* PaX: gcc trampoline emulation #1 */
17691 + unsigned char mov1, mov2;
17692 + unsigned short jmp;
17693 + unsigned int addr1, addr2;
17695 +#ifdef CONFIG_X86_64
17696 + if ((regs->ip + 11) >> 32)
17700 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17701 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17702 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17703 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17704 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17709 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17710 + regs->cx = addr1;
17711 + regs->ax = addr2;
17712 + regs->ip = addr2;
17717 + do { /* PaX: gcc trampoline emulation #2 */
17718 + unsigned char mov, jmp;
17719 + unsigned int addr1, addr2;
17721 +#ifdef CONFIG_X86_64
17722 + if ((regs->ip + 9) >> 32)
17726 + err = get_user(mov, (unsigned char __user *)regs->ip);
17727 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17728 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17729 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17734 + if (mov == 0xB9 && jmp == 0xE9) {
17735 + regs->cx = addr1;
17736 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17741 + return 1; /* PaX in action */
17744 +#ifdef CONFIG_X86_64
17745 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17749 + do { /* PaX: gcc trampoline emulation #1 */
17750 + unsigned short mov1, mov2, jmp1;
17751 + unsigned char jmp2;
17752 + unsigned int addr1;
17753 + unsigned long addr2;
17755 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17756 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17757 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17758 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17759 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17760 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17765 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17766 + regs->r11 = addr1;
17767 + regs->r10 = addr2;
17768 + regs->ip = addr1;
17773 + do { /* PaX: gcc trampoline emulation #2 */
17774 + unsigned short mov1, mov2, jmp1;
17775 + unsigned char jmp2;
17776 + unsigned long addr1, addr2;
17778 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17779 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
17780 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
17781 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
17782 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
17783 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
17788 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17789 + regs->r11 = addr1;
17790 + regs->r10 = addr2;
17791 + regs->ip = addr1;
17796 + return 1; /* PaX in action */
17801 + * PaX: decide what to do with offenders (regs->ip = fault address)
17803 + * returns 1 when task should be killed
17804 + * 2 when gcc trampoline was detected
17806 +static int pax_handle_fetch_fault(struct pt_regs *regs)
17808 + if (v8086_mode(regs))
17811 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
17814 +#ifdef CONFIG_X86_32
17815 + return pax_handle_fetch_fault_32(regs);
17817 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
17818 + return pax_handle_fetch_fault_32(regs);
17820 + return pax_handle_fetch_fault_64(regs);
17825 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17826 +void pax_report_insns(void *pc, void *sp)
17830 + printk(KERN_ERR "PAX: bytes at PC: ");
17831 + for (i = 0; i < 20; i++) {
17833 + if (get_user(c, (__force unsigned char __user *)pc+i))
17834 + printk(KERN_CONT "?? ");
17836 + printk(KERN_CONT "%02x ", c);
17840 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
17841 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
17843 + if (get_user(c, (__force unsigned long __user *)sp+i))
17844 +#ifdef CONFIG_X86_32
17845 + printk(KERN_CONT "???????? ");
17847 + printk(KERN_CONT "???????????????? ");
17850 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
17857 + * probe_kernel_write(): safely attempt to write to a location
17858 + * @dst: address to write to
17859 + * @src: pointer to the data that shall be written
17860 + * @size: size of the data chunk
17862 + * Safely write to address @dst from the buffer at @src. If a kernel fault
17863 + * happens, handle that and return -EFAULT.
17865 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
17868 + mm_segment_t old_fs = get_fs();
17870 + set_fs(KERNEL_DS);
17871 + pagefault_disable();
17872 + pax_open_kernel();
17873 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
17874 + pax_close_kernel();
17875 + pagefault_enable();
17878 + return ret ? -EFAULT : 0;
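Review bot: `pax_report_insns()` copies 20 bytes at the faulting PC and roughly 80 bytes of user stack (plus one word below SP) into the kernel log at KERN_ERR; where unprivileged users can read dmesg this discloses the killed task's stack contents to them, so either note that trade-off at the function head or gate the SP dump on `dmesg_restrict`. In the trampoline emulators the `(regs->ip + 11) >> 32` and `(regs->ip + 9) >> 32` guards match the 12- and 10-byte windows read below them, and the `(unsigned int)` truncation at 17736 is what makes the signed rel32 arithmetic wrap correctly for a 32-bit task; both look like off-by-ones without a comment, e.g. `/* 12-byte pattern must stay below 4G for a 32-bit task */`. `probe_kernel_write()` must restore `old_fs` before returning; I assume the elided lines 17876–17877 do that.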
17880 diff -urNp linux-2.6.38.1/arch/x86/mm/gup.c linux-2.6.38.1/arch/x86/mm/gup.c
17881 --- linux-2.6.38.1/arch/x86/mm/gup.c 2011-03-14 21:20:32.000000000 -0400
17882 +++ linux-2.6.38.1/arch/x86/mm/gup.c 2011-03-21 18:31:35.000000000 -0400
17883 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
17885 len = (unsigned long) nr_pages << PAGE_SHIFT;
17887 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17888 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17889 (void __user *)start, len)))
17892 diff -urNp linux-2.6.38.1/arch/x86/mm/highmem_32.c linux-2.6.38.1/arch/x86/mm/highmem_32.c
17893 --- linux-2.6.38.1/arch/x86/mm/highmem_32.c 2011-03-14 21:20:32.000000000 -0400
17894 +++ linux-2.6.38.1/arch/x86/mm/highmem_32.c 2011-03-21 18:31:35.000000000 -0400
17895 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
17896 idx = type + KM_TYPE_NR*smp_processor_id();
17897 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17898 BUG_ON(!pte_none(*(kmap_pte-idx)));
17900 + pax_open_kernel();
17901 set_pte(kmap_pte-idx, mk_pte(page, prot));
17902 + pax_close_kernel();
17904 return (void *)vaddr;
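Review bot: The `pax_open_kernel()`/`pax_close_kernel()` bracket around `set_pte()` has no explanation in the hunk; presumably KERNEXEC keeps the fixmap page tables read-only and the bracket lifts that for the single store. A short comment such as `/* kmap_pte lives in page tables KERNEXEC keeps read-only */` would tell the next reader why this `set_pte()` differs from the others in the file. `kmap_atomic_prot` starts before this hunk.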
17906 diff -urNp linux-2.6.38.1/arch/x86/mm/hugetlbpage.c linux-2.6.38.1/arch/x86/mm/hugetlbpage.c
17907 --- linux-2.6.38.1/arch/x86/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
17908 +++ linux-2.6.38.1/arch/x86/mm/hugetlbpage.c 2011-03-21 23:47:41.000000000 -0400
17909 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
17910 struct hstate *h = hstate_file(file);
17911 struct mm_struct *mm = current->mm;
17912 struct vm_area_struct *vma;
17913 - unsigned long start_addr;
17914 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17916 +#ifdef CONFIG_PAX_SEGMEXEC
17917 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17918 + pax_task_size = SEGMEXEC_TASK_SIZE;
17921 + pax_task_size -= PAGE_SIZE;
17923 if (len > mm->cached_hole_size) {
17924 - start_addr = mm->free_area_cache;
17925 + start_addr = mm->free_area_cache;
17927 - start_addr = TASK_UNMAPPED_BASE;
17928 - mm->cached_hole_size = 0;
17929 + start_addr = mm->mmap_base;
17930 + mm->cached_hole_size = 0;
17934 @@ -280,26 +287,27 @@ full_search:
17936 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17937 /* At this point: (!vma || addr < vma->vm_end). */
17938 - if (TASK_SIZE - len < addr) {
17939 + if (pax_task_size - len < addr) {
17941 * Start a new search - just in case we missed
17944 - if (start_addr != TASK_UNMAPPED_BASE) {
17945 - start_addr = TASK_UNMAPPED_BASE;
17946 + if (start_addr != mm->mmap_base) {
17947 + start_addr = mm->mmap_base;
17948 mm->cached_hole_size = 0;
17953 - if (!vma || addr + len <= vma->vm_start) {
17954 - mm->free_area_cache = addr + len;
17957 + if (check_heap_stack_gap(vma, addr, len))
17959 if (addr + mm->cached_hole_size < vma->vm_start)
17960 mm->cached_hole_size = vma->vm_start - addr;
17961 addr = ALIGN(vma->vm_end, huge_page_size(h));
17964 + mm->free_area_cache = addr + len;
17968 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
17969 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
17971 struct hstate *h = hstate_file(file);
17972 struct mm_struct *mm = current->mm;
17973 - struct vm_area_struct *vma, *prev_vma;
17974 - unsigned long base = mm->mmap_base, addr = addr0;
17975 + struct vm_area_struct *vma;
17976 + unsigned long base = mm->mmap_base, addr;
17977 unsigned long largest_hole = mm->cached_hole_size;
17978 - int first_time = 1;
17980 /* don't allow allocations above current base */
17981 if (mm->free_area_cache > base)
17982 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
17984 mm->free_area_cache = base;
17988 /* make sure it can fit in the remaining address space */
17989 if (mm->free_area_cache < len)
17992 /* either no address requested or cant fit in requested address hole */
17993 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
17994 + addr = (mm->free_area_cache - len);
17996 + addr &= huge_page_mask(h);
17997 + vma = find_vma(mm, addr);
17999 * Lookup failure means no vma is above this address,
18000 * i.e. return with success:
18002 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18006 * new region fits between prev_vma->vm_end and
18007 * vma->vm_start, use it:
18009 - if (addr + len <= vma->vm_start &&
18010 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18011 + if (check_heap_stack_gap(vma, addr, len)) {
18012 /* remember the address as a hint for next time */
18013 - mm->cached_hole_size = largest_hole;
18014 - return (mm->free_area_cache = addr);
18016 - /* pull free_area_cache down to the first hole */
18017 - if (mm->free_area_cache == vma->vm_end) {
18018 - mm->free_area_cache = vma->vm_start;
18019 - mm->cached_hole_size = largest_hole;
18021 + mm->cached_hole_size = largest_hole;
18022 + return (mm->free_area_cache = addr);
18024 + /* pull free_area_cache down to the first hole */
18025 + if (mm->free_area_cache == vma->vm_end) {
18026 + mm->free_area_cache = vma->vm_start;
18027 + mm->cached_hole_size = largest_hole;
18030 /* remember the largest hole we saw so far */
18031 if (addr + largest_hole < vma->vm_start)
18032 - largest_hole = vma->vm_start - addr;
18033 + largest_hole = vma->vm_start - addr;
18035 /* try just below the current vma->vm_start */
18036 - addr = (vma->vm_start - len) & huge_page_mask(h);
18037 - } while (len <= vma->vm_start);
18038 + addr = skip_heap_stack_gap(vma, len);
18039 + } while (!IS_ERR_VALUE(addr));
18043 - * if hint left us with no space for the requested
18044 - * mapping then try again:
18046 - if (first_time) {
18047 - mm->free_area_cache = base;
18048 - largest_hole = 0;
18053 * A failed mmap() very likely causes application failure,
18054 * so fall back to the bottom-up function here. This scenario
18055 * can happen with large stack limits and large mmap()
18058 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18060 +#ifdef CONFIG_PAX_SEGMEXEC
18061 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18062 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18066 + mm->mmap_base = TASK_UNMAPPED_BASE;
18068 +#ifdef CONFIG_PAX_RANDMMAP
18069 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18070 + mm->mmap_base += mm->delta_mmap;
18073 + mm->free_area_cache = mm->mmap_base;
18074 mm->cached_hole_size = ~0UL;
18075 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18076 len, pgoff, flags);
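Review bot: The comment at lines 18006–18007 still says the region fits "between prev_vma->vm_end and vma->vm_start", but this hunk removes `prev_vma` and `find_vma_prev()` and replaces the `addr >= prev_vma->vm_end` half of the test with `check_heap_stack_gap(vma, addr, len)`; update it to `/* new region fits below vma->vm_start (gap-checked), use it: */`. Whether the previous-vma overlap is still rejected now depends entirely on `check_heap_stack_gap()`, which is defined outside this file, so a note stating that assumption belongs here. The fallback path also rewrites `mm->mmap_base` in place (18060–18070) and only restores it at `fail:`; a comment explaining why the bottom-up base is recomputed here rather than taken from the layout code would help.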
18077 @@ -386,6 +392,7 @@ fail:
18079 * Restore the topdown base:
18081 + mm->mmap_base = base;
18082 mm->free_area_cache = base;
18083 mm->cached_hole_size = ~0UL;
18085 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
18086 struct hstate *h = hstate_file(file);
18087 struct mm_struct *mm = current->mm;
18088 struct vm_area_struct *vma;
18089 + unsigned long pax_task_size = TASK_SIZE;
18091 if (len & ~huge_page_mask(h))
18093 - if (len > TASK_SIZE)
18095 +#ifdef CONFIG_PAX_SEGMEXEC
18096 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18097 + pax_task_size = SEGMEXEC_TASK_SIZE;
18100 + pax_task_size -= PAGE_SIZE;
18102 + if (len > pax_task_size)
18105 if (flags & MAP_FIXED) {
18106 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
18108 addr = ALIGN(addr, huge_page_size(h));
18109 vma = find_vma(mm, addr);
18110 - if (TASK_SIZE - len >= addr &&
18111 - (!vma || addr + len <= vma->vm_start))
18112 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18115 if (mm->get_unmapped_area == arch_get_unmapped_area)
18116 diff -urNp linux-2.6.38.1/arch/x86/mm/init_32.c linux-2.6.38.1/arch/x86/mm/init_32.c
18117 --- linux-2.6.38.1/arch/x86/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
18118 +++ linux-2.6.38.1/arch/x86/mm/init_32.c 2011-03-21 18:31:35.000000000 -0400
18119 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
18123 - * Creates a middle page table and puts a pointer to it in the
18124 - * given global directory entry. This only returns the gd entry
18125 - * in non-PAE compilation mode, since the middle layer is folded.
18127 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18130 - pmd_t *pmd_table;
18132 -#ifdef CONFIG_X86_PAE
18133 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18134 - if (after_bootmem)
18135 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18137 - pmd_table = (pmd_t *)alloc_low_page();
18138 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18139 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18140 - pud = pud_offset(pgd, 0);
18141 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18143 - return pmd_table;
18146 - pud = pud_offset(pgd, 0);
18147 - pmd_table = pmd_offset(pud, 0);
18149 - return pmd_table;
18153 * Create a page table and place a pointer to it in a middle page
18156 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
18157 page_table = (pte_t *)alloc_low_page();
18159 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18160 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18161 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18163 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18165 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18168 return pte_offset_kernel(pmd, 0);
18171 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18174 + pmd_t *pmd_table;
18176 + pud = pud_offset(pgd, 0);
18177 + pmd_table = pmd_offset(pud, 0);
18179 + return pmd_table;
18182 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18184 int pgd_idx = pgd_index(vaddr);
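Review bot: The rewritten `one_md_table_init()` (18171–18180) no longer allocates or installs a PMD page under PAE; it only returns `pmd_offset(pud_offset(pgd, 0), 0)`, which is valid solely if every PGD entry is already populated at boot (presumably by head_32.S changes elsewhere in the patch). Make that precondition explicit and fatal rather than silent: `BUG_ON(!(pgd_val(*pgd) & _PAGE_PRESENT));` before the return, plus `/* PAE PMDs are preallocated at boot; this only locates them */`. The switch from `_PAGE_TABLE` to `_KERNPG_TABLE` at 18161 drops `_PAGE_USER` from kernel PMD entries, which is the point of the ifdef, but that too deserves a one-line why.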
18185 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
18186 int pgd_idx, pmd_idx;
18187 unsigned long vaddr;
18193 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
18194 pgd = pgd_base + pgd_idx;
18196 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18197 - pmd = one_md_table_init(pgd);
18198 - pmd = pmd + pmd_index(vaddr);
18199 + pud = pud_offset(pgd, vaddr);
18200 + pmd = pmd_offset(pud, vaddr);
18202 +#ifdef CONFIG_X86_PAE
18203 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18206 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18207 pmd++, pmd_idx++) {
18208 pte = page_table_kmap_check(one_page_table_init(pmd),
18209 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
18213 -static inline int is_kernel_text(unsigned long addr)
18214 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18216 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
18219 + if ((start > ktla_ktva((unsigned long)_etext) ||
18220 + end <= ktla_ktva((unsigned long)_stext)) &&
18221 + (start > ktla_ktva((unsigned long)_einittext) ||
18222 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18224 +#ifdef CONFIG_ACPI_SLEEP
18225 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18228 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
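Review bot: Each disjointness test pairs `start > region_end` with `end <= region_start`; if `_etext`, `_einittext` and `acpi_wakeup_address + 0x4000` are exclusive bounds, the left-hand tests should be `start >=`, otherwise a range beginning exactly at `_etext` is still classified as text and mapped executable. The `0x4000` after `acpi_wakeup_address` and the `0xc0000`–`0xfffff` window are unexplained magic numbers; name them or annotate them, e.g. `/* 16 KiB ACPI wakeup trampoline */` and `/* legacy BIOS/option-ROM area kept executable */` (the second is my inference from the address, so confirm it). The function's closing lines (18229–18233) are elided, so I am assuming it returns 0 when all four tests pass.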
18234 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
18235 unsigned long last_map_addr = end;
18236 unsigned long start_pfn, end_pfn;
18237 pgd_t *pgd_base = swapper_pg_dir;
18238 - int pgd_idx, pmd_idx, pte_ofs;
18239 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18245 unsigned pages_2m, pages_4k;
18246 @@ -281,8 +282,13 @@ repeat:
18248 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18249 pgd = pgd_base + pgd_idx;
18250 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18251 - pmd = one_md_table_init(pgd);
18252 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18253 + pud = pud_offset(pgd, 0);
18254 + pmd = pmd_offset(pud, 0);
18256 +#ifdef CONFIG_X86_PAE
18257 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18260 if (pfn >= end_pfn)
18262 @@ -294,14 +300,13 @@ repeat:
18264 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18265 pmd++, pmd_idx++) {
18266 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18267 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18270 * Map with big pages if possible, otherwise
18271 * create normal page tables:
18274 - unsigned int addr2;
18275 pgprot_t prot = PAGE_KERNEL_LARGE;
18277 * first pass will use the same initial
18278 @@ -311,11 +316,7 @@ repeat:
18279 __pgprot(PTE_IDENT_ATTR |
18282 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18283 - PAGE_OFFSET + PAGE_SIZE-1;
18285 - if (is_kernel_text(addr) ||
18286 - is_kernel_text(addr2))
18287 + if (is_kernel_text(address, address + PMD_SIZE))
18288 prot = PAGE_KERNEL_LARGE_EXEC;
18291 @@ -332,7 +333,7 @@ repeat:
18292 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18294 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18295 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18296 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18297 pgprot_t prot = PAGE_KERNEL;
18299 * first pass will use the same initial
18300 @@ -340,7 +341,7 @@ repeat:
18302 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18304 - if (is_kernel_text(addr))
18305 + if (is_kernel_text(address, address + PAGE_SIZE))
18306 prot = PAGE_KERNEL_EXEC;
18309 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
18311 pud = pud_offset(pgd, va);
18312 pmd = pmd_offset(pud, va);
18313 - if (!pmd_present(*pmd))
18314 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18317 pte = pte_offset_kernel(pmd, va);
18318 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
18320 static void __init pagetable_init(void)
18322 - pgd_t *pgd_base = swapper_pg_dir;
18324 - permanent_kmaps_init(pgd_base);
18325 + permanent_kmaps_init(swapper_pg_dir);
18328 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18329 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18330 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18332 /* user-defined highmem size */
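Review bot: Moving `__supported_pte_mask` to `__read_only` is safe only if every writer runs before the section is sealed or goes through `pax_open_kernel()`; the base kernel updates it from the NX/PGE setup paths at boot, and this hunk gives no hint whether those were converted. Add `/* sealed after init: later writers must use pax_open_kernel() */` at the definition so the constraint travels with the variable. The same `__read_only` change is made to the 64-bit definition in init_64.c, so both sites need the same guarantee.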
18333 @@ -755,6 +754,12 @@ void __init mem_init(void)
18337 +#ifdef CONFIG_PAX_PER_CPU_PGD
18338 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18339 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18340 + KERNEL_PGD_PTRS);
18343 #ifdef CONFIG_FLATMEM
18346 @@ -772,7 +777,7 @@ void __init mem_init(void)
18347 set_highmem_pages_init();
18349 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18350 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18351 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18352 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18354 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18355 @@ -813,10 +818,10 @@ void __init mem_init(void)
18356 ((unsigned long)&__init_end -
18357 (unsigned long)&__init_begin) >> 10,
18359 - (unsigned long)&_etext, (unsigned long)&_edata,
18360 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18361 + (unsigned long)&_sdata, (unsigned long)&_edata,
18362 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18364 - (unsigned long)&_text, (unsigned long)&_etext,
18365 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18366 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18369 @@ -894,6 +899,7 @@ void set_kernel_text_rw(void)
18370 if (!kernel_set_to_readonly)
18373 + start = ktla_ktva(start);
18374 pr_debug("Set kernel text: %lx - %lx for read write\n",
18375 start, start+size);
18377 @@ -908,6 +914,7 @@ void set_kernel_text_ro(void)
18378 if (!kernel_set_to_readonly)
18381 + start = ktla_ktva(start);
18382 pr_debug("Set kernel text: %lx - %lx for read only\n",
18383 start, start+size);
18385 @@ -936,6 +943,7 @@ void mark_rodata_ro(void)
18386 unsigned long start = PFN_ALIGN(_text);
18387 unsigned long size = PFN_ALIGN(_etext) - start;
18389 + start = ktla_ktva(start);
18390 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18391 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18393 diff -urNp linux-2.6.38.1/arch/x86/mm/init_64.c linux-2.6.38.1/arch/x86/mm/init_64.c
18394 --- linux-2.6.38.1/arch/x86/mm/init_64.c 2011-03-14 21:20:32.000000000 -0400
18395 +++ linux-2.6.38.1/arch/x86/mm/init_64.c 2011-03-21 18:31:35.000000000 -0400
18396 @@ -72,7 +72,7 @@ early_param("gbpages", parse_direct_gbpa
18397 * around without checking the pgd every time.
18400 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18401 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18402 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18404 int force_personality32;
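Review bot: Clearing `_PAGE_NX` from the default `__supported_pte_mask` on 64-bit changes boot semantics: any PTE built before the NX feature check re-enables the bit silently loses NX, whereas the 2.6.38 base assumed NX on x86-64 from the start. If the intent is to mirror the 32-bit "off until detected" policy, say so: `/* NX is masked off until the CPU check enables it, as on 32-bit */`, and confirm the early mapping code tolerates the window. Combined with `__read_only`, the writer that sets NX must also be bracketed with `pax_open_kernel()`.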
18405 @@ -105,12 +105,22 @@ void sync_global_pgds(unsigned long star
18407 for (address = start; address <= end; address += PGDIR_SIZE) {
18408 const pgd_t *pgd_ref = pgd_offset_k(address);
18410 +#ifdef CONFIG_PAX_PER_CPU_PGD
18411 + unsigned long cpu;
18416 if (pgd_none(*pgd_ref))
18419 spin_lock(&pgd_lock);
18421 +#ifdef CONFIG_PAX_PER_CPU_PGD
18422 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18423 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
18425 list_for_each_entry(page, &pgd_list, lru) {
18427 spinlock_t *pgt_lock;
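Review bot: The per-CPU branch iterates `cpu = 0 .. NR_CPUS-1` (18422), touching the PGD slot of every configured CPU rather than only the possible ones; `for_each_possible_cpu(cpu)` is the idiomatic bound and avoids syncing entries for CPUs that can never come online. That is only safe if the per-CPU pgd array is statically sized `NR_CPUS`, which `pgd_offset_cpu()` presumably assumes, so the choice deserves a comment either way. Note also that this branch takes no per-pgd lock, only `pgd_lock`; if per-CPU pgds are written only here and at boot that is fine, and a comment stating it would help.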
18428 @@ -119,6 +129,7 @@ void sync_global_pgds(unsigned long star
18429 /* the pgt_lock only for Xen */
18430 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
18431 spin_lock(pgt_lock);
18434 if (pgd_none(*pgd))
18435 set_pgd(pgd, *pgd_ref);
18436 @@ -126,7 +137,10 @@ void sync_global_pgds(unsigned long star
18437 BUG_ON(pgd_page_vaddr(*pgd)
18438 != pgd_page_vaddr(*pgd_ref));
18440 +#ifndef CONFIG_PAX_PER_CPU_PGD
18441 spin_unlock(pgt_lock);
18445 spin_unlock(&pgd_lock);
18447 @@ -200,7 +214,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18448 pmd = fill_pmd(pud, vaddr);
18449 pte = fill_pte(pmd, vaddr);
18451 + pax_open_kernel();
18452 set_pte(pte, new_pte);
18453 + pax_close_kernel();
18456 * It's enough to flush this one mapping.
18457 @@ -259,14 +275,12 @@ static void __init __init_extra_mapping(
18458 pgd = pgd_offset_k((unsigned long)__va(phys));
18459 if (pgd_none(*pgd)) {
18460 pud = (pud_t *) spp_getpage();
18461 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18463 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18465 pud = pud_offset(pgd, (unsigned long)__va(phys));
18466 if (pud_none(*pud)) {
18467 pmd = (pmd_t *) spp_getpage();
18468 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18470 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18472 pmd = pmd_offset(pud, phys);
18473 BUG_ON(!pmd_none(*pmd));
18474 @@ -706,6 +720,12 @@ void __init mem_init(void)
18478 +#ifdef CONFIG_PAX_PER_CPU_PGD
18479 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18480 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18481 + KERNEL_PGD_PTRS);
18484 /* clear_bss() already clear the empty_zero_page */
18487 @@ -866,8 +886,8 @@ int kern_addr_valid(unsigned long addr)
18488 static struct vm_area_struct gate_vma = {
18489 .vm_start = VSYSCALL_START,
18490 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18491 - .vm_page_prot = PAGE_READONLY_EXEC,
18492 - .vm_flags = VM_READ | VM_EXEC
18493 + .vm_page_prot = PAGE_READONLY,
18494 + .vm_flags = VM_READ
18497 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
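Review bot: Dropping `VM_EXEC` and `PAGE_READONLY_EXEC` from `gate_vma` makes the fixed-address vsyscall page non-executable, so every user instruction fetch there now faults; the only thing keeping legacy callers working is the `regs->ip == vgettimeofday/vtime/vgetcpu` rewrite in `__bad_area_nosemaphore()` (fault.c hunk above), which requires `mm->context.vdso` to be set. Record that coupling here: `/* mapped non-exec; legacy entry points are emulated by redirecting into the vDSO in __bad_area_nosemaphore() */`. Since `arch_vma_name()` still reports this vma as `[vsyscall]`, it will presumably now appear as `r--p` in `/proc/<pid>/maps`, which is user-visible and worth a changelog mention.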
18498 @@ -901,7 +921,7 @@ int in_gate_area_no_task(unsigned long a
18500 const char *arch_vma_name(struct vm_area_struct *vma)
18502 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18503 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18505 if (vma == &gate_vma)
18506 return "[vsyscall]";
18507 diff -urNp linux-2.6.38.1/arch/x86/mm/init.c linux-2.6.38.1/arch/x86/mm/init.c
18508 --- linux-2.6.38.1/arch/x86/mm/init.c 2011-03-14 21:20:32.000000000 -0400
18509 +++ linux-2.6.38.1/arch/x86/mm/init.c 2011-03-21 18:31:35.000000000 -0400
18510 @@ -72,11 +72,7 @@ static void __init find_early_table_spac
18511 * cause a hotspot and fill up ZONE_DMA. The page tables
18512 * need roughly 0.5KB per GB.
18514 -#ifdef CONFIG_X86_32
18519 + start = 0x100000;
18520 base = memblock_find_in_range(start, max_pfn_mapped<<PAGE_SHIFT,
18521 tables, PAGE_SIZE);
18522 if (base == MEMBLOCK_ERROR)
18523 @@ -323,7 +319,13 @@ unsigned long __init_refok init_memory_m
18525 int devmem_is_allowed(unsigned long pagenr)
18527 - if (pagenr <= 256)
18530 +#ifdef CONFIG_VM86
18531 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18534 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18536 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
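Review bot: The new split — pages below `ISA_START_ADDRESS` only under `CONFIG_VM86`, the ISA hole always — needs a comment explaining why VM86 lifts the restriction (presumably vm86 users such as X servers and DOS emulators read the real-mode IVT/BDA through /dev/mem), e.g. `/* vm86 users need the real-mode IVT/BDA in the first 640 KiB; the legacy ISA window is always allowed */`. It also silently fixes the old inclusive `pagenr <= 256` bound, which exposed the first page above 1 MiB; that is a behaviour change independent of the ISA split and deserves a changelog line. The `return 1` lines for both branches are elided here, so I am assuming that is what they contain.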
18538 @@ -383,6 +385,86 @@ void free_init_pages(char *what, unsigne
18540 void free_initmem(void)
18543 +#ifdef CONFIG_PAX_KERNEXEC
18544 +#ifdef CONFIG_X86_32
18545 + /* PaX: limit KERNEL_CS to actual size */
18546 + unsigned long addr, limit;
18547 + struct desc_struct d;
18550 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18551 + limit = (limit - 1UL) >> PAGE_SHIFT;
18553 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18554 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18555 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18556 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18559 + /* PaX: make KERNEL_CS read-only */
18560 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18561 + if (!paravirt_enabled())
18562 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18564 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18565 + pgd = pgd_offset_k(addr);
18566 + pud = pud_offset(pgd, addr);
18567 + pmd = pmd_offset(pud, addr);
18568 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18571 +#ifdef CONFIG_X86_PAE
18572 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18574 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18575 + pgd = pgd_offset_k(addr);
18576 + pud = pud_offset(pgd, addr);
18577 + pmd = pmd_offset(pud, addr);
18578 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18583 +#ifdef CONFIG_MODULES
18584 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18591 + unsigned long addr, end;
18593 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18594 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18595 + pgd = pgd_offset_k(addr);
18596 + pud = pud_offset(pgd, addr);
18597 + pmd = pmd_offset(pud, addr);
18598 + if (!pmd_present(*pmd))
18600 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18601 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18603 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18606 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18607 + end = addr + KERNEL_IMAGE_SIZE;
18608 + for (; addr < end; addr += PMD_SIZE) {
18609 + pgd = pgd_offset_k(addr);
18610 + pud = pud_offset(pgd, addr);
18611 + pmd = pmd_offset(pud, addr);
18612 + if (!pmd_present(*pmd))
18614 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18615 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18622 free_init_pages("unused kernel memory",
18623 (unsigned long)(&__init_begin),
18624 (unsigned long)(&__init_end));
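Review bot: `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);` passes an integer sum as the destination pointer; unless PAGE_OFFSET carries a pointer type in this tree, that is an implicit integer-to-pointer conversion the compiler will warn about, so write `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);`. The GDT rewrite loop `for (cpu = 0; cpu < NR_CPUS; cpu++)` walks every compile-time CPU slot rather than `for_each_possible_cpu(cpu)`; the same pattern appears in the __set_pmd_pte hunk of pageattr.c and the bios32_service hunk of pcbios.c, so fix or justify it once for all three. The two 32-bit PMD loops (the RW clear over _text.._sdata and the NX set over __init_begin..__init_end) lack the `if (!pmd_present(*pmd))` guard that the 64-bit loops in the same hunk have; if kernel text is guaranteed mapped there, a one-line comment saying so would keep the asymmetry from looking accidental. free_initmem's closing brace and the declaration of `cpu` lie outside the visible hunk.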
18625 diff -urNp linux-2.6.38.1/arch/x86/mm/iomap_32.c linux-2.6.38.1/arch/x86/mm/iomap_32.c
18626 --- linux-2.6.38.1/arch/x86/mm/iomap_32.c 2011-03-14 21:20:32.000000000 -0400
18627 +++ linux-2.6.38.1/arch/x86/mm/iomap_32.c 2011-03-21 18:31:35.000000000 -0400
18628 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18629 type = kmap_atomic_idx_push();
18630 idx = type + KM_TYPE_NR * smp_processor_id();
18631 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18633 + pax_open_kernel();
18634 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18635 + pax_close_kernel();
18637 arch_flush_lazy_mmu_mode();
18639 return (void *)vaddr;
18640 diff -urNp linux-2.6.38.1/arch/x86/mm/ioremap.c linux-2.6.38.1/arch/x86/mm/ioremap.c
18641 --- linux-2.6.38.1/arch/x86/mm/ioremap.c 2011-03-14 21:20:32.000000000 -0400
18642 +++ linux-2.6.38.1/arch/x86/mm/ioremap.c 2011-03-21 18:31:35.000000000 -0400
18643 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
18644 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
18645 int is_ram = page_is_ram(pfn);
18647 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18648 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18650 WARN_ON_ONCE(is_ram);
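Review bot: The new condition `(pfn >= 0x100 || !PageReserved(pfn_to_page(pfn)))` hard-codes the first-megabyte boundary as a pfn literal, while the devmem_is_allowed hunk of init.c in this same patch spells the same boundary as `ISA_END_ADDRESS >> PAGE_SHIFT`; use the named form here too so the two checks visibly agree. Since the effect is to stop ioremap of reserved RAM pages above 1 MiB, a comment such as `/* only reserved pages in the first MiB (BIOS/ISA area) may be ioremapped; all other RAM is rejected */` should accompany the line. The rest of __ioremap_caller is outside the hunk.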
18652 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
18653 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18655 static __initdata int after_paging_init;
18656 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18657 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18659 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18661 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
18662 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18664 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18665 - memset(bm_pte, 0, sizeof(bm_pte));
18666 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18667 + pmd_populate_user(&init_mm, pmd, bm_pte);
18670 * The boot-ioremap range spans multiple pmds, for which
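Review bot: `pmd_populate_user(&init_mm, pmd, bm_pte);` installs a kernel page table into init_mm through the user-populate helper, which is surprising enough to need a comment; presumably it is because bm_pte is now `__read_only` (previous hunk) and the kernel variant would apply the wrong protection, but the hunk does not say. Dropping `memset(bm_pte, 0, sizeof(bm_pte))` is only safe because bm_pte is a statically zero-initialised object that is populated once here; a note like `/* bm_pte is static (zero-initialised) and read-only after init; populate via the user helper so the PMD entry carries the protection PaX expects */` would tie the two changes together. early_ioremap_init's remaining body is outside the hunk.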
18671 diff -urNp linux-2.6.38.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.38.1/arch/x86/mm/kmemcheck/kmemcheck.c
18672 --- linux-2.6.38.1/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-14 21:20:32.000000000 -0400
18673 +++ linux-2.6.38.1/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-21 18:31:35.000000000 -0400
18674 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18675 * memory (e.g. tracked pages)? For now, we need this to avoid
18676 * invoking kmemcheck for PnP BIOS calls.
18678 - if (regs->flags & X86_VM_MASK)
18679 + if (v8086_mode(regs))
18681 - if (regs->cs != __KERNEL_CS)
18682 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18685 pte = kmemcheck_pte_lookup(address);
18686 diff -urNp linux-2.6.38.1/arch/x86/mm/mmap.c linux-2.6.38.1/arch/x86/mm/mmap.c
18687 --- linux-2.6.38.1/arch/x86/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
18688 +++ linux-2.6.38.1/arch/x86/mm/mmap.c 2011-03-21 18:31:35.000000000 -0400
18689 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18690 * Leave an at least ~128 MB hole with possible stack randomization.
18692 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18693 -#define MAX_GAP (TASK_SIZE/6*5)
18694 +#define MAX_GAP (pax_task_size/6*5)
18697 * True on X86_32 or when emulating IA32 on X86_64
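Review bot: `#define MAX_GAP (pax_task_size/6*5)` now silently captures a local variable that only exists inside mmap_base() (see the next hunk), so the macro compiles nowhere else and its dependency is invisible at the definition site. Either pass the bound explicitly — `#define MAX_GAP(task_size) ((task_size)/6*5)` with the use becoming `else if (gap > MAX_GAP(pax_task_size))` — or at least comment `/* relies on a local pax_task_size in the caller (mmap_base) */`. The MIN_GAP definition above it still calls a function, so the two macros no longer follow the same convention.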
18698 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18699 return rnd << PAGE_SHIFT;
18702 -static unsigned long mmap_base(void)
18703 +static unsigned long mmap_base(struct mm_struct *mm)
18705 unsigned long gap = rlimit(RLIMIT_STACK);
18706 + unsigned long pax_task_size = TASK_SIZE;
18708 +#ifdef CONFIG_PAX_SEGMEXEC
18709 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18710 + pax_task_size = SEGMEXEC_TASK_SIZE;
18715 else if (gap > MAX_GAP)
18718 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18719 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18723 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18724 * does, but not when emulating X86_32
18726 -static unsigned long mmap_legacy_base(void)
18727 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18729 - if (mmap_is_ia32())
18730 + if (mmap_is_ia32()) {
18732 +#ifdef CONFIG_PAX_SEGMEXEC
18733 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18734 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18738 return TASK_UNMAPPED_BASE;
18741 return TASK_UNMAPPED_BASE + mmap_rnd();
18744 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18745 void arch_pick_mmap_layout(struct mm_struct *mm)
18747 if (mmap_is_legacy()) {
18748 - mm->mmap_base = mmap_legacy_base();
18749 + mm->mmap_base = mmap_legacy_base(mm);
18751 +#ifdef CONFIG_PAX_RANDMMAP
18752 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18753 + mm->mmap_base += mm->delta_mmap;
18756 mm->get_unmapped_area = arch_get_unmapped_area;
18757 mm->unmap_area = arch_unmap_area;
18759 - mm->mmap_base = mmap_base();
18760 + mm->mmap_base = mmap_base(mm);
18762 +#ifdef CONFIG_PAX_RANDMMAP
18763 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18764 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18767 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18768 mm->unmap_area = arch_unmap_area_topdown;
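Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied after mmap_base() has already clamped the gap to MIN_GAP/MAX_GAP, and the legacy branch's `mm->mmap_base += mm->delta_mmap;` is likewise unchecked, so the visible code gives no guarantee that the randomised base still respects the stack gap or stays below the task size. That is presumably enforced by the ranges the deltas are drawn from (PAX_DELTA_MMAP_LEN / PAX_DELTA_STACK_LEN elsewhere in the patch), but it should be stated at the point of use: `/* delta_mmap/delta_stack are bounded by PAX_DELTA_*_LEN, so the adjusted base stays inside the gap reserved by mmap_base() */`. The two `#ifdef CONFIG_PAX_RANDMMAP` blocks are also identical in shape and could share a small helper.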
18770 diff -urNp linux-2.6.38.1/arch/x86/mm/numa_32.c linux-2.6.38.1/arch/x86/mm/numa_32.c
18771 --- linux-2.6.38.1/arch/x86/mm/numa_32.c 2011-03-14 21:20:32.000000000 -0400
18772 +++ linux-2.6.38.1/arch/x86/mm/numa_32.c 2011-03-21 18:31:35.000000000 -0400
18773 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
18777 -extern unsigned long find_max_low_pfn(void);
18778 extern unsigned long highend_pfn, highstart_pfn;
18780 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
18781 diff -urNp linux-2.6.38.1/arch/x86/mm/pageattr.c linux-2.6.38.1/arch/x86/mm/pageattr.c
18782 --- linux-2.6.38.1/arch/x86/mm/pageattr.c 2011-03-14 21:20:32.000000000 -0400
18783 +++ linux-2.6.38.1/arch/x86/mm/pageattr.c 2011-03-21 18:31:35.000000000 -0400
18784 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
18786 #ifdef CONFIG_PCI_BIOS
18787 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
18788 - pgprot_val(forbidden) |= _PAGE_NX;
18789 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18793 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
18794 * Does not cover __inittext since that is gone later on. On
18795 * 64bit we do not enforce !NX on the low mapping
18797 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
18798 - pgprot_val(forbidden) |= _PAGE_NX;
18799 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
18800 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18802 +#ifdef CONFIG_DEBUG_RODATA
18804 * The .rodata section needs to be read-only. Using the pfn
18805 * catches all aliases.
18806 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
18807 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
18808 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
18809 pgprot_val(forbidden) |= _PAGE_RW;
18812 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18814 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
18818 +#ifdef CONFIG_PAX_KERNEXEC
18819 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
18820 + pgprot_val(forbidden) |= _PAGE_RW;
18821 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18825 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
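Review bot: The KERNEXEC check `if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata)))` compares a page frame number against byte physical addresses, whereas the DEBUG_RODATA test a few lines earlier in the same function shifts both bounds with `>> PAGE_SHIFT`; unless within() has been redefined in this patch, the range is off by a factor of PAGE_SIZE and the RW/NX forbid mask would never apply to the kernel text it is meant to protect. The fix is one line: `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. Because this is a protection check that fails silently, a comment stating the intended effect (`/* PaX: kernel text/rodata is never writable or non-executable via CPA */`) would make a regression easier to spot.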
18828 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
18829 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
18831 /* change init_mm */
18832 + pax_open_kernel();
18833 set_pte_atomic(kpte, pte);
18835 #ifdef CONFIG_X86_32
18836 if (!SHARED_KERNEL_PMD) {
18838 +#ifdef CONFIG_PAX_PER_CPU_PGD
18839 + unsigned long cpu;
18844 +#ifdef CONFIG_PAX_PER_CPU_PGD
18845 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18846 + pgd_t *pgd = get_cpu_pgd(cpu);
18848 list_for_each_entry(page, &pgd_list, lru) {
18850 + pgd_t *pgd = (pgd_t *)page_address(page);
18856 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
18857 + pgd += pgd_index(address);
18858 pud = pud_offset(pgd, address);
18859 pmd = pmd_offset(pud, address);
18860 set_pte_atomic((pte_t *)pmd, pte);
18864 + pax_close_kernel();
18868 diff -urNp linux-2.6.38.1/arch/x86/mm/pageattr-test.c linux-2.6.38.1/arch/x86/mm/pageattr-test.c
18869 --- linux-2.6.38.1/arch/x86/mm/pageattr-test.c 2011-03-14 21:20:32.000000000 -0400
18870 +++ linux-2.6.38.1/arch/x86/mm/pageattr-test.c 2011-03-21 18:31:35.000000000 -0400
18871 @@ -36,7 +36,7 @@ enum {
18873 static int pte_testbit(pte_t pte)
18875 - return pte_flags(pte) & _PAGE_UNUSED1;
18876 + return pte_flags(pte) & _PAGE_CPA_TEST;
18879 struct split_state {
18880 diff -urNp linux-2.6.38.1/arch/x86/mm/pat.c linux-2.6.38.1/arch/x86/mm/pat.c
18881 --- linux-2.6.38.1/arch/x86/mm/pat.c 2011-03-14 21:20:32.000000000 -0400
18882 +++ linux-2.6.38.1/arch/x86/mm/pat.c 2011-03-21 18:31:35.000000000 -0400
18883 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
18886 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
18887 - current->comm, current->pid, start, end);
18888 + current->comm, task_pid_nr(current), start, end);
18892 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
18893 while (cursor < to) {
18894 if (!devmem_is_allowed(pfn)) {
18896 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
18897 - current->comm, from, to);
18898 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
18899 + current->comm, from, to, cursor);
18902 cursor += PAGE_SIZE;
18903 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
18905 "%s:%d ioremap_change_attr failed %s "
18907 - current->comm, current->pid,
18908 + current->comm, task_pid_nr(current),
18910 base, (unsigned long long)(base + size));
18912 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
18913 if (want_flags != flags) {
18914 printk(KERN_WARNING
18915 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
18916 - current->comm, current->pid,
18917 + current->comm, task_pid_nr(current),
18918 cattr_name(want_flags),
18919 (unsigned long long)paddr,
18920 (unsigned long long)(paddr + size),
18921 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
18922 free_memtype(paddr, paddr + size);
18923 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
18924 " for %Lx-%Lx, got %s\n",
18925 - current->comm, current->pid,
18926 + current->comm, task_pid_nr(current),
18927 cattr_name(want_flags),
18928 (unsigned long long)paddr,
18929 (unsigned long long)(paddr + size),
18930 diff -urNp linux-2.6.38.1/arch/x86/mm/pgtable_32.c linux-2.6.38.1/arch/x86/mm/pgtable_32.c
18931 --- linux-2.6.38.1/arch/x86/mm/pgtable_32.c 2011-03-14 21:20:32.000000000 -0400
18932 +++ linux-2.6.38.1/arch/x86/mm/pgtable_32.c 2011-03-21 18:31:35.000000000 -0400
18933 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
18936 pte = pte_offset_kernel(pmd, vaddr);
18938 + pax_open_kernel();
18939 if (pte_val(pteval))
18940 set_pte_at(&init_mm, vaddr, pte, pteval);
18942 pte_clear(&init_mm, vaddr, pte);
18943 + pax_close_kernel();
18946 * It's enough to flush this one mapping.
18947 diff -urNp linux-2.6.38.1/arch/x86/mm/pgtable.c linux-2.6.38.1/arch/x86/mm/pgtable.c
18948 --- linux-2.6.38.1/arch/x86/mm/pgtable.c 2011-03-23 17:20:06.000000000 -0400
18949 +++ linux-2.6.38.1/arch/x86/mm/pgtable.c 2011-03-24 23:22:14.000000000 -0400
18950 @@ -84,9 +84,58 @@ static inline void pgd_list_del(pgd_t *p
18951 list_del(&page->lru);
18954 -#define UNSHARED_PTRS_PER_PGD \
18955 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
18956 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18957 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
18959 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18962 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
18966 +#ifdef CONFIG_PAX_PER_CPU_PGD
18967 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18971 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18972 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
18980 +#ifdef CONFIG_PAX_PER_CPU_PGD
18981 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
18982 +static inline void pgd_dtor(pgd_t *pgd) {}
18983 +#ifdef CONFIG_X86_64
18984 +#define pxd_t pud_t
18985 +#define pyd_t pgd_t
18986 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
18987 +#define pxd_free(mm, pud) pud_free((mm), (pud))
18988 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
18989 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
18990 +#define PYD_SIZE PGDIR_SIZE
18992 +#define pxd_t pmd_t
18993 +#define pyd_t pud_t
18994 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
18995 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
18996 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
18997 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
18998 +#define PYD_SIZE PUD_SIZE
19001 +#define pxd_t pmd_t
19002 +#define pyd_t pud_t
19003 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19004 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19005 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19006 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19007 +#define PYD_SIZE PUD_SIZE
19009 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
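Review bot: The `pxd_t`/`pyd_t` macro sets are written out three times, and as far as the elided preprocessor lines allow me to tell the 32-bit CONFIG_PAX_PER_CPU_PGD branch and the !CONFIG_PAX_PER_CPU_PGD branch are byte-for-byte identical (`pxd_t pmd_t`, `pyd_t pud_t`, `PYD_SIZE PUD_SIZE`, …); collapsing them to `#if defined(CONFIG_PAX_PER_CPU_PGD) && defined(CONFIG_X86_64)` / `#else` removes the duplication and one place for the two copies to drift. The scheme also needs a comment at the top of the block, e.g. `/* pxd = the level that gets preallocated (pud on 64-bit per-cpu PGD, pmd otherwise); pyd = the level it is populated into */`. Minor: `pyd_offset(mm ,address)` has the comma misplaced in all three copies.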
19011 @@ -128,6 +177,7 @@ static void pgd_dtor(pgd_t *pgd)
19013 spin_unlock(&pgd_lock);
19018 * List of all pgd's needed for non-PAE so it can invalidate entries
19019 @@ -140,7 +190,7 @@ static void pgd_dtor(pgd_t *pgd)
19023 -#ifdef CONFIG_X86_PAE
19024 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19026 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19027 * updating the top-level pagetable entries to guarantee the
19028 @@ -152,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd)
19029 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19030 * and initialize the kernel pmds here.
19032 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19033 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19035 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19037 @@ -170,36 +220,38 @@ void pud_populate(struct mm_struct *mm,
19041 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19042 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19043 #else /* !CONFIG_X86_PAE */
19045 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19046 -#define PREALLOCATED_PMDS 0
19047 +#define PREALLOCATED_PXDS 0
19049 #endif /* CONFIG_X86_PAE */
19051 -static void free_pmds(pmd_t *pmds[])
19052 +static void free_pxds(pxd_t *pxds[])
19056 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19058 - free_page((unsigned long)pmds[i]);
19059 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19061 + free_page((unsigned long)pxds[i]);
19064 -static int preallocate_pmds(pmd_t *pmds[])
19065 +static int preallocate_pxds(pxd_t *pxds[])
19068 bool failed = false;
19070 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19071 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19073 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19074 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19087 @@ -212,51 +264,55 @@ static int preallocate_pmds(pmd_t *pmds[
19088 * preallocate which never got a corresponding vma will need to be
19091 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19092 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19096 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19097 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19098 pgd_t pgd = pgdp[i];
19100 if (pgd_val(pgd) != 0) {
19101 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19102 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19104 - pgdp[i] = native_make_pgd(0);
19105 + set_pgd(pgdp + i, native_make_pgd(0));
19107 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19108 - pmd_free(mm, pmd);
19109 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19110 + pxd_free(mm, pxd);
19115 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19116 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19120 unsigned long addr;
19123 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19124 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19127 - pud = pud_offset(pgd, 0);
19128 +#ifdef CONFIG_X86_64
19129 + pyd = pyd_offset(mm, 0L);
19131 + pyd = pyd_offset(pgd, 0L);
19134 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19135 - i++, pud++, addr += PUD_SIZE) {
19136 - pmd_t *pmd = pmds[i];
19137 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19138 + i++, pyd++, addr += PYD_SIZE) {
19139 + pxd_t *pxd = pxds[i];
19141 if (i >= KERNEL_PGD_BOUNDARY)
19142 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19143 - sizeof(pmd_t) * PTRS_PER_PMD);
19144 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19145 + sizeof(pxd_t) * PTRS_PER_PMD);
19147 - pud_populate(mm, pud, pmd);
19148 + pyd_populate(mm, pyd, pxd);
19152 pgd_t *pgd_alloc(struct mm_struct *mm)
19155 - pmd_t *pmds[PREALLOCATED_PMDS];
19156 + pxd_t *pxds[PREALLOCATED_PXDS];
19158 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
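Review bot: `memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]), sizeof(pxd_t) * PTRS_PER_PMD);` still sizes the copy with PTRS_PER_PMD although pxd_t is pud_t on the 64-bit branch; the two counts happen to coincide on x86-64, but the macro set should define a `PTRS_PER_PXD` alongside pxd_t so the copy is correct by construction rather than by coincidence. On 64-bit `pyd = pyd_offset(mm, 0L);` reads mm->pgd instead of the `pgd` argument, so pgd_prepopulate_pxd now depends on pgd_alloc having stored the new pgd into the mm before the call; that ordering is not visible in this hunk and should be stated in a comment next to the `#ifdef CONFIG_X86_64`. The function's declarations and closing brace are outside the visible lines.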
19160 @@ -265,11 +321,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19164 - if (preallocate_pmds(pmds) != 0)
19165 + if (preallocate_pxds(pxds) != 0)
19168 if (paravirt_pgd_alloc(mm) != 0)
19169 - goto out_free_pmds;
19170 + goto out_free_pxds;
19173 * Make sure that pre-populating the pmds is atomic with
19174 @@ -279,14 +335,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19175 spin_lock(&pgd_lock);
19178 - pgd_prepopulate_pmd(mm, pgd, pmds);
19179 + pgd_prepopulate_pxd(mm, pgd, pxds);
19181 spin_unlock(&pgd_lock);
19190 free_page((unsigned long)pgd);
19192 @@ -295,7 +351,7 @@ out:
19194 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19196 - pgd_mop_up_pmds(mm, pgd);
19197 + pgd_mop_up_pxds(mm, pgd);
19199 paravirt_pgd_free(mm, pgd);
19200 free_page((unsigned long)pgd);
19201 diff -urNp linux-2.6.38.1/arch/x86/mm/setup_nx.c linux-2.6.38.1/arch/x86/mm/setup_nx.c
19202 --- linux-2.6.38.1/arch/x86/mm/setup_nx.c 2011-03-14 21:20:32.000000000 -0400
19203 +++ linux-2.6.38.1/arch/x86/mm/setup_nx.c 2011-03-21 18:31:35.000000000 -0400
19205 #include <asm/pgtable.h>
19206 #include <asm/proto.h>
19208 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19209 static int disable_nx __cpuinitdata;
19211 +#ifndef CONFIG_PAX_PAGEEXEC
19215 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19218 early_param("noexec", noexec_setup);
19223 void __cpuinit x86_configure_nx(void)
19225 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19226 if (cpu_has_nx && !disable_nx)
19227 __supported_pte_mask |= _PAGE_NX;
19230 __supported_pte_mask &= ~_PAGE_NX;
19233 diff -urNp linux-2.6.38.1/arch/x86/mm/tlb.c linux-2.6.38.1/arch/x86/mm/tlb.c
19234 --- linux-2.6.38.1/arch/x86/mm/tlb.c 2011-03-14 21:20:32.000000000 -0400
19235 +++ linux-2.6.38.1/arch/x86/mm/tlb.c 2011-03-21 18:31:35.000000000 -0400
19237 #include <asm/uv/uv.h>
19239 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19240 - = { &init_mm, 0, };
19241 + = { &init_mm, 0 };
19244 * Smarter SMP flushing macros.
19245 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
19247 cpumask_clear_cpu(cpu,
19248 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19250 +#ifndef CONFIG_PAX_PER_CPU_PGD
19251 load_cr3(swapper_pg_dir);
19255 EXPORT_SYMBOL_GPL(leave_mm);
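Review bot: With CONFIG_PAX_PER_CPU_PGD the `load_cr3(swapper_pg_dir)` in leave_mm is compiled out, so after the cpu drops out of the mm's cpumask it keeps running on whatever page tables are loaded, and nothing in the hunk says whether those still contain the departing mm's user half. If the intent is that the cpu is always on its private PGD whose user part is cleared/replaced elsewhere, add `/* PaX: each cpu runs on its own pgd; the user half is replaced on the next switch_mm, so no cr3 reload is needed here */` (pointing at the real location) so the missing flush is recognisably deliberate rather than a TLB-staleness bug.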
19257 diff -urNp linux-2.6.38.1/arch/x86/oprofile/backtrace.c linux-2.6.38.1/arch/x86/oprofile/backtrace.c
19258 --- linux-2.6.38.1/arch/x86/oprofile/backtrace.c 2011-03-14 21:20:32.000000000 -0400
19259 +++ linux-2.6.38.1/arch/x86/oprofile/backtrace.c 2011-03-21 18:31:35.000000000 -0400
19260 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
19261 struct stack_frame_ia32 *fp;
19263 /* Also check accessibility of one struct frame_head beyond */
19264 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19265 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19267 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
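Review bot: Replacing `access_ok` with `__access_ok` in dump_user_backtrace_32 bypasses the checked wrapper without a comment explaining what the wrapper does in this tree that is unwanted from profiling context; presumably it is a PaX-added check that cannot run here, but the reason belongs in the code. Propose `/* __access_ok: plain range check only — the access_ok wrapper must not run from this (NMI/profiling) context */`, corrected to whatever the actual reason is. The rest of dump_user_backtrace_32 is outside the hunk.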
19269 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
19271 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
19273 - if (!user_mode_vm(regs)) {
19274 + if (!user_mode(regs)) {
19275 unsigned long stack = kernel_stack_pointer(regs);
19277 dump_trace(NULL, regs, (unsigned long *)stack,
19278 diff -urNp linux-2.6.38.1/arch/x86/oprofile/op_model_p4.c linux-2.6.38.1/arch/x86/oprofile/op_model_p4.c
19279 --- linux-2.6.38.1/arch/x86/oprofile/op_model_p4.c 2011-03-14 21:20:32.000000000 -0400
19280 +++ linux-2.6.38.1/arch/x86/oprofile/op_model_p4.c 2011-03-21 18:31:35.000000000 -0400
19281 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19285 -static int inline addr_increment(void)
19286 +static inline int addr_increment(void)
19289 return smp_num_siblings == 2 ? 2 : 1;
19290 diff -urNp linux-2.6.38.1/arch/x86/pci/ce4100.c linux-2.6.38.1/arch/x86/pci/ce4100.c
19291 --- linux-2.6.38.1/arch/x86/pci/ce4100.c 2011-03-14 21:20:32.000000000 -0400
19292 +++ linux-2.6.38.1/arch/x86/pci/ce4100.c 2011-03-21 18:31:35.000000000 -0400
19293 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
19294 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
19297 -struct pci_raw_ops ce4100_pci_conf = {
19298 +const struct pci_raw_ops ce4100_pci_conf = {
19299 .read = ce4100_conf_read,
19300 .write = ce4100_conf_write,
19302 diff -urNp linux-2.6.38.1/arch/x86/pci/common.c linux-2.6.38.1/arch/x86/pci/common.c
19303 --- linux-2.6.38.1/arch/x86/pci/common.c 2011-03-14 21:20:32.000000000 -0400
19304 +++ linux-2.6.38.1/arch/x86/pci/common.c 2011-03-21 18:31:35.000000000 -0400
19305 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
19306 int pcibios_last_bus = -1;
19307 unsigned long pirq_table_addr;
19308 struct pci_bus *pci_root_bus;
19309 -struct pci_raw_ops *raw_pci_ops;
19310 -struct pci_raw_ops *raw_pci_ext_ops;
19311 +const struct pci_raw_ops *raw_pci_ops;
19312 +const struct pci_raw_ops *raw_pci_ext_ops;
19314 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19315 int reg, int len, u32 *val)
19316 @@ -423,7 +423,7 @@ static const struct dmi_system_id __devi
19317 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19321 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19324 void __init dmi_check_pciprobe(void)
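Review bot: The explicit terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` replaces the empty `{}` sentinel but gives no hint why (presumably to satisfy a stricter initializer or constification warning), and the same literal is repeated in the fixup.c and irq.c hunks with inconsistent spacing before the closing brace. A single shared macro in the DMI header, used at all four sites, would keep the sentinel uniform and let the reason be documented once; failing that, a comment on the first occurrence would do.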
19325 diff -urNp linux-2.6.38.1/arch/x86/pci/direct.c linux-2.6.38.1/arch/x86/pci/direct.c
19326 --- linux-2.6.38.1/arch/x86/pci/direct.c 2011-03-14 21:20:32.000000000 -0400
19327 +++ linux-2.6.38.1/arch/x86/pci/direct.c 2011-03-21 18:31:35.000000000 -0400
19328 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19330 #undef PCI_CONF1_ADDRESS
19332 -struct pci_raw_ops pci_direct_conf1 = {
19333 +const struct pci_raw_ops pci_direct_conf1 = {
19334 .read = pci_conf1_read,
19335 .write = pci_conf1_write,
19337 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19339 #undef PCI_CONF2_ADDRESS
19341 -struct pci_raw_ops pci_direct_conf2 = {
19342 +const struct pci_raw_ops pci_direct_conf2 = {
19343 .read = pci_conf2_read,
19344 .write = pci_conf2_write,
19346 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19347 * This should be close to trivial, but it isn't, because there are buggy
19348 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19350 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19351 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19355 diff -urNp linux-2.6.38.1/arch/x86/pci/fixup.c linux-2.6.38.1/arch/x86/pci/fixup.c
19356 --- linux-2.6.38.1/arch/x86/pci/fixup.c 2011-03-14 21:20:32.000000000 -0400
19357 +++ linux-2.6.38.1/arch/x86/pci/fixup.c 2011-03-21 18:31:35.000000000 -0400
19358 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19359 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19363 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19367 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19368 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19372 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19375 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19376 diff -urNp linux-2.6.38.1/arch/x86/pci/irq.c linux-2.6.38.1/arch/x86/pci/irq.c
19377 --- linux-2.6.38.1/arch/x86/pci/irq.c 2011-03-14 21:20:32.000000000 -0400
19378 +++ linux-2.6.38.1/arch/x86/pci/irq.c 2011-03-21 18:31:35.000000000 -0400
19379 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19380 static struct pci_device_id __initdata pirq_440gx[] = {
19381 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19382 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19384 + { PCI_DEVICE(0, 0) }
19387 /* 440GX has a proprietary PIRQ router -- don't use it */
19388 @@ -1115,7 +1115,7 @@ static struct dmi_system_id __initdata p
19389 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19393 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19396 void __init pcibios_irq_init(void)
19397 diff -urNp linux-2.6.38.1/arch/x86/pci/mmconfig_32.c linux-2.6.38.1/arch/x86/pci/mmconfig_32.c
19398 --- linux-2.6.38.1/arch/x86/pci/mmconfig_32.c 2011-03-14 21:20:32.000000000 -0400
19399 +++ linux-2.6.38.1/arch/x86/pci/mmconfig_32.c 2011-03-21 18:31:35.000000000 -0400
19400 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19404 -static struct pci_raw_ops pci_mmcfg = {
19405 +static const struct pci_raw_ops pci_mmcfg = {
19406 .read = pci_mmcfg_read,
19407 .write = pci_mmcfg_write,
19409 diff -urNp linux-2.6.38.1/arch/x86/pci/mmconfig_64.c linux-2.6.38.1/arch/x86/pci/mmconfig_64.c
19410 --- linux-2.6.38.1/arch/x86/pci/mmconfig_64.c 2011-03-14 21:20:32.000000000 -0400
19411 +++ linux-2.6.38.1/arch/x86/pci/mmconfig_64.c 2011-03-21 18:31:35.000000000 -0400
19412 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19416 -static struct pci_raw_ops pci_mmcfg = {
19417 +static const struct pci_raw_ops pci_mmcfg = {
19418 .read = pci_mmcfg_read,
19419 .write = pci_mmcfg_write,
19421 diff -urNp linux-2.6.38.1/arch/x86/pci/numaq_32.c linux-2.6.38.1/arch/x86/pci/numaq_32.c
19422 --- linux-2.6.38.1/arch/x86/pci/numaq_32.c 2011-03-14 21:20:32.000000000 -0400
19423 +++ linux-2.6.38.1/arch/x86/pci/numaq_32.c 2011-03-21 18:31:35.000000000 -0400
19424 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19426 #undef PCI_CONF1_MQ_ADDRESS
19428 -static struct pci_raw_ops pci_direct_conf1_mq = {
19429 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19430 .read = pci_conf1_mq_read,
19431 .write = pci_conf1_mq_write
19433 diff -urNp linux-2.6.38.1/arch/x86/pci/olpc.c linux-2.6.38.1/arch/x86/pci/olpc.c
19434 --- linux-2.6.38.1/arch/x86/pci/olpc.c 2011-03-14 21:20:32.000000000 -0400
19435 +++ linux-2.6.38.1/arch/x86/pci/olpc.c 2011-03-21 18:31:35.000000000 -0400
19436 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19440 -static struct pci_raw_ops pci_olpc_conf = {
19441 +static const struct pci_raw_ops pci_olpc_conf = {
19442 .read = pci_olpc_read,
19443 .write = pci_olpc_write,
19445 diff -urNp linux-2.6.38.1/arch/x86/pci/pcbios.c linux-2.6.38.1/arch/x86/pci/pcbios.c
19446 --- linux-2.6.38.1/arch/x86/pci/pcbios.c 2011-03-14 21:20:32.000000000 -0400
19447 +++ linux-2.6.38.1/arch/x86/pci/pcbios.c 2011-03-21 18:31:35.000000000 -0400
19448 @@ -79,50 +79,93 @@ union bios32 {
19450 unsigned long address;
19451 unsigned short segment;
19452 -} bios32_indirect = { 0, __KERNEL_CS };
19453 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19456 * Returns the entry point for the given service, NULL on error
19459 -static unsigned long bios32_service(unsigned long service)
19460 +static unsigned long __devinit bios32_service(unsigned long service)
19462 unsigned char return_code; /* %al */
19463 unsigned long address; /* %ebx */
19464 unsigned long length; /* %ecx */
19465 unsigned long entry; /* %edx */
19466 unsigned long flags;
19467 + struct desc_struct d, *gdt;
19469 local_irq_save(flags);
19470 - __asm__("lcall *(%%edi); cld"
19472 + gdt = get_cpu_gdt_table(smp_processor_id());
19474 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19475 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19476 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19477 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19479 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19480 : "=a" (return_code),
19486 - "D" (&bios32_indirect));
19487 + "D" (&bios32_indirect),
19488 + "r"(__PCIBIOS_DS)
19491 + pax_open_kernel();
19492 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19493 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19494 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19495 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19496 + pax_close_kernel();
19498 local_irq_restore(flags);
19500 switch (return_code) {
19502 - return address + entry;
19503 - case 0x80: /* Not present */
19504 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19506 - default: /* Shouldn't happen */
19507 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19508 - service, return_code);
19511 + unsigned char flags;
19513 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19514 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19515 + printk(KERN_WARNING "bios32_service: not valid\n");
19518 + address = address + PAGE_OFFSET;
19519 + length += 16UL; /* some BIOSs underreport this... */
19521 + if (length >= 64*1024*1024) {
19522 + length >>= PAGE_SHIFT;
19526 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19527 + gdt = get_cpu_gdt_table(cpu);
19528 + pack_descriptor(&d, address, length, 0x9b, flags);
19529 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19530 + pack_descriptor(&d, address, length, 0x93, flags);
19531 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19535 + case 0x80: /* Not present */
19536 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19538 + default: /* Shouldn't happen */
19539 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19540 + service, return_code);
19546 unsigned long address;
19547 unsigned short segment;
19548 -} pci_indirect = { 0, __KERNEL_CS };
19549 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19551 -static int pci_bios_present;
19552 +static int pci_bios_present __read_only;
19554 static int __devinit check_pcibios(void)
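Review bot: The `unsigned char flags` declared inside the success case shadows the `unsigned long flags` that holds the saved IRQ state at the top of bios32_service(), which -Wshadow will flag and which makes `pack_descriptor(&d, address, length, 0x9b, flags)` easy to misread as passing eflags; rename it, e.g. `unsigned char gran;` and `pack_descriptor(&d, address, length, 0x9b, gran);`. The descriptor loop also runs `for (cpu = 0; cpu < NR_CPUS; cpu++)` rather than `for (cpu = 0; cpu < nr_cpu_ids; cpu++)` (or for_each_possible_cpu), so on a kernel configured for more CPUs than are possible it calls get_cpu_gdt_table() for CPUs whose per-cpu offset was never set up by setup_per_cpu_areas — as far as I can tell that write lands somewhere other than a real GDT. The unconditional `printk(KERN_INFO "bios32_service: base:...` on every successful lookup is debug output and belongs at KERN_DEBUG. The range check `address >= 0xFFFF0 || length > 0x100000 - address || length <= entry` before the address is used as a segment base is the right shape and is what keeps a hostile or buggy BIOS32 directory from handing the kernel a code segment outside the first megabyte.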
19556 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
19557 unsigned long flags, pcibios_entry;
19559 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19560 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19561 + pci_indirect.address = pcibios_entry;
19563 local_irq_save(flags);
19565 - "lcall *(%%edi); cld\n\t"
19566 + __asm__("movw %w6, %%ds\n\t"
19567 + "lcall *%%ss:(%%edi); cld\n\t"
19573 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
19576 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19577 - "D" (&pci_indirect)
19578 + "D" (&pci_indirect),
19579 + "r" (__PCIBIOS_DS)
19581 local_irq_restore(flags);
19583 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
19587 - __asm__("lcall *(%%esi); cld\n\t"
19588 + __asm__("movw %w6, %%ds\n\t"
19589 + "lcall *%%ss:(%%esi); cld\n\t"
19595 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
19596 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19599 - "S" (&pci_indirect));
19600 + "S" (&pci_indirect),
19601 + "r" (__PCIBIOS_DS));
19603 * Zero-extend the result beyond 8 bits, do not trust the
19604 * BIOS having done it:
19605 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
19609 - __asm__("lcall *(%%esi); cld\n\t"
19610 + __asm__("movw %w6, %%ds\n\t"
19611 + "lcall *%%ss:(%%esi); cld\n\t"
19617 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
19618 : "1" (PCIBIOS_READ_CONFIG_WORD),
19621 - "S" (&pci_indirect));
19622 + "S" (&pci_indirect),
19623 + "r" (__PCIBIOS_DS));
19625 * Zero-extend the result beyond 16 bits, do not trust the
19626 * BIOS having done it:
19627 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
19631 - __asm__("lcall *(%%esi); cld\n\t"
19632 + __asm__("movw %w6, %%ds\n\t"
19633 + "lcall *%%ss:(%%esi); cld\n\t"
19639 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
19640 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19643 - "S" (&pci_indirect));
19644 + "S" (&pci_indirect),
19645 + "r" (__PCIBIOS_DS));
19649 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
19653 - __asm__("lcall *(%%esi); cld\n\t"
19654 + __asm__("movw %w6, %%ds\n\t"
19655 + "lcall *%%ss:(%%esi); cld\n\t"
19661 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
19665 - "S" (&pci_indirect));
19666 + "S" (&pci_indirect),
19667 + "r" (__PCIBIOS_DS));
19670 - __asm__("lcall *(%%esi); cld\n\t"
19671 + __asm__("movw %w6, %%ds\n\t"
19672 + "lcall *%%ss:(%%esi); cld\n\t"
19678 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
19682 - "S" (&pci_indirect));
19683 + "S" (&pci_indirect),
19684 + "r" (__PCIBIOS_DS));
19687 - __asm__("lcall *(%%esi); cld\n\t"
19688 + __asm__("movw %w6, %%ds\n\t"
19689 + "lcall *%%ss:(%%esi); cld\n\t"
19695 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
19699 - "S" (&pci_indirect));
19700 + "S" (&pci_indirect),
19701 + "r" (__PCIBIOS_DS));
19705 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
19706 * Function table for BIOS32 access
19709 -static struct pci_raw_ops pci_bios_access = {
19710 +static const struct pci_raw_ops pci_bios_access = {
19711 .read = pci_bios_read,
19712 .write = pci_bios_write
19714 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
19715 * Try to find PCI BIOS.
19718 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19719 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19721 union bios32 *check;
19723 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
19725 DBG("PCI: Fetching IRQ routing table... ");
19726 __asm__("push %%es\n\t"
19727 + "movw %w8, %%ds\n\t"
19730 - "lcall *(%%esi); cld\n\t"
19731 + "lcall *%%ss:(%%esi); cld\n\t"
19738 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
19741 "S" (&pci_indirect),
19744 + "r" (__PCIBIOS_DS)
19746 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19748 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
19752 - __asm__("lcall *(%%esi); cld\n\t"
19753 + __asm__("movw %w5, %%ds\n\t"
19754 + "lcall *%%ss:(%%esi); cld\n\t"
19760 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
19761 : "0" (PCIBIOS_SET_PCI_HW_INT),
19762 "b" ((dev->bus->number << 8) | dev->devfn),
19763 "c" ((irq << 8) | (pin + 10)),
19764 - "S" (&pci_indirect));
19765 + "S" (&pci_indirect),
19766 + "r" (__PCIBIOS_DS));
19767 return !(ret & 0xff00);
19769 EXPORT_SYMBOL(pcibios_set_irq_routing);
19770 diff -urNp linux-2.6.38.1/arch/x86/platform/efi/efi_32.c linux-2.6.38.1/arch/x86/platform/efi/efi_32.c
19771 --- linux-2.6.38.1/arch/x86/platform/efi/efi_32.c 2011-03-14 21:20:32.000000000 -0400
19772 +++ linux-2.6.38.1/arch/x86/platform/efi/efi_32.c 2011-03-21 18:31:35.000000000 -0400
19773 @@ -38,70 +38,37 @@
19776 static unsigned long efi_rt_eflags;
19777 -static pgd_t efi_bak_pg_dir_pointer[2];
19778 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
19780 -void efi_call_phys_prelog(void)
19781 +void __init efi_call_phys_prelog(void)
19783 - unsigned long cr4;
19784 - unsigned long temp;
19785 struct desc_ptr gdt_descr;
19787 local_irq_save(efi_rt_eflags);
19790 - * If I don't have PAE, I should just duplicate two entries in page
19791 - * directory. If I have PAE, I just need to duplicate one entry in
19792 - * page directory.
19794 - cr4 = read_cr4_safe();
19796 - if (cr4 & X86_CR4_PAE) {
19797 - efi_bak_pg_dir_pointer[0].pgd =
19798 - swapper_pg_dir[pgd_index(0)].pgd;
19799 - swapper_pg_dir[0].pgd =
19800 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19802 - efi_bak_pg_dir_pointer[0].pgd =
19803 - swapper_pg_dir[pgd_index(0)].pgd;
19804 - efi_bak_pg_dir_pointer[1].pgd =
19805 - swapper_pg_dir[pgd_index(0x400000)].pgd;
19806 - swapper_pg_dir[pgd_index(0)].pgd =
19807 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19808 - temp = PAGE_OFFSET + 0x400000;
19809 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19810 - swapper_pg_dir[pgd_index(temp)].pgd;
19812 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
19813 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19814 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
19817 * After the lock is released, the original page table is restored.
19821 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
19822 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
19823 gdt_descr.size = GDT_SIZE - 1;
19824 load_gdt(&gdt_descr);
19827 -void efi_call_phys_epilog(void)
19828 +void __init efi_call_phys_epilog(void)
19830 - unsigned long cr4;
19831 struct desc_ptr gdt_descr;
19833 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
19834 + gdt_descr.address = get_cpu_gdt_table(0);
19835 gdt_descr.size = GDT_SIZE - 1;
19836 load_gdt(&gdt_descr);
19838 - cr4 = read_cr4_safe();
19840 - if (cr4 & X86_CR4_PAE) {
19841 - swapper_pg_dir[pgd_index(0)].pgd =
19842 - efi_bak_pg_dir_pointer[0].pgd;
19844 - swapper_pg_dir[pgd_index(0)].pgd =
19845 - efi_bak_pg_dir_pointer[0].pgd;
19846 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19847 - efi_bak_pg_dir_pointer[1].pgd;
19849 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
19852 * After the lock is released, the original page table is restored.
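Review bot: Marking efi_call_phys_prelog()/efi_call_phys_epilog() `__init` and `efi_bak_pg_dir_pointer` `__initdata` is only safe if every caller is init-only; the callers are in efi.c and not in this hunk, so confirm no runtime path reaches them, since a late physical-mode EFI call would then write the pgd backup into freed memory. For consistency, `efi_rt_eflags` on the unchanged line above is now touched only by these two __init functions and can become `static unsigned long __initdata efi_rt_eflags;`. The new `clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY, min_t(...))` mirrors many more directory entries at virtual 0 than the old one/two-entry scheme did, and the epilog copies all KERNEL_PGD_PTRS entries back even though only min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY) were overwritten; both are harmless as written but deserve a comment such as `/* temporarily mirror the start of the kernel direct map at virtual 0 so EFI can run with paging on or off */` so the asymmetry is not "fixed" later.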
19853 diff -urNp linux-2.6.38.1/arch/x86/platform/efi/efi_stub_32.S linux-2.6.38.1/arch/x86/platform/efi/efi_stub_32.S
19854 --- linux-2.6.38.1/arch/x86/platform/efi/efi_stub_32.S 2011-03-14 21:20:32.000000000 -0400
19855 +++ linux-2.6.38.1/arch/x86/platform/efi/efi_stub_32.S 2011-03-21 18:31:35.000000000 -0400
19859 #include <linux/linkage.h>
19860 +#include <linux/init.h>
19861 #include <asm/page_types.h>
19865 * service functions will comply with gcc calling convention, too.
19870 ENTRY(efi_call_phys)
19872 * 0. The function can only be called in Linux kernel. So CS has been
19873 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
19874 * The mapping of lower virtual memory has been created in prelog and
19878 - subl $__PAGE_OFFSET, %edx
19880 + jmp 1f-__PAGE_OFFSET
19884 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
19885 * parameter 2, ..., param n. To make things easy, we save the return
19886 * address of efi_call_phys in a global variable.
19889 - movl %edx, saved_return_addr
19890 - /* get the function pointer into ECX*/
19892 - movl %ecx, efi_rt_function_ptr
19894 - subl $__PAGE_OFFSET, %edx
19896 + popl (saved_return_addr)
19897 + popl (efi_rt_function_ptr)
19900 * 3. Clear PG bit in %CR0.
19901 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
19903 * 5. Call the physical function.
19906 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
19910 * 6. After EFI runtime service returns, control will return to
19911 * following instruction. We'd better readjust stack pointer first.
19912 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
19914 orl $0x80000000, %edx
19920 * 8. Now restore the virtual mode from flat mode by
19921 * adding EIP with PAGE_OFFSET.
19925 + jmp 1f+__PAGE_OFFSET
19929 * 9. Balance the stack. And because EAX contain the return value,
19930 * we'd better not clobber it.
19932 - leal efi_rt_function_ptr, %edx
19933 - movl (%edx), %ecx
19935 + pushl (efi_rt_function_ptr)
19938 - * 10. Push the saved return address onto the stack and return.
19939 + * 10. Return to the saved return address.
19941 - leal saved_return_addr, %edx
19942 - movl (%edx), %ecx
19945 + jmpl *(saved_return_addr)
19946 ENDPROC(efi_call_phys)
19953 efi_rt_function_ptr:
19954 diff -urNp linux-2.6.38.1/arch/x86/power/cpu.c linux-2.6.38.1/arch/x86/power/cpu.c
19955 --- linux-2.6.38.1/arch/x86/power/cpu.c 2011-03-14 21:20:32.000000000 -0400
19956 +++ linux-2.6.38.1/arch/x86/power/cpu.c 2011-03-21 18:31:35.000000000 -0400
19957 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
19958 static void fix_processor_context(void)
19960 int cpu = smp_processor_id();
19961 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19962 + struct tss_struct *t = init_tss + cpu;
19964 set_tss_desc(cpu, t); /*
19965 * This just modifies memory; should not be
19966 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
19969 #ifdef CONFIG_X86_64
19970 + pax_open_kernel();
19971 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19972 + pax_close_kernel();
19974 syscall_init(); /* This sets MSR_*STAR and related */
19976 diff -urNp linux-2.6.38.1/arch/x86/vdso/Makefile linux-2.6.38.1/arch/x86/vdso/Makefile
19977 --- linux-2.6.38.1/arch/x86/vdso/Makefile 2011-03-14 21:20:32.000000000 -0400
19978 +++ linux-2.6.38.1/arch/x86/vdso/Makefile 2011-03-21 18:31:35.000000000 -0400
19979 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
19980 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
19981 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
19983 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19984 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
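Review bot: `--no-undefined` is an ld option, but VDSO_LDFLAGS is handed to the compiler driver (the neighbouring `--hash-style=sysv` is wrapped in `-Wl,` for exactly that reason), so unless the toolchain in use forwards unknown options to the linker the bare flag will be rejected or dropped. Use `VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)` so it reaches ld regardless of gcc version. The checkundef.sh step on the line above appears to cover the same concern after the fact; a short comment saying the flag turns that check into a hard link error would explain why both exist.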
19988 diff -urNp linux-2.6.38.1/arch/x86/vdso/vclock_gettime.c linux-2.6.38.1/arch/x86/vdso/vclock_gettime.c
19989 --- linux-2.6.38.1/arch/x86/vdso/vclock_gettime.c 2011-03-14 21:20:32.000000000 -0400
19990 +++ linux-2.6.38.1/arch/x86/vdso/vclock_gettime.c 2011-03-21 18:31:35.000000000 -0400
19991 @@ -22,24 +22,48 @@
19992 #include <asm/hpet.h>
19993 #include <asm/unistd.h>
19994 #include <asm/io.h>
19995 +#include <asm/fixmap.h>
19996 #include "vextern.h"
19998 #define gtod vdso_vsyscall_gtod_data
20000 +notrace noinline long __vdso_fallback_time(long *t)
20003 + asm volatile("syscall"
20005 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20009 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20012 asm("syscall" : "=a" (ret) :
20013 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20014 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20018 +notrace static inline cycle_t __vdso_vread_hpet(void)
20020 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20023 +notrace static inline cycle_t __vdso_vread_tsc(void)
20025 + cycle_t ret = (cycle_t)vget_cycles();
20027 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20030 notrace static inline long vgetns(void)
20033 - cycles_t (*vread)(void);
20034 - vread = gtod->clock.vread;
20035 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20036 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20037 + v = __vdso_vread_tsc();
20039 + v = __vdso_vread_hpet();
20040 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20041 return (v * gtod->clock.mult) >> gtod->clock.shift;
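Review bot: The clocksource is now identified by open-coded character-by-character comparisons against `gtod->clock.name` in vgetns() and again, twice each, in the gettime/gettimeofday gates further down the file, which is hard to read and easy to let drift apart; a small static inline helper removes the duplication — the vDSO cannot call kernel strcmp(), which is presumably why the compares are spelled out, so the helper has to loop by hand. In `__vdso_vread_hpet()` the `+ 0xf0` register offset should be `HPET_COUNTER` from the `<asm/hpet.h>` that is already included at the top of this hunk. A one-line comment on why the `gtod->clock.vread` function-pointer call was replaced by inline readers would also help a later reader (presumably so user-mode vDSO code never jumps into kernel text — confirm and state it).

```c
/* The vDSO cannot call kernel strcmp(); compare the clocksource name in place. */
notrace static inline int vdso_clock_name_is(const char *name)
{
	const char *cur = gtod->clock.name;

	while (*name && *cur == *name) {
		cur++;
		name++;
	}
	return !*name && !*cur;
}
/* … unchanged: __vdso_vread_hpet / __vdso_vread_tsc … */
	if (vdso_clock_name_is("tsc"))
		v = __vdso_vread_tsc();
```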
20044 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20046 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20048 - if (likely(gtod->sysctl_enabled))
20049 + if (likely(gtod->sysctl_enabled &&
20050 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20051 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20053 case CLOCK_REALTIME:
20054 if (likely(gtod->clock.vread))
20055 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20056 int clock_gettime(clockid_t, struct timespec *)
20057 __attribute__((weak, alias("__vdso_clock_gettime")));
20059 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20060 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20063 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20064 + asm("syscall" : "=a" (ret) :
20065 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20069 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20071 + if (likely(gtod->sysctl_enabled &&
20072 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20073 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20075 if (likely(tv != NULL)) {
20076 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20077 offsetof(struct timespec, tv_nsec) ||
20078 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20082 - asm("syscall" : "=a" (ret) :
20083 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20085 + return __vdso_fallback_gettimeofday(tv, tz);
20087 int gettimeofday(struct timeval *, struct timezone *)
20088 __attribute__((weak, alias("__vdso_gettimeofday")));
20089 diff -urNp linux-2.6.38.1/arch/x86/vdso/vdso32-setup.c linux-2.6.38.1/arch/x86/vdso/vdso32-setup.c
20090 --- linux-2.6.38.1/arch/x86/vdso/vdso32-setup.c 2011-03-14 21:20:32.000000000 -0400
20091 +++ linux-2.6.38.1/arch/x86/vdso/vdso32-setup.c 2011-03-21 18:31:35.000000000 -0400
20093 #include <asm/tlbflush.h>
20094 #include <asm/vdso.h>
20095 #include <asm/proto.h>
20096 +#include <asm/mman.h>
20100 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20101 void enable_sep_cpu(void)
20103 int cpu = get_cpu();
20104 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20105 + struct tss_struct *tss = init_tss + cpu;
20107 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20109 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20110 gate_vma.vm_start = FIXADDR_USER_START;
20111 gate_vma.vm_end = FIXADDR_USER_END;
20112 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20113 - gate_vma.vm_page_prot = __P101;
20114 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20116 * Make sure the vDSO gets into every core dump.
20117 * Dumping its contents makes post-mortem fully interpretable later
20118 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20120 addr = VDSO_HIGH_BASE;
20122 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20123 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20124 if (IS_ERR_VALUE(addr)) {
20130 - current->mm->context.vdso = (void *)addr;
20131 + current->mm->context.vdso = addr;
20133 if (compat_uses_vma || !compat) {
20135 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20138 current_thread_info()->sysenter_return =
20139 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20140 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20144 - current->mm->context.vdso = NULL;
20145 + current->mm->context.vdso = 0;
20147 up_write(&mm->mmap_sem);
20149 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20151 const char *arch_vma_name(struct vm_area_struct *vma)
20153 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20154 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20157 +#ifdef CONFIG_PAX_SEGMEXEC
20158 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20165 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20166 struct mm_struct *mm = tsk->mm;
20168 /* Check to see if this task was created in compat vdso mode */
20169 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20170 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20174 diff -urNp linux-2.6.38.1/arch/x86/vdso/vdso.lds.S linux-2.6.38.1/arch/x86/vdso/vdso.lds.S
20175 --- linux-2.6.38.1/arch/x86/vdso/vdso.lds.S 2011-03-14 21:20:32.000000000 -0400
20176 +++ linux-2.6.38.1/arch/x86/vdso/vdso.lds.S 2011-03-21 18:31:35.000000000 -0400
20177 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20178 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20179 #include "vextern.h"
20182 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20183 +VEXTERN(fallback_gettimeofday)
20184 +VEXTERN(fallback_time)
20187 diff -urNp linux-2.6.38.1/arch/x86/vdso/vextern.h linux-2.6.38.1/arch/x86/vdso/vextern.h
20188 --- linux-2.6.38.1/arch/x86/vdso/vextern.h 2011-03-14 21:20:32.000000000 -0400
20189 +++ linux-2.6.38.1/arch/x86/vdso/vextern.h 2011-03-21 18:31:35.000000000 -0400
20191 put into vextern.h and be referenced as a pointer with vdso prefix.
20192 The main kernel later fills in the values. */
20195 VEXTERN(vgetcpu_mode)
20196 VEXTERN(vsyscall_gtod_data)
20197 diff -urNp linux-2.6.38.1/arch/x86/vdso/vma.c linux-2.6.38.1/arch/x86/vdso/vma.c
20198 --- linux-2.6.38.1/arch/x86/vdso/vma.c 2011-03-14 21:20:32.000000000 -0400
20199 +++ linux-2.6.38.1/arch/x86/vdso/vma.c 2011-03-21 18:31:35.000000000 -0400
20200 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20204 - if (memcmp(vbase, "\177ELF", 4)) {
20205 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20206 printk("VDSO: I'm broken; not ELF\n");
20209 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20213 - current->mm->context.vdso = (void *)addr;
20214 + current->mm->context.vdso = addr;
20216 ret = install_special_mapping(mm, addr, vdso_size,
20218 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20222 - current->mm->context.vdso = NULL;
20223 + current->mm->context.vdso = 0;
20227 @@ -134,10 +134,3 @@ up_fail:
20228 up_write(&mm->mmap_sem);
20232 -static __init int vdso_setup(char *s)
20234 - vdso_enabled = simple_strtoul(s, NULL, 0);
20237 -__setup("vdso=", vdso_setup);
20238 diff -urNp linux-2.6.38.1/arch/x86/xen/enlighten.c linux-2.6.38.1/arch/x86/xen/enlighten.c
20239 --- linux-2.6.38.1/arch/x86/xen/enlighten.c 2011-03-14 21:20:32.000000000 -0400
20240 +++ linux-2.6.38.1/arch/x86/xen/enlighten.c 2011-03-21 18:31:35.000000000 -0400
20241 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20243 struct shared_info xen_dummy_shared_info;
20245 -void *xen_initial_gdt;
20247 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
20248 __read_mostly int xen_have_vector_callback;
20249 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
20250 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
20251 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20253 /* Work out if we support NX */
20254 - x86_configure_nx();
20255 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20256 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20257 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20260 + __supported_pte_mask |= _PAGE_NX;
20261 + rdmsr(MSR_EFER, l, h);
20263 + wrmsr(MSR_EFER, l, h);
20267 xen_setup_features();
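Review bot: The open-coded CPUID probe and EFER read/write that replace x86_configure_nx() carry no comment on why the generic helper is unsuitable here, so a later cleanup is likely to put it back. Presumably the reason is that boot_cpu_data is not populated this early in xen_start_kernel(), so the cpu_has_nx test inside x86_configure_nx() would see stale capability bits; if that is the case, say so: `/* boot_cpu_data is not initialised yet, so probe NX via CPUID directly instead of x86_configure_nx() */`. Note that the line setting the new EFER value between the `rdmsr` and `wrmsr` is not in this hunk, and that whether the hypervisor honours a PV guest's EFER.NX write cannot be judged from here.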
20269 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
20271 machine_ops = xen_machine_ops;
20274 - * The only reliable way to retain the initial address of the
20275 - * percpu gdt_page is to remember it here, so we can go and
20276 - * mark it RW later, when the initial percpu area is freed.
20278 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20282 #ifdef CONFIG_ACPI_NUMA
20283 diff -urNp linux-2.6.38.1/arch/x86/xen/mmu.c linux-2.6.38.1/arch/x86/xen/mmu.c
20284 --- linux-2.6.38.1/arch/x86/xen/mmu.c 2011-03-14 21:20:32.000000000 -0400
20285 +++ linux-2.6.38.1/arch/x86/xen/mmu.c 2011-03-21 18:31:35.000000000 -0400
20286 @@ -1718,6 +1718,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20287 convert_pfn_mfn(init_level4_pgt);
20288 convert_pfn_mfn(level3_ident_pgt);
20289 convert_pfn_mfn(level3_kernel_pgt);
20290 + convert_pfn_mfn(level3_vmalloc_pgt);
20291 + convert_pfn_mfn(level3_vmemmap_pgt);
20293 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20294 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20295 @@ -1736,7 +1738,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20296 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20297 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20298 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20299 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20300 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20301 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20302 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20303 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20304 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20306 diff -urNp linux-2.6.38.1/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.38.1/arch/x86/xen/pci-swiotlb-xen.c
20307 --- linux-2.6.38.1/arch/x86/xen/pci-swiotlb-xen.c 2011-03-14 21:20:32.000000000 -0400
20308 +++ linux-2.6.38.1/arch/x86/xen/pci-swiotlb-xen.c 2011-03-21 18:31:35.000000000 -0400
20311 int xen_swiotlb __read_mostly;
20313 -static struct dma_map_ops xen_swiotlb_dma_ops = {
20314 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
20315 .mapping_error = xen_swiotlb_dma_mapping_error,
20316 .alloc_coherent = xen_swiotlb_alloc_coherent,
20317 .free_coherent = xen_swiotlb_free_coherent,
20318 diff -urNp linux-2.6.38.1/arch/x86/xen/smp.c linux-2.6.38.1/arch/x86/xen/smp.c
20319 --- linux-2.6.38.1/arch/x86/xen/smp.c 2011-03-14 21:20:32.000000000 -0400
20320 +++ linux-2.6.38.1/arch/x86/xen/smp.c 2011-03-21 18:31:35.000000000 -0400
20321 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
20323 BUG_ON(smp_processor_id() != 0);
20324 native_smp_prepare_boot_cpu();
20326 - /* We've switched to the "real" per-cpu gdt, so make sure the
20327 - old memory can be recycled */
20328 - make_lowmem_page_readwrite(xen_initial_gdt);
20330 xen_filter_cpu_maps();
20331 xen_setup_vcpu_info_placement();
20333 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
20334 gdt = get_cpu_gdt_table(cpu);
20336 ctxt->flags = VGCF_IN_KERNEL;
20337 - ctxt->user_regs.ds = __USER_DS;
20338 - ctxt->user_regs.es = __USER_DS;
20339 + ctxt->user_regs.ds = __KERNEL_DS;
20340 + ctxt->user_regs.es = __KERNEL_DS;
20341 ctxt->user_regs.ss = __KERNEL_DS;
20342 #ifdef CONFIG_X86_32
20343 ctxt->user_regs.fs = __KERNEL_PERCPU;
20344 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
20345 + savesegment(gs, ctxt->user_regs.gs);
20347 ctxt->gs_base_kernel = per_cpu_offset(cpu);
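Review bot: `savesegment(gs, ctxt->user_regs.gs)` seeds the new vCPU with whatever %gs the CPU running cpu_initialize_context() holds at that moment, replacing the fixed `__KERNEL_STACK_CANARY` selector, and the ds/es change from `__USER_DS` to `__KERNEL_DS` is likewise unexplained. Both look like deliberate PaX choices (the kernel running with kernel data selectors, and a different %gs arrangement for the canary) but nothing in the hunk says so, and someone diffing against mainline will be tempted to restore the old values. A comment such as `/* the kernel runs with %ds/%es = __KERNEL_DS; the new vCPU inherits the current CPU's %gs */` would pin the intent. cpu_initialize_context() begins outside this hunk.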
20349 diff -urNp linux-2.6.38.1/arch/x86/xen/xen-head.S linux-2.6.38.1/arch/x86/xen/xen-head.S
20350 --- linux-2.6.38.1/arch/x86/xen/xen-head.S 2011-03-14 21:20:32.000000000 -0400
20351 +++ linux-2.6.38.1/arch/x86/xen/xen-head.S 2011-03-21 18:31:35.000000000 -0400
20352 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20353 #ifdef CONFIG_X86_32
20354 mov %esi,xen_start_info
20355 mov $init_thread_union+THREAD_SIZE,%esp
20357 + movl $cpu_gdt_table,%edi
20358 + movl $__per_cpu_load,%eax
20359 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20361 + movb %al,__KERNEL_PERCPU + 4(%edi)
20362 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20363 + movl $__per_cpu_end - 1,%eax
20364 + subl $__per_cpu_start,%eax
20365 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20368 mov %rsi,xen_start_info
20369 mov $init_thread_union+THREAD_SIZE,%rsp
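Review bot: The `__KERNEL_PERCPU` descriptor patch-up writes the base (bytes 2-4 and 7) and only the low 16 bits of the limit (bytes 0-1); limit[19:16] and the G/D flags live in byte 6, which this stub leaves untouched. That is correct only if the static `cpu_gdt_table` entry already carries the intended upper limit nibble and a granularity bit consistent with a byte count, which cannot be checked from this hunk — a per-cpu area larger than 64 KB would otherwise end up with a truncated or mis-scaled limit. Either write byte 6 explicitly from the computed limit or add a comment naming the static entry that supplies those bits, e.g. `/* limit[19:16] and G come from the static GDT_ENTRY_PERCPU entry */`.

```asm
	movl $__per_cpu_end - 1,%eax
	subl $__per_cpu_start,%eax
	movw %ax,__KERNEL_PERCPU + 0(%edi)
	shrl $16,%eax
	andb $0x0f,%al
	orb $0x40,%al			/* 32-bit, byte granular */
	movb %al,__KERNEL_PERCPU + 6(%edi)
```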
20370 diff -urNp linux-2.6.38.1/arch/x86/xen/xen-ops.h linux-2.6.38.1/arch/x86/xen/xen-ops.h
20371 --- linux-2.6.38.1/arch/x86/xen/xen-ops.h 2011-03-14 21:20:32.000000000 -0400
20372 +++ linux-2.6.38.1/arch/x86/xen/xen-ops.h 2011-03-21 18:31:35.000000000 -0400
20374 extern const char xen_hypervisor_callback[];
20375 extern const char xen_failsafe_callback[];
20377 -extern void *xen_initial_gdt;
20380 void xen_copy_trap_info(struct trap_info *traps);
20382 diff -urNp linux-2.6.38.1/block/blk-iopoll.c linux-2.6.38.1/block/blk-iopoll.c
20383 --- linux-2.6.38.1/block/blk-iopoll.c 2011-03-14 21:20:32.000000000 -0400
20384 +++ linux-2.6.38.1/block/blk-iopoll.c 2011-03-21 18:31:35.000000000 -0400
20385 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20387 EXPORT_SYMBOL(blk_iopoll_complete);
20389 -static void blk_iopoll_softirq(struct softirq_action *h)
20390 +static void blk_iopoll_softirq(void)
20392 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20393 int rearm = 0, budget = blk_iopoll_budget;
20394 diff -urNp linux-2.6.38.1/block/blk-map.c linux-2.6.38.1/block/blk-map.c
20395 --- linux-2.6.38.1/block/blk-map.c 2011-03-14 21:20:32.000000000 -0400
20396 +++ linux-2.6.38.1/block/blk-map.c 2011-03-21 18:31:35.000000000 -0400
20397 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
20401 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
20402 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
20404 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20406 diff -urNp linux-2.6.38.1/block/blk-softirq.c linux-2.6.38.1/block/blk-softirq.c
20407 --- linux-2.6.38.1/block/blk-softirq.c 2011-03-14 21:20:32.000000000 -0400
20408 +++ linux-2.6.38.1/block/blk-softirq.c 2011-03-21 18:31:35.000000000 -0400
20409 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20410 * Softirq action handler - move entries to local list and loop over them
20411 * while passing them to the queue registered handler.
20413 -static void blk_done_softirq(struct softirq_action *h)
20414 +static void blk_done_softirq(void)
20416 struct list_head *cpu_list, local_list;
20418 diff -urNp linux-2.6.38.1/crypto/lrw.c linux-2.6.38.1/crypto/lrw.c
20419 --- linux-2.6.38.1/crypto/lrw.c 2011-03-14 21:20:32.000000000 -0400
20420 +++ linux-2.6.38.1/crypto/lrw.c 2011-03-21 18:31:35.000000000 -0400
20421 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20422 struct priv *ctx = crypto_tfm_ctx(parent);
20423 struct crypto_cipher *child = ctx->child;
20425 - be128 tmp = { 0 };
20426 + be128 tmp = { 0, 0 };
20427 int bsize = crypto_cipher_blocksize(child);
20429 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20430 diff -urNp linux-2.6.38.1/Documentation/dontdiff linux-2.6.38.1/Documentation/dontdiff
20431 --- linux-2.6.38.1/Documentation/dontdiff 2011-03-14 21:20:32.000000000 -0400
20432 +++ linux-2.6.38.1/Documentation/dontdiff 2011-03-21 18:31:35.000000000 -0400
20452 @@ -49,11 +52,16 @@
20469 @@ -82,6 +90,8 @@ bvmlinux
20478 @@ -106,16 +116,19 @@ fore200e_mkfirm
20493 initramfs_data.cpio
20494 +initramfs_data.cpio.bz2
20495 initramfs_data.cpio.gz
20498 @@ -125,7 +138,6 @@ int32.c
20506 @@ -149,7 +161,9 @@ mkboot
20516 @@ -165,6 +179,7 @@ parse.h
20524 @@ -180,6 +195,7 @@ r600_reg_safe.h
20532 @@ -189,6 +205,7 @@ setup
20540 @@ -213,13 +230,17 @@ version.h*
20558 diff -urNp linux-2.6.38.1/Documentation/filesystems/sysfs.txt linux-2.6.38.1/Documentation/filesystems/sysfs.txt
20559 --- linux-2.6.38.1/Documentation/filesystems/sysfs.txt 2011-03-14 21:20:32.000000000 -0400
20560 +++ linux-2.6.38.1/Documentation/filesystems/sysfs.txt 2011-03-21 18:31:35.000000000 -0400
20561 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20562 show and store methods of the attribute owners.
20565 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20566 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
20567 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20568 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
20571 [ Subsystems should have already defined a struct kobj_type as a
20572 diff -urNp linux-2.6.38.1/Documentation/kernel-parameters.txt linux-2.6.38.1/Documentation/kernel-parameters.txt
20573 --- linux-2.6.38.1/Documentation/kernel-parameters.txt 2011-03-14 21:20:32.000000000 -0400
20574 +++ linux-2.6.38.1/Documentation/kernel-parameters.txt 2011-03-21 18:31:35.000000000 -0400
20575 @@ -1853,6 +1853,13 @@ bytes respectively. Such letter suffixes
20576 the specified number of seconds. This is to be used if
20577 your oopses keep scrolling off the screen.
20579 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
20580 + virtualization environments that don't cope well with the
20581 + expand down segment used by UDEREF on X86-32 or the frequent
20582 + page table updates on X86-64.
20584 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
20589 diff -urNp linux-2.6.38.1/drivers/acpi/battery.c linux-2.6.38.1/drivers/acpi/battery.c
20590 --- linux-2.6.38.1/drivers/acpi/battery.c 2011-03-14 21:20:32.000000000 -0400
20591 +++ linux-2.6.38.1/drivers/acpi/battery.c 2011-03-21 18:31:35.000000000 -0400
20592 @@ -862,7 +862,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20595 static struct battery_file {
20596 - struct file_operations ops;
20597 + const struct file_operations ops;
20600 } acpi_battery_file[] = {
20601 diff -urNp linux-2.6.38.1/drivers/acpi/blacklist.c linux-2.6.38.1/drivers/acpi/blacklist.c
20602 --- linux-2.6.38.1/drivers/acpi/blacklist.c 2011-03-14 21:20:32.000000000 -0400
20603 +++ linux-2.6.38.1/drivers/acpi/blacklist.c 2011-03-21 18:31:35.000000000 -0400
20604 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20605 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20606 "Incorrect _ADR", 1},
20609 + {"", "", 0, NULL, all_versions, NULL, 0}
20612 #if CONFIG_ACPI_BLACKLIST_YEAR
20613 diff -urNp linux-2.6.38.1/drivers/acpi/dock.c linux-2.6.38.1/drivers/acpi/dock.c
20614 --- linux-2.6.38.1/drivers/acpi/dock.c 2011-03-14 21:20:32.000000000 -0400
20615 +++ linux-2.6.38.1/drivers/acpi/dock.c 2011-03-21 18:31:35.000000000 -0400
20616 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20617 struct list_head list;
20618 struct list_head hotplug_list;
20619 acpi_handle handle;
20620 - struct acpi_dock_ops *ops;
20621 + const struct acpi_dock_ops *ops;
20625 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20626 * the dock driver after _DCK is executed.
20629 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20630 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20633 struct dock_dependent_device *dd;
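Review bot: The new `const struct acpi_dock_ops *ops` parameter of register_hotplug_dock_device() has to be mirrored in the header that declares it for callers, which is not part of this chunk; a definition and declaration that disagree on the qualifier are conflicting types, and the libata-acpi.c hunk further down already hands in const objects. A short kernel-doc line at the function stating that the ops table is only read and never written, which is what the const now promises to callers, would make the contract explicit. The body of the function lies outside the hunk.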
20634 diff -urNp linux-2.6.38.1/drivers/acpi/ec_sys.c linux-2.6.38.1/drivers/acpi/ec_sys.c
20635 --- linux-2.6.38.1/drivers/acpi/ec_sys.c 2011-03-14 21:20:32.000000000 -0400
20636 +++ linux-2.6.38.1/drivers/acpi/ec_sys.c 2011-03-21 18:31:35.000000000 -0400
20637 @@ -96,7 +96,7 @@ static ssize_t acpi_ec_write_io(struct f
20641 -static struct file_operations acpi_ec_io_ops = {
20642 +static const struct file_operations acpi_ec_io_ops = {
20643 .owner = THIS_MODULE,
20644 .open = acpi_ec_open_io,
20645 .read = acpi_ec_read_io,
20646 diff -urNp linux-2.6.38.1/drivers/acpi/power_meter.c linux-2.6.38.1/drivers/acpi/power_meter.c
20647 --- linux-2.6.38.1/drivers/acpi/power_meter.c 2011-03-14 21:20:32.000000000 -0400
20648 +++ linux-2.6.38.1/drivers/acpi/power_meter.c 2011-03-21 18:31:35.000000000 -0400
20649 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20656 mutex_lock(&resource->lock);
20657 resource->trip[attr->index - 7] = temp;
20658 diff -urNp linux-2.6.38.1/drivers/acpi/proc.c linux-2.6.38.1/drivers/acpi/proc.c
20659 --- linux-2.6.38.1/drivers/acpi/proc.c 2011-03-14 21:20:32.000000000 -0400
20660 +++ linux-2.6.38.1/drivers/acpi/proc.c 2011-03-21 18:31:35.000000000 -0400
20661 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
20662 size_t count, loff_t * ppos)
20664 struct list_head *node, *next;
20666 - char str[5] = "";
20667 - unsigned int len = count;
20673 + char strbuf[5] = {0};
20675 - if (copy_from_user(strbuf, buffer, len))
20678 + if (copy_from_user(strbuf, buffer, count))
20680 - strbuf[len] = '\0';
20681 - sscanf(strbuf, "%s", str);
20682 + strbuf[count] = '\0';
20684 mutex_lock(&acpi_device_lock);
20685 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
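Review bot: Dropping the `sscanf(strbuf, "%s", str)` step after `strbuf[count] = '\0';` changes which inputs match: the raw buffer, including any trailing newline from a shell write, is now what the strncmp() in the following hunk sees, so a bus_id shorter than four characters written as "XYZ\n" no longer matches where the old whitespace-stopping parse did. Trimming at the first whitespace keeps the old matching while still removing the second buffer, e.g. `strbuf[strcspn(strbuf, " \t\r\n")] = '\0';` immediately after the NUL termination. The clamp of the length to 4 that the old code applied to len is not visible in this rendering of the hunk; if it is not retained for count, both the copy_from_user() and `strbuf[count]` overflow the 5-byte buffer, so please confirm it is there. The function's head and the rest of its body lie outside the hunk.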
20686 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
20687 if (!dev->wakeup.flags.valid)
20690 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20691 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20692 if (device_can_wakeup(&dev->dev)) {
20693 bool enable = !device_may_wakeup(&dev->dev);
20694 device_set_wakeup_enable(&dev->dev, enable);
20695 diff -urNp linux-2.6.38.1/drivers/acpi/processor_driver.c linux-2.6.38.1/drivers/acpi/processor_driver.c
20696 --- linux-2.6.38.1/drivers/acpi/processor_driver.c 2011-03-14 21:20:32.000000000 -0400
20697 +++ linux-2.6.38.1/drivers/acpi/processor_driver.c 2011-03-21 18:31:35.000000000 -0400
20698 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
20702 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20703 + BUG_ON(pr->id >= nr_cpu_ids);
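Review bot: The removed `pr->id < 0` half of the BUG_ON is only dead code if `pr->id` is an unsigned type, and its declaration is not in this hunk; if it were signed and nr_cpu_ids a plain int, a negative id would now pass the check. Since the simplification rests entirely on that type, a one-line justification at the call site would protect it, e.g. `/* pr->id is unsigned, so >= nr_cpu_ids also rejects "negative" ids */`. acpi_processor_add() starts and ends outside the hunk.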
20707 diff -urNp linux-2.6.38.1/drivers/acpi/processor_idle.c linux-2.6.38.1/drivers/acpi/processor_idle.c
20708 --- linux-2.6.38.1/drivers/acpi/processor_idle.c 2011-03-14 21:20:32.000000000 -0400
20709 +++ linux-2.6.38.1/drivers/acpi/processor_idle.c 2011-03-21 18:31:35.000000000 -0400
20710 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
20711 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20712 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20715 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20719 diff -urNp linux-2.6.38.1/drivers/ata/acard-ahci.c linux-2.6.38.1/drivers/ata/acard-ahci.c
20720 --- linux-2.6.38.1/drivers/ata/acard-ahci.c 2011-03-14 21:20:32.000000000 -0400
20721 +++ linux-2.6.38.1/drivers/ata/acard-ahci.c 2011-03-21 18:31:35.000000000 -0400
20722 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
20723 AHCI_SHT("acard-ahci"),
20726 -static struct ata_port_operations acard_ops = {
20727 +static const struct ata_port_operations acard_ops = {
20728 .inherits = &ahci_ops,
20729 .qc_prep = acard_ahci_qc_prep,
20730 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
20731 diff -urNp linux-2.6.38.1/drivers/ata/ahci.c linux-2.6.38.1/drivers/ata/ahci.c
20732 --- linux-2.6.38.1/drivers/ata/ahci.c 2011-03-23 17:20:06.000000000 -0400
20733 +++ linux-2.6.38.1/drivers/ata/ahci.c 2011-03-23 17:21:49.000000000 -0400
20734 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
20738 -static struct ata_port_operations ahci_vt8251_ops = {
20739 +static const struct ata_port_operations ahci_vt8251_ops = {
20740 .inherits = &ahci_ops,
20741 .hardreset = ahci_vt8251_hardreset,
20744 -static struct ata_port_operations ahci_p5wdh_ops = {
20745 +static const struct ata_port_operations ahci_p5wdh_ops = {
20746 .inherits = &ahci_ops,
20747 .hardreset = ahci_p5wdh_hardreset,
20750 -static struct ata_port_operations ahci_sb600_ops = {
20751 +static const struct ata_port_operations ahci_sb600_ops = {
20752 .inherits = &ahci_ops,
20753 .softreset = ahci_sb600_softreset,
20754 .pmp_softreset = ahci_sb600_softreset,
20755 @@ -394,7 +394,7 @@ static const struct pci_device_id ahci_p
20756 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20757 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20759 - { } /* terminate list */
20760 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
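Review bot: Spelling the sentinel as `{ 0, 0, 0, 0, 0, 0, 0 }` ties the terminator to struct pci_device_id having exactly seven members, which nothing here checks; a fully zeroed entry that does not depend on the GNU empty-initializer extension is just `{ 0 }`. If the explicit per-member zeros are required by a build-time tool or a warning flag used with this patch, a comment at the entry saying so would stop the next editor from collapsing it. The same form appears in the ata_piix.c hunk further down.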
20764 diff -urNp linux-2.6.38.1/drivers/ata/ahci.h linux-2.6.38.1/drivers/ata/ahci.h
20765 --- linux-2.6.38.1/drivers/ata/ahci.h 2011-03-14 21:20:32.000000000 -0400
20766 +++ linux-2.6.38.1/drivers/ata/ahci.h 2011-03-21 18:31:35.000000000 -0400
20767 @@ -309,7 +309,7 @@ extern struct device_attribute *ahci_sde
20768 .shost_attrs = ahci_shost_attrs, \
20769 .sdev_attrs = ahci_sdev_attrs
20771 -extern struct ata_port_operations ahci_ops;
20772 +extern const struct ata_port_operations ahci_ops;
20774 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
20776 diff -urNp linux-2.6.38.1/drivers/ata/ata_generic.c linux-2.6.38.1/drivers/ata/ata_generic.c
20777 --- linux-2.6.38.1/drivers/ata/ata_generic.c 2011-03-14 21:20:32.000000000 -0400
20778 +++ linux-2.6.38.1/drivers/ata/ata_generic.c 2011-03-21 18:31:35.000000000 -0400
20779 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
20780 ATA_BMDMA_SHT(DRV_NAME),
20783 -static struct ata_port_operations generic_port_ops = {
20784 +static const struct ata_port_operations generic_port_ops = {
20785 .inherits = &ata_bmdma_port_ops,
20786 .cable_detect = ata_cable_unknown,
20787 .set_mode = generic_set_mode,
20788 diff -urNp linux-2.6.38.1/drivers/ata/ata_piix.c linux-2.6.38.1/drivers/ata/ata_piix.c
20789 --- linux-2.6.38.1/drivers/ata/ata_piix.c 2011-03-14 21:20:32.000000000 -0400
20790 +++ linux-2.6.38.1/drivers/ata/ata_piix.c 2011-03-21 18:31:35.000000000 -0400
20791 @@ -309,7 +309,7 @@ static const struct pci_device_id piix_p
20792 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
20793 /* SATA Controller IDE (PBG) */
20794 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20795 - { } /* terminate list */
20796 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20799 static struct pci_driver piix_pci_driver = {
20800 @@ -327,12 +327,12 @@ static struct scsi_host_template piix_sh
20801 ATA_BMDMA_SHT(DRV_NAME),
20804 -static struct ata_port_operations piix_sata_ops = {
20805 +static const struct ata_port_operations piix_sata_ops = {
20806 .inherits = &ata_bmdma32_port_ops,
20807 .sff_irq_check = piix_irq_check,
20810 -static struct ata_port_operations piix_pata_ops = {
20811 +static const struct ata_port_operations piix_pata_ops = {
20812 .inherits = &piix_sata_ops,
20813 .cable_detect = ata_cable_40wire,
20814 .set_piomode = piix_set_piomode,
20815 @@ -340,12 +340,12 @@ static struct ata_port_operations piix_p
20816 .prereset = piix_pata_prereset,
20819 -static struct ata_port_operations piix_vmw_ops = {
20820 +static const struct ata_port_operations piix_vmw_ops = {
20821 .inherits = &piix_pata_ops,
20822 .bmdma_status = piix_vmw_bmdma_status,
20825 -static struct ata_port_operations ich_pata_ops = {
20826 +static const struct ata_port_operations ich_pata_ops = {
20827 .inherits = &piix_pata_ops,
20828 .cable_detect = ich_pata_cable_detect,
20829 .set_dmamode = ich_set_dmamode,
20830 @@ -361,7 +361,7 @@ static struct scsi_host_template piix_si
20831 .shost_attrs = piix_sidpr_shost_attrs,
20834 -static struct ata_port_operations piix_sidpr_sata_ops = {
20835 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20836 .inherits = &piix_sata_ops,
20837 .hardreset = sata_std_hardreset,
20838 .scr_read = piix_sidpr_scr_read,
20839 @@ -638,7 +638,7 @@ static const struct ich_laptop ich_lapto
20840 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20841 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20848 @@ -1130,7 +1130,7 @@ static int piix_broken_suspend(void)
20852 - { } /* terminate list */
20853 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20855 static const char *oemstrs[] = {
20857 diff -urNp linux-2.6.38.1/drivers/ata/libahci.c linux-2.6.38.1/drivers/ata/libahci.c
20858 --- linux-2.6.38.1/drivers/ata/libahci.c 2011-03-14 21:20:32.000000000 -0400
20859 +++ linux-2.6.38.1/drivers/ata/libahci.c 2011-03-21 18:31:35.000000000 -0400
20860 @@ -137,7 +137,7 @@ struct device_attribute *ahci_sdev_attrs
20862 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
20864 -struct ata_port_operations ahci_ops = {
20865 +const struct ata_port_operations ahci_ops = {
20866 .inherits = &sata_pmp_port_ops,
20868 .qc_defer = ahci_pmp_qc_defer,
20869 diff -urNp linux-2.6.38.1/drivers/ata/libata-acpi.c linux-2.6.38.1/drivers/ata/libata-acpi.c
20870 --- linux-2.6.38.1/drivers/ata/libata-acpi.c 2011-03-14 21:20:32.000000000 -0400
20871 +++ linux-2.6.38.1/drivers/ata/libata-acpi.c 2011-03-21 18:31:35.000000000 -0400
20872 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
20873 ata_acpi_uevent(dev->link->ap, dev, event);
20876 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20877 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20878 .handler = ata_acpi_dev_notify_dock,
20879 .uevent = ata_acpi_dev_uevent,
20882 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20883 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20884 .handler = ata_acpi_ap_notify_dock,
20885 .uevent = ata_acpi_ap_uevent,
20887 diff -urNp linux-2.6.38.1/drivers/ata/libata-core.c linux-2.6.38.1/drivers/ata/libata-core.c
20888 --- linux-2.6.38.1/drivers/ata/libata-core.c 2011-03-14 21:20:32.000000000 -0400
20889 +++ linux-2.6.38.1/drivers/ata/libata-core.c 2011-03-21 18:31:35.000000000 -0400
20890 @@ -897,7 +897,7 @@ static const struct ata_xfer_ent {
20891 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20892 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20893 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20899 @@ -2885,7 +2885,7 @@ static const struct ata_timing ata_timin
20900 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20901 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20904 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20907 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
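Review bot: The new terminator `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` lists nine initializers while the entries above it, e.g. `{ XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 }`, list ten, so the last member is still left to implicit zero-initialization. That is harmless, but if the point of writing the zeros out is to avoid relying on the implicit fill, the terminator should carry a tenth `0` for consistency; otherwise `{ 0xFF }` is the standard form. The table's declaration lies outside the hunk.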
20908 @@ -4141,7 +4141,7 @@ static const struct ata_blacklist_entry
20909 { "PIONEER DVD-RW DVR-212D", "1.28", ATA_HORKAGE_NOSETXFER },
20913 + { NULL, NULL, 0 }
20917 @@ -4746,7 +4746,7 @@ void ata_qc_free(struct ata_queued_cmd *
20918 struct ata_port *ap;
20921 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20922 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20926 @@ -4762,7 +4762,7 @@ void __ata_qc_complete(struct ata_queued
20927 struct ata_port *ap;
20928 struct ata_link *link;
20930 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20931 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20932 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
20934 link = qc->dev->link;
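Review bot: The comment kept beside the new `BUG_ON(qc == NULL)` still reads `/* ata_qc_from_tag _might_ return NULL */`, which now describes a condition the line deliberately turns into a kernel stop rather than something the function tolerates, and it sits directly above a `WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE))` that keeps the recoverable style for the neighbouring check. Since `qc->flags` and `qc->dev->link` are dereferenced on the very next lines, a NULL qc was never survivable here, so failing loudly is defensible, but the comment should state the trade, e.g. `/* a NULL qc would be dereferenced below; stop here rather than oops on the next line */`. Note that a BUG_ON reachable from a controller error path is a fail-closed choice that halts the whole kernel, which is worth saying in the commit message as well. The same change is made in ata_qc_free() in the preceding hunk; __ata_qc_complete() continues outside this one.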
20935 @@ -5755,7 +5755,7 @@ static void ata_host_stop(struct device
20939 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
20940 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
20942 static DEFINE_SPINLOCK(lock);
20943 const struct ata_port_operations *cur;
20944 @@ -5767,6 +5767,7 @@ static void ata_finalize_port_ops(struct
20948 + pax_open_kernel();
20950 for (cur = ops->inherits; cur; cur = cur->inherits) {
20951 void **inherit = (void **)cur;
20952 @@ -5780,8 +5781,9 @@ static void ata_finalize_port_ops(struct
20956 - ops->inherits = NULL;
20957 + ((struct ata_port_operations *)ops)->inherits = NULL;
20959 + pax_close_kernel();
20960 spin_unlock(&lock);
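Review bot: The cast that discards const in `((struct ata_port_operations *)ops)->inherits = NULL;` stores into an object that other hunks of this patch define const, which standard C treats as undefined behaviour and which only works here because the pax_open_kernel()/pax_close_kernel() window makes the page writable; that intent should be recorded at the write, e.g. `/* ops lives in read-only data; this one-time finalization is its only writer and runs inside the pax_open_kernel() window */`. The window is opened before the inheritance loop in the previous hunk and closed here just before spin_unlock(), so any early exit between the two (none is visible, but the loop body is elided from this rendering) would leave kernel data writable while the lock is also still held; keeping a single exit path through pax_close_kernel() is the property to preserve. ata_finalize_port_ops() starts outside this hunk.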
20963 @@ -5878,7 +5880,7 @@ int ata_host_start(struct ata_host *host
20965 /* KILLME - the only user left is ipr */
20966 void ata_host_init(struct ata_host *host, struct device *dev,
20967 - unsigned long flags, struct ata_port_operations *ops)
20968 + unsigned long flags, const struct ata_port_operations *ops)
20970 spin_lock_init(&host->lock);
20971 mutex_init(&host->eh_mutex);
20972 @@ -6584,7 +6586,7 @@ static void ata_dummy_error_handler(stru
20976 -struct ata_port_operations ata_dummy_port_ops = {
20977 +const struct ata_port_operations ata_dummy_port_ops = {
20978 .qc_prep = ata_noop_qc_prep,
20979 .qc_issue = ata_dummy_qc_issue,
20980 .error_handler = ata_dummy_error_handler,
20981 diff -urNp linux-2.6.38.1/drivers/ata/libata-eh.c linux-2.6.38.1/drivers/ata/libata-eh.c
20982 --- linux-2.6.38.1/drivers/ata/libata-eh.c 2011-03-23 17:20:06.000000000 -0400
20983 +++ linux-2.6.38.1/drivers/ata/libata-eh.c 2011-03-23 17:21:49.000000000 -0400
20984 @@ -3880,7 +3880,7 @@ void ata_do_eh(struct ata_port *ap, ata_
20986 void ata_std_error_handler(struct ata_port *ap)
20988 - struct ata_port_operations *ops = ap->ops;
20989 + const struct ata_port_operations *ops = ap->ops;
20990 ata_reset_fn_t hardreset = ops->hardreset;
20992 /* ignore built-in hardreset if SCR access is not available */
20993 diff -urNp linux-2.6.38.1/drivers/ata/libata-pmp.c linux-2.6.38.1/drivers/ata/libata-pmp.c
20994 --- linux-2.6.38.1/drivers/ata/libata-pmp.c 2011-03-14 21:20:32.000000000 -0400
20995 +++ linux-2.6.38.1/drivers/ata/libata-pmp.c 2011-03-21 18:31:35.000000000 -0400
20996 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
20998 static int sata_pmp_eh_recover(struct ata_port *ap)
21000 - struct ata_port_operations *ops = ap->ops;
21001 + const struct ata_port_operations *ops = ap->ops;
21002 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21003 struct ata_link *pmp_link = &ap->link;
21004 struct ata_device *pmp_dev = pmp_link->device;
21005 diff -urNp linux-2.6.38.1/drivers/ata/pata_acpi.c linux-2.6.38.1/drivers/ata/pata_acpi.c
21006 --- linux-2.6.38.1/drivers/ata/pata_acpi.c 2011-03-14 21:20:32.000000000 -0400
21007 +++ linux-2.6.38.1/drivers/ata/pata_acpi.c 2011-03-21 18:31:35.000000000 -0400
21008 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21009 ATA_BMDMA_SHT(DRV_NAME),
21012 -static struct ata_port_operations pacpi_ops = {
21013 +static const struct ata_port_operations pacpi_ops = {
21014 .inherits = &ata_bmdma_port_ops,
21015 .qc_issue = pacpi_qc_issue,
21016 .cable_detect = pacpi_cable_detect,
21017 diff -urNp linux-2.6.38.1/drivers/ata/pata_ali.c linux-2.6.38.1/drivers/ata/pata_ali.c
21018 --- linux-2.6.38.1/drivers/ata/pata_ali.c 2011-03-14 21:20:32.000000000 -0400
21019 +++ linux-2.6.38.1/drivers/ata/pata_ali.c 2011-03-21 18:31:35.000000000 -0400
21020 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21021 * Port operations for PIO only ALi
21024 -static struct ata_port_operations ali_early_port_ops = {
21025 +static const struct ata_port_operations ali_early_port_ops = {
21026 .inherits = &ata_sff_port_ops,
21027 .cable_detect = ata_cable_40wire,
21028 .set_piomode = ali_set_piomode,
21029 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21030 * Port operations for DMA capable ALi without cable
21033 -static struct ata_port_operations ali_20_port_ops = {
21034 +static const struct ata_port_operations ali_20_port_ops = {
21035 .inherits = &ali_dma_base_ops,
21036 .cable_detect = ata_cable_40wire,
21037 .mode_filter = ali_20_filter,
21038 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21040 * Port operations for DMA capable ALi with cable detect
21042 -static struct ata_port_operations ali_c2_port_ops = {
21043 +static const struct ata_port_operations ali_c2_port_ops = {
21044 .inherits = &ali_dma_base_ops,
21045 .check_atapi_dma = ali_check_atapi_dma,
21046 .cable_detect = ali_c2_cable_detect,
21047 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21049 * Port operations for DMA capable ALi with cable detect
21051 -static struct ata_port_operations ali_c4_port_ops = {
21052 +static const struct ata_port_operations ali_c4_port_ops = {
21053 .inherits = &ali_dma_base_ops,
21054 .check_atapi_dma = ali_check_atapi_dma,
21055 .cable_detect = ali_c2_cable_detect,
21056 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21058 * Port operations for DMA capable ALi with cable detect and LBA48
21060 -static struct ata_port_operations ali_c5_port_ops = {
21061 +static const struct ata_port_operations ali_c5_port_ops = {
21062 .inherits = &ali_dma_base_ops,
21063 .check_atapi_dma = ali_check_atapi_dma,
21064 .dev_config = ali_warn_atapi_dma,
21065 diff -urNp linux-2.6.38.1/drivers/ata/pata_amd.c linux-2.6.38.1/drivers/ata/pata_amd.c
21066 --- linux-2.6.38.1/drivers/ata/pata_amd.c 2011-03-14 21:20:32.000000000 -0400
21067 +++ linux-2.6.38.1/drivers/ata/pata_amd.c 2011-03-21 18:31:35.000000000 -0400
21068 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21069 .prereset = amd_pre_reset,
21072 -static struct ata_port_operations amd33_port_ops = {
21073 +static const struct ata_port_operations amd33_port_ops = {
21074 .inherits = &amd_base_port_ops,
21075 .cable_detect = ata_cable_40wire,
21076 .set_piomode = amd33_set_piomode,
21077 .set_dmamode = amd33_set_dmamode,
21080 -static struct ata_port_operations amd66_port_ops = {
21081 +static const struct ata_port_operations amd66_port_ops = {
21082 .inherits = &amd_base_port_ops,
21083 .cable_detect = ata_cable_unknown,
21084 .set_piomode = amd66_set_piomode,
21085 .set_dmamode = amd66_set_dmamode,
21088 -static struct ata_port_operations amd100_port_ops = {
21089 +static const struct ata_port_operations amd100_port_ops = {
21090 .inherits = &amd_base_port_ops,
21091 .cable_detect = ata_cable_unknown,
21092 .set_piomode = amd100_set_piomode,
21093 .set_dmamode = amd100_set_dmamode,
21096 -static struct ata_port_operations amd133_port_ops = {
21097 +static const struct ata_port_operations amd133_port_ops = {
21098 .inherits = &amd_base_port_ops,
21099 .cable_detect = amd_cable_detect,
21100 .set_piomode = amd133_set_piomode,
21101 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21102 .host_stop = nv_host_stop,
21105 -static struct ata_port_operations nv100_port_ops = {
21106 +static const struct ata_port_operations nv100_port_ops = {
21107 .inherits = &nv_base_port_ops,
21108 .set_piomode = nv100_set_piomode,
21109 .set_dmamode = nv100_set_dmamode,
21112 -static struct ata_port_operations nv133_port_ops = {
21113 +static const struct ata_port_operations nv133_port_ops = {
21114 .inherits = &nv_base_port_ops,
21115 .set_piomode = nv133_set_piomode,
21116 .set_dmamode = nv133_set_dmamode,
21117 diff -urNp linux-2.6.38.1/drivers/ata/pata_artop.c linux-2.6.38.1/drivers/ata/pata_artop.c
21118 --- linux-2.6.38.1/drivers/ata/pata_artop.c 2011-03-14 21:20:32.000000000 -0400
21119 +++ linux-2.6.38.1/drivers/ata/pata_artop.c 2011-03-21 18:31:35.000000000 -0400
21120 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
21121 ATA_BMDMA_SHT(DRV_NAME),
21124 -static struct ata_port_operations artop6210_ops = {
21125 +static const struct ata_port_operations artop6210_ops = {
21126 .inherits = &ata_bmdma_port_ops,
21127 .cable_detect = ata_cable_40wire,
21128 .set_piomode = artop6210_set_piomode,
21129 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
21130 .qc_defer = artop6210_qc_defer,
21133 -static struct ata_port_operations artop6260_ops = {
21134 +static const struct ata_port_operations artop6260_ops = {
21135 .inherits = &ata_bmdma_port_ops,
21136 .cable_detect = artop6260_cable_detect,
21137 .set_piomode = artop6260_set_piomode,
21138 diff -urNp linux-2.6.38.1/drivers/ata/pata_at32.c linux-2.6.38.1/drivers/ata/pata_at32.c
21139 --- linux-2.6.38.1/drivers/ata/pata_at32.c 2011-03-14 21:20:32.000000000 -0400
21140 +++ linux-2.6.38.1/drivers/ata/pata_at32.c 2011-03-21 18:31:35.000000000 -0400
21141 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21142 ATA_PIO_SHT(DRV_NAME),
21145 -static struct ata_port_operations at32_port_ops = {
21146 +static const struct ata_port_operations at32_port_ops = {
21147 .inherits = &ata_sff_port_ops,
21148 .cable_detect = ata_cable_40wire,
21149 .set_piomode = pata_at32_set_piomode,
21150 diff -urNp linux-2.6.38.1/drivers/ata/pata_at91.c linux-2.6.38.1/drivers/ata/pata_at91.c
21151 --- linux-2.6.38.1/drivers/ata/pata_at91.c 2011-03-14 21:20:32.000000000 -0400
21152 +++ linux-2.6.38.1/drivers/ata/pata_at91.c 2011-03-21 18:31:35.000000000 -0400
21153 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21154 ATA_PIO_SHT(DRV_NAME),
21157 -static struct ata_port_operations pata_at91_port_ops = {
21158 +static const struct ata_port_operations pata_at91_port_ops = {
21159 .inherits = &ata_sff_port_ops,
21161 .sff_data_xfer = pata_at91_data_xfer_noirq,
21162 diff -urNp linux-2.6.38.1/drivers/ata/pata_atiixp.c linux-2.6.38.1/drivers/ata/pata_atiixp.c
21163 --- linux-2.6.38.1/drivers/ata/pata_atiixp.c 2011-03-14 21:20:32.000000000 -0400
21164 +++ linux-2.6.38.1/drivers/ata/pata_atiixp.c 2011-03-21 18:31:35.000000000 -0400
21165 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21166 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21169 -static struct ata_port_operations atiixp_port_ops = {
21170 +static const struct ata_port_operations atiixp_port_ops = {
21171 .inherits = &ata_bmdma_port_ops,
21173 .qc_prep = ata_bmdma_dumb_qc_prep,
21174 diff -urNp linux-2.6.38.1/drivers/ata/pata_atp867x.c linux-2.6.38.1/drivers/ata/pata_atp867x.c
21175 --- linux-2.6.38.1/drivers/ata/pata_atp867x.c 2011-03-14 21:20:32.000000000 -0400
21176 +++ linux-2.6.38.1/drivers/ata/pata_atp867x.c 2011-03-21 18:31:35.000000000 -0400
21177 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21178 ATA_BMDMA_SHT(DRV_NAME),
21181 -static struct ata_port_operations atp867x_ops = {
21182 +static const struct ata_port_operations atp867x_ops = {
21183 .inherits = &ata_bmdma_port_ops,
21184 .cable_detect = atp867x_cable_detect,
21185 .set_piomode = atp867x_set_piomode,
21186 diff -urNp linux-2.6.38.1/drivers/ata/pata_bf54x.c linux-2.6.38.1/drivers/ata/pata_bf54x.c
21187 --- linux-2.6.38.1/drivers/ata/pata_bf54x.c 2011-03-14 21:20:32.000000000 -0400
21188 +++ linux-2.6.38.1/drivers/ata/pata_bf54x.c 2011-03-21 18:31:35.000000000 -0400
21189 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21190 .dma_boundary = ATA_DMA_BOUNDARY,
21193 -static struct ata_port_operations bfin_pata_ops = {
21194 +static const struct ata_port_operations bfin_pata_ops = {
21195 .inherits = &ata_bmdma_port_ops,
21197 .set_piomode = bfin_set_piomode,
21198 diff -urNp linux-2.6.38.1/drivers/ata/pata_cmd640.c linux-2.6.38.1/drivers/ata/pata_cmd640.c
21199 --- linux-2.6.38.1/drivers/ata/pata_cmd640.c 2011-03-14 21:20:32.000000000 -0400
21200 +++ linux-2.6.38.1/drivers/ata/pata_cmd640.c 2011-03-21 18:31:35.000000000 -0400
21201 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
21202 ATA_PIO_SHT(DRV_NAME),
21205 -static struct ata_port_operations cmd640_port_ops = {
21206 +static const struct ata_port_operations cmd640_port_ops = {
21207 .inherits = &ata_sff_port_ops,
21208 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21209 .sff_data_xfer = ata_sff_data_xfer_noirq,
21210 diff -urNp linux-2.6.38.1/drivers/ata/pata_cmd64x.c linux-2.6.38.1/drivers/ata/pata_cmd64x.c
21211 --- linux-2.6.38.1/drivers/ata/pata_cmd64x.c 2011-03-14 21:20:32.000000000 -0400
21212 +++ linux-2.6.38.1/drivers/ata/pata_cmd64x.c 2011-03-21 18:31:35.000000000 -0400
21213 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21214 .set_dmamode = cmd64x_set_dmamode,
21217 -static struct ata_port_operations cmd64x_port_ops = {
21218 +static const struct ata_port_operations cmd64x_port_ops = {
21219 .inherits = &cmd64x_base_ops,
21220 .cable_detect = ata_cable_40wire,
21223 -static struct ata_port_operations cmd646r1_port_ops = {
21224 +static const struct ata_port_operations cmd646r1_port_ops = {
21225 .inherits = &cmd64x_base_ops,
21226 .bmdma_stop = cmd646r1_bmdma_stop,
21227 .cable_detect = ata_cable_40wire,
21230 -static struct ata_port_operations cmd648_port_ops = {
21231 +static const struct ata_port_operations cmd648_port_ops = {
21232 .inherits = &cmd64x_base_ops,
21233 .bmdma_stop = cmd648_bmdma_stop,
21234 .cable_detect = cmd648_cable_detect,
21235 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5520.c linux-2.6.38.1/drivers/ata/pata_cs5520.c
21236 --- linux-2.6.38.1/drivers/ata/pata_cs5520.c 2011-03-14 21:20:32.000000000 -0400
21237 +++ linux-2.6.38.1/drivers/ata/pata_cs5520.c 2011-03-21 18:31:35.000000000 -0400
21238 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21239 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21242 -static struct ata_port_operations cs5520_port_ops = {
21243 +static const struct ata_port_operations cs5520_port_ops = {
21244 .inherits = &ata_bmdma_port_ops,
21245 .qc_prep = ata_bmdma_dumb_qc_prep,
21246 .cable_detect = ata_cable_40wire,
21247 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5530.c linux-2.6.38.1/drivers/ata/pata_cs5530.c
21248 --- linux-2.6.38.1/drivers/ata/pata_cs5530.c 2011-03-14 21:20:32.000000000 -0400
21249 +++ linux-2.6.38.1/drivers/ata/pata_cs5530.c 2011-03-21 18:31:35.000000000 -0400
21250 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21251 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21254 -static struct ata_port_operations cs5530_port_ops = {
21255 +static const struct ata_port_operations cs5530_port_ops = {
21256 .inherits = &ata_bmdma_port_ops,
21258 .qc_prep = ata_bmdma_dumb_qc_prep,
21259 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5535.c linux-2.6.38.1/drivers/ata/pata_cs5535.c
21260 --- linux-2.6.38.1/drivers/ata/pata_cs5535.c 2011-03-14 21:20:32.000000000 -0400
21261 +++ linux-2.6.38.1/drivers/ata/pata_cs5535.c 2011-03-21 18:31:35.000000000 -0400
21262 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21263 ATA_BMDMA_SHT(DRV_NAME),
21266 -static struct ata_port_operations cs5535_port_ops = {
21267 +static const struct ata_port_operations cs5535_port_ops = {
21268 .inherits = &ata_bmdma_port_ops,
21269 .cable_detect = cs5535_cable_detect,
21270 .set_piomode = cs5535_set_piomode,
21271 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5536.c linux-2.6.38.1/drivers/ata/pata_cs5536.c
21272 --- linux-2.6.38.1/drivers/ata/pata_cs5536.c 2011-03-14 21:20:32.000000000 -0400
21273 +++ linux-2.6.38.1/drivers/ata/pata_cs5536.c 2011-03-21 18:31:35.000000000 -0400
21274 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
21275 ATA_BMDMA_SHT(DRV_NAME),
21278 -static struct ata_port_operations cs5536_port_ops = {
21279 +static const struct ata_port_operations cs5536_port_ops = {
21280 .inherits = &ata_bmdma32_port_ops,
21281 .cable_detect = cs5536_cable_detect,
21282 .set_piomode = cs5536_set_piomode,
21283 diff -urNp linux-2.6.38.1/drivers/ata/pata_cypress.c linux-2.6.38.1/drivers/ata/pata_cypress.c
21284 --- linux-2.6.38.1/drivers/ata/pata_cypress.c 2011-03-14 21:20:32.000000000 -0400
21285 +++ linux-2.6.38.1/drivers/ata/pata_cypress.c 2011-03-21 18:31:35.000000000 -0400
21286 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21287 ATA_BMDMA_SHT(DRV_NAME),
21290 -static struct ata_port_operations cy82c693_port_ops = {
21291 +static const struct ata_port_operations cy82c693_port_ops = {
21292 .inherits = &ata_bmdma_port_ops,
21293 .cable_detect = ata_cable_40wire,
21294 .set_piomode = cy82c693_set_piomode,
21295 diff -urNp linux-2.6.38.1/drivers/ata/pata_efar.c linux-2.6.38.1/drivers/ata/pata_efar.c
21296 --- linux-2.6.38.1/drivers/ata/pata_efar.c 2011-03-14 21:20:32.000000000 -0400
21297 +++ linux-2.6.38.1/drivers/ata/pata_efar.c 2011-03-21 18:31:35.000000000 -0400
21298 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21299 ATA_BMDMA_SHT(DRV_NAME),
21302 -static struct ata_port_operations efar_ops = {
21303 +static const struct ata_port_operations efar_ops = {
21304 .inherits = &ata_bmdma_port_ops,
21305 .cable_detect = efar_cable_detect,
21306 .set_piomode = efar_set_piomode,
21307 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt366.c linux-2.6.38.1/drivers/ata/pata_hpt366.c
21308 --- linux-2.6.38.1/drivers/ata/pata_hpt366.c 2011-03-14 21:20:32.000000000 -0400
21309 +++ linux-2.6.38.1/drivers/ata/pata_hpt366.c 2011-03-21 18:31:35.000000000 -0400
21310 @@ -275,7 +275,7 @@ static struct scsi_host_template hpt36x_
21311 * Configuration for HPT366/68
21314 -static struct ata_port_operations hpt366_port_ops = {
21315 +static const struct ata_port_operations hpt366_port_ops = {
21316 .inherits = &ata_bmdma_port_ops,
21317 .cable_detect = hpt36x_cable_detect,
21318 .mode_filter = hpt366_filter,
21319 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt37x.c linux-2.6.38.1/drivers/ata/pata_hpt37x.c
21320 --- linux-2.6.38.1/drivers/ata/pata_hpt37x.c 2011-03-14 21:20:32.000000000 -0400
21321 +++ linux-2.6.38.1/drivers/ata/pata_hpt37x.c 2011-03-21 18:31:35.000000000 -0400
21322 @@ -587,7 +587,7 @@ static struct scsi_host_template hpt37x_
21323 * Configuration for HPT370
21326 -static struct ata_port_operations hpt370_port_ops = {
21327 +static const struct ata_port_operations hpt370_port_ops = {
21328 .inherits = &ata_bmdma_port_ops,
21330 .bmdma_stop = hpt370_bmdma_stop,
21331 @@ -603,7 +603,7 @@ static struct ata_port_operations hpt370
21332 * Configuration for HPT370A. Close to 370 but less filters
21335 -static struct ata_port_operations hpt370a_port_ops = {
21336 +static const struct ata_port_operations hpt370a_port_ops = {
21337 .inherits = &hpt370_port_ops,
21338 .mode_filter = hpt370a_filter,
21340 @@ -613,7 +613,7 @@ static struct ata_port_operations hpt370
21341 * mode setting functionality.
21344 -static struct ata_port_operations hpt302_port_ops = {
21345 +static const struct ata_port_operations hpt302_port_ops = {
21346 .inherits = &ata_bmdma_port_ops,
21348 .bmdma_stop = hpt37x_bmdma_stop,
21349 @@ -629,7 +629,7 @@ static struct ata_port_operations hpt302
21350 * but we have a mode filter.
21353 -static struct ata_port_operations hpt372_port_ops = {
21354 +static const struct ata_port_operations hpt372_port_ops = {
21355 .inherits = &hpt302_port_ops,
21356 .mode_filter = hpt372_filter,
21358 @@ -639,7 +639,7 @@ static struct ata_port_operations hpt372
21359 * but we have a different cable detection procedure for function 1.
21362 -static struct ata_port_operations hpt374_fn1_port_ops = {
21363 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21364 .inherits = &hpt372_port_ops,
21365 .cable_detect = hpt374_fn1_cable_detect,
21367 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt3x2n.c linux-2.6.38.1/drivers/ata/pata_hpt3x2n.c
21368 --- linux-2.6.38.1/drivers/ata/pata_hpt3x2n.c 2011-03-14 21:20:32.000000000 -0400
21369 +++ linux-2.6.38.1/drivers/ata/pata_hpt3x2n.c 2011-03-21 18:31:35.000000000 -0400
21370 @@ -348,7 +348,7 @@ static struct scsi_host_template hpt3x2n
21371 * Configuration for HPT302N/371N.
21374 -static struct ata_port_operations hpt3xxn_port_ops = {
21375 +static const struct ata_port_operations hpt3xxn_port_ops = {
21376 .inherits = &ata_bmdma_port_ops,
21378 .bmdma_stop = hpt3x2n_bmdma_stop,
21379 @@ -366,7 +366,7 @@ static struct ata_port_operations hpt3xx
21380 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
21383 -static struct ata_port_operations hpt372n_port_ops = {
21384 +static const struct ata_port_operations hpt372n_port_ops = {
21385 .inherits = &hpt3xxn_port_ops,
21386 .mode_filter = &hpt372n_filter,
21388 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt3x3.c linux-2.6.38.1/drivers/ata/pata_hpt3x3.c
21389 --- linux-2.6.38.1/drivers/ata/pata_hpt3x3.c 2011-03-14 21:20:32.000000000 -0400
21390 +++ linux-2.6.38.1/drivers/ata/pata_hpt3x3.c 2011-03-21 18:31:35.000000000 -0400
21391 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21392 ATA_BMDMA_SHT(DRV_NAME),
21395 -static struct ata_port_operations hpt3x3_port_ops = {
21396 +static const struct ata_port_operations hpt3x3_port_ops = {
21397 .inherits = &ata_bmdma_port_ops,
21398 .cable_detect = ata_cable_40wire,
21399 .set_piomode = hpt3x3_set_piomode,
21400 diff -urNp linux-2.6.38.1/drivers/ata/pata_icside.c linux-2.6.38.1/drivers/ata/pata_icside.c
21401 --- linux-2.6.38.1/drivers/ata/pata_icside.c 2011-03-14 21:20:32.000000000 -0400
21402 +++ linux-2.6.38.1/drivers/ata/pata_icside.c 2011-03-21 18:31:35.000000000 -0400
21403 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21407 -static struct ata_port_operations pata_icside_port_ops = {
21408 +static const struct ata_port_operations pata_icside_port_ops = {
21409 .inherits = &ata_bmdma_port_ops,
21410 /* no need to build any PRD tables for DMA */
21411 .qc_prep = ata_noop_qc_prep,
21412 diff -urNp linux-2.6.38.1/drivers/ata/pata_isapnp.c linux-2.6.38.1/drivers/ata/pata_isapnp.c
21413 --- linux-2.6.38.1/drivers/ata/pata_isapnp.c 2011-03-14 21:20:32.000000000 -0400
21414 +++ linux-2.6.38.1/drivers/ata/pata_isapnp.c 2011-03-21 18:31:35.000000000 -0400
21415 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21416 ATA_PIO_SHT(DRV_NAME),
21419 -static struct ata_port_operations isapnp_port_ops = {
21420 +static const struct ata_port_operations isapnp_port_ops = {
21421 .inherits = &ata_sff_port_ops,
21422 .cable_detect = ata_cable_40wire,
21425 -static struct ata_port_operations isapnp_noalt_port_ops = {
21426 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21427 .inherits = &ata_sff_port_ops,
21428 .cable_detect = ata_cable_40wire,
21429 /* No altstatus so we don't want to use the lost interrupt poll */
21430 diff -urNp linux-2.6.38.1/drivers/ata/pata_it8213.c linux-2.6.38.1/drivers/ata/pata_it8213.c
21431 --- linux-2.6.38.1/drivers/ata/pata_it8213.c 2011-03-14 21:20:32.000000000 -0400
21432 +++ linux-2.6.38.1/drivers/ata/pata_it8213.c 2011-03-21 18:31:35.000000000 -0400
21433 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21437 -static struct ata_port_operations it8213_ops = {
21438 +static const struct ata_port_operations it8213_ops = {
21439 .inherits = &ata_bmdma_port_ops,
21440 .cable_detect = it8213_cable_detect,
21441 .set_piomode = it8213_set_piomode,
21442 diff -urNp linux-2.6.38.1/drivers/ata/pata_it821x.c linux-2.6.38.1/drivers/ata/pata_it821x.c
21443 --- linux-2.6.38.1/drivers/ata/pata_it821x.c 2011-03-14 21:20:32.000000000 -0400
21444 +++ linux-2.6.38.1/drivers/ata/pata_it821x.c 2011-03-21 18:31:35.000000000 -0400
21445 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21446 ATA_BMDMA_SHT(DRV_NAME),
21449 -static struct ata_port_operations it821x_smart_port_ops = {
21450 +static const struct ata_port_operations it821x_smart_port_ops = {
21451 .inherits = &ata_bmdma_port_ops,
21453 .check_atapi_dma= it821x_check_atapi_dma,
21454 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21455 .port_start = it821x_port_start,
21458 -static struct ata_port_operations it821x_passthru_port_ops = {
21459 +static const struct ata_port_operations it821x_passthru_port_ops = {
21460 .inherits = &ata_bmdma_port_ops,
21462 .check_atapi_dma= it821x_check_atapi_dma,
21463 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21464 .port_start = it821x_port_start,
21467 -static struct ata_port_operations it821x_rdc_port_ops = {
21468 +static const struct ata_port_operations it821x_rdc_port_ops = {
21469 .inherits = &ata_bmdma_port_ops,
21471 .check_atapi_dma= it821x_check_atapi_dma,
21472 diff -urNp linux-2.6.38.1/drivers/ata/pata_ixp4xx_cf.c linux-2.6.38.1/drivers/ata/pata_ixp4xx_cf.c
21473 --- linux-2.6.38.1/drivers/ata/pata_ixp4xx_cf.c 2011-03-14 21:20:32.000000000 -0400
21474 +++ linux-2.6.38.1/drivers/ata/pata_ixp4xx_cf.c 2011-03-21 18:31:35.000000000 -0400
21475 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21476 ATA_PIO_SHT(DRV_NAME),
21479 -static struct ata_port_operations ixp4xx_port_ops = {
21480 +static const struct ata_port_operations ixp4xx_port_ops = {
21481 .inherits = &ata_sff_port_ops,
21482 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21483 .cable_detect = ata_cable_40wire,
21484 diff -urNp linux-2.6.38.1/drivers/ata/pata_jmicron.c linux-2.6.38.1/drivers/ata/pata_jmicron.c
21485 --- linux-2.6.38.1/drivers/ata/pata_jmicron.c 2011-03-14 21:20:32.000000000 -0400
21486 +++ linux-2.6.38.1/drivers/ata/pata_jmicron.c 2011-03-21 18:31:35.000000000 -0400
21487 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21488 ATA_BMDMA_SHT(DRV_NAME),
21491 -static struct ata_port_operations jmicron_ops = {
21492 +static const struct ata_port_operations jmicron_ops = {
21493 .inherits = &ata_bmdma_port_ops,
21494 .prereset = jmicron_pre_reset,
21496 diff -urNp linux-2.6.38.1/drivers/ata/pata_legacy.c linux-2.6.38.1/drivers/ata/pata_legacy.c
21497 --- linux-2.6.38.1/drivers/ata/pata_legacy.c 2011-03-14 21:20:32.000000000 -0400
21498 +++ linux-2.6.38.1/drivers/ata/pata_legacy.c 2011-03-21 18:31:35.000000000 -0400
21499 @@ -116,7 +116,7 @@ struct legacy_probe {
21501 struct legacy_controller {
21503 - struct ata_port_operations *ops;
21504 + const struct ata_port_operations *ops;
21505 unsigned int pio_mask;
21506 unsigned int flags;
21507 unsigned int pflags;
21508 @@ -239,12 +239,12 @@ static const struct ata_port_operations
21509 * pio_mask as well.
21512 -static struct ata_port_operations simple_port_ops = {
21513 +static const struct ata_port_operations simple_port_ops = {
21514 .inherits = &legacy_base_port_ops,
21515 .sff_data_xfer = ata_sff_data_xfer_noirq,
21518 -static struct ata_port_operations legacy_port_ops = {
21519 +static const struct ata_port_operations legacy_port_ops = {
21520 .inherits = &legacy_base_port_ops,
21521 .sff_data_xfer = ata_sff_data_xfer_noirq,
21522 .set_mode = legacy_set_mode,
21523 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
21527 -static struct ata_port_operations pdc20230_port_ops = {
21528 +static const struct ata_port_operations pdc20230_port_ops = {
21529 .inherits = &legacy_base_port_ops,
21530 .set_piomode = pdc20230_set_piomode,
21531 .sff_data_xfer = pdc_data_xfer_vlb,
21532 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
21533 ioread8(ap->ioaddr.status_addr);
21536 -static struct ata_port_operations ht6560a_port_ops = {
21537 +static const struct ata_port_operations ht6560a_port_ops = {
21538 .inherits = &legacy_base_port_ops,
21539 .set_piomode = ht6560a_set_piomode,
21541 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
21542 ioread8(ap->ioaddr.status_addr);
21545 -static struct ata_port_operations ht6560b_port_ops = {
21546 +static const struct ata_port_operations ht6560b_port_ops = {
21547 .inherits = &legacy_base_port_ops,
21548 .set_piomode = ht6560b_set_piomode,
21550 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
21554 -static struct ata_port_operations opti82c611a_port_ops = {
21555 +static const struct ata_port_operations opti82c611a_port_ops = {
21556 .inherits = &legacy_base_port_ops,
21557 .set_piomode = opti82c611a_set_piomode,
21559 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
21560 return ata_sff_qc_issue(qc);
21563 -static struct ata_port_operations opti82c46x_port_ops = {
21564 +static const struct ata_port_operations opti82c46x_port_ops = {
21565 .inherits = &legacy_base_port_ops,
21566 .set_piomode = opti82c46x_set_piomode,
21567 .qc_issue = opti82c46x_qc_issue,
21568 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
21572 -static struct ata_port_operations qdi6500_port_ops = {
21573 +static const struct ata_port_operations qdi6500_port_ops = {
21574 .inherits = &legacy_base_port_ops,
21575 .set_piomode = qdi6500_set_piomode,
21576 .qc_issue = qdi_qc_issue,
21577 .sff_data_xfer = vlb32_data_xfer,
21580 -static struct ata_port_operations qdi6580_port_ops = {
21581 +static const struct ata_port_operations qdi6580_port_ops = {
21582 .inherits = &legacy_base_port_ops,
21583 .set_piomode = qdi6580_set_piomode,
21584 .sff_data_xfer = vlb32_data_xfer,
21587 -static struct ata_port_operations qdi6580dp_port_ops = {
21588 +static const struct ata_port_operations qdi6580dp_port_ops = {
21589 .inherits = &legacy_base_port_ops,
21590 .set_piomode = qdi6580dp_set_piomode,
21591 .qc_issue = qdi_qc_issue,
21592 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
21596 -static struct ata_port_operations winbond_port_ops = {
21597 +static const struct ata_port_operations winbond_port_ops = {
21598 .inherits = &legacy_base_port_ops,
21599 .set_piomode = winbond_set_piomode,
21600 .sff_data_xfer = vlb32_data_xfer,
21601 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
21602 int pio_modes = controller->pio_mask;
21603 unsigned long io = probe->port;
21604 u32 mask = (1 << probe->slot);
21605 - struct ata_port_operations *ops = controller->ops;
21606 + const struct ata_port_operations *ops = controller->ops;
21607 struct legacy_data *ld = &legacy_data[probe->slot];
21608 struct ata_host *host = NULL;
21609 struct ata_port *ap;
21610 diff -urNp linux-2.6.38.1/drivers/ata/pata_macio.c linux-2.6.38.1/drivers/ata/pata_macio.c
21611 --- linux-2.6.38.1/drivers/ata/pata_macio.c 2011-03-14 21:20:32.000000000 -0400
21612 +++ linux-2.6.38.1/drivers/ata/pata_macio.c 2011-03-21 18:31:35.000000000 -0400
21613 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21614 .slave_configure = pata_macio_slave_config,
21617 -static struct ata_port_operations pata_macio_ops = {
21618 +static const struct ata_port_operations pata_macio_ops = {
21619 .inherits = &ata_bmdma_port_ops,
21621 .freeze = pata_macio_freeze,
21622 .set_piomode = pata_macio_set_timings,
21623 .set_dmamode = pata_macio_set_timings,
21624 diff -urNp linux-2.6.38.1/drivers/ata/pata_marvell.c linux-2.6.38.1/drivers/ata/pata_marvell.c
21625 --- linux-2.6.38.1/drivers/ata/pata_marvell.c 2011-03-14 21:20:32.000000000 -0400
21626 +++ linux-2.6.38.1/drivers/ata/pata_marvell.c 2011-03-21 18:31:35.000000000 -0400
21627 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21628 ATA_BMDMA_SHT(DRV_NAME),
21631 -static struct ata_port_operations marvell_ops = {
21632 +static const struct ata_port_operations marvell_ops = {
21633 .inherits = &ata_bmdma_port_ops,
21634 .cable_detect = marvell_cable_detect,
21635 .prereset = marvell_pre_reset,
21636 diff -urNp linux-2.6.38.1/drivers/ata/pata_mpc52xx.c linux-2.6.38.1/drivers/ata/pata_mpc52xx.c
21637 --- linux-2.6.38.1/drivers/ata/pata_mpc52xx.c 2011-03-14 21:20:32.000000000 -0400
21638 +++ linux-2.6.38.1/drivers/ata/pata_mpc52xx.c 2011-03-21 18:31:35.000000000 -0400
21639 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21640 ATA_PIO_SHT(DRV_NAME),
21643 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21644 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21645 .inherits = &ata_bmdma_port_ops,
21646 .sff_dev_select = mpc52xx_ata_dev_select,
21647 .set_piomode = mpc52xx_ata_set_piomode,
21648 diff -urNp linux-2.6.38.1/drivers/ata/pata_mpiix.c linux-2.6.38.1/drivers/ata/pata_mpiix.c
21649 --- linux-2.6.38.1/drivers/ata/pata_mpiix.c 2011-03-14 21:20:32.000000000 -0400
21650 +++ linux-2.6.38.1/drivers/ata/pata_mpiix.c 2011-03-21 18:31:35.000000000 -0400
21651 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21652 ATA_PIO_SHT(DRV_NAME),
21655 -static struct ata_port_operations mpiix_port_ops = {
21656 +static const struct ata_port_operations mpiix_port_ops = {
21657 .inherits = &ata_sff_port_ops,
21658 .qc_issue = mpiix_qc_issue,
21659 .cable_detect = ata_cable_40wire,
21660 diff -urNp linux-2.6.38.1/drivers/ata/pata_netcell.c linux-2.6.38.1/drivers/ata/pata_netcell.c
21661 --- linux-2.6.38.1/drivers/ata/pata_netcell.c 2011-03-14 21:20:32.000000000 -0400
21662 +++ linux-2.6.38.1/drivers/ata/pata_netcell.c 2011-03-21 18:31:35.000000000 -0400
21663 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21664 ATA_BMDMA_SHT(DRV_NAME),
21667 -static struct ata_port_operations netcell_ops = {
21668 +static const struct ata_port_operations netcell_ops = {
21669 .inherits = &ata_bmdma_port_ops,
21670 .cable_detect = ata_cable_80wire,
21671 .read_id = netcell_read_id,
21672 diff -urNp linux-2.6.38.1/drivers/ata/pata_ninja32.c linux-2.6.38.1/drivers/ata/pata_ninja32.c
21673 --- linux-2.6.38.1/drivers/ata/pata_ninja32.c 2011-03-14 21:20:32.000000000 -0400
21674 +++ linux-2.6.38.1/drivers/ata/pata_ninja32.c 2011-03-21 18:31:35.000000000 -0400
21675 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21676 ATA_BMDMA_SHT(DRV_NAME),
21679 -static struct ata_port_operations ninja32_port_ops = {
21680 +static const struct ata_port_operations ninja32_port_ops = {
21681 .inherits = &ata_bmdma_port_ops,
21682 .sff_dev_select = ninja32_dev_select,
21683 .cable_detect = ata_cable_40wire,
21684 diff -urNp linux-2.6.38.1/drivers/ata/pata_ns87410.c linux-2.6.38.1/drivers/ata/pata_ns87410.c
21685 --- linux-2.6.38.1/drivers/ata/pata_ns87410.c 2011-03-14 21:20:32.000000000 -0400
21686 +++ linux-2.6.38.1/drivers/ata/pata_ns87410.c 2011-03-21 18:31:35.000000000 -0400
21687 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21688 ATA_PIO_SHT(DRV_NAME),
21691 -static struct ata_port_operations ns87410_port_ops = {
21692 +static const struct ata_port_operations ns87410_port_ops = {
21693 .inherits = &ata_sff_port_ops,
21694 .qc_issue = ns87410_qc_issue,
21695 .cable_detect = ata_cable_40wire,
21696 diff -urNp linux-2.6.38.1/drivers/ata/pata_ns87415.c linux-2.6.38.1/drivers/ata/pata_ns87415.c
21697 --- linux-2.6.38.1/drivers/ata/pata_ns87415.c 2011-03-14 21:20:32.000000000 -0400
21698 +++ linux-2.6.38.1/drivers/ata/pata_ns87415.c 2011-03-21 18:31:35.000000000 -0400
21699 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21701 #endif /* 87560 SuperIO Support */
21703 -static struct ata_port_operations ns87415_pata_ops = {
21704 +static const struct ata_port_operations ns87415_pata_ops = {
21705 .inherits = &ata_bmdma_port_ops,
21707 .check_atapi_dma = ns87415_check_atapi_dma,
21708 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21711 #if defined(CONFIG_SUPERIO)
21712 -static struct ata_port_operations ns87560_pata_ops = {
21713 +static const struct ata_port_operations ns87560_pata_ops = {
21714 .inherits = &ns87415_pata_ops,
21715 .sff_tf_read = ns87560_tf_read,
21716 .sff_check_status = ns87560_check_status,
21717 diff -urNp linux-2.6.38.1/drivers/ata/pata_octeon_cf.c linux-2.6.38.1/drivers/ata/pata_octeon_cf.c
21718 --- linux-2.6.38.1/drivers/ata/pata_octeon_cf.c 2011-03-14 21:20:32.000000000 -0400
21719 +++ linux-2.6.38.1/drivers/ata/pata_octeon_cf.c 2011-03-21 18:31:35.000000000 -0400
21720 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
21724 -static struct ata_port_operations octeon_cf_ops = {
21725 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
21726 .inherits = &ata_sff_port_ops,
21727 .check_atapi_dma = octeon_cf_check_atapi_dma,
21728 .qc_prep = ata_noop_qc_prep,
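Review bot: The `/* cannot be const */` comment on octeon_cf_ops states the exception without its reason, so a later constification pass cannot tell whether it still holds. Presumably some member of this table is assigned at run time (the hunk does not show where); naming that member and its writer, e.g. `/* cannot be const: <MEMBER-PLACEHOLDER> is set during probe before the table is registered */`, would let a reviewer check that the write precedes hand-off to libata and that no second writer exists. Since this leaves one writable function-pointer table among otherwise read-only ones, the comment is also the natural place to record why that residual exposure is acceptable.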
21729 diff -urNp linux-2.6.38.1/drivers/ata/pata_oldpiix.c linux-2.6.38.1/drivers/ata/pata_oldpiix.c
21730 --- linux-2.6.38.1/drivers/ata/pata_oldpiix.c 2011-03-14 21:20:32.000000000 -0400
21731 +++ linux-2.6.38.1/drivers/ata/pata_oldpiix.c 2011-03-21 18:31:35.000000000 -0400
21732 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21733 ATA_BMDMA_SHT(DRV_NAME),
21736 -static struct ata_port_operations oldpiix_pata_ops = {
21737 +static const struct ata_port_operations oldpiix_pata_ops = {
21738 .inherits = &ata_bmdma_port_ops,
21739 .qc_issue = oldpiix_qc_issue,
21740 .cable_detect = ata_cable_40wire,
21741 diff -urNp linux-2.6.38.1/drivers/ata/pata_opti.c linux-2.6.38.1/drivers/ata/pata_opti.c
21742 --- linux-2.6.38.1/drivers/ata/pata_opti.c 2011-03-14 21:20:32.000000000 -0400
21743 +++ linux-2.6.38.1/drivers/ata/pata_opti.c 2011-03-21 18:31:35.000000000 -0400
21744 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21745 ATA_PIO_SHT(DRV_NAME),
21748 -static struct ata_port_operations opti_port_ops = {
21749 +static const struct ata_port_operations opti_port_ops = {
21750 .inherits = &ata_sff_port_ops,
21751 .cable_detect = ata_cable_40wire,
21752 .set_piomode = opti_set_piomode,
21753 diff -urNp linux-2.6.38.1/drivers/ata/pata_optidma.c linux-2.6.38.1/drivers/ata/pata_optidma.c
21754 --- linux-2.6.38.1/drivers/ata/pata_optidma.c 2011-03-14 21:20:32.000000000 -0400
21755 +++ linux-2.6.38.1/drivers/ata/pata_optidma.c 2011-03-21 18:31:35.000000000 -0400
21756 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21757 ATA_BMDMA_SHT(DRV_NAME),
21760 -static struct ata_port_operations optidma_port_ops = {
21761 +static const struct ata_port_operations optidma_port_ops = {
21762 .inherits = &ata_bmdma_port_ops,
21763 .cable_detect = ata_cable_40wire,
21764 .set_piomode = optidma_set_pio_mode,
21765 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21766 .prereset = optidma_pre_reset,
21769 -static struct ata_port_operations optiplus_port_ops = {
21770 +static const struct ata_port_operations optiplus_port_ops = {
21771 .inherits = &optidma_port_ops,
21772 .set_piomode = optiplus_set_pio_mode,
21773 .set_dmamode = optiplus_set_dma_mode,
21774 diff -urNp linux-2.6.38.1/drivers/ata/pata_palmld.c linux-2.6.38.1/drivers/ata/pata_palmld.c
21775 --- linux-2.6.38.1/drivers/ata/pata_palmld.c 2011-03-14 21:20:32.000000000 -0400
21776 +++ linux-2.6.38.1/drivers/ata/pata_palmld.c 2011-03-21 18:31:35.000000000 -0400
21777 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21778 ATA_PIO_SHT(DRV_NAME),
21781 -static struct ata_port_operations palmld_port_ops = {
21782 +static const struct ata_port_operations palmld_port_ops = {
21783 .inherits = &ata_sff_port_ops,
21784 .sff_data_xfer = ata_sff_data_xfer_noirq,
21785 .cable_detect = ata_cable_40wire,
21786 diff -urNp linux-2.6.38.1/drivers/ata/pata_pcmcia.c linux-2.6.38.1/drivers/ata/pata_pcmcia.c
21787 --- linux-2.6.38.1/drivers/ata/pata_pcmcia.c 2011-03-14 21:20:32.000000000 -0400
21788 +++ linux-2.6.38.1/drivers/ata/pata_pcmcia.c 2011-03-21 18:31:35.000000000 -0400
21789 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
21790 ATA_PIO_SHT(DRV_NAME),
21793 -static struct ata_port_operations pcmcia_port_ops = {
21794 +static const struct ata_port_operations pcmcia_port_ops = {
21795 .inherits = &ata_sff_port_ops,
21796 .sff_data_xfer = ata_sff_data_xfer_noirq,
21797 .cable_detect = ata_cable_40wire,
21798 .set_mode = pcmcia_set_mode,
21801 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21802 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21803 .inherits = &ata_sff_port_ops,
21804 .sff_data_xfer = ata_data_xfer_8bit,
21805 .cable_detect = ata_cable_40wire,
21806 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
21807 unsigned long io_base, ctl_base;
21808 void __iomem *io_addr, *ctl_addr;
21810 - struct ata_port_operations *ops = &pcmcia_port_ops;
21811 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21813 /* Set up attributes in order to probe card and get resources */
21814 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
21815 diff -urNp linux-2.6.38.1/drivers/ata/pata_pdc2027x.c linux-2.6.38.1/drivers/ata/pata_pdc2027x.c
21816 --- linux-2.6.38.1/drivers/ata/pata_pdc2027x.c 2011-03-14 21:20:32.000000000 -0400
21817 +++ linux-2.6.38.1/drivers/ata/pata_pdc2027x.c 2011-03-21 18:31:35.000000000 -0400
21818 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21819 ATA_BMDMA_SHT(DRV_NAME),
21822 -static struct ata_port_operations pdc2027x_pata100_ops = {
21823 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21824 .inherits = &ata_bmdma_port_ops,
21825 .check_atapi_dma = pdc2027x_check_atapi_dma,
21826 .cable_detect = pdc2027x_cable_detect,
21827 .prereset = pdc2027x_prereset,
21830 -static struct ata_port_operations pdc2027x_pata133_ops = {
21831 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21832 .inherits = &pdc2027x_pata100_ops,
21833 .mode_filter = pdc2027x_mode_filter,
21834 .set_piomode = pdc2027x_set_piomode,
21835 diff -urNp linux-2.6.38.1/drivers/ata/pata_pdc202xx_old.c linux-2.6.38.1/drivers/ata/pata_pdc202xx_old.c
21836 --- linux-2.6.38.1/drivers/ata/pata_pdc202xx_old.c 2011-03-14 21:20:32.000000000 -0400
21837 +++ linux-2.6.38.1/drivers/ata/pata_pdc202xx_old.c 2011-03-21 18:31:35.000000000 -0400
21838 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
21839 ATA_BMDMA_SHT(DRV_NAME),
21842 -static struct ata_port_operations pdc2024x_port_ops = {
21843 +static const struct ata_port_operations pdc2024x_port_ops = {
21844 .inherits = &ata_bmdma_port_ops,
21846 .cable_detect = ata_cable_40wire,
21847 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
21848 .sff_irq_check = pdc202xx_irq_check,
21851 -static struct ata_port_operations pdc2026x_port_ops = {
21852 +static const struct ata_port_operations pdc2026x_port_ops = {
21853 .inherits = &pdc2024x_port_ops,
21855 .check_atapi_dma = pdc2026x_check_atapi_dma,
21856 diff -urNp linux-2.6.38.1/drivers/ata/pata_piccolo.c linux-2.6.38.1/drivers/ata/pata_piccolo.c
21857 --- linux-2.6.38.1/drivers/ata/pata_piccolo.c 2011-03-14 21:20:32.000000000 -0400
21858 +++ linux-2.6.38.1/drivers/ata/pata_piccolo.c 2011-03-21 18:31:35.000000000 -0400
21859 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21860 ATA_BMDMA_SHT(DRV_NAME),
21863 -static struct ata_port_operations tosh_port_ops = {
21864 +static const struct ata_port_operations tosh_port_ops = {
21865 .inherits = &ata_bmdma_port_ops,
21866 .cable_detect = ata_cable_unknown,
21867 .set_piomode = tosh_set_piomode,
21868 diff -urNp linux-2.6.38.1/drivers/ata/pata_platform.c linux-2.6.38.1/drivers/ata/pata_platform.c
21869 --- linux-2.6.38.1/drivers/ata/pata_platform.c 2011-03-14 21:20:32.000000000 -0400
21870 +++ linux-2.6.38.1/drivers/ata/pata_platform.c 2011-03-21 18:31:35.000000000 -0400
21871 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21872 ATA_PIO_SHT(DRV_NAME),
21875 -static struct ata_port_operations pata_platform_port_ops = {
21876 +static const struct ata_port_operations pata_platform_port_ops = {
21877 .inherits = &ata_sff_port_ops,
21878 .sff_data_xfer = ata_sff_data_xfer_noirq,
21879 .cable_detect = ata_cable_unknown,
21880 diff -urNp linux-2.6.38.1/drivers/ata/pata_pxa.c linux-2.6.38.1/drivers/ata/pata_pxa.c
21881 --- linux-2.6.38.1/drivers/ata/pata_pxa.c 2011-03-14 21:20:32.000000000 -0400
21882 +++ linux-2.6.38.1/drivers/ata/pata_pxa.c 2011-03-21 18:31:35.000000000 -0400
21883 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
21884 ATA_BMDMA_SHT(DRV_NAME),
21887 -static struct ata_port_operations pxa_ata_port_ops = {
21888 +static const struct ata_port_operations pxa_ata_port_ops = {
21889 .inherits = &ata_bmdma_port_ops,
21890 .cable_detect = ata_cable_40wire,
21892 diff -urNp linux-2.6.38.1/drivers/ata/pata_qdi.c linux-2.6.38.1/drivers/ata/pata_qdi.c
21893 --- linux-2.6.38.1/drivers/ata/pata_qdi.c 2011-03-14 21:20:32.000000000 -0400
21894 +++ linux-2.6.38.1/drivers/ata/pata_qdi.c 2011-03-21 18:31:35.000000000 -0400
21895 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21896 ATA_PIO_SHT(DRV_NAME),
21899 -static struct ata_port_operations qdi6500_port_ops = {
21900 +static const struct ata_port_operations qdi6500_port_ops = {
21901 .inherits = &ata_sff_port_ops,
21902 .qc_issue = qdi_qc_issue,
21903 .sff_data_xfer = qdi_data_xfer,
21904 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21905 .set_piomode = qdi6500_set_piomode,
21908 -static struct ata_port_operations qdi6580_port_ops = {
21909 +static const struct ata_port_operations qdi6580_port_ops = {
21910 .inherits = &qdi6500_port_ops,
21911 .set_piomode = qdi6580_set_piomode,
21913 diff -urNp linux-2.6.38.1/drivers/ata/pata_radisys.c linux-2.6.38.1/drivers/ata/pata_radisys.c
21914 --- linux-2.6.38.1/drivers/ata/pata_radisys.c 2011-03-14 21:20:32.000000000 -0400
21915 +++ linux-2.6.38.1/drivers/ata/pata_radisys.c 2011-03-21 18:31:35.000000000 -0400
21916 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21917 ATA_BMDMA_SHT(DRV_NAME),
21920 -static struct ata_port_operations radisys_pata_ops = {
21921 +static const struct ata_port_operations radisys_pata_ops = {
21922 .inherits = &ata_bmdma_port_ops,
21923 .qc_issue = radisys_qc_issue,
21924 .cable_detect = ata_cable_unknown,
21925 diff -urNp linux-2.6.38.1/drivers/ata/pata_rb532_cf.c linux-2.6.38.1/drivers/ata/pata_rb532_cf.c
21926 --- linux-2.6.38.1/drivers/ata/pata_rb532_cf.c 2011-03-14 21:20:32.000000000 -0400
21927 +++ linux-2.6.38.1/drivers/ata/pata_rb532_cf.c 2011-03-21 18:31:35.000000000 -0400
21928 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21929 return IRQ_HANDLED;
21932 -static struct ata_port_operations rb532_pata_port_ops = {
21933 +static const struct ata_port_operations rb532_pata_port_ops = {
21934 .inherits = &ata_sff_port_ops,
21935 .sff_data_xfer = ata_sff_data_xfer32,
21937 diff -urNp linux-2.6.38.1/drivers/ata/pata_rdc.c linux-2.6.38.1/drivers/ata/pata_rdc.c
21938 --- linux-2.6.38.1/drivers/ata/pata_rdc.c 2011-03-14 21:20:32.000000000 -0400
21939 +++ linux-2.6.38.1/drivers/ata/pata_rdc.c 2011-03-21 18:31:35.000000000 -0400
21940 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21941 pci_write_config_byte(dev, 0x48, udma_enable);
21944 -static struct ata_port_operations rdc_pata_ops = {
21945 +static const struct ata_port_operations rdc_pata_ops = {
21946 .inherits = &ata_bmdma32_port_ops,
21947 .cable_detect = rdc_pata_cable_detect,
21948 .set_piomode = rdc_set_piomode,
21949 diff -urNp linux-2.6.38.1/drivers/ata/pata_rz1000.c linux-2.6.38.1/drivers/ata/pata_rz1000.c
21950 --- linux-2.6.38.1/drivers/ata/pata_rz1000.c 2011-03-14 21:20:32.000000000 -0400
21951 +++ linux-2.6.38.1/drivers/ata/pata_rz1000.c 2011-03-21 18:31:35.000000000 -0400
21952 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
21953 ATA_PIO_SHT(DRV_NAME),
21956 -static struct ata_port_operations rz1000_port_ops = {
21957 +static const struct ata_port_operations rz1000_port_ops = {
21958 .inherits = &ata_sff_port_ops,
21959 .cable_detect = ata_cable_40wire,
21960 .set_mode = rz1000_set_mode,
21961 diff -urNp linux-2.6.38.1/drivers/ata/pata_samsung_cf.c linux-2.6.38.1/drivers/ata/pata_samsung_cf.c
21962 --- linux-2.6.38.1/drivers/ata/pata_samsung_cf.c 2011-03-14 21:20:32.000000000 -0400
21963 +++ linux-2.6.38.1/drivers/ata/pata_samsung_cf.c 2011-03-21 18:31:35.000000000 -0400
21964 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
21965 ATA_PIO_SHT(DRV_NAME),
21968 -static struct ata_port_operations pata_s3c_port_ops = {
21969 +static const struct ata_port_operations pata_s3c_port_ops = {
21970 .inherits = &ata_sff_port_ops,
21971 .sff_check_status = pata_s3c_check_status,
21972 .sff_check_altstatus = pata_s3c_check_altstatus,
21973 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
21974 .set_piomode = pata_s3c_set_piomode,
21977 -static struct ata_port_operations pata_s5p_port_ops = {
21978 +static const struct ata_port_operations pata_s5p_port_ops = {
21979 .inherits = &ata_sff_port_ops,
21980 .set_piomode = pata_s3c_set_piomode,
21982 diff -urNp linux-2.6.38.1/drivers/ata/pata_sc1200.c linux-2.6.38.1/drivers/ata/pata_sc1200.c
21983 --- linux-2.6.38.1/drivers/ata/pata_sc1200.c 2011-03-14 21:20:32.000000000 -0400
21984 +++ linux-2.6.38.1/drivers/ata/pata_sc1200.c 2011-03-21 18:31:35.000000000 -0400
21985 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
21986 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21989 -static struct ata_port_operations sc1200_port_ops = {
21990 +static const struct ata_port_operations sc1200_port_ops = {
21991 .inherits = &ata_bmdma_port_ops,
21992 .qc_prep = ata_bmdma_dumb_qc_prep,
21993 .qc_issue = sc1200_qc_issue,
21994 diff -urNp linux-2.6.38.1/drivers/ata/pata_scc.c linux-2.6.38.1/drivers/ata/pata_scc.c
21995 --- linux-2.6.38.1/drivers/ata/pata_scc.c 2011-03-14 21:20:32.000000000 -0400
21996 +++ linux-2.6.38.1/drivers/ata/pata_scc.c 2011-03-21 18:31:35.000000000 -0400
21997 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
21998 ATA_BMDMA_SHT(DRV_NAME),
22001 -static struct ata_port_operations scc_pata_ops = {
22002 +static const struct ata_port_operations scc_pata_ops = {
22003 .inherits = &ata_bmdma_port_ops,
22005 .set_piomode = scc_set_piomode,
22006 diff -urNp linux-2.6.38.1/drivers/ata/pata_sch.c linux-2.6.38.1/drivers/ata/pata_sch.c
22007 --- linux-2.6.38.1/drivers/ata/pata_sch.c 2011-03-14 21:20:32.000000000 -0400
22008 +++ linux-2.6.38.1/drivers/ata/pata_sch.c 2011-03-21 18:31:35.000000000 -0400
22009 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22010 ATA_BMDMA_SHT(DRV_NAME),
22013 -static struct ata_port_operations sch_pata_ops = {
22014 +static const struct ata_port_operations sch_pata_ops = {
22015 .inherits = &ata_bmdma_port_ops,
22016 .cable_detect = ata_cable_unknown,
22017 .set_piomode = sch_set_piomode,
22018 diff -urNp linux-2.6.38.1/drivers/ata/pata_serverworks.c linux-2.6.38.1/drivers/ata/pata_serverworks.c
22019 --- linux-2.6.38.1/drivers/ata/pata_serverworks.c 2011-03-14 21:20:32.000000000 -0400
22020 +++ linux-2.6.38.1/drivers/ata/pata_serverworks.c 2011-03-21 18:31:35.000000000 -0400
22021 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22022 ATA_BMDMA_SHT(DRV_NAME),
22025 -static struct ata_port_operations serverworks_osb4_port_ops = {
22026 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22027 .inherits = &ata_bmdma_port_ops,
22028 .cable_detect = serverworks_cable_detect,
22029 .mode_filter = serverworks_osb4_filter,
22030 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22031 .set_dmamode = serverworks_set_dmamode,
22034 -static struct ata_port_operations serverworks_csb_port_ops = {
22035 +static const struct ata_port_operations serverworks_csb_port_ops = {
22036 .inherits = &serverworks_osb4_port_ops,
22037 .mode_filter = serverworks_csb_filter,
22039 diff -urNp linux-2.6.38.1/drivers/ata/pata_sil680.c linux-2.6.38.1/drivers/ata/pata_sil680.c
22040 --- linux-2.6.38.1/drivers/ata/pata_sil680.c 2011-03-14 21:20:32.000000000 -0400
22041 +++ linux-2.6.38.1/drivers/ata/pata_sil680.c 2011-03-21 18:31:35.000000000 -0400
22042 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
22043 ATA_BMDMA_SHT(DRV_NAME),
22047 -static struct ata_port_operations sil680_port_ops = {
22048 +static const struct ata_port_operations sil680_port_ops = {
22049 .inherits = &ata_bmdma32_port_ops,
22050 .sff_exec_command = sil680_sff_exec_command,
22051 .sff_irq_check = sil680_sff_irq_check,
22052 diff -urNp linux-2.6.38.1/drivers/ata/pata_sis.c linux-2.6.38.1/drivers/ata/pata_sis.c
22053 --- linux-2.6.38.1/drivers/ata/pata_sis.c 2011-03-14 21:20:32.000000000 -0400
22054 +++ linux-2.6.38.1/drivers/ata/pata_sis.c 2011-03-21 18:31:35.000000000 -0400
22055 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22056 ATA_BMDMA_SHT(DRV_NAME),
22059 -static struct ata_port_operations sis_133_for_sata_ops = {
22060 +static const struct ata_port_operations sis_133_for_sata_ops = {
22061 .inherits = &ata_bmdma_port_ops,
22062 .set_piomode = sis_133_set_piomode,
22063 .set_dmamode = sis_133_set_dmamode,
22064 .cable_detect = sis_133_cable_detect,
22067 -static struct ata_port_operations sis_base_ops = {
22068 +static const struct ata_port_operations sis_base_ops = {
22069 .inherits = &ata_bmdma_port_ops,
22070 .prereset = sis_pre_reset,
22073 -static struct ata_port_operations sis_133_ops = {
22074 +static const struct ata_port_operations sis_133_ops = {
22075 .inherits = &sis_base_ops,
22076 .set_piomode = sis_133_set_piomode,
22077 .set_dmamode = sis_133_set_dmamode,
22078 .cable_detect = sis_133_cable_detect,
22081 -static struct ata_port_operations sis_133_early_ops = {
22082 +static const struct ata_port_operations sis_133_early_ops = {
22083 .inherits = &sis_base_ops,
22084 .set_piomode = sis_100_set_piomode,
22085 .set_dmamode = sis_133_early_set_dmamode,
22086 .cable_detect = sis_66_cable_detect,
22089 -static struct ata_port_operations sis_100_ops = {
22090 +static const struct ata_port_operations sis_100_ops = {
22091 .inherits = &sis_base_ops,
22092 .set_piomode = sis_100_set_piomode,
22093 .set_dmamode = sis_100_set_dmamode,
22094 .cable_detect = sis_66_cable_detect,
22097 -static struct ata_port_operations sis_66_ops = {
22098 +static const struct ata_port_operations sis_66_ops = {
22099 .inherits = &sis_base_ops,
22100 .set_piomode = sis_old_set_piomode,
22101 .set_dmamode = sis_66_set_dmamode,
22102 .cable_detect = sis_66_cable_detect,
22105 -static struct ata_port_operations sis_old_ops = {
22106 +static const struct ata_port_operations sis_old_ops = {
22107 .inherits = &sis_base_ops,
22108 .set_piomode = sis_old_set_piomode,
22109 .set_dmamode = sis_old_set_dmamode,
22110 diff -urNp linux-2.6.38.1/drivers/ata/pata_sl82c105.c linux-2.6.38.1/drivers/ata/pata_sl82c105.c
22111 --- linux-2.6.38.1/drivers/ata/pata_sl82c105.c 2011-03-14 21:20:32.000000000 -0400
22112 +++ linux-2.6.38.1/drivers/ata/pata_sl82c105.c 2011-03-21 18:31:35.000000000 -0400
22113 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
22114 ATA_BMDMA_SHT(DRV_NAME),
22117 -static struct ata_port_operations sl82c105_port_ops = {
22118 +static const struct ata_port_operations sl82c105_port_ops = {
22119 .inherits = &ata_bmdma_port_ops,
22120 .qc_defer = sl82c105_qc_defer,
22121 .bmdma_start = sl82c105_bmdma_start,
22122 diff -urNp linux-2.6.38.1/drivers/ata/pata_triflex.c linux-2.6.38.1/drivers/ata/pata_triflex.c
22123 --- linux-2.6.38.1/drivers/ata/pata_triflex.c 2011-03-14 21:20:32.000000000 -0400
22124 +++ linux-2.6.38.1/drivers/ata/pata_triflex.c 2011-03-21 18:31:35.000000000 -0400
22125 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22126 ATA_BMDMA_SHT(DRV_NAME),
22129 -static struct ata_port_operations triflex_port_ops = {
22130 +static const struct ata_port_operations triflex_port_ops = {
22131 .inherits = &ata_bmdma_port_ops,
22132 .bmdma_start = triflex_bmdma_start,
22133 .bmdma_stop = triflex_bmdma_stop,
22134 diff -urNp linux-2.6.38.1/drivers/ata/pata_via.c linux-2.6.38.1/drivers/ata/pata_via.c
22135 --- linux-2.6.38.1/drivers/ata/pata_via.c 2011-03-14 21:20:32.000000000 -0400
22136 +++ linux-2.6.38.1/drivers/ata/pata_via.c 2011-03-21 18:31:35.000000000 -0400
22137 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22138 ATA_BMDMA_SHT(DRV_NAME),
22141 -static struct ata_port_operations via_port_ops = {
22142 +static const struct ata_port_operations via_port_ops = {
22143 .inherits = &ata_bmdma_port_ops,
22144 .cable_detect = via_cable_detect,
22145 .set_piomode = via_set_piomode,
22146 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22147 .mode_filter = via_mode_filter,
22150 -static struct ata_port_operations via_port_ops_noirq = {
22151 +static const struct ata_port_operations via_port_ops_noirq = {
22152 .inherits = &via_port_ops,
22153 .sff_data_xfer = ata_sff_data_xfer_noirq,
22155 diff -urNp linux-2.6.38.1/drivers/ata/pdc_adma.c linux-2.6.38.1/drivers/ata/pdc_adma.c
22156 --- linux-2.6.38.1/drivers/ata/pdc_adma.c 2011-03-14 21:20:32.000000000 -0400
22157 +++ linux-2.6.38.1/drivers/ata/pdc_adma.c 2011-03-21 18:31:35.000000000 -0400
22158 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22159 .dma_boundary = ADMA_DMA_BOUNDARY,
22162 -static struct ata_port_operations adma_ata_ops = {
22163 +static const struct ata_port_operations adma_ata_ops = {
22164 .inherits = &ata_sff_port_ops,
22166 .lost_interrupt = ATA_OP_NULL,
22167 diff -urNp linux-2.6.38.1/drivers/ata/sata_dwc_460ex.c linux-2.6.38.1/drivers/ata/sata_dwc_460ex.c
22168 --- linux-2.6.38.1/drivers/ata/sata_dwc_460ex.c 2011-03-14 21:20:32.000000000 -0400
22169 +++ linux-2.6.38.1/drivers/ata/sata_dwc_460ex.c 2011-03-21 18:31:35.000000000 -0400
22170 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
22171 .dma_boundary = ATA_DMA_BOUNDARY,
22174 -static struct ata_port_operations sata_dwc_ops = {
22175 +static const struct ata_port_operations sata_dwc_ops = {
22176 .inherits = &ata_sff_port_ops,
22178 .error_handler = sata_dwc_error_handler,
22179 diff -urNp linux-2.6.38.1/drivers/ata/sata_fsl.c linux-2.6.38.1/drivers/ata/sata_fsl.c
22180 --- linux-2.6.38.1/drivers/ata/sata_fsl.c 2011-03-14 21:20:32.000000000 -0400
22181 +++ linux-2.6.38.1/drivers/ata/sata_fsl.c 2011-03-21 18:31:35.000000000 -0400
22182 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
22183 .dma_boundary = ATA_DMA_BOUNDARY,
22186 -static struct ata_port_operations sata_fsl_ops = {
22187 +static const struct ata_port_operations sata_fsl_ops = {
22188 .inherits = &sata_pmp_port_ops,
22190 .qc_defer = ata_std_qc_defer,
22191 diff -urNp linux-2.6.38.1/drivers/ata/sata_inic162x.c linux-2.6.38.1/drivers/ata/sata_inic162x.c
22192 --- linux-2.6.38.1/drivers/ata/sata_inic162x.c 2011-03-14 21:20:32.000000000 -0400
22193 +++ linux-2.6.38.1/drivers/ata/sata_inic162x.c 2011-03-21 18:31:35.000000000 -0400
22194 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22198 -static struct ata_port_operations inic_port_ops = {
22199 +static const struct ata_port_operations inic_port_ops = {
22200 .inherits = &sata_port_ops,
22202 .check_atapi_dma = inic_check_atapi_dma,
22203 diff -urNp linux-2.6.38.1/drivers/ata/sata_mv.c linux-2.6.38.1/drivers/ata/sata_mv.c
22204 --- linux-2.6.38.1/drivers/ata/sata_mv.c 2011-03-14 21:20:32.000000000 -0400
22205 +++ linux-2.6.38.1/drivers/ata/sata_mv.c 2011-03-21 18:31:35.000000000 -0400
22206 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22207 .dma_boundary = MV_DMA_BOUNDARY,
22210 -static struct ata_port_operations mv5_ops = {
22211 +static const struct ata_port_operations mv5_ops = {
22212 .inherits = &ata_sff_port_ops,
22214 .lost_interrupt = ATA_OP_NULL,
22215 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22216 .port_stop = mv_port_stop,
22219 -static struct ata_port_operations mv6_ops = {
22220 +static const struct ata_port_operations mv6_ops = {
22221 .inherits = &ata_bmdma_port_ops,
22223 .lost_interrupt = ATA_OP_NULL,
22224 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22225 .port_stop = mv_port_stop,
22228 -static struct ata_port_operations mv_iie_ops = {
22229 +static const struct ata_port_operations mv_iie_ops = {
22230 .inherits = &mv6_ops,
22231 .dev_config = ATA_OP_NULL,
22232 .qc_prep = mv_qc_prep_iie,
22233 diff -urNp linux-2.6.38.1/drivers/ata/sata_nv.c linux-2.6.38.1/drivers/ata/sata_nv.c
22234 --- linux-2.6.38.1/drivers/ata/sata_nv.c 2011-03-14 21:20:32.000000000 -0400
22235 +++ linux-2.6.38.1/drivers/ata/sata_nv.c 2011-03-21 18:31:35.000000000 -0400
22236 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22237 * cases. Define nv_hardreset() which only kicks in for post-boot
22238 * probing and use it for all variants.
22240 -static struct ata_port_operations nv_generic_ops = {
22241 +static const struct ata_port_operations nv_generic_ops = {
22242 .inherits = &ata_bmdma_port_ops,
22243 .lost_interrupt = ATA_OP_NULL,
22244 .scr_read = nv_scr_read,
22245 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22246 .hardreset = nv_hardreset,
22249 -static struct ata_port_operations nv_nf2_ops = {
22250 +static const struct ata_port_operations nv_nf2_ops = {
22251 .inherits = &nv_generic_ops,
22252 .freeze = nv_nf2_freeze,
22253 .thaw = nv_nf2_thaw,
22256 -static struct ata_port_operations nv_ck804_ops = {
22257 +static const struct ata_port_operations nv_ck804_ops = {
22258 .inherits = &nv_generic_ops,
22259 .freeze = nv_ck804_freeze,
22260 .thaw = nv_ck804_thaw,
22261 .host_stop = nv_ck804_host_stop,
22264 -static struct ata_port_operations nv_adma_ops = {
22265 +static const struct ata_port_operations nv_adma_ops = {
22266 .inherits = &nv_ck804_ops,
22268 .check_atapi_dma = nv_adma_check_atapi_dma,
22269 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22270 .host_stop = nv_adma_host_stop,
22273 -static struct ata_port_operations nv_swncq_ops = {
22274 +static const struct ata_port_operations nv_swncq_ops = {
22275 .inherits = &nv_generic_ops,
22277 .qc_defer = ata_std_qc_defer,
22278 diff -urNp linux-2.6.38.1/drivers/ata/sata_promise.c linux-2.6.38.1/drivers/ata/sata_promise.c
22279 --- linux-2.6.38.1/drivers/ata/sata_promise.c 2011-03-14 21:20:32.000000000 -0400
22280 +++ linux-2.6.38.1/drivers/ata/sata_promise.c 2011-03-21 18:31:35.000000000 -0400
22281 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22282 .error_handler = pdc_error_handler,
22285 -static struct ata_port_operations pdc_sata_ops = {
22286 +static const struct ata_port_operations pdc_sata_ops = {
22287 .inherits = &pdc_common_ops,
22288 .cable_detect = pdc_sata_cable_detect,
22289 .freeze = pdc_sata_freeze,
22290 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22292 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22293 and ->freeze/thaw that ignore the hotplug controls. */
22294 -static struct ata_port_operations pdc_old_sata_ops = {
22295 +static const struct ata_port_operations pdc_old_sata_ops = {
22296 .inherits = &pdc_sata_ops,
22297 .freeze = pdc_freeze,
22299 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22302 -static struct ata_port_operations pdc_pata_ops = {
22303 +static const struct ata_port_operations pdc_pata_ops = {
22304 .inherits = &pdc_common_ops,
22305 .cable_detect = pdc_pata_cable_detect,
22306 .freeze = pdc_freeze,
22307 diff -urNp linux-2.6.38.1/drivers/ata/sata_qstor.c linux-2.6.38.1/drivers/ata/sata_qstor.c
22308 --- linux-2.6.38.1/drivers/ata/sata_qstor.c 2011-03-14 21:20:32.000000000 -0400
22309 +++ linux-2.6.38.1/drivers/ata/sata_qstor.c 2011-03-21 18:31:35.000000000 -0400
22310 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22311 .dma_boundary = QS_DMA_BOUNDARY,
22314 -static struct ata_port_operations qs_ata_ops = {
22315 +static const struct ata_port_operations qs_ata_ops = {
22316 .inherits = &ata_sff_port_ops,
22318 .check_atapi_dma = qs_check_atapi_dma,
22319 diff -urNp linux-2.6.38.1/drivers/ata/sata_sil24.c linux-2.6.38.1/drivers/ata/sata_sil24.c
22320 --- linux-2.6.38.1/drivers/ata/sata_sil24.c 2011-03-14 21:20:32.000000000 -0400
22321 +++ linux-2.6.38.1/drivers/ata/sata_sil24.c 2011-03-21 18:31:35.000000000 -0400
22322 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22323 .dma_boundary = ATA_DMA_BOUNDARY,
22326 -static struct ata_port_operations sil24_ops = {
22327 +static const struct ata_port_operations sil24_ops = {
22328 .inherits = &sata_pmp_port_ops,
22330 .qc_defer = sil24_qc_defer,
22331 diff -urNp linux-2.6.38.1/drivers/ata/sata_sil.c linux-2.6.38.1/drivers/ata/sata_sil.c
22332 --- linux-2.6.38.1/drivers/ata/sata_sil.c 2011-03-14 21:20:32.000000000 -0400
22333 +++ linux-2.6.38.1/drivers/ata/sata_sil.c 2011-03-21 18:31:35.000000000 -0400
22334 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22335 .sg_tablesize = ATA_MAX_PRD
22338 -static struct ata_port_operations sil_ops = {
22339 +static const struct ata_port_operations sil_ops = {
22340 .inherits = &ata_bmdma32_port_ops,
22341 .dev_config = sil_dev_config,
22342 .set_mode = sil_set_mode,
22343 diff -urNp linux-2.6.38.1/drivers/ata/sata_sis.c linux-2.6.38.1/drivers/ata/sata_sis.c
22344 --- linux-2.6.38.1/drivers/ata/sata_sis.c 2011-03-14 21:20:32.000000000 -0400
22345 +++ linux-2.6.38.1/drivers/ata/sata_sis.c 2011-03-21 18:31:35.000000000 -0400
22346 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22347 ATA_BMDMA_SHT(DRV_NAME),
22350 -static struct ata_port_operations sis_ops = {
22351 +static const struct ata_port_operations sis_ops = {
22352 .inherits = &ata_bmdma_port_ops,
22353 .scr_read = sis_scr_read,
22354 .scr_write = sis_scr_write,
22355 diff -urNp linux-2.6.38.1/drivers/ata/sata_svw.c linux-2.6.38.1/drivers/ata/sata_svw.c
22356 --- linux-2.6.38.1/drivers/ata/sata_svw.c 2011-03-14 21:20:32.000000000 -0400
22357 +++ linux-2.6.38.1/drivers/ata/sata_svw.c 2011-03-21 18:31:35.000000000 -0400
22358 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22362 -static struct ata_port_operations k2_sata_ops = {
22363 +static const struct ata_port_operations k2_sata_ops = {
22364 .inherits = &ata_bmdma_port_ops,
22365 .sff_tf_load = k2_sata_tf_load,
22366 .sff_tf_read = k2_sata_tf_read,
22367 diff -urNp linux-2.6.38.1/drivers/ata/sata_sx4.c linux-2.6.38.1/drivers/ata/sata_sx4.c
22368 --- linux-2.6.38.1/drivers/ata/sata_sx4.c 2011-03-14 21:20:32.000000000 -0400
22369 +++ linux-2.6.38.1/drivers/ata/sata_sx4.c 2011-03-21 18:31:35.000000000 -0400
22370 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22373 /* TODO: inherit from base port_ops after converting to new EH */
22374 -static struct ata_port_operations pdc_20621_ops = {
22375 +static const struct ata_port_operations pdc_20621_ops = {
22376 .inherits = &ata_sff_port_ops,
22378 .check_atapi_dma = pdc_check_atapi_dma,
22379 diff -urNp linux-2.6.38.1/drivers/ata/sata_uli.c linux-2.6.38.1/drivers/ata/sata_uli.c
22380 --- linux-2.6.38.1/drivers/ata/sata_uli.c 2011-03-14 21:20:32.000000000 -0400
22381 +++ linux-2.6.38.1/drivers/ata/sata_uli.c 2011-03-21 18:31:35.000000000 -0400
22382 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22383 ATA_BMDMA_SHT(DRV_NAME),
22386 -static struct ata_port_operations uli_ops = {
22387 +static const struct ata_port_operations uli_ops = {
22388 .inherits = &ata_bmdma_port_ops,
22389 .scr_read = uli_scr_read,
22390 .scr_write = uli_scr_write,
22391 diff -urNp linux-2.6.38.1/drivers/ata/sata_via.c linux-2.6.38.1/drivers/ata/sata_via.c
22392 --- linux-2.6.38.1/drivers/ata/sata_via.c 2011-03-14 21:20:32.000000000 -0400
22393 +++ linux-2.6.38.1/drivers/ata/sata_via.c 2011-03-21 18:31:35.000000000 -0400
22394 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22395 ATA_BMDMA_SHT(DRV_NAME),
22398 -static struct ata_port_operations svia_base_ops = {
22399 +static const struct ata_port_operations svia_base_ops = {
22400 .inherits = &ata_bmdma_port_ops,
22401 .sff_tf_load = svia_tf_load,
22404 -static struct ata_port_operations vt6420_sata_ops = {
22405 +static const struct ata_port_operations vt6420_sata_ops = {
22406 .inherits = &svia_base_ops,
22407 .freeze = svia_noop_freeze,
22408 .prereset = vt6420_prereset,
22409 .bmdma_start = vt6420_bmdma_start,
22412 -static struct ata_port_operations vt6421_pata_ops = {
22413 +static const struct ata_port_operations vt6421_pata_ops = {
22414 .inherits = &svia_base_ops,
22415 .cable_detect = vt6421_pata_cable_detect,
22416 .set_piomode = vt6421_set_pio_mode,
22417 .set_dmamode = vt6421_set_dma_mode,
22420 -static struct ata_port_operations vt6421_sata_ops = {
22421 +static const struct ata_port_operations vt6421_sata_ops = {
22422 .inherits = &svia_base_ops,
22423 .scr_read = svia_scr_read,
22424 .scr_write = svia_scr_write,
22427 -static struct ata_port_operations vt8251_ops = {
22428 +static const struct ata_port_operations vt8251_ops = {
22429 .inherits = &svia_base_ops,
22430 .hardreset = sata_std_hardreset,
22431 .scr_read = vt8251_scr_read,
22432 diff -urNp linux-2.6.38.1/drivers/ata/sata_vsc.c linux-2.6.38.1/drivers/ata/sata_vsc.c
22433 --- linux-2.6.38.1/drivers/ata/sata_vsc.c 2011-03-14 21:20:32.000000000 -0400
22434 +++ linux-2.6.38.1/drivers/ata/sata_vsc.c 2011-03-21 18:31:35.000000000 -0400
22435 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22439 -static struct ata_port_operations vsc_sata_ops = {
22440 +static const struct ata_port_operations vsc_sata_ops = {
22441 .inherits = &ata_bmdma_port_ops,
22442 /* The IRQ handling is not quite standard SFF behaviour so we
22443 cannot use the default lost interrupt handler */
22444 diff -urNp linux-2.6.38.1/drivers/atm/adummy.c linux-2.6.38.1/drivers/atm/adummy.c
22445 --- linux-2.6.38.1/drivers/atm/adummy.c 2011-03-14 21:20:32.000000000 -0400
22446 +++ linux-2.6.38.1/drivers/atm/adummy.c 2011-03-21 18:31:35.000000000 -0400
22447 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
22448 vcc->pop(vcc, skb);
22450 dev_kfree_skb_any(skb);
22451 - atomic_inc(&vcc->stats->tx);
22452 + atomic_inc_unchecked(&vcc->stats->tx);
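Review bot: `atomic_inc_unchecked(&vcc->stats->tx)` only compiles if the counter fields of the VCC stats structure are retyped to the unchecked atomic type in the same patch; that header change is not in this chunk and should be verified together with every reader of these counters (the procfs and `ATM_GETSTATS` paths), which must switch to the matching unchecked read. The same applies to every `tx`/`rx`/`tx_err`/`rx_err`/`rx_drop` increment in the ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c, he.c, horizon.c, idt77252.c and iphase.c hunks below, including the two `atomic_add_unchecked()` calls in idt77252.c. Opting wrap-around statistics out of overflow checking is reasonable, but a comment at this first site, `/* stats counters may legitimately wrap; they are not refcounts, so overflow checking is opted out */`, would record why these differ from the still-checked `atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc)` left in idt77252_send_oam. The enclosing `adummy_send` body continues outside the hunk.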
22456 diff -urNp linux-2.6.38.1/drivers/atm/ambassador.c linux-2.6.38.1/drivers/atm/ambassador.c
22457 --- linux-2.6.38.1/drivers/atm/ambassador.c 2011-03-14 21:20:32.000000000 -0400
22458 +++ linux-2.6.38.1/drivers/atm/ambassador.c 2011-03-21 18:31:35.000000000 -0400
22459 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22460 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22463 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22464 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22466 // free the descriptor
22468 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22469 dump_skb ("<<<", vc, skb);
22472 - atomic_inc(&atm_vcc->stats->rx);
22473 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22474 __net_timestamp(skb);
22475 // end of our responsability
22476 atm_vcc->push (atm_vcc, skb);
22477 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22479 PRINTK (KERN_INFO, "dropped over-size frame");
22480 // should we count this?
22481 - atomic_inc(&atm_vcc->stats->rx_drop);
22482 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22486 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22489 if (check_area (skb->data, skb->len)) {
22490 - atomic_inc(&atm_vcc->stats->tx_err);
22491 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22492 return -ENOMEM; // ?
22495 diff -urNp linux-2.6.38.1/drivers/atm/atmtcp.c linux-2.6.38.1/drivers/atm/atmtcp.c
22496 --- linux-2.6.38.1/drivers/atm/atmtcp.c 2011-03-14 21:20:32.000000000 -0400
22497 +++ linux-2.6.38.1/drivers/atm/atmtcp.c 2011-03-21 18:31:35.000000000 -0400
22498 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22499 if (vcc->pop) vcc->pop(vcc,skb);
22500 else dev_kfree_skb(skb);
22501 if (dev_data) return 0;
22502 - atomic_inc(&vcc->stats->tx_err);
22503 + atomic_inc_unchecked(&vcc->stats->tx_err);
22506 size = skb->len+sizeof(struct atmtcp_hdr);
22507 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22509 if (vcc->pop) vcc->pop(vcc,skb);
22510 else dev_kfree_skb(skb);
22511 - atomic_inc(&vcc->stats->tx_err);
22512 + atomic_inc_unchecked(&vcc->stats->tx_err);
22515 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22516 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22517 if (vcc->pop) vcc->pop(vcc,skb);
22518 else dev_kfree_skb(skb);
22519 out_vcc->push(out_vcc,new_skb);
22520 - atomic_inc(&vcc->stats->tx);
22521 - atomic_inc(&out_vcc->stats->rx);
22522 + atomic_inc_unchecked(&vcc->stats->tx);
22523 + atomic_inc_unchecked(&out_vcc->stats->rx);
22527 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22528 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22529 read_unlock(&vcc_sklist_lock);
22531 - atomic_inc(&vcc->stats->tx_err);
22532 + atomic_inc_unchecked(&vcc->stats->tx_err);
22535 skb_pull(skb,sizeof(struct atmtcp_hdr));
22536 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22537 __net_timestamp(new_skb);
22538 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22539 out_vcc->push(out_vcc,new_skb);
22540 - atomic_inc(&vcc->stats->tx);
22541 - atomic_inc(&out_vcc->stats->rx);
22542 + atomic_inc_unchecked(&vcc->stats->tx);
22543 + atomic_inc_unchecked(&out_vcc->stats->rx);
22545 if (vcc->pop) vcc->pop(vcc,skb);
22546 else dev_kfree_skb(skb);
22547 diff -urNp linux-2.6.38.1/drivers/atm/eni.c linux-2.6.38.1/drivers/atm/eni.c
22548 --- linux-2.6.38.1/drivers/atm/eni.c 2011-03-14 21:20:32.000000000 -0400
22549 +++ linux-2.6.38.1/drivers/atm/eni.c 2011-03-21 18:31:35.000000000 -0400
22550 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22551 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22554 - atomic_inc(&vcc->stats->rx_err);
22555 + atomic_inc_unchecked(&vcc->stats->rx_err);
22558 length = ATM_CELL_SIZE-1; /* no HEC */
22559 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22563 - atomic_inc(&vcc->stats->rx_err);
22564 + atomic_inc_unchecked(&vcc->stats->rx_err);
22567 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22568 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22569 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22570 vcc->dev->number,vcc->vci,length,size << 2,descr);
22572 - atomic_inc(&vcc->stats->rx_err);
22573 + atomic_inc_unchecked(&vcc->stats->rx_err);
22576 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22577 @@ -771,7 +771,7 @@ rx_dequeued++;
22578 vcc->push(vcc,skb);
22581 - atomic_inc(&vcc->stats->rx);
22582 + atomic_inc_unchecked(&vcc->stats->rx);
22584 wake_up(&eni_dev->rx_wait);
22586 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22588 if (vcc->pop) vcc->pop(vcc,skb);
22589 else dev_kfree_skb_irq(skb);
22590 - atomic_inc(&vcc->stats->tx);
22591 + atomic_inc_unchecked(&vcc->stats->tx);
22592 wake_up(&eni_dev->tx_wait);
22595 diff -urNp linux-2.6.38.1/drivers/atm/firestream.c linux-2.6.38.1/drivers/atm/firestream.c
22596 --- linux-2.6.38.1/drivers/atm/firestream.c 2011-03-14 21:20:32.000000000 -0400
22597 +++ linux-2.6.38.1/drivers/atm/firestream.c 2011-03-21 18:31:35.000000000 -0400
22598 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22602 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22603 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22605 fs_dprintk (FS_DEBUG_TXMEM, "i");
22606 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22607 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22609 skb_put (skb, qe->p1 & 0xffff);
22610 ATM_SKB(skb)->vcc = atm_vcc;
22611 - atomic_inc(&atm_vcc->stats->rx);
22612 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22613 __net_timestamp(skb);
22614 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22615 atm_vcc->push (atm_vcc, skb);
22616 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22620 - atomic_inc(&atm_vcc->stats->rx_drop);
22621 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22623 case 0x1f: /* Reassembly abort: no buffers. */
22624 /* Silently increment error counter. */
22626 - atomic_inc(&atm_vcc->stats->rx_drop);
22627 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22629 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22630 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
22631 diff -urNp linux-2.6.38.1/drivers/atm/fore200e.c linux-2.6.38.1/drivers/atm/fore200e.c
22632 --- linux-2.6.38.1/drivers/atm/fore200e.c 2011-03-14 21:20:32.000000000 -0400
22633 +++ linux-2.6.38.1/drivers/atm/fore200e.c 2011-03-21 18:31:35.000000000 -0400
22634 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22636 /* check error condition */
22637 if (*entry->status & STATUS_ERROR)
22638 - atomic_inc(&vcc->stats->tx_err);
22639 + atomic_inc_unchecked(&vcc->stats->tx_err);
22641 - atomic_inc(&vcc->stats->tx);
22642 + atomic_inc_unchecked(&vcc->stats->tx);
22646 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22648 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22650 - atomic_inc(&vcc->stats->rx_drop);
22651 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22655 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22657 dev_kfree_skb_any(skb);
22659 - atomic_inc(&vcc->stats->rx_drop);
22660 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22664 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22666 vcc->push(vcc, skb);
22667 - atomic_inc(&vcc->stats->rx);
22668 + atomic_inc_unchecked(&vcc->stats->rx);
22670 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22672 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22673 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22674 fore200e->atm_dev->number,
22675 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22676 - atomic_inc(&vcc->stats->rx_err);
22677 + atomic_inc_unchecked(&vcc->stats->rx_err);
22681 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22685 - atomic_inc(&vcc->stats->tx_err);
22686 + atomic_inc_unchecked(&vcc->stats->tx_err);
22688 fore200e->tx_sat++;
22689 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22690 diff -urNp linux-2.6.38.1/drivers/atm/he.c linux-2.6.38.1/drivers/atm/he.c
22691 --- linux-2.6.38.1/drivers/atm/he.c 2011-03-14 21:20:32.000000000 -0400
22692 +++ linux-2.6.38.1/drivers/atm/he.c 2011-03-21 18:31:35.000000000 -0400
22693 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22695 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22696 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22697 - atomic_inc(&vcc->stats->rx_drop);
22698 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22699 goto return_host_buffers;
22702 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22703 RBRQ_LEN_ERR(he_dev->rbrq_head)
22705 vcc->vpi, vcc->vci);
22706 - atomic_inc(&vcc->stats->rx_err);
22707 + atomic_inc_unchecked(&vcc->stats->rx_err);
22708 goto return_host_buffers;
22711 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22712 vcc->push(vcc, skb);
22713 spin_lock(&he_dev->global_lock);
22715 - atomic_inc(&vcc->stats->rx);
22716 + atomic_inc_unchecked(&vcc->stats->rx);
22718 return_host_buffers:
22720 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22721 tpd->vcc->pop(tpd->vcc, tpd->skb);
22723 dev_kfree_skb_any(tpd->skb);
22724 - atomic_inc(&tpd->vcc->stats->tx_err);
22725 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22727 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22729 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22730 vcc->pop(vcc, skb);
22732 dev_kfree_skb_any(skb);
22733 - atomic_inc(&vcc->stats->tx_err);
22734 + atomic_inc_unchecked(&vcc->stats->tx_err);
22738 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22739 vcc->pop(vcc, skb);
22741 dev_kfree_skb_any(skb);
22742 - atomic_inc(&vcc->stats->tx_err);
22743 + atomic_inc_unchecked(&vcc->stats->tx_err);
22747 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22748 vcc->pop(vcc, skb);
22750 dev_kfree_skb_any(skb);
22751 - atomic_inc(&vcc->stats->tx_err);
22752 + atomic_inc_unchecked(&vcc->stats->tx_err);
22753 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22756 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22757 vcc->pop(vcc, skb);
22759 dev_kfree_skb_any(skb);
22760 - atomic_inc(&vcc->stats->tx_err);
22761 + atomic_inc_unchecked(&vcc->stats->tx_err);
22762 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22765 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22766 __enqueue_tpd(he_dev, tpd, cid);
22767 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22769 - atomic_inc(&vcc->stats->tx);
22770 + atomic_inc_unchecked(&vcc->stats->tx);
22774 diff -urNp linux-2.6.38.1/drivers/atm/horizon.c linux-2.6.38.1/drivers/atm/horizon.c
22775 --- linux-2.6.38.1/drivers/atm/horizon.c 2011-03-14 21:20:32.000000000 -0400
22776 +++ linux-2.6.38.1/drivers/atm/horizon.c 2011-03-21 18:31:35.000000000 -0400
22777 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22779 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22781 - atomic_inc(&vcc->stats->rx);
22782 + atomic_inc_unchecked(&vcc->stats->rx);
22783 __net_timestamp(skb);
22784 // end of our responsability
22785 vcc->push (vcc, skb);
22786 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22787 dev->tx_iovec = NULL;
22790 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22791 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22794 hrz_kfree_skb (skb);
22795 diff -urNp linux-2.6.38.1/drivers/atm/idt77252.c linux-2.6.38.1/drivers/atm/idt77252.c
22796 --- linux-2.6.38.1/drivers/atm/idt77252.c 2011-03-14 21:20:32.000000000 -0400
22797 +++ linux-2.6.38.1/drivers/atm/idt77252.c 2011-03-21 18:31:35.000000000 -0400
22798 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22800 dev_kfree_skb(skb);
22802 - atomic_inc(&vcc->stats->tx);
22803 + atomic_inc_unchecked(&vcc->stats->tx);
22806 atomic_dec(&scq->used);
22807 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22808 if ((sb = dev_alloc_skb(64)) == NULL) {
22809 printk("%s: Can't allocate buffers for aal0.\n",
22811 - atomic_add(i, &vcc->stats->rx_drop);
22812 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22815 if (!atm_charge(vcc, sb->truesize)) {
22816 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22818 - atomic_add(i - 1, &vcc->stats->rx_drop);
22819 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22823 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22824 ATM_SKB(sb)->vcc = vcc;
22825 __net_timestamp(sb);
22826 vcc->push(vcc, sb);
22827 - atomic_inc(&vcc->stats->rx);
22828 + atomic_inc_unchecked(&vcc->stats->rx);
22830 cell += ATM_CELL_PAYLOAD;
22832 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22834 card->name, len, rpp->len, readl(SAR_REG_CDC));
22835 recycle_rx_pool_skb(card, rpp);
22836 - atomic_inc(&vcc->stats->rx_err);
22837 + atomic_inc_unchecked(&vcc->stats->rx_err);
22840 if (stat & SAR_RSQE_CRC) {
22841 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22842 recycle_rx_pool_skb(card, rpp);
22843 - atomic_inc(&vcc->stats->rx_err);
22844 + atomic_inc_unchecked(&vcc->stats->rx_err);
22847 if (skb_queue_len(&rpp->queue) > 1) {
22848 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22849 RXPRINTK("%s: Can't alloc RX skb.\n",
22851 recycle_rx_pool_skb(card, rpp);
22852 - atomic_inc(&vcc->stats->rx_err);
22853 + atomic_inc_unchecked(&vcc->stats->rx_err);
22856 if (!atm_charge(vcc, skb->truesize)) {
22857 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22858 __net_timestamp(skb);
22860 vcc->push(vcc, skb);
22861 - atomic_inc(&vcc->stats->rx);
22862 + atomic_inc_unchecked(&vcc->stats->rx);
22866 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22867 __net_timestamp(skb);
22869 vcc->push(vcc, skb);
22870 - atomic_inc(&vcc->stats->rx);
22871 + atomic_inc_unchecked(&vcc->stats->rx);
22873 if (skb->truesize > SAR_FB_SIZE_3)
22874 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22875 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22876 if (vcc->qos.aal != ATM_AAL0) {
22877 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22878 card->name, vpi, vci);
22879 - atomic_inc(&vcc->stats->rx_drop);
22880 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22884 if ((sb = dev_alloc_skb(64)) == NULL) {
22885 printk("%s: Can't allocate buffers for AAL0.\n",
22887 - atomic_inc(&vcc->stats->rx_err);
22888 + atomic_inc_unchecked(&vcc->stats->rx_err);
22892 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22893 ATM_SKB(sb)->vcc = vcc;
22894 __net_timestamp(sb);
22895 vcc->push(vcc, sb);
22896 - atomic_inc(&vcc->stats->rx);
22897 + atomic_inc_unchecked(&vcc->stats->rx);
22900 skb_pull(queue, 64);
22901 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22904 printk("%s: NULL connection in send().\n", card->name);
22905 - atomic_inc(&vcc->stats->tx_err);
22906 + atomic_inc_unchecked(&vcc->stats->tx_err);
22907 dev_kfree_skb(skb);
22910 if (!test_bit(VCF_TX, &vc->flags)) {
22911 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22912 - atomic_inc(&vcc->stats->tx_err);
22913 + atomic_inc_unchecked(&vcc->stats->tx_err);
22914 dev_kfree_skb(skb);
22917 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22920 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22921 - atomic_inc(&vcc->stats->tx_err);
22922 + atomic_inc_unchecked(&vcc->stats->tx_err);
22923 dev_kfree_skb(skb);
22927 if (skb_shinfo(skb)->nr_frags != 0) {
22928 printk("%s: No scatter-gather yet.\n", card->name);
22929 - atomic_inc(&vcc->stats->tx_err);
22930 + atomic_inc_unchecked(&vcc->stats->tx_err);
22931 dev_kfree_skb(skb);
22934 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22936 err = queue_skb(card, vc, skb, oam);
22938 - atomic_inc(&vcc->stats->tx_err);
22939 + atomic_inc_unchecked(&vcc->stats->tx_err);
22940 dev_kfree_skb(skb);
22943 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22944 skb = dev_alloc_skb(64);
22946 printk("%s: Out of memory in send_oam().\n", card->name);
22947 - atomic_inc(&vcc->stats->tx_err);
22948 + atomic_inc_unchecked(&vcc->stats->tx_err);
22951 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22952 diff -urNp linux-2.6.38.1/drivers/atm/iphase.c linux-2.6.38.1/drivers/atm/iphase.c
22953 --- linux-2.6.38.1/drivers/atm/iphase.c 2011-03-14 21:20:32.000000000 -0400
22954 +++ linux-2.6.38.1/drivers/atm/iphase.c 2011-03-21 18:31:35.000000000 -0400
22955 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
22956 status = (u_short) (buf_desc_ptr->desc_mode);
22957 if (status & (RX_CER | RX_PTE | RX_OFL))
22959 - atomic_inc(&vcc->stats->rx_err);
22960 + atomic_inc_unchecked(&vcc->stats->rx_err);
22961 IF_ERR(printk("IA: bad packet, dropping it");)
22962 if (status & RX_CER) {
22963 IF_ERR(printk(" cause: packet CRC error\n");)
22964 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
22965 len = dma_addr - buf_addr;
22966 if (len > iadev->rx_buf_sz) {
22967 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
22968 - atomic_inc(&vcc->stats->rx_err);
22969 + atomic_inc_unchecked(&vcc->stats->rx_err);
22970 goto out_free_desc;
22973 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
22974 ia_vcc = INPH_IA_VCC(vcc);
22975 if (ia_vcc == NULL)
22977 - atomic_inc(&vcc->stats->rx_err);
22978 + atomic_inc_unchecked(&vcc->stats->rx_err);
22979 dev_kfree_skb_any(skb);
22980 atm_return(vcc, atm_guess_pdu2truesize(len));
22982 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
22983 if ((length > iadev->rx_buf_sz) || (length >
22984 (skb->len - sizeof(struct cpcs_trailer))))
22986 - atomic_inc(&vcc->stats->rx_err);
22987 + atomic_inc_unchecked(&vcc->stats->rx_err);
22988 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
22989 length, skb->len);)
22990 dev_kfree_skb_any(skb);
22991 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
22993 IF_RX(printk("rx_dle_intr: skb push");)
22994 vcc->push(vcc,skb);
22995 - atomic_inc(&vcc->stats->rx);
22996 + atomic_inc_unchecked(&vcc->stats->rx);
22997 iadev->rx_pkt_cnt++;
23000 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23002 struct k_sonet_stats *stats;
23003 stats = &PRIV(_ia_dev[board])->sonet_stats;
23004 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23005 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23006 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23007 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23008 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23009 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23010 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23011 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23012 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23013 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23014 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23015 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23016 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23017 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23018 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23019 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23020 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23021 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23023 ia_cmds.status = 0;
23025 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23026 if ((desc == 0) || (desc > iadev->num_tx_desc))
23028 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23029 - atomic_inc(&vcc->stats->tx);
23030 + atomic_inc_unchecked(&vcc->stats->tx);
23032 vcc->pop(vcc, skb);
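Review bot: The invalid-descriptor drop path at 23030 still increments `vcc->stats->tx`, so a packet that is never handed to the hardware is counted as transmitted; the rewrite preserves that accounting rather than moving it to the error counter. If the intent is to report the drop, `atomic_inc_unchecked(&vcc->stats->tx_err);` is the counter the other failure paths of this driver use. ia_pkt_tx's body continues outside the hunk, so whether anything downstream relies on `tx` being bumped here cannot be confirmed from the page.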
23034 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23035 ATM_DESC(skb) = vcc->vci;
23036 skb_queue_tail(&iadev->tx_dma_q, skb);
23038 - atomic_inc(&vcc->stats->tx);
23039 + atomic_inc_unchecked(&vcc->stats->tx);
23040 iadev->tx_pkt_cnt++;
23041 /* Increment transaction counter */
23042 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23045 /* add flow control logic */
23046 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23047 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23048 if (iavcc->vc_desc_cnt > 10) {
23049 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23050 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23051 diff -urNp linux-2.6.38.1/drivers/atm/lanai.c linux-2.6.38.1/drivers/atm/lanai.c
23052 --- linux-2.6.38.1/drivers/atm/lanai.c 2011-03-14 21:20:32.000000000 -0400
23053 +++ linux-2.6.38.1/drivers/atm/lanai.c 2011-03-21 18:31:35.000000000 -0400
23054 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23055 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23056 lanai_endtx(lanai, lvcc);
23057 lanai_free_skb(lvcc->tx.atmvcc, skb);
23058 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23059 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23062 /* Try to fill the buffer - don't call unless there is backlog */
23063 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23064 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23065 __net_timestamp(skb);
23066 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23067 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23068 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23070 lvcc->rx.buf.ptr = end;
23071 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23072 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23073 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23074 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23075 lanai->stats.service_rxnotaal5++;
23076 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23077 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23080 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23081 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23083 read_unlock(&vcc_sklist_lock);
23084 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23085 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23086 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23087 lvcc->stats.x.aal5.service_trash++;
23088 bytes = (SERVICE_GET_END(s) * 16) -
23089 (((unsigned long) lvcc->rx.buf.ptr) -
23090 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23092 if (s & SERVICE_STREAM) {
23093 read_unlock(&vcc_sklist_lock);
23094 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23095 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23096 lvcc->stats.x.aal5.service_stream++;
23097 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23098 "PDU on VCI %d!\n", lanai->number, vci);
23099 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23102 DPRINTK("got rx crc error on vci %d\n", vci);
23103 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23104 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23105 lvcc->stats.x.aal5.service_rxcrc++;
23106 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23107 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23108 diff -urNp linux-2.6.38.1/drivers/atm/nicstar.c linux-2.6.38.1/drivers/atm/nicstar.c
23109 --- linux-2.6.38.1/drivers/atm/nicstar.c 2011-03-14 21:20:32.000000000 -0400
23110 +++ linux-2.6.38.1/drivers/atm/nicstar.c 2011-03-21 18:31:35.000000000 -0400
23111 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
23112 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
23113 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
23115 - atomic_inc(&vcc->stats->tx_err);
23116 + atomic_inc_unchecked(&vcc->stats->tx_err);
23117 dev_kfree_skb_any(skb);
23120 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
23122 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
23124 - atomic_inc(&vcc->stats->tx_err);
23125 + atomic_inc_unchecked(&vcc->stats->tx_err);
23126 dev_kfree_skb_any(skb);
23129 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
23130 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
23131 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
23133 - atomic_inc(&vcc->stats->tx_err);
23134 + atomic_inc_unchecked(&vcc->stats->tx_err);
23135 dev_kfree_skb_any(skb);
23139 if (skb_shinfo(skb)->nr_frags != 0) {
23140 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23141 - atomic_inc(&vcc->stats->tx_err);
23142 + atomic_inc_unchecked(&vcc->stats->tx_err);
23143 dev_kfree_skb_any(skb);
23146 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
23149 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
23150 - atomic_inc(&vcc->stats->tx_err);
23151 + atomic_inc_unchecked(&vcc->stats->tx_err);
23152 dev_kfree_skb_any(skb);
23155 - atomic_inc(&vcc->stats->tx);
23156 + atomic_inc_unchecked(&vcc->stats->tx);
23160 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
23162 ("nicstar%d: Can't allocate buffers for aal0.\n",
23164 - atomic_add(i, &vcc->stats->rx_drop);
23165 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23168 if (!atm_charge(vcc, sb->truesize)) {
23170 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
23172 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23173 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23174 dev_kfree_skb_any(sb);
23177 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
23178 ATM_SKB(sb)->vcc = vcc;
23179 __net_timestamp(sb);
23180 vcc->push(vcc, sb);
23181 - atomic_inc(&vcc->stats->rx);
23182 + atomic_inc_unchecked(&vcc->stats->rx);
23183 cell += ATM_CELL_PAYLOAD;
23186 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
23187 if (iovb == NULL) {
23188 printk("nicstar%d: Out of iovec buffers.\n",
23190 - atomic_inc(&vcc->stats->rx_drop);
23191 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23192 recycle_rx_buf(card, skb);
23195 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
23196 small or large buffer itself. */
23197 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
23198 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23199 - atomic_inc(&vcc->stats->rx_err);
23200 + atomic_inc_unchecked(&vcc->stats->rx_err);
23201 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23203 NS_PRV_IOVCNT(iovb) = 0;
23204 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
23205 ("nicstar%d: Expected a small buffer, and this is not one.\n",
23207 which_list(card, skb);
23208 - atomic_inc(&vcc->stats->rx_err);
23209 + atomic_inc_unchecked(&vcc->stats->rx_err);
23210 recycle_rx_buf(card, skb);
23212 recycle_iov_buf(card, iovb);
23213 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
23214 ("nicstar%d: Expected a large buffer, and this is not one.\n",
23216 which_list(card, skb);
23217 - atomic_inc(&vcc->stats->rx_err);
23218 + atomic_inc_unchecked(&vcc->stats->rx_err);
23219 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23220 NS_PRV_IOVCNT(iovb));
23222 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
23223 printk(" - PDU size mismatch.\n");
23226 - atomic_inc(&vcc->stats->rx_err);
23227 + atomic_inc_unchecked(&vcc->stats->rx_err);
23228 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23229 NS_PRV_IOVCNT(iovb));
23231 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
23232 /* skb points to a small buffer */
23233 if (!atm_charge(vcc, skb->truesize)) {
23234 push_rxbufs(card, skb);
23235 - atomic_inc(&vcc->stats->rx_drop);
23236 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23239 dequeue_sm_buf(card, skb);
23240 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
23241 ATM_SKB(skb)->vcc = vcc;
23242 __net_timestamp(skb);
23243 vcc->push(vcc, skb);
23244 - atomic_inc(&vcc->stats->rx);
23245 + atomic_inc_unchecked(&vcc->stats->rx);
23247 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
23248 struct sk_buff *sb;
23249 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
23250 if (len <= NS_SMBUFSIZE) {
23251 if (!atm_charge(vcc, sb->truesize)) {
23252 push_rxbufs(card, sb);
23253 - atomic_inc(&vcc->stats->rx_drop);
23254 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23257 dequeue_sm_buf(card, sb);
23258 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
23259 ATM_SKB(sb)->vcc = vcc;
23260 __net_timestamp(sb);
23261 vcc->push(vcc, sb);
23262 - atomic_inc(&vcc->stats->rx);
23263 + atomic_inc_unchecked(&vcc->stats->rx);
23266 push_rxbufs(card, skb);
23267 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
23269 if (!atm_charge(vcc, skb->truesize)) {
23270 push_rxbufs(card, skb);
23271 - atomic_inc(&vcc->stats->rx_drop);
23272 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23274 dequeue_lg_buf(card, skb);
23275 #ifdef NS_USE_DESTRUCTORS
23276 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
23277 ATM_SKB(skb)->vcc = vcc;
23278 __net_timestamp(skb);
23279 vcc->push(vcc, skb);
23280 - atomic_inc(&vcc->stats->rx);
23281 + atomic_inc_unchecked(&vcc->stats->rx);
23284 push_rxbufs(card, sb);
23285 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
23287 ("nicstar%d: Out of huge buffers.\n",
23289 - atomic_inc(&vcc->stats->rx_drop);
23290 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23291 recycle_iovec_rx_bufs(card,
23294 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
23295 card->hbpool.count++;
23297 dev_kfree_skb_any(hb);
23298 - atomic_inc(&vcc->stats->rx_drop);
23299 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23301 /* Copy the small buffer to the huge buffer */
23302 sb = (struct sk_buff *)iov->iov_base;
23303 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
23304 #endif /* NS_USE_DESTRUCTORS */
23305 __net_timestamp(hb);
23306 vcc->push(vcc, hb);
23307 - atomic_inc(&vcc->stats->rx);
23308 + atomic_inc_unchecked(&vcc->stats->rx);
23312 diff -urNp linux-2.6.38.1/drivers/atm/solos-pci.c linux-2.6.38.1/drivers/atm/solos-pci.c
23313 --- linux-2.6.38.1/drivers/atm/solos-pci.c 2011-03-14 21:20:32.000000000 -0400
23314 +++ linux-2.6.38.1/drivers/atm/solos-pci.c 2011-03-21 18:31:35.000000000 -0400
23315 @@ -717,7 +717,7 @@ void solos_bh(unsigned long card_arg)
23317 atm_charge(vcc, skb->truesize);
23318 vcc->push(vcc, skb);
23319 - atomic_inc(&vcc->stats->rx);
23320 + atomic_inc_unchecked(&vcc->stats->rx);
23324 @@ -1026,7 +1026,7 @@ static uint32_t fpga_tx(struct solos_car
23325 vcc = SKB_CB(oldskb)->vcc;
23328 - atomic_inc(&vcc->stats->tx);
23329 + atomic_inc_unchecked(&vcc->stats->tx);
23330 solos_pop(vcc, oldskb);
23332 dev_kfree_skb_irq(oldskb);
23333 diff -urNp linux-2.6.38.1/drivers/atm/suni.c linux-2.6.38.1/drivers/atm/suni.c
23334 --- linux-2.6.38.1/drivers/atm/suni.c 2011-03-14 21:20:32.000000000 -0400
23335 +++ linux-2.6.38.1/drivers/atm/suni.c 2011-03-21 18:31:35.000000000 -0400
23336 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23339 #define ADD_LIMITED(s,v) \
23340 - atomic_add((v),&stats->s); \
23341 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23342 + atomic_add_unchecked((v),&stats->s); \
23343 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23346 static void suni_hz(unsigned long from_timer)
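Review bot: The rewritten `ADD_LIMITED` at 23342-23343 is still a two-statement macro with no `do { ... } while (0)` wrapper, so an invocation such as `if (cond) ADD_LIMITED(s, v);` would run the `atomic_add_unchecked` conditionally and the clamp unconditionally. The uPD98402.c variant of the same macro at 23366-23368 at least encloses its body in braces; this one should take the `do { ... } while (0)` form. The add and the read-then-clamp are also separate operations, so a concurrent reader of `stats->s` can observe the transient negative value between them; that predates this patch, but now that the counter is explicitly allowed to wrap it deserves a comment saying the clamp is best-effort.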
23347 diff -urNp linux-2.6.38.1/drivers/atm/uPD98402.c linux-2.6.38.1/drivers/atm/uPD98402.c
23348 --- linux-2.6.38.1/drivers/atm/uPD98402.c 2011-03-14 21:20:32.000000000 -0400
23349 +++ linux-2.6.38.1/drivers/atm/uPD98402.c 2011-03-21 18:31:35.000000000 -0400
23350 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23351 struct sonet_stats tmp;
23354 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23355 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23356 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23357 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23358 if (zero && !error) {
23359 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23362 #define ADD_LIMITED(s,v) \
23363 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23364 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23365 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23366 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23367 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23368 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23371 static void stat_event(struct atm_dev *dev)
23372 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23373 if (reason & uPD98402_INT_PFM) stat_event(dev);
23374 if (reason & uPD98402_INT_PCO) {
23375 (void) GET(PCOCR); /* clear interrupt cause */
23376 - atomic_add(GET(HECCT),
23377 + atomic_add_unchecked(GET(HECCT),
23378 &PRIV(dev)->sonet_stats.uncorr_hcs);
23380 if ((reason & uPD98402_INT_RFO) &&
23381 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23382 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23383 uPD98402_INT_LOS),PIMR); /* enable them */
23384 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23385 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23386 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23387 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23388 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23389 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23390 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23394 diff -urNp linux-2.6.38.1/drivers/atm/zatm.c linux-2.6.38.1/drivers/atm/zatm.c
23395 --- linux-2.6.38.1/drivers/atm/zatm.c 2011-03-14 21:20:32.000000000 -0400
23396 +++ linux-2.6.38.1/drivers/atm/zatm.c 2011-03-21 18:31:35.000000000 -0400
23397 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23400 dev_kfree_skb_irq(skb);
23401 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23402 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23405 if (!atm_charge(vcc,skb->truesize)) {
23406 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23408 ATM_SKB(skb)->vcc = vcc;
23409 vcc->push(vcc,skb);
23410 - atomic_inc(&vcc->stats->rx);
23411 + atomic_inc_unchecked(&vcc->stats->rx);
23413 zout(pos & 0xffff,MTA(mbx));
23414 #if 0 /* probably a stupid idea */
23415 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23416 skb_queue_head(&zatm_vcc->backlog,skb);
23419 - atomic_inc(&vcc->stats->tx);
23420 + atomic_inc_unchecked(&vcc->stats->tx);
23421 wake_up(&zatm_vcc->tx_wait);
23424 diff -urNp linux-2.6.38.1/drivers/block/cciss.c linux-2.6.38.1/drivers/block/cciss.c
23425 --- linux-2.6.38.1/drivers/block/cciss.c 2011-03-14 21:20:32.000000000 -0400
23426 +++ linux-2.6.38.1/drivers/block/cciss.c 2011-03-21 18:31:35.000000000 -0400
23427 @@ -1112,6 +1112,8 @@ static int cciss_ioctl32_passthru(struct
23431 + memset(&arg64, 0, sizeof(arg64));
23435 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
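Review bot: The added `memset(&arg64, 0, sizeof(arg64))` at 23431 has no comment saying what it guards against; the field-by-field `copy_from_user` that follows would otherwise leave padding and any un-copied members at their stack values, and presumably the point is to keep those from being handed back to userspace later in the ioctl. That intent should be recorded next to the call: `/* zero the whole struct so padding and uncopied fields never reach userspace */`. Whether the `copy_from_user` return at 23435 is checked is not visible, because the line preceding it is not on the page; the remainder of cciss_ioctl32_passthru lies outside the hunk.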
23436 diff -urNp linux-2.6.38.1/drivers/char/agp/frontend.c linux-2.6.38.1/drivers/char/agp/frontend.c
23437 --- linux-2.6.38.1/drivers/char/agp/frontend.c 2011-03-14 21:20:32.000000000 -0400
23438 +++ linux-2.6.38.1/drivers/char/agp/frontend.c 2011-03-21 18:31:35.000000000 -0400
23439 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
23440 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23443 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23444 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23447 client = agp_find_client_by_pid(reserve.pid);
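Review bot: The overflow guard at 23444 now bounds `seg_count` by `sizeof(struct agp_segment_priv)` alone; if an array of `struct agp_segment` is also sized from `reserve.seg_count` further down, which the check it replaces suggests, the guard must use the larger of the two, e.g. `~0U / max(sizeof(struct agp_segment), sizeof(struct agp_segment_priv))`, or a comment should state that `agp_segment_priv` is known to be the larger. Even when the multiplication cannot wrap, `seg_count` can still request an allocation close to 4 GiB from the ioctl caller, so a small administrative ceiling on segment count would be the more robust check. The rest of agpioc_reserve_wrap lies outside the hunk.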
23448 diff -urNp linux-2.6.38.1/drivers/char/agp/intel-agp.c linux-2.6.38.1/drivers/char/agp/intel-agp.c
23449 --- linux-2.6.38.1/drivers/char/agp/intel-agp.c 2011-03-14 21:20:32.000000000 -0400
23450 +++ linux-2.6.38.1/drivers/char/agp/intel-agp.c 2011-03-21 18:31:35.000000000 -0400
23451 @@ -903,7 +903,7 @@ static struct pci_device_id agp_intel_pc
23452 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23453 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23454 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
23456 + { 0, 0, 0, 0, 0, 0, 0 }
23459 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
23460 diff -urNp linux-2.6.38.1/drivers/char/hpet.c linux-2.6.38.1/drivers/char/hpet.c
23461 --- linux-2.6.38.1/drivers/char/hpet.c 2011-03-14 21:20:32.000000000 -0400
23462 +++ linux-2.6.38.1/drivers/char/hpet.c 2011-03-21 18:31:35.000000000 -0400
23463 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23467 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
23468 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
23469 struct hpet_info *info)
23471 struct hpet_timer __iomem *timer;
23472 @@ -1043,7 +1043,7 @@ static struct acpi_driver hpet_acpi_driv
23476 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23477 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23479 static int __init hpet_init(void)
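Review bot: The `hpet_misc` initializer at 23477 is now positional across six members, including two bare `NULL`s and a `{NULL, NULL}` list head, which silently breaks if `struct miscdevice` gains or reorders a field; designated initializers express the same thing without that fragility: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`. Members not named are zero-initialized, which is exactly what the explicit `NULL`s spell out. If the fully positional form exists to satisfy a constification rule or warning elsewhere in this patch set, a one-line comment saying so would stop the next reader from reverting it.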
23481 diff -urNp linux-2.6.38.1/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.38.1/drivers/char/ipmi/ipmi_msghandler.c
23482 --- linux-2.6.38.1/drivers/char/ipmi/ipmi_msghandler.c 2011-03-14 21:20:32.000000000 -0400
23483 +++ linux-2.6.38.1/drivers/char/ipmi/ipmi_msghandler.c 2011-03-21 18:31:35.000000000 -0400
23484 @@ -414,7 +414,7 @@ struct ipmi_smi {
23485 struct proc_dir_entry *proc_dir;
23486 char proc_dir_name[10];
23488 - atomic_t stats[IPMI_NUM_STATS];
23489 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23492 * run_to_completion duplicate of smb_info, smi_info
23493 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23496 #define ipmi_inc_stat(intf, stat) \
23497 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23498 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23499 #define ipmi_get_stat(intf, stat) \
23500 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23501 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23503 static int is_lan_addr(struct ipmi_addr *addr)
23505 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23506 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23507 init_waitqueue_head(&intf->waitq);
23508 for (i = 0; i < IPMI_NUM_STATS; i++)
23509 - atomic_set(&intf->stats[i], 0);
23510 + atomic_set_unchecked(&intf->stats[i], 0);
23512 intf->proc_dir = NULL;
23514 diff -urNp linux-2.6.38.1/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.38.1/drivers/char/ipmi/ipmi_si_intf.c
23515 --- linux-2.6.38.1/drivers/char/ipmi/ipmi_si_intf.c 2011-03-14 21:20:32.000000000 -0400
23516 +++ linux-2.6.38.1/drivers/char/ipmi/ipmi_si_intf.c 2011-03-21 18:31:35.000000000 -0400
23517 @@ -285,7 +285,7 @@ struct smi_info {
23518 unsigned char slave_addr;
23520 /* Counters and things for the proc filesystem. */
23521 - atomic_t stats[SI_NUM_STATS];
23522 + atomic_unchecked_t stats[SI_NUM_STATS];
23524 struct task_struct *thread;
23526 @@ -294,9 +294,9 @@ struct smi_info {
23529 #define smi_inc_stat(smi, stat) \
23530 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23531 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23532 #define smi_get_stat(smi, stat) \
23533 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23534 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23536 #define SI_MAX_PARMS 4
23538 @@ -3202,7 +3202,7 @@ static int try_smi_init(struct smi_info
23539 atomic_set(&new_smi->req_events, 0);
23540 new_smi->run_to_completion = 0;
23541 for (i = 0; i < SI_NUM_STATS; i++)
23542 - atomic_set(&new_smi->stats[i], 0);
23543 + atomic_set_unchecked(&new_smi->stats[i], 0);
23545 new_smi->interrupt_disabled = 1;
23546 atomic_set(&new_smi->stop_operation, 0);
23547 diff -urNp linux-2.6.38.1/drivers/char/mem.c linux-2.6.38.1/drivers/char/mem.c
23548 --- linux-2.6.38.1/drivers/char/mem.c 2011-03-14 21:20:32.000000000 -0400
23549 +++ linux-2.6.38.1/drivers/char/mem.c 2011-03-21 18:31:35.000000000 -0400
23551 #include <linux/raw.h>
23552 #include <linux/tty.h>
23553 #include <linux/capability.h>
23554 +#include <linux/security.h>
23555 #include <linux/ptrace.h>
23556 #include <linux/device.h>
23557 #include <linux/highmem.h>
23559 # include <linux/efi.h>
23562 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23563 +extern struct file_operations grsec_fops;
23566 static inline unsigned long size_inside_page(unsigned long start,
23567 unsigned long size)
23569 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23571 while (count > 0) {
23572 unsigned long remaining;
23575 sz = size_inside_page(p, count);
23577 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23581 - remaining = copy_to_user(buf, ptr, sz);
23582 +#ifdef CONFIG_PAX_USERCOPY
23583 + temp = kmalloc(sz, GFP_KERNEL);
23585 + unxlate_dev_mem_ptr(p, ptr);
23588 + memcpy(temp, ptr, sz);
23593 + remaining = copy_to_user(buf, temp, sz);
23595 +#ifdef CONFIG_PAX_USERCOPY
23599 unxlate_dev_mem_ptr(p, ptr);
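Review bot: The `CONFIG_PAX_USERCOPY` path at 23583 allocates a bounce buffer, but the lines between 23588 and 23599 are not on the page, so the allocation-failure handling and the `kfree(temp)` on both the success path and the `copy_to_user` failure path cannot be confirmed; each exit from the loop body needs one. The reason for bouncing through a slab object is not stated anywhere, and presumably it is that the pointer from the device-memory translation is not something the usercopy checks can size; that belongs in a comment such as `/* PAX_USERCOPY: copy via a kmalloc'd buffer so the usercopy checker sees a bounded slab object */`. The read_kmem hunk at 23651-23662 repeats the same structure, with `err` introduced at 23631 for it, and the same two points apply there.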
23602 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23603 if (!valid_phys_addr_range(p, count))
23606 +#ifdef CONFIG_GRKERNSEC_KMEM
23607 + gr_handle_mem_write();
23613 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
23614 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23615 &vma->vm_page_prot))
23618 +#ifdef CONFIG_GRKERNSEC_KMEM
23619 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23623 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23625 vma->vm_page_prot);
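Review bot: `gr_handle_mem_mmap` at 23619 is passed `vma->vm_pgoff << PAGE_SHIFT`, which on a 32-bit kernel with a physical address space wider than 32 bits drops the high bits of the offset, whereas the surrounding mmap_mem code works in page frame numbers (`vma->vm_pgoff` at 23623); a high physical range could therefore be checked as though it were a low one. Passing the pfn and letting the hook widen it, or computing the address in a `phys_addr_t`, avoids that truncation. The hook's return value is acted on in a line not shown on the page, so what happens on rejection cannot be confirmed.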
23626 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23627 size_t count, loff_t *ppos)
23629 unsigned long p = *ppos;
23630 - ssize_t low_count, read, sz;
23631 + ssize_t low_count, read, sz, err = 0;
23632 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23636 if (p < (unsigned long) high_memory) {
23637 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23640 while (low_count > 0) {
23643 sz = size_inside_page(p, low_count);
23646 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23648 kbuf = xlate_dev_kmem_ptr((char *)p);
23650 - if (copy_to_user(buf, kbuf, sz))
23651 +#ifdef CONFIG_PAX_USERCOPY
23652 + temp = kmalloc(sz, GFP_KERNEL);
23655 + memcpy(temp, kbuf, sz);
23660 + err = copy_to_user(buf, temp, sz);
23662 +#ifdef CONFIG_PAX_USERCOPY
23670 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23671 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23674 +#ifdef CONFIG_GRKERNSEC_KMEM
23675 + gr_handle_kmem_write();
23679 if (p < (unsigned long) high_memory) {
23680 unsigned long to_write = min_t(unsigned long, count,
23681 (unsigned long)high_memory - p);
23682 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23684 static int open_port(struct inode * inode, struct file * filp)
23686 +#ifdef CONFIG_GRKERNSEC_KMEM
23687 + gr_handle_open_port();
23691 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23694 +static int open_mem(struct inode * inode, struct file * filp)
23696 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
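Review bot: `open_mem` at 23694 repeats the `capable(CAP_SYS_RAWIO)` check of `open_port` verbatim, and nothing records why the former `#define open_mem open_port` alias (removed at 23703) had to become a separate function; a comment on `open_mem` such as `/* kept separate from open_port so the CONFIG_GRKERNSEC_KMEM port hook applies to /dev/port only */` captures the intent. The `open_kmem` and `open_oldmem` aliases at 23704-23705 now resolve to `open_mem` and so no longer pass through the port hook; that looks intentional but should be said in the same comment.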
23699 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23700 #define full_lseek null_lseek
23701 #define write_zero write_null
23702 #define read_full read_zero
23703 -#define open_mem open_port
23704 #define open_kmem open_mem
23705 #define open_oldmem open_mem
23707 @@ -857,6 +919,9 @@ static const struct memdev {
23708 #ifdef CONFIG_CRASH_DUMP
23709 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23711 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23712 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23716 static int memory_open(struct inode *inode, struct file *filp)
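Review bot: The new `grsec` memdev entry at 23712 is created with mode `S_IRUSR | S_IWUGO`, i.e. writable by every user on the system; that is presumably deliberate for the control interface, but it makes the write path of `grsec_fops` reachable from unprivileged processes, so the entry needs a comment stating that the write handler performs its own authentication and why world-write is required. `grsec_fops` is also declared at 23563 as a non-`const` `struct file_operations`, leaving a function-pointer table in writable data; the kernel convention is `const struct file_operations`, which would match the other fops referenced in this table. The table's enclosing declaration and `memory_open` lie outside the hunk.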
23717 diff -urNp linux-2.6.38.1/drivers/char/nvram.c linux-2.6.38.1/drivers/char/nvram.c
23718 --- linux-2.6.38.1/drivers/char/nvram.c 2011-03-14 21:20:32.000000000 -0400
23719 +++ linux-2.6.38.1/drivers/char/nvram.c 2011-03-21 18:31:35.000000000 -0400
23720 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
23722 spin_unlock_irq(&rtc_lock);
23724 - if (copy_to_user(buf, contents, tmp - contents))
23725 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
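Review bot: The guard at 23725 compares `tmp - contents`, a signed pointer difference, against `sizeof(contents)`, a `size_t`, so the comparison is performed unsigned and trips `-Wsign-compare`; writing it as `(size_t)(tmp - contents) > sizeof(contents)` makes the intent explicit (a negative difference is still rejected either way). Since `tmp` can only run past the end of `contents` through a bug in the fill loop, which is outside the hunk, failing with the same error as a faulting `copy_to_user` disguises a kernel bug as a user fault; a `WARN_ON_ONCE` before returning would be more informative. The declarations of `tmp` and `contents` are not shown, so this reads them as a pointer into a local array.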
23729 @@ -435,7 +435,10 @@ static const struct file_operations nvra
23730 static struct miscdevice nvram_dev = {
23740 static int __init nvram_init(void)
23741 diff -urNp linux-2.6.38.1/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.38.1/drivers/char/pcmcia/ipwireless/tty.c
23742 --- linux-2.6.38.1/drivers/char/pcmcia/ipwireless/tty.c 2011-03-14 21:20:32.000000000 -0400
23743 +++ linux-2.6.38.1/drivers/char/pcmcia/ipwireless/tty.c 2011-03-21 18:31:35.000000000 -0400
23745 #include <linux/tty_driver.h>
23746 #include <linux/tty_flip.h>
23747 #include <linux/uaccess.h>
23748 +#include <asm/local.h>
23751 #include "network.h"
23752 @@ -51,7 +52,7 @@ struct ipw_tty {
23754 struct ipw_network *network;
23755 struct tty_struct *linux_tty;
23757 + local_t open_count;
23758 unsigned int control_lines;
23759 struct mutex ipw_tty_mutex;
23760 int tx_bytes_queued;
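Review bot: Changing `open_count` at 23757 to `local_t` is an unusual choice for a per-tty field touched from any CPU, since the local_t API is documented as atomic only with respect to the CPU that owns the variable (Documentation/local_ops.txt) and `local_inc`/`local_dec_return` give no cross-CPU guarantee. The accesses visible in the later hunks sit under `ipw_tty_mutex` (23788, 23806, 23859), so correctness presumably rests on that lock rather than on the atomic; if the aim is only an overflow-checked counter, `atomic_t` is the primitive readers will expect, and either way a comment on the field should name the lock that protects it, e.g. `/* protected by ipw_tty_mutex */`. The same observation applies to every `local_read`/`local_inc`/`local_dec_return` hunk below in this file.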
23761 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
23762 mutex_unlock(&tty->ipw_tty_mutex);
23765 - if (tty->open_count == 0)
23766 + if (local_read(&tty->open_count) == 0)
23767 tty->tx_bytes_queued = 0;
23769 - tty->open_count++;
23770 + local_inc(&tty->open_count);
23772 tty->linux_tty = linux_tty;
23773 linux_tty->driver_data = tty;
23774 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
23776 static void do_ipw_close(struct ipw_tty *tty)
23778 - tty->open_count--;
23780 - if (tty->open_count == 0) {
23781 + if (local_dec_return(&tty->open_count) == 0) {
23782 struct tty_struct *linux_tty = tty->linux_tty;
23784 if (linux_tty != NULL) {
23785 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
23788 mutex_lock(&tty->ipw_tty_mutex);
23789 - if (tty->open_count == 0) {
23790 + if (local_read(&tty->open_count) == 0) {
23791 mutex_unlock(&tty->ipw_tty_mutex);
23794 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
23798 - if (!tty->open_count) {
23799 + if (!local_read(&tty->open_count)) {
23800 mutex_unlock(&tty->ipw_tty_mutex);
23803 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
23806 mutex_lock(&tty->ipw_tty_mutex);
23807 - if (!tty->open_count) {
23808 + if (!local_read(&tty->open_count)) {
23809 mutex_unlock(&tty->ipw_tty_mutex);
23812 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
23816 - if (!tty->open_count)
23817 + if (!local_read(&tty->open_count))
23820 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23821 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
23825 - if (!tty->open_count)
23826 + if (!local_read(&tty->open_count))
23829 return tty->tx_bytes_queued;
23830 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
23834 - if (!tty->open_count)
23835 + if (!local_read(&tty->open_count))
23838 return get_control_lines(tty);
23839 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
23843 - if (!tty->open_count)
23844 + if (!local_read(&tty->open_count))
23847 return set_control_lines(tty, set, clear);
23848 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
23852 - if (!tty->open_count)
23853 + if (!local_read(&tty->open_count))
23856 /* FIXME: Exactly how is the tty object locked here .. */
23857 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
23858 against a parallel ioctl etc */
23859 mutex_lock(&ttyj->ipw_tty_mutex);
23861 - while (ttyj->open_count)
23862 + while (local_read(&ttyj->open_count))
23863 do_ipw_close(ttyj);
23864 ipwireless_disassociate_network_ttys(network,
23865 ttyj->channel_idx);
23866 diff -urNp linux-2.6.38.1/drivers/char/random.c linux-2.6.38.1/drivers/char/random.c
23867 --- linux-2.6.38.1/drivers/char/random.c 2011-03-14 21:20:32.000000000 -0400
23868 +++ linux-2.6.38.1/drivers/char/random.c 2011-03-21 18:31:35.000000000 -0400
23869 @@ -254,8 +254,13 @@
23871 * Configuration information
23873 +#ifdef CONFIG_GRKERNSEC_RANDNET
23874 +#define INPUT_POOL_WORDS 512
23875 +#define OUTPUT_POOL_WORDS 128
23877 #define INPUT_POOL_WORDS 128
23878 #define OUTPUT_POOL_WORDS 32
23880 #define SEC_XFER_SIZE 512
23881 #define EXTRACT_SIZE 10
23883 @@ -293,10 +298,17 @@ static struct poolinfo {
23885 int tap1, tap2, tap3, tap4, tap5;
23886 } poolinfo_table[] = {
23887 +#ifdef CONFIG_GRKERNSEC_RANDNET
23888 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
23889 + { 512, 411, 308, 208, 104, 1 },
23890 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
23891 + { 128, 103, 76, 51, 25, 1 },
23893 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
23894 { 128, 103, 76, 51, 25, 1 },
23895 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
23896 { 32, 26, 20, 14, 7, 1 },
23899 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
23900 { 2048, 1638, 1231, 819, 411, 1 },
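Review bot: The new 512-word tap set `{ 512, 411, 308, 208, 104, 1 }` comes with no provenance, while the neighbouring entries are described by the surrounding random.c comments as polynomials taken from a table of primitive polynomials; from the hunk alone a reader cannot tell whether x^512 + x^411 + x^308 + x^208 + x^104 + x + 1 was verified primitive or simply chosen to follow the ~0.8/0.6/0.4/0.2 tap spacing of the other rows. Add the source beside the entry, e.g. `/* source: <table or paper> — verified primitive */`, or state explicitly that the taps are unverified so a maintainer does not assume the property the rest of the table carries. The `#else`/`#endif` lines that pair with the added `#ifdef` are not visible in the rendered hunk.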
23901 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
23903 extract_buf(r, tmp);
23904 i = min_t(int, nbytes, EXTRACT_SIZE);
23905 - if (copy_to_user(buf, tmp, i)) {
23906 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
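Review bot: The added `i > sizeof(tmp)` test reads as dead code, because `i` was just clamped to `EXTRACT_SIZE`, which (assuming `tmp` is declared as `__u8 tmp[EXTRACT_SIZE]` outside the hunk) equals `sizeof(tmp)`; what it actually catches is the `min_t(int, nbytes, EXTRACT_SIZE)` truncation on the previous line, where an `nbytes` above `INT_MAX` can yield a negative `i` that would become a huge length in `copy_to_user()` but compares greater than `sizeof(tmp)` once promoted to `size_t`. Make that intent visible, e.g. `/* a negative i from min_t(int, ...) truncating a huge nbytes would become a huge copy length */`, or remove the cause instead with `i = min_t(size_t, nbytes, EXTRACT_SIZE);`. The enclosing `while` loop starts and ends outside the hunk.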
23910 @@ -1207,7 +1219,7 @@ EXPORT_SYMBOL(generate_random_uuid);
23911 #include <linux/sysctl.h>
23913 static int min_read_thresh = 8, min_write_thresh;
23914 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
23915 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
23916 static int max_write_thresh = INPUT_POOL_WORDS * 32;
23917 static char sysctl_bootid[16];
23919 diff -urNp linux-2.6.38.1/drivers/char/sonypi.c linux-2.6.38.1/drivers/char/sonypi.c
23920 --- linux-2.6.38.1/drivers/char/sonypi.c 2011-03-14 21:20:32.000000000 -0400
23921 +++ linux-2.6.38.1/drivers/char/sonypi.c 2011-03-21 18:31:35.000000000 -0400
23923 #include <asm/uaccess.h>
23924 #include <asm/io.h>
23925 #include <asm/system.h>
23926 +#include <asm/local.h>
23928 #include <linux/sonypi.h>
23930 @@ -491,7 +492,7 @@ static struct sonypi_device {
23931 spinlock_t fifo_lock;
23932 wait_queue_head_t fifo_proc_list;
23933 struct fasync_struct *fifo_async;
23935 + local_t open_count;
23937 struct input_dev *input_jog_dev;
23938 struct input_dev *input_key_dev;
23939 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
23940 static int sonypi_misc_release(struct inode *inode, struct file *file)
23942 mutex_lock(&sonypi_device.lock);
23943 - sonypi_device.open_count--;
23944 + local_dec(&sonypi_device.open_count);
23945 mutex_unlock(&sonypi_device.lock);
23948 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
23950 mutex_lock(&sonypi_device.lock);
23951 /* Flush input queue on first open */
23952 - if (!sonypi_device.open_count)
23953 + if (!local_read(&sonypi_device.open_count))
23954 kfifo_reset(&sonypi_device.fifo);
23955 - sonypi_device.open_count++;
23956 + local_inc(&sonypi_device.open_count);
23957 mutex_unlock(&sonypi_device.lock);
23960 diff -urNp linux-2.6.38.1/drivers/char/tpm/tpm_bios.c linux-2.6.38.1/drivers/char/tpm/tpm_bios.c
23961 --- linux-2.6.38.1/drivers/char/tpm/tpm_bios.c 2011-03-14 21:20:32.000000000 -0400
23962 +++ linux-2.6.38.1/drivers/char/tpm/tpm_bios.c 2011-03-21 18:31:35.000000000 -0400
23963 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
23966 if ((event->event_type == 0 && event->event_size == 0) ||
23967 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
23968 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
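Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` removes the overflow in the old sum but wraps the other way: when fewer than `sizeof(struct tcpa_event)` bytes remain before `limit`, the right-hand side underflows to a huge unsigned value and a truncated trailing header is accepted rather than rejected, unless a check outside the hunk already guarantees that a full header fits. Test the remainder first: `if (... || limit - addr < sizeof(struct tcpa_event) || event->event_size >= limit - addr - sizeof(struct tcpa_event))`. The `v`-based test in the next hunk of this file has the same gap. The enclosing loop starts outside the hunk.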
23972 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
23975 if ((event->event_type == 0 && event->event_size == 0) ||
23976 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
23977 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
23981 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
23984 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
23985 - seq_putc(m, data[i]);
23986 + if (!seq_putc(m, data[i]))
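Review bot: In this kernel generation `seq_putc()` returns 0 when the character was stored and -1 when the seq buffer is full (please confirm against the seq_file implementation), so `if (!seq_putc(m, data[i]))` takes the error path on every successfully written byte and the loop stops after the first character, whatever the hidden following line does. Test for failure instead: `if (seq_putc(m, data[i]) < 0)`. The line executed on failure and the rest of the function are outside the visible hunk.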
23991 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
23992 log->bios_event_log_end = log->bios_event_log + len;
23994 virt = acpi_os_map_memory(start, len);
23996 + kfree(log->bios_event_log);
23997 + log->bios_event_log = NULL;
24001 memcpy(log->bios_event_log, virt, len);
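Review bot: `log->bios_event_log_end`, set on the first line of the hunk to `log->bios_event_log + len`, is left dangling after the added `kfree(log->bios_event_log)`, so the failure path hands back a struct with one NULL pointer and one pointer into freed memory. Reset both together by adding `log->bios_event_log_end = NULL;` next to the new `log->bios_event_log = NULL;`. The `if` block that the added lines belong to is not visible in the hunk.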
24003 diff -urNp linux-2.6.38.1/drivers/char/tpm/tpm.c linux-2.6.38.1/drivers/char/tpm/tpm.c
24004 --- linux-2.6.38.1/drivers/char/tpm/tpm.c 2011-03-14 21:20:32.000000000 -0400
24005 +++ linux-2.6.38.1/drivers/char/tpm/tpm.c 2011-03-21 18:31:35.000000000 -0400
24006 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
24007 chip->vendor.req_complete_val)
24010 - if ((status == chip->vendor.req_canceled)) {
24011 + if (status == chip->vendor.req_canceled) {
24012 dev_err(chip->dev, "Operation Canceled\n");
24015 diff -urNp linux-2.6.38.1/drivers/cpuidle/sysfs.c linux-2.6.38.1/drivers/cpuidle/sysfs.c
24016 --- linux-2.6.38.1/drivers/cpuidle/sysfs.c 2011-03-14 21:20:32.000000000 -0400
24017 +++ linux-2.6.38.1/drivers/cpuidle/sysfs.c 2011-03-21 18:31:35.000000000 -0400
24018 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24019 .release = cpuidle_state_sysfs_release,
24022 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24023 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24025 kobject_put(&device->kobjs[i]->kobj);
24026 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24027 diff -urNp linux-2.6.38.1/drivers/edac/edac_core.h linux-2.6.38.1/drivers/edac/edac_core.h
24028 --- linux-2.6.38.1/drivers/edac/edac_core.h 2011-03-14 21:20:32.000000000 -0400
24029 +++ linux-2.6.38.1/drivers/edac/edac_core.h 2011-03-21 18:31:35.000000000 -0400
24030 @@ -88,11 +88,11 @@ extern int edac_debug_level;
24032 #else /* !CONFIG_EDAC_DEBUG */
24034 -#define debugf0( ... )
24035 -#define debugf1( ... )
24036 -#define debugf2( ... )
24037 -#define debugf3( ... )
24038 -#define debugf4( ... )
24039 +#define debugf0( ... ) do {} while (0)
24040 +#define debugf1( ... ) do {} while (0)
24041 +#define debugf2( ... ) do {} while (0)
24042 +#define debugf3( ... ) do {} while (0)
24043 +#define debugf4( ... ) do {} while (0)
24045 #endif /* !CONFIG_EDAC_DEBUG */
24047 diff -urNp linux-2.6.38.1/drivers/edac/edac_mc_sysfs.c linux-2.6.38.1/drivers/edac/edac_mc_sysfs.c
24048 --- linux-2.6.38.1/drivers/edac/edac_mc_sysfs.c 2011-03-14 21:20:32.000000000 -0400
24049 +++ linux-2.6.38.1/drivers/edac/edac_mc_sysfs.c 2011-03-21 18:31:35.000000000 -0400
24050 @@ -761,7 +761,7 @@ static void edac_inst_grp_release(struct
24053 /* Intermediate show/store table */
24054 -static struct sysfs_ops inst_grp_ops = {
24055 +static const struct sysfs_ops inst_grp_ops = {
24056 .show = inst_grp_show,
24057 .store = inst_grp_store
24059 diff -urNp linux-2.6.38.1/drivers/firewire/core-cdev.c linux-2.6.38.1/drivers/firewire/core-cdev.c
24060 --- linux-2.6.38.1/drivers/firewire/core-cdev.c 2011-03-14 21:20:32.000000000 -0400
24061 +++ linux-2.6.38.1/drivers/firewire/core-cdev.c 2011-03-21 18:31:35.000000000 -0400
24062 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
24065 if ((request->channels == 0 && request->bandwidth == 0) ||
24066 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24067 - request->bandwidth < 0)
24068 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24071 r = kmalloc(sizeof(*r), GFP_KERNEL);
24072 diff -urNp linux-2.6.38.1/drivers/firmware/dmi_scan.c linux-2.6.38.1/drivers/firmware/dmi_scan.c
24073 --- linux-2.6.38.1/drivers/firmware/dmi_scan.c 2011-03-14 21:20:32.000000000 -0400
24074 +++ linux-2.6.38.1/drivers/firmware/dmi_scan.c 2011-03-21 18:31:35.000000000 -0400
24075 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
24080 - * no iounmap() for that ioremap(); it would be a no-op, but
24081 - * it's so early in setup that sucker gets confused into doing
24082 - * what it shouldn't if we actually call it.
24084 p = dmi_ioremap(0xF0000, 0x10000);
24087 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.38.1/drivers/gpu/drm/drm_crtc_helper.c
24088 --- linux-2.6.38.1/drivers/gpu/drm/drm_crtc_helper.c 2011-03-14 21:20:32.000000000 -0400
24089 +++ linux-2.6.38.1/drivers/gpu/drm/drm_crtc_helper.c 2011-03-21 18:31:35.000000000 -0400
24090 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
24091 struct drm_crtc *tmp;
24094 - WARN(!crtc, "checking null crtc?\n");
24099 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_drv.c linux-2.6.38.1/drivers/gpu/drm/drm_drv.c
24100 --- linux-2.6.38.1/drivers/gpu/drm/drm_drv.c 2011-03-14 21:20:32.000000000 -0400
24101 +++ linux-2.6.38.1/drivers/gpu/drm/drm_drv.c 2011-03-21 18:31:35.000000000 -0400
24102 @@ -425,7 +425,7 @@ long drm_ioctl(struct file *filp,
24104 dev = file_priv->minor->dev;
24105 atomic_inc(&dev->ioctl_count);
24106 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24107 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24108 ++file_priv->ioctl_count;
24110 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
24111 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_fops.c linux-2.6.38.1/drivers/gpu/drm/drm_fops.c
24112 --- linux-2.6.38.1/drivers/gpu/drm/drm_fops.c 2011-03-14 21:20:32.000000000 -0400
24113 +++ linux-2.6.38.1/drivers/gpu/drm/drm_fops.c 2011-03-21 18:31:35.000000000 -0400
24114 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
24117 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24118 - atomic_set(&dev->counts[i], 0);
24119 + atomic_set_unchecked(&dev->counts[i], 0);
24121 dev->sigdata.lock = NULL;
24123 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
24125 retcode = drm_open_helper(inode, filp, dev);
24127 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24128 - if (!dev->open_count++)
24129 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24130 + if (local_inc_return(&dev->open_count) == 1)
24131 retcode = drm_setup(dev);
24134 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
24136 mutex_lock(&drm_global_mutex);
24138 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24139 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
24141 if (dev->driver->preclose)
24142 dev->driver->preclose(dev, file_priv);
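Review bot: `local_read()` returns `long` (it wraps `atomic_long_read`), but the format string keeps `%d`, so `DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count))` now has a format/argument type mismatch that `-Wformat` reports and that is formally undefined; use `%ld`, or cast with `(int)local_read(&dev->open_count)` to keep the existing format. The `pid = %d, device = 0x%lx, open_count = %d` call in the next hunk of this file has the same mismatch. `drm_release` begins before and continues after this hunk.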
24143 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
24144 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24145 task_pid_nr(current),
24146 (long)old_encode_dev(file_priv->minor->device),
24147 - dev->open_count);
24148 + local_read(&dev->open_count));
24150 /* if the master has gone away we can't do anything with the lock */
24151 if (file_priv->minor->master)
24152 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
24153 * End inline drm_release
24156 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24157 - if (!--dev->open_count) {
24158 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24159 + if (local_dec_and_test(&dev->open_count)) {
24160 if (atomic_read(&dev->ioctl_count)) {
24161 DRM_ERROR("Device busy: %d\n",
24162 atomic_read(&dev->ioctl_count));
24163 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_global.c linux-2.6.38.1/drivers/gpu/drm/drm_global.c
24164 --- linux-2.6.38.1/drivers/gpu/drm/drm_global.c 2011-03-14 21:20:32.000000000 -0400
24165 +++ linux-2.6.38.1/drivers/gpu/drm/drm_global.c 2011-03-21 18:31:35.000000000 -0400
24167 struct drm_global_item {
24168 struct mutex mutex;
24171 + atomic_t refcount;
24174 static struct drm_global_item glob[DRM_GLOBAL_NUM];
24175 @@ -49,7 +49,7 @@ void drm_global_init(void)
24176 struct drm_global_item *item = &glob[i];
24177 mutex_init(&item->mutex);
24178 item->object = NULL;
24179 - item->refcount = 0;
24180 + atomic_set(&item->refcount, 0);
24184 @@ -59,7 +59,7 @@ void drm_global_release(void)
24185 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
24186 struct drm_global_item *item = &glob[i];
24187 BUG_ON(item->object != NULL);
24188 - BUG_ON(item->refcount != 0);
24189 + BUG_ON(atomic_read(&item->refcount) != 0);
24193 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
24196 mutex_lock(&item->mutex);
24197 - if (item->refcount == 0) {
24198 + if (atomic_read(&item->refcount) == 0) {
24199 item->object = kzalloc(ref->size, GFP_KERNEL);
24200 if (unlikely(item->object == NULL)) {
24202 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
24206 - ++item->refcount;
24207 + atomic_inc(&item->refcount);
24208 ref->object = item->object;
24209 object = item->object;
24210 mutex_unlock(&item->mutex);
24211 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
24212 struct drm_global_item *item = &glob[ref->global_type];
24214 mutex_lock(&item->mutex);
24215 - BUG_ON(item->refcount == 0);
24216 + BUG_ON(atomic_read(&item->refcount) == 0);
24217 BUG_ON(ref->object != item->object);
24218 - if (--item->refcount == 0) {
24219 + if (atomic_dec_and_test(&item->refcount)) {
24221 item->object = NULL;
24223 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_info.c linux-2.6.38.1/drivers/gpu/drm/drm_info.c
24224 --- linux-2.6.38.1/drivers/gpu/drm/drm_info.c 2011-03-14 21:20:32.000000000 -0400
24225 +++ linux-2.6.38.1/drivers/gpu/drm/drm_info.c 2011-03-21 18:31:35.000000000 -0400
24226 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
24227 struct drm_local_map *map;
24228 struct drm_map_list *r_list;
24230 - /* Hardcoded from _DRM_FRAME_BUFFER,
24231 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
24232 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
24233 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
24234 + static const char * const types[] = {
24235 + [_DRM_FRAME_BUFFER] = "FB",
24236 + [_DRM_REGISTERS] = "REG",
24237 + [_DRM_SHM] = "SHM",
24238 + [_DRM_AGP] = "AGP",
24239 + [_DRM_SCATTER_GATHER] = "SG",
24240 + [_DRM_CONSISTENT] = "PCI",
24241 + [_DRM_GEM] = "GEM" };
24245 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
24249 - if (map->type < 0 || map->type > 5)
24250 + if (map->type >= ARRAY_SIZE(types))
24253 type = types[map->type];
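Review bot: The new bound check `map->type >= ARRAY_SIZE(types)` is only sufficient while the `drm_map_type` enumerators stay dense up to `_DRM_GEM`; a designated initializer leaves any gap as a NULL entry, which `type = types[map->type]` would then hand to the later use of `type`. A guard that also survives future enum additions costs one condition: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. The `else` branch that the check falls into is outside the visible lines.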
24254 @@ -301,7 +305,11 @@ int drm_vma_info(struct seq_file *m, voi
24255 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
24256 vma->vm_flags & VM_LOCKED ? 'l' : '-',
24257 vma->vm_flags & VM_IO ? 'i' : '-',
24258 +#ifdef CONFIG_GRKERNSEC_HIDESYM
24264 #if defined(__i386__)
24265 pgprot = pgprot_val(vma->vm_page_prot);
24266 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_ioctl.c linux-2.6.38.1/drivers/gpu/drm/drm_ioctl.c
24267 --- linux-2.6.38.1/drivers/gpu/drm/drm_ioctl.c 2011-03-14 21:20:32.000000000 -0400
24268 +++ linux-2.6.38.1/drivers/gpu/drm/drm_ioctl.c 2011-03-21 18:31:35.000000000 -0400
24269 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
24270 stats->data[i].value =
24271 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24273 - stats->data[i].value = atomic_read(&dev->counts[i]);
24274 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24275 stats->data[i].type = dev->types[i];
24278 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_lock.c linux-2.6.38.1/drivers/gpu/drm/drm_lock.c
24279 --- linux-2.6.38.1/drivers/gpu/drm/drm_lock.c 2011-03-14 21:20:32.000000000 -0400
24280 +++ linux-2.6.38.1/drivers/gpu/drm/drm_lock.c 2011-03-21 18:31:35.000000000 -0400
24281 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
24282 if (drm_lock_take(&master->lock, lock->context)) {
24283 master->lock.file_priv = file_priv;
24284 master->lock.lock_time = jiffies;
24285 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24286 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24287 break; /* Got lock */
24290 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
24294 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24295 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24297 if (drm_lock_free(&master->lock, lock->context)) {
24298 /* FIXME: Should really bail out here. */
24299 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i810/i810_dma.c linux-2.6.38.1/drivers/gpu/drm/i810/i810_dma.c
24300 --- linux-2.6.38.1/drivers/gpu/drm/i810/i810_dma.c 2011-03-14 21:20:32.000000000 -0400
24301 +++ linux-2.6.38.1/drivers/gpu/drm/i810/i810_dma.c 2011-03-21 18:31:35.000000000 -0400
24302 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24303 dma->buflist[vertex->idx],
24304 vertex->discard, vertex->used);
24306 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24307 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24308 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24309 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24310 sarea_priv->last_enqueue = dev_priv->counter - 1;
24311 sarea_priv->last_dispatch = (int)hw_status[5];
24313 @@ -1114,8 +1114,8 @@ static int i810_dma_mc(struct drm_device
24314 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24317 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24318 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24319 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24320 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24321 sarea_priv->last_enqueue = dev_priv->counter - 1;
24322 sarea_priv->last_dispatch = (int)hw_status[5];
24324 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7017.c
24325 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-14 21:20:32.000000000 -0400
24326 +++ linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-21 18:31:35.000000000 -0400
24327 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
24331 -struct intel_dvo_dev_ops ch7017_ops = {
24332 +const struct intel_dvo_dev_ops ch7017_ops = {
24333 .init = ch7017_init,
24334 .detect = ch7017_detect,
24335 .mode_valid = ch7017_mode_valid,
24336 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7xxx.c
24337 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-14 21:20:32.000000000 -0400
24338 +++ linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-21 18:31:35.000000000 -0400
24339 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
24343 -struct intel_dvo_dev_ops ch7xxx_ops = {
24344 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24345 .init = ch7xxx_init,
24346 .detect = ch7xxx_detect,
24347 .mode_valid = ch7xxx_mode_valid,
24348 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo.h linux-2.6.38.1/drivers/gpu/drm/i915/dvo.h
24349 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo.h 2011-03-14 21:20:32.000000000 -0400
24350 +++ linux-2.6.38.1/drivers/gpu/drm/i915/dvo.h 2011-03-21 18:31:35.000000000 -0400
24351 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
24353 * \return singly-linked list of modes or NULL if no modes found.
24355 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24356 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24359 * Clean up driver-specific bits of the output
24361 - void (*destroy) (struct intel_dvo_device *dvo);
24362 + void (* const destroy) (struct intel_dvo_device *dvo);
24365 * Debugging hook to dump device registers to log file
24367 - void (*dump_regs)(struct intel_dvo_device *dvo);
24368 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24371 -extern struct intel_dvo_dev_ops sil164_ops;
24372 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24373 -extern struct intel_dvo_dev_ops ivch_ops;
24374 -extern struct intel_dvo_dev_ops tfp410_ops;
24375 -extern struct intel_dvo_dev_ops ch7017_ops;
24376 +extern const struct intel_dvo_dev_ops sil164_ops;
24377 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24378 +extern const struct intel_dvo_dev_ops ivch_ops;
24379 +extern const struct intel_dvo_dev_ops tfp410_ops;
24380 +extern const struct intel_dvo_dev_ops ch7017_ops;
24382 #endif /* _INTEL_DVO_H */
24383 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ivch.c
24384 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-14 21:20:32.000000000 -0400
24385 +++ linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-21 18:31:35.000000000 -0400
24386 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
24390 -struct intel_dvo_dev_ops ivch_ops= {
24391 +const struct intel_dvo_dev_ops ivch_ops= {
24394 .mode_valid = ivch_mode_valid,
24395 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.38.1/drivers/gpu/drm/i915/dvo_sil164.c
24396 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-14 21:20:32.000000000 -0400
24397 +++ linux-2.6.38.1/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-21 18:31:35.000000000 -0400
24398 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
24402 -struct intel_dvo_dev_ops sil164_ops = {
24403 +const struct intel_dvo_dev_ops sil164_ops = {
24404 .init = sil164_init,
24405 .detect = sil164_detect,
24406 .mode_valid = sil164_mode_valid,
24407 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.38.1/drivers/gpu/drm/i915/dvo_tfp410.c
24408 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-14 21:20:32.000000000 -0400
24409 +++ linux-2.6.38.1/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-21 18:31:35.000000000 -0400
24410 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
24414 -struct intel_dvo_dev_ops tfp410_ops = {
24415 +const struct intel_dvo_dev_ops tfp410_ops = {
24416 .init = tfp410_init,
24417 .detect = tfp410_detect,
24418 .mode_valid = tfp410_mode_valid,
24419 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/i915_dma.c linux-2.6.38.1/drivers/gpu/drm/i915/i915_dma.c
24420 --- linux-2.6.38.1/drivers/gpu/drm/i915/i915_dma.c 2011-03-14 21:20:32.000000000 -0400
24421 +++ linux-2.6.38.1/drivers/gpu/drm/i915/i915_dma.c 2011-03-21 18:31:35.000000000 -0400
24422 @@ -1159,7 +1159,7 @@ static bool i915_switcheroo_can_switch(s
24425 spin_lock(&dev->count_lock);
24426 - can_switch = (dev->open_count == 0);
24427 + can_switch = (local_read(&dev->open_count) == 0);
24428 spin_unlock(&dev->count_lock);
24431 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/i915_drv.c linux-2.6.38.1/drivers/gpu/drm/i915/i915_drv.c
24432 --- linux-2.6.38.1/drivers/gpu/drm/i915/i915_drv.c 2011-03-14 21:20:32.000000000 -0400
24433 +++ linux-2.6.38.1/drivers/gpu/drm/i915/i915_drv.c 2011-03-21 18:31:35.000000000 -0400
24434 @@ -673,7 +673,7 @@ static const struct dev_pm_ops i915_pm_o
24435 .restore = i915_pm_resume,
24438 -static struct vm_operations_struct i915_gem_vm_ops = {
24439 +static const struct vm_operations_struct i915_gem_vm_ops = {
24440 .fault = i915_gem_fault,
24441 .open = drm_gem_vm_open,
24442 .close = drm_gem_vm_close,
24443 diff -urNp linux-2.6.38.1/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.38.1/drivers/gpu/drm/nouveau/nouveau_state.c
24444 --- linux-2.6.38.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-03-14 21:20:32.000000000 -0400
24445 +++ linux-2.6.38.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-03-21 18:31:35.000000000 -0400
24446 @@ -621,7 +621,7 @@ static bool nouveau_switcheroo_can_switc
24449 spin_lock(&dev->count_lock);
24450 - can_switch = (dev->open_count == 0);
24451 + can_switch = (local_read(&dev->open_count) == 0);
24452 spin_unlock(&dev->count_lock);
24455 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.38.1/drivers/gpu/drm/radeon/mkregtable.c
24456 --- linux-2.6.38.1/drivers/gpu/drm/radeon/mkregtable.c 2011-03-14 21:20:32.000000000 -0400
24457 +++ linux-2.6.38.1/drivers/gpu/drm/radeon/mkregtable.c 2011-03-21 18:31:35.000000000 -0400
24458 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24460 regmatch_t match[4];
24468 struct offset *offset;
24469 char last_reg_s[10];
24471 + unsigned long last_reg;
24474 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24475 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_device.c
24476 --- linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_device.c 2011-03-14 21:20:32.000000000 -0400
24477 +++ linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_device.c 2011-03-21 18:31:35.000000000 -0400
24478 @@ -673,7 +673,7 @@ static bool radeon_switcheroo_can_switch
24481 spin_lock(&dev->count_lock);
24482 - can_switch = (dev->open_count == 0);
24483 + can_switch = (local_read(&dev->open_count) == 0);
24484 spin_unlock(&dev->count_lock);
24487 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_state.c
24488 --- linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_state.c 2011-03-14 21:20:32.000000000 -0400
24489 +++ linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_state.c 2011-03-21 18:31:35.000000000 -0400
24490 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24491 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24492 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24494 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24495 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24496 sarea_priv->nbox * sizeof(depth_boxes[0])))
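Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test re-reads a field that the two lines above have just clamped, so it can only matter if the value changes between the reads — which it can, since `sarea_priv` points into the SAREA, memory shared with userspace — and the copy size on the following line then reads it a third time, so the re-check does not close the window. Read the field once into a local and use that snapshot for the clamp, the new check and the copy size; the local should be declared with the function's other declarations, matching the field's type. `radeon_cp_clear` begins before and continues after this hunk.
```c
	/* … unchanged: declarations; add `nbox` beside them with the same type as sarea_priv->nbox … */
	nbox = sarea_priv->nbox;	/* read the userspace-shared field exactly once */
	if (nbox > RADEON_NR_SAREA_CLIPRECTS)
		nbox = RADEON_NR_SAREA_CLIPRECTS;
	sarea_priv->nbox = nbox;

	if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
			       nbox * sizeof(depth_boxes[0])))
```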
24499 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24501 drm_radeon_private_t *dev_priv = dev->dev_private;
24502 drm_radeon_getparam_t *param = data;
24506 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24508 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_ttm.c
24509 --- linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-14 21:20:32.000000000 -0400
24510 +++ linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-21 18:31:35.000000000 -0400
24511 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
24512 man->size = size >> PAGE_SHIFT;
24515 -static struct vm_operations_struct radeon_ttm_vm_ops;
24516 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24517 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24518 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24519 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24521 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
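Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`/`ttm_bo_vm_open`/`ttm_bo_vm_close` are declared ad hoc in a driver .c file instead of a ttm header shared with their definitions, so the compiler cannot check that they match the newly exported functions in ttm_bo_vm.c, and the next driver that needs them will copy the declarations again; put them in the ttm public header and include it from both sides. Note also that the old code copied `*ttm_vm_ops` at runtime and so inherited every callback ttm installs, whereas the static `radeon_ttm_vm_ops` in the next hunk lists `.fault`/`.open`/`.close` explicitly and will silently miss any callback added to `ttm_bo_vm_ops` later; a comment on the struct, e.g. `/* keep in sync with ttm_bo_vm_ops in ttm_bo_vm.c */`, would at least record the coupling. `radeon_ttm_fault` continues past this hunk.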
24523 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
24524 struct radeon_device *rdev;
24527 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24528 - if (bo == NULL) {
24529 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24531 return VM_FAULT_NOPAGE;
24533 rdev = radeon_get_rdev(bo->bdev);
24534 mutex_lock(&rdev->vram_mutex);
24535 - r = ttm_vm_ops->fault(vma, vmf);
24536 + r = ttm_bo_vm_fault(vma, vmf);
24537 mutex_unlock(&rdev->vram_mutex);
24541 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24542 + .fault = radeon_ttm_fault,
24543 + .open = ttm_bo_vm_open,
24544 + .close = ttm_bo_vm_close
24547 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24549 struct drm_file *file_priv;
24550 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
24552 file_priv = filp->private_data;
24553 rdev = file_priv->minor->dev->dev_private;
24554 - if (rdev == NULL) {
24558 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24559 - if (unlikely(r != 0)) {
24563 - if (unlikely(ttm_vm_ops == NULL)) {
24564 - ttm_vm_ops = vma->vm_ops;
24565 - radeon_ttm_vm_ops = *ttm_vm_ops;
24566 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24568 vma->vm_ops = &radeon_ttm_vm_ops;
24571 diff -urNp linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo.c
24572 --- linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-14 21:20:32.000000000 -0400
24573 +++ linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-21 18:31:35.000000000 -0400
24575 #include <asm/atomic.h>
24577 #define TTM_ASSERT_LOCKED(param)
24578 -#define TTM_DEBUG(fmt, arg...)
24579 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24580 #define TTM_BO_HASH_ORDER 13
24582 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24583 diff -urNp linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo_vm.c
24584 --- linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-14 21:20:32.000000000 -0400
24585 +++ linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-21 18:31:35.000000000 -0400
24586 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24590 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24591 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24593 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24594 vma->vm_private_data;
24595 - struct ttm_bo_device *bdev = bo->bdev;
24596 + struct ttm_bo_device *bdev;
24597 unsigned long page_offset;
24598 unsigned long page_last;
24600 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
24602 unsigned long address = (unsigned long)vmf->virtual_address;
24603 int retval = VM_FAULT_NOPAGE;
24604 - struct ttm_mem_type_manager *man =
24605 - &bdev->man[bo->mem.mem_type];
24606 + struct ttm_mem_type_manager *man;
24609 + return VM_FAULT_NOPAGE;
24611 + man = &bdev->man[bo->mem.mem_type];
24614 * Work around locking order reversal in fault / nopfn
24615 @@ -219,22 +223,25 @@ out_unlock:
24616 ttm_bo_unreserve(bo);
24619 +EXPORT_SYMBOL(ttm_bo_vm_fault);
24621 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24622 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24624 struct ttm_buffer_object *bo =
24625 (struct ttm_buffer_object *)vma->vm_private_data;
24627 (void)ttm_bo_reference(bo);
24629 +EXPORT_SYMBOL(ttm_bo_vm_open);
24631 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24632 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24634 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24637 vma->vm_private_data = NULL;
24639 +EXPORT_SYMBOL(ttm_bo_vm_close);
24641 static const struct vm_operations_struct ttm_bo_vm_ops = {
24642 .fault = ttm_bo_vm_fault,
24643 diff -urNp linux-2.6.38.1/drivers/hid/usbhid/hiddev.c linux-2.6.38.1/drivers/hid/usbhid/hiddev.c
24644 --- linux-2.6.38.1/drivers/hid/usbhid/hiddev.c 2011-03-14 21:20:32.000000000 -0400
24645 +++ linux-2.6.38.1/drivers/hid/usbhid/hiddev.c 2011-03-21 18:31:35.000000000 -0400
24646 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
24649 case HIDIOCAPPLICATION:
24650 - if (arg < 0 || arg >= hid->maxapplication)
24651 + if (arg >= hid->maxapplication)
24654 for (i = 0; i < hid->maxcollection; i++)
24655 diff -urNp linux-2.6.38.1/drivers/hwmon/k8temp.c linux-2.6.38.1/drivers/hwmon/k8temp.c
24656 --- linux-2.6.38.1/drivers/hwmon/k8temp.c 2011-03-14 21:20:32.000000000 -0400
24657 +++ linux-2.6.38.1/drivers/hwmon/k8temp.c 2011-03-21 18:31:35.000000000 -0400
24658 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
24660 static const struct pci_device_id k8temp_ids[] = {
24661 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
24663 + { 0, 0, 0, 0, 0, 0, 0 },
24666 MODULE_DEVICE_TABLE(pci, k8temp_ids);
24667 diff -urNp linux-2.6.38.1/drivers/hwmon/sis5595.c linux-2.6.38.1/drivers/hwmon/sis5595.c
24668 --- linux-2.6.38.1/drivers/hwmon/sis5595.c 2011-03-14 21:20:32.000000000 -0400
24669 +++ linux-2.6.38.1/drivers/hwmon/sis5595.c 2011-03-21 18:31:35.000000000 -0400
24670 @@ -701,7 +701,7 @@ static struct sis5595_data *sis5595_upda
24672 static const struct pci_device_id sis5595_pci_ids[] = {
24673 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24675 + { 0, 0, 0, 0, 0, 0, 0 }
24678 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
24679 diff -urNp linux-2.6.38.1/drivers/hwmon/via686a.c linux-2.6.38.1/drivers/hwmon/via686a.c
24680 --- linux-2.6.38.1/drivers/hwmon/via686a.c 2011-03-14 21:20:32.000000000 -0400
24681 +++ linux-2.6.38.1/drivers/hwmon/via686a.c 2011-03-21 18:31:35.000000000 -0400
24682 @@ -779,7 +779,7 @@ static struct via686a_data *via686a_upda
24684 static const struct pci_device_id via686a_pci_ids[] = {
24685 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
24687 + { 0, 0, 0, 0, 0, 0, 0 }
24690 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
24691 diff -urNp linux-2.6.38.1/drivers/hwmon/vt8231.c linux-2.6.38.1/drivers/hwmon/vt8231.c
24692 --- linux-2.6.38.1/drivers/hwmon/vt8231.c 2011-03-14 21:20:32.000000000 -0400
24693 +++ linux-2.6.38.1/drivers/hwmon/vt8231.c 2011-03-21 18:31:35.000000000 -0400
24694 @@ -701,7 +701,7 @@ static struct platform_driver vt8231_dri
24696 static const struct pci_device_id vt8231_pci_ids[] = {
24697 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
24699 + { 0, 0, 0, 0, 0, 0, 0 }
24702 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
24703 diff -urNp linux-2.6.38.1/drivers/hwmon/w83791d.c linux-2.6.38.1/drivers/hwmon/w83791d.c
24704 --- linux-2.6.38.1/drivers/hwmon/w83791d.c 2011-03-14 21:20:32.000000000 -0400
24705 +++ linux-2.6.38.1/drivers/hwmon/w83791d.c 2011-03-21 18:31:35.000000000 -0400
24706 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
24707 struct i2c_board_info *info);
24708 static int w83791d_remove(struct i2c_client *client);
24710 -static int w83791d_read(struct i2c_client *client, u8 register);
24711 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
24712 +static int w83791d_read(struct i2c_client *client, u8 reg);
24713 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
24714 static struct w83791d_data *w83791d_update_device(struct device *dev);
24717 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-i801.c linux-2.6.38.1/drivers/i2c/busses/i2c-i801.c
24718 --- linux-2.6.38.1/drivers/i2c/busses/i2c-i801.c 2011-03-14 21:20:32.000000000 -0400
24719 +++ linux-2.6.38.1/drivers/i2c/busses/i2c-i801.c 2011-03-21 18:31:35.000000000 -0400
24720 @@ -621,7 +621,7 @@ static const struct pci_device_id i801_i
24721 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF0) },
24722 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF1) },
24723 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF2) },
24725 + { 0, 0, 0, 0, 0, 0, 0 }
24728 MODULE_DEVICE_TABLE(pci, i801_ids);
24729 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-piix4.c linux-2.6.38.1/drivers/i2c/busses/i2c-piix4.c
24730 --- linux-2.6.38.1/drivers/i2c/busses/i2c-piix4.c 2011-03-14 21:20:32.000000000 -0400
24731 +++ linux-2.6.38.1/drivers/i2c/busses/i2c-piix4.c 2011-03-21 18:31:35.000000000 -0400
24732 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
24734 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
24737 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24740 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
24741 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
24742 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
24743 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
24744 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
24746 + { 0, 0, 0, 0, 0, 0, 0 }
24749 MODULE_DEVICE_TABLE (pci, piix4_ids);
24750 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-sis630.c linux-2.6.38.1/drivers/i2c/busses/i2c-sis630.c
24751 --- linux-2.6.38.1/drivers/i2c/busses/i2c-sis630.c 2011-03-14 21:20:32.000000000 -0400
24752 +++ linux-2.6.38.1/drivers/i2c/busses/i2c-sis630.c 2011-03-21 18:31:35.000000000 -0400
24753 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
24754 static const struct pci_device_id sis630_ids[] __devinitconst = {
24755 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24756 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
24758 + { 0, 0, 0, 0, 0, 0, 0 }
24761 MODULE_DEVICE_TABLE (pci, sis630_ids);
24762 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-sis96x.c linux-2.6.38.1/drivers/i2c/busses/i2c-sis96x.c
24763 --- linux-2.6.38.1/drivers/i2c/busses/i2c-sis96x.c 2011-03-14 21:20:32.000000000 -0400
24764 +++ linux-2.6.38.1/drivers/i2c/busses/i2c-sis96x.c 2011-03-21 18:31:35.000000000 -0400
24765 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
24767 static const struct pci_device_id sis96x_ids[] = {
24768 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
24770 + { 0, 0, 0, 0, 0, 0, 0 }
24773 MODULE_DEVICE_TABLE (pci, sis96x_ids);
24774 diff -urNp linux-2.6.38.1/drivers/ide/ide-cd.c linux-2.6.38.1/drivers/ide/ide-cd.c
24775 --- linux-2.6.38.1/drivers/ide/ide-cd.c 2011-03-14 21:20:32.000000000 -0400
24776 +++ linux-2.6.38.1/drivers/ide/ide-cd.c 2011-03-21 18:31:35.000000000 -0400
24777 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
24778 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
24779 if ((unsigned long)buf & alignment
24780 || blk_rq_bytes(rq) & q->dma_pad_mask
24781 - || object_is_on_stack(buf))
24782 + || object_starts_on_stack(buf))
24786 diff -urNp linux-2.6.38.1/drivers/infiniband/core/cm.c linux-2.6.38.1/drivers/infiniband/core/cm.c
24787 --- linux-2.6.38.1/drivers/infiniband/core/cm.c 2011-03-23 17:20:07.000000000 -0400
24788 +++ linux-2.6.38.1/drivers/infiniband/core/cm.c 2011-03-23 17:21:50.000000000 -0400
24789 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
24791 struct cm_counter_group {
24792 struct kobject obj;
24793 - atomic_long_t counter[CM_ATTR_COUNT];
24794 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
24797 struct cm_counter_attribute {
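Review bot: Changing `counter[]` in struct cm_counter_group to atomic_long_unchecked_t silently exempts these counters from whatever checking the plain atomic_long_t carries in this tree (presumably the overflow check the rest of the patch attaches to it), but nothing at the declaration says why that is acceptable here. A comment on the field would make the intent reviewable, e.g. `/* statistics only: wraparound is harmless, so the overflow-checked atomic variant is deliberately not used */`. The `_unchecked` call sites in the later hunks of this file (cm_dup_req_handler through cm_show_counter) then need no per-site comment, since they only follow the field's type.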
24798 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
24799 struct ib_mad_send_buf *msg = NULL;
24802 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24803 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24804 counter[CM_REQ_COUNTER]);
24806 /* Quick state check to discard duplicate REQs. */
24807 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
24811 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24812 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24813 counter[CM_REP_COUNTER]);
24814 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
24816 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
24817 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
24818 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
24819 spin_unlock_irq(&cm_id_priv->lock);
24820 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24821 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24822 counter[CM_RTU_COUNTER]);
24825 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
24826 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
24827 dreq_msg->local_comm_id);
24829 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24830 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24831 counter[CM_DREQ_COUNTER]);
24832 cm_issue_drep(work->port, work->mad_recv_wc);
24834 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
24835 case IB_CM_MRA_REP_RCVD:
24837 case IB_CM_TIMEWAIT:
24838 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24839 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24840 counter[CM_DREQ_COUNTER]);
24841 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
24843 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
24846 case IB_CM_DREQ_RCVD:
24847 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24848 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24849 counter[CM_DREQ_COUNTER]);
24852 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
24853 ib_modify_mad(cm_id_priv->av.port->mad_agent,
24854 cm_id_priv->msg, timeout)) {
24855 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
24856 - atomic_long_inc(&work->port->
24857 + atomic_long_inc_unchecked(&work->port->
24858 counter_group[CM_RECV_DUPLICATES].
24859 counter[CM_MRA_COUNTER]);
24861 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
24863 case IB_CM_MRA_REQ_RCVD:
24864 case IB_CM_MRA_REP_RCVD:
24865 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24866 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24867 counter[CM_MRA_COUNTER]);
24870 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
24871 case IB_CM_LAP_IDLE:
24873 case IB_CM_MRA_LAP_SENT:
24874 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24875 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24876 counter[CM_LAP_COUNTER]);
24877 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
24879 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
24882 case IB_CM_LAP_RCVD:
24883 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24884 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24885 counter[CM_LAP_COUNTER]);
24888 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
24889 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
24890 if (cur_cm_id_priv) {
24891 spin_unlock_irq(&cm.lock);
24892 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24893 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24894 counter[CM_SIDR_REQ_COUNTER]);
24895 goto out; /* Duplicate message. */
24897 @@ -3187,10 +3187,10 @@ static void cm_send_handler(struct ib_ma
24898 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
24901 - atomic_long_add(1 + msg->retries,
24902 + atomic_long_add_unchecked(1 + msg->retries,
24903 &port->counter_group[CM_XMIT].counter[attr_index]);
24905 - atomic_long_add(msg->retries,
24906 + atomic_long_add_unchecked(msg->retries,
24907 &port->counter_group[CM_XMIT_RETRIES].
24908 counter[attr_index]);
24910 @@ -3400,7 +3400,7 @@ static void cm_recv_handler(struct ib_ma
24913 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
24914 - atomic_long_inc(&port->counter_group[CM_RECV].
24915 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
24916 counter[attr_id - CM_ATTR_ID_OFFSET]);
24918 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
24919 @@ -3598,7 +3598,7 @@ static ssize_t cm_show_counter(struct ko
24920 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
24922 return sprintf(buf, "%ld\n",
24923 - atomic_long_read(&group->counter[cm_attr->index]));
24924 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
24927 static const struct sysfs_ops cm_counter_ops = {
24928 diff -urNp linux-2.6.38.1/drivers/infiniband/hw/qib/qib.h linux-2.6.38.1/drivers/infiniband/hw/qib/qib.h
24929 --- linux-2.6.38.1/drivers/infiniband/hw/qib/qib.h 2011-03-14 21:20:32.000000000 -0400
24930 +++ linux-2.6.38.1/drivers/infiniband/hw/qib/qib.h 2011-03-21 18:31:35.000000000 -0400
24932 #include <linux/completion.h>
24933 #include <linux/kref.h>
24934 #include <linux/sched.h>
24935 +#include <linux/slab.h>
24937 #include "qib_common.h"
24938 #include "qib_verbs.h"
24939 diff -urNp linux-2.6.38.1/drivers/input/keyboard/atkbd.c linux-2.6.38.1/drivers/input/keyboard/atkbd.c
24940 --- linux-2.6.38.1/drivers/input/keyboard/atkbd.c 2011-03-14 21:20:32.000000000 -0400
24941 +++ linux-2.6.38.1/drivers/input/keyboard/atkbd.c 2011-03-21 18:31:35.000000000 -0400
24942 @@ -1250,7 +1250,7 @@ static struct serio_device_id atkbd_seri
24944 .extra = SERIO_ANY,
24950 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
24951 diff -urNp linux-2.6.38.1/drivers/input/mouse/lifebook.c linux-2.6.38.1/drivers/input/mouse/lifebook.c
24952 --- linux-2.6.38.1/drivers/input/mouse/lifebook.c 2011-03-14 21:20:32.000000000 -0400
24953 +++ linux-2.6.38.1/drivers/input/mouse/lifebook.c 2011-03-21 18:31:35.000000000 -0400
24954 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
24955 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
24959 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
24962 void __init lifebook_module_init(void)
24963 diff -urNp linux-2.6.38.1/drivers/input/mouse/psmouse-base.c linux-2.6.38.1/drivers/input/mouse/psmouse-base.c
24964 --- linux-2.6.38.1/drivers/input/mouse/psmouse-base.c 2011-03-14 21:20:32.000000000 -0400
24965 +++ linux-2.6.38.1/drivers/input/mouse/psmouse-base.c 2011-03-21 18:31:35.000000000 -0400
24966 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
24968 .extra = SERIO_ANY,
24974 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
24975 diff -urNp linux-2.6.38.1/drivers/input/mouse/synaptics.c linux-2.6.38.1/drivers/input/mouse/synaptics.c
24976 --- linux-2.6.38.1/drivers/input/mouse/synaptics.c 2011-03-14 21:20:32.000000000 -0400
24977 +++ linux-2.6.38.1/drivers/input/mouse/synaptics.c 2011-03-21 18:31:35.000000000 -0400
24978 @@ -559,7 +559,7 @@ static void synaptics_process_packet(str
24981 if (SYN_MODEL_PEN(priv->model_id))
24982 - ; /* Nothing, treat a pen as a single finger */
24983 + break; /* Nothing, treat a pen as a single finger */
24986 if (SYN_CAP_PALMDETECT(priv->capabilities))
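Review bot: The `break;` that replaces the empty statement keeps the comment `/* Nothing, treat a pen as a single finger */`, which was written for an intentionally empty body and now annotates a control-flow exit, so it reads as if the break were a no-op. Reword it to say what the break accomplishes, e.g. `break; /* a pen is reported as a single finger: leave the defaults and skip the handling below */`, hedged because the rest of the switch is not in the hunk. synaptics_process_packet begins before this hunk.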
24987 @@ -825,7 +825,6 @@ static const struct dmi_system_id __init
24988 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
24989 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
24994 /* Toshiba Portege M300 */
24995 @@ -834,9 +833,8 @@ static const struct dmi_system_id __init
24996 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
24997 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25002 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25006 diff -urNp linux-2.6.38.1/drivers/input/mousedev.c linux-2.6.38.1/drivers/input/mousedev.c
25007 --- linux-2.6.38.1/drivers/input/mousedev.c 2011-03-14 21:20:32.000000000 -0400
25008 +++ linux-2.6.38.1/drivers/input/mousedev.c 2011-03-21 18:31:35.000000000 -0400
25009 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
25011 spin_unlock_irq(&client->packet_lock);
25013 - if (copy_to_user(buffer, data, count))
25014 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
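Review bot: The added `count > sizeof(data)` test only protects the copy out to user space; by the time it runs, data has already been filled and the packet lock released on the lines above, so if count could ever exceed sizeof(data) the earlier copy into data (outside this hunk; mousedev_read begins before it) would be the actual overflow and the bound belongs before that copy. If count is already clamped earlier in the function, the new test is a belt-and-braces guard and should say so, e.g. `/* count is already clamped to the buffered packet; re-check before copying out */`. An oversize count is also a size error rather than a bad user pointer, so sharing the failure path of copy_to_user (the return on the following line is not shown) is slightly misleading.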
25018 @@ -1067,7 +1067,7 @@ static struct input_handler mousedev_han
25020 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25021 static struct miscdevice psaux_mouse = {
25022 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25023 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25025 static int psaux_registered;
25027 diff -urNp linux-2.6.38.1/drivers/input/serio/i8042-x86ia64io.h linux-2.6.38.1/drivers/input/serio/i8042-x86ia64io.h
25028 --- linux-2.6.38.1/drivers/input/serio/i8042-x86ia64io.h 2011-03-14 21:20:32.000000000 -0400
25029 +++ linux-2.6.38.1/drivers/input/serio/i8042-x86ia64io.h 2011-03-21 18:31:35.000000000 -0400
25030 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25031 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25035 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25039 @@ -431,7 +431,7 @@ static const struct dmi_system_id __init
25040 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V13"),
25044 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25047 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25048 @@ -505,7 +505,7 @@ static const struct dmi_system_id __init
25049 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25053 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25057 @@ -524,7 +524,7 @@ static const struct dmi_system_id __init
25058 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25062 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25065 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25066 @@ -548,7 +548,7 @@ static const struct dmi_system_id __init
25067 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25071 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25075 @@ -640,7 +640,7 @@ static const struct dmi_system_id __init
25076 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25080 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25083 #endif /* CONFIG_X86 */
25084 diff -urNp linux-2.6.38.1/drivers/input/serio/serio_raw.c linux-2.6.38.1/drivers/input/serio/serio_raw.c
25085 --- linux-2.6.38.1/drivers/input/serio/serio_raw.c 2011-03-14 21:20:32.000000000 -0400
25086 +++ linux-2.6.38.1/drivers/input/serio/serio_raw.c 2011-03-21 18:31:35.000000000 -0400
25087 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25089 .extra = SERIO_ANY,
25095 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25096 diff -urNp linux-2.6.38.1/drivers/isdn/gigaset/common.c linux-2.6.38.1/drivers/isdn/gigaset/common.c
25097 --- linux-2.6.38.1/drivers/isdn/gigaset/common.c 2011-03-14 21:20:32.000000000 -0400
25098 +++ linux-2.6.38.1/drivers/isdn/gigaset/common.c 2011-03-21 18:31:35.000000000 -0400
25099 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25100 cs->commands_pending = 0;
25101 cs->cur_at_seq = 0;
25103 - cs->open_count = 0;
25104 + local_set(&cs->open_count, 0);
25107 cs->tty_dev = NULL;
25108 diff -urNp linux-2.6.38.1/drivers/isdn/gigaset/gigaset.h linux-2.6.38.1/drivers/isdn/gigaset/gigaset.h
25109 --- linux-2.6.38.1/drivers/isdn/gigaset/gigaset.h 2011-03-14 21:20:32.000000000 -0400
25110 +++ linux-2.6.38.1/drivers/isdn/gigaset/gigaset.h 2011-03-21 18:31:35.000000000 -0400
25112 #include <linux/tty_driver.h>
25113 #include <linux/list.h>
25114 #include <asm/atomic.h>
25115 +#include <asm/local.h>
25117 #define GIG_VERSION {0, 5, 0, 0}
25118 #define GIG_COMPAT {0, 4, 0, 0}
25119 @@ -433,7 +434,7 @@ struct cardstate {
25120 spinlock_t cmdlock;
25121 unsigned curlen, cmdbytes;
25123 - unsigned open_count;
25124 + local_t open_count;
25125 struct tty_struct *tty;
25126 struct tasklet_struct if_wake_tasklet;
25127 unsigned control_state;
25128 diff -urNp linux-2.6.38.1/drivers/isdn/gigaset/interface.c linux-2.6.38.1/drivers/isdn/gigaset/interface.c
25129 --- linux-2.6.38.1/drivers/isdn/gigaset/interface.c 2011-03-14 21:20:32.000000000 -0400
25130 +++ linux-2.6.38.1/drivers/isdn/gigaset/interface.c 2011-03-21 18:31:35.000000000 -0400
25131 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25132 return -ERESTARTSYS;
25133 tty->driver_data = cs;
25135 - ++cs->open_count;
25137 - if (cs->open_count == 1) {
25138 + if (local_inc_return(&cs->open_count) == 1) {
25139 spin_lock_irqsave(&cs->lock, flags);
25141 spin_unlock_irqrestore(&cs->lock, flags);
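Review bot: `local_inc_return(&cs->open_count)` in if_open, together with the local_read/local_dec_return sites in the following hunks and the `local_t open_count` field change in gigaset.h, provides atomicity only against other contexts on the same CPU; local_t is the per-CPU counter type, whereas cs->open_count lives in a per-device cardstate that any CPU may open, close or write through. That is correct only if every access is already serialized by a lock — the `return -ERESTARTSYS` just above suggests if_open takes a mutex, but the read sites in if_ioctl, if_write, if_write_room and friends are in other hunks and their locking is not visible here. Either use atomic_t, which is safe across CPUs, or document the lock on the declaration, e.g. `local_t open_count; /* serialized by the mutex taken in if_open(); local_t is not cross-CPU atomic */`. if_open begins before this hunk.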
25142 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25144 if (!cs->connected)
25145 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25146 - else if (!cs->open_count)
25147 + else if (!local_read(&cs->open_count))
25148 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25150 - if (!--cs->open_count) {
25151 + if (!local_dec_return(&cs->open_count)) {
25152 spin_lock_irqsave(&cs->lock, flags);
25154 spin_unlock_irqrestore(&cs->lock, flags);
25155 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25156 if (!cs->connected) {
25157 gig_dbg(DEBUG_IF, "not connected");
25159 - } else if (!cs->open_count)
25160 + } else if (!local_read(&cs->open_count))
25161 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25164 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
25168 - if (!cs->open_count) {
25169 + if (!local_read(&cs->open_count)) {
25170 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25173 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
25174 if (!cs->connected) {
25175 gig_dbg(DEBUG_IF, "not connected");
25177 - } else if (!cs->open_count)
25178 + } else if (!local_read(&cs->open_count))
25179 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25180 else if (cs->mstate != MS_LOCKED) {
25181 dev_warn(cs->dev, "can't write to unlocked device\n");
25182 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
25184 if (!cs->connected)
25185 gig_dbg(DEBUG_IF, "not connected");
25186 - else if (!cs->open_count)
25187 + else if (!local_read(&cs->open_count))
25188 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25189 else if (cs->mstate != MS_LOCKED)
25190 dev_warn(cs->dev, "can't write to unlocked device\n");
25191 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
25193 if (!cs->connected)
25194 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25195 - else if (!cs->open_count)
25196 + else if (!local_read(&cs->open_count))
25197 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25199 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25200 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
25202 if (!cs->connected)
25203 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25204 - else if (!cs->open_count)
25205 + else if (!local_read(&cs->open_count))
25206 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25208 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25209 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
25213 - if (!cs->open_count) {
25214 + if (!local_read(&cs->open_count)) {
25215 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25218 diff -urNp linux-2.6.38.1/drivers/isdn/hardware/avm/b1.c linux-2.6.38.1/drivers/isdn/hardware/avm/b1.c
25219 --- linux-2.6.38.1/drivers/isdn/hardware/avm/b1.c 2011-03-14 21:20:32.000000000 -0400
25220 +++ linux-2.6.38.1/drivers/isdn/hardware/avm/b1.c 2011-03-21 18:31:35.000000000 -0400
25221 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25224 if (t4file->user) {
25225 - if (copy_from_user(buf, dp, left))
25226 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25229 memcpy(buf, dp, left);
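Review bot: The bound `left > sizeof buf` is applied only on the user-space branch; the `memcpy(buf, dp, left)` in the else branch on the last line of the hunk copies the same `left` bytes into the same buffer with no check, so if `left` can exceed sizeof buf the kernel-side path overflows exactly as the user-side path would have. b1_load_t4file begins outside the hunk, so whether `left` is already bounded by the preceding loop is not visible; if it is, say so in a comment, otherwise hoist the check above the `if (t4file->user)` as `if (left > sizeof buf) return -EINVAL;` so both branches are covered. The b1_load_config hunk below and the icn_writecmd hunk in icn.c have the same asymmetry.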
25230 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25233 if (config->user) {
25234 - if (copy_from_user(buf, dp, left))
25235 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25238 memcpy(buf, dp, left);
25239 diff -urNp linux-2.6.38.1/drivers/isdn/icn/icn.c linux-2.6.38.1/drivers/isdn/icn/icn.c
25240 --- linux-2.6.38.1/drivers/isdn/icn/icn.c 2011-03-14 21:20:32.000000000 -0400
25241 +++ linux-2.6.38.1/drivers/isdn/icn/icn.c 2011-03-21 18:31:35.000000000 -0400
25242 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25246 - if (copy_from_user(msg, buf, count))
25247 + if (count > sizeof msg || copy_from_user(msg, buf, count))
25250 memcpy(msg, buf, count);
25251 diff -urNp linux-2.6.38.1/drivers/leds/leds-lp5521.c linux-2.6.38.1/drivers/leds/leds-lp5521.c
25252 --- linux-2.6.38.1/drivers/leds/leds-lp5521.c 2011-03-14 21:20:32.000000000 -0400
25253 +++ linux-2.6.38.1/drivers/leds/leds-lp5521.c 2011-03-21 18:31:35.000000000 -0400
25254 @@ -534,7 +534,7 @@ static ssize_t lp5521_selftest(struct de
25257 /* led class device attributes */
25258 -static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current);
25259 +static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current);
25260 static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL);
25262 static struct attribute *lp5521_led_attributes[] = {
25263 @@ -548,15 +548,15 @@ static struct attribute_group lp5521_led
25266 /* device attributes */
25267 -static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO,
25268 +static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR,
25269 show_engine1_mode, store_engine1_mode);
25270 -static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO,
25271 +static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR,
25272 show_engine2_mode, store_engine2_mode);
25273 -static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO,
25274 +static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR,
25275 show_engine3_mode, store_engine3_mode);
25276 -static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load);
25277 -static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load);
25278 -static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load);
25279 +static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load);
25280 +static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load);
25281 +static DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load);
25282 static DEVICE_ATTR(selftest, S_IRUGO, lp5521_selftest, NULL);
25284 static struct attribute *lp5521_attributes[] = {
25285 diff -urNp linux-2.6.38.1/drivers/leds/leds-lp5523.c linux-2.6.38.1/drivers/leds/leds-lp5523.c
25286 --- linux-2.6.38.1/drivers/leds/leds-lp5523.c 2011-03-14 21:20:32.000000000 -0400
25287 +++ linux-2.6.38.1/drivers/leds/leds-lp5523.c 2011-03-21 18:31:35.000000000 -0400
25288 @@ -713,7 +713,7 @@ static ssize_t store_current(struct devi
25291 /* led class device attributes */
25292 -static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current);
25293 +static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current);
25294 static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL);
25296 static struct attribute *lp5523_led_attributes[] = {
25297 @@ -727,21 +727,21 @@ static struct attribute_group lp5523_led
25300 /* device attributes */
25301 -static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO,
25302 +static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR,
25303 show_engine1_mode, store_engine1_mode);
25304 -static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO,
25305 +static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR,
25306 show_engine2_mode, store_engine2_mode);
25307 -static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO,
25308 +static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR,
25309 show_engine3_mode, store_engine3_mode);
25310 -static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUGO,
25311 +static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUSR,
25312 show_engine1_leds, store_engine1_leds);
25313 -static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUGO,
25314 +static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUSR,
25315 show_engine2_leds, store_engine2_leds);
25316 -static DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUGO,
25317 +static DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUSR,
25318 show_engine3_leds, store_engine3_leds);
25319 -static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load);
25320 -static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load);
25321 -static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load);
25322 +static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load);
25323 +static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load);
25324 +static DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load);
25325 static DEVICE_ATTR(selftest, S_IRUGO, lp5523_selftest, NULL);
25327 static struct attribute *lp5523_attributes[] = {
25328 diff -urNp linux-2.6.38.1/drivers/lguest/core.c linux-2.6.38.1/drivers/lguest/core.c
25329 --- linux-2.6.38.1/drivers/lguest/core.c 2011-03-14 21:20:32.000000000 -0400
25330 +++ linux-2.6.38.1/drivers/lguest/core.c 2011-03-21 18:31:35.000000000 -0400
25331 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25332 * it's worked so far. The end address needs +1 because __get_vm_area
25333 * allocates an extra guard page, so we need space for that.
25336 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25337 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25338 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25339 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25341 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25342 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25343 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25346 if (!switcher_vma) {
25348 printk("lguest: could not map switcher pages high\n");
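Review bot: The KERNEXEC branch duplicates the entire `__get_vm_area(...)` call and its three-line argument list, differing from the original only in the `VM_KERNEXEC` flag, so any later change to the size or address arguments has to be made in two places. Building the flags in a local and issuing the call once confines the `#if` to the one line that actually differs. map_switcher begins and ends outside the hunk, and the `#else`/`#endif` lines are not shown in this listing, so the excerpt below assumes the two calls are the only thing they bracket.
```c
	unsigned long vm_flags = VM_ALLOC;
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	vm_flags |= VM_KERNEXEC;	/* KERNEXEC: the copied-in switcher holds code */
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* … unchanged: NULL check and error message … */
```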
25349 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
25350 * Now the Switcher is mapped at the right address, we can't fail!
25351 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
25353 - memcpy(switcher_vma->addr, start_switcher_text,
25354 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
25355 end_switcher_text - start_switcher_text);
25357 printk(KERN_INFO "lguest: mapped switcher at %p\n",
25358 diff -urNp linux-2.6.38.1/drivers/lguest/x86/core.c linux-2.6.38.1/drivers/lguest/x86/core.c
25359 --- linux-2.6.38.1/drivers/lguest/x86/core.c 2011-03-14 21:20:32.000000000 -0400
25360 +++ linux-2.6.38.1/drivers/lguest/x86/core.c 2011-03-21 18:31:35.000000000 -0400
25361 @@ -59,7 +59,7 @@ static struct {
25362 /* Offset from where switcher.S was compiled to where we've copied it */
25363 static unsigned long switcher_offset(void)
25365 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
25366 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
25369 /* This cpu's struct lguest_pages. */
25370 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
25371 * These copies are pretty cheap, so we do them unconditionally: */
25372 /* Save the current Host top-level page directory.
25375 +#ifdef CONFIG_PAX_PER_CPU_PGD
25376 + pages->state.host_cr3 = read_cr3();
25378 pages->state.host_cr3 = __pa(current->mm->pgd);
25382 * Set up the Guest's page tables to see this CPU's pages (and no
25383 * other CPU's pages).
25384 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
25385 * compiled-in switcher code and the high-mapped copy we just made.
25387 for (i = 0; i < IDT_ENTRIES; i++)
25388 - default_idt_entries[i] += switcher_offset();
25389 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
25392 * Set up the Switcher's per-cpu areas.
25393 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
25394 * it will be undisturbed when we switch. To change %cs and jump we
25395 * need this structure to feed to Intel's "lcall" instruction.
25397 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
25398 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
25399 lguest_entry.segment = LGUEST_CS;
25402 diff -urNp linux-2.6.38.1/drivers/lguest/x86/switcher_32.S linux-2.6.38.1/drivers/lguest/x86/switcher_32.S
25403 --- linux-2.6.38.1/drivers/lguest/x86/switcher_32.S 2011-03-14 21:20:32.000000000 -0400
25404 +++ linux-2.6.38.1/drivers/lguest/x86/switcher_32.S 2011-03-21 18:31:35.000000000 -0400
25406 #include <asm/page.h>
25407 #include <asm/segment.h>
25408 #include <asm/lguest.h>
25409 +#include <asm/processor-flags.h>
25411 // We mark the start of the code to copy
25412 // It's placed in .text tho it's never run here
25413 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
25414 // Changes type when we load it: damn Intel!
25415 // For after we switch over our page tables
25416 // That entry will be read-only: we'd crash.
25418 +#ifdef CONFIG_PAX_KERNEXEC
25420 + xor $X86_CR0_WP, %edx
25424 movl $(GDT_ENTRY_TSS*8), %edx
25427 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
25428 // Let's clear it again for our return.
25429 // The GDT descriptor of the Host
25430 // Points to the table after two "size" bytes
25431 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
25432 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
25433 // Clear "used" from type field (byte 5, bit 2)
25434 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
25435 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
25437 +#ifdef CONFIG_PAX_KERNEXEC
25439 + xor $X86_CR0_WP, %eax
25443 // Once our page table's switched, the Guest is live!
25444 // The Host fades as we run this final step.
25445 @@ -295,13 +309,12 @@ deliver_to_host:
25446 // I consulted gcc, and it gave
25447 // These instructions, which I gladly credit:
25448 leal (%edx,%ebx,8), %eax
25449 - movzwl (%eax),%edx
25450 - movl 4(%eax), %eax
25453 + movl 4(%eax), %edx
25455 // Now the address of the handler's in %edx
25456 // We call it now: its "iret" drops us home.
25458 + ljmp $__KERNEL_CS, $1f
25461 // Every interrupt can come to us here
25462 // But we must truly tell each apart.
25463 diff -urNp linux-2.6.38.1/drivers/md/bitmap.c linux-2.6.38.1/drivers/md/bitmap.c
25464 --- linux-2.6.38.1/drivers/md/bitmap.c 2011-03-14 21:20:32.000000000 -0400
25465 +++ linux-2.6.38.1/drivers/md/bitmap.c 2011-03-21 18:31:35.000000000 -0400
25468 # define PRINTK(x...) printk(KERN_DEBUG x)
25470 -# define PRINTK(x...)
25471 +# define PRINTK(x...) do {} while (0)
25475 diff -urNp linux-2.6.38.1/drivers/md/dm-ioctl.c linux-2.6.38.1/drivers/md/dm-ioctl.c
25476 --- linux-2.6.38.1/drivers/md/dm-ioctl.c 2011-03-14 21:20:32.000000000 -0400
25477 +++ linux-2.6.38.1/drivers/md/dm-ioctl.c 2011-03-21 18:31:35.000000000 -0400
25478 @@ -1541,7 +1541,7 @@ static int validate_params(uint cmd, str
25479 cmd == DM_LIST_VERSIONS_CMD)
25482 - if ((cmd == DM_DEV_CREATE_CMD)) {
25483 + if (cmd == DM_DEV_CREATE_CMD) {
25484 if (!*param->name) {
25485 DMWARN("name not supplied when creating device");
25487 diff -urNp linux-2.6.38.1/drivers/md/dm-table.c linux-2.6.38.1/drivers/md/dm-table.c
25488 --- linux-2.6.38.1/drivers/md/dm-table.c 2011-03-14 21:20:32.000000000 -0400
25489 +++ linux-2.6.38.1/drivers/md/dm-table.c 2011-03-21 18:31:35.000000000 -0400
25490 @@ -372,7 +372,7 @@ static int device_area_is_invalid(struct
25494 - if ((start >= dev_size) || (start + len > dev_size)) {
25495 + if ((start >= dev_size) || (len > dev_size - start)) {
25496 DMWARN("%s: %s too small for target: "
25497 "start=%llu, len=%llu, dev_size=%llu",
25498 dm_device_name(ti->table->md), bdevname(bdev, b),
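Review bot: The rewritten condition on the `+` line is only overflow-safe because `start >= dev_size` is evaluated first, and nothing in the code records that the original `start + len` could wrap for an oversized `len` (the `%llu` format in the warning suggests 64-bit sector counts, so the sum presumably wraps silently); a later cleanup could restore the original form without noticing. Add a one-line comment above the `if`: `/* len > dev_size - start, not start + len > dev_size: the sum can wrap on a bogus len */`. The body of device_area_is_invalid starts and ends outside the hunk.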
25499 diff -urNp linux-2.6.38.1/drivers/md/md.c linux-2.6.38.1/drivers/md/md.c
25500 --- linux-2.6.38.1/drivers/md/md.c 2011-03-14 21:20:32.000000000 -0400
25501 +++ linux-2.6.38.1/drivers/md/md.c 2011-03-21 18:31:35.000000000 -0400
25502 @@ -1889,7 +1889,7 @@ static int bind_rdev_to_array(mdk_rdev_t
25504 ko = &part_to_dev(rdev->bdev->bd_part)->kobj;
25505 if (sysfs_create_link(&rdev->kobj, ko, "block"))
25506 - /* failure here is OK */;
25507 + /* failure here is OK */{}
25508 rdev->sysfs_state = sysfs_get_dirent_safe(rdev->kobj.sd, "state");
25510 list_add_rcu(&rdev->same_set, &mddev->disks);
25511 @@ -2499,7 +2499,7 @@ slot_store(mdk_rdev_t *rdev, const char
25512 sysfs_notify_dirent_safe(rdev->sysfs_state);
25513 sprintf(nm, "rd%d", rdev->raid_disk);
25514 if (sysfs_create_link(&rdev->mddev->kobj, &rdev->kobj, nm))
25515 - /* failure here is OK */;
25516 + /* failure here is OK */{}
25517 /* don't wakeup anyone, leave that to userspace. */
25519 if (slot >= rdev->mddev->raid_disks &&
25520 @@ -4594,7 +4594,7 @@ int md_run(mddev_t *mddev)
25522 sprintf(nm, "rd%d", rdev->raid_disk);
25523 if (sysfs_create_link(&mddev->kobj, &rdev->kobj, nm))
25524 - /* failure here is OK */;
25525 + /* failure here is OK */{}
25528 set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
25529 @@ -6462,7 +6462,7 @@ static int md_seq_show(struct seq_file *
25530 chunk_kb ? "KB" : "B");
25531 if (bitmap->file) {
25532 seq_printf(seq, ", file: ");
25533 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25534 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25537 seq_printf(seq, "\n");
25538 @@ -6556,7 +6556,7 @@ static int is_mddev_idle(mddev_t *mddev,
25539 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25540 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25541 (int)part_stat_read(&disk->part0, sectors[1]) -
25542 - atomic_read(&disk->sync_io);
25543 + atomic_read_unchecked(&disk->sync_io);
25544 /* sync IO will cause sync_io to increase before the disk_stats
25545 * as sync_io is counted when a request starts, and
25546 * disk_stats is counted when it completes.
25547 @@ -7070,7 +7070,7 @@ static int remove_and_add_spares(mddev_t
25548 sprintf(nm, "rd%d", rdev->raid_disk);
25549 if (sysfs_create_link(&mddev->kobj,
25551 - /* failure here is OK */;
25552 + /* failure here is OK */{}
25554 md_new_event(mddev);
25555 set_bit(MD_CHANGE_DEVS, &mddev->flags);
25556 diff -urNp linux-2.6.38.1/drivers/md/md.h linux-2.6.38.1/drivers/md/md.h
25557 --- linux-2.6.38.1/drivers/md/md.h 2011-03-14 21:20:32.000000000 -0400
25558 +++ linux-2.6.38.1/drivers/md/md.h 2011-03-21 18:31:35.000000000 -0400
25559 @@ -360,7 +360,7 @@ static inline void rdev_dec_pending(mdk_
25561 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25563 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25564 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25567 struct mdk_personality
25568 diff -urNp linux-2.6.38.1/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.38.1/drivers/media/dvb/dvb-core/dvbdev.c
25569 --- linux-2.6.38.1/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-14 21:20:32.000000000 -0400
25570 +++ linux-2.6.38.1/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-21 18:31:35.000000000 -0400
25571 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
25572 const struct dvb_device *template, void *priv, int type)
25574 struct dvb_device *dvbdev;
25575 - struct file_operations *dvbdevfops;
25576 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
25577 struct device *clsdev;
25580 diff -urNp linux-2.6.38.1/drivers/media/radio/radio-cadet.c linux-2.6.38.1/drivers/media/radio/radio-cadet.c
25581 --- linux-2.6.38.1/drivers/media/radio/radio-cadet.c 2011-03-14 21:20:32.000000000 -0400
25582 +++ linux-2.6.38.1/drivers/media/radio/radio-cadet.c 2011-03-21 18:31:35.000000000 -0400
25583 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
25584 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25585 mutex_unlock(&dev->lock);
25587 - if (copy_to_user(data, readbuf, i))
25588 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
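Review bot: The new `i > sizeof readbuf` test on the `+` line runs after the loop whose body, `readbuf[i++] = dev->rdsbuf[dev->rdsout++];` (first context line), has already stored into readbuf, so if `i` could in fact exceed `sizeof readbuf` the local buffer was overrun before the check fires; the check protects only the copy_to_user. If the loop's bound, whose head is outside the hunk, already keeps `i` within `sizeof readbuf`, this is defence in depth and should say so: `/* i is bounded by the loop above; re-check before copying out */`. Otherwise the limit belongs in the loop condition as an additional `i < sizeof readbuf` term rather than after the fact. cadet_read's body continues outside the hunk.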
25592 diff -urNp linux-2.6.38.1/drivers/media/rc/ir-lirc-codec.c linux-2.6.38.1/drivers/media/rc/ir-lirc-codec.c
25593 --- linux-2.6.38.1/drivers/media/rc/ir-lirc-codec.c 2011-03-14 21:20:32.000000000 -0400
25594 +++ linux-2.6.38.1/drivers/media/rc/ir-lirc-codec.c 2011-03-21 18:31:35.000000000 -0400
25595 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
25599 -static struct file_operations lirc_fops = {
25600 +static const struct file_operations lirc_fops = {
25601 .owner = THIS_MODULE,
25602 .write = ir_lirc_transmit_ir,
25603 .unlocked_ioctl = ir_lirc_ioctl,
25604 diff -urNp linux-2.6.38.1/drivers/media/rc/lirc_dev.c linux-2.6.38.1/drivers/media/rc/lirc_dev.c
25605 --- linux-2.6.38.1/drivers/media/rc/lirc_dev.c 2011-03-14 21:20:32.000000000 -0400
25606 +++ linux-2.6.38.1/drivers/media/rc/lirc_dev.c 2011-03-21 18:31:35.000000000 -0400
25607 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
25611 -static struct file_operations lirc_dev_fops = {
25612 +static const struct file_operations lirc_dev_fops = {
25613 .owner = THIS_MODULE,
25614 .read = lirc_dev_fop_read,
25615 .write = lirc_dev_fop_write,
25616 diff -urNp linux-2.6.38.1/drivers/media/video/sn9c102/sn9c102_core.c linux-2.6.38.1/drivers/media/video/sn9c102/sn9c102_core.c
25617 --- linux-2.6.38.1/drivers/media/video/sn9c102/sn9c102_core.c 2011-03-14 21:20:32.000000000 -0400
25618 +++ linux-2.6.38.1/drivers/media/video/sn9c102/sn9c102_core.c 2011-03-21 18:31:35.000000000 -0400
25619 @@ -1430,9 +1430,9 @@ static DEVICE_ATTR(i2c_reg, S_IRUGO | S_
25620 sn9c102_show_i2c_reg, sn9c102_store_i2c_reg);
25621 static DEVICE_ATTR(i2c_val, S_IRUGO | S_IWUSR,
25622 sn9c102_show_i2c_val, sn9c102_store_i2c_val);
25623 -static DEVICE_ATTR(green, S_IWUGO, NULL, sn9c102_store_green);
25624 -static DEVICE_ATTR(blue, S_IWUGO, NULL, sn9c102_store_blue);
25625 -static DEVICE_ATTR(red, S_IWUGO, NULL, sn9c102_store_red);
25626 +static DEVICE_ATTR(green, S_IWUSR, NULL, sn9c102_store_green);
25627 +static DEVICE_ATTR(blue, S_IWUSR, NULL, sn9c102_store_blue);
25628 +static DEVICE_ATTR(red, S_IWUSR, NULL, sn9c102_store_red);
25629 static DEVICE_ATTR(frame_header, S_IRUGO, sn9c102_show_frame_header, NULL);
25632 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptbase.c linux-2.6.38.1/drivers/message/fusion/mptbase.c
25633 --- linux-2.6.38.1/drivers/message/fusion/mptbase.c 2011-03-14 21:20:32.000000000 -0400
25634 +++ linux-2.6.38.1/drivers/message/fusion/mptbase.c 2011-03-21 18:31:35.000000000 -0400
25635 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
25636 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25637 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25639 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25640 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
25642 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25643 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25647 * Rounding UP to nearest 4-kB boundary here...
25649 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptdebug.h linux-2.6.38.1/drivers/message/fusion/mptdebug.h
25650 --- linux-2.6.38.1/drivers/message/fusion/mptdebug.h 2011-03-14 21:20:32.000000000 -0400
25651 +++ linux-2.6.38.1/drivers/message/fusion/mptdebug.h 2011-03-21 18:31:35.000000000 -0400
25656 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25657 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25661 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptsas.c linux-2.6.38.1/drivers/message/fusion/mptsas.c
25662 --- linux-2.6.38.1/drivers/message/fusion/mptsas.c 2011-03-14 21:20:32.000000000 -0400
25663 +++ linux-2.6.38.1/drivers/message/fusion/mptsas.c 2011-03-21 18:31:35.000000000 -0400
25664 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
25668 +static inline void
25669 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25671 + if (phy_info->port_details) {
25672 + phy_info->port_details->rphy = rphy;
25673 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25674 + ioc->name, rphy));
25678 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25679 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25680 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25681 + ioc->name, rphy, rphy->dev.release));
25687 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25688 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25692 -static inline void
25693 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25695 - if (phy_info->port_details) {
25696 - phy_info->port_details->rphy = rphy;
25697 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25698 - ioc->name, rphy));
25702 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25703 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25704 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25705 - ioc->name, rphy, rphy->dev.release));
25709 static inline struct sas_port *
25710 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25712 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptscsih.c linux-2.6.38.1/drivers/message/fusion/mptscsih.c
25713 --- linux-2.6.38.1/drivers/message/fusion/mptscsih.c 2011-03-14 21:20:32.000000000 -0400
25714 +++ linux-2.6.38.1/drivers/message/fusion/mptscsih.c 2011-03-21 18:31:35.000000000 -0400
25715 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
25717 h = shost_priv(SChost);
25720 - if (h->info_kbuf == NULL)
25721 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25722 - return h->info_kbuf;
25723 - h->info_kbuf[0] = '\0';
25727 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25728 - h->info_kbuf[size-1] = '\0';
25730 + if (h->info_kbuf == NULL)
25731 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25732 + return h->info_kbuf;
25733 + h->info_kbuf[0] = '\0';
25735 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25736 + h->info_kbuf[size-1] = '\0';
25738 return h->info_kbuf;
25740 diff -urNp linux-2.6.38.1/drivers/message/i2o/i2o_proc.c linux-2.6.38.1/drivers/message/i2o/i2o_proc.c
25741 --- linux-2.6.38.1/drivers/message/i2o/i2o_proc.c 2011-03-14 21:20:32.000000000 -0400
25742 +++ linux-2.6.38.1/drivers/message/i2o/i2o_proc.c 2011-03-21 18:31:35.000000000 -0400
25743 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25744 "Array Controller Device"
25747 -static char *chtostr(u8 * chars, int n)
25751 - return strncat(tmp, (char *)chars, n);
25754 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25757 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25759 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25760 seq_printf(seq, "%-#8x", ddm_table.module_id);
25761 - seq_printf(seq, "%-29s",
25762 - chtostr(ddm_table.module_name_version, 28));
25763 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25764 seq_printf(seq, "%9d ", ddm_table.data_size);
25765 seq_printf(seq, "%8d", ddm_table.code_size);
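Review bot: `%-.28s` on the `+` line of this hunk (and `%-.28s`/`%-.8s` in the @@ -940 hunk below) bounds the read to the fixed-width field, which the dropped strncat-based chtostr did not do safely, but it also drops the minimum field width the replaced `%-29s`/`%-9s` had, so short names are no longer padded and the columns of the table printed by the surrounding seq_printf calls (`%-#7x`, `%-#8x`, `%9d `) stop lining up. Width and precision combine: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);` here, and `"%-29.28s"`/`"%-9.8s"` in the later hunk, keep the layout while preserving the bounded read. Both enclosing functions start and end outside their hunks.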
25767 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25769 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25770 seq_printf(seq, "%-#8x", dst->module_id);
25771 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25772 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25773 + seq_printf(seq, "%-.28s", dst->module_name_version);
25774 + seq_printf(seq, "%-.8s", dst->date);
25775 seq_printf(seq, "%8d ", dst->module_size);
25776 seq_printf(seq, "%8d ", dst->mpb_size);
25777 seq_printf(seq, "0x%04x", dst->module_flags);
25778 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25779 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25780 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25781 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25782 - seq_printf(seq, "Vendor info : %s\n",
25783 - chtostr((u8 *) (work32 + 2), 16));
25784 - seq_printf(seq, "Product info : %s\n",
25785 - chtostr((u8 *) (work32 + 6), 16));
25786 - seq_printf(seq, "Description : %s\n",
25787 - chtostr((u8 *) (work32 + 10), 16));
25788 - seq_printf(seq, "Product rev. : %s\n",
25789 - chtostr((u8 *) (work32 + 14), 8));
25790 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
25791 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
25792 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
25793 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
25795 seq_printf(seq, "Serial number : ");
25796 print_serial_number(seq, (u8 *) (work32 + 16),
25797 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
25800 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
25801 - seq_printf(seq, "Module name : %s\n",
25802 - chtostr(result.module_name, 24));
25803 - seq_printf(seq, "Module revision : %s\n",
25804 - chtostr(result.module_rev, 8));
25805 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
25806 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
25808 seq_printf(seq, "Serial number : ");
25809 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
25810 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
25814 - seq_printf(seq, "Device name : %s\n",
25815 - chtostr(result.device_name, 64));
25816 - seq_printf(seq, "Service name : %s\n",
25817 - chtostr(result.service_name, 64));
25818 - seq_printf(seq, "Physical name : %s\n",
25819 - chtostr(result.physical_location, 64));
25820 - seq_printf(seq, "Instance number : %s\n",
25821 - chtostr(result.instance_number, 4));
25822 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
25823 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
25824 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
25825 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
25829 diff -urNp linux-2.6.38.1/drivers/mfd/ab3100-core.c linux-2.6.38.1/drivers/mfd/ab3100-core.c
25830 --- linux-2.6.38.1/drivers/mfd/ab3100-core.c 2011-03-14 21:20:32.000000000 -0400
25831 +++ linux-2.6.38.1/drivers/mfd/ab3100-core.c 2011-03-21 18:31:35.000000000 -0400
25832 @@ -613,7 +613,7 @@ static void ab3100_setup_debugfs(struct
25833 ab3100_get_priv.ab3100 = ab3100;
25834 ab3100_get_priv.mode = false;
25835 ab3100_get_reg_file = debugfs_create_file("get_reg",
25836 - S_IWUGO, ab3100_dir, &ab3100_get_priv,
25837 + S_IWUSR, ab3100_dir, &ab3100_get_priv,
25838 &ab3100_get_set_reg_fops);
25839 if (!ab3100_get_reg_file) {
25841 @@ -623,7 +623,7 @@ static void ab3100_setup_debugfs(struct
25842 ab3100_set_priv.ab3100 = ab3100;
25843 ab3100_set_priv.mode = true;
25844 ab3100_set_reg_file = debugfs_create_file("set_reg",
25845 - S_IWUGO, ab3100_dir, &ab3100_set_priv,
25846 + S_IWUSR, ab3100_dir, &ab3100_set_priv,
25847 &ab3100_get_set_reg_fops);
25848 if (!ab3100_set_reg_file) {
25850 diff -urNp linux-2.6.38.1/drivers/mfd/ab3550-core.c linux-2.6.38.1/drivers/mfd/ab3550-core.c
25851 --- linux-2.6.38.1/drivers/mfd/ab3550-core.c 2011-03-14 21:20:32.000000000 -0400
25852 +++ linux-2.6.38.1/drivers/mfd/ab3550-core.c 2011-03-21 18:31:35.000000000 -0400
25853 @@ -1053,17 +1053,17 @@ static inline void ab3550_setup_debugfs(
25854 goto exit_destroy_dir;
25856 ab3550_bank_file = debugfs_create_file("register-bank",
25857 - (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_bank_fops);
25858 + (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_bank_fops);
25859 if (!ab3550_bank_file)
25860 goto exit_destroy_reg;
25862 ab3550_address_file = debugfs_create_file("register-address",
25863 - (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_address_fops);
25864 + (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_address_fops);
25865 if (!ab3550_address_file)
25866 goto exit_destroy_bank;
25868 ab3550_val_file = debugfs_create_file("register-value",
25869 - (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_val_fops);
25870 + (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_val_fops);
25871 if (!ab3550_val_file)
25872 goto exit_destroy_address;
25874 diff -urNp linux-2.6.38.1/drivers/mfd/ab8500-debugfs.c linux-2.6.38.1/drivers/mfd/ab8500-debugfs.c
25875 --- linux-2.6.38.1/drivers/mfd/ab8500-debugfs.c 2011-03-14 21:20:32.000000000 -0400
25876 +++ linux-2.6.38.1/drivers/mfd/ab8500-debugfs.c 2011-03-21 18:31:35.000000000 -0400
25877 @@ -585,18 +585,18 @@ static int __devinit ab8500_debug_probe(
25878 goto exit_destroy_dir;
25880 ab8500_bank_file = debugfs_create_file("register-bank",
25881 - (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_bank_fops);
25882 + (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_bank_fops);
25883 if (!ab8500_bank_file)
25884 goto exit_destroy_reg;
25886 ab8500_address_file = debugfs_create_file("register-address",
25887 - (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev,
25888 + (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev,
25889 &ab8500_address_fops);
25890 if (!ab8500_address_file)
25891 goto exit_destroy_bank;
25893 ab8500_val_file = debugfs_create_file("register-value",
25894 - (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_val_fops);
25895 + (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_val_fops);
25896 if (!ab8500_val_file)
25897 goto exit_destroy_address;
25899 diff -urNp linux-2.6.38.1/drivers/mfd/janz-cmodio.c linux-2.6.38.1/drivers/mfd/janz-cmodio.c
25900 --- linux-2.6.38.1/drivers/mfd/janz-cmodio.c 2011-03-14 21:20:32.000000000 -0400
25901 +++ linux-2.6.38.1/drivers/mfd/janz-cmodio.c 2011-03-21 18:31:35.000000000 -0400
25904 #include <linux/kernel.h>
25905 #include <linux/module.h>
25906 +#include <linux/slab.h>
25907 #include <linux/init.h>
25908 #include <linux/pci.h>
25909 #include <linux/interrupt.h>
25910 diff -urNp linux-2.6.38.1/drivers/misc/ep93xx_pwm.c linux-2.6.38.1/drivers/misc/ep93xx_pwm.c
25911 --- linux-2.6.38.1/drivers/misc/ep93xx_pwm.c 2011-03-14 21:20:32.000000000 -0400
25912 +++ linux-2.6.38.1/drivers/misc/ep93xx_pwm.c 2011-03-21 18:31:35.000000000 -0400
25913 @@ -249,11 +249,11 @@ static ssize_t ep93xx_pwm_set_invert(str
25915 static DEVICE_ATTR(min_freq, S_IRUGO, ep93xx_pwm_get_min_freq, NULL);
25916 static DEVICE_ATTR(max_freq, S_IRUGO, ep93xx_pwm_get_max_freq, NULL);
25917 -static DEVICE_ATTR(freq, S_IWUGO | S_IRUGO,
25918 +static DEVICE_ATTR(freq, S_IWUSR | S_IRUGO,
25919 ep93xx_pwm_get_freq, ep93xx_pwm_set_freq);
25920 -static DEVICE_ATTR(duty_percent, S_IWUGO | S_IRUGO,
25921 +static DEVICE_ATTR(duty_percent, S_IWUSR | S_IRUGO,
25922 ep93xx_pwm_get_duty_percent, ep93xx_pwm_set_duty_percent);
25923 -static DEVICE_ATTR(invert, S_IWUGO | S_IRUGO,
25924 +static DEVICE_ATTR(invert, S_IWUSR | S_IRUGO,
25925 ep93xx_pwm_get_invert, ep93xx_pwm_set_invert);
25927 static struct attribute *ep93xx_pwm_attrs[] = {
25928 diff -urNp linux-2.6.38.1/drivers/misc/kgdbts.c linux-2.6.38.1/drivers/misc/kgdbts.c
25929 --- linux-2.6.38.1/drivers/misc/kgdbts.c 2011-03-14 21:20:32.000000000 -0400
25930 +++ linux-2.6.38.1/drivers/misc/kgdbts.c 2011-03-21 18:31:35.000000000 -0400
25931 @@ -118,7 +118,7 @@
25933 #define MAX_CONFIG_LEN 40
25935 -static struct kgdb_io kgdbts_io_ops;
25936 +static const struct kgdb_io kgdbts_io_ops;
25937 static char get_buf[BUFMAX];
25938 static int get_buf_cnt;
25939 static char put_buf[BUFMAX];
25940 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
25941 module_put(THIS_MODULE);
25944 -static struct kgdb_io kgdbts_io_ops = {
25945 +static const struct kgdb_io kgdbts_io_ops = {
25947 .read_char = kgdbts_get_char,
25948 .write_char = kgdbts_put_char,
25949 diff -urNp linux-2.6.38.1/drivers/misc/sgi-gru/gruhandles.c linux-2.6.38.1/drivers/misc/sgi-gru/gruhandles.c
25950 --- linux-2.6.38.1/drivers/misc/sgi-gru/gruhandles.c 2011-03-14 21:20:32.000000000 -0400
25951 +++ linux-2.6.38.1/drivers/misc/sgi-gru/gruhandles.c 2011-03-21 18:31:35.000000000 -0400
25952 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
25953 unsigned long nsec;
25955 nsec = CLKS2NSEC(clks);
25956 - atomic_long_inc(&mcs_op_statistics[op].count);
25957 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
25958 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
25959 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
25960 if (mcs_op_statistics[op].max < nsec)
25961 mcs_op_statistics[op].max = nsec;
25963 diff -urNp linux-2.6.38.1/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.38.1/drivers/misc/sgi-gru/gruprocfs.c
25964 --- linux-2.6.38.1/drivers/misc/sgi-gru/gruprocfs.c 2011-03-14 21:20:32.000000000 -0400
25965 +++ linux-2.6.38.1/drivers/misc/sgi-gru/gruprocfs.c 2011-03-21 18:31:35.000000000 -0400
25968 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
25970 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
25971 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
25973 - unsigned long val = atomic_long_read(v);
25974 + unsigned long val = atomic_long_read_unchecked(v);
25976 seq_printf(s, "%16lu %s\n", val, id);
25978 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
25980 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
25981 for (op = 0; op < mcsop_last; op++) {
25982 - count = atomic_long_read(&mcs_op_statistics[op].count);
25983 - total = atomic_long_read(&mcs_op_statistics[op].total);
25984 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
25985 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
25986 max = mcs_op_statistics[op].max;
25987 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
25988 count ? total / count : 0, max);
25989 diff -urNp linux-2.6.38.1/drivers/misc/sgi-gru/grutables.h linux-2.6.38.1/drivers/misc/sgi-gru/grutables.h
25990 --- linux-2.6.38.1/drivers/misc/sgi-gru/grutables.h 2011-03-14 21:20:32.000000000 -0400
25991 +++ linux-2.6.38.1/drivers/misc/sgi-gru/grutables.h 2011-03-21 18:31:35.000000000 -0400
25992 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
25995 struct gru_stats_s {
25996 - atomic_long_t vdata_alloc;
25997 - atomic_long_t vdata_free;
25998 - atomic_long_t gts_alloc;
25999 - atomic_long_t gts_free;
26000 - atomic_long_t gms_alloc;
26001 - atomic_long_t gms_free;
26002 - atomic_long_t gts_double_allocate;
26003 - atomic_long_t assign_context;
26004 - atomic_long_t assign_context_failed;
26005 - atomic_long_t free_context;
26006 - atomic_long_t load_user_context;
26007 - atomic_long_t load_kernel_context;
26008 - atomic_long_t lock_kernel_context;
26009 - atomic_long_t unlock_kernel_context;
26010 - atomic_long_t steal_user_context;
26011 - atomic_long_t steal_kernel_context;
26012 - atomic_long_t steal_context_failed;
26013 - atomic_long_t nopfn;
26014 - atomic_long_t asid_new;
26015 - atomic_long_t asid_next;
26016 - atomic_long_t asid_wrap;
26017 - atomic_long_t asid_reuse;
26018 - atomic_long_t intr;
26019 - atomic_long_t intr_cbr;
26020 - atomic_long_t intr_tfh;
26021 - atomic_long_t intr_spurious;
26022 - atomic_long_t intr_mm_lock_failed;
26023 - atomic_long_t call_os;
26024 - atomic_long_t call_os_wait_queue;
26025 - atomic_long_t user_flush_tlb;
26026 - atomic_long_t user_unload_context;
26027 - atomic_long_t user_exception;
26028 - atomic_long_t set_context_option;
26029 - atomic_long_t check_context_retarget_intr;
26030 - atomic_long_t check_context_unload;
26031 - atomic_long_t tlb_dropin;
26032 - atomic_long_t tlb_preload_page;
26033 - atomic_long_t tlb_dropin_fail_no_asid;
26034 - atomic_long_t tlb_dropin_fail_upm;
26035 - atomic_long_t tlb_dropin_fail_invalid;
26036 - atomic_long_t tlb_dropin_fail_range_active;
26037 - atomic_long_t tlb_dropin_fail_idle;
26038 - atomic_long_t tlb_dropin_fail_fmm;
26039 - atomic_long_t tlb_dropin_fail_no_exception;
26040 - atomic_long_t tfh_stale_on_fault;
26041 - atomic_long_t mmu_invalidate_range;
26042 - atomic_long_t mmu_invalidate_page;
26043 - atomic_long_t flush_tlb;
26044 - atomic_long_t flush_tlb_gru;
26045 - atomic_long_t flush_tlb_gru_tgh;
26046 - atomic_long_t flush_tlb_gru_zero_asid;
26048 - atomic_long_t copy_gpa;
26049 - atomic_long_t read_gpa;
26051 - atomic_long_t mesq_receive;
26052 - atomic_long_t mesq_receive_none;
26053 - atomic_long_t mesq_send;
26054 - atomic_long_t mesq_send_failed;
26055 - atomic_long_t mesq_noop;
26056 - atomic_long_t mesq_send_unexpected_error;
26057 - atomic_long_t mesq_send_lb_overflow;
26058 - atomic_long_t mesq_send_qlimit_reached;
26059 - atomic_long_t mesq_send_amo_nacked;
26060 - atomic_long_t mesq_send_put_nacked;
26061 - atomic_long_t mesq_page_overflow;
26062 - atomic_long_t mesq_qf_locked;
26063 - atomic_long_t mesq_qf_noop_not_full;
26064 - atomic_long_t mesq_qf_switch_head_failed;
26065 - atomic_long_t mesq_qf_unexpected_error;
26066 - atomic_long_t mesq_noop_unexpected_error;
26067 - atomic_long_t mesq_noop_lb_overflow;
26068 - atomic_long_t mesq_noop_qlimit_reached;
26069 - atomic_long_t mesq_noop_amo_nacked;
26070 - atomic_long_t mesq_noop_put_nacked;
26071 - atomic_long_t mesq_noop_page_overflow;
26072 + atomic_long_unchecked_t vdata_alloc;
26073 + atomic_long_unchecked_t vdata_free;
26074 + atomic_long_unchecked_t gts_alloc;
26075 + atomic_long_unchecked_t gts_free;
26076 + atomic_long_unchecked_t gms_alloc;
26077 + atomic_long_unchecked_t gms_free;
26078 + atomic_long_unchecked_t gts_double_allocate;
26079 + atomic_long_unchecked_t assign_context;
26080 + atomic_long_unchecked_t assign_context_failed;
26081 + atomic_long_unchecked_t free_context;
26082 + atomic_long_unchecked_t load_user_context;
26083 + atomic_long_unchecked_t load_kernel_context;
26084 + atomic_long_unchecked_t lock_kernel_context;
26085 + atomic_long_unchecked_t unlock_kernel_context;
26086 + atomic_long_unchecked_t steal_user_context;
26087 + atomic_long_unchecked_t steal_kernel_context;
26088 + atomic_long_unchecked_t steal_context_failed;
26089 + atomic_long_unchecked_t nopfn;
26090 + atomic_long_unchecked_t asid_new;
26091 + atomic_long_unchecked_t asid_next;
26092 + atomic_long_unchecked_t asid_wrap;
26093 + atomic_long_unchecked_t asid_reuse;
26094 + atomic_long_unchecked_t intr;
26095 + atomic_long_unchecked_t intr_cbr;
26096 + atomic_long_unchecked_t intr_tfh;
26097 + atomic_long_unchecked_t intr_spurious;
26098 + atomic_long_unchecked_t intr_mm_lock_failed;
26099 + atomic_long_unchecked_t call_os;
26100 + atomic_long_unchecked_t call_os_wait_queue;
26101 + atomic_long_unchecked_t user_flush_tlb;
26102 + atomic_long_unchecked_t user_unload_context;
26103 + atomic_long_unchecked_t user_exception;
26104 + atomic_long_unchecked_t set_context_option;
26105 + atomic_long_unchecked_t check_context_retarget_intr;
26106 + atomic_long_unchecked_t check_context_unload;
26107 + atomic_long_unchecked_t tlb_dropin;
26108 + atomic_long_unchecked_t tlb_preload_page;
26109 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26110 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26111 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26112 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26113 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26114 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26115 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26116 + atomic_long_unchecked_t tfh_stale_on_fault;
26117 + atomic_long_unchecked_t mmu_invalidate_range;
26118 + atomic_long_unchecked_t mmu_invalidate_page;
26119 + atomic_long_unchecked_t flush_tlb;
26120 + atomic_long_unchecked_t flush_tlb_gru;
26121 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26122 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26124 + atomic_long_unchecked_t copy_gpa;
26125 + atomic_long_unchecked_t read_gpa;
26127 + atomic_long_unchecked_t mesq_receive;
26128 + atomic_long_unchecked_t mesq_receive_none;
26129 + atomic_long_unchecked_t mesq_send;
26130 + atomic_long_unchecked_t mesq_send_failed;
26131 + atomic_long_unchecked_t mesq_noop;
26132 + atomic_long_unchecked_t mesq_send_unexpected_error;
26133 + atomic_long_unchecked_t mesq_send_lb_overflow;
26134 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26135 + atomic_long_unchecked_t mesq_send_amo_nacked;
26136 + atomic_long_unchecked_t mesq_send_put_nacked;
26137 + atomic_long_unchecked_t mesq_page_overflow;
26138 + atomic_long_unchecked_t mesq_qf_locked;
26139 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26140 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26141 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26142 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26143 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26144 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26145 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26146 + atomic_long_unchecked_t mesq_noop_put_nacked;
26147 + atomic_long_unchecked_t mesq_noop_page_overflow;
26151 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26152 tghop_invalidate, mcsop_last};
26154 struct mcs_op_statistic {
26155 - atomic_long_t count;
26156 - atomic_long_t total;
26157 + atomic_long_unchecked_t count;
26158 + atomic_long_unchecked_t total;
26162 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26164 #define STAT(id) do { \
26165 if (gru_options & OPT_STATS) \
26166 - atomic_long_inc(&gru_stats.id); \
26167 + atomic_long_inc_unchecked(&gru_stats.id); \
26170 #ifdef CONFIG_SGI_GRU_DEBUG
26171 diff -urNp linux-2.6.38.1/drivers/mtd/devices/doc2000.c linux-2.6.38.1/drivers/mtd/devices/doc2000.c
26172 --- linux-2.6.38.1/drivers/mtd/devices/doc2000.c 2011-03-14 21:20:32.000000000 -0400
26173 +++ linux-2.6.38.1/drivers/mtd/devices/doc2000.c 2011-03-21 18:31:35.000000000 -0400
26174 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26176 /* The ECC will not be calculated correctly if less than 512 is written */
26178 - if (len != 0x200 && eccbuf)
26179 + if (len != 0x200)
26180 printk(KERN_WARNING
26181 "ECC needs a full sector write (adr: %lx size %lx)\n",
26182 (long) to, (long) len);
26183 diff -urNp linux-2.6.38.1/drivers/mtd/devices/doc2001.c linux-2.6.38.1/drivers/mtd/devices/doc2001.c
26184 --- linux-2.6.38.1/drivers/mtd/devices/doc2001.c 2011-03-14 21:20:32.000000000 -0400
26185 +++ linux-2.6.38.1/drivers/mtd/devices/doc2001.c 2011-03-21 18:31:35.000000000 -0400
26186 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26187 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26189 /* Don't allow read past end of device */
26190 - if (from >= this->totlen)
26191 + if (from >= this->totlen || !len)
26194 /* Don't allow a single read to cross a 512-byte block boundary */
26195 diff -urNp linux-2.6.38.1/drivers/mtd/nand/denali.c linux-2.6.38.1/drivers/mtd/nand/denali.c
26196 --- linux-2.6.38.1/drivers/mtd/nand/denali.c 2011-03-14 21:20:32.000000000 -0400
26197 +++ linux-2.6.38.1/drivers/mtd/nand/denali.c 2011-03-21 18:31:35.000000000 -0400
26199 #include <linux/pci.h>
26200 #include <linux/mtd/mtd.h>
26201 #include <linux/module.h>
26202 +#include <linux/slab.h>
26204 #include "denali.h"
26206 diff -urNp linux-2.6.38.1/drivers/mtd/ubi/build.c linux-2.6.38.1/drivers/mtd/ubi/build.c
26207 --- linux-2.6.38.1/drivers/mtd/ubi/build.c 2011-03-14 21:20:32.000000000 -0400
26208 +++ linux-2.6.38.1/drivers/mtd/ubi/build.c 2011-03-21 18:31:35.000000000 -0400
26209 @@ -1285,7 +1285,7 @@ module_exit(ubi_exit);
26210 static int __init bytes_str_to_int(const char *str)
26213 - unsigned long result;
26214 + unsigned long result, scale = 1;
26216 result = simple_strtoul(str, &endp, 0);
26217 if (str == endp || result >= INT_MAX) {
26218 @@ -1296,11 +1296,11 @@ static int __init bytes_str_to_int(const
26230 if (endp[1] == 'i' && endp[2] == 'B')
26233 @@ -1311,7 +1311,13 @@ static int __init bytes_str_to_int(const
26238 + if ((intoverflow_t)result*scale >= INT_MAX) {
26239 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26244 + return result*scale;
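Review bot: The overflow guard `if ((intoverflow_t)result*scale >= INT_MAX)` relies on `intoverflow_t`, a grsecurity-only type that has to be wider than `unsigned long` on every architecture for the product to be meaningful; a division-based check needs no wider type and reads the same everywhere: `if (result > INT_MAX / scale)`. The `result >= INT_MAX` test already in the function (`if (str == endp || result >= INT_MAX)`) covers `scale == 1`, and `scale` starts at 1 and is presumably only replaced by the suffix multipliers in the collapsed lines, so the division cannot be by zero — worth a one-line comment at the check either way. The suffix handling and the error path between the two visible lines are not shown, so confirm every branch leaves `scale` set before the multiply.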
26248 diff -urNp linux-2.6.38.1/drivers/net/e1000e/82571.c linux-2.6.38.1/drivers/net/e1000e/82571.c
26249 --- linux-2.6.38.1/drivers/net/e1000e/82571.c 2011-03-14 21:20:32.000000000 -0400
26250 +++ linux-2.6.38.1/drivers/net/e1000e/82571.c 2011-03-21 18:31:35.000000000 -0400
26251 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
26253 struct e1000_hw *hw = &adapter->hw;
26254 struct e1000_mac_info *mac = &hw->mac;
26255 - struct e1000_mac_operations *func = &mac->ops;
26256 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
26259 bool force_clear_smbi = false;
26260 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
26264 -static struct e1000_mac_operations e82571_mac_ops = {
26265 +static const struct e1000_mac_operations e82571_mac_ops = {
26266 /* .check_mng_mode: mac type dependent */
26267 /* .check_for_link: media type dependent */
26268 .id_led_init = e1000e_id_led_init,
26269 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
26270 .read_mac_addr = e1000_read_mac_addr_82571,
26273 -static struct e1000_phy_operations e82_phy_ops_igp = {
26274 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26275 .acquire = e1000_get_hw_semaphore_82571,
26276 .check_polarity = e1000_check_polarity_igp,
26277 .check_reset_block = e1000e_check_reset_block_generic,
26278 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
26279 .cfg_on_link_up = NULL,
26282 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26283 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26284 .acquire = e1000_get_hw_semaphore_82571,
26285 .check_polarity = e1000_check_polarity_m88,
26286 .check_reset_block = e1000e_check_reset_block_generic,
26287 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
26288 .cfg_on_link_up = NULL,
26291 -static struct e1000_phy_operations e82_phy_ops_bm = {
26292 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26293 .acquire = e1000_get_hw_semaphore_82571,
26294 .check_polarity = e1000_check_polarity_m88,
26295 .check_reset_block = e1000e_check_reset_block_generic,
26296 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
26297 .cfg_on_link_up = NULL,
26300 -static struct e1000_nvm_operations e82571_nvm_ops = {
26301 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26302 .acquire = e1000_acquire_nvm_82571,
26303 .read = e1000e_read_nvm_eerd,
26304 .release = e1000_release_nvm_82571,
26305 diff -urNp linux-2.6.38.1/drivers/net/e1000e/e1000.h linux-2.6.38.1/drivers/net/e1000e/e1000.h
26306 --- linux-2.6.38.1/drivers/net/e1000e/e1000.h 2011-03-14 21:20:32.000000000 -0400
26307 +++ linux-2.6.38.1/drivers/net/e1000e/e1000.h 2011-03-21 18:31:35.000000000 -0400
26308 @@ -408,9 +408,9 @@ struct e1000_info {
26310 u32 max_hw_frame_size;
26311 s32 (*get_variants)(struct e1000_adapter *);
26312 - struct e1000_mac_operations *mac_ops;
26313 - struct e1000_phy_operations *phy_ops;
26314 - struct e1000_nvm_operations *nvm_ops;
26315 + const struct e1000_mac_operations *mac_ops;
26316 + const struct e1000_phy_operations *phy_ops;
26317 + const struct e1000_nvm_operations *nvm_ops;
26320 /* hardware capability, feature, and workaround flags */
26321 diff -urNp linux-2.6.38.1/drivers/net/e1000e/es2lan.c linux-2.6.38.1/drivers/net/e1000e/es2lan.c
26322 --- linux-2.6.38.1/drivers/net/e1000e/es2lan.c 2011-03-14 21:20:32.000000000 -0400
26323 +++ linux-2.6.38.1/drivers/net/e1000e/es2lan.c 2011-03-21 18:31:35.000000000 -0400
26324 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
26326 struct e1000_hw *hw = &adapter->hw;
26327 struct e1000_mac_info *mac = &hw->mac;
26328 - struct e1000_mac_operations *func = &mac->ops;
26329 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
26331 /* Set media type */
26332 switch (adapter->pdev->device) {
26333 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
26337 -static struct e1000_mac_operations es2_mac_ops = {
26338 +static const struct e1000_mac_operations es2_mac_ops = {
26339 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26340 .id_led_init = e1000e_id_led_init,
26341 .check_mng_mode = e1000e_check_mng_mode_generic,
26342 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
26343 .setup_led = e1000e_setup_led_generic,
26346 -static struct e1000_phy_operations es2_phy_ops = {
26347 +static const struct e1000_phy_operations es2_phy_ops = {
26348 .acquire = e1000_acquire_phy_80003es2lan,
26349 .check_polarity = e1000_check_polarity_m88,
26350 .check_reset_block = e1000e_check_reset_block_generic,
26351 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
26352 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26355 -static struct e1000_nvm_operations es2_nvm_ops = {
26356 +static const struct e1000_nvm_operations es2_nvm_ops = {
26357 .acquire = e1000_acquire_nvm_80003es2lan,
26358 .read = e1000e_read_nvm_eerd,
26359 .release = e1000_release_nvm_80003es2lan,
26360 diff -urNp linux-2.6.38.1/drivers/net/e1000e/hw.h linux-2.6.38.1/drivers/net/e1000e/hw.h
26361 --- linux-2.6.38.1/drivers/net/e1000e/hw.h 2011-03-14 21:20:32.000000000 -0400
26362 +++ linux-2.6.38.1/drivers/net/e1000e/hw.h 2011-03-21 18:31:35.000000000 -0400
26363 @@ -801,16 +801,17 @@ struct e1000_phy_operations {
26365 /* Function pointers for the NVM. */
26366 struct e1000_nvm_operations {
26367 - s32 (*acquire)(struct e1000_hw *);
26368 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26369 - void (*release)(struct e1000_hw *);
26370 - s32 (*update)(struct e1000_hw *);
26371 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26372 - s32 (*validate)(struct e1000_hw *);
26373 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26374 + s32 (* acquire)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
26375 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26376 + void (* release)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
26377 + s32 (* const update)(struct e1000_hw *);
26378 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26379 + s32 (* const validate)(struct e1000_hw *);
26380 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26383 struct e1000_mac_info {
26384 + /* cannot be const see e1000_init_mac_params_ich8lan */
26385 struct e1000_mac_operations ops;
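Review bot: Making `read`, `update`, `valid_led_default`, `validate` and `write` const members while `acquire` and `release` stay writable leaves `struct e1000_nvm_operations` half-protected, and a struct with any const member is no longer assignable with `=`, so the `ops` copy embedded in `struct e1000_nvm_info` (marked `/* cannot be const */`) can only be filled by `memcpy`, which casts the const away and defeats the protection the change is after. Either keep the member pointers writable and rely on the `static const` table definitions in 82571.c, es2lan.c and ich8lan.c (those objects are already read-only as a whole), or make `e1000_nvm_info.ops` a `const struct e1000_nvm_operations *` so the per-device overrides in e1000_init_nvm_params_82571() select a different table instead of patching members. The comments on `acquire` and `release` would also be more useful naming the write they refer to, e.g. `/* overwritten per mac type in e1000_init_nvm_params_82571(), so cannot be const */`. The definition of struct e1000_phy_operations above is outside the hunk.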
26388 @@ -853,6 +854,7 @@ struct e1000_mac_info {
26391 struct e1000_phy_info {
26392 + /* Cannot be const see e1000_init_phy_params_82571() */
26393 struct e1000_phy_operations ops;
26395 enum e1000_phy_type type;
26396 @@ -887,6 +889,7 @@ struct e1000_phy_info {
26399 struct e1000_nvm_info {
26400 + /* cannot be const */
26401 struct e1000_nvm_operations ops;
26403 enum e1000_nvm_type type;
26404 diff -urNp linux-2.6.38.1/drivers/net/e1000e/ich8lan.c linux-2.6.38.1/drivers/net/e1000e/ich8lan.c
26405 --- linux-2.6.38.1/drivers/net/e1000e/ich8lan.c 2011-03-14 21:20:32.000000000 -0400
26406 +++ linux-2.6.38.1/drivers/net/e1000e/ich8lan.c 2011-03-21 18:31:35.000000000 -0400
26407 @@ -3840,7 +3840,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26411 -static struct e1000_mac_operations ich8_mac_ops = {
26412 +static const struct e1000_mac_operations ich8_mac_ops = {
26413 .id_led_init = e1000e_id_led_init,
26414 /* check_mng_mode dependent on mac type */
26415 .check_for_link = e1000_check_for_copper_link_ich8lan,
26416 @@ -3859,7 +3859,7 @@ static struct e1000_mac_operations ich8_
26417 /* id_led_init dependent on mac type */
26420 -static struct e1000_phy_operations ich8_phy_ops = {
26421 +static const struct e1000_phy_operations ich8_phy_ops = {
26422 .acquire = e1000_acquire_swflag_ich8lan,
26423 .check_reset_block = e1000_check_reset_block_ich8lan,
26425 @@ -3873,7 +3873,7 @@ static struct e1000_phy_operations ich8_
26426 .write_reg = e1000e_write_phy_reg_igp,
26429 -static struct e1000_nvm_operations ich8_nvm_ops = {
26430 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26431 .acquire = e1000_acquire_nvm_ich8lan,
26432 .read = e1000_read_nvm_ich8lan,
26433 .release = e1000_release_nvm_ich8lan,
26434 diff -urNp linux-2.6.38.1/drivers/net/igb/e1000_82575.c linux-2.6.38.1/drivers/net/igb/e1000_82575.c
26435 --- linux-2.6.38.1/drivers/net/igb/e1000_82575.c 2011-03-14 21:20:32.000000000 -0400
26436 +++ linux-2.6.38.1/drivers/net/igb/e1000_82575.c 2011-03-21 18:31:35.000000000 -0400
26437 @@ -1747,7 +1747,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26441 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26442 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26443 .init_hw = igb_init_hw_82575,
26444 .check_for_link = igb_check_for_link_82575,
26445 .rar_set = igb_rar_set,
26446 @@ -1755,13 +1755,13 @@ static struct e1000_mac_operations e1000
26447 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26450 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26451 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26452 .acquire = igb_acquire_phy_82575,
26453 .get_cfg_done = igb_get_cfg_done_82575,
26454 .release = igb_release_phy_82575,
26457 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26458 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26459 .acquire = igb_acquire_nvm_82575,
26460 .read = igb_read_nvm_eerd,
26461 .release = igb_release_nvm_82575,
26462 diff -urNp linux-2.6.38.1/drivers/net/igb/e1000_hw.h linux-2.6.38.1/drivers/net/igb/e1000_hw.h
26463 --- linux-2.6.38.1/drivers/net/igb/e1000_hw.h 2011-03-14 21:20:32.000000000 -0400
26464 +++ linux-2.6.38.1/drivers/net/igb/e1000_hw.h 2011-03-21 18:31:35.000000000 -0400
26465 @@ -327,22 +327,23 @@ struct e1000_phy_operations {
26468 struct e1000_nvm_operations {
26469 - s32 (*acquire)(struct e1000_hw *);
26470 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26471 - void (*release)(struct e1000_hw *);
26472 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26473 + s32 (* const acquire)(struct e1000_hw *);
26474 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26475 + void (* const release)(struct e1000_hw *);
26476 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26479 struct e1000_info {
26480 s32 (*get_invariants)(struct e1000_hw *);
26481 - struct e1000_mac_operations *mac_ops;
26482 - struct e1000_phy_operations *phy_ops;
26483 - struct e1000_nvm_operations *nvm_ops;
26484 + const struct e1000_mac_operations *mac_ops;
26485 + const struct e1000_phy_operations *phy_ops;
26486 + const struct e1000_nvm_operations *nvm_ops;
26489 extern const struct e1000_info e1000_82575_info;
26491 struct e1000_mac_info {
26492 + /* cannot be const see igb_get_invariants_82575() */
26493 struct e1000_mac_operations ops;
26496 @@ -381,6 +382,7 @@ struct e1000_mac_info {
26499 struct e1000_phy_info {
26500 + /* cannot be const see igb_get_invariants_82575() */
26501 struct e1000_phy_operations ops;
26503 enum e1000_phy_type type;
26504 @@ -416,6 +418,7 @@ struct e1000_phy_info {
26507 struct e1000_nvm_info {
26508 + /* cannot be const */
26509 struct e1000_nvm_operations ops;
26511 enum e1000_nvm_type type;
26512 diff -urNp linux-2.6.38.1/drivers/net/igbvf/vf.h linux-2.6.38.1/drivers/net/igbvf/vf.h
26513 --- linux-2.6.38.1/drivers/net/igbvf/vf.h 2011-03-14 21:20:32.000000000 -0400
26514 +++ linux-2.6.38.1/drivers/net/igbvf/vf.h 2011-03-21 18:31:35.000000000 -0400
26515 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
26518 struct e1000_mac_info {
26519 + /* cannot be const see e1000_init_mac_params_vf() */
26520 struct e1000_mac_operations ops;
26523 diff -urNp linux-2.6.38.1/drivers/net/irda/vlsi_ir.c linux-2.6.38.1/drivers/net/irda/vlsi_ir.c
26524 --- linux-2.6.38.1/drivers/net/irda/vlsi_ir.c 2011-03-14 21:20:32.000000000 -0400
26525 +++ linux-2.6.38.1/drivers/net/irda/vlsi_ir.c 2011-03-21 18:31:35.000000000 -0400
26526 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26527 /* no race - tx-ring already empty */
26528 vlsi_set_baud(idev, iobase);
26529 netif_wake_queue(ndev);
26534 /* keep the speed change pending like it would
26535 * for any len>0 packet. tx completion interrupt
26536 * will apply it when the tx ring becomes empty.
26539 spin_unlock_irqrestore(&idev->lock, flags);
26540 dev_kfree_skb_any(skb);
26541 return NETDEV_TX_OK;
26542 diff -urNp linux-2.6.38.1/drivers/net/pcnet32.c linux-2.6.38.1/drivers/net/pcnet32.c
26543 --- linux-2.6.38.1/drivers/net/pcnet32.c 2011-03-14 21:20:32.000000000 -0400
26544 +++ linux-2.6.38.1/drivers/net/pcnet32.c 2011-03-21 18:31:35.000000000 -0400
26545 @@ -82,7 +82,7 @@ static int cards_found;
26547 * VLB I/O addresses
26549 -static unsigned int pcnet32_portlist[] __initdata =
26550 +static unsigned int pcnet32_portlist[] __devinitdata =
26551 { 0x300, 0x320, 0x340, 0x360, 0 };
26553 static int pcnet32_debug;
26554 diff -urNp linux-2.6.38.1/drivers/net/ppp_generic.c linux-2.6.38.1/drivers/net/ppp_generic.c
26555 --- linux-2.6.38.1/drivers/net/ppp_generic.c 2011-03-14 21:20:32.000000000 -0400
26556 +++ linux-2.6.38.1/drivers/net/ppp_generic.c 2011-03-21 18:31:35.000000000 -0400
26557 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, st
26558 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26559 struct ppp_stats stats;
26560 struct ppp_comp_stats cstats;
26564 case SIOCGPPPSTATS:
26565 @@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, st
26569 - vers = PPP_VERSION;
26570 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26571 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26575 diff -urNp linux-2.6.38.1/drivers/net/tg3.h linux-2.6.38.1/drivers/net/tg3.h
26576 --- linux-2.6.38.1/drivers/net/tg3.h 2011-03-14 21:20:32.000000000 -0400
26577 +++ linux-2.6.38.1/drivers/net/tg3.h 2011-03-21 18:31:35.000000000 -0400
26578 @@ -131,6 +131,7 @@
26579 #define CHIPREV_ID_5750_A0 0x4000
26580 #define CHIPREV_ID_5750_A1 0x4001
26581 #define CHIPREV_ID_5750_A3 0x4003
26582 +#define CHIPREV_ID_5750_C1 0x4201
26583 #define CHIPREV_ID_5750_C2 0x4202
26584 #define CHIPREV_ID_5752_A0_HW 0x5000
26585 #define CHIPREV_ID_5752_A0 0x6000
26586 diff -urNp linux-2.6.38.1/drivers/net/tulip/de4x5.c linux-2.6.38.1/drivers/net/tulip/de4x5.c
26587 --- linux-2.6.38.1/drivers/net/tulip/de4x5.c 2011-03-14 21:20:32.000000000 -0400
26588 +++ linux-2.6.38.1/drivers/net/tulip/de4x5.c 2011-03-21 18:31:35.000000000 -0400
26589 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26590 for (i=0; i<ETH_ALEN; i++) {
26591 tmp.addr[i] = dev->dev_addr[i];
26593 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26594 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26597 case DE4X5_SET_HWADDR: /* Set the hardware address */
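Review bot: Rejecting an over-long `ioc->len` with `-EFAULT` conflates a bad length with a bad user pointer; `-EINVAL` is the conventional error for a caller-supplied size that exceeds the object, and it tells the userspace caller which of the two to fix. Suggested: `if (ioc->len > sizeof tmp.addr) return -EINVAL;` followed by the unchanged `if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;`. The declaration of `tmp` and the rest of the DE4X5_GET_HWADDR case are outside the hunk.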
26598 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26599 spin_lock_irqsave(&lp->lock, flags);
26600 memcpy(&statbuf, &lp->pktStats, ioc->len);
26601 spin_unlock_irqrestore(&lp->lock, flags);
26602 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26603 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
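Review bot: The new bound check sits after `memcpy(&statbuf, &lp->pktStats, ioc->len);`, so if `ioc->len` still carries the user's value at that point the stack buffer has already been overrun (or `pktStats` over-read) before the check runs; the guard must precede the copy, e.g. `if (ioc->len > sizeof statbuf) return -EINVAL;` ahead of the `spin_lock_irqsave`. If the lines just above the hunk pin `ioc->len = sizeof(statbuf)` as mainline's DE4X5_GET_STATS case does, both the memcpy and the added test are bounded by construction and the check is merely redundant — a comment should say which. The enclosing case begins before the hunk.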
26607 diff -urNp linux-2.6.38.1/drivers/net/usb/hso.c linux-2.6.38.1/drivers/net/usb/hso.c
26608 --- linux-2.6.38.1/drivers/net/usb/hso.c 2011-03-14 21:20:32.000000000 -0400
26609 +++ linux-2.6.38.1/drivers/net/usb/hso.c 2011-03-21 18:31:35.000000000 -0400
26611 #include <asm/byteorder.h>
26612 #include <linux/serial_core.h>
26613 #include <linux/serial.h>
26615 +#include <asm/local.h>
26617 #define MOD_AUTHOR "Option Wireless"
26618 #define MOD_DESCRIPTION "USB High Speed Option driver"
26619 @@ -257,7 +257,7 @@ struct hso_serial {
26621 /* from usb_serial_port */
26622 struct tty_struct *tty;
26624 + local_t open_count;
26625 spinlock_t serial_lock;
26627 int (*write_data) (struct hso_serial *serial);
26628 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
26631 urb = serial->rx_urb[0];
26632 - if (serial->open_count > 0) {
26633 + if (local_read(&serial->open_count) > 0) {
26634 count = put_rxbuf_data(urb, serial);
26637 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
26638 DUMP1(urb->transfer_buffer, urb->actual_length);
26640 /* Anyone listening? */
26641 - if (serial->open_count == 0)
26642 + if (local_read(&serial->open_count) == 0)
26646 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
26647 spin_unlock_irq(&serial->serial_lock);
26649 /* check for port already opened, if not set the termios */
26650 - serial->open_count++;
26651 - if (serial->open_count == 1) {
26652 + if (local_inc_return(&serial->open_count) == 1) {
26653 serial->rx_state = RX_IDLE;
26654 /* Force default termio settings */
26655 _hso_serial_set_termios(tty, NULL);
26656 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
26657 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26659 hso_stop_serial_device(serial->parent);
26660 - serial->open_count--;
26661 + local_dec(&serial->open_count);
26662 kref_put(&serial->parent->ref, hso_serial_ref_free);
26665 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
26667 /* reset the rts and dtr */
26668 /* do the actual close */
26669 - serial->open_count--;
26670 + local_dec(&serial->open_count);
26672 - if (serial->open_count <= 0) {
26673 - serial->open_count = 0;
26674 + if (local_read(&serial->open_count) <= 0) {
26675 + local_set(&serial->open_count, 0);
26676 spin_lock_irq(&serial->serial_lock);
26677 if (serial->tty == tty) {
26678 serial->tty->driver_data = NULL;
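Review bot: `local_dec(&serial->open_count)` followed by `local_read(...) <= 0` and `local_set(..., 0)` is still a non-atomic read-then-write sequence, and `local_t` only guarantees atomicity against interrupts on the same CPU — it provides no atomicity or ordering across CPUs, so it cannot protect `open_count` from the URB completion paths (`put_rxbuf_data_and_resubmit_bulk_urb`, `hso_std_serial_read_bulk_callback`, `intr_callback`) that read it on other CPUs. If hso_serial_open/close already run under a per-device mutex (the locking is outside the hunk) the counter only needs a plain `int` under that mutex and the callbacks' reads are racy snapshots either way; if they do not, `atomic_t` with `if (atomic_dec_return(&serial->open_count) <= 0)` is the primitive that actually gives the cross-CPU guarantee. The rest of hso_serial_close is outside the hunk.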
26679 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
26681 /* the actual setup */
26682 spin_lock_irqsave(&serial->serial_lock, flags);
26683 - if (serial->open_count)
26684 + if (local_read(&serial->open_count))
26685 _hso_serial_set_termios(tty, old);
26687 tty->termios = old;
26688 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
26689 D1("Pending read interrupt on port %d\n", i);
26690 spin_lock(&serial->serial_lock);
26691 if (serial->rx_state == RX_IDLE &&
26692 - serial->open_count > 0) {
26693 + local_read(&serial->open_count) > 0) {
26694 /* Setup and send a ctrl req read on
26696 if (!serial->rx_urb_filled[0]) {
26697 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
26698 /* Start all serial ports */
26699 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26700 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26701 - if (dev2ser(serial_table[i])->open_count) {
26702 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
26704 hso_start_serial_device(serial_table[i], GFP_NOIO);
26705 hso_kick_transmit(dev2ser(serial_table[i]));
26706 diff -urNp linux-2.6.38.1/drivers/net/wireless/b43/debugfs.c linux-2.6.38.1/drivers/net/wireless/b43/debugfs.c
26707 --- linux-2.6.38.1/drivers/net/wireless/b43/debugfs.c 2011-03-14 21:20:32.000000000 -0400
26708 +++ linux-2.6.38.1/drivers/net/wireless/b43/debugfs.c 2011-03-21 18:31:35.000000000 -0400
26709 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26710 struct b43_debugfs_fops {
26711 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26712 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26713 - struct file_operations fops;
26714 + const struct file_operations fops;
26715 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26716 size_t file_struct_offset;
26718 diff -urNp linux-2.6.38.1/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.38.1/drivers/net/wireless/b43legacy/debugfs.c
26719 --- linux-2.6.38.1/drivers/net/wireless/b43legacy/debugfs.c 2011-03-14 21:20:32.000000000 -0400
26720 +++ linux-2.6.38.1/drivers/net/wireless/b43legacy/debugfs.c 2011-03-21 18:31:35.000000000 -0400
26721 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26722 struct b43legacy_debugfs_fops {
26723 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26724 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26725 - struct file_operations fops;
26726 + const struct file_operations fops;
26727 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26728 size_t file_struct_offset;
26729 /* Take wl->irq_lock before calling read/write? */
26730 diff -urNp linux-2.6.38.1/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.38.1/drivers/net/wireless/iwlwifi/iwl-debug.h
26731 --- linux-2.6.38.1/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-14 21:20:32.000000000 -0400
26732 +++ linux-2.6.38.1/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-21 18:31:35.000000000 -0400
26733 @@ -68,8 +68,8 @@ do {
26737 -#define IWL_DEBUG(__priv, level, fmt, args...)
26738 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26739 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26740 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26741 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26742 const void *p, u32 len)
26744 diff -urNp linux-2.6.38.1/drivers/net/wireless/libertas/debugfs.c linux-2.6.38.1/drivers/net/wireless/libertas/debugfs.c
26745 --- linux-2.6.38.1/drivers/net/wireless/libertas/debugfs.c 2011-03-14 21:20:32.000000000 -0400
26746 +++ linux-2.6.38.1/drivers/net/wireless/libertas/debugfs.c 2011-03-21 18:31:35.000000000 -0400
26747 @@ -702,7 +702,7 @@ out_unlock:
26748 struct lbs_debugfs_files {
26751 - struct file_operations fops;
26752 + const struct file_operations fops;
26755 static const struct lbs_debugfs_files debugfs_files[] = {
26756 diff -urNp linux-2.6.38.1/drivers/net/wireless/rndis_wlan.c linux-2.6.38.1/drivers/net/wireless/rndis_wlan.c
26757 --- linux-2.6.38.1/drivers/net/wireless/rndis_wlan.c 2011-03-14 21:20:32.000000000 -0400
26758 +++ linux-2.6.38.1/drivers/net/wireless/rndis_wlan.c 2011-03-21 18:31:35.000000000 -0400
26759 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
26761 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26763 - if (rts_threshold < 0 || rts_threshold > 2347)
26764 + if (rts_threshold > 2347)
26765 rts_threshold = 2347;
26767 tmp = cpu_to_le32(rts_threshold);
26768 diff -urNp linux-2.6.38.1/drivers/oprofile/buffer_sync.c linux-2.6.38.1/drivers/oprofile/buffer_sync.c
26769 --- linux-2.6.38.1/drivers/oprofile/buffer_sync.c 2011-03-14 21:20:32.000000000 -0400
26770 +++ linux-2.6.38.1/drivers/oprofile/buffer_sync.c 2011-03-21 18:31:35.000000000 -0400
26771 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
26772 if (cookie == NO_COOKIE)
26774 if (cookie == INVALID_COOKIE) {
26775 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26776 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26779 if (cookie != last_cookie) {
26780 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
26781 /* add userspace sample */
26784 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
26785 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26789 cookie = lookup_dcookie(mm, s->eip, &offset);
26791 if (cookie == INVALID_COOKIE) {
26792 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26793 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26797 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
26798 /* ignore backtraces if failed to add a sample */
26799 if (state == sb_bt_start) {
26800 state = sb_bt_ignore;
26801 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26802 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26806 diff -urNp linux-2.6.38.1/drivers/oprofile/event_buffer.c linux-2.6.38.1/drivers/oprofile/event_buffer.c
26807 --- linux-2.6.38.1/drivers/oprofile/event_buffer.c 2011-03-14 21:20:32.000000000 -0400
26808 +++ linux-2.6.38.1/drivers/oprofile/event_buffer.c 2011-03-21 18:31:35.000000000 -0400
26809 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26812 if (buffer_pos == buffer_size) {
26813 - atomic_inc(&oprofile_stats.event_lost_overflow);
26814 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26818 diff -urNp linux-2.6.38.1/drivers/oprofile/oprof.c linux-2.6.38.1/drivers/oprofile/oprof.c
26819 --- linux-2.6.38.1/drivers/oprofile/oprof.c 2011-03-14 21:20:32.000000000 -0400
26820 +++ linux-2.6.38.1/drivers/oprofile/oprof.c 2011-03-21 18:31:35.000000000 -0400
26821 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26822 if (oprofile_ops.switch_events())
26825 - atomic_inc(&oprofile_stats.multiplex_counter);
26826 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26827 start_switch_worker();
26830 diff -urNp linux-2.6.38.1/drivers/oprofile/oprofilefs.c linux-2.6.38.1/drivers/oprofile/oprofilefs.c
26831 --- linux-2.6.38.1/drivers/oprofile/oprofilefs.c 2011-03-14 21:20:32.000000000 -0400
26832 +++ linux-2.6.38.1/drivers/oprofile/oprofilefs.c 2011-03-21 18:31:35.000000000 -0400
26833 @@ -186,7 +186,7 @@ static const struct file_operations atom
26836 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26837 - char const *name, atomic_t *val)
26838 + char const *name, atomic_unchecked_t *val)
26840 return __oprofilefs_create_file(sb, root, name,
26841 &atomic_ro_fops, 0444, val);
26842 diff -urNp linux-2.6.38.1/drivers/oprofile/oprofile_stats.c linux-2.6.38.1/drivers/oprofile/oprofile_stats.c
26843 --- linux-2.6.38.1/drivers/oprofile/oprofile_stats.c 2011-03-14 21:20:32.000000000 -0400
26844 +++ linux-2.6.38.1/drivers/oprofile/oprofile_stats.c 2011-03-21 18:31:35.000000000 -0400
26845 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26846 cpu_buf->sample_invalid_eip = 0;
26849 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26850 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26851 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
26852 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26853 - atomic_set(&oprofile_stats.multiplex_counter, 0);
26854 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26855 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26856 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26857 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26858 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26862 diff -urNp linux-2.6.38.1/drivers/oprofile/oprofile_stats.h linux-2.6.38.1/drivers/oprofile/oprofile_stats.h
26863 --- linux-2.6.38.1/drivers/oprofile/oprofile_stats.h 2011-03-14 21:20:32.000000000 -0400
26864 +++ linux-2.6.38.1/drivers/oprofile/oprofile_stats.h 2011-03-21 18:31:35.000000000 -0400
26865 @@ -13,11 +13,11 @@
26866 #include <asm/atomic.h>
26868 struct oprofile_stat_struct {
26869 - atomic_t sample_lost_no_mm;
26870 - atomic_t sample_lost_no_mapping;
26871 - atomic_t bt_lost_no_mapping;
26872 - atomic_t event_lost_overflow;
26873 - atomic_t multiplex_counter;
26874 + atomic_unchecked_t sample_lost_no_mm;
26875 + atomic_unchecked_t sample_lost_no_mapping;
26876 + atomic_unchecked_t bt_lost_no_mapping;
26877 + atomic_unchecked_t event_lost_overflow;
26878 + atomic_unchecked_t multiplex_counter;
26881 extern struct oprofile_stat_struct oprofile_stats;
26882 diff -urNp linux-2.6.38.1/drivers/parport/procfs.c linux-2.6.38.1/drivers/parport/procfs.c
26883 --- linux-2.6.38.1/drivers/parport/procfs.c 2011-03-14 21:20:32.000000000 -0400
26884 +++ linux-2.6.38.1/drivers/parport/procfs.c 2011-03-21 18:31:35.000000000 -0400
26885 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
26889 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
26890 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
26893 #ifdef CONFIG_PARPORT_1284
26894 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
26898 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
26899 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
26901 #endif /* IEEE1284.3 support. */
26903 diff -urNp linux-2.6.38.1/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.38.1/drivers/pci/hotplug/acpiphp_glue.c
26904 --- linux-2.6.38.1/drivers/pci/hotplug/acpiphp_glue.c 2011-03-14 21:20:32.000000000 -0400
26905 +++ linux-2.6.38.1/drivers/pci/hotplug/acpiphp_glue.c 2011-03-21 18:31:35.000000000 -0400
26906 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
26910 -static struct acpi_dock_ops acpiphp_dock_ops = {
26911 +static const struct acpi_dock_ops acpiphp_dock_ops = {
26912 .handler = handle_hotplug_event_func,
26915 diff -urNp linux-2.6.38.1/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.38.1/drivers/pci/hotplug/cpqphp_nvram.c
26916 --- linux-2.6.38.1/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-14 21:20:32.000000000 -0400
26917 +++ linux-2.6.38.1/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-21 18:31:35.000000000 -0400
26918 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
26920 void compaq_nvram_init (void __iomem *rom_start)
26923 +#ifndef CONFIG_PAX_KERNEXEC
26925 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
26929 dbg("int15 entry = %p\n", compaq_int15_entry_point);
26931 /* initialize our int15 lock */
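Review bot: Under `CONFIG_PAX_KERNEXEC` the new `#ifndef` skips the only assignment to `compaq_int15_entry_point`, so the pointer keeps its static initial value, and nothing visible shows the later int15 callers in this file tolerating an unset entry point. Those callers need a guard such as `if (!compaq_int15_entry_point) return -ENODEV;` (or the NVRAM path has to be compiled out with it), and the `#ifndef` deserves a comment recording the reason, presumably that calling into the option ROM is incompatible with KERNEXEC's non-executable policy: `/* KERNEXEC: never call into ROM code, leave the int15 entry unset */`. The `#endif`, the rest of compaq_nvram_init and the position of the `dbg()` line relative to the block are collapsed out of this view.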
26932 diff -urNp linux-2.6.38.1/drivers/pci/intel-iommu.c linux-2.6.38.1/drivers/pci/intel-iommu.c
26933 --- linux-2.6.38.1/drivers/pci/intel-iommu.c 2011-03-14 21:20:32.000000000 -0400
26934 +++ linux-2.6.38.1/drivers/pci/intel-iommu.c 2011-03-21 18:31:35.000000000 -0400
26935 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
26939 -struct dma_map_ops intel_dma_ops = {
26940 +const struct dma_map_ops intel_dma_ops = {
26941 .alloc_coherent = intel_alloc_coherent,
26942 .free_coherent = intel_free_coherent,
26943 .map_sg = intel_map_sg,
26944 diff -urNp linux-2.6.38.1/drivers/pci/pcie/aspm.c linux-2.6.38.1/drivers/pci/pcie/aspm.c
26945 --- linux-2.6.38.1/drivers/pci/pcie/aspm.c 2011-03-14 21:20:32.000000000 -0400
26946 +++ linux-2.6.38.1/drivers/pci/pcie/aspm.c 2011-03-21 18:31:35.000000000 -0400
26948 #define MODULE_PARAM_PREFIX "pcie_aspm."
26950 /* Note: those are not register definitions */
26951 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
26952 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
26953 -#define ASPM_STATE_L1 (4) /* L1 state */
26954 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
26955 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
26956 +#define ASPM_STATE_L1 (4U) /* L1 state */
26957 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
26958 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
26960 diff -urNp linux-2.6.38.1/drivers/pci/pcie/portdrv_pci.c linux-2.6.38.1/drivers/pci/pcie/portdrv_pci.c
26961 --- linux-2.6.38.1/drivers/pci/pcie/portdrv_pci.c 2011-03-14 21:20:32.000000000 -0400
26962 +++ linux-2.6.38.1/drivers/pci/pcie/portdrv_pci.c 2011-03-21 18:31:35.000000000 -0400
26963 @@ -307,7 +307,7 @@ static void pcie_portdrv_err_resume(stru
26964 static const struct pci_device_id port_pci_ids[] = { {
26965 /* handle any PCI-Express port */
26966 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
26967 - }, { /* end: all zeroes */ }
26968 + }, { 0, 0, 0, 0, 0, 0, 0 }
26970 MODULE_DEVICE_TABLE(pci, port_pci_ids);
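Review bot: Replacing `{ /* end: all zeroes */ }` with `{ 0, 0, 0, 0, 0, 0, 0 }` ties the sentinel to `struct pci_device_id` having exactly seven members in that order and drops the comment that explained the entry; the terminator that survives a struct change is `{ 0 }` (or the original empty initializer, which GNU C accepts), keeping the comment: `}, { 0 } /* end: all zeroes */`. If the motivation was a `-Wmissing-field-initializers` warning, a positional list only silences it until a field is added.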
26972 diff -urNp linux-2.6.38.1/drivers/pci/probe.c linux-2.6.38.1/drivers/pci/probe.c
26973 --- linux-2.6.38.1/drivers/pci/probe.c 2011-03-14 21:20:32.000000000 -0400
26974 +++ linux-2.6.38.1/drivers/pci/probe.c 2011-03-21 18:31:35.000000000 -0400
26975 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
26979 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
26980 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
26981 struct device_attribute *attr,
26984 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
26987 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
26988 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
26989 struct device_attribute *attr,
26992 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
26996 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
26997 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
26999 if (!dev->mmio_always_on) {
27000 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
27001 diff -urNp linux-2.6.38.1/drivers/pci/proc.c linux-2.6.38.1/drivers/pci/proc.c
27002 --- linux-2.6.38.1/drivers/pci/proc.c 2011-03-14 21:20:32.000000000 -0400
27003 +++ linux-2.6.38.1/drivers/pci/proc.c 2011-03-21 18:31:35.000000000 -0400
27004 @@ -476,7 +476,16 @@ static const struct file_operations proc
27005 static int __init pci_proc_init(void)
27007 struct pci_dev *dev = NULL;
27009 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27010 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27011 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27012 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27013 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27016 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27018 proc_create("devices", 0, proc_bus_pci_dir,
27019 &proc_bus_pci_dev_operations);
27020 proc_initialized = 1;
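Review bot: The return value of proc_mkdir_mode() (and of the retained proc_mkdir() fallback) is never checked before proc_create("devices", ...) uses proc_bus_pci_dir as its parent, so on failure the entry is created under a NULL parent, presumably /proc itself, and the mode restriction this hunk adds is silently lost. pci_proc_init() already returns int, so `if (!proc_bus_pci_dir) return -ENOMEM;` right after the directory is created would close this. Note that the hardening rests entirely on the directory mode: "devices" is still created with mode 0, which the proc core presumably maps to a world-readable default, and that is fine only while the directory stays user/group-only. pci_proc_init's body continues outside the hunk.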
27021 diff -urNp linux-2.6.38.1/drivers/pcmcia/ti113x.h linux-2.6.38.1/drivers/pcmcia/ti113x.h
27022 --- linux-2.6.38.1/drivers/pcmcia/ti113x.h 2011-03-14 21:20:32.000000000 -0400
27023 +++ linux-2.6.38.1/drivers/pcmcia/ti113x.h 2011-03-21 18:31:35.000000000 -0400
27024 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27025 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27026 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27029 + { 0, 0, 0, 0, 0, 0, 0 }
27032 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27033 diff -urNp linux-2.6.38.1/drivers/pcmcia/yenta_socket.c linux-2.6.38.1/drivers/pcmcia/yenta_socket.c
27034 --- linux-2.6.38.1/drivers/pcmcia/yenta_socket.c 2011-03-14 21:20:32.000000000 -0400
27035 +++ linux-2.6.38.1/drivers/pcmcia/yenta_socket.c 2011-03-21 18:31:35.000000000 -0400
27036 @@ -1426,7 +1426,7 @@ static struct pci_device_id yenta_table[
27038 /* match any cardbus bridge */
27039 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27040 - { /* all zeroes */ }
27041 + { 0, 0, 0, 0, 0, 0, 0 }
27043 MODULE_DEVICE_TABLE(pci, yenta_table);
27045 diff -urNp linux-2.6.38.1/drivers/platform/x86/asus-laptop.c linux-2.6.38.1/drivers/platform/x86/asus-laptop.c
27046 --- linux-2.6.38.1/drivers/platform/x86/asus-laptop.c 2011-03-14 21:20:32.000000000 -0400
27047 +++ linux-2.6.38.1/drivers/platform/x86/asus-laptop.c 2011-03-21 18:31:35.000000000 -0400
27048 @@ -243,7 +243,6 @@ struct asus_laptop {
27049 struct asus_led gled;
27050 struct asus_led kled;
27051 struct workqueue_struct *led_workqueue;
27053 int wireless_status;
27056 diff -urNp linux-2.6.38.1/drivers/pnp/pnpbios/bioscalls.c linux-2.6.38.1/drivers/pnp/pnpbios/bioscalls.c
27057 --- linux-2.6.38.1/drivers/pnp/pnpbios/bioscalls.c 2011-03-14 21:20:32.000000000 -0400
27058 +++ linux-2.6.38.1/drivers/pnp/pnpbios/bioscalls.c 2011-03-21 18:31:35.000000000 -0400
27059 @@ -59,7 +59,7 @@ do { \
27060 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27063 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27064 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27065 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
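Review bot: The type byte of bad_bios_desc changes from 0x4092 to 0x4093, which sets the descriptor's accessed bit, and nothing in the hunk says why; a reader will take it for a typo and revert it. If the reason is that the GDT is now mapped read-only and a pre-set accessed bit spares the CPU the descriptor write it would otherwise perform on segment load (which would fault), record it next to the initializer: `/* accessed bit pre-set: the GDT may be read-only, so the CPU must not need to write it on load */`. The `const` qualifier alone does not convey this, since the descriptor is still copied into the live GDT below.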
27068 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27071 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27073 + pax_open_kernel();
27074 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27075 + pax_close_kernel();
27077 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27078 spin_lock_irqsave(&pnp_bios_lock, flags);
27079 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27081 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27083 + pax_open_kernel();
27084 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27085 + pax_close_kernel();
27089 /* If we get here and this is set then the PnP BIOS faulted on us. */
27090 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27094 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27095 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27099 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27100 pnp_bios_callpoint.offset = header->fields.pm16offset;
27101 pnp_bios_callpoint.segment = PNP_CS16;
27103 + pax_open_kernel();
27105 for_each_possible_cpu(i) {
27106 struct desc_struct *gdt = get_cpu_gdt_table(i);
27108 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27109 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27110 (unsigned long)__va(header->fields.pm16dseg));
27113 + pax_close_kernel();
27115 diff -urNp linux-2.6.38.1/drivers/pnp/quirks.c linux-2.6.38.1/drivers/pnp/quirks.c
27116 --- linux-2.6.38.1/drivers/pnp/quirks.c 2011-03-14 21:20:32.000000000 -0400
27117 +++ linux-2.6.38.1/drivers/pnp/quirks.c 2011-03-21 18:31:35.000000000 -0400
27118 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27119 /* PnP resources that might overlap PCI BARs */
27120 {"PNP0c01", quirk_system_pci_resources},
27121 {"PNP0c02", quirk_system_pci_resources},
27126 void pnp_fixup_device(struct pnp_dev *dev)
27127 diff -urNp linux-2.6.38.1/drivers/pnp/resource.c linux-2.6.38.1/drivers/pnp/resource.c
27128 --- linux-2.6.38.1/drivers/pnp/resource.c 2011-03-14 21:20:32.000000000 -0400
27129 +++ linux-2.6.38.1/drivers/pnp/resource.c 2011-03-21 18:31:35.000000000 -0400
27130 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27133 /* check if the resource is valid */
27134 - if (*irq < 0 || *irq > 15)
27138 /* check if the resource is reserved */
27139 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27142 /* check if the resource is valid */
27143 - if (*dma < 0 || *dma == 4 || *dma > 7)
27144 + if (*dma == 4 || *dma > 7)
27147 /* check if the resource is reserved */
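Review bot: Dropping `*dma < 0` is only a no-op if the pointee type of dma is unsigned (resource_size_t, presumably, which is why the comparison was always false and was removed), and pnp_check_dma's signature is outside the hunk; if that type were ever signed, negative channels would now reach the reserved-resource checks below. The risk is low, but a one-line comment on the test, `/* *dma is unsigned: only the upper bound and the cascade channel 4 need checking */`, would keep the next reader from re-adding the lower bound. The same reasoning applies to the irq hunk above, whose new line is not shown here.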
27148 diff -urNp linux-2.6.38.1/drivers/rtc/rtc-dev.c linux-2.6.38.1/drivers/rtc/rtc-dev.c
27149 --- linux-2.6.38.1/drivers/rtc/rtc-dev.c 2011-03-14 21:20:32.000000000 -0400
27150 +++ linux-2.6.38.1/drivers/rtc/rtc-dev.c 2011-03-21 18:31:35.000000000 -0400
27152 #include <linux/module.h>
27153 #include <linux/rtc.h>
27154 #include <linux/sched.h>
27155 +#include <linux/grsecurity.h>
27156 #include "rtc-core.h"
27158 static dev_t rtc_devt;
27159 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
27160 if (copy_from_user(&tm, uarg, sizeof(tm)))
27163 + gr_log_timechange();
27165 return rtc_set_time(rtc, &tm);
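Review bot: gr_log_timechange() fires after copy_from_user() succeeds but before rtc_set_time() runs, so a set that the driver rejects (invalid time, hardware error) is still recorded as a time change. If logging the attempt is the intent, which is reasonable for an audit trail, a comment should say so: `/* audit the attempt; the driver may still reject it */`. Otherwise capture the return value and log only when it is zero. rtc_dev_ioctl's switch continues outside the hunk, and the CAP_SYS_TIME check presumably happens earlier in it.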
27168 diff -urNp linux-2.6.38.1/drivers/rtc/rtc-ds1511.c linux-2.6.38.1/drivers/rtc/rtc-ds1511.c
27169 --- linux-2.6.38.1/drivers/rtc/rtc-ds1511.c 2011-03-14 21:20:32.000000000 -0400
27170 +++ linux-2.6.38.1/drivers/rtc/rtc-ds1511.c 2011-03-21 18:31:35.000000000 -0400
27171 @@ -485,7 +485,7 @@ ds1511_nvram_write(struct file *filp, st
27172 static struct bin_attribute ds1511_nvram_attr = {
27175 - .mode = S_IRUGO | S_IWUGO,
27176 + .mode = S_IRUGO | S_IWUSR,
27178 .size = DS1511_RAM_MAX,
27179 .read = ds1511_nvram_read,
27180 diff -urNp linux-2.6.38.1/drivers/s390/cio/qdio_debug.c linux-2.6.38.1/drivers/s390/cio/qdio_debug.c
27181 --- linux-2.6.38.1/drivers/s390/cio/qdio_debug.c 2011-03-14 21:20:32.000000000 -0400
27182 +++ linux-2.6.38.1/drivers/s390/cio/qdio_debug.c 2011-03-21 18:31:35.000000000 -0400
27183 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
27184 filp->f_path.dentry->d_inode->i_private);
27187 -static struct file_operations debugfs_perf_fops = {
27188 +static const struct file_operations debugfs_perf_fops = {
27189 .owner = THIS_MODULE,
27190 .open = qperf_seq_open,
27192 diff -urNp linux-2.6.38.1/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.38.1/drivers/scsi/aic94xx/aic94xx_init.c
27193 --- linux-2.6.38.1/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-14 21:20:32.000000000 -0400
27194 +++ linux-2.6.38.1/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-21 18:31:35.000000000 -0400
27195 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
27196 flash_error_table[i].reason);
27199 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
27200 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
27201 asd_show_update_bios, asd_store_update_bios);
27203 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
27204 diff -urNp linux-2.6.38.1/drivers/scsi/hpsa.c linux-2.6.38.1/drivers/scsi/hpsa.c
27205 --- linux-2.6.38.1/drivers/scsi/hpsa.c 2011-03-14 21:20:32.000000000 -0400
27206 +++ linux-2.6.38.1/drivers/scsi/hpsa.c 2011-03-21 18:31:35.000000000 -0400
27207 @@ -2281,6 +2281,8 @@ static int hpsa_ioctl32_passthru(struct
27211 + memset(&arg64, 0, sizeof(arg64));
27214 err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
27215 sizeof(arg64.LUN_info));
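Review bot: The new memset() of arg64 has no comment explaining its purpose, and since the copy_from_user() chain right after it fills the struct field by field, a reader may remove it as redundant. Presumably it exists because fields not copied from arg32 and any padding between fields would otherwise hold stack contents that are later copied back to userspace (that copy is outside the hunk); a one-liner such as `/* zero padding and unset fields: arg64 is copied back to userspace later */` would make that intent durable. hpsa_ioctl32_passthru continues outside the hunk.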
27216 diff -urNp linux-2.6.38.1/drivers/scsi/ipr.c linux-2.6.38.1/drivers/scsi/ipr.c
27217 --- linux-2.6.38.1/drivers/scsi/ipr.c 2011-03-14 21:20:32.000000000 -0400
27218 +++ linux-2.6.38.1/drivers/scsi/ipr.c 2011-03-21 18:31:35.000000000 -0400
27219 @@ -6207,7 +6207,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27223 -static struct ata_port_operations ipr_sata_ops = {
27224 +static const struct ata_port_operations ipr_sata_ops = {
27225 .phy_reset = ipr_ata_phy_reset,
27226 .hardreset = ipr_sata_reset,
27227 .post_internal_cmd = ipr_ata_post_internal,
27228 diff -urNp linux-2.6.38.1/drivers/scsi/libfc/fc_exch.c linux-2.6.38.1/drivers/scsi/libfc/fc_exch.c
27229 --- linux-2.6.38.1/drivers/scsi/libfc/fc_exch.c 2011-03-14 21:20:32.000000000 -0400
27230 +++ linux-2.6.38.1/drivers/scsi/libfc/fc_exch.c 2011-03-21 18:31:35.000000000 -0400
27231 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
27232 * all together if not used XXX
27235 - atomic_t no_free_exch;
27236 - atomic_t no_free_exch_xid;
27237 - atomic_t xid_not_found;
27238 - atomic_t xid_busy;
27239 - atomic_t seq_not_found;
27240 - atomic_t non_bls_resp;
27241 + atomic_unchecked_t no_free_exch;
27242 + atomic_unchecked_t no_free_exch_xid;
27243 + atomic_unchecked_t xid_not_found;
27244 + atomic_unchecked_t xid_busy;
27245 + atomic_unchecked_t seq_not_found;
27246 + atomic_unchecked_t non_bls_resp;
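Review bot: The switch of the six stats counters to atomic_unchecked_t is not explained in the struct, so a later contributor adding a counter will not know which type to pick or why these differ from the reference-count style atomic_t used elsewhere. A comment above the group, `/* statistics only: wrap-around is harmless, so overflow checking is deliberately disabled */`, would capture the intent; as far as the hunks below show, the counters are only ever incremented and never gate a free or a lookup. fc_exch_mgr's definition starts before this hunk.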
27250 @@ -687,7 +687,7 @@ static struct fc_exch *fc_exch_em_alloc(
27251 /* allocate memory for exchange */
27252 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27254 - atomic_inc(&mp->stats.no_free_exch);
27255 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27258 memset(ep, 0, sizeof(*ep));
27259 @@ -748,7 +748,7 @@ out:
27262 spin_unlock_bh(&pool->lock);
27263 - atomic_inc(&mp->stats.no_free_exch_xid);
27264 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27265 mempool_free(ep, mp->ep_pool);
27268 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27269 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27270 ep = fc_exch_find(mp, xid);
27272 - atomic_inc(&mp->stats.xid_not_found);
27273 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27274 reject = FC_RJT_OX_ID;
27277 @@ -923,7 +923,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27278 ep = fc_exch_find(mp, xid);
27279 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27281 - atomic_inc(&mp->stats.xid_busy);
27282 + atomic_inc_unchecked(&mp->stats.xid_busy);
27283 reject = FC_RJT_RX_ID;
27286 @@ -934,7 +934,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27288 xid = ep->xid; /* get our XID */
27290 - atomic_inc(&mp->stats.xid_not_found);
27291 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27292 reject = FC_RJT_RX_ID; /* XID not found */
27295 @@ -951,7 +951,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27298 if (sp->id != fh->fh_seq_id) {
27299 - atomic_inc(&mp->stats.seq_not_found);
27300 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27301 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27304 @@ -1368,22 +1368,22 @@ static void fc_exch_recv_seq_resp(struct
27306 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27308 - atomic_inc(&mp->stats.xid_not_found);
27309 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27312 if (ep->esb_stat & ESB_ST_COMPLETE) {
27313 - atomic_inc(&mp->stats.xid_not_found);
27314 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27317 if (ep->rxid == FC_XID_UNKNOWN)
27318 ep->rxid = ntohs(fh->fh_rx_id);
27319 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27320 - atomic_inc(&mp->stats.xid_not_found);
27321 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27324 if (ep->did != ntoh24(fh->fh_s_id) &&
27325 ep->did != FC_FID_FLOGI) {
27326 - atomic_inc(&mp->stats.xid_not_found);
27327 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27331 @@ -1392,7 +1392,7 @@ static void fc_exch_recv_seq_resp(struct
27332 sp->ssb_stat |= SSB_ST_RESP;
27333 sp->id = fh->fh_seq_id;
27334 } else if (sp->id != fh->fh_seq_id) {
27335 - atomic_inc(&mp->stats.seq_not_found);
27336 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27340 @@ -1455,9 +1455,9 @@ static void fc_exch_recv_resp(struct fc_
27341 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27344 - atomic_inc(&mp->stats.xid_not_found);
27345 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27347 - atomic_inc(&mp->stats.non_bls_resp);
27348 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27352 diff -urNp linux-2.6.38.1/drivers/scsi/libsas/sas_ata.c linux-2.6.38.1/drivers/scsi/libsas/sas_ata.c
27353 --- linux-2.6.38.1/drivers/scsi/libsas/sas_ata.c 2011-03-14 21:20:32.000000000 -0400
27354 +++ linux-2.6.38.1/drivers/scsi/libsas/sas_ata.c 2011-03-21 18:31:35.000000000 -0400
27355 @@ -348,10 +348,10 @@ static int sas_ata_scr_read(struct ata_l
27359 -static struct ata_port_operations sas_sata_ops = {
27360 +static const struct ata_port_operations sas_sata_ops = {
27361 .phy_reset = sas_ata_phy_reset,
27362 .post_internal_cmd = sas_ata_post_internal,
27363 - .qc_defer = ata_std_qc_defer,
27364 + .qc_defer = ata_std_qc_defer,
27365 .qc_prep = ata_noop_qc_prep,
27366 .qc_issue = sas_ata_qc_issue,
27367 .qc_fill_rtf = sas_ata_qc_fill_rtf,
27368 diff -urNp linux-2.6.38.1/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.38.1/drivers/scsi/mpt2sas/mpt2sas_debug.h
27369 --- linux-2.6.38.1/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-03-14 21:20:32.000000000 -0400
27370 +++ linux-2.6.38.1/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-03-21 18:31:35.000000000 -0400
27375 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27376 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27377 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27380 diff -urNp linux-2.6.38.1/drivers/scsi/qla2xxx/qla_os.c linux-2.6.38.1/drivers/scsi/qla2xxx/qla_os.c
27381 --- linux-2.6.38.1/drivers/scsi/qla2xxx/qla_os.c 2011-03-14 21:20:32.000000000 -0400
27382 +++ linux-2.6.38.1/drivers/scsi/qla2xxx/qla_os.c 2011-03-21 18:31:35.000000000 -0400
27383 @@ -4096,7 +4096,7 @@ static struct pci_driver qla2xxx_pci_dri
27384 .err_handler = &qla2xxx_err_handler,
27387 -static struct file_operations apidev_fops = {
27388 +static const struct file_operations apidev_fops = {
27389 .owner = THIS_MODULE,
27390 .llseek = noop_llseek,
27392 diff -urNp linux-2.6.38.1/drivers/scsi/scsi_logging.h linux-2.6.38.1/drivers/scsi/scsi_logging.h
27393 --- linux-2.6.38.1/drivers/scsi/scsi_logging.h 2011-03-14 21:20:32.000000000 -0400
27394 +++ linux-2.6.38.1/drivers/scsi/scsi_logging.h 2011-03-21 18:31:35.000000000 -0400
27395 @@ -51,7 +51,7 @@ do { \
27399 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27400 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27401 #endif /* CONFIG_SCSI_LOGGING */
27404 diff -urNp linux-2.6.38.1/drivers/scsi/scsi_transport_iscsi.c linux-2.6.38.1/drivers/scsi/scsi_transport_iscsi.c
27405 --- linux-2.6.38.1/drivers/scsi/scsi_transport_iscsi.c 2011-03-14 21:20:32.000000000 -0400
27406 +++ linux-2.6.38.1/drivers/scsi/scsi_transport_iscsi.c 2011-03-21 18:31:35.000000000 -0400
27407 @@ -1847,7 +1847,7 @@ store_priv_session_##field(struct device
27408 #define iscsi_priv_session_rw_attr(field, format) \
27409 iscsi_priv_session_attr_show(field, format) \
27410 iscsi_priv_session_attr_store(field) \
27411 -static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUGO, \
27412 +static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUSR, \
27413 show_priv_session_##field, \
27414 store_priv_session_##field)
27415 iscsi_priv_session_rw_attr(recovery_tmo, "%d");
27416 diff -urNp linux-2.6.38.1/drivers/scsi/sg.c linux-2.6.38.1/drivers/scsi/sg.c
27417 --- linux-2.6.38.1/drivers/scsi/sg.c 2011-03-14 21:20:32.000000000 -0400
27418 +++ linux-2.6.38.1/drivers/scsi/sg.c 2011-03-21 18:31:35.000000000 -0400
27419 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
27420 const struct file_operations * fops;
27423 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27424 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27425 {"allow_dio", &adio_fops},
27426 {"debug", &debug_fops},
27427 {"def_reserved_size", &dressz_fops},
27428 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
27431 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27432 - struct sg_proc_leaf * leaf;
27433 + const struct sg_proc_leaf * leaf;
27435 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27437 diff -urNp linux-2.6.38.1/drivers/staging/autofs/root.c linux-2.6.38.1/drivers/staging/autofs/root.c
27438 --- linux-2.6.38.1/drivers/staging/autofs/root.c 2011-03-14 21:20:32.000000000 -0400
27439 +++ linux-2.6.38.1/drivers/staging/autofs/root.c 2011-03-21 18:31:35.000000000 -0400
27440 @@ -311,7 +311,8 @@ static int autofs_root_symlink(struct in
27441 set_bit(n,sbi->symlink_bitmap);
27442 sl = &sbi->symlink[n];
27443 sl->len = strlen(symname);
27444 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
27445 + slsize = sl->len + 1;
27446 + sl->data = kmalloc(slsize, GFP_KERNEL);
27448 clear_bit(n,sbi->symlink_bitmap);
27450 diff -urNp linux-2.6.38.1/drivers/staging/bcm/Bcmchar.c linux-2.6.38.1/drivers/staging/bcm/Bcmchar.c
27451 --- linux-2.6.38.1/drivers/staging/bcm/Bcmchar.c 2011-03-14 21:20:32.000000000 -0400
27452 +++ linux-2.6.38.1/drivers/staging/bcm/Bcmchar.c 2011-03-21 18:31:35.000000000 -0400
27453 @@ -2093,7 +2093,7 @@ static long bcm_char_ioctl(struct file *
27457 -static struct file_operations bcm_fops = {
27458 +static const struct file_operations bcm_fops = {
27459 .owner = THIS_MODULE,
27460 .open = bcm_char_open,
27461 .release = bcm_char_release,
27462 diff -urNp linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
27463 --- linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-03-14 21:20:32.000000000 -0400
27464 +++ linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-03-21 18:31:35.000000000 -0400
27465 @@ -863,14 +863,14 @@ static void dhd_op_if(dhd_if_t *ifp)
27466 free_netdev(ifp->net);
27468 /* Allocate etherdev, including space for private structure */
27469 - ifp->net = alloc_etherdev(sizeof(dhd));
27470 + ifp->net = alloc_etherdev(sizeof(*dhd));
27472 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
27476 strcpy(ifp->net->name, ifp->name);
27477 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
27478 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
27479 err = dhd_net_attach(&dhd->pub, ifp->idx);
27481 DHD_ERROR(("%s: dhd_net_attach failed, "
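Review bot: The memcpy now copies the whole dhd_info struct into the net_device private area (`memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd))`) where the old code stored only the pointer, which changes what every reader of netdev_priv() on this device must expect; unless the accessor the rest of the driver uses (DHD_DEV_INFO or similar, not visible here) was converted the same way, it will now dereference the first bytes of the struct as a pointer. It also means the private copy and the kmalloc'd dhd diverge from this point on, and if dhd_info embeds locks, wait queues or timers, duplicating it with memcpy leaves two live instances of those objects. If the goal was only to quiet a sizeof(pointer) warning, keeping the pointer but spelling it `sizeof(dhd_info_t *)` is the safer fix. dhd_op_if continues outside the hunk.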
27482 @@ -1969,25 +1969,23 @@ dhd_pub_t *dhd_attach(struct osl_info *o
27483 strcpy(nv_path, nvram_path);
27485 /* Allocate etherdev, including space for private structure */
27486 - net = alloc_etherdev(sizeof(dhd));
27487 + net = alloc_etherdev(sizeof(*dhd));
27489 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
27493 /* Allocate primary dhd_info */
27494 - dhd = kmalloc(sizeof(dhd_info_t), GFP_ATOMIC);
27495 + dhd = kzalloc(sizeof(dhd_info_t), GFP_ATOMIC);
27497 DHD_ERROR(("%s: OOM - alloc dhd_info\n", __func__));
27501 - memset(dhd, 0, sizeof(dhd_info_t));
27504 * Save the dhd_info into the priv
27506 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
27507 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
27508 dhd->pub.osh = osh;
27510 /* Set network interface name if it was provided as module parameter */
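Review bot: `dhd->pub.osh = osh;` runs immediately after the new `memcpy(netdev_priv(net), dhd, sizeof(*dhd))`, so the copy placed in the private area never sees osh; with the old pointer copy this did not matter, but now the two objects are independent (the second copy later in dhd_attach refreshes it once, yet any later write to *dhd is lost again). Storing a by-value copy of dhd_info in netdev_priv() is only correct if every consumer of netdev_priv() was converted from `*(dhd_info_t **)` to `(dhd_info_t *)`, which is outside this hunk and should be confirmed before merging. The kmalloc-to-kzalloc change with the dropped memset is fine on its own. dhd_attach continues outside the hunk.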
27511 @@ -2105,7 +2103,7 @@ dhd_pub_t *dhd_attach(struct osl_info *o
27513 * Save the dhd_info into the priv
27515 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
27516 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
27518 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
27520 diff -urNp linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c
27521 --- linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-03-14 21:20:32.000000000 -0400
27522 +++ linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-03-21 18:31:35.000000000 -0400
27523 @@ -513,7 +513,7 @@ wl_iw_get_range(struct net_device *dev,
27524 list = (wl_u32_list_t *) channels;
27526 dwrq->length = sizeof(struct iw_range);
27527 - memset(range, 0, sizeof(range));
27528 + memset(range, 0, sizeof(*range));
27530 range->min_nwid = range->max_nwid = 0;
27532 diff -urNp linux-2.6.38.1/drivers/staging/comedi/comedi_fops.c linux-2.6.38.1/drivers/staging/comedi/comedi_fops.c
27533 --- linux-2.6.38.1/drivers/staging/comedi/comedi_fops.c 2011-03-14 21:20:32.000000000 -0400
27534 +++ linux-2.6.38.1/drivers/staging/comedi/comedi_fops.c 2011-03-21 18:31:35.000000000 -0400
27535 @@ -1426,7 +1426,7 @@ static void comedi_unmap(struct vm_area_
27536 mutex_unlock(&dev->mutex);
27539 -static struct vm_operations_struct comedi_vm_ops = {
27540 +static const struct vm_operations_struct comedi_vm_ops = {
27541 .close = comedi_unmap,
27544 diff -urNp linux-2.6.38.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.38.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
27545 --- linux-2.6.38.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-03-14 21:20:32.000000000 -0400
27546 +++ linux-2.6.38.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-03-21 18:31:35.000000000 -0400
27547 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
27549 // Table of entry-point routines for char device
27551 -static struct file_operations ft1000fops =
27552 +static const struct file_operations ft1000fops =
27554 .unlocked_ioctl = ft1000_ioctl,
27555 .poll = ft1000_poll_dev,
27556 diff -urNp linux-2.6.38.1/drivers/staging/go7007/go7007-v4l2.c linux-2.6.38.1/drivers/staging/go7007/go7007-v4l2.c
27557 --- linux-2.6.38.1/drivers/staging/go7007/go7007-v4l2.c 2011-03-14 21:20:32.000000000 -0400
27558 +++ linux-2.6.38.1/drivers/staging/go7007/go7007-v4l2.c 2011-03-21 18:31:35.000000000 -0400
27559 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
27563 -static struct vm_operations_struct go7007_vm_ops = {
27564 +static const struct vm_operations_struct go7007_vm_ops = {
27565 .open = go7007_vm_open,
27566 .close = go7007_vm_close,
27567 .fault = go7007_vm_fault,
27568 diff -urNp linux-2.6.38.1/drivers/staging/hv/hv.c linux-2.6.38.1/drivers/staging/hv/hv.c
27569 --- linux-2.6.38.1/drivers/staging/hv/hv.c 2011-03-14 21:20:32.000000000 -0400
27570 +++ linux-2.6.38.1/drivers/staging/hv/hv.c 2011-03-21 18:31:35.000000000 -0400
27571 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
27572 u64 output_address = (output) ? virt_to_phys(output) : 0;
27573 u32 output_address_hi = output_address >> 32;
27574 u32 output_address_lo = output_address & 0xFFFFFFFF;
27575 - volatile void *hypercall_page = hv_context.hypercall_page;
27576 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
27578 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27579 control, input, output);
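Review bot: The ktva_ktla() wrapping of hypercall_page needs a why-comment, since to a reader without PaX context it looks like a pointless address translation that could be dropped. If the reason is that hypercall_page is a kernel text-region virtual address that must be redirected to its linear-mapping alias before being called under KERNEXEC, say so: `/* KERNEXEC: go through the linear alias the hypercall page is actually mapped at */`. do_hypercall continues outside the hunk.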
27580 diff -urNp linux-2.6.38.1/drivers/staging/phison/phison.c linux-2.6.38.1/drivers/staging/phison/phison.c
27581 --- linux-2.6.38.1/drivers/staging/phison/phison.c 2011-03-14 21:20:32.000000000 -0400
27582 +++ linux-2.6.38.1/drivers/staging/phison/phison.c 2011-03-21 18:31:35.000000000 -0400
27583 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27584 ATA_BMDMA_SHT(DRV_NAME),
27587 -static struct ata_port_operations phison_ops = {
27588 +static const struct ata_port_operations phison_ops = {
27589 .inherits = &ata_bmdma_port_ops,
27590 .prereset = phison_pre_reset,
27592 diff -urNp linux-2.6.38.1/drivers/staging/pohmelfs/inode.c linux-2.6.38.1/drivers/staging/pohmelfs/inode.c
27593 --- linux-2.6.38.1/drivers/staging/pohmelfs/inode.c 2011-03-14 21:20:32.000000000 -0400
27594 +++ linux-2.6.38.1/drivers/staging/pohmelfs/inode.c 2011-03-21 18:31:35.000000000 -0400
27595 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
27596 mutex_init(&psb->mcache_lock);
27597 psb->mcache_root = RB_ROOT;
27598 psb->mcache_timeout = msecs_to_jiffies(5000);
27599 - atomic_long_set(&psb->mcache_gen, 0);
27600 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
27602 psb->trans_max_pages = 100;
27604 diff -urNp linux-2.6.38.1/drivers/staging/pohmelfs/mcache.c linux-2.6.38.1/drivers/staging/pohmelfs/mcache.c
27605 --- linux-2.6.38.1/drivers/staging/pohmelfs/mcache.c 2011-03-14 21:20:32.000000000 -0400
27606 +++ linux-2.6.38.1/drivers/staging/pohmelfs/mcache.c 2011-03-21 18:31:35.000000000 -0400
27607 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27611 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
27612 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27614 mutex_lock(&psb->mcache_lock);
27615 err = pohmelfs_mcache_insert(psb, m);
27616 diff -urNp linux-2.6.38.1/drivers/staging/pohmelfs/netfs.h linux-2.6.38.1/drivers/staging/pohmelfs/netfs.h
27617 --- linux-2.6.38.1/drivers/staging/pohmelfs/netfs.h 2011-03-14 21:20:32.000000000 -0400
27618 +++ linux-2.6.38.1/drivers/staging/pohmelfs/netfs.h 2011-03-21 18:31:35.000000000 -0400
27619 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27620 struct pohmelfs_sb {
27621 struct rb_root mcache_root;
27622 struct mutex mcache_lock;
27623 - atomic_long_t mcache_gen;
27624 + atomic_long_unchecked_t mcache_gen;
27625 unsigned long mcache_timeout;
27628 diff -urNp linux-2.6.38.1/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.38.1/drivers/staging/rtl8192u/ieee80211/proc.c
27629 --- linux-2.6.38.1/drivers/staging/rtl8192u/ieee80211/proc.c 2011-03-14 21:20:32.000000000 -0400
27630 +++ linux-2.6.38.1/drivers/staging/rtl8192u/ieee80211/proc.c 2011-03-21 18:31:35.000000000 -0400
27631 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27632 return seq_open(file, &crypto_seq_ops);
27635 -static struct file_operations proc_crypto_ops = {
27636 +static const struct file_operations proc_crypto_ops = {
27637 .open = crypto_info_open,
27639 .llseek = seq_lseek,
27640 diff -urNp linux-2.6.38.1/drivers/staging/spectra/ffsport.c linux-2.6.38.1/drivers/staging/spectra/ffsport.c
27641 --- linux-2.6.38.1/drivers/staging/spectra/ffsport.c 2011-03-14 21:20:32.000000000 -0400
27642 +++ linux-2.6.38.1/drivers/staging/spectra/ffsport.c 2011-03-21 18:31:35.000000000 -0400
27643 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
27647 -static struct block_device_operations GLOB_SBD_ops = {
27648 +static const struct block_device_operations GLOB_SBD_ops = {
27649 .owner = THIS_MODULE,
27650 .open = GLOB_SBD_open,
27651 .release = GLOB_SBD_release,
27652 diff -urNp linux-2.6.38.1/drivers/staging/vme/devices/vme_user.c linux-2.6.38.1/drivers/staging/vme/devices/vme_user.c
27653 --- linux-2.6.38.1/drivers/staging/vme/devices/vme_user.c 2011-03-14 21:20:32.000000000 -0400
27654 +++ linux-2.6.38.1/drivers/staging/vme/devices/vme_user.c 2011-03-21 18:31:35.000000000 -0400
27655 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
27656 static int __devinit vme_user_probe(struct device *, int, int);
27657 static int __devexit vme_user_remove(struct device *, int, int);
27659 -static struct file_operations vme_user_fops = {
27660 +static const struct file_operations vme_user_fops = {
27661 .open = vme_user_open,
27662 .release = vme_user_release,
27663 .read = vme_user_read,
27664 diff -urNp linux-2.6.38.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.38.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
27665 --- linux-2.6.38.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-03-14 21:20:32.000000000 -0400
27666 +++ linux-2.6.38.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-03-21 18:31:35.000000000 -0400
27667 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
27670 /*standard block device driver interface */
27671 -static struct block_device_operations cyasblkdev_bdops = {
27672 +static const struct block_device_operations cyasblkdev_bdops = {
27673 .open = cyasblkdev_blk_open,
27674 .release = cyasblkdev_blk_release,
27675 .ioctl = cyasblkdev_blk_ioctl,
27676 diff -urNp linux-2.6.38.1/drivers/tty/hvc/hvc_console.h linux-2.6.38.1/drivers/tty/hvc/hvc_console.h
27677 --- linux-2.6.38.1/drivers/tty/hvc/hvc_console.h 2011-03-14 21:20:32.000000000 -0400
27678 +++ linux-2.6.38.1/drivers/tty/hvc/hvc_console.h 2011-03-21 18:31:35.000000000 -0400
27679 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
27680 /* register a vterm for hvc tty operation (module_init or hotplug add) */
27681 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
27682 const struct hv_ops *ops, int outbuf_size);
27684 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
27685 extern int hvc_remove(struct hvc_struct *hp);
27687 diff -urNp linux-2.6.38.1/drivers/tty/hvc/hvcs.c linux-2.6.38.1/drivers/tty/hvc/hvcs.c
27688 --- linux-2.6.38.1/drivers/tty/hvc/hvcs.c 2011-03-14 21:20:32.000000000 -0400
27689 +++ linux-2.6.38.1/drivers/tty/hvc/hvcs.c 2011-03-21 18:31:35.000000000 -0400
27691 #include <asm/hvcserver.h>
27692 #include <asm/uaccess.h>
27693 #include <asm/vio.h>
27694 +#include <asm/local.h>
27697 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
27698 @@ -270,7 +271,7 @@ struct hvcs_struct {
27699 unsigned int index;
27701 struct tty_struct *tty;
27703 + local_t open_count;
27706 * Used to tell the driver kernel_thread what operations need to take
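Review bot: local_t is documented as a per-CPU primitive whose atomicity only holds for the CPU that owns the data, while hvcs_struct is shared across CPUs, so the new open_count type buys nothing on its own; every access shown in the hunks below is correct only because it sits under hvcsd->lock. A comment on the field, `/* protected by lock; local_t only to opt out of reference-count overflow checking */` (or whatever the actual motivation is), would stop a reader from assuming lock-free access is safe. hvcs_struct's definition starts before this hunk.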
27707 @@ -420,7 +421,7 @@ static ssize_t hvcs_vterm_state_store(st
27709 spin_lock_irqsave(&hvcsd->lock, flags);
27711 - if (hvcsd->open_count > 0) {
27712 + if (local_read(&hvcsd->open_count) > 0) {
27713 spin_unlock_irqrestore(&hvcsd->lock, flags);
27714 printk(KERN_INFO "HVCS: vterm state unchanged. "
27715 "The hvcs device node is still in use.\n");
27716 @@ -1136,7 +1137,7 @@ static int hvcs_open(struct tty_struct *
27717 if ((retval = hvcs_partner_connect(hvcsd)))
27718 goto error_release;
27720 - hvcsd->open_count = 1;
27721 + local_set(&hvcsd->open_count, 1);
27723 tty->driver_data = hvcsd;
27725 @@ -1170,7 +1171,7 @@ fast_open:
27727 spin_lock_irqsave(&hvcsd->lock, flags);
27728 kref_get(&hvcsd->kref);
27729 - hvcsd->open_count++;
27730 + local_inc(&hvcsd->open_count);
27731 hvcsd->todo_mask |= HVCS_SCHED_READ;
27732 spin_unlock_irqrestore(&hvcsd->lock, flags);
27734 @@ -1214,7 +1215,7 @@ static void hvcs_close(struct tty_struct
27735 hvcsd = tty->driver_data;
27737 spin_lock_irqsave(&hvcsd->lock, flags);
27738 - if (--hvcsd->open_count == 0) {
27739 + if (local_dec_and_test(&hvcsd->open_count)) {
27741 vio_disable_interrupts(hvcsd->vdev);
27743 @@ -1240,10 +1241,10 @@ static void hvcs_close(struct tty_struct
27744 free_irq(irq, hvcsd);
27745 kref_put(&hvcsd->kref, destroy_hvcs_struct);
27747 - } else if (hvcsd->open_count < 0) {
27748 + } else if (local_read(&hvcsd->open_count) < 0) {
27749 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
27750 " is missmanaged.\n",
27751 - hvcsd->vdev->unit_address, hvcsd->open_count);
27752 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
27755 spin_unlock_irqrestore(&hvcsd->lock, flags);
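Review bot: The `printk` at gutter 27749–27752 keeps its `%d` conversion while the argument becomes `local_read(&hvcsd->open_count)`, which returns `long`, so the format and argument no longer match; on the 64-bit pSeries builds this driver targets that is a `-Wformat` warning and can print a wrong count. Change the format line to `printk(KERN_ERR "HVCS: vty-server@%X open_count: %ld"` so it agrees with the new argument type. The `local_read()` result is also assigned to `temp_open_count` in the hvcs_hangup hunk (gutter 27761), whose declared type is outside the hunk and should be checked for the same reason. hvcs_close starts and ends outside this hunk.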
27756 @@ -1259,7 +1260,7 @@ static void hvcs_hangup(struct tty_struc
27758 spin_lock_irqsave(&hvcsd->lock, flags);
27759 /* Preserve this so that we know how many kref refs to put */
27760 - temp_open_count = hvcsd->open_count;
27761 + temp_open_count = local_read(&hvcsd->open_count);
27764 * Don't kref put inside the spinlock because the destruction
27765 @@ -1274,7 +1275,7 @@ static void hvcs_hangup(struct tty_struc
27766 hvcsd->tty->driver_data = NULL;
27769 - hvcsd->open_count = 0;
27770 + local_set(&hvcsd->open_count, 0);
27772 /* This will drop any buffered data on the floor which is OK in a hangup
27774 @@ -1345,7 +1346,7 @@ static int hvcs_write(struct tty_struct
27775 * the middle of a write operation? This is a crummy place to do this
27776 * but we want to keep it all in the spinlock.
27778 - if (hvcsd->open_count <= 0) {
27779 + if (local_read(&hvcsd->open_count) <= 0) {
27780 spin_unlock_irqrestore(&hvcsd->lock, flags);
27783 @@ -1419,7 +1420,7 @@ static int hvcs_write_room(struct tty_st
27785 struct hvcs_struct *hvcsd = tty->driver_data;
27787 - if (!hvcsd || hvcsd->open_count <= 0)
27788 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
27791 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
27792 diff -urNp linux-2.6.38.1/drivers/tty/hvc/hvc_xen.c linux-2.6.38.1/drivers/tty/hvc/hvc_xen.c
27793 --- linux-2.6.38.1/drivers/tty/hvc/hvc_xen.c 2011-03-14 21:20:32.000000000 -0400
27794 +++ linux-2.6.38.1/drivers/tty/hvc/hvc_xen.c 2011-03-21 18:31:35.000000000 -0400
27795 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
27799 -static struct hv_ops domU_hvc_ops = {
27800 +static const struct hv_ops domU_hvc_ops = {
27801 .get_chars = domU_read_console,
27802 .put_chars = domU_write_console,
27803 .notifier_add = notifier_add_irq,
27804 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
27808 -static struct hv_ops dom0_hvc_ops = {
27809 +static const struct hv_ops dom0_hvc_ops = {
27810 .get_chars = dom0_read_console,
27811 .put_chars = dom0_write_console,
27812 .notifier_add = notifier_add_irq,
27813 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
27814 static int __init xen_hvc_init(void)
27816 struct hvc_struct *hp;
27817 - struct hv_ops *ops;
27818 + const struct hv_ops *ops;
27820 if (!xen_pv_domain())
27822 @@ -203,7 +203,7 @@ static void __exit xen_hvc_fini(void)
27824 static int xen_cons_init(void)
27826 - struct hv_ops *ops;
27827 + const struct hv_ops *ops;
27829 if (!xen_pv_domain())
27831 diff -urNp linux-2.6.38.1/drivers/tty/n_gsm.c linux-2.6.38.1/drivers/tty/n_gsm.c
27832 --- linux-2.6.38.1/drivers/tty/n_gsm.c 2011-03-14 21:20:32.000000000 -0400
27833 +++ linux-2.6.38.1/drivers/tty/n_gsm.c 2011-03-21 18:31:35.000000000 -0400
27834 @@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
27836 spin_lock_init(&dlci->lock);
27837 dlci->fifo = &dlci->_fifo;
27838 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
27839 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
27843 diff -urNp linux-2.6.38.1/drivers/tty/n_tty.c linux-2.6.38.1/drivers/tty/n_tty.c
27844 --- linux-2.6.38.1/drivers/tty/n_tty.c 2011-03-14 21:20:32.000000000 -0400
27845 +++ linux-2.6.38.1/drivers/tty/n_tty.c 2011-03-21 18:31:35.000000000 -0400
27846 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
27848 *ops = tty_ldisc_N_TTY;
27850 - ops->refcount = ops->flags = 0;
27851 + atomic_set(&ops->refcount, 0);
27854 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
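Review bot: On the new side only `atomic_set(&ops->refcount, 0);` is visible, whereas the removed line also cleared `ops->flags`; the hunk header (`-2116,6 +2116,7`, one line longer on the new side) suggests an added line that this rendering dropped at gutter 27852, presumably `ops->flags = 0;`. If that line is not in the real patch, `flags` is left at whatever the preceding `*ops = tty_ldisc_N_TTY;` copied in, which would be a behaviour change worth confirming against the source. n_tty_inherit_ops starts outside the hunk.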
27855 diff -urNp linux-2.6.38.1/drivers/tty/pty.c linux-2.6.38.1/drivers/tty/pty.c
27856 --- linux-2.6.38.1/drivers/tty/pty.c 2011-03-14 21:20:32.000000000 -0400
27857 +++ linux-2.6.38.1/drivers/tty/pty.c 2011-03-21 18:31:35.000000000 -0400
27858 @@ -700,7 +700,18 @@ out:
27862 -static struct file_operations ptmx_fops;
27863 +static const struct file_operations ptmx_fops = {
27864 + .llseek = no_llseek,
27865 + .read = tty_read,
27866 + .write = tty_write,
27867 + .poll = tty_poll,
27868 + .unlocked_ioctl = tty_ioctl,
27869 + .compat_ioctl = tty_compat_ioctl,
27870 + .open = ptmx_open,
27871 + .release = tty_release,
27872 + .fasync = tty_fasync,
27876 static void __init unix98_pty_init(void)
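Review bot: The new `ptmx_fops` initializer at gutter 27863–27872 is a hand-copied clone of `tty_fops` (previously obtained at runtime via the `tty_default_fops()` call removed in the next hunk and in the tty_io.c section), so every later change to `tty_fops` now has to be mirrored here by hand; a comment above the initializer such as `/* keep in sync with tty_fops in tty_io.c; only .open differs */` would make that dependency explicit. The unconditional `.compat_ioctl = tty_compat_ioctl,` also relies on a `!CONFIG_COMPAT` fallback: the tty_io.c hunk at gutter 27936–27940 deletes the local `#define tty_compat_ioctl NULL`, so unless the header that now declares `tty_compat_ioctl` supplies the same fallback (not visible here), non-COMPAT builds will fail to link. Making the table `const` is itself a sound hardening step, since `.open` can no longer be rewritten at runtime.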
27878 @@ -753,10 +764,6 @@ static void __init unix98_pty_init(void)
27880 register_sysctl_table(pty_root_table);
27882 - /* Now create the /dev/ptmx special device */
27883 - tty_default_fops(&ptmx_fops);
27884 - ptmx_fops.open = ptmx_open;
27886 cdev_init(&ptmx_cdev, &ptmx_fops);
27887 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
27888 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
27889 diff -urNp linux-2.6.38.1/drivers/tty/serial/8250_pci.c linux-2.6.38.1/drivers/tty/serial/8250_pci.c
27890 --- linux-2.6.38.1/drivers/tty/serial/8250_pci.c 2011-03-14 21:20:32.000000000 -0400
27891 +++ linux-2.6.38.1/drivers/tty/serial/8250_pci.c 2011-03-21 18:31:35.000000000 -0400
27892 @@ -3818,7 +3818,7 @@ static struct pci_device_id serial_pci_t
27893 PCI_ANY_ID, PCI_ANY_ID,
27894 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27895 0xffff00, pbn_default },
27897 + { 0, 0, 0, 0, 0, 0, 0 }
27900 static struct pci_driver serial_pci_driver = {
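Review bot: Replacing the empty terminator `{ }` with a positional `{ 0, 0, 0, 0, 0, 0, 0 }` couples the sentinel to the exact member count of `struct pci_device_id`: a future change to that count makes the initializer either too long (a compile error) or too short (a -Wmissing-field-initializers warning), whereas `{ 0 }` as used in the keyboard.c hunk (gutter 28135) yields the same all-zero object without that coupling. The same pattern appears in the cdc-acm.c, usblp.c, hub.c, ehci-pci.c, uhci-hcd.c, usual-tables.c and i810_main.c hunks, where the twelve-zero `usb_device_id` form is more fragile still; usb.c's typed `{ NULL, NULL, 0, 0, NULL }` at least documents the member types.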
27901 diff -urNp linux-2.6.38.1/drivers/tty/serial/kgdboc.c linux-2.6.38.1/drivers/tty/serial/kgdboc.c
27902 --- linux-2.6.38.1/drivers/tty/serial/kgdboc.c 2011-03-14 21:20:32.000000000 -0400
27903 +++ linux-2.6.38.1/drivers/tty/serial/kgdboc.c 2011-03-21 18:31:35.000000000 -0400
27906 #define MAX_CONFIG_LEN 40
27908 -static struct kgdb_io kgdboc_io_ops;
27909 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
27911 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27912 static int configured = -1;
27913 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
27914 kgdboc_restore_input();
27917 -static struct kgdb_io kgdboc_io_ops = {
27918 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
27920 .read_char = kgdboc_get_char,
27921 .write_char = kgdboc_put_char,
27922 diff -urNp linux-2.6.38.1/drivers/tty/tty_io.c linux-2.6.38.1/drivers/tty/tty_io.c
27923 --- linux-2.6.38.1/drivers/tty/tty_io.c 2011-03-14 21:20:32.000000000 -0400
27924 +++ linux-2.6.38.1/drivers/tty/tty_io.c 2011-03-21 18:31:35.000000000 -0400
27925 @@ -140,21 +140,11 @@ EXPORT_SYMBOL(tty_mutex);
27926 /* Spinlock to protect the tty->tty_files list */
27927 DEFINE_SPINLOCK(tty_files_lock);
27929 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
27930 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
27931 ssize_t redirected_tty_write(struct file *, const char __user *,
27933 -static unsigned int tty_poll(struct file *, poll_table *);
27934 static int tty_open(struct inode *, struct file *);
27935 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
27936 -#ifdef CONFIG_COMPAT
27937 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
27938 - unsigned long arg);
27940 -#define tty_compat_ioctl NULL
27942 static int __tty_fasync(int fd, struct file *filp, int on);
27943 -static int tty_fasync(int fd, struct file *filp, int on);
27944 static void release_tty(struct tty_struct *tty, int idx);
27945 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
27946 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
27947 @@ -938,7 +928,7 @@ EXPORT_SYMBOL(start_tty);
27948 * read calls may be outstanding in parallel.
27951 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27952 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27956 @@ -964,6 +954,8 @@ static ssize_t tty_read(struct file *fil
27960 +EXPORT_SYMBOL(tty_read);
27962 void tty_write_unlock(struct tty_struct *tty)
27964 mutex_unlock(&tty->atomic_write_lock);
27965 @@ -1113,7 +1105,7 @@ void tty_write_message(struct tty_struct
27966 * write method will not be invoked in parallel for each device.
27969 -static ssize_t tty_write(struct file *file, const char __user *buf,
27970 +ssize_t tty_write(struct file *file, const char __user *buf,
27971 size_t count, loff_t *ppos)
27973 struct inode *inode = file->f_path.dentry->d_inode;
27974 @@ -1139,6 +1131,8 @@ static ssize_t tty_write(struct file *fi
27978 +EXPORT_SYMBOL(tty_write);
27980 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
27981 size_t count, loff_t *ppos)
27983 @@ -1778,6 +1772,8 @@ int tty_release(struct inode *inode, str
27987 +EXPORT_SYMBOL(tty_release);
27990 * tty_open - open a tty device
27991 * @inode: inode of device file
27992 @@ -1969,7 +1965,7 @@ got_driver:
27993 * may be re-entered freely by other callers.
27996 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
27997 +unsigned int tty_poll(struct file *filp, poll_table *wait)
27999 struct tty_struct *tty = file_tty(filp);
28000 struct tty_ldisc *ld;
28001 @@ -1985,6 +1981,8 @@ static unsigned int tty_poll(struct file
28005 +EXPORT_SYMBOL(tty_poll);
28007 static int __tty_fasync(int fd, struct file *filp, int on)
28009 struct tty_struct *tty = file_tty(filp);
28010 @@ -2026,7 +2024,7 @@ out:
28014 -static int tty_fasync(int fd, struct file *filp, int on)
28015 +int tty_fasync(int fd, struct file *filp, int on)
28019 @@ -2035,6 +2033,8 @@ static int tty_fasync(int fd, struct fil
28023 +EXPORT_SYMBOL(tty_fasync);
28026 * tiocsti - fake input character
28027 * @tty: tty to fake input into
28028 @@ -2692,8 +2692,10 @@ long tty_ioctl(struct file *file, unsign
28032 +EXPORT_SYMBOL(tty_ioctl);
28034 #ifdef CONFIG_COMPAT
28035 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28036 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
28039 struct inode *inode = file->f_dentry->d_inode;
28040 @@ -2717,6 +2719,9 @@ static long tty_compat_ioctl(struct file
28045 +EXPORT_SYMBOL(tty_compat_ioctl);
28050 @@ -3195,11 +3200,6 @@ struct tty_struct *get_current_tty(void)
28052 EXPORT_SYMBOL_GPL(get_current_tty);
28054 -void tty_default_fops(struct file_operations *fops)
28056 - *fops = tty_fops;
28060 * Initialize the console device. This is called *early*, so
28061 * we can't necessarily depend on lots of kernel help here.
28062 diff -urNp linux-2.6.38.1/drivers/tty/tty_ldisc.c linux-2.6.38.1/drivers/tty/tty_ldisc.c
28063 --- linux-2.6.38.1/drivers/tty/tty_ldisc.c 2011-03-14 21:20:32.000000000 -0400
28064 +++ linux-2.6.38.1/drivers/tty/tty_ldisc.c 2011-03-21 18:31:35.000000000 -0400
28065 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
28066 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
28067 struct tty_ldisc_ops *ldo = ld->ops;
28070 + atomic_dec(&ldo->refcount);
28071 module_put(ldo->owner);
28072 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28074 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
28075 spin_lock_irqsave(&tty_ldisc_lock, flags);
28076 tty_ldiscs[disc] = new_ldisc;
28077 new_ldisc->num = disc;
28078 - new_ldisc->refcount = 0;
28079 + atomic_set(&new_ldisc->refcount, 0);
28080 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28083 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
28086 spin_lock_irqsave(&tty_ldisc_lock, flags);
28087 - if (tty_ldiscs[disc]->refcount)
28088 + if (atomic_read(&tty_ldiscs[disc]->refcount))
28091 tty_ldiscs[disc] = NULL;
28092 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
28094 ret = ERR_PTR(-EAGAIN);
28095 if (try_module_get(ldops->owner)) {
28096 - ldops->refcount++;
28097 + atomic_inc(&ldops->refcount);
28101 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
28102 unsigned long flags;
28104 spin_lock_irqsave(&tty_ldisc_lock, flags);
28105 - ldops->refcount--;
28106 + atomic_dec(&ldops->refcount);
28107 module_put(ldops->owner);
28108 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28110 diff -urNp linux-2.6.38.1/drivers/tty/vt/keyboard.c linux-2.6.38.1/drivers/tty/vt/keyboard.c
28111 --- linux-2.6.38.1/drivers/tty/vt/keyboard.c 2011-03-14 21:20:32.000000000 -0400
28112 +++ linux-2.6.38.1/drivers/tty/vt/keyboard.c 2011-03-21 18:31:35.000000000 -0400
28113 @@ -657,6 +657,16 @@ static void k_spec(struct vc_data *vc, u
28114 kbd->kbdmode == VC_MEDIUMRAW) &&
28115 value != KVAL(K_SAK))
28116 return; /* SAK is allowed even in raw mode */
28118 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
28120 + void *func = fn_handler[value];
28121 + if (func == fn_show_state || func == fn_show_ptregs ||
28122 + func == fn_show_mem)
28127 fn_handler[value](vc);
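Review bot: `func` is declared `void *` and then compared with `==` against function designators; converting a function pointer to `void *` is a GNU extension the kernel tolerates, but declaring it with the table's element type (`fn_handler_fn *`, if that is what `fn_handler` is declared with) keeps the comparison type-checked and avoids the conversion altogether. The body controlled by the `if` (gutter 28123–28126) is not visible in this rendering, so whether the matched handlers are skipped silently cannot be confirmed; a comment above the `#if`, e.g. `/* these handlers dump task, register and memory state to the console; hide them under the same option that restricts /proc */`, would record the intent for later readers. k_spec begins outside the hunk.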
28130 @@ -1413,7 +1423,7 @@ static const struct input_device_id kbd_
28131 .evbit = { BIT_MASK(EV_SND) },
28134 - { }, /* Terminating entry */
28135 + { 0 }, /* Terminating entry */
28138 MODULE_DEVICE_TABLE(input, kbd_ids);
28139 diff -urNp linux-2.6.38.1/drivers/tty/vt/vt.c linux-2.6.38.1/drivers/tty/vt/vt.c
28140 --- linux-2.6.38.1/drivers/tty/vt/vt.c 2011-03-14 21:20:32.000000000 -0400
28141 +++ linux-2.6.38.1/drivers/tty/vt/vt.c 2011-03-21 18:31:35.000000000 -0400
28142 @@ -262,7 +262,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
28144 static void notify_write(struct vc_data *vc, unsigned int unicode)
28146 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
28147 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
28148 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, ¶m);
28151 diff -urNp linux-2.6.38.1/drivers/tty/vt/vt_ioctl.c linux-2.6.38.1/drivers/tty/vt/vt_ioctl.c
28152 --- linux-2.6.38.1/drivers/tty/vt/vt_ioctl.c 2011-03-14 21:20:32.000000000 -0400
28153 +++ linux-2.6.38.1/drivers/tty/vt/vt_ioctl.c 2011-03-21 18:31:35.000000000 -0400
28154 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28155 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
28158 - if (!capable(CAP_SYS_TTY_CONFIG))
28163 key_map = key_maps[s];
28164 @@ -224,6 +221,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28165 val = (i ? K_HOLE : K_NOSUCHMAP);
28166 return put_user(val, &user_kbe->kb_value);
28168 + if (!capable(CAP_SYS_TTY_CONFIG))
28173 if (!i && v == K_NOSUCHMAP) {
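Review bot: The `capable(CAP_SYS_TTY_CONFIG)` check moves from before the keymap lookup to after the early `return put_user(...)` of the get path (gutter 28158 removed, 28168 added), so the capability is now consulted only on the set path; the statement it controls (gutter 28159 old, 28169 new) is not visible, presumably `perm = 0;`. The move preserves behaviour only if nothing between the two sites reads `perm`, which the hunk cannot confirm; the benefit, if intended, is that an unprivileged KDGKBENT no longer produces a capability denial in audit/LSM logs, and that deserves a comment such as `/* the read path above needs no privilege; test the capability only where it is enforced */`. The same move is made in do_kdgkb_ioctl at gutter 28178/28188; both functions start outside the hunks.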
28174 @@ -325,9 +325,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28178 - if (!capable(CAP_SYS_TTY_CONFIG))
28181 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
28184 @@ -361,6 +358,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28186 return ((p && *p) ? -EOVERFLOW : 0);
28188 + if (!capable(CAP_SYS_TTY_CONFIG))
28194 diff -urNp linux-2.6.38.1/drivers/uio/uio.c linux-2.6.38.1/drivers/uio/uio.c
28195 --- linux-2.6.38.1/drivers/uio/uio.c 2011-03-14 21:20:32.000000000 -0400
28196 +++ linux-2.6.38.1/drivers/uio/uio.c 2011-03-21 18:31:35.000000000 -0400
28198 #include <linux/kobject.h>
28199 #include <linux/cdev.h>
28200 #include <linux/uio_driver.h>
28201 +#include <asm/local.h>
28203 #define UIO_MAX_DEVICES (1U << MINORBITS)
28205 @@ -35,7 +36,7 @@ struct uio_device {
28207 struct fasync_struct *async_queue;
28208 wait_queue_head_t wait;
28210 + local_t vma_count;
28211 struct uio_info *info;
28212 struct kobject *map_dir;
28213 struct kobject *portio_dir;
28214 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
28215 static void uio_vma_open(struct vm_area_struct *vma)
28217 struct uio_device *idev = vma->vm_private_data;
28218 - idev->vma_count++;
28219 + local_inc(&idev->vma_count);
28222 static void uio_vma_close(struct vm_area_struct *vma)
28224 struct uio_device *idev = vma->vm_private_data;
28225 - idev->vma_count--;
28226 + local_dec(&idev->vma_count);
28229 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
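Review bot: `local_t` is the wrong type for `vma_count`: the kernel's local_ops documentation allows a `local_t` to be modified only by the CPU that owns it, and on several architectures `local_inc`/`local_dec` are plain non-atomic read-modify-writes, while `uio_vma_open`/`uio_vma_close` run in the context of whichever process maps the device and can race on different CPUs for the same `struct uio_device`. The original `idev->vma_count++` had the same race, so this is not a regression, but the new type suggests an atomicity it does not provide; `atomic_t` with `atomic_inc`/`atomic_dec` is the fitting replacement (`local_t vma_count;` → `atomic_t vma_count;` in the struct hunk above). The hvcs.c conversion in this patch is a different case: every access there is under `hvcsd->lock`, so the counter type does not affect correctness.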
28230 diff -urNp linux-2.6.38.1/drivers/usb/atm/cxacru.c linux-2.6.38.1/drivers/usb/atm/cxacru.c
28231 --- linux-2.6.38.1/drivers/usb/atm/cxacru.c 2011-03-14 21:20:32.000000000 -0400
28232 +++ linux-2.6.38.1/drivers/usb/atm/cxacru.c 2011-03-21 18:31:35.000000000 -0400
28233 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
28234 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
28237 - if (index < 0 || index > 0x7f)
28238 + if (index > 0x7f)
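Review bot: Dropping `index < 0` from the range check on sysfs input is correct only if `index` is unsigned, which is what the `%x` conversion in the `sscanf` above expects; if the variable is still declared `int` (its declaration is outside the hunk), a negative value now passes `index > 0x7f` and reaches whatever the index selects. Worth confirming the declaration, or making it `unsigned int index, value;` within the same change so the check is self-evidently complete. The analogous removals in fbcmap.c (`cmap->start < 0`) and fbmem.c (`con2fb.framebuffer < 0`) are safe as they stand, since `struct fb_cmap_user` and `struct fb_con2fbmap` declare those fields `__u32`.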
28242 diff -urNp linux-2.6.38.1/drivers/usb/atm/usbatm.c linux-2.6.38.1/drivers/usb/atm/usbatm.c
28243 --- linux-2.6.38.1/drivers/usb/atm/usbatm.c 2011-03-14 21:20:32.000000000 -0400
28244 +++ linux-2.6.38.1/drivers/usb/atm/usbatm.c 2011-03-21 18:31:35.000000000 -0400
28245 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
28246 if (printk_ratelimit())
28247 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
28248 __func__, vpi, vci);
28249 - atomic_inc(&vcc->stats->rx_err);
28250 + atomic_inc_unchecked(&vcc->stats->rx_err);
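Review bot: The switch to `atomic_inc_unchecked` carries no explanation in the hunk; a one-line comment at this first site, e.g. `/* stats counter, not a refcount: wrap-around is expected */`, would tell a later reader why these increments are treated differently from the reference counts converted elsewhere in the patch, if that is indeed the reason. It also presumes the `k_atm_aal_stats` fields are redeclared with the matching unchecked type in the ATM headers and that every other reader and writer of them is converted, which is outside this section. The same applies to the remaining usbatm.c hunks through the proc_read one at gutter 28307–28320.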
28254 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
28255 if (length > ATM_MAX_AAL5_PDU) {
28256 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
28257 __func__, length, vcc);
28258 - atomic_inc(&vcc->stats->rx_err);
28259 + atomic_inc_unchecked(&vcc->stats->rx_err);
28263 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
28264 if (sarb->len < pdu_length) {
28265 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
28266 __func__, pdu_length, sarb->len, vcc);
28267 - atomic_inc(&vcc->stats->rx_err);
28268 + atomic_inc_unchecked(&vcc->stats->rx_err);
28272 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
28273 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
28275 - atomic_inc(&vcc->stats->rx_err);
28276 + atomic_inc_unchecked(&vcc->stats->rx_err);
28280 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
28281 if (printk_ratelimit())
28282 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
28284 - atomic_inc(&vcc->stats->rx_drop);
28285 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28289 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
28291 vcc->push(vcc, skb);
28293 - atomic_inc(&vcc->stats->rx);
28294 + atomic_inc_unchecked(&vcc->stats->rx);
28298 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
28299 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28301 usbatm_pop(vcc, skb);
28302 - atomic_inc(&vcc->stats->tx);
28303 + atomic_inc_unchecked(&vcc->stats->tx);
28305 skb = skb_dequeue(&instance->sndqueue);
28307 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
28309 return sprintf(page,
28310 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28311 - atomic_read(&atm_dev->stats.aal5.tx),
28312 - atomic_read(&atm_dev->stats.aal5.tx_err),
28313 - atomic_read(&atm_dev->stats.aal5.rx),
28314 - atomic_read(&atm_dev->stats.aal5.rx_err),
28315 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28316 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28317 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28318 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28319 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28320 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28323 if (instance->disconnected)
28324 diff -urNp linux-2.6.38.1/drivers/usb/class/cdc-acm.c linux-2.6.38.1/drivers/usb/class/cdc-acm.c
28325 --- linux-2.6.38.1/drivers/usb/class/cdc-acm.c 2011-03-14 21:20:32.000000000 -0400
28326 +++ linux-2.6.38.1/drivers/usb/class/cdc-acm.c 2011-03-21 18:31:35.000000000 -0400
28327 @@ -1635,7 +1635,7 @@ static const struct usb_device_id acm_id
28328 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28329 USB_CDC_ACM_PROTO_AT_CDMA) },
28332 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28335 MODULE_DEVICE_TABLE(usb, acm_ids);
28336 diff -urNp linux-2.6.38.1/drivers/usb/class/usblp.c linux-2.6.38.1/drivers/usb/class/usblp.c
28337 --- linux-2.6.38.1/drivers/usb/class/usblp.c 2011-03-14 21:20:32.000000000 -0400
28338 +++ linux-2.6.38.1/drivers/usb/class/usblp.c 2011-03-21 18:31:35.000000000 -0400
28339 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
28340 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28341 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28342 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28347 static int usblp_wwait(struct usblp *usblp, int nonblock);
28348 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
28349 { USB_INTERFACE_INFO(7, 1, 2) },
28350 { USB_INTERFACE_INFO(7, 1, 3) },
28351 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28352 - { } /* Terminating entry */
28353 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28356 MODULE_DEVICE_TABLE(usb, usblp_ids);
28357 diff -urNp linux-2.6.38.1/drivers/usb/core/hcd.c linux-2.6.38.1/drivers/usb/core/hcd.c
28358 --- linux-2.6.38.1/drivers/usb/core/hcd.c 2011-03-23 17:20:07.000000000 -0400
28359 +++ linux-2.6.38.1/drivers/usb/core/hcd.c 2011-03-26 20:49:43.000000000 -0400
28360 @@ -2457,7 +2457,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28362 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28364 -struct usb_mon_operations *mon_ops;
28365 +const struct usb_mon_operations *mon_ops;
28368 * The registration is unlocked.
28369 @@ -2467,7 +2467,7 @@ struct usb_mon_operations *mon_ops;
28370 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28373 -int usb_mon_register (struct usb_mon_operations *ops)
28374 +int usb_mon_register (const struct usb_mon_operations *ops)
28378 diff -urNp linux-2.6.38.1/drivers/usb/core/hub.c linux-2.6.38.1/drivers/usb/core/hub.c
28379 --- linux-2.6.38.1/drivers/usb/core/hub.c 2011-03-14 21:20:32.000000000 -0400
28380 +++ linux-2.6.38.1/drivers/usb/core/hub.c 2011-03-21 18:31:35.000000000 -0400
28381 @@ -3492,7 +3492,7 @@ static const struct usb_device_id hub_id
28382 .bDeviceClass = USB_CLASS_HUB},
28383 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28384 .bInterfaceClass = USB_CLASS_HUB},
28385 - { } /* Terminating entry */
28386 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28389 MODULE_DEVICE_TABLE (usb, hub_id_table);
28390 diff -urNp linux-2.6.38.1/drivers/usb/core/message.c linux-2.6.38.1/drivers/usb/core/message.c
28391 --- linux-2.6.38.1/drivers/usb/core/message.c 2011-03-14 21:20:32.000000000 -0400
28392 +++ linux-2.6.38.1/drivers/usb/core/message.c 2011-03-21 18:31:35.000000000 -0400
28393 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28394 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28396 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28398 - smallbuf = kmalloc(++len, GFP_NOIO);
28400 + smallbuf = kmalloc(len, GFP_NOIO);
28403 memcpy(smallbuf, buf, len);
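Review bot: The new side shows `kmalloc(len, GFP_NOIO)` in place of `kmalloc(++len, ...)`, but the line that should now carry the increment (gutter 28399) is missing from this rendering, presumably `++len;`. If it is absent in the real patch, the buffer is one byte too small for the terminating NUL and the `memcpy(smallbuf, buf, len)` below copies an unterminated string that later `%s` consumers would overread; worth confirming against the source. Hoisting the side effect out of the call argument is itself a readability improvement. usb_cache_string starts and ends outside the hunk.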
28404 diff -urNp linux-2.6.38.1/drivers/usb/early/ehci-dbgp.c linux-2.6.38.1/drivers/usb/early/ehci-dbgp.c
28405 --- linux-2.6.38.1/drivers/usb/early/ehci-dbgp.c 2011-03-14 21:20:32.000000000 -0400
28406 +++ linux-2.6.38.1/drivers/usb/early/ehci-dbgp.c 2011-03-21 18:31:35.000000000 -0400
28407 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
28411 -static struct kgdb_io kgdbdbgp_io_ops;
28412 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
28413 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
28415 #define dbgp_kgdb_mode (0)
28416 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
28417 early_dbgp_write(NULL, &chr, 1);
28420 -static struct kgdb_io kgdbdbgp_io_ops = {
28421 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
28422 .name = "kgdbdbgp",
28423 .read_char = kgdbdbgp_read_char,
28424 .write_char = kgdbdbgp_write_char,
28425 diff -urNp linux-2.6.38.1/drivers/usb/host/ehci-pci.c linux-2.6.38.1/drivers/usb/host/ehci-pci.c
28426 --- linux-2.6.38.1/drivers/usb/host/ehci-pci.c 2011-03-14 21:20:32.000000000 -0400
28427 +++ linux-2.6.38.1/drivers/usb/host/ehci-pci.c 2011-03-21 18:31:35.000000000 -0400
28428 @@ -516,7 +516,7 @@ static const struct pci_device_id pci_id
28429 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28430 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28432 - { /* end: all zeroes */ }
28433 + { 0, 0, 0, 0, 0, 0, 0 }
28435 MODULE_DEVICE_TABLE(pci, pci_ids);
28437 diff -urNp linux-2.6.38.1/drivers/usb/host/uhci-hcd.c linux-2.6.38.1/drivers/usb/host/uhci-hcd.c
28438 --- linux-2.6.38.1/drivers/usb/host/uhci-hcd.c 2011-03-14 21:20:32.000000000 -0400
28439 +++ linux-2.6.38.1/drivers/usb/host/uhci-hcd.c 2011-03-21 18:31:35.000000000 -0400
28440 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
28441 /* handle any USB UHCI controller */
28442 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28443 .driver_data = (unsigned long) &uhci_driver,
28444 - }, { /* end: all zeroes */ }
28445 + }, { 0, 0, 0, 0, 0, 0, 0 }
28448 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28449 diff -urNp linux-2.6.38.1/drivers/usb/mon/mon_main.c linux-2.6.38.1/drivers/usb/mon/mon_main.c
28450 --- linux-2.6.38.1/drivers/usb/mon/mon_main.c 2011-03-14 21:20:32.000000000 -0400
28451 +++ linux-2.6.38.1/drivers/usb/mon/mon_main.c 2011-03-21 18:31:35.000000000 -0400
28452 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
28456 -static struct usb_mon_operations mon_ops_0 = {
28457 +static const struct usb_mon_operations mon_ops_0 = {
28458 .urb_submit = mon_submit,
28459 .urb_submit_error = mon_submit_error,
28460 .urb_complete = mon_complete,
28461 diff -urNp linux-2.6.38.1/drivers/usb/storage/debug.h linux-2.6.38.1/drivers/usb/storage/debug.h
28462 --- linux-2.6.38.1/drivers/usb/storage/debug.h 2011-03-14 21:20:32.000000000 -0400
28463 +++ linux-2.6.38.1/drivers/usb/storage/debug.h 2011-03-21 18:31:35.000000000 -0400
28464 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28465 #define US_DEBUGPX(x...) printk( x )
28466 #define US_DEBUG(x) x
28468 -#define US_DEBUGP(x...)
28469 -#define US_DEBUGPX(x...)
28470 -#define US_DEBUG(x)
28471 +#define US_DEBUGP(x...) do {} while (0)
28472 +#define US_DEBUGPX(x...) do {} while (0)
28473 +#define US_DEBUG(x) do {} while (0)
28477 diff -urNp linux-2.6.38.1/drivers/usb/storage/usb.c linux-2.6.38.1/drivers/usb/storage/usb.c
28478 --- linux-2.6.38.1/drivers/usb/storage/usb.c 2011-03-14 21:20:32.000000000 -0400
28479 +++ linux-2.6.38.1/drivers/usb/storage/usb.c 2011-03-21 18:31:35.000000000 -0400
28480 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28482 static struct us_unusual_dev us_unusual_dev_list[] = {
28483 # include "unusual_devs.h"
28484 - { } /* Terminating entry */
28485 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28489 diff -urNp linux-2.6.38.1/drivers/usb/storage/usual-tables.c linux-2.6.38.1/drivers/usb/storage/usual-tables.c
28490 --- linux-2.6.38.1/drivers/usb/storage/usual-tables.c 2011-03-14 21:20:32.000000000 -0400
28491 +++ linux-2.6.38.1/drivers/usb/storage/usual-tables.c 2011-03-21 18:31:35.000000000 -0400
28494 struct usb_device_id usb_storage_usb_ids[] = {
28495 # include "unusual_devs.h"
28496 - { } /* Terminating entry */
28497 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28499 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28501 diff -urNp linux-2.6.38.1/drivers/vhost/vhost.c linux-2.6.38.1/drivers/vhost/vhost.c
28502 --- linux-2.6.38.1/drivers/vhost/vhost.c 2011-03-14 21:20:32.000000000 -0400
28503 +++ linux-2.6.38.1/drivers/vhost/vhost.c 2011-03-21 18:31:35.000000000 -0400
28504 @@ -565,7 +565,7 @@ static int init_used(struct vhost_virtqu
28505 return get_user(vq->last_used_idx, &used->idx);
28508 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28509 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28511 struct file *eventfp, *filep = NULL,
28512 *pollstart = NULL, *pollstop = NULL;
28513 diff -urNp linux-2.6.38.1/drivers/video/fbcmap.c linux-2.6.38.1/drivers/video/fbcmap.c
28514 --- linux-2.6.38.1/drivers/video/fbcmap.c 2011-03-14 21:20:32.000000000 -0400
28515 +++ linux-2.6.38.1/drivers/video/fbcmap.c 2011-03-21 18:31:35.000000000 -0400
28516 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28520 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28521 - !info->fbops->fb_setcmap)) {
28522 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28526 diff -urNp linux-2.6.38.1/drivers/video/fbmem.c linux-2.6.38.1/drivers/video/fbmem.c
28527 --- linux-2.6.38.1/drivers/video/fbmem.c 2011-03-14 21:20:32.000000000 -0400
28528 +++ linux-2.6.38.1/drivers/video/fbmem.c 2011-03-21 18:31:35.000000000 -0400
28529 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28530 image->dx += image->width + 8;
28532 } else if (rotate == FB_ROTATE_UD) {
28533 - for (x = 0; x < num && image->dx >= 0; x++) {
28534 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28535 info->fbops->fb_imageblit(info, image);
28536 image->dx -= image->width + 8;
28538 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28539 image->dy += image->height + 8;
28541 } else if (rotate == FB_ROTATE_CCW) {
28542 - for (x = 0; x < num && image->dy >= 0; x++) {
28543 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28544 info->fbops->fb_imageblit(info, image);
28545 image->dy -= image->height + 8;
28547 @@ -1101,7 +1101,7 @@ static long do_fb_ioctl(struct fb_info *
28549 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28551 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28552 + if (con2fb.framebuffer >= FB_MAX)
28554 if (!registered_fb[con2fb.framebuffer])
28555 request_module("fb%d", con2fb.framebuffer);
28556 diff -urNp linux-2.6.38.1/drivers/video/fbmon.c linux-2.6.38.1/drivers/video/fbmon.c
28557 --- linux-2.6.38.1/drivers/video/fbmon.c 2011-03-14 21:20:32.000000000 -0400
28558 +++ linux-2.6.38.1/drivers/video/fbmon.c 2011-03-21 18:31:35.000000000 -0400
28561 #define DPRINTK(fmt, args...) printk(fmt,## args)
28563 -#define DPRINTK(fmt, args...)
28564 +#define DPRINTK(fmt, args...) do {} while (0)
28567 #define FBMON_FIX_HEADER 1
28568 diff -urNp linux-2.6.38.1/drivers/video/i810/i810_accel.c linux-2.6.38.1/drivers/video/i810/i810_accel.c
28569 --- linux-2.6.38.1/drivers/video/i810/i810_accel.c 2011-03-14 21:20:32.000000000 -0400
28570 +++ linux-2.6.38.1/drivers/video/i810/i810_accel.c 2011-03-21 18:31:35.000000000 -0400
28571 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28574 printk("ringbuffer lockup!!!\n");
28575 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28576 i810_report_error(mmio);
28577 par->dev_flags |= LOCKUP;
28578 info->pixmap.scan_align = 1;
28579 diff -urNp linux-2.6.38.1/drivers/video/i810/i810_main.c linux-2.6.38.1/drivers/video/i810/i810_main.c
28580 --- linux-2.6.38.1/drivers/video/i810/i810_main.c 2011-03-14 21:20:32.000000000 -0400
28581 +++ linux-2.6.38.1/drivers/video/i810/i810_main.c 2011-03-21 18:31:35.000000000 -0400
28582 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28583 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28584 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28585 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28587 + { 0, 0, 0, 0, 0, 0, 0 },
28590 static struct pci_driver i810fb_driver = {
28591 diff -urNp linux-2.6.38.1/drivers/video/modedb.c linux-2.6.38.1/drivers/video/modedb.c
28592 --- linux-2.6.38.1/drivers/video/modedb.c 2011-03-14 21:20:32.000000000 -0400
28593 +++ linux-2.6.38.1/drivers/video/modedb.c 2011-03-21 18:31:35.000000000 -0400
28594 @@ -40,255 +40,255 @@ static const struct fb_videomode modedb[
28596 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28597 { NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2, 0,
28598 - FB_VMODE_NONINTERLACED },
28599 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28601 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28602 { NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2, 0,
28603 - FB_VMODE_NONINTERLACED },
28604 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28606 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28607 { NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2, 0,
28608 - FB_VMODE_NONINTERLACED },
28609 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28611 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28612 { NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8, 0,
28613 - FB_VMODE_INTERLACED },
28614 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28616 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28617 { NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28618 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED },
28619 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28621 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28622 { NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3, 0,
28623 - FB_VMODE_NONINTERLACED },
28624 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28626 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28627 { NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3, 0,
28628 - FB_VMODE_NONINTERLACED },
28629 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28631 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28632 { NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28633 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28634 - FB_VMODE_NONINTERLACED },
28635 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28637 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28638 { NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3, 0,
28639 - FB_VMODE_NONINTERLACED },
28640 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28642 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28643 { NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10, 0,
28644 - FB_VMODE_INTERLACED },
28645 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28646 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28647 { NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28648 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28649 - FB_VMODE_NONINTERLACED },
28650 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28652 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28653 { NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6, 0,
28654 - FB_VMODE_NONINTERLACED },
28655 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28657 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28658 { NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6, 0,
28659 - FB_VMODE_NONINTERLACED },
28660 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28662 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28663 { NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8, 0,
28664 - FB_VMODE_NONINTERLACED },
28665 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28667 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28668 { NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5, 0,
28669 - FB_VMODE_NONINTERLACED },
28670 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28672 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28673 { NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6, 0,
28674 - FB_VMODE_NONINTERLACED },
28675 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28677 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28678 { NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12, 0,
28679 - FB_VMODE_INTERLACED },
28680 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28682 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28683 { NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6, 0,
28684 - FB_VMODE_NONINTERLACED },
28685 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28687 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28688 { NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3, 0,
28689 - FB_VMODE_NONINTERLACED },
28690 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28692 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28693 { NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10, 0,
28694 - FB_VMODE_NONINTERLACED },
28695 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28697 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28698 { NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3, 0,
28699 - FB_VMODE_NONINTERLACED },
28700 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28702 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28703 { NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3, 0,
28704 - FB_VMODE_NONINTERLACED },
28705 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28707 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28708 { NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28709 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28710 - FB_VMODE_NONINTERLACED },
28711 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28713 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28714 { NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28715 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28716 - FB_VMODE_NONINTERLACED },
28717 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28719 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28720 { NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6, 0,
28721 - FB_VMODE_NONINTERLACED },
28722 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28724 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28725 { NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12, 0,
28726 - FB_VMODE_NONINTERLACED },
28727 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28729 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28730 { NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8, 0,
28731 - FB_VMODE_NONINTERLACED },
28732 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28734 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28735 { NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28736 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28737 - FB_VMODE_NONINTERLACED },
28738 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28740 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28741 { NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12, 0,
28742 - FB_VMODE_NONINTERLACED },
28743 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28745 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28746 { NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3, 0,
28747 - FB_VMODE_NONINTERLACED },
28748 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28750 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28751 { NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10, 0,
28752 - FB_VMODE_NONINTERLACED },
28753 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28755 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28756 { NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3, 0,
28757 - FB_VMODE_NONINTERLACED },
28758 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28760 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28761 { NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3, 0,
28762 - FB_VMODE_NONINTERLACED },
28763 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28765 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28766 { NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19, 0,
28767 - FB_VMODE_NONINTERLACED },
28768 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28770 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28771 { NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28772 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28773 - FB_VMODE_NONINTERLACED },
28774 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28776 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28777 { NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28778 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28779 - FB_VMODE_NONINTERLACED },
28780 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28782 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28783 { NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28784 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28785 - FB_VMODE_NONINTERLACED },
28786 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28788 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28789 { NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28790 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28791 - FB_VMODE_NONINTERLACED },
28792 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28794 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28795 { NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15, 0,
28796 - FB_VMODE_NONINTERLACED },
28797 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28799 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28800 { NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28801 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28802 - FB_VMODE_NONINTERLACED },
28803 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28805 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28806 { NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28807 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28808 - FB_VMODE_NONINTERLACED },
28809 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28811 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28812 { NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3, 0,
28813 - FB_VMODE_NONINTERLACED },
28814 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28816 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28817 { NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3, 0,
28818 - FB_VMODE_NONINTERLACED },
28819 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28821 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28822 { NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1, 0,
28823 - FB_VMODE_DOUBLE },
28824 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28826 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28827 { NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1, 0,
28828 - FB_VMODE_DOUBLE },
28829 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28831 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28832 { NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2, 0,
28833 - FB_VMODE_DOUBLE },
28834 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28836 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28837 { NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1, 0,
28838 - FB_VMODE_DOUBLE },
28839 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28841 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28842 { NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2, 0,
28843 - FB_VMODE_DOUBLE },
28844 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28846 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28847 { NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3, 0,
28848 - FB_VMODE_DOUBLE },
28849 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28851 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28852 { NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1, 0,
28853 - FB_VMODE_DOUBLE },
28854 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28856 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28857 { NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2, 0,
28858 - FB_VMODE_DOUBLE },
28859 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28861 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28862 { NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2, 0,
28863 - FB_VMODE_DOUBLE },
28864 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28866 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28867 { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0,
28868 - FB_VMODE_DOUBLE },
28869 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28871 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28872 { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28873 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28874 - FB_VMODE_NONINTERLACED },
28875 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28877 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28878 { NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28879 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28880 - FB_VMODE_NONINTERLACED },
28881 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28883 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28884 { NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5, 0,
28885 - FB_VMODE_NONINTERLACED },
28886 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28888 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28889 { NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3, 0,
28890 - FB_VMODE_NONINTERLACED },
28891 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28893 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28894 { NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5, 0,
28895 - FB_VMODE_INTERLACED },
28896 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28898 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28899 { NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5, 0,
28900 - FB_VMODE_INTERLACED },
28901 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28903 /* 864x480 @ 60 Hz, 35.15 kHz hsync */
28904 { NULL, 60, 864, 480, 27777, 1, 1, 1, 1, 0, 0,
28905 - 0, FB_VMODE_NONINTERLACED },
28906 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28909 #ifdef CONFIG_FB_MODE_HELPERS
28910 diff -urNp linux-2.6.38.1/drivers/video/pxa3xx-gcu.c linux-2.6.38.1/drivers/video/pxa3xx-gcu.c
28911 --- linux-2.6.38.1/drivers/video/pxa3xx-gcu.c 2011-03-14 21:20:32.000000000 -0400
28912 +++ linux-2.6.38.1/drivers/video/pxa3xx-gcu.c 2011-03-21 18:31:35.000000000 -0400
28913 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
28914 dma_addr_t shared_phys;
28915 struct resource *resource_mem;
28916 struct miscdevice misc_dev;
28917 - struct file_operations misc_fops;
28918 + const struct file_operations misc_fops;
28919 wait_queue_head_t wait_idle;
28920 wait_queue_head_t wait_free;
28921 spinlock_t spinlock;
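Review bot: Qualifying the embedded member as `const struct file_operations misc_fops;` inside struct pxa3xx_gcu_priv gives no runtime protection: a member of a heap-allocated private struct is not placed in .rodata, so it stays writable to any kernel write primitive, unlike a file-scope `static const struct file_operations`. What the qualifier does do is make the member unassignable after allocation, so this only compiles if nothing in the driver writes through it — in which case the member looks dead and removing it (or pointing misc_dev.fops at a file-scope const table) would express the intent better. How the member is initialised is not shown in this chunk, so that is something to confirm in probe().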
28922 diff -urNp linux-2.6.38.1/drivers/video/uvesafb.c linux-2.6.38.1/drivers/video/uvesafb.c
28923 --- linux-2.6.38.1/drivers/video/uvesafb.c 2011-03-14 21:20:32.000000000 -0400
28924 +++ linux-2.6.38.1/drivers/video/uvesafb.c 2011-03-21 18:31:35.000000000 -0400
28926 #include <linux/io.h>
28927 #include <linux/mutex.h>
28928 #include <linux/slab.h>
28929 +#include <linux/moduleloader.h>
28930 #include <video/edid.h>
28931 #include <video/uvesafb.h>
28933 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28937 - return call_usermodehelper(v86d_path, argv, envp, 1);
28938 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28942 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
28943 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28944 par->pmi_setpal = par->ypan = 0;
28947 +#ifdef CONFIG_PAX_KERNEXEC
28948 +#ifdef CONFIG_MODULES
28949 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28951 + if (!par->pmi_code) {
28952 + par->pmi_setpal = par->ypan = 0;
28957 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28958 + task->t.regs.edi);
28960 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28961 + pax_open_kernel();
28962 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
28963 + pax_close_kernel();
28965 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28966 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28968 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28969 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28972 printk(KERN_INFO "uvesafb: protected mode interface info at "
28974 (u16)task->t.regs.es, (u16)task->t.regs.edi);
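Review bot: The entry offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without ever being compared with the copied length `(u16)task->t.regs.ecx`, so an inconsistent table returned by v86d yields function pointers past the end of the module_alloc_exec() region, and a length under 6 bytes means the offsets were not even part of the copy. The table comes from a user-mode helper, so it deserves the same scepticism as the `es < 0xc000` test above. Before deriving the pointers, add `if ((u16)task->t.regs.ecx < 3 * sizeof(u16) || par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)` and take the same disable-and-return path the allocation-failure branch uses, freeing pmi_code when KERNEXEC allocated it. The non-KERNEXEC `#else` branch is only partly visible here.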
28975 @@ -1800,6 +1823,11 @@ out:
28976 if (par->vbe_modes)
28977 kfree(par->vbe_modes);
28979 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28980 + if (par->pmi_code)
28981 + module_free_exec(NULL, par->pmi_code);
28984 framebuffer_release(info);
28987 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
28988 kfree(par->vbe_state_orig);
28989 if (par->vbe_state_saved)
28990 kfree(par->vbe_state_saved);
28992 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28993 + if (par->pmi_code)
28994 + module_free_exec(NULL, par->pmi_code);
28999 framebuffer_release(info);
29000 diff -urNp linux-2.6.38.1/drivers/video/vesafb.c linux-2.6.38.1/drivers/video/vesafb.c
29001 --- linux-2.6.38.1/drivers/video/vesafb.c 2011-03-14 21:20:32.000000000 -0400
29002 +++ linux-2.6.38.1/drivers/video/vesafb.c 2011-03-21 18:31:35.000000000 -0400
29006 #include <linux/module.h>
29007 +#include <linux/moduleloader.h>
29008 #include <linux/kernel.h>
29009 #include <linux/errno.h>
29010 #include <linux/string.h>
29011 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
29012 static int vram_total __initdata; /* Set total amount of memory */
29013 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29014 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29015 -static void (*pmi_start)(void) __read_mostly;
29016 -static void (*pmi_pal) (void) __read_mostly;
29017 +static void (*pmi_start)(void) __read_only;
29018 +static void (*pmi_pal) (void) __read_only;
29019 static int depth __read_mostly;
29020 static int vga_compat __read_mostly;
29021 /* --------------------------------------------------------------------- */
29022 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29023 unsigned int size_vmode;
29024 unsigned int size_remap;
29025 unsigned int size_total;
29026 + void *pmi_code = NULL;
29028 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29030 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29031 size_remap = size_total;
29032 vesafb_fix.smem_len = size_remap;
29035 - screen_info.vesapm_seg = 0;
29038 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29039 printk(KERN_WARNING
29040 "vesafb: cannot reserve video memory at 0x%lx\n",
29041 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29042 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29043 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29047 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29048 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29050 +#elif !defined(CONFIG_PAX_KERNEXEC)
29055 + screen_info.vesapm_seg = 0;
29057 if (screen_info.vesapm_seg) {
29058 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29059 - screen_info.vesapm_seg,screen_info.vesapm_off);
29060 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29061 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29064 if (screen_info.vesapm_seg < 0xc000)
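Review bot: `pmi_code = module_alloc_exec(screen_info.vesapm_size);` runs before any of the conditions that decide whether the PMI code is used — the `vesapm_seg < 0xc000` test right below and the `ypan || pmi_setpal` test where the copy happens later in probe — so on the paths where PMI ends up disabled the buffer is never referenced, and because `pmi_code` is a local it is unreachable once probe returns, unless lines omitted from this view free it. That leaks a page that was mapped executable, which is exactly what KERNEXEC tries not to hand out. Moving the allocation into the `if (ypan || pmi_setpal)` block after the segment checks, or freeing it wherever `screen_info.vesapm_seg = 0` is set, avoids it. A zero `vesapm_size` also reaches the allocator unchecked; the lines following the call are not all shown here.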
29065 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29067 if (ypan || pmi_setpal) {
29068 unsigned short *pmi_base;
29069 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29070 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29071 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29073 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29075 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29076 + pax_open_kernel();
29077 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29079 + pmi_code = pmi_base;
29082 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29083 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29085 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29086 + pmi_start = ktva_ktla(pmi_start);
29087 + pmi_pal = ktva_ktla(pmi_pal);
29088 + pax_close_kernel();
29091 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29093 printk(KERN_INFO "vesafb: pmi: ports = ");
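Review bot: `pmi_start`/`pmi_pal` are formed as `pmi_code + pmi_base[1]` and `pmi_code + pmi_base[2]` without checking those offsets against `screen_info.vesapm_size`, the number of bytes actually copied into the executable buffer, so an inconsistent VBE table leaves the kernel calling into whatever follows the copy. The offsets are firmware-provided data that the driver otherwise does sanity-check (the `< 0xc000` segment test). A guard such as `if (pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size) { ypan = pmi_setpal = 0; }` before the pointer setup, inside the pax_open_kernel()/pax_close_kernel() window, would bound them; the non-KERNEXEC branch (`pmi_code = pmi_base`) needs the same check. The open and close calls sit in two separate `#if` blocks, which is correct but worth a one-line comment so nobody reorders them.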
29094 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29095 info->node, info->fix.id);
29099 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29100 + module_free_exec(NULL, pmi_code);
29103 if (info->screen_base)
29104 iounmap(info->screen_base);
29105 framebuffer_release(info);
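Review bot: This error-path free is guarded by `#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)`, while the matching allocation earlier in probe is guarded by `#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)` without the `__i386__` condition, so on any non-i386 build with KERNEXEC enabled the module_alloc_exec() buffer is never released when probe fails. Whether such a configuration exists is not visible here, but the two guards should be identical either way; dropping `defined(__i386__)` from this one is the simplest fix. The call is also unconditional on `pmi_code`, so it relies on module_free_exec() accepting NULL — confirm that or add `if (pmi_code)`.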
29106 diff -urNp linux-2.6.38.1/fs/9p/vfs_inode.c linux-2.6.38.1/fs/9p/vfs_inode.c
29107 --- linux-2.6.38.1/fs/9p/vfs_inode.c 2011-03-14 21:20:32.000000000 -0400
29108 +++ linux-2.6.38.1/fs/9p/vfs_inode.c 2011-03-21 18:31:35.000000000 -0400
29109 @@ -1094,7 +1094,7 @@ static void *v9fs_vfs_follow_link(struct
29111 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29113 - char *s = nd_get_link(nd);
29114 + const char *s = nd_get_link(nd);
29116 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29117 IS_ERR(s) ? "<error>" : s);
29118 diff -urNp linux-2.6.38.1/fs/aio.c linux-2.6.38.1/fs/aio.c
29119 --- linux-2.6.38.1/fs/aio.c 2011-03-14 21:20:32.000000000 -0400
29120 +++ linux-2.6.38.1/fs/aio.c 2011-03-21 18:31:35.000000000 -0400
29121 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29122 size += sizeof(struct io_event) * nr_events;
29123 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29125 - if (nr_pages < 0)
29126 + if (nr_pages <= 0)
29129 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
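Review bot: `nr_pages <= 0` catches a size that wrapped to zero, but the hazard is the `size += sizeof(struct io_event) * nr_events;` line above and the truncating `nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;` assignment: a wrapped `size` can still yield a small positive nr_pages that neither comparison rejects, after which `nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event)` silently shrinks the ring. The declarations of nr_events and nr_pages are outside this hunk, so this is hedged, but the robust form is to reject the overflow where it happens, `if (nr_events > (ULONG_MAX - sizeof(struct aio_ring)) / sizeof(struct io_event)) return -EINVAL;` before the multiplication. If the caller's existing cap on nr_events already makes this unreachable, a comment saying that is the real check would help.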
29130 diff -urNp linux-2.6.38.1/fs/attr.c linux-2.6.38.1/fs/attr.c
29131 --- linux-2.6.38.1/fs/attr.c 2011-03-14 21:20:32.000000000 -0400
29132 +++ linux-2.6.38.1/fs/attr.c 2011-03-21 18:31:35.000000000 -0400
29133 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
29134 unsigned long limit;
29136 limit = rlimit(RLIMIT_FSIZE);
29137 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29138 if (limit != RLIM_INFINITY && offset > limit)
29140 if (offset > inode->i_sb->s_maxbytes)
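Review bot: The new `gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);` casts `offset` to unsigned long; if `offset` is the usual loff_t of inode_newsize_ok() (the parameter list is cut off at the hunk start), that cast truncates on 32-bit kernels, so the value recorded for learning can be far smaller than the one compared against `limit` on the next line, and a learned RLIMIT_FSIZE policy could then be too tight for the program it was derived from. Assuming offset is non-negative here, saturating instead of truncating, `(unsigned long)(offset > ULONG_MAX ? ULONG_MAX : offset)`, keeps the learned figure conservative. This is hedged because neither the parameter type nor gr_learn_resource()'s prototype is in this chunk.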
29141 diff -urNp linux-2.6.38.1/fs/befs/linuxvfs.c linux-2.6.38.1/fs/befs/linuxvfs.c
29142 --- linux-2.6.38.1/fs/befs/linuxvfs.c 2011-03-14 21:20:32.000000000 -0400
29143 +++ linux-2.6.38.1/fs/befs/linuxvfs.c 2011-03-21 18:31:35.000000000 -0400
29144 @@ -499,7 +499,7 @@ static void befs_put_link(struct dentry
29146 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29147 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29148 - char *link = nd_get_link(nd);
29149 + const char *link = nd_get_link(nd);
29153 diff -urNp linux-2.6.38.1/fs/binfmt_aout.c linux-2.6.38.1/fs/binfmt_aout.c
29154 --- linux-2.6.38.1/fs/binfmt_aout.c 2011-03-14 21:20:32.000000000 -0400
29155 +++ linux-2.6.38.1/fs/binfmt_aout.c 2011-03-21 18:31:35.000000000 -0400
29157 #include <linux/string.h>
29158 #include <linux/fs.h>
29159 #include <linux/file.h>
29160 +#include <linux/security.h>
29161 #include <linux/stat.h>
29162 #include <linux/fcntl.h>
29163 #include <linux/ptrace.h>
29164 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29166 # define START_STACK(u) ((void __user *)u.start_stack)
29168 + memset(&dump, 0, sizeof(dump));
29173 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29175 /* If the size of the dump file exceeds the rlimit, then see what would happen
29176 if we wrote the stack, but not the data area. */
29177 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
29178 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
29181 /* Make sure we have enough room to write the stack and data areas. */
29182 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
29183 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29186 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
29187 rlim = rlimit(RLIMIT_DATA);
29188 if (rlim >= RLIM_INFINITY)
29191 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29192 if (ex.a_data + ex.a_bss > rlim)
29195 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
29196 install_exec_creds(bprm);
29197 current->flags &= ~PF_FORKNOEXEC;
29199 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29200 + current->mm->pax_flags = 0UL;
29203 +#ifdef CONFIG_PAX_PAGEEXEC
29204 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29205 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29207 +#ifdef CONFIG_PAX_EMUTRAMP
29208 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29209 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29212 +#ifdef CONFIG_PAX_MPROTECT
29213 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29214 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29220 if (N_MAGIC(ex) == OMAGIC) {
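Review bot: This block derives the mm's PaX flags purely from the executable's N_FLAGS bits and, unlike the ELF loader later in this patch, neither validates the result nor consults the ACL hook (`pax_set_initial_flags` / `pax_set_initial_flags_func`), so an RBAC-driven PaX policy would not apply to a.out binaries and a binary carrying the F_PAX_PAGEEXEC opt-out bit gets a non-PAGEEXEC mm with no policy override. If that asymmetry is intended (a.out being legacy-only), a comment at the top of the block such as `/* a.out: flags come from N_FLAGS only; no RBAC override, no SEGMEXEC support */` would keep the next reader from assuming the ELF behaviour. The closing brace of the PAGEEXEC block is not shown here.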
29221 unsigned long text_addr, map_size;
29223 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
29225 down_write(¤t->mm->mmap_sem);
29226 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29227 - PROT_READ | PROT_WRITE | PROT_EXEC,
29228 + PROT_READ | PROT_WRITE,
29229 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29230 fd_offset + ex.a_text);
29231 up_write(¤t->mm->mmap_sem);
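Review bot: Dropping PROT_EXEC from the data-segment do_mmap() here is unconditional — it is tied neither to CONFIG_PAX_PAGEEXEC nor to the MF_PAX_PAGEEXEC flag derived from N_FLAGS a few lines earlier — so even an a.out binary that opts out of PAGEEXEC through its header gets a non-executable data mapping, and a legacy program that executes code from .data will fault regardless of its marking. That may well be intended, but it should be stated: a comment such as `/* data is never mapped executable; PaX markings cannot re-enable it */` above the call, or, if the opt-out is meant to be honoured, `(current->mm->pax_flags & MF_PAX_PAGEEXEC) ? (PROT_READ | PROT_WRITE) : (PROT_READ | PROT_WRITE | PROT_EXEC)` in place of the fixed protection. The text-segment mapping and the set_brk() for bss are outside this hunk, so whether they received matching treatment is not visible.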
29232 diff -urNp linux-2.6.38.1/fs/binfmt_elf.c linux-2.6.38.1/fs/binfmt_elf.c
29233 --- linux-2.6.38.1/fs/binfmt_elf.c 2011-03-14 21:20:32.000000000 -0400
29234 +++ linux-2.6.38.1/fs/binfmt_elf.c 2011-03-21 18:31:35.000000000 -0400
29235 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29236 #define elf_core_dump NULL
29239 +#ifdef CONFIG_PAX_MPROTECT
29240 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29243 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29244 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29246 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29247 .load_binary = load_elf_binary,
29248 .load_shlib = load_elf_library,
29249 .core_dump = elf_core_dump,
29251 +#ifdef CONFIG_PAX_MPROTECT
29252 + .handle_mprotect= elf_handle_mprotect,
29255 .min_coredump = ELF_EXEC_PAGESIZE,
29258 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
29260 static int set_brk(unsigned long start, unsigned long end)
29262 + unsigned long e = end;
29264 start = ELF_PAGEALIGN(start);
29265 end = ELF_PAGEALIGN(end);
29267 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
29268 if (BAD_ADDR(addr))
29271 - current->mm->start_brk = current->mm->brk = end;
29272 + current->mm->start_brk = current->mm->brk = e;
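Review bot: set_brk() now stores the caller's unaligned `e` in `start_brk`/`brk` while the mapping it creates still covers the page-aligned `end`, and nothing in the hunk says why; a reader seeing `current->mm->start_brk = current->mm->brk = e;` next to `end = ELF_PAGEALIGN(end);` will take it for an oversight and "fix" it. A comment on the assignment is needed, e.g. `/* NOTE: brk deliberately starts at the unaligned end of bss, not at the page boundary */`, worded with the actual reason, since that intent is not visible here. Anything that assumes brk is page-aligned right after exec should be checked against this change.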
29276 @@ -148,7 +159,7 @@ create_elf_tables(struct linux_binprm *b
29277 elf_addr_t __user *u_rand_bytes;
29278 const char *k_platform = ELF_PLATFORM;
29279 const char *k_base_platform = ELF_BASE_PLATFORM;
29280 - unsigned char k_rand_bytes[16];
29281 + u32 k_rand_bytes[4];
29283 elf_addr_t *elf_info;
29285 @@ -195,8 +206,12 @@ create_elf_tables(struct linux_binprm *b
29286 * Generate 16 random bytes for userspace PRNG seeding.
29288 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29289 - u_rand_bytes = (elf_addr_t __user *)
29290 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29291 + srandom32(k_rand_bytes[0] ^ random32());
29292 + srandom32(k_rand_bytes[1] ^ random32());
29293 + srandom32(k_rand_bytes[2] ^ random32());
29294 + srandom32(k_rand_bytes[3] ^ random32());
29295 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29296 + u_rand_bytes = (elf_addr_t __user *) p;
29297 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
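Review bot: `u_rand_bytes = (elf_addr_t __user *) p;` after `p = STACK_ROUND(p, sizeof(k_rand_bytes));` is only right for stacks that grow down: with CONFIG_STACK_GROWSUP, STACK_ROUND() (defined above this hunk, so this is inferred from its use below) yields a position past the reserved slot, the 16 bytes land in the next free area, and the following STACK_ALLOC() for the platform string would reuse the same addresses. Keeping `u_rand_bytes = (elf_addr_t __user *) STACK_ALLOC(p, sizeof(k_rand_bytes));` and doing only the alignment rounding beforehand preserves the original slot semantics in both stack directions. Separately, the four `srandom32(k_rand_bytes[i] ^ random32())` calls reseed the kernel's non-cryptographic PRNG with values that are also handed to userspace via AT_RANDOM; the XOR with random32() masks them, but a comment should state that this only perturbs random32 state and that nothing security-relevant may depend on its unpredictability.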
29300 @@ -381,10 +396,10 @@ static unsigned long load_elf_interp(str
29302 struct elf_phdr *elf_phdata;
29303 struct elf_phdr *eppnt;
29304 - unsigned long load_addr = 0;
29305 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29306 int load_addr_set = 0;
29307 unsigned long last_bss = 0, elf_bss = 0;
29308 - unsigned long error = ~0UL;
29309 + unsigned long error = -EINVAL;
29310 unsigned long total_size;
29311 int retval, i, size;
29313 @@ -430,6 +445,11 @@ static unsigned long load_elf_interp(str
29317 +#ifdef CONFIG_PAX_SEGMEXEC
29318 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29319 + pax_task_size = SEGMEXEC_TASK_SIZE;
29322 eppnt = elf_phdata;
29323 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29324 if (eppnt->p_type == PT_LOAD) {
29325 @@ -473,8 +493,8 @@ static unsigned long load_elf_interp(str
29326 k = load_addr + eppnt->p_vaddr;
29328 eppnt->p_filesz > eppnt->p_memsz ||
29329 - eppnt->p_memsz > TASK_SIZE ||
29330 - TASK_SIZE - eppnt->p_memsz < k) {
29331 + eppnt->p_memsz > pax_task_size ||
29332 + pax_task_size - eppnt->p_memsz < k) {
29336 @@ -528,6 +548,177 @@ out:
29340 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29341 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29343 + unsigned long pax_flags = 0UL;
29345 +#ifdef CONFIG_PAX_PAGEEXEC
29346 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29347 + pax_flags |= MF_PAX_PAGEEXEC;
29350 +#ifdef CONFIG_PAX_SEGMEXEC
29351 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29352 + pax_flags |= MF_PAX_SEGMEXEC;
29355 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29356 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29357 + if ((__supported_pte_mask & _PAGE_NX))
29358 + pax_flags &= ~MF_PAX_SEGMEXEC;
29360 + pax_flags &= ~MF_PAX_PAGEEXEC;
29364 +#ifdef CONFIG_PAX_EMUTRAMP
29365 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29366 + pax_flags |= MF_PAX_EMUTRAMP;
29369 +#ifdef CONFIG_PAX_MPROTECT
29370 + if (elf_phdata->p_flags & PF_MPROTECT)
29371 + pax_flags |= MF_PAX_MPROTECT;
29374 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29375 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29376 + pax_flags |= MF_PAX_RANDMMAP;
29379 + return pax_flags;
29383 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29384 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29386 + unsigned long pax_flags = 0UL;
29388 +#ifdef CONFIG_PAX_PAGEEXEC
29389 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29390 + pax_flags |= MF_PAX_PAGEEXEC;
29393 +#ifdef CONFIG_PAX_SEGMEXEC
29394 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29395 + pax_flags |= MF_PAX_SEGMEXEC;
29398 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29399 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29400 + if ((__supported_pte_mask & _PAGE_NX))
29401 + pax_flags &= ~MF_PAX_SEGMEXEC;
29403 + pax_flags &= ~MF_PAX_PAGEEXEC;
29407 +#ifdef CONFIG_PAX_EMUTRAMP
29408 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29409 + pax_flags |= MF_PAX_EMUTRAMP;
29412 +#ifdef CONFIG_PAX_MPROTECT
29413 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29414 + pax_flags |= MF_PAX_MPROTECT;
29417 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29418 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29419 + pax_flags |= MF_PAX_RANDMMAP;
29422 + return pax_flags;
29426 +#ifdef CONFIG_PAX_EI_PAX
29427 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29429 + unsigned long pax_flags = 0UL;
29431 +#ifdef CONFIG_PAX_PAGEEXEC
29432 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29433 + pax_flags |= MF_PAX_PAGEEXEC;
29436 +#ifdef CONFIG_PAX_SEGMEXEC
29437 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29438 + pax_flags |= MF_PAX_SEGMEXEC;
29441 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29442 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29443 + if ((__supported_pte_mask & _PAGE_NX))
29444 + pax_flags &= ~MF_PAX_SEGMEXEC;
29446 + pax_flags &= ~MF_PAX_PAGEEXEC;
29450 +#ifdef CONFIG_PAX_EMUTRAMP
29451 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29452 + pax_flags |= MF_PAX_EMUTRAMP;
29455 +#ifdef CONFIG_PAX_MPROTECT
29456 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29457 + pax_flags |= MF_PAX_MPROTECT;
29460 +#ifdef CONFIG_PAX_ASLR
29461 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29462 + pax_flags |= MF_PAX_RANDMMAP;
29465 + return pax_flags;
29469 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29470 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29472 + unsigned long pax_flags = 0UL;
29474 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29478 +#ifdef CONFIG_PAX_EI_PAX
29479 + pax_flags = pax_parse_ei_pax(elf_ex);
29482 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29483 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29484 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29485 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29486 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29487 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29488 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29489 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29492 +#ifdef CONFIG_PAX_SOFTMODE
29493 + if (pax_softmode)
29494 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29498 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29503 + if (0 > pax_check_flags(&pax_flags))
29506 + current->mm->pax_flags = pax_flags;
29512 * These are the functions used to load ELF style executables and shared
29513 * libraries. There is no binary dependent code anywhere else.
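Review bot: The PAGEEXEC/SEGMEXEC conflict resolution — `if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))` followed by the `__supported_pte_mask & _PAGE_NX` choice — is written out three times, in pax_parse_softmode(), pax_parse_hardmode() and pax_parse_ei_pax(), under the same `#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)` guard; that is the kind of duplication where one copy eventually drifts. Factoring it into one static helper keeps the policy in a single place and gives it the comment it currently lacks. `__supported_pte_mask` and `_PAGE_NX` are x86 symbols appearing in generic fs/ code; the guard makes that safe only as long as CONFIG_PAX_SEGMEXEC stays x86-only, which deserves a note. The PT_PAX_FLAGS loop in pax_parse_elf_flags() shows no `break` in the lines visible here, so if several PT_PAX_FLAGS headers are present the last one wins; if the omitted lines after the hardmode call do not stop the loop, either say that is intended or stop at the first.
```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/*
 * PAGEEXEC and SEGMEXEC are mutually exclusive: keep PAGEEXEC when the
 * CPU supports NX, fall back to SEGMEXEC otherwise.  __supported_pte_mask
 * and _PAGE_NX are x86-only, as is CONFIG_PAX_SEGMEXEC.
 */
static unsigned long pax_pick_noexec_method(unsigned long pax_flags)
{
	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
		if (__supported_pte_mask & _PAGE_NX)
			pax_flags &= ~MF_PAX_SEGMEXEC;
		else
			pax_flags &= ~MF_PAX_PAGEEXEC;
	}
	return pax_flags;
}
#else
#define pax_pick_noexec_method(flags) (flags)
#endif

/* … unchanged: flag collection in pax_parse_softmode(), pax_parse_hardmode(), pax_parse_ei_pax() … */
	pax_flags = pax_pick_noexec_method(pax_flags);
```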
29514 @@ -544,6 +735,11 @@ static unsigned long randomize_stack_top
29516 unsigned int random_variable = 0;
29518 +#ifdef CONFIG_PAX_RANDUSTACK
29519 + if (randomize_va_space)
29520 + return stack_top - current->mm->delta_stack;
29523 if ((current->flags & PF_RANDOMIZE) &&
29524 !(current->personality & ADDR_NO_RANDOMIZE)) {
29525 random_variable = get_random_int() & STACK_RND_MASK;
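Review bot: The early `return stack_top - current->mm->delta_stack;` at 29519–29520 fires on `randomize_va_space` alone and bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` checks that follow it. Since `delta_stack` is reset to 0 and only assigned under `MF_PAX_RANDMMAP` (910 hunk, 29568 and 29616), a binary whose PaX flags clear RANDMMAP now gets no stack-top randomization at all, not even the stock one, and the personality-based opt-out no longer has any effect. If that is the intended semantics, say so where the reader will look: `/* PaX: RANDUSTACK replaces the stock randomization; delta_stack is 0 when RANDMMAP is off */`.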
29526 @@ -562,7 +758,7 @@ static int load_elf_binary(struct linux_
29527 unsigned long load_addr = 0, load_bias = 0;
29528 int load_addr_set = 0;
29529 char * elf_interpreter = NULL;
29530 - unsigned long error;
29531 + unsigned long error = 0;
29532 struct elf_phdr *elf_ppnt, *elf_phdata;
29533 unsigned long elf_bss, elf_brk;
29535 @@ -572,11 +768,11 @@ static int load_elf_binary(struct linux_
29536 unsigned long start_code, end_code, start_data, end_data;
29537 unsigned long reloc_func_desc = 0;
29538 int executable_stack = EXSTACK_DEFAULT;
29539 - unsigned long def_flags = 0;
29541 struct elfhdr elf_ex;
29542 struct elfhdr interp_elf_ex;
29544 + unsigned long pax_task_size = TASK_SIZE;
29546 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29548 @@ -714,11 +910,80 @@ static int load_elf_binary(struct linux_
29550 /* OK, This is the point of no return */
29551 current->flags &= ~PF_FORKNOEXEC;
29552 - current->mm->def_flags = def_flags;
29554 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29555 + current->mm->pax_flags = 0UL;
29558 +#ifdef CONFIG_PAX_DLRESOLVE
29559 + current->mm->call_dl_resolve = 0UL;
29562 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29563 + current->mm->call_syscall = 0UL;
29566 +#ifdef CONFIG_PAX_ASLR
29567 + current->mm->delta_mmap = 0UL;
29568 + current->mm->delta_stack = 0UL;
29571 + current->mm->def_flags = 0;
29573 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29574 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29575 + send_sig(SIGKILL, current, 0);
29576 + goto out_free_dentry;
29580 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29581 + pax_set_initial_flags(bprm);
29582 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29583 + if (pax_set_initial_flags_func)
29584 + (pax_set_initial_flags_func)(bprm);
29587 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29588 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29589 + current->mm->context.user_cs_limit = PAGE_SIZE;
29590 + current->mm->def_flags |= VM_PAGEEXEC;
29594 +#ifdef CONFIG_PAX_SEGMEXEC
29595 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29596 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29597 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29598 + pax_task_size = SEGMEXEC_TASK_SIZE;
29602 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29603 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29604 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29609 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29610 may depend on the personality. */
29611 SET_PERSONALITY(loc->elf_ex);
29613 +#ifdef CONFIG_PAX_ASLR
29614 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29615 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29616 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29620 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29621 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29622 + executable_stack = EXSTACK_DISABLE_X;
29623 + current->personality &= ~READ_IMPLIES_EXEC;
29627 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29628 current->personality |= READ_IMPLIES_EXEC;
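Review bot: The new failure path at 29574–29576 sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`; every other SIGKILL path in load_elf_binary sets `retval = -EINVAL;` (or the elf_map error) first, and at this point `retval` presumably still holds the 0 returned by flush_old_exec (outside the hunk), so the loader would report success for an image it just killed. Add `retval = -EINVAL;` before the `goto`; the pending SIGKILL makes it mostly cosmetic, but the return value is what search_binary_handler acts on. Separately, `set_user_cs(..., get_cpu())` at 29604 disables preemption and the matching `put_cpu()` would have to sit on one of lines 29605–29608, which this extract does not show — confirm it is there. load_elf_binary itself begins and ends outside the hunk.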
29630 @@ -800,6 +1065,20 @@ static int load_elf_binary(struct linux_
29632 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29635 +#ifdef CONFIG_PAX_RANDMMAP
29636 + /* PaX: randomize base address at the default exe base if requested */
29637 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29638 +#ifdef CONFIG_SPARC64
29639 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29641 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29643 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29644 + elf_flags |= MAP_FIXED;
29650 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
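Review bot: The randomized `load_bias` at 29637–29644 is applied only when `elf_interpreter` is non-NULL, so an ET_DYN object without PT_INTERP (a static PIE) still lands at the fixed `ELF_ET_DYN_BASE` computed at 29632 even when MF_PAX_RANDMMAP is set. That may be deliberate, since the stock loader also treats interpreter-less ET_DYN as a dynamic loader, but the reason belongs in the comment at 29636, e.g. `/* randomize ET_DYN executables only; an ET_DYN with no PT_INTERP is assumed to be a loader and keeps ELF_ET_DYN_BASE */`. `MAP_FIXED` at 29644 will silently replace whatever is already at the chosen address; at this point only the fresh stack exists, so the comment should also state that PAX_ELF_ET_DYN_BASE plus the PAX_DELTA_MMAP_LEN range is chosen per arch to stay clear of it.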
29651 @@ -832,9 +1111,9 @@ static int load_elf_binary(struct linux_
29652 * allowed task size. Note that p_filesz must always be
29653 * <= p_memsz so it is only necessary to check p_memsz.
29655 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29656 - elf_ppnt->p_memsz > TASK_SIZE ||
29657 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29658 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29659 + elf_ppnt->p_memsz > pax_task_size ||
29660 + pax_task_size - elf_ppnt->p_memsz < k) {
29661 /* set_brk can never work. Avoid overflows. */
29662 send_sig(SIGKILL, current, 0);
29664 @@ -862,6 +1141,11 @@ static int load_elf_binary(struct linux_
29665 start_data += load_bias;
29666 end_data += load_bias;
29668 +#ifdef CONFIG_PAX_RANDMMAP
29669 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29670 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29673 /* Calling set_brk effectively mmaps the pages that we need
29674 * for the bss and break sections. We must do this before
29675 * mapping in the interpreter, to make sure it doesn't wind
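Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` at 29670 hides its range: the gap added is between 1 and 17 pages, and if set_brk (outside the hunk) still page-aligns `end` as in the stock kernel only the page-granular part survives, i.e. roughly four bits of effective brk entropy. Record that next to the expression, e.g. `/* PaX: put a random 1..17-page gap between the bss and the heap start */`, so a later change to set_brk's alignment or to PAGE_SHIFT does not silently change what the randomization provides.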
29676 @@ -873,9 +1157,11 @@ static int load_elf_binary(struct linux_
29677 goto out_free_dentry;
29679 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29680 - send_sig(SIGSEGV, current, 0);
29681 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29682 - goto out_free_dentry;
29684 + * This bss-zeroing can fail if the ELF
29685 + * file specifies odd protections. So
29686 + * we don't check the return value
29690 if (elf_interpreter) {
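Review bot: Dropping the `padzero()` error path at 29680–29682 means a failed bss zeroing now continues the exec with whatever file bytes sit in the tail of the last data page, where the stock code killed the task with SIGSEGV and returned -EFAULT. The replacement comment at 29684–29686 says zeroing "can fail if the ELF file specifies odd protections" but not why continuing is acceptable; if the intent is to tolerate a read-only final PT_LOAD segment, state that, and consider a rate-limited printk so the condition shows up in logs instead of being swallowed.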
29691 @@ -1086,7 +1372,7 @@ out:
29692 * Decide what to dump of a segment, part, all or none.
29694 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29695 - unsigned long mm_flags)
29696 + unsigned long mm_flags, long signr)
29698 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29700 @@ -1120,7 +1406,7 @@ static unsigned long vma_dump_size(struc
29701 if (vma->vm_file == NULL)
29704 - if (FILTER(MAPPED_PRIVATE))
29705 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
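Review bot: `signr == SIGKILL || FILTER(MAPPED_PRIVATE)` at 29705 changes the dump policy without a comment: for a SIGKILL-triggered core, private file-backed mappings are dumped regardless of the coredump_filter bits the user set. Presumably this is so a kill issued by the kernel itself captures the mapped image for later analysis, but that is an inference; add the rationale above the test, e.g. `/* a forced SIGKILL dumps private file mappings regardless of coredump_filter */`, and mention that it overrides the user-visible MMF_DUMP_MAPPED_PRIVATE setting. vma_dump_size's body continues outside the hunk.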
29709 @@ -1342,9 +1628,9 @@ static void fill_auxv_note(struct memelf
29711 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29716 - while (auxv[i - 2] != AT_NULL);
29717 + } while (auxv[i - 2] != AT_NULL);
29718 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29721 @@ -1850,14 +2136,14 @@ static void fill_extnum_info(struct elfh
29724 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29725 - unsigned long mm_flags)
29726 + struct coredump_params *cprm)
29728 struct vm_area_struct *vma;
29731 for (vma = first_vma(current, gate_vma); vma != NULL;
29732 vma = next_vma(vma, gate_vma))
29733 - size += vma_dump_size(vma, mm_flags);
29734 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29738 @@ -1951,7 +2237,7 @@ static int elf_core_dump(struct coredump
29740 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29742 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29743 + offset += elf_core_vma_data_size(gate_vma, cprm);
29744 offset += elf_core_extra_data_size();
29747 @@ -1965,10 +2251,12 @@ static int elf_core_dump(struct coredump
29750 size += sizeof(*elf);
29751 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29752 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29755 size += sizeof(*phdr4note);
29756 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29757 if (size > cprm->limit
29758 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
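Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1);` is inserted verbatim in front of every `size > cprm->limit` test here (29751, 29756) and again in the hunks at 2281, 2315 and 2333, so the "learn, then compare" pairing is something each site must get right by hand — the 2315 site already has to compute `size + PAGE_SIZE` separately because the increment happens inside the test. A small static helper that takes `cprm` and the candidate size keeps the two in one place and makes the next limit check impossible to add without the learning call; it would apply at all five sites.
```c
/* record the would-be core size for resource learning, then report whether it exceeds the limit */
static bool core_size_exceeds_limit(const struct coredump_params *cprm, size_t size)
{
	gr_learn_resource(current, RLIMIT_CORE, size, 1);
	return size > cprm->limit;
}

	/* … unchanged: header setup … */
	size += sizeof(*elf);
	if (core_size_exceeds_limit(cprm, size) || !dump_write(cprm->file, elf, sizeof(*elf)))
```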
29760 @@ -1982,7 +2270,7 @@ static int elf_core_dump(struct coredump
29761 phdr.p_offset = offset;
29762 phdr.p_vaddr = vma->vm_start;
29764 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29765 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29766 phdr.p_memsz = vma->vm_end - vma->vm_start;
29767 offset += phdr.p_filesz;
29768 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29769 @@ -1993,6 +2281,7 @@ static int elf_core_dump(struct coredump
29770 phdr.p_align = ELF_EXEC_PAGESIZE;
29772 size += sizeof(phdr);
29773 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29774 if (size > cprm->limit
29775 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29777 @@ -2017,7 +2306,7 @@ static int elf_core_dump(struct coredump
29778 unsigned long addr;
29781 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29782 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29784 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29786 @@ -2026,6 +2315,7 @@ static int elf_core_dump(struct coredump
29787 page = get_dump_page(addr);
29789 void *kaddr = kmap(page);
29790 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29791 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29792 !dump_write(cprm->file, kaddr,
29794 @@ -2043,6 +2333,7 @@ static int elf_core_dump(struct coredump
29796 if (e_phnum == PN_XNUM) {
29797 size += sizeof(*shdr4extnum);
29798 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29799 if (size > cprm->limit
29800 || !dump_write(cprm->file, shdr4extnum,
29801 sizeof(*shdr4extnum)))
29802 @@ -2063,6 +2354,97 @@ out:
29804 #endif /* CONFIG_ELF_CORE */
29806 +#ifdef CONFIG_PAX_MPROTECT
29807 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29808 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29809 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29811 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29812 + * basis because we want to allow the common case and not the special ones.
29814 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29816 + struct elfhdr elf_h;
29817 + struct elf_phdr elf_p;
29819 + unsigned long oldflags;
29820 + bool is_textrel_rw, is_textrel_rx, is_relro;
29822 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29825 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29826 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29828 +#ifdef CONFIG_PAX_ELFRELOCS
29829 + /* possible TEXTREL */
29830 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29831 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29833 + is_textrel_rw = false;
29834 + is_textrel_rx = false;
29837 + /* possible RELRO */
29838 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29840 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29843 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29844 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29846 +#ifdef CONFIG_PAX_ETEXECRELOCS
29847 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29849 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29852 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29853 + !elf_check_arch(&elf_h) ||
29854 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29855 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29858 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29859 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29861 + switch (elf_p.p_type) {
29863 + if (!is_textrel_rw && !is_textrel_rx)
29866 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29869 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29871 + if (dyn.d_tag == DT_NULL)
29873 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29874 + gr_log_textrel(vma);
29875 + if (is_textrel_rw)
29876 + vma->vm_flags |= VM_MAYWRITE;
29878 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29879 + vma->vm_flags &= ~VM_MAYWRITE;
29886 + case PT_GNU_RELRO:
29889 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29890 + vma->vm_flags &= ~VM_MAYWRITE;
29897 static int __init init_elf_binfmt(void)
29899 return register_binfmt(&elf_format);
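Review bot: `elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr)` at 29855 restates the loader's program-header bound with a bare literal; load_elf_binary expresses the same limit through ELF_MIN_ALIGN, and using that macro here keeps the two in step. The header comment at 29807–29812 explains the policy but not the contract: add that `vma` is the mapping being mprotect'ed, `newflags` the requested VM_* bits, that setting or clearing VM_MAYWRITE on `vma->vm_flags` is the function's only effect, and that the ELF header is re-read and re-validated from `vma->vm_file` because nothing from exec-time validation is retained — which is why every short `kernel_read` at 29843, 29859 and 29869 simply bails out. The DT scan at 29866–29869 reuses the outer loop index `i`; that is only safe if every exit from that `while` returns rather than falling back into the phdr loop, and lines 29870–29885 are not in this extract, so confirm.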
29900 diff -urNp linux-2.6.38.1/fs/binfmt_flat.c linux-2.6.38.1/fs/binfmt_flat.c
29901 --- linux-2.6.38.1/fs/binfmt_flat.c 2011-03-14 21:20:32.000000000 -0400
29902 +++ linux-2.6.38.1/fs/binfmt_flat.c 2011-03-21 18:31:35.000000000 -0400
29903 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
29904 realdatastart = (unsigned long) -ENOMEM;
29905 printk("Unable to allocate RAM for process data, errno %d\n",
29906 (int)-realdatastart);
29907 + down_write(¤t->mm->mmap_sem);
29908 do_munmap(current->mm, textpos, text_len);
29909 + up_write(¤t->mm->mmap_sem);
29910 ret = realdatastart;
29913 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
29915 if (IS_ERR_VALUE(result)) {
29916 printk("Unable to read data+bss, errno %d\n", (int)-result);
29917 + down_write(¤t->mm->mmap_sem);
29918 do_munmap(current->mm, textpos, text_len);
29919 do_munmap(current->mm, realdatastart, len);
29920 + up_write(¤t->mm->mmap_sem);
29924 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
29926 if (IS_ERR_VALUE(result)) {
29927 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29928 + down_write(¤t->mm->mmap_sem);
29929 do_munmap(current->mm, textpos, text_len + data_len + extra +
29930 MAX_SHARED_LIBS * sizeof(unsigned long));
29931 + up_write(¤t->mm->mmap_sem);
29935 diff -urNp linux-2.6.38.1/fs/binfmt_misc.c linux-2.6.38.1/fs/binfmt_misc.c
29936 --- linux-2.6.38.1/fs/binfmt_misc.c 2011-03-14 21:20:32.000000000 -0400
29937 +++ linux-2.6.38.1/fs/binfmt_misc.c 2011-03-21 18:31:35.000000000 -0400
29938 @@ -698,7 +698,7 @@ static int bm_fill_super(struct super_bl
29939 static struct tree_descr bm_files[] = {
29940 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29941 [3] = {"register", &bm_register_operations, S_IWUSR},
29942 - /* last one */ {""}
29943 + /* last one */ {"", NULL, 0}
29945 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29947 diff -urNp linux-2.6.38.1/fs/bio.c linux-2.6.38.1/fs/bio.c
29948 --- linux-2.6.38.1/fs/bio.c 2011-03-14 21:20:32.000000000 -0400
29949 +++ linux-2.6.38.1/fs/bio.c 2011-03-21 18:31:35.000000000 -0400
29950 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
29951 const int read = bio_data_dir(bio) == READ;
29952 struct bio_map_data *bmd = bio->bi_private;
29954 - char *p = bmd->sgvecs[0].iov_base;
29955 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
29957 __bio_for_each_segment(bvec, bio, i, 0) {
29958 char *addr = page_address(bvec->bv_page);
29959 diff -urNp linux-2.6.38.1/fs/block_dev.c linux-2.6.38.1/fs/block_dev.c
29960 --- linux-2.6.38.1/fs/block_dev.c 2011-03-14 21:20:32.000000000 -0400
29961 +++ linux-2.6.38.1/fs/block_dev.c 2011-03-21 18:31:35.000000000 -0400
29962 @@ -669,7 +669,7 @@ static bool bd_may_claim(struct block_de
29963 else if (bdev->bd_contains == bdev)
29964 return true; /* is a whole device which isn't held */
29966 - else if (whole->bd_holder == bd_may_claim)
29967 + else if (whole->bd_holder == (void *)bd_may_claim)
29968 return true; /* is a partition of a device that is being partitioned */
29969 else if (whole->bd_holder != NULL)
29970 return false; /* is a partition of a held device */
29971 diff -urNp linux-2.6.38.1/fs/btrfs/ctree.c linux-2.6.38.1/fs/btrfs/ctree.c
29972 --- linux-2.6.38.1/fs/btrfs/ctree.c 2011-03-14 21:20:32.000000000 -0400
29973 +++ linux-2.6.38.1/fs/btrfs/ctree.c 2011-03-21 18:31:35.000000000 -0400
29974 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
29975 free_extent_buffer(buf);
29976 add_root_to_dirty_list(root);
29978 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
29979 - parent_start = parent->start;
29981 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
29983 + parent_start = parent->start;
29985 + parent_start = 0;
29989 WARN_ON(trans->transid != btrfs_header_generation(parent));
29990 @@ -3776,7 +3779,6 @@ setup_items_for_insert(struct btrfs_tran
29994 - struct btrfs_disk_key disk_key;
29995 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29996 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29998 diff -urNp linux-2.6.38.1/fs/btrfs/disk-io.c linux-2.6.38.1/fs/btrfs/disk-io.c
29999 --- linux-2.6.38.1/fs/btrfs/disk-io.c 2011-03-14 21:20:32.000000000 -0400
30000 +++ linux-2.6.38.1/fs/btrfs/disk-io.c 2011-03-21 18:31:35.000000000 -0400
30002 #include "tree-log.h"
30003 #include "free-space-cache.h"
30005 -static struct extent_io_ops btree_extent_io_ops;
30006 +static const struct extent_io_ops btree_extent_io_ops;
30007 static void end_workqueue_fn(struct btrfs_work *work);
30008 static void free_fs_root(struct btrfs_root *root);
30009 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
30010 @@ -3028,7 +3028,7 @@ static int btrfs_cleanup_transaction(str
30014 -static struct extent_io_ops btree_extent_io_ops = {
30015 +static const struct extent_io_ops btree_extent_io_ops = {
30016 .write_cache_pages_lock_hook = btree_lock_page_hook,
30017 .readpage_end_io_hook = btree_readpage_end_io_hook,
30018 .submit_bio_hook = btree_submit_bio_hook,
30019 diff -urNp linux-2.6.38.1/fs/btrfs/extent_io.h linux-2.6.38.1/fs/btrfs/extent_io.h
30020 --- linux-2.6.38.1/fs/btrfs/extent_io.h 2011-03-14 21:20:32.000000000 -0400
30021 +++ linux-2.6.38.1/fs/btrfs/extent_io.h 2011-03-21 18:31:35.000000000 -0400
30022 @@ -55,36 +55,36 @@ typedef int (extent_submit_bio_hook_t)(s
30023 struct bio *bio, int mirror_num,
30024 unsigned long bio_flags, u64 bio_offset);
30025 struct extent_io_ops {
30026 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30027 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30028 u64 start, u64 end, int *page_started,
30029 unsigned long *nr_written);
30030 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30031 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30032 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30033 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30034 extent_submit_bio_hook_t *submit_bio_hook;
30035 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30036 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30037 size_t size, struct bio *bio,
30038 unsigned long bio_flags);
30039 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30040 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30041 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30042 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30043 u64 start, u64 end,
30044 struct extent_state *state);
30045 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30046 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30047 u64 start, u64 end,
30048 struct extent_state *state);
30049 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30050 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30051 struct extent_state *state);
30052 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30053 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30054 struct extent_state *state, int uptodate);
30055 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30056 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30058 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30059 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30061 - int (*merge_extent_hook)(struct inode *inode,
30062 + int (* const merge_extent_hook)(struct inode *inode,
30063 struct extent_state *new,
30064 struct extent_state *other);
30065 - int (*split_extent_hook)(struct inode *inode,
30066 + int (* const split_extent_hook)(struct inode *inode,
30067 struct extent_state *orig, u64 split);
30068 - int (*write_cache_pages_lock_hook)(struct page *page);
30069 + int (* const write_cache_pages_lock_hook)(struct page *page);
30072 struct extent_io_tree {
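Review bot: `submit_bio_hook` at 30034 is the one member of `struct extent_io_ops` left without `const`, while every other function pointer in the hunk becomes `* const`; if the goal is a read-only ops table (the instances in disk-io.c and inode.c become `static const` in this same patch), the typedef'd member should follow: `extent_submit_bio_hook_t * const submit_bio_hook;`. Otherwise it remains the one slot in the table that a write could still reach.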
30073 @@ -94,7 +94,7 @@ struct extent_io_tree {
30076 spinlock_t buffer_lock;
30077 - struct extent_io_ops *ops;
30078 + const struct extent_io_ops *ops;
30081 struct extent_state {
30082 diff -urNp linux-2.6.38.1/fs/btrfs/free-space-cache.c linux-2.6.38.1/fs/btrfs/free-space-cache.c
30083 --- linux-2.6.38.1/fs/btrfs/free-space-cache.c 2011-03-14 21:20:32.000000000 -0400
30084 +++ linux-2.6.38.1/fs/btrfs/free-space-cache.c 2011-03-21 18:31:35.000000000 -0400
30085 @@ -1855,8 +1855,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30088 if (entry->bytes < bytes || entry->offset < min_start) {
30089 - struct rb_node *node;
30091 node = rb_next(&entry->offset_index);
30094 @@ -2018,7 +2016,7 @@ again:
30096 while (entry->bitmap || found_bitmap ||
30097 (!entry->bitmap && entry->bytes < min_bytes)) {
30098 - struct rb_node *node = rb_next(&entry->offset_index);
30099 + node = rb_next(&entry->offset_index);
30101 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30102 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30103 diff -urNp linux-2.6.38.1/fs/btrfs/inode.c linux-2.6.38.1/fs/btrfs/inode.c
30104 --- linux-2.6.38.1/fs/btrfs/inode.c 2011-03-14 21:20:32.000000000 -0400
30105 +++ linux-2.6.38.1/fs/btrfs/inode.c 2011-03-24 23:08:20.000000000 -0400
30106 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30107 static const struct address_space_operations btrfs_aops;
30108 static const struct address_space_operations btrfs_symlink_aops;
30109 static const struct file_operations btrfs_dir_file_operations;
30110 -static struct extent_io_ops btrfs_extent_io_ops;
30111 +static const struct extent_io_ops btrfs_extent_io_ops;
30113 static struct kmem_cache *btrfs_inode_cachep;
30114 struct kmem_cache *btrfs_trans_handle_cachep;
30115 @@ -6796,7 +6796,7 @@ fail:
30119 -static int btrfs_getattr(struct vfsmount *mnt,
30120 +int btrfs_getattr(struct vfsmount *mnt,
30121 struct dentry *dentry, struct kstat *stat)
30123 struct inode *inode = dentry->d_inode;
30124 @@ -6808,6 +6808,14 @@ static int btrfs_getattr(struct vfsmount
30128 +EXPORT_SYMBOL(btrfs_getattr);
30130 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
30132 + return BTRFS_I(inode)->root->anon_super.s_dev;
30134 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
30136 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
30137 struct inode *new_dir, struct dentry *new_dentry)
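Review bot: `btrfs_getattr` loses `static` at 30120 and `get_btrfs_dev_from_inode` is added at 30130–30133, both exported, but no prototype appears in this hunk; unless one is added to a btrfs header, the external caller must carry its own declaration and the definitions will warn under -Wmissing-prototypes. The new function also has no comment; suggest `/* dev_t of the subvolume's anonymous superblock, so callers can tell which subvolume an inode belongs to */`. btrfs exports almost nothing itself, so EXPORT_SYMBOL_GPL is presumably the better fit for an interface into filesystem internals — confirm against the intended consumer.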
30139 @@ -7311,7 +7319,7 @@ static const struct file_operations btrf
30140 .fsync = btrfs_sync_file,
30143 -static struct extent_io_ops btrfs_extent_io_ops = {
30144 +static const struct extent_io_ops btrfs_extent_io_ops = {
30145 .fill_delalloc = run_delalloc_range,
30146 .submit_bio_hook = btrfs_submit_bio_hook,
30147 .merge_bio_hook = btrfs_merge_bio_hook,
30148 diff -urNp linux-2.6.38.1/fs/btrfs/ioctl.c linux-2.6.38.1/fs/btrfs/ioctl.c
30149 --- linux-2.6.38.1/fs/btrfs/ioctl.c 2011-03-14 21:20:32.000000000 -0400
30150 +++ linux-2.6.38.1/fs/btrfs/ioctl.c 2011-03-21 18:31:35.000000000 -0400
30151 @@ -2270,9 +2270,12 @@ long btrfs_ioctl_space_info(struct btrfs
30152 for (i = 0; i < num_types; i++) {
30153 struct btrfs_space_info *tmp;
30155 + /* Don't copy in more than we allocated */
30163 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
30164 @@ -2294,10 +2297,7 @@ long btrfs_ioctl_space_info(struct btrfs
30165 memcpy(dest, &space, sizeof(space));
30167 space_args.total_spaces++;
30173 up_read(&info->groups_sem);
30175 diff -urNp linux-2.6.38.1/fs/btrfs/relocation.c linux-2.6.38.1/fs/btrfs/relocation.c
30176 --- linux-2.6.38.1/fs/btrfs/relocation.c 2011-03-14 21:20:32.000000000 -0400
30177 +++ linux-2.6.38.1/fs/btrfs/relocation.c 2011-03-21 18:31:35.000000000 -0400
30178 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
30180 spin_unlock(&rc->reloc_root_tree.lock);
30182 - BUG_ON((struct btrfs_root *)node->data != root);
30183 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
30186 spin_lock(&rc->reloc_root_tree.lock);
30187 diff -urNp linux-2.6.38.1/fs/cachefiles/bind.c linux-2.6.38.1/fs/cachefiles/bind.c
30188 --- linux-2.6.38.1/fs/cachefiles/bind.c 2011-03-14 21:20:32.000000000 -0400
30189 +++ linux-2.6.38.1/fs/cachefiles/bind.c 2011-03-21 18:31:35.000000000 -0400
30190 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
30193 /* start by checking things over */
30194 - ASSERT(cache->fstop_percent >= 0 &&
30195 - cache->fstop_percent < cache->fcull_percent &&
30196 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
30197 cache->fcull_percent < cache->frun_percent &&
30198 cache->frun_percent < 100);
30200 - ASSERT(cache->bstop_percent >= 0 &&
30201 - cache->bstop_percent < cache->bcull_percent &&
30202 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
30203 cache->bcull_percent < cache->brun_percent &&
30204 cache->brun_percent < 100);
30206 diff -urNp linux-2.6.38.1/fs/cachefiles/daemon.c linux-2.6.38.1/fs/cachefiles/daemon.c
30207 --- linux-2.6.38.1/fs/cachefiles/daemon.c 2011-03-14 21:20:32.000000000 -0400
30208 +++ linux-2.6.38.1/fs/cachefiles/daemon.c 2011-03-21 18:31:35.000000000 -0400
30209 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
30213 - if (copy_to_user(_buffer, buffer, n) != 0)
30214 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
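Review bot: Folding `n > sizeof(buffer)` into the copy_to_user condition at 30214 makes a truncated status line report the same error as a failed user copy (presumably -EFAULT on the line that follows, outside the extract). `n` is the snprintf result from earlier in the function, so exceeding the buffer is an internal truncation rather than a user-memory fault; a separate `if (n > sizeof(buffer)) return -EMSGSIZE;` (the errno the function appears to already use for a too-small user buffer) keeps the two failures distinguishable.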
30218 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
30219 if (test_bit(CACHEFILES_DEAD, &cache->flags))
30222 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
30223 + if (datalen > PAGE_SIZE - 1)
30224 return -EOPNOTSUPP;
30226 /* drag the command string into the kernel so we can parse it */
30227 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
30228 if (args[0] != '%' || args[1] != '\0')
30231 - if (fstop < 0 || fstop >= cache->fcull_percent)
30232 + if (fstop >= cache->fcull_percent)
30233 return cachefiles_daemon_range_error(cache, args);
30235 cache->fstop_percent = fstop;
30236 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
30237 if (args[0] != '%' || args[1] != '\0')
30240 - if (bstop < 0 || bstop >= cache->bcull_percent)
30241 + if (bstop >= cache->bcull_percent)
30242 return cachefiles_daemon_range_error(cache, args);
30244 cache->bstop_percent = bstop;
30245 diff -urNp linux-2.6.38.1/fs/cachefiles/rdwr.c linux-2.6.38.1/fs/cachefiles/rdwr.c
30246 --- linux-2.6.38.1/fs/cachefiles/rdwr.c 2011-03-14 21:20:32.000000000 -0400
30247 +++ linux-2.6.38.1/fs/cachefiles/rdwr.c 2011-03-21 18:31:35.000000000 -0400
30248 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
30251 ret = file->f_op->write(
30252 - file, (const void __user *) data, len, &pos);
30253 + file, (__force const void __user *) data, len, &pos);
30257 diff -urNp linux-2.6.38.1/fs/ceph/dir.c linux-2.6.38.1/fs/ceph/dir.c
30258 --- linux-2.6.38.1/fs/ceph/dir.c 2011-03-14 21:20:32.000000000 -0400
30259 +++ linux-2.6.38.1/fs/ceph/dir.c 2011-03-21 18:31:35.000000000 -0400
30260 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
30261 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
30262 struct ceph_mds_client *mdsc = fsc->mdsc;
30263 unsigned frag = fpos_frag(filp->f_pos);
30264 - int off = fpos_off(filp->f_pos);
30265 + unsigned int off = fpos_off(filp->f_pos);
30268 struct ceph_mds_reply_info_parsed *rinfo;
30269 @@ -358,7 +358,7 @@ more:
30270 rinfo = &fi->last_readdir->r_reply_info;
30271 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
30272 rinfo->dir_nr, off, fi->offset);
30273 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
30274 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
30275 u64 pos = ceph_make_fpos(frag, off);
30276 struct ceph_mds_reply_inode *in =
30277 rinfo->dir_in[off - fi->offset].in;
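Review bot: `off` becomes `unsigned int` at 30265, but the `dout()` at 30271–30272 still prints it with `%d`; change that conversion to `%u` so -Wformat stays clean. The rewritten condition at 30274 is sound only if `fi->offset` and `rinfo->dir_nr` are never negative, since both are promoted to unsigned by the comparison — presumably why the `>= 0` test could go; a one-line comment stating that invariant would save the next reader the same check.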
30278 diff -urNp linux-2.6.38.1/fs/cifs/cifs_uniupr.h linux-2.6.38.1/fs/cifs/cifs_uniupr.h
30279 --- linux-2.6.38.1/fs/cifs/cifs_uniupr.h 2011-03-14 21:20:32.000000000 -0400
30280 +++ linux-2.6.38.1/fs/cifs/cifs_uniupr.h 2011-03-21 18:31:35.000000000 -0400
30281 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30282 {0x0490, 0x04cc, UniCaseRangeU0490},
30283 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30284 {0xff40, 0xff5a, UniCaseRangeUff40},
30290 diff -urNp linux-2.6.38.1/fs/cifs/link.c linux-2.6.38.1/fs/cifs/link.c
30291 --- linux-2.6.38.1/fs/cifs/link.c 2011-03-14 21:20:32.000000000 -0400
30292 +++ linux-2.6.38.1/fs/cifs/link.c 2011-03-21 18:31:35.000000000 -0400
30293 @@ -577,7 +577,7 @@ symlink_exit:
30295 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30297 - char *p = nd_get_link(nd);
30298 + const char *p = nd_get_link(nd);
30302 diff -urNp linux-2.6.38.1/fs/compat_binfmt_elf.c linux-2.6.38.1/fs/compat_binfmt_elf.c
30303 --- linux-2.6.38.1/fs/compat_binfmt_elf.c 2011-03-14 21:20:32.000000000 -0400
30304 +++ linux-2.6.38.1/fs/compat_binfmt_elf.c 2011-03-21 18:31:35.000000000 -0400
30305 @@ -30,11 +30,13 @@
30311 #define elfhdr elf32_hdr
30312 #define elf_phdr elf32_phdr
30313 #define elf_shdr elf32_shdr
30314 #define elf_note elf32_note
30315 +#define elf_dyn Elf32_Dyn
30316 #define elf_addr_t Elf32_Addr
30319 diff -urNp linux-2.6.38.1/fs/compat.c linux-2.6.38.1/fs/compat.c
30320 --- linux-2.6.38.1/fs/compat.c 2011-03-14 21:20:32.000000000 -0400
30321 +++ linux-2.6.38.1/fs/compat.c 2011-03-21 18:31:35.000000000 -0400
30322 @@ -594,7 +594,7 @@ ssize_t compat_rw_copy_check_uvector(int
30326 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
30327 + if (nr_segs > UIO_MAXIOV)
30329 if (nr_segs > fast_segs) {
30331 @@ -876,6 +876,7 @@ struct compat_old_linux_dirent {
30333 struct compat_readdir_callback {
30334 struct compat_old_linux_dirent __user *dirent;
30335 + struct file * file;
30339 @@ -893,6 +894,10 @@ static int compat_fillonedir(void *__buf
30340 buf->result = -EOVERFLOW;
30344 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30348 dirent = buf->dirent;
30349 if (!access_ok(VERIFY_WRITE, dirent,
30350 @@ -925,6 +930,7 @@ asmlinkage long compat_sys_old_readdir(u
30353 buf.dirent = dirent;
30356 error = vfs_readdir(file, compat_fillonedir, &buf);
30358 @@ -945,6 +951,7 @@ struct compat_linux_dirent {
30359 struct compat_getdents_callback {
30360 struct compat_linux_dirent __user *current_dir;
30361 struct compat_linux_dirent __user *previous;
30362 + struct file * file;
30366 @@ -966,6 +973,10 @@ static int compat_filldir(void *__buf, c
30367 buf->error = -EOVERFLOW;
30371 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30374 dirent = buf->previous;
30376 if (__put_user(offset, &dirent->d_off))
30377 @@ -1013,6 +1024,7 @@ asmlinkage long compat_sys_getdents(unsi
30378 buf.previous = NULL;
30383 error = vfs_readdir(file, compat_filldir, &buf);
30385 @@ -1034,6 +1046,7 @@ out:
30386 struct compat_getdents_callback64 {
30387 struct linux_dirent64 __user *current_dir;
30388 struct linux_dirent64 __user *previous;
30389 + struct file * file;
30393 @@ -1050,6 +1063,10 @@ static int compat_filldir64(void * __buf
30394 buf->error = -EINVAL; /* only used if we fail.. */
30395 if (reclen > buf->count)
30398 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30401 dirent = buf->previous;
30404 @@ -1101,6 +1118,7 @@ asmlinkage long compat_sys_getdents64(un
30405 buf.previous = NULL;
30410 error = vfs_readdir(file, compat_filldir64, &buf);
30412 @@ -1423,6 +1441,7 @@ static int compat_copy_strings(int argc,
30414 page = get_arg_page(bprm, pos, 1);
30416 + /* We've exceed the stack rlimit. */
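Review bot: The added comment reads `We've exceed the stack rlimit.`, which should be `/* We've exceeded the stack rlimit. */`. The statement it annotates and the rest of compat_copy_strings are outside the hunk.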
30420 @@ -1464,6 +1483,11 @@ int compat_do_execve(char * filename,
30421 compat_uptr_t __user *envp,
30422 struct pt_regs * regs)
30424 +#ifdef CONFIG_GRKERNSEC
30425 + struct file *old_exec_file;
30426 + struct acl_subject_label *old_acl;
30427 + struct rlimit old_rlim[RLIM_NLIMITS];
30429 struct linux_binprm *bprm;
30431 struct files_struct *displaced;
30432 @@ -1500,6 +1524,14 @@ int compat_do_execve(char * filename,
30433 bprm->filename = filename;
30434 bprm->interp = filename;
30436 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30437 + retval = -EAGAIN;
30438 + if (gr_handle_nproc())
30440 + retval = -EACCES;
30441 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30444 retval = bprm_mm_init(bprm);
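Review bot: The two new guards set `retval` in a different shape from the identical guards added to do_execve later in this patch: here `retval = -EAGAIN;` is assigned unconditionally before `if (gr_handle_nproc())`, while do_execve assigns it inside the braces (`if (gr_handle_nproc()) { retval = -EAGAIN;`). The behaviour is the same as long as the assignment is overwritten on every later path, as the following `retval = -EACCES;` does, but keeping the compat and native execve paths textually identical makes it far easier to apply the same fix to both, so I would use the braced form here as well. The jump targets of both guards fall outside the visible lines, and compat_do_execve continues outside the hunk.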
30447 @@ -1529,9 +1561,40 @@ int compat_do_execve(char * filename,
30451 + if (!gr_tpe_allow(file)) {
30452 + retval = -EACCES;
30456 + if (gr_check_crash_exec(file)) {
30457 + retval = -EACCES;
30461 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30463 + gr_handle_exec_args_compat(bprm, argv);
30465 +#ifdef CONFIG_GRKERNSEC
30466 + old_acl = current->acl;
30467 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30468 + old_exec_file = current->exec_file;
30470 + current->exec_file = file;
30473 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30474 + bprm->unsafe & LSM_UNSAFE_SHARE);
30478 retval = search_binary_handler(bprm, regs);
30482 +#ifdef CONFIG_GRKERNSEC
30483 + if (old_exec_file)
30484 + fput(old_exec_file);
30487 /* execve succeeded */
30488 current->fs->in_exec = 0;
30489 @@ -1542,6 +1605,14 @@ int compat_do_execve(char * filename,
30490 put_files_struct(displaced);
30494 +#ifdef CONFIG_GRKERNSEC
30495 + current->acl = old_acl;
30496 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30497 + fput(current->exec_file);
30498 + current->exec_file = old_exec_file;
30503 acct_arg_size(bprm, 0);
30504 diff -urNp linux-2.6.38.1/fs/compat_ioctl.c linux-2.6.38.1/fs/compat_ioctl.c
30505 --- linux-2.6.38.1/fs/compat_ioctl.c 2011-03-14 21:20:32.000000000 -0400
30506 +++ linux-2.6.38.1/fs/compat_ioctl.c 2011-03-21 18:31:35.000000000 -0400
30507 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
30509 err = get_user(palp, &up->palette);
30510 err |= get_user(length, &up->length);
30514 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
30515 err = put_user(compat_ptr(palp), &up_native->palette);
30516 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
30517 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
30520 - a = *(unsigned int *)p;
30521 - b = *(unsigned int *)q;
30522 + a = *(const unsigned int *)p;
30523 + b = *(const unsigned int *)q;
30527 diff -urNp linux-2.6.38.1/fs/debugfs/inode.c linux-2.6.38.1/fs/debugfs/inode.c
30528 --- linux-2.6.38.1/fs/debugfs/inode.c 2011-03-14 21:20:32.000000000 -0400
30529 +++ linux-2.6.38.1/fs/debugfs/inode.c 2011-03-21 18:31:35.000000000 -0400
30530 @@ -130,7 +130,7 @@ static inline int debugfs_positive(struc
30532 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30534 - static struct tree_descr debug_files[] = {{""}};
30535 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30537 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30539 diff -urNp linux-2.6.38.1/fs/dlm/lockspace.c linux-2.6.38.1/fs/dlm/lockspace.c
30540 --- linux-2.6.38.1/fs/dlm/lockspace.c 2011-03-14 21:20:32.000000000 -0400
30541 +++ linux-2.6.38.1/fs/dlm/lockspace.c 2011-03-21 18:31:35.000000000 -0400
30542 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30546 -static struct kset_uevent_ops dlm_uevent_ops = {
30547 +static const struct kset_uevent_ops dlm_uevent_ops = {
30548 .uevent = dlm_uevent,
30551 diff -urNp linux-2.6.38.1/fs/ecryptfs/inode.c linux-2.6.38.1/fs/ecryptfs/inode.c
30552 --- linux-2.6.38.1/fs/ecryptfs/inode.c 2011-03-14 21:20:32.000000000 -0400
30553 +++ linux-2.6.38.1/fs/ecryptfs/inode.c 2011-03-21 18:31:35.000000000 -0400
30554 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
30557 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30558 - (char __user *)lower_buf,
30559 + (__force char __user *)lower_buf,
30563 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
30567 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30568 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30572 @@ -719,7 +719,7 @@ out:
30574 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30576 - char *buf = nd_get_link(nd);
30577 + const char *buf = nd_get_link(nd);
30578 if (!IS_ERR(buf)) {
30579 /* Free the char* */
30581 diff -urNp linux-2.6.38.1/fs/ecryptfs/miscdev.c linux-2.6.38.1/fs/ecryptfs/miscdev.c
30582 --- linux-2.6.38.1/fs/ecryptfs/miscdev.c 2011-03-14 21:20:32.000000000 -0400
30583 +++ linux-2.6.38.1/fs/ecryptfs/miscdev.c 2011-03-21 18:31:35.000000000 -0400
30584 @@ -328,7 +328,7 @@ check_list:
30585 goto out_unlock_msg_ctx;
30587 if (msg_ctx->msg) {
30588 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30589 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30590 goto out_unlock_msg_ctx;
30591 i += packet_length_size;
30592 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
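Review bot: The added `packet_length_size > sizeof(packet_length)` guard is a correct bound only while `packet_length` is an array in this scope; its declaration is above the hunk, so confirm it is not a pointer, where sizeof would silently become the pointer width. A comment on the line would lock that assumption in, e.g. `/* packet_length is a fixed local buffer; refuse sizes that would read past it */`. The function continues above and below the hunk.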
30593 diff -urNp linux-2.6.38.1/fs/exec.c linux-2.6.38.1/fs/exec.c
30594 --- linux-2.6.38.1/fs/exec.c 2011-03-14 21:20:32.000000000 -0400
30595 +++ linux-2.6.38.1/fs/exec.c 2011-03-21 18:31:35.000000000 -0400
30596 @@ -55,12 +55,24 @@
30597 #include <linux/fs_struct.h>
30598 #include <linux/pipe_fs_i.h>
30599 #include <linux/oom.h>
30600 +#include <linux/random.h>
30601 +#include <linux/seq_file.h>
30603 +#ifdef CONFIG_PAX_REFCOUNT
30604 +#include <linux/kallsyms.h>
30605 +#include <linux/kdebug.h>
30608 #include <asm/uaccess.h>
30609 #include <asm/mmu_context.h>
30610 #include <asm/tlb.h>
30611 #include "internal.h"
30613 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30614 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30615 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30619 char core_pattern[CORENAME_MAX_SIZE] = "core";
30620 unsigned int core_pipe_limit;
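Review bot: `pax_set_initial_flags_func` is a plain writable, exported function-pointer global with no comment on who is expected to set it, whether it may change after boot, or whether callers must tolerate NULL. Since it feeds exec-time policy, a short header comment is worth having, e.g. `/* Optional hook installed by an ACL/RBAC module; NULL when none is loaded, so every caller must check it before dereferencing. */`. The NULL-when-unset part follows from the zero-initialised definition here; the rest is my reading of the name and should be confirmed against the call site, which is not in this hunk.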
30621 @@ -120,7 +132,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30624 file = do_filp_open(AT_FDCWD, tmp,
30625 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
30626 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
30627 MAY_READ | MAY_EXEC | MAY_OPEN);
30629 error = PTR_ERR(file);
30630 @@ -187,18 +199,10 @@ struct page *get_arg_page(struct linux_b
30636 -#ifdef CONFIG_STACK_GROWSUP
30638 - ret = expand_stack_downwards(bprm->vma, pos);
30643 - ret = get_user_pages(current, bprm->mm, pos,
30644 - 1, write, 1, &page, NULL);
30646 + if (0 > expand_stack_downwards(bprm->vma, pos))
30648 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
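Review bot: The rewritten checks use reversed comparisons, `if (0 > expand_stack_downwards(bprm->vma, pos))` and `if (0 >= get_user_pages(...))`, which is unusual in this file and hides the tested call behind the constant; `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` read as the removed lines did. Folding the calls into the conditions also drops the `ret` variable the removed lines assigned, which is fine only if nothing after the hunk still reads it. get_arg_page's body continues past the hunk and the bodies of the two `if`s are not visible here.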
30652 @@ -273,6 +277,11 @@ static int __bprm_mm_init(struct linux_b
30653 vma->vm_end = STACK_TOP_MAX;
30654 vma->vm_start = vma->vm_end - PAGE_SIZE;
30655 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30657 +#ifdef CONFIG_PAX_SEGMEXEC
30658 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30661 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30662 INIT_LIST_HEAD(&vma->anon_vma_chain);
30664 @@ -287,6 +296,12 @@ static int __bprm_mm_init(struct linux_b
30665 mm->stack_vm = mm->total_vm = 1;
30666 up_write(&mm->mmap_sem);
30667 bprm->p = vma->vm_end - sizeof(void *);
30669 +#ifdef CONFIG_PAX_RANDUSTACK
30670 + if (randomize_va_space)
30671 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30676 up_write(&mm->mmap_sem);
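Review bot: The new randomisation line `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` carries no comment explaining its two masks, and the intent is not obvious from the expression alone. I would add, above the `if (randomize_va_space)` line, `/* Randomise the in-page offset of the argument-area top: ~15 keeps 16-byte alignment, ~PAGE_MASK keeps it inside the page. */`. __bprm_mm_init continues outside the hunk.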
30677 @@ -522,7 +537,7 @@ int copy_strings_kernel(int argc, const
30679 mm_segment_t oldfs = get_fs();
30681 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
30682 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
30686 @@ -552,7 +567,8 @@ static int shift_arg_pages(struct vm_are
30687 unsigned long new_end = old_end - shift;
30688 struct mmu_gather *tlb;
30690 - BUG_ON(new_start > new_end);
30691 + if (new_start >= new_end || new_start < mmap_min_addr)
30695 * ensure there are no vmas between where we want to go
30696 @@ -561,6 +577,10 @@ static int shift_arg_pages(struct vm_are
30697 if (vma != find_vma(mm, new_start))
30700 +#ifdef CONFIG_PAX_SEGMEXEC
30701 + BUG_ON(pax_find_mirror_vma(vma));
30705 * cover the whole range: [new_start, old_end)
30707 @@ -641,10 +661,6 @@ int setup_arg_pages(struct linux_binprm
30708 stack_top = arch_align_stack(stack_top);
30709 stack_top = PAGE_ALIGN(stack_top);
30711 - if (unlikely(stack_top < mmap_min_addr) ||
30712 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
30715 stack_shift = vma->vm_end - stack_top;
30717 bprm->p -= stack_shift;
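Review bot: Removing the `stack_top < mmap_min_addr` / `vm_end - vm_start >= stack_top - mmap_min_addr` test here changes two edge cases rather than merely relocating it into shift_arg_pages (the `new_start >= new_end || new_start < mmap_min_addr` line in the hunk above). First, with `stack_shift = vma->vm_end - stack_top` and new_start = old_start - shift (as its sibling `new_end = old_end - shift` suggests), the old test rejected new_start <= mmap_min_addr while the new one rejects only new_start < mmap_min_addr, so a stack landing exactly on mmap_min_addr is now accepted. Second, the replacement only runs inside `if (stack_shift)`, so the stack_shift == 0 case with `vma->vm_start <= mmap_min_addr` is no longer checked at all; restoring `if (stack_top < mmap_min_addr)` as an early error before the shift, and using `<=` in shift_arg_pages, would give back the original boundaries. setup_arg_pages and shift_arg_pages both extend outside their hunks, and the value shift_arg_pages returns on the new check is not visible.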
30718 @@ -656,8 +672,28 @@ int setup_arg_pages(struct linux_binprm
30719 bprm->exec -= stack_shift;
30721 down_write(&mm->mmap_sem);
30723 + /* Move stack pages down in memory. */
30724 + if (stack_shift) {
30725 + ret = shift_arg_pages(vma, stack_shift);
30730 vm_flags = VM_STACK_FLAGS;
30732 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30733 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30734 + vm_flags &= ~VM_EXEC;
30736 +#ifdef CONFIG_PAX_MPROTECT
30737 + if (mm->pax_flags & MF_PAX_MPROTECT)
30738 + vm_flags &= ~VM_MAYEXEC;
30745 * Adjust stack execute permissions; explicitly enable for
30746 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30747 @@ -676,13 +712,6 @@ int setup_arg_pages(struct linux_binprm
30749 BUG_ON(prev != vma);
30751 - /* Move stack pages down in memory. */
30752 - if (stack_shift) {
30753 - ret = shift_arg_pages(vma, stack_shift);
30758 /* mprotect_fixup is overkill to remove the temporary stack flags */
30759 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30761 @@ -723,7 +752,7 @@ struct file *open_exec(const char *name)
30764 file = do_filp_open(AT_FDCWD, name,
30765 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
30766 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
30767 MAY_EXEC | MAY_OPEN);
30770 @@ -760,7 +789,7 @@ int kernel_read(struct file *file, loff_
30773 /* The cast to a user pointer is valid due to the set_fs() */
30774 - result = vfs_read(file, (void __user *)addr, count, &pos);
30775 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30779 @@ -1182,7 +1211,7 @@ int check_unsafe_exec(struct linux_binpr
30783 - if (p->fs->users > n_fs) {
30784 + if (atomic_read(&p->fs->users) > n_fs) {
30785 bprm->unsafe |= LSM_UNSAFE_SHARE;
30788 @@ -1378,6 +1407,11 @@ int do_execve(const char * filename,
30789 const char __user *const __user *envp,
30790 struct pt_regs * regs)
30792 +#ifdef CONFIG_GRKERNSEC
30793 + struct file *old_exec_file;
30794 + struct acl_subject_label *old_acl;
30795 + struct rlimit old_rlim[RLIM_NLIMITS];
30797 struct linux_binprm *bprm;
30799 struct files_struct *displaced;
30800 @@ -1414,6 +1448,18 @@ int do_execve(const char * filename,
30801 bprm->filename = filename;
30802 bprm->interp = filename;
30804 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30806 + if (gr_handle_nproc()) {
30807 + retval = -EAGAIN;
30811 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30812 + retval = -EACCES;
30816 retval = bprm_mm_init(bprm);
30819 @@ -1443,9 +1489,40 @@ int do_execve(const char * filename,
30823 + if (!gr_tpe_allow(file)) {
30824 + retval = -EACCES;
30828 + if (gr_check_crash_exec(file)) {
30829 + retval = -EACCES;
30833 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30835 + gr_handle_exec_args(bprm, argv);
30837 +#ifdef CONFIG_GRKERNSEC
30838 + old_acl = current->acl;
30839 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30840 + old_exec_file = current->exec_file;
30842 + current->exec_file = file;
30845 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30846 + bprm->unsafe & LSM_UNSAFE_SHARE);
30850 retval = search_binary_handler(bprm,regs);
30854 +#ifdef CONFIG_GRKERNSEC
30855 + if (old_exec_file)
30856 + fput(old_exec_file);
30859 /* execve succeeded */
30860 current->fs->in_exec = 0;
30861 @@ -1456,6 +1533,14 @@ int do_execve(const char * filename,
30862 put_files_struct(displaced);
30866 +#ifdef CONFIG_GRKERNSEC
30867 + current->acl = old_acl;
30868 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30869 + fput(current->exec_file);
30870 + current->exec_file = old_exec_file;
30875 acct_arg_size(bprm, 0);
30876 @@ -1642,6 +1727,217 @@ out:
30880 +int pax_check_flags(unsigned long *flags)
30884 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30885 + if (*flags & MF_PAX_SEGMEXEC)
30887 + *flags &= ~MF_PAX_SEGMEXEC;
30888 + retval = -EINVAL;
30892 + if ((*flags & MF_PAX_PAGEEXEC)
30894 +#ifdef CONFIG_PAX_PAGEEXEC
30895 + && (*flags & MF_PAX_SEGMEXEC)
30900 + *flags &= ~MF_PAX_PAGEEXEC;
30901 + retval = -EINVAL;
30904 + if ((*flags & MF_PAX_MPROTECT)
30906 +#ifdef CONFIG_PAX_MPROTECT
30907 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30912 + *flags &= ~MF_PAX_MPROTECT;
30913 + retval = -EINVAL;
30916 + if ((*flags & MF_PAX_EMUTRAMP)
30918 +#ifdef CONFIG_PAX_EMUTRAMP
30919 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30924 + *flags &= ~MF_PAX_EMUTRAMP;
30925 + retval = -EINVAL;
30931 +EXPORT_SYMBOL(pax_check_flags);
30933 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30934 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30936 + struct task_struct *tsk = current;
30937 + struct mm_struct *mm = current->mm;
30938 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30939 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30940 + char *path_exec = NULL;
30941 + char *path_fault = NULL;
30942 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
30944 + if (buffer_exec && buffer_fault) {
30945 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30947 + down_read(&mm->mmap_sem);
30949 + while (vma && (!vma_exec || !vma_fault)) {
30950 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30952 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30954 + vma = vma->vm_next;
30957 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30958 + if (IS_ERR(path_exec))
30959 + path_exec = "<path too long>";
30961 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30964 + path_exec = buffer_exec;
30966 + path_exec = "<path too long>";
30970 + start = vma_fault->vm_start;
30971 + end = vma_fault->vm_end;
30972 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30973 + if (vma_fault->vm_file) {
30974 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30975 + if (IS_ERR(path_fault))
30976 + path_fault = "<path too long>";
30978 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30979 + if (path_fault) {
30981 + path_fault = buffer_fault;
30983 + path_fault = "<path too long>";
30986 + path_fault = "<anonymous mapping>";
30988 + up_read(&mm->mmap_sem);
30990 + if (tsk->signal->curr_ip)
30991 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30993 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30994 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30995 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30996 + task_uid(tsk), task_euid(tsk), pc, sp);
30997 + free_page((unsigned long)buffer_exec);
30998 + free_page((unsigned long)buffer_fault);
30999 + pax_report_insns(pc, sp);
31000 + do_coredump(SIGKILL, SIGKILL, regs);
31004 +#ifdef CONFIG_PAX_REFCOUNT
31005 +void pax_report_refcount_overflow(struct pt_regs *regs)
31007 + if (current->signal->curr_ip)
31008 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31009 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
31011 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31012 + current->comm, task_pid_nr(current), current_uid(), current_euid());
31013 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
31015 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
31019 +#ifdef CONFIG_PAX_USERCOPY
31020 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
31021 +int object_is_on_stack(const void *obj, unsigned long len)
31023 + const void * const stack = task_stack_page(current);
31024 + const void * const stackend = stack + THREAD_SIZE;
31026 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31027 + const void *frame = NULL;
31028 + const void *oldframe;
31031 + if (obj + len < obj)
31034 + if (obj + len <= stack || stackend <= obj)
31037 + if (obj < stack || stackend < obj + len)
31040 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31041 + oldframe = __builtin_frame_address(1);
31043 + frame = __builtin_frame_address(2);
31045 + low ----------------------------------------------> high
31046 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31047 + ^----------------^
31048 + allow copies only within here
31050 + while (stack <= frame && frame < stackend) {
31051 + /* if obj + len extends past the last frame, this
31052 + check won't pass and the next frame will be 0,
31053 + causing us to bail out and correctly report
31054 + the copy as invalid
31056 + if (obj + len <= frame)
31057 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31058 + oldframe = frame;
31059 + frame = *(const void * const *)frame;
31068 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
31070 + if (current->signal->curr_ip)
31071 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
31072 + ¤t->signal->curr_ip, ptr, len);
31074 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
31076 + do_group_exit(SIGKILL);
31079 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
31081 + if (current->signal->curr_ip)
31082 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
31083 + ¤t->signal->curr_ip, ptr, len);
31085 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
31087 + do_group_exit(SIGKILL);
31091 static int zap_process(struct task_struct *start, int exit_code)
31093 struct task_struct *t;
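Review bot: `path_exec` and `path_fault` in pax_report_fault are declared `char *` yet are assigned string literals (`"<path too long>"`, `"<anonymous mapping>"`) on several lines, which a `-Wwrite-strings` build rejects and which sits oddly in a patch whose other hunks are adding `const`; `const char *path_exec = NULL;` and `const char *path_fault = NULL;` work for every use visible here (d_path and mangle_path results, the literals, and `%s` in printk). Separately, the refcount log string reads `refcount overflow occured`, which should be `occurred`, and object_is_on_stack walks frames from `__builtin_frame_address(1)`/`(2)`, which GCC documents as unreliable for non-zero levels, so a comment stating that the CONFIG_FRAME_POINTER && CONFIG_X86 guard is what makes the walk acceptable would help the next reader. Several lines of these functions, including their return statements, are not visible in this chunk.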
31094 @@ -1852,17 +2148,17 @@ static void wait_for_dump_helpers(struct
31095 pipe = file->f_path.dentry->d_inode->i_pipe;
31100 + atomic_inc(&pipe->readers);
31101 + atomic_dec(&pipe->writers);
31103 - while ((pipe->readers > 1) && (!signal_pending(current))) {
31104 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
31105 wake_up_interruptible_sync(&pipe->wait);
31106 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
31112 + atomic_dec(&pipe->readers);
31113 + atomic_inc(&pipe->writers);
31117 @@ -1978,6 +2274,10 @@ void do_coredump(long signr, int exit_co
31118 goto fail_corename;
31121 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
31122 + gr_handle_brute_attach(current);
31123 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
31127 char **helper_argv;
31128 diff -urNp linux-2.6.38.1/fs/ext2/balloc.c linux-2.6.38.1/fs/ext2/balloc.c
31129 --- linux-2.6.38.1/fs/ext2/balloc.c 2011-03-14 21:20:32.000000000 -0400
31130 +++ linux-2.6.38.1/fs/ext2/balloc.c 2011-03-21 18:31:35.000000000 -0400
31131 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
31133 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31134 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31135 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31136 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31137 sbi->s_resuid != current_fsuid() &&
31138 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
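Review bot: Swapping `capable()` for `capable_nolog()` in ext2_has_free_blocks changes only what gets logged, and nothing in the hunk says why this probe of CAP_SYS_RESOURCE should be exempt from audit logging. A one-line comment such as `/* capable_nolog: an unprivileged writer touching the reserve is routine, not an audit event */` would record the rationale; that reading is inferred from the name and should be confirmed. The identical change is made to ext3_has_free_blocks and ext4_has_free_blocks further down.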
31140 diff -urNp linux-2.6.38.1/fs/ext2/xattr.c linux-2.6.38.1/fs/ext2/xattr.c
31141 --- linux-2.6.38.1/fs/ext2/xattr.c 2011-03-14 21:20:32.000000000 -0400
31142 +++ linux-2.6.38.1/fs/ext2/xattr.c 2011-03-21 18:31:35.000000000 -0400
31147 -# define ea_idebug(f...)
31148 -# define ea_bdebug(f...)
31149 +# define ea_idebug(inode, f...) do {} while (0)
31150 +# define ea_bdebug(bh, f...) do {} while (0)
31153 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
31154 diff -urNp linux-2.6.38.1/fs/ext3/balloc.c linux-2.6.38.1/fs/ext3/balloc.c
31155 --- linux-2.6.38.1/fs/ext3/balloc.c 2011-03-14 21:20:32.000000000 -0400
31156 +++ linux-2.6.38.1/fs/ext3/balloc.c 2011-03-21 18:31:35.000000000 -0400
31157 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
31159 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31160 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31161 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31162 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31163 sbi->s_resuid != current_fsuid() &&
31164 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31166 diff -urNp linux-2.6.38.1/fs/ext3/namei.c linux-2.6.38.1/fs/ext3/namei.c
31167 --- linux-2.6.38.1/fs/ext3/namei.c 2011-03-23 17:20:08.000000000 -0400
31168 +++ linux-2.6.38.1/fs/ext3/namei.c 2011-03-23 17:21:51.000000000 -0400
31169 @@ -1159,7 +1159,7 @@ static struct ext3_dir_entry_2 *do_split
31170 char *data1 = (*bh)->b_data, *data2;
31171 unsigned split, move, size;
31172 struct ext3_dir_entry_2 *de = NULL, *de2;
31176 bh2 = ext3_append (handle, dir, &newblock, &err);
31178 diff -urNp linux-2.6.38.1/fs/ext3/xattr.c linux-2.6.38.1/fs/ext3/xattr.c
31179 --- linux-2.6.38.1/fs/ext3/xattr.c 2011-03-14 21:20:32.000000000 -0400
31180 +++ linux-2.6.38.1/fs/ext3/xattr.c 2011-03-21 18:31:35.000000000 -0400
31185 -# define ea_idebug(f...)
31186 -# define ea_bdebug(f...)
31187 +# define ea_idebug(f...) do {} while (0)
31188 +# define ea_bdebug(f...) do {} while (0)
31191 static void ext3_xattr_cache_insert(struct buffer_head *);
31192 diff -urNp linux-2.6.38.1/fs/ext4/balloc.c linux-2.6.38.1/fs/ext4/balloc.c
31193 --- linux-2.6.38.1/fs/ext4/balloc.c 2011-03-14 21:20:32.000000000 -0400
31194 +++ linux-2.6.38.1/fs/ext4/balloc.c 2011-03-21 18:31:35.000000000 -0400
31195 @@ -519,7 +519,7 @@ static int ext4_has_free_blocks(struct e
31196 /* Hm, nope. Are (enough) root reserved blocks available? */
31197 if (sbi->s_resuid == current_fsuid() ||
31198 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
31199 - capable(CAP_SYS_RESOURCE)) {
31200 + capable_nolog(CAP_SYS_RESOURCE)) {
31201 if (free_blocks >= (nblocks + dirty_blocks))
31204 diff -urNp linux-2.6.38.1/fs/ext4/ext4.h linux-2.6.38.1/fs/ext4/ext4.h
31205 --- linux-2.6.38.1/fs/ext4/ext4.h 2011-03-14 21:20:32.000000000 -0400
31206 +++ linux-2.6.38.1/fs/ext4/ext4.h 2011-03-21 18:31:35.000000000 -0400
31207 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
31208 unsigned long s_mb_last_start;
31210 /* stats for buddy allocator */
31211 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
31212 - atomic_t s_bal_success; /* we found long enough chunks */
31213 - atomic_t s_bal_allocated; /* in blocks */
31214 - atomic_t s_bal_ex_scanned; /* total extents scanned */
31215 - atomic_t s_bal_goals; /* goal hits */
31216 - atomic_t s_bal_breaks; /* too long searches */
31217 - atomic_t s_bal_2orders; /* 2^order hits */
31218 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
31219 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
31220 + atomic_unchecked_t s_bal_allocated; /* in blocks */
31221 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
31222 + atomic_unchecked_t s_bal_goals; /* goal hits */
31223 + atomic_unchecked_t s_bal_breaks; /* too long searches */
31224 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
31225 spinlock_t s_bal_lock;
31226 unsigned long s_mb_buddies_generated;
31227 unsigned long long s_mb_generation_time;
31228 - atomic_t s_mb_lost_chunks;
31229 - atomic_t s_mb_preallocated;
31230 - atomic_t s_mb_discarded;
31231 + atomic_unchecked_t s_mb_lost_chunks;
31232 + atomic_unchecked_t s_mb_preallocated;
31233 + atomic_unchecked_t s_mb_discarded;
31234 atomic_t s_lock_busy;
31236 /* locality groups */
31237 diff -urNp linux-2.6.38.1/fs/ext4/mballoc.c linux-2.6.38.1/fs/ext4/mballoc.c
31238 --- linux-2.6.38.1/fs/ext4/mballoc.c 2011-03-14 21:20:32.000000000 -0400
31239 +++ linux-2.6.38.1/fs/ext4/mballoc.c 2011-03-21 18:31:35.000000000 -0400
31240 @@ -1846,7 +1846,7 @@ void ext4_mb_simple_scan_group(struct ex
31241 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
31243 if (EXT4_SB(sb)->s_mb_stats)
31244 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
31245 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
31249 @@ -2140,7 +2140,7 @@ repeat:
31250 ac->ac_status = AC_STATUS_CONTINUE;
31251 ac->ac_flags |= EXT4_MB_HINT_FIRST;
31253 - atomic_inc(&sbi->s_mb_lost_chunks);
31254 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
31258 @@ -2606,25 +2606,25 @@ int ext4_mb_release(struct super_block *
31259 if (sbi->s_mb_stats) {
31261 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
31262 - atomic_read(&sbi->s_bal_allocated),
31263 - atomic_read(&sbi->s_bal_reqs),
31264 - atomic_read(&sbi->s_bal_success));
31265 + atomic_read_unchecked(&sbi->s_bal_allocated),
31266 + atomic_read_unchecked(&sbi->s_bal_reqs),
31267 + atomic_read_unchecked(&sbi->s_bal_success));
31269 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
31270 "%u 2^N hits, %u breaks, %u lost\n",
31271 - atomic_read(&sbi->s_bal_ex_scanned),
31272 - atomic_read(&sbi->s_bal_goals),
31273 - atomic_read(&sbi->s_bal_2orders),
31274 - atomic_read(&sbi->s_bal_breaks),
31275 - atomic_read(&sbi->s_mb_lost_chunks));
31276 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
31277 + atomic_read_unchecked(&sbi->s_bal_goals),
31278 + atomic_read_unchecked(&sbi->s_bal_2orders),
31279 + atomic_read_unchecked(&sbi->s_bal_breaks),
31280 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
31282 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
31283 sbi->s_mb_buddies_generated++,
31284 sbi->s_mb_generation_time);
31286 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
31287 - atomic_read(&sbi->s_mb_preallocated),
31288 - atomic_read(&sbi->s_mb_discarded));
31289 + atomic_read_unchecked(&sbi->s_mb_preallocated),
31290 + atomic_read_unchecked(&sbi->s_mb_discarded));
31293 free_percpu(sbi->s_locality_groups);
31294 @@ -3100,16 +3100,16 @@ static void ext4_mb_collect_stats(struct
31295 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
31297 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
31298 - atomic_inc(&sbi->s_bal_reqs);
31299 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31300 + atomic_inc_unchecked(&sbi->s_bal_reqs);
31301 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31302 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
31303 - atomic_inc(&sbi->s_bal_success);
31304 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
31305 + atomic_inc_unchecked(&sbi->s_bal_success);
31306 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
31307 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
31308 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
31309 - atomic_inc(&sbi->s_bal_goals);
31310 + atomic_inc_unchecked(&sbi->s_bal_goals);
31311 if (ac->ac_found > sbi->s_mb_max_to_scan)
31312 - atomic_inc(&sbi->s_bal_breaks);
31313 + atomic_inc_unchecked(&sbi->s_bal_breaks);
31316 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
31317 @@ -3507,7 +3507,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
31318 trace_ext4_mb_new_inode_pa(ac, pa);
31320 ext4_mb_use_inode_pa(ac, pa);
31321 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31322 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31324 ei = EXT4_I(ac->ac_inode);
31325 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31326 @@ -3567,7 +3567,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
31327 trace_ext4_mb_new_group_pa(ac, pa);
31329 ext4_mb_use_group_pa(ac, pa);
31330 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31331 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31333 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31335 @@ -3654,7 +3654,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
31336 * from the bitmap and continue.
31339 - atomic_add(free, &sbi->s_mb_discarded);
31340 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
31344 @@ -3672,7 +3672,7 @@ ext4_mb_release_group_pa(struct ext4_bud
31345 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
31346 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
31347 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
31348 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31349 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31350 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
31353 diff -urNp linux-2.6.38.1/fs/ext4/namei.c linux-2.6.38.1/fs/ext4/namei.c
31354 --- linux-2.6.38.1/fs/ext4/namei.c 2011-03-14 21:20:32.000000000 -0400
31355 +++ linux-2.6.38.1/fs/ext4/namei.c 2011-03-21 18:31:35.000000000 -0400
31356 @@ -1161,7 +1161,7 @@ static struct ext4_dir_entry_2 *do_split
31357 char *data1 = (*bh)->b_data, *data2;
31358 unsigned split, move, size;
31359 struct ext4_dir_entry_2 *de = NULL, *de2;
31363 bh2 = ext4_append (handle, dir, &newblock, &err);
31365 diff -urNp linux-2.6.38.1/fs/ext4/xattr.c linux-2.6.38.1/fs/ext4/xattr.c
31366 --- linux-2.6.38.1/fs/ext4/xattr.c 2011-03-14 21:20:32.000000000 -0400
31367 +++ linux-2.6.38.1/fs/ext4/xattr.c 2011-03-21 18:31:35.000000000 -0400
31372 -# define ea_idebug(f...)
31373 -# define ea_bdebug(f...)
31374 +# define ea_idebug(inode, f...) do {} while (0)
31375 +# define ea_bdebug(bh, f...) do {} while (0)
31378 static void ext4_xattr_cache_insert(struct buffer_head *);
31379 diff -urNp linux-2.6.38.1/fs/fcntl.c linux-2.6.38.1/fs/fcntl.c
31380 --- linux-2.6.38.1/fs/fcntl.c 2011-03-14 21:20:32.000000000 -0400
31381 +++ linux-2.6.38.1/fs/fcntl.c 2011-03-21 18:31:35.000000000 -0400
31382 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
31386 + if (gr_handle_chroot_fowner(pid, type))
31388 + if (gr_check_protected_task_fowner(pid, type))
31391 f_modown(filp, pid, type, force);
31394 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
31397 case F_DUPFD_CLOEXEC:
31398 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
31399 if (arg >= rlimit(RLIMIT_NOFILE))
31401 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
31402 @@ -808,14 +814,14 @@ static int __init fcntl_init(void)
31403 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
31404 * is defined as O_NONBLOCK on some platforms and not on others.
31406 - BUILD_BUG_ON(18 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31407 + BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31408 O_RDONLY | O_WRONLY | O_RDWR |
31409 O_CREAT | O_EXCL | O_NOCTTY |
31410 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
31411 __O_SYNC | O_DSYNC | FASYNC |
31412 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
31413 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
31415 + __FMODE_EXEC | FMODE_GREXEC
31418 fasync_cache = kmem_cache_create("fasync_cache",
31419 diff -urNp linux-2.6.38.1/fs/fifo.c linux-2.6.38.1/fs/fifo.c
31420 --- linux-2.6.38.1/fs/fifo.c 2011-03-14 21:20:32.000000000 -0400
31421 +++ linux-2.6.38.1/fs/fifo.c 2011-03-21 18:31:35.000000000 -0400
31422 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
31424 filp->f_op = &read_pipefifo_fops;
31426 - if (pipe->readers++ == 0)
31427 + if (atomic_inc_return(&pipe->readers) == 1)
31428 wake_up_partner(inode);
31430 - if (!pipe->writers) {
31431 + if (!atomic_read(&pipe->writers)) {
31432 if ((filp->f_flags & O_NONBLOCK)) {
31433 /* suppress POLLHUP until we have
31435 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
31436 * errno=ENXIO when there is no process reading the FIFO.
31439 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
31440 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
31443 filp->f_op = &write_pipefifo_fops;
31445 - if (!pipe->writers++)
31446 + if (atomic_inc_return(&pipe->writers) == 1)
31447 wake_up_partner(inode);
31449 - if (!pipe->readers) {
31450 + if (!atomic_read(&pipe->readers)) {
31451 wait_for_partner(inode, &pipe->r_counter);
31452 if (signal_pending(current))
31454 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
31456 filp->f_op = &rdwr_pipefifo_fops;
31460 + atomic_inc(&pipe->readers);
31461 + atomic_inc(&pipe->writers);
31464 - if (pipe->readers == 1 || pipe->writers == 1)
31465 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
31466 wake_up_partner(inode);
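Review bot: The two `atomic_inc()` calls followed by the separate `atomic_read() == 1` tests at the end of this hunk are not one atomic step, so converting `readers`/`writers` to `atomic_t` does not by itself make the wake-up decision race-free; it stays correct only because opens of a FIFO are serialised by the caller (mainline fifo_open runs under the inode mutex, which this hunk does not show — confirm that is still the case). The same assumption underlies every `atomic_inc_return(...) == 1` and `atomic_dec_and_test()` site in this file. A comment at the top of fifo_open, `/* readers/writers are atomic_t for overflow hardening only; i_mutex still serialises opens */`, would stop a later reader from dropping the lock on the grounds that the counters are already atomic.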
31469 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
31473 - if (!--pipe->readers)
31474 + if (atomic_dec_and_test(&pipe->readers))
31475 wake_up_interruptible(&pipe->wait);
31476 ret = -ERESTARTSYS;
31480 - if (!--pipe->writers)
31481 + if (atomic_dec_and_test(&pipe->writers))
31482 wake_up_interruptible(&pipe->wait);
31483 ret = -ERESTARTSYS;
31487 - if (!pipe->readers && !pipe->writers)
31488 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
31489 free_pipe_info(inode);
31492 diff -urNp linux-2.6.38.1/fs/file.c linux-2.6.38.1/fs/file.c
31493 --- linux-2.6.38.1/fs/file.c 2011-03-14 21:20:32.000000000 -0400
31494 +++ linux-2.6.38.1/fs/file.c 2011-03-21 18:31:35.000000000 -0400
31496 #include <linux/slab.h>
31497 #include <linux/vmalloc.h>
31498 #include <linux/file.h>
31499 +#include <linux/security.h>
31500 #include <linux/fdtable.h>
31501 #include <linux/bitops.h>
31502 #include <linux/interrupt.h>
31503 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
31504 * N.B. For clone tasks sharing a files structure, this test
31505 * will limit the total number of files that can be opened.
31507 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
31508 if (nr >= rlimit(RLIMIT_NOFILE))
31511 diff -urNp linux-2.6.38.1/fs/fs_struct.c linux-2.6.38.1/fs/fs_struct.c
31512 --- linux-2.6.38.1/fs/fs_struct.c 2011-03-14 21:20:32.000000000 -0400
31513 +++ linux-2.6.38.1/fs/fs_struct.c 2011-03-21 18:31:35.000000000 -0400
31515 #include <linux/slab.h>
31516 #include <linux/fs_struct.h>
31517 #include <linux/vserver/global.h>
31518 +#include <linux/grsecurity.h>
31519 #include "internal.h"
31521 static inline void path_get_longterm(struct path *path)
31522 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
31523 old_root = fs->root;
31525 path_get_longterm(path);
31526 + gr_set_chroot_entries(current, path);
31527 write_seqcount_end(&fs->seq);
31528 spin_unlock(&fs->lock);
31529 if (old_root.dentry)
31530 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
31531 && fs->root.mnt == old_root->mnt) {
31532 path_get_longterm(new_root);
31533 fs->root = *new_root;
31534 + gr_set_chroot_entries(p, new_root);
31537 if (fs->pwd.dentry == old_root->dentry
31538 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
31539 spin_lock(&fs->lock);
31540 write_seqcount_begin(&fs->seq);
31542 - kill = !--fs->users;
31543 + gr_clear_chroot_entries(tsk);
31544 + kill = !atomic_dec_return(&fs->users);
31545 write_seqcount_end(&fs->seq);
31546 spin_unlock(&fs->lock);
31548 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
31549 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31550 /* We don't need to lock fs - think why ;-) */
31553 + atomic_set(&fs->users, 1);
31555 spin_lock_init(&fs->lock);
31556 seqcount_init(&fs->seq);
31557 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
31558 spin_lock(&old->lock);
31559 fs->root = old->root;
31560 path_get_longterm(&fs->root);
31561 + /* instead of calling gr_set_chroot_entries here,
31562 + we call it from every caller of this function
31564 fs->pwd = old->pwd;
31565 path_get_longterm(&fs->pwd);
31566 spin_unlock(&old->lock);
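Review bot: The comment added in copy_fs_struct moves the obligation to call `gr_set_chroot_entries()` onto every caller, but nothing enforces it: unshare_fs_struct and daemonize_fs_struct do so in this file, while the fork path (copy_fs in kernel/fork.c) lies outside this section and needs checking. A task whose fs_struct is copied without the call would presumably carry stale chroot state into the grsecurity chroot checks, which is the kind of gap that is silent until it matters. At least make the comment name the callers that must do it, `/* callers (copy_fs, unshare_fs_struct, daemonize_fs_struct) must call gr_set_chroot_entries() on the new root */`, so the list can be audited.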
31567 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
31569 task_lock(current);
31570 spin_lock(&fs->lock);
31571 - kill = !--fs->users;
31572 + kill = !atomic_dec_return(&fs->users);
31573 current->fs = new_fs;
31574 + gr_set_chroot_entries(current, &new_fs->root);
31575 spin_unlock(&fs->lock);
31576 task_unlock(current);
31578 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
31580 /* to be mentioned only in INIT_TASK */
31581 struct fs_struct init_fs = {
31583 + .users = ATOMIC_INIT(1),
31584 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
31585 .seq = SEQCNT_ZERO,
31587 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
31588 task_lock(current);
31590 spin_lock(&init_fs.lock);
31592 + atomic_inc(&init_fs.users);
31593 spin_unlock(&init_fs.lock);
31595 spin_lock(&fs->lock);
31596 current->fs = &init_fs;
31597 - kill = !--fs->users;
31598 + gr_set_chroot_entries(current, ¤t->fs->root);
31599 + kill = !atomic_dec_return(&fs->users);
31600 spin_unlock(&fs->lock);
31602 task_unlock(current);
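Review bot: The line added in daemonize_fs_struct reads `¤t->fs->root` on this page, which is the HTML entity `&curren;` having swallowed the start of `&current`; the intended code is `gr_set_chroot_entries(current, &current->fs->root);`. The raw patch presumably carries the correct text, but anyone copying from this rendering gets a compile error, so re-check against the source. Since `current->fs` has just been set to `&init_fs` two lines earlier, writing the argument as `&init_fs.root` would make the intent explicit and sidestep the encoding trap entirely.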
31603 diff -urNp linux-2.6.38.1/fs/fuse/control.c linux-2.6.38.1/fs/fuse/control.c
31604 --- linux-2.6.38.1/fs/fuse/control.c 2011-03-14 21:20:32.000000000 -0400
31605 +++ linux-2.6.38.1/fs/fuse/control.c 2011-03-21 18:31:35.000000000 -0400
31606 @@ -298,7 +298,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31608 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31610 - struct tree_descr empty_descr = {""};
31611 + struct tree_descr empty_descr = {"", NULL, 0};
31612 struct fuse_conn *fc;
31615 diff -urNp linux-2.6.38.1/fs/fuse/cuse.c linux-2.6.38.1/fs/fuse/cuse.c
31616 --- linux-2.6.38.1/fs/fuse/cuse.c 2011-03-14 21:20:32.000000000 -0400
31617 +++ linux-2.6.38.1/fs/fuse/cuse.c 2011-03-21 18:31:35.000000000 -0400
31618 @@ -530,8 +530,18 @@ static int cuse_channel_release(struct i
31622 -static struct file_operations cuse_channel_fops; /* initialized during init */
31624 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31625 + .owner = THIS_MODULE,
31626 + .llseek = no_llseek,
31627 + .read = do_sync_read,
31628 + .aio_read = fuse_dev_read,
31629 + .write = do_sync_write,
31630 + .aio_write = fuse_dev_write,
31631 + .poll = fuse_dev_poll,
31632 + .open = cuse_channel_open,
31633 + .release = cuse_channel_release,
31634 + .fasync = fuse_dev_fasync,
31637 /**************************************************************************
31638 * Misc stuff and module initializatiion
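Review bot: The static initialiser for `cuse_channel_fops` replaces the old "copy fuse_dev_operations, then override" scheme with a hand-written list, so the table no longer inherits every method of `fuse_dev_operations`; in particular `fuse_dev_splice_read` and `fuse_dev_splice_write`, which remain `static` and unexported in the fs/fuse/dev.c hunks of this same patch, are absent, so if `fuse_dev_operations` sets `.splice_read`/`.splice_write` as it does in mainline, the CUSE channel silently loses splice support. Either export those two alongside read/write/poll/fasync and add them here, or record the omission in a comment. The `/* initialized during init */` comment on the declaration is now stale and should be replaced with something like `/* mirrors fuse_dev_operations; keep in sync when that table changes */`.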
31639 @@ -577,12 +587,6 @@ static int __init cuse_init(void)
31640 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31641 INIT_LIST_HEAD(&cuse_conntbl[i]);
31643 - /* inherit and extend fuse_dev_operations */
31644 - cuse_channel_fops = fuse_dev_operations;
31645 - cuse_channel_fops.owner = THIS_MODULE;
31646 - cuse_channel_fops.open = cuse_channel_open;
31647 - cuse_channel_fops.release = cuse_channel_release;
31649 cuse_class = class_create(THIS_MODULE, "cuse");
31650 if (IS_ERR(cuse_class))
31651 return PTR_ERR(cuse_class);
31652 diff -urNp linux-2.6.38.1/fs/fuse/dev.c linux-2.6.38.1/fs/fuse/dev.c
31653 --- linux-2.6.38.1/fs/fuse/dev.c 2011-03-14 21:20:32.000000000 -0400
31654 +++ linux-2.6.38.1/fs/fuse/dev.c 2011-03-21 18:31:35.000000000 -0400
31655 @@ -1183,7 +1183,7 @@ static ssize_t fuse_dev_do_read(struct f
31659 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31660 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31661 unsigned long nr_segs, loff_t pos)
31663 struct fuse_copy_state cs;
31664 @@ -1197,6 +1197,8 @@ static ssize_t fuse_dev_read(struct kioc
31665 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31668 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31670 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31671 struct pipe_buffer *buf)
31673 @@ -1240,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
31677 - if (!pipe->readers) {
31678 + if (!atomic_read(&pipe->readers)) {
31679 send_sig(SIGPIPE, current, 0);
31682 @@ -1733,7 +1735,7 @@ static ssize_t fuse_dev_do_write(struct
31686 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31687 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31688 unsigned long nr_segs, loff_t pos)
31690 struct fuse_copy_state cs;
31691 @@ -1746,6 +1748,8 @@ static ssize_t fuse_dev_write(struct kio
31692 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31695 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31697 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31698 struct file *out, loff_t *ppos,
31699 size_t len, unsigned int flags)
31700 @@ -1824,7 +1828,7 @@ out:
31704 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31705 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31707 unsigned mask = POLLOUT | POLLWRNORM;
31708 struct fuse_conn *fc = fuse_get_conn(file);
31709 @@ -1843,6 +1847,8 @@ static unsigned fuse_dev_poll(struct fil
31713 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31716 * Abort all requests on the given list (pending or processing)
31718 @@ -1962,7 +1968,7 @@ int fuse_dev_release(struct inode *inode
31720 EXPORT_SYMBOL_GPL(fuse_dev_release);
31722 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31723 +int fuse_dev_fasync(int fd, struct file *file, int on)
31725 struct fuse_conn *fc = fuse_get_conn(file);
31727 @@ -1972,6 +1978,8 @@ static int fuse_dev_fasync(int fd, struc
31728 return fasync_helper(fd, file, on, &fc->fasync);
31731 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31733 const struct file_operations fuse_dev_operations = {
31734 .owner = THIS_MODULE,
31735 .llseek = no_llseek,
31736 diff -urNp linux-2.6.38.1/fs/fuse/dir.c linux-2.6.38.1/fs/fuse/dir.c
31737 --- linux-2.6.38.1/fs/fuse/dir.c 2011-03-14 21:20:32.000000000 -0400
31738 +++ linux-2.6.38.1/fs/fuse/dir.c 2011-03-21 18:31:35.000000000 -0400
31739 @@ -1133,7 +1133,7 @@ static char *read_link(struct dentry *de
31743 -static void free_link(char *link)
31744 +static void free_link(const char *link)
31747 free_page((unsigned long) link);
31748 diff -urNp linux-2.6.38.1/fs/fuse/fuse_i.h linux-2.6.38.1/fs/fuse/fuse_i.h
31749 --- linux-2.6.38.1/fs/fuse/fuse_i.h 2011-03-14 21:20:32.000000000 -0400
31750 +++ linux-2.6.38.1/fs/fuse/fuse_i.h 2011-03-21 18:31:35.000000000 -0400
31751 @@ -541,6 +541,16 @@ extern const struct file_operations fuse
31753 extern const struct dentry_operations fuse_dentry_operations;
31755 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31756 + unsigned long nr_segs, loff_t pos);
31758 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31759 + unsigned long nr_segs, loff_t pos);
31761 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31763 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31766 * Inode to nodeid comparison.
31768 diff -urNp linux-2.6.38.1/fs/hfs/inode.c linux-2.6.38.1/fs/hfs/inode.c
31769 --- linux-2.6.38.1/fs/hfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31770 +++ linux-2.6.38.1/fs/hfs/inode.c 2011-03-21 18:31:35.000000000 -0400
31771 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
31773 if (S_ISDIR(main_inode->i_mode)) {
31774 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31777 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31778 sizeof(struct hfs_cat_dir));
31779 if (rec.type != HFS_CDR_DIR ||
31780 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
31781 sizeof(struct hfs_cat_file));
31783 if (fd.entrylength < sizeof(struct hfs_cat_file))
31786 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31787 sizeof(struct hfs_cat_file));
31788 if (rec.type != HFS_CDR_FIL ||
31789 diff -urNp linux-2.6.38.1/fs/hfsplus/inode.c linux-2.6.38.1/fs/hfsplus/inode.c
31790 --- linux-2.6.38.1/fs/hfsplus/inode.c 2011-03-14 21:20:32.000000000 -0400
31791 +++ linux-2.6.38.1/fs/hfsplus/inode.c 2011-03-21 18:31:35.000000000 -0400
31792 @@ -498,7 +498,7 @@ int hfsplus_cat_read_inode(struct inode
31793 struct hfsplus_cat_folder *folder = &entry.folder;
31795 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31798 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31799 sizeof(struct hfsplus_cat_folder));
31800 hfsplus_get_perms(inode, &folder->permissions, 1);
31801 @@ -515,7 +515,7 @@ int hfsplus_cat_read_inode(struct inode
31802 struct hfsplus_cat_file *file = &entry.file;
31804 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31807 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31808 sizeof(struct hfsplus_cat_file));
31810 @@ -572,7 +572,7 @@ int hfsplus_cat_write_inode(struct inode
31811 struct hfsplus_cat_folder *folder = &entry.folder;
31813 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31816 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31817 sizeof(struct hfsplus_cat_folder));
31818 /* simple node checks? */
31819 @@ -594,7 +594,7 @@ int hfsplus_cat_write_inode(struct inode
31820 struct hfsplus_cat_file *file = &entry.file;
31822 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31825 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31826 sizeof(struct hfsplus_cat_file));
31827 hfsplus_inode_write_fork(inode, &file->data_fork);
31828 diff -urNp linux-2.6.38.1/fs/hugetlbfs/inode.c linux-2.6.38.1/fs/hugetlbfs/inode.c
31829 --- linux-2.6.38.1/fs/hugetlbfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31830 +++ linux-2.6.38.1/fs/hugetlbfs/inode.c 2011-03-21 18:31:35.000000000 -0400
31831 @@ -915,7 +915,7 @@ static struct file_system_type hugetlbfs
31832 .kill_sb = kill_litter_super,
31835 -static struct vfsmount *hugetlbfs_vfsmount;
31836 +struct vfsmount *hugetlbfs_vfsmount;
31838 static int can_do_hugetlb_shm(void)
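Review bot: Dropping `static` from `hugetlbfs_vfsmount` turns a file-private pointer into a kernel-wide symbol, but no header declaration appears in this section, so consumers must open-code `extern struct vfsmount *hugetlbfs_vfsmount;` and sparse will warn about a non-static symbol without a prototype. Add the extern to the header the consumer includes and, since this widens who can reach the mount, a comment on the definition naming that consumer, `/* non-static for <consumer>; treat as read-only outside this file */`, with the placeholder replaced by the actual user, which is not visible here.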
31840 diff -urNp linux-2.6.38.1/fs/jffs2/debug.h linux-2.6.38.1/fs/jffs2/debug.h
31841 --- linux-2.6.38.1/fs/jffs2/debug.h 2011-03-14 21:20:32.000000000 -0400
31842 +++ linux-2.6.38.1/fs/jffs2/debug.h 2011-03-21 18:31:35.000000000 -0400
31843 @@ -53,13 +53,13 @@
31844 #if CONFIG_JFFS2_FS_DEBUG > 0
31848 +#define D1(x) do {} while (0);
31851 #if CONFIG_JFFS2_FS_DEBUG > 1
31855 +#define D2(x) do {} while (0);
31858 /* The prefixes of JFFS2 messages */
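Review bot: The new `D1(x)` and `D2(x)` definitions carry a trailing semicolon, `do {} while (0);`, unlike every other no-op macro this patch introduces (the `dbg_*` family below and the `jffs2_sum_*` macros in summary.h). With the semicolon, `D1(x);` expands to two statements, so a braceless `if (cond) D1(x); else ...` no longer compiles, and the dangling-else shape is exactly what `do {} while (0)` exists to prevent. Drop it: `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.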
31859 @@ -115,73 +115,73 @@
31860 #ifdef JFFS2_DBG_READINODE_MESSAGES
31861 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31863 -#define dbg_readinode(fmt, ...)
31864 +#define dbg_readinode(fmt, ...) do {} while (0)
31866 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31867 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31869 -#define dbg_readinode2(fmt, ...)
31870 +#define dbg_readinode2(fmt, ...) do {} while (0)
31873 /* Fragtree build debugging messages */
31874 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31875 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31877 -#define dbg_fragtree(fmt, ...)
31878 +#define dbg_fragtree(fmt, ...) do {} while (0)
31880 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31881 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31883 -#define dbg_fragtree2(fmt, ...)
31884 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31887 /* Directory entry list manilulation debugging messages */
31888 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31889 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31891 -#define dbg_dentlist(fmt, ...)
31892 +#define dbg_dentlist(fmt, ...) do {} while (0)
31895 /* Print the messages about manipulating node_refs */
31896 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31897 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31899 -#define dbg_noderef(fmt, ...)
31900 +#define dbg_noderef(fmt, ...) do {} while (0)
31903 /* Manipulations with the list of inodes (JFFS2 inocache) */
31904 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31905 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31907 -#define dbg_inocache(fmt, ...)
31908 +#define dbg_inocache(fmt, ...) do {} while (0)
31911 /* Summary debugging messages */
31912 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31913 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31915 -#define dbg_summary(fmt, ...)
31916 +#define dbg_summary(fmt, ...) do {} while (0)
31919 /* File system build messages */
31920 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31921 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31923 -#define dbg_fsbuild(fmt, ...)
31924 +#define dbg_fsbuild(fmt, ...) do {} while (0)
31927 /* Watch the object allocations */
31928 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31929 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31931 -#define dbg_memalloc(fmt, ...)
31932 +#define dbg_memalloc(fmt, ...) do {} while (0)
31935 /* Watch the XATTR subsystem */
31936 #ifdef JFFS2_DBG_XATTR_MESSAGES
31937 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31939 -#define dbg_xattr(fmt, ...)
31940 +#define dbg_xattr(fmt, ...) do {} while (0)
31943 /* "Sanity" checks */
31944 diff -urNp linux-2.6.38.1/fs/jffs2/erase.c linux-2.6.38.1/fs/jffs2/erase.c
31945 --- linux-2.6.38.1/fs/jffs2/erase.c 2011-03-14 21:20:32.000000000 -0400
31946 +++ linux-2.6.38.1/fs/jffs2/erase.c 2011-03-21 18:31:35.000000000 -0400
31947 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
31948 struct jffs2_unknown_node marker = {
31949 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31950 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31951 - .totlen = cpu_to_je32(c->cleanmarker_size)
31952 + .totlen = cpu_to_je32(c->cleanmarker_size),
31953 + .hdr_crc = cpu_to_je32(0)
31956 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31957 diff -urNp linux-2.6.38.1/fs/jffs2/summary.h linux-2.6.38.1/fs/jffs2/summary.h
31958 --- linux-2.6.38.1/fs/jffs2/summary.h 2011-03-14 21:20:32.000000000 -0400
31959 +++ linux-2.6.38.1/fs/jffs2/summary.h 2011-03-21 18:31:35.000000000 -0400
31960 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31962 #define jffs2_sum_active() (0)
31963 #define jffs2_sum_init(a) (0)
31964 -#define jffs2_sum_exit(a)
31965 -#define jffs2_sum_disable_collecting(a)
31966 +#define jffs2_sum_exit(a) do {} while (0)
31967 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31968 #define jffs2_sum_is_disabled(a) (0)
31969 -#define jffs2_sum_reset_collected(a)
31970 +#define jffs2_sum_reset_collected(a) do {} while (0)
31971 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31972 -#define jffs2_sum_move_collected(a,b)
31973 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31974 #define jffs2_sum_write_sumnode(a) (0)
31975 -#define jffs2_sum_add_padding_mem(a,b)
31976 -#define jffs2_sum_add_inode_mem(a,b,c)
31977 -#define jffs2_sum_add_dirent_mem(a,b,c)
31978 -#define jffs2_sum_add_xattr_mem(a,b,c)
31979 -#define jffs2_sum_add_xref_mem(a,b,c)
31980 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31981 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31982 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31983 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31984 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31985 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31987 #endif /* CONFIG_JFFS2_SUMMARY */
31988 diff -urNp linux-2.6.38.1/fs/jffs2/wbuf.c linux-2.6.38.1/fs/jffs2/wbuf.c
31989 --- linux-2.6.38.1/fs/jffs2/wbuf.c 2011-03-14 21:20:32.000000000 -0400
31990 +++ linux-2.6.38.1/fs/jffs2/wbuf.c 2011-03-21 18:31:35.000000000 -0400
31991 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31993 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31994 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31995 - .totlen = constant_cpu_to_je32(8)
31996 + .totlen = constant_cpu_to_je32(8),
31997 + .hdr_crc = constant_cpu_to_je32(0)
32001 diff -urNp linux-2.6.38.1/fs/Kconfig.binfmt linux-2.6.38.1/fs/Kconfig.binfmt
32002 --- linux-2.6.38.1/fs/Kconfig.binfmt 2011-03-14 21:20:32.000000000 -0400
32003 +++ linux-2.6.38.1/fs/Kconfig.binfmt 2011-03-21 18:31:35.000000000 -0400
32004 @@ -86,7 +86,7 @@ config HAVE_AOUT
32007 tristate "Kernel support for a.out and ECOFF binaries"
32008 - depends on HAVE_AOUT
32009 + depends on HAVE_AOUT && BROKEN
32011 A.out (Assembler.OUTput) is a set of formats for libraries and
32012 executables used in the earliest versions of UNIX. Linux used
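Review bot: Adding `&& BROKEN` hides BINFMT_AOUT from configuration, but the help text that follows still presents a.out support as a normal option, so a user looking for it gets no hint why it vanished. One line at the top of the help, `This option is marked BROKEN by this patch: <reason>.`, would record the rationale; the hunk itself does not state it, so fill in the placeholder from the patch's own notes rather than guessing.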
32013 diff -urNp linux-2.6.38.1/fs/lockd/svc.c linux-2.6.38.1/fs/lockd/svc.c
32014 --- linux-2.6.38.1/fs/lockd/svc.c 2011-03-14 21:20:32.000000000 -0400
32015 +++ linux-2.6.38.1/fs/lockd/svc.c 2011-03-21 18:31:35.000000000 -0400
32018 static struct svc_program nlmsvc_program;
32020 -struct nlmsvc_binding * nlmsvc_ops;
32021 +const struct nlmsvc_binding * nlmsvc_ops;
32022 EXPORT_SYMBOL_GPL(nlmsvc_ops);
32024 static DEFINE_MUTEX(nlmsvc_mutex);
32025 diff -urNp linux-2.6.38.1/fs/locks.c linux-2.6.38.1/fs/locks.c
32026 --- linux-2.6.38.1/fs/locks.c 2011-03-14 21:20:32.000000000 -0400
32027 +++ linux-2.6.38.1/fs/locks.c 2011-03-21 18:31:35.000000000 -0400
32028 @@ -2044,16 +2044,16 @@ void locks_remove_flock(struct file *fil
32031 if (filp->f_op && filp->f_op->flock) {
32032 - struct file_lock fl = {
32033 + struct file_lock flock = {
32034 .fl_pid = current->tgid,
32036 .fl_flags = FL_FLOCK,
32037 .fl_type = F_UNLCK,
32038 .fl_end = OFFSET_MAX,
32040 - filp->f_op->flock(filp, F_SETLKW, &fl);
32041 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
32042 - fl.fl_ops->fl_release_private(&fl);
32043 + filp->f_op->flock(filp, F_SETLKW, &flock);
32044 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
32045 + flock.fl_ops->fl_release_private(&flock);
32049 diff -urNp linux-2.6.38.1/fs/namei.c linux-2.6.38.1/fs/namei.c
32050 --- linux-2.6.38.1/fs/namei.c 2011-03-14 21:20:32.000000000 -0400
32051 +++ linux-2.6.38.1/fs/namei.c 2011-03-25 18:59:30.000000000 -0400
32052 @@ -226,14 +226,6 @@ int generic_permission(struct inode *ino
32056 - * Read/write DACs are always overridable.
32057 - * Executable DACs are overridable if at least one exec bit is set.
32059 - if (!(mask & MAY_EXEC) || execute_ok(inode))
32060 - if (capable(CAP_DAC_OVERRIDE))
32064 * Searching includes executable on directories, else just read.
32066 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
32067 @@ -241,6 +233,14 @@ int generic_permission(struct inode *ino
32068 if (capable(CAP_DAC_READ_SEARCH))
32072 + * Read/write DACs are always overridable.
32073 + * Executable DACs are overridable if at least one exec bit is set.
32075 + if (!(mask & MAY_EXEC) || execute_ok(inode))
32076 + if (capable(CAP_DAC_OVERRIDE))
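Review bot: Moving the `CAP_DAC_OVERRIDE` test after the `CAP_DAC_READ_SEARCH` one changes evaluation order only, and the reason is nowhere stated; presumably `capable()` is audited in this tree, so a task that only holds `CAP_DAC_READ_SEARCH` should not be charged with a `CAP_DAC_OVERRIDE` lookup. The same motive appears to explain the three-way test in the @@ -687 exec_permission hunk, where `capable_nolog(CAP_DAC_OVERRIDE)` is tried first and the logging `capable(CAP_DAC_OVERRIDE)` is kept last so a denial is recorded once. Put that in a comment here, `/* after CAP_DAC_READ_SEARCH so the audited capable() runs only when the narrower capability does not suffice */`, and at the exec_permission test, `/* capable() last: logs the denial only when no silent check passed */`. Whether the result can differ depends on capable_nolog() sharing capable()'s truth value, which this section does not show.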
32082 @@ -687,7 +687,8 @@ static inline int exec_permission(struct
32083 if (ret == -ECHILD)
32086 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
32087 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
32088 + capable(CAP_DAC_OVERRIDE))
32092 @@ -775,7 +776,7 @@ __do_follow_link(const struct path *link
32093 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
32094 error = PTR_ERR(*p);
32096 - char *s = nd_get_link(nd);
32097 + const char *s = nd_get_link(nd);
32100 error = __vfs_follow_link(nd, s);
32101 @@ -814,6 +815,13 @@ static inline int do_follow_link(struct
32102 err = security_inode_follow_link(path->dentry, nd);
32106 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
32107 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
32112 current->link_count++;
32113 current->total_link_count++;
32115 @@ -1505,13 +1513,36 @@ return_reval:
32117 if (nameidata_drop_rcu_last_maybe(nd))
32120 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
32122 + goto err_and_ret;
32127 if (!(nd->flags & LOOKUP_RCU))
32128 path_put_conditional(&next, nd);
32131 +#ifdef CONFIG_GRKERNSEC
32132 + /* we do this because we can't operate here on an rcu'd dentry,
32133 + acquire a properly-referenced copy
32135 + if (nameidata_drop_rcu_last_maybe(nd))
32139 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
32143 +#ifndef CONFIG_GRKERNSEC
32144 + /* since we convert to ref-walk above, always put the path if we reach
32147 if (!(nd->flags & LOOKUP_RCU))
32149 path_put(&nd->path);
32152 @@ -1738,6 +1769,9 @@ static int do_path_lookup(int dfd, const
32155 if (likely(!retval)) {
32156 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
32159 if (unlikely(!audit_dummy_context())) {
32160 if (nd->path.dentry && nd->inode)
32161 audit_inode(name, nd->path.dentry);
32162 @@ -1789,6 +1823,7 @@ int vfs_path_lookup(struct dentry *dentr
32163 nd->inode = nd->path.dentry->d_inode;
32165 retval = path_walk(name, nd);
32167 if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
32169 audit_inode(name, nd->path.dentry);
32170 @@ -2078,6 +2113,30 @@ int vfs_create(struct inode *dir, struct
32175 + * Note that while the flag value (low two bits) for sys_open means:
32177 + * 01 - write-only
32178 + * 10 - read-write
32180 + * it is changed into
32181 + * 00 - no permissions needed
32182 + * 01 - read-permission
32183 + * 10 - write-permission
32184 + * 11 - read-write
32185 + * for the internal routines (ie open_namei()/follow_link() etc)
32186 + * This is more logical, and also allows the 00 "no perm needed"
32187 + * to be used for symlinks (where the permissions are checked
32191 +static inline int open_to_namei_flags(int flag)
32193 + if ((flag+1) & O_ACCMODE)
32198 int may_open(struct path *path, int acc_mode, int flag)
32200 struct dentry *dentry = path->dentry;
32201 @@ -2126,7 +2185,27 @@ int may_open(struct path *path, int acc_
32203 * Ensure there are no outstanding leases on the file.
32205 - return break_lease(inode, flag);
32206 + error = break_lease(inode, flag);
32211 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
32216 + if (gr_handle_rawio(inode)) {
32221 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
32229 static int handle_truncate(struct file *filp)
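Review bot: The policy checks `gr_handle_rofs_blockwrite`, `gr_handle_rawio` and `gr_acl_handle_open` are placed after `break_lease()`, so an open that the policy then denies has already broken any outstanding lease on the file, a side effect on the lease holder that the denial cannot undo. Unless one of the checks needs state established by break_lease (none of the visible arguments suggests it), move the three checks ahead of it and leave `error = break_lease(inode, flag);` as the last step of may_open. The hunk shows only the guards, not the values assigned to `error` on denial, so the errno each case returns should be confirmed against the full patch.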
32230 @@ -2161,6 +2240,12 @@ static int __open_namei_create(struct na
32233 struct dentry *dir = nd->path.dentry;
32234 + int flag = open_to_namei_flags(open_flag);
32236 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
32241 if (!IS_POSIXACL(dir->d_inode))
32242 mode &= ~current_umask();
32243 @@ -2168,6 +2253,8 @@ static int __open_namei_create(struct na
32246 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
32248 + gr_handle_create(path->dentry, nd->path.mnt);
32250 mutex_unlock(&dir->d_inode->i_mutex);
32251 dput(nd->path.dentry);
32252 @@ -2179,30 +2266,6 @@ out_unlock:
32253 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
32257 - * Note that while the flag value (low two bits) for sys_open means:
32259 - * 01 - write-only
32260 - * 10 - read-write
32262 - * it is changed into
32263 - * 00 - no permissions needed
32264 - * 01 - read-permission
32265 - * 10 - write-permission
32266 - * 11 - read-write
32267 - * for the internal routines (ie open_namei()/follow_link() etc)
32268 - * This is more logical, and also allows the 00 "no perm needed"
32269 - * to be used for symlinks (where the permissions are checked
32273 -static inline int open_to_namei_flags(int flag)
32275 - if ((flag+1) & O_ACCMODE)
32280 static int open_will_truncate(int flag, struct inode *inode)
32283 @@ -2273,6 +2336,7 @@ static struct file *do_last(struct namei
32284 int mode, const char *pathname)
32286 struct dentry *dir = nd->path.dentry;
32287 + int flag = open_to_namei_flags(open_flag);
32289 int error = -EISDIR;
32291 @@ -2351,6 +2415,14 @@ static struct file *do_last(struct namei
32293 * It already exists.
32296 + /* only check if O_CREAT is specified, all other checks need to go
32298 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
32300 + goto exit_mutex_unlock;
32303 mutex_unlock(&dir->d_inode->i_mutex);
32304 audit_inode(pathname, path->dentry);
32306 @@ -2467,6 +2539,7 @@ struct file *do_filp_open(int dfd, const
32307 if (!nd.inode->i_op->lookup)
32311 audit_inode(pathname, nd.path.dentry);
32312 filp = finish_open(&nd, open_flag, acc_mode);
32314 @@ -2500,6 +2573,7 @@ reval:
32316 error = path_walk_simple(pathname, &nd);
32319 if (unlikely(error))
32321 if (unlikely(!audit_dummy_context()))
32322 @@ -2534,6 +2608,11 @@ reval:
32323 error = security_inode_follow_link(link.dentry, &nd);
32326 + if (gr_handle_follow_link(link.dentry->d_parent->d_inode,
32327 + link.dentry->d_inode, link.dentry, nd.path.mnt)) {
32331 error = __do_follow_link(&link, &nd, &cookie);
32332 if (unlikely(error)) {
32333 if (!IS_ERR(cookie) && linki->i_op->put_link)
32334 @@ -2704,6 +2783,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32335 error = may_mknod(mode);
32339 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
32344 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
32349 error = mnt_want_write(nd.path.mnt);
32352 @@ -2724,6 +2814,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32355 mnt_drop_write(nd.path.mnt);
32358 + gr_handle_create(dentry, nd.path.mnt);
32362 @@ -2776,6 +2869,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32363 if (IS_ERR(dentry))
32366 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
32371 if (!IS_POSIXACL(nd.path.dentry->d_inode))
32372 mode &= ~current_umask();
32373 error = mnt_want_write(nd.path.mnt);
32374 @@ -2787,6 +2885,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32375 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
32377 mnt_drop_write(nd.path.mnt);
32380 + gr_handle_create(dentry, nd.path.mnt);
32385 @@ -2866,6 +2968,8 @@ static long do_rmdir(int dfd, const char
32387 struct dentry *dentry;
32388 struct nameidata nd;
32389 + ino_t saved_ino = 0;
32390 + dev_t saved_dev = 0;
32392 error = user_path_parent(dfd, pathname, &nd, &name);
32394 @@ -2890,6 +2994,19 @@ static long do_rmdir(int dfd, const char
32395 error = PTR_ERR(dentry);
32396 if (IS_ERR(dentry))
32399 + if (dentry->d_inode != NULL) {
32400 + if (dentry->d_inode->i_nlink <= 1) {
32401 + saved_ino = dentry->d_inode->i_ino;
32402 + saved_dev = gr_get_dev_from_dentry(dentry);
32405 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
32411 error = mnt_want_write(nd.path.mnt);
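Review bot: The `dentry->d_inode->i_nlink <= 1` guard before recording `saved_ino`/`saved_dev` looks carried over from the unlink path, but on filesystems that count the `.` entry (ext4, xfs) an empty directory has a link count of 2, so there the condition is never true and `gr_handle_delete()` is skipped for every rmdir. A directory that rmdir removes is going away regardless of its link count, so the inner test is unnecessary here: keep only `if (dentry->d_inode != NULL) { saved_ino = dentry->d_inode->i_ino; saved_dev = gr_get_dev_from_dentry(dentry); }`. The unlink hunk at @@ -2978 keeps its `<= 1` test, which is right for regular files that may have other hard links.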
32414 @@ -2897,6 +3014,8 @@ static long do_rmdir(int dfd, const char
32417 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
32418 + if (!error && (saved_dev || saved_ino))
32419 + gr_handle_delete(saved_ino, saved_dev);
32421 mnt_drop_write(nd.path.mnt);
32423 @@ -2959,6 +3078,8 @@ static long do_unlinkat(int dfd, const c
32424 struct dentry *dentry;
32425 struct nameidata nd;
32426 struct inode *inode = NULL;
32427 + ino_t saved_ino = 0;
32428 + dev_t saved_dev = 0;
32430 error = user_path_parent(dfd, pathname, &nd, &name);
32432 @@ -2978,8 +3099,17 @@ static long do_unlinkat(int dfd, const c
32433 if (nd.last.name[nd.last.len])
32435 inode = dentry->d_inode;
32439 + if (inode->i_nlink <= 1) {
32440 + saved_ino = inode->i_ino;
32441 + saved_dev = gr_get_dev_from_dentry(dentry);
32443 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
32448 error = mnt_want_write(nd.path.mnt);
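Review bot: `inode->i_nlink` is dereferenced right after `inode = dentry->d_inode;` with no NULL test visible in this hunk, whereas the parallel do_rmdir hunk guards its access with `if (dentry->d_inode != NULL)`. `lookup_hash()` can hand back a negative dentry here (mainline relies on `vfs_unlink()` → `may_delete()` turning that into -ENOENT), so unless one of the elided lines between the two bails out on `!inode`, unlinking a non-existent name dereferences NULL. Mirror the rmdir form: `if (inode && inode->i_nlink <= 1) {`.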
32451 @@ -2987,6 +3117,8 @@ static long do_unlinkat(int dfd, const c
32454 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
32455 + if (!error && (saved_ino || saved_dev))
32456 + gr_handle_delete(saved_ino, saved_dev);
32458 mnt_drop_write(nd.path.mnt);
32460 @@ -3064,6 +3196,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
32461 if (IS_ERR(dentry))
32464 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
32469 error = mnt_want_write(nd.path.mnt);
32472 @@ -3071,6 +3208,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
32474 goto out_drop_write;
32475 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
32477 + gr_handle_create(dentry, nd.path.mnt);
32479 mnt_drop_write(nd.path.mnt);
32481 @@ -3163,6 +3302,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32482 error = PTR_ERR(new_dentry);
32483 if (IS_ERR(new_dentry))
32486 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
32487 + old_path.dentry->d_inode,
32488 + old_path.dentry->d_inode->i_mode, to)) {
32493 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
32494 + old_path.dentry, old_path.mnt, to)) {
32499 error = mnt_want_write(nd.path.mnt);
32502 @@ -3170,6 +3323,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32504 goto out_drop_write;
32505 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
32507 + gr_handle_create(new_dentry, nd.path.mnt);
32509 mnt_drop_write(nd.path.mnt);
32511 @@ -3403,6 +3558,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32512 if (new_dentry == trap)
32515 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
32516 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
32521 error = mnt_want_write(oldnd.path.mnt);
32524 @@ -3412,6 +3573,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32526 error = vfs_rename(old_dir->d_inode, old_dentry,
32527 new_dir->d_inode, new_dentry);
32529 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
32530 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
32532 mnt_drop_write(oldnd.path.mnt);
32534 diff -urNp linux-2.6.38.1/fs/namespace.c linux-2.6.38.1/fs/namespace.c
32535 --- linux-2.6.38.1/fs/namespace.c 2011-03-14 21:20:32.000000000 -0400
32536 +++ linux-2.6.38.1/fs/namespace.c 2011-03-21 18:31:35.000000000 -0400
32537 @@ -1285,6 +1285,9 @@ static int do_umount(struct vfsmount *mn
32538 if (!(sb->s_flags & MS_RDONLY))
32539 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
32540 up_write(&sb->s_umount);
32542 + gr_log_remount(mnt->mnt_devname, retval);
32547 @@ -1304,6 +1307,9 @@ static int do_umount(struct vfsmount *mn
32548 br_write_unlock(vfsmount_lock);
32549 up_write(&namespace_sem);
32550 release_mounts(&umount_list);
32552 + gr_log_unmount(mnt->mnt_devname, retval);
32557 @@ -2241,6 +2247,16 @@ long do_mount(char *dev_name, char *dir_
32558 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
32561 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
32566 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
32571 if (flags & MS_REMOUNT)
32572 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
32574 @@ -2255,6 +2271,9 @@ long do_mount(char *dev_name, char *dir_
32575 dev_name, data_page);
32579 + gr_log_mount(dev_name, dir_name, retval);
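Review bot: `dev_name` can be NULL at the new call `gr_log_mount(dev_name, dir_name, retval);`, since do_mount is reached with no device string for filesystems that take none, so gr_log_mount must tolerate a NULL first argument; its body is not on the page, so confirm it does not hand the pointer straight to a `%s` conversion. If it does not, guard at the call site, e.g. `gr_log_mount(dev_name ? dev_name : "(none)", dir_name, retval);`. do_mount's body continues outside the hunk on both sides.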
32584 @@ -2483,6 +2502,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
32588 + if (gr_handle_chroot_pivot()) {
32594 get_fs_root(current->fs, &root);
32595 down_write(&namespace_sem);
32596 mutex_lock(&old.dentry->d_inode->i_mutex);
32597 diff -urNp linux-2.6.38.1/fs/nfs/inode.c linux-2.6.38.1/fs/nfs/inode.c
32598 --- linux-2.6.38.1/fs/nfs/inode.c 2011-03-14 21:20:32.000000000 -0400
32599 +++ linux-2.6.38.1/fs/nfs/inode.c 2011-03-21 18:31:35.000000000 -0400
32600 @@ -998,16 +998,16 @@ static int nfs_size_need_update(const st
32601 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
32604 -static atomic_long_t nfs_attr_generation_counter;
32605 +static atomic_long_unchecked_t nfs_attr_generation_counter;
32607 static unsigned long nfs_read_attr_generation_counter(void)
32609 - return atomic_long_read(&nfs_attr_generation_counter);
32610 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
32613 unsigned long nfs_inc_attr_generation_counter(void)
32615 - return atomic_long_inc_return(&nfs_attr_generation_counter);
32616 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
32619 void nfs_fattr_init(struct nfs_fattr *fattr)
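Review bot: Switching nfs_attr_generation_counter to `atomic_long_unchecked_t` exempts it from whatever overflow instrumentation the checked atomic type carries, but nothing on the changed lines records why that is safe for this counter. A one-line comment at the definition, e.g. `/* monotonic generation stamp: wraparound is harmless, so overflow checking is deliberately not wanted here */`, would keep a later reader from "fixing" it back to the checked type. The ocfs2 alloc_stats counters later in this patch receive the same exemption and would benefit from the same note.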
32620 diff -urNp linux-2.6.38.1/fs/nfs/nfs4proc.c linux-2.6.38.1/fs/nfs/nfs4proc.c
32621 --- linux-2.6.38.1/fs/nfs/nfs4proc.c 2011-03-14 21:20:32.000000000 -0400
32622 +++ linux-2.6.38.1/fs/nfs/nfs4proc.c 2011-03-21 18:31:35.000000000 -0400
32623 @@ -1198,7 +1198,7 @@ static int _nfs4_do_open_reclaim(struct
32624 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
32626 struct nfs_server *server = NFS_SERVER(state->inode);
32627 - struct nfs4_exception exception = { };
32628 + struct nfs4_exception exception = {0, 0};
32631 err = _nfs4_do_open_reclaim(ctx, state);
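Review bot: Replacing `= { }` with `= {0, 0}` hard-codes the member count of struct nfs4_exception into each declaration site, and the same replacement is repeated in every following nfs4proc.c hunk on this page. If the struct ever gains a field, each site either warns under -Wmissing-field-initializers or silently relies on implicit zeroing, which the original form did not do. The portable spelling that keeps the intent without the coupling is `struct nfs4_exception exception = {0};`.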
32632 @@ -1240,7 +1240,7 @@ static int _nfs4_open_delegation_recall(
32634 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
32636 - struct nfs4_exception exception = { };
32637 + struct nfs4_exception exception = {0, 0};
32638 struct nfs_server *server = NFS_SERVER(state->inode);
32641 @@ -1615,7 +1615,7 @@ static int _nfs4_open_expired(struct nfs
32642 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
32644 struct nfs_server *server = NFS_SERVER(state->inode);
32645 - struct nfs4_exception exception = { };
32646 + struct nfs4_exception exception = {0, 0};
32650 @@ -1730,7 +1730,7 @@ out_err:
32652 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
32654 - struct nfs4_exception exception = { };
32655 + struct nfs4_exception exception = {0, 0};
32656 struct nfs4_state *res;
32659 @@ -1821,7 +1821,7 @@ static int nfs4_do_setattr(struct inode
32660 struct nfs4_state *state)
32662 struct nfs_server *server = NFS_SERVER(inode);
32663 - struct nfs4_exception exception = { };
32664 + struct nfs4_exception exception = {0, 0};
32667 err = nfs4_handle_exception(server,
32668 @@ -2111,7 +2111,7 @@ static int _nfs4_server_capabilities(str
32670 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
32672 - struct nfs4_exception exception = { };
32673 + struct nfs4_exception exception = {0, 0};
32676 err = nfs4_handle_exception(server,
32677 @@ -2145,7 +2145,7 @@ static int _nfs4_lookup_root(struct nfs_
32678 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
32679 struct nfs_fsinfo *info)
32681 - struct nfs4_exception exception = { };
32682 + struct nfs4_exception exception = {0, 0};
32685 err = nfs4_handle_exception(server,
32686 @@ -2233,7 +2233,7 @@ static int _nfs4_proc_getattr(struct nfs
32688 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32690 - struct nfs4_exception exception = { };
32691 + struct nfs4_exception exception = {0, 0};
32694 err = nfs4_handle_exception(server,
32695 @@ -2321,7 +2321,7 @@ static int nfs4_proc_lookupfh(struct nfs
32696 struct qstr *name, struct nfs_fh *fhandle,
32697 struct nfs_fattr *fattr)
32699 - struct nfs4_exception exception = { };
32700 + struct nfs4_exception exception = {0, 0};
32703 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32704 @@ -2350,7 +2350,7 @@ static int _nfs4_proc_lookup(struct inod
32706 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32708 - struct nfs4_exception exception = { };
32709 + struct nfs4_exception exception = {0, 0};
32712 err = nfs4_handle_exception(NFS_SERVER(dir),
32713 @@ -2417,7 +2417,7 @@ static int _nfs4_proc_access(struct inod
32715 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32717 - struct nfs4_exception exception = { };
32718 + struct nfs4_exception exception = {0, 0};
32721 err = nfs4_handle_exception(NFS_SERVER(inode),
32722 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_readlink(struct in
32723 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32724 unsigned int pgbase, unsigned int pglen)
32726 - struct nfs4_exception exception = { };
32727 + struct nfs4_exception exception = {0, 0};
32730 err = nfs4_handle_exception(NFS_SERVER(inode),
32731 @@ -2568,7 +2568,7 @@ out:
32733 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32735 - struct nfs4_exception exception = { };
32736 + struct nfs4_exception exception = {0, 0};
32739 err = nfs4_handle_exception(NFS_SERVER(dir),
32740 @@ -2673,7 +2673,7 @@ out:
32741 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32742 struct inode *new_dir, struct qstr *new_name)
32744 - struct nfs4_exception exception = { };
32745 + struct nfs4_exception exception = {0, 0};
32748 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32749 @@ -2722,7 +2722,7 @@ out:
32751 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32753 - struct nfs4_exception exception = { };
32754 + struct nfs4_exception exception = {0, 0};
32757 err = nfs4_handle_exception(NFS_SERVER(inode),
32758 @@ -2814,7 +2814,7 @@ out:
32759 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32760 struct page *page, unsigned int len, struct iattr *sattr)
32762 - struct nfs4_exception exception = { };
32763 + struct nfs4_exception exception = {0, 0};
32766 err = nfs4_handle_exception(NFS_SERVER(dir),
32767 @@ -2845,7 +2845,7 @@ out:
32768 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32769 struct iattr *sattr)
32771 - struct nfs4_exception exception = { };
32772 + struct nfs4_exception exception = {0, 0};
32775 sattr->ia_mode &= ~current_umask();
32776 @@ -2899,7 +2899,7 @@ static int _nfs4_proc_readdir(struct den
32777 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32778 u64 cookie, struct page **pages, unsigned int count, int plus)
32780 - struct nfs4_exception exception = { };
32781 + struct nfs4_exception exception = {0, 0};
32784 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32785 @@ -2947,7 +2947,7 @@ out:
32786 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32787 struct iattr *sattr, dev_t rdev)
32789 - struct nfs4_exception exception = { };
32790 + struct nfs4_exception exception = {0, 0};
32793 sattr->ia_mode &= ~current_umask();
32794 @@ -2981,7 +2981,7 @@ static int _nfs4_proc_statfs(struct nfs_
32796 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32798 - struct nfs4_exception exception = { };
32799 + struct nfs4_exception exception = {0, 0};
32802 err = nfs4_handle_exception(server,
32803 @@ -3012,7 +3012,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32805 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32807 - struct nfs4_exception exception = { };
32808 + struct nfs4_exception exception = {0, 0};
32812 @@ -3058,7 +3058,7 @@ static int _nfs4_proc_pathconf(struct nf
32813 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32814 struct nfs_pathconf *pathconf)
32816 - struct nfs4_exception exception = { };
32817 + struct nfs4_exception exception = {0, 0};
32821 @@ -3404,7 +3404,7 @@ out_free:
32823 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32825 - struct nfs4_exception exception = { };
32826 + struct nfs4_exception exception = {0, 0};
32829 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32830 @@ -3479,7 +3479,7 @@ static int __nfs4_proc_set_acl(struct in
32832 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32834 - struct nfs4_exception exception = { };
32835 + struct nfs4_exception exception = {0, 0};
32838 err = nfs4_handle_exception(NFS_SERVER(inode),
32839 @@ -3760,7 +3760,7 @@ out:
32840 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32842 struct nfs_server *server = NFS_SERVER(inode);
32843 - struct nfs4_exception exception = { };
32844 + struct nfs4_exception exception = {0, 0};
32847 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32848 @@ -3834,7 +3834,7 @@ out:
32850 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32852 - struct nfs4_exception exception = { };
32853 + struct nfs4_exception exception = {0, 0};
32857 @@ -4239,7 +4239,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32858 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32860 struct nfs_server *server = NFS_SERVER(state->inode);
32861 - struct nfs4_exception exception = { };
32862 + struct nfs4_exception exception = {0, 0};
32866 @@ -4257,7 +4257,7 @@ static int nfs4_lock_reclaim(struct nfs4
32867 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32869 struct nfs_server *server = NFS_SERVER(state->inode);
32870 - struct nfs4_exception exception = { };
32871 + struct nfs4_exception exception = {0, 0};
32874 err = nfs4_set_lock_state(state, request);
32875 @@ -4321,7 +4321,7 @@ out:
32877 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32879 - struct nfs4_exception exception = { };
32880 + struct nfs4_exception exception = {0, 0};
32884 @@ -4381,7 +4381,7 @@ nfs4_proc_lock(struct file *filp, int cm
32885 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32887 struct nfs_server *server = NFS_SERVER(state->inode);
32888 - struct nfs4_exception exception = { };
32889 + struct nfs4_exception exception = {0, 0};
32892 err = nfs4_set_lock_state(state, fl);
32893 diff -urNp linux-2.6.38.1/fs/nfsd/lockd.c linux-2.6.38.1/fs/nfsd/lockd.c
32894 --- linux-2.6.38.1/fs/nfsd/lockd.c 2011-03-14 21:20:32.000000000 -0400
32895 +++ linux-2.6.38.1/fs/nfsd/lockd.c 2011-03-21 18:31:35.000000000 -0400
32896 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32900 -static struct nlmsvc_binding nfsd_nlm_ops = {
32901 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32902 .fopen = nlm_fopen, /* open file for locking */
32903 .fclose = nlm_fclose, /* close file */
32905 diff -urNp linux-2.6.38.1/fs/nfsd/nfsctl.c linux-2.6.38.1/fs/nfsd/nfsctl.c
32906 --- linux-2.6.38.1/fs/nfsd/nfsctl.c 2011-03-14 21:20:32.000000000 -0400
32907 +++ linux-2.6.38.1/fs/nfsd/nfsctl.c 2011-03-21 18:31:35.000000000 -0400
32908 @@ -180,7 +180,7 @@ static int export_features_open(struct i
32909 return single_open(file, export_features_show, NULL);
32912 -static struct file_operations export_features_operations = {
32913 +static const struct file_operations export_features_operations = {
32914 .open = export_features_open,
32916 .llseek = seq_lseek,
32917 diff -urNp linux-2.6.38.1/fs/nfsd/vfs.c linux-2.6.38.1/fs/nfsd/vfs.c
32918 --- linux-2.6.38.1/fs/nfsd/vfs.c 2011-03-14 21:20:32.000000000 -0400
32919 +++ linux-2.6.38.1/fs/nfsd/vfs.c 2011-03-21 18:31:35.000000000 -0400
32920 @@ -898,7 +898,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32924 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32925 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
32929 @@ -1002,7 +1002,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32931 /* Write the data. */
32932 oldfs = get_fs(); set_fs(KERNEL_DS);
32933 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32934 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32938 @@ -1518,7 +1518,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32941 oldfs = get_fs(); set_fs(KERNEL_DS);
32942 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32943 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32947 diff -urNp linux-2.6.38.1/fs/nls/nls_base.c linux-2.6.38.1/fs/nls/nls_base.c
32948 --- linux-2.6.38.1/fs/nls/nls_base.c 2011-03-14 21:20:32.000000000 -0400
32949 +++ linux-2.6.38.1/fs/nls/nls_base.c 2011-03-21 18:31:35.000000000 -0400
32950 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32951 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32952 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32953 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32954 - {0, /* end of table */}
32955 + {0, 0, 0, 0, 0, /* end of table */}
32958 #define UNICODE_MAX 0x0010ffff
32959 diff -urNp linux-2.6.38.1/fs/ntfs/dir.c linux-2.6.38.1/fs/ntfs/dir.c
32960 --- linux-2.6.38.1/fs/ntfs/dir.c 2011-03-14 21:20:32.000000000 -0400
32961 +++ linux-2.6.38.1/fs/ntfs/dir.c 2011-03-21 18:31:35.000000000 -0400
32962 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
32963 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
32964 ~(s64)(ndir->itype.index.block_size - 1)));
32965 /* Bounds checks. */
32966 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32967 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32968 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
32969 "inode 0x%lx or driver bug.", vdir->i_ino);
32971 diff -urNp linux-2.6.38.1/fs/ntfs/file.c linux-2.6.38.1/fs/ntfs/file.c
32972 --- linux-2.6.38.1/fs/ntfs/file.c 2011-03-14 21:20:32.000000000 -0400
32973 +++ linux-2.6.38.1/fs/ntfs/file.c 2011-03-21 18:31:35.000000000 -0400
32974 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
32975 #endif /* NTFS_RW */
32978 -const struct file_operations ntfs_empty_file_ops = {};
32979 +const struct file_operations ntfs_empty_file_ops __read_only;
32981 -const struct inode_operations ntfs_empty_inode_ops = {};
32982 +const struct inode_operations ntfs_empty_inode_ops __read_only;
32983 diff -urNp linux-2.6.38.1/fs/ocfs2/localalloc.c linux-2.6.38.1/fs/ocfs2/localalloc.c
32984 --- linux-2.6.38.1/fs/ocfs2/localalloc.c 2011-03-14 21:20:32.000000000 -0400
32985 +++ linux-2.6.38.1/fs/ocfs2/localalloc.c 2011-03-21 18:31:35.000000000 -0400
32986 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32990 - atomic_inc(&osb->alloc_stats.moves);
32991 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32995 diff -urNp linux-2.6.38.1/fs/ocfs2/ocfs2.h linux-2.6.38.1/fs/ocfs2/ocfs2.h
32996 --- linux-2.6.38.1/fs/ocfs2/ocfs2.h 2011-03-14 21:20:32.000000000 -0400
32997 +++ linux-2.6.38.1/fs/ocfs2/ocfs2.h 2011-03-21 18:31:35.000000000 -0400
32998 @@ -230,11 +230,11 @@ enum ocfs2_vol_state
33000 struct ocfs2_alloc_stats
33003 - atomic_t local_data;
33004 - atomic_t bitmap_data;
33005 - atomic_t bg_allocs;
33006 - atomic_t bg_extends;
33007 + atomic_unchecked_t moves;
33008 + atomic_unchecked_t local_data;
33009 + atomic_unchecked_t bitmap_data;
33010 + atomic_unchecked_t bg_allocs;
33011 + atomic_unchecked_t bg_extends;
33014 enum ocfs2_local_alloc_state
33015 diff -urNp linux-2.6.38.1/fs/ocfs2/suballoc.c linux-2.6.38.1/fs/ocfs2/suballoc.c
33016 --- linux-2.6.38.1/fs/ocfs2/suballoc.c 2011-03-14 21:20:32.000000000 -0400
33017 +++ linux-2.6.38.1/fs/ocfs2/suballoc.c 2011-03-21 18:31:35.000000000 -0400
33018 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
33019 mlog_errno(status);
33022 - atomic_inc(&osb->alloc_stats.bg_extends);
33023 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
33025 /* You should never ask for this much metadata */
33026 BUG_ON(bits_wanted >
33027 @@ -2012,7 +2012,7 @@ int ocfs2_claim_metadata(handle_t *handl
33028 mlog_errno(status);
33031 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33032 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33034 *suballoc_loc = res.sr_bg_blkno;
33035 *suballoc_bit_start = res.sr_bit_offset;
33036 @@ -2219,7 +2219,7 @@ int ocfs2_claim_new_inode(handle_t *hand
33037 mlog_errno(status);
33040 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33041 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33043 BUG_ON(res.sr_bits != 1);
33045 @@ -2324,7 +2324,7 @@ int __ocfs2_claim_clusters(handle_t *han
33049 - atomic_inc(&osb->alloc_stats.local_data);
33050 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
33052 if (min_clusters > (osb->bitmap_cpg - 1)) {
33053 /* The only paths asking for contiguousness
33054 @@ -2350,7 +2350,7 @@ int __ocfs2_claim_clusters(handle_t *han
33055 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
33057 res.sr_bit_offset);
33058 - atomic_inc(&osb->alloc_stats.bitmap_data);
33059 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
33060 *num_clusters = res.sr_bits;
33063 diff -urNp linux-2.6.38.1/fs/ocfs2/super.c linux-2.6.38.1/fs/ocfs2/super.c
33064 --- linux-2.6.38.1/fs/ocfs2/super.c 2011-03-14 21:20:32.000000000 -0400
33065 +++ linux-2.6.38.1/fs/ocfs2/super.c 2011-03-21 18:31:35.000000000 -0400
33066 @@ -297,11 +297,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
33067 "%10s => GlobalAllocs: %d LocalAllocs: %d "
33068 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
33070 - atomic_read(&osb->alloc_stats.bitmap_data),
33071 - atomic_read(&osb->alloc_stats.local_data),
33072 - atomic_read(&osb->alloc_stats.bg_allocs),
33073 - atomic_read(&osb->alloc_stats.moves),
33074 - atomic_read(&osb->alloc_stats.bg_extends));
33075 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
33076 + atomic_read_unchecked(&osb->alloc_stats.local_data),
33077 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
33078 + atomic_read_unchecked(&osb->alloc_stats.moves),
33079 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
33081 out += snprintf(buf + out, len - out,
33082 "%10s => State: %u Descriptor: %llu Size: %u bits "
33083 @@ -2141,11 +2141,11 @@ static int ocfs2_initialize_super(struct
33084 spin_lock_init(&osb->osb_xattr_lock);
33085 ocfs2_init_steal_slots(osb);
33087 - atomic_set(&osb->alloc_stats.moves, 0);
33088 - atomic_set(&osb->alloc_stats.local_data, 0);
33089 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
33090 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
33091 - atomic_set(&osb->alloc_stats.bg_extends, 0);
33092 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
33093 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
33094 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
33095 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
33096 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
33098 /* Copy the blockcheck stats from the superblock probe */
33099 osb->osb_ecc_stats = *stats;
33100 diff -urNp linux-2.6.38.1/fs/ocfs2/symlink.c linux-2.6.38.1/fs/ocfs2/symlink.c
33101 --- linux-2.6.38.1/fs/ocfs2/symlink.c 2011-03-14 21:20:32.000000000 -0400
33102 +++ linux-2.6.38.1/fs/ocfs2/symlink.c 2011-03-21 18:31:35.000000000 -0400
33103 @@ -148,7 +148,7 @@ bail:
33105 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33107 - char *link = nd_get_link(nd);
33108 + const char *link = nd_get_link(nd);
33112 diff -urNp linux-2.6.38.1/fs/open.c linux-2.6.38.1/fs/open.c
33113 --- linux-2.6.38.1/fs/open.c 2011-03-14 21:20:32.000000000 -0400
33114 +++ linux-2.6.38.1/fs/open.c 2011-03-21 18:31:35.000000000 -0400
33115 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
33116 error = locks_verify_truncate(inode, NULL, length);
33118 error = security_path_truncate(&path);
33120 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
33124 error = do_truncate(path.dentry, length, 0, NULL);
33126 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
33127 if (__mnt_is_readonly(path.mnt))
33130 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
33136 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
33140 + gr_log_chdir(path.dentry, path.mnt);
33142 set_fs_pwd(current->fs, &path);
33145 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
33148 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
33150 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
33154 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
33157 set_fs_pwd(current->fs, &file->f_path);
33159 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
33163 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
33164 + goto dput_and_out;
33166 + if (gr_handle_chroot_caps(&path)) {
33168 + goto dput_and_out;
33171 set_fs_root(current->fs, &path);
33173 + gr_handle_chroot_chdir(&path);
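Review bot: `goto dput_and_out;` after `gr_handle_chroot_chroot(path.dentry, path.mnt)` does not assign `error`, so the syscall's return value on that path is whatever the preceding check left in it (presumably the -EPERM from the capability test just above, which the page elides); the `gr_handle_chroot_caps` branch immediately below does assign before jumping, so the two new branches are inconsistent. Make the failure code explicit: `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`. If a different errno is intended, a comment on the hook call should say so. sys_chroot's body starts before the hunk.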
33178 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
33179 err = mnt_want_write_file(file);
33183 mutex_lock(&inode->i_mutex);
33185 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
33190 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
33193 if (mode == (mode_t) -1)
33194 mode = inode->i_mode;
33196 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
33201 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33202 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33203 err = notify_change(dentry, &newattrs);
33204 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
33205 error = mnt_want_write(path.mnt);
33209 mutex_lock(&inode->i_mutex);
33211 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
33216 error = security_path_chmod(path.dentry, path.mnt, mode);
33219 if (mode == (mode_t) -1)
33220 mode = inode->i_mode;
33222 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
33227 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33228 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33229 error = notify_change(path.dentry, &newattrs);
33230 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
33232 struct iattr newattrs;
33234 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
33237 newattrs.ia_valid = ATTR_CTIME;
33238 if (user != (uid_t) -1) {
33239 newattrs.ia_valid |= ATTR_UID;
33240 @@ -898,7 +954,10 @@ long do_sys_open(int dfd, const char __u
33241 if (!IS_ERR(tmp)) {
33242 fd = get_unused_fd_flags(flags);
33244 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
33246 + /* don't allow to be set by userland */
33247 + flags &= ~FMODE_GREXEC;
33248 + f = do_filp_open(dfd, tmp, flags, mode, 0);
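Review bot: The comment `/* don't allow to be set by userland */` on the new mask does not say what is being protected or why an f_mode bit is being stripped from the open flags word; presumably the user-supplied flags are later folded into f_mode, but that is not visible here. A comment such as `/* FMODE_GREXEC is kernel-internal state; strip it so a caller cannot pre-set it through the open flags */` documents the reason. The `struct file *f` declaration that replaced the initialised one is outside the shown lines, as is the rest of do_sys_open.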
33252 diff -urNp linux-2.6.38.1/fs/partitions/ldm.c linux-2.6.38.1/fs/partitions/ldm.c
33253 --- linux-2.6.38.1/fs/partitions/ldm.c 2011-03-14 21:20:32.000000000 -0400
33254 +++ linux-2.6.38.1/fs/partitions/ldm.c 2011-03-21 18:31:35.000000000 -0400
33255 @@ -1313,7 +1313,7 @@ static bool ldm_frag_add (const u8 *data
33259 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
33260 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
33262 ldm_crit ("Out of memory.");
33264 diff -urNp linux-2.6.38.1/fs/pipe.c linux-2.6.38.1/fs/pipe.c
33265 --- linux-2.6.38.1/fs/pipe.c 2011-03-14 21:20:32.000000000 -0400
33266 +++ linux-2.6.38.1/fs/pipe.c 2011-03-21 18:31:35.000000000 -0400
33267 @@ -420,9 +420,9 @@ redo:
33269 if (bufs) /* More to do? */
33271 - if (!pipe->writers)
33272 + if (!atomic_read(&pipe->writers))
33274 - if (!pipe->waiting_writers) {
33275 + if (!atomic_read(&pipe->waiting_writers)) {
33276 /* syscall merging: Usually we must not sleep
33277 * if O_NONBLOCK is set, or if we got some data.
33278 * But if a writer sleeps in kernel space, then
33279 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
33280 mutex_lock(&inode->i_mutex);
33281 pipe = inode->i_pipe;
33283 - if (!pipe->readers) {
33284 + if (!atomic_read(&pipe->readers)) {
33285 send_sig(SIGPIPE, current, 0);
33288 @@ -530,7 +530,7 @@ redo1:
33292 - if (!pipe->readers) {
33293 + if (!atomic_read(&pipe->readers)) {
33294 send_sig(SIGPIPE, current, 0);
33297 @@ -616,9 +616,9 @@ redo2:
33298 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
33301 - pipe->waiting_writers++;
33302 + atomic_inc(&pipe->waiting_writers);
33304 - pipe->waiting_writers--;
33305 + atomic_dec(&pipe->waiting_writers);
33308 mutex_unlock(&inode->i_mutex);
33309 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
33311 if (filp->f_mode & FMODE_READ) {
33312 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
33313 - if (!pipe->writers && filp->f_version != pipe->w_counter)
33314 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
33318 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
33319 * Most Unices do not set POLLERR for FIFOs but on Linux they
33320 * behave exactly like pipes for poll().
33322 - if (!pipe->readers)
33323 + if (!atomic_read(&pipe->readers))
33327 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
33329 mutex_lock(&inode->i_mutex);
33330 pipe = inode->i_pipe;
33331 - pipe->readers -= decr;
33332 - pipe->writers -= decw;
33333 + atomic_sub(decr, &pipe->readers);
33334 + atomic_sub(decw, &pipe->writers);
33336 - if (!pipe->readers && !pipe->writers) {
33337 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
33338 free_pipe_info(inode);
33340 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
33341 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
33343 if (inode->i_pipe) {
33345 - inode->i_pipe->readers++;
33346 + atomic_inc(&inode->i_pipe->readers);
33349 mutex_unlock(&inode->i_mutex);
33350 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
33352 if (inode->i_pipe) {
33354 - inode->i_pipe->writers++;
33355 + atomic_inc(&inode->i_pipe->writers);
33358 mutex_unlock(&inode->i_mutex);
33359 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
33360 if (inode->i_pipe) {
33362 if (filp->f_mode & FMODE_READ)
33363 - inode->i_pipe->readers++;
33364 + atomic_inc(&inode->i_pipe->readers);
33365 if (filp->f_mode & FMODE_WRITE)
33366 - inode->i_pipe->writers++;
33367 + atomic_inc(&inode->i_pipe->writers);
33370 mutex_unlock(&inode->i_mutex);
33371 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
33372 inode->i_pipe = NULL;
33375 -static struct vfsmount *pipe_mnt __read_mostly;
33376 +struct vfsmount *pipe_mnt __read_mostly;
33379 * pipefs_dname() is called from d_path().
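Review bot: Dropping `static` from `pipe_mnt` widens its linkage to the whole kernel, but no `extern` declaration or header change is visible in this hunk and no comment says which other unit needs it. Add the declaration to the header the consumer includes and put a short why-comment on the definition, e.g. `/* non-static: referenced by [consuming file - placeholder] */`, so the exported global has a documented owner. If the consumer only needs to read it, a small accessor function would keep the pointer itself file-local.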
33380 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
33382 inode->i_pipe = pipe;
33384 - pipe->readers = pipe->writers = 1;
33385 + atomic_set(&pipe->readers, 1);
33386 + atomic_set(&pipe->writers, 1);
33387 inode->i_fop = &rdwr_pipefifo_fops;
33390 diff -urNp linux-2.6.38.1/fs/proc/array.c linux-2.6.38.1/fs/proc/array.c
33391 --- linux-2.6.38.1/fs/proc/array.c 2011-03-14 21:20:32.000000000 -0400
33392 +++ linux-2.6.38.1/fs/proc/array.c 2011-03-21 18:31:35.000000000 -0400
33394 #include <linux/tty.h>
33395 #include <linux/string.h>
33396 #include <linux/mman.h>
33397 +#include <linux/grsecurity.h>
33398 #include <linux/proc_fs.h>
33399 #include <linux/ioport.h>
33400 #include <linux/uaccess.h>
33401 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
33405 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33406 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
33409 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
33410 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
33411 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
33412 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
33413 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
33414 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
33416 + seq_printf(m, "PaX:\t-----\n");
33420 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
33421 struct pid *pid, struct task_struct *task)
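Review bot: task_pax reads `p->mm` and then `p->mm->pax_flags` directly, whereas the other per-task /proc helpers take the mm through get_task_mm()/task_lock so that a concurrently exiting task cannot free it between the NULL test and the dereference; the elided line before the seq_printf presumably tests `p->mm` but is not shown to pin it. If the caller holds no lock, take the reference first: `struct mm_struct *mm = get_task_mm(p);`, test `mm` and read `mm->pax_flags`, then `mmput(mm);`. The function's braces and its else branch are not shown on the page.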
33423 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
33424 cpuset_task_status_allowed(m, task);
33425 task_vs_id(m, task);
33426 task_context_switch_counts(m, task);
33428 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33429 + task_pax(m, task);
33432 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
33433 + task_grsec_rbac(m, task);
33439 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33440 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33441 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33442 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33445 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
33446 struct pid *pid, struct task_struct *task, int whole)
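Review bot: `PAX_RAND_FLAGS(_mm)` uses its argument unparenthesised in `_mm != NULL`, `_mm != current->mm` and `_mm->pax_flags`, so any caller that passes an expression rather than a plain identifier expands wrongly; the visible callers pass `mm`, but the macro should still read `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. That form also turns the two separate `&` terms joined by `||` into a single flag test and no longer depends on the reader knowing the relative precedence of `&` and `||`. A one-line comment stating what a true result means for the fields it guards (the callers in do_task_stat substitute placeholder values) would document the macro's purpose.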
33448 @@ -449,6 +480,19 @@ static int do_task_stat(struct seq_file
33449 gtime = task->gtime;
33452 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33453 + if (PAX_RAND_FLAGS(mm)) {
33459 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33465 /* scale priority and nice values from timeslices to -20..20 */
33466 /* to make it look like a "normal" Unix priority/nice value */
33467 priority = task_prio(task);
33468 @@ -489,9 +533,15 @@ static int do_task_stat(struct seq_file
33470 mm ? get_mm_rss(mm) : 0,
33472 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33473 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
33474 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
33475 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
33477 mm ? (permitted ? mm->start_code : 1) : 0,
33478 mm ? (permitted ? mm->end_code : 1) : 0,
33479 (permitted && mm) ? mm->start_stack : 0,
33483 /* The signal information here is obsolete.
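Review bot: The three `PAX_RAND_FLAGS(mm) ? …` expressions at L20834–L20836 yield exactly what the original expressions (kept in the `#else` arm, L20837–L20839) yield when `permitted` is false — 1, 1 and 0 — so the `#ifdef`/`#else` duplication can be replaced by clearing the flag once before the seq_printf: `if (PAX_RAND_FLAGS(mm)) permitted = 0;` under the same `#ifdef`. That holds only if nothing later in do_task_stat (outside this hunk) uses `permitted` for a field that should stay visible to the reader, which this view cannot confirm. The function begins before and ends after the hunk.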
33484 @@ -544,3 +594,10 @@ int proc_pid_statm(struct seq_file *m, s
33489 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33490 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
33492 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
33495 diff -urNp linux-2.6.38.1/fs/proc/base.c linux-2.6.38.1/fs/proc/base.c
33496 --- linux-2.6.38.1/fs/proc/base.c 2011-03-14 21:20:32.000000000 -0400
33497 +++ linux-2.6.38.1/fs/proc/base.c 2011-03-26 11:59:10.000000000 -0400
33498 @@ -104,6 +104,22 @@ struct pid_entry {
33502 +struct getdents_callback {
33503 + struct linux_dirent __user * current_dir;
33504 + struct linux_dirent __user * previous;
33505 + struct file * file;
33510 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
33511 + loff_t offset, u64 ino, unsigned int d_type)
33513 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
33514 + buf->error = -EINVAL;
33518 #define NOD(NAME, MODE, IOP, FOP, OP) { \
33520 .len = sizeof(NAME) - 1, \
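Review bot: `gr_fake_filldir` (L20853–L20856) casts the opaque `__buf` to the private `struct getdents_callback` copied here from fs/readdir.c (L20849–L20852 versus L21357–L21360) and stores into `buf->error`; proc_pid_readdir is reached from every vfs_readdir caller, and the old_readdir path (`struct readdir_callback`, L21345–L21347) and, if present, the compat entry points hand in differently laid-out structs, so that store lands in an unrelated field or past the end of the caller's stack object. A filldir callback needs only its return value to skip an entry, so the safe form drops the cast, the store and the duplicated struct and is just `return 0;`; if an -EINVAL result is genuinely required it has to travel through a field every caller shares. The compat callback structs are not in this view.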
33521 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
33522 if (task == current)
33525 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
33529 * If current is actively ptrace'ing, and would also be
33530 * permitted to freshly attach with ptrace now, permit it.
33531 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
33533 goto out_mm; /* Shh! No looking before we're done */
33535 + if (gr_acl_handle_procpidmem(task))
33538 len = mm->arg_end - mm->arg_start;
33540 if (len > PAGE_SIZE)
33541 @@ -277,12 +299,28 @@ out:
33545 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33546 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33547 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33548 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33551 static int proc_pid_auxv(struct task_struct *task, char *buffer)
33554 struct mm_struct *mm = get_task_mm(task);
33556 unsigned int nwords = 0;
33558 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33559 + /* allow if we're currently ptracing this task */
33560 + if (PAX_RAND_FLAGS(mm) &&
33561 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
33569 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
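Review bot: The early exit inside the new `PAX_RAND_FLAGS(mm) && …` branch (L20879–L20880) comes after `get_task_mm(task)` at L20875, so it must `mmput(mm)` before returning; the branch body is not visible in this view, so confirm it does. `task->ptrace` and `task->parent` are also read without tasklist_lock or a ptrace helper, which is acceptable for a best-effort filter but should be said where the comment already is, e.g. `/* allow if we're currently ptracing this task (unlocked, best effort) */`. proc_pid_auxv continues past the hunk.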
33570 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
33574 -#ifdef CONFIG_KALLSYMS
33575 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33577 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
33578 * Returns the resolved symbol. If that fails, simply return the address.
33579 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
33581 #endif /* CONFIG_KALLSYMS */
33583 -#ifdef CONFIG_STACKTRACE
33584 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33586 #define MAX_STACK_TRACE_DEPTH 64
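Review bot: The `#endif /* CONFIG_KALLSYMS */` at L20888 now closes a condition that reads `defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` (L20884), so the trailer names only half of it; update it to `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and give the matching `#endif` of the new STACKTRACE condition at L20890 (outside this hunk) the same treatment.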
33588 @@ -503,7 +541,7 @@ static int proc_pid_limits(struct task_s
33592 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33593 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33594 static int proc_pid_syscall(struct task_struct *task, char *buffer)
33597 @@ -528,7 +566,7 @@ static int proc_pid_syscall(struct task_
33598 /************************************************************************/
33600 /* permission checks */
33601 -static int proc_fd_access_allowed(struct inode *inode)
33602 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
33604 struct task_struct *task;
33606 @@ -538,7 +576,10 @@ static int proc_fd_access_allowed(struct
33608 task = get_proc_task(inode);
33610 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
33612 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
33614 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
33615 put_task_struct(task);
33618 @@ -917,6 +958,9 @@ static ssize_t environ_read(struct file
33622 + if (gr_acl_handle_procpidmem(task))
33625 if (!ptrace_may_access(task, PTRACE_MODE_READ))
33628 @@ -1606,7 +1650,7 @@ static void *proc_pid_follow_link(struct
33629 path_put(&nd->path);
33631 /* Are we allowed to snoop on the tasks file descriptors? */
33632 - if (!proc_fd_access_allowed(inode))
33633 + if (!proc_fd_access_allowed(inode,0))
33636 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
33637 @@ -1645,8 +1689,18 @@ static int proc_pid_readlink(struct dent
33640 /* Are we allowed to snoop on the tasks file descriptors? */
33641 - if (!proc_fd_access_allowed(inode))
33643 + /* logging this is needed for learning on chromium to work properly,
33644 + but we don't want to flood the logs from 'ps' which does a readlink
33645 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
33646 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
33648 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
33649 + if (!proc_fd_access_allowed(inode,0))
33652 + if (!proc_fd_access_allowed(inode,1))
33656 error = PROC_I(inode)->op.proc_get_link(inode, &path);
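Review bot: The two branches at L20924–L20926 differ only in the `log` argument, so the fd-2 special case can be folded into that argument: `unsigned int log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by a single `if (!proc_fd_access_allowed(inode, log))`. The comment at L20920–L20923 explains the 'ps' rationale well and would sit naturally on that one line; the new `log` parameter of proc_fd_access_allowed (L20900) also deserves a one-line comment at its definition saying that a non-zero value routes the check through `ptrace_may_access_log`. proc_pid_readlink continues outside the hunk.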
33658 @@ -1712,7 +1766,11 @@ static struct inode *proc_pid_make_inode
33660 cred = __task_cred(task);
33661 inode->i_uid = cred->euid;
33662 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33663 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33665 inode->i_gid = cred->egid;
33669 security_task_to_inode(task, inode);
33670 @@ -1730,6 +1788,9 @@ static int pid_getattr(struct vfsmount *
33671 struct inode *inode = dentry->d_inode;
33672 struct task_struct *task;
33673 const struct cred *cred;
33674 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33675 + const struct cred *tmpcred = current_cred();
33678 generic_fillattr(inode, stat);
33680 @@ -1737,12 +1798,34 @@ static int pid_getattr(struct vfsmount *
33683 task = pid_task(proc_pid(inode), PIDTYPE_PID);
33685 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
33686 + rcu_read_unlock();
33691 + cred = __task_cred(task);
33692 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33693 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
33694 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33695 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33699 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33700 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33701 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33702 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33703 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33705 task_dumpable(task)) {
33706 - cred = __task_cred(task);
33707 stat->uid = cred->euid;
33708 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33709 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
33711 stat->gid = cred->egid;
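Review bot: The owner/group visibility predicate at L20948–L20950 (`!tmpcred->uid || tmpcred->uid == cred->uid || in_group_p(CONFIG_GRKERNSEC_PROC_GID)`) is spelled out inline with nested `#ifdef`s, and its negation appears again in proc_pid_readdir (L21054–L21056) with a variant in fs/proc/proc_net.c (L21195); one `static inline bool` in fs/proc/internal.h taking the target's `const struct cred *` would keep the three sites in step and confine the `#ifdef` nesting to a single place. The directory-mode test at L20951–L20955 is likewise repeated in pid_revalidate (L20963–L20967) and could share a macro. pid_getattr continues outside the hunk.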
33716 @@ -1780,11 +1863,20 @@ static int pid_revalidate(struct dentry
33719 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33720 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33721 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33722 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33723 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33725 task_dumpable(task)) {
33727 cred = __task_cred(task);
33728 inode->i_uid = cred->euid;
33729 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33730 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33732 inode->i_gid = cred->egid;
33737 @@ -1905,7 +1997,8 @@ static int proc_fd_info(struct inode *in
33738 int fd = proc_fd(inode);
33741 - files = get_files_struct(task);
33742 + if (!gr_acl_handle_procpidmem(task))
33743 + files = get_files_struct(task);
33744 put_task_struct(task);
33747 @@ -2165,15 +2258,25 @@ static const struct file_operations proc
33749 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
33751 + struct task_struct *task;
33754 if (flags & IPERM_FLAG_RCU)
33756 rv = generic_permission(inode, mask, flags, NULL);
33760 if (task_pid(current) == proc_pid(inode))
33763 + task = get_proc_task(inode);
33764 + if (task == NULL)
33767 + if (gr_acl_handle_procpidmem(task))
33770 + put_task_struct(task);
33775 @@ -2283,6 +2386,9 @@ static struct dentry *proc_pident_lookup
33779 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33783 * Yes, it does not scale. And it should not. Don't add
33784 * new entries into /proc/<tgid>/ without very good reasons.
33785 @@ -2327,6 +2433,9 @@ static int proc_pident_readdir(struct fi
33789 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33795 @@ -2597,7 +2706,7 @@ static void *proc_self_follow_link(struc
33796 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
33799 - char *s = nd_get_link(nd);
33800 + const char *s = nd_get_link(nd);
33804 @@ -2777,7 +2886,7 @@ static const struct pid_entry tgid_base_
33805 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
33807 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33808 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33809 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33810 INF("syscall", S_IRUSR, proc_pid_syscall),
33812 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33813 @@ -2802,10 +2911,10 @@ static const struct pid_entry tgid_base_
33814 #ifdef CONFIG_SECURITY
33815 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33817 -#ifdef CONFIG_KALLSYMS
33818 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33819 INF("wchan", S_IRUGO, proc_pid_wchan),
33821 -#ifdef CONFIG_STACKTRACE
33822 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33823 ONE("stack", S_IRUSR, proc_pid_stack),
33825 #ifdef CONFIG_SCHEDSTATS
33826 @@ -2836,6 +2945,9 @@ static const struct pid_entry tgid_base_
33827 INF("io", S_IRUGO, proc_tgid_io_accounting),
33829 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
33830 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33831 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33835 static int proc_tgid_base_readdir(struct file * filp,
33836 @@ -2961,7 +3073,14 @@ static struct dentry *proc_pid_instantia
33840 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33841 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33842 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33843 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33844 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33846 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33848 inode->i_op = &proc_tgid_base_inode_operations;
33849 inode->i_fop = &proc_tgid_base_operations;
33850 inode->i_flags|=S_IMMUTABLE;
33851 @@ -3003,7 +3122,11 @@ struct dentry *proc_pid_lookup(struct in
33855 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33856 + goto out_put_task;
33858 result = proc_pid_instantiate(dir, dentry, task, NULL);
33860 put_task_struct(task);
33863 @@ -3068,6 +3191,11 @@ int proc_pid_readdir(struct file * filp,
33865 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33866 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33867 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33868 + const struct cred *tmpcred = current_cred();
33869 + const struct cred *itercred;
33871 + filldir_t __filldir = filldir;
33872 struct tgid_iter iter;
33873 struct pid_namespace *ns;
33875 @@ -3086,8 +3214,27 @@ int proc_pid_readdir(struct file * filp,
33876 for (iter = next_tgid(ns, iter);
33878 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33879 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33881 + itercred = __task_cred(iter.task);
33883 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33884 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33885 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33886 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33887 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33892 + __filldir = &gr_fake_filldir;
33894 + __filldir = filldir;
33895 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33896 + rcu_read_unlock();
33898 filp->f_pos = iter.tgid + TGID_OFFSET;
33899 if (!vx_proc_task_visible(iter.task))
33901 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33902 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33903 put_task_struct(iter.task);
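Review bot: For a task that fails the visibility test, `__filldir` is switched to `gr_fake_filldir` (L21057) and proc_pid_fill_cache is still invoked with it (L21064), so every hidden pid still pays for a dentry lookup/instantiate only to have the entry discarded; unless the `buf->error = -EINVAL` side effect of the fake callback is relied upon, advancing `filp->f_pos` (L21061) and moving to the next iteration for hidden tasks achieves the same listing without touching the caller's buffer. `itercred` (L21051) is only valid under rcu_read_lock; the matching lock is presumably on the line before L21051, which this view does not show. The loop's remaining body is outside the hunk.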
33904 @@ -3114,7 +3261,7 @@ static const struct pid_entry tid_base_s
33905 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33907 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33908 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33909 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33910 INF("syscall", S_IRUSR, proc_pid_syscall),
33912 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33913 @@ -3138,10 +3285,10 @@ static const struct pid_entry tid_base_s
33914 #ifdef CONFIG_SECURITY
33915 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33917 -#ifdef CONFIG_KALLSYMS
33918 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33919 INF("wchan", S_IRUGO, proc_pid_wchan),
33921 -#ifdef CONFIG_STACKTRACE
33922 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33923 ONE("stack", S_IRUSR, proc_pid_stack),
33925 #ifdef CONFIG_SCHEDSTATS
33926 diff -urNp linux-2.6.38.1/fs/proc/cmdline.c linux-2.6.38.1/fs/proc/cmdline.c
33927 --- linux-2.6.38.1/fs/proc/cmdline.c 2011-03-14 21:20:32.000000000 -0400
33928 +++ linux-2.6.38.1/fs/proc/cmdline.c 2011-03-21 18:31:35.000000000 -0400
33929 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33931 static int __init proc_cmdline_init(void)
33933 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33934 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33936 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33940 module_init(proc_cmdline_init);
33941 diff -urNp linux-2.6.38.1/fs/proc/devices.c linux-2.6.38.1/fs/proc/devices.c
33942 --- linux-2.6.38.1/fs/proc/devices.c 2011-03-14 21:20:32.000000000 -0400
33943 +++ linux-2.6.38.1/fs/proc/devices.c 2011-03-21 18:31:35.000000000 -0400
33944 @@ -64,7 +64,11 @@ static const struct file_operations proc
33946 static int __init proc_devices_init(void)
33948 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33949 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33951 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33955 module_init(proc_devices_init);
33956 diff -urNp linux-2.6.38.1/fs/proc/inode.c linux-2.6.38.1/fs/proc/inode.c
33957 --- linux-2.6.38.1/fs/proc/inode.c 2011-03-14 21:20:32.000000000 -0400
33958 +++ linux-2.6.38.1/fs/proc/inode.c 2011-03-21 18:31:35.000000000 -0400
33959 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
33961 inode->i_mode = de->mode;
33962 inode->i_uid = de->uid;
33963 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33964 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33966 inode->i_gid = de->gid;
33970 inode->i_size = de->size;
33971 diff -urNp linux-2.6.38.1/fs/proc/internal.h linux-2.6.38.1/fs/proc/internal.h
33972 --- linux-2.6.38.1/fs/proc/internal.h 2011-03-14 21:20:32.000000000 -0400
33973 +++ linux-2.6.38.1/fs/proc/internal.h 2011-03-21 18:31:35.000000000 -0400
33974 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33975 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33976 struct pid *pid, struct task_struct *task);
33978 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33979 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33981 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33983 extern const struct file_operations proc_maps_operations;
33984 diff -urNp linux-2.6.38.1/fs/proc/Kconfig linux-2.6.38.1/fs/proc/Kconfig
33985 --- linux-2.6.38.1/fs/proc/Kconfig 2011-03-14 21:20:32.000000000 -0400
33986 +++ linux-2.6.38.1/fs/proc/Kconfig 2011-03-21 18:31:35.000000000 -0400
33987 @@ -30,12 +30,12 @@ config PROC_FS
33990 bool "/proc/kcore support" if !ARM
33991 - depends on PROC_FS && MMU
33992 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33995 bool "/proc/vmcore support"
33996 - depends on PROC_FS && CRASH_DUMP
33998 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
34001 Exports the dump image of crashed kernel in ELF format.
34003 @@ -59,8 +59,8 @@ config PROC_SYSCTL
34006 config PROC_PAGE_MONITOR
34008 - depends on PROC_FS && MMU
34010 + depends on PROC_FS && MMU && !GRKERNSEC
34011 bool "Enable /proc page monitoring" if EXPERT
34013 Various /proc files exist to monitor process memory utilization:
34014 diff -urNp linux-2.6.38.1/fs/proc/kcore.c linux-2.6.38.1/fs/proc/kcore.c
34015 --- linux-2.6.38.1/fs/proc/kcore.c 2011-03-14 21:20:32.000000000 -0400
34016 +++ linux-2.6.38.1/fs/proc/kcore.c 2011-03-21 18:31:35.000000000 -0400
34017 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
34018 * the addresses in the elf_phdr on our list.
34020 start = kc_offset_to_vaddr(*fpos - elf_buflen);
34021 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
34022 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
34023 + if (tsz > buflen)
34028 struct kcore_list *m;
34030 @@ -509,20 +510,23 @@ read_kcore(struct file *file, char __use
34033 if (kern_addr_valid(start)) {
34036 + mm_segment_t oldfs;
34038 - n = copy_to_user(buffer, (char *)start, tsz);
34040 - * We cannot distingush between fault on source
34041 - * and fault on destination. When this happens
34042 - * we clear too and hope it will trigger the
34046 - if (clear_user(buffer + tsz - n,
34048 + elf_buf = kmalloc(tsz, GFP_KERNEL);
34051 + oldfs = get_fs();
34052 + set_fs(KERNEL_DS);
34053 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
34055 + if (copy_to_user(buffer, elf_buf, tsz)) {
34063 if (clear_user(buffer, tsz))
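Review bot: `elf_buf` is kmalloc'd with the chunk size on every pass of read_kcore's copy loop (L21156), and the widened address limit set at L21158 must be restored on every exit path; the `set_fs(oldfs)`, `kfree(elf_buf)` and the kmalloc failure check are on lines not shown in this view, so confirm all three are present for both the copy-success and the copy-failure branch (L21159–L21160). Since `tsz` never exceeds PAGE_SIZE (it is clamped in the preceding hunk, L21145–L21146), a single allocation before the loop, freed after it, would avoid a per-chunk kmalloc and shrink the window in which KERNEL_DS is in effect to the one `__copy_from_user` call. The enclosing function continues outside the hunk.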
34065 @@ -542,6 +546,9 @@ read_kcore(struct file *file, char __use
34067 static int open_kcore(struct inode *inode, struct file *filp)
34069 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
34072 if (!capable(CAP_SYS_RAWIO))
34074 if (kcore_need_update)
34075 diff -urNp linux-2.6.38.1/fs/proc/meminfo.c linux-2.6.38.1/fs/proc/meminfo.c
34076 --- linux-2.6.38.1/fs/proc/meminfo.c 2011-03-14 21:20:32.000000000 -0400
34077 +++ linux-2.6.38.1/fs/proc/meminfo.c 2011-03-21 18:31:35.000000000 -0400
34078 @@ -157,7 +157,7 @@ static int meminfo_proc_show(struct seq_
34080 vmi.largest_chunk >> 10
34081 #ifdef CONFIG_MEMORY_FAILURE
34082 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
34083 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
34085 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
34086 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
34087 diff -urNp linux-2.6.38.1/fs/proc/nommu.c linux-2.6.38.1/fs/proc/nommu.c
34088 --- linux-2.6.38.1/fs/proc/nommu.c 2011-03-14 21:20:32.000000000 -0400
34089 +++ linux-2.6.38.1/fs/proc/nommu.c 2011-03-21 18:31:35.000000000 -0400
34090 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
34093 seq_printf(m, "%*c", len, ' ');
34094 - seq_path(m, &file->f_path, "");
34095 + seq_path(m, &file->f_path, "\n\\");
34099 diff -urNp linux-2.6.38.1/fs/proc/proc_net.c linux-2.6.38.1/fs/proc/proc_net.c
34100 --- linux-2.6.38.1/fs/proc/proc_net.c 2011-03-14 21:20:32.000000000 -0400
34101 +++ linux-2.6.38.1/fs/proc/proc_net.c 2011-03-21 18:31:35.000000000 -0400
34102 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
34103 struct task_struct *task;
34104 struct nsproxy *ns;
34105 struct net *net = NULL;
34106 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34107 + const struct cred *cred = current_cred();
34110 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34113 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34114 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
34119 task = pid_task(proc_pid(dir), PIDTYPE_PID);
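Review bot: The visibility test at L21195 compares `cred->fsuid`, whereas pid_getattr (L20948) and proc_pid_readdir (L21054) compare `uid`; a process whose real and filesystem uids differ (a setuid helper, or one that called setfsuid) gets a different answer for /proc/pid/net than for /proc/pid itself. Pick one credential — `uid` matches the other two sites — or add a comment giving the reason if fsuid is deliberate here. The CONFIG_GRKERNSEC_PROC_USER arm (L21193) is not shown in this view.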
34120 diff -urNp linux-2.6.38.1/fs/proc/proc_sysctl.c linux-2.6.38.1/fs/proc/proc_sysctl.c
34121 --- linux-2.6.38.1/fs/proc/proc_sysctl.c 2011-03-14 21:20:32.000000000 -0400
34122 +++ linux-2.6.38.1/fs/proc/proc_sysctl.c 2011-03-21 18:31:35.000000000 -0400
34124 #include <linux/namei.h>
34125 #include "internal.h"
34127 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
34129 static const struct dentry_operations proc_sys_dentry_operations;
34130 static const struct file_operations proc_sys_file_operations;
34131 static const struct inode_operations proc_sys_inode_operations;
34132 @@ -112,6 +114,9 @@ static struct dentry *proc_sys_lookup(st
34136 + if (gr_handle_sysctl(p, MAY_EXEC))
34139 err = ERR_PTR(-ENOMEM);
34140 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
34142 @@ -231,6 +236,9 @@ static int scan(struct ctl_table_header
34143 if (*pos < file->f_pos)
34146 + if (gr_handle_sysctl(table, 0))
34149 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
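Review bot: `gr_handle_sysctl(table, 0)` at L21212 passes a bare 0 as the op where proc_sys_lookup (L21207) and proc_sys_getattr (L21216) pass `MAY_EXEC`; with `op` declared as a plain `int` (L21202) nothing documents what 0 requests, so a comment such as `/* 0: visibility check only, no access mode */` (if that is what the callee implements) or a named value would help. That prototype is also an `extern` placed in a .c file; moving it to a header included by both the definer and these callers lets the compiler check them against each other. scan()'s body starts before and ends after the hunk.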
34152 @@ -359,6 +367,9 @@ static int proc_sys_getattr(struct vfsmo
34154 return PTR_ERR(head);
34156 + if (table && gr_handle_sysctl(table, MAY_EXEC))
34159 generic_fillattr(inode, stat);
34161 stat->mode = (stat->mode & S_IFMT) | table->mode;
34162 diff -urNp linux-2.6.38.1/fs/proc/root.c linux-2.6.38.1/fs/proc/root.c
34163 --- linux-2.6.38.1/fs/proc/root.c 2011-03-14 21:20:32.000000000 -0400
34164 +++ linux-2.6.38.1/fs/proc/root.c 2011-03-21 18:31:35.000000000 -0400
34165 @@ -132,7 +132,15 @@ void __init proc_root_init(void)
34166 #ifdef CONFIG_PROC_DEVICETREE
34167 proc_device_tree_init();
34169 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34170 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34171 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
34172 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34173 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
34176 proc_mkdir("bus", NULL);
34181 diff -urNp linux-2.6.38.1/fs/proc/task_mmu.c linux-2.6.38.1/fs/proc/task_mmu.c
34182 --- linux-2.6.38.1/fs/proc/task_mmu.c 2011-03-14 21:20:32.000000000 -0400
34183 +++ linux-2.6.38.1/fs/proc/task_mmu.c 2011-03-21 18:31:35.000000000 -0400
34184 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
34185 "VmExe:\t%8lu kB\n"
34186 "VmLib:\t%8lu kB\n"
34187 "VmPTE:\t%8lu kB\n"
34188 - "VmSwap:\t%8lu kB\n",
34189 - hiwater_vm << (PAGE_SHIFT-10),
34190 + "VmSwap:\t%8lu kB\n"
34192 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34193 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
34196 + ,hiwater_vm << (PAGE_SHIFT-10),
34197 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
34198 mm->locked_vm << (PAGE_SHIFT-10),
34199 hiwater_rss << (PAGE_SHIFT-10),
34200 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
34201 data << (PAGE_SHIFT-10),
34202 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
34203 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
34204 - swap << (PAGE_SHIFT-10));
34205 + swap << (PAGE_SHIFT-10)
34207 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34208 + , mm->context.user_cs_base, mm->context.user_cs_limit
34214 unsigned long task_vsize(struct mm_struct *mm)
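Review bot: `CsBase`/`CsLim` (format at L21242, values at L21254) are emitted into /proc/pid/status, which is world-readable, with no gating, while the rest of this patch hides per-process addresses from other users' readers (the `PAX_RAND_FLAGS` handling in show_map_vma and show_smap later in this file); if `user_cs_limit` tracks the highest executable user address, it reveals part of a randomized layout to any reader. Printing them as `PAX_RAND_FLAGS(mm) ? 0UL : mm->context.user_cs_base` (and likewise for the limit) would match the maps/smaps behaviour, though the macro is defined below task_mem in this file and would have to move above it. task_mem begins before the first hunk.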
34215 @@ -204,6 +215,12 @@ static int do_maps_open(struct inode *in
34219 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34220 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34221 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34222 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34225 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
34227 struct mm_struct *mm = vma->vm_mm;
34228 @@ -211,7 +228,6 @@ static void show_map_vma(struct seq_file
34229 int flags = vma->vm_flags;
34230 unsigned long ino = 0;
34231 unsigned long long pgoff = 0;
34232 - unsigned long start;
34236 @@ -222,20 +238,24 @@ static void show_map_vma(struct seq_file
34237 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
34240 - /* We don't show the stack guard page in /proc/maps */
34241 - start = vma->vm_start;
34242 - if (vma->vm_flags & VM_GROWSDOWN)
34243 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
34244 - start += PAGE_SIZE;
34246 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
34248 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34249 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
34250 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
34255 flags & VM_READ ? 'r' : '-',
34256 flags & VM_WRITE ? 'w' : '-',
34257 flags & VM_EXEC ? 'x' : '-',
34258 flags & VM_MAYSHARE ? 's' : 'p',
34259 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34260 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
34264 MAJOR(dev), MINOR(dev), ino, &len);
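Review bot: The new `%08lx-%08lx` arguments at L21277 print `vma->vm_start` directly, and the removed lines L21271–L21274 were upstream's adjustment that kept the stack guard page out of /proc/pid/maps; if this tree still reserves a guard page inside VM_GROWSDOWN VMAs, the first page shown is now that guard page. If the guard-page mechanism is replaced elsewhere in this patch, a one-line comment at the seq_printf saying so would stop the next reader from re-adding the adjustment. The `#else` arm (not visible here) presumably prints the unadjusted addresses as well.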
34267 @@ -244,16 +264,16 @@ static void show_map_vma(struct seq_file
34270 pad_len_spaces(m, len);
34271 - seq_path(m, &file->f_path, "\n");
34272 + seq_path(m, &file->f_path, "\n\\");
34274 const char *name = arch_vma_name(vma);
34277 - if (vma->vm_start <= mm->brk &&
34278 - vma->vm_end >= mm->start_brk) {
34279 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
34281 - } else if (vma->vm_start <= mm->start_stack &&
34282 - vma->vm_end >= mm->start_stack) {
34283 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
34284 + (vma->vm_start <= mm->start_stack &&
34285 + vma->vm_end >= mm->start_stack)) {
34289 @@ -399,11 +419,16 @@ static int show_smap(struct seq_file *m,
34292 memset(&mss, 0, sizeof mss);
34294 - /* mmap_sem is held in m_start */
34295 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34296 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34298 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34299 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
34302 + /* mmap_sem is held in m_start */
34303 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34304 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34305 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34308 show_map_vma(m, vma);
34311 @@ -420,7 +445,11 @@ static int show_smap(struct seq_file *m,
34312 "KernelPageSize: %8lu kB\n"
34313 "MMUPageSize: %8lu kB\n"
34314 "Locked: %8lu kB\n",
34315 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34316 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
34318 (vma->vm_end - vma->vm_start) >> 10,
34320 mss.resident >> 10,
34321 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
34322 mss.shared_clean >> 10,
34323 diff -urNp linux-2.6.38.1/fs/proc/task_nommu.c linux-2.6.38.1/fs/proc/task_nommu.c
34324 --- linux-2.6.38.1/fs/proc/task_nommu.c 2011-03-14 21:20:32.000000000 -0400
34325 +++ linux-2.6.38.1/fs/proc/task_nommu.c 2011-03-21 18:31:35.000000000 -0400
34326 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
34328 bytes += kobjsize(mm);
34330 - if (current->fs && current->fs->users > 1)
34331 + if (current->fs && atomic_read(¤t->fs->users) > 1)
34332 sbytes += kobjsize(current->fs);
34334 bytes += kobjsize(current->fs);
34335 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
34338 pad_len_spaces(m, len);
34339 - seq_path(m, &file->f_path, "");
34340 + seq_path(m, &file->f_path, "\n\\");
34342 if (vma->vm_start <= mm->start_stack &&
34343 vma->vm_end >= mm->start_stack) {
34344 diff -urNp linux-2.6.38.1/fs/readdir.c linux-2.6.38.1/fs/readdir.c
34345 --- linux-2.6.38.1/fs/readdir.c 2011-03-14 21:20:32.000000000 -0400
34346 +++ linux-2.6.38.1/fs/readdir.c 2011-03-21 18:31:35.000000000 -0400
34348 #include <linux/security.h>
34349 #include <linux/syscalls.h>
34350 #include <linux/unistd.h>
34351 +#include <linux/namei.h>
34353 #include <asm/uaccess.h>
34355 @@ -67,6 +68,7 @@ struct old_linux_dirent {
34357 struct readdir_callback {
34358 struct old_linux_dirent __user * dirent;
34359 + struct file * file;
34363 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
34364 buf->result = -EOVERFLOW;
34368 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34372 dirent = buf->dirent;
34373 if (!access_ok(VERIFY_WRITE, dirent,
34374 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
34377 buf.dirent = dirent;
34380 error = vfs_readdir(file, fillonedir, &buf);
34382 @@ -142,6 +149,7 @@ struct linux_dirent {
34383 struct getdents_callback {
34384 struct linux_dirent __user * current_dir;
34385 struct linux_dirent __user * previous;
34386 + struct file * file;
34390 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
34391 buf->error = -EOVERFLOW;
34395 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34398 dirent = buf->previous;
34400 if (__put_user(offset, &dirent->d_off))
34401 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
34402 buf.previous = NULL;
34407 error = vfs_readdir(file, filldir, &buf);
34409 @@ -229,6 +242,7 @@ out:
34410 struct getdents_callback64 {
34411 struct linux_dirent64 __user * current_dir;
34412 struct linux_dirent64 __user * previous;
34413 + struct file *file;
34417 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
34418 buf->error = -EINVAL; /* only used if we fail.. */
34419 if (reclen > buf->count)
34422 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34425 dirent = buf->previous;
34427 if (__put_user(offset, &dirent->d_off))
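Review bot: When `gr_acl_handle_filldir` denies an entry (L21377), `buf->error` still holds the -EINVAL stored two lines earlier at L21375 ("only used if we fail"), and if the denied path returns 0 as it appears to, a directory whose entries are all filtered makes getdents64() report -EINVAL rather than an empty listing, because as far as I recall the syscall only overrides buf.error once at least one dirent has been written. If an empty result is the intent, clear it on that path: `buf->error = 0; return 0;`. The same applies to filldir (L21363); fillonedir (L21350) uses `result` and is not affected. Each of these callbacks starts before and ends after its hunk.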
34428 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
34430 buf.current_dir = dirent;
34431 buf.previous = NULL;
34436 diff -urNp linux-2.6.38.1/fs/reiserfs/do_balan.c linux-2.6.38.1/fs/reiserfs/do_balan.c
34437 --- linux-2.6.38.1/fs/reiserfs/do_balan.c 2011-03-14 21:20:32.000000000 -0400
34438 +++ linux-2.6.38.1/fs/reiserfs/do_balan.c 2011-03-21 18:31:35.000000000 -0400
34439 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
34443 - atomic_inc(&(fs_generation(tb->tb_sb)));
34444 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
34445 do_balance_starts(tb);
34447 /* balance leaf returns 0 except if combining L R and S into
34448 diff -urNp linux-2.6.38.1/fs/reiserfs/item_ops.c linux-2.6.38.1/fs/reiserfs/item_ops.c
34449 --- linux-2.6.38.1/fs/reiserfs/item_ops.c 2011-03-14 21:20:32.000000000 -0400
34450 +++ linux-2.6.38.1/fs/reiserfs/item_ops.c 2011-03-21 18:31:35.000000000 -0400
34451 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
34452 vi->vi_index, vi->vi_type, vi->vi_ih);
34455 -static struct item_operations stat_data_ops = {
34456 +static const struct item_operations stat_data_ops = {
34457 .bytes_number = sd_bytes_number,
34458 .decrement_key = sd_decrement_key,
34459 .is_left_mergeable = sd_is_left_mergeable,
34460 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
34461 vi->vi_index, vi->vi_type, vi->vi_ih);
34464 -static struct item_operations direct_ops = {
34465 +static const struct item_operations direct_ops = {
34466 .bytes_number = direct_bytes_number,
34467 .decrement_key = direct_decrement_key,
34468 .is_left_mergeable = direct_is_left_mergeable,
34469 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
34470 vi->vi_index, vi->vi_type, vi->vi_ih);
34473 -static struct item_operations indirect_ops = {
34474 +static const struct item_operations indirect_ops = {
34475 .bytes_number = indirect_bytes_number,
34476 .decrement_key = indirect_decrement_key,
34477 .is_left_mergeable = indirect_is_left_mergeable,
34478 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
34482 -static struct item_operations direntry_ops = {
34483 +static const struct item_operations direntry_ops = {
34484 .bytes_number = direntry_bytes_number,
34485 .decrement_key = direntry_decrement_key,
34486 .is_left_mergeable = direntry_is_left_mergeable,
34487 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
34488 "Invalid item type observed, run fsck ASAP");
34491 -static struct item_operations errcatch_ops = {
34492 +static const struct item_operations errcatch_ops = {
34493 errcatch_bytes_number,
34494 errcatch_decrement_key,
34495 errcatch_is_left_mergeable,
34496 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
34497 #error Item types must use disk-format assigned values.
34500 -struct item_operations *item_ops[TYPE_ANY + 1] = {
34501 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
34505 diff -urNp linux-2.6.38.1/fs/reiserfs/procfs.c linux-2.6.38.1/fs/reiserfs/procfs.c
34506 --- linux-2.6.38.1/fs/reiserfs/procfs.c 2011-03-14 21:20:32.000000000 -0400
34507 +++ linux-2.6.38.1/fs/reiserfs/procfs.c 2011-03-21 18:31:35.000000000 -0400
34508 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
34509 "SMALL_TAILS " : "NO_TAILS ",
34510 replay_only(sb) ? "REPLAY_ONLY " : "",
34511 convert_reiserfs(sb) ? "CONV " : "",
34512 - atomic_read(&r->s_generation_counter),
34513 + atomic_read_unchecked(&r->s_generation_counter),
34514 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
34515 SF(s_do_balance), SF(s_unneeded_left_neighbor),
34516 SF(s_good_search_by_key_reada), SF(s_bmaps),
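Review bot: `atomic_read_unchecked()` only compiles if `s_generation_counter` has been retyped to `atomic_unchecked_t` in the reiserfs superblock header, which is outside this hunk, so the two changes have to land together. Opting the field out of the refcount-overflow check is presumably because a generation counter is meant to wrap rather than act as a reference count; that reasoning belongs beside the field's declaration, e.g. `/* wraps on purpose: a sequence number, not a refcount */`. show_super's body starts outside the hunk.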
34517 diff -urNp linux-2.6.38.1/fs/select.c linux-2.6.38.1/fs/select.c
34518 --- linux-2.6.38.1/fs/select.c 2011-03-14 21:20:32.000000000 -0400
34519 +++ linux-2.6.38.1/fs/select.c 2011-03-21 18:31:35.000000000 -0400
34521 #include <linux/module.h>
34522 #include <linux/slab.h>
34523 #include <linux/poll.h>
34524 +#include <linux/security.h>
34525 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
34526 #include <linux/file.h>
34527 #include <linux/fdtable.h>
34528 @@ -840,6 +841,7 @@ int do_sys_poll(struct pollfd __user *uf
34529 struct poll_list *walk = head;
34530 unsigned long todo = nfds;
34532 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
34533 if (nfds > rlimit(RLIMIT_NOFILE))
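Review bot: `gr_learn_resource()` is fed the raw, user-supplied `nfds` before the `rlimit(RLIMIT_NOFILE)` comparison, so a learning run records whatever the caller asked for, including values the very next line rejects. If that is intended (learning should capture the request, not the outcome), say so, otherwise the call will get moved below the check: `/* learn the requested count even if the rlimit check below rejects it */`. The hook also runs on every poll() whether or not learning is active; whether it short-circuits cheaply is not visible from this hunk. do_sys_poll continues outside the hunk.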
34536 diff -urNp linux-2.6.38.1/fs/seq_file.c linux-2.6.38.1/fs/seq_file.c
34537 --- linux-2.6.38.1/fs/seq_file.c 2011-03-14 21:20:32.000000000 -0400
34538 +++ linux-2.6.38.1/fs/seq_file.c 2011-03-21 18:31:35.000000000 -0400
34539 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
34543 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34544 + m->size = PAGE_SIZE;
34545 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
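Review bot: splitting `m->size = PAGE_SIZE` out of the `kmalloc()` argument list changes nothing functionally, so the reason (presumably to keep the allocation size a side-effect-free expression for instrumentation) should be stated, or the next cleanup will fold it back. A one-liner above the assignment would do: `/* size is assigned separately from kmalloc() on purpose; do not fold back */`. The same pattern is repeated in the three later hunks of this file, so one comment at this first site is enough. traverse's body extends beyond the hunk.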
34549 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
34553 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34555 + m->buf = kmalloc(m->size, GFP_KERNEL);
34556 return !m->buf ? -ENOMEM : -EAGAIN;
34559 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
34560 m->version = file->f_version;
34561 /* grab buffer if we didn't have one */
34563 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34564 + m->size = PAGE_SIZE;
34565 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34569 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
34573 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34575 + m->buf = kmalloc(m->size, GFP_KERNEL);
34579 diff -urNp linux-2.6.38.1/fs/splice.c linux-2.6.38.1/fs/splice.c
34580 --- linux-2.6.38.1/fs/splice.c 2011-03-14 21:20:32.000000000 -0400
34581 +++ linux-2.6.38.1/fs/splice.c 2011-03-21 18:31:35.000000000 -0400
34582 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
34586 - if (!pipe->readers) {
34587 + if (!atomic_read(&pipe->readers)) {
34588 send_sig(SIGPIPE, current, 0);
34591 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
34595 - pipe->waiting_writers++;
34596 + atomic_inc(&pipe->waiting_writers);
34598 - pipe->waiting_writers--;
34599 + atomic_dec(&pipe->waiting_writers);
34603 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
34606 /* The cast to a user pointer is valid due to the set_fs() */
34607 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
34608 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
34612 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
34615 /* The cast to a user pointer is valid due to the set_fs() */
34616 - res = vfs_write(file, (const char __user *)buf, count, &pos);
34617 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
34621 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
34624 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
34625 - vec[i].iov_base = (void __user *) page_address(page);
34626 + vec[i].iov_base = (__force void __user *) page_address(page);
34627 vec[i].iov_len = this_len;
34628 spd.pages[i] = page;
34630 @@ -842,10 +842,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
34631 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
34633 while (!pipe->nrbufs) {
34634 - if (!pipe->writers)
34635 + if (!atomic_read(&pipe->writers))
34638 - if (!pipe->waiting_writers && sd->num_spliced)
34639 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
34642 if (sd->flags & SPLICE_F_NONBLOCK)
34643 @@ -1178,7 +1178,7 @@ ssize_t splice_direct_to_actor(struct fi
34644 * out of the pipe right after the splice_to_pipe(). So set
34645 * PIPE_READERS appropriately.
34647 - pipe->readers = 1;
34648 + atomic_set(&pipe->readers, 1);
34650 current->splice_pipe = pipe;
34652 @@ -1730,9 +1730,9 @@ static int ipipe_prep(struct pipe_inode_
34653 ret = -ERESTARTSYS;
34656 - if (!pipe->writers)
34657 + if (!atomic_read(&pipe->writers))
34659 - if (!pipe->waiting_writers) {
34660 + if (!atomic_read(&pipe->waiting_writers)) {
34661 if (flags & SPLICE_F_NONBLOCK) {
34664 @@ -1764,7 +1764,7 @@ static int opipe_prep(struct pipe_inode_
34667 while (pipe->nrbufs >= pipe->buffers) {
34668 - if (!pipe->readers) {
34669 + if (!atomic_read(&pipe->readers)) {
34670 send_sig(SIGPIPE, current, 0);
34673 @@ -1777,9 +1777,9 @@ static int opipe_prep(struct pipe_inode_
34674 ret = -ERESTARTSYS;
34677 - pipe->waiting_writers++;
34678 + atomic_inc(&pipe->waiting_writers);
34680 - pipe->waiting_writers--;
34681 + atomic_dec(&pipe->waiting_writers);
34685 @@ -1815,14 +1815,14 @@ retry:
34686 pipe_double_lock(ipipe, opipe);
34689 - if (!opipe->readers) {
34690 + if (!atomic_read(&opipe->readers)) {
34691 send_sig(SIGPIPE, current, 0);
34697 - if (!ipipe->nrbufs && !ipipe->writers)
34698 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
34702 @@ -1922,7 +1922,7 @@ static int link_pipe(struct pipe_inode_i
34703 pipe_double_lock(ipipe, opipe);
34706 - if (!opipe->readers) {
34707 + if (!atomic_read(&opipe->readers)) {
34708 send_sig(SIGPIPE, current, 0);
34711 @@ -1967,7 +1967,7 @@ static int link_pipe(struct pipe_inode_i
34712 * return EAGAIN if we have the potential of some data in the
34713 * future, otherwise just return 0
34715 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
34716 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
34719 pipe_unlock(ipipe);
34720 diff -urNp linux-2.6.38.1/fs/sysfs/mount.c linux-2.6.38.1/fs/sysfs/mount.c
34721 --- linux-2.6.38.1/fs/sysfs/mount.c 2011-03-14 21:20:32.000000000 -0400
34722 +++ linux-2.6.38.1/fs/sysfs/mount.c 2011-03-21 18:31:35.000000000 -0400
34723 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
34725 .s_count = ATOMIC_INIT(1),
34726 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
34727 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
34728 + .s_mode = S_IFDIR | S_IRWXU,
34730 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
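Review bot: under CONFIG_GRKERNSEC_SYSFS_RESTRICT only the root dirent's mode becomes `S_IFDIR | S_IRWXU`; every descendant keeps its normal mode, so the restriction holds only for lookups that traverse the sysfs root. A bind mount of a sysfs subtree, or a directory fd inherited from a privileged parent, would likely bypass it, which is worth stating in the option's help text or a comment here: `/* restricts only the root: subtree bind mounts and inherited fds are not covered */`. The `#else`/`#endif` lines of this block are elided in this view.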
34735 diff -urNp linux-2.6.38.1/fs/sysfs/symlink.c linux-2.6.38.1/fs/sysfs/symlink.c
34736 --- linux-2.6.38.1/fs/sysfs/symlink.c 2011-03-14 21:20:32.000000000 -0400
34737 +++ linux-2.6.38.1/fs/sysfs/symlink.c 2011-03-21 18:31:35.000000000 -0400
34738 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
34740 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34742 - char *page = nd_get_link(nd);
34743 + const char *page = nd_get_link(nd);
34745 free_page((unsigned long)page);
34747 diff -urNp linux-2.6.38.1/fs/ubifs/debug.c linux-2.6.38.1/fs/ubifs/debug.c
34748 --- linux-2.6.38.1/fs/ubifs/debug.c 2011-03-14 21:20:32.000000000 -0400
34749 +++ linux-2.6.38.1/fs/ubifs/debug.c 2011-03-21 18:31:35.000000000 -0400
34750 @@ -2813,19 +2813,19 @@ int dbg_debugfs_init_fs(struct ubifs_inf
34753 fname = "dump_lprops";
34754 - dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
34755 + dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
34758 d->dfs_dump_lprops = dent;
34760 fname = "dump_budg";
34761 - dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
34762 + dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
34765 d->dfs_dump_budg = dent;
34767 fname = "dump_tnc";
34768 - dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
34769 + dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
34772 d->dfs_dump_tnc = dent;
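Review bot: changing the three dump triggers from `S_IWUGO` to `S_IWUSR` closes a path where any local user who can reach debugfs could presumably fire a full `dump_lprops`/`dump_budg`/`dump_tnc` by writing to the file; the fix is right, but it is only as complete as the rest of `dbg_debugfs_init_fs`, whose other `debugfs_create_file()` calls fall outside this hunk and deserve the same audit. A short comment on the first site would also help: `/* root-only: a write here triggers a full dump */`. The function continues beyond the hunk.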
34773 diff -urNp linux-2.6.38.1/fs/udf/misc.c linux-2.6.38.1/fs/udf/misc.c
34774 --- linux-2.6.38.1/fs/udf/misc.c 2011-03-14 21:20:32.000000000 -0400
34775 +++ linux-2.6.38.1/fs/udf/misc.c 2011-03-21 18:31:35.000000000 -0400
34776 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
34777 iinfo->i_lenEAttr += size;
34778 return (struct genericFormat *)&ea[offset];
34782 + if (loc & 0x02) {
34787 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
34789 u8 udf_tag_checksum(const struct tag *t)
34791 - u8 *data = (u8 *)t;
34792 + const u8 *data = (const u8 *)t;
34795 for (i = 0; i < sizeof(struct tag); ++i)
34796 diff -urNp linux-2.6.38.1/fs/udf/udfdecl.h linux-2.6.38.1/fs/udf/udfdecl.h
34797 --- linux-2.6.38.1/fs/udf/udfdecl.h 2011-03-14 21:20:32.000000000 -0400
34798 +++ linux-2.6.38.1/fs/udf/udfdecl.h 2011-03-21 18:31:35.000000000 -0400
34799 @@ -26,7 +26,7 @@ do { \
34803 -#define udf_debug(f, a...) /**/
34804 +#define udf_debug(f, a...) do {} while (0)
34807 #define udf_info(f, a...) \
34808 diff -urNp linux-2.6.38.1/fs/utimes.c linux-2.6.38.1/fs/utimes.c
34809 --- linux-2.6.38.1/fs/utimes.c 2011-03-14 21:20:32.000000000 -0400
34810 +++ linux-2.6.38.1/fs/utimes.c 2011-03-21 18:31:35.000000000 -0400
34812 #include <linux/compiler.h>
34813 #include <linux/file.h>
34814 #include <linux/fs.h>
34815 +#include <linux/security.h>
34816 #include <linux/linkage.h>
34817 #include <linux/mount.h>
34818 #include <linux/namei.h>
34819 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
34820 goto mnt_drop_write_and_out;
34824 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
34826 + goto mnt_drop_write_and_out;
34829 mutex_lock(&inode->i_mutex);
34830 error = notify_change(path->dentry, &newattrs);
34831 mutex_unlock(&inode->i_mutex);
34832 diff -urNp linux-2.6.38.1/fs/xattr_acl.c linux-2.6.38.1/fs/xattr_acl.c
34833 --- linux-2.6.38.1/fs/xattr_acl.c 2011-03-14 21:20:32.000000000 -0400
34834 +++ linux-2.6.38.1/fs/xattr_acl.c 2011-03-21 18:31:35.000000000 -0400
34837 posix_acl_from_xattr(const void *value, size_t size)
34839 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
34840 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
34841 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
34842 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
34844 struct posix_acl *acl;
34845 struct posix_acl_entry *acl_e;
34846 diff -urNp linux-2.6.38.1/fs/xattr.c linux-2.6.38.1/fs/xattr.c
34847 --- linux-2.6.38.1/fs/xattr.c 2011-03-14 21:20:32.000000000 -0400
34848 +++ linux-2.6.38.1/fs/xattr.c 2011-03-21 18:31:35.000000000 -0400
34849 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
34850 * Extended attribute SET operations
34853 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
34854 +setxattr(struct path *path, const char __user *name, const void __user *value,
34855 size_t size, int flags)
34858 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
34859 return PTR_ERR(kvalue);
34862 - error = vfs_setxattr(d, kname, kvalue, size, flags);
34863 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
34868 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
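Review bot: the RBAC check sits after `kvalue` has already been copied in from userspace (the `PTR_ERR(kvalue)` return above shows the allocation precedes it), so the denial branch must free `kvalue`; the lines between the `if` and the `vfs_setxattr()` call are elided here, so confirm the `kfree(kvalue)` is on that path. Cheaper and simpler is to run `gr_acl_handle_setxattr(path->dentry, path->mnt)` before the name and value are copied in at all, so a denied request never allocates and needs no extra free path. setxattr's body starts outside the hunk.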
34873 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
34875 error = mnt_want_write(path.mnt);
34877 - error = setxattr(path.dentry, name, value, size, flags);
34878 + error = setxattr(&path, name, value, size, flags);
34879 mnt_drop_write(path.mnt);
34882 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
34884 error = mnt_want_write(path.mnt);
34886 - error = setxattr(path.dentry, name, value, size, flags);
34887 + error = setxattr(&path, name, value, size, flags);
34888 mnt_drop_write(path.mnt);
34891 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
34892 const void __user *,value, size_t, size, int, flags)
34895 - struct dentry *dentry;
34896 int error = -EBADF;
34901 - dentry = f->f_path.dentry;
34902 - audit_inode(NULL, dentry);
34903 + audit_inode(NULL, f->f_path.dentry);
34904 error = mnt_want_write_file(f);
34906 - error = setxattr(dentry, name, value, size, flags);
34907 + error = setxattr(&f->f_path, name, value, size, flags);
34908 mnt_drop_write(f->f_path.mnt);
34911 diff -urNp linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl32.c
34912 --- linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-14 21:20:32.000000000 -0400
34913 +++ linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-21 18:31:35.000000000 -0400
34914 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
34915 xfs_fsop_geom_t fsgeo;
34918 + memset(&fsgeo, 0, sizeof(fsgeo));
34919 error = xfs_fs_geometry(mp, &fsgeo, 3);
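Review bot: the added `memset(&fsgeo, 0, sizeof(fsgeo))` is what keeps uninitialised stack bytes from reaching userspace if `xfs_fs_geometry(mp, &fsgeo, 3)` fills only the version-3 subset of the struct and the copy-out further down (not shown) copies the whole thing, but nothing in the code says so, and a zero-init ahead of a "fill" call is exactly what a later cleanup deletes as redundant. Add the why: `/* zero first: xfs_fs_geometry() may not fill every field, the rest would leak stack to userspace */`. A `= {0}` initializer at the declaration would express the same intent. The function continues outside the hunk.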
34922 diff -urNp linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl.c
34923 --- linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl.c 2011-03-14 21:20:32.000000000 -0400
34924 +++ linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl.c 2011-03-21 18:31:35.000000000 -0400
34925 @@ -128,7 +128,7 @@ xfs_find_handle(
34929 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
34930 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
34931 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
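Review bot: the new `hsize > sizeof handle` guard stops a `copy_to_user()` of more than the on-stack `handle`, which would have disclosed kernel stack to the caller, but it reports the condition through the same error path as a failed copy (the return on the following line is elided here), so a bad size and a bad user pointer are indistinguishable. If `hsize` is computed in kernel code above the hunk, as it appears to be, a violation is a logic error rather than bad input; consider `if (WARN_ON_ONCE(hsize > sizeof(handle))) return -EINVAL;` before the copy, and `sizeof(handle)` with parentheses to match the `sizeof(fsgeo)` form used later in this file. xfs_find_handle's body starts outside the hunk.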
34934 @@ -720,6 +720,7 @@ xfs_ioc_fsgeometry(
34935 xfs_fsop_geom_t fsgeo;
34938 + memset(&fsgeo, 0, sizeof(fsgeo));
34939 error = xfs_fs_geometry(mp, &fsgeo, 4);
34942 diff -urNp linux-2.6.38.1/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.38.1/fs/xfs/linux-2.6/xfs_iops.c
34943 --- linux-2.6.38.1/fs/xfs/linux-2.6/xfs_iops.c 2011-03-14 21:20:32.000000000 -0400
34944 +++ linux-2.6.38.1/fs/xfs/linux-2.6/xfs_iops.c 2011-03-21 18:31:35.000000000 -0400
34945 @@ -436,7 +436,7 @@ xfs_vn_put_link(
34946 struct nameidata *nd,
34949 - char *s = nd_get_link(nd);
34950 + const char *s = nd_get_link(nd);
34954 diff -urNp linux-2.6.38.1/fs/xfs/xfs_bmap.c linux-2.6.38.1/fs/xfs/xfs_bmap.c
34955 --- linux-2.6.38.1/fs/xfs/xfs_bmap.c 2011-03-14 21:20:32.000000000 -0400
34956 +++ linux-2.6.38.1/fs/xfs/xfs_bmap.c 2011-03-21 18:31:35.000000000 -0400
34957 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
34961 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34962 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34966 diff -urNp linux-2.6.38.1/grsecurity/gracl_alloc.c linux-2.6.38.1/grsecurity/gracl_alloc.c
34967 --- linux-2.6.38.1/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34968 +++ linux-2.6.38.1/grsecurity/gracl_alloc.c 2011-03-21 18:31:35.000000000 -0400
34970 +#include <linux/kernel.h>
34971 +#include <linux/mm.h>
34972 +#include <linux/slab.h>
34973 +#include <linux/vmalloc.h>
34974 +#include <linux/gracl.h>
34975 +#include <linux/grsecurity.h>
34977 +static unsigned long alloc_stack_next = 1;
34978 +static unsigned long alloc_stack_size = 1;
34979 +static void **alloc_stack;
34981 +static __inline__ int
34984 + if (alloc_stack_next == 1)
34987 + kfree(alloc_stack[alloc_stack_next - 2]);
34989 + alloc_stack_next--;
34994 +static __inline__ int
34995 +alloc_push(void *buf)
34997 + if (alloc_stack_next >= alloc_stack_size)
35000 + alloc_stack[alloc_stack_next - 1] = buf;
35002 + alloc_stack_next++;
35008 +acl_alloc(unsigned long len)
35010 + void *ret = NULL;
35012 + if (!len || len > PAGE_SIZE)
35015 + ret = kmalloc(len, GFP_KERNEL);
35018 + if (alloc_push(ret)) {
35029 +acl_alloc_num(unsigned long num, unsigned long len)
35031 + if (!len || (num > (PAGE_SIZE / len)))
35034 + return acl_alloc(num * len);
35038 +acl_free_all(void)
35040 + if (gr_acl_is_enabled() || !alloc_stack)
35043 + while (alloc_pop()) ;
35045 + if (alloc_stack) {
35046 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
35047 + kfree(alloc_stack);
35049 + vfree(alloc_stack);
35052 + alloc_stack = NULL;
35053 + alloc_stack_size = 1;
35054 + alloc_stack_next = 1;
35060 +acl_alloc_stack_init(unsigned long size)
35062 + if ((size * sizeof (void *)) <= PAGE_SIZE)
35064 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
35066 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
35068 + alloc_stack_size = size;
35070 + if (!alloc_stack)
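Review bot: `acl_alloc_stack_init()` multiplies `size * sizeof (void *)` with no overflow check, and the `<= PAGE_SIZE` test on that product picks between `kmalloc()` and `vmalloc()`; a `size` large enough to wrap the product takes the `kmalloc()` path with a tiny allocation while `alloc_stack_size` is set to the unwrapped `size`, which is the only bound `alloc_push()` checks before indexing. Where `size` comes from is outside this file (presumably an entry count from a userspace-loaded policy), so guard it here, before the allocation, with `if (size > ULONG_MAX / sizeof (void *))` returning the same failure value the `!alloc_stack` branch uses, or size the allocation with `kcalloc()`/`vzalloc()`. The casts on the `kmalloc`/`vmalloc` results are unnecessary in C. The `alloc_push()` failure branch inside `acl_alloc()` and the return values are elided in this view, so I have not checked them.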
35075 diff -urNp linux-2.6.38.1/grsecurity/gracl.c linux-2.6.38.1/grsecurity/gracl.c
35076 --- linux-2.6.38.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
35077 +++ linux-2.6.38.1/grsecurity/gracl.c 2011-03-26 17:50:26.000000000 -0400
35079 +#include <linux/kernel.h>
35080 +#include <linux/module.h>
35081 +#include <linux/sched.h>
35082 +#include <linux/mm.h>
35083 +#include <linux/file.h>
35084 +#include <linux/fs.h>
35085 +#include <linux/namei.h>
35086 +#include <linux/mount.h>
35087 +#include <linux/tty.h>
35088 +#include <linux/proc_fs.h>
35089 +#include <linux/smp_lock.h>
35090 +#include <linux/lglock.h>
35091 +#include <linux/slab.h>
35092 +#include <linux/vmalloc.h>
35093 +#include <linux/types.h>
35094 +#include <linux/sysctl.h>
35095 +#include <linux/netdevice.h>
35096 +#include <linux/ptrace.h>
35097 +#include <linux/gracl.h>
35098 +#include <linux/gralloc.h>
35099 +#include <linux/grsecurity.h>
35100 +#include <linux/grinternal.h>
35101 +#include <linux/pid_namespace.h>
35102 +#include <linux/fdtable.h>
35103 +#include <linux/percpu.h>
35105 +#include <asm/uaccess.h>
35106 +#include <asm/errno.h>
35107 +#include <asm/mman.h>
35109 +static struct acl_role_db acl_role_set;
35110 +static struct name_db name_set;
35111 +static struct inodev_db inodev_set;
35113 +/* for keeping track of userspace pointers used for subjects, so we
35114 + can share references in the kernel as well
35117 +static struct path real_root;
35119 +static struct acl_subj_map_db subj_map_set;
35121 +static struct acl_role_label *default_role;
35123 +static struct acl_role_label *role_list;
35125 +static u16 acl_sp_role_value;
35127 +extern char *gr_shared_page[4];
35128 +static DEFINE_MUTEX(gr_dev_mutex);
35129 +DEFINE_RWLOCK(gr_inode_lock);
35131 +struct gr_arg *gr_usermode;
35133 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
35135 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
35136 +extern void gr_clear_learn_entries(void);
35138 +#ifdef CONFIG_GRKERNSEC_RESLOG
35139 +extern void gr_log_resource(const struct task_struct *task,
35140 + const int res, const unsigned long wanted, const int gt);
35143 +unsigned char *gr_system_salt;
35144 +unsigned char *gr_system_sum;
35146 +static struct sprole_pw **acl_special_roles = NULL;
35147 +static __u16 num_sprole_pws = 0;
35149 +static struct acl_role_label *kernel_role = NULL;
35151 +static unsigned int gr_auth_attempts = 0;
35152 +static unsigned long gr_auth_expires = 0UL;
35154 +extern struct vfsmount *sock_mnt;
35155 +extern struct vfsmount *pipe_mnt;
35156 +extern struct vfsmount *shm_mnt;
35157 +#ifdef CONFIG_HUGETLBFS
35158 +extern struct vfsmount *hugetlbfs_vfsmount;
35161 +static struct acl_object_label *fakefs_obj;
35163 +extern int gr_init_uidset(void);
35164 +extern void gr_free_uidset(void);
35165 +extern void gr_remove_uid(uid_t uid);
35166 +extern int gr_find_uid(uid_t uid);
35168 +DECLARE_BRLOCK(vfsmount_lock);
35171 +gr_acl_is_enabled(void)
35173 + return (gr_status & GR_READY);
35176 +#ifdef CONFIG_BTRFS_FS
35177 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
35178 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
35181 +static inline dev_t __get_dev(const struct dentry *dentry)
35183 +#ifdef CONFIG_BTRFS_FS
35184 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
35185 + return get_btrfs_dev_from_inode(dentry->d_inode);
35188 + return dentry->d_inode->i_sb->s_dev;
35191 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
35193 + return __get_dev(dentry);
35196 +static char gr_task_roletype_to_char(struct task_struct *task)
35198 + switch (task->role->roletype &
35199 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
35200 + GR_ROLE_SPECIAL)) {
35201 + case GR_ROLE_DEFAULT:
35203 + case GR_ROLE_USER:
35205 + case GR_ROLE_GROUP:
35207 + case GR_ROLE_SPECIAL:
35214 +char gr_roletype_to_char(void)
35216 + return gr_task_roletype_to_char(current);
35220 +gr_acl_tpe_check(void)
35222 + if (unlikely(!(gr_status & GR_READY)))
35224 + if (current->role->roletype & GR_ROLE_TPE)
35231 +gr_handle_rawio(const struct inode *inode)
35233 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
35234 + if (inode && S_ISBLK(inode->i_mode) &&
35235 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
35236 + !capable(CAP_SYS_RAWIO))
35243 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
35245 + if (likely(lena != lenb))
35248 + return !memcmp(a, b, lena);
35251 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
35253 + *buflen -= namelen;
35255 + return -ENAMETOOLONG;
35256 + *buffer -= namelen;
35257 + memcpy(*buffer, str, namelen);
35261 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
35263 + return prepend(buffer, buflen, name->name, name->len);
35266 +static int prepend_path(const struct path *path, struct path *root,
35267 + char **buffer, int *buflen)
35269 + struct dentry *dentry = path->dentry;
35270 + struct vfsmount *vfsmnt = path->mnt;
35271 + bool slash = false;
35274 + while (dentry != root->dentry || vfsmnt != root->mnt) {
35275 + struct dentry * parent;
35277 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
35278 + /* Global root? */
35279 + if (vfsmnt->mnt_parent == vfsmnt) {
35282 + dentry = vfsmnt->mnt_mountpoint;
35283 + vfsmnt = vfsmnt->mnt_parent;
35286 + parent = dentry->d_parent;
35287 + prefetch(parent);
35288 + spin_lock(&dentry->d_lock);
35289 + error = prepend_name(buffer, buflen, &dentry->d_name);
35290 + spin_unlock(&dentry->d_lock);
35292 + error = prepend(buffer, buflen, "/", 1);
35301 + if (!error && !slash)
35302 + error = prepend(buffer, buflen, "/", 1);
35307 +/* this must be called with vfsmount_lock and rename_lock held */
35309 +static char *__our_d_path(const struct path *path, struct path *root,
35310 + char *buf, int buflen)
35312 + char *res = buf + buflen;
35315 + prepend(&res, &buflen, "\0", 1);
35316 + error = prepend_path(path, root, &res, &buflen);
35318 + return ERR_PTR(error);
35324 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
35328 + retval = __our_d_path(path, root, buf, buflen);
35329 + if (unlikely(IS_ERR(retval)))
35330 + retval = strcpy(buf, "<path too long>");
35331 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
35332 + retval[1] = '\0';
35338 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35339 + char *buf, int buflen)
35341 + struct path path;
35344 + path.dentry = (struct dentry *)dentry;
35345 + path.mnt = (struct vfsmount *)vfsmnt;
35347 + /* we can use real_root.dentry, real_root.mnt, because this is only called
35348 + by the RBAC system */
35349 + res = gen_full_path(&path, &real_root, buf, buflen);
35355 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35356 + char *buf, int buflen)
35359 + struct path path;
35360 + struct path root;
35361 + struct task_struct *reaper = &init_task;
35363 + path.dentry = (struct dentry *)dentry;
35364 + path.mnt = (struct vfsmount *)vfsmnt;
35366 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
35367 + root.dentry = reaper->nsproxy->mnt_ns->root->mnt_root;
35368 + root.mnt = reaper->nsproxy->mnt_ns->root;
35371 + write_seqlock(&rename_lock);
35372 + br_read_lock(vfsmount_lock);
35373 + res = gen_full_path(&path, &root, buf, buflen);
35374 + br_read_unlock(vfsmount_lock);
35375 + write_sequnlock(&rename_lock);
35382 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
35385 + write_seqlock(&rename_lock);
35386 + br_read_lock(vfsmount_lock);
35387 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35389 + br_read_unlock(vfsmount_lock);
35390 + write_sequnlock(&rename_lock);
35395 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
35397 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35402 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
35404 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
35409 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
35411 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
35416 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
35418 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
35423 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
35425 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
35430 +to_gr_audit(const __u32 reqmode)
35432 + /* masks off auditable permission flags, then shifts them to create
35433 + auditing flags, and adds the special case of append auditing if
35434 + we're requesting write */
35435 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
35438 +struct acl_subject_label *
35439 +lookup_subject_map(const struct acl_subject_label *userp)
35441 + unsigned int index = shash(userp, subj_map_set.s_size);
35442 + struct subject_map *match;
35444 + match = subj_map_set.s_hash[index];
35446 + while (match && match->user != userp)
35447 + match = match->next;
35449 + if (match != NULL)
35450 + return match->kernel;
35456 +insert_subj_map_entry(struct subject_map *subjmap)
35458 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
35459 + struct subject_map **curr;
35461 + subjmap->prev = NULL;
35463 + curr = &subj_map_set.s_hash[index];
35464 + if (*curr != NULL)
35465 + (*curr)->prev = subjmap;
35467 + subjmap->next = *curr;
35473 +static struct acl_role_label *
35474 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
35477 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
35478 + struct acl_role_label *match;
35479 + struct role_allowed_ip *ipp;
35481 + u32 curr_ip = task->signal->curr_ip;
35483 + task->signal->saved_ip = curr_ip;
35485 + match = acl_role_set.r_hash[index];
35488 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
35489 + for (x = 0; x < match->domain_child_num; x++) {
35490 + if (match->domain_children[x] == uid)
35493 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
35495 + match = match->next;
35498 + if (match == NULL) {
35500 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
35501 + match = acl_role_set.r_hash[index];
35504 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
35505 + for (x = 0; x < match->domain_child_num; x++) {
35506 + if (match->domain_children[x] == gid)
35509 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
35511 + match = match->next;
35514 + if (match == NULL)
35515 + match = default_role;
35516 + if (match->allowed_ips == NULL)
35519 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35521 + ((ntohl(curr_ip) & ipp->netmask) ==
35522 + (ntohl(ipp->addr) & ipp->netmask)))
35525 + match = default_role;
35527 + } else if (match->allowed_ips == NULL) {
35530 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35532 + ((ntohl(curr_ip) & ipp->netmask) ==
35533 + (ntohl(ipp->addr) & ipp->netmask)))
35542 +struct acl_subject_label *
35543 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
35544 + const struct acl_role_label *role)
35546 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35547 + struct acl_subject_label *match;
35549 + match = role->subj_hash[index];
35551 + while (match && (match->inode != ino || match->device != dev ||
35552 + (match->mode & GR_DELETED))) {
35553 + match = match->next;
35556 + if (match && !(match->mode & GR_DELETED))
35562 +struct acl_subject_label *
35563 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
35564 + const struct acl_role_label *role)
35566 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35567 + struct acl_subject_label *match;
35569 + match = role->subj_hash[index];
35571 + while (match && (match->inode != ino || match->device != dev ||
35572 + !(match->mode & GR_DELETED))) {
35573 + match = match->next;
35576 + if (match && (match->mode & GR_DELETED))
35582 +static struct acl_object_label *
35583 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
35584 + const struct acl_subject_label *subj)
35586 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35587 + struct acl_object_label *match;
35589 + match = subj->obj_hash[index];
35591 + while (match && (match->inode != ino || match->device != dev ||
35592 + (match->mode & GR_DELETED))) {
35593 + match = match->next;
35596 + if (match && !(match->mode & GR_DELETED))
35602 +static struct acl_object_label *
35603 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
35604 + const struct acl_subject_label *subj)
35606 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35607 + struct acl_object_label *match;
35609 + match = subj->obj_hash[index];
35611 + while (match && (match->inode != ino || match->device != dev ||
35612 + !(match->mode & GR_DELETED))) {
35613 + match = match->next;
35616 + if (match && (match->mode & GR_DELETED))
35619 + match = subj->obj_hash[index];
35621 + while (match && (match->inode != ino || match->device != dev ||
35622 + (match->mode & GR_DELETED))) {
35623 + match = match->next;
35626 + if (match && !(match->mode & GR_DELETED))
35632 +static struct name_entry *
35633 +lookup_name_entry(const char *name)
35635 + unsigned int len = strlen(name);
35636 + unsigned int key = full_name_hash(name, len);
35637 + unsigned int index = key % name_set.n_size;
35638 + struct name_entry *match;
35640 + match = name_set.n_hash[index];
35642 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
35643 + match = match->next;
35648 +static struct name_entry *
35649 +lookup_name_entry_create(const char *name)
35651 + unsigned int len = strlen(name);
35652 + unsigned int key = full_name_hash(name, len);
35653 + unsigned int index = key % name_set.n_size;
35654 + struct name_entry *match;
35656 + match = name_set.n_hash[index];
35658 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35659 + !match->deleted))
35660 + match = match->next;
35662 + if (match && match->deleted)
35665 + match = name_set.n_hash[index];
35667 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35669 + match = match->next;
35671 + if (match && !match->deleted)
35677 +static struct inodev_entry *
35678 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
35680 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
35681 + struct inodev_entry *match;
35683 + match = inodev_set.i_hash[index];
35685 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
35686 + match = match->next;
35692 +insert_inodev_entry(struct inodev_entry *entry)
35694 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
35695 + inodev_set.i_size);
35696 + struct inodev_entry **curr;
35698 + entry->prev = NULL;
35700 + curr = &inodev_set.i_hash[index];
35701 + if (*curr != NULL)
35702 + (*curr)->prev = entry;
35704 + entry->next = *curr;
35711 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
35713 + unsigned int index =
35714 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
35715 + struct acl_role_label **curr;
35716 + struct acl_role_label *tmp;
35718 + curr = &acl_role_set.r_hash[index];
35720 + /* if role was already inserted due to domains and already has
35721 + a role in the same bucket as it attached, then we need to
35722 + combine these two buckets
35724 + if (role->next) {
35725 + tmp = role->next;
35726 + while (tmp->next)
35728 + tmp->next = *curr;
35730 + role->next = *curr;
35737 +insert_acl_role_label(struct acl_role_label *role)
35741 + if (role_list == NULL) {
35742 + role_list = role;
35743 + role->prev = NULL;
35745 + role->prev = role_list;
35746 + role_list = role;
35749 + /* used for hash chains */
35750 + role->next = NULL;
35752 + if (role->roletype & GR_ROLE_DOMAIN) {
35753 + for (i = 0; i < role->domain_child_num; i++)
35754 + __insert_acl_role_label(role, role->domain_children[i]);
35756 + __insert_acl_role_label(role, role->uidgid);
35760 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
35762 + struct name_entry **curr, *nentry;
35763 + struct inodev_entry *ientry;
35764 + unsigned int len = strlen(name);
35765 + unsigned int key = full_name_hash(name, len);
35766 + unsigned int index = key % name_set.n_size;
35768 + curr = &name_set.n_hash[index];
35770 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
35771 + curr = &((*curr)->next);
35773 + if (*curr != NULL)
35776 + nentry = acl_alloc(sizeof (struct name_entry));
35777 + if (nentry == NULL)
35779 + ientry = acl_alloc(sizeof (struct inodev_entry));
35780 + if (ientry == NULL)
35782 + ientry->nentry = nentry;
35784 + nentry->key = key;
35785 + nentry->name = name;
35786 + nentry->inode = inode;
35787 + nentry->device = device;
35788 + nentry->len = len;
35789 + nentry->deleted = deleted;
35791 + nentry->prev = NULL;
35792 + curr = &name_set.n_hash[index];
35793 + if (*curr != NULL)
35794 + (*curr)->prev = nentry;
35795 + nentry->next = *curr;
35798 + /* insert us into the table searchable by inode/dev */
35799 + insert_inodev_entry(ientry);
35805 +insert_acl_obj_label(struct acl_object_label *obj,
35806 + struct acl_subject_label *subj)
35808 + unsigned int index =
35809 + fhash(obj->inode, obj->device, subj->obj_hash_size);
35810 + struct acl_object_label **curr;
35813 + obj->prev = NULL;
35815 + curr = &subj->obj_hash[index];
35816 + if (*curr != NULL)
35817 + (*curr)->prev = obj;
35819 + obj->next = *curr;
35826 +insert_acl_subj_label(struct acl_subject_label *obj,
35827 + struct acl_role_label *role)
35829 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
35830 + struct acl_subject_label **curr;
35832 + obj->prev = NULL;
35834 + curr = &role->subj_hash[index];
35835 + if (*curr != NULL)
35836 + (*curr)->prev = obj;
35838 + obj->next = *curr;
35844 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
35847 +create_table(__u32 * len, int elementsize)
35849 + unsigned int table_sizes[] = {
35850 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
35851 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
35852 + 4194301, 8388593, 16777213, 33554393, 67108859
35854 + void *newtable = NULL;
35855 + unsigned int pwr = 0;
35857 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
35858 + table_sizes[pwr] <= *len)
35861 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
35864 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
35866 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
35868 + newtable = vmalloc(table_sizes[pwr] * elementsize);
35870 + *len = table_sizes[pwr];
35876 +init_variables(const struct gr_arg *arg)
35878 + struct task_struct *reaper = &init_task;
35879 + unsigned int stacksize;
35881 + subj_map_set.s_size = arg->role_db.num_subjects;
35882 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
35883 + name_set.n_size = arg->role_db.num_objects;
35884 + inodev_set.i_size = arg->role_db.num_objects;
35886 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
35887 + !name_set.n_size || !inodev_set.i_size)
35890 + if (!gr_init_uidset())
35893 + /* set up the stack that holds allocation info */
35895 + stacksize = arg->role_db.num_pointers + 5;
35897 + if (!acl_alloc_stack_init(stacksize))
35900 + /* grab reference for the real root dentry and vfsmount */
35901 + real_root.dentry = reaper->nsproxy->mnt_ns->root->mnt_root;
35902 + real_root.mnt = reaper->nsproxy->mnt_ns->root;
35903 + path_get(&real_root);
35905 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
35906 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
35909 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
35910 + if (fakefs_obj == NULL)
35912 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
35914 + subj_map_set.s_hash =
35915 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
35916 + acl_role_set.r_hash =
35917 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
35918 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
35919 + inodev_set.i_hash =
35920 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
35922 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
35923 + !name_set.n_hash || !inodev_set.i_hash)
35926 + memset(subj_map_set.s_hash, 0,
35927 + sizeof(struct subject_map *) * subj_map_set.s_size);
35928 + memset(acl_role_set.r_hash, 0,
35929 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
35930 + memset(name_set.n_hash, 0,
35931 + sizeof (struct name_entry *) * name_set.n_size);
35932 + memset(inodev_set.i_hash, 0,
35933 + sizeof (struct inodev_entry *) * inodev_set.i_size);
35938 +/* free information not needed after startup
35939 + currently contains user->kernel pointer mappings for subjects
35943 +free_init_variables(void)
35947 + if (subj_map_set.s_hash) {
35948 + for (i = 0; i < subj_map_set.s_size; i++) {
35949 + if (subj_map_set.s_hash[i]) {
35950 + kfree(subj_map_set.s_hash[i]);
35951 + subj_map_set.s_hash[i] = NULL;
35955 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
35957 + kfree(subj_map_set.s_hash);
35959 + vfree(subj_map_set.s_hash);
35966 +free_variables(void)
35968 + struct acl_subject_label *s;
35969 + struct acl_role_label *r;
35970 + struct task_struct *task, *task2;
35973 + gr_clear_learn_entries();
35975 + read_lock(&tasklist_lock);
35976 + do_each_thread(task2, task) {
35977 + task->acl_sp_role = 0;
35978 + task->acl_role_id = 0;
35979 + task->acl = NULL;
35980 + task->role = NULL;
35981 + } while_each_thread(task2, task);
35982 + read_unlock(&tasklist_lock);
35984 + /* release the reference to the real root dentry and vfsmount */
35985 + path_put(&real_root);
35987 + /* free all object hash tables */
35989 + FOR_EACH_ROLE_START(r)
35990 + if (r->subj_hash == NULL)
35992 + FOR_EACH_SUBJECT_START(r, s, x)
35993 + if (s->obj_hash == NULL)
35995 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35996 + kfree(s->obj_hash);
35998 + vfree(s->obj_hash);
35999 + FOR_EACH_SUBJECT_END(s, x)
36000 + FOR_EACH_NESTED_SUBJECT_START(r, s)
36001 + if (s->obj_hash == NULL)
36003 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
36004 + kfree(s->obj_hash);
36006 + vfree(s->obj_hash);
36007 + FOR_EACH_NESTED_SUBJECT_END(s)
36008 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
36009 + kfree(r->subj_hash);
36011 + vfree(r->subj_hash);
36012 + r->subj_hash = NULL;
36014 + FOR_EACH_ROLE_END(r)
36018 + if (acl_role_set.r_hash) {
36019 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
36021 + kfree(acl_role_set.r_hash);
36023 + vfree(acl_role_set.r_hash);
36025 + if (name_set.n_hash) {
36026 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
36028 + kfree(name_set.n_hash);
36030 + vfree(name_set.n_hash);
36033 + if (inodev_set.i_hash) {
36034 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
36036 + kfree(inodev_set.i_hash);
36038 + vfree(inodev_set.i_hash);
36041 + gr_free_uidset();
36043 + memset(&name_set, 0, sizeof (struct name_db));
36044 + memset(&inodev_set, 0, sizeof (struct inodev_db));
36045 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
36046 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
36048 + default_role = NULL;
36049 + role_list = NULL;
36055 +count_user_objs(struct acl_object_label *userp)
36057 + struct acl_object_label o_tmp;
36061 + if (copy_from_user(&o_tmp, userp,
36062 + sizeof (struct acl_object_label)))
36065 + userp = o_tmp.prev;
36072 +static struct acl_subject_label *
36073 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
36076 +copy_user_glob(struct acl_object_label *obj)
36078 + struct acl_object_label *g_tmp, **guser;
36079 + unsigned int len;
36082 + if (obj->globbed == NULL)
36085 + guser = &obj->globbed;
36087 + g_tmp = (struct acl_object_label *)
36088 + acl_alloc(sizeof (struct acl_object_label));
36089 + if (g_tmp == NULL)
36092 + if (copy_from_user(g_tmp, *guser,
36093 + sizeof (struct acl_object_label)))
36096 + len = strnlen_user(g_tmp->filename, PATH_MAX);
36098 + if (!len || len >= PATH_MAX)
36101 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36104 + if (copy_from_user(tmp, g_tmp->filename, len))
36106 + tmp[len-1] = '\0';
36107 + g_tmp->filename = tmp;
36110 + guser = &(g_tmp->next);
36117 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
36118 + struct acl_role_label *role)
36120 + struct acl_object_label *o_tmp;
36121 + unsigned int len;
36126 + if ((o_tmp = (struct acl_object_label *)
36127 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
36130 + if (copy_from_user(o_tmp, userp,
36131 + sizeof (struct acl_object_label)))
36134 + userp = o_tmp->prev;
36136 + len = strnlen_user(o_tmp->filename, PATH_MAX);
36138 + if (!len || len >= PATH_MAX)
36141 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36144 + if (copy_from_user(tmp, o_tmp->filename, len))
36146 + tmp[len-1] = '\0';
36147 + o_tmp->filename = tmp;
36149 + insert_acl_obj_label(o_tmp, subj);
36150 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
36151 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
36154 + ret = copy_user_glob(o_tmp);
36158 + if (o_tmp->nested) {
36159 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
36160 + if (IS_ERR(o_tmp->nested))
36161 + return PTR_ERR(o_tmp->nested);
36163 + /* insert into nested subject list */
36164 + o_tmp->nested->next = role->hash->first;
36165 + role->hash->first = o_tmp->nested;
36173 +count_user_subjs(struct acl_subject_label *userp)
36175 + struct acl_subject_label s_tmp;
36179 + if (copy_from_user(&s_tmp, userp,
36180 + sizeof (struct acl_subject_label)))
36183 + userp = s_tmp.prev;
36184 + /* do not count nested subjects against this count, since
36185 + they are not included in the hash table, but are
36186 + attached to objects. We have already counted
36187 + the subjects in userspace for the allocation
36190 + if (!(s_tmp.mode & GR_NESTED))
36198 +copy_user_allowedips(struct acl_role_label *rolep)
36200 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
36202 + ruserip = rolep->allowed_ips;
36204 + while (ruserip) {
36207 + if ((rtmp = (struct role_allowed_ip *)
36208 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
36211 + if (copy_from_user(rtmp, ruserip,
36212 + sizeof (struct role_allowed_ip)))
36215 + ruserip = rtmp->prev;
36218 + rtmp->prev = NULL;
36219 + rolep->allowed_ips = rtmp;
36221 + rlast->next = rtmp;
36222 + rtmp->prev = rlast;
36226 + rtmp->next = NULL;
36233 +copy_user_transitions(struct acl_role_label *rolep)
36235 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
36237 + unsigned int len;
36240 + rusertp = rolep->transitions;
36242 + while (rusertp) {
36245 + if ((rtmp = (struct role_transition *)
36246 + acl_alloc(sizeof (struct role_transition))) == NULL)
36249 + if (copy_from_user(rtmp, rusertp,
36250 + sizeof (struct role_transition)))
36253 + rusertp = rtmp->prev;
36255 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
36257 + if (!len || len >= GR_SPROLE_LEN)
36260 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36263 + if (copy_from_user(tmp, rtmp->rolename, len))
36265 + tmp[len-1] = '\0';
36266 + rtmp->rolename = tmp;
36269 + rtmp->prev = NULL;
36270 + rolep->transitions = rtmp;
36272 + rlast->next = rtmp;
36273 + rtmp->prev = rlast;
36277 + rtmp->next = NULL;
36283 +static struct acl_subject_label *
36284 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
36286 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
36287 + unsigned int len;
36290 + struct acl_ip_label **i_tmp, *i_utmp2;
36291 + struct gr_hash_struct ghash;
36292 + struct subject_map *subjmap;
36293 + unsigned int i_num;
36296 + s_tmp = lookup_subject_map(userp);
36298 + /* we've already copied this subject into the kernel, just return
36299 + the reference to it, and don't copy it over again
36304 + if ((s_tmp = (struct acl_subject_label *)
36305 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
36306 + return ERR_PTR(-ENOMEM);
36308 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
36309 + if (subjmap == NULL)
36310 + return ERR_PTR(-ENOMEM);
36312 + subjmap->user = userp;
36313 + subjmap->kernel = s_tmp;
36314 + insert_subj_map_entry(subjmap);
36316 + if (copy_from_user(s_tmp, userp,
36317 + sizeof (struct acl_subject_label)))
36318 + return ERR_PTR(-EFAULT);
36320 + len = strnlen_user(s_tmp->filename, PATH_MAX);
36322 + if (!len || len >= PATH_MAX)
36323 + return ERR_PTR(-EINVAL);
36325 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36326 + return ERR_PTR(-ENOMEM);
36328 + if (copy_from_user(tmp, s_tmp->filename, len))
36329 + return ERR_PTR(-EFAULT);
36330 + tmp[len-1] = '\0';
36331 + s_tmp->filename = tmp;
36333 + if (!strcmp(s_tmp->filename, "/"))
36334 + role->root_label = s_tmp;
36336 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
36337 + return ERR_PTR(-EFAULT);
36339 + /* copy user and group transition tables */
36341 + if (s_tmp->user_trans_num) {
36344 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
36345 + if (uidlist == NULL)
36346 + return ERR_PTR(-ENOMEM);
36347 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
36348 + return ERR_PTR(-EFAULT);
36350 + s_tmp->user_transitions = uidlist;
36353 + if (s_tmp->group_trans_num) {
36356 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
36357 + if (gidlist == NULL)
36358 + return ERR_PTR(-ENOMEM);
36359 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
36360 + return ERR_PTR(-EFAULT);
36362 + s_tmp->group_transitions = gidlist;
36365 + /* set up object hash table */
36366 + num_objs = count_user_objs(ghash.first);
36368 + s_tmp->obj_hash_size = num_objs;
36369 + s_tmp->obj_hash =
36370 + (struct acl_object_label **)
36371 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
36373 + if (!s_tmp->obj_hash)
36374 + return ERR_PTR(-ENOMEM);
36376 + memset(s_tmp->obj_hash, 0,
36377 + s_tmp->obj_hash_size *
36378 + sizeof (struct acl_object_label *));
36380 + /* add in objects */
36381 + err = copy_user_objs(ghash.first, s_tmp, role);
36384 + return ERR_PTR(err);
36386 + /* set pointer for parent subject */
36387 + if (s_tmp->parent_subject) {
36388 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
36390 + if (IS_ERR(s_tmp2))
36393 + s_tmp->parent_subject = s_tmp2;
36396 + /* add in ip acls */
36398 + if (!s_tmp->ip_num) {
36399 + s_tmp->ips = NULL;
36404 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
36405 + sizeof (struct acl_ip_label *));
36408 + return ERR_PTR(-ENOMEM);
36410 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
36411 + *(i_tmp + i_num) =
36412 + (struct acl_ip_label *)
36413 + acl_alloc(sizeof (struct acl_ip_label));
36414 + if (!*(i_tmp + i_num))
36415 + return ERR_PTR(-ENOMEM);
36417 + if (copy_from_user
36418 + (&i_utmp2, s_tmp->ips + i_num,
36419 + sizeof (struct acl_ip_label *)))
36420 + return ERR_PTR(-EFAULT);
36422 + if (copy_from_user
36423 + (*(i_tmp + i_num), i_utmp2,
36424 + sizeof (struct acl_ip_label)))
36425 + return ERR_PTR(-EFAULT);
36427 + if ((*(i_tmp + i_num))->iface == NULL)
36430 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
36431 + if (!len || len >= IFNAMSIZ)
36432 + return ERR_PTR(-EINVAL);
36433 + tmp = acl_alloc(len);
36435 + return ERR_PTR(-ENOMEM);
36436 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
36437 + return ERR_PTR(-EFAULT);
36438 + (*(i_tmp + i_num))->iface = tmp;
36441 + s_tmp->ips = i_tmp;
36444 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
36445 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
36446 + return ERR_PTR(-ENOMEM);
36452 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
36454 + struct acl_subject_label s_pre;
36455 + struct acl_subject_label * ret;
36459 + if (copy_from_user(&s_pre, userp,
36460 + sizeof (struct acl_subject_label)))
36463 + /* do not add nested subjects here, add
36464 + while parsing objects
36467 + if (s_pre.mode & GR_NESTED) {
36468 + userp = s_pre.prev;
36472 + ret = do_copy_user_subj(userp, role);
36474 + err = PTR_ERR(ret);
36478 + insert_acl_subj_label(ret, role);
36480 + userp = s_pre.prev;
36487 +copy_user_acl(struct gr_arg *arg)
36489 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
36490 + struct sprole_pw *sptmp;
36491 + struct gr_hash_struct *ghash;
36492 + uid_t *domainlist;
36493 + unsigned int r_num;
36494 + unsigned int len;
36500 + /* we need a default and kernel role */
36501 + if (arg->role_db.num_roles < 2)
36504 + /* copy special role authentication info from userspace */
36506 + num_sprole_pws = arg->num_sprole_pws;
36507 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
36509 + if (!acl_special_roles) {
36514 + for (i = 0; i < num_sprole_pws; i++) {
36515 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
36520 + if (copy_from_user(sptmp, arg->sprole_pws + i,
36521 + sizeof (struct sprole_pw))) {
36527 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
36529 + if (!len || len >= GR_SPROLE_LEN) {
36534 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36539 + if (copy_from_user(tmp, sptmp->rolename, len)) {
36543 + tmp[len-1] = '\0';
36544 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
36545 + printk(KERN_ALERT "Copying special role %s\n", tmp);
36547 + sptmp->rolename = tmp;
36548 + acl_special_roles[i] = sptmp;
36551 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
36553 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
36554 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
36561 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
36562 + sizeof (struct acl_role_label *))) {
36567 + if (copy_from_user(r_tmp, r_utmp2,
36568 + sizeof (struct acl_role_label))) {
36573 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
36575 + if (!len || len >= PATH_MAX) {
36580 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36584 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
36588 + tmp[len-1] = '\0';
36589 + r_tmp->rolename = tmp;
36591 + if (!strcmp(r_tmp->rolename, "default")
36592 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
36593 + default_role = r_tmp;
36594 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
36595 + kernel_role = r_tmp;
36598 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
36602 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
36607 + r_tmp->hash = ghash;
36609 + num_subjs = count_user_subjs(r_tmp->hash->first);
36611 + r_tmp->subj_hash_size = num_subjs;
36612 + r_tmp->subj_hash =
36613 + (struct acl_subject_label **)
36614 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
36616 + if (!r_tmp->subj_hash) {
36621 + err = copy_user_allowedips(r_tmp);
36625 + /* copy domain info */
36626 + if (r_tmp->domain_children != NULL) {
36627 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
36628 + if (domainlist == NULL) {
36632 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
36636 + r_tmp->domain_children = domainlist;
36639 + err = copy_user_transitions(r_tmp);
36643 + memset(r_tmp->subj_hash, 0,
36644 + r_tmp->subj_hash_size *
36645 + sizeof (struct acl_subject_label *));
36647 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
36652 + /* set nested subject list to null */
36653 + r_tmp->hash->first = NULL;
36655 + insert_acl_role_label(r_tmp);
36660 + free_variables();
36667 +gracl_init(struct gr_arg *args)
36671 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
36672 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
36674 + if (init_variables(args)) {
36675 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
36677 + free_variables();
36681 + error = copy_user_acl(args);
36682 + free_init_variables();
36684 + free_variables();
36688 + if ((error = gr_set_acls(0))) {
36689 + free_variables();
36693 + pax_open_kernel();
36694 + gr_status |= GR_READY;
36695 + pax_close_kernel();
36701 +/* derived from glibc fnmatch() 0: match, 1: no match*/
36704 +glob_match(const char *p, const char *n)
36708 + while ((c = *p++) != '\0') {
36713 + else if (*n == '/')
36721 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
36724 + else if (c == '?') {
36734 + const char *endp;
36736 + if ((endp = strchr(n, '/')) == NULL)
36737 + endp = n + strlen(n);
36740 + for (--p; n < endp; ++n)
36741 + if (!glob_match(p, n))
36743 + } else if (c == '/') {
36744 + while (*n != '\0' && *n != '/')
36746 + if (*n == '/' && !glob_match(p, n + 1))
36749 + for (--p; n < endp; ++n)
36750 + if (*n == c && !glob_match(p, n))
36761 + if (*n == '\0' || *n == '/')
36764 + not = (*p == '!' || *p == '^');
36770 + unsigned char fn = (unsigned char)*n;
36780 + if (c == '-' && *p != ']') {
36781 + unsigned char cend = *p++;
36783 + if (cend == '\0')
36786 + if (cold <= fn && fn <= cend)
36800 + while (c != ']') {
36827 +static struct acl_object_label *
36828 +chk_glob_label(struct acl_object_label *globbed,
36829 + struct dentry *dentry, struct vfsmount *mnt, char **path)
36831 + struct acl_object_label *tmp;
36833 + if (*path == NULL)
36834 + *path = gr_to_filename_nolock(dentry, mnt);
36839 + if (!glob_match(tmp->filename, *path))
36847 +static struct acl_object_label *
36848 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36849 + const ino_t curr_ino, const dev_t curr_dev,
36850 + const struct acl_subject_label *subj, char **path, const int checkglob)
36852 + struct acl_subject_label *tmpsubj;
36853 + struct acl_object_label *retval;
36854 + struct acl_object_label *retval2;
36856 + tmpsubj = (struct acl_subject_label *) subj;
36857 + read_lock(&gr_inode_lock);
36859 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
36861 + if (checkglob && retval->globbed) {
36862 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
36863 + (struct vfsmount *)orig_mnt, path);
36865 + retval = retval2;
36869 + } while ((tmpsubj = tmpsubj->parent_subject));
36870 + read_unlock(&gr_inode_lock);
36875 +static __inline__ struct acl_object_label *
36876 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36877 + struct dentry *curr_dentry,
36878 + const struct acl_subject_label *subj, char **path, const int checkglob)
36880 + int newglob = checkglob;
36884 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
36885 + as we don't want a / * rule to match instead of the / object
36886 + don't do this for create lookups that call this function though, since they're looking up
36887 + on the parent and thus need globbing checks on all paths
36889 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
36890 + newglob = GR_NO_GLOB;
36892 + spin_lock(&curr_dentry->d_lock);
36893 + inode = curr_dentry->d_inode->i_ino;
36894 + device = __get_dev(curr_dentry);
36895 + spin_unlock(&curr_dentry->d_lock);
36897 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
36900 +static struct acl_object_label *
36901 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36902 + const struct acl_subject_label *subj, char *path, const int checkglob)
36904 + struct dentry *dentry = (struct dentry *) l_dentry;
36905 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36906 + struct acl_object_label *retval;
36907 + struct dentry *parent;
36909 + write_seqlock(&rename_lock);
36910 + br_read_lock(vfsmount_lock);
36912 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
36913 +#ifdef CONFIG_HUGETLBFS
36914 + mnt == hugetlbfs_vfsmount ||
36916 + /* ignore Eric Biederman */
36917 + IS_PRIVATE(l_dentry->d_inode))) {
36918 + retval = fakefs_obj;
36923 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36926 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36927 + if (mnt->mnt_parent == mnt)
36930 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36931 + if (retval != NULL)
36934 + dentry = mnt->mnt_mountpoint;
36935 + mnt = mnt->mnt_parent;
36939 + parent = dentry->d_parent;
36940 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36941 + if (retval != NULL)
36947 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36949 + /* real_root is pinned so we don't have to hold a reference */
36950 + if (retval == NULL)
36951 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
36953 + br_read_unlock(vfsmount_lock);
36954 + write_sequnlock(&rename_lock);
36956 + BUG_ON(retval == NULL);
36961 +static __inline__ struct acl_object_label *
36962 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36963 + const struct acl_subject_label *subj)
36965 + char *path = NULL;
36966 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
36969 +static __inline__ struct acl_object_label *
36970 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36971 + const struct acl_subject_label *subj)
36973 + char *path = NULL;
36974 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
36977 +static __inline__ struct acl_object_label *
36978 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36979 + const struct acl_subject_label *subj, char *path)
36981 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
36984 +static struct acl_subject_label *
36985 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36986 + const struct acl_role_label *role)
36988 + struct dentry *dentry = (struct dentry *) l_dentry;
36989 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36990 + struct acl_subject_label *retval;
36991 + struct dentry *parent;
36993 + write_seqlock(&rename_lock);
36994 + br_read_lock(vfsmount_lock);
36997 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36999 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
37000 + if (mnt->mnt_parent == mnt)
37003 + spin_lock(&dentry->d_lock);
37004 + read_lock(&gr_inode_lock);
37006 + lookup_acl_subj_label(dentry->d_inode->i_ino,
37007 + __get_dev(dentry), role);
37008 + read_unlock(&gr_inode_lock);
37009 + spin_unlock(&dentry->d_lock);
37010 + if (retval != NULL)
37013 + dentry = mnt->mnt_mountpoint;
37014 + mnt = mnt->mnt_parent;
37018 + spin_lock(&dentry->d_lock);
37019 + read_lock(&gr_inode_lock);
37020 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
37021 + __get_dev(dentry), role);
37022 + read_unlock(&gr_inode_lock);
37023 + parent = dentry->d_parent;
37024 + spin_unlock(&dentry->d_lock);
37026 + if (retval != NULL)
37032 + spin_lock(&dentry->d_lock);
37033 + read_lock(&gr_inode_lock);
37034 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
37035 + __get_dev(dentry), role);
37036 + read_unlock(&gr_inode_lock);
37037 + spin_unlock(&dentry->d_lock);
37039 + if (unlikely(retval == NULL)) {
37040 + /* real_root is pinned, we don't need to hold a reference */
37041 + read_lock(&gr_inode_lock);
37042 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
37043 + __get_dev(real_root.dentry), role);
37044 + read_unlock(&gr_inode_lock);
37047 + br_read_unlock(vfsmount_lock);
37048 + write_sequnlock(&rename_lock);
37050 + BUG_ON(retval == NULL);
37056 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
37058 + struct task_struct *task = current;
37059 + const struct cred *cred = current_cred();
37061 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
37062 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37063 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37064 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
37070 +gr_log_learn_sysctl(const char *path, const __u32 mode)
37072 + struct task_struct *task = current;
37073 + const struct cred *cred = current_cred();
37075 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
37076 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37077 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37078 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
37084 +gr_log_learn_id_change(const char type, const unsigned int real,
37085 + const unsigned int effective, const unsigned int fs)
37087 + struct task_struct *task = current;
37088 + const struct cred *cred = current_cred();
37090 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
37091 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37092 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37093 + type, real, effective, fs, &task->signal->saved_ip);
37099 +gr_check_link(const struct dentry * new_dentry,
37100 + const struct dentry * parent_dentry,
37101 + const struct vfsmount * parent_mnt,
37102 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
37104 + struct acl_object_label *obj;
37105 + __u32 oldmode, newmode;
37108 + if (unlikely(!(gr_status & GR_READY)))
37109 + return (GR_CREATE | GR_LINK);
37111 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
37112 + oldmode = obj->mode;
37114 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37115 + oldmode |= (GR_CREATE | GR_LINK);
37117 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
37118 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
37119 + needmode |= GR_SETID | GR_AUDIT_SETID;
37122 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
37123 + oldmode | needmode);
37125 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
37126 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
37127 + GR_INHERIT | GR_AUDIT_INHERIT);
37129 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
37132 + if ((oldmode & needmode) != needmode)
37135 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
37136 + if ((newmode & needmode) != needmode)
37139 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
37142 + needmode = oldmode;
37143 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
37144 + needmode |= GR_SETID;
37146 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37147 + gr_log_learn(old_dentry, old_mnt, needmode);
37148 + return (GR_CREATE | GR_LINK);
37149 + } else if (newmode & GR_SUPPRESS)
37150 + return GR_SUPPRESS;
37156 +gr_search_file(const struct dentry * dentry, const __u32 mode,
37157 + const struct vfsmount * mnt)
37159 + __u32 retval = mode;
37160 + struct acl_subject_label *curracl;
37161 + struct acl_object_label *currobj;
37163 + if (unlikely(!(gr_status & GR_READY)))
37164 + return (mode & ~GR_AUDITS);
37166 + curracl = current->acl;
37168 + currobj = chk_obj_label(dentry, mnt, curracl);
37169 + retval = currobj->mode & mode;
37171 + /* if we're opening a specified transfer file for writing
37172 + (e.g. /dev/initctl), then transfer our role to init
37174 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
37175 + current->role->roletype & GR_ROLE_PERSIST)) {
37176 + struct task_struct *task = init_pid_ns.child_reaper;
37178 + if (task->role != current->role) {
37179 + task->acl_sp_role = 0;
37180 + task->acl_role_id = current->acl_role_id;
37181 + task->role = current->role;
37183 + read_lock(&grsec_exec_file_lock);
37184 + gr_apply_subject_to_task(task);
37185 + read_unlock(&grsec_exec_file_lock);
37186 + rcu_read_unlock();
37187 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
37192 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
37193 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
37194 + __u32 new_mode = mode;
37196 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37198 + retval = new_mode;
37200 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
37201 + new_mode |= GR_INHERIT;
37203 + if (!(mode & GR_NOLEARN))
37204 + gr_log_learn(dentry, mnt, new_mode);
37211 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
37212 + const struct vfsmount * mnt, const __u32 mode)
37214 + struct name_entry *match;
37215 + struct acl_object_label *matchpo;
37216 + struct acl_subject_label *curracl;
37220 + if (unlikely(!(gr_status & GR_READY)))
37221 + return (mode & ~GR_AUDITS);
37223 + preempt_disable();
37224 + path = gr_to_filename_rbac(new_dentry, mnt);
37225 + match = lookup_name_entry_create(path);
37228 + goto check_parent;
37230 + curracl = current->acl;
37232 + read_lock(&gr_inode_lock);
37233 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
37234 + read_unlock(&gr_inode_lock);
37237 + if ((matchpo->mode & mode) !=
37238 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
37239 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37240 + __u32 new_mode = mode;
37242 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37244 + gr_log_learn(new_dentry, mnt, new_mode);
37246 + preempt_enable();
37249 + preempt_enable();
37250 + return (matchpo->mode & mode);
37254 + curracl = current->acl;
37256 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
37257 + retval = matchpo->mode & mode;
37259 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
37260 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
37261 + __u32 new_mode = mode;
37263 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37265 + gr_log_learn(new_dentry, mnt, new_mode);
37266 + preempt_enable();
37270 + preempt_enable();
37275 +gr_check_hidden_task(const struct task_struct *task)
37277 + if (unlikely(!(gr_status & GR_READY)))
37280 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
37287 +gr_check_protected_task(const struct task_struct *task)
37289 + if (unlikely(!(gr_status & GR_READY) || !task))
37292 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37293 + task->acl != current->acl)
37300 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
37302 + struct task_struct *p;
37305 + if (unlikely(!(gr_status & GR_READY) || !pid))
37308 + read_lock(&tasklist_lock);
37309 + do_each_pid_task(pid, type, p) {
37310 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37311 + p->acl != current->acl) {
37315 + } while_each_pid_task(pid, type, p);
37317 + read_unlock(&tasklist_lock);
37323 +gr_copy_label(struct task_struct *tsk)
37325 + tsk->signal->used_accept = 0;
37326 + tsk->acl_sp_role = 0;
37327 + tsk->acl_role_id = current->acl_role_id;
37328 + tsk->acl = current->acl;
37329 + tsk->role = current->role;
37330 + tsk->signal->curr_ip = current->signal->curr_ip;
37331 + tsk->signal->saved_ip = current->signal->saved_ip;
37332 + if (current->exec_file)
37333 + get_file(current->exec_file);
37334 + tsk->exec_file = current->exec_file;
37335 + tsk->is_writable = current->is_writable;
37336 + if (unlikely(current->signal->used_accept)) {
37337 + current->signal->curr_ip = 0;
37338 + current->signal->saved_ip = 0;
37345 +gr_set_proc_res(struct task_struct *task)
37347 + struct acl_subject_label *proc;
37348 + unsigned short i;
37350 + proc = task->acl;
37352 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
37355 + for (i = 0; i < RLIM_NLIMITS; i++) {
37356 + if (!(proc->resmask & (1 << i)))
37359 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
37360 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
37367 +gr_check_user_change(int real, int effective, int fs)
37374 + int effectiveok = 0;
37377 + if (unlikely(!(gr_status & GR_READY)))
37380 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37381 + gr_log_learn_id_change('u', real, effective, fs);
37383 + num = current->acl->user_trans_num;
37384 + uidlist = current->acl->user_transitions;
37386 + if (uidlist == NULL)
37391 + if (effective == -1)
37396 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
37397 + for (i = 0; i < num; i++) {
37398 + curuid = (int)uidlist[i];
37399 + if (real == curuid)
37401 + if (effective == curuid)
37403 + if (fs == curuid)
37406 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
37407 + for (i = 0; i < num; i++) {
37408 + curuid = (int)uidlist[i];
37409 + if (real == curuid)
37411 + if (effective == curuid)
37413 + if (fs == curuid)
37416 + /* not in deny list */
37424 + if (realok && effectiveok && fsok)
37427 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37433 +gr_check_group_change(int real, int effective, int fs)
37440 + int effectiveok = 0;
37443 + if (unlikely(!(gr_status & GR_READY)))
37446 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37447 + gr_log_learn_id_change('g', real, effective, fs);
37449 + num = current->acl->group_trans_num;
37450 + gidlist = current->acl->group_transitions;
37452 + if (gidlist == NULL)
37457 + if (effective == -1)
37462 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
37463 + for (i = 0; i < num; i++) {
37464 + curgid = (int)gidlist[i];
37465 + if (real == curgid)
37467 + if (effective == curgid)
37469 + if (fs == curgid)
37472 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
37473 + for (i = 0; i < num; i++) {
37474 + curgid = (int)gidlist[i];
37475 + if (real == curgid)
37477 + if (effective == curgid)
37479 + if (fs == curgid)
37482 + /* not in deny list */
37490 + if (realok && effectiveok && fsok)
37493 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37499 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
37501 + struct acl_role_label *role = task->role;
37502 + struct acl_subject_label *subj = NULL;
37503 + struct acl_object_label *obj;
37504 + struct file *filp;
37506 + if (unlikely(!(gr_status & GR_READY)))
37509 + filp = task->exec_file;
37511 + /* kernel process, we'll give them the kernel role */
37512 + if (unlikely(!filp)) {
37513 + task->role = kernel_role;
37514 + task->acl = kernel_role->root_label;
37516 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
37517 + role = lookup_acl_role_label(task, uid, gid);
37519 + /* perform subject lookup in possibly new role
37520 + we can use this result below in the case where role == task->role
37522 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
37524 + /* if we changed uid/gid, but result in the same role
37525 + and are using inheritance, don't lose the inherited subject
37526 + if current subject is other than what normal lookup
37527 + would result in, we arrived via inheritance, don't
37530 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
37531 + (subj == task->acl)))
37532 + task->acl = subj;
37534 + task->role = role;
37536 + task->is_writable = 0;
37538 + /* ignore additional mmap checks for processes that are writable
37539 + by the default ACL */
37540 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37541 + if (unlikely(obj->mode & GR_WRITE))
37542 + task->is_writable = 1;
37543 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37544 + if (unlikely(obj->mode & GR_WRITE))
37545 + task->is_writable = 1;
37547 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37548 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37551 + gr_set_proc_res(task);
37557 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
37558 + const int unsafe_share)
37560 + struct task_struct *task = current;
37561 + struct acl_subject_label *newacl;
37562 + struct acl_object_label *obj;
37565 + if (unlikely(!(gr_status & GR_READY)))
37568 + newacl = chk_subj_label(dentry, mnt, task->role);
37571 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
37572 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
37573 + !(task->role->roletype & GR_ROLE_GOD) &&
37574 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
37575 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
37576 + task_unlock(task);
37577 + if (unsafe_share)
37578 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
37580 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
37583 + task_unlock(task);
37585 + obj = chk_obj_label(dentry, mnt, task->acl);
37586 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
37588 + if (!(task->acl->mode & GR_INHERITLEARN) &&
37589 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
37591 + task->acl = obj->nested;
37593 + task->acl = newacl;
37594 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
37595 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
37597 + task->is_writable = 0;
37599 + /* ignore additional mmap checks for processes that are writable
37600 + by the default ACL */
37601 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
37602 + if (unlikely(obj->mode & GR_WRITE))
37603 + task->is_writable = 1;
37604 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
37605 + if (unlikely(obj->mode & GR_WRITE))
37606 + task->is_writable = 1;
37608 + gr_set_proc_res(task);
37610 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37611 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37616 +/* always called with valid inodev ptr */
37618 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
37620 + struct acl_object_label *matchpo;
37621 + struct acl_subject_label *matchps;
37622 + struct acl_subject_label *subj;
37623 + struct acl_role_label *role;
37626 + FOR_EACH_ROLE_START(role)
37627 + FOR_EACH_SUBJECT_START(role, subj, x)
37628 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
37629 + matchpo->mode |= GR_DELETED;
37630 + FOR_EACH_SUBJECT_END(subj,x)
37631 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37632 + if (subj->inode == ino && subj->device == dev)
37633 + subj->mode |= GR_DELETED;
37634 + FOR_EACH_NESTED_SUBJECT_END(subj)
37635 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
37636 + matchps->mode |= GR_DELETED;
37637 + FOR_EACH_ROLE_END(role)
37639 + inodev->nentry->deleted = 1;
37645 +gr_handle_delete(const ino_t ino, const dev_t dev)
37647 + struct inodev_entry *inodev;
37649 + if (unlikely(!(gr_status & GR_READY)))
37652 + write_lock(&gr_inode_lock);
37653 + inodev = lookup_inodev_entry(ino, dev);
37654 + if (inodev != NULL)
37655 + do_handle_delete(inodev, ino, dev);
37656 + write_unlock(&gr_inode_lock);
37662 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
37663 + const ino_t newinode, const dev_t newdevice,
37664 + struct acl_subject_label *subj)
37666 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
37667 + struct acl_object_label *match;
37669 + match = subj->obj_hash[index];
37671 + while (match && (match->inode != oldinode ||
37672 + match->device != olddevice ||
37673 + !(match->mode & GR_DELETED)))
37674 + match = match->next;
37676 + if (match && (match->inode == oldinode)
37677 + && (match->device == olddevice)
37678 + && (match->mode & GR_DELETED)) {
37679 + if (match->prev == NULL) {
37680 + subj->obj_hash[index] = match->next;
37681 + if (match->next != NULL)
37682 + match->next->prev = NULL;
37684 + match->prev->next = match->next;
37685 + if (match->next != NULL)
37686 + match->next->prev = match->prev;
37688 + match->prev = NULL;
37689 + match->next = NULL;
37690 + match->inode = newinode;
37691 + match->device = newdevice;
37692 + match->mode &= ~GR_DELETED;
37694 + insert_acl_obj_label(match, subj);
37701 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
37702 + const ino_t newinode, const dev_t newdevice,
37703 + struct acl_role_label *role)
37705 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
37706 + struct acl_subject_label *match;
37708 + match = role->subj_hash[index];
37710 + while (match && (match->inode != oldinode ||
37711 + match->device != olddevice ||
37712 + !(match->mode & GR_DELETED)))
37713 + match = match->next;
37715 + if (match && (match->inode == oldinode)
37716 + && (match->device == olddevice)
37717 + && (match->mode & GR_DELETED)) {
37718 + if (match->prev == NULL) {
37719 + role->subj_hash[index] = match->next;
37720 + if (match->next != NULL)
37721 + match->next->prev = NULL;
37723 + match->prev->next = match->next;
37724 + if (match->next != NULL)
37725 + match->next->prev = match->prev;
37727 + match->prev = NULL;
37728 + match->next = NULL;
37729 + match->inode = newinode;
37730 + match->device = newdevice;
37731 + match->mode &= ~GR_DELETED;
37733 + insert_acl_subj_label(match, role);
37740 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
37741 + const ino_t newinode, const dev_t newdevice)
37743 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
37744 + struct inodev_entry *match;
37746 + match = inodev_set.i_hash[index];
37748 + while (match && (match->nentry->inode != oldinode ||
37749 + match->nentry->device != olddevice || !match->nentry->deleted))
37750 + match = match->next;
37752 + if (match && (match->nentry->inode == oldinode)
37753 + && (match->nentry->device == olddevice) &&
37754 + match->nentry->deleted) {
37755 + if (match->prev == NULL) {
37756 + inodev_set.i_hash[index] = match->next;
37757 + if (match->next != NULL)
37758 + match->next->prev = NULL;
37760 + match->prev->next = match->next;
37761 + if (match->next != NULL)
37762 + match->next->prev = match->prev;
37764 + match->prev = NULL;
37765 + match->next = NULL;
37766 + match->nentry->inode = newinode;
37767 + match->nentry->device = newdevice;
37768 + match->nentry->deleted = 0;
37770 + insert_inodev_entry(match);
37777 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
37778 + const struct vfsmount *mnt)
37780 + struct acl_subject_label *subj;
37781 + struct acl_role_label *role;
37783 + ino_t ino = dentry->d_inode->i_ino;
37784 + dev_t dev = __get_dev(dentry);
37786 + FOR_EACH_ROLE_START(role)
37787 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
37789 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37790 + if ((subj->inode == ino) && (subj->device == dev)) {
37791 + subj->inode = ino;
37792 + subj->device = dev;
37794 + FOR_EACH_NESTED_SUBJECT_END(subj)
37795 + FOR_EACH_SUBJECT_START(role, subj, x)
37796 + update_acl_obj_label(matchn->inode, matchn->device,
37798 + FOR_EACH_SUBJECT_END(subj,x)
37799 + FOR_EACH_ROLE_END(role)
37801 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
37807 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
37809 + struct name_entry *matchn;
37811 + if (unlikely(!(gr_status & GR_READY)))
37814 + preempt_disable();
37815 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
37817 + if (unlikely((unsigned long)matchn)) {
37818 + write_lock(&gr_inode_lock);
37819 + do_handle_create(matchn, dentry, mnt);
37820 + write_unlock(&gr_inode_lock);
37822 + preempt_enable();
37828 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37829 + struct dentry *old_dentry,
37830 + struct dentry *new_dentry,
37831 + struct vfsmount *mnt, const __u8 replace)
37833 + struct name_entry *matchn;
37834 + struct inodev_entry *inodev;
37835 + ino_t old_ino = old_dentry->d_inode->i_ino;
37836 + dev_t old_dev = __get_dev(old_dentry);
37838 + /* vfs_rename swaps the name and parent link for old_dentry and
37840 + at this point, old_dentry has the new name, parent link, and inode
37841 + for the renamed file
37842 + if a file is being replaced by a rename, new_dentry has the inode
37843 + and name for the replaced file
37846 + if (unlikely(!(gr_status & GR_READY)))
37849 + preempt_disable();
37850 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
37852 + /* we wouldn't have to check d_inode if it weren't for
37853 + NFS silly-renaming
37856 + write_lock(&gr_inode_lock);
37857 + if (unlikely(replace && new_dentry->d_inode)) {
37858 + ino_t new_ino = new_dentry->d_inode->i_ino;
37859 + dev_t new_dev = __get_dev(new_dentry);
37861 + inodev = lookup_inodev_entry(new_ino, new_dev);
37862 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
37863 + do_handle_delete(inodev, new_ino, new_dev);
37866 + inodev = lookup_inodev_entry(old_ino, old_dev);
37867 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
37868 + do_handle_delete(inodev, old_ino, old_dev);
37870 + if (unlikely((unsigned long)matchn))
37871 + do_handle_create(matchn, old_dentry, mnt);
37873 + write_unlock(&gr_inode_lock);
37874 + preempt_enable();
37880 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
37881 + unsigned char **sum)
37883 + struct acl_role_label *r;
37884 + struct role_allowed_ip *ipp;
37885 + struct role_transition *trans;
37888 + u32 curr_ip = current->signal->curr_ip;
37890 + current->signal->saved_ip = curr_ip;
37892 + /* check transition table */
37894 + for (trans = current->role->transitions; trans; trans = trans->next) {
37895 + if (!strcmp(rolename, trans->rolename)) {
37904 + /* handle special roles that do not require authentication
37907 + FOR_EACH_ROLE_START(r)
37908 + if (!strcmp(rolename, r->rolename) &&
37909 + (r->roletype & GR_ROLE_SPECIAL)) {
37911 + if (r->allowed_ips != NULL) {
37912 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
37913 + if ((ntohl(curr_ip) & ipp->netmask) ==
37914 + (ntohl(ipp->addr) & ipp->netmask))
37922 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
37923 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
37929 + FOR_EACH_ROLE_END(r)
37931 + for (i = 0; i < num_sprole_pws; i++) {
37932 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
37933 + *salt = acl_special_roles[i]->salt;
37934 + *sum = acl_special_roles[i]->sum;
37943 +assign_special_role(char *rolename)
37945 + struct acl_object_label *obj;
37946 + struct acl_role_label *r;
37947 + struct acl_role_label *assigned = NULL;
37948 + struct task_struct *tsk;
37949 + struct file *filp;
37951 + FOR_EACH_ROLE_START(r)
37952 + if (!strcmp(rolename, r->rolename) &&
37953 + (r->roletype & GR_ROLE_SPECIAL)) {
37957 + FOR_EACH_ROLE_END(r)
37962 + read_lock(&tasklist_lock);
37963 + read_lock(&grsec_exec_file_lock);
37965 + tsk = current->real_parent;
37969 + filp = tsk->exec_file;
37970 + if (filp == NULL)
37973 + tsk->is_writable = 0;
37975 + tsk->acl_sp_role = 1;
37976 + tsk->acl_role_id = ++acl_sp_role_value;
37977 + tsk->role = assigned;
37978 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
37980 + /* ignore additional mmap checks for processes that are writable
37981 + by the default ACL */
37982 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37983 + if (unlikely(obj->mode & GR_WRITE))
37984 + tsk->is_writable = 1;
37985 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
37986 + if (unlikely(obj->mode & GR_WRITE))
37987 + tsk->is_writable = 1;
37989 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37990 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
37994 + read_unlock(&grsec_exec_file_lock);
37995 + read_unlock(&tasklist_lock);
37999 +int gr_check_secure_terminal(struct task_struct *task)
38001 + struct task_struct *p, *p2, *p3;
38002 + struct files_struct *files;
38003 + struct fdtable *fdt;
38004 + struct file *our_file = NULL, *file;
38007 + if (task->signal->tty == NULL)
38010 + files = get_files_struct(task);
38011 + if (files != NULL) {
38013 + fdt = files_fdtable(files);
38014 + for (i=0; i < fdt->max_fds; i++) {
38015 + file = fcheck_files(files, i);
38016 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
38021 + rcu_read_unlock();
38022 + put_files_struct(files);
38025 + if (our_file == NULL)
38028 + read_lock(&tasklist_lock);
38029 + do_each_thread(p2, p) {
38030 + files = get_files_struct(p);
38031 + if (files == NULL ||
38032 + (p->signal && p->signal->tty == task->signal->tty)) {
38033 + if (files != NULL)
38034 + put_files_struct(files);
38038 + fdt = files_fdtable(files);
38039 + for (i=0; i < fdt->max_fds; i++) {
38040 + file = fcheck_files(files, i);
38041 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
38042 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
38044 + while (p3->pid > 0) {
38047 + p3 = p3->real_parent;
38051 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
38052 + gr_handle_alertkill(p);
38053 + rcu_read_unlock();
38054 + put_files_struct(files);
38055 + read_unlock(&tasklist_lock);
38060 + rcu_read_unlock();
38061 + put_files_struct(files);
38062 + } while_each_thread(p2, p);
38063 + read_unlock(&tasklist_lock);
38070 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
38072 + struct gr_arg_wrapper uwrap;
38073 + unsigned char *sprole_salt = NULL;
38074 + unsigned char *sprole_sum = NULL;
38075 + int error = sizeof (struct gr_arg_wrapper);
38078 + mutex_lock(&gr_dev_mutex);
38080 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
38085 + if (count != sizeof (struct gr_arg_wrapper)) {
38086 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
38092 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
38093 + gr_auth_expires = 0;
38094 + gr_auth_attempts = 0;
38097 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
38102 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
38107 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
38112 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
38113 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
38114 + time_after(gr_auth_expires, get_seconds())) {
38119 + /* if non-root trying to do anything other than use a special role,
38120 + do not attempt authentication, do not count towards authentication
38124 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
38125 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
38131 + /* ensure pw and special role name are null terminated */
38133 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
38134 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
38137 + * We have our enough of the argument structure..(we have yet
38138 + * to copy_from_user the tables themselves) . Copy the tables
38139 + * only if we need them, i.e. for loading operations. */
38141 + switch (gr_usermode->mode) {
38143 + if (gr_status & GR_READY) {
38145 + if (!gr_check_secure_terminal(current))
38150 + case GR_SHUTDOWN:
38151 + if ((gr_status & GR_READY)
38152 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38153 + pax_open_kernel();
38154 + gr_status &= ~GR_READY;
38155 + pax_close_kernel();
38157 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
38158 + free_variables();
38159 + memset(gr_usermode, 0, sizeof (struct gr_arg));
38160 + memset(gr_system_salt, 0, GR_SALT_LEN);
38161 + memset(gr_system_sum, 0, GR_SHA_LEN);
38162 + } else if (gr_status & GR_READY) {
38163 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
38166 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
38171 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
38172 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
38174 + if (gr_status & GR_READY)
38178 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
38182 + if (!(gr_status & GR_READY)) {
38183 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
38185 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38186 + preempt_disable();
38188 + pax_open_kernel();
38189 + gr_status &= ~GR_READY;
38190 + pax_close_kernel();
38192 + free_variables();
38193 + if (!(error2 = gracl_init(gr_usermode))) {
38194 + preempt_enable();
38195 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
38197 + preempt_enable();
38199 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38202 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38207 + if (unlikely(!(gr_status & GR_READY))) {
38208 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
38213 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38214 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
38215 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
38216 + struct acl_subject_label *segvacl;
38218 + lookup_acl_subj_label(gr_usermode->segv_inode,
38219 + gr_usermode->segv_device,
38222 + segvacl->crashes = 0;
38223 + segvacl->expires = 0;
38225 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
38226 + gr_remove_uid(gr_usermode->segv_uid);
38229 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
38234 + case GR_SPROLEPAM:
38235 + if (unlikely(!(gr_status & GR_READY))) {
38236 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
38241 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
38242 + current->role->expires = 0;
38243 + current->role->auth_attempts = 0;
38246 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
38247 + time_after(current->role->expires, get_seconds())) {
38252 + if (lookup_special_role_auth
38253 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
38254 + && ((!sprole_salt && !sprole_sum)
38255 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
38257 + assign_special_role(gr_usermode->sp_role);
38258 + read_lock(&tasklist_lock);
38259 + if (current->real_parent)
38260 + p = current->real_parent->role->rolename;
38261 + read_unlock(&tasklist_lock);
38262 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
38263 + p, acl_sp_role_value);
38265 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
38267 + if(!(current->role->auth_attempts++))
38268 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38273 + case GR_UNSPROLE:
38274 + if (unlikely(!(gr_status & GR_READY))) {
38275 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
38280 + if (current->role->roletype & GR_ROLE_SPECIAL) {
38284 + read_lock(&tasklist_lock);
38285 + if (current->real_parent) {
38286 + p = current->real_parent->role->rolename;
38287 + i = current->real_parent->acl_role_id;
38289 + read_unlock(&tasklist_lock);
38291 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
38299 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
38304 + if (error != -EPERM)
38307 + if(!(gr_auth_attempts++))
38308 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38311 + mutex_unlock(&gr_dev_mutex);
38315 +/* must be called with
38317 + read_lock(&tasklist_lock);
38318 + read_lock(&grsec_exec_file_lock);
38320 +int gr_apply_subject_to_task(struct task_struct *task)
38322 + struct acl_object_label *obj;
38324 + struct acl_subject_label *tmpsubj;
38325 + struct file *filp;
38326 + struct name_entry *nmatch;
38328 + filp = task->exec_file;
38329 + if (filp == NULL)
38332 + /* the following is to apply the correct subject
38333 + on binaries running when the RBAC system
38334 + is enabled, when the binaries have been
38335 + replaced or deleted since their execution
38337 + when the RBAC system starts, the inode/dev
38338 + from exec_file will be one the RBAC system
38339 + is unaware of. It only knows the inode/dev
38340 + of the present file on disk, or the absence
38343 + preempt_disable();
38344 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
38346 + nmatch = lookup_name_entry(tmpname);
38347 + preempt_enable();
38350 + if (nmatch->deleted)
38351 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
38353 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
38354 + if (tmpsubj != NULL)
38355 + task->acl = tmpsubj;
38357 + if (tmpsubj == NULL)
38358 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
38361 + struct acl_subject_label *curr;
38362 + curr = task->acl;
38364 + task->is_writable = 0;
38365 + /* ignore additional mmap checks for processes that are writable
38366 + by the default ACL */
38367 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38368 + if (unlikely(obj->mode & GR_WRITE))
38369 + task->is_writable = 1;
38370 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38371 + if (unlikely(obj->mode & GR_WRITE))
38372 + task->is_writable = 1;
38374 + gr_set_proc_res(task);
38376 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
38377 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38387 +gr_set_acls(const int type)
38389 + struct task_struct *task, *task2;
38390 + struct acl_role_label *role = current->role;
38391 + __u16 acl_role_id = current->acl_role_id;
38392 + const struct cred *cred;
38396 + read_lock(&tasklist_lock);
38397 + read_lock(&grsec_exec_file_lock);
38398 + do_each_thread(task2, task) {
38399 + /* check to see if we're called from the exit handler,
38400 + if so, only replace ACLs that have inherited the admin
38403 + if (type && (task->role != role ||
38404 + task->acl_role_id != acl_role_id))
38407 + task->acl_role_id = 0;
38408 + task->acl_sp_role = 0;
38410 + if (task->exec_file) {
38411 + cred = __task_cred(task);
38412 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
38413 + ret = gr_apply_subject_to_task(task);
38415 + read_unlock(&grsec_exec_file_lock);
38416 + read_unlock(&tasklist_lock);
38417 + rcu_read_unlock();
38418 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
38422 + // it's a kernel process
38423 + task->role = kernel_role;
38424 + task->acl = kernel_role->root_label;
38425 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
38426 + task->acl->mode &= ~GR_PROCFIND;
38429 + } while_each_thread(task2, task);
38430 + read_unlock(&grsec_exec_file_lock);
38431 + read_unlock(&tasklist_lock);
38432 + rcu_read_unlock();
38438 +gr_learn_resource(const struct task_struct *task,
38439 + const int res, const unsigned long wanted, const int gt)
38441 + struct acl_subject_label *acl;
38442 + const struct cred *cred;
38444 + if (unlikely((gr_status & GR_READY) &&
38445 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
38446 + goto skip_reslog;
38448 +#ifdef CONFIG_GRKERNSEC_RESLOG
38449 + gr_log_resource(task, res, wanted, gt);
38453 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
38458 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
38459 + !(acl->resmask & (1 << (unsigned short) res))))
38462 + if (wanted >= acl->res[res].rlim_cur) {
38463 + unsigned long res_add;
38465 + res_add = wanted;
38468 + res_add += GR_RLIM_CPU_BUMP;
38470 + case RLIMIT_FSIZE:
38471 + res_add += GR_RLIM_FSIZE_BUMP;
38473 + case RLIMIT_DATA:
38474 + res_add += GR_RLIM_DATA_BUMP;
38476 + case RLIMIT_STACK:
38477 + res_add += GR_RLIM_STACK_BUMP;
38479 + case RLIMIT_CORE:
38480 + res_add += GR_RLIM_CORE_BUMP;
38483 + res_add += GR_RLIM_RSS_BUMP;
38485 + case RLIMIT_NPROC:
38486 + res_add += GR_RLIM_NPROC_BUMP;
38488 + case RLIMIT_NOFILE:
38489 + res_add += GR_RLIM_NOFILE_BUMP;
38491 + case RLIMIT_MEMLOCK:
38492 + res_add += GR_RLIM_MEMLOCK_BUMP;
38495 + res_add += GR_RLIM_AS_BUMP;
38497 + case RLIMIT_LOCKS:
38498 + res_add += GR_RLIM_LOCKS_BUMP;
38500 + case RLIMIT_SIGPENDING:
38501 + res_add += GR_RLIM_SIGPENDING_BUMP;
38503 + case RLIMIT_MSGQUEUE:
38504 + res_add += GR_RLIM_MSGQUEUE_BUMP;
38506 + case RLIMIT_NICE:
38507 + res_add += GR_RLIM_NICE_BUMP;
38509 + case RLIMIT_RTPRIO:
38510 + res_add += GR_RLIM_RTPRIO_BUMP;
38512 + case RLIMIT_RTTIME:
38513 + res_add += GR_RLIM_RTTIME_BUMP;
38517 + acl->res[res].rlim_cur = res_add;
38519 + if (wanted > acl->res[res].rlim_max)
38520 + acl->res[res].rlim_max = res_add;
38522 + /* only log the subject filename, since resource logging is supported for
38523 + single-subject learning only */
38525 + cred = __task_cred(task);
38526 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38527 + task->role->roletype, cred->uid, cred->gid, acl->filename,
38528 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
38529 + "", (unsigned long) res, &task->signal->saved_ip);
38530 + rcu_read_unlock();
38536 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
38538 +pax_set_initial_flags(struct linux_binprm *bprm)
38540 + struct task_struct *task = current;
38541 + struct acl_subject_label *proc;
38542 + unsigned long flags;
38544 + if (unlikely(!(gr_status & GR_READY)))
38547 + flags = pax_get_flags(task);
38549 + proc = task->acl;
38551 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
38552 + flags &= ~MF_PAX_PAGEEXEC;
38553 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
38554 + flags &= ~MF_PAX_SEGMEXEC;
38555 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
38556 + flags &= ~MF_PAX_RANDMMAP;
38557 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
38558 + flags &= ~MF_PAX_EMUTRAMP;
38559 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
38560 + flags &= ~MF_PAX_MPROTECT;
38562 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
38563 + flags |= MF_PAX_PAGEEXEC;
38564 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
38565 + flags |= MF_PAX_SEGMEXEC;
38566 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
38567 + flags |= MF_PAX_RANDMMAP;
38568 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
38569 + flags |= MF_PAX_EMUTRAMP;
38570 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
38571 + flags |= MF_PAX_MPROTECT;
38573 + pax_set_flags(task, flags);
38579 +#ifdef CONFIG_SYSCTL
38580 +/* Eric Biederman likes breaking userland ABI and every inode-based security
38581 + system to save 35kb of memory */
38583 +/* we modify the passed in filename, but adjust it back before returning */
38584 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
38586 + struct name_entry *nmatch;
38587 + char *p, *lastp = NULL;
38588 + struct acl_object_label *obj = NULL, *tmp;
38589 + struct acl_subject_label *tmpsubj;
38592 + read_lock(&gr_inode_lock);
38594 + p = name + len - 1;
38596 + nmatch = lookup_name_entry(name);
38597 + if (lastp != NULL)
38600 + if (nmatch == NULL)
38601 + goto next_component;
38602 + tmpsubj = current->acl;
38604 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
38605 + if (obj != NULL) {
38606 + tmp = obj->globbed;
38608 + if (!glob_match(tmp->filename, name)) {
38616 + } while ((tmpsubj = tmpsubj->parent_subject));
38622 + while (*p != '/')
38634 + read_unlock(&gr_inode_lock);
38635 + /* obj returned will always be non-null */
38639 +/* returns 0 when allowing, non-zero on error
38640 + op of 0 is used for readdir, so we don't log the names of hidden files
38643 +gr_handle_sysctl(const struct ctl_table *table, const int op)
38645 + struct ctl_table *tmp;
38646 + const char *proc_sys = "/proc/sys";
38648 + struct acl_object_label *obj;
38649 + unsigned short len = 0, pos = 0, depth = 0, i;
38653 + if (unlikely(!(gr_status & GR_READY)))
38656 + /* for now, ignore operations on non-sysctl entries if it's not a
38658 + if (table->child != NULL && op != 0)
38662 + /* it's only a read if it's an entry, read on dirs is for readdir */
38663 + if (op & MAY_READ)
38665 + if (op & MAY_WRITE)
38666 + mode |= GR_WRITE;
38668 + preempt_disable();
38670 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
38672 + /* it's only a read/write if it's an actual entry, not a dir
38673 + (which are opened for readdir)
38676 + /* convert the requested sysctl entry into a pathname */
38678 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38679 + len += strlen(tmp->procname);
38684 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
38689 + memset(path, 0, PAGE_SIZE);
38691 + memcpy(path, proc_sys, strlen(proc_sys));
38693 + pos += strlen(proc_sys);
38695 + for (; depth > 0; depth--) {
38698 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38699 + if (depth == i) {
38700 + memcpy(path + pos, tmp->procname,
38701 + strlen(tmp->procname));
38702 + pos += strlen(tmp->procname);
38708 + obj = gr_lookup_by_name(path, pos);
38709 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
38711 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
38712 + ((err & mode) != mode))) {
38713 + __u32 new_mode = mode;
38715 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38718 + gr_log_learn_sysctl(path, new_mode);
38719 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
38720 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
38722 + } else if (!(err & GR_FIND)) {
38724 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
38725 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
38726 + path, (mode & GR_READ) ? " reading" : "",
38727 + (mode & GR_WRITE) ? " writing" : "");
38729 + } else if ((err & mode) != mode) {
38731 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
38732 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
38733 + path, (mode & GR_READ) ? " reading" : "",
38734 + (mode & GR_WRITE) ? " writing" : "");
38740 + preempt_enable();
38747 +gr_handle_proc_ptrace(struct task_struct *task)
38749 + struct file *filp;
38750 + struct task_struct *tmp = task;
38751 + struct task_struct *curtemp = current;
38754 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38755 + if (unlikely(!(gr_status & GR_READY)))
38759 + read_lock(&tasklist_lock);
38760 + read_lock(&grsec_exec_file_lock);
38761 + filp = task->exec_file;
38763 + while (tmp->pid > 0) {
38764 + if (tmp == curtemp)
38766 + tmp = tmp->real_parent;
38769 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38770 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
38771 + read_unlock(&grsec_exec_file_lock);
38772 + read_unlock(&tasklist_lock);
38776 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38777 + if (!(gr_status & GR_READY)) {
38778 + read_unlock(&grsec_exec_file_lock);
38779 + read_unlock(&tasklist_lock);
38784 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
38785 + read_unlock(&grsec_exec_file_lock);
38786 + read_unlock(&tasklist_lock);
38788 + if (retmode & GR_NOPTRACE)
38791 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
38792 + && (current->acl != task->acl || (current->acl != current->role->root_label
38793 + && current->pid != task->pid)))
38799 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
38801 + if (unlikely(!(gr_status & GR_READY)))
38804 + if (!(current->role->roletype & GR_ROLE_GOD))
38807 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
38808 + p->role->rolename, gr_task_roletype_to_char(p),
38809 + p->acl->filename);
38813 +gr_handle_ptrace(struct task_struct *task, const long request)
38815 + struct task_struct *tmp = task;
38816 + struct task_struct *curtemp = current;
38819 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38820 + if (unlikely(!(gr_status & GR_READY)))
38824 + read_lock(&tasklist_lock);
38825 + while (tmp->pid > 0) {
38826 + if (tmp == curtemp)
38828 + tmp = tmp->real_parent;
38831 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38832 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
38833 + read_unlock(&tasklist_lock);
38834 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38837 + read_unlock(&tasklist_lock);
38839 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38840 + if (!(gr_status & GR_READY))
38844 + read_lock(&grsec_exec_file_lock);
38845 + if (unlikely(!task->exec_file)) {
38846 + read_unlock(&grsec_exec_file_lock);
38850 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
38851 + read_unlock(&grsec_exec_file_lock);
38853 + if (retmode & GR_NOPTRACE) {
38854 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38858 + if (retmode & GR_PTRACERD) {
38859 + switch (request) {
38860 + case PTRACE_POKETEXT:
38861 + case PTRACE_POKEDATA:
38862 + case PTRACE_POKEUSR:
38863 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
38864 + case PTRACE_SETREGS:
38865 + case PTRACE_SETFPREGS:
38868 + case PTRACE_SETFPXREGS:
38870 +#ifdef CONFIG_ALTIVEC
38871 + case PTRACE_SETVRREGS:
38877 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
38878 + !(current->role->roletype & GR_ROLE_GOD) &&
38879 + (current->acl != task->acl)) {
38880 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38887 +static int is_writable_mmap(const struct file *filp)
38889 + struct task_struct *task = current;
38890 + struct acl_object_label *obj, *obj2;
38892 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
38893 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
38894 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38895 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
38896 + task->role->root_label);
38897 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
38898 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
38906 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
38910 + if (unlikely(!file || !(prot & PROT_EXEC)))
38913 + if (is_writable_mmap(file))
38917 + gr_search_file(file->f_path.dentry,
38918 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38919 + file->f_path.mnt);
38921 + if (!gr_tpe_allow(file))
38924 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38925 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38927 + } else if (unlikely(!(mode & GR_EXEC))) {
38929 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38930 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38938 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38942 + if (unlikely(!file || !(prot & PROT_EXEC)))
38945 + if (is_writable_mmap(file))
38949 + gr_search_file(file->f_path.dentry,
38950 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38951 + file->f_path.mnt);
38953 + if (!gr_tpe_allow(file))
38956 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38957 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38959 + } else if (unlikely(!(mode & GR_EXEC))) {
38961 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38962 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38970 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38972 + unsigned long runtime;
38973 + unsigned long cputime;
38974 + unsigned int wday, cday;
38978 + struct timespec timeval;
38980 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
38981 + !(task->acl->mode & GR_PROCACCT)))
38984 + do_posix_clock_monotonic_gettime(&timeval);
38985 + runtime = timeval.tv_sec - task->start_time.tv_sec;
38986 + wday = runtime / (3600 * 24);
38987 + runtime -= wday * (3600 * 24);
38988 + whr = runtime / 3600;
38989 + runtime -= whr * 3600;
38990 + wmin = runtime / 60;
38991 + runtime -= wmin * 60;
38994 + cputime = (task->utime + task->stime) / HZ;
38995 + cday = cputime / (3600 * 24);
38996 + cputime -= cday * (3600 * 24);
38997 + chr = cputime / 3600;
38998 + cputime -= chr * 3600;
38999 + cmin = cputime / 60;
39000 + cputime -= cmin * 60;
39003 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
39008 +void gr_set_kernel_label(struct task_struct *task)
39010 + if (gr_status & GR_READY) {
39011 + task->role = kernel_role;
39012 + task->acl = kernel_role->root_label;
39017 +#ifdef CONFIG_TASKSTATS
39018 +int gr_is_taskstats_denied(int pid)
39020 + struct task_struct *task;
39021 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39022 + const struct cred *cred;
39026 + /* restrict taskstats viewing to un-chrooted root users
39027 + who have the 'view' subject flag if the RBAC system is enabled
39031 + read_lock(&tasklist_lock);
39032 + task = find_task_by_vpid(pid);
39034 +#ifdef CONFIG_GRKERNSEC_CHROOT
39035 + if (proc_is_chrooted(task))
39038 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39039 + cred = __task_cred(task);
39040 +#ifdef CONFIG_GRKERNSEC_PROC_USER
39041 + if (cred->uid != 0)
39043 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
39044 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
39048 + if (gr_status & GR_READY) {
39049 + if (!(task->acl->mode & GR_VIEW))
39055 + read_unlock(&tasklist_lock);
39056 + rcu_read_unlock();
39062 +/* AUXV entries are filled via a descendant of search_binary_handler
39063 + after we've already applied the subject for the target
39065 +int gr_acl_enable_at_secure(void)
39067 + if (unlikely(!(gr_status & GR_READY)))
39070 + if (current->acl->mode & GR_ATSECURE)
39076 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
39078 + struct task_struct *task = current;
39079 + struct dentry *dentry = file->f_path.dentry;
39080 + struct vfsmount *mnt = file->f_path.mnt;
39081 + struct acl_object_label *obj, *tmp;
39082 + struct acl_subject_label *subj;
39083 + unsigned int bufsize;
39086 + dev_t dev = __get_dev(dentry);
39088 + if (unlikely(!(gr_status & GR_READY)))
39091 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
39094 + /* ignore Eric Biederman */
39095 + if (IS_PRIVATE(dentry->d_inode))
39098 + subj = task->acl;
39100 + obj = lookup_acl_obj_label(ino, dev, subj);
39102 + return (obj->mode & GR_FIND) ? 1 : 0;
39103 + } while ((subj = subj->parent_subject));
39105 + /* this is purely an optimization since we're looking for an object
39106 + for the directory we're doing a readdir on
39107 + if it's possible for any globbed object to match the entry we're
39108 + filling into the directory, then the object we find here will be
39109 + an anchor point with attached globbed objects
39111 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
39112 + if (obj->globbed == NULL)
39113 + return (obj->mode & GR_FIND) ? 1 : 0;
39115 + is_not_root = ((obj->filename[0] == '/') &&
39116 + (obj->filename[1] == '\0')) ? 0 : 1;
39117 + bufsize = PAGE_SIZE - namelen - is_not_root;
39119 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
39120 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
39123 + preempt_disable();
39124 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
39127 + bufsize = strlen(path);
39129 + /* if base is "/", don't append an additional slash */
39131 + *(path + bufsize) = '/';
39132 + memcpy(path + bufsize + is_not_root, name, namelen);
39133 + *(path + bufsize + namelen + is_not_root) = '\0';
39135 + tmp = obj->globbed;
39137 + if (!glob_match(tmp->filename, path)) {
39138 + preempt_enable();
39139 + return (tmp->mode & GR_FIND) ? 1 : 0;
39143 + preempt_enable();
39144 + return (obj->mode & GR_FIND) ? 1 : 0;
39147 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
39148 +EXPORT_SYMBOL(gr_acl_is_enabled);
39150 +EXPORT_SYMBOL(gr_learn_resource);
39151 +EXPORT_SYMBOL(gr_set_kernel_label);
39152 +#ifdef CONFIG_SECURITY
39153 +EXPORT_SYMBOL(gr_check_user_change);
39154 +EXPORT_SYMBOL(gr_check_group_change);
39157 diff -urNp linux-2.6.38.1/grsecurity/gracl_cap.c linux-2.6.38.1/grsecurity/gracl_cap.c
39158 --- linux-2.6.38.1/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
39159 +++ linux-2.6.38.1/grsecurity/gracl_cap.c 2011-03-21 20:22:36.000000000 -0400
39161 +#include <linux/kernel.h>
39162 +#include <linux/module.h>
39163 +#include <linux/sched.h>
39164 +#include <linux/gracl.h>
39165 +#include <linux/grsecurity.h>
39166 +#include <linux/grinternal.h>
39168 +static const char *captab_log[] = {
39170 + "CAP_DAC_OVERRIDE",
39171 + "CAP_DAC_READ_SEARCH",
39178 + "CAP_LINUX_IMMUTABLE",
39179 + "CAP_NET_BIND_SERVICE",
39180 + "CAP_NET_BROADCAST",
39185 + "CAP_SYS_MODULE",
39187 + "CAP_SYS_CHROOT",
39188 + "CAP_SYS_PTRACE",
39193 + "CAP_SYS_RESOURCE",
39195 + "CAP_SYS_TTY_CONFIG",
39198 + "CAP_AUDIT_WRITE",
39199 + "CAP_AUDIT_CONTROL",
39201 + "CAP_MAC_OVERRIDE",
39206 +EXPORT_SYMBOL(gr_is_capable);
39207 +EXPORT_SYMBOL(gr_is_capable_nolog);
39210 +gr_is_capable(const int cap)
39212 + struct task_struct *task = current;
39213 + const struct cred *cred = current_cred();
39214 + struct acl_subject_label *curracl;
39215 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39216 + kernel_cap_t cap_audit = __cap_empty_set;
39218 + if (!gr_acl_is_enabled())
39221 + curracl = task->acl;
39223 + cap_drop = curracl->cap_lower;
39224 + cap_mask = curracl->cap_mask;
39225 + cap_audit = curracl->cap_invert_audit;
39227 + while ((curracl = curracl->parent_subject)) {
39228 + /* if the cap isn't specified in the current computed mask but is specified in the
39229 + current level subject, and is lowered in the current level subject, then add
39230 + it to the set of dropped capabilities
39231 + otherwise, add the current level subject's mask to the current computed mask
39233 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39234 + cap_raise(cap_mask, cap);
39235 + if (cap_raised(curracl->cap_lower, cap))
39236 + cap_raise(cap_drop, cap);
39237 + if (cap_raised(curracl->cap_invert_audit, cap))
39238 + cap_raise(cap_audit, cap);
39242 + if (!cap_raised(cap_drop, cap)) {
39243 + if (cap_raised(cap_audit, cap))
39244 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
39248 + curracl = task->acl;
39250 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
39251 + && cap_raised(cred->cap_effective, cap)) {
39252 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
39253 + task->role->roletype, cred->uid,
39254 + cred->gid, task->exec_file ?
39255 + gr_to_filename(task->exec_file->f_path.dentry,
39256 + task->exec_file->f_path.mnt) : curracl->filename,
39257 + curracl->filename, 0UL,
39258 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
39262 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
39263 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
39268 +gr_is_capable_nolog(const int cap)
39270 + struct acl_subject_label *curracl;
39271 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39273 + if (!gr_acl_is_enabled())
39276 + curracl = current->acl;
39278 + cap_drop = curracl->cap_lower;
39279 + cap_mask = curracl->cap_mask;
39281 + while ((curracl = curracl->parent_subject)) {
39282 + /* if the cap isn't specified in the current computed mask but is specified in the
39283 + current level subject, and is lowered in the current level subject, then add
39284 + it to the set of dropped capabilities
39285 + otherwise, add the current level subject's mask to the current computed mask
39287 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39288 + cap_raise(cap_mask, cap);
39289 + if (cap_raised(curracl->cap_lower, cap))
39290 + cap_raise(cap_drop, cap);
39294 + if (!cap_raised(cap_drop, cap))
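Review bot: The audit-log path in gr_is_capable (`gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap])`) indexes the hand-maintained captab_log table with no range check, while the deny-log path a few lines later does guard with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`; the two paths should agree, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. If every caller is known to pass a cap_valid() value this is defensive only, but captab_log is a separate string list that can drift from CAP_LAST_CAP when new capabilities are added, so the bound is worth keeping on both log sites (a compile-time size assertion against CAP_LAST_CAP would catch drift earlier). The parent_subject walk that computes cap_mask/cap_drop is duplicated verbatim between gr_is_capable and gr_is_capable_nolog; a single static helper returning the computed drop set would keep the two from diverging, and the initialisers `= __cap_empty_set` on cap_drop/cap_mask are dead since both are overwritten before use. The comment above the walk says the subject's mask is added "otherwise", but there is no else branch, so it presumably means the cap is merged only when the current subject defines it — worth rewording to match the code.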
39300 diff -urNp linux-2.6.38.1/grsecurity/gracl_fs.c linux-2.6.38.1/grsecurity/gracl_fs.c
39301 --- linux-2.6.38.1/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
39302 +++ linux-2.6.38.1/grsecurity/gracl_fs.c 2011-03-26 14:32:42.000000000 -0400
39304 +#include <linux/kernel.h>
39305 +#include <linux/sched.h>
39306 +#include <linux/types.h>
39307 +#include <linux/fs.h>
39308 +#include <linux/file.h>
39309 +#include <linux/stat.h>
39310 +#include <linux/grsecurity.h>
39311 +#include <linux/grinternal.h>
39312 +#include <linux/gracl.h>
39315 +gr_acl_handle_hidden_file(const struct dentry * dentry,
39316 + const struct vfsmount * mnt)
39320 + if (unlikely(!dentry->d_inode))
39324 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
39326 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
39327 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39329 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
39330 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39332 + } else if (unlikely(!(mode & GR_FIND)))
39339 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
39342 + __u32 reqmode = GR_FIND;
39345 + if (unlikely(!dentry->d_inode))
39348 + if (unlikely(fmode & O_APPEND))
39349 + reqmode |= GR_APPEND;
39350 + else if (unlikely(fmode & FMODE_WRITE))
39351 + reqmode |= GR_WRITE;
39352 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39353 + reqmode |= GR_READ;
39354 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
39355 + reqmode &= ~GR_READ;
39357 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39360 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39361 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39362 + reqmode & GR_READ ? " reading" : "",
39363 + reqmode & GR_WRITE ? " writing" : reqmode &
39364 + GR_APPEND ? " appending" : "");
39367 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39369 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39370 + reqmode & GR_READ ? " reading" : "",
39371 + reqmode & GR_WRITE ? " writing" : reqmode &
39372 + GR_APPEND ? " appending" : "");
39374 + } else if (unlikely((mode & reqmode) != reqmode))
39381 +gr_acl_handle_creat(const struct dentry * dentry,
39382 + const struct dentry * p_dentry,
39383 + const struct vfsmount * p_mnt, const int fmode,
39386 + __u32 reqmode = GR_WRITE | GR_CREATE;
39389 + if (unlikely(fmode & O_APPEND))
39390 + reqmode |= GR_APPEND;
39391 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39392 + reqmode |= GR_READ;
39393 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
39394 + reqmode |= GR_SETID;
39397 + gr_check_create(dentry, p_dentry, p_mnt,
39398 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39400 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39401 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39402 + reqmode & GR_READ ? " reading" : "",
39403 + reqmode & GR_WRITE ? " writing" : reqmode &
39404 + GR_APPEND ? " appending" : "");
39407 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39409 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39410 + reqmode & GR_READ ? " reading" : "",
39411 + reqmode & GR_WRITE ? " writing" : reqmode &
39412 + GR_APPEND ? " appending" : "");
39414 + } else if (unlikely((mode & reqmode) != reqmode))
39421 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
39424 + __u32 mode, reqmode = GR_FIND;
39426 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
39427 + reqmode |= GR_EXEC;
39428 + if (fmode & S_IWOTH)
39429 + reqmode |= GR_WRITE;
39430 + if (fmode & S_IROTH)
39431 + reqmode |= GR_READ;
39434 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39437 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39438 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39439 + reqmode & GR_READ ? " reading" : "",
39440 + reqmode & GR_WRITE ? " writing" : "",
39441 + reqmode & GR_EXEC ? " executing" : "");
39444 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39446 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39447 + reqmode & GR_READ ? " reading" : "",
39448 + reqmode & GR_WRITE ? " writing" : "",
39449 + reqmode & GR_EXEC ? " executing" : "");
39451 + } else if (unlikely((mode & reqmode) != reqmode))
39457 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
39461 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
39463 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39464 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
39466 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39467 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
39469 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39472 + return (reqmode);
39476 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
39478 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
39482 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
39484 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
39488 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
39490 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
39494 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
39496 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
39500 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
39503 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
39506 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39507 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39508 + GR_FCHMOD_ACL_MSG);
39510 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
39515 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
39518 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39519 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39520 + GR_CHMOD_ACL_MSG);
39522 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
39527 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
39529 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
39533 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
39535 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
39539 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
39541 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
39545 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
39547 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
39548 + GR_UNIXCONNECT_ACL_MSG);
39551 +/* hardlinks require at minimum create permission,
39552 + any additional privilege required is based on the
39553 + privilege of the file being linked to
39556 +gr_acl_handle_link(const struct dentry * new_dentry,
39557 + const struct dentry * parent_dentry,
39558 + const struct vfsmount * parent_mnt,
39559 + const struct dentry * old_dentry,
39560 + const struct vfsmount * old_mnt, const char *to)
39563 + __u32 needmode = GR_CREATE | GR_LINK;
39564 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
39567 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
39570 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
39571 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39573 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39574 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39576 + } else if (unlikely((mode & needmode) != needmode))
39583 +gr_acl_handle_symlink(const struct dentry * new_dentry,
39584 + const struct dentry * parent_dentry,
39585 + const struct vfsmount * parent_mnt, const char *from)
39587 + __u32 needmode = GR_WRITE | GR_CREATE;
39591 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
39592 + GR_CREATE | GR_AUDIT_CREATE |
39593 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
39595 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
39596 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39598 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39599 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39601 + } else if (unlikely((mode & needmode) != needmode))
39604 + return (GR_WRITE | GR_CREATE);
39607 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
39611 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39613 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39614 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
39616 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39617 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
39619 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39622 + return (reqmode);
39626 +gr_acl_handle_mknod(const struct dentry * new_dentry,
39627 + const struct dentry * parent_dentry,
39628 + const struct vfsmount * parent_mnt,
39631 + __u32 reqmode = GR_WRITE | GR_CREATE;
39632 + if (unlikely(mode & (S_ISUID | S_ISGID)))
39633 + reqmode |= GR_SETID;
39635 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39636 + reqmode, GR_MKNOD_ACL_MSG);
39640 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
39641 + const struct dentry *parent_dentry,
39642 + const struct vfsmount *parent_mnt)
39644 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39645 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
39648 +#define RENAME_CHECK_SUCCESS(old, new) \
39649 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
39650 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
39653 +gr_acl_handle_rename(struct dentry *new_dentry,
39654 + struct dentry *parent_dentry,
39655 + const struct vfsmount *parent_mnt,
39656 + struct dentry *old_dentry,
39657 + struct inode *old_parent_inode,
39658 + struct vfsmount *old_mnt, const char *newname)
39660 + __u32 comp1, comp2;
39663 + if (unlikely(!gr_acl_is_enabled()))
39666 + if (!new_dentry->d_inode) {
39667 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
39668 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
39669 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
39670 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
39671 + GR_DELETE | GR_AUDIT_DELETE |
39672 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39673 + GR_SUPPRESS, old_mnt);
39675 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
39676 + GR_CREATE | GR_DELETE |
39677 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
39678 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39679 + GR_SUPPRESS, parent_mnt);
39681 + gr_search_file(old_dentry,
39682 + GR_READ | GR_WRITE | GR_AUDIT_READ |
39683 + GR_DELETE | GR_AUDIT_DELETE |
39684 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
39687 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
39688 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
39689 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39690 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
39691 + && !(comp2 & GR_SUPPRESS)) {
39692 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39694 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
39701 +gr_acl_handle_exit(void)
39705 + struct file *exec_file;
39707 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
39708 + !(current->role->roletype & GR_ROLE_PERSIST))) {
39709 + id = current->acl_role_id;
39710 + rolename = current->role->rolename;
39712 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
39715 + write_lock(&grsec_exec_file_lock);
39716 + exec_file = current->exec_file;
39717 + current->exec_file = NULL;
39718 + write_unlock(&grsec_exec_file_lock);
39725 +gr_acl_handle_procpidmem(const struct task_struct *task)
39727 + if (unlikely(!gr_acl_is_enabled()))
39730 + if (task != current && task->acl->mode & GR_PROTPROCFD)
39735 diff -urNp linux-2.6.38.1/grsecurity/gracl_ip.c linux-2.6.38.1/grsecurity/gracl_ip.c
39736 --- linux-2.6.38.1/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
39737 +++ linux-2.6.38.1/grsecurity/gracl_ip.c 2011-03-21 18:31:35.000000000 -0400
39739 +#include <linux/kernel.h>
39740 +#include <asm/uaccess.h>
39741 +#include <asm/errno.h>
39742 +#include <net/sock.h>
39743 +#include <linux/file.h>
39744 +#include <linux/fs.h>
39745 +#include <linux/net.h>
39746 +#include <linux/in.h>
39747 +#include <linux/skbuff.h>
39748 +#include <linux/ip.h>
39749 +#include <linux/udp.h>
39750 +#include <linux/smp_lock.h>
39751 +#include <linux/types.h>
39752 +#include <linux/sched.h>
39753 +#include <linux/netdevice.h>
39754 +#include <linux/inetdevice.h>
39755 +#include <linux/gracl.h>
39756 +#include <linux/grsecurity.h>
39757 +#include <linux/grinternal.h>
39759 +#define GR_BIND 0x01
39760 +#define GR_CONNECT 0x02
39761 +#define GR_INVERT 0x04
39762 +#define GR_BINDOVERRIDE 0x08
39763 +#define GR_CONNECTOVERRIDE 0x10
39764 +#define GR_SOCK_FAMILY 0x20
39766 +static const char * gr_protocols[IPPROTO_MAX] = {
39767 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
39768 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
39769 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
39770 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
39771 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
39772 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
39773 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
39774 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
39775 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
39776 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
39777 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
39778 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
39779 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
39780 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
39781 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
39782 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
39783 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
39784 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
39785 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
39786 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
39787 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
39788 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
39789 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
39790 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
39791 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
39792 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
39793 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
39794 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
39795 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
39796 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
39797 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
39798 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
39801 +static const char * gr_socktypes[SOCK_MAX] = {
39802 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
39803 + "unknown:7", "unknown:8", "unknown:9", "packet"
39806 +static const char * gr_sockfamilies[AF_MAX+1] = {
39807 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
39808 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
39809 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
39810 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
39814 +gr_proto_to_name(unsigned char proto)
39816 + return gr_protocols[proto];
39820 +gr_socktype_to_name(unsigned char type)
39822 + return gr_socktypes[type];
39826 +gr_sockfamily_to_name(unsigned char family)
39828 + return gr_sockfamilies[family];
39832 +gr_search_socket(const int domain, const int type, const int protocol)
39834 + struct acl_subject_label *curr;
39835 + const struct cred *cred = current_cred();
39837 + if (unlikely(!gr_acl_is_enabled()))
39840 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
39841 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
39842 + goto exit; // let the kernel handle it
39844 + curr = current->acl;
39846 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
39847 + /* the family is allowed, if this is PF_INET allow it only if
39848 + the extra sock type/protocol checks pass */
39849 + if (domain == PF_INET)
39853 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39854 + __u32 fakeip = 0;
39855 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39856 + current->role->roletype, cred->uid,
39857 + cred->gid, current->exec_file ?
39858 + gr_to_filename(current->exec_file->f_path.dentry,
39859 + current->exec_file->f_path.mnt) :
39860 + curr->filename, curr->filename,
39861 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
39862 + ¤t->signal->saved_ip);
39869 + /* the rest of this checking is for IPv4 only */
39873 + if ((curr->ip_type & (1 << type)) &&
39874 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
39877 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39878 + /* we don't place acls on raw sockets , and sometimes
39879 + dgram/ip sockets are opened for ioctl and not
39880 + bind/connect, so we'll fake a bind learn log */
39881 + if (type == SOCK_RAW || type == SOCK_PACKET) {
39882 + __u32 fakeip = 0;
39883 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39884 + current->role->roletype, cred->uid,
39885 + cred->gid, current->exec_file ?
39886 + gr_to_filename(current->exec_file->f_path.dentry,
39887 + current->exec_file->f_path.mnt) :
39888 + curr->filename, curr->filename,
39889 + &fakeip, 0, type,
39890 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
39891 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
39892 + __u32 fakeip = 0;
39893 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39894 + current->role->roletype, cred->uid,
39895 + cred->gid, current->exec_file ?
39896 + gr_to_filename(current->exec_file->f_path.dentry,
39897 + current->exec_file->f_path.mnt) :
39898 + curr->filename, curr->filename,
39899 + &fakeip, 0, type,
39900 + protocol, GR_BIND, ¤t->signal->saved_ip);
39902 + /* we'll log when they use connect or bind */
39907 + if (domain == PF_INET)
39908 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
39909 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
39911 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
39912 + gr_socktype_to_name(type), protocol);
39919 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
39921 + if ((ip->mode & mode) &&
39922 + (ip_port >= ip->low) &&
39923 + (ip_port <= ip->high) &&
39924 + ((ntohl(ip_addr) & our_netmask) ==
39925 + (ntohl(our_addr) & our_netmask))
39926 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
39927 + && (ip->type & (1 << type))) {
39928 + if (ip->mode & GR_INVERT)
39929 + return 2; // specifically denied
39931 + return 1; // allowed
39934 + return 0; // not specifically allowed, may continue parsing
39938 +gr_search_connectbind(const int full_mode, struct sock *sk,
39939 + struct sockaddr_in *addr, const int type)
39941 + char iface[IFNAMSIZ] = {0};
39942 + struct acl_subject_label *curr;
39943 + struct acl_ip_label *ip;
39944 + struct inet_sock *isk;
39945 + struct net_device *dev;
39946 + struct in_device *idev;
39949 + int mode = full_mode & (GR_BIND | GR_CONNECT);
39950 + __u32 ip_addr = 0;
39952 + __u32 our_netmask;
39954 + __u16 ip_port = 0;
39955 + const struct cred *cred = current_cred();
39957 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
39960 + curr = current->acl;
39961 + isk = inet_sk(sk);
39963 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
39964 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
39965 + addr->sin_addr.s_addr = curr->inaddr_any_override;
39966 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
39967 + struct sockaddr_in saddr;
39970 + saddr.sin_family = AF_INET;
39971 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
39972 + saddr.sin_port = isk->inet_sport;
39974 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39978 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39986 + ip_addr = addr->sin_addr.s_addr;
39987 + ip_port = ntohs(addr->sin_port);
39989 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39990 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39991 + current->role->roletype, cred->uid,
39992 + cred->gid, current->exec_file ?
39993 + gr_to_filename(current->exec_file->f_path.dentry,
39994 + current->exec_file->f_path.mnt) :
39995 + curr->filename, curr->filename,
39996 + &ip_addr, ip_port, type,
39997 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
40001 + for (i = 0; i < curr->ip_num; i++) {
40002 + ip = *(curr->ips + i);
40003 + if (ip->iface != NULL) {
40004 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
40005 + p = strchr(iface, ':');
40008 + dev = dev_get_by_name(sock_net(sk), iface);
40011 + idev = in_dev_get(dev);
40012 + if (idev == NULL) {
40018 + if (!strcmp(ip->iface, ifa->ifa_label)) {
40019 + our_addr = ifa->ifa_address;
40020 + our_netmask = 0xffffffff;
40021 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
40023 + rcu_read_unlock();
40024 + in_dev_put(idev);
40027 + } else if (ret == 2) {
40028 + rcu_read_unlock();
40029 + in_dev_put(idev);
40034 + } endfor_ifa(idev);
40035 + rcu_read_unlock();
40036 + in_dev_put(idev);
40039 + our_addr = ip->addr;
40040 + our_netmask = ip->netmask;
40041 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
40044 + else if (ret == 2)
40050 + if (mode == GR_BIND)
40051 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
40052 + else if (mode == GR_CONNECT)
40053 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
40059 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
40061 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
40065 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
40067 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
40070 +int gr_search_listen(struct socket *sock)
40072 + struct sock *sk = sock->sk;
40073 + struct sockaddr_in addr;
40075 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
40076 + addr.sin_port = inet_sk(sk)->inet_sport;
40078 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
40081 +int gr_search_accept(struct socket *sock)
40083 + struct sock *sk = sock->sk;
40084 + struct sockaddr_in addr;
40086 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
40087 + addr.sin_port = inet_sk(sk)->inet_sport;
40089 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
40093 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
40096 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
40098 + struct sockaddr_in sin;
40099 + const struct inet_sock *inet = inet_sk(sk);
40101 + sin.sin_addr.s_addr = inet->inet_daddr;
40102 + sin.sin_port = inet->inet_dport;
40104 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
40109 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
40111 + struct sockaddr_in sin;
40113 + if (unlikely(skb->len < sizeof (struct udphdr)))
40114 + return 0; // skip this packet
40116 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
40117 + sin.sin_port = udp_hdr(skb)->source;
40119 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
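Review bot: The `gr_sockfamilies` table is off by one from index 29 onward: Linux defines AF_CAN as 29, but the initializer goes straight from `"fam_27", "fam_28"` to `"tipc"`, so a denied `GR_SOCK_MSG`/`GR_SOCK_NOINET_MSG` log line for any family >= 29 names the wrong family (`"tipc"` for AF_CAN, `"bluetooth"` for AF_TIPC, and so on). Inserting `"can"` after `"fam_28"` realigns the rest and puts the last entry, `"ciaf"` — which should read `"caif"` — at AF_CAIF (37). The table also supplies only 37 initializers for an `AF_MAX+1` array, so the highest families resolve to NULL in `gr_sockfamily_to_name()`; printk renders a NULL `%s` as "(null)", but explicit `"unknown:N"` entries, as `gr_socktypes` already uses, would keep the audit log unambiguous. Unrelated typo in the protocol table: `"unkown:134"` should be `"unknown:134"`.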
40121 diff -urNp linux-2.6.38.1/grsecurity/gracl_learn.c linux-2.6.38.1/grsecurity/gracl_learn.c
40122 --- linux-2.6.38.1/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
40123 +++ linux-2.6.38.1/grsecurity/gracl_learn.c 2011-03-21 18:31:35.000000000 -0400
40125 +#include <linux/kernel.h>
40126 +#include <linux/mm.h>
40127 +#include <linux/sched.h>
40128 +#include <linux/poll.h>
40129 +#include <linux/smp_lock.h>
40130 +#include <linux/string.h>
40131 +#include <linux/file.h>
40132 +#include <linux/types.h>
40133 +#include <linux/vmalloc.h>
40134 +#include <linux/grinternal.h>
40136 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
40137 + size_t count, loff_t *ppos);
40138 +extern int gr_acl_is_enabled(void);
40140 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
40141 +static int gr_learn_attached;
40143 +/* use a 512k buffer */
40144 +#define LEARN_BUFFER_SIZE (512 * 1024)
40146 +static DEFINE_SPINLOCK(gr_learn_lock);
40147 +static DEFINE_MUTEX(gr_learn_user_mutex);
40149 +/* we need to maintain two buffers, so that the kernel context of grlearn
40150 + uses a semaphore around the userspace copying, and the other kernel contexts
40151 + use a spinlock when copying into the buffer, since they cannot sleep
40153 +static char *learn_buffer;
40154 +static char *learn_buffer_user;
40155 +static int learn_buffer_len;
40156 +static int learn_buffer_user_len;
40159 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
40161 + DECLARE_WAITQUEUE(wait, current);
40162 + ssize_t retval = 0;
40164 + add_wait_queue(&learn_wait, &wait);
40165 + set_current_state(TASK_INTERRUPTIBLE);
40167 + mutex_lock(&gr_learn_user_mutex);
40168 + spin_lock(&gr_learn_lock);
40169 + if (learn_buffer_len)
40171 + spin_unlock(&gr_learn_lock);
40172 + mutex_unlock(&gr_learn_user_mutex);
40173 + if (file->f_flags & O_NONBLOCK) {
40174 + retval = -EAGAIN;
40177 + if (signal_pending(current)) {
40178 + retval = -ERESTARTSYS;
40185 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
40186 + learn_buffer_user_len = learn_buffer_len;
40187 + retval = learn_buffer_len;
40188 + learn_buffer_len = 0;
40190 + spin_unlock(&gr_learn_lock);
40192 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
40193 + retval = -EFAULT;
40195 + mutex_unlock(&gr_learn_user_mutex);
40197 + set_current_state(TASK_RUNNING);
40198 + remove_wait_queue(&learn_wait, &wait);
40202 +static unsigned int
40203 +poll_learn(struct file * file, poll_table * wait)
40205 + poll_wait(file, &learn_wait, wait);
40207 + if (learn_buffer_len)
40208 + return (POLLIN | POLLRDNORM);
40214 +gr_clear_learn_entries(void)
40218 + mutex_lock(&gr_learn_user_mutex);
40219 + if (learn_buffer != NULL) {
40220 + spin_lock(&gr_learn_lock);
40221 + tmp = learn_buffer;
40222 + learn_buffer = NULL;
40223 + spin_unlock(&gr_learn_lock);
40224 + vfree(learn_buffer);
40226 + if (learn_buffer_user != NULL) {
40227 + vfree(learn_buffer_user);
40228 + learn_buffer_user = NULL;
40230 + learn_buffer_len = 0;
40231 + mutex_unlock(&gr_learn_user_mutex);
40237 +gr_add_learn_entry(const char *fmt, ...)
40240 + unsigned int len;
40242 + if (!gr_learn_attached)
40245 + spin_lock(&gr_learn_lock);
40247 + /* leave a gap at the end so we know when it's "full" but don't have to
40248 + compute the exact length of the string we're trying to append
40250 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
40251 + spin_unlock(&gr_learn_lock);
40252 + wake_up_interruptible(&learn_wait);
40255 + if (learn_buffer == NULL) {
40256 + spin_unlock(&gr_learn_lock);
40260 + va_start(args, fmt);
40261 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
40264 + learn_buffer_len += len + 1;
40266 + spin_unlock(&gr_learn_lock);
40267 + wake_up_interruptible(&learn_wait);
40273 +open_learn(struct inode *inode, struct file *file)
40275 + if (file->f_mode & FMODE_READ && gr_learn_attached)
40277 + if (file->f_mode & FMODE_READ) {
40279 + mutex_lock(&gr_learn_user_mutex);
40280 + if (learn_buffer == NULL)
40281 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
40282 + if (learn_buffer_user == NULL)
40283 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
40284 + if (learn_buffer == NULL) {
40285 + retval = -ENOMEM;
40288 + if (learn_buffer_user == NULL) {
40289 + retval = -ENOMEM;
40292 + learn_buffer_len = 0;
40293 + learn_buffer_user_len = 0;
40294 + gr_learn_attached = 1;
40296 + mutex_unlock(&gr_learn_user_mutex);
40303 +close_learn(struct inode *inode, struct file *file)
40307 + if (file->f_mode & FMODE_READ) {
40308 + mutex_lock(&gr_learn_user_mutex);
40309 + if (learn_buffer != NULL) {
40310 + spin_lock(&gr_learn_lock);
40311 + tmp = learn_buffer;
40312 + learn_buffer = NULL;
40313 + spin_unlock(&gr_learn_lock);
40316 + if (learn_buffer_user != NULL) {
40317 + vfree(learn_buffer_user);
40318 + learn_buffer_user = NULL;
40320 + learn_buffer_len = 0;
40321 + learn_buffer_user_len = 0;
40322 + gr_learn_attached = 0;
40323 + mutex_unlock(&gr_learn_user_mutex);
40329 +const struct file_operations grsec_fops = {
40330 + .read = read_learn,
40331 + .write = write_grsec_handler,
40332 + .open = open_learn,
40333 + .release = close_learn,
40334 + .poll = poll_learn,
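Review bot: `gr_clear_learn_entries()` leaks the 512 KiB learn buffer: it saves the pointer in `tmp`, NULLs `learn_buffer`, and then calls `vfree(learn_buffer)` — which is `vfree(NULL)`, a no-op — while `tmp` is never freed; the line should be `vfree(tmp);`, which is presumably what `close_learn()` does on the line just outside the visible section. Each call while a learner is attached then leaks another vmalloc area, a slow resource drain on an ACL-reload path. Separately, `read_learn()` copies `learn_buffer_user_len` bytes to `buf` without regard to `count`, so a reader whose buffer is smaller than the pending data has memory past its buffer overwritten, contrary to the read(2) contract; bound the copy by `count` (reject, or retain the remainder in `learn_buffer_user`) before the `memcpy`/`copy_to_user` pair. `gr_add_learn_entry()` likewise adds the full `vsnprintf` return value to `learn_buffer_len` even when output was truncated, so a single entry longer than the 16 KiB reserve can push `learn_buffer_len` past `LEARN_BUFFER_SIZE` and make the next `memcpy` in `read_learn()` read and write beyond both buffers; clamp `len` to the space remaining.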
40336 diff -urNp linux-2.6.38.1/grsecurity/gracl_res.c linux-2.6.38.1/grsecurity/gracl_res.c
40337 --- linux-2.6.38.1/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
40338 +++ linux-2.6.38.1/grsecurity/gracl_res.c 2011-03-21 18:31:35.000000000 -0400
40340 +#include <linux/kernel.h>
40341 +#include <linux/sched.h>
40342 +#include <linux/gracl.h>
40343 +#include <linux/grinternal.h>
40345 +static const char *restab_log[] = {
40346 + [RLIMIT_CPU] = "RLIMIT_CPU",
40347 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
40348 + [RLIMIT_DATA] = "RLIMIT_DATA",
40349 + [RLIMIT_STACK] = "RLIMIT_STACK",
40350 + [RLIMIT_CORE] = "RLIMIT_CORE",
40351 + [RLIMIT_RSS] = "RLIMIT_RSS",
40352 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
40353 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
40354 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
40355 + [RLIMIT_AS] = "RLIMIT_AS",
40356 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
40357 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
40358 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
40359 + [RLIMIT_NICE] = "RLIMIT_NICE",
40360 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
40361 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
40362 + [GR_CRASH_RES] = "RLIMIT_CRASH"
40366 +gr_log_resource(const struct task_struct *task,
40367 + const int res, const unsigned long wanted, const int gt)
40369 + const struct cred *cred;
40370 + unsigned long rlim;
40372 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
40375 + // not yet supported resource
40376 + if (unlikely(!restab_log[res]))
40379 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
40380 + rlim = task_rlimit_max(task, res);
40382 + rlim = task_rlimit(task, res);
40384 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
40388 + cred = __task_cred(task);
40390 + if (res == RLIMIT_NPROC &&
40391 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
40392 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
40393 + goto out_rcu_unlock;
40394 + else if (res == RLIMIT_MEMLOCK &&
40395 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
40396 + goto out_rcu_unlock;
40397 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
40398 + goto out_rcu_unlock;
40399 + rcu_read_unlock();
40401 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
40405 + rcu_read_unlock();
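Review bot: `gr_log_resource()` indexes `restab_log[res]` before any range check, and the table's size is fixed by its largest designated initializer (`GR_CRASH_RES`); the `!restab_log[res]` test only catches in-range gaps, not an out-of-range `res`. The callers are outside this file, so this is presumably safe today, but a guard such as `if (res < 0 || res >= ARRAY_SIZE(restab_log)) return;` ahead of that test records the assumption and keeps a future caller from turning a logging helper into an out-of-bounds read. A short header comment listing the capability exemptions (CAP_SYS_ADMIN/CAP_SYS_RESOURCE for RLIMIT_NPROC, CAP_IPC_LOCK for RLIMIT_MEMLOCK, CAP_SYS_NICE for RLIMIT_NICE) would also help readers understand why the log is suppressed for privileged tasks.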
40408 diff -urNp linux-2.6.38.1/grsecurity/gracl_segv.c linux-2.6.38.1/grsecurity/gracl_segv.c
40409 --- linux-2.6.38.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
40410 +++ linux-2.6.38.1/grsecurity/gracl_segv.c 2011-03-24 23:09:37.000000000 -0400
40412 +#include <linux/kernel.h>
40413 +#include <linux/mm.h>
40414 +#include <asm/uaccess.h>
40415 +#include <asm/errno.h>
40416 +#include <asm/mman.h>
40417 +#include <net/sock.h>
40418 +#include <linux/file.h>
40419 +#include <linux/fs.h>
40420 +#include <linux/net.h>
40421 +#include <linux/in.h>
40422 +#include <linux/smp_lock.h>
40423 +#include <linux/slab.h>
40424 +#include <linux/types.h>
40425 +#include <linux/sched.h>
40426 +#include <linux/timer.h>
40427 +#include <linux/gracl.h>
40428 +#include <linux/grsecurity.h>
40429 +#include <linux/grinternal.h>
40431 +static struct crash_uid *uid_set;
40432 +static unsigned short uid_used;
40433 +static DEFINE_SPINLOCK(gr_uid_lock);
40434 +extern rwlock_t gr_inode_lock;
40435 +extern struct acl_subject_label *
40436 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
40437 + struct acl_role_label *role);
40438 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
40441 +#ifdef CONFIG_BTRFS_FS
40442 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
40443 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
40446 +static inline dev_t __get_dev(const struct dentry *dentry)
40448 +#ifdef CONFIG_BTRFS_FS
40449 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
40450 + return get_btrfs_dev_from_inode(dentry->d_inode);
40453 + return dentry->d_inode->i_sb->s_dev;
40457 +gr_init_uidset(void)
40460 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
40463 + return uid_set ? 1 : 0;
40467 +gr_free_uidset(void)
40476 +gr_find_uid(const uid_t uid)
40478 + struct crash_uid *tmp = uid_set;
40480 + int low = 0, high = uid_used - 1, mid;
40482 + while (high >= low) {
40483 + mid = (low + high) >> 1;
40484 + buid = tmp[mid].uid;
40496 +static __inline__ void
40497 +gr_insertsort(void)
40499 + unsigned short i, j;
40500 + struct crash_uid index;
40502 + for (i = 1; i < uid_used; i++) {
40503 + index = uid_set[i];
40505 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
40506 + uid_set[j] = uid_set[j - 1];
40509 + uid_set[j] = index;
40515 +static __inline__ void
40516 +gr_insert_uid(const uid_t uid, const unsigned long expires)
40520 + if (uid_used == GR_UIDTABLE_MAX)
40523 + loc = gr_find_uid(uid);
40526 + uid_set[loc].expires = expires;
40530 + uid_set[uid_used].uid = uid;
40531 + uid_set[uid_used].expires = expires;
40540 +gr_remove_uid(const unsigned short loc)
40542 + unsigned short i;
40544 + for (i = loc + 1; i < uid_used; i++)
40545 + uid_set[i - 1] = uid_set[i];
40553 +gr_check_crash_uid(const uid_t uid)
40558 + if (unlikely(!gr_acl_is_enabled()))
40561 + spin_lock(&gr_uid_lock);
40562 + loc = gr_find_uid(uid);
40567 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
40568 + gr_remove_uid(loc);
40573 + spin_unlock(&gr_uid_lock);
40577 +static __inline__ int
40578 +proc_is_setxid(const struct cred *cred)
40580 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
40581 + cred->uid != cred->fsuid)
40583 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
40584 + cred->gid != cred->fsgid)
40589 +static __inline__ int
40590 +gr_fake_force_sig(int sig, struct task_struct *t)
40592 + unsigned long int flags;
40593 + int ret, blocked, ignored;
40594 + struct k_sigaction *action;
40596 + spin_lock_irqsave(&t->sighand->siglock, flags);
40597 + action = &t->sighand->action[sig-1];
40598 + ignored = action->sa.sa_handler == SIG_IGN;
40599 + blocked = sigismember(&t->blocked, sig);
40600 + if (blocked || ignored) {
40601 + action->sa.sa_handler = SIG_DFL;
40603 + sigdelset(&t->blocked, sig);
40604 + recalc_sigpending_and_wake(t);
40607 + if (action->sa.sa_handler == SIG_DFL)
40608 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
40609 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
40611 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
40617 +gr_handle_crash(struct task_struct *task, const int sig)
40619 + struct acl_subject_label *curr;
40620 + struct acl_subject_label *curr2;
40621 + struct task_struct *tsk, *tsk2;
40622 + const struct cred *cred;
40623 + const struct cred *cred2;
40625 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
40628 + if (unlikely(!gr_acl_is_enabled()))
40631 + curr = task->acl;
40633 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
40636 + if (time_before_eq(curr->expires, get_seconds())) {
40637 + curr->expires = 0;
40638 + curr->crashes = 0;
40643 + if (!curr->expires)
40644 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
40646 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40647 + time_after(curr->expires, get_seconds())) {
40649 + cred = __task_cred(task);
40650 + if (cred->uid && proc_is_setxid(cred)) {
40651 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40652 + spin_lock(&gr_uid_lock);
40653 + gr_insert_uid(cred->uid, curr->expires);
40654 + spin_unlock(&gr_uid_lock);
40655 + curr->expires = 0;
40656 + curr->crashes = 0;
40657 + read_lock(&tasklist_lock);
40658 + do_each_thread(tsk2, tsk) {
40659 + cred2 = __task_cred(tsk);
40660 + if (tsk != task && cred2->uid == cred->uid)
40661 + gr_fake_force_sig(SIGKILL, tsk);
40662 + } while_each_thread(tsk2, tsk);
40663 + read_unlock(&tasklist_lock);
40665 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40666 + read_lock(&tasklist_lock);
40667 + do_each_thread(tsk2, tsk) {
40668 + if (likely(tsk != task)) {
40669 + curr2 = tsk->acl;
40671 + if (curr2->device == curr->device &&
40672 + curr2->inode == curr->inode)
40673 + gr_fake_force_sig(SIGKILL, tsk);
40675 + } while_each_thread(tsk2, tsk);
40676 + read_unlock(&tasklist_lock);
40678 + rcu_read_unlock();
40685 +gr_check_crash_exec(const struct file *filp)
40687 + struct acl_subject_label *curr;
40689 + if (unlikely(!gr_acl_is_enabled()))
40692 + read_lock(&gr_inode_lock);
40693 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
40694 + __get_dev(filp->f_path.dentry),
40696 + read_unlock(&gr_inode_lock);
40698 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
40699 + (!curr->crashes && !curr->expires))
40702 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40703 + time_after(curr->expires, get_seconds()))
40705 + else if (time_before_eq(curr->expires, get_seconds())) {
40706 + curr->crashes = 0;
40707 + curr->expires = 0;
40714 +gr_handle_alertkill(struct task_struct *task)
40716 + struct acl_subject_label *curracl;
40718 + struct task_struct *p, *p2;
40720 + if (unlikely(!gr_acl_is_enabled()))
40723 + curracl = task->acl;
40724 + curr_ip = task->signal->curr_ip;
40726 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
40727 + read_lock(&tasklist_lock);
40728 + do_each_thread(p2, p) {
40729 + if (p->signal->curr_ip == curr_ip)
40730 + gr_fake_force_sig(SIGKILL, p);
40731 + } while_each_thread(p2, p);
40732 + read_unlock(&tasklist_lock);
40733 + } else if (curracl->mode & GR_KILLPROC)
40734 + gr_fake_force_sig(SIGKILL, task);
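Review bot: `gr_handle_crash()` and `gr_check_crash_exec()` read-modify-write the per-subject `curr->crashes` and `curr->expires` fields with no lock held — `gr_uid_lock` protects only `uid_set`, and the `crashes` increment itself lies on a line outside the visible section. Several tasks under the same subject can crash concurrently, so updates can be lost and the comparison against `res[GR_CRASH_RES].rlim_cur` under-counts exactly when the limit is being reached; unless a lock outside this file serialises these paths, the subject needs its own spinlock (or atomic counters) around the `expires`/`crashes` updates in both functions. Also worth a comment on `gr_fake_force_sig()`: it deliberately resets a SIG_IGN handler to SIG_DFL, unblocks the signal and clears SIGNAL_UNKILLABLE before delivery, mirroring the kernel's own force_sig_info() so the kill cannot be ignored or blocked by the target.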
40738 diff -urNp linux-2.6.38.1/grsecurity/gracl_shm.c linux-2.6.38.1/grsecurity/gracl_shm.c
40739 --- linux-2.6.38.1/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
40740 +++ linux-2.6.38.1/grsecurity/gracl_shm.c 2011-03-21 18:31:35.000000000 -0400
40742 +#include <linux/kernel.h>
40743 +#include <linux/mm.h>
40744 +#include <linux/sched.h>
40745 +#include <linux/file.h>
40746 +#include <linux/ipc.h>
40747 +#include <linux/gracl.h>
40748 +#include <linux/grsecurity.h>
40749 +#include <linux/grinternal.h>
40752 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40753 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40755 + struct task_struct *task;
40757 + if (!gr_acl_is_enabled())
40761 + read_lock(&tasklist_lock);
40763 + task = find_task_by_vpid(shm_cprid);
40765 + if (unlikely(!task))
40766 + task = find_task_by_vpid(shm_lapid);
40768 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
40769 + (task->pid == shm_lapid)) &&
40770 + (task->acl->mode & GR_PROTSHM) &&
40771 + (task->acl != current->acl))) {
40772 + read_unlock(&tasklist_lock);
40773 + rcu_read_unlock();
40774 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
40777 + read_unlock(&tasklist_lock);
40778 + rcu_read_unlock();
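Review bot: The pid-reuse guard at 40768, `time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime)`, is only meaningful if both operands come from the same clock; as far as I recall, 2.6.38 fills `task->start_time` from the monotonic clock, so if the caller records `shm_createtime` with `get_seconds()` (wall clock) the test is true for practically every task and the protection degrades to the `task->pid == shm_lapid` alternative. Please confirm where `shm_createtime` is set and, if the clocks differ, record the segment creation time on the same clock as `start_time`. Either way the intent deserves a comment above the condition, e.g. `/* the creator pid may have been recycled; only trust it if it was already alive when the segment was created */`. The body also dereferences `task->acl->mode` at 40770 with no check on `task->acl` — fine if every task carries a label once `gr_acl_is_enabled()` holds, but worth stating in a comment.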
40782 diff -urNp linux-2.6.38.1/grsecurity/grsec_chdir.c linux-2.6.38.1/grsecurity/grsec_chdir.c
40783 --- linux-2.6.38.1/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
40784 +++ linux-2.6.38.1/grsecurity/grsec_chdir.c 2011-03-21 18:31:35.000000000 -0400
40786 +#include <linux/kernel.h>
40787 +#include <linux/sched.h>
40788 +#include <linux/fs.h>
40789 +#include <linux/file.h>
40790 +#include <linux/grsecurity.h>
40791 +#include <linux/grinternal.h>
40794 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
40796 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40797 + if ((grsec_enable_chdir && grsec_enable_group &&
40798 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
40799 + !grsec_enable_group)) {
40800 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
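Review bot: The condition at 40797-40799 evaluates `grsec_enable_chdir` twice and spells the group rule out as two disjuncts; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` reads as "chdir auditing is on, and either group gating is off or the caller is in the audit group", which is the actual policy. The same shape recurs in grsec_exec.c at 41657-41659 and 41714-41716, so a small `static inline` helper in grinternal.h (something like `gr_audit_applies(int enabled)`, name constructed) would remove the duplication. A one-line header comment on `gr_log_chdir` stating that it only logs and never denies would also help, since the neighbouring `gr_handle_*` functions in this patch do deny.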
40805 diff -urNp linux-2.6.38.1/grsecurity/grsec_chroot.c linux-2.6.38.1/grsecurity/grsec_chroot.c
40806 --- linux-2.6.38.1/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
40807 +++ linux-2.6.38.1/grsecurity/grsec_chroot.c 2011-03-21 21:24:10.000000000 -0400
40809 +#include <linux/kernel.h>
40810 +#include <linux/module.h>
40811 +#include <linux/sched.h>
40812 +#include <linux/file.h>
40813 +#include <linux/fs.h>
40814 +#include <linux/mount.h>
40815 +#include <linux/types.h>
40816 +#include <linux/pid_namespace.h>
40817 +#include <linux/grsecurity.h>
40818 +#include <linux/grinternal.h>
40820 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
40822 +#ifdef CONFIG_GRKERNSEC
40823 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
40824 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
40825 + task->gr_is_chrooted = 1;
40827 + task->gr_is_chrooted = 0;
40829 + task->gr_chroot_dentry = path->dentry;
40834 +void gr_clear_chroot_entries(struct task_struct *task)
40836 +#ifdef CONFIG_GRKERNSEC
40837 + task->gr_is_chrooted = 0;
40838 + task->gr_chroot_dentry = NULL;
40844 +gr_handle_chroot_unix(struct pid *pid)
40846 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40847 + struct task_struct *p;
40849 + if (unlikely(!grsec_enable_chroot_unix))
40852 + if (likely(!proc_is_chrooted(current)))
40856 + read_lock(&tasklist_lock);
40857 + p = pid_task(pid, PIDTYPE_PID);
40858 + if (unlikely(!have_same_root(current, p))) {
40859 + read_unlock(&tasklist_lock);
40860 + rcu_read_unlock();
40861 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
40864 + read_unlock(&tasklist_lock);
40865 + rcu_read_unlock();
40871 +gr_handle_chroot_nice(void)
40873 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40874 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
40875 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
40883 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
40885 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40886 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
40887 + && proc_is_chrooted(current)) {
40888 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
40896 +gr_handle_chroot_rawio(const struct inode *inode)
40898 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40899 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
40900 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
40907 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
40909 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40910 + struct task_struct *p;
40912 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
40915 + read_lock(&tasklist_lock);
40916 + do_each_pid_task(pid, type, p) {
40917 + if (!have_same_root(current, p)) {
40921 + } while_each_pid_task(pid, type, p);
40923 + read_unlock(&tasklist_lock);
40930 +gr_pid_is_chrooted(struct task_struct *p)
40932 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40933 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
40936 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
40937 + !have_same_root(current, p)) {
40944 +EXPORT_SYMBOL(gr_pid_is_chrooted);
40946 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
40947 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
40949 + struct path path, currentroot;
40952 + path.dentry = (struct dentry *)u_dentry;
40953 + path.mnt = (struct vfsmount *)u_mnt;
40954 + get_fs_root(current->fs, ¤troot);
40955 + if (path_is_under(&path, ¤troot))
40957 + path_put(¤troot);
40964 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
40966 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40967 + if (!grsec_enable_chroot_fchdir)
40970 + if (!proc_is_chrooted(current))
40972 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
40973 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
40981 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40982 + const time_t shm_createtime)
40984 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40985 + struct pid *pid = NULL;
40986 + time_t starttime;
40988 + if (unlikely(!grsec_enable_chroot_shmat))
40991 + if (likely(!proc_is_chrooted(current)))
40995 + read_lock(&tasklist_lock);
40997 + pid = find_vpid(shm_cprid);
40999 + struct task_struct *p;
41000 + p = pid_task(pid, PIDTYPE_PID);
41001 + starttime = p->start_time.tv_sec;
41002 + if (unlikely(!have_same_root(current, p) &&
41003 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
41004 + read_unlock(&tasklist_lock);
41005 + rcu_read_unlock();
41006 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
41010 + pid = find_vpid(shm_lapid);
41012 + struct task_struct *p;
41013 + p = pid_task(pid, PIDTYPE_PID);
41014 + if (unlikely(!have_same_root(current, p))) {
41015 + read_unlock(&tasklist_lock);
41016 + rcu_read_unlock();
41017 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
41023 + read_unlock(&tasklist_lock);
41024 + rcu_read_unlock();
41030 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
41032 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41033 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
41034 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
41040 +gr_handle_chroot_mknod(const struct dentry *dentry,
41041 + const struct vfsmount *mnt, const int mode)
41043 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41044 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
41045 + proc_is_chrooted(current)) {
41046 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
41054 +gr_handle_chroot_mount(const struct dentry *dentry,
41055 + const struct vfsmount *mnt, const char *dev_name)
41057 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41058 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
41059 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
41067 +gr_handle_chroot_pivot(void)
41069 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41070 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
41071 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
41079 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
41081 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41082 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
41083 + !gr_is_outside_chroot(dentry, mnt)) {
41084 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
41092 +gr_handle_chroot_caps(struct path *path)
41094 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41095 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
41096 + (init_task.fs->root.dentry != path->dentry) &&
41097 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
41099 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
41100 + const struct cred *old = current_cred();
41101 + struct cred *new = prepare_creds();
41105 + new->cap_permitted = cap_drop(old->cap_permitted,
41107 + new->cap_inheritable = cap_drop(old->cap_inheritable,
41109 + new->cap_effective = cap_drop(old->cap_effective,
41112 + commit_creds(new);
41121 +gr_handle_chroot_sysctl(const int op)
41123 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41124 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
41125 + proc_is_chrooted(current))
41132 +gr_handle_chroot_chdir(struct path *path)
41134 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41135 + if (grsec_enable_chroot_chdir)
41136 + set_fs_pwd(current->fs, path);
41142 +gr_handle_chroot_chmod(const struct dentry *dentry,
41143 + const struct vfsmount *mnt, const int mode)
41145 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41146 + /* allow chmod +s on directories, but not files */
41147 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
41148 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
41149 + proc_is_chrooted(current)) {
41150 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
41157 +#ifdef CONFIG_SECURITY
41158 +EXPORT_SYMBOL(gr_handle_chroot_caps);
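Review bot: `pid_task()` may return NULL (a `struct pid` can still be live after its PIDTYPE_PID task is gone), yet the result is used unchecked three times: `have_same_root(current, p)` at 40858 in gr_handle_chroot_unix, and in gr_chroot_shmat `p->start_time.tv_sec` at 41001 plus `have_same_root(current, p)` at 41014 — 41001 dereferences `p` directly, and the other two do so unless `have_same_root()` tolerates a NULL task. The sibling gr_handle_shmat in gracl_shm.c does guard its lookup with `if (unlikely(!task))`, so this file should match: after each `p = pid_task(pid, PIDTYPE_PID);` add `if (unlikely(!p))` and take the same unlock-and-return path the adjacent deny branch uses, with a comment stating whether a vanished creator counts as a violation. The `if` statements wrapping the `find_vpid()` results around 40998 and 41011 are not shown here, so the fix may belong on those lines. Separately, gr_handle_chroot_caps calls `prepare_creds()` at 41101, which can fail; the lines right after it are outside the excerpt, so just confirm a NULL return is handled before `new->cap_permitted` at 41105.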
41160 diff -urNp linux-2.6.38.1/grsecurity/grsec_disabled.c linux-2.6.38.1/grsecurity/grsec_disabled.c
41161 --- linux-2.6.38.1/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
41162 +++ linux-2.6.38.1/grsecurity/grsec_disabled.c 2011-03-25 18:57:41.000000000 -0400
41164 +#include <linux/kernel.h>
41165 +#include <linux/module.h>
41166 +#include <linux/sched.h>
41167 +#include <linux/file.h>
41168 +#include <linux/fs.h>
41169 +#include <linux/kdev_t.h>
41170 +#include <linux/net.h>
41171 +#include <linux/in.h>
41172 +#include <linux/ip.h>
41173 +#include <linux/skbuff.h>
41174 +#include <linux/sysctl.h>
41176 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
41178 +pax_set_initial_flags(struct linux_binprm *bprm)
41184 +#ifdef CONFIG_SYSCTL
41186 +gr_handle_sysctl(const struct ctl_table * table, const int op)
41192 +#ifdef CONFIG_TASKSTATS
41193 +int gr_is_taskstats_denied(int pid)
41200 +gr_acl_is_enabled(void)
41206 +gr_handle_rawio(const struct inode *inode)
41212 +gr_acl_handle_psacct(struct task_struct *task, const long code)
41218 +gr_handle_ptrace(struct task_struct *task, const long request)
41224 +gr_handle_proc_ptrace(struct task_struct *task)
41230 +gr_learn_resource(const struct task_struct *task,
41231 + const int res, const unsigned long wanted, const int gt)
41237 +gr_set_acls(const int type)
41243 +gr_check_hidden_task(const struct task_struct *tsk)
41249 +gr_check_protected_task(const struct task_struct *task)
41255 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
41261 +gr_copy_label(struct task_struct *tsk)
41267 +gr_set_pax_flags(struct task_struct *task)
41273 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
41274 + const int unsafe_share)
41280 +gr_handle_delete(const ino_t ino, const dev_t dev)
41286 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
41292 +gr_handle_crash(struct task_struct *task, const int sig)
41298 +gr_check_crash_exec(const struct file *filp)
41304 +gr_check_crash_uid(const uid_t uid)
41310 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
41311 + struct dentry *old_dentry,
41312 + struct dentry *new_dentry,
41313 + struct vfsmount *mnt, const __u8 replace)
41319 +gr_search_socket(const int family, const int type, const int protocol)
41325 +gr_search_connectbind(const int mode, const struct socket *sock,
41326 + const struct sockaddr_in *addr)
41332 +gr_is_capable(const int cap)
41338 +gr_is_capable_nolog(const int cap)
41344 +gr_handle_alertkill(struct task_struct *task)
41350 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
41356 +gr_acl_handle_hidden_file(const struct dentry * dentry,
41357 + const struct vfsmount * mnt)
41363 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
41370 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
41376 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
41382 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
41383 + unsigned int *vm_flags)
41389 +gr_acl_handle_truncate(const struct dentry * dentry,
41390 + const struct vfsmount * mnt)
41396 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
41402 +gr_acl_handle_access(const struct dentry * dentry,
41403 + const struct vfsmount * mnt, const int fmode)
41409 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
41416 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
41423 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
41429 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
41435 +grsecurity_init(void)
41441 +gr_acl_handle_mknod(const struct dentry * new_dentry,
41442 + const struct dentry * parent_dentry,
41443 + const struct vfsmount * parent_mnt,
41450 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
41451 + const struct dentry * parent_dentry,
41452 + const struct vfsmount * parent_mnt)
41458 +gr_acl_handle_symlink(const struct dentry * new_dentry,
41459 + const struct dentry * parent_dentry,
41460 + const struct vfsmount * parent_mnt, const char *from)
41466 +gr_acl_handle_link(const struct dentry * new_dentry,
41467 + const struct dentry * parent_dentry,
41468 + const struct vfsmount * parent_mnt,
41469 + const struct dentry * old_dentry,
41470 + const struct vfsmount * old_mnt, const char *to)
41476 +gr_acl_handle_rename(const struct dentry *new_dentry,
41477 + const struct dentry *parent_dentry,
41478 + const struct vfsmount *parent_mnt,
41479 + const struct dentry *old_dentry,
41480 + const struct inode *old_parent_inode,
41481 + const struct vfsmount *old_mnt, const char *newname)
41487 +gr_acl_handle_filldir(const struct file *file, const char *name,
41488 + const int namelen, const ino_t ino)
41494 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41495 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41501 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
41507 +gr_search_accept(const struct socket *sock)
41513 +gr_search_listen(const struct socket *sock)
41519 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
41525 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
41531 +gr_acl_handle_creat(const struct dentry * dentry,
41532 + const struct dentry * p_dentry,
41533 + const struct vfsmount * p_mnt, const int fmode,
41540 +gr_acl_handle_exit(void)
41546 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
41552 +gr_set_role_label(const uid_t uid, const gid_t gid)
41558 +gr_acl_handle_procpidmem(const struct task_struct *task)
41564 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
41570 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
41576 +gr_set_kernel_label(struct task_struct *task)
41582 +gr_check_user_change(int real, int effective, int fs)
41588 +gr_check_group_change(int real, int effective, int fs)
41593 +int gr_acl_enable_at_secure(void)
41598 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
41600 + return dentry->d_inode->i_sb->s_dev;
41603 +EXPORT_SYMBOL(gr_is_capable);
41604 +EXPORT_SYMBOL(gr_is_capable_nolog);
41605 +EXPORT_SYMBOL(gr_learn_resource);
41606 +EXPORT_SYMBOL(gr_set_kernel_label);
41607 +#ifdef CONFIG_SECURITY
41608 +EXPORT_SYMBOL(gr_check_user_change);
41609 +EXPORT_SYMBOL(gr_check_group_change);
41611 diff -urNp linux-2.6.38.1/grsecurity/grsec_exec.c linux-2.6.38.1/grsecurity/grsec_exec.c
41612 --- linux-2.6.38.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
41613 +++ linux-2.6.38.1/grsecurity/grsec_exec.c 2011-03-21 18:31:35.000000000 -0400
41615 +#include <linux/kernel.h>
41616 +#include <linux/sched.h>
41617 +#include <linux/file.h>
41618 +#include <linux/binfmts.h>
41619 +#include <linux/smp_lock.h>
41620 +#include <linux/fs.h>
41621 +#include <linux/types.h>
41622 +#include <linux/grdefs.h>
41623 +#include <linux/grinternal.h>
41624 +#include <linux/capability.h>
41625 +#include <linux/compat.h>
41627 +#include <asm/uaccess.h>
41629 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41630 +static char gr_exec_arg_buf[132];
41631 +static DEFINE_MUTEX(gr_exec_arg_mutex);
41635 +gr_handle_nproc(void)
41637 +#ifdef CONFIG_GRKERNSEC_EXECVE
41638 + const struct cred *cred = current_cred();
41639 + if (grsec_enable_execve && cred->user &&
41640 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
41641 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
41642 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
41650 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
41652 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41653 + char *grarg = gr_exec_arg_buf;
41654 + unsigned int i, x, execlen = 0;
41657 + if (!((grsec_enable_execlog && grsec_enable_group &&
41658 + in_group_p(grsec_audit_gid))
41659 + || (grsec_enable_execlog && !grsec_enable_group)))
41662 + mutex_lock(&gr_exec_arg_mutex);
41663 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41665 + if (unlikely(argv == NULL))
41668 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41669 + const char __user *p;
41670 + unsigned int len;
41672 + if (copy_from_user(&p, argv + i, sizeof(p)))
41676 + len = strnlen_user(p, 128 - execlen);
41677 + if (len > 128 - execlen)
41678 + len = 128 - execlen;
41679 + else if (len > 0)
41681 + if (copy_from_user(grarg + execlen, p, len))
41684 + /* rewrite unprintable characters */
41685 + for (x = 0; x < len; x++) {
41686 + c = *(grarg + execlen + x);
41687 + if (c < 32 || c > 126)
41688 + *(grarg + execlen + x) = ' ';
41692 + *(grarg + execlen) = ' ';
41693 + *(grarg + execlen + 1) = '\0';
41698 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41699 + bprm->file->f_path.mnt, grarg);
41700 + mutex_unlock(&gr_exec_arg_mutex);
41705 +#ifdef CONFIG_COMPAT
41707 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
41709 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41710 + char *grarg = gr_exec_arg_buf;
41711 + unsigned int i, x, execlen = 0;
41714 + if (!((grsec_enable_execlog && grsec_enable_group &&
41715 + in_group_p(grsec_audit_gid))
41716 + || (grsec_enable_execlog && !grsec_enable_group)))
41719 + mutex_lock(&gr_exec_arg_mutex);
41720 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41722 + if (unlikely(argv == NULL))
41725 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41727 + unsigned int len;
41729 + if (get_user(p, argv + i))
41731 + len = strnlen_user(compat_ptr(p), 128 - execlen);
41732 + if (len > 128 - execlen)
41733 + len = 128 - execlen;
41734 + else if (len > 0)
41738 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
41741 + /* rewrite unprintable characters */
41742 + for (x = 0; x < len; x++) {
41743 + c = *(grarg + execlen + x);
41744 + if (c < 32 || c > 126)
41745 + *(grarg + execlen + x) = ' ';
41749 + *(grarg + execlen) = ' ';
41750 + *(grarg + execlen + 1) = '\0';
41755 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41756 + bprm->file->f_path.mnt, grarg);
41757 + mutex_unlock(&gr_exec_arg_mutex);
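Review bot: The bound on logged arguments is hard-coded as `128` in eight places across 41668-41678 and 41725-41734 while the buffer at 41630 is `gr_exec_arg_buf[132]`, so the relationship that appears to keep the trailing `' '` and `'\0'` writes at 41692-41693 and 41749-41750 in bounds (execlen + len never exceeding 128) is implicit; `#define GR_EXEC_ARG_MAX 128` and `static char gr_exec_arg_buf[GR_EXEC_ARG_MAX + 4];` with a comment `/* +4: trailing ' ', '\0' and slack */` would make the invariant visible. gr_handle_exec_args and gr_handle_exec_args_compat differ only in how argv[i] is fetched (`copy_from_user(&p, argv + i, ...)` versus `get_user(p, argv + i)` plus `compat_ptr(p)`), so the per-argument copy, non-printable scrub and append could move into one static helper taking a `const char __user *`, leaving two thin wrappers. The scrub at 41687/41744 replaces every byte outside 32..126 with a space, which also swallows tabs and newlines inside argument values; that is reasonable for a single-line kernel log, but a one-line comment should say the logged string is therefore not byte-faithful.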
41762 diff -urNp linux-2.6.38.1/grsecurity/grsec_fifo.c linux-2.6.38.1/grsecurity/grsec_fifo.c
41763 --- linux-2.6.38.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
41764 +++ linux-2.6.38.1/grsecurity/grsec_fifo.c 2011-03-21 20:33:29.000000000 -0400
41766 +#include <linux/kernel.h>
41767 +#include <linux/sched.h>
41768 +#include <linux/fs.h>
41769 +#include <linux/file.h>
41770 +#include <linux/grinternal.h>
41773 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
41774 + const struct dentry *dir, const int flag, const int acc_mode)
41776 +#ifdef CONFIG_GRKERNSEC_FIFO
41777 + const struct cred *cred = current_cred();
41779 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
41780 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
41781 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
41782 + (cred->fsuid != dentry->d_inode->i_uid)) {
41783 + if (!inode_permission(dentry->d_inode, acc_mode))
41784 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
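Review bot: gr_handle_fifo has no header comment describing the rule it enforces, and the condition at 41779-41782 is the only place a reader can reconstruct it; suggest `/* deny opening a FIFO in a sticky directory when it belongs to neither the opener nor the directory's owner (the shared-/tmp case); O_EXCL creates are exempt */` above the `#ifdef`. One inconsistency with grsec_link.c: gr_handle_follow_link at 42110-42111 also requires the sticky directory to be world-writable (`parent->i_mode & S_IWOTH`), while this check triggers on `S_ISVTX` alone; if the intent is specifically world-writable sticky directories, mirror that test, otherwise a comment should say the broader scope is deliberate. `inode_permission()` returning 0 (access would otherwise be granted) at 41783 is what triggers the log and deny — the inverted sense is easy to misread and deserves a short comment. The end of the function is beyond what is shown, so I cannot tell what the deny path returns.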
41790 diff -urNp linux-2.6.38.1/grsecurity/grsec_fork.c linux-2.6.38.1/grsecurity/grsec_fork.c
41791 --- linux-2.6.38.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
41792 +++ linux-2.6.38.1/grsecurity/grsec_fork.c 2011-03-21 18:31:35.000000000 -0400
41794 +#include <linux/kernel.h>
41795 +#include <linux/sched.h>
41796 +#include <linux/grsecurity.h>
41797 +#include <linux/grinternal.h>
41798 +#include <linux/errno.h>
41801 +gr_log_forkfail(const int retval)
41803 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41804 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
41805 + switch (retval) {
41807 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
41810 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
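Review bot: The test `(retval == -EAGAIN || retval == -ENOMEM)` at 41804 duplicates the `switch (retval)` at 41805 that follows it; the outer `if` can be reduced to `if (grsec_enable_forkfail)` with an explicit `default: break;` in the switch, so a new errno later is added in one place instead of two. If the filter is meant as a fast path to skip the switch for the common `retval == 0` case, a comment saying so is enough. A header line such as `/* audit fork() failures caused by resource exhaustion (possible fork bomb) */` would also tell the reader why only these two errnos are logged.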
41817 diff -urNp linux-2.6.38.1/grsecurity/grsec_init.c linux-2.6.38.1/grsecurity/grsec_init.c
41818 --- linux-2.6.38.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
41819 +++ linux-2.6.38.1/grsecurity/grsec_init.c 2011-03-21 18:31:35.000000000 -0400
41821 +#include <linux/kernel.h>
41822 +#include <linux/sched.h>
41823 +#include <linux/mm.h>
41824 +#include <linux/smp_lock.h>
41825 +#include <linux/gracl.h>
41826 +#include <linux/slab.h>
41827 +#include <linux/vmalloc.h>
41828 +#include <linux/percpu.h>
41829 +#include <linux/module.h>
41831 +int grsec_enable_link;
41832 +int grsec_enable_dmesg;
41833 +int grsec_enable_harden_ptrace;
41834 +int grsec_enable_fifo;
41835 +int grsec_enable_execve;
41836 +int grsec_enable_execlog;
41837 +int grsec_enable_signal;
41838 +int grsec_enable_forkfail;
41839 +int grsec_enable_audit_ptrace;
41840 +int grsec_enable_time;
41841 +int grsec_enable_audit_textrel;
41842 +int grsec_enable_group;
41843 +int grsec_audit_gid;
41844 +int grsec_enable_chdir;
41845 +int grsec_enable_mount;
41846 +int grsec_enable_rofs;
41847 +int grsec_enable_chroot_findtask;
41848 +int grsec_enable_chroot_mount;
41849 +int grsec_enable_chroot_shmat;
41850 +int grsec_enable_chroot_fchdir;
41851 +int grsec_enable_chroot_double;
41852 +int grsec_enable_chroot_pivot;
41853 +int grsec_enable_chroot_chdir;
41854 +int grsec_enable_chroot_chmod;
41855 +int grsec_enable_chroot_mknod;
41856 +int grsec_enable_chroot_nice;
41857 +int grsec_enable_chroot_execlog;
41858 +int grsec_enable_chroot_caps;
41859 +int grsec_enable_chroot_sysctl;
41860 +int grsec_enable_chroot_unix;
41861 +int grsec_enable_tpe;
41862 +int grsec_tpe_gid;
41863 +int grsec_enable_blackhole;
41864 +#ifdef CONFIG_IPV6_MODULE
41865 +EXPORT_SYMBOL(grsec_enable_blackhole);
41867 +int grsec_lastack_retries;
41868 +int grsec_enable_tpe_all;
41869 +int grsec_enable_tpe_invert;
41870 +int grsec_enable_socket_all;
41871 +int grsec_socket_all_gid;
41872 +int grsec_enable_socket_client;
41873 +int grsec_socket_client_gid;
41874 +int grsec_enable_socket_server;
41875 +int grsec_socket_server_gid;
41876 +int grsec_resource_logging;
41877 +int grsec_disable_privio;
41878 +int grsec_enable_log_rwxmaps;
41881 +DEFINE_SPINLOCK(grsec_alert_lock);
41882 +unsigned long grsec_alert_wtime = 0;
41883 +unsigned long grsec_alert_fyet = 0;
41885 +DEFINE_SPINLOCK(grsec_audit_lock);
41887 +DEFINE_RWLOCK(grsec_exec_file_lock);
41889 +char *gr_shared_page[4];
41891 +char *gr_alert_log_fmt;
41892 +char *gr_audit_log_fmt;
41893 +char *gr_alert_log_buf;
41894 +char *gr_audit_log_buf;
41896 +extern struct gr_arg *gr_usermode;
41897 +extern unsigned char *gr_system_salt;
41898 +extern unsigned char *gr_system_sum;
41901 +grsecurity_init(void)
41904 + /* create the per-cpu shared pages */
41907 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
41910 + for (j = 0; j < 4; j++) {
41911 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
41912 + if (gr_shared_page[j] == NULL) {
41913 + panic("Unable to allocate grsecurity shared page");
41918 + /* allocate log buffers */
41919 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
41920 + if (!gr_alert_log_fmt) {
41921 + panic("Unable to allocate grsecurity alert log format buffer");
41924 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
41925 + if (!gr_audit_log_fmt) {
41926 + panic("Unable to allocate grsecurity audit log format buffer");
41929 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41930 + if (!gr_alert_log_buf) {
41931 + panic("Unable to allocate grsecurity alert log buffer");
41934 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41935 + if (!gr_audit_log_buf) {
41936 + panic("Unable to allocate grsecurity audit log buffer");
41940 + /* allocate memory for authentication structure */
41941 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
41942 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
41943 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
41945 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
41946 + panic("Unable to allocate grsecurity authentication structure");
41951 +#ifdef CONFIG_GRKERNSEC_IO
41952 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
41953 + grsec_disable_privio = 1;
41954 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41955 + grsec_disable_privio = 1;
41957 + grsec_disable_privio = 0;
41961 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41962 + /* for backward compatibility, tpe_invert always defaults to on if
41963 + enabled in the kernel
41965 + grsec_enable_tpe_invert = 1;
41968 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41969 +#ifndef CONFIG_GRKERNSEC_SYSCTL
41973 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41974 + grsec_enable_audit_textrel = 1;
41976 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41977 + grsec_enable_log_rwxmaps = 1;
41979 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41980 + grsec_enable_group = 1;
41981 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
41983 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41984 + grsec_enable_chdir = 1;
41986 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41987 + grsec_enable_harden_ptrace = 1;
41989 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41990 + grsec_enable_mount = 1;
41992 +#ifdef CONFIG_GRKERNSEC_LINK
41993 + grsec_enable_link = 1;
41995 +#ifdef CONFIG_GRKERNSEC_DMESG
41996 + grsec_enable_dmesg = 1;
41998 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41999 + grsec_enable_blackhole = 1;
42000 + grsec_lastack_retries = 4;
42002 +#ifdef CONFIG_GRKERNSEC_FIFO
42003 + grsec_enable_fifo = 1;
42005 +#ifdef CONFIG_GRKERNSEC_EXECVE
42006 + grsec_enable_execve = 1;
42008 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42009 + grsec_enable_execlog = 1;
42011 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42012 + grsec_enable_signal = 1;
42014 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42015 + grsec_enable_forkfail = 1;
42017 +#ifdef CONFIG_GRKERNSEC_TIME
42018 + grsec_enable_time = 1;
42020 +#ifdef CONFIG_GRKERNSEC_RESLOG
42021 + grsec_resource_logging = 1;
42023 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42024 + grsec_enable_chroot_findtask = 1;
42026 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
42027 + grsec_enable_chroot_unix = 1;
42029 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42030 + grsec_enable_chroot_mount = 1;
42032 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
42033 + grsec_enable_chroot_fchdir = 1;
42035 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
42036 + grsec_enable_chroot_shmat = 1;
42038 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42039 + grsec_enable_audit_ptrace = 1;
42041 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42042 + grsec_enable_chroot_double = 1;
42044 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42045 + grsec_enable_chroot_pivot = 1;
42047 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42048 + grsec_enable_chroot_chdir = 1;
42050 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42051 + grsec_enable_chroot_chmod = 1;
42053 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
42054 + grsec_enable_chroot_mknod = 1;
42056 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
42057 + grsec_enable_chroot_nice = 1;
42059 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
42060 + grsec_enable_chroot_execlog = 1;
42062 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
42063 + grsec_enable_chroot_caps = 1;
42065 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
42066 + grsec_enable_chroot_sysctl = 1;
42068 +#ifdef CONFIG_GRKERNSEC_TPE
42069 + grsec_enable_tpe = 1;
42070 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
42071 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42072 + grsec_enable_tpe_all = 1;
42075 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42076 + grsec_enable_socket_all = 1;
42077 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
42079 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42080 + grsec_enable_socket_client = 1;
42081 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
42083 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42084 + grsec_enable_socket_server = 1;
42085 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
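Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` at 41907 is a raw write to a fixed low physical address with no comment; it appears to clear the BIOS Data Area keyboard buffer (head/tail pointers at 0x41a/0x41c followed by the 32-byte ring buffer, 36 bytes in all), where a BIOS or boot-loader password typed before the kernel started can linger in memory. Please say so in a comment, e.g. `/* scrub the BIOS keyboard buffer (BDA 0x41a-0x43d) so a pre-boot password does not survive in memory */`, and give the two literals names. This is x86-only; the lines just before 41907 are not shown here, so confirm the call sits inside a `CONFIG_X86` guard rather than being compiled for every architecture the patch touches. The repeated `panic()` on allocation failure at 41913-41946 is a deliberate fail-closed policy; a one-line comment stating that grsecurity refuses to boot without its log and authentication buffers would make that explicit.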
42091 diff -urNp linux-2.6.38.1/grsecurity/grsec_link.c linux-2.6.38.1/grsecurity/grsec_link.c
42092 --- linux-2.6.38.1/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
42093 +++ linux-2.6.38.1/grsecurity/grsec_link.c 2011-03-21 20:34:41.000000000 -0400
42095 +#include <linux/kernel.h>
42096 +#include <linux/sched.h>
42097 +#include <linux/fs.h>
42098 +#include <linux/file.h>
42099 +#include <linux/grinternal.h>
42102 +gr_handle_follow_link(const struct inode *parent,
42103 + const struct inode *inode,
42104 + const struct dentry *dentry, const struct vfsmount *mnt)
42106 +#ifdef CONFIG_GRKERNSEC_LINK
42107 + const struct cred *cred = current_cred();
42109 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
42110 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
42111 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
42112 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
42120 +gr_handle_hardlink(const struct dentry *dentry,
42121 + const struct vfsmount *mnt,
42122 + struct inode *inode, const int mode, const char *to)
42124 +#ifdef CONFIG_GRKERNSEC_LINK
42125 + const struct cred *cred = current_cred();
42127 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
42128 + (!S_ISREG(mode) || (mode & S_ISUID) ||
42129 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
42130 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
42131 + !capable(CAP_FOWNER) && cred->uid) {
42132 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
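Review bot: gr_handle_hardlink's condition at 42127-42131 packs the whole policy into one expression and has no header comment; suggest `/* refuse hardlinks to files the caller does not own unless the target is a plain file the caller could already read and write and is neither setuid nor setgid-executable; uid 0 and CAP_FOWNER are exempt */`. The `cred->uid` test means uid 0 is exempt even without CAP_FOWNER; if that is intended, say so, otherwise `capable(CAP_FOWNER)` alone is the cleaner check. `inode_permission(inode, MAY_READ | MAY_WRITE)` returning non-zero is what contributes to denial, so the double negative deserves a short comment as well. Both functions here closely correspond to the later mainline `fs.protected_symlinks`/`fs.protected_hardlinks` sysctls, and a pointer to that equivalence in the file header would help readers comparing the two implementations.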
42138 diff -urNp linux-2.6.38.1/grsecurity/grsec_log.c linux-2.6.38.1/grsecurity/grsec_log.c
42139 --- linux-2.6.38.1/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
42140 +++ linux-2.6.38.1/grsecurity/grsec_log.c 2011-03-21 18:31:35.000000000 -0400
42142 +#include <linux/kernel.h>
42143 +#include <linux/sched.h>
42144 +#include <linux/file.h>
42145 +#include <linux/tty.h>
42146 +#include <linux/fs.h>
42147 +#include <linux/grinternal.h>
42149 +#ifdef CONFIG_TREE_PREEMPT_RCU
42150 +#define DISABLE_PREEMPT() preempt_disable()
42151 +#define ENABLE_PREEMPT() preempt_enable()
42153 +#define DISABLE_PREEMPT()
42154 +#define ENABLE_PREEMPT()
42157 +#define BEGIN_LOCKS(x) \
42158 + DISABLE_PREEMPT(); \
42159 + rcu_read_lock(); \
42160 + read_lock(&tasklist_lock); \
42161 + read_lock(&grsec_exec_file_lock); \
42162 + if (x != GR_DO_AUDIT) \
42163 + spin_lock(&grsec_alert_lock); \
42165 + spin_lock(&grsec_audit_lock)
42167 +#define END_LOCKS(x) \
42168 + if (x != GR_DO_AUDIT) \
42169 + spin_unlock(&grsec_alert_lock); \
42171 + spin_unlock(&grsec_audit_lock); \
42172 + read_unlock(&grsec_exec_file_lock); \
42173 + read_unlock(&tasklist_lock); \
42174 + rcu_read_unlock(); \
42175 + ENABLE_PREEMPT(); \
42176 + if (x == GR_DONT_AUDIT) \
42177 + gr_handle_alertkill(current)
42184 +extern char *gr_alert_log_fmt;
42185 +extern char *gr_audit_log_fmt;
42186 +extern char *gr_alert_log_buf;
42187 +extern char *gr_audit_log_buf;
42189 +static int gr_log_start(int audit)
42191 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
42192 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
42193 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42195 + if (audit == GR_DO_AUDIT)
42198 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
42199 + grsec_alert_wtime = jiffies;
42200 + grsec_alert_fyet = 0;
42201 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
42202 + grsec_alert_fyet++;
42203 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
42204 + grsec_alert_wtime = jiffies;
42205 + grsec_alert_fyet++;
42206 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
42208 + } else return FLOODING;
42211 + memset(buf, 0, PAGE_SIZE);
42212 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
42213 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
42214 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42215 + } else if (current->signal->curr_ip) {
42216 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
42217 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
42218 + } else if (gr_acl_is_enabled()) {
42219 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
42220 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42222 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
42223 + strcpy(buf, fmt);
42226 + return NO_FLOODING;
42229 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42230 + __attribute__ ((format (printf, 2, 0)));
42232 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42234 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42235 + unsigned int len = strlen(buf);
42237 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42242 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42243 + __attribute__ ((format (printf, 2, 3)));
42245 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42247 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42248 + unsigned int len = strlen(buf);
42251 + va_start(ap, msg);
42252 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42258 +static void gr_log_end(int audit)
42260 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42261 + unsigned int len = strlen(buf);
42263 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
42264 + printk("%s\n", buf);
42269 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
42272 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
42273 + char *str1, *str2, *str3;
42276 + unsigned long ulong1, ulong2;
42277 + struct dentry *dentry;
42278 + struct vfsmount *mnt;
42279 + struct file *file;
42280 + struct task_struct *task;
42281 + const struct cred *cred, *pcred;
42284 + BEGIN_LOCKS(audit);
42285 + logtype = gr_log_start(audit);
42286 + if (logtype == FLOODING) {
42287 + END_LOCKS(audit);
42290 + va_start(ap, argtypes);
42291 + switch (argtypes) {
42292 + case GR_TTYSNIFF:
42293 + task = va_arg(ap, struct task_struct *);
42294 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
42296 + case GR_SYSCTL_HIDDEN:
42297 + str1 = va_arg(ap, char *);
42298 + gr_log_middle_varargs(audit, msg, result, str1);
42301 + dentry = va_arg(ap, struct dentry *);
42302 + mnt = va_arg(ap, struct vfsmount *);
42303 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
42305 + case GR_RBAC_STR:
42306 + dentry = va_arg(ap, struct dentry *);
42307 + mnt = va_arg(ap, struct vfsmount *);
42308 + str1 = va_arg(ap, char *);
42309 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
42311 + case GR_STR_RBAC:
42312 + str1 = va_arg(ap, char *);
42313 + dentry = va_arg(ap, struct dentry *);
42314 + mnt = va_arg(ap, struct vfsmount *);
42315 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
42317 + case GR_RBAC_MODE2:
42318 + dentry = va_arg(ap, struct dentry *);
42319 + mnt = va_arg(ap, struct vfsmount *);
42320 + str1 = va_arg(ap, char *);
42321 + str2 = va_arg(ap, char *);
42322 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
42324 + case GR_RBAC_MODE3:
42325 + dentry = va_arg(ap, struct dentry *);
42326 + mnt = va_arg(ap, struct vfsmount *);
42327 + str1 = va_arg(ap, char *);
42328 + str2 = va_arg(ap, char *);
42329 + str3 = va_arg(ap, char *);
42330 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
42332 + case GR_FILENAME:
42333 + dentry = va_arg(ap, struct dentry *);
42334 + mnt = va_arg(ap, struct vfsmount *);
42335 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
42337 + case GR_STR_FILENAME:
42338 + str1 = va_arg(ap, char *);
42339 + dentry = va_arg(ap, struct dentry *);
42340 + mnt = va_arg(ap, struct vfsmount *);
42341 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
42343 + case GR_FILENAME_STR:
42344 + dentry = va_arg(ap, struct dentry *);
42345 + mnt = va_arg(ap, struct vfsmount *);
42346 + str1 = va_arg(ap, char *);
42347 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
42349 + case GR_FILENAME_TWO_INT:
42350 + dentry = va_arg(ap, struct dentry *);
42351 + mnt = va_arg(ap, struct vfsmount *);
42352 + num1 = va_arg(ap, int);
42353 + num2 = va_arg(ap, int);
42354 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
42356 + case GR_FILENAME_TWO_INT_STR:
42357 + dentry = va_arg(ap, struct dentry *);
42358 + mnt = va_arg(ap, struct vfsmount *);
42359 + num1 = va_arg(ap, int);
42360 + num2 = va_arg(ap, int);
42361 + str1 = va_arg(ap, char *);
42362 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
42365 + file = va_arg(ap, struct file *);
42366 + ulong1 = va_arg(ap, unsigned long);
42367 + ulong2 = va_arg(ap, unsigned long);
42368 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
42371 + task = va_arg(ap, struct task_struct *);
42372 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
42374 + case GR_RESOURCE:
42375 + task = va_arg(ap, struct task_struct *);
42376 + cred = __task_cred(task);
42377 + pcred = __task_cred(task->real_parent);
42378 + ulong1 = va_arg(ap, unsigned long);
42379 + str1 = va_arg(ap, char *);
42380 + ulong2 = va_arg(ap, unsigned long);
42381 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42384 + task = va_arg(ap, struct task_struct *);
42385 + cred = __task_cred(task);
42386 + pcred = __task_cred(task->real_parent);
42387 + str1 = va_arg(ap, char *);
42388 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42391 + str1 = va_arg(ap, char *);
42392 + voidptr = va_arg(ap, void *);
42393 + gr_log_middle_varargs(audit, msg, str1, voidptr);
42396 + task = va_arg(ap, struct task_struct *);
42397 + cred = __task_cred(task);
42398 + pcred = __task_cred(task->real_parent);
42399 + num1 = va_arg(ap, int);
42400 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42403 + task = va_arg(ap, struct task_struct *);
42404 + cred = __task_cred(task);
42405 + pcred = __task_cred(task->real_parent);
42406 + ulong1 = va_arg(ap, unsigned long);
42407 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
42410 + task = va_arg(ap, struct task_struct *);
42411 + cred = __task_cred(task);
42412 + pcred = __task_cred(task->real_parent);
42413 + ulong1 = va_arg(ap, unsigned long);
42414 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
42417 + file = va_arg(ap, struct file *);
42418 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
42422 + unsigned int wday, cday;
42426 + char cur_tty[64] = { 0 };
42427 + char parent_tty[64] = { 0 };
42429 + task = va_arg(ap, struct task_struct *);
42430 + wday = va_arg(ap, unsigned int);
42431 + cday = va_arg(ap, unsigned int);
42432 + whr = va_arg(ap, int);
42433 + chr = va_arg(ap, int);
42434 + wmin = va_arg(ap, int);
42435 + cmin = va_arg(ap, int);
42436 + wsec = va_arg(ap, int);
42437 + csec = va_arg(ap, int);
42438 + ulong1 = va_arg(ap, unsigned long);
42439 + cred = __task_cred(task);
42440 + pcred = __task_cred(task->real_parent);
42442 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42446 + gr_log_middle(audit, msg, ap);
42449 + gr_log_end(audit);
42450 + END_LOCKS(audit);
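Review bot: The flood-control window in gr_log_start is off by one at its boundary: when `jiffies - grsec_alert_wtime` equals exactly `CONFIG_GRKERNSEC_FLOODTIME * HZ`, neither the `>` reset branch nor the `<` counting branch matches, so the alert is dropped as FLOODING even though the burst counter has not been exhausted. Changing the first test to `jiffies - grsec_alert_wtime >= CONFIG_GRKERNSEC_FLOODTIME * HZ` (or the kernel idiom `time_after_eq(jiffies, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME * HZ)`) closes the gap. Separately, the `¤t->signal->curr_ip` arguments to snprintf read as an extraction artifact of `&current` (an HTML entity swallowed the ampersand); the intent is the address of curr_ip for `%pI4`, as the `&task->signal->curr_ip` arguments in gr_log_varargs show. Blank lines, braces and the tail of gr_log_varargs after `END_LOCKS` are elided from the listing, so the control flow after the burst-exhausted branch is inferred.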
42452 diff -urNp linux-2.6.38.1/grsecurity/grsec_mem.c linux-2.6.38.1/grsecurity/grsec_mem.c
42453 --- linux-2.6.38.1/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
42454 +++ linux-2.6.38.1/grsecurity/grsec_mem.c 2011-03-26 14:40:33.000000000 -0400
42456 +#include <linux/kernel.h>
42457 +#include <linux/sched.h>
42458 +#include <linux/mm.h>
42459 +#include <linux/mman.h>
42460 +#include <linux/grinternal.h>
42463 +gr_handle_ioperm(void)
42465 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
42470 +gr_handle_iopl(void)
42472 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
42477 +gr_handle_mem_write(void)
42479 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
42484 +gr_handle_kmem_write(void)
42486 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
42491 +gr_handle_open_port(void)
42493 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
42498 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
42500 + unsigned long start, end;
42503 + end = start + vma->vm_end - vma->vm_start;
42505 + if (start > end) {
42506 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42510 +/* if raw i/o is disabled, prevent writes to /dev/mem entirely */
42511 +#ifndef CONFIG_GRKERNSEC_IO
42512 + /* allowed ranges : ISA I/O BIOS */
42513 + if ((start >= __pa(high_memory))
42514 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
42515 + || (start >= 0x000a0000 && end <= 0x00100000)
42516 + || (start >= 0x00000000 && end <= 0x00001000)
42522 + if (vma->vm_flags & VM_WRITE) {
42523 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42526 + vma->vm_flags &= ~VM_MAYWRITE;
42532 +gr_log_nonroot_mod_load(const char *modname)
42535 +#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE)
42536 + /* There are known knowns. These are things we know
42537 + that we know. There are known unknowns. That is to say,
42538 + there are things that we know we don't know. But there are
42539 + also unknown unknowns. There are things we don't know
42541 + This here is a known unknown.
42543 + && strcmp(modname, "net-pf-10")
42546 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
42551 +gr_handle_vm86(void)
42553 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
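Review bot: In gr_handle_mem_mmap the range test `(start >= 0x00000000 && end <= 0x00001000)` has a tautological left half: `start` is `unsigned long`, so `start >= 0` is always true and the clause only checks `end <= 0x00001000`. Writing it as `|| (end <= 0x00001000)` states the intent (the first page of physical memory) and avoids a `-Wtype-limits` warning. The assignment of `start` and the denial branch that follows the `#ifndef CONFIG_GRKERNSEC_IO` range check are not shown in the listing, so this reads only the visible lines; the `start > end` wraparound check before the range test is correct as written.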
42556 diff -urNp linux-2.6.38.1/grsecurity/grsec_mount.c linux-2.6.38.1/grsecurity/grsec_mount.c
42557 --- linux-2.6.38.1/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
42558 +++ linux-2.6.38.1/grsecurity/grsec_mount.c 2011-03-21 18:31:35.000000000 -0400
42560 +#include <linux/kernel.h>
42561 +#include <linux/sched.h>
42562 +#include <linux/mount.h>
42563 +#include <linux/grsecurity.h>
42564 +#include <linux/grinternal.h>
42567 +gr_log_remount(const char *devname, const int retval)
42569 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42570 + if (grsec_enable_mount && (retval >= 0))
42571 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
42577 +gr_log_unmount(const char *devname, const int retval)
42579 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42580 + if (grsec_enable_mount && (retval >= 0))
42581 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
42587 +gr_log_mount(const char *from, const char *to, const int retval)
42589 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42590 + if (grsec_enable_mount && (retval >= 0))
42591 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
42597 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
42599 +#ifdef CONFIG_GRKERNSEC_ROFS
42600 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
42601 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
42610 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
42612 +#ifdef CONFIG_GRKERNSEC_ROFS
42613 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
42614 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
42615 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
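Review bot: gr_log_mount passes `from` straight through to gr_log_str_str, while gr_log_remount and gr_log_unmount in the same file guard their device name with `devname ? devname : "none"`. If a caller can hand gr_log_mount a NULL source (the callers are outside this hunk, so this is inferred), the `%s` formatting of a NULL pointer is the inconsistency to fix; `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);` makes the three audit helpers agree.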
42622 diff -urNp linux-2.6.38.1/grsecurity/grsec_pax.c linux-2.6.38.1/grsecurity/grsec_pax.c
42623 --- linux-2.6.38.1/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
42624 +++ linux-2.6.38.1/grsecurity/grsec_pax.c 2011-03-21 18:31:35.000000000 -0400
42626 +#include <linux/kernel.h>
42627 +#include <linux/sched.h>
42628 +#include <linux/mm.h>
42629 +#include <linux/file.h>
42630 +#include <linux/grinternal.h>
42631 +#include <linux/grsecurity.h>
42634 +gr_log_textrel(struct vm_area_struct * vma)
42636 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42637 + if (grsec_enable_audit_textrel)
42638 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42644 +gr_log_rwxmmap(struct file *file)
42646 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42647 + if (grsec_enable_log_rwxmaps)
42648 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
42654 +gr_log_rwxmprotect(struct file *file)
42656 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42657 + if (grsec_enable_log_rwxmaps)
42658 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
42662 diff -urNp linux-2.6.38.1/grsecurity/grsec_ptrace.c linux-2.6.38.1/grsecurity/grsec_ptrace.c
42663 --- linux-2.6.38.1/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
42664 +++ linux-2.6.38.1/grsecurity/grsec_ptrace.c 2011-03-21 18:31:35.000000000 -0400
42666 +#include <linux/kernel.h>
42667 +#include <linux/sched.h>
42668 +#include <linux/grinternal.h>
42669 +#include <linux/grsecurity.h>
42672 +gr_audit_ptrace(struct task_struct *task)
42674 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42675 + if (grsec_enable_audit_ptrace)
42676 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
42680 diff -urNp linux-2.6.38.1/grsecurity/grsec_sig.c linux-2.6.38.1/grsecurity/grsec_sig.c
42681 --- linux-2.6.38.1/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
42682 +++ linux-2.6.38.1/grsecurity/grsec_sig.c 2011-03-26 19:58:27.000000000 -0400
42684 +#include <linux/kernel.h>
42685 +#include <linux/sched.h>
42686 +#include <linux/delay.h>
42687 +#include <linux/grsecurity.h>
42688 +#include <linux/grinternal.h>
42690 +char *signames[] = {
42691 + [SIGSEGV] = "Segmentation fault",
42692 + [SIGILL] = "Illegal instruction",
42693 + [SIGABRT] = "Abort",
42694 + [SIGBUS] = "Invalid alignment/Bus error"
42698 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
42700 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42701 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
42702 + (sig == SIGABRT) || (sig == SIGBUS))) {
42703 + if (t->pid == current->pid) {
42704 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
42706 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
42714 +gr_handle_signal(const struct task_struct *p, const int sig)
42716 +#ifdef CONFIG_GRKERNSEC
42717 + if (current->pid > 1 && gr_check_protected_task(p)) {
42718 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
42720 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
42727 +void gr_handle_brute_attach(struct task_struct *p)
42729 +#ifdef CONFIG_GRKERNSEC_BRUTE
42730 + read_lock(&tasklist_lock);
42731 + read_lock(&grsec_exec_file_lock);
42732 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
42733 + p->real_parent->brute = 1;
42734 + read_unlock(&grsec_exec_file_lock);
42735 + read_unlock(&tasklist_lock);
42740 +void gr_handle_brute_check(void)
42742 +#ifdef CONFIG_GRKERNSEC_BRUTE
42743 + if (current->brute)
42744 + msleep(30 * 1000);
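Review bot: `signames` is declared as a writable, externally visible array `char *signames[]`; nothing in the file writes to it and it is only read through `signames[sig]` in gr_log_signal, so it should be `static const char * const signames[]` to keep the strings immutable and out of the global namespace. The index is in bounds today only because gr_log_signal first checks that `sig` is one of SIGSEGV, SIGILL, SIGABRT or SIGBUS; a comment above the table such as `/* indexed only after gr_log_signal's explicit sig check; extend both together */` would tie the two. In gr_handle_signal the `(struct task_struct *)p` cast discards the parameter's const; if gr_pid_is_chrooted does not modify the task, giving it a `const struct task_struct *` parameter would remove the cast.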
42749 diff -urNp linux-2.6.38.1/grsecurity/grsec_sock.c linux-2.6.38.1/grsecurity/grsec_sock.c
42750 --- linux-2.6.38.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
42751 +++ linux-2.6.38.1/grsecurity/grsec_sock.c 2011-03-21 18:31:35.000000000 -0400
42753 +#include <linux/kernel.h>
42754 +#include <linux/module.h>
42755 +#include <linux/sched.h>
42756 +#include <linux/file.h>
42757 +#include <linux/net.h>
42758 +#include <linux/in.h>
42759 +#include <linux/ip.h>
42760 +#include <net/sock.h>
42761 +#include <net/inet_sock.h>
42762 +#include <linux/grsecurity.h>
42763 +#include <linux/grinternal.h>
42764 +#include <linux/gracl.h>
42766 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
42767 +EXPORT_SYMBOL(gr_cap_rtnetlink);
42769 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
42770 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
42772 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
42773 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
42775 +#ifdef CONFIG_UNIX_MODULE
42776 +EXPORT_SYMBOL(gr_acl_handle_unix);
42777 +EXPORT_SYMBOL(gr_acl_handle_mknod);
42778 +EXPORT_SYMBOL(gr_handle_chroot_unix);
42779 +EXPORT_SYMBOL(gr_handle_create);
42782 +#ifdef CONFIG_GRKERNSEC
42783 +#define gr_conn_table_size 32749
42784 +struct conn_table_entry {
42785 + struct conn_table_entry *next;
42786 + struct signal_struct *sig;
42789 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
42790 +DEFINE_SPINLOCK(gr_conn_table_lock);
42792 +extern const char * gr_socktype_to_name(unsigned char type);
42793 +extern const char * gr_proto_to_name(unsigned char proto);
42794 +extern const char * gr_sockfamily_to_name(unsigned char family);
42796 +static __inline__ int
42797 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
42799 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
42802 +static __inline__ int
42803 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
42804 + __u16 sport, __u16 dport)
42806 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
42807 + sig->gr_sport == sport && sig->gr_dport == dport))
42813 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
42815 + struct conn_table_entry **match;
42816 + unsigned int index;
42818 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42819 + sig->gr_sport, sig->gr_dport,
42820 + gr_conn_table_size);
42822 + newent->sig = sig;
42824 + match = &gr_conn_table[index];
42825 + newent->next = *match;
42831 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
42833 + struct conn_table_entry *match, *last = NULL;
42834 + unsigned int index;
42836 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42837 + sig->gr_sport, sig->gr_dport,
42838 + gr_conn_table_size);
42840 + match = gr_conn_table[index];
42841 + while (match && !conn_match(match->sig,
42842 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
42843 + sig->gr_dport)) {
42845 + match = match->next;
42850 + last->next = match->next;
42852 + gr_conn_table[index] = NULL;
42859 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
42860 + __u16 sport, __u16 dport)
42862 + struct conn_table_entry *match;
42863 + unsigned int index;
42865 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
42867 + match = gr_conn_table[index];
42868 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
42869 + match = match->next;
42872 + return match->sig;
42879 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
42881 +#ifdef CONFIG_GRKERNSEC
42882 + struct signal_struct *sig = task->signal;
42883 + struct conn_table_entry *newent;
42885 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
42886 + if (newent == NULL)
42888 + /* no bh lock needed since we are called with bh disabled */
42889 + spin_lock(&gr_conn_table_lock);
42890 + gr_del_task_from_ip_table_nolock(sig);
42891 + sig->gr_saddr = inet->inet_rcv_saddr;
42892 + sig->gr_daddr = inet->inet_daddr;
42893 + sig->gr_sport = inet->inet_sport;
42894 + sig->gr_dport = inet->inet_dport;
42895 + gr_add_to_task_ip_table_nolock(sig, newent);
42896 + spin_unlock(&gr_conn_table_lock);
42901 +void gr_del_task_from_ip_table(struct task_struct *task)
42903 +#ifdef CONFIG_GRKERNSEC
42904 + spin_lock_bh(&gr_conn_table_lock);
42905 + gr_del_task_from_ip_table_nolock(task->signal);
42906 + spin_unlock_bh(&gr_conn_table_lock);
42912 +gr_attach_curr_ip(const struct sock *sk)
42914 +#ifdef CONFIG_GRKERNSEC
42915 + struct signal_struct *p, *set;
42916 + const struct inet_sock *inet = inet_sk(sk);
42918 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
42921 + set = current->signal;
42923 + spin_lock_bh(&gr_conn_table_lock);
42924 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
42925 + inet->inet_dport, inet->inet_sport);
42926 + if (unlikely(p != NULL)) {
42927 + set->curr_ip = p->curr_ip;
42928 + set->used_accept = 1;
42929 + gr_del_task_from_ip_table_nolock(p);
42930 + spin_unlock_bh(&gr_conn_table_lock);
42933 + spin_unlock_bh(&gr_conn_table_lock);
42935 + set->curr_ip = inet->inet_daddr;
42936 + set->used_accept = 1;
42942 +gr_handle_sock_all(const int family, const int type, const int protocol)
42944 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42945 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
42946 + (family != AF_UNIX)) {
42947 + if (family == AF_INET)
42948 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
42950 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
42958 +gr_handle_sock_server(const struct sockaddr *sck)
42960 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42961 + if (grsec_enable_socket_server &&
42962 + in_group_p(grsec_socket_server_gid) &&
42963 + sck && (sck->sa_family != AF_UNIX) &&
42964 + (sck->sa_family != AF_LOCAL)) {
42965 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42973 +gr_handle_sock_server_other(const struct sock *sck)
42975 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42976 + if (grsec_enable_socket_server &&
42977 + in_group_p(grsec_socket_server_gid) &&
42978 + sck && (sck->sk_family != AF_UNIX) &&
42979 + (sck->sk_family != AF_LOCAL)) {
42980 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42988 +gr_handle_sock_client(const struct sockaddr *sck)
42990 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42991 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
42992 + sck && (sck->sa_family != AF_UNIX) &&
42993 + (sck->sa_family != AF_LOCAL)) {
42994 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
43002 +gr_cap_rtnetlink(struct sock *sock)
43004 +#ifdef CONFIG_GRKERNSEC
43005 + if (!gr_acl_is_enabled())
43006 + return current_cap();
43007 + else if (sock->sk_protocol == NETLINK_ISCSI &&
43008 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
43009 + gr_is_capable(CAP_SYS_ADMIN))
43010 + return current_cap();
43011 + else if (sock->sk_protocol == NETLINK_AUDIT &&
43012 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
43013 + gr_is_capable(CAP_AUDIT_WRITE) &&
43014 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
43015 + gr_is_capable(CAP_AUDIT_CONTROL))
43016 + return current_cap();
43017 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
43018 + ((sock->sk_protocol == NETLINK_ROUTE) ?
43019 + gr_is_capable_nolog(CAP_NET_ADMIN) :
43020 + gr_is_capable(CAP_NET_ADMIN)))
43021 + return current_cap();
43023 + return __cap_empty_set;
43025 + return current_cap();
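Review bot: In gr_del_task_from_ip_table_nolock, the branch that ends in `gr_conn_table[index] = NULL;` appears to be the remove-the-head case (the lines between `last->next = match->next;` and it are elided, so this is inferred), and clearing the whole bucket drops every other entry chained behind the matched one: those entries are never freed or found again, so later gr_attach_curr_ip lookups for those connections miss. The head case should unlink only the matched entry, `gr_conn_table[index] = match->next;`. Separately, conn_hash computes `dport << 16` on a `__u16` that has been promoted to `int`, which is signed overflow for ports of 0x8000 and above; `((__u32)dport << 16)` (and `((__u32)sport << 8)` for symmetry) keeps the arithmetic unsigned.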
43028 diff -urNp linux-2.6.38.1/grsecurity/grsec_sysctl.c linux-2.6.38.1/grsecurity/grsec_sysctl.c
43029 --- linux-2.6.38.1/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
43030 +++ linux-2.6.38.1/grsecurity/grsec_sysctl.c 2011-03-21 18:31:35.000000000 -0400
43032 +#include <linux/kernel.h>
43033 +#include <linux/sched.h>
43034 +#include <linux/sysctl.h>
43035 +#include <linux/grsecurity.h>
43036 +#include <linux/grinternal.h>
43039 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
43041 +#ifdef CONFIG_GRKERNSEC_SYSCTL
43042 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
43043 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
43050 +#ifdef CONFIG_GRKERNSEC_ROFS
43051 +static int __maybe_unused one = 1;
43054 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
43055 +struct ctl_table grsecurity_table[] = {
43056 +#ifdef CONFIG_GRKERNSEC_SYSCTL
43057 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
43058 +#ifdef CONFIG_GRKERNSEC_IO
43060 + .procname = "disable_priv_io",
43061 + .data = &grsec_disable_privio,
43062 + .maxlen = sizeof(int),
43064 + .proc_handler = &proc_dointvec,
43068 +#ifdef CONFIG_GRKERNSEC_LINK
43070 + .procname = "linking_restrictions",
43071 + .data = &grsec_enable_link,
43072 + .maxlen = sizeof(int),
43074 + .proc_handler = &proc_dointvec,
43077 +#ifdef CONFIG_GRKERNSEC_FIFO
43079 + .procname = "fifo_restrictions",
43080 + .data = &grsec_enable_fifo,
43081 + .maxlen = sizeof(int),
43083 + .proc_handler = &proc_dointvec,
43086 +#ifdef CONFIG_GRKERNSEC_EXECVE
43088 + .procname = "execve_limiting",
43089 + .data = &grsec_enable_execve,
43090 + .maxlen = sizeof(int),
43092 + .proc_handler = &proc_dointvec,
43095 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
43097 + .procname = "ip_blackhole",
43098 + .data = &grsec_enable_blackhole,
43099 + .maxlen = sizeof(int),
43101 + .proc_handler = &proc_dointvec,
43104 + .procname = "lastack_retries",
43105 + .data = &grsec_lastack_retries,
43106 + .maxlen = sizeof(int),
43108 + .proc_handler = &proc_dointvec,
43111 +#ifdef CONFIG_GRKERNSEC_EXECLOG
43113 + .procname = "exec_logging",
43114 + .data = &grsec_enable_execlog,
43115 + .maxlen = sizeof(int),
43117 + .proc_handler = &proc_dointvec,
43120 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
43122 + .procname = "rwxmap_logging",
43123 + .data = &grsec_enable_log_rwxmaps,
43124 + .maxlen = sizeof(int),
43126 + .proc_handler = &proc_dointvec,
43129 +#ifdef CONFIG_GRKERNSEC_SIGNAL
43131 + .procname = "signal_logging",
43132 + .data = &grsec_enable_signal,
43133 + .maxlen = sizeof(int),
43135 + .proc_handler = &proc_dointvec,
43138 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
43140 + .procname = "forkfail_logging",
43141 + .data = &grsec_enable_forkfail,
43142 + .maxlen = sizeof(int),
43144 + .proc_handler = &proc_dointvec,
43147 +#ifdef CONFIG_GRKERNSEC_TIME
43149 + .procname = "timechange_logging",
43150 + .data = &grsec_enable_time,
43151 + .maxlen = sizeof(int),
43153 + .proc_handler = &proc_dointvec,
43156 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
43158 + .procname = "chroot_deny_shmat",
43159 + .data = &grsec_enable_chroot_shmat,
43160 + .maxlen = sizeof(int),
43162 + .proc_handler = &proc_dointvec,
43165 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
43167 + .procname = "chroot_deny_unix",
43168 + .data = &grsec_enable_chroot_unix,
43169 + .maxlen = sizeof(int),
43171 + .proc_handler = &proc_dointvec,
43174 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
43176 + .procname = "chroot_deny_mount",
43177 + .data = &grsec_enable_chroot_mount,
43178 + .maxlen = sizeof(int),
43180 + .proc_handler = &proc_dointvec,
43183 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
43185 + .procname = "chroot_deny_fchdir",
43186 + .data = &grsec_enable_chroot_fchdir,
43187 + .maxlen = sizeof(int),
43189 + .proc_handler = &proc_dointvec,
43192 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
43194 + .procname = "chroot_deny_chroot",
43195 + .data = &grsec_enable_chroot_double,
43196 + .maxlen = sizeof(int),
43198 + .proc_handler = &proc_dointvec,
43201 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
43203 + .procname = "chroot_deny_pivot",
43204 + .data = &grsec_enable_chroot_pivot,
43205 + .maxlen = sizeof(int),
43207 + .proc_handler = &proc_dointvec,
43210 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
43212 + .procname = "chroot_enforce_chdir",
43213 + .data = &grsec_enable_chroot_chdir,
43214 + .maxlen = sizeof(int),
43216 + .proc_handler = &proc_dointvec,
43219 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
43221 + .procname = "chroot_deny_chmod",
43222 + .data = &grsec_enable_chroot_chmod,
43223 + .maxlen = sizeof(int),
43225 + .proc_handler = &proc_dointvec,
43228 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
43230 + .procname = "chroot_deny_mknod",
43231 + .data = &grsec_enable_chroot_mknod,
43232 + .maxlen = sizeof(int),
43234 + .proc_handler = &proc_dointvec,
43237 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
43239 + .procname = "chroot_restrict_nice",
43240 + .data = &grsec_enable_chroot_nice,
43241 + .maxlen = sizeof(int),
43243 + .proc_handler = &proc_dointvec,
43246 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
43248 + .procname = "chroot_execlog",
43249 + .data = &grsec_enable_chroot_execlog,
43250 + .maxlen = sizeof(int),
43252 + .proc_handler = &proc_dointvec,
43255 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43257 + .procname = "chroot_caps",
43258 + .data = &grsec_enable_chroot_caps,
43259 + .maxlen = sizeof(int),
43261 + .proc_handler = &proc_dointvec,
43264 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
43266 + .procname = "chroot_deny_sysctl",
43267 + .data = &grsec_enable_chroot_sysctl,
43268 + .maxlen = sizeof(int),
43270 + .proc_handler = &proc_dointvec,
43273 +#ifdef CONFIG_GRKERNSEC_TPE
43275 + .procname = "tpe",
43276 + .data = &grsec_enable_tpe,
43277 + .maxlen = sizeof(int),
43279 + .proc_handler = &proc_dointvec,
43282 + .procname = "tpe_gid",
43283 + .data = &grsec_tpe_gid,
43284 + .maxlen = sizeof(int),
43286 + .proc_handler = &proc_dointvec,
43289 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43291 + .procname = "tpe_invert",
43292 + .data = &grsec_enable_tpe_invert,
43293 + .maxlen = sizeof(int),
43295 + .proc_handler = &proc_dointvec,
43298 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43300 + .procname = "tpe_restrict_all",
43301 + .data = &grsec_enable_tpe_all,
43302 + .maxlen = sizeof(int),
43304 + .proc_handler = &proc_dointvec,
43307 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
43309 + .procname = "socket_all",
43310 + .data = &grsec_enable_socket_all,
43311 + .maxlen = sizeof(int),
43313 + .proc_handler = &proc_dointvec,
43316 + .procname = "socket_all_gid",
43317 + .data = &grsec_socket_all_gid,
43318 + .maxlen = sizeof(int),
43320 + .proc_handler = &proc_dointvec,
43323 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
43325 + .procname = "socket_client",
43326 + .data = &grsec_enable_socket_client,
43327 + .maxlen = sizeof(int),
43329 + .proc_handler = &proc_dointvec,
43332 + .procname = "socket_client_gid",
43333 + .data = &grsec_socket_client_gid,
43334 + .maxlen = sizeof(int),
43336 + .proc_handler = &proc_dointvec,
43339 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43341 + .procname = "socket_server",
43342 + .data = &grsec_enable_socket_server,
43343 + .maxlen = sizeof(int),
43345 + .proc_handler = &proc_dointvec,
43348 + .procname = "socket_server_gid",
43349 + .data = &grsec_socket_server_gid,
43350 + .maxlen = sizeof(int),
43352 + .proc_handler = &proc_dointvec,
43355 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
43357 + .procname = "audit_group",
43358 + .data = &grsec_enable_group,
43359 + .maxlen = sizeof(int),
43361 + .proc_handler = &proc_dointvec,
43364 + .procname = "audit_gid",
43365 + .data = &grsec_audit_gid,
43366 + .maxlen = sizeof(int),
43368 + .proc_handler = &proc_dointvec,
43371 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
43373 + .procname = "audit_chdir",
43374 + .data = &grsec_enable_chdir,
43375 + .maxlen = sizeof(int),
43377 + .proc_handler = &proc_dointvec,
43380 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43382 + .procname = "audit_mount",
43383 + .data = &grsec_enable_mount,
43384 + .maxlen = sizeof(int),
43386 + .proc_handler = &proc_dointvec,
43389 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
43391 + .procname = "audit_textrel",
43392 + .data = &grsec_enable_audit_textrel,
43393 + .maxlen = sizeof(int),
43395 + .proc_handler = &proc_dointvec,
43398 +#ifdef CONFIG_GRKERNSEC_DMESG
43400 + .procname = "dmesg",
43401 + .data = &grsec_enable_dmesg,
43402 + .maxlen = sizeof(int),
43404 + .proc_handler = &proc_dointvec,
43407 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
43409 + .procname = "chroot_findtask",
43410 + .data = &grsec_enable_chroot_findtask,
43411 + .maxlen = sizeof(int),
43413 + .proc_handler = &proc_dointvec,
43416 +#ifdef CONFIG_GRKERNSEC_RESLOG
43418 + .procname = "resource_logging",
43419 + .data = &grsec_resource_logging,
43420 + .maxlen = sizeof(int),
43422 + .proc_handler = &proc_dointvec,
43425 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43427 + .procname = "audit_ptrace",
43428 + .data = &grsec_enable_audit_ptrace,
43429 + .maxlen = sizeof(int),
43431 + .proc_handler = &proc_dointvec,
43434 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
43436 + .procname = "harden_ptrace",
43437 + .data = &grsec_enable_harden_ptrace,
43438 + .maxlen = sizeof(int),
43440 + .proc_handler = &proc_dointvec,
43444 + .procname = "grsec_lock",
43445 + .data = &grsec_lock,
43446 + .maxlen = sizeof(int),
43448 + .proc_handler = &proc_dointvec,
43451 +#ifdef CONFIG_GRKERNSEC_ROFS
43453 + .procname = "romount_protect",
43454 + .data = &grsec_enable_rofs,
43455 + .maxlen = sizeof(int),
43457 + .proc_handler = &proc_dointvec_minmax,
43465 diff -urNp linux-2.6.38.1/grsecurity/grsec_time.c linux-2.6.38.1/grsecurity/grsec_time.c
43466 --- linux-2.6.38.1/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
43467 +++ linux-2.6.38.1/grsecurity/grsec_time.c 2011-03-21 18:31:35.000000000 -0400
43469 +#include <linux/kernel.h>
43470 +#include <linux/sched.h>
43471 +#include <linux/grinternal.h>
43472 +#include <linux/module.h>
43475 +gr_log_timechange(void)
43477 +#ifdef CONFIG_GRKERNSEC_TIME
43478 + if (grsec_enable_time)
43479 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
43484 +EXPORT_SYMBOL(gr_log_timechange);
43485 diff -urNp linux-2.6.38.1/grsecurity/grsec_tpe.c linux-2.6.38.1/grsecurity/grsec_tpe.c
43486 --- linux-2.6.38.1/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
43487 +++ linux-2.6.38.1/grsecurity/grsec_tpe.c 2011-03-21 18:31:35.000000000 -0400
43489 +#include <linux/kernel.h>
43490 +#include <linux/sched.h>
43491 +#include <linux/file.h>
43492 +#include <linux/fs.h>
43493 +#include <linux/grinternal.h>
43495 +extern int gr_acl_tpe_check(void);
43498 +gr_tpe_allow(const struct file *file)
43500 +#ifdef CONFIG_GRKERNSEC
43501 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
43502 + const struct cred *cred = current_cred();
43504 + if (cred->uid && ((grsec_enable_tpe &&
43505 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43506 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
43507 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
43509 + in_group_p(grsec_tpe_gid)
43511 + ) || gr_acl_tpe_check()) &&
43512 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
43513 + (inode->i_mode & S_IWOTH))))) {
43514 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
43517 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43518 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
43519 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
43520 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
43521 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
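Review bot: The parent-directory test in gr_tpe_allow at 43512–43513 and 43520 carries redundant sub-expressions; `inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH)))` reduces to `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`, and the pair of mode tests at 43520 likewise to `(inode->i_mode & (S_IWGRP | S_IWOTH))`. The parent inode is reached through `file->f_path.dentry->d_parent->d_inode` at 43501 without taking a reference; whether the caller pins the parent is not visible here, so either bracket the checks with `dget_parent()`/`dput()` or add a comment stating why the bare `d_parent` read is safe at this call site. Only the immediate parent directory is inspected, which is the usual scope of a TPE check; a one-line comment saying so would save the next reader from looking for a path walk. The function's return type and the `return` statements that follow each log call are outside the visible lines of this section.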
43528 diff -urNp linux-2.6.38.1/grsecurity/grsum.c linux-2.6.38.1/grsecurity/grsum.c
43529 --- linux-2.6.38.1/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
43530 +++ linux-2.6.38.1/grsecurity/grsum.c 2011-03-21 18:31:35.000000000 -0400
43532 +#include <linux/err.h>
43533 +#include <linux/kernel.h>
43534 +#include <linux/sched.h>
43535 +#include <linux/mm.h>
43536 +#include <linux/scatterlist.h>
43537 +#include <linux/crypto.h>
43538 +#include <linux/gracl.h>
43541 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
43542 +#error "crypto and sha256 must be built into the kernel"
43546 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
43549 + struct crypto_hash *tfm;
43550 + struct hash_desc desc;
43551 + struct scatterlist sg;
43552 + unsigned char temp_sum[GR_SHA_LEN];
43553 + volatile int retval = 0;
43554 + volatile int dummy = 0;
43557 + sg_init_table(&sg, 1);
43559 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
43560 + if (IS_ERR(tfm)) {
43561 + /* should never happen, since sha256 should be built in */
43568 + crypto_hash_init(&desc);
43571 + sg_set_buf(&sg, p, GR_SALT_LEN);
43572 + crypto_hash_update(&desc, &sg, sg.length);
43575 + sg_set_buf(&sg, p, strlen(p));
43577 + crypto_hash_update(&desc, &sg, sg.length);
43579 + crypto_hash_final(&desc, temp_sum);
43581 + memset(entry->pw, 0, GR_PW_LEN);
43583 + for (i = 0; i < GR_SHA_LEN; i++)
43584 + if (sum[i] != temp_sum[i])
43587 + dummy = 1; // waste a cycle
43589 + crypto_free_hash(tfm);
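Review bot: The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` at 43568–43579 are discarded, so a failed hash step still falls through to the byte comparison against `temp_sum`, which would then hold whatever was on the stack; check each call and treat a non-zero result as a failed authentication. The password is hashed with `sg_set_buf(&sg, p, strlen(p))` at 43575 while the same buffer is later cleared as `GR_PW_LEN` bytes at 43581; if `p` points into `entry->pw` (its assignment is not in the visible lines) and that field is not guaranteed NUL-terminated, `strnlen(p, GR_PW_LEN)` bounds the read. The `volatile` locals and the `dummy = 1` branch at 43587 look like an attempt at a constant-time compare, but a loop that branches per byte on mismatch remains data-dependent; accumulating `diff |= sum[i] ^ temp_sum[i]` over all `GR_SHA_LEN` bytes and deciding once after the loop is the conventional shape. `temp_sum` is never cleared, so the computed digest stays on the stack after return; a `memset(temp_sum, 0, sizeof(temp_sum))` before `crypto_free_hash` would match the wipe already done on `entry->pw`. The comparison loop's body and the function's return are outside the visible lines.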
43593 diff -urNp linux-2.6.38.1/grsecurity/Kconfig linux-2.6.38.1/grsecurity/Kconfig
43594 --- linux-2.6.38.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
43595 +++ linux-2.6.38.1/grsecurity/Kconfig 2011-03-26 19:54:37.000000000 -0400
43598 +# grecurity configuration
43604 + bool "Grsecurity"
43606 + select CRYPTO_SHA256
43608 + If you say Y here, you will be able to configure many features
43609 + that will enhance the security of your system. It is highly
43610 + recommended that you say Y here and read through the help
43611 + for each option so that you fully understand the features and
43612 + can evaluate their usefulness for your machine.
43615 + prompt "Security Level"
43616 + depends on GRKERNSEC
43617 + default GRKERNSEC_CUSTOM
43619 +config GRKERNSEC_LOW
43621 + select GRKERNSEC_LINK
43622 + select GRKERNSEC_FIFO
43623 + select GRKERNSEC_EXECVE
43624 + select GRKERNSEC_RANDNET
43625 + select GRKERNSEC_DMESG
43626 + select GRKERNSEC_CHROOT
43627 + select GRKERNSEC_CHROOT_CHDIR
43630 + If you choose this option, several of the grsecurity options will
43631 + be enabled that will give you greater protection against a number
43632 + of attacks, while assuring that none of your software will have any
43633 + conflicts with the additional security measures. If you run a lot
43634 + of unusual software, or you are having problems with the higher
43635 + security levels, you should say Y here. With this option, the
43636 + following features are enabled:
43638 + - Linking restrictions
43639 + - FIFO restrictions
43640 + - Enforcing RLIMIT_NPROC on execve
43641 + - Restricted dmesg
43642 + - Enforced chdir("/") on chroot
43643 + - Runtime module disabling
43645 +config GRKERNSEC_MEDIUM
43648 + select PAX_EI_PAX
43649 + select PAX_PT_PAX_FLAGS
43650 + select PAX_HAVE_ACL_FLAGS
43651 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43652 + select GRKERNSEC_CHROOT
43653 + select GRKERNSEC_CHROOT_SYSCTL
43654 + select GRKERNSEC_LINK
43655 + select GRKERNSEC_FIFO
43656 + select GRKERNSEC_EXECVE
43657 + select GRKERNSEC_DMESG
43658 + select GRKERNSEC_RANDNET
43659 + select GRKERNSEC_FORKFAIL
43660 + select GRKERNSEC_TIME
43661 + select GRKERNSEC_SIGNAL
43662 + select GRKERNSEC_CHROOT
43663 + select GRKERNSEC_CHROOT_UNIX
43664 + select GRKERNSEC_CHROOT_MOUNT
43665 + select GRKERNSEC_CHROOT_PIVOT
43666 + select GRKERNSEC_CHROOT_DOUBLE
43667 + select GRKERNSEC_CHROOT_CHDIR
43668 + select GRKERNSEC_CHROOT_MKNOD
43669 + select GRKERNSEC_PROC
43670 + select GRKERNSEC_PROC_USERGROUP
43671 + select PAX_RANDUSTACK
43673 + select PAX_RANDMMAP
43674 + select PAX_REFCOUNT if (X86 || SPARC64)
43675 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
43678 + If you say Y here, several features in addition to those included
43679 + in the low additional security level will be enabled. These
43680 + features provide even more security to your system, though in rare
43681 + cases they may be incompatible with very old or poorly written
43682 + software. If you enable this option, make sure that your auth
43683 + service (identd) is running as gid 1001. With this option,
43684 + the following features (in addition to those provided in the
43685 + low additional security level) will be enabled:
43687 + - Failed fork logging
43688 + - Time change logging
43690 + - Deny mounts in chroot
43691 + - Deny double chrooting
43692 + - Deny sysctl writes in chroot
43693 + - Deny mknod in chroot
43694 + - Deny access to abstract AF_UNIX sockets out of chroot
43695 + - Deny pivot_root in chroot
43696 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
43697 + - /proc restrictions with special GID set to 10 (usually wheel)
43698 + - Address Space Layout Randomization (ASLR)
43699 + - Prevent exploitation of most refcount overflows
43700 + - Bounds checking of copying between the kernel and userland
43702 +config GRKERNSEC_HIGH
43704 + select GRKERNSEC_LINK
43705 + select GRKERNSEC_FIFO
43706 + select GRKERNSEC_EXECVE
43707 + select GRKERNSEC_DMESG
43708 + select GRKERNSEC_FORKFAIL
43709 + select GRKERNSEC_TIME
43710 + select GRKERNSEC_SIGNAL
43711 + select GRKERNSEC_CHROOT
43712 + select GRKERNSEC_CHROOT_SHMAT
43713 + select GRKERNSEC_CHROOT_UNIX
43714 + select GRKERNSEC_CHROOT_MOUNT
43715 + select GRKERNSEC_CHROOT_FCHDIR
43716 + select GRKERNSEC_CHROOT_PIVOT
43717 + select GRKERNSEC_CHROOT_DOUBLE
43718 + select GRKERNSEC_CHROOT_CHDIR
43719 + select GRKERNSEC_CHROOT_MKNOD
43720 + select GRKERNSEC_CHROOT_CAPS
43721 + select GRKERNSEC_CHROOT_SYSCTL
43722 + select GRKERNSEC_CHROOT_FINDTASK
43723 + select GRKERNSEC_SYSFS_RESTRICT
43724 + select GRKERNSEC_PROC
43725 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43726 + select GRKERNSEC_HIDESYM
43727 + select GRKERNSEC_BRUTE
43728 + select GRKERNSEC_PROC_USERGROUP
43729 + select GRKERNSEC_KMEM
43730 + select GRKERNSEC_RESLOG
43731 + select GRKERNSEC_RANDNET
43732 + select GRKERNSEC_PROC_ADD
43733 + select GRKERNSEC_CHROOT_CHMOD
43734 + select GRKERNSEC_CHROOT_NICE
43735 + select GRKERNSEC_AUDIT_MOUNT
43736 + select GRKERNSEC_MODHARDEN if (MODULES)
43737 + select GRKERNSEC_HARDEN_PTRACE
43738 + select GRKERNSEC_VM86 if (X86_32)
43740 + select PAX_RANDUSTACK
43742 + select PAX_RANDMMAP
43743 + select PAX_NOEXEC
43744 + select PAX_MPROTECT
43745 + select PAX_EI_PAX
43746 + select PAX_PT_PAX_FLAGS
43747 + select PAX_HAVE_ACL_FLAGS
43748 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
43749 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
43750 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
43751 + select PAX_SEGMEXEC if (X86_32)
43752 + select PAX_PAGEEXEC
43753 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
43754 + select PAX_EMUTRAMP if (PARISC)
43755 + select PAX_EMUSIGRT if (PARISC)
43756 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
43757 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
43758 + select PAX_REFCOUNT if (X86 || SPARC64)
43759 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
43761 + If you say Y here, many of the features of grsecurity will be
43762 + enabled, which will protect you against many kinds of attacks
43763 + against your system. The heightened security comes at a cost
43764 + of an increased chance of incompatibilities with rare software
43765 + on your machine. Since this security level enables PaX, you should
43766 + view <http://pax.grsecurity.net> and read about the PaX
43767 + project. While you are there, download chpax and run it on
43768 + binaries that cause problems with PaX. Also remember that
43769 + since the /proc restrictions are enabled, you must run your
43770 + identd as gid 1001. This security level enables the following
43771 + features in addition to those listed in the low and medium
43774 + - Additional /proc restrictions
43775 + - Chmod restrictions in chroot
43776 + - No signals, ptrace, or viewing of processes outside of chroot
43777 + - Capability restrictions in chroot
43778 + - Deny fchdir out of chroot
43779 + - Priority restrictions in chroot
43780 + - Segmentation-based implementation of PaX
43781 + - Mprotect restrictions
43782 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
43783 + - Kernel stack randomization
43784 + - Mount/unmount/remount logging
43785 + - Kernel symbol hiding
43786 + - Prevention of memory exhaustion-based exploits
43787 + - Hardening of module auto-loading
43788 + - Ptrace restrictions
43789 + - Restricted vm86 mode
43790 + - Restricted sysfs/debugfs
43792 +config GRKERNSEC_CUSTOM
43795 + If you say Y here, you will be able to configure every grsecurity
43796 + option, which allows you to enable many more features that aren't
43797 + covered in the basic security levels. These additional features
43798 + include TPE, socket restrictions, and the sysctl system for
43799 + grsecurity. It is advised that you read through the help for
43800 + each option to determine its usefulness in your situation.
43804 +menu "Address Space Protection"
43805 +depends on GRKERNSEC
43807 +config GRKERNSEC_KMEM
43808 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
43810 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
43811 + be written to via mmap or otherwise to modify the running kernel.
43812 + /dev/port will also not be allowed to be opened. If you have module
43813 + support disabled, enabling this will close up four ways that are
43814 + currently used to insert malicious code into the running kernel.
43815 + Even with all these features enabled, we still highly recommend that
43816 + you use the RBAC system, as it is still possible for an attacker to
43817 + modify the running kernel through privileged I/O granted by ioperm/iopl.
43818 + If you are not using XFree86, you may be able to stop this additional
43819 + case by enabling the 'Disable privileged I/O' option. Though nothing
43820 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
43821 + but only to video memory, which is the only writing we allow in this
43822 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
43823 + not be allowed to mprotect it with PROT_WRITE later.
43824 + It is highly recommended that you say Y here if you meet all the
43825 + conditions above.
43827 +config GRKERNSEC_VM86
43828 + bool "Restrict VM86 mode"
43829 + depends on X86_32
43832 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
43833 + make use of a special execution mode on 32bit x86 processors called
43834 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
43835 + video cards and will still work with this option enabled. The purpose
43836 + of the option is to prevent exploitation of emulation errors in
43837 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
43838 + Nearly all users should be able to enable this option.
43840 +config GRKERNSEC_IO
43841 + bool "Disable privileged I/O"
43844 + select RTC_INTF_DEV
43845 + select RTC_DRV_CMOS
43848 + If you say Y here, all ioperm and iopl calls will return an error.
43849 + Ioperm and iopl can be used to modify the running kernel.
43850 + Unfortunately, some programs need this access to operate properly,
43851 + the most notable of which are XFree86 and hwclock. hwclock can be
43852 + remedied by having RTC support in the kernel, so real-time
43853 + clock support is enabled if this option is enabled, to ensure
43854 + that hwclock operates correctly. XFree86 still will not
43855 + operate correctly with this option enabled, so DO NOT CHOOSE Y
43856 + IF YOU USE XFree86. If you use XFree86 and you still want to
43857 + protect your kernel against modification, use the RBAC system.
43859 +config GRKERNSEC_PROC_MEMMAP
43860 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
43861 + default y if (PAX_NOEXEC || PAX_ASLR)
43862 + depends on PAX_NOEXEC || PAX_ASLR
43864 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
43865 + give no information about the addresses of its mappings if
43866 + PaX features that rely on random addresses are enabled on the task.
43867 + If you use PaX it is greatly recommended that you say Y here as it
43868 + closes up a hole that makes the full ASLR useless for suid
43871 +config GRKERNSEC_BRUTE
43872 + bool "Deter exploit bruteforcing"
43874 + If you say Y here, attempts to bruteforce exploits against forking
43875 + daemons such as apache or sshd will be deterred. When a child of a
43876 + forking daemon is killed by PaX or crashes due to an illegal
43877 + instruction, the parent process will be delayed 30 seconds upon every
43878 + subsequent fork until the administrator is able to assess the
43879 + situation and restart the daemon. It is recommended that you also
43880 + enable signal logging in the auditing section so that logs are
43881 + generated when a process performs an illegal instruction.
43883 +config GRKERNSEC_MODHARDEN
43884 + bool "Harden module auto-loading"
43885 + depends on MODULES
43887 + If you say Y here, module auto-loading in response to use of some
43888 + feature implemented by an unloaded module will be restricted to
43889 + root users. Enabling this option helps defend against attacks
43890 + by unprivileged users who abuse the auto-loading behavior to
43891 + cause a vulnerable module to load that is then exploited.
43893 + If this option prevents a legitimate use of auto-loading for a
43894 + non-root user, the administrator can execute modprobe manually
43895 + with the exact name of the module mentioned in the alert log.
43896 + Alternatively, the administrator can add the module to the list
43897 + of modules loaded at boot by modifying init scripts.
43899 + Modification of init scripts will most likely be needed on
43900 + Ubuntu servers with encrypted home directory support enabled,
43901 + as the first non-root user logging in will cause the ecb(aes),
43902 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
43904 +config GRKERNSEC_HIDESYM
43905 + bool "Hide kernel symbols"
43907 + If you say Y here, getting information on loaded modules, and
43908 + displaying all kernel symbols through a syscall will be restricted
43909 + to users with CAP_SYS_MODULE. For software compatibility reasons,
43910 + /proc/kallsyms will be restricted to the root user. The RBAC
43911 + system can hide that entry even from root.
43913 + This option also prevents leaking of kernel addresses through
43914 + several /proc entries.
43916 + Note that this option is only effective provided the following
43917 + conditions are met:
43918 + 1) The kernel using grsecurity is not precompiled by some distribution
43919 + 2) You have also enabled GRKERNSEC_DMESG
43920 + 3) You are using the RBAC system and hiding other files such as your
43921 + kernel image and System.map. Alternatively, enabling this option
43922 + causes the permissions on /boot, /lib/modules, and the kernel
43923 + source directory to change at compile time to prevent
43924 + reading by non-root users.
43925 + If the above conditions are met, this option will aid in providing a
43926 + useful protection against local kernel exploitation of overflows
43927 + and arbitrary read/write vulnerabilities.
43930 +menu "Role Based Access Control Options"
43931 +depends on GRKERNSEC
43933 +config GRKERNSEC_RBAC_DEBUG
43936 +config GRKERNSEC_NO_RBAC
43937 + bool "Disable RBAC system"
43939 + If you say Y here, the /dev/grsec device will be removed from the kernel,
43940 + preventing the RBAC system from being enabled. You should only say Y
43941 + here if you have no intention of using the RBAC system, so as to prevent
43942 + an attacker with root access from misusing the RBAC system to hide files
43943 + and processes when loadable module support and /dev/[k]mem have been
43946 +config GRKERNSEC_ACL_HIDEKERN
43947 + bool "Hide kernel processes"
43949 + If you say Y here, all kernel threads will be hidden to all
43950 + processes but those whose subject has the "view hidden processes"
43953 +config GRKERNSEC_ACL_MAXTRIES
43954 + int "Maximum tries before password lockout"
43957 + This option enforces the maximum number of times a user can attempt
43958 + to authorize themselves with the grsecurity RBAC system before being
43959 + denied the ability to attempt authorization again for a specified time.
43960 + The lower the number, the harder it will be to brute-force a password.
43962 +config GRKERNSEC_ACL_TIMEOUT
43963 + int "Time to wait after max password tries, in seconds"
43966 + This option specifies the time the user must wait after attempting to
43967 + authorize to the RBAC system with the maximum number of invalid
43968 + passwords. The higher the number, the harder it will be to brute-force
43972 +menu "Filesystem Protections"
43973 +depends on GRKERNSEC
43975 +config GRKERNSEC_PROC
43976 + bool "Proc restrictions"
43978 + If you say Y here, the permissions of the /proc filesystem
43979 + will be altered to enhance system security and privacy. You MUST
43980 + choose either a user only restriction or a user and group restriction.
43981 + Depending upon the option you choose, you can either restrict users to
43982 + see only the processes they themselves run, or choose a group that can
43983 + view all processes and files normally restricted to root if you choose
43984 + the "restrict to user only" option. NOTE: If you're running identd as
43985 + a non-root user, you will have to run it as the group you specify here.
43987 +config GRKERNSEC_PROC_USER
43988 + bool "Restrict /proc to user only"
43989 + depends on GRKERNSEC_PROC
43991 + If you say Y here, non-root users will only be able to view their own
43992 + processes, and restricts them from viewing network-related information,
43993 + and viewing kernel symbol and module information.
43995 +config GRKERNSEC_PROC_USERGROUP
43996 + bool "Allow special group"
43997 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
43999 + If you say Y here, you will be able to select a group that will be
44000 + able to view all processes and network-related information. If you've
44001 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
44002 + remain hidden. This option is useful if you want to run identd as
44005 +config GRKERNSEC_PROC_GID
44006 + int "GID for special group"
44007 + depends on GRKERNSEC_PROC_USERGROUP
44010 +config GRKERNSEC_PROC_ADD
44011 + bool "Additional restrictions"
44012 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
44014 + If you say Y here, additional restrictions will be placed on
44015 + /proc that keep normal users from viewing device information and
44016 + slabinfo information that could be useful for exploits.
44018 +config GRKERNSEC_LINK
44019 + bool "Linking restrictions"
44021 + If you say Y here, /tmp race exploits will be prevented, since users
44022 + will no longer be able to follow symlinks owned by other users in
44023 + world-writable +t directories (e.g. /tmp), unless the owner of the
44024 + symlink is the owner of the directory. users will also not be
44025 + able to hardlink to files they do not own. If the sysctl option is
44026 + enabled, a sysctl option with name "linking_restrictions" is created.
44028 +config GRKERNSEC_FIFO
44029 + bool "FIFO restrictions"
44031 + If you say Y here, users will not be able to write to FIFOs they don't
44032 + own in world-writable +t directories (e.g. /tmp), unless the owner of
44033 + the FIFO is the same owner of the directory it's held in. If the sysctl
44034 + option is enabled, a sysctl option with name "fifo_restrictions" is
44037 +config GRKERNSEC_SYSFS_RESTRICT
44038 + bool "Sysfs/debugfs restriction"
44041 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
44042 + any filesystem normally mounted under it (e.g. debugfs) will only
44043 + be accessible by root. These filesystems generally provide access
44044 + to hardware and debug information that isn't appropriate for unprivileged
44045 + users of the system. Sysfs and debugfs have also become a large source
44046 + of new vulnerabilities, ranging from infoleaks to local compromise.
44047 + There has been very little oversight with an eye toward security involved
44048 + in adding new exporters of information to these filesystems, so their
44049 + use is discouraged.
44050 + This option is equivalent to a chmod 0700 of the mount paths.
44052 +config GRKERNSEC_ROFS
44053 + bool "Runtime read-only mount protection"
44055 + If you say Y here, a sysctl option with name "romount_protect" will
44056 + be created. By setting this option to 1 at runtime, filesystems
44057 + will be protected in the following ways:
44058 + * No new writable mounts will be allowed
44059 + * Existing read-only mounts won't be able to be remounted read/write
44060 + * Write operations will be denied on all block devices
44061 + This option acts independently of grsec_lock: once it is set to 1,
44062 + it cannot be turned off. Therefore, please be mindful of the resulting
44063 + behavior if this option is enabled in an init script on a read-only
44064 + filesystem. This feature is mainly intended for secure embedded systems.
44066 +config GRKERNSEC_CHROOT
44067 + bool "Chroot jail restrictions"
44069 + If you say Y here, you will be able to choose several options that will
44070 + make breaking out of a chrooted jail much more difficult. If you
44071 + encounter no software incompatibilities with the following options, it
44072 + is recommended that you enable each one.
44074 +config GRKERNSEC_CHROOT_MOUNT
44075 + bool "Deny mounts"
44076 + depends on GRKERNSEC_CHROOT
44078 + If you say Y here, processes inside a chroot will not be able to
44079 + mount or remount filesystems. If the sysctl option is enabled, a
44080 + sysctl option with name "chroot_deny_mount" is created.
44082 +config GRKERNSEC_CHROOT_DOUBLE
44083 + bool "Deny double-chroots"
44084 + depends on GRKERNSEC_CHROOT
44086 + If you say Y here, processes inside a chroot will not be able to chroot
44087 + again outside the chroot. This is a widely used method of breaking
44088 + out of a chroot jail and should not be allowed. If the sysctl
44089 + option is enabled, a sysctl option with name
44090 + "chroot_deny_chroot" is created.
44092 +config GRKERNSEC_CHROOT_PIVOT
44093 + bool "Deny pivot_root in chroot"
44094 + depends on GRKERNSEC_CHROOT
44096 + If you say Y here, processes inside a chroot will not be able to use
44097 + a function called pivot_root() that was introduced in Linux 2.3.41. It
44098 + works similar to chroot in that it changes the root filesystem. This
44099 + function could be misused in a chrooted process to attempt to break out
44100 + of the chroot, and therefore should not be allowed. If the sysctl
44101 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
44104 +config GRKERNSEC_CHROOT_CHDIR
44105 + bool "Enforce chdir(\"/\") on all chroots"
44106 + depends on GRKERNSEC_CHROOT
44108 + If you say Y here, the current working directory of all newly-chrooted
44109 + applications will be set to the the root directory of the chroot.
44110 + The man page on chroot(2) states:
44111 + Note that this call does not change the current working
44112 + directory, so that `.' can be outside the tree rooted at
44113 + `/'. In particular, the super-user can escape from a
44114 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
44116 + It is recommended that you say Y here, since it's not known to break
44117 + any software. If the sysctl option is enabled, a sysctl option with
44118 + name "chroot_enforce_chdir" is created.
44120 +config GRKERNSEC_CHROOT_CHMOD
44121 + bool "Deny (f)chmod +s"
44122 + depends on GRKERNSEC_CHROOT
44124 + If you say Y here, processes inside a chroot will not be able to chmod
44125 + or fchmod files to make them have suid or sgid bits. This protects
44126 + against another published method of breaking a chroot. If the sysctl
44127 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
44130 +config GRKERNSEC_CHROOT_FCHDIR
44131 + bool "Deny fchdir out of chroot"
44132 + depends on GRKERNSEC_CHROOT
44134 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
44135 + to a file descriptor of the chrooting process that points to a directory
44136 + outside the filesystem will be stopped. If the sysctl option
44137 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
44139 +config GRKERNSEC_CHROOT_MKNOD
44140 + bool "Deny mknod"
44141 + depends on GRKERNSEC_CHROOT
44143 + If you say Y here, processes inside a chroot will not be allowed to
44144 + mknod. The problem with using mknod inside a chroot is that it
44145 + would allow an attacker to create a device entry that is the same
44146 + as one on the physical root of your system, which could range from
44147 + anything from the console device to a device for your harddrive (which
44148 + they could then use to wipe the drive or steal data). It is recommended
44149 + that you say Y here, unless you run into software incompatibilities.
44150 + If the sysctl option is enabled, a sysctl option with name
44151 + "chroot_deny_mknod" is created.
44153 +config GRKERNSEC_CHROOT_SHMAT
44154 + bool "Deny shmat() out of chroot"
44155 + depends on GRKERNSEC_CHROOT
44157 + If you say Y here, processes inside a chroot will not be able to attach
44158 + to shared memory segments that were created outside of the chroot jail.
44159 + It is recommended that you say Y here. If the sysctl option is enabled,
44160 + a sysctl option with name "chroot_deny_shmat" is created.
44162 +config GRKERNSEC_CHROOT_UNIX
44163 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
44164 + depends on GRKERNSEC_CHROOT
44166 + If you say Y here, processes inside a chroot will not be able to
44167 + connect to abstract (meaning not belonging to a filesystem) Unix
44168 + domain sockets that were bound outside of a chroot. It is recommended
44169 + that you say Y here. If the sysctl option is enabled, a sysctl option
44170 + with name "chroot_deny_unix" is created.
44172 +config GRKERNSEC_CHROOT_FINDTASK
44173 + bool "Protect outside processes"
44174 + depends on GRKERNSEC_CHROOT
44176 + If you say Y here, processes inside a chroot will not be able to
44177 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
44178 + getsid, or view any process outside of the chroot. If the sysctl
44179 + option is enabled, a sysctl option with name "chroot_findtask" is
44182 +config GRKERNSEC_CHROOT_NICE
44183 + bool "Restrict priority changes"
44184 + depends on GRKERNSEC_CHROOT
44186 + If you say Y here, processes inside a chroot will not be able to raise
44187 + the priority of processes in the chroot, or alter the priority of
44188 + processes outside the chroot. This provides more security than simply
44189 + removing CAP_SYS_NICE from the process' capability set. If the
44190 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
44193 +config GRKERNSEC_CHROOT_SYSCTL
44194 + bool "Deny sysctl writes"
44195 + depends on GRKERNSEC_CHROOT
44197 + If you say Y here, an attacker in a chroot will not be able to
44198 + write to sysctl entries, either by sysctl(2) or through a /proc
44199 + interface. It is strongly recommended that you say Y here. If the
44200 + sysctl option is enabled, a sysctl option with name
44201 + "chroot_deny_sysctl" is created.
44203 +config GRKERNSEC_CHROOT_CAPS
44204 + bool "Capability restrictions"
44205 + depends on GRKERNSEC_CHROOT
44207 + If you say Y here, the capabilities on all root processes within a
44208 + chroot jail will be lowered to stop module insertion, raw i/o,
44209 + system and net admin tasks, rebooting the system, modifying immutable
44210 + files, modifying IPC owned by another, and changing the system time.
44211 + This is left an option because it can break some apps. Disable this
44212 + if your chrooted apps are having problems performing those kinds of
44213 + tasks. If the sysctl option is enabled, a sysctl option with
44214 + name "chroot_caps" is created.
44217 +menu "Kernel Auditing"
44218 +depends on GRKERNSEC
44220 +config GRKERNSEC_AUDIT_GROUP
44221 + bool "Single group for auditing"
44223 + If you say Y here, the exec, chdir, and (un)mount logging features
44224 + will only operate on a group you specify. This option is recommended
44225 + if you only want to watch certain users instead of having a large
44226 + amount of logs from the entire system. If the sysctl option is enabled,
44227 + a sysctl option with name "audit_group" is created.
44229 +config GRKERNSEC_AUDIT_GID
44230 + int "GID for auditing"
44231 + depends on GRKERNSEC_AUDIT_GROUP
44234 +config GRKERNSEC_EXECLOG
44235 + bool "Exec logging"
44237 + If you say Y here, all execve() calls will be logged (since the
44238 + other exec*() calls are frontends to execve(), all execution
44239 + will be logged). Useful for shell-servers that like to keep track
44240 + of their users. If the sysctl option is enabled, a sysctl option with
44241 + name "exec_logging" is created.
44242 + WARNING: This option when enabled will produce a LOT of logs, especially
44243 + on an active system.
44245 +config GRKERNSEC_RESLOG
44246 + bool "Resource logging"
44248 + If you say Y here, all attempts to overstep resource limits will
44249 + be logged with the resource name, the requested size, and the current
44250 + limit. It is highly recommended that you say Y here. If the sysctl
44251 + option is enabled, a sysctl option with name "resource_logging" is
44252 + created. If the RBAC system is enabled, the sysctl value is ignored.
44254 +config GRKERNSEC_CHROOT_EXECLOG
44255 + bool "Log execs within chroot"
44257 + If you say Y here, all executions inside a chroot jail will be logged
44258 + to syslog. This can cause a large amount of logs if certain
44259 + applications (eg. djb's daemontools) are installed on the system, and
44260 + is therefore left as an option. If the sysctl option is enabled, a
44261 + sysctl option with name "chroot_execlog" is created.
44263 +config GRKERNSEC_AUDIT_PTRACE
44264 + bool "Ptrace logging"
44266 + If you say Y here, all attempts to attach to a process via ptrace
44267 + will be logged. If the sysctl option is enabled, a sysctl option
44268 + with name "audit_ptrace" is created.
44270 +config GRKERNSEC_AUDIT_CHDIR
44271 + bool "Chdir logging"
44273 + If you say Y here, all chdir() calls will be logged. If the sysctl
44274 + option is enabled, a sysctl option with name "audit_chdir" is created.
44276 +config GRKERNSEC_AUDIT_MOUNT
44277 + bool "(Un)Mount logging"
44279 + If you say Y here, all mounts and unmounts will be logged. If the
44280 + sysctl option is enabled, a sysctl option with name "audit_mount" is
44283 +config GRKERNSEC_SIGNAL
44284 + bool "Signal logging"
44286 + If you say Y here, certain important signals will be logged, such as
44287 + SIGSEGV, which will as a result inform you of when a error in a program
44288 + occurred, which in some cases could mean a possible exploit attempt.
44289 + If the sysctl option is enabled, a sysctl option with name
44290 + "signal_logging" is created.
44292 +config GRKERNSEC_FORKFAIL
44293 + bool "Fork failure logging"
44295 + If you say Y here, all failed fork() attempts will be logged.
44296 + This could suggest a fork bomb, or someone attempting to overstep
44297 + their process limit. If the sysctl option is enabled, a sysctl option
44298 + with name "forkfail_logging" is created.
44300 +config GRKERNSEC_TIME
44301 + bool "Time change logging"
44303 + If you say Y here, any changes of the system clock will be logged.
44304 + If the sysctl option is enabled, a sysctl option with name
44305 + "timechange_logging" is created.
44307 +config GRKERNSEC_PROC_IPADDR
44308 + bool "/proc/<pid>/ipaddr support"
44310 + If you say Y here, a new entry will be added to each /proc/<pid>
44311 + directory that contains the IP address of the person using the task.
44312 + The IP is carried across local TCP and AF_UNIX stream sockets.
44313 + This information can be useful for IDS/IPSes to perform remote response
44314 + to a local attack. The entry is readable by only the owner of the
44315 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
44316 + the RBAC system), and thus does not create privacy concerns.
44318 +config GRKERNSEC_RWXMAP_LOG
44319 + bool 'Denied RWX mmap/mprotect logging'
44320 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
44322 + If you say Y here, calls to mmap() and mprotect() with explicit
44323 + usage of PROT_WRITE and PROT_EXEC together will be logged when
44324 + denied by the PAX_MPROTECT feature. If the sysctl option is
44325 + enabled, a sysctl option with name "rwxmap_logging" is created.
44327 +config GRKERNSEC_AUDIT_TEXTREL
44328 + bool 'ELF text relocations logging (READ HELP)'
44329 + depends on PAX_MPROTECT
44331 + If you say Y here, text relocations will be logged with the filename
44332 + of the offending library or binary. The purpose of the feature is
44333 + to help Linux distribution developers get rid of libraries and
44334 + binaries that need text relocations which hinder the future progress
44335 + of PaX. Only Linux distribution developers should say Y here, and
44336 + never on a production machine, as this option creates an information
44337 + leak that could aid an attacker in defeating the randomization of
44338 + a single memory region. If the sysctl option is enabled, a sysctl
44339 + option with name "audit_textrel" is created.
44343 +menu "Executable Protections"
44344 +depends on GRKERNSEC
44346 +config GRKERNSEC_EXECVE
44347 + bool "Enforce RLIMIT_NPROC on execs"
44349 + If you say Y here, users with a resource limit on processes will
44350 + have the value checked during execve() calls. The current system
44351 + only checks the system limit during fork() calls. If the sysctl option
44352 + is enabled, a sysctl option with name "execve_limiting" is created.
44354 +config GRKERNSEC_DMESG
44355 + bool "Dmesg(8) restriction"
44357 + If you say Y here, non-root users will not be able to use dmesg(8)
44358 + to view up to the last 4kb of messages in the kernel's log buffer.
44359 + The kernel's log buffer often contains kernel addresses and other
44360 + identifying information useful to an attacker in fingerprinting a
44361 + system for a targeted exploit.
44362 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
44365 +config GRKERNSEC_HARDEN_PTRACE
44366 + bool "Deter ptrace-based process snooping"
44368 + If you say Y here, TTY sniffers and other malicious monitoring
44369 + programs implemented through ptrace will be defeated. If you
44370 + have been using the RBAC system, this option has already been
44371 + enabled for several years for all users, with the ability to make
44372 + fine-grained exceptions.
44374 + This option only affects the ability of non-root users to ptrace
44375 + processes that are not a descendent of the ptracing process.
44376 + This means that strace ./binary and gdb ./binary will still work,
44377 + but attaching to arbitrary processes will not. If the sysctl
44378 + option is enabled, a sysctl option with name "harden_ptrace" is
44381 +config GRKERNSEC_TPE
44382 + bool "Trusted Path Execution (TPE)"
44384 + If you say Y here, you will be able to choose a gid to add to the
44385 + supplementary groups of users you want to mark as "untrusted."
44386 + These users will not be able to execute any files that are not in
44387 + root-owned directories writable only by root. If the sysctl option
44388 + is enabled, a sysctl option with name "tpe" is created.
44390 +config GRKERNSEC_TPE_ALL
44391 + bool "Partially restrict all non-root users"
44392 + depends on GRKERNSEC_TPE
44394 + If you say Y here, all non-root users will be covered under
44395 + a weaker TPE restriction. This is separate from, and in addition to,
44396 + the main TPE options that you have selected elsewhere. Thus, if a
44397 + "trusted" GID is chosen, this restriction applies to even that GID.
44398 + Under this restriction, all non-root users will only be allowed to
44399 + execute files in directories they own that are not group or
44400 + world-writable, or in directories owned by root and writable only by
44401 + root. If the sysctl option is enabled, a sysctl option with name
44402 + "tpe_restrict_all" is created.
44404 +config GRKERNSEC_TPE_INVERT
44405 + bool "Invert GID option"
44406 + depends on GRKERNSEC_TPE
44408 + If you say Y here, the group you specify in the TPE configuration will
44409 + decide what group TPE restrictions will be *disabled* for. This
44410 + option is useful if you want TPE restrictions to be applied to most
44411 + users on the system. If the sysctl option is enabled, a sysctl option
44412 + with name "tpe_invert" is created. Unlike other sysctl options, this
44413 + entry will default to on for backward-compatibility.
44415 +config GRKERNSEC_TPE_GID
44416 + int "GID for untrusted users"
44417 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
44420 + Setting this GID determines what group TPE restrictions will be
44421 + *enabled* for. If the sysctl option is enabled, a sysctl option
44422 + with name "tpe_gid" is created.
44424 +config GRKERNSEC_TPE_GID
44425 + int "GID for trusted users"
44426 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
44429 + Setting this GID determines what group TPE restrictions will be
44430 + *disabled* for. If the sysctl option is enabled, a sysctl option
44431 + with name "tpe_gid" is created.
44434 +menu "Network Protections"
44435 +depends on GRKERNSEC
44437 +config GRKERNSEC_RANDNET
44438 + bool "Larger entropy pools"
44440 + If you say Y here, the entropy pools used for many features of Linux
44441 + and grsecurity will be doubled in size. Since several grsecurity
44442 + features use additional randomness, it is recommended that you say Y
44443 + here. Saying Y here has a similar effect as modifying
44444 + /proc/sys/kernel/random/poolsize.
44446 +config GRKERNSEC_BLACKHOLE
44447 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
44449 + If you say Y here, neither TCP resets nor ICMP
44450 + destination-unreachable packets will be sent in response to packets
44451 + sent to ports for which no associated listening process exists.
44452 + This feature supports both IPV4 and IPV6 and exempts the
44453 + loopback interface from blackholing. Enabling this feature
44454 + makes a host more resilient to DoS attacks and reduces network
44455 + visibility against scanners.
44457 + The blackhole feature as-implemented is equivalent to the FreeBSD
44458 + blackhole feature, as it prevents RST responses to all packets, not
44459 + just SYNs. Under most application behavior this causes no
44460 + problems, but applications (like haproxy) may not close certain
44461 + connections in a way that cleanly terminates them on the remote
44462 + end, leaving the remote host in LAST_ACK state. Because of this
44463 + side-effect and to prevent intentional LAST_ACK DoSes, this
44464 + feature also adds automatic mitigation against such attacks.
44465 + The mitigation drastically reduces the amount of time a socket
44466 + can spend in LAST_ACK state. If you're using haproxy and not
44467 + all servers it connects to have this option enabled, consider
44468 + disabling this feature on the haproxy host.
44470 + If the sysctl option is enabled, two sysctl options with names
44471 + "ip_blackhole" and "lastack_retries" will be created.
44472 + While "ip_blackhole" takes the standard zero/non-zero on/off
44473 + toggle, "lastack_retries" uses the same kinds of values as
44474 + "tcp_retries1" and "tcp_retries2". The default value of 4
44475 + prevents a socket from lasting more than 45 seconds in LAST_ACK
44478 +config GRKERNSEC_SOCKET
44479 + bool "Socket restrictions"
44481 + If you say Y here, you will be able to choose from several options.
44482 + If you assign a GID on your system and add it to the supplementary
44483 + groups of users you want to restrict socket access to, this patch
44484 + will perform up to three things, based on the option(s) you choose.
44486 +config GRKERNSEC_SOCKET_ALL
44487 + bool "Deny any sockets to group"
44488 + depends on GRKERNSEC_SOCKET
44490 + If you say Y here, you will be able to choose a GID of whose users will
44491 + be unable to connect to other hosts from your machine or run server
44492 + applications from your machine. If the sysctl option is enabled, a
44493 + sysctl option with name "socket_all" is created.
44495 +config GRKERNSEC_SOCKET_ALL_GID
44496 + int "GID to deny all sockets for"
44497 + depends on GRKERNSEC_SOCKET_ALL
44500 + Here you can choose the GID to disable socket access for. Remember to
44501 + add the users you want socket access disabled for to the GID
44502 + specified here. If the sysctl option is enabled, a sysctl option
44503 + with name "socket_all_gid" is created.
44505 +config GRKERNSEC_SOCKET_CLIENT
44506 + bool "Deny client sockets to group"
44507 + depends on GRKERNSEC_SOCKET
44509 + If you say Y here, you will be able to choose a GID of whose users will
44510 + be unable to connect to other hosts from your machine, but will be
44511 + able to run servers. If this option is enabled, all users in the group
44512 + you specify will have to use passive mode when initiating ftp transfers
44513 + from the shell on your machine. If the sysctl option is enabled, a
44514 + sysctl option with name "socket_client" is created.
44516 +config GRKERNSEC_SOCKET_CLIENT_GID
44517 + int "GID to deny client sockets for"
44518 + depends on GRKERNSEC_SOCKET_CLIENT
44521 + Here you can choose the GID to disable client socket access for.
44522 + Remember to add the users you want client socket access disabled for to
44523 + the GID specified here. If the sysctl option is enabled, a sysctl
44524 + option with name "socket_client_gid" is created.
44526 +config GRKERNSEC_SOCKET_SERVER
44527 + bool "Deny server sockets to group"
44528 + depends on GRKERNSEC_SOCKET
44530 + If you say Y here, you will be able to choose a GID of whose users will
44531 + be unable to run server applications from your machine. If the sysctl
44532 + option is enabled, a sysctl option with name "socket_server" is created.
44534 +config GRKERNSEC_SOCKET_SERVER_GID
44535 + int "GID to deny server sockets for"
44536 + depends on GRKERNSEC_SOCKET_SERVER
44539 + Here you can choose the GID to disable server socket access for.
44540 + Remember to add the users you want server socket access disabled for to
44541 + the GID specified here. If the sysctl option is enabled, a sysctl
44542 + option with name "socket_server_gid" is created.
44545 +menu "Sysctl support"
44546 +depends on GRKERNSEC && SYSCTL
44548 +config GRKERNSEC_SYSCTL
44549 + bool "Sysctl support"
44551 + If you say Y here, you will be able to change the options that
44552 + grsecurity runs with at bootup, without having to recompile your
44553 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
44554 + to enable (1) or disable (0) various features. All the sysctl entries
44555 + are mutable until the "grsec_lock" entry is set to a non-zero value.
44556 + All features enabled in the kernel configuration are disabled at boot
44557 + if you do not say Y to the "Turn on features by default" option.
44558 + All options should be set at startup, and the grsec_lock entry should
44559 + be set to a non-zero value after all the options are set.
44560 + *THIS IS EXTREMELY IMPORTANT*
44562 +config GRKERNSEC_SYSCTL_DISTRO
44563 + bool "Extra sysctl support for distro makers (READ HELP)"
44564 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
44566 + If you say Y here, additional sysctl options will be created
44567 + for features that affect processes running as root. Therefore,
44568 + it is critical when using this option that the grsec_lock entry be
44569 + enabled after boot. Only distros with prebuilt kernel packages
44570 + with this option enabled that can ensure grsec_lock is enabled
44571 + after boot should use this option.
44572 + *Failure to set grsec_lock after boot makes all grsec features
44573 + this option covers useless*
44575 + Currently this option creates the following sysctl entries:
44576 + "Disable Privileged I/O": "disable_priv_io"
44578 +config GRKERNSEC_SYSCTL_ON
44579 + bool "Turn on features by default"
44580 + depends on GRKERNSEC_SYSCTL
44582 + If you say Y here, instead of having all features enabled in the
44583 + kernel configuration disabled at boot time, the features will be
44584 + enabled at boot time. It is recommended you say Y here unless
44585 + there is some reason you would want all sysctl-tunable features to
44586 + be disabled by default. As mentioned elsewhere, it is important
44587 + to enable the grsec_lock entry once you have finished modifying
44588 + the sysctl entries.
44591 +menu "Logging Options"
44592 +depends on GRKERNSEC
44594 +config GRKERNSEC_FLOODTIME
44595 + int "Seconds in between log messages (minimum)"
44598 + This option allows you to enforce the number of seconds between
44599 + grsecurity log messages. The default should be suitable for most
44600 + people, however, if you choose to change it, choose a value small enough
44601 + to allow informative logs to be produced, but large enough to
44602 + prevent flooding.
44604 +config GRKERNSEC_FLOODBURST
44605 + int "Number of messages in a burst (maximum)"
44608 + This option allows you to choose the maximum number of messages allowed
44609 + within the flood time interval you chose in a separate option. The
44610 + default should be suitable for most people, however if you find that
44611 + many of your logs are being interpreted as flooding, you may want to
44612 + raise this value.
44617 diff -urNp linux-2.6.38.1/grsecurity/Makefile linux-2.6.38.1/grsecurity/Makefile
44618 --- linux-2.6.38.1/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
44619 +++ linux-2.6.38.1/grsecurity/Makefile 2011-03-21 18:31:35.000000000 -0400
44621 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
44622 +# during 2001-2009 it has been completely redesigned by Brad Spengler
44623 +# into an RBAC system
44625 +# All code in this directory and various hooks inserted throughout the kernel
44626 +# are copyright Brad Spengler - Open Source Security, Inc., and released
44627 +# under the GPL v2 or higher
44629 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
44630 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
44631 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
44633 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
44634 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
44635 + gracl_learn.o grsec_log.o
44636 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
44638 +ifndef CONFIG_GRKERNSEC
44639 +obj-y += grsec_disabled.o
44642 +ifdef CONFIG_GRKERNSEC_HIDESYM
44643 +extra-y := grsec_hidesym.o
44644 +$(obj)/grsec_hidesym.o:
44645 + @-chmod -f 500 /boot
44646 + @-chmod -f 500 /lib/modules
44648 + @echo ' grsec: protected kernel image paths'
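Review bot: The `$(obj)/grsec_hidesym.o` recipe changes permissions on the build host's `/boot` and `/lib/modules` as a side effect of compiling, which is the wrong machine whenever the kernel is built for another system, inside a package build, or by an unprivileged user (the `-` prefix then silently hides the failure). Because the rule never creates `grsec_hidesym.o`, make treats the target as permanently out of date and re-runs the chmod on every build. A host-mutating step belongs in an install or post-install hook, or at minimum behind a comment stating that it deliberately hardens the build host rather than the target, e.g. `# Hardens the *build host* (not the target): restrict /boot and /lib/modules to root; failures are ignored`. The `endif` lines closing the two conditionals are not visible in this listing.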
44650 diff -urNp linux-2.6.38.1/include/acpi/acoutput.h linux-2.6.38.1/include/acpi/acoutput.h
44651 --- linux-2.6.38.1/include/acpi/acoutput.h 2011-03-14 21:20:32.000000000 -0400
44652 +++ linux-2.6.38.1/include/acpi/acoutput.h 2011-03-21 18:31:35.000000000 -0400
44653 @@ -269,8 +269,8 @@
44654 * leaving no executable debug code!
44656 #define ACPI_FUNCTION_NAME(a)
44657 -#define ACPI_DEBUG_PRINT(pl)
44658 -#define ACPI_DEBUG_PRINT_RAW(pl)
44659 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
44660 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
44662 #endif /* ACPI_DEBUG_OUTPUT */
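Review bot: The switch from an empty expansion to `do {} while (0)` deserves a one-line comment, because the reason is not visible at the definition site: with an empty body, `if (cond) ACPI_DEBUG_PRINT(...); else ...` leaves a bare `;` under the `if`, and empty-body diagnostics fire on it. Suggested comment above the two defines: `/* Expand to an empty statement, not to nothing, so the macros stay safe as if/else bodies. */`. `ACPI_FUNCTION_NAME(a)` on the line above is left empty, which is presumably fine because it expands at declaration scope rather than as a statement, though its use sites are not in this hunk.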
44664 diff -urNp linux-2.6.38.1/include/acpi/acpi_drivers.h linux-2.6.38.1/include/acpi/acpi_drivers.h
44665 --- linux-2.6.38.1/include/acpi/acpi_drivers.h 2011-03-14 21:20:32.000000000 -0400
44666 +++ linux-2.6.38.1/include/acpi/acpi_drivers.h 2011-03-21 18:31:35.000000000 -0400
44667 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
44669 -------------------------------------------------------------------------- */
44670 struct acpi_dock_ops {
44671 - acpi_notify_handler handler;
44672 - acpi_notify_handler uevent;
44673 + const acpi_notify_handler handler;
44674 + const acpi_notify_handler uevent;
44677 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
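Review bot: Making `handler` and `uevent` const members of `struct acpi_dock_ops` is a stronger change than const-qualifying the pointer parameters in the two hunks below: a struct with const members cannot be assigned or filled in after allocation, so any driver that allocates an `acpi_dock_ops` and sets the callbacks at runtime will no longer compile. The call sites are not in this diff, so whether every user initialises the struct statically cannot be confirmed here. If that is the intent, state it on the struct, e.g. `/* Callbacks are const: instances must be statically initialised (and can then live in rodata). */`; otherwise keep the members non-const and rely on the `const struct acpi_dock_ops *` parameters alone. The closing `};` of the struct is not visible in this listing.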
44678 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
44679 extern int register_dock_notifier(struct notifier_block *nb);
44680 extern void unregister_dock_notifier(struct notifier_block *nb);
44681 extern int register_hotplug_dock_device(acpi_handle handle,
44682 - struct acpi_dock_ops *ops,
44683 + const struct acpi_dock_ops *ops,
44685 extern void unregister_hotplug_dock_device(acpi_handle handle);
44687 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
44690 static inline int register_hotplug_dock_device(acpi_handle handle,
44691 - struct acpi_dock_ops *ops,
44692 + const struct acpi_dock_ops *ops,
44696 diff -urNp linux-2.6.38.1/include/asm-generic/atomic-long.h linux-2.6.38.1/include/asm-generic/atomic-long.h
44697 --- linux-2.6.38.1/include/asm-generic/atomic-long.h 2011-03-14 21:20:32.000000000 -0400
44698 +++ linux-2.6.38.1/include/asm-generic/atomic-long.h 2011-03-21 18:31:35.000000000 -0400
44701 typedef atomic64_t atomic_long_t;
44703 +#ifdef CONFIG_PAX_REFCOUNT
44704 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
44706 +typedef atomic64_t atomic_long_unchecked_t;
44709 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
44711 static inline long atomic_long_read(atomic_long_t *l)
44712 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
44713 return (long)atomic64_read(v);
44716 +#ifdef CONFIG_PAX_REFCOUNT
44717 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44719 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44721 + return (long)atomic64_read_unchecked(v);
44725 static inline void atomic_long_set(atomic_long_t *l, long i)
44727 atomic64_t *v = (atomic64_t *)l;
44728 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
44729 atomic64_set(v, i);
44732 +#ifdef CONFIG_PAX_REFCOUNT
44733 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44735 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44737 + atomic64_set_unchecked(v, i);
44741 static inline void atomic_long_inc(atomic_long_t *l)
44743 atomic64_t *v = (atomic64_t *)l;
44744 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
44748 +#ifdef CONFIG_PAX_REFCOUNT
44749 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44751 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44753 + atomic64_inc_unchecked(v);
44757 static inline void atomic_long_dec(atomic_long_t *l)
44759 atomic64_t *v = (atomic64_t *)l;
44760 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
44764 +#ifdef CONFIG_PAX_REFCOUNT
44765 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44767 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44769 + atomic64_dec_unchecked(v);
44773 static inline void atomic_long_add(long i, atomic_long_t *l)
44775 atomic64_t *v = (atomic64_t *)l;
44776 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
44777 atomic64_add(i, v);
44780 +#ifdef CONFIG_PAX_REFCOUNT
44781 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44783 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44785 + atomic64_add_unchecked(i, v);
44789 static inline void atomic_long_sub(long i, atomic_long_t *l)
44791 atomic64_t *v = (atomic64_t *)l;
44792 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
44793 atomic64_sub(i, v);
44796 +#ifdef CONFIG_PAX_REFCOUNT
44797 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44799 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44801 + atomic64_sub_unchecked(i, v);
44805 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44807 atomic64_t *v = (atomic64_t *)l;
44808 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
44809 return (long)atomic64_inc_return(v);
44812 +#ifdef CONFIG_PAX_REFCOUNT
44813 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44815 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44817 + return (long)atomic64_inc_return_unchecked(v);
44821 static inline long atomic_long_dec_return(atomic_long_t *l)
44823 atomic64_t *v = (atomic64_t *)l;
44824 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
44826 typedef atomic_t atomic_long_t;
44828 +#ifdef CONFIG_PAX_REFCOUNT
44829 +typedef atomic_unchecked_t atomic_long_unchecked_t;
44831 +typedef atomic_t atomic_long_unchecked_t;
44834 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
44835 static inline long atomic_long_read(atomic_long_t *l)
44837 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
44838 return (long)atomic_read(v);
44841 +#ifdef CONFIG_PAX_REFCOUNT
44842 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44844 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44846 + return (long)atomic_read_unchecked(v);
44850 static inline void atomic_long_set(atomic_long_t *l, long i)
44852 atomic_t *v = (atomic_t *)l;
44853 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
44857 +#ifdef CONFIG_PAX_REFCOUNT
44858 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44860 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44862 + atomic_set_unchecked(v, i);
44866 static inline void atomic_long_inc(atomic_long_t *l)
44868 atomic_t *v = (atomic_t *)l;
44869 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
44873 +#ifdef CONFIG_PAX_REFCOUNT
44874 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44876 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44878 + atomic_inc_unchecked(v);
44882 static inline void atomic_long_dec(atomic_long_t *l)
44884 atomic_t *v = (atomic_t *)l;
44885 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
44889 +#ifdef CONFIG_PAX_REFCOUNT
44890 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44892 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44894 + atomic_dec_unchecked(v);
44898 static inline void atomic_long_add(long i, atomic_long_t *l)
44900 atomic_t *v = (atomic_t *)l;
44901 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
44905 +#ifdef CONFIG_PAX_REFCOUNT
44906 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44908 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44910 + atomic_add_unchecked(i, v);
44914 static inline void atomic_long_sub(long i, atomic_long_t *l)
44916 atomic_t *v = (atomic_t *)l;
44917 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
44921 +#ifdef CONFIG_PAX_REFCOUNT
44922 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44924 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44926 + atomic_sub_unchecked(i, v);
44930 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44932 atomic_t *v = (atomic_t *)l;
44933 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
44934 return (long)atomic_inc_return(v);
44937 +#ifdef CONFIG_PAX_REFCOUNT
44938 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44940 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44942 + return (long)atomic_inc_return_unchecked(v);
44946 static inline long atomic_long_dec_return(atomic_long_t *l)
44948 atomic_t *v = (atomic_t *)l;
44949 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
44951 #endif /* BITS_PER_LONG == 64 */
44953 +#ifdef CONFIG_PAX_REFCOUNT
44954 +static inline void pax_refcount_needs_these_functions(void)
44956 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
44957 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
44958 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
44959 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
44960 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
44961 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
44962 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
44964 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
44965 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
44966 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
44967 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
44968 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
44969 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
44970 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
44973 +#define atomic_read_unchecked(v) atomic_read(v)
44974 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
44975 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
44976 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
44977 +#define atomic_inc_unchecked(v) atomic_inc(v)
44978 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
44979 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
44981 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
44982 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
44983 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
44984 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
44985 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
44986 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
44987 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
44990 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
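Review bot: `pax_refcount_needs_these_functions` is never called and passes NULL to every primitive, so a reader can only guess that it exists to force a compile error when an architecture does not provide one of the `*_unchecked` operations under CONFIG_PAX_REFCOUNT; that intent should be stated above it: `/* Never called: references each *_unchecked primitive so a missing arch definition fails at compile time rather than at its first user. */`. The atomic-level list does not reference `atomic_dec_unchecked` directly (it is reached only through `atomic_long_dec_unchecked`), which is worth either a line noting the indirect coverage or an explicit entry for symmetry with `atomic_inc_unchecked`. In the non-PAX fallback the `_unchecked` names are plain aliases of the checked operations, so a misuse of an unchecked variant is only detectable in PAX_REFCOUNT builds; the `#else`/`#endif` between the helper and the aliases, and the `@@` header of this file's first hunk, are not visible in this listing.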
44991 diff -urNp linux-2.6.38.1/include/asm-generic/dma-mapping-common.h linux-2.6.38.1/include/asm-generic/dma-mapping-common.h
44992 --- linux-2.6.38.1/include/asm-generic/dma-mapping-common.h 2011-03-14 21:20:32.000000000 -0400
44993 +++ linux-2.6.38.1/include/asm-generic/dma-mapping-common.h 2011-03-21 18:31:35.000000000 -0400
44994 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
44995 enum dma_data_direction dir,
44996 struct dma_attrs *attrs)
44998 - struct dma_map_ops *ops = get_dma_ops(dev);
44999 + const struct dma_map_ops *ops = get_dma_ops(dev);
45002 kmemcheck_mark_initialized(ptr, size);
45003 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
45004 enum dma_data_direction dir,
45005 struct dma_attrs *attrs)
45007 - struct dma_map_ops *ops = get_dma_ops(dev);
45008 + const struct dma_map_ops *ops = get_dma_ops(dev);
45010 BUG_ON(!valid_dma_direction(dir));
45011 if (ops->unmap_page)
45012 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
45013 int nents, enum dma_data_direction dir,
45014 struct dma_attrs *attrs)
45016 - struct dma_map_ops *ops = get_dma_ops(dev);
45017 + const struct dma_map_ops *ops = get_dma_ops(dev);
45019 struct scatterlist *s;
45021 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
45022 int nents, enum dma_data_direction dir,
45023 struct dma_attrs *attrs)
45025 - struct dma_map_ops *ops = get_dma_ops(dev);
45026 + const struct dma_map_ops *ops = get_dma_ops(dev);
45028 BUG_ON(!valid_dma_direction(dir));
45029 debug_dma_unmap_sg(dev, sg, nents, dir);
45030 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
45031 size_t offset, size_t size,
45032 enum dma_data_direction dir)
45034 - struct dma_map_ops *ops = get_dma_ops(dev);
45035 + const struct dma_map_ops *ops = get_dma_ops(dev);
45038 kmemcheck_mark_initialized(page_address(page) + offset, size);
45039 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
45040 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
45041 size_t size, enum dma_data_direction dir)
45043 - struct dma_map_ops *ops = get_dma_ops(dev);
45044 + const struct dma_map_ops *ops = get_dma_ops(dev);
45046 BUG_ON(!valid_dma_direction(dir));
45047 if (ops->unmap_page)
45048 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
45050 enum dma_data_direction dir)
45052 - struct dma_map_ops *ops = get_dma_ops(dev);
45053 + const struct dma_map_ops *ops = get_dma_ops(dev);
45055 BUG_ON(!valid_dma_direction(dir));
45056 if (ops->sync_single_for_cpu)
45057 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
45058 dma_addr_t addr, size_t size,
45059 enum dma_data_direction dir)
45061 - struct dma_map_ops *ops = get_dma_ops(dev);
45062 + const struct dma_map_ops *ops = get_dma_ops(dev);
45064 BUG_ON(!valid_dma_direction(dir));
45065 if (ops->sync_single_for_device)
45066 @@ -139,7 +139,7 @@ static inline void
45067 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
45068 int nelems, enum dma_data_direction dir)
45070 - struct dma_map_ops *ops = get_dma_ops(dev);
45071 + const struct dma_map_ops *ops = get_dma_ops(dev);
45073 BUG_ON(!valid_dma_direction(dir));
45074 if (ops->sync_sg_for_cpu)
45075 @@ -151,7 +151,7 @@ static inline void
45076 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
45077 int nelems, enum dma_data_direction dir)
45079 - struct dma_map_ops *ops = get_dma_ops(dev);
45080 + const struct dma_map_ops *ops = get_dma_ops(dev);
45082 BUG_ON(!valid_dma_direction(dir));
45083 if (ops->sync_sg_for_device)
45084 diff -urNp linux-2.6.38.1/include/asm-generic/futex.h linux-2.6.38.1/include/asm-generic/futex.h
45085 --- linux-2.6.38.1/include/asm-generic/futex.h 2011-03-14 21:20:32.000000000 -0400
45086 +++ linux-2.6.38.1/include/asm-generic/futex.h 2011-03-21 18:31:35.000000000 -0400
45088 #include <asm/errno.h>
45091 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
45092 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
45094 int op = (encoded_op >> 28) & 7;
45095 int cmp = (encoded_op >> 24) & 15;
45096 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
45100 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
45101 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
45105 diff -urNp linux-2.6.38.1/include/asm-generic/int-l64.h linux-2.6.38.1/include/asm-generic/int-l64.h
45106 --- linux-2.6.38.1/include/asm-generic/int-l64.h 2011-03-14 21:20:32.000000000 -0400
45107 +++ linux-2.6.38.1/include/asm-generic/int-l64.h 2011-03-21 18:31:35.000000000 -0400
45108 @@ -46,6 +46,8 @@ typedef unsigned int u32;
45109 typedef signed long s64;
45110 typedef unsigned long u64;
45112 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
45115 #define U8_C(x) x ## U
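Review bot: The new `intoverflow_t` typedef is undocumented: nothing says it is meant to be wider than `unsigned long`/`size_t` so that a size computation can be range-checked before it is truncated, which is the only reason a `mode(TI)` (128-bit) type would be chosen here. Add above it `/* Wider than unsigned long: holds an untruncated size product so callers can range-check it before converting to size_t. */`, and the same comment on the int-ll64.h hunk below. Note that the int-ll64.h variant is plain `unsigned long long`, which is no wider than `unsigned long` on a 64-bit target that selects int-ll64.h (I believe x86-64 does), so a `> ULONG_MAX` style check against it cannot fire there; if the 64-bit ll64 case is meant to be covered it needs the `mode(TI)` form as well, under a `CONFIG_64BIT` conditional.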
45117 diff -urNp linux-2.6.38.1/include/asm-generic/int-ll64.h linux-2.6.38.1/include/asm-generic/int-ll64.h
45118 --- linux-2.6.38.1/include/asm-generic/int-ll64.h 2011-03-14 21:20:32.000000000 -0400
45119 +++ linux-2.6.38.1/include/asm-generic/int-ll64.h 2011-03-21 18:31:35.000000000 -0400
45120 @@ -51,6 +51,8 @@ typedef unsigned int u32;
45121 typedef signed long long s64;
45122 typedef unsigned long long u64;
45124 +typedef unsigned long long intoverflow_t;
45127 #define U8_C(x) x ## U
45129 diff -urNp linux-2.6.38.1/include/asm-generic/kmap_types.h linux-2.6.38.1/include/asm-generic/kmap_types.h
45130 --- linux-2.6.38.1/include/asm-generic/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
45131 +++ linux-2.6.38.1/include/asm-generic/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
45132 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
45134 KMAP_D(18) KM_NMI_PTE,
45136 +KMAP_D(20) KM_CLEARPAGE,
45138 * Remember to update debug_kmap_atomic() when adding new kmap types!
45140 -KMAP_D(20) KM_TYPE_NR
45141 +KMAP_D(21) KM_TYPE_NR
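Review bot: `KM_CLEARPAGE` is added as slot 20 and `KM_TYPE_NR` bumped to 21, but the reminder comment directly above it says debug_kmap_atomic() must be updated whenever a kmap type is added, and that update is not part of this hunk. If the matching entry in the debug table (elsewhere in the tree) is missing, kmap debugging will misreport the new type; please confirm it is in the same patch. A trailing comment on the new line, `KMAP_D(20) KM_CLEARPAGE, /* PaX: dedicated slot for clear_page paths */` (adjust to the real user), would tell readers why a separate slot was needed.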
45145 diff -urNp linux-2.6.38.1/include/asm-generic/pgtable.h linux-2.6.38.1/include/asm-generic/pgtable.h
45146 --- linux-2.6.38.1/include/asm-generic/pgtable.h 2011-03-14 21:20:32.000000000 -0400
45147 +++ linux-2.6.38.1/include/asm-generic/pgtable.h 2011-03-21 18:31:35.000000000 -0400
45148 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
45149 #endif /* __HAVE_ARCH_PMD_WRITE */
45152 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
45153 +static inline unsigned long pax_open_kernel(void) { return 0; }
45156 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
45157 +static inline unsigned long pax_close_kernel(void) { return 0; }
45160 #endif /* !__ASSEMBLY__ */
45162 #endif /* _ASM_GENERIC_PGTABLE_H */
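Review bot: The two fallback stubs `pax_open_kernel()`/`pax_close_kernel()` carry no comment saying they are the no-op defaults for architectures that do not define `__HAVE_ARCH_PAX_OPEN_KERNEL`/`__HAVE_ARCH_PAX_CLOSE_KERNEL`, nor what the `unsigned long` return value means on architectures that do provide them. From this hunk alone it is only visible that the generic versions return 0, so the contract for the return value has to come from the arch implementations. Add above the first `#ifndef`: `/* Generic no-op fallbacks: arches with a write-protected kernel image override these; the return value is whatever the arch version needs to restore (see arch headers). */`, tightening the wording once the arch contract is confirmed.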
45163 diff -urNp linux-2.6.38.1/include/asm-generic/pgtable-nopmd.h linux-2.6.38.1/include/asm-generic/pgtable-nopmd.h
45164 --- linux-2.6.38.1/include/asm-generic/pgtable-nopmd.h 2011-03-14 21:20:32.000000000 -0400
45165 +++ linux-2.6.38.1/include/asm-generic/pgtable-nopmd.h 2011-03-21 18:31:35.000000000 -0400
45167 #ifndef _PGTABLE_NOPMD_H
45168 #define _PGTABLE_NOPMD_H
45170 -#ifndef __ASSEMBLY__
45172 #include <asm-generic/pgtable-nopud.h>
45176 #define __PAGETABLE_PMD_FOLDED
45178 +#define PMD_SHIFT PUD_SHIFT
45179 +#define PTRS_PER_PMD 1
45180 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
45181 +#define PMD_MASK (~(PMD_SIZE-1))
45183 +#ifndef __ASSEMBLY__
45188 * Having the pmd type consist of a pud gets the size right, and allows
45189 * us to conceptually access the pud entry that this pmd is folded into
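Review bot: The relocated definitions now use `_AC(1,UL)` so that `PMD_SIZE` can be evaluated from assembly, but this header is not shown to include `<linux/const.h>`, which defines `_AC()`; the same applies to `PUD_SIZE` in the pgtable-nopud.h hunk below. If the only consumers reach these headers through `<asm/pgtable.h>` after `<asm/page.h>` has already pulled in const.h this works by accident; adding `#include <linux/const.h>` next to the existing `#include <asm-generic/pgtable-nopud.h>` makes the dependency explicit. The block was also moved out of `#ifndef __ASSEMBLY__`, which is what makes the `_AC()` form necessary; a one-line comment such as `/* Usable from assembly: keep outside __ASSEMBLY__ and use _AC() for the shift. */` would stop a later cleanup from moving it back.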
45190 @@ -16,11 +21,6 @@ struct mm_struct;
45192 typedef struct { pud_t pud; } pmd_t;
45194 -#define PMD_SHIFT PUD_SHIFT
45195 -#define PTRS_PER_PMD 1
45196 -#define PMD_SIZE (1UL << PMD_SHIFT)
45197 -#define PMD_MASK (~(PMD_SIZE-1))
45200 * The "pud_xxx()" functions here are trivial for a folded two-level
45201 * setup: the pmd is never bad, and a pmd always exists (as it's folded
45202 diff -urNp linux-2.6.38.1/include/asm-generic/pgtable-nopud.h linux-2.6.38.1/include/asm-generic/pgtable-nopud.h
45203 --- linux-2.6.38.1/include/asm-generic/pgtable-nopud.h 2011-03-14 21:20:32.000000000 -0400
45204 +++ linux-2.6.38.1/include/asm-generic/pgtable-nopud.h 2011-03-21 18:31:35.000000000 -0400
45206 #ifndef _PGTABLE_NOPUD_H
45207 #define _PGTABLE_NOPUD_H
45209 -#ifndef __ASSEMBLY__
45211 #define __PAGETABLE_PUD_FOLDED
45213 +#define PUD_SHIFT PGDIR_SHIFT
45214 +#define PTRS_PER_PUD 1
45215 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
45216 +#define PUD_MASK (~(PUD_SIZE-1))
45218 +#ifndef __ASSEMBLY__
45221 * Having the pud type consist of a pgd gets the size right, and allows
45222 * us to conceptually access the pgd entry that this pud is folded into
45225 typedef struct { pgd_t pgd; } pud_t;
45227 -#define PUD_SHIFT PGDIR_SHIFT
45228 -#define PTRS_PER_PUD 1
45229 -#define PUD_SIZE (1UL << PUD_SHIFT)
45230 -#define PUD_MASK (~(PUD_SIZE-1))
45233 * The "pgd_xxx()" functions here are trivial for a folded two-level
45234 * setup: the pud is never bad, and a pud always exists (as it's folded
45235 diff -urNp linux-2.6.38.1/include/asm-generic/vmlinux.lds.h linux-2.6.38.1/include/asm-generic/vmlinux.lds.h
45236 --- linux-2.6.38.1/include/asm-generic/vmlinux.lds.h 2011-03-14 21:20:32.000000000 -0400
45237 +++ linux-2.6.38.1/include/asm-generic/vmlinux.lds.h 2011-03-21 18:31:35.000000000 -0400
45238 @@ -213,6 +213,7 @@
45239 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
45240 VMLINUX_SYMBOL(__start_rodata) = .; \
45241 *(.rodata) *(.rodata.*) \
45242 + *(.data..read_only) \
45243 *(__vermagic) /* Kernel version magic */ \
45245 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
45246 @@ -696,14 +697,15 @@
45247 * section in the linker script will go there too. @phdr should have
45250 - * Note that this macros defines __per_cpu_load as an absolute symbol.
45251 + * Note that this macros defines per_cpu_load as an absolute symbol.
45252 * If there is no need to put the percpu section at a predetermined
45253 * address, use PERCPU().
45255 #define PERCPU_VADDR(vaddr, phdr) \
45256 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
45257 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
45258 + per_cpu_load = .; \
45259 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
45261 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
45262 VMLINUX_SYMBOL(__per_cpu_start) = .; \
45263 *(.data..percpu..first) \
45264 . = ALIGN(PAGE_SIZE); \
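Review bot: `per_cpu_load = .;` defines the new symbol without the `VMLINUX_SYMBOL()` wrapper, while both references to it (`AT(VMLINUX_SYMBOL(per_cpu_load) ...` here and `. = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);` in the next hunk) go through the wrapper; on architectures where `VMLINUX_SYMBOL()` adds a symbol prefix the references would resolve to a different, undefined name. Either define it as `VMLINUX_SYMBOL(per_cpu_load) = .;` or drop the wrapper at the use sites so all three agree. The rewritten comment also keeps the pre-existing "this macros defines" wording; "this macro defines" is correct. A one-line comment on why `__per_cpu_load` is now computed as `. + per_cpu_load` inside the section instead of being assigned the load address directly would help the next reader, since the reason is not visible in this hunk.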
45265 @@ -713,7 +715,7 @@
45266 *(.data..percpu..shared_aligned) \
45267 VMLINUX_SYMBOL(__per_cpu_end) = .; \
45269 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
45270 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
45273 * PERCPU - define output section for percpu area, simple version
45274 diff -urNp linux-2.6.38.1/include/drm/drm_pciids.h linux-2.6.38.1/include/drm/drm_pciids.h
45275 --- linux-2.6.38.1/include/drm/drm_pciids.h 2011-03-14 21:20:32.000000000 -0400
45276 +++ linux-2.6.38.1/include/drm/drm_pciids.h 2011-03-21 18:31:35.000000000 -0400
45277 @@ -458,7 +458,7 @@
45278 {0x1002, 0x9803, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45279 {0x1002, 0x9804, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45280 {0x1002, 0x9805, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45282 + {0, 0, 0, 0, 0, 0}
45284 #define r128_PCI_IDS \
45285 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45286 @@ -498,14 +498,14 @@
45287 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45288 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45289 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45291 + {0, 0, 0, 0, 0, 0}
45293 #define mga_PCI_IDS \
45294 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45295 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45296 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
45297 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
45299 + {0, 0, 0, 0, 0, 0}
45301 #define mach64_PCI_IDS \
45302 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45303 @@ -528,7 +528,7 @@
45304 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45305 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45306 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45308 + {0, 0, 0, 0, 0, 0}
45310 #define sisdrv_PCI_IDS \
45311 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45312 @@ -539,7 +539,7 @@
45313 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45314 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45315 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45317 + {0, 0, 0, 0, 0, 0}
45319 #define tdfx_PCI_IDS \
45320 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45321 @@ -548,7 +548,7 @@
45322 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45323 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45324 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45326 + {0, 0, 0, 0, 0, 0}
45328 #define viadrv_PCI_IDS \
45329 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45330 @@ -560,14 +560,14 @@
45331 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45332 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
45333 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
45335 + {0, 0, 0, 0, 0, 0}
45337 #define i810_PCI_IDS \
45338 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45339 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45340 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45341 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45343 + {0, 0, 0, 0, 0, 0}
45345 #define i830_PCI_IDS \
45346 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45347 @@ -575,11 +575,11 @@
45348 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45349 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45350 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45352 + {0, 0, 0, 0, 0, 0}
45354 #define gamma_PCI_IDS \
45355 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45357 + {0, 0, 0, 0, 0, 0}
45359 #define savage_PCI_IDS \
45360 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
45361 @@ -605,10 +605,10 @@
45362 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
45363 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45364 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45366 + {0, 0, 0, 0, 0, 0}
45368 #define ffb_PCI_IDS \
45370 + {0, 0, 0, 0, 0, 0}
45372 #define i915_PCI_IDS \
45373 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45374 @@ -642,4 +642,4 @@
45375 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45376 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45377 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45379 + {0, 0, 0, 0, 0, 0}
45380 diff -urNp linux-2.6.38.1/include/drm/drmP.h linux-2.6.38.1/include/drm/drmP.h
45381 --- linux-2.6.38.1/include/drm/drmP.h 2011-03-14 21:20:32.000000000 -0400
45382 +++ linux-2.6.38.1/include/drm/drmP.h 2011-03-21 18:31:35.000000000 -0400
45384 #include <linux/workqueue.h>
45385 #include <linux/poll.h>
45386 #include <asm/pgalloc.h>
45387 +#include <asm/local.h>
45390 #include <linux/idr.h>
45391 @@ -881,7 +882,7 @@ struct drm_driver {
45392 void (*vgaarb_irq)(struct drm_device *dev, bool state);
45394 /* Driver private ops for this object */
45395 - struct vm_operations_struct *gem_vm_ops;
45396 + const struct vm_operations_struct *gem_vm_ops;
45400 @@ -894,7 +895,7 @@ struct drm_driver {
45402 struct drm_ioctl_desc *ioctls;
45404 - struct file_operations fops;
45405 + const struct file_operations fops;
45406 struct pci_driver pci_driver;
45407 struct platform_device *platform_device;
45408 /* List of devices hanging off this driver */
45409 @@ -991,7 +992,7 @@ struct drm_device {
45411 /** \name Usage Counters */
45413 - int open_count; /**< Outstanding files open */
45414 + local_t open_count; /**< Outstanding files open */
45415 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
45416 atomic_t vma_count; /**< Outstanding vma areas open */
45417 int buf_use; /**< Buffers in use -- cannot alloc */
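Review bot: `open_count` changes from `int` to `local_t`, and `local_t` operations are only atomic with respect to the CPU performing them (on x86, for instance, they are plain non-locked read-modify-write instructions), whereas open/release of a DRM device can run on any CPU. This is only correct if every `local_inc`/`local_dec` on `dev->open_count` happens under one lock (presumably `drm_global_mutex`, which this hunk does not show); the field comment should state that, e.g. `local_t open_count; /**< Outstanding files open; all updates serialized by drm_global_mutex */` (confirm the lock name against drm_fops.c). Every existing reader of the plain `int` must also be converted to `local_read()`, which a header change alone cannot verify.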
45418 @@ -1002,7 +1003,7 @@ struct drm_device {
45420 unsigned long counters;
45421 enum drm_stat_type types[15];
45422 - atomic_t counts[15];
45423 + atomic_unchecked_t counts[15];
45426 struct list_head filelist;
45427 @@ -1101,7 +1102,7 @@ struct drm_device {
45428 struct platform_device *platformdev; /**< Platform device struture */
45430 struct drm_sg_mem *sg; /**< Scatter gather memory */
45431 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
45432 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
45433 void *dev_private; /**< device private data */
45435 struct address_space *dev_mapping;
45436 diff -urNp linux-2.6.38.1/include/linux/a.out.h linux-2.6.38.1/include/linux/a.out.h
45437 --- linux-2.6.38.1/include/linux/a.out.h 2011-03-14 21:20:32.000000000 -0400
45438 +++ linux-2.6.38.1/include/linux/a.out.h 2011-03-21 18:31:35.000000000 -0400
45439 @@ -39,6 +39,14 @@ enum machine_type {
45440 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
45443 +/* Constants for the N_FLAGS field */
45444 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45445 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
45446 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
45447 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
45448 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45449 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45451 #if !defined (N_MAGIC)
45452 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
45454 diff -urNp linux-2.6.38.1/include/linux/atmdev.h linux-2.6.38.1/include/linux/atmdev.h
45455 --- linux-2.6.38.1/include/linux/atmdev.h 2011-03-14 21:20:32.000000000 -0400
45456 +++ linux-2.6.38.1/include/linux/atmdev.h 2011-03-21 18:31:35.000000000 -0400
45457 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
45460 struct k_atm_aal_stats {
45461 -#define __HANDLE_ITEM(i) atomic_t i
45462 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
45464 #undef __HANDLE_ITEM
45466 diff -urNp linux-2.6.38.1/include/linux/binfmts.h linux-2.6.38.1/include/linux/binfmts.h
45467 --- linux-2.6.38.1/include/linux/binfmts.h 2011-03-14 21:20:32.000000000 -0400
45468 +++ linux-2.6.38.1/include/linux/binfmts.h 2011-03-21 18:31:35.000000000 -0400
45469 @@ -92,6 +92,7 @@ struct linux_binfmt {
45470 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
45471 int (*load_shlib)(struct file *);
45472 int (*core_dump)(struct coredump_params *cprm);
45473 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
45474 unsigned long min_coredump; /* minimal dump size */
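Review bot: The new `handle_mprotect` hook in `struct linux_binfmt` has no comment, and unlike its neighbours its name does not say when it is called or whether it is optional. Existing binfmts that do not set it will have it zeroed by their static initializers, so whichever caller invokes it (not in this hunk) must NULL-check it; document that on the line: `void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags); /* optional, may be NULL; presumably invoked from mprotect() for a vma of this format */`, replacing the hedged wording once the call site is confirmed.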
45477 diff -urNp linux-2.6.38.1/include/linux/blkdev.h linux-2.6.38.1/include/linux/blkdev.h
45478 --- linux-2.6.38.1/include/linux/blkdev.h 2011-03-14 21:20:32.000000000 -0400
45479 +++ linux-2.6.38.1/include/linux/blkdev.h 2011-03-21 18:31:35.000000000 -0400
45480 @@ -1247,22 +1247,22 @@ queue_max_integrity_segments(struct requ
45481 #endif /* CONFIG_BLK_DEV_INTEGRITY */
45483 struct block_device_operations {
45484 - int (*open) (struct block_device *, fmode_t);
45485 - int (*release) (struct gendisk *, fmode_t);
45486 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45487 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45488 - int (*direct_access) (struct block_device *, sector_t,
45489 + int (* const open) (struct block_device *, fmode_t);
45490 + int (* const release) (struct gendisk *, fmode_t);
45491 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45492 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45493 + int (* const direct_access) (struct block_device *, sector_t,
45494 void **, unsigned long *);
45495 - unsigned int (*check_events) (struct gendisk *disk,
45496 + unsigned int (* const check_events) (struct gendisk *disk,
45497 unsigned int clearing);
45498 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
45499 - int (*media_changed) (struct gendisk *);
45500 - void (*unlock_native_capacity) (struct gendisk *);
45501 - int (*revalidate_disk) (struct gendisk *);
45502 - int (*getgeo)(struct block_device *, struct hd_geometry *);
45503 + int (* const media_changed) (struct gendisk *);
45504 + void (* const unlock_native_capacity) (struct gendisk *);
45505 + int (* const revalidate_disk) (struct gendisk *);
45506 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
45507 /* this callback is with swap_lock and sometimes page table lock held */
45508 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
45509 - struct module *owner;
45510 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
45511 + struct module * const owner;
45514 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
45515 diff -urNp linux-2.6.38.1/include/linux/byteorder/little_endian.h linux-2.6.38.1/include/linux/byteorder/little_endian.h
45516 --- linux-2.6.38.1/include/linux/byteorder/little_endian.h 2011-03-14 21:20:32.000000000 -0400
45517 +++ linux-2.6.38.1/include/linux/byteorder/little_endian.h 2011-03-21 18:31:35.000000000 -0400
45518 @@ -42,51 +42,51 @@
45520 static inline __le64 __cpu_to_le64p(const __u64 *p)
45522 - return (__force __le64)*p;
45523 + return (__force const __le64)*p;
45525 static inline __u64 __le64_to_cpup(const __le64 *p)
45527 - return (__force __u64)*p;
45528 + return (__force const __u64)*p;
45530 static inline __le32 __cpu_to_le32p(const __u32 *p)
45532 - return (__force __le32)*p;
45533 + return (__force const __le32)*p;
45535 static inline __u32 __le32_to_cpup(const __le32 *p)
45537 - return (__force __u32)*p;
45538 + return (__force const __u32)*p;
45540 static inline __le16 __cpu_to_le16p(const __u16 *p)
45542 - return (__force __le16)*p;
45543 + return (__force const __le16)*p;
45545 static inline __u16 __le16_to_cpup(const __le16 *p)
45547 - return (__force __u16)*p;
45548 + return (__force const __u16)*p;
45550 static inline __be64 __cpu_to_be64p(const __u64 *p)
45552 - return (__force __be64)__swab64p(p);
45553 + return (__force const __be64)__swab64p(p);
45555 static inline __u64 __be64_to_cpup(const __be64 *p)
45557 - return __swab64p((__u64 *)p);
45558 + return __swab64p((const __u64 *)p);
45560 static inline __be32 __cpu_to_be32p(const __u32 *p)
45562 - return (__force __be32)__swab32p(p);
45563 + return (__force const __be32)__swab32p(p);
45565 static inline __u32 __be32_to_cpup(const __be32 *p)
45567 - return __swab32p((__u32 *)p);
45568 + return __swab32p((const __u32 *)p);
45570 static inline __be16 __cpu_to_be16p(const __u16 *p)
45572 - return (__force __be16)__swab16p(p);
45573 + return (__force const __be16)__swab16p(p);
45575 static inline __u16 __be16_to_cpup(const __be16 *p)
45577 - return __swab16p((__u16 *)p);
45578 + return __swab16p((const __u16 *)p);
45580 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
45581 #define __le64_to_cpus(x) do { (void)(x); } while (0)
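Review bot: The `const` added to the value casts (`(__force const __le64)*p` and the other eleven `return` lines in this hunk) has no effect: a cast yields an rvalue and C discards qualifiers on non-lvalue expression types, so `(__force const __le64)` is the same type as `(__force __le64)` and may draw a warning from compilers that flag ignored qualifiers. Only the pointer casts (`__swab64p((const __u64 *)p)` and the `__swab32p`/`__swab16p` counterparts) change anything, since they stop casting away the `const` of the parameter; keep those and revert the value casts to the original form, e.g. `return (__force __le64)*p;`, so the intent of the hunk stays visible.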
45582 diff -urNp linux-2.6.38.1/include/linux/cache.h linux-2.6.38.1/include/linux/cache.h
45583 --- linux-2.6.38.1/include/linux/cache.h 2011-03-14 21:20:32.000000000 -0400
45584 +++ linux-2.6.38.1/include/linux/cache.h 2011-03-21 18:31:35.000000000 -0400
45586 #define __read_mostly
45589 +#ifndef __read_only
45590 +#define __read_only __read_mostly
45593 #ifndef ____cacheline_aligned
45594 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
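Review bot: The fallback `#define __read_only __read_mostly` silently gives the annotation no protection semantics: the `#define __read_mostly` context line above it shows the empty fallback it inherits, so objects tagged `__read_only` stay in ordinary writable data on any architecture that does not provide its own definition, and never reach the `.data..read_only` input section that the vmlinux.lds.h hunk adds to `.rodata`. Generic code must therefore not treat `__read_only` as an enforcement boundary. Add above the `#ifndef`: `/* Fallback: the arch did not define __read_only, so tagged data stays writable (no .data..read_only placement). */`.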
45596 diff -urNp linux-2.6.38.1/include/linux/capability.h linux-2.6.38.1/include/linux/capability.h
45597 --- linux-2.6.38.1/include/linux/capability.h 2011-03-14 21:20:32.000000000 -0400
45598 +++ linux-2.6.38.1/include/linux/capability.h 2011-03-21 18:31:35.000000000 -0400
45599 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
45600 (security_real_capable_noaudit((t), (cap)) == 0)
45602 extern int capable(int cap);
45603 +int capable_nolog(int cap);
45605 /* audit system wants to get cap info from files as well */
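Review bot: `int capable_nolog(int cap);` is declared without `extern`, immediately after `extern int capable(int cap);`; the two forms are equivalent for a prototype, but the file's convention is `extern`, so write `extern int capable_nolog(int cap);`. A one-line comment on how it differs from `capable()` (from the name, presumably the same check without the audit/log side effect) would save readers a trip to the definition.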
45607 diff -urNp linux-2.6.38.1/include/linux/compiler-gcc4.h linux-2.6.38.1/include/linux/compiler-gcc4.h
45608 --- linux-2.6.38.1/include/linux/compiler-gcc4.h 2011-03-14 21:20:32.000000000 -0400
45609 +++ linux-2.6.38.1/include/linux/compiler-gcc4.h 2011-03-21 18:31:35.000000000 -0400
45614 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
45615 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
45616 +#define __bos0(ptr) __bos((ptr), 0)
45617 +#define __bos1(ptr) __bos((ptr), 1)
45620 #if __GNUC_MINOR__ > 0
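Review bot: `__attribute((alloc_size(__VA_ARGS__)))` uses the `__attribute` spelling while the surrounding kernel headers (e.g. `__attribute__((__aligned__(...)))` in the cache.h hunk on this page) use `__attribute__`; GCC accepts both, but the double-underscore form is the documented one and the file's convention, so write `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. `alloc_size` is only understood by gcc 4.3 and later, so if these lines sit outside a `__GNUC_MINOR__ >= 3` guard (the enclosing `#if` lines are not visible in this extract), older 4.x compilers will warn about and ignore the attribute.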
45621 diff -urNp linux-2.6.38.1/include/linux/compiler.h linux-2.6.38.1/include/linux/compiler.h
45622 --- linux-2.6.38.1/include/linux/compiler.h 2011-03-14 21:20:32.000000000 -0400
45623 +++ linux-2.6.38.1/include/linux/compiler.h 2011-03-21 18:31:35.000000000 -0400
45624 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
45628 +#ifndef __alloc_size
45629 +#define __alloc_size
45644 /* Simple shorthand for a section definition */
45646 # define __section(S) __attribute__ ((__section__(#S)))
45647 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
45648 * use is to mediate communication between process-level code and irq/NMI
45649 * handlers, all running on the same CPU.
45651 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
45652 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
45653 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
45655 #endif /* __LINUX_COMPILER_H */
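Review bot: `ACCESS_ONCE()` now yields a `volatile const` lvalue, so every existing store through it elsewhere in the tree (`ACCESS_ONCE(x) = v`, `ACCESS_ONCE(x)++`) becomes a compile error rather than a silent behaviour change and must migrate to the new `ACCESS_ONCE_RW()`; the cpuset.h hunk below converts one such site. The macro comment above (`use is to mediate communication between process-level code and irq/NMI handlers`) still describes a read/write helper; add after it: `/* ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for the (rare) sites that must store through it. */`.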
45656 diff -urNp linux-2.6.38.1/include/linux/cpuset.h linux-2.6.38.1/include/linux/cpuset.h
45657 --- linux-2.6.38.1/include/linux/cpuset.h 2011-03-14 21:20:32.000000000 -0400
45658 +++ linux-2.6.38.1/include/linux/cpuset.h 2011-03-21 18:31:35.000000000 -0400
45659 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
45663 - --ACCESS_ONCE(current->mems_allowed_change_disable);
45664 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
45667 static inline void set_mems_allowed(nodemask_t nodemask)
45668 diff -urNp linux-2.6.38.1/include/linux/decompress/mm.h linux-2.6.38.1/include/linux/decompress/mm.h
45669 --- linux-2.6.38.1/include/linux/decompress/mm.h 2011-03-14 21:20:32.000000000 -0400
45670 +++ linux-2.6.38.1/include/linux/decompress/mm.h 2011-03-21 18:31:35.000000000 -0400
45671 @@ -77,7 +77,7 @@ static void free(void *where)
45672 * warnings when not needed (indeed large_malloc / large_free are not
45673 * needed by inflate */
45675 -#define malloc(a) kmalloc(a, GFP_KERNEL)
45676 +#define malloc(a) kmalloc((a), GFP_KERNEL)
45677 #define free(a) kfree(a)
45679 #define large_malloc(a) vmalloc(a)
45680 diff -urNp linux-2.6.38.1/include/linux/dma-mapping.h linux-2.6.38.1/include/linux/dma-mapping.h
45681 --- linux-2.6.38.1/include/linux/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
45682 +++ linux-2.6.38.1/include/linux/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
45683 @@ -16,40 +16,40 @@ enum dma_data_direction {
45686 struct dma_map_ops {
45687 - void* (*alloc_coherent)(struct device *dev, size_t size,
45688 + void* (* const alloc_coherent)(struct device *dev, size_t size,
45689 dma_addr_t *dma_handle, gfp_t gfp);
45690 - void (*free_coherent)(struct device *dev, size_t size,
45691 + void (* const free_coherent)(struct device *dev, size_t size,
45692 void *vaddr, dma_addr_t dma_handle);
45693 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
45694 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
45695 unsigned long offset, size_t size,
45696 enum dma_data_direction dir,
45697 struct dma_attrs *attrs);
45698 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
45699 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
45700 size_t size, enum dma_data_direction dir,
45701 struct dma_attrs *attrs);
45702 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
45703 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
45704 int nents, enum dma_data_direction dir,
45705 struct dma_attrs *attrs);
45706 - void (*unmap_sg)(struct device *dev,
45707 + void (* const unmap_sg)(struct device *dev,
45708 struct scatterlist *sg, int nents,
45709 enum dma_data_direction dir,
45710 struct dma_attrs *attrs);
45711 - void (*sync_single_for_cpu)(struct device *dev,
45712 + void (* const sync_single_for_cpu)(struct device *dev,
45713 dma_addr_t dma_handle, size_t size,
45714 enum dma_data_direction dir);
45715 - void (*sync_single_for_device)(struct device *dev,
45716 + void (* const sync_single_for_device)(struct device *dev,
45717 dma_addr_t dma_handle, size_t size,
45718 enum dma_data_direction dir);
45719 - void (*sync_sg_for_cpu)(struct device *dev,
45720 + void (* const sync_sg_for_cpu)(struct device *dev,
45721 struct scatterlist *sg, int nents,
45722 enum dma_data_direction dir);
45723 - void (*sync_sg_for_device)(struct device *dev,
45724 + void (* const sync_sg_for_device)(struct device *dev,
45725 struct scatterlist *sg, int nents,
45726 enum dma_data_direction dir);
45727 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
45728 - int (*dma_supported)(struct device *dev, u64 mask);
45729 - int (*set_dma_mask)(struct device *dev, u64 mask);
45731 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
45732 + int (* const dma_supported)(struct device *dev, u64 mask);
45733 + int (* set_dma_mask)(struct device *dev, u64 mask);
45734 + const int is_phys;
45737 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
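Review bot: `set_dma_mask` is the only callback in `struct dma_map_ops` left non-`const`, and the stray space in `(* set_dma_mask)` makes it look like a `const` was dropped while editing rather than a deliberate choice. If some architecture assigns `->set_dma_mask` at runtime (not visible here), say so on the line: `int (*set_dma_mask)(struct device *dev, u64 mask); /* assigned at runtime by some arches, hence not const */`; otherwise make it `(* const set_dma_mask)` like its neighbours. With the rest of the table `const`, any code that patches a `dma_map_ops` at runtime now fails to compile, which is the point of the change and worth a one-line comment above the struct.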
45738 diff -urNp linux-2.6.38.1/include/linux/elf.h linux-2.6.38.1/include/linux/elf.h
45739 --- linux-2.6.38.1/include/linux/elf.h 2011-03-14 21:20:32.000000000 -0400
45740 +++ linux-2.6.38.1/include/linux/elf.h 2011-03-21 18:31:35.000000000 -0400
45741 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
45742 #define PT_GNU_EH_FRAME 0x6474e550
45744 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
45745 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
45747 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
45749 +/* Constants for the e_flags field */
45750 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45751 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
45752 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
45753 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
45754 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45755 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45758 * Extended Numbering
45759 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
45760 #define DT_DEBUG 21
45761 #define DT_TEXTREL 22
45762 #define DT_JMPREL 23
45763 +#define DT_FLAGS 30
45764 + #define DF_TEXTREL 0x00000004
45765 #define DT_ENCODING 32
45766 #define OLD_DT_LOOS 0x60000000
45767 #define DT_LOOS 0x6000000d
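Review bot: `+ #define DF_TEXTREL 0x00000004` is indented with a leading space, unlike every other `#define` in this block, which makes it read like a nested or conditional definition; put it at column 0 as `#define DF_TEXTREL 0x00000004`. A short comment that `DF_TEXTREL` is a bit of the `DT_FLAGS` d_val (the only `DT_*` entry here that carries a flags word) would explain why the two are adjacent, e.g. `#define DF_TEXTREL 0x00000004 /* DT_FLAGS bit: object has text relocations */`.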
45768 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
45772 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
45773 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
45774 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
45775 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
45776 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
45777 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
45778 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
45779 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
45780 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
45781 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
45782 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
45783 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
45785 typedef struct elf32_phdr{
45787 Elf32_Off p_offset;
45788 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
45794 #define ELFMAG0 0x7f /* EI_MAG */
45795 #define ELFMAG1 'E'
45796 #define ELFMAG2 'L'
45797 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
45798 #define elf_note elf32_note
45799 #define elf_addr_t Elf32_Off
45800 #define Elf_Half Elf32_Half
45801 +#define elf_dyn Elf32_Dyn
45805 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
45806 #define elf_note elf64_note
45807 #define elf_addr_t Elf64_Off
45808 #define Elf_Half Elf64_Half
45809 +#define elf_dyn Elf64_Dyn
45813 diff -urNp linux-2.6.38.1/include/linux/fs.h linux-2.6.38.1/include/linux/fs.h
45814 --- linux-2.6.38.1/include/linux/fs.h 2011-03-14 21:20:32.000000000 -0400
45815 +++ linux-2.6.38.1/include/linux/fs.h 2011-03-21 18:31:35.000000000 -0400
45816 @@ -105,6 +105,11 @@ struct inodes_stat_t {
45817 /* File was opened by fanotify and shouldn't generate fanotify events */
45818 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
45820 +/* Hack for grsec so as not to require read permission simply to execute
45823 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
45826 * The below are the various read and write types that we support. Some of
45827 * them include behavioral modifiers that send information down to the
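Review bot: The new `FMODE_GREXEC` bit relaxes the read-permission requirement for execution, but the comment above it (partly elided in this view) does not say which code path may set it or that it must never be derivable from userspace-controlled open flags, so a reader of fs.h cannot tell whether an arbitrary `fmode_t` reaching a caller could carry it. I would extend the comment with `/* Set only by the kernel on the exec path; never derived from O_* flags supplied by userspace */`, adjusted to whatever the actual setter is. The value `0x2000000` is the next free bit after `FMODE_NONOTIFY`, which upstream may claim later, so the comment should also mark this as an out-of-tree allocation to watch on rebase.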
45828 @@ -581,42 +586,42 @@ typedef int (*read_actor_t)(read_descrip
45829 unsigned long, unsigned long);
45831 struct address_space_operations {
45832 - int (*writepage)(struct page *page, struct writeback_control *wbc);
45833 - int (*readpage)(struct file *, struct page *);
45834 - void (*sync_page)(struct page *);
45835 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
45836 + int (* const readpage)(struct file *, struct page *);
45837 + void (* const sync_page)(struct page *);
45839 /* Write back some dirty pages from this mapping. */
45840 - int (*writepages)(struct address_space *, struct writeback_control *);
45841 + int (* const writepages)(struct address_space *, struct writeback_control *);
45843 /* Set a page dirty. Return true if this dirtied it */
45844 - int (*set_page_dirty)(struct page *page);
45845 + int (* const set_page_dirty)(struct page *page);
45847 - int (*readpages)(struct file *filp, struct address_space *mapping,
45848 + int (* const readpages)(struct file *filp, struct address_space *mapping,
45849 struct list_head *pages, unsigned nr_pages);
45851 - int (*write_begin)(struct file *, struct address_space *mapping,
45852 + int (* const write_begin)(struct file *, struct address_space *mapping,
45853 loff_t pos, unsigned len, unsigned flags,
45854 struct page **pagep, void **fsdata);
45855 - int (*write_end)(struct file *, struct address_space *mapping,
45856 + int (* const write_end)(struct file *, struct address_space *mapping,
45857 loff_t pos, unsigned len, unsigned copied,
45858 struct page *page, void *fsdata);
45860 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
45861 - sector_t (*bmap)(struct address_space *, sector_t);
45862 - void (*invalidatepage) (struct page *, unsigned long);
45863 - int (*releasepage) (struct page *, gfp_t);
45864 - void (*freepage)(struct page *);
45865 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
45866 + sector_t (* const bmap)(struct address_space *, sector_t);
45867 + void (* const invalidatepage) (struct page *, unsigned long);
45868 + int (* const releasepage) (struct page *, gfp_t);
45869 + void (* const freepage)(struct page *);
45870 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
45871 loff_t offset, unsigned long nr_segs);
45872 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
45873 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
45874 void **, unsigned long *);
45875 /* migrate the contents of a page to the specified target */
45876 - int (*migratepage) (struct address_space *,
45877 + int (* const migratepage) (struct address_space *,
45878 struct page *, struct page *);
45879 - int (*launder_page) (struct page *);
45880 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
45881 + int (* const launder_page) (struct page *);
45882 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
45884 - int (*error_remove_page)(struct address_space *, struct page *);
45885 + int (* const error_remove_page)(struct address_space *, struct page *);
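Review bot: Making each function-pointer member `const` only stops writes the compiler can see through the `struct address_space_operations` type; it does not by itself move existing instances out of writable memory, so an instance still defined without `const` stays in `.data` and remains overwritable by a kernel write primitive. The hardening therefore depends on every instance being defined as `const struct address_space_operations` as well — presumably the rest of the patch does that, but it is worth stating on the struct, e.g. `/* members are const: define instances const so they land in .rodata */`. Any code that fills in ops members after definition will now fail to compile and needs a separate const instance per variant. The same point applies to the `file_lock_operations` and `lock_manager_operations` hunk below.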
45889 @@ -1059,17 +1064,17 @@ static inline int file_check_writeable(s
45890 typedef struct files_struct *fl_owner_t;
45892 struct file_lock_operations {
45893 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45894 - void (*fl_release_private)(struct file_lock *);
45895 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45896 + void (* const fl_release_private)(struct file_lock *);
45899 struct lock_manager_operations {
45900 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
45901 - void (*fl_notify)(struct file_lock *); /* unblock callback */
45902 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
45903 - void (*fl_release_private)(struct file_lock *);
45904 - void (*fl_break)(struct file_lock *);
45905 - int (*fl_change)(struct file_lock **, int);
45906 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
45907 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
45908 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
45909 + void (* const fl_release_private)(struct file_lock *);
45910 + void (* const fl_break)(struct file_lock *);
45911 + int (* const fl_change)(struct file_lock **, int);
45914 struct lock_manager {
45915 diff -urNp linux-2.6.38.1/include/linux/fs_struct.h linux-2.6.38.1/include/linux/fs_struct.h
45916 --- linux-2.6.38.1/include/linux/fs_struct.h 2011-03-14 21:20:32.000000000 -0400
45917 +++ linux-2.6.38.1/include/linux/fs_struct.h 2011-03-21 18:31:35.000000000 -0400
45919 #include <linux/seqlock.h>
45927 diff -urNp linux-2.6.38.1/include/linux/genhd.h linux-2.6.38.1/include/linux/genhd.h
45928 --- linux-2.6.38.1/include/linux/genhd.h 2011-03-14 21:20:32.000000000 -0400
45929 +++ linux-2.6.38.1/include/linux/genhd.h 2011-03-21 18:31:35.000000000 -0400
45930 @@ -183,7 +183,7 @@ struct gendisk {
45931 struct kobject *slave_dir;
45933 struct timer_rand_state *random;
45934 - atomic_t sync_io; /* RAID */
45935 + atomic_unchecked_t sync_io; /* RAID */
45936 struct disk_events *ev;
45937 #ifdef CONFIG_BLK_DEV_INTEGRITY
45938 struct blk_integrity *integrity;
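Review bot: The `/* RAID */` comment on `sync_io` no longer explains the property that justifies the type change: if `atomic_unchecked_t` is the overflow-unchecked variant used elsewhere in this patch, the comment should say why overflow is acceptable for this field in particular. Something like `/* RAID: I/O counter used for statistics only, never a refcount; wrap-around is harmless, hence unchecked */` lets a later reviewer confirm the exemption still holds if the field gains a new use. Without that note the exemption reads as arbitrary and risks being copied to fields that are genuine reference counts.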
45939 diff -urNp linux-2.6.38.1/include/linux/gracl.h linux-2.6.38.1/include/linux/gracl.h
45940 --- linux-2.6.38.1/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
45941 +++ linux-2.6.38.1/include/linux/gracl.h 2011-03-26 14:27:27.000000000 -0400
45946 +#include <linux/grdefs.h>
45947 +#include <linux/resource.h>
45948 +#include <linux/capability.h>
45949 +#include <linux/dcache.h>
45950 +#include <asm/resource.h>
45952 +/* Major status information */
45954 +#define GR_VERSION "grsecurity 2.2.2"
45955 +#define GRSECURITY_VERSION 0x2202
45966 + GR_SPROLEPAM = 8,
45969 +/* Password setup definitions
45970 + * kernel/grhash.c */
45973 + GR_SALT_LEN = 16,
45978 + GR_SPROLE_LEN = 64,
45987 +#define GR_NLIMITS 32
45989 +/* Begin Data Structures */
45991 +struct sprole_pw {
45992 + unsigned char *rolename;
45993 + unsigned char salt[GR_SALT_LEN];
45994 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
45997 +struct name_entry {
46004 + struct name_entry *prev;
46005 + struct name_entry *next;
46008 +struct inodev_entry {
46009 + struct name_entry *nentry;
46010 + struct inodev_entry *prev;
46011 + struct inodev_entry *next;
46014 +struct acl_role_db {
46015 + struct acl_role_label **r_hash;
46019 +struct inodev_db {
46020 + struct inodev_entry **i_hash;
46025 + struct name_entry **n_hash;
46029 +struct crash_uid {
46031 + unsigned long expires;
46034 +struct gr_hash_struct {
46036 + void **nametable;
46038 + __u32 table_size;
46043 +/* Userspace Grsecurity ACL data structures */
46045 +struct acl_subject_label {
46050 + kernel_cap_t cap_mask;
46051 + kernel_cap_t cap_lower;
46052 + kernel_cap_t cap_invert_audit;
46054 + struct rlimit res[GR_NLIMITS];
46057 + __u8 user_trans_type;
46058 + __u8 group_trans_type;
46059 + uid_t *user_transitions;
46060 + gid_t *group_transitions;
46061 + __u16 user_trans_num;
46062 + __u16 group_trans_num;
46064 + __u32 sock_families[2];
46065 + __u32 ip_proto[8];
46067 + struct acl_ip_label **ips;
46069 + __u32 inaddr_any_override;
46072 + unsigned long expires;
46074 + struct acl_subject_label *parent_subject;
46075 + struct gr_hash_struct *hash;
46076 + struct acl_subject_label *prev;
46077 + struct acl_subject_label *next;
46079 + struct acl_object_label **obj_hash;
46080 + __u32 obj_hash_size;
46084 +struct role_allowed_ip {
46088 + struct role_allowed_ip *prev;
46089 + struct role_allowed_ip *next;
46092 +struct role_transition {
46095 + struct role_transition *prev;
46096 + struct role_transition *next;
46099 +struct acl_role_label {
46104 + __u16 auth_attempts;
46105 + unsigned long expires;
46107 + struct acl_subject_label *root_label;
46108 + struct gr_hash_struct *hash;
46110 + struct acl_role_label *prev;
46111 + struct acl_role_label *next;
46113 + struct role_transition *transitions;
46114 + struct role_allowed_ip *allowed_ips;
46115 + uid_t *domain_children;
46116 + __u16 domain_child_num;
46118 + struct acl_subject_label **subj_hash;
46119 + __u32 subj_hash_size;
46122 +struct user_acl_role_db {
46123 + struct acl_role_label **r_table;
46124 + __u32 num_pointers; /* Number of allocations to track */
46125 + __u32 num_roles; /* Number of roles */
46126 + __u32 num_domain_children; /* Number of domain children */
46127 + __u32 num_subjects; /* Number of subjects */
46128 + __u32 num_objects; /* Number of objects */
46131 +struct acl_object_label {
46137 + struct acl_subject_label *nested;
46138 + struct acl_object_label *globbed;
46140 + /* next two structures not used */
46142 + struct acl_object_label *prev;
46143 + struct acl_object_label *next;
46146 +struct acl_ip_label {
46155 + /* next two structures not used */
46157 + struct acl_ip_label *prev;
46158 + struct acl_ip_label *next;
46162 + struct user_acl_role_db role_db;
46163 + unsigned char pw[GR_PW_LEN];
46164 + unsigned char salt[GR_SALT_LEN];
46165 + unsigned char sum[GR_SHA_LEN];
46166 + unsigned char sp_role[GR_SPROLE_LEN];
46167 + struct sprole_pw *sprole_pws;
46168 + dev_t segv_device;
46169 + ino_t segv_inode;
46171 + __u16 num_sprole_pws;
46175 +struct gr_arg_wrapper {
46176 + struct gr_arg *arg;
46181 +struct subject_map {
46182 + struct acl_subject_label *user;
46183 + struct acl_subject_label *kernel;
46184 + struct subject_map *prev;
46185 + struct subject_map *next;
46188 +struct acl_subj_map_db {
46189 + struct subject_map **s_hash;
46193 +/* End Data Structures Section */
46195 +/* Hash functions generated by empirical testing by Brad Spengler
46196 + Makes good use of the low bits of the inode. Generally 0-1 times
46197 + in loop for successful match. 0-3 for unsuccessful match.
46198 + Shift/add algorithm with modulus of table size and an XOR*/
46200 +static __inline__ unsigned int
46201 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
46203 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
46206 + static __inline__ unsigned int
46207 +shash(const struct acl_subject_label *userp, const unsigned int sz)
46209 + return ((const unsigned long)userp % sz);
46212 +static __inline__ unsigned int
46213 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
46215 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
46218 +static __inline__ unsigned int
46219 +nhash(const char *name, const __u16 len, const unsigned int sz)
46221 + return full_name_hash((const unsigned char *)name, len) % sz;
46224 +#define FOR_EACH_ROLE_START(role) \
46225 + role = role_list; \
46228 +#define FOR_EACH_ROLE_END(role) \
46229 + role = role->prev; \
46232 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
46235 + while (iter < role->subj_hash_size) { \
46236 + if (subj == NULL) \
46237 + subj = role->subj_hash[iter]; \
46238 + if (subj == NULL) { \
46243 +#define FOR_EACH_SUBJECT_END(subj,iter) \
46244 + subj = subj->next; \
46245 + if (subj == NULL) \
46250 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
46251 + subj = role->hash->first; \
46252 + while (subj != NULL) {
46254 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
46255 + subj = subj->next; \
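Review bot: `rhash` shifts a 32-bit `uid_t` value by `16 + type` with no bound on `type`, so any `type` of 16 or more makes the shift count reach or exceed the operand width, which is undefined behaviour; the role-type constants in `grdefs.h` go up to 0x0800, and nothing in the declaration stops a caller from passing one of them. The function should document or enforce the precondition, e.g. `/* type must be < 16: the shift count is 16 + type on a 32-bit uid_t */`, or mask the shift count. All four hash helpers also divide by `sz` with no guard, so a zero-sized table would fault; if table sizes are validated at policy-load time, say so next to the helpers. Separately, the `static __inline__` line of `shash` is indented by one space unlike its siblings.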
46260 diff -urNp linux-2.6.38.1/include/linux/gralloc.h linux-2.6.38.1/include/linux/gralloc.h
46261 --- linux-2.6.38.1/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
46262 +++ linux-2.6.38.1/include/linux/gralloc.h 2011-03-21 18:31:35.000000000 -0400
46264 +#ifndef __GRALLOC_H
46265 +#define __GRALLOC_H
46267 +void acl_free_all(void);
46268 +int acl_alloc_stack_init(unsigned long size);
46269 +void *acl_alloc(unsigned long len);
46270 +void *acl_alloc_num(unsigned long num, unsigned long len);
46273 diff -urNp linux-2.6.38.1/include/linux/grdefs.h linux-2.6.38.1/include/linux/grdefs.h
46274 --- linux-2.6.38.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
46275 +++ linux-2.6.38.1/include/linux/grdefs.h 2011-03-26 16:39:14.000000000 -0400
46280 +/* Begin grsecurity status declarations */
46284 + GR_STATUS_INIT = 0x00 // disabled state
46287 +/* Begin ACL declarations */
46292 + GR_ROLE_USER = 0x0001,
46293 + GR_ROLE_GROUP = 0x0002,
46294 + GR_ROLE_DEFAULT = 0x0004,
46295 + GR_ROLE_SPECIAL = 0x0008,
46296 + GR_ROLE_AUTH = 0x0010,
46297 + GR_ROLE_NOPW = 0x0020,
46298 + GR_ROLE_GOD = 0x0040,
46299 + GR_ROLE_LEARN = 0x0080,
46300 + GR_ROLE_TPE = 0x0100,
46301 + GR_ROLE_DOMAIN = 0x0200,
46302 + GR_ROLE_PAM = 0x0400,
46303 + GR_ROLE_PERSIST = 0x0800
46306 +/* ACL Subject and Object mode flags */
46308 + GR_DELETED = 0x80000000
46311 +/* ACL Object-only mode flags */
46313 + GR_READ = 0x00000001,
46314 + GR_APPEND = 0x00000002,
46315 + GR_WRITE = 0x00000004,
46316 + GR_EXEC = 0x00000008,
46317 + GR_FIND = 0x00000010,
46318 + GR_INHERIT = 0x00000020,
46319 + GR_SETID = 0x00000040,
46320 + GR_CREATE = 0x00000080,
46321 + GR_DELETE = 0x00000100,
46322 + GR_LINK = 0x00000200,
46323 + GR_AUDIT_READ = 0x00000400,
46324 + GR_AUDIT_APPEND = 0x00000800,
46325 + GR_AUDIT_WRITE = 0x00001000,
46326 + GR_AUDIT_EXEC = 0x00002000,
46327 + GR_AUDIT_FIND = 0x00004000,
46328 + GR_AUDIT_INHERIT= 0x00008000,
46329 + GR_AUDIT_SETID = 0x00010000,
46330 + GR_AUDIT_CREATE = 0x00020000,
46331 + GR_AUDIT_DELETE = 0x00040000,
46332 + GR_AUDIT_LINK = 0x00080000,
46333 + GR_PTRACERD = 0x00100000,
46334 + GR_NOPTRACE = 0x00200000,
46335 + GR_SUPPRESS = 0x00400000,
46336 + GR_NOLEARN = 0x00800000,
46337 + GR_INIT_TRANSFER= 0x01000000
46340 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
46341 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
46342 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
46344 +/* ACL subject-only mode flags */
46346 + GR_KILL = 0x00000001,
46347 + GR_VIEW = 0x00000002,
46348 + GR_PROTECTED = 0x00000004,
46349 + GR_LEARN = 0x00000008,
46350 + GR_OVERRIDE = 0x00000010,
46351 + /* just a placeholder, this mode is only used in userspace */
46352 + GR_DUMMY = 0x00000020,
46353 + GR_PROTSHM = 0x00000040,
46354 + GR_KILLPROC = 0x00000080,
46355 + GR_KILLIPPROC = 0x00000100,
46356 + /* just a placeholder, this mode is only used in userspace */
46357 + GR_NOTROJAN = 0x00000200,
46358 + GR_PROTPROCFD = 0x00000400,
46359 + GR_PROCACCT = 0x00000800,
46360 + GR_RELAXPTRACE = 0x00001000,
46361 + GR_NESTED = 0x00002000,
46362 + GR_INHERITLEARN = 0x00004000,
46363 + GR_PROCFIND = 0x00008000,
46364 + GR_POVERRIDE = 0x00010000,
46365 + GR_KERNELAUTH = 0x00020000,
46366 + GR_ATSECURE = 0x00040000
46370 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
46371 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
46372 + GR_PAX_ENABLE_MPROTECT = 0x0004,
46373 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
46374 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
46375 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
46376 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
46377 + GR_PAX_DISABLE_MPROTECT = 0x0400,
46378 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
46379 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
46383 + GR_ID_USER = 0x01,
46384 + GR_ID_GROUP = 0x02,
46388 + GR_ID_ALLOW = 0x01,
46389 + GR_ID_DENY = 0x02,
46392 +#define GR_CRASH_RES 31
46393 +#define GR_UIDTABLE_MAX 500
46395 +/* begin resource learning section */
46397 + GR_RLIM_CPU_BUMP = 60,
46398 + GR_RLIM_FSIZE_BUMP = 50000,
46399 + GR_RLIM_DATA_BUMP = 10000,
46400 + GR_RLIM_STACK_BUMP = 1000,
46401 + GR_RLIM_CORE_BUMP = 10000,
46402 + GR_RLIM_RSS_BUMP = 500000,
46403 + GR_RLIM_NPROC_BUMP = 1,
46404 + GR_RLIM_NOFILE_BUMP = 5,
46405 + GR_RLIM_MEMLOCK_BUMP = 50000,
46406 + GR_RLIM_AS_BUMP = 500000,
46407 + GR_RLIM_LOCKS_BUMP = 2,
46408 + GR_RLIM_SIGPENDING_BUMP = 5,
46409 + GR_RLIM_MSGQUEUE_BUMP = 10000,
46410 + GR_RLIM_NICE_BUMP = 1,
46411 + GR_RLIM_RTPRIO_BUMP = 1,
46412 + GR_RLIM_RTTIME_BUMP = 1000000
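Review bot: `GR_DELETED = 0x80000000` is an enumerator whose value is not representable as `int`, which C requires of enumeration constants (C11 6.7.2.2); GCC accepts it as an extension and widens the enum, but it is a constraint violation that other compilers or `-pedantic` builds reject, and it silently makes the enum's underlying type unsigned. Since the flag is only ever used as a `__u32` mask, `#define GR_DELETED 0x80000000U` (or keeping the enumerator with a comment recording the reliance on the GCC extension) avoids the issue. The `// disabled state` comment on `GR_STATUS_INIT` is the only C++-style comment in the file; `/* disabled state */` matches the rest.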
46416 diff -urNp linux-2.6.38.1/include/linux/grinternal.h linux-2.6.38.1/include/linux/grinternal.h
46417 --- linux-2.6.38.1/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
46418 +++ linux-2.6.38.1/include/linux/grinternal.h 2011-03-26 16:51:07.000000000 -0400
46420 +#ifndef __GRINTERNAL_H
46421 +#define __GRINTERNAL_H
46423 +#ifdef CONFIG_GRKERNSEC
46425 +#include <linux/fs.h>
46426 +#include <linux/mnt_namespace.h>
46427 +#include <linux/nsproxy.h>
46428 +#include <linux/gracl.h>
46429 +#include <linux/grdefs.h>
46430 +#include <linux/grmsg.h>
46432 +void gr_add_learn_entry(const char *fmt, ...)
46433 + __attribute__ ((format (printf, 1, 2)));
46434 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
46435 + const struct vfsmount *mnt);
46436 +__u32 gr_check_create(const struct dentry *new_dentry,
46437 + const struct dentry *parent,
46438 + const struct vfsmount *mnt, const __u32 mode);
46439 +int gr_check_protected_task(const struct task_struct *task);
46440 +__u32 to_gr_audit(const __u32 reqmode);
46441 +int gr_set_acls(const int type);
46442 +int gr_apply_subject_to_task(struct task_struct *task);
46443 +int gr_acl_is_enabled(void);
46444 +char gr_roletype_to_char(void);
46446 +void gr_handle_alertkill(struct task_struct *task);
46447 +char *gr_to_filename(const struct dentry *dentry,
46448 + const struct vfsmount *mnt);
46449 +char *gr_to_filename1(const struct dentry *dentry,
46450 + const struct vfsmount *mnt);
46451 +char *gr_to_filename2(const struct dentry *dentry,
46452 + const struct vfsmount *mnt);
46453 +char *gr_to_filename3(const struct dentry *dentry,
46454 + const struct vfsmount *mnt);
46456 +extern int grsec_enable_harden_ptrace;
46457 +extern int grsec_enable_link;
46458 +extern int grsec_enable_fifo;
46459 +extern int grsec_enable_execve;
46460 +extern int grsec_enable_shm;
46461 +extern int grsec_enable_execlog;
46462 +extern int grsec_enable_signal;
46463 +extern int grsec_enable_audit_ptrace;
46464 +extern int grsec_enable_forkfail;
46465 +extern int grsec_enable_time;
46466 +extern int grsec_enable_rofs;
46467 +extern int grsec_enable_chroot_shmat;
46468 +extern int grsec_enable_chroot_findtask;
46469 +extern int grsec_enable_chroot_mount;
46470 +extern int grsec_enable_chroot_double;
46471 +extern int grsec_enable_chroot_pivot;
46472 +extern int grsec_enable_chroot_chdir;
46473 +extern int grsec_enable_chroot_chmod;
46474 +extern int grsec_enable_chroot_mknod;
46475 +extern int grsec_enable_chroot_fchdir;
46476 +extern int grsec_enable_chroot_nice;
46477 +extern int grsec_enable_chroot_execlog;
46478 +extern int grsec_enable_chroot_caps;
46479 +extern int grsec_enable_chroot_sysctl;
46480 +extern int grsec_enable_chroot_unix;
46481 +extern int grsec_enable_tpe;
46482 +extern int grsec_tpe_gid;
46483 +extern int grsec_enable_tpe_all;
46484 +extern int grsec_enable_tpe_invert;
46485 +extern int grsec_enable_socket_all;
46486 +extern int grsec_socket_all_gid;
46487 +extern int grsec_enable_socket_client;
46488 +extern int grsec_socket_client_gid;
46489 +extern int grsec_enable_socket_server;
46490 +extern int grsec_socket_server_gid;
46491 +extern int grsec_audit_gid;
46492 +extern int grsec_enable_group;
46493 +extern int grsec_enable_audit_textrel;
46494 +extern int grsec_enable_log_rwxmaps;
46495 +extern int grsec_enable_mount;
46496 +extern int grsec_enable_chdir;
46497 +extern int grsec_resource_logging;
46498 +extern int grsec_enable_blackhole;
46499 +extern int grsec_lastack_retries;
46500 +extern int grsec_lock;
46502 +extern spinlock_t grsec_alert_lock;
46503 +extern unsigned long grsec_alert_wtime;
46504 +extern unsigned long grsec_alert_fyet;
46506 +extern spinlock_t grsec_audit_lock;
46508 +extern rwlock_t grsec_exec_file_lock;
46510 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
46511 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
46512 + (tsk)->exec_file->f_vfsmnt) : "/")
46514 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
46515 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
46516 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46518 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
46519 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
46520 + (tsk)->exec_file->f_vfsmnt) : "/")
46522 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
46523 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
46524 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46526 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
46528 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
46530 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
46531 + (task)->pid, (cred)->uid, \
46532 + (cred)->euid, (cred)->gid, (cred)->egid, \
46533 + gr_parent_task_fullpath(task), \
46534 + (task)->real_parent->comm, (task)->real_parent->pid, \
46535 + (pcred)->uid, (pcred)->euid, \
46536 + (pcred)->gid, (pcred)->egid
46538 +#define GR_CHROOT_CAPS {{ \
46539 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
46540 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
46541 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
46542 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
46543 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
46544 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
46546 +#define security_learn(normal_msg,args...) \
46548 + read_lock(&grsec_exec_file_lock); \
46549 + gr_add_learn_entry(normal_msg "\n", ## args); \
46550 + read_unlock(&grsec_exec_file_lock); \
46556 + /* used for non-audit messages that we shouldn't kill the task on */
46557 + GR_DONT_AUDIT_GOOD
46568 + GR_SYSCTL_HIDDEN,
46571 + GR_ONE_INT_TWO_STR,
46577 + GR_FIVE_INT_TWO_STR,
46583 + GR_FILENAME_TWO_INT,
46584 + GR_FILENAME_TWO_INT_STR,
46597 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
46598 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
46599 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
46600 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
46601 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
46602 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
46603 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
46604 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
46605 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
46606 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
46607 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
46608 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
46609 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
46610 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
46611 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
46612 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
46613 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
46614 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
46615 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
46616 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
46617 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
46618 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
46619 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
46620 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
46621 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
46622 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
46623 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
46624 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
46625 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
46626 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
46627 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
46628 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
46629 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
46630 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
46632 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
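Review bot: `gr_log_varargs` receives `msg`, a printf-style format (the `GR_*_MSG` strings are full of `%` directives), but because the arguments are described by `argtypes` rather than by the format it cannot carry `__attribute__((format(printf, ...)))` the way `gr_add_learn_entry` does, so the compiler will not catch a mismatch or a runtime-built string passed as `msg`. The contract belongs at the prototype: `/* msg must be a compile-time GR_*_MSG literal; argtypes, not the format, drives argument parsing, so no format checking is possible */`, noting that the `gr_log_*` wrapper macros above are the only intended callers. Separately, `GR_CHROOT_CAPS` hard-codes a two-word initializer (`..., 0 }}`), which assumes the capability set is exactly two `u32` words; a `BUILD_BUG_ON` or a comment tying it to the capability word count would make that dependency visible.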
46637 diff -urNp linux-2.6.38.1/include/linux/grmsg.h linux-2.6.38.1/include/linux/grmsg.h
46638 --- linux-2.6.38.1/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
46639 +++ linux-2.6.38.1/include/linux/grmsg.h 2011-03-26 16:52:08.000000000 -0400
46641 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
46642 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
46643 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
46644 +#define GR_STOPMOD_MSG "denied modification of module state by "
46645 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
46646 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
46647 +#define GR_IOPERM_MSG "denied use of ioperm() by "
46648 +#define GR_IOPL_MSG "denied use of iopl() by "
46649 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
46650 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
46651 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
46652 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
46653 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
46654 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
46655 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
46656 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
46657 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
46658 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
46659 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
46660 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
46661 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
46662 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
46663 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
46664 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
46665 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
46666 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
46667 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
46668 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
46669 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
46670 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
46671 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
46672 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
46673 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
46674 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
46675 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
46676 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
46677 +#define GR_NPROC_MSG "denied overstep of process limit by "
46678 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
46679 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
46680 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
46681 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
46682 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
46683 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
46684 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
46685 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
46686 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
46687 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
46688 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
46689 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
46690 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
46691 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
46692 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
46693 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
46694 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
46695 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
46696 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
46697 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
46698 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
46699 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
46700 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
46701 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
46702 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
46703 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
46704 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
46705 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
46706 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
46707 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
46708 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
46709 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
46710 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
46711 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
46712 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
46713 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
46714 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
46715 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
46716 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
46717 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
46718 +#define GR_NICE_CHROOT_MSG "denied priority change by "
46719 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
46720 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
46721 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
46722 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
46723 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
46724 +#define GR_TIME_MSG "time set by "
46725 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
46726 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
46727 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
46728 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
46729 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
46730 +#define GR_BIND_MSG "denied bind() by "
46731 +#define GR_CONNECT_MSG "denied connect() by "
46732 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
46733 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
46734 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
46735 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
46736 +#define GR_CAP_ACL_MSG "use of %s denied for "
46737 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
46738 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
46739 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
46740 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
46741 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
46742 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
46743 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
46744 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
46745 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
46746 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
46747 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
46748 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
46749 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
46750 +#define GR_VM86_MSG "denied use of vm86 by "
46751 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
46752 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
46753 diff -urNp linux-2.6.38.1/include/linux/grsecurity.h linux-2.6.38.1/include/linux/grsecurity.h
46754 --- linux-2.6.38.1/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
46755 +++ linux-2.6.38.1/include/linux/grsecurity.h 2011-03-26 19:58:41.000000000 -0400
46757 +#ifndef GR_SECURITY_H
46758 +#define GR_SECURITY_H
46759 +#include <linux/fs.h>
46760 +#include <linux/fs_struct.h>
46761 +#include <linux/binfmts.h>
46762 +#include <linux/gracl.h>
46763 +#include <linux/compat.h>
46765 +/* notify of brain-dead configs */
46766 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
46767 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
46769 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46770 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46772 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46773 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46775 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
46776 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
46778 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
46779 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
46782 +void gr_handle_brute_attach(struct task_struct *p);
46783 +void gr_handle_brute_check(void);
46785 +char gr_roletype_to_char(void);
46787 +int gr_acl_enable_at_secure(void);
46789 +int gr_check_user_change(int real, int effective, int fs);
46790 +int gr_check_group_change(int real, int effective, int fs);
46792 +void gr_del_task_from_ip_table(struct task_struct *p);
46794 +int gr_pid_is_chrooted(struct task_struct *p);
46795 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
46796 +int gr_handle_chroot_nice(void);
46797 +int gr_handle_chroot_sysctl(const int op);
46798 +int gr_handle_chroot_setpriority(struct task_struct *p,
46799 + const int niceval);
46800 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
46801 +int gr_handle_chroot_chroot(const struct dentry *dentry,
46802 + const struct vfsmount *mnt);
46803 +int gr_handle_chroot_caps(struct path *path);
46804 +void gr_handle_chroot_chdir(struct path *path);
46805 +int gr_handle_chroot_chmod(const struct dentry *dentry,
46806 + const struct vfsmount *mnt, const int mode);
46807 +int gr_handle_chroot_mknod(const struct dentry *dentry,
46808 + const struct vfsmount *mnt, const int mode);
46809 +int gr_handle_chroot_mount(const struct dentry *dentry,
46810 + const struct vfsmount *mnt,
46811 + const char *dev_name);
46812 +int gr_handle_chroot_pivot(void);
46813 +int gr_handle_chroot_unix(struct pid *pid);
46815 +int gr_handle_rawio(const struct inode *inode);
46816 +int gr_handle_nproc(void);
46818 +void gr_handle_ioperm(void);
46819 +void gr_handle_iopl(void);
46821 +int gr_tpe_allow(const struct file *file);
46823 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
46824 +void gr_clear_chroot_entries(struct task_struct *task);
46826 +void gr_log_forkfail(const int retval);
46827 +void gr_log_timechange(void);
46828 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
46829 +void gr_log_chdir(const struct dentry *dentry,
46830 + const struct vfsmount *mnt);
46831 +void gr_log_chroot_exec(const struct dentry *dentry,
46832 + const struct vfsmount *mnt);
46833 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
46834 +#ifdef CONFIG_COMPAT
46835 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
46837 +void gr_log_remount(const char *devname, const int retval);
46838 +void gr_log_unmount(const char *devname, const int retval);
46839 +void gr_log_mount(const char *from, const char *to, const int retval);
46840 +void gr_log_textrel(struct vm_area_struct *vma);
46841 +void gr_log_rwxmmap(struct file *file);
46842 +void gr_log_rwxmprotect(struct file *file);
46844 +int gr_handle_follow_link(const struct inode *parent,
46845 + const struct inode *inode,
46846 + const struct dentry *dentry,
46847 + const struct vfsmount *mnt);
46848 +int gr_handle_fifo(const struct dentry *dentry,
46849 + const struct vfsmount *mnt,
46850 + const struct dentry *dir, const int flag,
46851 + const int acc_mode);
46852 +int gr_handle_hardlink(const struct dentry *dentry,
46853 + const struct vfsmount *mnt,
46854 + struct inode *inode,
46855 + const int mode, const char *to);
46857 +int gr_is_capable(const int cap);
46858 +int gr_is_capable_nolog(const int cap);
46859 +void gr_learn_resource(const struct task_struct *task, const int limit,
46860 + const unsigned long wanted, const int gt);
46861 +void gr_copy_label(struct task_struct *tsk);
46862 +void gr_handle_crash(struct task_struct *task, const int sig);
46863 +int gr_handle_signal(const struct task_struct *p, const int sig);
46864 +int gr_check_crash_uid(const uid_t uid);
46865 +int gr_check_protected_task(const struct task_struct *task);
46866 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
46867 +int gr_acl_handle_mmap(const struct file *file,
46868 + const unsigned long prot);
46869 +int gr_acl_handle_mprotect(const struct file *file,
46870 + const unsigned long prot);
46871 +int gr_check_hidden_task(const struct task_struct *tsk);
46872 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
46873 + const struct vfsmount *mnt);
46874 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
46875 + const struct vfsmount *mnt);
46876 +__u32 gr_acl_handle_access(const struct dentry *dentry,
46877 + const struct vfsmount *mnt, const int fmode);
46878 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
46879 + const struct vfsmount *mnt, mode_t mode);
46880 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
46881 + const struct vfsmount *mnt, mode_t mode);
46882 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
46883 + const struct vfsmount *mnt);
46884 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
46885 + const struct vfsmount *mnt);
46886 +int gr_handle_ptrace(struct task_struct *task, const long request);
46887 +int gr_handle_proc_ptrace(struct task_struct *task);
46888 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
46889 + const struct vfsmount *mnt);
46890 +int gr_check_crash_exec(const struct file *filp);
46891 +int gr_acl_is_enabled(void);
46892 +void gr_set_kernel_label(struct task_struct *task);
46893 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
46894 + const gid_t gid);
46895 +int gr_set_proc_label(const struct dentry *dentry,
46896 + const struct vfsmount *mnt,
46897 + const int unsafe_share);
46898 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
46899 + const struct vfsmount *mnt);
46900 +__u32 gr_acl_handle_open(const struct dentry *dentry,
46901 + const struct vfsmount *mnt, const int fmode);
46902 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
46903 + const struct dentry *p_dentry,
46904 + const struct vfsmount *p_mnt, const int fmode,
46905 + const int imode);
46906 +void gr_handle_create(const struct dentry *dentry,
46907 + const struct vfsmount *mnt);
46908 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
46909 + const struct dentry *parent_dentry,
46910 + const struct vfsmount *parent_mnt,
46912 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
46913 + const struct dentry *parent_dentry,
46914 + const struct vfsmount *parent_mnt);
46915 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
46916 + const struct vfsmount *mnt);
46917 +void gr_handle_delete(const ino_t ino, const dev_t dev);
46918 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
46919 + const struct vfsmount *mnt);
46920 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
46921 + const struct dentry *parent_dentry,
46922 + const struct vfsmount *parent_mnt,
46923 + const char *from);
46924 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
46925 + const struct dentry *parent_dentry,
46926 + const struct vfsmount *parent_mnt,
46927 + const struct dentry *old_dentry,
46928 + const struct vfsmount *old_mnt, const char *to);
46929 +int gr_acl_handle_rename(struct dentry *new_dentry,
46930 + struct dentry *parent_dentry,
46931 + const struct vfsmount *parent_mnt,
46932 + struct dentry *old_dentry,
46933 + struct inode *old_parent_inode,
46934 + struct vfsmount *old_mnt, const char *newname);
46935 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
46936 + struct dentry *old_dentry,
46937 + struct dentry *new_dentry,
46938 + struct vfsmount *mnt, const __u8 replace);
46939 +__u32 gr_check_link(const struct dentry *new_dentry,
46940 + const struct dentry *parent_dentry,
46941 + const struct vfsmount *parent_mnt,
46942 + const struct dentry *old_dentry,
46943 + const struct vfsmount *old_mnt);
46944 +int gr_acl_handle_filldir(const struct file *file, const char *name,
46945 + const unsigned int namelen, const ino_t ino);
46947 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
46948 + const struct vfsmount *mnt);
46949 +void gr_acl_handle_exit(void);
46950 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
46951 +int gr_acl_handle_procpidmem(const struct task_struct *task);
46952 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
46953 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
46954 +void gr_audit_ptrace(struct task_struct *task);
46955 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
46957 +#ifdef CONFIG_GRKERNSEC
46958 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
46959 +void gr_log_nonroot_mod_load(const char *modname);
46960 +void gr_handle_vm86(void);
46961 +void gr_handle_mem_write(void);
46962 +void gr_handle_kmem_write(void);
46963 +void gr_handle_open_port(void);
46964 +int gr_handle_mem_mmap(const unsigned long offset,
46965 + struct vm_area_struct *vma);
46967 +extern int grsec_enable_dmesg;
46968 +extern int grsec_disable_privio;
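Review bot: The prototypes put `const` on by-value scalar parameters throughout (`gr_handle_chroot_sysctl(const int op)`, `gr_is_capable(const int cap)`, `gr_check_crash_uid(const uid_t uid)`, `gr_handle_signal(const struct task_struct *p, const int sig)` and many more); top-level `const` on a by-value parameter is a definition-side detail that changes nothing for the caller, and kernel headers conventionally leave it out. `task_grsec_rbac(struct seq_file *m, ...)` relies on one of the five includes at the top indirectly declaring `struct seq_file`; if none does, the tag is scoped to that prototype and the declaration silently stops matching the definition, so a forward declaration `struct seq_file;` after the includes is the safe form. The sibling grsock.h header in this same patch writes `extern` on every prototype while this one writes it only on the two `int` globals; pick one style for the grsecurity headers. The closing `#endif` lines of the `CONFIG_GRKERNSEC` and `GR_SECURITY_H` conditionals are not shown on the page.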
46972 diff -urNp linux-2.6.38.1/include/linux/grsock.h linux-2.6.38.1/include/linux/grsock.h
46973 --- linux-2.6.38.1/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
46974 +++ linux-2.6.38.1/include/linux/grsock.h 2011-03-21 18:31:35.000000000 -0400
46976 +#ifndef __GRSOCK_H
46977 +#define __GRSOCK_H
46979 +extern void gr_attach_curr_ip(const struct sock *sk);
46980 +extern int gr_handle_sock_all(const int family, const int type,
46981 + const int protocol);
46982 +extern int gr_handle_sock_server(const struct sockaddr *sck);
46983 +extern int gr_handle_sock_server_other(const struct sock *sck);
46984 +extern int gr_handle_sock_client(const struct sockaddr *sck);
46985 +extern int gr_search_connect(struct socket * sock,
46986 + struct sockaddr_in * addr);
46987 +extern int gr_search_bind(struct socket * sock,
46988 + struct sockaddr_in * addr);
46989 +extern int gr_search_listen(struct socket * sock);
46990 +extern int gr_search_accept(struct socket * sock);
46991 +extern int gr_search_socket(const int domain, const int type,
46992 + const int protocol);
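Review bot: The header uses `const struct sock *`, `const struct sockaddr *`, `struct sockaddr_in *` and `struct socket *` in parameter lists but has no includes and no forward declarations, so if it is included before `<net/sock.h>`/`<linux/socket.h>` each struct tag is scoped to its own prototype (GCC warns "declared inside parameter list") and the prototype no longer matches the definition. Add after the include guard: `struct sock; struct socket; struct sockaddr; struct sockaddr_in;`. The `struct socket * sock` spacing on the `gr_search_*` lines also departs from the `type *name` form used on the other declarations in this file. The closing `#endif` is not shown on the page.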
46995 diff -urNp linux-2.6.38.1/include/linux/highmem.h linux-2.6.38.1/include/linux/highmem.h
46996 --- linux-2.6.38.1/include/linux/highmem.h 2011-03-14 21:20:32.000000000 -0400
46997 +++ linux-2.6.38.1/include/linux/highmem.h 2011-03-21 18:31:35.000000000 -0400
46998 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
46999 kunmap_atomic(kaddr, KM_USER0);
47002 +static inline void sanitize_highpage(struct page *page)
47005 + unsigned long flags;
47007 + local_irq_save(flags);
47008 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
47009 + clear_page(kaddr);
47010 + kunmap_atomic(kaddr, KM_CLEARPAGE);
47011 + local_irq_restore(flags);
47014 static inline void zero_user_segments(struct page *page,
47015 unsigned start1, unsigned end1,
47016 unsigned start2, unsigned end2)
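Review bot: `sanitize_highpage` has no comment, and it differs from `clear_highpage` immediately above in two ways the reader needs explained: the map/clear/unmap sequence runs under `local_irq_save`/`local_irq_restore`, and it uses a dedicated `KM_CLEARPAGE` slot instead of `KM_USER0`. Presumably this lets it be called from the page-free path in any context without disturbing the user kmap slot, but that is inferred, not shown; confirm and state it above the function, e.g. `/* Zero a page being freed: own kmap slot and IRQs off so it is safe from any context without clobbering KM_USER0 (PaX SANITIZE). */`. `KM_CLEARPAGE` is not introduced in this hunk and must exist in every architecture's kmap_types.h that builds this header. The `kaddr` declaration and the braces of this function are not shown on the page.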
47017 diff -urNp linux-2.6.38.1/include/linux/init.h linux-2.6.38.1/include/linux/init.h
47018 --- linux-2.6.38.1/include/linux/init.h 2011-03-14 21:20:32.000000000 -0400
47019 +++ linux-2.6.38.1/include/linux/init.h 2011-03-21 18:31:35.000000000 -0400
47020 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
47022 /* Each module must use one module_init(). */
47023 #define module_init(initfn) \
47024 - static inline initcall_t __inittest(void) \
47025 + static inline __used initcall_t __inittest(void) \
47026 { return initfn; } \
47027 int init_module(void) __attribute__((alias(#initfn)));
47029 /* This is only required if you want to be unloadable. */
47030 #define module_exit(exitfn) \
47031 - static inline exitcall_t __exittest(void) \
47032 + static inline __used exitcall_t __exittest(void) \
47033 { return exitfn; } \
47034 void cleanup_module(void) __attribute__((alias(#exitfn)));
47036 diff -urNp linux-2.6.38.1/include/linux/interrupt.h linux-2.6.38.1/include/linux/interrupt.h
47037 --- linux-2.6.38.1/include/linux/interrupt.h 2011-03-14 21:20:32.000000000 -0400
47038 +++ linux-2.6.38.1/include/linux/interrupt.h 2011-03-21 18:31:35.000000000 -0400
47039 @@ -393,7 +393,7 @@ enum
47040 /* map softirq index to softirq name. update 'softirq_to_name' in
47041 * kernel/softirq.c when adding a new softirq.
47043 -extern char *softirq_to_name[NR_SOFTIRQS];
47044 +extern const char * const softirq_to_name[NR_SOFTIRQS];
47046 /* softirq mask and active fields moved to irq_cpustat_t in
47047 * asm/hardirq.h to get better cache usage. KAO
47048 @@ -401,12 +401,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
47050 struct softirq_action
47052 - void (*action)(struct softirq_action *);
47053 + void (*action)(void);
47056 asmlinkage void do_softirq(void);
47057 asmlinkage void __do_softirq(void);
47058 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
47059 +extern void open_softirq(int nr, void (*action)(void));
47060 extern void softirq_init(void);
47061 static inline void __raise_softirq_irqoff(unsigned int nr)
47063 diff -urNp linux-2.6.38.1/include/linux/jbd2.h linux-2.6.38.1/include/linux/jbd2.h
47064 --- linux-2.6.38.1/include/linux/jbd2.h 2011-03-14 21:20:32.000000000 -0400
47065 +++ linux-2.6.38.1/include/linux/jbd2.h 2011-03-21 18:31:35.000000000 -0400
47066 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
47070 -#define jbd_debug(f, a...) /**/
47071 +#define jbd_debug(f, a...) do {} while (0)
47074 extern void *jbd2_alloc(size_t size, gfp_t flags);
47075 diff -urNp linux-2.6.38.1/include/linux/jbd.h linux-2.6.38.1/include/linux/jbd.h
47076 --- linux-2.6.38.1/include/linux/jbd.h 2011-03-14 21:20:32.000000000 -0400
47077 +++ linux-2.6.38.1/include/linux/jbd.h 2011-03-21 18:31:35.000000000 -0400
47078 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
47082 -#define jbd_debug(f, a...) /**/
47083 +#define jbd_debug(f, a...) do {} while (0)
47086 static inline void *jbd_alloc(size_t size, gfp_t flags)
47087 diff -urNp linux-2.6.38.1/include/linux/kallsyms.h linux-2.6.38.1/include/linux/kallsyms.h
47088 --- linux-2.6.38.1/include/linux/kallsyms.h 2011-03-14 21:20:32.000000000 -0400
47089 +++ linux-2.6.38.1/include/linux/kallsyms.h 2011-03-21 18:31:35.000000000 -0400
47094 -#ifdef CONFIG_KALLSYMS
47095 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
47096 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
47097 /* Lookup the address for a symbol. Returns 0 if not found. */
47098 unsigned long kallsyms_lookup_name(const char *name);
47100 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
47101 /* Stupid that this does nothing, but I didn't create this mess. */
47102 #define __print_symbol(fmt, addr)
47103 #endif /*CONFIG_KALLSYMS*/
47104 +#else /* when included by kallsyms.c, vsnprintf.c, or
47105 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
47106 +extern void __print_symbol(const char *fmt, unsigned long address);
47107 +extern int sprint_symbol(char *buffer, unsigned long address);
47108 +const char *kallsyms_lookup(unsigned long addr,
47109 + unsigned long *symbolsize,
47110 + unsigned long *offset,
47111 + char **modname, char *namebuf);
47114 /* This macro allows us to keep printk typechecking */
47115 static void __check_printsym_format(const char *fmt, ...)
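Review bot: The `#endif /*CONFIG_KALLSYMS*/` at line 47103 now closes the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` introduced by the earlier hunk, so its trailing comment is stale; change it to `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and give the outer `#endif` pairing with `#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` a matching comment (that outer `#endif` is not shown on the page). In the new `#else` branch `kallsyms_lookup` is declared without `extern` while `__print_symbol` and `sprint_symbol` just above it carry it; use one form. The comment on the `#else` would also read better as a complete sentence naming the contract: `/* HIDESYM: only the few files that define __INCLUDED_BY_HIDESYM get the real prototypes; everyone else gets the stubs above. */`.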
47116 diff -urNp linux-2.6.38.1/include/linux/kgdb.h linux-2.6.38.1/include/linux/kgdb.h
47117 --- linux-2.6.38.1/include/linux/kgdb.h 2011-03-14 21:20:32.000000000 -0400
47118 +++ linux-2.6.38.1/include/linux/kgdb.h 2011-03-21 18:31:35.000000000 -0400
47119 @@ -269,22 +269,22 @@ struct kgdb_arch {
47123 - int (*read_char) (void);
47124 - void (*write_char) (u8);
47125 - void (*flush) (void);
47126 - int (*init) (void);
47127 - void (*pre_exception) (void);
47128 - void (*post_exception) (void);
47129 + int (* const read_char) (void);
47130 + void (* const write_char) (u8);
47131 + void (* const flush) (void);
47132 + int (* const init) (void);
47133 + void (* const pre_exception) (void);
47134 + void (* const post_exception) (void);
47138 -extern struct kgdb_arch arch_kgdb_ops;
47139 +extern const struct kgdb_arch arch_kgdb_ops;
47141 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
47143 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
47144 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
47145 -extern struct kgdb_io *dbg_io_ops;
47146 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
47147 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
47148 +extern const struct kgdb_io *dbg_io_ops;
47150 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
47151 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
47152 diff -urNp linux-2.6.38.1/include/linux/kvm_host.h linux-2.6.38.1/include/linux/kvm_host.h
47153 --- linux-2.6.38.1/include/linux/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
47154 +++ linux-2.6.38.1/include/linux/kvm_host.h 2011-03-21 18:31:35.000000000 -0400
47155 @@ -288,7 +288,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
47156 void vcpu_load(struct kvm_vcpu *vcpu);
47157 void vcpu_put(struct kvm_vcpu *vcpu);
47159 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
47160 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
47161 struct module *module);
47162 void kvm_exit(void);
47164 @@ -428,7 +428,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
47165 struct kvm_guest_debug *dbg);
47166 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
47168 -int kvm_arch_init(void *opaque);
47169 +int kvm_arch_init(const void *opaque);
47170 void kvm_arch_exit(void);
47172 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
47173 diff -urNp linux-2.6.38.1/include/linux/libata.h linux-2.6.38.1/include/linux/libata.h
47174 --- linux-2.6.38.1/include/linux/libata.h 2011-03-14 21:20:32.000000000 -0400
47175 +++ linux-2.6.38.1/include/linux/libata.h 2011-03-21 18:31:35.000000000 -0400
47176 @@ -65,11 +65,11 @@
47177 #ifdef ATA_VERBOSE_DEBUG
47178 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
47180 -#define VPRINTK(fmt, args...)
47181 +#define VPRINTK(fmt, args...) do {} while (0)
47182 #endif /* ATA_VERBOSE_DEBUG */
47184 -#define DPRINTK(fmt, args...)
47185 -#define VPRINTK(fmt, args...)
47186 +#define DPRINTK(fmt, args...) do {} while (0)
47187 +#define VPRINTK(fmt, args...) do {} while (0)
47188 #endif /* ATA_DEBUG */
47190 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
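Review bot: `VPRINTK` and `DPRINTK` are made statement-safe with `do {} while (0)`, but the hunk stops short of `BPRINTK` on its last context line, which is still a bare `if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...)`, so `if (c) BPRINTK(...); else ...` binds the `else` to the macro's own `if`. Since the hunk is already touching this macro family, wrap it the same way: `#define BPRINTK(fmt, args...) do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args); } while (0)`. The `#else` line between the `ATA_VERBOSE_DEBUG` branches is not shown on the page.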
47191 @@ -530,11 +530,11 @@ struct ata_ioports {
47195 - struct device *dev;
47196 + struct device *dev;
47197 void __iomem * const *iomap;
47198 unsigned int n_ports;
47199 void *private_data;
47200 - struct ata_port_operations *ops;
47201 + const struct ata_port_operations *ops;
47202 unsigned long flags;
47204 struct mutex eh_mutex;
47205 @@ -725,7 +725,7 @@ struct ata_link {
47208 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
47209 - struct ata_port_operations *ops;
47210 + const struct ata_port_operations *ops;
47212 /* Flags owned by the EH context. Only EH should touch these once the
47214 @@ -913,7 +913,7 @@ struct ata_port_info {
47215 unsigned long pio_mask;
47216 unsigned long mwdma_mask;
47217 unsigned long udma_mask;
47218 - struct ata_port_operations *port_ops;
47219 + const struct ata_port_operations *port_ops;
47220 void *private_data;
47223 @@ -937,7 +937,7 @@ extern const unsigned long sata_deb_timi
47224 extern const unsigned long sata_deb_timing_hotplug[];
47225 extern const unsigned long sata_deb_timing_long[];
47227 -extern struct ata_port_operations ata_dummy_port_ops;
47228 +extern const struct ata_port_operations ata_dummy_port_ops;
47229 extern const struct ata_port_info ata_dummy_port_info;
47231 static inline const unsigned long *
47232 @@ -983,7 +983,7 @@ extern int ata_host_activate(struct ata_
47233 struct scsi_host_template *sht);
47234 extern void ata_host_detach(struct ata_host *host);
47235 extern void ata_host_init(struct ata_host *, struct device *,
47236 - unsigned long, struct ata_port_operations *);
47237 + unsigned long, const struct ata_port_operations *);
47238 extern int ata_scsi_detect(struct scsi_host_template *sht);
47239 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
47240 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
47241 diff -urNp linux-2.6.38.1/include/linux/lockd/bind.h linux-2.6.38.1/include/linux/lockd/bind.h
47242 --- linux-2.6.38.1/include/linux/lockd/bind.h 2011-03-14 21:20:32.000000000 -0400
47243 +++ linux-2.6.38.1/include/linux/lockd/bind.h 2011-03-21 18:31:35.000000000 -0400
47244 @@ -23,13 +23,13 @@ struct svc_rqst;
47245 * This is the set of functions for lockd->nfsd communication
47247 struct nlmsvc_binding {
47248 - __be32 (*fopen)(struct svc_rqst *,
47249 + __be32 (* const fopen)(struct svc_rqst *,
47252 - void (*fclose)(struct file *);
47253 + void (* const fclose)(struct file *);
47256 -extern struct nlmsvc_binding * nlmsvc_ops;
47257 +extern const struct nlmsvc_binding * nlmsvc_ops;
47260 * Similar to nfs_client_initdata, but without the NFS-specific
47261 diff -urNp linux-2.6.38.1/include/linux/mm.h linux-2.6.38.1/include/linux/mm.h
47262 --- linux-2.6.38.1/include/linux/mm.h 2011-03-14 21:20:32.000000000 -0400
47263 +++ linux-2.6.38.1/include/linux/mm.h 2011-03-21 18:31:35.000000000 -0400
47264 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
47266 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
47267 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
47269 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
47270 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
47271 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
47273 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
47276 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
47277 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
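Review bot: `VM_SAO` is redefined to `0x00000000` on x86-32 with `CONFIG_PAX_PAGEEXEC` so that bit `0x20000000` can be reused for `VM_PAGEEXEC`, but nothing in the hunk says so; any generic code testing `vm_flags & VM_SAO` on this configuration silently sees it as never set (harmless because SAO is powerpc-only, but a reader of this header cannot tell that). Add a comment on the redefinition, e.g. `/* PaX: VM_SAO is powerpc-only; on x86-32 its bit is reused for VM_PAGEEXEC, so VM_SAO is 0 here and never set */`. The `#else`/`#endif` lines of this conditional are not shown on the page.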
47279 @@ -985,12 +992,6 @@ int set_page_dirty(struct page *page);
47280 int set_page_dirty_lock(struct page *page);
47281 int clear_page_dirty_for_io(struct page *page);
47283 -/* Is the vma a continuation of the stack vma above it? */
47284 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
47286 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
47289 extern unsigned long move_page_tables(struct vm_area_struct *vma,
47290 unsigned long old_addr, struct vm_area_struct *new_vma,
47291 unsigned long new_addr, unsigned long len);
47292 @@ -1142,6 +1143,15 @@ struct shrinker {
47293 extern void register_shrinker(struct shrinker *);
47294 extern void unregister_shrinker(struct shrinker *);
47297 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
47299 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47301 + return __pgprot(0);
47305 int vma_wants_writenotify(struct vm_area_struct *vma);
47307 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
47308 @@ -1431,6 +1441,7 @@ out:
47311 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
47312 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
47314 extern unsigned long do_brk(unsigned long, unsigned long);
47316 @@ -1487,6 +1498,10 @@ extern struct vm_area_struct * find_vma(
47317 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
47318 struct vm_area_struct **pprev);
47320 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
47321 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
47322 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
47324 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
47325 NULL if none. Assume start_addr < end_addr. */
47326 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
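Review bot: The three `pax_*` prototypes are added with no description of the mirror-VMA contract: what `pax_find_mirror_vma` returns when a VMA has no mirror (presumably NULL, matching the `vm_mirror` field comment this patch adds to mm_types.h), what the `__must_check long` result of `pax_mirror_vma` encodes, and whether `pax_mirror_file_pte` expects `ptl` to already be held by the caller or acquires it itself. The definitions are not on the page, so I can only ask for a short comment block before the declarations that states the return conventions and the locking rule (which of mmap_sem and the page-table lock must be held on entry); an `__must_check` whose failure semantics are undocumented invites callers to test the wrong condition.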
47327 @@ -1503,15 +1518,6 @@ static inline unsigned long vma_pages(st
47328 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
47332 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
47334 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47336 - return __pgprot(0);
47340 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
47341 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
47342 unsigned long pfn, unsigned long size, pgprot_t);
47343 @@ -1620,7 +1626,7 @@ extern int unpoison_memory(unsigned long
47344 extern int sysctl_memory_failure_early_kill;
47345 extern int sysctl_memory_failure_recovery;
47346 extern void shake_page(struct page *p, int access);
47347 -extern atomic_long_t mce_bad_pages;
47348 +extern atomic_long_unchecked_t mce_bad_pages;
47349 extern int soft_offline_page(struct page *page, int flags);
47350 #ifdef CONFIG_MEMORY_FAILURE
47351 int is_hwpoison_address(unsigned long addr);
47352 @@ -1642,5 +1648,11 @@ extern void copy_user_huge_page(struct p
47353 unsigned int pages_per_huge_page);
47354 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
47356 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
47357 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
47359 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
47362 #endif /* __KERNEL__ */
47363 #endif /* _LINUX_MM_H */
47364 diff -urNp linux-2.6.38.1/include/linux/mm_types.h linux-2.6.38.1/include/linux/mm_types.h
47365 --- linux-2.6.38.1/include/linux/mm_types.h 2011-03-14 21:20:32.000000000 -0400
47366 +++ linux-2.6.38.1/include/linux/mm_types.h 2011-03-21 18:31:35.000000000 -0400
47367 @@ -183,6 +183,8 @@ struct vm_area_struct {
47369 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
47372 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
47375 struct core_thread {
47376 @@ -315,6 +317,24 @@ struct mm_struct {
47378 /* How many tasks sharing this mm are OOM_DISABLE */
47379 atomic_t oom_disable_count;
47381 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47382 + unsigned long pax_flags;
47385 +#ifdef CONFIG_PAX_DLRESOLVE
47386 + unsigned long call_dl_resolve;
47389 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
47390 + unsigned long call_syscall;
47393 +#ifdef CONFIG_PAX_ASLR
47394 + unsigned long delta_mmap; /* randomized offset */
47395 + unsigned long delta_stack; /* randomized offset */
47400 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
47401 diff -urNp linux-2.6.38.1/include/linux/mmu_notifier.h linux-2.6.38.1/include/linux/mmu_notifier.h
47402 --- linux-2.6.38.1/include/linux/mmu_notifier.h 2011-03-14 21:20:32.000000000 -0400
47403 +++ linux-2.6.38.1/include/linux/mmu_notifier.h 2011-03-21 18:31:35.000000000 -0400
47404 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
47406 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
47410 struct vm_area_struct *___vma = __vma; \
47411 unsigned long ___address = __address; \
47412 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
47413 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
47414 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
47419 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
47420 diff -urNp linux-2.6.38.1/include/linux/mmzone.h linux-2.6.38.1/include/linux/mmzone.h
47421 --- linux-2.6.38.1/include/linux/mmzone.h 2011-03-14 21:20:32.000000000 -0400
47422 +++ linux-2.6.38.1/include/linux/mmzone.h 2011-03-21 18:31:35.000000000 -0400
47423 @@ -355,7 +355,7 @@ struct zone {
47424 unsigned long flags; /* zone flags, see below */
47426 /* Zone statistics */
47427 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47428 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47431 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
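Review bot: `vm_stat` is switched to `atomic_long_unchecked_t` without a comment saying why this counter is exempt from the checked atomic type, and the same silent opt-out appears in the reiserfs_fs.h (`get_generation`), reiserfs_fs_sb.h (`s_generation_counter`) and sonet.h (`__HANDLE_ITEM`) hunks of this patch. Presumably the `_unchecked` types bypass the overflow detection that the checked types gain under this patch, so each site should record the reason, e.g. `atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS]; /* statistics only: wrap-around is harmless, not a refcount */`. Without that, a later reader cannot tell an intentional exemption from an oversight, which weakens the audit value of the checked type.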
47432 diff -urNp linux-2.6.38.1/include/linux/mod_devicetable.h linux-2.6.38.1/include/linux/mod_devicetable.h
47433 --- linux-2.6.38.1/include/linux/mod_devicetable.h 2011-03-14 21:20:32.000000000 -0400
47434 +++ linux-2.6.38.1/include/linux/mod_devicetable.h 2011-03-21 18:31:35.000000000 -0400
47436 typedef unsigned long kernel_ulong_t;
47439 -#define PCI_ANY_ID (~0)
47440 +#define PCI_ANY_ID ((__u16)~0)
47442 struct pci_device_id {
47443 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
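Review bot: Redefining `PCI_ANY_ID` as `((__u16)~0)` changes the wildcard stored in the `__u32 vendor, device` fields of struct pci_device_id from 0xffffffff to 0x0000ffff, so any producer that still encodes the wildcard as all-ones 32-bit (for example a raw `__u32` taken from the driver `new_id` sysfs interface, if that path does not go through the macro) no longer compares equal to it. The hunk's `@@` header and the comparison sites are outside this view, so whether every producer was updated cannot be confirmed here. A comment on the define should make the contract explicit, e.g. `#define PCI_ANY_ID ((__u16)~0) /* 0xffff; ids must be compared only via this macro */`. Note the next hunk gives `HID_ANY_ID` the different form `(~0U)`; if both are meant as "all ones of the field width", a line saying so would avoid the appearance of inconsistency.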
47444 @@ -131,7 +131,7 @@ struct usb_device_id {
47445 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
47446 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
47448 -#define HID_ANY_ID (~0)
47449 +#define HID_ANY_ID (~0U)
47451 struct hid_device_id {
47453 diff -urNp linux-2.6.38.1/include/linux/module.h linux-2.6.38.1/include/linux/module.h
47454 --- linux-2.6.38.1/include/linux/module.h 2011-03-14 21:20:32.000000000 -0400
47455 +++ linux-2.6.38.1/include/linux/module.h 2011-03-21 18:31:35.000000000 -0400
47456 @@ -324,19 +324,16 @@ struct module
47459 /* If this is non-NULL, vfree after init() returns */
47460 - void *module_init;
47461 + void *module_init_rx, *module_init_rw;
47463 /* Here is the actual code + data, vfree'd on unload. */
47464 - void *module_core;
47465 + void *module_core_rx, *module_core_rw;
47467 /* Here are the sizes of the init and core sections */
47468 - unsigned int init_size, core_size;
47469 + unsigned int init_size_rw, core_size_rw;
47471 /* The size of the executable code in each section. */
47472 - unsigned int init_text_size, core_text_size;
47474 - /* Size of RO sections of the module (text+rodata) */
47475 - unsigned int init_ro_size, core_ro_size;
47476 + unsigned int init_size_rx, core_size_rx;
47478 /* Arch-specific module values */
47479 struct mod_arch_specific arch;
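Review bot: The comments kept above the renamed size fields no longer describe them: `/* Here are the sizes of the init and core sections */` now sits over `init_size_rw, core_size_rw`, and `/* The size of the executable code in each section. */` over `init_size_rx, core_size_rx`, while the removed `init_ro_size`/`core_ro_size` comment was the only place that said where rodata is accounted. Suggest `/* Sizes of the writable (RW) part of the init and core sections */` and `/* Sizes of the executable/read-only (RX) part of each section — presumably text plus rodata, confirm against the loader */`. The surviving comments on `module_init_rx, *module_init_rw` and `module_core_rx, *module_core_rw` likewise still speak of a single region; one line stating that each section is now split into an RX and an RW mapping is enough.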
47480 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
47481 bool is_module_percpu_address(unsigned long addr);
47482 bool is_module_text_address(unsigned long addr);
47484 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
47487 +#ifdef CONFIG_PAX_KERNEXEC
47488 + if (ktla_ktva(addr) >= (unsigned long)start &&
47489 + ktla_ktva(addr) < (unsigned long)start + size)
47493 + return ((void *)addr >= start && (void *)addr < start + size);
47496 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
47498 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
47501 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
47503 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
47506 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
47508 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
47511 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
47513 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
47516 static inline int within_module_core(unsigned long addr, struct module *mod)
47518 - return (unsigned long)mod->module_core <= addr &&
47519 - addr < (unsigned long)mod->module_core + mod->core_size;
47520 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
47523 static inline int within_module_init(unsigned long addr, struct module *mod)
47525 - return (unsigned long)mod->module_init <= addr &&
47526 - addr < (unsigned long)mod->module_init + mod->init_size;
47527 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
47530 /* Search for module by name: must hold module_mutex. */
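Review bot: `within_module_range()` takes `void *start` although it only compares it, and its fallback `return ((void *)addr >= start && (void *)addr < start + size);` does arithmetic on `void *`, which the removed lines avoided by working in `unsigned long`. Keeping that form, `return (unsigned long)start <= addr && addr < (unsigned long)start + size;`, with `const void *start`, matches the code it replaces and the const-correctness the rest of this patch adds. The lines between the `ktla_ktva()` comparison and the fallback (the KERNEXEC return and `#endif`) are not shown in this view, so that path could not be checked.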
47531 diff -urNp linux-2.6.38.1/include/linux/moduleloader.h linux-2.6.38.1/include/linux/moduleloader.h
47532 --- linux-2.6.38.1/include/linux/moduleloader.h 2011-03-14 21:20:32.000000000 -0400
47533 +++ linux-2.6.38.1/include/linux/moduleloader.h 2011-03-21 18:31:35.000000000 -0400
47534 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
47535 sections. Returns NULL on failure. */
47536 void *module_alloc(unsigned long size);
47538 +#ifdef CONFIG_PAX_KERNEXEC
47539 +void *module_alloc_exec(unsigned long size);
47541 +#define module_alloc_exec(x) module_alloc(x)
47544 /* Free memory returned from module_alloc. */
47545 void module_free(struct module *mod, void *module_region);
47547 +#ifdef CONFIG_PAX_KERNEXEC
47548 +void module_free_exec(struct module *mod, void *module_region);
47550 +#define module_free_exec(x, y) module_free((x), (y))
47553 /* Apply the given relocation to the (simplified) ELF. Return -error
47555 int apply_relocate(Elf_Shdr *sechdrs,
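Review bot: `module_alloc_exec()` and `module_free_exec()` are declared without the one-line contract that `module_alloc()` and `module_free()` carry just above them (`/* Free memory returned from module_alloc. */`). Suggest `/* Allocate @size bytes for executable module text; must be released with module_free_exec(). */` on the allocator and `/* Free memory returned from module_alloc_exec. */` on the free routine, so the pairing is explicit and nobody hands an exec region to `module_free()`. The `#else` lines are not shown in this view, but the `#define module_alloc_exec(x) module_alloc(x)` fallback shows the pairing is intentional and worth stating.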
47556 diff -urNp linux-2.6.38.1/include/linux/moduleparam.h linux-2.6.38.1/include/linux/moduleparam.h
47557 --- linux-2.6.38.1/include/linux/moduleparam.h 2011-03-14 21:20:32.000000000 -0400
47558 +++ linux-2.6.38.1/include/linux/moduleparam.h 2011-03-21 18:31:35.000000000 -0400
47559 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
47560 * @len is usually just sizeof(string).
47562 #define module_param_string(name, string, len, perm) \
47563 - static const struct kparam_string __param_string_##name \
47564 + static const struct kparam_string __param_string_##name __used \
47565 = { len, string }; \
47566 __module_param_call(MODULE_PARAM_PREFIX, name, \
47567 ¶m_ops_string, \
47568 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
47569 * module_param_named() for why this might be necessary.
47571 #define module_param_array_named(name, array, type, nump, perm) \
47572 - static const struct kparam_array __param_arr_##name \
47573 + static const struct kparam_array __param_arr_##name __used \
47574 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
47575 sizeof(array[0]), array }; \
47576 __module_param_call(MODULE_PARAM_PREFIX, name, \
47577 diff -urNp linux-2.6.38.1/include/linux/namei.h linux-2.6.38.1/include/linux/namei.h
47578 --- linux-2.6.38.1/include/linux/namei.h 2011-03-14 21:20:32.000000000 -0400
47579 +++ linux-2.6.38.1/include/linux/namei.h 2011-03-21 18:31:35.000000000 -0400
47580 @@ -25,7 +25,7 @@ struct nameidata {
47584 - char *saved_names[MAX_NESTED_LINKS + 1];
47585 + const char *saved_names[MAX_NESTED_LINKS + 1];
47589 @@ -88,12 +88,12 @@ extern int follow_up(struct path *);
47590 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
47591 extern void unlock_rename(struct dentry *, struct dentry *);
47593 -static inline void nd_set_link(struct nameidata *nd, char *path)
47594 +static inline void nd_set_link(struct nameidata *nd, const char *path)
47596 nd->saved_names[nd->depth] = path;
47599 -static inline char *nd_get_link(struct nameidata *nd)
47600 +static inline const char *nd_get_link(const struct nameidata *nd)
47602 return nd->saved_names[nd->depth];
47604 diff -urNp linux-2.6.38.1/include/linux/netfilter/xt_gradm.h linux-2.6.38.1/include/linux/netfilter/xt_gradm.h
47605 --- linux-2.6.38.1/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
47606 +++ linux-2.6.38.1/include/linux/netfilter/xt_gradm.h 2011-03-21 18:31:35.000000000 -0400
47608 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
47609 +#define _LINUX_NETFILTER_XT_GRADM_H 1
47611 +struct xt_gradm_mtinfo {
47617 diff -urNp linux-2.6.38.1/include/linux/oprofile.h linux-2.6.38.1/include/linux/oprofile.h
47618 --- linux-2.6.38.1/include/linux/oprofile.h 2011-03-14 21:20:32.000000000 -0400
47619 +++ linux-2.6.38.1/include/linux/oprofile.h 2011-03-21 18:31:35.000000000 -0400
47620 @@ -132,9 +132,9 @@ int oprofilefs_create_ulong(struct super
47621 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
47622 char const * name, ulong * val);
47624 -/** Create a file for read-only access to an atomic_t. */
47625 +/** Create a file for read-only access to an atomic_unchecked_t. */
47626 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
47627 - char const * name, atomic_t * val);
47628 + char const * name, atomic_unchecked_t * val);
47630 /** create a directory */
47631 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
47632 diff -urNp linux-2.6.38.1/include/linux/pipe_fs_i.h linux-2.6.38.1/include/linux/pipe_fs_i.h
47633 --- linux-2.6.38.1/include/linux/pipe_fs_i.h 2011-03-14 21:20:32.000000000 -0400
47634 +++ linux-2.6.38.1/include/linux/pipe_fs_i.h 2011-03-21 18:31:35.000000000 -0400
47635 @@ -46,9 +46,9 @@ struct pipe_buffer {
47636 struct pipe_inode_info {
47637 wait_queue_head_t wait;
47638 unsigned int nrbufs, curbuf, buffers;
47639 - unsigned int readers;
47640 - unsigned int writers;
47641 - unsigned int waiting_writers;
47642 + atomic_t readers;
47643 + atomic_t writers;
47644 + atomic_t waiting_writers;
47645 unsigned int r_counter;
47646 unsigned int w_counter;
47647 struct page *tmp_page;
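Review bot: Converting `readers`, `writers` and `waiting_writers` to `atomic_t` makes each counter individually atomic but says nothing about whether the pipe's mutex is still required when they are read or updated together, and no comment records why the type changed. Suggest a short comment on the group, e.g. `/* atomic_t presumably so the checked atomic helpers apply; pipe->mutex is still needed for decisions that look at more than one counter — confirm against fs/pipe.c */`. Every site that used `++`/`--` or compared these fields directly must now use the `atomic_*()` helpers; those sites are outside this chunk and could not be checked here.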
47648 diff -urNp linux-2.6.38.1/include/linux/pm_runtime.h linux-2.6.38.1/include/linux/pm_runtime.h
47649 --- linux-2.6.38.1/include/linux/pm_runtime.h 2011-03-14 21:20:32.000000000 -0400
47650 +++ linux-2.6.38.1/include/linux/pm_runtime.h 2011-03-21 18:31:35.000000000 -0400
47651 @@ -89,7 +89,7 @@ static inline bool pm_runtime_enabled(st
47653 static inline void pm_runtime_mark_last_busy(struct device *dev)
47655 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
47656 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
47659 #else /* !CONFIG_PM_RUNTIME */
47660 diff -urNp linux-2.6.38.1/include/linux/poison.h linux-2.6.38.1/include/linux/poison.h
47661 --- linux-2.6.38.1/include/linux/poison.h 2011-03-14 21:20:32.000000000 -0400
47662 +++ linux-2.6.38.1/include/linux/poison.h 2011-03-21 18:31:35.000000000 -0400
47664 * under normal circumstances, used to verify that nobody uses
47665 * non-initialized list entries.
47667 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
47668 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
47669 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
47670 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
47672 /********** include/linux/timer.h **********/
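Review bot: `((void *) (long)0xFFFFFF01)` does not produce the value the hexadecimal suggests on 64-bit targets: `0xFFFFFF01` is an `unsigned int` constant, so the cast to `long` zero-extends it to `0x00000000FFFFFF01`, a canonical address inside the user range, whereas the removed definition went through `POISON_POINTER_DELTA` precisely so architectures could place the poison in an unmappable range. If a sign-extended value near the top of the address space was intended on 64-bit, write the constants so they are negative before widening, e.g. `#define LIST_POISON1 ((void *) -255L)` and `#define LIST_POISON2 ((void *) -254L)`, which equal the 32-bit values shown. If the low 32-bit value is intended on every width, the reason it is safe (the poison must never be dereferenceable by the kernel) should be recorded in the comment above. Either way the defines should state which address they are meant to land on for 32- and 64-bit builds.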
47674 diff -urNp linux-2.6.38.1/include/linux/proc_fs.h linux-2.6.38.1/include/linux/proc_fs.h
47675 --- linux-2.6.38.1/include/linux/proc_fs.h 2011-03-14 21:20:32.000000000 -0400
47676 +++ linux-2.6.38.1/include/linux/proc_fs.h 2011-03-21 18:31:35.000000000 -0400
47677 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
47678 return proc_create_data(name, mode, parent, proc_fops, NULL);
47681 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
47682 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
47684 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47685 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
47686 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47687 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
47689 + return proc_create_data(name, mode, parent, proc_fops, NULL);
47694 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
47695 mode_t mode, struct proc_dir_entry *base,
47696 read_proc_t *read_proc, void * data)
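Review bot: `proc_create_grsec()` silently ignores its `mode` argument under CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, substituting `S_IRUSR` or `S_IRUSR | S_IRGRP`, so a caller that passed write or other bits gets a read-only entry with no indication. That is the point of the helper, but the contract should be stated on it: `/* Like proc_create(): creates @name under @parent. With GRKERNSEC_PROC_USER the entry is root-readable only, with GRKERNSEC_PROC_USERGROUP root- and group-readable, and @mode is ignored; otherwise @mode is used as given. */`. The `#else` arm and the closing lines of the function are not shown in this view.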
47697 diff -urNp linux-2.6.38.1/include/linux/ptrace.h linux-2.6.38.1/include/linux/ptrace.h
47698 --- linux-2.6.38.1/include/linux/ptrace.h 2011-03-14 21:20:32.000000000 -0400
47699 +++ linux-2.6.38.1/include/linux/ptrace.h 2011-03-26 11:36:13.000000000 -0400
47700 @@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
47701 extern void exit_ptrace(struct task_struct *tracer);
47702 #define PTRACE_MODE_READ 1
47703 #define PTRACE_MODE_ATTACH 2
47704 -/* Returns 0 on success, -errno on denial. */
47705 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
47706 /* Returns true on success, false on denial. */
47707 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
47708 +/* Returns true on success, false on denial. */
47709 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
47711 static inline int ptrace_reparented(struct task_struct *child)
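Review bot: The comment added above `ptrace_may_access_log()` is a copy of the one on `ptrace_may_access()` (`/* Returns true on success, false on denial. */`) and does not say how the two differ; from the name the `_log` variant presumably also records a denial, but that is not stated. Suggest `/* As ptrace_may_access(), but also logs a denial; returns true on success, false on denial. */`, adjusted to what the implementation does. The hunk also drops the `__ptrace_may_access()` declaration that returned `-errno`; if that function still exists, its remaining callers lose the prototype.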
47713 diff -urNp linux-2.6.38.1/include/linux/random.h linux-2.6.38.1/include/linux/random.h
47714 --- linux-2.6.38.1/include/linux/random.h 2011-03-14 21:20:32.000000000 -0400
47715 +++ linux-2.6.38.1/include/linux/random.h 2011-03-21 18:31:35.000000000 -0400
47716 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
47718 u32 prandom32(struct rnd_state *);
47720 +static inline unsigned long pax_get_random_long(void)
47722 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
47726 * Handle minimum values for seeds
47728 static inline u32 __seed(u32 x, u32 m)
47730 - return (x < m) ? x + m : x;
47731 + return (x <= m) ? x + m + 1 : x;
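Review bot: In `pax_get_random_long()` the expression `(unsigned long)random32() << 32` shifts an `unsigned long` by 32 bits; on 32-bit targets the `sizeof(long) > 4` test makes that arm dead, but it is still compiled, and a shift by the full width of the type is undefined behaviour that compilers warn about. Guard it at preprocessing time with `#if BITS_PER_LONG > 32`, or split the shift (`<< 16 << 16`) so the folded arm is well-formed. Since the `delta_mmap`/`delta_stack` fields introduced earlier in this patch are marked "randomized offset" and this helper looks like their source, a comment should record that `random32()` is the kernel's non-cryptographic Tausworthe generator, so a reader knows that choice was deliberate. The `__seed()` change from `x < m ? x + m` to `x <= m ? x + m + 1` is unexplained and deserves a line saying which seed values it excludes.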
47735 diff -urNp linux-2.6.38.1/include/linux/reiserfs_fs.h linux-2.6.38.1/include/linux/reiserfs_fs.h
47736 --- linux-2.6.38.1/include/linux/reiserfs_fs.h 2011-03-14 21:20:32.000000000 -0400
47737 +++ linux-2.6.38.1/include/linux/reiserfs_fs.h 2011-03-21 18:31:35.000000000 -0400
47738 @@ -1403,7 +1403,7 @@ static inline loff_t max_reiserfs_offset
47739 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
47741 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
47742 -#define get_generation(s) atomic_read (&fs_generation(s))
47743 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
47744 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
47745 #define __fs_changed(gen,s) (gen != get_generation (s))
47746 #define fs_changed(gen,s) \
47747 @@ -1615,24 +1615,24 @@ static inline struct super_block *sb_fro
47750 struct item_operations {
47751 - int (*bytes_number) (struct item_head * ih, int block_size);
47752 - void (*decrement_key) (struct cpu_key *);
47753 - int (*is_left_mergeable) (struct reiserfs_key * ih,
47754 + int (* const bytes_number) (struct item_head * ih, int block_size);
47755 + void (* const decrement_key) (struct cpu_key *);
47756 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
47757 unsigned long bsize);
47758 - void (*print_item) (struct item_head *, char *item);
47759 - void (*check_item) (struct item_head *, char *item);
47760 + void (* const print_item) (struct item_head *, char *item);
47761 + void (* const check_item) (struct item_head *, char *item);
47763 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47764 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47765 int is_affected, int insert_size);
47766 - int (*check_left) (struct virtual_item * vi, int free,
47767 + int (* const check_left) (struct virtual_item * vi, int free,
47768 int start_skip, int end_skip);
47769 - int (*check_right) (struct virtual_item * vi, int free);
47770 - int (*part_size) (struct virtual_item * vi, int from, int to);
47771 - int (*unit_num) (struct virtual_item * vi);
47772 - void (*print_vi) (struct virtual_item * vi);
47773 + int (* const check_right) (struct virtual_item * vi, int free);
47774 + int (* const part_size) (struct virtual_item * vi, int from, int to);
47775 + int (* const unit_num) (struct virtual_item * vi);
47776 + void (* const print_vi) (struct virtual_item * vi);
47779 -extern struct item_operations *item_ops[TYPE_ANY + 1];
47780 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
47782 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
47783 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
47784 diff -urNp linux-2.6.38.1/include/linux/reiserfs_fs_sb.h linux-2.6.38.1/include/linux/reiserfs_fs_sb.h
47785 --- linux-2.6.38.1/include/linux/reiserfs_fs_sb.h 2011-03-14 21:20:32.000000000 -0400
47786 +++ linux-2.6.38.1/include/linux/reiserfs_fs_sb.h 2011-03-21 18:31:35.000000000 -0400
47787 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
47788 /* Comment? -Hans */
47789 wait_queue_head_t s_wait;
47790 /* To be obsoleted soon by per buffer seals.. -Hans */
47791 - atomic_t s_generation_counter; // increased by one every time the
47792 + atomic_unchecked_t s_generation_counter; // increased by one every time the
47793 // tree gets re-balanced
47794 unsigned long s_properties; /* File system properties. Currently holds
47795 on-disk FS format */
47796 diff -urNp linux-2.6.38.1/include/linux/rmap.h linux-2.6.38.1/include/linux/rmap.h
47797 --- linux-2.6.38.1/include/linux/rmap.h 2011-03-14 21:20:32.000000000 -0400
47798 +++ linux-2.6.38.1/include/linux/rmap.h 2011-03-21 18:31:35.000000000 -0400
47799 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
47800 void anon_vma_init(void); /* create anon_vma_cachep */
47801 int anon_vma_prepare(struct vm_area_struct *);
47802 void unlink_anon_vmas(struct vm_area_struct *);
47803 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
47804 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
47805 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
47806 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
47807 void __anon_vma_link(struct vm_area_struct *);
47808 void anon_vma_free(struct anon_vma *);
47810 diff -urNp linux-2.6.38.1/include/linux/sched.h linux-2.6.38.1/include/linux/sched.h
47811 --- linux-2.6.38.1/include/linux/sched.h 2011-03-14 21:20:32.000000000 -0400
47812 +++ linux-2.6.38.1/include/linux/sched.h 2011-03-26 17:18:15.000000000 -0400
47813 @@ -99,6 +99,7 @@ struct robust_list_head;
47816 struct perf_event_context;
47817 +struct linux_binprm;
47820 * List of flags we want to share for kernel threads,
47821 @@ -380,10 +381,13 @@ struct user_namespace;
47822 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
47824 extern int sysctl_max_map_count;
47825 +extern unsigned long sysctl_heap_stack_gap;
47827 #include <linux/aio.h>
47830 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
47831 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
47832 extern void arch_pick_mmap_layout(struct mm_struct *mm);
47833 extern unsigned long
47834 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
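Review bot: The new declarations `sysctl_heap_stack_gap`, `check_heap_stack_gap()` and `skip_heap_stack_gap()` are undocumented: the unit of the gap, whether a true result from `check_heap_stack_gap()` means `[addr, addr+len)` is acceptable, and what `skip_heap_stack_gap()` returns cannot be told from the prototypes. Suggest a short block above them, e.g. `/* Minimum distance kept between a growable stack VMA and other mappings (bytes, sysctl-tunable). check_heap_stack_gap() reports whether [addr, addr+len) keeps that gap from @vma; skip_heap_stack_gap() — confirm: returns the next address that does. */`, adjusted to the implementation.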
47835 @@ -628,6 +632,17 @@ struct signal_struct {
47836 #ifdef CONFIG_TASKSTATS
47837 struct taskstats *stats;
47840 +#ifdef CONFIG_GRKERNSEC
47847 + u8 used_accept:1;
47850 #ifdef CONFIG_AUDIT
47851 unsigned audit_tty;
47852 struct tty_audit_buf *tty_audit_buf;
47853 @@ -1192,7 +1207,7 @@ enum perf_event_task_context {
47855 struct task_struct {
47856 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
47858 + struct thread_info *stack;
47860 unsigned int flags; /* per process flags, defined below */
47861 unsigned int ptrace;
47862 @@ -1307,8 +1322,8 @@ struct task_struct {
47863 struct list_head thread_group;
47865 struct completion *vfork_done; /* for vfork() */
47866 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
47867 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47868 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
47869 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47871 cputime_t utime, stime, utimescaled, stimescaled;
47873 @@ -1324,13 +1339,6 @@ struct task_struct {
47874 struct task_cputime cputime_expires;
47875 struct list_head cpu_timers[3];
47877 -/* process credentials */
47878 - const struct cred __rcu *real_cred; /* objective and real subjective task
47879 - * credentials (COW) */
47880 - const struct cred __rcu *cred; /* effective (overridable) subjective task
47881 - * credentials (COW) */
47882 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47884 char comm[TASK_COMM_LEN]; /* executable name excluding path
47885 - access with [gs]et_task_comm (which lock
47886 it with task_lock())
47887 @@ -1349,6 +1357,10 @@ struct task_struct {
47888 struct thread_struct thread;
47889 /* filesystem information */
47890 struct fs_struct *fs;
47892 + const struct cred __rcu *cred; /* effective (overridable) subjective task
47893 + * credentials (COW) */
47895 /* open file information */
47896 struct files_struct *files;
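Review bot: `cred` is moved away from `real_cred`, so the `/* process credentials */` heading that introduced both now precedes only `real_cred` (the hunk at `@@ -1395`), while the relocated `cred` line sits between `fs` and `files` with nothing saying it is a credential pointer that pairs with `real_cred`. Suggest `const struct cred __rcu *cred; /* effective (overridable) subjective task credentials (COW); paired with real_cred further down */`. The reason for separating the two pointers in struct task_struct is not given in any of the hunks and should be recorded, since it changes a layout that out-of-tree code may depend on.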
47898 @@ -1395,6 +1407,11 @@ struct task_struct {
47899 struct rt_mutex_waiter *pi_blocked_on;
47902 +/* process credentials */
47903 + const struct cred __rcu *real_cred; /* objective and real subjective task
47904 + * credentials (COW) */
47905 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47907 #ifdef CONFIG_DEBUG_MUTEXES
47908 /* mutex deadlock detection */
47909 struct mutex_waiter *blocked_on;
47910 @@ -1499,6 +1516,21 @@ struct task_struct {
47911 unsigned long default_timer_slack_ns;
47913 struct list_head *scm_work_list;
47915 +#ifdef CONFIG_GRKERNSEC
47917 + struct dentry *gr_chroot_dentry;
47918 + struct acl_subject_label *acl;
47919 + struct acl_role_label *role;
47920 + struct file *exec_file;
47922 + /* is this the task that authenticated to the special role */
47926 + u8 gr_is_chrooted;
47929 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
47930 /* Index of current stored address in ret_stack */
47931 int curr_ret_stack;
47932 @@ -1530,6 +1562,52 @@ struct task_struct {
47936 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
47937 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
47938 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
47939 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
47940 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
47941 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
47943 +#ifdef CONFIG_PAX_SOFTMODE
47944 +extern unsigned int pax_softmode;
47947 +extern int pax_check_flags(unsigned long *);
47949 +/* if tsk != current then task_lock must be held on it */
47950 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47951 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
47953 + if (likely(tsk->mm))
47954 + return tsk->mm->pax_flags;
47959 +/* if tsk != current then task_lock must be held on it */
47960 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
47962 + if (likely(tsk->mm)) {
47963 + tsk->mm->pax_flags = flags;
47970 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
47971 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
47972 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
47973 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
47976 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
47977 +void pax_report_insns(void *pc, void *sp);
47978 +void pax_report_refcount_overflow(struct pt_regs *regs);
47979 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
47980 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
47982 /* Future-safe accessor for struct task_struct's cpus_allowed. */
47983 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
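Review bot: `pax_get_flags()`/`pax_set_flags()` are compiled only for CONFIG_PAX_NOEXEC or CONFIG_PAX_ASLR, but the `pax_flags` field they wrap (mm_types.h hunk of this patch) also exists for CONFIG_PAX_EI_PAX and CONFIG_PAX_PT_PAX_FLAGS alone; in such a configuration code must touch `mm->pax_flags` directly and the `task_lock` rule stated only on these accessors is easy to miss. Either widen the guard to match the field, `#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)`, or document on the field why the narrower set suffices. The `MF_PAX_*` bit definitions are unconditional, so a one-line comment that they are the contents of `mm->pax_flags` would tie the two together, and the `pax_report_*()` prototypes lack any description of when they are called. The `#else` arms of both accessors are not shown in this view.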
47985 @@ -2169,7 +2247,7 @@ extern void __cleanup_sighand(struct sig
47986 extern void exit_itimers(struct signal_struct *);
47987 extern void flush_itimer_signals(void);
47989 -extern NORET_TYPE void do_group_exit(int);
47990 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
47992 extern void daemonize(const char *, ...);
47993 extern int allow_signal(int);
47994 @@ -2294,8 +2372,8 @@ static inline void unlock_task_sighand(s
47996 #ifndef __HAVE_THREAD_FUNCTIONS
47998 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
47999 -#define task_stack_page(task) ((task)->stack)
48000 +#define task_thread_info(task) ((task)->stack)
48001 +#define task_stack_page(task) ((void *)(task)->stack)
48003 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
48005 @@ -2310,13 +2388,17 @@ static inline unsigned long *end_of_stac
48009 -static inline int object_is_on_stack(void *obj)
48010 +static inline int object_starts_on_stack(void *obj)
48012 - void *stack = task_stack_page(current);
48013 + const void *stack = task_stack_page(current);
48015 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
48018 +#ifdef CONFIG_PAX_USERCOPY
48019 +extern int object_is_on_stack(const void *obj, unsigned long len);
48022 extern void thread_info_cache_init(void);
48024 #ifdef CONFIG_DEBUG_STACK_USAGE
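Review bot: The renamed `object_starts_on_stack()` and the new `object_is_on_stack(const void *obj, unsigned long len)` are left without comments that distinguish them, even though the rename exists precisely because the single-argument check only looks at the start address. Suggest `/* true if @obj itself lies in current's stack; says nothing about the bytes after it */` on the renamed helper and, on the new extern, `/* PaX USERCOPY: non-zero if [obj, obj+len) lies entirely within current's stack — confirm exact return semantics against the implementation */`. Callers of the old one-argument `object_is_on_stack()` outside this chunk now need the renamed helper and are not visible here.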
48025 diff -urNp linux-2.6.38.1/include/linux/screen_info.h linux-2.6.38.1/include/linux/screen_info.h
48026 --- linux-2.6.38.1/include/linux/screen_info.h 2011-03-14 21:20:32.000000000 -0400
48027 +++ linux-2.6.38.1/include/linux/screen_info.h 2011-03-21 18:31:35.000000000 -0400
48028 @@ -43,7 +43,8 @@ struct screen_info {
48029 __u16 pages; /* 0x32 */
48030 __u16 vesa_attributes; /* 0x34 */
48031 __u32 capabilities; /* 0x36 */
48032 - __u8 _reserved[6]; /* 0x3a */
48033 + __u16 vesapm_size; /* 0x3a */
48034 + __u8 _reserved[4]; /* 0x3c */
48035 } __attribute__((packed));
48037 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
48038 diff -urNp linux-2.6.38.1/include/linux/security.h linux-2.6.38.1/include/linux/security.h
48039 --- linux-2.6.38.1/include/linux/security.h 2011-03-14 21:20:32.000000000 -0400
48040 +++ linux-2.6.38.1/include/linux/security.h 2011-03-21 18:31:35.000000000 -0400
48042 #include <linux/key.h>
48043 #include <linux/xfrm.h>
48044 #include <linux/slab.h>
48045 +#include <linux/grsecurity.h>
48046 #include <net/flow.h>
48048 /* Maximum number of letters for an LSM name string */
48049 diff -urNp linux-2.6.38.1/include/linux/shm.h linux-2.6.38.1/include/linux/shm.h
48050 --- linux-2.6.38.1/include/linux/shm.h 2011-03-14 21:20:32.000000000 -0400
48051 +++ linux-2.6.38.1/include/linux/shm.h 2011-03-21 18:31:35.000000000 -0400
48052 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
48055 struct user_struct *mlock_user;
48056 +#ifdef CONFIG_GRKERNSEC
48057 + time_t shm_createtime;
48062 /* shm_mode upper byte flags */
48063 diff -urNp linux-2.6.38.1/include/linux/skbuff.h linux-2.6.38.1/include/linux/skbuff.h
48064 --- linux-2.6.38.1/include/linux/skbuff.h 2011-03-14 21:20:32.000000000 -0400
48065 +++ linux-2.6.38.1/include/linux/skbuff.h 2011-03-21 18:31:35.000000000 -0400
48066 @@ -589,7 +589,7 @@ static inline struct skb_shared_hwtstamp
48068 static inline int skb_queue_empty(const struct sk_buff_head *list)
48070 - return list->next == (struct sk_buff *)list;
48071 + return list->next == (const struct sk_buff *)list;
48075 @@ -602,7 +602,7 @@ static inline int skb_queue_empty(const
48076 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
48077 const struct sk_buff *skb)
48079 - return skb->next == (struct sk_buff *)list;
48080 + return skb->next == (const struct sk_buff *)list;
48084 @@ -615,7 +615,7 @@ static inline bool skb_queue_is_last(con
48085 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
48086 const struct sk_buff *skb)
48088 - return skb->prev == (struct sk_buff *)list;
48089 + return skb->prev == (const struct sk_buff *)list;
48093 diff -urNp linux-2.6.38.1/include/linux/slab.h linux-2.6.38.1/include/linux/slab.h
48094 --- linux-2.6.38.1/include/linux/slab.h 2011-03-14 21:20:32.000000000 -0400
48095 +++ linux-2.6.38.1/include/linux/slab.h 2011-03-21 18:31:35.000000000 -0400
48098 #include <linux/gfp.h>
48099 #include <linux/types.h>
48100 +#include <linux/err.h>
48103 * Flags to pass to kmem_cache_create().
48104 @@ -87,10 +88,13 @@
48105 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
48106 * Both make kfree a no-op.
48108 -#define ZERO_SIZE_PTR ((void *)16)
48109 +#define ZERO_SIZE_PTR \
48111 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
48112 + (void *)(-MAX_ERRNO-1L); \
48115 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
48116 - (unsigned long)ZERO_SIZE_PTR)
48117 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
48120 * struct kmem_cache related prototypes
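Review bot: The new `ZERO_OR_NULL_PTR(x)`, `((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)`, is true not only for NULL and `ZERO_SIZE_PTR` but for every value above `ZERO_SIZE_PTR`, i.e. the whole `ERR_PTR()` range now that `ZERO_SIZE_PTR` is `(void *)(-MAX_ERRNO-1L)`; the retained comment ("ZERO_SIZE_PTR can be passed to kfree ... Both make kfree a no-op") does not mention that error pointers are treated the same way. If that is intended, extend it: `/* ZERO_SIZE_PTR sits just below the ERR_PTR range, so ZERO_OR_NULL_PTR() also matches any IS_ERR() value; kfree() of such a pointer is a no-op */`. `ZERO_SIZE_PTR` also appears to have become a statement expression (the `BUILD_BUG_ON` line; the surrounding braces are not shown), so it can no longer be used in a static initializer or other constant expression the way `((void *)16)` could, and any such use elsewhere would now fail to compile. The purpose of `BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK))` deserves a comment too.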
48121 @@ -142,6 +146,7 @@ void * __must_check krealloc(const void
48122 void kfree(const void *);
48123 void kzfree(const void *);
48124 size_t ksize(const void *);
48125 +void check_object_size(const void *ptr, unsigned long n, bool to);
48128 * Allocator specific definitions. These are mainly used to establish optimized
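Review bot: `check_object_size(const void *ptr, unsigned long n, bool to)` is added among the kfree/ksize prototypes with no comment, and neither the meaning of `to` nor what happens when the check fails can be told from the declaration. Suggest `/* PaX USERCOPY: validate that [ptr, ptr+n) lies within a single object before a user copy; @to is the copy direction — confirm: true when copying to user space. On failure: see the implementation. */`, filled in from the definition. Presumably it pairs with the `object_is_on_stack(obj, len)` helper added in the sched.h hunk of this patch; saying so here would help readers find both halves.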
48129 @@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t
48131 void __init kmem_cache_init_late(void);
48133 +#define kmalloc(x, y) \
48135 + void *___retval; \
48136 + intoverflow_t ___x = (intoverflow_t)x; \
48137 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
48138 + ___retval = NULL; \
48140 + ___retval = kmalloc((size_t)___x, (y)); \
48144 +#define kmalloc_node(x, y, z) \
48146 + void *___retval; \
48147 + intoverflow_t ___x = (intoverflow_t)x; \
48148 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
48149 + ___retval = NULL; \
48151 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
48155 +#define kzalloc(x, y) \
48157 + void *___retval; \
48158 + intoverflow_t ___x = (intoverflow_t)x; \
48159 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
48160 + ___retval = NULL; \
48162 + ___retval = kzalloc((size_t)___x, (y)); \
48166 #endif /* _LINUX_SLAB_H */
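Review bot: In the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers the size argument is used unparenthesised, `intoverflow_t ___x = (intoverflow_t)x;`, while `y` and `z` are parenthesised. If that is deliberate — so `kmalloc(n * size, gfp)` becomes `(intoverflow_t)n * size` and the product is computed in the wider type, which is what makes `WARN(___x > ULONG_MAX, …)` useful — it needs a comment, because only the leftmost operand is widened: `kmalloc(hdr + n * size, gfp)` still multiplies at the original width and an overflow there is invisible to the check, and an argument containing a top-level comma or conditional expands differently. State the rule next to the macro: `/* x is deliberately not parenthesised: the cast widens its first operand so size arithmetic is evaluated in intoverflow_t */`. If `intoverflow_t` is signed (not visible here), a negative result of signed size arithmetic passes `___x > ULONG_MAX` and is then truncated by `(size_t)___x`, so a `___x < 0` check would close that gap.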
48167 diff -urNp linux-2.6.38.1/include/linux/slub_def.h linux-2.6.38.1/include/linux/slub_def.h
48168 --- linux-2.6.38.1/include/linux/slub_def.h 2011-03-14 21:20:32.000000000 -0400
48169 +++ linux-2.6.38.1/include/linux/slub_def.h 2011-03-21 18:31:35.000000000 -0400
48170 @@ -79,7 +79,7 @@ struct kmem_cache {
48171 struct kmem_cache_order_objects max;
48172 struct kmem_cache_order_objects min;
48173 gfp_t allocflags; /* gfp flags to use on each alloc */
48174 - int refcount; /* Refcount for slab cache destroy */
48175 + atomic_t refcount; /* Refcount for slab cache destroy */
48176 void (*ctor)(void *);
48177 int inuse; /* Offset to metadata */
48178 int align; /* Alignment */
48179 diff -urNp linux-2.6.38.1/include/linux/sonet.h linux-2.6.38.1/include/linux/sonet.h
48180 --- linux-2.6.38.1/include/linux/sonet.h 2011-03-14 21:20:32.000000000 -0400
48181 +++ linux-2.6.38.1/include/linux/sonet.h 2011-03-21 18:31:35.000000000 -0400
48182 @@ -61,7 +61,7 @@ struct sonet_stats {
48183 #include <asm/atomic.h>
48185 struct k_sonet_stats {
48186 -#define __HANDLE_ITEM(i) atomic_t i
48187 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
48189 #undef __HANDLE_ITEM
48191 diff -urNp linux-2.6.38.1/include/linux/sunrpc/clnt.h linux-2.6.38.1/include/linux/sunrpc/clnt.h
48192 --- linux-2.6.38.1/include/linux/sunrpc/clnt.h 2011-03-14 21:20:32.000000000 -0400
48193 +++ linux-2.6.38.1/include/linux/sunrpc/clnt.h 2011-03-21 18:31:35.000000000 -0400
48194 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
48196 switch (sap->sa_family) {
48198 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
48199 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
48201 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
48202 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
48206 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
48207 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
48208 const struct sockaddr *src)
48210 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
48211 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
48212 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
48214 dsin->sin_family = ssin->sin_family;
48215 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
48216 if (sa->sa_family != AF_INET6)
48219 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
48220 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
48223 #endif /* __KERNEL__ */
48224 diff -urNp linux-2.6.38.1/include/linux/suspend.h linux-2.6.38.1/include/linux/suspend.h
48225 --- linux-2.6.38.1/include/linux/suspend.h 2011-03-14 21:20:32.000000000 -0400
48226 +++ linux-2.6.38.1/include/linux/suspend.h 2011-03-21 18:31:35.000000000 -0400
48227 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
48228 * which require special recovery actions in that situation.
48230 struct platform_suspend_ops {
48231 - int (*valid)(suspend_state_t state);
48232 - int (*begin)(suspend_state_t state);
48233 - int (*prepare)(void);
48234 - int (*prepare_late)(void);
48235 - int (*enter)(suspend_state_t state);
48236 - void (*wake)(void);
48237 - void (*finish)(void);
48238 - void (*end)(void);
48239 - void (*recover)(void);
48240 + int (* const valid)(suspend_state_t state);
48241 + int (* const begin)(suspend_state_t state);
48242 + int (* const prepare)(void);
48243 + int (* const prepare_late)(void);
48244 + int (* const enter)(suspend_state_t state);
48245 + void (* const wake)(void);
48246 + void (* const finish)(void);
48247 + void (* const end)(void);
48248 + void (* const recover)(void);
48251 #ifdef CONFIG_SUSPEND
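Review bot: Making every member of `struct platform_suspend_ops` a `const` function pointer (the `int (* const valid)…` through `void (* const recover)…` lines) forbids assignment through the struct type at compile time, but it does not by itself put the table in read-only memory: a non-const object whose members are const still lives in writable data, so a runtime write primitive can overwrite the callbacks just as before. The hardening payoff therefore depends on each provider defining its instance as `const struct platform_suspend_ops` (or otherwise placing it in a read-only section), which this header cannot enforce and which the hunk does not document. A comment above the struct would record that contract: `/* callbacks are const: define instances as const so the table is placed in read-only memory, not just protected from assignment */`. The same consideration applies to the `platform_hibernation_ops` hunk below; the struct body here continues past the end of the hunk.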
48252 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
48253 * platforms which require special recovery actions in that situation.
48255 struct platform_hibernation_ops {
48256 - int (*begin)(void);
48257 - void (*end)(void);
48258 - int (*pre_snapshot)(void);
48259 - void (*finish)(void);
48260 - int (*prepare)(void);
48261 - int (*enter)(void);
48262 - void (*leave)(void);
48263 - int (*pre_restore)(void);
48264 - void (*restore_cleanup)(void);
48265 - void (*recover)(void);
48266 + int (* const begin)(void);
48267 + void (* const end)(void);
48268 + int (* const pre_snapshot)(void);
48269 + void (* const finish)(void);
48270 + int (* const prepare)(void);
48271 + int (* const enter)(void);
48272 + void (* const leave)(void);
48273 + int (* const pre_restore)(void);
48274 + void (* const restore_cleanup)(void);
48275 + void (* const recover)(void);
48278 #ifdef CONFIG_HIBERNATION
48279 diff -urNp linux-2.6.38.1/include/linux/sysctl.h linux-2.6.38.1/include/linux/sysctl.h
48280 --- linux-2.6.38.1/include/linux/sysctl.h 2011-03-14 21:20:32.000000000 -0400
48281 +++ linux-2.6.38.1/include/linux/sysctl.h 2011-03-21 18:31:35.000000000 -0400
48282 @@ -155,7 +155,11 @@ enum
48283 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
48287 +#ifdef CONFIG_PAX_SOFTMODE
48289 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
48293 /* CTL_VM names: */
48295 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
48297 extern int proc_dostring(struct ctl_table *, int,
48298 void __user *, size_t *, loff_t *);
48299 +extern int proc_dostring_modpriv(struct ctl_table *, int,
48300 + void __user *, size_t *, loff_t *);
48301 extern int proc_dointvec(struct ctl_table *, int,
48302 void __user *, size_t *, loff_t *);
48303 extern int proc_dointvec_minmax(struct ctl_table *, int,
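Review bot: `proc_dostring_modpriv` is declared right after `proc_dostring` with an identical signature and no comment saying how it differs, so the name is the only hint a ctl_table author gets — presumably a string handler whose write path is gated on module-loading privilege, but that has to be confirmed against the definition, which is not in this hunk. Because handlers are selected by name in ctl_table initializers and a wrong pick silently loosens or tightens a sysctl's access check, a one-line contract belongs here: `/* as proc_dostring, but writes require the module-loading privilege (see the definition) */`, adjusted to whatever the implementation actually checks. The enclosing declaration list starts before this hunk.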
48304 diff -urNp linux-2.6.38.1/include/linux/sysfs.h linux-2.6.38.1/include/linux/sysfs.h
48305 --- linux-2.6.38.1/include/linux/sysfs.h 2011-03-14 21:20:32.000000000 -0400
48306 +++ linux-2.6.38.1/include/linux/sysfs.h 2011-03-21 18:31:35.000000000 -0400
48307 @@ -110,8 +110,8 @@ struct bin_attribute {
48308 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
48311 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
48312 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
48313 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
48314 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
48317 struct sysfs_dirent;
48318 diff -urNp linux-2.6.38.1/include/linux/tty.h linux-2.6.38.1/include/linux/tty.h
48319 --- linux-2.6.38.1/include/linux/tty.h 2011-03-14 21:20:32.000000000 -0400
48320 +++ linux-2.6.38.1/include/linux/tty.h 2011-03-21 18:31:35.000000000 -0400
48322 #include <linux/tty_driver.h>
48323 #include <linux/tty_ldisc.h>
48324 #include <linux/mutex.h>
48325 +#include <linux/poll.h>
48326 +#include <linux/smp_lock.h>
48328 #include <asm/system.h>
48330 @@ -465,7 +467,6 @@ extern int tty_perform_flush(struct tty_
48331 extern dev_t tty_devnum(struct tty_struct *tty);
48332 extern void proc_clear_tty(struct task_struct *p);
48333 extern struct tty_struct *get_current_tty(void);
48334 -extern void tty_default_fops(struct file_operations *fops);
48335 extern struct tty_struct *alloc_tty_struct(void);
48336 extern int tty_add_file(struct tty_struct *tty, struct file *file);
48337 extern void free_tty_struct(struct tty_struct *tty);
48338 @@ -528,6 +529,18 @@ extern void tty_ldisc_begin(void);
48339 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
48340 extern void tty_ldisc_enable(struct tty_struct *tty);
48343 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
48344 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
48345 +extern unsigned int tty_poll(struct file *, poll_table *);
48346 +#ifdef CONFIG_COMPAT
48347 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
48348 + unsigned long arg);
48350 +#define tty_compat_ioctl NULL
48352 +extern int tty_release(struct inode *, struct file *);
48353 +extern int tty_fasync(int fd, struct file *filp, int on);
48356 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
48357 diff -urNp linux-2.6.38.1/include/linux/tty_ldisc.h linux-2.6.38.1/include/linux/tty_ldisc.h
48358 --- linux-2.6.38.1/include/linux/tty_ldisc.h 2011-03-14 21:20:32.000000000 -0400
48359 +++ linux-2.6.38.1/include/linux/tty_ldisc.h 2011-03-21 18:31:35.000000000 -0400
48360 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
48362 struct module *owner;
48365 + atomic_t refcount;
48369 diff -urNp linux-2.6.38.1/include/linux/types.h linux-2.6.38.1/include/linux/types.h
48370 --- linux-2.6.38.1/include/linux/types.h 2011-03-14 21:20:32.000000000 -0400
48371 +++ linux-2.6.38.1/include/linux/types.h 2011-03-21 18:31:35.000000000 -0400
48372 @@ -207,10 +207,26 @@ typedef struct {
48376 +#ifdef CONFIG_PAX_REFCOUNT
48379 +} atomic_unchecked_t;
48381 +typedef atomic_t atomic_unchecked_t;
48384 #ifdef CONFIG_64BIT
48389 +#ifdef CONFIG_PAX_REFCOUNT
48392 +} atomic64_unchecked_t;
48394 +typedef atomic64_t atomic64_unchecked_t;
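Review bot: When CONFIG_PAX_REFCOUNT is off, `atomic_unchecked_t` collapses to `typedef atomic_t atomic_unchecked_t;` (and `atomic64_unchecked_t` to `atomic64_t`), so a counter that this patch converts to the unchecked type can still be passed to the checked `atomic_*` helpers, and vice versa, without any diagnostic in a non-REFCOUNT build. A missed or mixed conversion therefore only shows up as a type error when building with CONFIG_PAX_REFCOUNT=y, which makes that configuration a necessary part of any build test for this tree. A comment on the fallback typedef would warn maintainers: `/* identical to atomic_t here: mixing checked and unchecked helpers is only diagnosed in a CONFIG_PAX_REFCOUNT build */`. Several `#ifdef`/`#else`/`#endif` lines of this hunk are not visible in this extraction.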
48399 diff -urNp linux-2.6.38.1/include/linux/uaccess.h linux-2.6.38.1/include/linux/uaccess.h
48400 --- linux-2.6.38.1/include/linux/uaccess.h 2011-03-14 21:20:32.000000000 -0400
48401 +++ linux-2.6.38.1/include/linux/uaccess.h 2011-03-21 18:31:35.000000000 -0400
48402 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
48404 mm_segment_t old_fs = get_fs(); \
48406 - set_fs(KERNEL_DS); \
48407 pagefault_disable(); \
48408 + set_fs(KERNEL_DS); \
48409 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
48410 - pagefault_enable(); \
48412 + pagefault_enable(); \
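Review bot: The reordering on the `set_fs(KERNEL_DS)` and `pagefault_enable()` lines nests the expanded address-limit window strictly inside the pagefault-disabled region (the restore to `old_fs`, not visible in this extraction, presumably sits between them), but nothing in the macro says the order matters, and a later cleanup could swap it back without noticing. If, as I believe for this kernel generation, `pagefault_disable()` raises the preempt count, the effect is that the task is never preemptible while KERNEL_DS is in force, which is worth stating: `/* set_fs(KERNEL_DS) must stay inside the pagefault_disable() region so the task is never preemptible with the kernel address limit in effect */`. The enclosing macro begins before this hunk.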
48416 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
48417 * Safely read from address @src to the buffer at @dst. If a kernel fault
48418 * happens, handle that and return -EFAULT.
48420 -extern long probe_kernel_read(void *dst, void *src, size_t size);
48421 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
48422 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
48423 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
48426 * probe_kernel_write(): safely attempt to write to a location
48427 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
48428 * Safely write to address @dst from the buffer at @src. If a kernel fault
48429 * happens, handle that and return -EFAULT.
48431 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
48432 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
48433 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
48434 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
48436 #endif /* __LINUX_UACCESS_H__ */
48437 diff -urNp linux-2.6.38.1/include/linux/unaligned/access_ok.h linux-2.6.38.1/include/linux/unaligned/access_ok.h
48438 --- linux-2.6.38.1/include/linux/unaligned/access_ok.h 2011-03-14 21:20:32.000000000 -0400
48439 +++ linux-2.6.38.1/include/linux/unaligned/access_ok.h 2011-03-21 18:31:35.000000000 -0400
48442 static inline u16 get_unaligned_le16(const void *p)
48444 - return le16_to_cpup((__le16 *)p);
48445 + return le16_to_cpup((const __le16 *)p);
48448 static inline u32 get_unaligned_le32(const void *p)
48450 - return le32_to_cpup((__le32 *)p);
48451 + return le32_to_cpup((const __le32 *)p);
48454 static inline u64 get_unaligned_le64(const void *p)
48456 - return le64_to_cpup((__le64 *)p);
48457 + return le64_to_cpup((const __le64 *)p);
48460 static inline u16 get_unaligned_be16(const void *p)
48462 - return be16_to_cpup((__be16 *)p);
48463 + return be16_to_cpup((const __be16 *)p);
48466 static inline u32 get_unaligned_be32(const void *p)
48468 - return be32_to_cpup((__be32 *)p);
48469 + return be32_to_cpup((const __be32 *)p);
48472 static inline u64 get_unaligned_be64(const void *p)
48474 - return be64_to_cpup((__be64 *)p);
48475 + return be64_to_cpup((const __be64 *)p);
48478 static inline void put_unaligned_le16(u16 val, void *p)
48479 diff -urNp linux-2.6.38.1/include/linux/usb/hcd.h linux-2.6.38.1/include/linux/usb/hcd.h
48480 --- linux-2.6.38.1/include/linux/usb/hcd.h 2011-03-23 17:20:08.000000000 -0400
48481 +++ linux-2.6.38.1/include/linux/usb/hcd.h 2011-03-23 17:21:51.000000000 -0400
48482 @@ -589,7 +589,7 @@ struct usb_mon_operations {
48483 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
48486 -extern struct usb_mon_operations *mon_ops;
48487 +extern const struct usb_mon_operations *mon_ops;
48489 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
48491 @@ -611,7 +611,7 @@ static inline void usbmon_urb_complete(s
48492 (*mon_ops->urb_complete)(bus, urb, status);
48495 -int usb_mon_register(struct usb_mon_operations *ops);
48496 +int usb_mon_register(const struct usb_mon_operations *ops);
48497 void usb_mon_deregister(void);
48500 diff -urNp linux-2.6.38.1/include/linux/vmalloc.h linux-2.6.38.1/include/linux/vmalloc.h
48501 --- linux-2.6.38.1/include/linux/vmalloc.h 2011-03-14 21:20:32.000000000 -0400
48502 +++ linux-2.6.38.1/include/linux/vmalloc.h 2011-03-21 18:31:35.000000000 -0400
48503 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
48504 #define VM_MAP 0x00000004 /* vmap()ed pages */
48505 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
48506 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
48508 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
48509 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
48512 /* bits [20..32] reserved for arch specific ioremap internals */
48515 @@ -123,4 +128,103 @@ struct vm_struct **pcpu_get_vm_areas(con
48516 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
48519 +#define vmalloc(x) \
48521 + void *___retval; \
48522 + intoverflow_t ___x = (intoverflow_t)x; \
48523 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
48524 + ___retval = NULL; \
48526 + ___retval = vmalloc((unsigned long)___x); \
48530 +#define vzalloc(x) \
48532 + void *___retval; \
48533 + intoverflow_t ___x = (intoverflow_t)x; \
48534 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
48535 + ___retval = NULL; \
48537 + ___retval = vzalloc((unsigned long)___x); \
48541 +#define __vmalloc(x, y, z) \
48543 + void *___retval; \
48544 + intoverflow_t ___x = (intoverflow_t)x; \
48545 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
48546 + ___retval = NULL; \
48548 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
48552 +#define vmalloc_user(x) \
48554 + void *___retval; \
48555 + intoverflow_t ___x = (intoverflow_t)x; \
48556 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
48557 + ___retval = NULL; \
48559 + ___retval = vmalloc_user((unsigned long)___x); \
48563 +#define vmalloc_exec(x) \
48565 + void *___retval; \
48566 + intoverflow_t ___x = (intoverflow_t)x; \
48567 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
48568 + ___retval = NULL; \
48570 + ___retval = vmalloc_exec((unsigned long)___x); \
48574 +#define vmalloc_node(x, y) \
48576 + void *___retval; \
48577 + intoverflow_t ___x = (intoverflow_t)x; \
48578 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
48579 + ___retval = NULL; \
48581 + ___retval = vmalloc_node((unsigned long)___x, (y));\
48585 +#define vzalloc_node(x, y) \
48587 + void *___retval; \
48588 + intoverflow_t ___x = (intoverflow_t)x; \
48589 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
48590 + ___retval = NULL; \
48592 + ___retval = vzalloc_node((unsigned long)___x, (y));\
48596 +#define vmalloc_32(x) \
48598 + void *___retval; \
48599 + intoverflow_t ___x = (intoverflow_t)x; \
48600 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
48601 + ___retval = NULL; \
48603 + ___retval = vmalloc_32((unsigned long)___x); \
48607 +#define vmalloc_32_user(x) \
48609 +void *___retval; \
48610 + intoverflow_t ___x = (intoverflow_t)x; \
48611 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
48612 + ___retval = NULL; \
48614 + ___retval = vmalloc_32_user((unsigned long)___x);\
48618 #endif /* _LINUX_VMALLOC_H */
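Review bot: In every wrapper the macro argument is used unparenthesized in `intoverflow_t ___x = (intoverflow_t)x;`, which reads like a violation of the parenthesize-every-argument rule but appears deliberate: the cast binds to the leading operand of `x`, so a size written as `n * sizeof(*p)` is multiplied in `intoverflow_t` and a product that wraps `unsigned long` is caught by the `___x > ULONG_MAX` WARN. That only covers the operand chain reached from the leading cast — a parenthesized product or a `a + b * c` still overflows in its own type and passes — and if `intoverflow_t` is signed (its definition is not in this hunk), a negative size is not flagged either, though it still reaches the real function as a huge value and fails there. This deserves a comment above the first wrapper, e.g. `/* x is deliberately not parenthesized: the cast widens its leading operand so the size arithmetic happens in intoverflow_t; only that operand chain is checked */`, plus a `___x < 0 ||` term in the WARN condition if the type is signed. The `void *___retval;` line in `vmalloc_32_user` is also misindented relative to the other wrappers.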
48619 diff -urNp linux-2.6.38.1/include/linux/vmstat.h linux-2.6.38.1/include/linux/vmstat.h
48620 --- linux-2.6.38.1/include/linux/vmstat.h 2011-03-14 21:20:32.000000000 -0400
48621 +++ linux-2.6.38.1/include/linux/vmstat.h 2011-03-21 18:31:35.000000000 -0400
48622 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
48624 * Zone based page accounting with per cpu differentials.
48626 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48627 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48629 static inline void zone_page_state_add(long x, struct zone *zone,
48630 enum zone_stat_item item)
48632 - atomic_long_add(x, &zone->vm_stat[item]);
48633 - atomic_long_add(x, &vm_stat[item]);
48634 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
48635 + atomic_long_add_unchecked(x, &vm_stat[item]);
48638 static inline unsigned long global_page_state(enum zone_stat_item item)
48640 - long x = atomic_long_read(&vm_stat[item]);
48641 + long x = atomic_long_read_unchecked(&vm_stat[item]);
48645 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
48646 static inline unsigned long zone_page_state(struct zone *zone,
48647 enum zone_stat_item item)
48649 - long x = atomic_long_read(&zone->vm_stat[item]);
48650 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48654 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
48655 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
48656 enum zone_stat_item item)
48658 - long x = atomic_long_read(&zone->vm_stat[item]);
48659 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48663 @@ -273,8 +273,8 @@ static inline void __mod_zone_page_state
48665 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
48667 - atomic_long_inc(&zone->vm_stat[item]);
48668 - atomic_long_inc(&vm_stat[item]);
48669 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
48670 + atomic_long_inc_unchecked(&vm_stat[item]);
48673 static inline void __inc_zone_page_state(struct page *page,
48674 @@ -285,8 +285,8 @@ static inline void __inc_zone_page_state
48676 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
48678 - atomic_long_dec(&zone->vm_stat[item]);
48679 - atomic_long_dec(&vm_stat[item]);
48680 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
48681 + atomic_long_dec_unchecked(&vm_stat[item]);
48684 static inline void __dec_zone_page_state(struct page *page,
48685 diff -urNp linux-2.6.38.1/include/net/inetpeer.h linux-2.6.38.1/include/net/inetpeer.h
48686 --- linux-2.6.38.1/include/net/inetpeer.h 2011-03-14 21:20:32.000000000 -0400
48687 +++ linux-2.6.38.1/include/net/inetpeer.h 2011-03-21 18:31:35.000000000 -0400
48688 @@ -38,8 +38,8 @@ struct inet_peer {
48692 - atomic_t rid; /* Frag reception counter */
48693 - atomic_t ip_id_count; /* IP ID for the next packet */
48694 + atomic_unchecked_t rid; /* Frag reception counter */
48695 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
48697 __u32 tcp_ts_stamp;
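Review bot: Switching `rid` and `ip_id_count` to `atomic_unchecked_t` exempts them from reference-count overflow detection, which is right for these two — `ip_id_count` feeds the `__u16` result of `inet_getid()` in the next hunk and is meant to wrap — but nothing in the struct records that, and a later "cleanup" back to `atomic_t` would turn ordinary traffic into overflow reports. Say it in the field comments: `atomic_unchecked_t ip_id_count; /* IP ID for the next packet; wraps by design, not a refcount */` and likewise `/* Frag reception counter; wraps by design */` for `rid`. The struct definition starts before this hunk.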
48699 @@ -88,7 +88,7 @@ static inline __u16 inet_getid(struct in
48702 inet_peer_refcheck(p);
48703 - return atomic_add_return(more, &p->ip_id_count) - more;
48704 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
48707 #endif /* _NET_INETPEER_H */
48708 diff -urNp linux-2.6.38.1/include/net/irda/ircomm_tty.h linux-2.6.38.1/include/net/irda/ircomm_tty.h
48709 --- linux-2.6.38.1/include/net/irda/ircomm_tty.h 2011-03-14 21:20:32.000000000 -0400
48710 +++ linux-2.6.38.1/include/net/irda/ircomm_tty.h 2011-03-21 18:31:35.000000000 -0400
48712 #include <linux/termios.h>
48713 #include <linux/timer.h>
48714 #include <linux/tty.h> /* struct tty_struct */
48715 +#include <asm/local.h>
48717 #include <net/irda/irias_object.h>
48718 #include <net/irda/ircomm_core.h>
48719 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
48720 unsigned short close_delay;
48721 unsigned short closing_wait; /* time to wait before closing */
48724 - int blocked_open; /* # of blocked opens */
48725 + local_t open_count;
48726 + local_t blocked_open; /* # of blocked opens */
48728 /* Protect concurent access to :
48729 * o self->open_count
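Review bot: `local_t` is the wrong primitive for `open_count` and `blocked_open`: it is documented for data modified only by the CPU that owns it, and on architectures that implement it without LOCK-prefixed instructions (x86, as I recall) it is not atomic across CPUs, while a tty open count is touched from whichever CPU opens or closes the device. The comment immediately below the fields (`Protect concurent access to: o self->open_count`) says a lock already serialises them, so correctness rests on that lock and `local_t` merely suggests an atomicity it does not provide. If the intent is only to keep these counters out of reference-count overflow checking, `atomic_unchecked_t` as used elsewhere in this patch states that directly: `atomic_unchecked_t open_count;` and `atomic_unchecked_t blocked_open; /* # of blocked opens */`, with the accessors updated to match. The removed declarations are not visible in this extraction, so the original type is presumed to be plain `int`.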
48730 diff -urNp linux-2.6.38.1/include/net/neighbour.h linux-2.6.38.1/include/net/neighbour.h
48731 --- linux-2.6.38.1/include/net/neighbour.h 2011-03-14 21:20:32.000000000 -0400
48732 +++ linux-2.6.38.1/include/net/neighbour.h 2011-03-21 18:31:35.000000000 -0400
48733 @@ -118,12 +118,12 @@ struct neighbour {
48737 - void (*solicit)(struct neighbour *, struct sk_buff*);
48738 - void (*error_report)(struct neighbour *, struct sk_buff*);
48739 - int (*output)(struct sk_buff*);
48740 - int (*connected_output)(struct sk_buff*);
48741 - int (*hh_output)(struct sk_buff*);
48742 - int (*queue_xmit)(struct sk_buff*);
48743 + void (* const solicit)(struct neighbour *, struct sk_buff*);
48744 + void (* const error_report)(struct neighbour *, struct sk_buff*);
48745 + int (* const output)(struct sk_buff*);
48746 + int (* const connected_output)(struct sk_buff*);
48747 + int (* const hh_output)(struct sk_buff*);
48748 + int (* const queue_xmit)(struct sk_buff*);
48751 struct pneigh_entry {
48752 diff -urNp linux-2.6.38.1/include/net/netlink.h linux-2.6.38.1/include/net/netlink.h
48753 --- linux-2.6.38.1/include/net/netlink.h 2011-03-14 21:20:32.000000000 -0400
48754 +++ linux-2.6.38.1/include/net/netlink.h 2011-03-21 18:31:35.000000000 -0400
48755 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
48756 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
48759 - skb_trim(skb, (unsigned char *) mark - skb->data);
48760 + skb_trim(skb, (const unsigned char *) mark - skb->data);
48764 diff -urNp linux-2.6.38.1/include/net/sctp/sctp.h linux-2.6.38.1/include/net/sctp/sctp.h
48765 --- linux-2.6.38.1/include/net/sctp/sctp.h 2011-03-14 21:20:32.000000000 -0400
48766 +++ linux-2.6.38.1/include/net/sctp/sctp.h 2011-03-21 18:31:35.000000000 -0400
48767 @@ -316,9 +316,9 @@ do { \
48769 #else /* SCTP_DEBUG */
48771 -#define SCTP_DEBUG_PRINTK(whatever...)
48772 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
48773 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
48774 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
48775 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
48776 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
48777 #define SCTP_ENABLE_DEBUG
48778 #define SCTP_DISABLE_DEBUG
48779 #define SCTP_ASSERT(expr, str, func)
48780 diff -urNp linux-2.6.38.1/include/net/tcp.h linux-2.6.38.1/include/net/tcp.h
48781 --- linux-2.6.38.1/include/net/tcp.h 2011-03-14 21:20:32.000000000 -0400
48782 +++ linux-2.6.38.1/include/net/tcp.h 2011-03-21 18:31:35.000000000 -0400
48783 @@ -1382,7 +1382,7 @@ enum tcp_seq_states {
48784 struct tcp_seq_afinfo {
48786 sa_family_t family;
48787 - struct file_operations seq_fops;
48788 + struct file_operations seq_fops; /* cannot be const */
48789 struct seq_operations seq_ops;
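Review bot: `/* cannot be const */` on `seq_fops` records the restriction but not the reason, which is exactly what the next person constifying `struct file_operations` across the tree needs; the field is presumably populated at registration time (the registration code is not in this hunk), and the comment should say so: `struct file_operations seq_fops; /* cannot be const: filled in at registration time */`. The identical comment added to `struct udp_seq_afinfo` below should be kept in step.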
48792 diff -urNp linux-2.6.38.1/include/net/udp.h linux-2.6.38.1/include/net/udp.h
48793 --- linux-2.6.38.1/include/net/udp.h 2011-03-14 21:20:32.000000000 -0400
48794 +++ linux-2.6.38.1/include/net/udp.h 2011-03-21 18:31:35.000000000 -0400
48795 @@ -223,7 +223,7 @@ struct udp_seq_afinfo {
48797 sa_family_t family;
48798 struct udp_table *udp_table;
48799 - struct file_operations seq_fops;
48800 + struct file_operations seq_fops; /* cannot be const */
48801 struct seq_operations seq_ops;
48804 diff -urNp linux-2.6.38.1/include/sound/ac97_codec.h linux-2.6.38.1/include/sound/ac97_codec.h
48805 --- linux-2.6.38.1/include/sound/ac97_codec.h 2011-03-14 21:20:32.000000000 -0400
48806 +++ linux-2.6.38.1/include/sound/ac97_codec.h 2011-03-21 18:31:35.000000000 -0400
48807 @@ -419,15 +419,15 @@
48810 struct snd_ac97_build_ops {
48811 - int (*build_3d) (struct snd_ac97 *ac97);
48812 - int (*build_specific) (struct snd_ac97 *ac97);
48813 - int (*build_spdif) (struct snd_ac97 *ac97);
48814 - int (*build_post_spdif) (struct snd_ac97 *ac97);
48815 + int (* const build_3d) (struct snd_ac97 *ac97);
48816 + int (* const build_specific) (struct snd_ac97 *ac97);
48817 + int (* const build_spdif) (struct snd_ac97 *ac97);
48818 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
48820 - void (*suspend) (struct snd_ac97 *ac97);
48821 - void (*resume) (struct snd_ac97 *ac97);
48822 + void (* const suspend) (struct snd_ac97 *ac97);
48823 + void (* const resume) (struct snd_ac97 *ac97);
48825 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48826 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48829 struct snd_ac97_bus_ops {
48830 diff -urNp linux-2.6.38.1/include/trace/events/irq.h linux-2.6.38.1/include/trace/events/irq.h
48831 --- linux-2.6.38.1/include/trace/events/irq.h 2011-03-14 21:20:32.000000000 -0400
48832 +++ linux-2.6.38.1/include/trace/events/irq.h 2011-03-21 18:31:35.000000000 -0400
48833 @@ -36,7 +36,7 @@ struct softirq_action;
48835 TRACE_EVENT(irq_handler_entry,
48837 - TP_PROTO(int irq, struct irqaction *action),
48838 + TP_PROTO(int irq, const struct irqaction *action),
48840 TP_ARGS(irq, action),
48842 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
48844 TRACE_EVENT(irq_handler_exit,
48846 - TP_PROTO(int irq, struct irqaction *action, int ret),
48847 + TP_PROTO(int irq, const struct irqaction *action, int ret),
48849 TP_ARGS(irq, action, ret),
48851 diff -urNp linux-2.6.38.1/include/video/uvesafb.h linux-2.6.38.1/include/video/uvesafb.h
48852 --- linux-2.6.38.1/include/video/uvesafb.h 2011-03-14 21:20:32.000000000 -0400
48853 +++ linux-2.6.38.1/include/video/uvesafb.h 2011-03-21 18:31:35.000000000 -0400
48854 @@ -177,6 +177,7 @@ struct uvesafb_par {
48855 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
48856 u8 pmi_setpal; /* PMI for palette changes */
48857 u16 *pmi_base; /* protected mode interface location */
48858 + u8 *pmi_code; /* protected mode code location */
48861 u8 *vbe_state_orig; /*
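Review bot: The new `u8 *pmi_code; /* protected mode code location */` sits beside `pmi_base; /* protected mode interface location */` with a comment that barely distinguishes the two, and nothing here says why the PMI code now needs a location of its own. Given the KERNEXEC changes elsewhere in this patch, the likely reason is that the VBE protected-mode entry points are copied into an executable mapping instead of being run in place from the data buffer they arrive in — that should be confirmed against the driver and then stated, together with who allocates and frees the buffer, e.g. `/* executable copy of the VBE PMI code (allocated/freed by the driver); pmi_base keeps pointing at the data copy */`. A dangling or mis-sized pointer here would be an executable region, so the ownership rule matters more than usual. The struct body continues past the end of the hunk.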
48862 diff -urNp linux-2.6.38.1/init/do_mounts.c linux-2.6.38.1/init/do_mounts.c
48863 --- linux-2.6.38.1/init/do_mounts.c 2011-03-14 21:20:32.000000000 -0400
48864 +++ linux-2.6.38.1/init/do_mounts.c 2011-03-21 18:31:35.000000000 -0400
48865 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
48867 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
48869 - int err = sys_mount(name, "/root", fs, flags, data);
48870 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
48874 @@ -382,18 +382,18 @@ void __init change_floppy(char *fmt, ...
48875 va_start(args, fmt);
48876 vsprintf(buf, fmt, args);
48878 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
48879 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
48881 sys_ioctl(fd, FDEJECT, 0);
48884 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
48885 - fd = sys_open("/dev/console", O_RDWR, 0);
48886 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
48888 sys_ioctl(fd, TCGETS, (long)&termios);
48889 termios.c_lflag &= ~ICANON;
48890 sys_ioctl(fd, TCSETSF, (long)&termios);
48891 - sys_read(fd, &c, 1);
48892 + sys_read(fd, (char __user *)&c, 1);
48893 termios.c_lflag |= ICANON;
48894 sys_ioctl(fd, TCSETSF, (long)&termios);
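Review bot: Two of the new casts in `change_floppy` lack `__force`: `sys_open((char __user *)"/dev/root", …)` and `sys_read(fd, (char __user *)&c, 1)`, whereas the `/dev/console` open two lines later and every other cast in this patch use `(__force … __user *)`. Without `__force`, sparse (as far as I know) still reports the address-space change on those two casts, which defeats the purpose of annotating them; make them `fd = sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. `change_floppy` begins before this hunk.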
48896 @@ -487,6 +487,6 @@ void __init prepare_namespace(void)
48899 devtmpfs_mount("dev");
48900 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48901 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48902 sys_chroot((const char __user __force *)".");
48904 diff -urNp linux-2.6.38.1/init/do_mounts.h linux-2.6.38.1/init/do_mounts.h
48905 --- linux-2.6.38.1/init/do_mounts.h 2011-03-14 21:20:32.000000000 -0400
48906 +++ linux-2.6.38.1/init/do_mounts.h 2011-03-21 18:31:35.000000000 -0400
48907 @@ -15,15 +15,15 @@ extern int root_mountflags;
48909 static inline int create_dev(char *name, dev_t dev)
48911 - sys_unlink(name);
48912 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
48913 + sys_unlink((__force char __user *)name);
48914 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
48917 #if BITS_PER_LONG == 32
48918 static inline u32 bstat(char *name)
48920 struct stat64 stat;
48921 - if (sys_stat64(name, &stat) != 0)
48922 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
48924 if (!S_ISBLK(stat.st_mode))
48926 diff -urNp linux-2.6.38.1/init/do_mounts_initrd.c linux-2.6.38.1/init/do_mounts_initrd.c
48927 --- linux-2.6.38.1/init/do_mounts_initrd.c 2011-03-14 21:20:32.000000000 -0400
48928 +++ linux-2.6.38.1/init/do_mounts_initrd.c 2011-03-21 18:31:35.000000000 -0400
48929 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
48930 create_dev("/dev/root.old", Root_RAM0);
48931 /* mount initrd on rootfs' /root */
48932 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
48933 - sys_mkdir("/old", 0700);
48934 - root_fd = sys_open("/", 0, 0);
48935 - old_fd = sys_open("/old", 0, 0);
48936 + sys_mkdir((__force const char __user *)"/old", 0700);
48937 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
48938 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
48939 /* move initrd over / and chdir/chroot in initrd root */
48940 - sys_chdir("/root");
48941 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48943 + sys_chdir((__force const char __user *)"/root");
48944 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48945 + sys_chroot((__force const char __user *)".");
48948 * In case that a resume from disk is carried out by linuxrc or one of
48949 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
48951 /* move initrd to rootfs' /old */
48952 sys_fchdir(old_fd);
48953 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
48954 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
48955 /* switch root and cwd back to / of rootfs */
48956 sys_fchdir(root_fd);
48958 + sys_chroot((__force const char __user *)".");
48960 sys_close(root_fd);
48962 if (new_decode_dev(real_root_dev) == Root_RAM0) {
48963 - sys_chdir("/old");
48964 + sys_chdir((__force const char __user *)"/old");
48968 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
48971 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
48972 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
48973 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
48977 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
48978 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
48979 if (error == -ENOENT)
48980 printk("/initrd does not exist. Ignored.\n");
48982 printk("failed\n");
48983 printk(KERN_NOTICE "Unmounting old root\n");
48984 - sys_umount("/old", MNT_DETACH);
48985 + sys_umount((__force char __user *)"/old", MNT_DETACH);
48986 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
48989 @@ -116,11 +116,11 @@ int __init initrd_load(void)
48990 * mounted in the normal path.
48992 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
48993 - sys_unlink("/initrd.image");
48994 + sys_unlink((__force const char __user *)"/initrd.image");
48999 - sys_unlink("/initrd.image");
49000 + sys_unlink((__force const char __user *)"/initrd.image");
49003 diff -urNp linux-2.6.38.1/init/do_mounts_md.c linux-2.6.38.1/init/do_mounts_md.c
49004 --- linux-2.6.38.1/init/do_mounts_md.c 2011-03-14 21:20:32.000000000 -0400
49005 +++ linux-2.6.38.1/init/do_mounts_md.c 2011-03-21 18:31:35.000000000 -0400
49006 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
49007 partitioned ? "_d" : "", minor,
49008 md_setup_args[ent].device_names);
49010 - fd = sys_open(name, 0, 0);
49011 + fd = sys_open((__force char __user *)name, 0, 0);
49013 printk(KERN_ERR "md: open failed - cannot start "
49014 "array %s\n", name);
49015 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
49019 - fd = sys_open(name, 0, 0);
49020 + fd = sys_open((__force char __user *)name, 0, 0);
49021 sys_ioctl(fd, BLKRRPART, 0);
49024 diff -urNp linux-2.6.38.1/init/initramfs.c linux-2.6.38.1/init/initramfs.c
49025 --- linux-2.6.38.1/init/initramfs.c 2011-03-14 21:20:32.000000000 -0400
49026 +++ linux-2.6.38.1/init/initramfs.c 2011-03-21 18:31:35.000000000 -0400
49027 @@ -74,7 +74,7 @@ static void __init free_hash(void)
49031 -static long __init do_utime(char __user *filename, time_t mtime)
49032 +static long __init do_utime(__force char __user *filename, time_t mtime)
49034 struct timespec t[2];
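Review bot: `__force` on a parameter declaration — `do_utime(__force char __user *filename, time_t mtime)` — is out of place: it is a cast qualifier that tells sparse to accept an address-space change at a conversion site and, as far as I know, does nothing on a declaration, while the callers in the later hunks already cast with `(__force char __user *)` at each call. Either keep the original prototype `static long __init do_utime(char __user *filename, time_t mtime)` and rely on the call-site casts, or take a plain `char *filename` and cast once inside; carrying both makes the annotation look as though it does something it does not. The function body continues past the end of the hunk.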
49036 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
49037 struct dir_entry *de, *tmp;
49038 list_for_each_entry_safe(de, tmp, &dir_list, list) {
49039 list_del(&de->list);
49040 - do_utime(de->name, de->mtime);
49041 + do_utime((__force char __user *)de->name, de->mtime);
49045 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
49047 char *old = find_link(major, minor, ino, mode, collected);
49049 - return (sys_link(old, collected) < 0) ? -1 : 1;
49050 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
49054 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
49058 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
49059 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
49060 if (S_ISDIR(st.st_mode))
49062 + sys_rmdir((__force char __user *)path);
49064 - sys_unlink(path);
49065 + sys_unlink((__force char __user *)path);
49069 @@ -305,7 +305,7 @@ static int __init do_name(void)
49070 int openflags = O_WRONLY|O_CREAT;
49072 openflags |= O_TRUNC;
49073 - wfd = sys_open(collected, openflags, mode);
49074 + wfd = sys_open((__force char __user *)collected, openflags, mode);
49077 sys_fchown(wfd, uid, gid);
49078 @@ -317,17 +317,17 @@ static int __init do_name(void)
49081 } else if (S_ISDIR(mode)) {
49082 - sys_mkdir(collected, mode);
49083 - sys_chown(collected, uid, gid);
49084 - sys_chmod(collected, mode);
49085 + sys_mkdir((__force char __user *)collected, mode);
49086 + sys_chown((__force char __user *)collected, uid, gid);
49087 + sys_chmod((__force char __user *)collected, mode);
49088 dir_add(collected, mtime);
49089 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
49090 S_ISFIFO(mode) || S_ISSOCK(mode)) {
49091 if (maybe_link() == 0) {
49092 - sys_mknod(collected, mode, rdev);
49093 - sys_chown(collected, uid, gid);
49094 - sys_chmod(collected, mode);
49095 - do_utime(collected, mtime);
49096 + sys_mknod((__force char __user *)collected, mode, rdev);
49097 + sys_chown((__force char __user *)collected, uid, gid);
49098 + sys_chmod((__force char __user *)collected, mode);
49099 + do_utime((__force char __user *)collected, mtime);
49103 @@ -336,15 +336,15 @@ static int __init do_name(void)
49104 static int __init do_copy(void)
49106 if (count >= body_len) {
49107 - sys_write(wfd, victim, body_len);
49108 + sys_write(wfd, (__force char __user *)victim, body_len);
49110 - do_utime(vcollected, mtime);
49111 + do_utime((__force char __user *)vcollected, mtime);
49117 - sys_write(wfd, victim, count);
49118 + sys_write(wfd, (__force char __user *)victim, count);
49122 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
49124 collected[N_ALIGN(name_len) + body_len] = '\0';
49125 clean_path(collected, 0);
49126 - sys_symlink(collected + N_ALIGN(name_len), collected);
49127 - sys_lchown(collected, uid, gid);
49128 - do_utime(collected, mtime);
49129 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
49130 + sys_lchown((__force char __user *)collected, uid, gid);
49131 + do_utime((__force char __user *)collected, mtime);
49133 next_state = Reset;
49135 diff -urNp linux-2.6.38.1/init/Kconfig linux-2.6.38.1/init/Kconfig
49136 --- linux-2.6.38.1/init/Kconfig 2011-03-14 21:20:32.000000000 -0400
49137 +++ linux-2.6.38.1/init/Kconfig 2011-03-21 18:31:35.000000000 -0400
49138 @@ -1185,7 +1185,7 @@ config SLUB_DEBUG
49141 bool "Disable heap randomization"
49145 Randomizing heap placement makes heap exploits harder, but it
49146 also breaks ancient binaries (including anything libc5 based).
49147 diff -urNp linux-2.6.38.1/init/main.c linux-2.6.38.1/init/main.c
49148 --- linux-2.6.38.1/init/main.c 2011-03-14 21:20:32.000000000 -0400
49149 +++ linux-2.6.38.1/init/main.c 2011-03-21 18:31:35.000000000 -0400
49150 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
49151 extern void tc_init(void);
49154 +extern void grsecurity_init(void);
49157 * Debug helper: via this flag we know that we are in 'early bootup code'
49158 * where only the boot processor is running with IRQ disabled. This means
49159 @@ -206,6 +208,47 @@ static int __init set_reset_devices(char
49161 __setup("reset_devices", set_reset_devices);
49163 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
49164 +extern char pax_enter_kernel_user[];
49165 +extern char pax_exit_kernel_user[];
49166 +extern pgdval_t clone_pgd_mask;
49169 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
49170 +static int __init setup_pax_nouderef(char *str)
49172 +#ifdef CONFIG_X86_32
49173 + unsigned int cpu;
49175 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
49176 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
49177 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
49178 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
49179 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
49181 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
49183 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
49184 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
49185 + clone_pgd_mask = ~(pgdval_t)0UL;
49190 +early_param("pax_nouderef", setup_pax_nouderef);
49193 +#ifdef CONFIG_PAX_SOFTMODE
49194 +unsigned int pax_softmode;
49196 +static int __init setup_pax_softmode(char *str)
49198 + get_option(&str, &pax_softmode);
49201 +__setup("pax_softmode=", setup_pax_softmode);
49204 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
49205 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
49206 static const char *panic_later, *panic_param;
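Review bot: `get_option(&str, &pax_softmode)` in setup_pax_softmode passes an `unsigned int *` where get_option() takes `int *`, a pointer-sign mismatch; read into a local `int val;` with `get_option(&str, &val);` and assign `pax_softmode = val;`, or declare the variable `int`. The return statements of both setup functions are on lines not visible here, so whether get_option()'s result is checked cannot be verified from this view. setup_pax_nouderef() rewrites kernel text without saying what it does; I would put `/* pax_nouderef: restore flat kernel/user segments and turn pax_{enter,exit}_kernel_user into a bare ret (0xc3) */` above the GDT loop, and add a line on why no pax_open_kernel() is needed for that write (presumably the text is still writable at early_param time even with KERNEXEC — confirm, since the kernel/jump_label.c hunk in this patch does wrap its text stores).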
49207 @@ -751,6 +794,7 @@ int __init_or_module do_one_initcall(ini
49209 int count = preempt_count();
49211 + const char *msg1 = "", *msg2 = "";
49213 if (initcall_debug)
49214 ret = do_one_initcall_debug(fn);
49215 @@ -763,15 +807,15 @@ int __init_or_module do_one_initcall(ini
49216 sprintf(msgbuf, "error code %d ", ret);
49218 if (preempt_count() != count) {
49219 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
49220 + msg1 = " preemption imbalance";
49221 preempt_count() = count;
49223 if (irqs_disabled()) {
49224 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
49225 + msg2 = " disabled interrupts";
49226 local_irq_enable();
49229 - printk("initcall %pF returned with %s\n", fn, msgbuf);
49230 + if (msgbuf[0] || *msg1 || *msg2) {
49231 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
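Review bot: The three message fragments now combine with inconsistent spacing: `sprintf(msgbuf, "error code %d ", ret)` on the first context line keeps a trailing blank while msg1/msg2 carry a leading one, so the output reads `error code -5  preemption imbalance` (two blanks) and, when msgbuf is empty, `returned with  preemption imbalance`. Give all three fragments a leading blank and move the separator out of the format: `sprintf(msgbuf, " error code %d", ret);` and `printk("initcall %pF returned with%s%s%s\n", fn, msgbuf, msg1, msg2);`. The end of the if-block and the function's return are outside the visible hunk.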
49235 @@ -898,7 +942,7 @@ static int __init kernel_init(void * unu
49238 /* Open the /dev/console on the rootfs, this should never fail */
49239 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
49240 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
49241 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
49244 @@ -911,11 +955,13 @@ static int __init kernel_init(void * unu
49245 if (!ramdisk_execute_command)
49246 ramdisk_execute_command = "/init";
49248 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
49249 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
49250 ramdisk_execute_command = NULL;
49251 prepare_namespace();
49254 + grsecurity_init();
49257 * Ok, we have completed the initial bootup, and
49258 * we're essentially up and running. Get rid of the
49259 diff -urNp linux-2.6.38.1/ipc/mqueue.c linux-2.6.38.1/ipc/mqueue.c
49260 --- linux-2.6.38.1/ipc/mqueue.c 2011-03-14 21:20:32.000000000 -0400
49261 +++ linux-2.6.38.1/ipc/mqueue.c 2011-03-21 18:31:35.000000000 -0400
49262 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
49263 mq_bytes = (mq_msg_tblsz +
49264 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
49266 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
49267 spin_lock(&mq_lock);
49268 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
49269 u->mq_bytes + mq_bytes >
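Review bot: The new gr_learn_resource() call reads and adds u->mq_bytes before spin_lock(&mq_lock) is taken on the next line, so it reports a value that is neither synchronised with concurrent queue creation nor protected against the wrap-around that the locked check on the following lines explicitly tests for. If gr_learn_resource() is safe to call under a spinlock, move it after the overflow/limit test so it learns the value that is actually charged; otherwise at least compute the sum once into a local and skip the report when it is smaller than u->mq_bytes. The rest of mqueue_get_inode() is outside the hunk.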
49270 diff -urNp linux-2.6.38.1/ipc/shm.c linux-2.6.38.1/ipc/shm.c
49271 --- linux-2.6.38.1/ipc/shm.c 2011-03-14 21:20:32.000000000 -0400
49272 +++ linux-2.6.38.1/ipc/shm.c 2011-03-21 18:31:35.000000000 -0400
49273 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
49274 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
49277 +#ifdef CONFIG_GRKERNSEC
49278 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49279 + const time_t shm_createtime, const uid_t cuid,
49280 + const int shmid);
49281 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49282 + const time_t shm_createtime);
49285 void shm_init_ns(struct ipc_namespace *ns)
49287 ns->shm_ctlmax = SHMMAX;
49288 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
49289 shp->shm_lprid = 0;
49290 shp->shm_atim = shp->shm_dtim = 0;
49291 shp->shm_ctim = get_seconds();
49292 +#ifdef CONFIG_GRKERNSEC
49294 + struct timespec timeval;
49295 + do_posix_clock_monotonic_gettime(&timeval);
49297 + shp->shm_createtime = timeval.tv_sec;
49300 shp->shm_segsz = size;
49301 shp->shm_nattch = 0;
49302 shp->shm_file = file;
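Review bot: shm_createtime is filled from do_posix_clock_monotonic_gettime(), i.e. CLOCK_MONOTONIC seconds, while shm_ctim on the line above comes from get_seconds() (wall clock); nothing records this, and a later reader will be tempted to compare or print the two together. Add `/* CLOCK_MONOTONIC seconds, unlike the wall-clock shm_ctim above; only meaningful relative to other monotonic stamps */` beside the assignment. The braces of the block and its #endif are on lines not visible here.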
49303 @@ -761,8 +777,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
49307 - struct file *uninitialized_var(shm_file);
49309 lru_add_drain_all(); /* drain pagevecs to lru lists */
49311 shp = shm_lock_check(ns, shmid);
49312 @@ -895,9 +909,21 @@ long do_shmat(int shmid, char __user *sh
49316 +#ifdef CONFIG_GRKERNSEC
49317 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
49318 + shp->shm_perm.cuid, shmid) ||
49319 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
49325 path = shp->shm_file->f_path;
49328 +#ifdef CONFIG_GRKERNSEC
49329 + shp->shm_lapid = current->pid;
49331 size = i_size_read(path.dentry->d_inode);
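Review bot: `shp->shm_lapid = current->pid;` stores the global thread id, whereas the kernel's own last-operation pid fields in this file are presumably (outside the hunk) set with task_tgid_vnr(current); pick one convention and document it, either `shp->shm_lapid = task_tgid_vnr(current); /* attaching process, in its own pid namespace */` if gr_handle_shmat() expects that, or a comment stating that the global id is intentional. The failure branch of the gr_handle_shmat()/gr_chroot_shmat() test is on lines not visible here, so the error returned and whether the segment lock is dropped cannot be checked from this view. The extern prototypes added by this file's `@@ -69` hunk belong in a grsecurity header so the declarations cannot drift from their definitions.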
49334 diff -urNp linux-2.6.38.1/kernel/acct.c linux-2.6.38.1/kernel/acct.c
49335 --- linux-2.6.38.1/kernel/acct.c 2011-03-14 21:20:32.000000000 -0400
49336 +++ linux-2.6.38.1/kernel/acct.c 2011-03-21 18:31:35.000000000 -0400
49337 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
49339 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
49340 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
49341 - file->f_op->write(file, (char *)&ac,
49342 + file->f_op->write(file, (__force char __user *)&ac,
49343 sizeof(acct_t), &file->f_pos);
49344 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
49346 diff -urNp linux-2.6.38.1/kernel/capability.c linux-2.6.38.1/kernel/capability.c
49347 --- linux-2.6.38.1/kernel/capability.c 2011-03-14 21:20:32.000000000 -0400
49348 +++ linux-2.6.38.1/kernel/capability.c 2011-03-21 18:31:35.000000000 -0400
49349 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
49350 * before modification is attempted and the application
49353 + if (tocopy > ARRAY_SIZE(kdata))
49356 if (copy_to_user(dataptr, kdata, tocopy
49357 * sizeof(struct __user_cap_data_struct))) {
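Review bot: The added `tocopy > ARRAY_SIZE(kdata)` guard bounds the copy_to_user() length, but its rejection path is on a line not visible here, so the error code it returns cannot be checked. tocopy is presumably derived from the validated header magic earlier in the function, which makes this defence in depth rather than the primary validation; say so with `/* tocopy is bounded by the validated header magic; guard the copy anyway */` so the check is neither removed later as redundant nor mistaken for the main check.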
49359 @@ -306,10 +309,26 @@ int capable(int cap)
49363 - if (security_capable(current_cred(), cap) == 0) {
49364 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) {
49365 current->flags |= PF_SUPERPRIV;
49371 +int capable_nolog(int cap)
49373 + if (unlikely(!cap_valid(cap))) {
49374 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
49378 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
49379 + current->flags |= PF_SUPERPRIV;
49385 EXPORT_SYMBOL(capable);
49386 +EXPORT_SYMBOL(capable_nolog);
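Review bot: The KERN_CRIT message inside the new capable_nolog() still says `capable() called with invalid cap=%u`, so a report from the no-log variant points at the wrong function; use `printk(KERN_CRIT "%s() called with invalid cap=%u\n", __func__, cap);` here and in capable(). Apart from the gr_is_capable()/gr_is_capable_nolog() call the body duplicates capable(), so a static helper taking the cap and a `bool log` flag, with both exported functions as one-line wrappers, would keep the two from drifting. The return paths of both functions are on lines not visible here.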
49387 diff -urNp linux-2.6.38.1/kernel/compat.c linux-2.6.38.1/kernel/compat.c
49388 --- linux-2.6.38.1/kernel/compat.c 2011-03-14 21:20:32.000000000 -0400
49389 +++ linux-2.6.38.1/kernel/compat.c 2011-03-21 18:31:35.000000000 -0400
49392 #include <linux/linkage.h>
49393 #include <linux/compat.h>
49394 +#include <linux/module.h>
49395 #include <linux/errno.h>
49396 #include <linux/time.h>
49397 #include <linux/signal.h>
49398 diff -urNp linux-2.6.38.1/kernel/configs.c linux-2.6.38.1/kernel/configs.c
49399 --- linux-2.6.38.1/kernel/configs.c 2011-03-14 21:20:32.000000000 -0400
49400 +++ linux-2.6.38.1/kernel/configs.c 2011-03-21 18:31:35.000000000 -0400
49401 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
49402 struct proc_dir_entry *entry;
49404 /* create the current config file */
49405 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
49406 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
49407 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
49408 + &ikconfig_file_ops);
49409 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49410 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
49411 + &ikconfig_file_ops);
49414 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
49415 &ikconfig_file_ops);
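Review bot: Three proc_create() calls that differ only in the mode bits are selected by nested #if blocks, which makes the entry name and file_ops easy to get out of sync. Compute the mode once — `mode_t mode = S_IFREG | S_IRUGO;` overridden to `S_IFREG | S_IRUSR` or `S_IFREG | S_IRUSR | S_IRGRP` under the respective CONFIG_GRKERNSEC_* conditions — and keep a single `entry = proc_create("config.gz", mode, NULL, &ikconfig_file_ops);`. The inner #else/#endif lines of the block are not visible here.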
49421 diff -urNp linux-2.6.38.1/kernel/cred.c linux-2.6.38.1/kernel/cred.c
49422 --- linux-2.6.38.1/kernel/cred.c 2011-03-14 21:20:32.000000000 -0400
49423 +++ linux-2.6.38.1/kernel/cred.c 2011-03-21 18:31:35.000000000 -0400
49424 @@ -483,6 +483,8 @@ int commit_creds(struct cred *new)
49426 get_cred(new); /* we will require a ref for the subj creds too */
49428 + gr_set_role_label(task, new->uid, new->gid);
49430 /* dumpability changes */
49431 if (old->euid != new->euid ||
49432 old->egid != new->egid ||
49433 diff -urNp linux-2.6.38.1/kernel/debug/debug_core.c linux-2.6.38.1/kernel/debug/debug_core.c
49434 --- linux-2.6.38.1/kernel/debug/debug_core.c 2011-03-14 21:20:32.000000000 -0400
49435 +++ linux-2.6.38.1/kernel/debug/debug_core.c 2011-03-21 18:31:35.000000000 -0400
49436 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
49437 /* Guard for recursive entry */
49438 static int exception_level;
49440 -struct kgdb_io *dbg_io_ops;
49441 +const struct kgdb_io *dbg_io_ops;
49442 static DEFINE_SPINLOCK(kgdb_registration_lock);
49444 /* kgdb console driver is loaded */
49445 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
49447 * Register it with the KGDB core.
49449 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
49450 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
49454 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
49456 * Unregister it with the KGDB core.
49458 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
49459 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
49461 BUG_ON(kgdb_connected);
49463 diff -urNp linux-2.6.38.1/kernel/debug/kdb/kdb_main.c linux-2.6.38.1/kernel/debug/kdb/kdb_main.c
49464 --- linux-2.6.38.1/kernel/debug/kdb/kdb_main.c 2011-03-14 21:20:32.000000000 -0400
49465 +++ linux-2.6.38.1/kernel/debug/kdb/kdb_main.c 2011-03-21 18:31:35.000000000 -0400
49466 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
49467 list_for_each_entry(mod, kdb_modules, list) {
49469 kdb_printf("%-20s%8u 0x%p ", mod->name,
49470 - mod->core_size, (void *)mod);
49471 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
49472 #ifdef CONFIG_MODULE_UNLOAD
49473 kdb_printf("%4d ", module_refcount(mod));
49475 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
49476 kdb_printf(" (Loading)");
49478 kdb_printf(" (Live)");
49479 - kdb_printf(" 0x%p", mod->module_core);
49480 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
49482 #ifdef CONFIG_MODULE_UNLOAD
49484 diff -urNp linux-2.6.38.1/kernel/exit.c linux-2.6.38.1/kernel/exit.c
49485 --- linux-2.6.38.1/kernel/exit.c 2011-03-14 21:20:32.000000000 -0400
49486 +++ linux-2.6.38.1/kernel/exit.c 2011-03-21 18:31:35.000000000 -0400
49488 #include <asm/pgtable.h>
49489 #include <asm/mmu_context.h>
49491 +#ifdef CONFIG_GRKERNSEC
49492 +extern rwlock_t grsec_exec_file_lock;
49495 static void exit_mm(struct task_struct * tsk);
49497 static void __unhash_process(struct task_struct *p, bool group_dead)
49498 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
49499 struct task_struct *leader;
49502 + gr_del_task_from_ip_table(p);
49504 tracehook_prepare_release_task(p);
49505 /* don't need to get the RCU readlock here - the process is dead and
49506 * can't be modifying its own credentials. But shut RCU-lockdep up */
49507 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
49509 write_lock_irq(&tasklist_lock);
49511 +#ifdef CONFIG_GRKERNSEC
49512 + write_lock(&grsec_exec_file_lock);
49513 + if (current->exec_file) {
49514 + fput(current->exec_file);
49515 + current->exec_file = NULL;
49517 + write_unlock(&grsec_exec_file_lock);
49520 ptrace_unlink(current);
49521 /* Reparent to init */
49522 current->real_parent = current->parent = kthreadd_task;
49523 list_move_tail(¤t->sibling, ¤t->real_parent->children);
49525 + gr_set_kernel_label(current);
49527 /* Set the exit signal to SIGCHLD so we signal init on exit */
49528 current->exit_signal = SIGCHLD;
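Review bot: The exec_file release block inserted after write_lock_irq(&tasklist_lock) calls fput() while holding grsec_exec_file_lock and, here, tasklist_lock with interrupts disabled; if this is the last reference fput() runs __fput(), which presumably can sleep in this tree (confirm), so the file should be detached under the lock and released after unlocking. The same block is repeated verbatim in the daemonize() hunk (`@@ -430,6 +447,17`), and if daemonize() still ends by calling reparent_to_kthreadd() the second copy only ever sees a NULL exec_file. Factor it into one static helper that swaps the pointer out under the lock and calls fput() outside it, and invoke that helper before write_lock_irq(&tasklist_lock) in reparent_to_kthreadd(). The rest of both functions lies outside the hunks.
```c
#ifdef CONFIG_GRKERNSEC
/* Detach and release the task's exec_file; fput() runs outside the rwlock. */
static void grsec_drop_exec_file(struct task_struct *tsk)
{
	struct file *exec_file;

	write_lock(&grsec_exec_file_lock);
	exec_file = tsk->exec_file;
	tsk->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	if (exec_file)
		fput(exec_file);
}
#endif

static void reparent_to_kthreadd(void)
{
	/* … unchanged: start of function … */
#ifdef CONFIG_GRKERNSEC
	grsec_drop_exec_file(current);
#endif
	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink, reparent, gr_set_kernel_label … */
```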
49530 @@ -394,7 +411,7 @@ int allow_signal(int sig)
49531 * know it'll be handled, so that they don't get converted to
49532 * SIGKILL or just silently dropped.
49534 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
49535 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
49536 recalc_sigpending();
49537 spin_unlock_irq(¤t->sighand->siglock);
49539 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
49540 vsnprintf(current->comm, sizeof(current->comm), name, args);
49543 +#ifdef CONFIG_GRKERNSEC
49544 + write_lock(&grsec_exec_file_lock);
49545 + if (current->exec_file) {
49546 + fput(current->exec_file);
49547 + current->exec_file = NULL;
49549 + write_unlock(&grsec_exec_file_lock);
49552 + gr_set_kernel_label(current);
49555 * If we were started as result of loading a module, close all of the
49556 * user space pages. We don't need them, and if we didn't close them
49557 @@ -905,17 +933,17 @@ NORET_TYPE void do_exit(long code)
49558 struct task_struct *tsk = current;
49561 - profile_task_exit(tsk);
49563 - WARN_ON(atomic_read(&tsk->fs_excl));
49566 + * Check this first since set_fs() below depends on
49567 + * current_thread_info(), which we better not access when we're in
49568 + * interrupt context. Other than that, we want to do the set_fs()
49569 + * as early as possible.
49571 if (unlikely(in_interrupt()))
49572 panic("Aiee, killing interrupt handler!");
49573 - if (unlikely(!tsk->pid))
49574 - panic("Attempted to kill the idle task!");
49577 - * If do_exit is called because this processes oopsed, it's possible
49578 + * If do_exit is called because this processes Oops'ed, it's possible
49579 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
49580 * continuing. Amongst other possible reasons, this is to prevent
49581 * mm_release()->clear_child_tid() from writing to a user-controlled
49582 @@ -923,6 +951,13 @@ NORET_TYPE void do_exit(long code)
49586 + profile_task_exit(tsk);
49588 + WARN_ON(atomic_read(&tsk->fs_excl));
49590 + if (unlikely(!tsk->pid))
49591 + panic("Attempted to kill the idle task!");
49593 tracehook_report_exit(&code);
49595 validate_creds_for_do_exit(tsk);
49596 @@ -983,6 +1018,9 @@ NORET_TYPE void do_exit(long code)
49597 tsk->exit_code = code;
49598 taskstats_exit(tsk, group_dead);
49600 + gr_acl_handle_psacct(tsk, code);
49601 + gr_acl_handle_exit();
49606 diff -urNp linux-2.6.38.1/kernel/fork.c linux-2.6.38.1/kernel/fork.c
49607 --- linux-2.6.38.1/kernel/fork.c 2011-03-14 21:20:32.000000000 -0400
49608 +++ linux-2.6.38.1/kernel/fork.c 2011-03-21 18:31:35.000000000 -0400
49609 @@ -280,7 +280,7 @@ static struct task_struct *dup_task_stru
49610 *stackend = STACK_END_MAGIC; /* for overflow detection */
49612 #ifdef CONFIG_CC_STACKPROTECTOR
49613 - tsk->stack_canary = get_random_int();
49614 + tsk->stack_canary = pax_get_random_long();
49617 /* One for us, one for whoever does the "release_task()" (usually parent) */
49618 @@ -302,13 +302,78 @@ out:
49622 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
49624 + struct vm_area_struct *tmp;
49625 + unsigned long charge;
49626 + struct mempolicy *pol;
49627 + struct file *file;
49630 + if (mpnt->vm_flags & VM_ACCOUNT) {
49631 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49632 + if (security_vm_enough_memory(len))
49636 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49641 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
49642 + pol = mpol_dup(vma_policy(mpnt));
49644 + goto fail_nomem_policy;
49645 + vma_set_policy(tmp, pol);
49646 + if (anon_vma_fork(tmp, mpnt))
49647 + goto fail_nomem_anon_vma_fork;
49648 + tmp->vm_flags &= ~VM_LOCKED;
49649 + tmp->vm_next = tmp->vm_prev = NULL;
49650 + tmp->vm_mirror = NULL;
49651 + file = tmp->vm_file;
49653 + struct inode *inode = file->f_path.dentry->d_inode;
49654 + struct address_space *mapping = file->f_mapping;
49657 + if (tmp->vm_flags & VM_DENYWRITE)
49658 + atomic_dec(&inode->i_writecount);
49659 + spin_lock(&mapping->i_mmap_lock);
49660 + if (tmp->vm_flags & VM_SHARED)
49661 + mapping->i_mmap_writable++;
49662 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
49663 + flush_dcache_mmap_lock(mapping);
49664 + /* insert tmp into the share list, just after mpnt */
49665 + vma_prio_tree_add(tmp, mpnt);
49666 + flush_dcache_mmap_unlock(mapping);
49667 + spin_unlock(&mapping->i_mmap_lock);
49671 + * Clear hugetlb-related page reserves for children. This only
49672 + * affects MAP_PRIVATE mappings. Faults generated by the child
49673 + * are not guaranteed to succeed, even if read-only
49675 + if (is_vm_hugetlb_page(tmp))
49676 + reset_vma_resv_huge_pages(tmp);
49680 +fail_nomem_anon_vma_fork:
49682 +fail_nomem_policy:
49683 + kmem_cache_free(vm_area_cachep, tmp);
49685 + vm_unacct_memory(charge);
49689 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
49691 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
49692 struct rb_node **rb_link, *rb_parent;
49694 - unsigned long charge;
49695 - struct mempolicy *pol;
49697 down_write(&oldmm->mmap_sem);
49698 flush_cache_dup_mm(oldmm);
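Review bot: dup_vma() returns NULL for every failure and dup_mmap() (hunk `@@ -346,56 +409,13`) turns that into a blanket `retval = -ENOMEM;`, whereas the removed code propagated `retval = PTR_ERR(pol)` from mpol_dup(); if mpol_dup() can fail with anything but -ENOMEM that error is now misreported, so returning ERR_PTR() from dup_vma() and testing IS_ERR() in the caller would preserve the original behaviour. The new function also has no header comment; document that it allocates a private copy of `mpnt` for `mm`, charges VM_ACCOUNT memory, duplicates the mempolicy and anon_vma, inserts the copy into the file's i_mmap tree and resets hugetlb reserves, that it is called with oldmm->mmap_sem held for write, and that the returned vma has vm_next/vm_prev/vm_mirror cleared for the caller to link. The `charge` accounting and the fail_nomem label are on lines not visible here.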
49699 @@ -320,8 +385,8 @@ static int dup_mmap(struct mm_struct *mm
49702 mm->mmap_cache = NULL;
49703 - mm->free_area_cache = oldmm->mmap_base;
49704 - mm->cached_hole_size = ~0UL;
49705 + mm->free_area_cache = oldmm->free_area_cache;
49706 + mm->cached_hole_size = oldmm->cached_hole_size;
49708 cpumask_clear(mm_cpumask(mm));
49709 mm->mm_rb = RB_ROOT;
49710 @@ -337,8 +402,6 @@ static int dup_mmap(struct mm_struct *mm
49713 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
49714 - struct file *file;
49716 if (mpnt->vm_flags & VM_DONTCOPY) {
49717 long pages = vma_pages(mpnt);
49718 mm->total_vm -= pages;
49719 @@ -346,56 +409,13 @@ static int dup_mmap(struct mm_struct *mm
49724 - if (mpnt->vm_flags & VM_ACCOUNT) {
49725 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49726 - if (security_vm_enough_memory(len))
49730 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49734 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
49735 - pol = mpol_dup(vma_policy(mpnt));
49736 - retval = PTR_ERR(pol);
49738 - goto fail_nomem_policy;
49739 - vma_set_policy(tmp, pol);
49741 - if (anon_vma_fork(tmp, mpnt))
49742 - goto fail_nomem_anon_vma_fork;
49743 - tmp->vm_flags &= ~VM_LOCKED;
49744 - tmp->vm_next = tmp->vm_prev = NULL;
49745 - file = tmp->vm_file;
49747 - struct inode *inode = file->f_path.dentry->d_inode;
49748 - struct address_space *mapping = file->f_mapping;
49751 - if (tmp->vm_flags & VM_DENYWRITE)
49752 - atomic_dec(&inode->i_writecount);
49753 - spin_lock(&mapping->i_mmap_lock);
49754 - if (tmp->vm_flags & VM_SHARED)
49755 - mapping->i_mmap_writable++;
49756 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
49757 - flush_dcache_mmap_lock(mapping);
49758 - /* insert tmp into the share list, just after mpnt */
49759 - vma_prio_tree_add(tmp, mpnt);
49760 - flush_dcache_mmap_unlock(mapping);
49761 - spin_unlock(&mapping->i_mmap_lock);
49762 + tmp = dup_vma(mm, mpnt);
49764 + retval = -ENOMEM;
49769 - * Clear hugetlb-related page reserves for children. This only
49770 - * affects MAP_PRIVATE mappings. Faults generated by the child
49771 - * are not guaranteed to succeed, even if read-only
49773 - if (is_vm_hugetlb_page(tmp))
49774 - reset_vma_resv_huge_pages(tmp);
49777 * Link in the new vma and copy the page table entries.
49780 @@ -416,6 +436,31 @@ static int dup_mmap(struct mm_struct *mm
49785 +#ifdef CONFIG_PAX_SEGMEXEC
49786 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
49787 + struct vm_area_struct *mpnt_m;
49789 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
49790 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
49792 + if (!mpnt->vm_mirror)
49795 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
49796 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
49797 + mpnt->vm_mirror = mpnt_m;
49799 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
49800 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
49801 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
49802 + mpnt->vm_mirror->vm_mirror = mpnt;
49809 /* a new mm has just been created */
49810 arch_dup_mmap(oldmm, mm);
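Review bot: The SEGMEXEC mirror fix-up loop is undocumented and relies on a non-obvious trick: for a vma below SEGMEXEC_TASK_SIZE it temporarily writes the child vma into the parent's `mpnt->vm_mirror` (`mpnt->vm_mirror = mpnt_m;`), and when the upper-half twin is reached it reads that pointer back through `mpnt->vm_mirror->vm_mirror`, links the two child vmas and restores the parent's pointer with `mpnt->vm_mirror->vm_mirror = mpnt;`. A comment above the loop should state that the parent's vm_mirror fields serve as scratch and are intact again when the loop ends, that this is only safe because oldmm->mmap_sem is held for write for the whole of dup_mmap(), and that the BUG_ON()s assert the two vma lists advance in lock-step. The `continue` for unmirrored vmas and the closing braces are on lines not visible here.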
49812 @@ -424,14 +469,6 @@ out:
49813 flush_tlb_mm(oldmm);
49814 up_write(&oldmm->mmap_sem);
49816 -fail_nomem_anon_vma_fork:
49818 -fail_nomem_policy:
49819 - kmem_cache_free(vm_area_cachep, tmp);
49821 - retval = -ENOMEM;
49822 - vm_unacct_memory(charge);
49826 static inline int mm_alloc_pgd(struct mm_struct * mm)
49827 @@ -778,13 +815,14 @@ static int copy_fs(unsigned long clone_f
49828 spin_unlock(&fs->lock);
49832 + atomic_inc(&fs->users);
49833 spin_unlock(&fs->lock);
49836 tsk->fs = copy_fs_struct(fs);
49839 + gr_set_chroot_entries(tsk, &tsk->fs->root);
49843 @@ -1042,10 +1080,13 @@ static struct task_struct *copy_process(
49845 if (!vx_nproc_avail(1))
49846 goto bad_fork_free;
49848 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
49850 if (atomic_read(&p->real_cred->user->processes) >=
49851 task_rlimit(p, RLIMIT_NPROC)) {
49852 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
49853 - p->real_cred->user != INIT_USER)
49854 + if (p->real_cred->user != INIT_USER &&
49855 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
49856 goto bad_fork_free;
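Review bot: The reordered RLIMIT_NPROC test now checks `p->real_cred->user != INIT_USER` before calling capable(), which matters because capable() has side effects — it sets PF_SUPERPRIV (see the kernel/capability.c hunk in this patch) and, via gr_is_capable(), may log — and the old order paid those for every root fork that hit the limit. Preserve that reasoning in a one-line comment so the order is not "tidied" back: `/* test INIT_USER first: capable() sets PF_SUPERPRIV and may log a denial */`. The surrounding copy_process() body is outside the hunk.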
49859 @@ -1199,6 +1240,8 @@ static struct task_struct *copy_process(
49860 goto bad_fork_free_pid;
49863 + gr_copy_label(p);
49865 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
49867 * Clear TID on mm_release()?
49868 @@ -1356,6 +1399,8 @@ bad_fork_cleanup_count:
49872 + gr_log_forkfail(retval);
49874 return ERR_PTR(retval);
49877 @@ -1444,6 +1489,8 @@ long do_fork(unsigned long clone_flags,
49878 if (clone_flags & CLONE_PARENT_SETTID)
49879 put_user(nr, parent_tidptr);
49881 + gr_handle_brute_check();
49883 if (clone_flags & CLONE_VFORK) {
49884 p->vfork_done = &vfork;
49885 init_completion(&vfork);
49886 @@ -1559,7 +1606,7 @@ static int unshare_fs(unsigned long unsh
49889 /* don't need lock here; in the worst case we'll do useless copy */
49890 - if (fs->users == 1)
49891 + if (atomic_read(&fs->users) == 1)
49894 *new_fsp = copy_fs_struct(fs);
49895 @@ -1682,7 +1729,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
49897 spin_lock(&fs->lock);
49898 current->fs = new_fs;
49900 + gr_set_chroot_entries(current, ¤t->fs->root);
49901 + if (atomic_dec_return(&fs->users))
49905 diff -urNp linux-2.6.38.1/kernel/futex.c linux-2.6.38.1/kernel/futex.c
49906 --- linux-2.6.38.1/kernel/futex.c 2011-03-14 21:20:32.000000000 -0400
49907 +++ linux-2.6.38.1/kernel/futex.c 2011-03-21 18:31:35.000000000 -0400
49909 #include <linux/mount.h>
49910 #include <linux/pagemap.h>
49911 #include <linux/syscalls.h>
49912 +#include <linux/ptrace.h>
49913 #include <linux/signal.h>
49914 #include <linux/module.h>
49915 #include <linux/magic.h>
49916 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
49917 struct page *page, *page_head;
49920 +#ifdef CONFIG_PAX_SEGMEXEC
49921 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
49926 * The futex address must be "naturally" aligned.
49928 @@ -2404,7 +2410,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49930 struct robust_list_head __user *head;
49932 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49933 const struct cred *cred = current_cred(), *pcred;
49936 if (!futex_cmpxchg_enabled)
49938 @@ -2420,11 +2428,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49942 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49943 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49946 pcred = __task_cred(p);
49947 if (cred->euid != pcred->euid &&
49948 cred->euid != pcred->uid &&
49949 !capable(CAP_SYS_PTRACE))
49952 head = p->robust_list;
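Review bot: Under CONFIG_GRKERNSEC_PROC_MEMMAP the euid comparison is replaced by ptrace_may_access(p, PTRACE_MODE_READ), the stronger check (it also considers dumpability and the LSM hook); since it subsumes the cred test, making it unconditional and dropping the `#ifndef` around the `cred`/`pcred` declarations in the `@@ -2404` hunk would remove two ifdef blocks without weakening the non-grsecurity configuration. The same pattern is in kernel/futex_compat.c (`@@ -152,11 +156,16`), where the cred declaration is additionally split across two lines unlike here — keep the two copies identical. The rcu_read_lock() that this lookup presumably runs under is taken on lines outside the hunk.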
49955 @@ -2667,6 +2680,7 @@ static int __init futex_init(void)
49959 + mm_segment_t oldfs;
49962 * This will fail and we want it. Some arch implementations do
49963 @@ -2678,7 +2692,10 @@ static int __init futex_init(void)
49964 * implementation, the non-functional ones will return
49967 + oldfs = get_fs();
49969 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
49971 if (curval == -EFAULT)
49972 futex_cmpxchg_enabled = 1;
49974 diff -urNp linux-2.6.38.1/kernel/futex_compat.c linux-2.6.38.1/kernel/futex_compat.c
49975 --- linux-2.6.38.1/kernel/futex_compat.c 2011-03-14 21:20:32.000000000 -0400
49976 +++ linux-2.6.38.1/kernel/futex_compat.c 2011-03-21 18:31:35.000000000 -0400
49978 #include <linux/compat.h>
49979 #include <linux/nsproxy.h>
49980 #include <linux/futex.h>
49981 +#include <linux/ptrace.h>
49983 #include <asm/uaccess.h>
49985 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
49987 struct compat_robust_list_head __user *head;
49989 - const struct cred *cred = current_cred(), *pcred;
49990 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49991 + const struct cred *cred = current_cred();
49992 + const struct cred *pcred;
49995 if (!futex_cmpxchg_enabled)
49997 @@ -152,11 +156,16 @@ compat_sys_get_robust_list(int pid, comp
50001 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50002 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
50005 pcred = __task_cred(p);
50006 if (cred->euid != pcred->euid &&
50007 cred->euid != pcred->uid &&
50008 !capable(CAP_SYS_PTRACE))
50011 head = p->compat_robust_list;
50014 diff -urNp linux-2.6.38.1/kernel/gcov/base.c linux-2.6.38.1/kernel/gcov/base.c
50015 --- linux-2.6.38.1/kernel/gcov/base.c 2011-03-14 21:20:32.000000000 -0400
50016 +++ linux-2.6.38.1/kernel/gcov/base.c 2011-03-21 18:31:35.000000000 -0400
50017 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
50020 #ifdef CONFIG_MODULES
50021 -static inline int within(void *addr, void *start, unsigned long size)
50023 - return ((addr >= start) && (addr < start + size));
50026 /* Update list and generate events when modules are unloaded. */
50027 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
50029 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
50031 /* Remove entries located in module from linked list. */
50032 for (info = gcov_info_head; info; info = info->next) {
50033 - if (within(info, mod->module_core, mod->core_size)) {
50034 + if (within_module_core_rw((unsigned long)info, mod)) {
50036 prev->next = info->next;
50038 diff -urNp linux-2.6.38.1/kernel/hrtimer.c linux-2.6.38.1/kernel/hrtimer.c
50039 --- linux-2.6.38.1/kernel/hrtimer.c 2011-03-14 21:20:32.000000000 -0400
50040 +++ linux-2.6.38.1/kernel/hrtimer.c 2011-03-21 18:31:35.000000000 -0400
50041 @@ -1371,7 +1371,7 @@ void hrtimer_peek_ahead_timers(void)
50042 local_irq_restore(flags);
50045 -static void run_hrtimer_softirq(struct softirq_action *h)
50046 +static void run_hrtimer_softirq(void)
50048 hrtimer_peek_ahead_timers();
50050 diff -urNp linux-2.6.38.1/kernel/jump_label.c linux-2.6.38.1/kernel/jump_label.c
50051 --- linux-2.6.38.1/kernel/jump_label.c 2011-03-14 21:20:32.000000000 -0400
50052 +++ linux-2.6.38.1/kernel/jump_label.c 2011-03-21 18:31:35.000000000 -0400
50053 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
50054 mutex_unlock(&jump_label_mutex);
50057 +static void jump_label_swap(void *a, void *b, int size)
50059 + struct jump_entry t;
50061 + t = *(struct jump_entry *)a;
50062 + pax_open_kernel();
50063 + *(struct jump_entry *)a = *(struct jump_entry *)b;
50064 + *(struct jump_entry *)b = t;
50065 + pax_close_kernel();
50068 static int jump_label_cmp(const void *a, const void *b)
50070 const struct jump_entry *jea = a;
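Review bot: jump_label_swap() ignores its `size` argument and copies exactly one struct jump_entry, which is correct only because sort_jump_label_entries() passes sizeof(struct jump_entry) (`@@ -70` hunk); add `BUG_ON(size != sizeof(struct jump_entry));` or at least a comment saying so. The pax_open_kernel()/pax_close_kernel() pair around the two stores also deserves a line explaining why the table is not plainly writable here (presumably KERNEXEC keeps it read-only), e.g. `/* the jump table is read-only under KERNEXEC; open it for the swap */` — the same remark applies to the `@@ -407` hunk below.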
50071 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
50073 size = (((unsigned long)stop - (unsigned long)start)
50074 / sizeof(struct jump_entry));
50075 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
50076 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
50079 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
50080 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
50081 count = e_module->nr_entries;
50082 iter = e_module->table;
50084 - if (within_module_init(iter->code, mod))
50085 + if (within_module_init(iter->code, mod)) {
50086 + pax_open_kernel();
50088 + pax_close_kernel();
50093 diff -urNp linux-2.6.38.1/kernel/kallsyms.c linux-2.6.38.1/kernel/kallsyms.c
50094 --- linux-2.6.38.1/kernel/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
50095 +++ linux-2.6.38.1/kernel/kallsyms.c 2011-03-21 18:31:35.000000000 -0400
50097 * Changed the compression method from stem compression to "table lookup"
50098 * compression (see scripts/kallsyms.c for a more complete description)
50100 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50101 +#define __INCLUDED_BY_HIDESYM 1
50103 #include <linux/kallsyms.h>
50104 #include <linux/module.h>
50105 #include <linux/init.h>
50106 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
50108 static inline int is_kernel_inittext(unsigned long addr)
50110 + if (system_state != SYSTEM_BOOTING)
50113 if (addr >= (unsigned long)_sinittext
50114 && addr <= (unsigned long)_einittext)
50119 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50120 +#ifdef CONFIG_MODULES
50121 +static inline int is_module_text(unsigned long addr)
50123 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
50126 + addr = ktla_ktva(addr);
50127 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
50130 +static inline int is_module_text(unsigned long addr)
50137 static inline int is_kernel_text(unsigned long addr)
50139 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
50140 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
50142 static inline int is_kernel(unsigned long addr)
50145 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50146 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
50149 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
50151 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
50155 return in_gate_area_no_task(addr);
50158 static int is_ksym_addr(unsigned long addr)
50161 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50162 + if (is_module_text(addr))
50167 return is_kernel(addr);
50169 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
50171 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
50173 - iter->name[0] = '\0';
50174 iter->nameoff = get_symbol_offset(new_pos);
50175 iter->pos = new_pos;
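Review bot: Dropping `iter->name[0] = '\0';` from reset_iter is not explained in the hunk; it appears to rely on the kmalloc→kzalloc switch in kallsyms_open (hunk @@ -504) to zero `iter->name` once at open time, so a comment next to that kzalloc such as `/* zeroed on purpose: reset_iter no longer clears iter->name */` would keep the two sites from drifting apart. If reset_iter is also reached on a backward seek, the buffer then keeps the previous symbol's text until the next update overwrites it, which looks harmless but should be confirmed against s_show's `!iter->name[0]` test.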
50177 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
50179 struct kallsym_iter *iter = m->private;
50181 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50182 + if (current_uid())
50186 /* Some debugging symbols have no name. Ignore them. */
50187 if (!iter->name[0])
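Review bot: The HIDESYM gate in s_show keys on `current_uid()` being zero rather than on a capability, so a uid-0 process that has dropped its capabilities still sees every symbol while an unprivileged reader holding CAP_SYSLOG sees none; the same patch uses `capable(CAP_SYSLOG)` in printk.c's check_syslog_permissions, and `if (!capable(CAP_SYSLOG))` here would keep the two policies aligned. If the uid test is deliberate (for example to keep the file empty for capability-bearing but non-root helpers as well), a one-line comment stating that intent would save the next reader the question.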
50189 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
50190 struct kallsym_iter *iter;
50193 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
50194 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
50197 reset_iter(iter, 0);
50198 diff -urNp linux-2.6.38.1/kernel/kmod.c linux-2.6.38.1/kernel/kmod.c
50199 --- linux-2.6.38.1/kernel/kmod.c 2011-03-14 21:20:32.000000000 -0400
50200 +++ linux-2.6.38.1/kernel/kmod.c 2011-03-26 13:28:34.000000000 -0400
50201 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
50205 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
50206 + /* we could do a tighter check here, but some distros
50207 + are taking it upon themselves to remove CAP_SYS_MODULE
50208 + from even root-running apps which cause modules to be
50211 + if (current_uid()) {
50212 + gr_log_nonroot_mod_load(module_name);
50217 /* If modprobe needs a service that is in a module, we get a recursive
50218 * loop. Limit the number of running kmod threads to max_threads/2 or
50219 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
50220 diff -urNp linux-2.6.38.1/kernel/kprobes.c linux-2.6.38.1/kernel/kprobes.c
50221 --- linux-2.6.38.1/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
50222 +++ linux-2.6.38.1/kernel/kprobes.c 2011-03-21 18:31:35.000000000 -0400
50223 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
50224 * kernel image and loaded module images reside. This is required
50225 * so x86_64 can correctly handle the %rip-relative fixups.
50227 - kip->insns = module_alloc(PAGE_SIZE);
50228 + kip->insns = module_alloc_exec(PAGE_SIZE);
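Review bot: Switching the slot allocation to module_alloc_exec() presumably returns memory that KERNEXEC keeps non-writable, yet the kprobe code later copies instructions into `kip->insns` (outside this hunk, in the callers of __get_insn_slot); those writes need the same `pax_open_kernel()`/`pax_close_kernel()` bracketing the patch adds around other writes to executable memory, or the slot must stay writable until it is populated. Worth confirming that every write into an insn slot is covered; the matching release in collect_one_slot (hunk @@ -225) is correctly switched to module_free_exec().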
50232 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
50234 if (!list_is_singular(&kip->list)) {
50235 list_del(&kip->list);
50236 - module_free(NULL, kip->insns);
50237 + module_free_exec(NULL, kip->insns);
50241 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
50244 unsigned long offset = 0, size = 0;
50245 - char *modname, namebuf[128];
50246 + char *modname, namebuf[KSYM_NAME_LEN];
50247 const char *symbol_name;
50249 struct kprobe_blackpoint *kb;
50250 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
50251 const char *sym = NULL;
50252 unsigned int i = *(loff_t *) v;
50253 unsigned long offset = 0;
50254 - char *modname, namebuf[128];
50255 + char *modname, namebuf[KSYM_NAME_LEN];
50257 head = &kprobe_table[i];
50259 diff -urNp linux-2.6.38.1/kernel/lockdep.c linux-2.6.38.1/kernel/lockdep.c
50260 --- linux-2.6.38.1/kernel/lockdep.c 2011-03-14 21:20:32.000000000 -0400
50261 +++ linux-2.6.38.1/kernel/lockdep.c 2011-03-21 18:31:35.000000000 -0400
50262 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
50263 end = (unsigned long) &_end,
50264 addr = (unsigned long) obj;
50266 +#ifdef CONFIG_PAX_KERNEXEC
50267 + start = ktla_ktva(start);
50273 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
50274 if (!static_obj(lock->key)) {
50276 printk("INFO: trying to register non-static key.\n");
50277 + printk("lock:%pS key:%pS.\n", lock, lock->key);
50278 printk("the code is fine but needs lockdep annotation.\n");
50279 printk("turning off the locking correctness validator.\n");
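Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key);` fires precisely when `lock->key` is not a static object, so `%pS` will usually fall back to printing raw kernel addresses (the lock itself is typically heap or stack memory) into dmesg; that works against the address-hiding goal of the rest of this patch, which replaces `%pS` with `%pA` in panic.c. Consider `%pA` here as well, or guard the line with the same condition the patch uses for its HIDESYM checks.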
50281 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
50285 - atomic_inc((atomic_t *)&class->ops);
50286 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
50287 if (very_verbose(class)) {
50288 printk("\nacquire class [%p] %s", class->key, class->name);
50289 if (class->name_version > 1)
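Review bot: `class->ops` is a per-class acquire counter used for statistics, so opting it out of the overflow-checked atomic type is reasonable, but the cast `(atomic_unchecked_t *)&class->ops` (inherited from the original's `(atomic_t *)` cast) hides that the field's declared type was not changed. A short comment such as `/* stats only: wraparound is harmless, so skip the refcount overflow check */` records the intent, and changing the field's declaration to match would remove the cast entirely.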
50290 diff -urNp linux-2.6.38.1/kernel/lockdep_proc.c linux-2.6.38.1/kernel/lockdep_proc.c
50291 --- linux-2.6.38.1/kernel/lockdep_proc.c 2011-03-14 21:20:32.000000000 -0400
50292 +++ linux-2.6.38.1/kernel/lockdep_proc.c 2011-03-21 18:31:35.000000000 -0400
50293 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
50295 static void print_name(struct seq_file *m, struct lock_class *class)
50298 + char str[KSYM_NAME_LEN];
50299 const char *name = class->name;
50302 diff -urNp linux-2.6.38.1/kernel/module.c linux-2.6.38.1/kernel/module.c
50303 --- linux-2.6.38.1/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
50304 +++ linux-2.6.38.1/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
50305 @@ -118,7 +118,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
50307 /* Bounds of module allocation, for speeding __module_address.
50308 * Protected by module_mutex. */
50309 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
50310 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
50311 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
50313 int register_module_notifier(struct notifier_block * nb)
50315 @@ -282,7 +283,7 @@ bool each_symbol(bool (*fn)(const struct
50318 list_for_each_entry_rcu(mod, &modules, list) {
50319 - struct symsearch arr[] = {
50320 + struct symsearch modarr[] = {
50321 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
50322 NOT_GPL_ONLY, false },
50323 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
50324 @@ -304,7 +305,7 @@ bool each_symbol(bool (*fn)(const struct
50328 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
50329 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
50333 @@ -415,7 +416,7 @@ static inline void __percpu *mod_percpu(
50334 static int percpu_modalloc(struct module *mod,
50335 unsigned long size, unsigned long align)
50337 - if (align > PAGE_SIZE) {
50338 + if (align-1 >= PAGE_SIZE) {
50339 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
50340 mod->name, align, PAGE_SIZE);
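Review bot: `align-1 >= PAGE_SIZE` also rejects `align == 0` through unsigned wraparound, which the old `align > PAGE_SIZE` let through, but nothing says so and the warning text still reads `%li > %li`, which would print `0 > 4096` for that case. A comment on the condition, `/* align == 0 wraps to ULONG_MAX and is rejected as well */`, and a message such as `"%s: per-cpu alignment %li invalid (max %li)\n"` would make the new behaviour legible.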
50342 @@ -1143,7 +1144,7 @@ resolve_symbol_wait(struct module *mod,
50344 #ifdef CONFIG_SYSFS
50346 -#ifdef CONFIG_KALLSYMS
50347 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50348 static inline bool sect_empty(const Elf_Shdr *sect)
50350 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
50351 @@ -1612,17 +1613,17 @@ void unset_section_ro_nx(struct module *
50353 unsigned long total_pages;
50355 - if (mod->module_core == module_region) {
50356 + if (mod->module_core_rx == module_region) {
50357 /* Set core as NX+RW */
50358 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
50359 - set_memory_nx((unsigned long)mod->module_core, total_pages);
50360 - set_memory_rw((unsigned long)mod->module_core, total_pages);
50361 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
50362 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
50363 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
50365 - } else if (mod->module_init == module_region) {
50366 + } else if (mod->module_init_rx == module_region) {
50367 /* Set init as NX+RW */
50368 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
50369 - set_memory_nx((unsigned long)mod->module_init, total_pages);
50370 - set_memory_rw((unsigned long)mod->module_init, total_pages);
50371 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
50372 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
50373 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
50377 @@ -1633,14 +1634,14 @@ void set_all_modules_text_rw()
50379 mutex_lock(&module_mutex);
50380 list_for_each_entry_rcu(mod, &modules, list) {
50381 - if ((mod->module_core) && (mod->core_text_size)) {
50382 - set_page_attributes(mod->module_core,
50383 - mod->module_core + mod->core_text_size,
50384 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
50385 + set_page_attributes(mod->module_core_rx,
50386 + mod->module_core_rx + mod->core_size_rx,
50389 - if ((mod->module_init) && (mod->init_text_size)) {
50390 - set_page_attributes(mod->module_init,
50391 - mod->module_init + mod->init_text_size,
50392 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
50393 + set_page_attributes(mod->module_init_rx,
50394 + mod->module_init_rx + mod->init_size_rx,
50398 @@ -1654,14 +1655,14 @@ void set_all_modules_text_ro()
50400 mutex_lock(&module_mutex);
50401 list_for_each_entry_rcu(mod, &modules, list) {
50402 - if ((mod->module_core) && (mod->core_text_size)) {
50403 - set_page_attributes(mod->module_core,
50404 - mod->module_core + mod->core_text_size,
50405 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
50406 + set_page_attributes(mod->module_core_rx,
50407 + mod->module_core_rx + mod->core_size_rx,
50410 - if ((mod->module_init) && (mod->init_text_size)) {
50411 - set_page_attributes(mod->module_init,
50412 - mod->module_init + mod->init_text_size,
50413 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
50414 + set_page_attributes(mod->module_init_rx,
50415 + mod->module_init_rx + mod->init_size_rx,
50419 @@ -1696,17 +1697,20 @@ static void free_module(struct module *m
50420 destroy_params(mod->kp, mod->num_kp);
50422 /* This may be NULL, but that's OK */
50423 - unset_section_ro_nx(mod, mod->module_init);
50424 - module_free(mod, mod->module_init);
50425 + unset_section_ro_nx(mod, mod->module_init_rx);
50426 + module_free(mod, mod->module_init_rw);
50427 + module_free_exec(mod, mod->module_init_rx);
50429 percpu_modfree(mod);
50431 /* Free lock-classes: */
50432 - lockdep_free_key_range(mod->module_core, mod->core_size);
50433 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
50434 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
50436 /* Finally, free the core (containing the module structure) */
50437 - unset_section_ro_nx(mod, mod->module_core);
50438 - module_free(mod, mod->module_core);
50439 + unset_section_ro_nx(mod, mod->module_core_rx);
50440 + module_free_exec(mod, mod->module_core_rx);
50441 + module_free(mod, mod->module_core_rw);
50444 update_protections(current->mm);
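Review bot: The comment `/* Finally, free the core (containing the module structure) */` now sits above two frees, and only the second, `module_free(mod, mod->module_core_rw);`, is the one that must stay last if `struct module` lives in the writable core block as the split suggests; an rx free that touched `mod` afterwards would be a use-after-free if the order were ever swapped. Updating the comment to name the block, e.g. `/* Finally, free the rw core: it holds struct module, so it must go last */`, pins that ordering. The same ordering concern applies to module_deallocate (hunk @@ -2690), where the rw core free is also placed last without a comment.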
50445 @@ -1799,7 +1803,9 @@ static int simplify_symbols(struct modul
50446 ksym = resolve_symbol_wait(mod, info, name);
50447 /* Ok if resolved. */
50448 if (ksym && !IS_ERR(ksym)) {
50449 + pax_open_kernel();
50450 sym[i].st_value = ksym->value;
50451 + pax_close_kernel();
50455 @@ -1818,7 +1824,9 @@ static int simplify_symbols(struct modul
50456 secbase = (unsigned long)mod_percpu(mod);
50458 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
50459 + pax_open_kernel();
50460 sym[i].st_value += secbase;
50461 + pax_close_kernel();
50465 @@ -1906,22 +1914,12 @@ static void layout_sections(struct modul
50466 || s->sh_entsize != ~0UL
50467 || strstarts(sname, ".init"))
50469 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
50470 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50471 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
50473 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
50474 DEBUGP("\t%s\n", name);
50477 - case 0: /* executable */
50478 - mod->core_size = debug_align(mod->core_size);
50479 - mod->core_text_size = mod->core_size;
50481 - case 1: /* RO: text and ro-data */
50482 - mod->core_size = debug_align(mod->core_size);
50483 - mod->core_ro_size = mod->core_size;
50485 - case 3: /* whole core */
50486 - mod->core_size = debug_align(mod->core_size);
50491 DEBUGP("Init section allocation order:\n");
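Review bot: The predicate `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` that decides between the rw and rx blocks is spelled out four times in this patch (here, in hunk @@ -1935, and twice in move_module's hunk @@ -2553); one helper keeps the layout and copy phases from disagreeing, e.g. `static inline bool sect_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. The removed `core_text_size`/`core_ro_size` bookkeeping also deserves a comment stating that the whole rx block is now treated as text plus rodata, since the init_module hunk later passes `core_size_rx` for all three sizes of set_section_ro_nx.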
50492 @@ -1935,23 +1933,13 @@ static void layout_sections(struct modul
50493 || s->sh_entsize != ~0UL
50494 || !strstarts(sname, ".init"))
50496 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
50497 - | INIT_OFFSET_MASK);
50498 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50499 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
50501 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
50502 + s->sh_entsize |= INIT_OFFSET_MASK;
50503 DEBUGP("\t%s\n", sname);
50506 - case 0: /* executable */
50507 - mod->init_size = debug_align(mod->init_size);
50508 - mod->init_text_size = mod->init_size;
50510 - case 1: /* RO: text and ro-data */
50511 - mod->init_size = debug_align(mod->init_size);
50512 - mod->init_ro_size = mod->init_size;
50514 - case 3: /* whole init */
50515 - mod->init_size = debug_align(mod->init_size);
50521 @@ -2119,7 +2107,7 @@ static void layout_symtab(struct module
50523 /* Put symbol section at end of init part of module. */
50524 symsect->sh_flags |= SHF_ALLOC;
50525 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
50526 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
50527 info->index.sym) | INIT_OFFSET_MASK;
50528 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
50530 @@ -2136,19 +2124,19 @@ static void layout_symtab(struct module
50533 /* Append room for core symbols at end of core part. */
50534 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
50535 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
50536 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
50537 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
50539 /* Put string table section at end of init part of module. */
50540 strsect->sh_flags |= SHF_ALLOC;
50541 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
50542 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
50543 info->index.str) | INIT_OFFSET_MASK;
50544 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
50546 /* Append room for core symbols' strings at end of core part. */
50547 - info->stroffs = mod->core_size;
50548 + info->stroffs = mod->core_size_rx;
50549 __set_bit(0, info->strmap);
50550 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
50551 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
50554 static void add_kallsyms(struct module *mod, const struct load_info *info)
50555 @@ -2164,11 +2152,13 @@ static void add_kallsyms(struct module *
50556 /* Make sure we get permanent strtab: don't use info->strtab. */
50557 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
50559 + pax_open_kernel();
50561 /* Set types up while we still have access to sections. */
50562 for (i = 0; i < mod->num_symtab; i++)
50563 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
50565 - mod->core_symtab = dst = mod->module_core + info->symoffs;
50566 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
50569 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
50570 @@ -2181,10 +2171,12 @@ static void add_kallsyms(struct module *
50572 mod->core_num_syms = ndst;
50574 - mod->core_strtab = s = mod->module_core + info->stroffs;
50575 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
50576 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
50577 if (test_bit(i, info->strmap))
50578 *++s = mod->strtab[i];
50580 + pax_close_kernel();
50583 static inline void layout_symtab(struct module *mod, struct load_info *info)
50584 @@ -2213,17 +2205,33 @@ static void dynamic_debug_remove(struct
50585 ddebug_remove_module(debug->modname);
50588 -static void *module_alloc_update_bounds(unsigned long size)
50589 +static void *module_alloc_update_bounds_rw(unsigned long size)
50591 void *ret = module_alloc(size);
50594 mutex_lock(&module_mutex);
50595 /* Update module bounds. */
50596 - if ((unsigned long)ret < module_addr_min)
50597 - module_addr_min = (unsigned long)ret;
50598 - if ((unsigned long)ret + size > module_addr_max)
50599 - module_addr_max = (unsigned long)ret + size;
50600 + if ((unsigned long)ret < module_addr_min_rw)
50601 + module_addr_min_rw = (unsigned long)ret;
50602 + if ((unsigned long)ret + size > module_addr_max_rw)
50603 + module_addr_max_rw = (unsigned long)ret + size;
50604 + mutex_unlock(&module_mutex);
50609 +static void *module_alloc_update_bounds_rx(unsigned long size)
50611 + void *ret = module_alloc_exec(size);
50614 + mutex_lock(&module_mutex);
50615 + /* Update module bounds. */
50616 + if ((unsigned long)ret < module_addr_min_rx)
50617 + module_addr_min_rx = (unsigned long)ret;
50618 + if ((unsigned long)ret + size > module_addr_max_rx)
50619 + module_addr_max_rx = (unsigned long)ret + size;
50620 mutex_unlock(&module_mutex);
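Review bot: module_alloc_update_bounds_rw and module_alloc_update_bounds_rx are line-for-line copies differing only in the allocator and the min/max pair they update; a shared helper taking the bounds by pointer, `static void update_module_bounds(void *ret, unsigned long size, unsigned long *min, unsigned long *max)`, would keep the locking and range arithmetic in one place. The lines hidden between the allocation and `mutex_lock` (presumably the NULL check) must stay identical in both copies as long as they remain duplicated.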
50623 @@ -2516,7 +2524,7 @@ static int move_module(struct module *mo
50626 /* Do the allocs. */
50627 - ptr = module_alloc_update_bounds(mod->core_size);
50628 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
50630 * The pointer to this block is stored in the module structure
50631 * which is inside the block. Just mark it as not being a
50632 @@ -2526,23 +2534,50 @@ static int move_module(struct module *mo
50636 - memset(ptr, 0, mod->core_size);
50637 - mod->module_core = ptr;
50638 + memset(ptr, 0, mod->core_size_rw);
50639 + mod->module_core_rw = ptr;
50641 - ptr = module_alloc_update_bounds(mod->init_size);
50642 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
50644 * The pointer to this block is stored in the module structure
50645 * which is inside the block. This block doesn't need to be
50646 * scanned as it contains data and code that will be freed
50647 * after the module is initialized.
50649 - kmemleak_ignore(ptr);
50650 - if (!ptr && mod->init_size) {
50651 - module_free(mod, mod->module_core);
50652 + kmemleak_not_leak(ptr);
50653 + if (!ptr && mod->init_size_rw) {
50654 + module_free(mod, mod->module_core_rw);
50657 - memset(ptr, 0, mod->init_size);
50658 - mod->module_init = ptr;
50659 + memset(ptr, 0, mod->init_size_rw);
50660 + mod->module_init_rw = ptr;
50662 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
50663 + kmemleak_not_leak(ptr);
50665 + module_free(mod, mod->module_init_rw);
50666 + module_free(mod, mod->module_core_rw);
50670 + pax_open_kernel();
50671 + memset(ptr, 0, mod->core_size_rx);
50672 + pax_close_kernel();
50673 + mod->module_core_rx = ptr;
50675 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
50676 + kmemleak_not_leak(ptr);
50677 + if (!ptr && mod->init_size_rx) {
50678 + module_free_exec(mod, mod->module_core_rx);
50679 + module_free(mod, mod->module_init_rw);
50680 + module_free(mod, mod->module_core_rw);
50684 + pax_open_kernel();
50685 + memset(ptr, 0, mod->init_size_rx);
50686 + pax_close_kernel();
50687 + mod->module_init_rx = ptr;
50689 /* Transfer each section which specifies SHF_ALLOC */
50690 DEBUGP("final section addresses:\n");
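Review bot: The init block is now registered with `kmemleak_not_leak(ptr)` while the comment above it still says the block "doesn't need to be scanned"; kmemleak_ignore() (the replaced call) excludes the object from scanning, whereas kmemleak_not_leak() only suppresses the leak report and keeps scanning it, so either the comment or the call is stale. If scanning the rw blocks is now wanted because they hold pointers into the separate rx blocks, say so in the comment; otherwise keep kmemleak_ignore() for the init block.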
50691 @@ -2553,16 +2588,45 @@ static int move_module(struct module *mo
50692 if (!(shdr->sh_flags & SHF_ALLOC))
50695 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
50696 - dest = mod->module_init
50697 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50699 - dest = mod->module_core + shdr->sh_entsize;
50700 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
50701 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50702 + dest = mod->module_init_rw
50703 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50705 + dest = mod->module_init_rx
50706 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50708 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50709 + dest = mod->module_core_rw + shdr->sh_entsize;
50711 + dest = mod->module_core_rx + shdr->sh_entsize;
50714 + if (shdr->sh_type != SHT_NOBITS) {
50716 +#ifdef CONFIG_PAX_KERNEXEC
50717 +#ifdef CONFIG_X86_64
50718 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
50719 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
50721 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
50722 + pax_open_kernel();
50723 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50724 + pax_close_kernel();
50728 - if (shdr->sh_type != SHT_NOBITS)
50729 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50731 /* Update sh_addr to point to copy in image. */
50732 - shdr->sh_addr = (unsigned long)dest;
50734 +#ifdef CONFIG_PAX_KERNEXEC
50735 + if (shdr->sh_flags & SHF_EXECINSTR)
50736 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
50740 + shdr->sh_addr = (unsigned long)dest;
50741 DEBUGP("\t0x%lx %s\n",
50742 shdr->sh_addr, info->secstrings + shdr->sh_name);
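Review bot: Inside the loop the `|| !(shdr->sh_flags & SHF_ALLOC)` half of the rw/rx test is dead: non-ALLOC sections were already skipped by `if (!(shdr->sh_flags & SHF_ALLOC))` at the top of the body, so both conditions reduce to `shdr->sh_flags & SHF_WRITE` here. The X86_64 KERNEXEC branch makes any section that is both SHF_WRITE and SHF_EXECINSTR executable inside the writable block, i.e. deliberately creates W+X pages; a comment naming which sections need this and why they cannot be split would stop a future reader from treating it as a bug, and a printk(KERN_WARNING ...) when it triggers would make such modules visible to administrators. The page count `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT` also overshoots by one page when `dest` is page-aligned and `sh_size` is an exact multiple of PAGE_SIZE, making the page after the section executable; computing the count from `dest` and `dest + sh_size` rounded to page boundaries would be exact.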
50744 @@ -2613,12 +2677,12 @@ static void flush_module_icache(const st
50745 * Do it before processing of module parameters, so the module
50746 * can provide parameter accessor functions of its own.
50748 - if (mod->module_init)
50749 - flush_icache_range((unsigned long)mod->module_init,
50750 - (unsigned long)mod->module_init
50751 - + mod->init_size);
50752 - flush_icache_range((unsigned long)mod->module_core,
50753 - (unsigned long)mod->module_core + mod->core_size);
50754 + if (mod->module_init_rx)
50755 + flush_icache_range((unsigned long)mod->module_init_rx,
50756 + (unsigned long)mod->module_init_rx
50757 + + mod->init_size_rx);
50758 + flush_icache_range((unsigned long)mod->module_core_rx,
50759 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
50763 @@ -2690,8 +2754,10 @@ static void module_deallocate(struct mod
50765 kfree(info->strmap);
50766 percpu_modfree(mod);
50767 - module_free(mod, mod->module_init);
50768 - module_free(mod, mod->module_core);
50769 + module_free_exec(mod, mod->module_init_rx);
50770 + module_free_exec(mod, mod->module_core_rx);
50771 + module_free(mod, mod->module_init_rw);
50772 + module_free(mod, mod->module_core_rw);
50775 static int post_relocation(struct module *mod, const struct load_info *info)
50776 @@ -2877,16 +2943,16 @@ SYSCALL_DEFINE3(init_module, void __user
50777 MODULE_STATE_COMING, mod);
50779 /* Set RO and NX regions for core */
50780 - set_section_ro_nx(mod->module_core,
50781 - mod->core_text_size,
50782 - mod->core_ro_size,
50784 + set_section_ro_nx(mod->module_core_rx,
50785 + mod->core_size_rx,
50786 + mod->core_size_rx,
50787 + mod->core_size_rx);
50789 /* Set RO and NX regions for init */
50790 - set_section_ro_nx(mod->module_init,
50791 - mod->init_text_size,
50792 - mod->init_ro_size,
50794 + set_section_ro_nx(mod->module_init_rx,
50795 + mod->init_size_rx,
50796 + mod->init_size_rx,
50797 + mod->init_size_rx);
50800 /* Start the module */
50801 @@ -2931,11 +2997,13 @@ SYSCALL_DEFINE3(init_module, void __user
50802 mod->symtab = mod->core_symtab;
50803 mod->strtab = mod->core_strtab;
50805 - unset_section_ro_nx(mod, mod->module_init);
50806 - module_free(mod, mod->module_init);
50807 - mod->module_init = NULL;
50808 - mod->init_size = 0;
50809 - mod->init_text_size = 0;
50810 + unset_section_ro_nx(mod, mod->module_init_rx);
50811 + module_free(mod, mod->module_init_rw);
50812 + module_free_exec(mod, mod->module_init_rx);
50813 + mod->module_init_rw = NULL;
50814 + mod->module_init_rx = NULL;
50815 + mod->init_size_rw = 0;
50816 + mod->init_size_rx = 0;
50817 mutex_unlock(&module_mutex);
50820 @@ -2966,10 +3034,16 @@ static const char *get_ksymbol(struct mo
50821 unsigned long nextval;
50823 /* At worse, next value is at end of module */
50824 - if (within_module_init(addr, mod))
50825 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
50826 + if (within_module_init_rx(addr, mod))
50827 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
50828 + else if (within_module_init_rw(addr, mod))
50829 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
50830 + else if (within_module_core_rx(addr, mod))
50831 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
50832 + else if (within_module_core_rw(addr, mod))
50833 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
50835 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
50838 /* Scan for closest preceeding symbol, and next symbol. (ELF
50839 starts real symbols at 1). */
50840 @@ -3215,7 +3289,7 @@ static int m_show(struct seq_file *m, vo
50843 seq_printf(m, "%s %u",
50844 - mod->name, mod->init_size + mod->core_size);
50845 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
50846 print_unload_info(m, mod);
50848 /* Informative for users. */
50849 @@ -3224,7 +3298,7 @@ static int m_show(struct seq_file *m, vo
50850 mod->state == MODULE_STATE_COMING ? "Loading":
50852 /* Used by oprofile and other similar tools. */
50853 - seq_printf(m, " 0x%p", mod->module_core);
50854 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
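Review bot: Appending a second address to the /proc/modules line (`" 0x%p 0x%p"`) changes a format that the comment above says is parsed by oprofile and similar tools, so userspace expecting exactly one trailing address may misparse it; the hunk should at least document this compatibility change in a comment beside the seq_printf. It also doubles the kernel addresses the file discloses; the proc_modules_init hunk (@@ -3260) tightens the file's mode, so stating there that the mode restriction is what protects these pointers would tie the two changes together.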
50858 @@ -3260,7 +3334,17 @@ static const struct file_operations proc
50860 static int __init proc_modules_init(void)
50862 +#ifndef CONFIG_GRKERNSEC_HIDESYM
50863 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50864 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50865 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50866 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
50868 proc_create("modules", 0, NULL, &proc_modules_operations);
50871 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50875 module_init(proc_modules_init);
50876 @@ -3319,12 +3403,12 @@ struct module *__module_address(unsigned
50878 struct module *mod;
50880 - if (addr < module_addr_min || addr > module_addr_max)
50881 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
50882 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
50885 list_for_each_entry_rcu(mod, &modules, list)
50886 - if (within_module_core(addr, mod)
50887 - || within_module_init(addr, mod))
50888 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
50892 @@ -3358,11 +3442,20 @@ bool is_module_text_address(unsigned lon
50894 struct module *__module_text_address(unsigned long addr)
50896 - struct module *mod = __module_address(addr);
50897 + struct module *mod;
50899 +#ifdef CONFIG_X86_32
50900 + addr = ktla_ktva(addr);
50903 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
50906 + mod = __module_address(addr);
50909 /* Make sure it's within the text section. */
50910 - if (!within(addr, mod->module_init, mod->init_text_size)
50911 - && !within(addr, mod->module_core, mod->core_text_size))
50912 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
50916 diff -urNp linux-2.6.38.1/kernel/panic.c linux-2.6.38.1/kernel/panic.c
50917 --- linux-2.6.38.1/kernel/panic.c 2011-03-14 21:20:32.000000000 -0400
50918 +++ linux-2.6.38.1/kernel/panic.c 2011-03-21 18:31:35.000000000 -0400
50919 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
50922 printk(KERN_WARNING "------------[ cut here ]------------\n");
50923 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
50924 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
50925 board = dmi_get_system_info(DMI_PRODUCT_NAME);
50927 printk(KERN_WARNING "Hardware name: %s\n", board);
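Review bot: `%pA` does not appear to be a conversion the base kernel's vsprintf understands, so this hunk and the one in __stack_chk_fail (@@ -424) depend on the vsprintf extension elsewhere in this patch; a comment at the first use, `/* %pA: address-hiding symbol format added by this patch's vsprintf change */`, ties them together for anyone backporting one file at a time. Note that printk's format attribute does not validate `%p` extensions, so the compiler will not flag a kernel built without that extension.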
50928 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
50930 void __stack_chk_fail(void)
50932 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
50934 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
50935 __builtin_return_address(0));
50937 EXPORT_SYMBOL(__stack_chk_fail);
50938 diff -urNp linux-2.6.38.1/kernel/pid.c linux-2.6.38.1/kernel/pid.c
50939 --- linux-2.6.38.1/kernel/pid.c 2011-03-14 21:20:32.000000000 -0400
50940 +++ linux-2.6.38.1/kernel/pid.c 2011-03-21 18:31:35.000000000 -0400
50942 #include <linux/rculist.h>
50943 #include <linux/bootmem.h>
50944 #include <linux/hash.h>
50945 +#include <linux/security.h>
50946 #include <linux/pid_namespace.h>
50947 #include <linux/init_task.h>
50948 #include <linux/syscalls.h>
50949 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
50951 int pid_max = PID_MAX_DEFAULT;
50953 -#define RESERVED_PIDS 300
50954 +#define RESERVED_PIDS 500
50956 int pid_max_min = RESERVED_PIDS + 1;
50957 int pid_max_max = PID_MAX_LIMIT;
50958 @@ -416,8 +417,15 @@ EXPORT_SYMBOL(pid_task);
50960 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
50962 + struct task_struct *task;
50964 rcu_lockdep_assert(rcu_read_lock_held());
50965 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50966 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50968 + if (gr_pid_is_chrooted(task))
50974 struct task_struct *find_task_by_vpid(pid_t vnr)
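Review bot: `task` can be NULL here because pid_task() returns NULL when no task is attached to the pid, and the new line passes it straight to `gr_pid_is_chrooted(task)`; unless that helper is documented to accept NULL (it is not visible in this hunk), the test should read `if (task && gr_pid_is_chrooted(task))`. The line following the check is not shown, so I assume it returns NULL for a hidden task; a one-line comment saying the lookup deliberately hides tasks outside the caller's chroot would explain the extra branch in this hot path.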
50975 diff -urNp linux-2.6.38.1/kernel/posix-cpu-timers.c linux-2.6.38.1/kernel/posix-cpu-timers.c
50976 --- linux-2.6.38.1/kernel/posix-cpu-timers.c 2011-03-14 21:20:32.000000000 -0400
50977 +++ linux-2.6.38.1/kernel/posix-cpu-timers.c 2011-03-21 18:31:35.000000000 -0400
50979 #include <linux/posix-timers.h>
50980 #include <linux/errno.h>
50981 #include <linux/math64.h>
50982 +#include <linux/security.h>
50983 #include <asm/uaccess.h>
50984 #include <linux/kernel_stat.h>
50985 #include <trace/events/timer.h>
50986 diff -urNp linux-2.6.38.1/kernel/posix-timers.c linux-2.6.38.1/kernel/posix-timers.c
50987 --- linux-2.6.38.1/kernel/posix-timers.c 2011-03-14 21:20:32.000000000 -0400
50988 +++ linux-2.6.38.1/kernel/posix-timers.c 2011-03-21 18:31:35.000000000 -0400
50990 #include <linux/compiler.h>
50991 #include <linux/idr.h>
50992 #include <linux/posix-timers.h>
50993 +#include <linux/grsecurity.h>
50994 #include <linux/syscalls.h>
50995 #include <linux/wait.h>
50996 #include <linux/workqueue.h>
50997 @@ -955,6 +956,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
50998 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
51001 + /* only the CLOCK_REALTIME clock can be set, all other clocks
51002 + have their clock_set fptr set to a nosettime dummy function
51003 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
51004 + call common_clock_set, which calls do_sys_settimeofday, which
51008 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
51011 diff -urNp linux-2.6.38.1/kernel/power/poweroff.c linux-2.6.38.1/kernel/power/poweroff.c
51012 --- linux-2.6.38.1/kernel/power/poweroff.c 2011-03-14 21:20:32.000000000 -0400
51013 +++ linux-2.6.38.1/kernel/power/poweroff.c 2011-03-21 18:31:35.000000000 -0400
51014 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
51015 .enable_mask = SYSRQ_ENABLE_BOOT,
51018 -static int pm_sysrq_init(void)
51019 +static int __init pm_sysrq_init(void)
51021 register_sysrq_key('o', &sysrq_poweroff_op);
51023 diff -urNp linux-2.6.38.1/kernel/power/process.c linux-2.6.38.1/kernel/power/process.c
51024 --- linux-2.6.38.1/kernel/power/process.c 2011-03-14 21:20:32.000000000 -0400
51025 +++ linux-2.6.38.1/kernel/power/process.c 2011-03-21 18:31:35.000000000 -0400
51026 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
51027 u64 elapsed_csecs64;
51028 unsigned int elapsed_csecs;
51029 bool wakeup = false;
51030 + bool timedout = false;
51032 do_gettimeofday(&start);
51034 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
51038 + if (time_after(jiffies, end_time))
51040 read_lock(&tasklist_lock);
51041 do_each_thread(g, p) {
51042 if (frozen(p) || !freezable(p))
51043 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
51044 * try_to_stop() after schedule() in ptrace/signal
51045 * stop sees TIF_FREEZE.
51047 - if (!task_is_stopped_or_traced(p) &&
51048 - !freezer_should_skip(p))
51049 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
51052 + printk(KERN_ERR "Task refusing to freeze:\n");
51053 + sched_show_task(p);
51056 } while_each_thread(g, p);
51057 read_unlock(&tasklist_lock);
51059 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
51063 - if (!todo || time_after(jiffies, end_time))
51064 + if (!todo || timedout)
51067 if (pm_wakeup_pending()) {
51068 diff -urNp linux-2.6.38.1/kernel/printk.c linux-2.6.38.1/kernel/printk.c
51069 --- linux-2.6.38.1/kernel/printk.c 2011-03-14 21:20:32.000000000 -0400
51070 +++ linux-2.6.38.1/kernel/printk.c 2011-03-23 22:30:08.000000000 -0400
51071 @@ -279,12 +279,17 @@ static int check_syslog_permissions(int
51072 if (from_file && type != SYSLOG_ACTION_OPEN)
51075 +#ifdef CONFIG_GRKERNSEC_DMESG
51076 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
51080 if (syslog_action_restricted(type)) {
51081 if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
51083 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
51084 if (capable(CAP_SYS_ADMIN)) {
51085 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
51086 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
51087 "but no CAP_SYSLOG (deprecated).\n");
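Review bot: The CONFIG_GRKERNSEC_DMESG test at line 51076 sits before `syslog_action_restricted(type)`, so with `grsec_enable_dmesg` set it gates every syslog action that reaches this point (the `from_file` shortcut at line 51072 still lets /proc/kmsg reads other than open through), and it pairs a logged `capable(CAP_SYSLOG)` with an unlogged `capable_nolog(CAP_SYS_ADMIN)` without saying why. A comment such as `/* grsec: deny unprivileged kernel-log access regardless of dmesg_restrict; a CAP_SYSLOG miss is logged, the legacy CAP_SYS_ADMIN fallback is checked silently */` makes both the ordering and the logging asymmetry deliberate. The lines after the condition are not visible here, so the denial's return value is presumed to be -EPERM.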
51090 diff -urNp linux-2.6.38.1/kernel/ptrace.c linux-2.6.38.1/kernel/ptrace.c
51091 --- linux-2.6.38.1/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
51092 +++ linux-2.6.38.1/kernel/ptrace.c 2011-03-26 11:42:34.000000000 -0400
51093 @@ -116,7 +116,8 @@ int ptrace_check_attach(struct task_stru
51097 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
51098 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
51099 + unsigned int log)
51101 const struct cred *cred = current_cred(), *tcred;
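Review bot: `unsigned int log` on the new `__ptrace_may_access` signature (line 51099) is used purely as a yes/no switch, so `bool log` states the contract better and matches the `bool` return type of the wrappers below; the function body continues outside the hunk. Making the function `static` also means any extern prototype for it in the ptrace header has to go, which is not visible in this chunk and is worth confirming. A short comment on the new parameter would help callers: `/* log: record a CAP_SYS_PTRACE miss via capable(), or check silently via capable_nolog() */`.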
51103 @@ -140,7 +141,9 @@ int __ptrace_may_access(struct task_stru
51104 cred->gid != tcred->egid ||
51105 cred->gid != tcred->sgid ||
51106 cred->gid != tcred->gid) &&
51107 - !capable(CAP_SYS_PTRACE)) {
51108 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
51109 + (log && !capable(CAP_SYS_PTRACE)))
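Review bot: The capability test at lines 51108-51109 spells the log/nolog choice out as two mutually exclusive conjunctions, and the same expression is repeated in the next hunk (@@ -148, lines 51120-51121); a conditional expression is shorter and cannot drift between the two sites: `!(log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE))`. If more call sites appear, a small static helper (something like `ptrace_has_cap(log)`, name to taste) would let them share it. The enclosing function extends beyond both hunks.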
51114 @@ -148,7 +151,9 @@ int __ptrace_may_access(struct task_stru
51117 dumpable = get_dumpable(task->mm);
51118 - if (!dumpable && !capable(CAP_SYS_PTRACE))
51120 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
51121 + (log && !capable(CAP_SYS_PTRACE))))
51124 return security_ptrace_access_check(task, mode);
51125 @@ -158,7 +163,16 @@ bool ptrace_may_access(struct task_struc
51129 - err = __ptrace_may_access(task, mode);
51130 + err = __ptrace_may_access(task, mode, 0);
51131 + task_unlock(task);
51135 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
51139 + err = __ptrace_may_access(task, mode, 1);
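Review bot: `ptrace_may_access_log` (line 51135) has no comment distinguishing it from `ptrace_may_access`, and from the visible lines the two differ only in the last argument to `__ptrace_may_access` (0 at line 51130, 1 at line 51139). A one-line comment on the new function, e.g. `/* As ptrace_may_access(), but a missing CAP_SYS_PTRACE is logged via capable(); use on paths where the denial should be audited */`, tells callers which variant to pick. If the remaining lines (not visible here) are a copy of ptrace_may_access, a single static helper taking the log flag that both public wrappers call would avoid the duplication.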
51143 @@ -185,7 +199,7 @@ static int ptrace_attach(struct task_str
51147 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
51148 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
51152 @@ -198,7 +212,7 @@ static int ptrace_attach(struct task_str
51153 goto unlock_tasklist;
51155 task->ptrace = PT_PTRACED;
51156 - if (capable(CAP_SYS_PTRACE))
51157 + if (capable_nolog(CAP_SYS_PTRACE))
51158 task->ptrace |= PT_PTRACE_CAP;
51160 __ptrace_link(task, current);
51161 @@ -369,7 +383,7 @@ int ptrace_readdata(struct task_struct *
51165 - if (copy_to_user(dst, buf, retval))
51166 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
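Review bot: The added `retval > sizeof(buf)` guard at line 51166 compares an `int` against a `size_t`, so the comparison is done unsigned: a negative `retval` also takes the guard, which happens to fail safe but trips -Wsign-compare. The guard's purpose deserves a comment, since the read length is presumably already bounded to `sizeof(buf)` before `access_process_vm` (that code is outside the hunk): `/* defence in depth: never copy more than the stack buffer holds, even if access_process_vm misreports */`. An explicit cast, `(size_t)retval > sizeof(buf)`, makes the intent visible.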
51170 @@ -565,7 +579,7 @@ int ptrace_request(struct task_struct *c
51174 - void __user *datavp = (void __user *) data;
51175 + void __user *datavp = (__force void __user *) data;
51176 unsigned long __user *datalp = datavp;
51179 @@ -713,14 +727,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
51180 if (!vx_check(vx_task_xid(child), VS_WATCH_P | VS_IDENT))
51181 goto out_put_task_struct;
51183 + if (gr_handle_ptrace(child, request)) {
51185 + goto out_put_task_struct;
51188 if (request == PTRACE_ATTACH) {
51189 ret = ptrace_attach(child);
51191 * Some architectures need to do book-keeping after
51196 arch_ptrace_attach(child);
51197 + gr_audit_ptrace(child);
51199 goto out_put_task_struct;
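Review bot: `gr_audit_ptrace(child)` at line 51197 follows `arch_ptrace_attach(child)`, which in the base code is the body of an `if (!ret)`; lines 51192-51198 are not visible here, so please confirm the patch brackets both calls with `if (!ret) { ... }` — otherwise failed attaches would be audited as successes. The same `gr_handle_ptrace` / `gr_audit_ptrace` pair is duplicated verbatim in `compat_sys_ptrace` (hunk @@ -855), where the same placement check applies; a shared static helper around `ptrace_attach` would keep the two paths from diverging. Both enclosing functions continue outside the hunks.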
51202 @@ -855,14 +876,21 @@ asmlinkage long compat_sys_ptrace(compat
51206 + if (gr_handle_ptrace(child, request)) {
51208 + goto out_put_task_struct;
51211 if (request == PTRACE_ATTACH) {
51212 ret = ptrace_attach(child);
51214 * Some architectures need to do book-keeping after
51219 arch_ptrace_attach(child);
51220 + gr_audit_ptrace(child);
51222 goto out_put_task_struct;
51225 diff -urNp linux-2.6.38.1/kernel/rcutree.c linux-2.6.38.1/kernel/rcutree.c
51226 --- linux-2.6.38.1/kernel/rcutree.c 2011-03-14 21:20:32.000000000 -0400
51227 +++ linux-2.6.38.1/kernel/rcutree.c 2011-03-21 18:31:35.000000000 -0400
51228 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
51230 * Do softirq processing for the current CPU.
51232 -static void rcu_process_callbacks(struct softirq_action *unused)
51233 +static void rcu_process_callbacks(void)
51236 * Memory references from any prior RCU read-side critical sections
51237 diff -urNp linux-2.6.38.1/kernel/rcutree_plugin.h linux-2.6.38.1/kernel/rcutree_plugin.h
51238 --- linux-2.6.38.1/kernel/rcutree_plugin.h 2011-03-14 21:20:32.000000000 -0400
51239 +++ linux-2.6.38.1/kernel/rcutree_plugin.h 2011-03-21 18:31:35.000000000 -0400
51240 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
51242 /* Clean up and exit. */
51243 smp_mb(); /* ensure expedited GP seen before counter increment. */
51244 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
51245 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
51247 mutex_unlock(&sync_rcu_preempt_exp_mutex);
51249 diff -urNp linux-2.6.38.1/kernel/resource.c linux-2.6.38.1/kernel/resource.c
51250 --- linux-2.6.38.1/kernel/resource.c 2011-03-14 21:20:32.000000000 -0400
51251 +++ linux-2.6.38.1/kernel/resource.c 2011-03-21 18:31:35.000000000 -0400
51252 @@ -133,8 +133,18 @@ static const struct file_operations proc
51254 static int __init ioresources_init(void)
51256 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51257 +#ifdef CONFIG_GRKERNSEC_PROC_USER
51258 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
51259 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
51260 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51261 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
51262 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
51265 proc_create("ioports", 0, NULL, &proc_ioports_operations);
51266 proc_create("iomem", 0, NULL, &proc_iomem_operations);
51270 __initcall(ioresources_init);
51271 diff -urNp linux-2.6.38.1/kernel/rtmutex.c linux-2.6.38.1/kernel/rtmutex.c
51272 --- linux-2.6.38.1/kernel/rtmutex.c 2011-03-14 21:20:32.000000000 -0400
51273 +++ linux-2.6.38.1/kernel/rtmutex.c 2011-03-21 18:31:35.000000000 -0400
51274 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
51276 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
51278 - WARN_ON(!pendowner->pi_blocked_on);
51279 + BUG_ON(!pendowner->pi_blocked_on);
51280 WARN_ON(pendowner->pi_blocked_on != waiter);
51281 WARN_ON(pendowner->pi_blocked_on->lock != lock);
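Review bot: The `WARN_ON` → `BUG_ON` change at line 51279 turns a warning into a hard stop, and the justification is visible two lines down (line 51281): `pendowner->pi_blocked_on->lock` dereferences the very pointer being checked, so a NULL there would oops anyway, only later and while holding the lock. A comment saying so keeps the next reader from reverting it as over-eager: `/* a NULL pi_blocked_on is dereferenced two lines below; fail fast instead of oopsing mid-wakeup */`. The same rationale applies to the `BUG_ON(!sd || !sd->groups)` change in kernel/sched.c (@@ -6942), where `sd->groups` is used on the following line.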
51283 diff -urNp linux-2.6.38.1/kernel/sched.c linux-2.6.38.1/kernel/sched.c
51284 --- linux-2.6.38.1/kernel/sched.c 2011-03-23 17:20:08.000000000 -0400
51285 +++ linux-2.6.38.1/kernel/sched.c 2011-03-23 17:21:51.000000000 -0400
51286 @@ -4638,6 +4638,8 @@ int can_nice(const struct task_struct *p
51287 /* convert nice value [19,-20] to rlimit style value [1,40] */
51288 int nice_rlim = 20 - nice;
51290 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
51292 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
51293 capable(CAP_SYS_NICE));
51295 @@ -4671,7 +4673,8 @@ SYSCALL_DEFINE1(nice, int, increment)
51299 - if (increment < 0 && !can_nice(current, nice))
51300 + if (increment < 0 && (!can_nice(current, nice) ||
51301 + gr_handle_chroot_nice()))
51302 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
51304 retval = security_task_setnice(current, nice);
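Review bot: The new `gr_handle_chroot_nice()` condition at lines 51300-51301 shares the existing return at line 51302, `vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM`, so a chroot-based nice denial becomes a silent success whenever the vserver VXF_IGNEG_NICE flag is set, exactly like the rlimit denial it was grafted onto. If that interaction is intended, say so in a comment; if the grsecurity denial should always be reported, split it out ahead of the existing test: `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`. Note also that the `||` means the hook is only consulted once `can_nice()` has passed, which is fine for a deny-only hook but worth a line of explanation.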
51305 @@ -4814,6 +4817,7 @@ recheck:
51306 unsigned long rlim_rtprio =
51307 task_rlimit(p, RLIMIT_RTPRIO);
51309 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
51310 /* can't set/change the rt policy */
51311 if (policy != p->policy && !rlim_rtprio)
51313 @@ -6942,7 +6946,7 @@ static void init_sched_groups_power(int
51317 - WARN_ON(!sd || !sd->groups);
51318 + BUG_ON(!sd || !sd->groups);
51320 if (cpu != group_first_cpu(sd->groups))
51322 diff -urNp linux-2.6.38.1/kernel/sched_fair.c linux-2.6.38.1/kernel/sched_fair.c
51323 --- linux-2.6.38.1/kernel/sched_fair.c 2011-03-14 21:20:32.000000000 -0400
51324 +++ linux-2.6.38.1/kernel/sched_fair.c 2011-03-21 18:31:35.000000000 -0400
51325 @@ -3960,7 +3960,7 @@ static void nohz_idle_balance(int this_c
51326 * run_rebalance_domains is triggered when needed from the scheduler tick.
51327 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
51329 -static void run_rebalance_domains(struct softirq_action *h)
51330 +static void run_rebalance_domains(void)
51332 int this_cpu = smp_processor_id();
51333 struct rq *this_rq = cpu_rq(this_cpu);
51334 diff -urNp linux-2.6.38.1/kernel/signal.c linux-2.6.38.1/kernel/signal.c
51335 --- linux-2.6.38.1/kernel/signal.c 2011-03-14 21:20:32.000000000 -0400
51336 +++ linux-2.6.38.1/kernel/signal.c 2011-03-21 18:31:35.000000000 -0400
51337 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
51339 int print_fatal_signals __read_mostly;
51341 -static void __user *sig_handler(struct task_struct *t, int sig)
51342 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
51344 return t->sighand->action[sig - 1].sa.sa_handler;
51347 -static int sig_handler_ignored(void __user *handler, int sig)
51348 +static int sig_handler_ignored(__sighandler_t handler, int sig)
51350 /* Is it explicitly or implicitly ignored? */
51351 return handler == SIG_IGN ||
51352 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
51353 static int sig_task_ignored(struct task_struct *t, int sig,
51354 int from_ancestor_ns)
51356 - void __user *handler;
51357 + __sighandler_t handler;
51359 handler = sig_handler(t, sig);
51361 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
51362 atomic_inc(&user->sigpending);
51365 + if (!override_rlimit)
51366 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
51368 if (override_rlimit ||
51369 atomic_read(&user->sigpending) <=
51370 task_rlimit(t, RLIMIT_SIGPENDING)) {
51371 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
51373 int unhandled_signal(struct task_struct *tsk, int sig)
51375 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
51376 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
51377 if (is_global_init(tsk))
51379 if (handler != SIG_IGN && handler != SIG_DFL)
51380 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
51381 sig, info, t, vx_task_xid(t), t->pid, current->xid);
51385 + if (gr_handle_signal(t, sig))
51389 return security_task_kill(t, info, sig, 0);
51391 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
51392 return send_signal(sig, info, p, 1);
51397 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
51399 return send_signal(sig, info, t, 0);
51400 @@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo *
51401 unsigned long int flags;
51402 int ret, blocked, ignored;
51403 struct k_sigaction *action;
51404 + int is_unhandled = 0;
51406 spin_lock_irqsave(&t->sighand->siglock, flags);
51407 action = &t->sighand->action[sig-1];
51408 @@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo *
51410 if (action->sa.sa_handler == SIG_DFL)
51411 t->signal->flags &= ~SIGNAL_UNKILLABLE;
51412 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
51413 + is_unhandled = 1;
51414 ret = specific_send_sig_info(sig, info, t);
51415 spin_unlock_irqrestore(&t->sighand->siglock, flags);
51417 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
51418 + normal operation */
51419 + if (is_unhandled) {
51420 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
51421 + gr_handle_crash(t, sig);
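Review bot: `is_unhandled` (declared `int` at line 51404 in the previous hunk, set at lines 51412-51413) is a flag and `bool` would say so; more importantly, the `SIG_IGN` half of the test at line 51412 may be dead if the preceding `if (blocked || ignored)` block (outside the visible lines) has already reset an ignored handler to `SIG_DFL`, so please confirm which handler values can actually reach this line under the lock. A short comment above line 51412, e.g. `/* sample the handler state under siglock; the log/crash hooks below run after it is dropped */`, records why the flag is computed here rather than at the call site at line 51419.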
51427 @@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct
51428 ret = check_kill_permission(sig, info, p);
51432 + if (!ret && sig) {
51433 ret = do_send_sig_info(sig, info, p, true);
51435 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
51440 diff -urNp linux-2.6.38.1/kernel/smp.c linux-2.6.38.1/kernel/smp.c
51441 --- linux-2.6.38.1/kernel/smp.c 2011-03-23 17:20:08.000000000 -0400
51442 +++ linux-2.6.38.1/kernel/smp.c 2011-03-26 20:50:44.000000000 -0400
51443 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
51445 EXPORT_SYMBOL(smp_call_function);
51447 -void ipi_call_lock(void)
51448 +void ipi_call_lock(void) __acquires(call_function.lock)
51450 raw_spin_lock(&call_function.lock);
51453 -void ipi_call_unlock(void)
51454 +void ipi_call_unlock(void) __releases(call_function.lock)
51456 raw_spin_unlock(&call_function.lock);
51459 -void ipi_call_lock_irq(void)
51460 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
51462 raw_spin_lock_irq(&call_function.lock);
51465 -void ipi_call_unlock_irq(void)
51466 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
51468 raw_spin_unlock_irq(&call_function.lock);
51470 diff -urNp linux-2.6.38.1/kernel/softirq.c linux-2.6.38.1/kernel/softirq.c
51471 --- linux-2.6.38.1/kernel/softirq.c 2011-03-14 21:20:32.000000000 -0400
51472 +++ linux-2.6.38.1/kernel/softirq.c 2011-03-21 18:31:35.000000000 -0400
51473 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
51475 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
51477 -char *softirq_to_name[NR_SOFTIRQS] = {
51478 +const char * const softirq_to_name[NR_SOFTIRQS] = {
51479 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
51480 "TASKLET", "SCHED", "HRTIMER", "RCU"
51482 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
51484 asmlinkage void __do_softirq(void)
51486 - struct softirq_action *h;
51487 + const struct softirq_action *h;
51489 int max_restart = MAX_SOFTIRQ_RESTART;
51491 @@ -235,7 +235,7 @@ restart:
51492 kstat_incr_softirqs_this_cpu(vec_nr);
51494 trace_softirq_entry(vec_nr);
51497 trace_softirq_exit(vec_nr);
51498 if (unlikely(prev_count != preempt_count())) {
51499 printk(KERN_ERR "huh, entered softirq %u %s %p"
51500 @@ -365,7 +365,7 @@ void raise_softirq(unsigned int nr)
51501 local_irq_restore(flags);
51504 -void open_softirq(int nr, void (*action)(struct softirq_action *))
51505 +void open_softirq(int nr, void (*action)(void))
51507 softirq_vec[nr].action = action;
51509 @@ -421,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
51511 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
51513 -static void tasklet_action(struct softirq_action *a)
51514 +static void tasklet_action(void)
51516 struct tasklet_struct *list;
51518 @@ -456,7 +456,7 @@ static void tasklet_action(struct softir
51522 -static void tasklet_hi_action(struct softirq_action *a)
51523 +static void tasklet_hi_action(void)
51525 struct tasklet_struct *list;
51527 diff -urNp linux-2.6.38.1/kernel/sys.c linux-2.6.38.1/kernel/sys.c
51528 --- linux-2.6.38.1/kernel/sys.c 2011-03-14 21:20:32.000000000 -0400
51529 +++ linux-2.6.38.1/kernel/sys.c 2011-03-21 18:31:35.000000000 -0400
51530 @@ -136,6 +136,12 @@ static int set_one_prio(struct task_stru
51535 + if (gr_handle_chroot_setpriority(p, niceval)) {
51540 no_nice = security_task_setnice(p, niceval);
51543 @@ -517,6 +523,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
51547 + if (gr_check_group_change(new->gid, new->egid, -1))
51550 if (rgid != (gid_t) -1 ||
51551 (egid != (gid_t) -1 && egid != old->gid))
51552 new->sgid = new->egid;
51553 @@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
51554 old = current_cred();
51558 + if (gr_check_group_change(gid, gid, gid))
51561 if (capable(CAP_SETGID))
51562 new->gid = new->egid = new->sgid = new->fsgid = gid;
51563 else if (gid == old->gid || gid == old->sgid)
51564 @@ -626,6 +639,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
51568 + if (gr_check_user_change(new->uid, new->euid, -1))
51571 if (new->uid != old->uid) {
51572 retval = set_user(new);
51574 @@ -670,6 +686,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
51575 old = current_cred();
51579 + if (gr_check_crash_uid(uid))
51581 + if (gr_check_user_change(uid, uid, uid))
51584 if (capable(CAP_SETUID)) {
51585 new->suid = new->uid = uid;
51586 if (uid != old->uid) {
51587 @@ -724,6 +746,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
51591 + if (gr_check_user_change(ruid, euid, -1))
51594 if (ruid != (uid_t) -1) {
51596 if (ruid != old->uid) {
51597 @@ -788,6 +813,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
51601 + if (gr_check_group_change(rgid, egid, -1))
51604 if (rgid != (gid_t) -1)
51606 if (egid != (gid_t) -1)
51607 @@ -834,6 +862,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51608 old = current_cred();
51609 old_fsuid = old->fsuid;
51611 + if (gr_check_user_change(-1, -1, uid))
51614 if (uid == old->uid || uid == old->euid ||
51615 uid == old->suid || uid == old->fsuid ||
51616 capable(CAP_SETUID)) {
51617 @@ -844,6 +875,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51625 @@ -870,12 +902,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
51626 if (gid == old->gid || gid == old->egid ||
51627 gid == old->sgid || gid == old->fsgid ||
51628 capable(CAP_SETGID)) {
51629 + if (gr_check_group_change(-1, -1, gid))
51632 if (gid != old_fsgid) {
51642 @@ -1616,7 +1652,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
51643 error = get_dumpable(me->mm);
51645 case PR_SET_DUMPABLE:
51646 - if (arg2 < 0 || arg2 > 1) {
51651 diff -urNp linux-2.6.38.1/kernel/sysctl.c linux-2.6.38.1/kernel/sysctl.c
51652 --- linux-2.6.38.1/kernel/sysctl.c 2011-03-14 21:20:32.000000000 -0400
51653 +++ linux-2.6.38.1/kernel/sysctl.c 2011-03-21 18:31:35.000000000 -0400
51657 #if defined(CONFIG_SYSCTL)
51658 +#include <linux/grsecurity.h>
51659 +#include <linux/grinternal.h>
51661 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
51662 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
51664 +extern int gr_handle_chroot_sysctl(const int op);
51666 /* External variables not in a header file. */
51667 extern int sysctl_overcommit_memory;
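Review bot: The `extern` prototypes for `gr_handle_sysctl`, `gr_handle_sysctl_mod` and `gr_handle_chroot_sysctl` at lines 51661-51664 are declared in the .c file immediately after `<linux/grsecurity.h>` is included (line 51658); they belong in that header so every caller sees one signature and a mismatch is caught at compile time rather than at link or run time. The same pattern appears with `extern struct ctl_table grsecurity_table[];` at line 51672 and in kernel/taskstats.c (`extern int gr_is_taskstats_denied(int pid);`, line 51864). Moving them is mechanical and has no behavioural effect.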
51668 @@ -190,6 +197,7 @@ static int sysrq_sysctl_handler(ctl_tabl
51672 +extern struct ctl_table grsecurity_table[];
51674 static struct ctl_table root_table[];
51675 static struct ctl_table_root sysctl_table_root;
51676 @@ -219,6 +227,20 @@ extern struct ctl_table epoll_table[];
51677 int sysctl_legacy_va_layout;
51680 +#ifdef CONFIG_PAX_SOFTMODE
51681 +static ctl_table pax_table[] = {
51683 + .procname = "softmode",
51684 + .data = &pax_softmode,
51685 + .maxlen = sizeof(unsigned int),
51687 + .proc_handler = &proc_dointvec,
51694 /* The default sysctl tables: */
51696 static struct ctl_table root_table[] = {
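Review bot: The `softmode` entry uses `.proc_handler = &proc_dointvec` (line 51687) while the rest of this file writes handlers without the address-of operator (e.g. `.proc_handler = proc_dostring` at line 51724); drop the `&` for consistency. If `pax_softmode` is an on/off switch — the name suggests it, the `unsigned int` data type does not prove it — `proc_dointvec_minmax` with `.extra1 = &zero, .extra2 = &one` would reject anything but 0 and 1 instead of storing whatever is written. The `.mode` line (51686) is not visible here, so its permission bits cannot be reviewed.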
51697 @@ -265,6 +287,22 @@ static int max_extfrag_threshold = 1000;
51700 static struct ctl_table kern_table[] = {
51701 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
51703 + .procname = "grsecurity",
51705 + .child = grsecurity_table,
51709 +#ifdef CONFIG_PAX_SOFTMODE
51711 + .procname = "pax",
51713 + .child = pax_table,
51718 .procname = "sched_child_runs_first",
51719 .data = &sysctl_sched_child_runs_first,
51720 @@ -546,7 +584,7 @@ static struct ctl_table kern_table[] = {
51721 .data = &modprobe_path,
51722 .maxlen = KMOD_PATH_LEN,
51724 - .proc_handler = proc_dostring,
51725 + .proc_handler = proc_dostring_modpriv,
51728 .procname = "modules_disabled",
51729 @@ -708,16 +746,20 @@ static struct ctl_table kern_table[] = {
51735 .procname = "kptr_restrict",
51736 .data = &kptr_restrict,
51737 .maxlen = sizeof(int),
51739 .proc_handler = proc_dmesg_restrict,
51740 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51749 .procname = "ngroups_max",
51750 .data = &ngroups_max,
51751 @@ -1182,6 +1224,13 @@ static struct ctl_table vm_table[] = {
51752 .proc_handler = proc_dointvec_minmax,
51756 + .procname = "heap_stack_gap",
51757 + .data = &sysctl_heap_stack_gap,
51758 + .maxlen = sizeof(sysctl_heap_stack_gap),
51760 + .proc_handler = proc_doulongvec_minmax,
51764 .procname = "nr_trim_pages",
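Review bot: The `heap_stack_gap` entry at lines 51756-51760 selects `proc_doulongvec_minmax` but sets no `.extra1`/`.extra2`, and with both NULL that handler enforces no bounds, so any unsigned long can be stored. If the value feeds address-space layout decisions (the name suggests a heap-to-stack distance; not verifiable from this chunk), an `.extra2` pointing at a sane maximum would stop a write that makes the gap larger than the address space. The hidden `.mode` line (51759) should also be checked so the knob is not writable by unprivileged users.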
51765 @@ -1693,6 +1742,16 @@ int sysctl_perm(struct ctl_table_root *r
51769 + if (table->parent != NULL && table->parent->procname != NULL &&
51770 + table->procname != NULL &&
51771 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
51773 + if (gr_handle_chroot_sysctl(op))
51775 + error = gr_handle_sysctl(table, op);
51779 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
51782 @@ -2100,6 +2159,16 @@ int proc_dostring(struct ctl_table *tabl
51783 buffer, lenp, ppos);
51786 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51787 + void __user *buffer, size_t *lenp, loff_t *ppos)
51789 + if (write && !capable(CAP_SYS_MODULE))
51792 + return _proc_do_string(table->data, table->maxlen, write,
51793 + buffer, lenp, ppos);
51796 static size_t proc_skip_spaces(char **buf)
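Review bot: `proc_dostring_modpriv` (lines 51786-51793) carries no kernel-doc even though it becomes an exported symbol (line 51838) and a handler recognised by sysctl_check (line 51849); `proc_dostring` in the same file has one. A header such as `/** proc_dostring_modpriv - as proc_dostring(), but writes additionally require CAP_SYS_MODULE; used for modprobe_path so only a module-capable caller can redirect the module helper */` documents both the check and why `modprobe_path` switched to it at line 51725. Lines 51790-51791 are not visible; the denial is presumed to be `-EPERM`.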
51799 @@ -2205,6 +2274,8 @@ static int proc_put_long(void __user **b
51803 + if (len > sizeof(tmp))
51804 + len = sizeof(tmp);
51805 if (copy_to_user(*buf, tmp, len))
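Review bot: The clamp at lines 51803-51804 runs after `tmp` has already been filled, so if the formatting into `tmp` (not visible in this hunk) could overrun the buffer, the damage is done before the check; the bound belongs on the write itself, `len = snprintf(tmp, sizeof(tmp), ...)` followed by a `len >= sizeof(tmp)` truncation check, after which the clamp is redundant. If `len` is a signed int (its declaration is outside the hunk), the comparison against `sizeof(tmp)` is also done unsigned, so a negative `len` would be raised to `sizeof(tmp)` instead of rejected. If the clamp is kept purely as defence in depth, a comment saying so would prevent it being mistaken for the actual bound.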
51808 @@ -2510,8 +2581,11 @@ static int __do_proc_doulongvec_minmax(v
51811 val = convdiv * (*i) / convmul;
51814 err = proc_put_char(&buffer, &left, '\t');
51818 err = proc_put_long(&buffer, &left, val, false);
51821 @@ -2906,6 +2980,12 @@ int proc_dostring(struct ctl_table *tabl
51825 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51826 + void __user *buffer, size_t *lenp, loff_t *ppos)
51831 int proc_dointvec(struct ctl_table *table, int write,
51832 void __user *buffer, size_t *lenp, loff_t *ppos)
51834 @@ -2962,6 +3042,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
51835 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
51836 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
51837 EXPORT_SYMBOL(proc_dostring);
51838 +EXPORT_SYMBOL(proc_dostring_modpriv);
51839 EXPORT_SYMBOL(proc_doulongvec_minmax);
51840 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
51841 EXPORT_SYMBOL(register_sysctl_table);
51842 diff -urNp linux-2.6.38.1/kernel/sysctl_check.c linux-2.6.38.1/kernel/sysctl_check.c
51843 --- linux-2.6.38.1/kernel/sysctl_check.c 2011-03-14 21:20:32.000000000 -0400
51844 +++ linux-2.6.38.1/kernel/sysctl_check.c 2011-03-21 18:31:35.000000000 -0400
51845 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
51846 set_fail(&fail, table, "Directory with extra2");
51848 if ((table->proc_handler == proc_dostring) ||
51849 + (table->proc_handler == proc_dostring_modpriv) ||
51850 (table->proc_handler == proc_dointvec) ||
51851 (table->proc_handler == proc_dointvec_minmax) ||
51852 (table->proc_handler == proc_dointvec_jiffies) ||
51853 diff -urNp linux-2.6.38.1/kernel/taskstats.c linux-2.6.38.1/kernel/taskstats.c
51854 --- linux-2.6.38.1/kernel/taskstats.c 2011-03-14 21:20:32.000000000 -0400
51855 +++ linux-2.6.38.1/kernel/taskstats.c 2011-03-21 18:31:35.000000000 -0400
51857 #include <linux/cgroup.h>
51858 #include <linux/fs.h>
51859 #include <linux/file.h>
51860 +#include <linux/grsecurity.h>
51861 #include <net/genetlink.h>
51862 #include <asm/atomic.h>
51864 +extern int gr_is_taskstats_denied(int pid);
51867 * Maximum length of a cpumask that can be specified in
51868 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
51869 @@ -549,6 +552,9 @@ err:
51871 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
51873 + if (gr_is_taskstats_denied(current->pid))
51876 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
51877 return cmd_attr_register_cpumask(info);
51878 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
51879 diff -urNp linux-2.6.38.1/kernel/time/tick-broadcast.c linux-2.6.38.1/kernel/time/tick-broadcast.c
51880 --- linux-2.6.38.1/kernel/time/tick-broadcast.c 2011-03-14 21:20:32.000000000 -0400
51881 +++ linux-2.6.38.1/kernel/time/tick-broadcast.c 2011-03-21 18:31:35.000000000 -0400
51882 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
51883 * then clear the broadcast bit.
51885 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
51886 - int cpu = smp_processor_id();
51887 + cpu = smp_processor_id();
51889 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
51890 tick_broadcast_clear_oneshot(cpu);
51891 diff -urNp linux-2.6.38.1/kernel/time/timekeeping.c linux-2.6.38.1/kernel/time/timekeeping.c
51892 --- linux-2.6.38.1/kernel/time/timekeeping.c 2011-03-14 21:20:32.000000000 -0400
51893 +++ linux-2.6.38.1/kernel/time/timekeeping.c 2011-03-21 18:31:35.000000000 -0400
51895 #include <linux/init.h>
51896 #include <linux/mm.h>
51897 #include <linux/sched.h>
51898 +#include <linux/grsecurity.h>
51899 #include <linux/sysdev.h>
51900 #include <linux/clocksource.h>
51901 #include <linux/jiffies.h>
51902 @@ -361,6 +362,8 @@ int do_settimeofday(struct timespec *tv)
51903 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
51906 + gr_log_timechange();
51908 write_seqlock_irqsave(&xtime_lock, flags);
51910 timekeeping_forward_now();
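Review bot: `gr_log_timechange()` at line 51906 is placed after the `tv_nsec` range check at line 51903, so a rejected request (presumably `-EINVAL` on the hidden line 51904) is never logged — only accepted changes are. If the hook is meant as an audit trail of attempts rather than of effects it should precede the validation; either way, a comment next to the call should state which is intended, e.g. `/* audit accepted changes only; invalid requests are rejected above without a log entry */`. kernel/time.c (@@ -163) adds a second call site whose guard lines (51995-51996) are not visible here, so the "don't log twice" comment there cannot be checked against its condition.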
51911 diff -urNp linux-2.6.38.1/kernel/time/timer_list.c linux-2.6.38.1/kernel/time/timer_list.c
51912 --- linux-2.6.38.1/kernel/time/timer_list.c 2011-03-14 21:20:32.000000000 -0400
51913 +++ linux-2.6.38.1/kernel/time/timer_list.c 2011-03-21 18:31:35.000000000 -0400
51914 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
51916 static void print_name_offset(struct seq_file *m, void *sym)
51918 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51919 + SEQ_printf(m, "<%p>", NULL);
51921 char symname[KSYM_NAME_LEN];
51923 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
51924 SEQ_printf(m, "<%pK>", sym);
51926 SEQ_printf(m, "%s", symname);
51931 @@ -112,7 +116,11 @@ next_one:
51933 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
51935 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51936 + SEQ_printf(m, " .base: %p\n", NULL);
51938 SEQ_printf(m, " .base: %pK\n", base);
51940 SEQ_printf(m, " .index: %d\n",
51942 SEQ_printf(m, " .resolution: %Lu nsecs\n",
51943 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
51945 struct proc_dir_entry *pe;
51947 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51948 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
51950 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
51955 diff -urNp linux-2.6.38.1/kernel/time/timer_stats.c linux-2.6.38.1/kernel/time/timer_stats.c
51956 --- linux-2.6.38.1/kernel/time/timer_stats.c 2011-03-14 21:20:32.000000000 -0400
51957 +++ linux-2.6.38.1/kernel/time/timer_stats.c 2011-03-21 18:31:35.000000000 -0400
51958 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
51960 static void print_name_offset(struct seq_file *m, unsigned long addr)
51962 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51963 + seq_printf(m, "<%p>", NULL);
51965 char symname[KSYM_NAME_LEN];
51967 if (lookup_symbol_name(addr, symname) < 0)
51968 seq_printf(m, "<%p>", (void *)addr);
51970 seq_printf(m, "%s", symname);
51974 static int tstats_show(struct seq_file *m, void *v)
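Review bot: The non-HIDESYM fallback at line 51968 still prints the raw address with `<%p>`, whereas the parallel change in kernel/time/timer_list.c (@@ -38) falls back to `<%pK>` at line 51924; using `%pK` here too lets kptr_restrict mask the value on builds without CONFIG_GRKERNSEC_HIDESYM. Under HIDESYM, `seq_printf(m, "<%p>", NULL)` at line 51963 emits the literal `<(null)>` (a NULL `%p` is rendered as `(null)`), a format change any /proc/timer_stats consumer will notice; a fixed placeholder string states that intent more clearly than a NULL pointer print. Note that under HIDESYM the symbol name is dropped as well, not only the address, which is stricter than the `%pK` path — presumably intended, but worth a comment.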
51975 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
51977 struct proc_dir_entry *pe;
51979 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51980 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
51982 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
51987 diff -urNp linux-2.6.38.1/kernel/time.c linux-2.6.38.1/kernel/time.c
51988 --- linux-2.6.38.1/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
51989 +++ linux-2.6.38.1/kernel/time.c 2011-03-21 18:31:35.000000000 -0400
51990 @@ -163,6 +163,11 @@ int do_sys_settimeofday(struct timespec
51994 + /* we log in do_settimeofday called below, so don't log twice
51997 + gr_log_timechange();
51999 /* SMP safe, global irq locking makes it work. */
52001 update_vsyscall_tz();
52002 diff -urNp linux-2.6.38.1/kernel/timer.c linux-2.6.38.1/kernel/timer.c
52003 --- linux-2.6.38.1/kernel/timer.c 2011-03-14 21:20:32.000000000 -0400
52004 +++ linux-2.6.38.1/kernel/timer.c 2011-03-21 18:31:35.000000000 -0400
52005 @@ -1276,7 +1276,7 @@ void update_process_times(int user_tick)
52007 * This function runs timers and the timer-tq in bottom half context.
52009 -static void run_timer_softirq(struct softirq_action *h)
52010 +static void run_timer_softirq(void)
52012 struct tvec_base *base = __this_cpu_read(tvec_bases);
52014 diff -urNp linux-2.6.38.1/kernel/trace/ftrace.c linux-2.6.38.1/kernel/trace/ftrace.c
52015 --- linux-2.6.38.1/kernel/trace/ftrace.c 2011-03-23 17:20:08.000000000 -0400
52016 +++ linux-2.6.38.1/kernel/trace/ftrace.c 2011-03-23 17:21:51.000000000 -0400
52017 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
52021 + ret = ftrace_arch_code_modify_prepare();
52022 + FTRACE_WARN_ON(ret);
52026 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
52027 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
52029 ftrace_bug(ret, ip);
52030 rec->flags |= FTRACE_FL_FAILED;
52034 + return ret ? 0 : 1;
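Review bot: `FTRACE_WARN_ON(ret)` at line 52022 only warns when `ftrace_arch_code_modify_prepare()` fails; whether the hidden lines 52023-52025 bail out before `ftrace_make_nop` (line 52026) cannot be seen here, and if they do not, the nop write proceeds even though the preparation step (presumably what makes the text writable) did not succeed. Likewise the result of `ftrace_arch_code_modify_post_process()` at line 52027 is warned on but dropped, so `ret` at line 52034 reflects only the nop write. A comment explaining why each record is now bracketed individually, e.g. `/* keep the text-modification window open only around this single record */`, would help the next reader; the function's opening lines are outside the hunk.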
52038 diff -urNp linux-2.6.38.1/kernel/trace/ring_buffer.c linux-2.6.38.1/kernel/trace/ring_buffer.c
52039 --- linux-2.6.38.1/kernel/trace/ring_buffer.c 2011-03-14 21:20:32.000000000 -0400
52040 +++ linux-2.6.38.1/kernel/trace/ring_buffer.c 2011-03-21 18:31:35.000000000 -0400
52041 @@ -669,7 +669,7 @@ static struct list_head *rb_list_head(st
52042 * the reader page). But if the next page is a header page,
52043 * its flags will be non zero.
52047 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
52048 struct buffer_page *page, struct list_head *list)
52050 diff -urNp linux-2.6.38.1/kernel/trace/trace.c linux-2.6.38.1/kernel/trace/trace.c
52051 --- linux-2.6.38.1/kernel/trace/trace.c 2011-03-14 21:20:32.000000000 -0400
52052 +++ linux-2.6.38.1/kernel/trace/trace.c 2011-03-21 18:31:35.000000000 -0400
52053 @@ -3967,10 +3967,9 @@ static const struct file_operations trac
52057 -static struct dentry *d_tracer;
52059 struct dentry *tracing_init_dentry(void)
52061 + static struct dentry *d_tracer;
52065 @@ -3990,10 +3989,9 @@ struct dentry *tracing_init_dentry(void)
52069 -static struct dentry *d_percpu;
52071 struct dentry *tracing_dentry_percpu(void)
52073 + static struct dentry *d_percpu;
52075 struct dentry *d_tracer;
52077 diff -urNp linux-2.6.38.1/kernel/trace/trace_events.c linux-2.6.38.1/kernel/trace/trace_events.c
52078 --- linux-2.6.38.1/kernel/trace/trace_events.c 2011-03-14 21:20:32.000000000 -0400
52079 +++ linux-2.6.38.1/kernel/trace/trace_events.c 2011-03-21 18:31:35.000000000 -0400
52080 @@ -1240,10 +1240,10 @@ static LIST_HEAD(ftrace_module_file_list
52081 struct ftrace_module_file_ops {
52082 struct list_head list;
52083 struct module *mod;
52084 - struct file_operations id;
52085 - struct file_operations enable;
52086 - struct file_operations format;
52087 - struct file_operations filter;
52088 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
52089 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
52090 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
52091 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
52094 static struct ftrace_module_file_ops *
52095 diff -urNp linux-2.6.38.1/kernel/trace/trace_output.c linux-2.6.38.1/kernel/trace/trace_output.c
52096 --- linux-2.6.38.1/kernel/trace/trace_output.c 2011-03-14 21:20:32.000000000 -0400
52097 +++ linux-2.6.38.1/kernel/trace/trace_output.c 2011-03-21 18:31:35.000000000 -0400
52098 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
52100 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
52102 - p = mangle_path(s->buffer + s->len, p, "\n");
52103 + p = mangle_path(s->buffer + s->len, p, "\n\\");
52105 s->len = p - s->buffer;
52107 diff -urNp linux-2.6.38.1/kernel/trace/trace_stack.c linux-2.6.38.1/kernel/trace/trace_stack.c
52108 --- linux-2.6.38.1/kernel/trace/trace_stack.c 2011-03-14 21:20:32.000000000 -0400
52109 +++ linux-2.6.38.1/kernel/trace/trace_stack.c 2011-03-21 18:31:35.000000000 -0400
52110 @@ -50,7 +50,7 @@ static inline void check_stack(void)
52113 /* we do not handle interrupt stacks yet */
52114 - if (!object_is_on_stack(&this_size))
52115 + if (!object_starts_on_stack(&this_size))
52118 local_irq_save(flags);
52119 diff -urNp linux-2.6.38.1/lib/bug.c linux-2.6.38.1/lib/bug.c
52120 --- linux-2.6.38.1/lib/bug.c 2011-03-14 21:20:32.000000000 -0400
52121 +++ linux-2.6.38.1/lib/bug.c 2011-03-21 18:31:35.000000000 -0400
52122 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
52123 return BUG_TRAP_TYPE_NONE;
52125 bug = find_bug(bugaddr);
52127 + return BUG_TRAP_TYPE_NONE;
52131 diff -urNp linux-2.6.38.1/lib/debugobjects.c linux-2.6.38.1/lib/debugobjects.c
52132 --- linux-2.6.38.1/lib/debugobjects.c 2011-03-14 21:20:32.000000000 -0400
52133 +++ linux-2.6.38.1/lib/debugobjects.c 2011-03-21 18:31:35.000000000 -0400
52134 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
52138 - is_on_stack = object_is_on_stack(addr);
52139 + is_on_stack = object_starts_on_stack(addr);
52140 if (is_on_stack == onstack)
52143 diff -urNp linux-2.6.38.1/lib/dma-debug.c linux-2.6.38.1/lib/dma-debug.c
52144 --- linux-2.6.38.1/lib/dma-debug.c 2011-03-14 21:20:32.000000000 -0400
52145 +++ linux-2.6.38.1/lib/dma-debug.c 2011-03-21 18:31:35.000000000 -0400
52146 @@ -862,7 +862,7 @@ out:
52148 static void check_for_stack(struct device *dev, void *addr)
52150 - if (object_is_on_stack(addr))
52151 + if (object_starts_on_stack(addr))
52152 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
52153 "stack [addr=%p]\n", addr);
52155 diff -urNp linux-2.6.38.1/lib/inflate.c linux-2.6.38.1/lib/inflate.c
52156 --- linux-2.6.38.1/lib/inflate.c 2011-03-14 21:20:32.000000000 -0400
52157 +++ linux-2.6.38.1/lib/inflate.c 2011-03-21 18:31:35.000000000 -0400
52158 @@ -269,7 +269,7 @@ static void free(void *where)
52159 malloc_ptr = free_mem_ptr;
52162 -#define malloc(a) kmalloc(a, GFP_KERNEL)
52163 +#define malloc(a) kmalloc((a), GFP_KERNEL)
52164 #define free(a) kfree(a)
52167 diff -urNp linux-2.6.38.1/lib/Kconfig.debug linux-2.6.38.1/lib/Kconfig.debug
52168 --- linux-2.6.38.1/lib/Kconfig.debug 2011-03-14 21:20:32.000000000 -0400
52169 +++ linux-2.6.38.1/lib/Kconfig.debug 2011-03-21 18:31:35.000000000 -0400
52170 @@ -1066,6 +1066,7 @@ config LATENCYTOP
52171 depends on DEBUG_KERNEL
52172 depends on STACKTRACE_SUPPORT
52174 + depends on !GRKERNSEC_HIDESYM
52175 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
52177 select KALLSYMS_ALL
52178 diff -urNp linux-2.6.38.1/lib/kref.c linux-2.6.38.1/lib/kref.c
52179 --- linux-2.6.38.1/lib/kref.c 2011-03-14 21:20:32.000000000 -0400
52180 +++ linux-2.6.38.1/lib/kref.c 2011-03-21 18:31:35.000000000 -0400
52181 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
52183 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
52185 - WARN_ON(release == NULL);
52186 + BUG_ON(release == NULL);
52187 WARN_ON(release == (void (*)(struct kref *))kfree);
52189 if (atomic_dec_and_test(&kref->refcount)) {
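Review bot: The promotion of the NULL-release check at the top of kref_put to BUG_ON needs a comment, because the adjacent kfree check on the next line is kept as WARN_ON and a reader has to guess why the two misuses are treated differently. With a NULL release the old code warned and then, presumably, still called through the NULL function pointer at the release(kref) call site below this hunk once the count reached zero, so refusing to continue is the fail-closed choice; the kfree case at least calls a valid function. Suggested: `BUG_ON(release == NULL); /* would be called through below once the count hits zero; fail closed */`. The rest of kref_put is outside the hunk.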
52190 diff -urNp linux-2.6.38.1/lib/radix-tree.c linux-2.6.38.1/lib/radix-tree.c
52191 --- linux-2.6.38.1/lib/radix-tree.c 2011-03-14 21:20:32.000000000 -0400
52192 +++ linux-2.6.38.1/lib/radix-tree.c 2011-03-21 18:31:35.000000000 -0400
52193 @@ -80,7 +80,7 @@ struct radix_tree_preload {
52195 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
52197 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
52198 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
52200 static inline void *ptr_to_indirect(void *ptr)
52202 diff -urNp linux-2.6.38.1/lib/vsprintf.c linux-2.6.38.1/lib/vsprintf.c
52203 --- linux-2.6.38.1/lib/vsprintf.c 2011-03-14 21:20:32.000000000 -0400
52204 +++ linux-2.6.38.1/lib/vsprintf.c 2011-03-21 18:31:35.000000000 -0400
52206 * - scnprintf and vscnprintf
52209 +#ifdef CONFIG_GRKERNSEC_HIDESYM
52210 +#define __INCLUDED_BY_HIDESYM 1
52212 #include <stdarg.h>
52213 #include <linux/module.h>
52214 #include <linux/types.h>
52215 @@ -574,7 +577,7 @@ char *symbol_string(char *buf, char *end
52216 unsigned long value = (unsigned long) ptr;
52217 #ifdef CONFIG_KALLSYMS
52218 char sym[KSYM_SYMBOL_LEN];
52219 - if (ext != 'f' && ext != 's')
52220 + if (ext != 'f' && ext != 's' && ext != 'a')
52221 sprint_symbol(sym, value);
52223 kallsyms_lookup(value, NULL, NULL, NULL, sym);
52224 @@ -936,7 +939,11 @@ char *uuid_string(char *buf, char *end,
52225 return string(buf, end, uuid, spec);
52228 +#ifdef CONFIG_GRKERNSEC_HIDESYM
52229 +int kptr_restrict = 2;
52231 int kptr_restrict = 1;
52235 * Show a '%p' thing. A kernel extension is that the '%p' is followed
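Review bot: The HIDESYM value `int kptr_restrict = 2;` is only a compile-time initial value; kptr_restrict is also a writable sysctl elsewhere in the tree (not in this diff), so unless that handler is clamped as well the raised default can be lowered again at runtime, and the block should say which behaviour is intended: `/* HIDESYM: start fully restricted; the sysctl may still relax this unless it is clamped too */`. The `#else`/`#endif` lines of this block are not visible here.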
52236 @@ -949,6 +956,8 @@ int kptr_restrict = 1;
52237 * - 'f' For simple symbolic function names without offset
52238 * - 'S' For symbolic direct pointers with offset
52239 * - 's' For symbolic direct pointers without offset
52240 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
52241 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
52242 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
52243 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
52244 * - 'M' For a 6-byte MAC address, it prints the address in the
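Review bot: The two new doc lines say 'A' and 'a' are "approved for use with GRKERNSEC_HIDESYM" but not what that changes in the output, which is exactly what a caller choosing between 'S' and 'A' needs to know. If, as the wording suggests, ordinary 'S'/'s' output is suppressed when HIDESYM is enabled (handled in a later pointer() hunk whose case labels are not visible here), say so: `* - 'A'/'a' Like 'S'/'s' but still resolved under GRKERNSEC_HIDESYM; use only where the symbol is meant to be visible to the reader`. The symbol_string hunk above treats 'a' like 's' (no offset), which is consistent with this text.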
52245 @@ -993,12 +1002,12 @@ char *pointer(const char *fmt, char *buf
52249 - * Print (null) with the same width as a pointer so it makes
52250 + * Print (nil) with the same width as a pointer so it makes
52251 * tabular output look nice.
52253 if (spec.field_width == -1)
52254 spec.field_width = 2 * sizeof(void *);
52255 - return string(buf, end, "(null)", spec);
52256 + return string(buf, end, "(nil)", spec);
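Review bot: Changing the NULL rendering of `%p` from `(null)` to `(nil)` alters text that reaches the kernel log and anything that parses it, and nothing in the hunk records why; the updated comment only restates the new literal. Put the motivation next to the return, e.g. `/* "(nil)" matches what userspace printf prints for a NULL %p */` if that is the reason, or drop the change if it is cosmetic, since it is unrelated to the hardening in the rest of this file.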
52260 @@ -1008,6 +1017,13 @@ char *pointer(const char *fmt, char *buf
52264 +#ifdef CONFIG_GRKERNSEC_HIDESYM
52267 + return symbol_string(buf, end, ptr, spec, *fmt);
52271 return symbol_string(buf, end, ptr, spec, *fmt);
52274 @@ -1772,11 +1788,11 @@ int bstr_printf(char *buf, size_t size,
52275 typeof(type) value; \
52276 if (sizeof(type) == 8) { \
52277 args = PTR_ALIGN(args, sizeof(u32)); \
52278 - *(u32 *)&value = *(u32 *)args; \
52279 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
52280 + *(u32 *)&value = *(const u32 *)args; \
52281 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
52283 args = PTR_ALIGN(args, sizeof(type)); \
52284 - value = *(typeof(type) *)args; \
52285 + value = *(const typeof(type) *)args; \
52287 args += sizeof(type); \
52289 @@ -1839,7 +1855,7 @@ int bstr_printf(char *buf, size_t size,
52290 case FORMAT_TYPE_STR: {
52291 const char *str_arg = args;
52292 args += strlen(str_arg) + 1;
52293 - str = string(str, end, (char *)str_arg, spec);
52294 + str = string(str, end, str_arg, spec);
52298 diff -urNp linux-2.6.38.1/localversion-grsec linux-2.6.38.1/localversion-grsec
52299 --- linux-2.6.38.1/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
52300 +++ linux-2.6.38.1/localversion-grsec 2011-03-21 18:31:35.000000000 -0400
52303 diff -urNp linux-2.6.38.1/Makefile linux-2.6.38.1/Makefile
52304 --- linux-2.6.38.1/Makefile 2011-03-23 17:20:06.000000000 -0400
52305 +++ linux-2.6.38.1/Makefile 2011-03-23 17:21:43.000000000 -0400
52306 @@ -233,8 +233,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
52310 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
52311 -HOSTCXXFLAGS = -O2
52312 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
52313 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
52315 # Decide whether to build built-in, modular, or both.
52316 # Normally, just do built-in.
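Review bot: `-fno-delete-null-pointer-checks` is added only to HOSTCFLAGS/HOSTCXXFLAGS, which govern the host-side build tools, not the kernel objects built with KBUILD_CFLAGS (untouched in this hunk), and nothing says why host programs need it. A comment would keep a reader from taking it as kernel hardening: `# host tools: keep explicit NULL checks the optimizer would otherwise drop after a dereference`. The added `-W` also enables the extra warning set for every host tool, which may surface noise in unrelated host sources and is better explained in the commit text than left implicit.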
52317 @@ -681,7 +681,7 @@ export mod_strip_cmd
52320 ifeq ($(KBUILD_EXTMOD),)
52321 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
52322 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
52324 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
52325 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
52326 diff -urNp linux-2.6.38.1/mm/bootmem.c linux-2.6.38.1/mm/bootmem.c
52327 --- linux-2.6.38.1/mm/bootmem.c 2011-03-14 21:20:32.000000000 -0400
52328 +++ linux-2.6.38.1/mm/bootmem.c 2011-03-21 18:31:35.000000000 -0400
52329 @@ -201,19 +201,30 @@ static void __init __free_pages_memory(u
52330 unsigned long __init free_all_memory_core_early(int nodeid)
52334 + u64 start, end, startrange, endrange;
52335 unsigned long count = 0;
52336 - struct range *range = NULL;
52337 + struct range *range = NULL, rangerange = { 0, 0 };
52340 nr_range = get_free_all_memory_range(&range, nodeid);
52341 + startrange = __pa(range) >> PAGE_SHIFT;
52342 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
52344 for (i = 0; i < nr_range; i++) {
52345 start = range[i].start;
52346 end = range[i].end;
52347 + if (start <= endrange && startrange < end) {
52348 + BUG_ON(rangerange.start | rangerange.end);
52349 + rangerange = range[i];
52352 count += end - start;
52353 __free_pages_memory(start, end);
52355 + start = rangerange.start;
52356 + end = rangerange.end;
52357 + count += end - start;
52358 + __free_pages_memory(start, end);
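Review bot: The unconditional free after the loop (`start = rangerange.start; end = rangerange.end; ... __free_pages_memory(start, end);`) also runs when no range overlapped the array, in which case it is called with (0, 0); that relies on __free_pages_memory tolerating an empty range, which this hunk does not show, so either guard it with `if (rangerange.end > rangerange.start)` or state the reliance in a comment. The reason for the deferral — the `range` array returned by get_free_all_memory_range lives in the very memory being freed, so its pages must go last — is only implied by the startrange/endrange arithmetic and should be written down: `/* range[] itself sits in the bootmem being freed here: release that range last */`. The `BUG_ON(rangerange.start | rangerange.end)` additionally assumes the array is covered by at most one range; if a straddling array is possible this is a boot-time panic rather than a handled case. The end of the function, including its return, is outside the visible hunk.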
52362 diff -urNp linux-2.6.38.1/mm/filemap.c linux-2.6.38.1/mm/filemap.c
52363 --- linux-2.6.38.1/mm/filemap.c 2011-03-14 21:20:32.000000000 -0400
52364 +++ linux-2.6.38.1/mm/filemap.c 2011-03-21 18:31:35.000000000 -0400
52365 @@ -1664,7 +1664,7 @@ int generic_file_mmap(struct file * file
52366 struct address_space *mapping = file->f_mapping;
52368 if (!mapping->a_ops->readpage)
52371 file_accessed(file);
52372 vma->vm_ops = &generic_file_vm_ops;
52373 vma->vm_flags |= VM_CAN_NONLINEAR;
52374 @@ -2060,6 +2060,7 @@ inline int generic_write_checks(struct f
52375 *pos = i_size_read(inode);
52377 if (limit != RLIM_INFINITY) {
52378 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
52379 if (*pos >= limit) {
52380 send_sig(SIGXFSZ, current, 0);
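Review bot: `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);` is missing the space after the comma that the surrounding calls use; write it `gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0);`. The hook is placed before the `*pos >= limit` test, so the learning path also records requests that are about to be refused; if that is deliberate a short comment would keep the next reader from moving it below the check.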
52382 diff -urNp linux-2.6.38.1/mm/fremap.c linux-2.6.38.1/mm/fremap.c
52383 --- linux-2.6.38.1/mm/fremap.c 2011-03-14 21:20:32.000000000 -0400
52384 +++ linux-2.6.38.1/mm/fremap.c 2011-03-21 18:31:35.000000000 -0400
52385 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52387 vma = find_vma(mm, start);
52389 +#ifdef CONFIG_PAX_SEGMEXEC
52390 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
52395 * Make sure the vma is shared, that it supports prefaulting,
52396 * and that the remapped range is valid and fully within
52397 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52399 * drop PG_Mlocked flag for over-mapped range
52401 - unsigned int saved_flags = vma->vm_flags;
52402 + unsigned long saved_flags = vma->vm_flags;
52403 munlock_vma_pages_range(vma, start, start + size);
52404 vma->vm_flags = saved_flags;
52406 diff -urNp linux-2.6.38.1/mm/highmem.c linux-2.6.38.1/mm/highmem.c
52407 --- linux-2.6.38.1/mm/highmem.c 2011-03-14 21:20:32.000000000 -0400
52408 +++ linux-2.6.38.1/mm/highmem.c 2011-03-21 18:31:35.000000000 -0400
52409 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
52410 * So no dangers, even with speculative execution.
52412 page = pte_page(pkmap_page_table[i]);
52413 + pax_open_kernel();
52414 pte_clear(&init_mm, (unsigned long)page_address(page),
52415 &pkmap_page_table[i]);
52417 + pax_close_kernel();
52418 set_page_address(page, NULL);
52421 @@ -186,9 +187,11 @@ start:
52424 vaddr = PKMAP_ADDR(last_pkmap_nr);
52426 + pax_open_kernel();
52427 set_pte_at(&init_mm, vaddr,
52428 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
52430 + pax_close_kernel();
52431 pkmap_count[last_pkmap_nr] = 1;
52432 set_page_address(page, (void *)vaddr);
52434 diff -urNp linux-2.6.38.1/mm/hugetlb.c linux-2.6.38.1/mm/hugetlb.c
52435 --- linux-2.6.38.1/mm/hugetlb.c 2011-03-14 21:20:32.000000000 -0400
52436 +++ linux-2.6.38.1/mm/hugetlb.c 2011-03-21 18:31:35.000000000 -0400
52437 @@ -2333,6 +2333,27 @@ static int unmap_ref_private(struct mm_s
52441 +#ifdef CONFIG_PAX_SEGMEXEC
52442 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
52444 + struct mm_struct *mm = vma->vm_mm;
52445 + struct vm_area_struct *vma_m;
52446 + unsigned long address_m;
52449 + vma_m = pax_find_mirror_vma(vma);
52453 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52454 + address_m = address + SEGMEXEC_TASK_SIZE;
52455 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
52456 + get_page(page_m);
52457 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
52458 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
52463 * Hugetlb_cow() should be called with page lock of the original hugepage held.
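Review bot: `ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);` in pax_mirror_huge_pte is dereferenced by set_huge_pte_at without a NULL check, and huge_pte_offset returns NULL on at least some architectures when the mirror's page-table levels are not yet populated. The hugetlb_fault hunk later in this file calls `huge_pte_alloc(mm, address_m, huge_page_size(h))` before the fault reaches hugetlb_cow/hugetlb_no_page, so the contract appears to be that hugetlb_fault pre-populates the mirror; make that explicit with `BUG_ON(!ptep_m);` after the lookup, or a comment naming hugetlb_fault as the guarantor. The lines between the vma_m lookup and the first BUG_ON are not visible here, so an early return for a missing mirror may already exist.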
52465 @@ -2434,6 +2455,11 @@ retry_avoidcopy:
52466 make_huge_pte(vma, new_page, 1));
52467 page_remove_rmap(old_page);
52468 hugepage_add_new_anon_rmap(new_page, vma, address);
52470 +#ifdef CONFIG_PAX_SEGMEXEC
52471 + pax_mirror_huge_pte(vma, address, new_page);
52474 /* Make the old page be freed below */
52475 new_page = old_page;
52476 mmu_notifier_invalidate_range_end(mm,
52477 @@ -2585,6 +2611,10 @@ retry:
52478 && (vma->vm_flags & VM_SHARED)));
52479 set_huge_pte_at(mm, address, ptep, new_pte);
52481 +#ifdef CONFIG_PAX_SEGMEXEC
52482 + pax_mirror_huge_pte(vma, address, page);
52485 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
52486 /* Optimization, do the COW without a second fault */
52487 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
52488 @@ -2614,6 +2644,10 @@ int hugetlb_fault(struct mm_struct *mm,
52489 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
52490 struct hstate *h = hstate_vma(vma);
52492 +#ifdef CONFIG_PAX_SEGMEXEC
52493 + struct vm_area_struct *vma_m;
52496 ptep = huge_pte_offset(mm, address);
52498 entry = huge_ptep_get(ptep);
52499 @@ -2625,6 +2659,26 @@ int hugetlb_fault(struct mm_struct *mm,
52500 VM_FAULT_SET_HINDEX(h - hstates);
52503 +#ifdef CONFIG_PAX_SEGMEXEC
52504 + vma_m = pax_find_mirror_vma(vma);
52506 + unsigned long address_m;
52508 + if (vma->vm_start > vma_m->vm_start) {
52509 + address_m = address;
52510 + address -= SEGMEXEC_TASK_SIZE;
52512 + h = hstate_vma(vma);
52514 + address_m = address + SEGMEXEC_TASK_SIZE;
52516 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
52517 + return VM_FAULT_OOM;
52518 + address_m &= HPAGE_MASK;
52519 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
52523 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
52525 return VM_FAULT_OOM;
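Review bot: `unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL)` hands the callee `vma` (the lower vma after the preceding swap) together with an address range that lies in the mirror, so it is correct only as long as unmap_hugepage_range uses the vma for mm, hstate and file and never for bounds; that reliance should be stated in a comment so a later change to the callee does not break it silently. The same pattern appears in the madvise_dontneed hunk (`zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, ...)` with `vma` rather than `vma_m`), and one comment at each site would suffice. The lines around `vma = vma_m` and the closing of the `if (vma_m)` block are not visible here.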
52526 diff -urNp linux-2.6.38.1/mm/Kconfig linux-2.6.38.1/mm/Kconfig
52527 --- linux-2.6.38.1/mm/Kconfig 2011-03-14 21:20:32.000000000 -0400
52528 +++ linux-2.6.38.1/mm/Kconfig 2011-03-21 18:31:35.000000000 -0400
52529 @@ -240,7 +240,7 @@ config KSM
52530 config DEFAULT_MMAP_MIN_ADDR
52531 int "Low address space to protect from user allocation"
52536 This is the portion of low virtual memory which should be protected
52537 from userspace allocation. Keeping a user from writing to low pages
52538 diff -urNp linux-2.6.38.1/mm/kmemleak.c linux-2.6.38.1/mm/kmemleak.c
52539 --- linux-2.6.38.1/mm/kmemleak.c 2011-03-14 21:20:32.000000000 -0400
52540 +++ linux-2.6.38.1/mm/kmemleak.c 2011-03-21 18:31:35.000000000 -0400
52541 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
52543 for (i = 0; i < object->trace_len; i++) {
52544 void *ptr = (void *)object->trace[i];
52545 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
52546 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
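Review bot: The switch to `%pA` for the symbolic part leaves the leading `[<%p>]` on the same seq_printf line, which still emits the raw trace address and is masked only to the extent the `%p` handling honours kptr_restrict, so the line still discloses the address unless kptr_restrict is raised (the HIDESYM default in the vsprintf hunk above does that). If the intent is that kmemleak output never reveals raw kernel addresses, print the symbolic form alone; if the raw value is wanted for debugging, a comment saying so would stop the next reader from "fixing" it.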
52550 diff -urNp linux-2.6.38.1/mm/maccess.c linux-2.6.38.1/mm/maccess.c
52551 --- linux-2.6.38.1/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
52552 +++ linux-2.6.38.1/mm/maccess.c 2011-03-21 18:31:35.000000000 -0400
52553 @@ -15,10 +15,10 @@
52554 * happens, handle that and return -EFAULT.
52557 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
52558 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
52559 __attribute__((alias("__probe_kernel_read")));
52561 -long __probe_kernel_read(void *dst, void *src, size_t size)
52562 +long __probe_kernel_read(void *dst, const void *src, size_t size)
52565 mm_segment_t old_fs = get_fs();
52566 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
52567 * Safely write to address @dst from the buffer at @src. If a kernel fault
52568 * happens, handle that and return -EFAULT.
52570 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
52571 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
52572 __attribute__((alias("__probe_kernel_write")));
52574 -long __probe_kernel_write(void *dst, void *src, size_t size)
52575 +long __probe_kernel_write(void *dst, const void *src, size_t size)
52578 mm_segment_t old_fs = get_fs();
52579 diff -urNp linux-2.6.38.1/mm/madvise.c linux-2.6.38.1/mm/madvise.c
52580 --- linux-2.6.38.1/mm/madvise.c 2011-03-14 21:20:32.000000000 -0400
52581 +++ linux-2.6.38.1/mm/madvise.c 2011-03-21 18:31:35.000000000 -0400
52582 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
52584 unsigned long new_flags = vma->vm_flags;
52586 +#ifdef CONFIG_PAX_SEGMEXEC
52587 + struct vm_area_struct *vma_m;
52590 switch (behavior) {
52592 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
52593 @@ -110,6 +114,13 @@ success:
52595 * vm_flags is protected by the mmap_sem held in write mode.
52598 +#ifdef CONFIG_PAX_SEGMEXEC
52599 + vma_m = pax_find_mirror_vma(vma);
52601 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
52604 vma->vm_flags = new_flags;
52607 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
52608 struct vm_area_struct ** prev,
52609 unsigned long start, unsigned long end)
52612 +#ifdef CONFIG_PAX_SEGMEXEC
52613 + struct vm_area_struct *vma_m;
52617 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
52619 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
52620 zap_page_range(vma, start, end - start, &details);
52622 zap_page_range(vma, start, end - start, NULL);
52624 +#ifdef CONFIG_PAX_SEGMEXEC
52625 + vma_m = pax_find_mirror_vma(vma);
52627 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
52628 + struct zap_details details = {
52629 + .nonlinear_vma = vma_m,
52630 + .last_index = ULONG_MAX,
52632 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
52634 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
52641 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
52645 +#ifdef CONFIG_PAX_SEGMEXEC
52646 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52647 + if (end > SEGMEXEC_TASK_SIZE)
52652 + if (end > TASK_SIZE)
52658 diff -urNp linux-2.6.38.1/mm/memory.c linux-2.6.38.1/mm/memory.c
52659 --- linux-2.6.38.1/mm/memory.c 2011-03-14 21:20:32.000000000 -0400
52660 +++ linux-2.6.38.1/mm/memory.c 2011-03-21 18:31:35.000000000 -0400
52661 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
52664 pmd = pmd_offset(pud, start);
52666 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
52668 pmd_free_tlb(tlb, pmd, start);
52673 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
52674 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
52675 if (end - 1 > ceiling - 1)
52678 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
52679 pud = pud_offset(pgd, start);
52681 pud_free_tlb(tlb, pud, start);
52687 @@ -1433,10 +1440,10 @@ int __get_user_pages(struct task_struct
52688 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
52692 + while (nr_pages) {
52693 struct vm_area_struct *vma;
52695 - vma = find_extend_vma(mm, start);
52696 + vma = find_vma(mm, start);
52697 if (!vma && in_gate_area(tsk, start)) {
52698 unsigned long pg = start & PAGE_MASK;
52699 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
52700 @@ -1489,7 +1496,7 @@ int __get_user_pages(struct task_struct
52705 + if (!vma || start < vma->vm_start ||
52706 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
52707 !(vm_flags & vma->vm_flags))
52708 return i ? : -EFAULT;
52709 @@ -1575,7 +1582,7 @@ int __get_user_pages(struct task_struct
52710 start += PAGE_SIZE;
52712 } while (nr_pages && start < vma->vm_end);
52713 - } while (nr_pages);
52718 @@ -1724,6 +1731,10 @@ static int insert_page(struct vm_area_st
52719 page_add_file_rmap(page);
52720 set_pte_at(mm, addr, pte, mk_pte(page, prot));
52722 +#ifdef CONFIG_PAX_SEGMEXEC
52723 + pax_mirror_file_pte(vma, addr, page, ptl);
52727 pte_unmap_unlock(pte, ptl);
52729 @@ -1758,10 +1769,22 @@ out:
52730 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
52734 +#ifdef CONFIG_PAX_SEGMEXEC
52735 + struct vm_area_struct *vma_m;
52738 if (addr < vma->vm_start || addr >= vma->vm_end)
52740 if (!page_count(page))
52743 +#ifdef CONFIG_PAX_SEGMEXEC
52744 + vma_m = pax_find_mirror_vma(vma);
52746 + vma_m->vm_flags |= VM_INSERTPAGE;
52749 vma->vm_flags |= VM_INSERTPAGE;
52750 return insert_page(vma, addr, page, vma->vm_page_prot);
52752 @@ -1847,6 +1870,7 @@ int vm_insert_mixed(struct vm_area_struc
52755 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
52756 + BUG_ON(vma->vm_mirror);
52758 if (addr < vma->vm_start || addr >= vma->vm_end)
52760 @@ -2162,6 +2186,186 @@ static inline void cow_user_page(struct
52761 copy_user_highpage(dst, src, va, vma);
52764 +#ifdef CONFIG_PAX_SEGMEXEC
52765 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
52767 + struct mm_struct *mm = vma->vm_mm;
52769 + pte_t *pte, entry;
52771 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
52773 + if (!pte_present(entry)) {
52774 + if (!pte_none(entry)) {
52775 + BUG_ON(pte_file(entry));
52776 + free_swap_and_cache(pte_to_swp_entry(entry));
52777 + pte_clear_not_present_full(mm, address, pte, 0);
52780 + struct page *page;
52782 + flush_cache_page(vma, address, pte_pfn(entry));
52783 + entry = ptep_clear_flush(vma, address, pte);
52784 + BUG_ON(pte_dirty(entry));
52785 + page = vm_normal_page(vma, address, entry);
52787 + update_hiwater_rss(mm);
52788 + if (PageAnon(page))
52789 + dec_mm_counter_fast(mm, MM_ANONPAGES);
52791 + dec_mm_counter_fast(mm, MM_FILEPAGES);
52792 + page_remove_rmap(page);
52793 + page_cache_release(page);
52796 + pte_unmap_unlock(pte, ptl);
52799 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
52801 + * the ptl of the lower mapped page is held on entry and is not released on exit
52802 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
52804 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52806 + struct mm_struct *mm = vma->vm_mm;
52807 + unsigned long address_m;
52808 + spinlock_t *ptl_m;
52809 + struct vm_area_struct *vma_m;
52811 + pte_t *pte_m, entry_m;
52813 + BUG_ON(!page_m || !PageAnon(page_m));
52815 + vma_m = pax_find_mirror_vma(vma);
52819 + BUG_ON(!PageLocked(page_m));
52820 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52821 + address_m = address + SEGMEXEC_TASK_SIZE;
52822 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52823 + pte_m = pte_offset_map(pmd_m, address_m);
52824 + ptl_m = pte_lockptr(mm, pmd_m);
52825 + if (ptl != ptl_m) {
52826 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52827 + if (!pte_none(*pte_m))
52831 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52832 + page_cache_get(page_m);
52833 + page_add_anon_rmap(page_m, vma_m, address_m);
52834 + inc_mm_counter_fast(mm, MM_ANONPAGES);
52835 + set_pte_at(mm, address_m, pte_m, entry_m);
52836 + update_mmu_cache(vma_m, address_m, entry_m);
52838 + if (ptl != ptl_m)
52839 + spin_unlock(ptl_m);
52840 + pte_unmap(pte_m);
52841 + unlock_page(page_m);
52844 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52846 + struct mm_struct *mm = vma->vm_mm;
52847 + unsigned long address_m;
52848 + spinlock_t *ptl_m;
52849 + struct vm_area_struct *vma_m;
52851 + pte_t *pte_m, entry_m;
52853 + BUG_ON(!page_m || PageAnon(page_m));
52855 + vma_m = pax_find_mirror_vma(vma);
52859 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52860 + address_m = address + SEGMEXEC_TASK_SIZE;
52861 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52862 + pte_m = pte_offset_map(pmd_m, address_m);
52863 + ptl_m = pte_lockptr(mm, pmd_m);
52864 + if (ptl != ptl_m) {
52865 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52866 + if (!pte_none(*pte_m))
52870 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52871 + page_cache_get(page_m);
52872 + page_add_file_rmap(page_m);
52873 + inc_mm_counter_fast(mm, MM_FILEPAGES);
52874 + set_pte_at(mm, address_m, pte_m, entry_m);
52875 + update_mmu_cache(vma_m, address_m, entry_m);
52877 + if (ptl != ptl_m)
52878 + spin_unlock(ptl_m);
52879 + pte_unmap(pte_m);
52882 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
52884 + struct mm_struct *mm = vma->vm_mm;
52885 + unsigned long address_m;
52886 + spinlock_t *ptl_m;
52887 + struct vm_area_struct *vma_m;
52889 + pte_t *pte_m, entry_m;
52891 + vma_m = pax_find_mirror_vma(vma);
52895 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52896 + address_m = address + SEGMEXEC_TASK_SIZE;
52897 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52898 + pte_m = pte_offset_map(pmd_m, address_m);
52899 + ptl_m = pte_lockptr(mm, pmd_m);
52900 + if (ptl != ptl_m) {
52901 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52902 + if (!pte_none(*pte_m))
52906 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
52907 + set_pte_at(mm, address_m, pte_m, entry_m);
52909 + if (ptl != ptl_m)
52910 + spin_unlock(ptl_m);
52911 + pte_unmap(pte_m);
52914 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
52916 + struct page *page_m;
52919 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
52923 + page_m = vm_normal_page(vma, address, entry);
52925 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
52926 + else if (PageAnon(page_m)) {
52927 + if (pax_find_mirror_vma(vma)) {
52928 + pte_unmap_unlock(pte, ptl);
52929 + lock_page(page_m);
52930 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
52931 + if (pte_same(entry, *pte))
52932 + pax_mirror_anon_pte(vma, address, page_m, ptl);
52934 + unlock_page(page_m);
52937 + pax_mirror_file_pte(vma, address, page_m, ptl);
52940 + pte_unmap_unlock(pte, ptl);
52945 * This routine handles present pages, when users try to write
52946 * to a shared page. It is done by copying the page to a new address
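Review bot: In pax_mirror_pte's anonymous branch, `pte_unmap_unlock(pte, ptl); lock_page(page_m);` drops the PTE lock while holding no reference on page_m, and once the lock is gone nothing visible here keeps the page from being unmapped and freed by reclaim before lock_page runs, unless a guarantee outside this hunk prevents that. The kernel's own idiom for this sequence (do_wp_page, outside this hunk) takes `page_cache_get(page_m);` before the unlock and drops it with `page_cache_release(page_m);` after the pte_same re-check, on both the same and the changed path. The header comment of pax_mirror_anon_pte should also say that it consumes the page lock (it ends with unlock_page), which appears to be why pax_mirror_pte only unlocks in the not-pte_same branch. pax_unmap_mirror_pte's `if (page)` guard after vm_normal_page is not visible in this view, so that check could not be confirmed.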
52947 @@ -2373,6 +2577,12 @@ gotten:
52949 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52950 if (likely(pte_same(*page_table, orig_pte))) {
52952 +#ifdef CONFIG_PAX_SEGMEXEC
52953 + if (pax_find_mirror_vma(vma))
52954 + BUG_ON(!trylock_page(new_page));
52958 if (!PageAnon(old_page)) {
52959 dec_mm_counter_fast(mm, MM_FILEPAGES);
52960 @@ -2424,6 +2634,10 @@ gotten:
52961 page_remove_rmap(old_page);
52964 +#ifdef CONFIG_PAX_SEGMEXEC
52965 + pax_mirror_anon_pte(vma, address, new_page, ptl);
52968 /* Free the old page.. */
52969 new_page = old_page;
52970 ret |= VM_FAULT_WRITE;
52971 @@ -2834,6 +3048,11 @@ static int do_swap_page(struct mm_struct
52973 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
52974 try_to_free_swap(page);
52976 +#ifdef CONFIG_PAX_SEGMEXEC
52977 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
52983 @@ -2857,6 +3076,11 @@ static int do_swap_page(struct mm_struct
52985 /* No need to invalidate - it was non-present before */
52986 update_mmu_cache(vma, address, page_table);
52988 +#ifdef CONFIG_PAX_SEGMEXEC
52989 + pax_mirror_anon_pte(vma, address, page, ptl);
52993 pte_unmap_unlock(page_table, ptl);
52995 @@ -2876,40 +3100,6 @@ out_release:
52999 - * This is like a special single-page "expand_{down|up}wards()",
53000 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
53001 - * doesn't hit another vma.
53003 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
53005 - address &= PAGE_MASK;
53006 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
53007 - struct vm_area_struct *prev = vma->vm_prev;
53010 - * Is there a mapping abutting this one below?
53012 - * That's only ok if it's the same stack mapping
53013 - * that has gotten split..
53015 - if (prev && prev->vm_end == address)
53016 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
53018 - expand_stack(vma, address - PAGE_SIZE);
53020 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
53021 - struct vm_area_struct *next = vma->vm_next;
53023 - /* As VM_GROWSDOWN but s/below/above/ */
53024 - if (next && next->vm_start == address + PAGE_SIZE)
53025 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
53027 - expand_upwards(vma, address + PAGE_SIZE);
53033 * We enter with non-exclusive mmap_sem (to exclude vma changes,
53034 * but allow concurrent faults), and pte mapped but not yet locked.
53035 * We return with mmap_sem still held, but pte unmapped and unlocked.
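Review bot: Deleting check_stack_guard_page here and its call in do_anonymous_page (next hunk) removes the check that refused a stack fault when the page adjoining the stack belongs to a different mapping, and the replacement — if it is the `start < vma->vm_start` test and the find_extend_vma→find_vma switch in the __get_user_pages hunks above, or something in the fault handler outside this file — is not identified anywhere in the diff. A one-line comment at the removal site naming where stack expansion and the guard gap are now enforced would let a reviewer verify the property is preserved rather than lost. As written, the hunk reads as a regression of the guard-page hardening rather than a relocation of it.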
53036 @@ -2918,27 +3108,23 @@ static int do_anonymous_page(struct mm_s
53037 unsigned long address, pte_t *page_table, pmd_t *pmd,
53038 unsigned int flags)
53040 - struct page *page;
53041 + struct page *page = NULL;
53045 - pte_unmap(page_table);
53047 - /* Check if we need to add a guard page to the stack */
53048 - if (check_stack_guard_page(vma, address) < 0)
53049 - return VM_FAULT_SIGBUS;
53051 - /* Use the zero-page for reads */
53052 if (!(flags & FAULT_FLAG_WRITE)) {
53053 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
53054 vma->vm_page_prot));
53055 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
53056 + ptl = pte_lockptr(mm, pmd);
53058 if (!pte_none(*page_table))
53063 /* Allocate our own private page. */
53064 + pte_unmap(page_table);
53066 if (unlikely(anon_vma_prepare(vma)))
53068 page = alloc_zeroed_user_highpage_movable(vma, address);
53069 @@ -2957,6 +3143,11 @@ static int do_anonymous_page(struct mm_s
53070 if (!pte_none(*page_table))
53073 +#ifdef CONFIG_PAX_SEGMEXEC
53074 + if (pax_find_mirror_vma(vma))
53075 + BUG_ON(!trylock_page(page));
53078 inc_mm_counter_fast(mm, MM_ANONPAGES);
53079 page_add_new_anon_rmap(page, vma, address);
53081 @@ -2964,6 +3155,12 @@ setpte:
53083 /* No need to invalidate - it was non-present before */
53084 update_mmu_cache(vma, address, page_table);
53086 +#ifdef CONFIG_PAX_SEGMEXEC
53088 + pax_mirror_anon_pte(vma, address, page, ptl);
53092 pte_unmap_unlock(page_table, ptl);
53094 @@ -3101,6 +3298,12 @@ static int __do_fault(struct mm_struct *
53096 /* Only go through if we didn't race with anybody else... */
53097 if (likely(pte_same(*page_table, orig_pte))) {
53099 +#ifdef CONFIG_PAX_SEGMEXEC
53100 + if (anon && pax_find_mirror_vma(vma))
53101 + BUG_ON(!trylock_page(page));
53104 flush_icache_page(vma, page);
53105 entry = mk_pte(page, vma->vm_page_prot);
53106 if (flags & FAULT_FLAG_WRITE)
53107 @@ -3120,6 +3323,14 @@ static int __do_fault(struct mm_struct *
53109 /* no need to invalidate: a not-present page won't be cached */
53110 update_mmu_cache(vma, address, page_table);
53112 +#ifdef CONFIG_PAX_SEGMEXEC
53114 + pax_mirror_anon_pte(vma, address, page, ptl);
53116 + pax_mirror_file_pte(vma, address, page, ptl);
53121 mem_cgroup_uncharge_page(page);
53122 @@ -3267,6 +3478,12 @@ int handle_pte_fault(struct mm_struct *m
53123 if (flags & FAULT_FLAG_WRITE)
53124 flush_tlb_fix_spurious_fault(vma, address);
53127 +#ifdef CONFIG_PAX_SEGMEXEC
53128 + pax_mirror_pte(vma, address, pte, pmd, ptl);
53133 pte_unmap_unlock(pte, ptl);
53135 @@ -3283,6 +3500,10 @@ int handle_mm_fault(struct mm_struct *mm
53139 +#ifdef CONFIG_PAX_SEGMEXEC
53140 + struct vm_area_struct *vma_m;
53143 __set_current_state(TASK_RUNNING);
53145 count_vm_event(PGFAULT);
53146 @@ -3293,6 +3514,34 @@ int handle_mm_fault(struct mm_struct *mm
53147 if (unlikely(is_vm_hugetlb_page(vma)))
53148 return hugetlb_fault(mm, vma, address, flags);
53150 +#ifdef CONFIG_PAX_SEGMEXEC
53151 + vma_m = pax_find_mirror_vma(vma);
53153 + unsigned long address_m;
53158 + if (vma->vm_start > vma_m->vm_start) {
53159 + address_m = address;
53160 + address -= SEGMEXEC_TASK_SIZE;
53163 + address_m = address + SEGMEXEC_TASK_SIZE;
53165 + pgd_m = pgd_offset(mm, address_m);
53166 + pud_m = pud_alloc(mm, pgd_m, address_m);
53168 + return VM_FAULT_OOM;
53169 + pmd_m = pmd_alloc(mm, pud_m, address_m);
53171 + return VM_FAULT_OOM;
53172 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
53173 + return VM_FAULT_OOM;
53174 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
53178 pgd = pgd_offset(mm, address);
53179 pud = pud_alloc(mm, pgd, address);
53181 @@ -3426,7 +3675,7 @@ static int __init gate_vma_init(void)
53182 gate_vma.vm_start = FIXADDR_USER_START;
53183 gate_vma.vm_end = FIXADDR_USER_END;
53184 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
53185 - gate_vma.vm_page_prot = __P101;
53186 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
53188 * Make sure the vDSO gets into every core dump.
53189 * Dumping its contents makes post-mortem fully interpretable later
53190 diff -urNp linux-2.6.38.1/mm/memory-failure.c linux-2.6.38.1/mm/memory-failure.c
53191 --- linux-2.6.38.1/mm/memory-failure.c 2011-03-14 21:20:32.000000000 -0400
53192 +++ linux-2.6.38.1/mm/memory-failure.c 2011-03-21 18:31:35.000000000 -0400
53193 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
53195 int sysctl_memory_failure_recovery __read_mostly = 1;
53197 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
53198 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
53200 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
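Review bot: `mce_bad_pages` is switched to `atomic_long_unchecked_t`, presumably opting it out of the checked-atomic overflow protection, with no comment explaining why this counter is safe to exempt. Since it is a statistic rather than a reference count (the remaining hunks in this file only add and subtract page counts for hwpoison accounting), a note on the declaration such as `/* statistics only, never used as a refcount: exempt from overflow checking */` would record the reasoning and stop a future reader from re-converting it.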
53202 @@ -1012,7 +1012,7 @@ int __memory_failure(unsigned long pfn,
53205 nr_pages = 1 << compound_trans_order(hpage);
53206 - atomic_long_add(nr_pages, &mce_bad_pages);
53207 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
53210 * We need/can do nothing about count=0 pages.
53211 @@ -1042,7 +1042,7 @@ int __memory_failure(unsigned long pfn,
53212 if (!PageHWPoison(hpage)
53213 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
53214 || (p != hpage && TestSetPageHWPoison(hpage))) {
53215 - atomic_long_sub(nr_pages, &mce_bad_pages);
53216 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53219 set_page_hwpoison_huge_page(hpage);
53220 @@ -1100,7 +1100,7 @@ int __memory_failure(unsigned long pfn,
53222 if (hwpoison_filter(p)) {
53223 if (TestClearPageHWPoison(p))
53224 - atomic_long_sub(nr_pages, &mce_bad_pages);
53225 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53226 unlock_page(hpage);
53229 @@ -1226,7 +1226,7 @@ int unpoison_memory(unsigned long pfn)
53232 if (TestClearPageHWPoison(p))
53233 - atomic_long_sub(nr_pages, &mce_bad_pages);
53234 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53235 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
53238 @@ -1240,7 +1240,7 @@ int unpoison_memory(unsigned long pfn)
53240 if (TestClearPageHWPoison(page)) {
53241 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
53242 - atomic_long_sub(nr_pages, &mce_bad_pages);
53243 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53245 if (PageHuge(page))
53246 clear_page_hwpoison_huge_page(page);
53247 @@ -1353,7 +1353,7 @@ static int soft_offline_huge_page(struct
53250 if (!PageHWPoison(hpage))
53251 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
53252 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
53253 set_page_hwpoison_huge_page(hpage);
53254 dequeue_hwpoisoned_huge_page(hpage);
53255 /* keep elevated page count for bad page */
53256 @@ -1482,7 +1482,7 @@ int soft_offline_page(struct page *page,
53260 - atomic_long_add(1, &mce_bad_pages);
53261 + atomic_long_add_unchecked(1, &mce_bad_pages);
53262 SetPageHWPoison(page);
53263 /* keep elevated page count for bad page */
53265 diff -urNp linux-2.6.38.1/mm/mempolicy.c linux-2.6.38.1/mm/mempolicy.c
53266 --- linux-2.6.38.1/mm/mempolicy.c 2011-03-14 21:20:32.000000000 -0400
53267 +++ linux-2.6.38.1/mm/mempolicy.c 2011-03-21 18:31:35.000000000 -0400
53268 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
53269 unsigned long vmstart;
53270 unsigned long vmend;
53272 +#ifdef CONFIG_PAX_SEGMEXEC
53273 + struct vm_area_struct *vma_m;
53276 vma = find_vma_prev(mm, start, &prev);
53277 if (!vma || vma->vm_start > start)
53279 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
53280 err = policy_vma(vma, new_pol);
53284 +#ifdef CONFIG_PAX_SEGMEXEC
53285 + vma_m = pax_find_mirror_vma(vma);
53287 + err = policy_vma(vma_m, new_pol);
53296 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
53301 +#ifdef CONFIG_PAX_SEGMEXEC
53302 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
53303 + if (end > SEGMEXEC_TASK_SIZE)
53308 + if (end > TASK_SIZE)
53314 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
53318 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53319 + if (mm != current->mm &&
53320 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
53327 * Check if this process has the right to modify the specified
53328 * process. The right exists if the process has administrative
53329 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
53331 tcred = __task_cred(task);
53332 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
53333 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
53334 - !capable(CAP_SYS_NICE)) {
53335 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
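Review bot: Dropping `cred->uid != tcred->uid` from the conjunction tightens the test so that a caller whose real uid equals the target's real uid, but whose effective uid matches neither the target's uid nor suid, is now refused unless it holds CAP_SYS_NICE; the comment above the hunk ("The right exists if the process has administrative ...") is left as is and nothing records why the real-uid match was removed. Add a sentence there stating the new rule and its rationale so the stricter check is not mistaken for an accident and reverted. The identical test is edited the same way in mm/migrate.c; a shared helper would keep the two from drifting apart.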
53339 @@ -2635,7 +2667,7 @@ int show_numa_map(struct seq_file *m, vo
53342 seq_printf(m, " file=");
53343 - seq_path(m, &file->f_path, "\n\t= ");
53344 + seq_path(m, &file->f_path, "\n\t\\= ");
53345 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
53346 seq_printf(m, " heap");
53347 } else if (vma->vm_start <= mm->start_stack &&
53348 diff -urNp linux-2.6.38.1/mm/migrate.c linux-2.6.38.1/mm/migrate.c
53349 --- linux-2.6.38.1/mm/migrate.c 2011-03-14 21:20:32.000000000 -0400
53350 +++ linux-2.6.38.1/mm/migrate.c 2011-03-21 18:31:35.000000000 -0400
53351 @@ -1299,6 +1299,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53355 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53356 + if (mm != current->mm &&
53357 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
53364 * Check if this process has the right to modify the specified
53365 * process. The right exists if the process has administrative
53366 @@ -1308,8 +1316,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53368 tcred = __task_cred(task);
53369 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
53370 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
53371 - !capable(CAP_SYS_NICE)) {
53372 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
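Review bot: This is the second hand-edited copy of the same uid/suid/CAP_SYS_NICE test (the first is in migrate_pages in mm/mempolicy.c), so the tightened rule now has two points of truth. A small helper, e.g. `static inline bool may_act_on_mm_of(const struct cred *cred, const struct cred *tcred)` in a shared header, would make the policy a single change and give it one place for the explanatory comment. The comment preceding the test, only partly visible here, should be rechecked against the new rule as well; the enclosing SYSCALL_DEFINE6 body continues outside the hunk.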
53376 diff -urNp linux-2.6.38.1/mm/mlock.c linux-2.6.38.1/mm/mlock.c
53377 --- linux-2.6.38.1/mm/mlock.c 2011-03-14 21:20:32.000000000 -0400
53378 +++ linux-2.6.38.1/mm/mlock.c 2011-03-21 18:31:35.000000000 -0400
53380 #include <linux/pagemap.h>
53381 #include <linux/mempolicy.h>
53382 #include <linux/syscalls.h>
53383 +#include <linux/security.h>
53384 #include <linux/sched.h>
53385 #include <linux/module.h>
53386 #include <linux/rmap.h>
53387 @@ -135,13 +136,6 @@ void munlock_vma_page(struct page *page)
53391 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
53393 - return (vma->vm_flags & VM_GROWSDOWN) &&
53394 - (vma->vm_start == addr) &&
53395 - !vma_stack_continue(vma->vm_prev, addr);
53399 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
53401 @@ -188,12 +182,6 @@ static long __mlock_vma_pages_range(stru
53402 if (vma->vm_flags & VM_LOCKED)
53403 gup_flags |= FOLL_MLOCK;
53405 - /* We don't try to access the guard page of a stack vma */
53406 - if (stack_guard_page(vma, start)) {
53407 - addr += PAGE_SIZE;
53411 return __get_user_pages(current, mm, addr, nr_pages, gup_flags,
53412 NULL, NULL, nonblocking);
53414 @@ -393,6 +381,9 @@ static int do_mlock(unsigned long start,
53418 + if (end > TASK_SIZE)
53421 vma = find_vma_prev(current->mm, start, &prev);
53422 if (!vma || vma->vm_start > start)
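Review bot: The new `if (end > TASK_SIZE)` range check in do_mlock ignores SEGMEXEC, whereas do_mbind in the same patch rejects `end > SEGMEXEC_TASK_SIZE` when `mm->pax_flags & MF_PAX_SEGMEXEC`; here a SEGMEXEC task asking to mlock a range above SEGMEXEC_TASK_SIZE passes this check and appears to be cut short only by the per-vma `vma->vm_start >= SEGMEXEC_TASK_SIZE` exit in the loop that follows (next hunk), i.e. a partial success instead of an error. Mirroring do_mbind, `if (end > ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE : TASK_SIZE)) return -EINVAL;` would make the two syscalls consistent. The statement following the new check is not shown in this excerpt.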
53424 @@ -403,6 +394,11 @@ static int do_mlock(unsigned long start,
53425 for (nstart = start ; ; ) {
53426 unsigned int newflags;
53428 +#ifdef CONFIG_PAX_SEGMEXEC
53429 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53433 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
53435 newflags = vma->vm_flags | VM_LOCKED;
53436 @@ -508,6 +504,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
53437 lock_limit >>= PAGE_SHIFT;
53439 /* check against resource limits */
53440 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
53441 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
53442 error = do_mlock(start, len, 1);
53443 up_write(¤t->mm->mmap_sem);
53444 @@ -531,17 +528,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
53445 static int do_mlockall(int flags)
53447 struct vm_area_struct * vma, * prev = NULL;
53448 - unsigned int def_flags = 0;
53450 if (flags & MCL_FUTURE)
53451 - def_flags = VM_LOCKED;
53452 - current->mm->def_flags = def_flags;
53453 + current->mm->def_flags |= VM_LOCKED;
53455 + current->mm->def_flags &= ~VM_LOCKED;
53456 if (flags == MCL_FUTURE)
53459 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
53460 - unsigned int newflags;
53461 + unsigned long newflags;
53463 +#ifdef CONFIG_PAX_SEGMEXEC
53464 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53468 + BUG_ON(vma->vm_end > TASK_SIZE);
53469 newflags = vma->vm_flags | VM_LOCKED;
53470 if (!(flags & MCL_CURRENT))
53471 newflags &= ~VM_LOCKED;
53472 @@ -573,6 +576,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
53473 lock_limit >>= PAGE_SHIFT;
53476 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
53477 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
53478 capable(CAP_IPC_LOCK))
53479 ret = do_mlockall(flags);
53480 diff -urNp linux-2.6.38.1/mm/mmap.c linux-2.6.38.1/mm/mmap.c
53481 --- linux-2.6.38.1/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
53482 +++ linux-2.6.38.1/mm/mmap.c 2011-03-21 23:47:41.000000000 -0400
53484 #define arch_rebalance_pgtables(addr, len) (addr)
53487 +static inline void verify_mm_writelocked(struct mm_struct *mm)
53489 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
53490 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
53491 + up_read(&mm->mmap_sem);
53497 static void unmap_region(struct mm_struct *mm,
53498 struct vm_area_struct *vma, struct vm_area_struct *prev,
53499 unsigned long start, unsigned long end);
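Review bot: `down_read_trylock()` succeeding proves only that nobody holds mmap_sem for write; its failure does not prove the caller is the writer, so a concurrent or even a queued writer in another thread of the same mm satisfies the check. That is the same heuristic the stock kernel used under CONFIG_DEBUG_VM, but this hunk enables it for every CONFIG_PAX kernel and mmap_region now calls it, so it costs a trylock on the hot mmap path and the (presumed) BUG() after it becomes a production panic. A comment stating the limitation would help: `/* heuristic: only catches the case where no one holds mmap_sem for write */`. The hunk header and the function's tail are missing from this excerpt.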
53500 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
53501 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
53504 -pgprot_t protection_map[16] = {
53505 +pgprot_t protection_map[16] __read_only = {
53506 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
53507 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
53510 pgprot_t vm_get_page_prot(unsigned long vm_flags)
53512 - return __pgprot(pgprot_val(protection_map[vm_flags &
53513 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
53514 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
53515 pgprot_val(arch_vm_get_page_prot(vm_flags)));
53517 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53518 + if (!(__supported_pte_mask & _PAGE_NX) &&
53519 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
53520 + (vm_flags & (VM_READ | VM_WRITE)))
53521 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
53526 EXPORT_SYMBOL(vm_get_page_prot);
53528 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
53529 int sysctl_overcommit_ratio = 50; /* default is 50% */
53530 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
53531 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
53532 struct percpu_counter vm_committed_as;
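Review bot: `sysctl_heap_stack_gap` is introduced as a plain writable unsigned long with a 64 KiB default and no visible lower bound, while the same patch removes the unconditional check_stack_guard_page() test from do_anonymous_page. If the sysctl table entry (not in this hunk) sets no minimum, writing 0 to the tunable disables the heap/stack gap entirely, which is weaker than the single guard page the stock kernel keeps. Either clamp it in the table (an `.extra1` minimum of PAGE_SIZE) or have the consumers use `max(sysctl_heap_stack_gap, PAGE_SIZE)`, and add `/* minimum distance kept between a stack vma and any other accessible mapping; replaces the fixed guard page */` at the definition.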
53535 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
53536 struct vm_area_struct *next = vma->vm_next;
53539 + BUG_ON(vma->vm_mirror);
53540 if (vma->vm_ops && vma->vm_ops->close)
53541 vma->vm_ops->close(vma);
53542 if (vma->vm_file) {
53543 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
53544 * not page aligned -Ram Gupta
53546 rlim = rlimit(RLIMIT_DATA);
53547 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
53548 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
53549 (mm->end_data - mm->start_data) > rlim)
53551 @@ -719,6 +741,12 @@ static int
53552 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
53553 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53556 +#ifdef CONFIG_PAX_SEGMEXEC
53557 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
53561 if (is_mergeable_vma(vma, file, vm_flags) &&
53562 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53563 if (vma->vm_pgoff == vm_pgoff)
53564 @@ -738,6 +766,12 @@ static int
53565 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
53566 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53569 +#ifdef CONFIG_PAX_SEGMEXEC
53570 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
53574 if (is_mergeable_vma(vma, file, vm_flags) &&
53575 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53577 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
53578 struct vm_area_struct *vma_merge(struct mm_struct *mm,
53579 struct vm_area_struct *prev, unsigned long addr,
53580 unsigned long end, unsigned long vm_flags,
53581 - struct anon_vma *anon_vma, struct file *file,
53582 + struct anon_vma *anon_vma, struct file *file,
53583 pgoff_t pgoff, struct mempolicy *policy)
53585 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
53586 struct vm_area_struct *area, *next;
53589 +#ifdef CONFIG_PAX_SEGMEXEC
53590 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
53591 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
53593 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
53597 * We later require that vma->vm_flags == vm_flags,
53598 * so this tests vma->vm_flags & VM_SPECIAL, too.
53599 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
53600 if (next && next->vm_end == end) /* cases 6, 7, 8 */
53601 next = next->vm_next;
53603 +#ifdef CONFIG_PAX_SEGMEXEC
53605 + prev_m = pax_find_mirror_vma(prev);
53607 + area_m = pax_find_mirror_vma(area);
53609 + next_m = pax_find_mirror_vma(next);
53613 * Can it merge with the predecessor?
53615 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
53617 err = vma_adjust(prev, prev->vm_start,
53618 next->vm_end, prev->vm_pgoff, NULL);
53619 - } else /* cases 2, 5, 7 */
53621 +#ifdef CONFIG_PAX_SEGMEXEC
53622 + if (!err && prev_m)
53623 + err = vma_adjust(prev_m, prev_m->vm_start,
53624 + next_m->vm_end, prev_m->vm_pgoff, NULL);
53627 + } else { /* cases 2, 5, 7 */
53628 err = vma_adjust(prev, prev->vm_start,
53629 end, prev->vm_pgoff, NULL);
53631 +#ifdef CONFIG_PAX_SEGMEXEC
53632 + if (!err && prev_m)
53633 + err = vma_adjust(prev_m, prev_m->vm_start,
53634 + end_m, prev_m->vm_pgoff, NULL);
53640 khugepaged_enter_vma_merge(prev);
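Review bot: In each branch the mirror is adjusted only after the primary vma_adjust() has succeeded, and a failure of the second call (`if (!err && prev_m) err = vma_adjust(prev_m, ...)`) is returned without undoing the first, leaving the primary merged and its mirror not. vma_adjust() can return -ENOMEM in this kernel (anon_vma_clone failure), and pax_find_mirror_vma() later BUG_ONs when a vma and its mirror differ in size, so the desynchronised pair would surface as a panic on the next fault or merge rather than as a clean ENOMEM. Either make the mirror step failure-free (acquire what it needs before touching the primary) or document why a failure here is considered impossible. The `vma_adjust(prev_m, ..., next_m->vm_end, ...)` call also assumes `next_m` is non-NULL whenever `prev_m` is, which holds only because is_mergeable_vma requires identical vm_flags; a `BUG_ON(!next_m)` or a comment would make that explicit.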
53641 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
53642 mpol_equal(policy, vma_policy(next)) &&
53643 can_vma_merge_before(next, vm_flags,
53644 anon_vma, file, pgoff+pglen)) {
53645 - if (prev && addr < prev->vm_end) /* case 4 */
53646 + if (prev && addr < prev->vm_end) { /* case 4 */
53647 err = vma_adjust(prev, prev->vm_start,
53648 addr, prev->vm_pgoff, NULL);
53649 - else /* cases 3, 8 */
53651 +#ifdef CONFIG_PAX_SEGMEXEC
53652 + if (!err && prev_m)
53653 + err = vma_adjust(prev_m, prev_m->vm_start,
53654 + addr_m, prev_m->vm_pgoff, NULL);
53657 + } else { /* cases 3, 8 */
53658 err = vma_adjust(area, addr, next->vm_end,
53659 next->vm_pgoff - pglen, NULL);
53661 +#ifdef CONFIG_PAX_SEGMEXEC
53662 + if (!err && area_m)
53663 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
53664 + next_m->vm_pgoff - pglen, NULL);
53670 khugepaged_enter_vma_merge(area);
53671 @@ -958,14 +1038,11 @@ none:
53672 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
53673 struct file *file, long pages)
53675 - const unsigned long stack_flags
53676 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
53679 mm->shared_vm += pages;
53680 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
53681 mm->exec_vm += pages;
53682 - } else if (flags & stack_flags)
53683 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
53684 mm->stack_vm += pages;
53685 if (flags & (VM_RESERVED|VM_IO))
53686 mm->reserved_vm += pages;
53687 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
53688 * (the exception is when the underlying filesystem is noexec
53689 * mounted, in which case we dont add PROT_EXEC.)
53691 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
53692 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
53693 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
53696 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
53697 /* Obtain the address to map to. we verify (or select) it and ensure
53698 * that it represents a valid section of the address space.
53700 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
53701 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
53702 if (addr & ~PAGE_MASK)
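Review bot: Folding `(prot & PROT_EXEC) ? MAP_EXECUTABLE : 0` into the flags handed to get_unmapped_area() repurposes a userspace-visible flag as an in-kernel signal, but userspace can also pass MAP_EXECUTABLE directly on a non-executable mapping, so the arch implementations see the bit set in both cases. Any placement logic keyed on it must therefore be treated as a layout hint and never as a security decision, for example it must not be relied on to keep writable data out of an executable-only region. A comment at this call, `/* MAP_EXECUTABLE is only a placement hint here: userspace can set it itself */`, would record that constraint for the arch code that consumes it (outside this file).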
53705 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
53706 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
53707 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
53709 +#ifdef CONFIG_PAX_MPROTECT
53710 + if (mm->pax_flags & MF_PAX_MPROTECT) {
53711 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
53712 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
53713 + gr_log_rwxmmap(file);
53715 +#ifdef CONFIG_PAX_EMUPLT
53716 + vm_flags &= ~VM_EXEC;
53723 + if (!(vm_flags & VM_EXEC))
53724 + vm_flags &= ~VM_MAYEXEC;
53726 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
53727 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
53730 + vm_flags &= ~VM_MAYWRITE;
53734 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53735 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
53736 + vm_flags &= ~VM_PAGEEXEC;
53739 if (flags & MAP_LOCKED)
53740 if (!can_do_mlock())
53742 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
53743 locked += mm->locked_vm;
53744 lock_limit = rlimit(RLIMIT_MEMLOCK);
53745 lock_limit >>= PAGE_SHIFT;
53746 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53747 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
53750 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
53754 + if (!gr_acl_handle_mmap(file, prot))
53757 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
53759 EXPORT_SYMBOL(do_mmap_pgoff);
53760 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
53762 int vma_wants_writenotify(struct vm_area_struct *vma)
53764 - unsigned int vm_flags = vma->vm_flags;
53765 + unsigned long vm_flags = vma->vm_flags;
53767 /* If it was private or non-writable, the write bit is already clear */
53768 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
53769 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
53772 /* The backer wishes to know when pages are first written to? */
53773 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
53774 unsigned long charged = 0;
53775 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
53777 +#ifdef CONFIG_PAX_SEGMEXEC
53778 + struct vm_area_struct *vma_m = NULL;
53782 + * mm->mmap_sem is required to protect against another thread
53783 + * changing the mappings in case we sleep.
53785 + verify_mm_writelocked(mm);
53787 /* Clear old maps */
53790 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53791 if (vma && vma->vm_start < addr + len) {
53792 if (do_munmap(mm, addr, len))
53794 - goto munmap_back;
53795 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53796 + BUG_ON(vma && vma->vm_start < addr + len);
53799 /* Check against address space limit. */
53800 @@ -1295,6 +1416,16 @@ munmap_back:
53804 +#ifdef CONFIG_PAX_SEGMEXEC
53805 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
53806 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53815 vma->vm_start = addr;
53816 vma->vm_end = addr + len;
53817 @@ -1318,6 +1449,19 @@ munmap_back:
53818 error = file->f_op->mmap(file, vma);
53820 goto unmap_and_free_vma;
53822 +#ifdef CONFIG_PAX_SEGMEXEC
53823 + if (vma_m && (vm_flags & VM_EXECUTABLE))
53824 + added_exe_file_vma(mm);
53827 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53828 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
53829 + vma->vm_flags |= VM_PAGEEXEC;
53830 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53834 if (vm_flags & VM_EXECUTABLE)
53835 added_exe_file_vma(mm);
53837 @@ -1353,6 +1497,11 @@ munmap_back:
53838 vma_link(mm, vma, prev, rb_link, rb_parent);
53839 file = vma->vm_file;
53841 +#ifdef CONFIG_PAX_SEGMEXEC
53843 + BUG_ON(pax_mirror_vma(vma_m, vma));
53846 /* Once vma denies write, undo our temporary denial count */
53847 if (correct_wcount)
53848 atomic_inc(&inode->i_writecount);
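Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns any non-zero return from the mirror setup into a kernel panic reachable from an ordinary mmap() of executable memory in a SEGMEXEC task. If pax_mirror_vma() can fail for a recoverable reason such as an allocation (its body is not shown, so this is inferred), the error should be unwound through the existing `unmap_and_free_vma` path and returned as -ENOMEM; if it genuinely cannot fail, say so next to the assertion, e.g. `/* cannot fail: everything vma_m needs was acquired above */`. Since the mirror is linked after `vma_link()` of the primary, an error path here would also have to unlink the primary.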
53849 @@ -1361,6 +1510,7 @@ out:
53851 mm->total_vm += len >> PAGE_SHIFT;
53852 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
53853 + track_exec_limit(mm, addr, addr + len, vm_flags);
53854 if (vm_flags & VM_LOCKED) {
53855 if (!mlock_vma_pages_range(vma, addr, addr + len))
53856 mm->locked_vm += (len >> PAGE_SHIFT);
53857 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
53858 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
53862 +#ifdef CONFIG_PAX_SEGMEXEC
53864 + kmem_cache_free(vm_area_cachep, vma_m);
53867 kmem_cache_free(vm_area_cachep, vma);
53870 @@ -1385,6 +1541,44 @@ unacct_error:
53874 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
53877 +#ifdef CONFIG_STACK_GROWSUP
53878 + if (addr > sysctl_heap_stack_gap)
53879 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
53881 + vma = find_vma(current->mm, 0);
53882 + if (vma && (vma->vm_flags & VM_GROWSUP))
53888 + if (addr + len > vma->vm_start)
53891 + if (vma->vm_flags & VM_GROWSDOWN)
53892 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
53893 +#ifdef CONFIG_STACK_GROWSUP
53894 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
53895 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
53901 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
53903 + if (vma->vm_start < len)
53905 + if (!(vma->vm_flags & VM_GROWSDOWN))
53906 + return vma->vm_start - len;
53907 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
53908 + return vma->vm_start - len - sysctl_heap_stack_gap;
53912 /* Get an address range which is currently unmapped.
53913 * For shmat() with addr=0.
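Review bot: The CONFIG_STACK_GROWSUP branch of check_heap_stack_gap inverts the gap test: `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts a placement that sits within the gap above a VM_GROWSUP stack and rejects one that is farther away, the opposite of the VM_GROWSDOWN branch just above it (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). It should read `return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;`. The effect is confined to upward-growing-stack architectures and is partly masked by the `find_vma(current->mm, addr - sysctl_heap_stack_gap)` pre-check at the top, which also silently replaces the caller's `vma` argument and deserves a comment. Several lines of the function (the `#endif`s and the NULL-vma return) are not in this excerpt, so the surrounding control flow is inferred.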
53915 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
53916 if (flags & MAP_FIXED)
53919 +#ifdef CONFIG_PAX_RANDMMAP
53920 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53924 addr = PAGE_ALIGN(addr);
53925 - vma = find_vma(mm, addr);
53926 - if (TASK_SIZE - len >= addr &&
53927 - (!vma || addr + len <= vma->vm_start))
53929 + if (TASK_SIZE - len >= addr) {
53930 + vma = find_vma(mm, addr);
53931 + if (check_heap_stack_gap(vma, addr, len))
53935 if (len > mm->cached_hole_size) {
53936 - start_addr = addr = mm->free_area_cache;
53937 + start_addr = addr = mm->free_area_cache;
53939 - start_addr = addr = TASK_UNMAPPED_BASE;
53940 - mm->cached_hole_size = 0;
53941 + start_addr = addr = mm->mmap_base;
53942 + mm->cached_hole_size = 0;
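Review bot: Under `MF_PAX_RANDMMAP` the caller's address hint is ignored entirely (the new `#ifdef CONFIG_PAX_RANDMMAP` test wraps the `if (addr)` path), but the hunk carries no comment, and the reason is not obvious to a reader who knows only the upstream contract that a free, non-fixed hint is honoured. Document the rationale at the site: `/* RANDMMAP: ignore the hint, otherwise a process could place mappings at predictable addresses and defeat mmap randomization */`. The search base also changes from TASK_UNMAPPED_BASE to `mm->mmap_base`, which the bottom-up fallback later in this file shows is where the randomized delta is applied, so the two changes belong together and the comment should say so.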
53946 @@ -1433,34 +1632,40 @@ full_search:
53947 * Start a new search - just in case we missed
53950 - if (start_addr != TASK_UNMAPPED_BASE) {
53951 - addr = TASK_UNMAPPED_BASE;
53952 - start_addr = addr;
53953 + if (start_addr != mm->mmap_base) {
53954 + start_addr = addr = mm->mmap_base;
53955 mm->cached_hole_size = 0;
53960 - if (!vma || addr + len <= vma->vm_start) {
53962 - * Remember the place where we stopped the search:
53964 - mm->free_area_cache = addr + len;
53967 + if (check_heap_stack_gap(vma, addr, len))
53969 if (addr + mm->cached_hole_size < vma->vm_start)
53970 mm->cached_hole_size = vma->vm_start - addr;
53971 addr = vma->vm_end;
53975 + * Remember the place where we stopped the search:
53977 + mm->free_area_cache = addr + len;
53982 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
53985 +#ifdef CONFIG_PAX_SEGMEXEC
53986 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53991 * Is this a new hole at the lowest possible address?
53993 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
53994 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
53995 mm->free_area_cache = addr;
53996 mm->cached_hole_size = ~0UL;
53998 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
54000 struct vm_area_struct *vma;
54001 struct mm_struct *mm = current->mm;
54002 - unsigned long addr = addr0;
54003 + unsigned long base = mm->mmap_base, addr = addr0;
54005 /* requested length too big for entire address space */
54006 if (len > TASK_SIZE)
54007 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
54008 if (flags & MAP_FIXED)
54011 +#ifdef CONFIG_PAX_RANDMMAP
54012 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
54015 /* requesting a specific address */
54017 addr = PAGE_ALIGN(addr);
54018 - vma = find_vma(mm, addr);
54019 - if (TASK_SIZE - len >= addr &&
54020 - (!vma || addr + len <= vma->vm_start))
54022 + if (TASK_SIZE - len >= addr) {
54023 + vma = find_vma(mm, addr);
54024 + if (check_heap_stack_gap(vma, addr, len))
54029 /* check if free_area_cache is useful for us */
54030 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
54031 /* make sure it can fit in the remaining address space */
54033 vma = find_vma(mm, addr-len);
54034 - if (!vma || addr <= vma->vm_start)
54035 + if (check_heap_stack_gap(vma, addr - len, len))
54036 /* remember the address as a hint for next time */
54037 return (mm->free_area_cache = addr-len);
54039 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
54040 * return with success:
54042 vma = find_vma(mm, addr);
54043 - if (!vma || addr+len <= vma->vm_start)
54044 + if (check_heap_stack_gap(vma, addr, len))
54045 /* remember the address as a hint for next time */
54046 return (mm->free_area_cache = addr);
54048 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
54049 mm->cached_hole_size = vma->vm_start - addr;
54051 /* try just below the current vma->vm_start */
54052 - addr = vma->vm_start-len;
54053 - } while (len < vma->vm_start);
54054 + addr = skip_heap_stack_gap(vma, len);
54055 + } while (!IS_ERR_VALUE(addr));
54059 @@ -1544,13 +1754,21 @@ bottomup:
54060 * can happen with large stack limits and large mmap()
54063 + mm->mmap_base = TASK_UNMAPPED_BASE;
54065 +#ifdef CONFIG_PAX_RANDMMAP
54066 + if (mm->pax_flags & MF_PAX_RANDMMAP)
54067 + mm->mmap_base += mm->delta_mmap;
54070 + mm->free_area_cache = mm->mmap_base;
54071 mm->cached_hole_size = ~0UL;
54072 - mm->free_area_cache = TASK_UNMAPPED_BASE;
54073 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
54075 * Restore the topdown base:
54077 - mm->free_area_cache = mm->mmap_base;
54078 + mm->mmap_base = base;
54079 + mm->free_area_cache = base;
54080 mm->cached_hole_size = ~0UL;
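Review bot: The bottom-up fallback now rewrites `mm->mmap_base` (TASK_UNMAPPED_BASE plus `delta_mmap` under RANDMMAP) for the duration of the arch_get_unmapped_area() call and restores it afterwards, where the stock code only touched the free_area_cache hint. mmap_base is read elsewhere (arch_unmap_area_topdown compares free_area_cache against it in this same file), so the temporary value is only invisible to other threads while the caller holds mmap_sem for write; that holds for do_mmap_pgoff and mremap but is an assumption worth stating: `/* temporarily switch to the bottom-up base; safe only because mmap_sem is held for write */`. Passing the base as a parameter would avoid mutating shared mm state at all, at the cost of changing arch_get_unmapped_area's signature.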
54083 @@ -1559,6 +1777,12 @@ bottomup:
54085 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
54088 +#ifdef CONFIG_PAX_SEGMEXEC
54089 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
54094 * Is this a new hole at the highest possible address?
54096 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
54097 mm->free_area_cache = addr;
54099 /* dont allow allocations above current base */
54100 - if (mm->free_area_cache > mm->mmap_base)
54101 + if (mm->free_area_cache > mm->mmap_base) {
54102 mm->free_area_cache = mm->mmap_base;
54103 + mm->cached_hole_size = ~0UL;
54108 @@ -1675,6 +1901,28 @@ out:
54109 return prev ? prev->vm_next : vma;
54112 +#ifdef CONFIG_PAX_SEGMEXEC
54113 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
54115 + struct vm_area_struct *vma_m;
54117 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
54118 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
54119 + BUG_ON(vma->vm_mirror);
54122 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
54123 + vma_m = vma->vm_mirror;
54124 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
54125 + BUG_ON(vma->vm_file != vma_m->vm_file);
54126 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
54127 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
54128 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
54129 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
54135 * Verify that the stack growth is acceptable and
54136 * update accounting. This is shared with both the
54137 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
54140 /* Stack limit test */
54141 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
54142 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
54145 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
54146 locked = mm->locked_vm + grow;
54147 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
54148 limit >>= PAGE_SHIFT;
54149 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
54150 if (locked > limit && !capable(CAP_IPC_LOCK))
54153 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
54154 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
54155 * vma is the last one with address > vma->vm_end. Have to extend vma.
54157 +#ifndef CONFIG_IA64
54160 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
54165 if (!(vma->vm_flags & VM_GROWSUP))
54168 + /* Also guard against wrapping around to address 0. */
54169 + if (address < PAGE_ALIGN(address+1))
54170 + address = PAGE_ALIGN(address+1);
54175 * We must make sure the anon_vma is allocated
54176 * so that the anon_vma locking is not a noop.
54178 if (unlikely(anon_vma_prepare(vma)))
54180 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
54181 + if (locknext && anon_vma_prepare(vma->vm_next))
54183 vma_lock_anon_vma(vma);
54185 + vma_lock_anon_vma(vma->vm_next);
54188 * vma->vm_start/vm_end cannot change under us because the caller
54189 * is required to hold the mmap_sem in read mode. We need the
54190 - * anon_vma lock to serialize against concurrent expand_stacks.
54191 - * Also guard against wrapping around to address 0.
54192 + * anon_vma locks to serialize against concurrent expand_stacks
54193 + * and expand_upwards.
54195 - if (address < PAGE_ALIGN(address+4))
54196 - address = PAGE_ALIGN(address+4);
54198 - vma_unlock_anon_vma(vma);
54203 /* Somebody else might have raced and expanded it already */
54204 - if (address > vma->vm_end) {
54205 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
54207 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
54208 unsigned long size, grow;
54210 size = address - vma->vm_start;
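Review bot: The heap-stack gap test on the new `if (vma->vm_next && ... && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)` line computes the difference in unsigned arithmetic, so if `address` ever exceeds `vm_next->vm_start` the subtraction wraps to a huge value and the gap check silently passes instead of failing closed; the same pattern appears in expand_downwards (the `@@ -1808,9 +2082,17 @@` hunk) as `address - prev->vm_end`. As far as I can tell the ordering is a caller invariant, but the `else if` branch only re-checks it when `locknext`/`lockprev` is set, so nothing in this function guarantees it on the other path. Folding the ordering into the test, `vma->vm_next->vm_start < address || vma->vm_next->vm_start - address < sysctl_heap_stack_gap`, makes the check hold regardless of the caller. expand_upwards begins before this hunk, and the error assignment between the gap test and the `else if` is not visible here.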
54211 @@ -1773,6 +2034,8 @@ int expand_upwards(struct vm_area_struct
54212 perf_event_mmap(vma);
54216 + vma_unlock_anon_vma(vma->vm_next);
54217 vma_unlock_anon_vma(vma);
54218 khugepaged_enter_vma_merge(vma);
54220 @@ -1786,6 +2049,8 @@ static int expand_downwards(struct vm_ar
54221 unsigned long address)
54224 + bool lockprev = false;
54225 + struct vm_area_struct *prev;
54228 * We must make sure the anon_vma is allocated
54229 @@ -1799,6 +2064,15 @@ static int expand_downwards(struct vm_ar
54233 + prev = vma->vm_prev;
54234 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
54235 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
54237 + if (lockprev && anon_vma_prepare(prev))
54240 + vma_lock_anon_vma(prev);
54242 vma_lock_anon_vma(vma);
54245 @@ -1808,9 +2082,17 @@ static int expand_downwards(struct vm_ar
54248 /* Somebody else might have raced and expanded it already */
54249 - if (address < vma->vm_start) {
54250 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
54252 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
54253 unsigned long size, grow;
54255 +#ifdef CONFIG_PAX_SEGMEXEC
54256 + struct vm_area_struct *vma_m;
54258 + vma_m = pax_find_mirror_vma(vma);
54261 size = vma->vm_end - address;
54262 grow = (vma->vm_start - address) >> PAGE_SHIFT;
54264 @@ -1818,10 +2100,21 @@ static int expand_downwards(struct vm_ar
54266 vma->vm_start = address;
54267 vma->vm_pgoff -= grow;
54268 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
54270 +#ifdef CONFIG_PAX_SEGMEXEC
54272 + vma_m->vm_start -= grow << PAGE_SHIFT;
54273 + vma_m->vm_pgoff -= grow;
54277 perf_event_mmap(vma);
54280 vma_unlock_anon_vma(vma);
54282 + vma_unlock_anon_vma(prev);
54283 khugepaged_enter_vma_merge(vma);
54286 @@ -1896,6 +2189,13 @@ static void remove_vma_list(struct mm_st
54288 long nrpages = vma_pages(vma);
54290 +#ifdef CONFIG_PAX_SEGMEXEC
54291 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
54292 + vma = remove_vma(vma);
54297 mm->total_vm -= nrpages;
54298 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
54299 vma = remove_vma(vma);
54300 @@ -1941,6 +2241,16 @@ detach_vmas_to_be_unmapped(struct mm_str
54301 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
54302 vma->vm_prev = NULL;
54305 +#ifdef CONFIG_PAX_SEGMEXEC
54306 + if (vma->vm_mirror) {
54307 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
54308 + vma->vm_mirror->vm_mirror = NULL;
54309 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
54310 + vma->vm_mirror = NULL;
54314 rb_erase(&vma->vm_rb, &mm->mm_rb);
54317 @@ -1969,14 +2279,33 @@ static int __split_vma(struct mm_struct
54318 struct vm_area_struct *new;
54321 +#ifdef CONFIG_PAX_SEGMEXEC
54322 + struct vm_area_struct *vma_m, *new_m = NULL;
54323 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
54326 if (is_vm_hugetlb_page(vma) && (addr &
54327 ~(huge_page_mask(hstate_vma(vma)))))
54330 +#ifdef CONFIG_PAX_SEGMEXEC
54331 + vma_m = pax_find_mirror_vma(vma);
54334 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
54338 +#ifdef CONFIG_PAX_SEGMEXEC
54340 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
54342 + kmem_cache_free(vm_area_cachep, new);
54348 /* most fields are the same, copy all, and then fixup */
54351 @@ -1989,6 +2318,22 @@ static int __split_vma(struct mm_struct
54352 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
54355 +#ifdef CONFIG_PAX_SEGMEXEC
54358 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
54359 + new_m->vm_mirror = new;
54360 + new->vm_mirror = new_m;
54363 + new_m->vm_end = addr_m;
54365 + new_m->vm_start = addr_m;
54366 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
54371 pol = mpol_dup(vma_policy(vma));
54373 err = PTR_ERR(pol);
54374 @@ -2014,6 +2359,42 @@ static int __split_vma(struct mm_struct
54376 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
54378 +#ifdef CONFIG_PAX_SEGMEXEC
54379 + if (!err && vma_m) {
54380 + if (anon_vma_clone(new_m, vma_m))
54381 + goto out_free_mpol;
54384 + vma_set_policy(new_m, pol);
54386 + if (new_m->vm_file) {
54387 + get_file(new_m->vm_file);
54388 + if (vma_m->vm_flags & VM_EXECUTABLE)
54389 + added_exe_file_vma(mm);
54392 + if (new_m->vm_ops && new_m->vm_ops->open)
54393 + new_m->vm_ops->open(new_m);
54396 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
54397 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
54399 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
54402 + if (new_m->vm_ops && new_m->vm_ops->close)
54403 + new_m->vm_ops->close(new_m);
54404 + if (new_m->vm_file) {
54405 + if (vma_m->vm_flags & VM_EXECUTABLE)
54406 + removed_exe_file_vma(mm);
54407 + fput(new_m->vm_file);
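Review bot: The mirror error paths in this hunk run after `vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new)` has already linked `new` into the mm, yet `goto out_free_mpol` on the `anon_vma_clone(new_m, vma_m)` failure and a non-zero `err` from either `vma_adjust(vma_m, ...)` call both fall through to the cleanup that, per the `@@ -2026,10 +2407,18 @@` hunk, unlinks and frees `new`. If I read the control flow correctly that leaves the mm's vma list and rb-tree pointing at a freed vma, whereas the original code only reached that cleanup while `new` was still unlinked. The mirror side needs its own unwind that undoes only `new_m` and returns the error with the committed primary split left in place, or the mirror's anon_vma_clone and policy setup should be moved ahead of the first vma_adjust so every allocation failure happens while both vmas are still unlinked. The lines between the two mirror `vma_adjust` calls and the `if (err)` that presumably wraps the close/fput sequence are not visible, so please confirm which paths actually reach out_free_mpol.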
54417 @@ -2026,10 +2407,18 @@ static int __split_vma(struct mm_struct
54418 removed_exe_file_vma(mm);
54419 fput(new->vm_file);
54421 - unlink_anon_vmas(new);
54426 +#ifdef CONFIG_PAX_SEGMEXEC
54428 + unlink_anon_vmas(new_m);
54429 + kmem_cache_free(vm_area_cachep, new_m);
54433 + unlink_anon_vmas(new);
54434 kmem_cache_free(vm_area_cachep, new);
54437 @@ -2042,6 +2431,15 @@ static int __split_vma(struct mm_struct
54438 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
54439 unsigned long addr, int new_below)
54442 +#ifdef CONFIG_PAX_SEGMEXEC
54443 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
54444 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
54445 + if (mm->map_count >= sysctl_max_map_count-1)
54450 if (mm->map_count >= sysctl_max_map_count)
54453 @@ -2053,11 +2451,30 @@ int split_vma(struct mm_struct *mm, stru
54454 * work. This now handles partial unmappings.
54455 * Jeremy Fitzhardinge <jeremy@goop.org>
54457 +#ifdef CONFIG_PAX_SEGMEXEC
54458 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54460 + int ret = __do_munmap(mm, start, len);
54461 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
54464 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
54467 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54469 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54473 struct vm_area_struct *vma, *prev, *last;
54476 + * mm->mmap_sem is required to protect against another thread
54477 + * changing the mappings in case we sleep.
54479 + verify_mm_writelocked(mm);
54481 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
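Review bot: The SEGMEXEC `do_munmap` wrapper unmaps the primary range and then `start + SEGMEXEC_TASK_SIZE`, so a failure of the second `__do_munmap` is reported to the caller after the first half is already gone; with the visible code that can only come from the `start > TASK_SIZE || len > TASK_SIZE-start` test, which for the mirror half requires the caller to keep `[start, start+len)` below SEGMEXEC_TASK_SIZE. sys_munmap (the `@@ -2143,22 +2562,18 @@` hunk) enforces that, but do_brk and the mremap paths call do_munmap directly and rely on their own address limits. A precondition comment on the wrapper, `/* callers must keep [start, start+len) below SEGMEXEC_TASK_SIZE; the mirror half is unmapped unconditionally afterwards */`, makes the dependency explicit. `verify_mm_writelocked` is now called from `__do_munmap` while its original definition is deleted further down (same sys_munmap hunk), so I assume it has been moved above; that move is not visible here.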
54484 @@ -2131,6 +2548,8 @@ int do_munmap(struct mm_struct *mm, unsi
54485 /* Fix up all other VM information */
54486 remove_vma_list(mm, vma);
54488 + track_exec_limit(mm, start, end, 0UL);
54493 @@ -2143,22 +2562,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
54495 profile_munmap(addr);
54497 +#ifdef CONFIG_PAX_SEGMEXEC
54498 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
54499 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
54503 down_write(&mm->mmap_sem);
54504 ret = do_munmap(mm, addr, len);
54505 up_write(&mm->mmap_sem);
54509 -static inline void verify_mm_writelocked(struct mm_struct *mm)
54511 -#ifdef CONFIG_DEBUG_VM
54512 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
54514 - up_read(&mm->mmap_sem);
54520 * this is really a simplified "do_mmap". it only handles
54521 * anonymous maps. eventually we may be able to do some
54522 @@ -2172,6 +2587,7 @@ unsigned long do_brk(unsigned long addr,
54523 struct rb_node ** rb_link, * rb_parent;
54524 pgoff_t pgoff = addr >> PAGE_SHIFT;
54526 + unsigned long charged;
54528 len = PAGE_ALIGN(len);
54530 @@ -2183,16 +2599,30 @@ unsigned long do_brk(unsigned long addr,
54532 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
54534 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
54535 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
54536 + flags &= ~VM_EXEC;
54538 +#ifdef CONFIG_PAX_MPROTECT
54539 + if (mm->pax_flags & MF_PAX_MPROTECT)
54540 + flags &= ~VM_MAYEXEC;
54546 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
54547 if (error & ~PAGE_MASK)
54550 + charged = len >> PAGE_SHIFT;
54553 * mlock MCL_FUTURE?
54555 if (mm->def_flags & VM_LOCKED) {
54556 unsigned long locked, lock_limit;
54557 - locked = len >> PAGE_SHIFT;
54558 + locked = charged;
54559 locked += mm->locked_vm;
54560 lock_limit = rlimit(RLIMIT_MEMLOCK);
54561 lock_limit >>= PAGE_SHIFT;
54562 @@ -2209,22 +2639,22 @@ unsigned long do_brk(unsigned long addr,
54564 * Clear old maps. this also does some error checking for us
54567 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54568 if (vma && vma->vm_start < addr + len) {
54569 if (do_munmap(mm, addr, len))
54571 - goto munmap_back;
54572 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54573 + BUG_ON(vma && vma->vm_start < addr + len);
54576 /* Check against address space limits *after* clearing old maps... */
54577 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
54578 + if (!may_expand_vm(mm, charged))
54581 if (mm->map_count > sysctl_max_map_count)
54584 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
54585 + if (security_vm_enough_memory(charged))
54588 /* Can we just expand an old private anonymous mapping? */
54589 @@ -2238,7 +2668,7 @@ unsigned long do_brk(unsigned long addr,
54591 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54593 - vm_unacct_memory(len >> PAGE_SHIFT);
54594 + vm_unacct_memory(charged);
54598 @@ -2252,11 +2682,12 @@ unsigned long do_brk(unsigned long addr,
54599 vma_link(mm, vma, prev, rb_link, rb_parent);
54601 perf_event_mmap(vma);
54602 - mm->total_vm += len >> PAGE_SHIFT;
54603 + mm->total_vm += charged;
54604 if (flags & VM_LOCKED) {
54605 if (!mlock_vma_pages_range(vma, addr, addr + len))
54606 - mm->locked_vm += (len >> PAGE_SHIFT);
54607 + mm->locked_vm += charged;
54609 + track_exec_limit(mm, addr, addr + len, flags);
54613 @@ -2303,8 +2734,10 @@ void exit_mmap(struct mm_struct *mm)
54614 * Walk the list again, actually closing and freeing it,
54615 * with preemption enabled, without holding any MM locks.
54619 + vma->vm_mirror = NULL;
54620 vma = remove_vma(vma);
54623 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
54625 @@ -2318,6 +2751,13 @@ int insert_vm_struct(struct mm_struct *
54626 struct vm_area_struct * __vma, * prev;
54627 struct rb_node ** rb_link, * rb_parent;
54629 +#ifdef CONFIG_PAX_SEGMEXEC
54630 + struct vm_area_struct *vma_m = NULL;
54633 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
54637 * The vm_pgoff of a purely anonymous vma should be irrelevant
54638 * until its first write fault, when page's anon_vma and index
54639 @@ -2340,7 +2780,22 @@ int insert_vm_struct(struct mm_struct *
54640 if ((vma->vm_flags & VM_ACCOUNT) &&
54641 security_vm_enough_memory_mm(mm, vma_pages(vma)))
54644 +#ifdef CONFIG_PAX_SEGMEXEC
54645 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
54646 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54652 vma_link(mm, vma, prev, rb_link, rb_parent);
54654 +#ifdef CONFIG_PAX_SEGMEXEC
54656 + BUG_ON(pax_mirror_vma(vma_m, vma));
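Review bot: The `vma_m = kmem_cache_zalloc(...)` call sits after `security_vm_enough_memory_mm(mm, vma_pages(vma))` has succeeded, so whatever the hidden lines do when it returns NULL must release that charge (`vm_unacct_memory(vma_pages(vma))`) before returning -ENOMEM, otherwise committed memory leaks on every failed insert; those lines are not visible, so please check. `BUG_ON(pax_mirror_vma(vma_m, vma))` also turns every non-zero return of pax_mirror_vma — which, judging by the `if (anon_vma_clone(vma_m, vma))` test in its body further down, can fail on allocation — into a kernel panic. If the argument is that a vma being inserted here has an empty anon_vma chain so the clone cannot allocate, that deserves a comment next to the BUG_ON, e.g. `/* vma is not yet faulted, so anon_vma_clone() has nothing to copy and pax_mirror_vma() cannot fail */`.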
54662 @@ -2358,6 +2813,8 @@ struct vm_area_struct *copy_vma(struct v
54663 struct rb_node **rb_link, *rb_parent;
54664 struct mempolicy *pol;
54666 + BUG_ON(vma->vm_mirror);
54669 * If anonymous vma has not yet been faulted, update new pgoff
54670 * to match new location, to increase its chance of merging.
54671 @@ -2407,6 +2864,39 @@ struct vm_area_struct *copy_vma(struct v
54672 kmem_cache_free(vm_area_cachep, new_vma);
54676 +#ifdef CONFIG_PAX_SEGMEXEC
54677 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
54679 + struct vm_area_struct *prev_m;
54680 + struct rb_node **rb_link_m, *rb_parent_m;
54681 + struct mempolicy *pol_m;
54683 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
54684 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
54685 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
54687 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
54688 + if (anon_vma_clone(vma_m, vma))
54690 + pol_m = vma_policy(vma_m);
54692 + vma_set_policy(vma_m, pol_m);
54693 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
54694 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
54695 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
54696 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
54697 + if (vma_m->vm_file)
54698 + get_file(vma_m->vm_file);
54699 + if (vma_m->vm_ops && vma_m->vm_ops->open)
54700 + vma_m->vm_ops->open(vma_m);
54701 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
54702 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
54703 + vma_m->vm_mirror = vma;
54704 + vma->vm_mirror = vma_m;
54710 * Return true if the calling process may expand its vm space by the passed
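Review bot: `find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m)` in pax_mirror_vma discards its return value, so if anything already occupies the mirror range the following `vma_link` inserts an overlapping vma into the rb-tree with no diagnostic. Since the function already asserts its other preconditions with BUG_ON, the same treatment fits here: `struct vm_area_struct *overlap = find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);` followed by `BUG_ON(overlap && overlap->vm_start < vma_m->vm_end);`. A short kernel-doc header would also help, stating that `vma_m` is expected to be a field-for-field copy of `vma` on entry (the `+= SEGMEXEC_TASK_SIZE` adjustments assume that), that it leaves linked with write/account/lock flags stripped and both `vm_mirror` pointers set, and that on the -ENOMEM path after the anon_vma_clone test `vma_m` is left unlinked for the caller to free. The `mpol_get` line between `pol_m = vma_policy(vma_m)` and `vma_set_policy` is not visible here.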
54711 @@ -2418,7 +2908,7 @@ int may_expand_vm(struct mm_struct *mm,
54714 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
54716 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
54717 if (cur + npages > lim)
54720 @@ -2489,6 +2979,22 @@ int install_special_mapping(struct mm_st
54721 vma->vm_start = addr;
54722 vma->vm_end = addr + len;
54724 +#ifdef CONFIG_PAX_MPROTECT
54725 + if (mm->pax_flags & MF_PAX_MPROTECT) {
54726 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
54727 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
54729 + if (!(vm_flags & VM_EXEC))
54730 + vm_flags &= ~VM_MAYEXEC;
54732 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
54733 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
54736 + vm_flags &= ~VM_MAYWRITE;
54740 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
54741 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
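Review bot: The W|X rejection inside `if (mm->pax_flags & MF_PAX_MPROTECT)` runs after `vma` has been allocated and is being filled in (`vma->vm_start = addr` precedes it), so if the hidden line after the `(VM_WRITE | VM_EXEC)` test is a bare `return -EPERM;` the vma is leaked; it should set the error and jump to the function's existing free-on-failure path instead. That path and the `kmem_cache_zalloc` are outside this hunk, so please verify. Separately, the `else` before `vm_flags &= ~VM_MAYWRITE` binds to a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT, with `#ifndef`/`#else` text in between; bracing both `if` bodies, or writing two complete `#ifdef` arms each with its own `else`, would make the intended pairing explicit.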
54743 diff -urNp linux-2.6.38.1/mm/mprotect.c linux-2.6.38.1/mm/mprotect.c
54744 --- linux-2.6.38.1/mm/mprotect.c 2011-03-14 21:20:32.000000000 -0400
54745 +++ linux-2.6.38.1/mm/mprotect.c 2011-03-21 18:31:35.000000000 -0400
54746 @@ -23,10 +23,16 @@
54747 #include <linux/mmu_notifier.h>
54748 #include <linux/migrate.h>
54749 #include <linux/perf_event.h>
54751 +#ifdef CONFIG_PAX_MPROTECT
54752 +#include <linux/elf.h>
54755 #include <asm/uaccess.h>
54756 #include <asm/pgtable.h>
54757 #include <asm/cacheflush.h>
54758 #include <asm/tlbflush.h>
54759 +#include <asm/mmu_context.h>
54761 #ifndef pgprot_modify
54762 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
54763 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
54764 flush_tlb_range(vma, start, end);
54767 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54768 +/* called while holding the mmap semaphor for writing except stack expansion */
54769 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
54771 + unsigned long oldlimit, newlimit = 0UL;
54773 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
54776 + spin_lock(&mm->page_table_lock);
54777 + oldlimit = mm->context.user_cs_limit;
54778 + if ((prot & VM_EXEC) && oldlimit < end)
54779 + /* USER_CS limit moved up */
54781 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
54782 + /* USER_CS limit moved down */
54783 + newlimit = start;
54786 + mm->context.user_cs_limit = newlimit;
54790 + cpus_clear(mm->context.cpu_user_cs_mask);
54791 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
54794 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
54796 + spin_unlock(&mm->page_table_lock);
54797 + if (newlimit == end) {
54798 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
54800 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
54801 + if (is_vm_hugetlb_page(vma))
54802 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
54804 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
54810 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
54811 unsigned long start, unsigned long end, unsigned long newflags)
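Review bot: The header comment on track_exec_limit misspells "semaphore" and leaves the reader to work out why the tail of the function is safe under only the read side of mmap_sem: after `spin_unlock(&mm->page_table_lock)` it walks from `find_vma(mm, oldlimit)` up to `end` and calls `change_protection`/`hugetlb_change_protection` on each vma, which is fine when the caller holds mmap_sem for writing but on the stack-expansion path the comment excepts runs alongside other readers. Suggested replacement for the one-line comment: `/* Called with mmap_sem held for writing, except from stack expansion where only the read side is held. Updates mm->context.user_cs_limit under page_table_lock, then, when the limit moved up, re-applies page protections to every vma between the old and the new limit. */`, plus one sentence giving the reason the read-side case cannot race with the vma walk. The SMP/`#ifdef` lines around the `cpu_user_cs_mask` update are hidden here, so I could not check the mask handling.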
54812 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
54814 int dirty_accountable = 0;
54816 +#ifdef CONFIG_PAX_SEGMEXEC
54817 + struct vm_area_struct *vma_m = NULL;
54818 + unsigned long start_m, end_m;
54820 + start_m = start + SEGMEXEC_TASK_SIZE;
54821 + end_m = end + SEGMEXEC_TASK_SIZE;
54824 if (newflags == oldflags) {
54829 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
54830 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
54832 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
54835 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
54840 * If we make a private mapping writable we increase our commit;
54841 * but (without finer accounting) cannot reduce our commit if we
54842 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
54846 +#ifdef CONFIG_PAX_SEGMEXEC
54847 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
54848 + if (start != vma->vm_start) {
54849 + error = split_vma(mm, vma, start, 1);
54852 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
54853 + *pprev = (*pprev)->vm_next;
54856 + if (end != vma->vm_end) {
54857 + error = split_vma(mm, vma, end, 0);
54862 + if (pax_find_mirror_vma(vma)) {
54863 + error = __do_munmap(mm, start_m, end_m - start_m);
54867 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54872 + vma->vm_flags = newflags;
54873 + error = pax_mirror_vma(vma_m, vma);
54875 + vma->vm_flags = oldflags;
54883 * First try to merge with previous and/or next vma.
54885 @@ -204,9 +306,21 @@ success:
54886 * vm_flags and vm_page_prot are protected by the mmap_sem
54887 * held in write mode.
54890 +#ifdef CONFIG_PAX_SEGMEXEC
54891 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
54892 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
54895 vma->vm_flags = newflags;
54897 +#ifdef CONFIG_PAX_MPROTECT
54898 + if (mm->binfmt && mm->binfmt->handle_mprotect)
54899 + mm->binfmt->handle_mprotect(vma, newflags);
54902 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
54903 - vm_get_page_prot(newflags));
54904 + vm_get_page_prot(vma->vm_flags));
54906 if (vma_wants_writenotify(vma)) {
54907 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
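Review bot: The two vm_page_prot computations in this hunk now disagree: the first was changed to derive from `vma->vm_flags` so that whatever `handle_mprotect` did to the flags is honoured, but the `vma_wants_writenotify` branch still does `vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED)` and silently reverts to the pre-hook flags. It should read `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. Also, `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ` dereferences the result unchecked; given the invariant that every VM_EXEC vma of a SEGMEXEC mm has a mirror, assigning it to a local and adding `BUG_ON(!vma_m)` makes the assumption explicit instead of relying on a NULL-pointer oops. The remainder of the success path is outside this hunk.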
54908 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54913 +#ifdef CONFIG_PAX_SEGMEXEC
54914 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
54915 + if (end > SEGMEXEC_TASK_SIZE)
54920 + if (end > TASK_SIZE)
54923 if (!arch_validate_prot(prot))
54926 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54928 * Does the application expect PROT_READ to imply PROT_EXEC:
54930 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
54931 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
54934 vm_flags = calc_vm_prot_bits(prot);
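Review bot: Widening the READ_IMPLIES_EXEC test from `PROT_READ` to `PROT_READ | PROT_WRITE` changes user-visible semantics — a write-only mprotect now also gains exec under that personality — and nothing in the hunk says why. A one-line comment on the condition stating the reason (whether it is meant to match what the mmap path grants, or something else) would keep the next reader from "fixing" it back, e.g. `/* PaX: PROT_WRITE also implies exec under READ_IMPLIES_EXEC because <reason> */`. The mmap side is not in this chunk, so I cannot fill in the reason myself.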
54935 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54936 if (start > vma->vm_start)
54939 +#ifdef CONFIG_PAX_MPROTECT
54940 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
54941 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
54944 for (nstart = start ; ; ) {
54945 unsigned long newflags;
54947 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54949 /* newflags >> 4 shift VM_MAY% in place of VM_% */
54950 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
54951 + if (prot & (PROT_WRITE | PROT_EXEC))
54952 + gr_log_rwxmprotect(vma->vm_file);
54958 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
54962 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54963 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
54967 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
54971 if (nstart < prev->vm_end)
54972 diff -urNp linux-2.6.38.1/mm/mremap.c linux-2.6.38.1/mm/mremap.c
54973 --- linux-2.6.38.1/mm/mremap.c 2011-03-14 21:20:32.000000000 -0400
54974 +++ linux-2.6.38.1/mm/mremap.c 2011-03-21 18:31:35.000000000 -0400
54975 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
54977 pte = ptep_clear_flush(vma, old_addr, old_pte);
54978 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
54980 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54981 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
54982 + pte = pte_exprotect(pte);
54985 set_pte_at(mm, new_addr, new_pte, pte);
54988 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
54989 if (is_vm_hugetlb_page(vma))
54992 +#ifdef CONFIG_PAX_SEGMEXEC
54993 + if (pax_find_mirror_vma(vma))
54997 /* We can't remap across vm area boundaries */
54998 if (old_len > vma->vm_end - addr)
55000 @@ -322,20 +333,25 @@ static unsigned long mremap_to(unsigned
55001 unsigned long ret = -EINVAL;
55002 unsigned long charged = 0;
55003 unsigned long map_flags;
55004 + unsigned long pax_task_size = TASK_SIZE;
55006 if (new_addr & ~PAGE_MASK)
55009 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
55010 +#ifdef CONFIG_PAX_SEGMEXEC
55011 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
55012 + pax_task_size = SEGMEXEC_TASK_SIZE;
55015 + pax_task_size -= PAGE_SIZE;
55017 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
55020 /* Check if the location we're moving into overlaps the
55021 * old location at all, and fail if it does.
55023 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
55026 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
55027 + if (addr + old_len > new_addr && new_addr + new_len > addr)
55030 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
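Review bot: The rewritten bound check in mremap_to keeps `new_len > TASK_SIZE` in its first clause but subtracts from `pax_task_size` in the second, so for a new_len between pax_task_size and TASK_SIZE the expression `pax_task_size - new_len` wraps and the second clause can no longer reject anything. do_mremap (the `@@ -425,6 +442,17 @@` hunk) already rejects `new_len > pax_task_size` before calling mremap_to, so this is not reachable from the syscall today, but the local check should be self-consistent: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The `#ifdef`/`#endif` lines around `pax_task_size -= PAGE_SIZE` are partly hidden, so I assume that subtraction is unconditional.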
55031 @@ -407,6 +423,7 @@ unsigned long do_mremap(unsigned long ad
55032 struct vm_area_struct *vma;
55033 unsigned long ret = -EINVAL;
55034 unsigned long charged = 0;
55035 + unsigned long pax_task_size = TASK_SIZE;
55037 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
55039 @@ -425,6 +442,17 @@ unsigned long do_mremap(unsigned long ad
55043 +#ifdef CONFIG_PAX_SEGMEXEC
55044 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
55045 + pax_task_size = SEGMEXEC_TASK_SIZE;
55048 + pax_task_size -= PAGE_SIZE;
55050 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
55051 + old_len > pax_task_size || addr > pax_task_size-old_len)
55054 if (flags & MREMAP_FIXED) {
55055 if (flags & MREMAP_MAYMOVE)
55056 ret = mremap_to(addr, old_len, new_addr, new_len);
55057 @@ -474,6 +502,7 @@ unsigned long do_mremap(unsigned long ad
55061 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
55065 @@ -500,7 +529,13 @@ unsigned long do_mremap(unsigned long ad
55066 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
55070 + map_flags = vma->vm_flags;
55071 ret = move_vma(vma, addr, old_len, new_len, new_addr);
55072 + if (!(ret & ~PAGE_MASK)) {
55073 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
55074 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
55078 if (ret & ~PAGE_MASK)
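Review bot: `map_flags = vma->vm_flags;` reuses a local that, by its name and its use with get_unmapped_area earlier in do_mremap, presumably holds MAP_* bits, and then passes it to `track_exec_limit(..., map_flags)` as VM_* bits; the two are different bit spaces and the shared name invites a mix-up. Snapshotting into a dedicated local, `unsigned long vm_flags = vma->vm_flags;` taken before move_vma (which may free `vma`) and passed to both track_exec_limit calls, keeps the meanings apart at no cost. The declaration and earlier use of map_flags are outside this hunk.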
55079 diff -urNp linux-2.6.38.1/mm/nommu.c linux-2.6.38.1/mm/nommu.c
55080 --- linux-2.6.38.1/mm/nommu.c 2011-03-14 21:20:32.000000000 -0400
55081 +++ linux-2.6.38.1/mm/nommu.c 2011-03-21 18:31:35.000000000 -0400
55082 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
55083 int sysctl_overcommit_ratio = 50; /* default is 50% */
55084 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
55085 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
55086 -int heap_stack_gap = 0;
55088 atomic_long_t mmap_pages_allocated;
55090 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
55091 EXPORT_SYMBOL(find_vma);
55095 - * - we don't extend stack VMAs under NOMMU conditions
55097 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
55099 - return find_vma(mm, addr);
55103 * expand a stack to a given address
55104 * - not supported under NOMMU conditions
55106 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
55108 /* most fields are the same, copy all, and then fixup */
55110 + INIT_LIST_HEAD(&new->anon_vma_chain);
55111 *region = *vma->vm_region;
55112 new->vm_region = region;
55114 diff -urNp linux-2.6.38.1/mm/page_alloc.c linux-2.6.38.1/mm/page_alloc.c
55115 --- linux-2.6.38.1/mm/page_alloc.c 2011-03-14 21:20:32.000000000 -0400
55116 +++ linux-2.6.38.1/mm/page_alloc.c 2011-03-21 18:31:35.000000000 -0400
55117 @@ -644,6 +644,10 @@ static bool free_pages_prepare(struct pa
55121 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
55122 + unsigned long index = 1UL << order;
55125 trace_mm_page_free_direct(page, order);
55126 kmemcheck_free_shadow(page, order);
55128 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
55129 debug_check_no_obj_freed(page_address(page),
55130 PAGE_SIZE << order);
55133 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
55134 + for (; index; --index)
55135 + sanitize_highpage(page + index - 1);
55138 arch_free_page(page, order);
55139 kernel_map_pages(page, 1 << order, 0);
55141 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
55142 arch_alloc_page(page, order);
55143 kernel_map_pages(page, 1 << order, 1);
55145 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
55146 if (gfp_flags & __GFP_ZERO)
55147 prep_zero_page(page, order, gfp_flags);
55150 if (order && (gfp_flags & __GFP_COMP))
55151 prep_compound_page(page, order);
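Review bot: Compiling out `prep_zero_page` for `__GFP_ZERO` under CONFIG_PAX_MEMORY_SANITIZE makes every zeroed allocation depend on two things the hunk does not state: that `sanitize_highpage`, called per page in free_pages_prepare (the `@@ -659,6 +663,12 @@` hunk), zero-fills rather than poisons, and that every page reaching prep_new_page has passed through free_pages_prepare since it last held data. If either assumption is ever relaxed, __GFP_ZERO callers silently receive non-zero memory, which is both a correctness and an information-exposure problem. A comment on the `#ifndef` is the minimum: `/* PAX_MEMORY_SANITIZE zeroes every page in free_pages_prepare(), so __GFP_ZERO is already satisfied; keep in sync with sanitize_highpage() */`.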
55152 diff -urNp linux-2.6.38.1/mm/percpu.c linux-2.6.38.1/mm/percpu.c
55153 --- linux-2.6.38.1/mm/percpu.c 2011-03-14 21:20:32.000000000 -0400
55154 +++ linux-2.6.38.1/mm/percpu.c 2011-03-21 18:31:35.000000000 -0400
55155 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
55156 static unsigned int pcpu_last_unit_cpu __read_mostly;
55158 /* the address of the first chunk which starts with the kernel static area */
55159 -void *pcpu_base_addr __read_mostly;
55160 +void *pcpu_base_addr __read_only;
55161 EXPORT_SYMBOL_GPL(pcpu_base_addr);
55163 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
55164 diff -urNp linux-2.6.38.1/mm/rmap.c linux-2.6.38.1/mm/rmap.c
55165 --- linux-2.6.38.1/mm/rmap.c 2011-03-14 21:20:32.000000000 -0400
55166 +++ linux-2.6.38.1/mm/rmap.c 2011-03-21 18:31:35.000000000 -0400
55167 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
55168 struct anon_vma *anon_vma = vma->anon_vma;
55169 struct anon_vma_chain *avc;
55171 +#ifdef CONFIG_PAX_SEGMEXEC
55172 + struct anon_vma_chain *avc_m = NULL;
55176 if (unlikely(!anon_vma)) {
55177 struct mm_struct *mm = vma->vm_mm;
55178 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
55182 +#ifdef CONFIG_PAX_SEGMEXEC
55183 + avc_m = anon_vma_chain_alloc();
55185 + goto out_enomem_free_avc;
55188 anon_vma = find_mergeable_anon_vma(vma);
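Review bot: `avc_m = anon_vma_chain_alloc()` now runs for every vma taking its first anonymous fault once CONFIG_PAX_SEGMEXEC is compiled in, whether or not the mm is SEGMEXEC or the vma has a mirror, and the unused chain is freed again at the end (the `@@ -157,12 +182,24 @@` hunk). As far as the visible hunks show, `vm_mirror` only changes under the write side of mmap_sem while this path holds at least the read side, so gating the allocation on `pax_find_mirror_vma(vma)` would avoid an allocate/free pair on the common path. If the unconditional allocation is deliberate (for instance to keep the locked section free of any mirror test), a comment saying so would stop the next reader from raising it again.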
55191 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
55192 /* page_table_lock to protect against threads */
55193 spin_lock(&mm->page_table_lock);
55194 if (likely(!vma->anon_vma)) {
55196 +#ifdef CONFIG_PAX_SEGMEXEC
55197 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
55200 + BUG_ON(vma_m->anon_vma);
55201 + vma_m->anon_vma = anon_vma;
55202 + avc_m->anon_vma = anon_vma;
55203 + avc_m->vma = vma;
55204 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
55205 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
55210 vma->anon_vma = anon_vma;
55211 avc->anon_vma = anon_vma;
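Review bot: `avc_m->vma = vma;` links the mirror's chain entry back to the original vma rather than to `vma_m`, so every walker of `anon_vma->head` sees `vma` twice and never reaches `vma_m` through this list, even though `avc_m` is queued on `vma_m->anon_vma_chain`. If that is intended — the mirror's PTEs being found some other way — it is surprising enough to need a comment on that line, e.g. `/* deliberately vma, not vma_m: <how mirror PTEs are reached> */` with the real reason filled in; if it is not intended, the line should be `avc_m->vma = vma_m;`. The rmap walkers are not in this chunk, so I cannot tell which.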
55213 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
55215 if (unlikely(allocated))
55216 anon_vma_free(allocated);
55218 +#ifdef CONFIG_PAX_SEGMEXEC
55219 + if (unlikely(avc_m))
55220 + anon_vma_chain_free(avc_m);
55224 anon_vma_chain_free(avc);
55228 out_enomem_free_avc:
55230 +#ifdef CONFIG_PAX_SEGMEXEC
55232 + anon_vma_chain_free(avc_m);
55235 anon_vma_chain_free(avc);
55238 @@ -189,7 +226,7 @@ static void anon_vma_chain_link(struct v
55239 * Attach the anon_vmas from src to dst.
55240 * Returns 0 on success, -ENOMEM on failure.
55242 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
55243 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
55245 struct anon_vma_chain *avc, *pavc;
55247 @@ -211,7 +248,7 @@ int anon_vma_clone(struct vm_area_struct
55248 * the corresponding VMA in the parent process is attached to.
55249 * Returns 0 on success, non-zero on failure.
55251 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
55252 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
55254 struct anon_vma_chain *avc;
55255 struct anon_vma *anon_vma;
55256 diff -urNp linux-2.6.38.1/mm/shmem.c linux-2.6.38.1/mm/shmem.c
55257 --- linux-2.6.38.1/mm/shmem.c 2011-03-14 21:20:32.000000000 -0400
55258 +++ linux-2.6.38.1/mm/shmem.c 2011-03-21 18:31:35.000000000 -0400
55260 #include <linux/percpu_counter.h>
55261 #include <linux/swap.h>
55263 -static struct vfsmount *shm_mnt;
55264 +struct vfsmount *shm_mnt;
55266 #ifdef CONFIG_SHMEM
55268 @@ -1070,6 +1070,8 @@ static int shmem_writepage(struct page *
55271 entry = shmem_swp_entry(info, index, NULL);
55276 * The more uptodate page coming down from a stacked
55277 diff -urNp linux-2.6.38.1/mm/slab.c linux-2.6.38.1/mm/slab.c
55278 --- linux-2.6.38.1/mm/slab.c 2011-03-14 21:20:32.000000000 -0400
55279 +++ linux-2.6.38.1/mm/slab.c 2011-03-21 18:31:35.000000000 -0400
55280 @@ -284,7 +284,7 @@ struct kmem_list3 {
55281 * Need this for bootstrapping a per node allocator.
55283 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
55284 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
55285 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
55286 #define CACHE_CACHE 0
55287 #define SIZE_AC MAX_NUMNODES
55288 #define SIZE_L3 (2 * MAX_NUMNODES)
55289 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
55290 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
55292 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
55293 - const struct slab *slab, void *obj)
55294 + const struct slab *slab, const void *obj)
55296 u32 offset = (obj - slab->s_mem);
55297 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
55298 @@ -560,14 +560,14 @@ struct cache_names {
55299 static struct cache_names __initdata cache_names[] = {
55300 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
55301 #include <linux/kmalloc_sizes.h>
55307 static struct arraycache_init initarray_cache __initdata =
55308 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
55309 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
55310 static struct arraycache_init initarray_generic =
55311 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
55312 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
55314 /* internal cache of cache description objs */
55315 static struct kmem_cache cache_cache = {
55316 @@ -4535,15 +4535,66 @@ static const struct file_operations proc
55318 static int __init slab_proc_init(void)
55320 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
55321 + mode_t gr_mode = S_IRUGO;
55323 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55324 + gr_mode = S_IRUSR;
55327 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
55328 #ifdef CONFIG_DEBUG_SLAB_LEAK
55329 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
55330 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
55334 module_init(slab_proc_init);
55337 +void check_object_size(const void *ptr, unsigned long n, bool to)
55340 +#ifdef CONFIG_PAX_USERCOPY
55341 + struct kmem_cache *cachep;
55342 + struct slab *slabp;
55343 + struct page *page;
55344 + unsigned int objnr;
55345 + unsigned long offset;
55350 + if (ZERO_OR_NULL_PTR(ptr))
55353 + if (!virt_addr_valid(ptr))
55356 + page = virt_to_head_page(ptr);
55358 + if (!PageSlab(page)) {
55359 + if (object_is_on_stack(ptr, n) == -1)
55364 + cachep = page_get_cache(page);
55365 + slabp = page_get_slab(page);
55366 + objnr = obj_to_index(cachep, slabp, ptr);
55367 + BUG_ON(objnr >= cachep->num);
55368 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
55369 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
55374 + pax_report_leak_to_user(ptr, n);
55376 + pax_report_overflow_from_user(ptr, n);
55380 +EXPORT_SYMBOL(check_object_size);
55383 * ksize - get the actual amount of memory allocated for a given object
55384 * @objp: Pointer to the object
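Review bot: The exported check_object_size() (L33693) carries no comment stating what it validates or what `to` selects, even though it becomes the gate for user copies out of and into slab memory. The visible logic accepts a copy only after `BUG_ON(objnr >= cachep->num)` and `offset <= obj_size(cachep) && n <= obj_size(cachep) - offset` (L33708–L33710); the branch choosing between pax_report_leak_to_user() and pax_report_overflow_from_user() is on omitted lines, presumably keyed on `to`, so confirm the wording before adopting it. A header comment such as `/* Validate a user copy of n bytes at ptr: accepted only if [ptr, ptr+n) lies within one slab object or a stack frame; otherwise reported as a leak (copy to user) or an overflow (copy from user) */` would record the contract. On L33709 a note `/* unsigned: a ptr below the object start wraps and is rejected by the bound */` also helps, since that wrap is what makes the single comparison on L33710 safe in the rejecting direction.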
55385 diff -urNp linux-2.6.38.1/mm/slob.c linux-2.6.38.1/mm/slob.c
55386 --- linux-2.6.38.1/mm/slob.c 2011-03-14 21:20:32.000000000 -0400
55387 +++ linux-2.6.38.1/mm/slob.c 2011-03-21 18:31:35.000000000 -0400
55389 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
55390 * alloc_pages() directly, allocating compound pages so the page order
55391 * does not have to be separately tracked, and also stores the exact
55392 - * allocation size in page->private so that it can be used to accurately
55393 + * allocation size in slob_page->size so that it can be used to accurately
55394 * provide ksize(). These objects are detected in kfree() because slob_page()
55395 * is false for them.
55400 #include <linux/kernel.h>
55401 +#include <linux/sched.h>
55402 #include <linux/slab.h>
55403 #include <linux/mm.h>
55404 #include <linux/swap.h> /* struct reclaim_state */
55405 @@ -102,7 +103,8 @@ struct slob_page {
55406 unsigned long flags; /* mandatory */
55407 atomic_t _count; /* mandatory */
55408 slobidx_t units; /* free units left in page */
55409 - unsigned long pad[2];
55410 + unsigned long pad[1];
55411 + unsigned long size; /* size when >=PAGE_SIZE */
55412 slob_t *free; /* first free slob_t in page */
55413 struct list_head list; /* linked list of free pages */
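Review bot: The comment on the new field, `/* size when >=PAGE_SIZE */` (L33737), leaves out the invariant that is_slob_page() in the next hunk (L33743) now depends on: a page used by the slob allocator proper must keep `size == 0`, because `PageSlab(...) && !sp->size` is the only thing that distinguishes it from a large allocation. Suggest `unsigned long size; /* >=PAGE_SIZE allocations only; must remain 0 on slob pages, is_slob_page() keys off it */`. Since the field takes the word previously covered by `pad[2]` and the struct's "mandatory" members mirror struct page, whatever struct page member that word aliases presumably has to be clean again before the page returns to the page allocator; the free paths that would do that (clear_slob_page()/free_slob_page(), called at L33809–L33810 and L33871–L33872) are defined outside this view, so that is worth confirming.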
55415 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
55417 static inline int is_slob_page(struct slob_page *sp)
55419 - return PageSlab((struct page *)sp);
55420 + return PageSlab((struct page *)sp) && !sp->size;
55423 static inline void set_slob_page(struct slob_page *sp)
55424 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
55426 static inline struct slob_page *slob_page(const void *addr)
55428 - return (struct slob_page *)virt_to_page(addr);
55429 + return (struct slob_page *)virt_to_head_page(addr);
55433 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
55435 * Return the size of a slob block.
55437 -static slobidx_t slob_units(slob_t *s)
55438 +static slobidx_t slob_units(const slob_t *s)
55442 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
55444 * Return the next free slob block pointer after this one.
55446 -static slob_t *slob_next(slob_t *s)
55447 +static slob_t *slob_next(const slob_t *s)
55449 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
55451 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
55453 * Returns true if s is the last free block in its page.
55455 -static int slob_last(slob_t *s)
55456 +static int slob_last(const slob_t *s)
55458 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
55460 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
55464 + set_slob_page(page);
55465 return page_address(page);
55468 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
55472 - set_slob_page(sp);
55474 spin_lock_irqsave(&slob_lock, flags);
55475 sp->units = SLOB_UNITS(PAGE_SIZE);
55478 INIT_LIST_HEAD(&sp->list);
55479 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
55480 set_slob_page_free(sp, slob_list);
55481 @@ -476,10 +479,9 @@ out:
55482 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
55485 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55486 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
55489 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55493 lockdep_trace_alloc(gfp);
55494 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
55499 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
55500 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
55501 + m[0].units = size;
55502 + m[1].units = align;
55503 ret = (void *)m + align;
55505 trace_kmalloc_node(_RET_IP_, ret,
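Review bot: `m[0].units = size` and `m[1].units = align` (L33782–L33783) store a size_t and an int into slobidx_t cells, a type declared outside the hunk and possibly narrower than the `unsigned int` header cell the old code kept in front of the block, and nothing on these lines says why the values fit. The two BUILD_BUG_ONs above only guarantee room for two slob_t headers, not that the values are in range; this branch presumably handles only sizes below PAGE_SIZE (the condition is outside the hunk), in which case `/* two-unit header: [0] = requested size, [1] = alignment; both below PAGE_SIZE, so they fit a slobidx_t */` makes the assumption checkable by the next reader. __kmalloc_node_align()'s body starts and ends outside this hunk.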
55506 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
55508 ret = slob_new_pages(gfp, order, node);
55510 - struct page *page;
55511 - page = virt_to_page(ret);
55512 - page->private = size;
55513 + struct slob_page *sp;
55514 + sp = slob_page(ret);
55518 trace_kmalloc_node(_RET_IP_, ret,
55519 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
55520 kmemleak_alloc(ret, size, 1, gfp);
55524 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55526 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55528 + return __kmalloc_node_align(size, gfp, node, align);
55530 EXPORT_SYMBOL(__kmalloc_node);
55532 void kfree(const void *block)
55533 @@ -531,13 +543,84 @@ void kfree(const void *block)
55534 sp = slob_page(block);
55535 if (is_slob_page(sp)) {
55536 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55537 - unsigned int *m = (unsigned int *)(block - align);
55538 - slob_free(m, *m + align);
55540 + slob_t *m = (slob_t *)(block - align);
55541 + slob_free(m, m[0].units + align);
55543 + clear_slob_page(sp);
55544 + free_slob_page(sp);
55546 put_page(&sp->page);
55549 EXPORT_SYMBOL(kfree);
55551 +void check_object_size(const void *ptr, unsigned long n, bool to)
55554 +#ifdef CONFIG_PAX_USERCOPY
55555 + struct slob_page *sp;
55556 + const slob_t *free;
55557 + const void *base;
55562 + if (ZERO_OR_NULL_PTR(ptr))
55565 + if (!virt_addr_valid(ptr))
55568 + sp = slob_page(ptr);
55569 + if (!PageSlab((struct page*)sp)) {
55570 + if (object_is_on_stack(ptr, n) == -1)
55576 + base = page_address(&sp->page);
55577 + if (base <= ptr && n <= sp->size - (ptr - base))
55582 + /* some tricky double walking to find the chunk */
55583 + base = (void *)((unsigned long)ptr & PAGE_MASK);
55586 + while (!slob_last(free) && (void *)free <= ptr) {
55587 + base = free + slob_units(free);
55588 + free = slob_next(free);
55591 + while (base < (void *)free) {
55592 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
55593 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
55596 + if (ptr < base + align)
55599 + offset = ptr - base - align;
55600 + if (offset < m) {
55601 + if (n <= m - offset)
55610 + pax_report_leak_to_user(ptr, n);
55612 + pax_report_overflow_from_user(ptr, n);
55616 +EXPORT_SYMBOL(check_object_size);
55618 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
55619 size_t ksize(const void *block)
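Review bot: The large-allocation test at L33824, `if (base <= ptr && n <= sp->size - (ptr - base))`, has no upper bound on `ptr - base`: when ptr lies past `sp->size` but still inside the compound page (sp comes from virt_to_head_page() via slob_page(), L33748), the unsigned subtraction wraps and the copy is accepted for any n, so the check fails open in exactly the region it should reject. The slab and slub variants (L33710 and L33936) both test `offset <= size` first; the same form here is `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. Separately, the free-list walk at L33827–L33829 reads `sp->free` through slob_next()/slob_units() with no slob_lock acquisition visible, while slob_alloc() takes that lock to modify the same list (L33768); if the acquisition is on one of the omitted lines this is fine, otherwise a concurrent slob_alloc()/slob_free() can change the chain under the walk and the verdict becomes unreliable. kfree()'s body begins before the hunk and ksize()'s continues after it.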
55621 @@ -550,10 +633,10 @@ size_t ksize(const void *block)
55622 sp = slob_page(block);
55623 if (is_slob_page(sp)) {
55624 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55625 - unsigned int *m = (unsigned int *)(block - align);
55626 - return SLOB_UNITS(*m) * SLOB_UNIT;
55627 + slob_t *m = (slob_t *)(block - align);
55628 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
55630 - return sp->page.private;
55633 EXPORT_SYMBOL(ksize);
55635 @@ -608,17 +691,25 @@ void *kmem_cache_alloc_node(struct kmem_
55639 +#ifdef CONFIG_PAX_USERCOPY
55640 + b = __kmalloc_node_align(c->size, flags, node, c->align);
55642 if (c->size < PAGE_SIZE) {
55643 b = slob_alloc(c->size, flags, c->align, node);
55644 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55645 SLOB_UNITS(c->size) * SLOB_UNIT,
55648 + struct slob_page *sp;
55650 b = slob_new_pages(flags, get_order(c->size), node);
55651 + sp = slob_page(b);
55652 + sp->size = c->size;
55653 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55654 PAGE_SIZE << get_order(c->size),
55661 @@ -630,10 +721,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
55663 static void __kmem_cache_free(void *b, int size)
55665 - if (size < PAGE_SIZE)
55666 + struct slob_page *sp = slob_page(b);
55668 + if (is_slob_page(sp))
55669 slob_free(b, size);
55672 + clear_slob_page(sp);
55673 + free_slob_page(sp);
55675 slob_free_pages(b, get_order(size));
55679 static void kmem_rcu_free(struct rcu_head *head)
55680 @@ -646,14 +743,23 @@ static void kmem_rcu_free(struct rcu_hea
55682 void kmem_cache_free(struct kmem_cache *c, void *b)
55684 + int size = c->size;
55686 +#ifdef CONFIG_PAX_USERCOPY
55687 + if (size + c->align < PAGE_SIZE) {
55688 + size += c->align;
55693 kmemleak_free_recursive(b, c->flags);
55694 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
55695 struct slob_rcu *slob_rcu;
55696 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
55697 - slob_rcu->size = c->size;
55698 + slob_rcu = b + (size - sizeof(struct slob_rcu));
55699 + slob_rcu->size = size;
55700 call_rcu(&slob_rcu->head, kmem_rcu_free);
55702 - __kmem_cache_free(b, c->size);
55703 + __kmem_cache_free(b, size);
55706 trace_kmem_cache_free(_RET_IP_, b);
55707 diff -urNp linux-2.6.38.1/mm/slub.c linux-2.6.38.1/mm/slub.c
55708 --- linux-2.6.38.1/mm/slub.c 2011-03-14 21:20:32.000000000 -0400
55709 +++ linux-2.6.38.1/mm/slub.c 2011-03-21 18:31:35.000000000 -0400
55710 @@ -390,7 +390,7 @@ static void print_track(const char *s, s
55714 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
55715 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
55716 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
55719 @@ -1927,6 +1927,8 @@ void kmem_cache_free(struct kmem_cache *
55721 page = virt_to_head_page(x);
55723 + BUG_ON(!PageSlab(page));
55725 slab_free(s, page, x, _RET_IP_);
55727 trace_kmem_cache_free(_RET_IP_, x);
55728 @@ -1960,7 +1962,7 @@ static int slub_min_objects;
55729 * Merge control. If this is set then no merging of slab caches will occur.
55730 * (Could be removed. This was introduced to pacify the merge skeptics.)
55732 -static int slub_nomerge;
55733 +static int slub_nomerge = 1;
55736 * Calculate the order of allocation given an slab object size.
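Review bot: `static int slub_nomerge = 1;` (L33908) flips the default, but the comment directly above (L33905–L33906) still reads as if merging happens unless the flag is set, and nothing in the hunk offers a way to turn merging back on. Suggest extending that comment with ` * Merging is disabled by default in this tree: caches of compatible size and flags no longer share slabs.` If the existing `slub_nomerge` boot parameter only ever sets the flag to 1 (its handler is outside this hunk), the comment should say that the parameter is now a no-op.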
55737 @@ -2370,7 +2372,7 @@ static int kmem_cache_open(struct kmem_c
55738 * list to avoid pounding the page allocator excessively.
55740 set_min_partial(s, ilog2(s->size));
55742 + atomic_set(&s->refcount, 1);
55744 s->remote_node_defrag_ratio = 1000;
55746 @@ -2482,8 +2484,7 @@ static inline int kmem_cache_close(struc
55747 void kmem_cache_destroy(struct kmem_cache *s)
55749 down_write(&slub_lock);
55751 - if (!s->refcount) {
55752 + if (atomic_dec_and_test(&s->refcount)) {
55753 list_del(&s->list);
55754 if (kmem_cache_close(s)) {
55755 printk(KERN_ERR "SLUB %s: %s called for cache that "
55756 @@ -2693,6 +2694,46 @@ void *__kmalloc_node(size_t size, gfp_t
55757 EXPORT_SYMBOL(__kmalloc_node);
55760 +void check_object_size(const void *ptr, unsigned long n, bool to)
55763 +#ifdef CONFIG_PAX_USERCOPY
55764 + struct page *page;
55765 + struct kmem_cache *s;
55766 + unsigned long offset;
55771 + if (ZERO_OR_NULL_PTR(ptr))
55774 + if (!virt_addr_valid(ptr))
55777 + page = virt_to_head_page(ptr);
55779 + if (!PageSlab(page)) {
55780 + if (object_is_on_stack(ptr, n) == -1)
55786 + offset = (ptr - page_address(page)) % s->size;
55787 + if (offset <= s->objsize && n <= s->objsize - offset)
55792 + pax_report_leak_to_user(ptr, n);
55794 + pax_report_overflow_from_user(ptr, n);
55798 +EXPORT_SYMBOL(check_object_size);
55800 size_t ksize(const void *object)
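Review bot: The object lookup at L33935, `offset = (ptr - page_address(page)) % s->size`, never checks that the index `(ptr - page_address(page)) / s->size` is below the page's object count, unlike the slab.c version which has `BUG_ON(objnr >= cachep->num)` (L33708). A pointer into the unused tail of a slab page — the remainder after the last whole object — therefore passes the `offset <= s->objsize` test at L33936 although no object lives there, and `ptr + n` can then extend past the end of the page. SLUB records the per-page count in page->objects, so rejecting the copy when that index is not below it would close the gap; the assignment of `s` and the report branch are on omitted lines, so the exact placement cannot be shown here.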
55803 @@ -2958,7 +2999,7 @@ static void __init kmem_cache_bootstrap_
55806 list_add(&s->list, &slab_caches);
55807 - s->refcount = -1;
55808 + atomic_set(&s->refcount, -1);
55810 for_each_node_state(node, N_NORMAL_MEMORY) {
55811 struct kmem_cache_node *n = get_node(s, node);
55812 @@ -3153,7 +3194,7 @@ static int slab_unmergeable(struct kmem_
55814 * We may have set a slab to be unmergeable during bootstrap.
55816 - if (s->refcount < 0)
55817 + if (atomic_read(&s->refcount) < 0)
55821 @@ -3212,7 +3253,7 @@ struct kmem_cache *kmem_cache_create(con
55822 down_write(&slub_lock);
55823 s = find_mergeable(size, align, flags, name, ctor);
55826 + atomic_inc(&s->refcount);
55828 * Adjust the object sizes so that we clear
55829 * the complete object on kzalloc.
55830 @@ -3221,7 +3262,7 @@ struct kmem_cache *kmem_cache_create(con
55831 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
55833 if (sysfs_slab_alias(s, name)) {
55835 + atomic_dec(&s->refcount);
55838 up_write(&slub_lock);
55839 @@ -3954,7 +3995,7 @@ SLAB_ATTR_RO(ctor);
55841 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
55843 - return sprintf(buf, "%d\n", s->refcount - 1);
55844 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
55846 SLAB_ATTR_RO(aliases);
55848 @@ -4691,7 +4732,13 @@ static const struct file_operations proc
55850 static int __init slab_proc_init(void)
55852 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
55853 + mode_t gr_mode = S_IRUGO;
55855 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55856 + gr_mode = S_IRUSR;
55859 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
55862 module_init(slab_proc_init);
55863 diff -urNp linux-2.6.38.1/mm/util.c linux-2.6.38.1/mm/util.c
55864 --- linux-2.6.38.1/mm/util.c 2011-03-14 21:20:32.000000000 -0400
55865 +++ linux-2.6.38.1/mm/util.c 2011-03-21 18:31:35.000000000 -0400
55866 @@ -219,6 +219,12 @@ EXPORT_SYMBOL(strndup_user);
55867 void arch_pick_mmap_layout(struct mm_struct *mm)
55869 mm->mmap_base = TASK_UNMAPPED_BASE;
55871 +#ifdef CONFIG_PAX_RANDMMAP
55872 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55873 + mm->mmap_base += mm->delta_mmap;
55876 mm->get_unmapped_area = arch_get_unmapped_area;
55877 mm->unmap_area = arch_unmap_area;
55879 diff -urNp linux-2.6.38.1/mm/vmalloc.c linux-2.6.38.1/mm/vmalloc.c
55880 --- linux-2.6.38.1/mm/vmalloc.c 2011-03-14 21:20:32.000000000 -0400
55881 +++ linux-2.6.38.1/mm/vmalloc.c 2011-03-21 18:31:35.000000000 -0400
55882 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
55884 pte = pte_offset_kernel(pmd, addr);
55886 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55887 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55889 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55890 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
55891 + BUG_ON(!pte_exec(*pte));
55892 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
55898 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55899 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55901 } while (pte++, addr += PAGE_SIZE, addr != end);
55904 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
55905 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
55908 + int ret = -ENOMEM;
55911 * nr is a running index into the array which helps higher level
55912 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
55913 pte = pte_alloc_kernel(pmd, addr);
55917 + pax_open_kernel();
55919 struct page *page = pages[*nr];
55921 - if (WARN_ON(!pte_none(*pte)))
55923 - if (WARN_ON(!page))
55925 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55926 + if (pgprot_val(prot) & _PAGE_NX)
55929 + if (WARN_ON(!pte_none(*pte))) {
55933 + if (WARN_ON(!page)) {
55937 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
55939 } while (pte++, addr += PAGE_SIZE, addr != end);
55943 + pax_close_kernel();
55947 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
55948 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
55949 * and fall back on vmalloc() if that fails. Others
55950 * just put it in the vmalloc space.
55952 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
55953 +#ifdef CONFIG_MODULES
55954 +#ifdef MODULES_VADDR
55955 unsigned long addr = (unsigned long)x;
55956 if (addr >= MODULES_VADDR && addr < MODULES_END)
55960 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55961 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
55967 return is_vmalloc_addr(x);
55970 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
55972 if (!pgd_none(*pgd)) {
55973 pud_t *pud = pud_offset(pgd, addr);
55975 + if (!pud_large(*pud))
55977 if (!pud_none(*pud)) {
55978 pmd_t *pmd = pmd_offset(pud, addr);
55980 + if (!pmd_large(*pmd))
55982 if (!pmd_none(*pmd)) {
55985 @@ -1244,6 +1284,16 @@ static struct vm_struct *__get_vm_area_n
55986 struct vm_struct *area;
55988 BUG_ON(in_interrupt());
55990 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55991 + if (flags & VM_KERNEXEC) {
55992 + if (start != VMALLOC_START || end != VMALLOC_END)
55994 + start = (unsigned long)MODULES_EXEC_VADDR;
55995 + end = (unsigned long)MODULES_EXEC_END;
55999 if (flags & VM_IOREMAP) {
56000 int bit = fls(size);
56002 @@ -1462,6 +1512,11 @@ void *vmap(struct page **pages, unsigned
56003 if (count > totalram_pages)
56006 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
56007 + if (!(pgprot_val(prot) & _PAGE_NX))
56008 + flags |= VM_KERNEXEC;
56011 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
56012 __builtin_return_address(0));
56014 @@ -1558,6 +1613,13 @@ void *__vmalloc_node_range(unsigned long
56015 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
56018 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
56019 + if (!(pgprot_val(prot) & _PAGE_NX))
56020 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
56021 + node, gfp_mask, caller);
56025 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
56028 @@ -1597,6 +1659,7 @@ static void *__vmalloc_node(unsigned lon
56029 gfp_mask, prot, node, caller);
56033 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
56035 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
56036 @@ -1620,6 +1683,7 @@ static inline void *__vmalloc_node_flags
56037 * For tight control over page level allocator and protection flags
56038 * use __vmalloc() instead.
56041 void *vmalloc(unsigned long size)
56043 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
56044 @@ -1636,6 +1700,7 @@ EXPORT_SYMBOL(vmalloc);
56045 * For tight control over page level allocator and protection flags
56046 * use __vmalloc() instead.
56049 void *vzalloc(unsigned long size)
56051 return __vmalloc_node_flags(size, -1,
56052 @@ -1650,6 +1715,7 @@ EXPORT_SYMBOL(vzalloc);
56053 * The resulting memory area is zeroed so it can be mapped to userspace
56054 * without leaking data.
56056 +#undef vmalloc_user
56057 void *vmalloc_user(unsigned long size)
56059 struct vm_struct *area;
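Review bot: `#undef vmalloc_user` (L34078) is inserted with no explanation of which macro it cancels or why; the same bare `#undef` precedes vmalloc_node (L34084), vzalloc_node (L34090), vmalloc_exec (L34096) and vmalloc_32_user (L34109). The header defining those macros is outside this file, so the intent is presumably to stop a caller-facing wrapper macro from rewriting the function's own definition; a one-line comment at each site, e.g. `/* the header wraps this name in a macro for callers; drop it so the real definition compiles */`, would mark it as deliberate rather than stale.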
56060 @@ -1677,6 +1743,7 @@ EXPORT_SYMBOL(vmalloc_user);
56061 * For tight control over page level allocator and protection flags
56062 * use __vmalloc() instead.
56064 +#undef vmalloc_node
56065 void *vmalloc_node(unsigned long size, int node)
56067 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
56068 @@ -1696,6 +1763,7 @@ EXPORT_SYMBOL(vmalloc_node);
56069 * For tight control over page level allocator and protection flags
56070 * use __vmalloc_node() instead.
56072 +#undef vzalloc_node
56073 void *vzalloc_node(unsigned long size, int node)
56075 return __vmalloc_node_flags(size, node,
56076 @@ -1718,10 +1786,10 @@ EXPORT_SYMBOL(vzalloc_node);
56077 * For tight control over page level allocator and protection flags
56078 * use __vmalloc() instead.
56081 +#undef vmalloc_exec
56082 void *vmalloc_exec(unsigned long size)
56084 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
56085 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
56086 -1, __builtin_return_address(0));
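Review bot: `__GFP_ZERO` is added to vmalloc_exec() (L34099) but the kernel-doc above it (L34094–L34095 are its last lines) still says nothing about the contents of the returned area, so callers that come to rely on it being zeroed have nothing to cite. Add a line to that comment such as ` * The area is zero-filled, so stale page contents never become executable.` — executable mappings are the one place where leftover data is worth spelling out. vmalloc_exec() itself lies fully inside the hunk; its doc block starts above it.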
56089 @@ -1740,6 +1808,7 @@ void *vmalloc_exec(unsigned long size)
56090 * Allocate enough 32bit PA addressable pages to cover @size from the
56091 * page level allocator and map them into contiguous kernel virtual space.
56094 void *vmalloc_32(unsigned long size)
56096 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
56097 @@ -1754,6 +1823,7 @@ EXPORT_SYMBOL(vmalloc_32);
56098 * The resulting memory area is 32bit addressable and zeroed so it can be
56099 * mapped to userspace without leaking data.
56101 +#undef vmalloc_32_user
56102 void *vmalloc_32_user(unsigned long size)
56104 struct vm_struct *area;
56105 @@ -2018,6 +2088,8 @@ int remap_vmalloc_range(struct vm_area_s
56106 unsigned long uaddr = vma->vm_start;
56107 unsigned long usize = vma->vm_end - vma->vm_start;
56109 + BUG_ON(vma->vm_mirror);
56111 if ((PAGE_SIZE-1) & (unsigned long)addr)
56114 diff -urNp linux-2.6.38.1/mm/vmstat.c linux-2.6.38.1/mm/vmstat.c
56115 --- linux-2.6.38.1/mm/vmstat.c 2011-03-14 21:20:32.000000000 -0400
56116 +++ linux-2.6.38.1/mm/vmstat.c 2011-03-21 18:31:35.000000000 -0400
56117 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
56119 * vm_stat contains the global counters
56121 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
56122 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
56123 EXPORT_SYMBOL(vm_stat);
56126 @@ -451,7 +451,7 @@ void refresh_cpu_vm_stats(int cpu)
56127 v = p->vm_stat_diff[i];
56128 p->vm_stat_diff[i] = 0;
56129 local_irq_restore(flags);
56130 - atomic_long_add(v, &zone->vm_stat[i]);
56131 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
56132 global_diff[i] += v;
56134 /* 3 seconds idle till flush */
56135 @@ -489,7 +489,7 @@ void refresh_cpu_vm_stats(int cpu)
56137 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
56138 if (global_diff[i])
56139 - atomic_long_add(global_diff[i], &vm_stat[i]);
56140 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
56144 @@ -1188,10 +1188,20 @@ static int __init setup_vmstat(void)
56145 start_cpu_timer(cpu);
56147 #ifdef CONFIG_PROC_FS
56148 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
56149 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
56150 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
56151 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
56153 + mode_t gr_mode = S_IRUGO;
56154 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
56155 + gr_mode = S_IRUSR;
56157 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
56158 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
56159 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
56160 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
56162 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
56164 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
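Review bot: The `mode_t gr_mode = S_IRUGO; #ifdef CONFIG_GRKERNSEC_PROC_ADD gr_mode = S_IRUSR;` preamble at L34145–L34147 is the third verbatim copy in this patch (slab.c L33685–L33687, slub.c L33970–L33972), and only this copy honours CONFIG_GRKERNSEC_PROC_USERGROUP (L34150–L34151, for vmstat alone). A small shared helper or macro in a common header (for example a constructed `gr_proc_mode(S_IRUGO)`) would keep the three sites from drifting. Whether slabinfo is meant to stay unreadable to the proc group under USERGROUP, or the omission is an oversight, cannot be decided from these hunks and deserves a one-line comment either way.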
56169 diff -urNp linux-2.6.38.1/net/8021q/vlan.c linux-2.6.38.1/net/8021q/vlan.c
56170 --- linux-2.6.38.1/net/8021q/vlan.c 2011-03-14 21:20:32.000000000 -0400
56171 +++ linux-2.6.38.1/net/8021q/vlan.c 2011-03-21 18:31:35.000000000 -0400
56172 @@ -589,8 +589,7 @@ static int vlan_ioctl_handler(struct net
56174 if (!capable(CAP_NET_ADMIN))
56176 - if ((args.u.name_type >= 0) &&
56177 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
56178 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
56179 struct vlan_net *vn;
56181 vn = net_generic(net, vlan_net_id);
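Review bot: The collapsed test `if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)` at L34161 is correct only because `u.name_type` is an unsigned field, which the hunk does not show; the removed `>= 0` was a tautology for that type, not a real bound. A comment `/* name_type is unsigned, so only the upper bound is needed */` keeps the next reader from re-adding the lower check or, worse, changing the field to a signed type without noticing the guard depends on it. vlan_ioctl_handler()'s body starts before and ends after this hunk.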
56182 diff -urNp linux-2.6.38.1/net/atm/atm_misc.c linux-2.6.38.1/net/atm/atm_misc.c
56183 --- linux-2.6.38.1/net/atm/atm_misc.c 2011-03-14 21:20:32.000000000 -0400
56184 +++ linux-2.6.38.1/net/atm/atm_misc.c 2011-03-21 18:31:35.000000000 -0400
56185 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
56186 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
56188 atm_return(vcc, truesize);
56189 - atomic_inc(&vcc->stats->rx_drop);
56190 + atomic_inc_unchecked(&vcc->stats->rx_drop);
56193 EXPORT_SYMBOL(atm_charge);
56194 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
56197 atm_return(vcc, guess);
56198 - atomic_inc(&vcc->stats->rx_drop);
56199 + atomic_inc_unchecked(&vcc->stats->rx_drop);
56202 EXPORT_SYMBOL(atm_alloc_charge);
56203 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
56205 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
56207 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
56208 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
56210 #undef __HANDLE_ITEM
56212 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
56214 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
56216 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
56217 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
56219 #undef __HANDLE_ITEM
56221 diff -urNp linux-2.6.38.1/net/atm/proc.c linux-2.6.38.1/net/atm/proc.c
56222 --- linux-2.6.38.1/net/atm/proc.c 2011-03-14 21:20:32.000000000 -0400
56223 +++ linux-2.6.38.1/net/atm/proc.c 2011-03-21 18:31:35.000000000 -0400
56224 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
56225 const struct k_atm_aal_stats *stats)
56227 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
56228 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
56229 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
56230 - atomic_read(&stats->rx_drop));
56231 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
56232 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
56233 + atomic_read_unchecked(&stats->rx_drop));
56236 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
56237 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
56239 struct sock *sk = sk_atm(vcc);
56241 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56242 + seq_printf(seq, "%p ", NULL);
56244 seq_printf(seq, "%p ", vcc);
56248 seq_printf(seq, "Unassigned ");
56250 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
56253 seq_printf(seq, sizeof(void *) == 4 ?
56254 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56255 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
56257 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
56260 seq_printf(seq, "%3d %3d %5d ",
56261 vcc->dev->number, vcc->vpi, vcc->vci);
56262 diff -urNp linux-2.6.38.1/net/atm/resources.c linux-2.6.38.1/net/atm/resources.c
56263 --- linux-2.6.38.1/net/atm/resources.c 2011-03-14 21:20:32.000000000 -0400
56264 +++ linux-2.6.38.1/net/atm/resources.c 2011-03-21 18:31:35.000000000 -0400
56265 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
56266 static void copy_aal_stats(struct k_atm_aal_stats *from,
56267 struct atm_aal_stats *to)
56269 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
56270 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
56272 #undef __HANDLE_ITEM
56274 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
56275 static void subtract_aal_stats(struct k_atm_aal_stats *from,
56276 struct atm_aal_stats *to)
56278 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
56279 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
56281 #undef __HANDLE_ITEM
56283 diff -urNp linux-2.6.38.1/net/bluetooth/bnep/sock.c linux-2.6.38.1/net/bluetooth/bnep/sock.c
56284 --- linux-2.6.38.1/net/bluetooth/bnep/sock.c 2011-03-14 21:20:32.000000000 -0400
56285 +++ linux-2.6.38.1/net/bluetooth/bnep/sock.c 2011-03-21 18:31:35.000000000 -0400
56286 @@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket
56290 + ca.device[sizeof(ca.device)-1] = 0;
56292 err = bnep_add_connection(&ca, nsock);
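Review bot: `ca.device[sizeof(ca.device)-1] = 0;` (L34233) fixes the termination of a name that is presumably copied from user space before bnep_add_connection() treats it as a string, but nothing says so, and the identical line `tmp.name[sizeof(tmp.name)-1] = 0;` in ebtables.c (L34256) is equally bare. A comment such as `/* copied from user space: force NUL termination before it is used as a string */` at both sites records why the last byte is clobbered rather than the request rejected. The copy that fills `ca` is above the hunk and not visible here.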
56294 diff -urNp linux-2.6.38.1/net/bluetooth/sco.c linux-2.6.38.1/net/bluetooth/sco.c
56295 --- linux-2.6.38.1/net/bluetooth/sco.c 2011-03-14 21:20:32.000000000 -0400
56296 +++ linux-2.6.38.1/net/bluetooth/sco.c 2011-03-21 18:31:35.000000000 -0400
56297 @@ -703,6 +703,7 @@ static int sco_sock_getsockopt_old(struc
56301 + memset(&cinfo, 0, sizeof(cinfo));
56302 cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
56303 memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
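Review bot: `memset(&cinfo, 0, sizeof(cinfo));` (L34239) is added without saying why, and the reason — this getsockopt path presumably hands the struct to user space, so any padding or unassigned byte would carry stack contents out — is exactly what a later cleanup would want to know before removing a "redundant" memset. Suggest `/* zero the whole struct first: it is copied to user space and padding would otherwise leak stack bytes */`. The copy_to_user() that motivates it is below the hunk and not visible.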
56305 diff -urNp linux-2.6.38.1/net/bridge/br_multicast.c linux-2.6.38.1/net/bridge/br_multicast.c
56306 --- linux-2.6.38.1/net/bridge/br_multicast.c 2011-03-14 21:20:32.000000000 -0400
56307 +++ linux-2.6.38.1/net/bridge/br_multicast.c 2011-03-21 18:31:35.000000000 -0400
56308 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
56309 nexthdr = ip6h->nexthdr;
56310 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
56312 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
56313 + if (nexthdr != IPPROTO_ICMPV6)
56316 /* Okay, we found ICMPv6 header */
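Review bot: Removing `offset < 0` at L34249 leaves the ICMPv6 path relying on something the hunk does not show: either `offset` is unsigned (its declaration is earlier in br_multicast_ipv6_rcv(), outside the hunk), or the failure return of ipv6_skip_exthdr() is assumed never to coincide with `nexthdr == IPPROTO_ICMPV6`. Whichever it is, a negative return from ipv6_skip_exthdr() would now be consumed as an offset by the parsing that follows instead of returning early, so the justification belongs next to the test, e.g. `/* a failed ipv6_skip_exthdr() does not update nexthdr, so its -1 cannot arrive here with ICMPV6 */` if that is the reasoning, confirmed against that helper's contract. Keeping the explicit `offset < 0 ||` costs nothing and is the safer form for packet-parsing code.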
56317 diff -urNp linux-2.6.38.1/net/bridge/netfilter/ebtables.c linux-2.6.38.1/net/bridge/netfilter/ebtables.c
56318 --- linux-2.6.38.1/net/bridge/netfilter/ebtables.c 2011-03-14 21:20:32.000000000 -0400
56319 +++ linux-2.6.38.1/net/bridge/netfilter/ebtables.c 2011-03-21 18:31:35.000000000 -0400
56320 @@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, c
56321 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
56324 + tmp.name[sizeof(tmp.name)-1] = 0;
56326 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
56327 newinfo = vmalloc(sizeof(*newinfo) + countersize);
56329 @@ -1510,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
56330 tmp.valid_hooks = t->table->valid_hooks;
56332 mutex_unlock(&ebt_mutex);
56333 - if (copy_to_user(user, &tmp, *len) != 0){
56334 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
56335 BUGPRINT("c2u Didn't work\n");
56338 diff -urNp linux-2.6.38.1/net/can/bcm.c linux-2.6.38.1/net/can/bcm.c
56339 --- linux-2.6.38.1/net/can/bcm.c 2011-03-14 21:20:32.000000000 -0400
56340 +++ linux-2.6.38.1/net/can/bcm.c 2011-03-21 18:31:35.000000000 -0400
56341 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
56342 struct bcm_sock *bo = bcm_sk(sk);
56345 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56346 + seq_printf(m, ">>> socket %p", NULL);
56347 + seq_printf(m, " / sk %p", NULL);
56348 + seq_printf(m, " / bo %p", NULL);
56350 seq_printf(m, ">>> socket %p", sk->sk_socket);
56351 seq_printf(m, " / sk %p", sk);
56352 seq_printf(m, " / bo %p", bo);
56354 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
56355 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
56356 seq_printf(m, " <<<\n");
56357 diff -urNp linux-2.6.38.1/net/core/dev.c linux-2.6.38.1/net/core/dev.c
56358 --- linux-2.6.38.1/net/core/dev.c 2011-03-14 21:20:32.000000000 -0400
56359 +++ linux-2.6.38.1/net/core/dev.c 2011-03-21 18:31:35.000000000 -0400
56360 @@ -1124,7 +1124,7 @@ void dev_load(struct net *net, const cha
56361 if (no_module && capable(CAP_NET_ADMIN))
56362 no_module = request_module("netdev-%s", name);
56363 if (no_module && capable(CAP_SYS_MODULE)) {
56364 - if (!request_module("%s", name))
56365 + if (!request_module("%s", name))
56366 pr_err("Loading kernel module for a network device "
56367 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
56368 "instead\n", name);
56369 @@ -2787,7 +2787,7 @@ int netif_rx_ni(struct sk_buff *skb)
56371 EXPORT_SYMBOL(netif_rx_ni);
56373 -static void net_tx_action(struct softirq_action *h)
56374 +static void net_tx_action(void)
56376 struct softnet_data *sd = &__get_cpu_var(softnet_data);
56378 @@ -3697,7 +3697,7 @@ void netif_napi_del(struct napi_struct *
56380 EXPORT_SYMBOL(netif_napi_del);
56382 -static void net_rx_action(struct softirq_action *h)
56383 +static void net_rx_action(void)
56385 struct softnet_data *sd = &__get_cpu_var(softnet_data);
56386 unsigned long time_limit = jiffies + 2;
56387 diff -urNp linux-2.6.38.1/net/core/sock.c linux-2.6.38.1/net/core/sock.c
56388 --- linux-2.6.38.1/net/core/sock.c 2011-03-14 21:20:32.000000000 -0400
56389 +++ linux-2.6.38.1/net/core/sock.c 2011-03-21 18:31:35.000000000 -0400
56390 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
56394 - if (copy_to_user(optval, address, len))
56395 + if (len > sizeof(address) || copy_to_user(optval, address, len))
56399 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
56403 - if (copy_to_user(optval, &v, len))
56404 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
56407 if (put_user(len, optlen))
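Review bot: `len > sizeof(v)` in front of `copy_to_user(optval, &v, len)` turns an oversized caller length into a hard failure, which is the right direction for a stack-local source buffer, but the hunk does not show what is returned on that path; if it shares the copy's `-EFAULT`, note that a caller asking for more than the option holds is an argument error and `-EINVAL` would describe it better. If `len` has already been clamped to `lv` earlier in sock_getsockopt, as the original flow suggests, this is a bound made visible to the compiler rather than a runtime fix, and a comment should say which. The same guard is added for `address` at @@ -934 and for `addr`, `devname`, `tbuf` and `pb` in net/decnet/sysctl_net_decnet.c, net/ipv4/tcp_probe.c and net/mac80211/rc80211_pid_debugfs.c; one comment at the first site, `/* never copy out more than the local buffer holds */`, would document the intent once. sock_getsockopt continues outside the hunk.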
56408 diff -urNp linux-2.6.38.1/net/dccp/ccids/ccid3.c linux-2.6.38.1/net/dccp/ccids/ccid3.c
56409 --- linux-2.6.38.1/net/dccp/ccids/ccid3.c 2011-03-14 21:20:32.000000000 -0400
56410 +++ linux-2.6.38.1/net/dccp/ccids/ccid3.c 2011-03-21 18:31:35.000000000 -0400
56412 static int ccid3_debug;
56413 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
56415 -#define ccid3_pr_debug(format, a...)
56416 +#define ccid3_pr_debug(format, a...) do {} while (0)
56420 diff -urNp linux-2.6.38.1/net/dccp/dccp.h linux-2.6.38.1/net/dccp/dccp.h
56421 --- linux-2.6.38.1/net/dccp/dccp.h 2011-03-14 21:20:32.000000000 -0400
56422 +++ linux-2.6.38.1/net/dccp/dccp.h 2011-03-21 18:31:35.000000000 -0400
56423 @@ -44,9 +44,9 @@ extern int dccp_debug;
56424 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
56425 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
56427 -#define dccp_pr_debug(format, a...)
56428 -#define dccp_pr_debug_cat(format, a...)
56429 -#define dccp_debug(format, a...)
56430 +#define dccp_pr_debug(format, a...) do {} while (0)
56431 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
56432 +#define dccp_debug(format, a...) do {} while (0)
56435 extern struct inet_hashinfo dccp_hashinfo;
56436 diff -urNp linux-2.6.38.1/net/decnet/sysctl_net_decnet.c linux-2.6.38.1/net/decnet/sysctl_net_decnet.c
56437 --- linux-2.6.38.1/net/decnet/sysctl_net_decnet.c 2011-03-14 21:20:32.000000000 -0400
56438 +++ linux-2.6.38.1/net/decnet/sysctl_net_decnet.c 2011-03-21 18:31:35.000000000 -0400
56439 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
56441 if (len > *lenp) len = *lenp;
56443 - if (copy_to_user(buffer, addr, len))
56444 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
56448 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
56450 if (len > *lenp) len = *lenp;
56452 - if (copy_to_user(buffer, devname, len))
56453 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
56457 diff -urNp linux-2.6.38.1/net/econet/Kconfig linux-2.6.38.1/net/econet/Kconfig
56458 --- linux-2.6.38.1/net/econet/Kconfig 2011-03-14 21:20:32.000000000 -0400
56459 +++ linux-2.6.38.1/net/econet/Kconfig 2011-03-21 18:31:35.000000000 -0400
56463 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
56464 - depends on EXPERIMENTAL && INET
56465 + depends on EXPERIMENTAL && INET && BROKEN
56467 Econet is a fairly old and slow networking protocol mainly used by
56468 Acorn computers to access file and print servers. It uses native
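Review bot: Adding `&& BROKEN` removes Econet from every normal configuration, yet the hunk gives no reason, and the help text that follows still describes a working protocol. Put the rationale next to the dependency, e.g. `# marked BROKEN by this patch: <reason for disabling>`, so that anyone re-enabling it knows what risk they are taking on.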
56469 diff -urNp linux-2.6.38.1/net/ipv4/inet_diag.c linux-2.6.38.1/net/ipv4/inet_diag.c
56470 --- linux-2.6.38.1/net/ipv4/inet_diag.c 2011-03-14 21:20:32.000000000 -0400
56471 +++ linux-2.6.38.1/net/ipv4/inet_diag.c 2011-03-21 18:31:35.000000000 -0400
56472 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
56473 r->idiag_retrans = 0;
56475 r->id.idiag_if = sk->sk_bound_dev_if;
56477 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56478 + r->id.idiag_cookie[0] = 0;
56479 + r->id.idiag_cookie[1] = 0;
56481 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
56482 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
56485 r->id.idiag_sport = inet->inet_sport;
56486 r->id.idiag_dport = inet->inet_dport;
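Review bot: Zeroing `idiag_cookie[0..1]` under CONFIG_GRKERNSEC_HIDESYM keeps the socket address out of the netlink reply, but the cookie is also what `inet_diag_get_exact` uses to confirm that the socket found by the 4-tuple lookup is the one the requester meant, and the hunk at @@ -285 compiles that comparison out entirely, so any socket matching the tuple is now accepted. The same zeroing is repeated for `tw` at @@ -201 and for `req` at @@ -582. An opaque per-socket identifier not derived from the kernel address (for example a value taken from a counter at socket creation) would hide the pointer without giving up the check; at minimum a comment such as `/* HIDESYM: cookie is always 0 and the exact-lookup cookie check is disabled, so lookups match on the 4-tuple alone */` should record the trade-off.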
56487 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
56488 r->idiag_family = tw->tw_family;
56489 r->idiag_retrans = 0;
56490 r->id.idiag_if = tw->tw_bound_dev_if;
56492 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56493 + r->id.idiag_cookie[0] = 0;
56494 + r->id.idiag_cookie[1] = 0;
56496 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
56497 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
56500 r->id.idiag_sport = tw->tw_sport;
56501 r->id.idiag_dport = tw->tw_dport;
56502 r->id.idiag_src[0] = tw->tw_rcv_saddr;
56503 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
56507 +#ifndef CONFIG_GRKERNSEC_HIDESYM
56509 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
56510 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
56511 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
56512 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
56517 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
56518 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
56519 r->idiag_retrans = req->retrans;
56521 r->id.idiag_if = sk->sk_bound_dev_if;
56523 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56524 + r->id.idiag_cookie[0] = 0;
56525 + r->id.idiag_cookie[1] = 0;
56527 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
56528 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
56531 tmo = req->expires - jiffies;
56533 diff -urNp linux-2.6.38.1/net/ipv4/inet_hashtables.c linux-2.6.38.1/net/ipv4/inet_hashtables.c
56534 --- linux-2.6.38.1/net/ipv4/inet_hashtables.c 2011-03-14 21:20:32.000000000 -0400
56535 +++ linux-2.6.38.1/net/ipv4/inet_hashtables.c 2011-03-21 18:31:35.000000000 -0400
56536 @@ -18,11 +18,14 @@
56537 #include <linux/sched.h>
56538 #include <linux/slab.h>
56539 #include <linux/wait.h>
56540 +#include <linux/security.h>
56542 #include <net/inet_connection_sock.h>
56543 #include <net/inet_hashtables.h>
56544 #include <net/route.h>
56545 #include <net/ip.h>
56547 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
56550 * Allocate and initialize a new local port bind bucket.
56551 * The bindhash mutex for snum's hash chain must be held here.
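Review bot: `extern void gr_update_task_in_ip_table(...)` is declared locally in a .c file right after the patch adds `#include <linux/security.h>`; a prototype that lives in the caller instead of a header is never checked against the definition by the compiler, which is how signature drift goes unnoticed. The patch itself introduces `<linux/grsecurity.h>` (included by the new net/netfilter/xt_gradm.c), so the prototype belongs there, together with the other file-local externs this patch adds: `grsec_enable_blackhole` in tcp_ipv4.c, tcp_minisocks.c, ipv4/udp.c, ipv6/tcp_ipv6.c and ipv6/udp.c, `grsec_lastack_retries` in tcp_timer.c, and `gr_search_udp_recvmsg`/`gr_search_udp_sendmsg` in ipv4/udp.c. If the call at @@ -529 is meant to attribute the bound port to the calling task, as passing `current` suggests, a one-line comment at the call site should say so.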
56552 @@ -529,6 +532,8 @@ ok:
56553 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
56554 spin_unlock(&head->lock);
56556 + gr_update_task_in_ip_table(current, inet_sk(sk));
56559 inet_twsk_deschedule(tw, death_row);
56561 diff -urNp linux-2.6.38.1/net/ipv4/inetpeer.c linux-2.6.38.1/net/ipv4/inetpeer.c
56562 --- linux-2.6.38.1/net/ipv4/inetpeer.c 2011-03-14 21:20:32.000000000 -0400
56563 +++ linux-2.6.38.1/net/ipv4/inetpeer.c 2011-03-21 18:31:35.000000000 -0400
56564 @@ -509,8 +509,8 @@ struct inet_peer *inet_getpeer(struct in
56567 atomic_set(&p->refcnt, 1);
56568 - atomic_set(&p->rid, 0);
56569 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->a4));
56570 + atomic_set_unchecked(&p->rid, 0);
56571 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->a4));
56572 p->tcp_ts_stamp = 0;
56573 INIT_LIST_HEAD(&p->unused);
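Review bot: Switching `rid` and `ip_id_count` to the `*_unchecked` atomic variants here (and `atomic_inc_return_unchecked` in ip_fragment.c, `atomic_read_unchecked` in route.c) opts these fields out of whatever overflow checking the checked variants carry, and nothing in the hunk says why. Both look like wrapping sequence generators rather than reference counts — `ip_id_count` is seeded from `secure_ip_id()` and ip_fragment.c computes `end - start` on `rid` — so wrapping is presumably intended; a comment at the field declarations, `/* wrapping ID generators, not refcounts: exempt from overflow checking */`, would record that and stop a later cleanup from converting them back. The matching type change on the struct inet_peer fields is not in view.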
56575 diff -urNp linux-2.6.38.1/net/ipv4/ip_fragment.c linux-2.6.38.1/net/ipv4/ip_fragment.c
56576 --- linux-2.6.38.1/net/ipv4/ip_fragment.c 2011-03-14 21:20:32.000000000 -0400
56577 +++ linux-2.6.38.1/net/ipv4/ip_fragment.c 2011-03-21 18:31:35.000000000 -0400
56578 @@ -298,7 +298,7 @@ static inline int ip_frag_too_far(struct
56582 - end = atomic_inc_return(&peer->rid);
56583 + end = atomic_inc_return_unchecked(&peer->rid);
56586 rc = qp->q.fragments && (end - start) > max;
56587 diff -urNp linux-2.6.38.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.38.1/net/ipv4/netfilter/nf_nat_snmp_basic.c
56588 --- linux-2.6.38.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-14 21:20:32.000000000 -0400
56589 +++ linux-2.6.38.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-21 18:31:35.000000000 -0400
56590 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
56594 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
56595 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
56596 if (*octets == NULL) {
56597 if (net_ratelimit())
56598 pr_notice("OOM in bsalg (%d)\n", __LINE__);
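Review bot: Wrapping `eoc - ctx->pointer` in parentheses changes nothing for the compiler, so the hunk as shown is a no-op; if it exists to satisfy a size-checking tool, a comment should say so, otherwise it reads as noise. The real question on this line is the pointer difference itself: if a malformed ASN.1 length can leave `eoc` below `ctx->pointer`, the negative difference becomes a huge allocation size, which kmalloc will refuse and the `NULL` check below will catch, but an explicit `if (eoc < ctx->pointer) return 0;` style guard (or confirming the decoder already guarantees the ordering, which is outside the hunk) would make the invariant visible.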
56599 diff -urNp linux-2.6.38.1/net/ipv4/route.c linux-2.6.38.1/net/ipv4/route.c
56600 --- linux-2.6.38.1/net/ipv4/route.c 2011-03-14 21:20:32.000000000 -0400
56601 +++ linux-2.6.38.1/net/ipv4/route.c 2011-03-21 18:31:35.000000000 -0400
56602 @@ -2857,7 +2857,7 @@ static int rt_fill_info(struct net *net,
56603 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
56605 inet_peer_refcheck(rt->peer);
56606 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
56607 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
56608 if (rt->peer->tcp_ts_stamp) {
56609 ts = rt->peer->tcp_ts;
56610 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
56611 diff -urNp linux-2.6.38.1/net/ipv4/tcp_ipv4.c linux-2.6.38.1/net/ipv4/tcp_ipv4.c
56612 --- linux-2.6.38.1/net/ipv4/tcp_ipv4.c 2011-03-14 21:20:32.000000000 -0400
56613 +++ linux-2.6.38.1/net/ipv4/tcp_ipv4.c 2011-03-21 18:31:35.000000000 -0400
56614 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
56615 int sysctl_tcp_low_latency __read_mostly;
56616 EXPORT_SYMBOL(sysctl_tcp_low_latency);
56618 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56619 +extern int grsec_enable_blackhole;
56622 #ifdef CONFIG_TCP_MD5SIG
56623 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
56624 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
56628 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56629 + if (!grsec_enable_blackhole)
56631 tcp_v4_send_reset(rsk, skb);
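Review bot: `if (!grsec_enable_blackhole)` stands on its own line with the preprocessor `#endif` between it and the `tcp_v4_send_reset(rsk, skb);` it guards, so the if-body lives on the other side of a conditional-compilation boundary without braces; the same shape recurs in net/ipv4/tcp_minisocks.c at @@ -745 (where the guarded statement is itself an unbraced `if`, making the blackhole test the outer half of a nested if), in net/ipv6/tcp_ipv6.c at @@ -1676, and at the ICMP port-unreachable sites in ipv4/udp.c and ipv6/udp.c. A small always-defined inline (returning `grsec_enable_blackhole` when the option is on and `0` otherwise, defined once in the header that declares the sysctl) keeps every call site linear: `if (!grsec_blackhole_enabled()) tcp_v4_send_reset(rsk, skb);`. tcp_v4_do_rcv continues outside the hunk.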
56634 @@ -1655,12 +1661,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
56635 TCP_SKB_CB(skb)->sacked = 0;
56637 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56640 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56643 goto no_tcp_socket;
56647 - if (sk->sk_state == TCP_TIME_WAIT)
56648 + if (sk->sk_state == TCP_TIME_WAIT) {
56649 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56655 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
56656 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56657 @@ -1710,6 +1723,10 @@ no_tcp_socket:
56659 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56661 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56662 + if (!grsec_enable_blackhole || (ret == 1 &&
56663 + (skb->dev->flags & IFF_LOOPBACK)))
56665 tcp_v4_send_reset(NULL, skb);
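Review bot: `ret == 1` is doing duty as a flag meaning "no listening socket matched", but `ret` otherwise carries the receive path's return value, and the assignment that gives it the value 1 appears to be in the @@ -1655 hunk above rather than near this test; the same idiom is in net/ipv6/tcp_ipv6.c at @@ -1808. A dedicated local (`bool no_socket = false;` set at the `goto no_tcp_socket;` site) or at least `/* ret == 1: lookup failed; still answer loopback so local clients are not left hanging */` would keep the check from being broken by an unrelated change to `ret`. The loopback exception is the behaviour an operator will notice (local connections to closed ports still get a RST), so it deserves that comment either way.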
56668 @@ -2373,7 +2390,11 @@ static void get_openreq4(struct sock *sk
56669 0, /* non standard timer */
56670 0, /* open_requests have no inode */
56671 atomic_read(&sk->sk_refcnt),
56672 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56680 @@ -2423,7 +2444,12 @@ static void get_tcp4_sock(struct sock *s
56682 icsk->icsk_probes_out,
56684 - atomic_read(&sk->sk_refcnt), sk,
56685 + atomic_read(&sk->sk_refcnt),
56686 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56691 jiffies_to_clock_t(icsk->icsk_rto),
56692 jiffies_to_clock_t(icsk->icsk_ack.ato),
56693 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
56694 @@ -2451,7 +2477,13 @@ static void get_timewait4_sock(struct in
56695 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
56696 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
56697 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56698 - atomic_read(&tw->tw_refcnt), tw, len);
56699 + atomic_read(&tw->tw_refcnt),
56700 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56709 diff -urNp linux-2.6.38.1/net/ipv4/tcp_minisocks.c linux-2.6.38.1/net/ipv4/tcp_minisocks.c
56710 --- linux-2.6.38.1/net/ipv4/tcp_minisocks.c 2011-03-14 21:20:32.000000000 -0400
56711 +++ linux-2.6.38.1/net/ipv4/tcp_minisocks.c 2011-03-21 18:31:35.000000000 -0400
56713 #include <net/inet_common.h>
56714 #include <net/xfrm.h>
56716 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56717 +extern int grsec_enable_blackhole;
56720 int sysctl_tcp_syncookies __read_mostly = 1;
56721 EXPORT_SYMBOL(sysctl_tcp_syncookies);
56723 @@ -745,6 +749,10 @@ listen_overflow:
56726 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
56728 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56729 + if (!grsec_enable_blackhole)
56731 if (!(flg & TCP_FLAG_RST))
56732 req->rsk_ops->send_reset(sk, skb);
56734 diff -urNp linux-2.6.38.1/net/ipv4/tcp_probe.c linux-2.6.38.1/net/ipv4/tcp_probe.c
56735 --- linux-2.6.38.1/net/ipv4/tcp_probe.c 2011-03-14 21:20:32.000000000 -0400
56736 +++ linux-2.6.38.1/net/ipv4/tcp_probe.c 2011-03-21 18:31:35.000000000 -0400
56737 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
56738 if (cnt + width >= len)
56741 - if (copy_to_user(buf + cnt, tbuf, width))
56742 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
56746 diff -urNp linux-2.6.38.1/net/ipv4/tcp_timer.c linux-2.6.38.1/net/ipv4/tcp_timer.c
56747 --- linux-2.6.38.1/net/ipv4/tcp_timer.c 2011-03-14 21:20:32.000000000 -0400
56748 +++ linux-2.6.38.1/net/ipv4/tcp_timer.c 2011-03-21 18:31:35.000000000 -0400
56750 #include <linux/gfp.h>
56751 #include <net/tcp.h>
56753 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56754 +extern int grsec_lastack_retries;
56757 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
56758 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
56759 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
56760 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
56764 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56765 + if ((sk->sk_state == TCP_LAST_ACK) &&
56766 + (grsec_lastack_retries > 0) &&
56767 + (grsec_lastack_retries < retry_until))
56768 + retry_until = grsec_lastack_retries;
56771 if (retransmits_timed_out(sk, retry_until,
56772 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
56773 /* Has it gone just too far? */
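Review bot: The LAST_ACK clamp only ever lowers `retry_until`, which is the safe direction, but nothing records what it is for: a socket in LAST_ACK has sent its FIN and is no longer reachable from the application, so a peer that never acknowledges keeps the kernel-side socket alive for whatever retry budget the logic just above the hunk assigned. Suggest `/* LAST_ACK sockets are orphaned; cap their retransmits so a peer that never ACKs the FIN cannot pin them for the full retry budget */` above the `#ifdef`, and documenting the accepted range of `grsec_lastack_retries` (0 = off, as the `> 0` test implies) where the sysctl is registered. tcp_write_timeout continues outside the hunk.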
56774 diff -urNp linux-2.6.38.1/net/ipv4/udp.c linux-2.6.38.1/net/ipv4/udp.c
56775 --- linux-2.6.38.1/net/ipv4/udp.c 2011-03-14 21:20:32.000000000 -0400
56776 +++ linux-2.6.38.1/net/ipv4/udp.c 2011-03-21 18:31:35.000000000 -0400
56778 #include <linux/types.h>
56779 #include <linux/fcntl.h>
56780 #include <linux/module.h>
56781 +#include <linux/security.h>
56782 #include <linux/socket.h>
56783 #include <linux/sockios.h>
56784 #include <linux/igmp.h>
56785 @@ -107,6 +108,10 @@
56786 #include <net/xfrm.h>
56787 #include "udp_impl.h"
56789 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56790 +extern int grsec_enable_blackhole;
56793 struct udp_table udp_table __read_mostly;
56794 EXPORT_SYMBOL(udp_table);
56796 @@ -564,6 +569,9 @@ found:
56800 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
56801 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
56804 * This routine is called by the ICMP module when it gets some
56805 * sort of error condition. If err < 0 then the socket should
56806 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
56807 dport = usin->sin_port;
56811 + err = gr_search_udp_sendmsg(sk, usin);
56815 if (sk->sk_state != TCP_ESTABLISHED)
56816 return -EDESTADDRREQ;
56818 + err = gr_search_udp_sendmsg(sk, NULL);
56822 daddr = inet->inet_daddr;
56823 dport = inet->inet_dport;
56824 /* Open fast path for connected socket.
56825 @@ -1139,6 +1156,10 @@ try_again:
56829 + err = gr_search_udp_recvmsg(sk, skb);
56833 ulen = skb->len - sizeof(struct udphdr);
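Review bot: `err = gr_search_udp_recvmsg(sk, skb)` is inserted after the datagram has already been dequeued at `try_again:`, so on a non-zero `err` the skb must be released (and the drop accounted) before returning, not merely returned past; the lines following the call are not shown in this render, so that is the thing to verify. The send-side hooks at @@ -832 sit after `dport = usin->sin_port`, i.e. after `usin` has presumably been validated, which is the right order, but the `NULL` second argument in the connected-socket branch means `gr_search_udp_sendmsg` must accept a NULL address; the prototype added at @@ -564 should say so, e.g. `/* addr is NULL on a connected socket; the peer is inet->inet_daddr/inet_dport */`.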
56836 @@ -1623,6 +1644,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
56839 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
56840 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56841 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56843 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
56846 @@ -2050,7 +2074,12 @@ static void udp4_format_sock(struct sock
56847 sk_wmem_alloc_get(sp),
56848 sk_rmem_alloc_get(sp),
56849 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
56850 - atomic_read(&sp->sk_refcnt), sp,
56851 + atomic_read(&sp->sk_refcnt),
56852 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56857 atomic_read(&sp->sk_drops), len);
56860 diff -urNp linux-2.6.38.1/net/ipv6/exthdrs.c linux-2.6.38.1/net/ipv6/exthdrs.c
56861 --- linux-2.6.38.1/net/ipv6/exthdrs.c 2011-03-14 21:20:32.000000000 -0400
56862 +++ linux-2.6.38.1/net/ipv6/exthdrs.c 2011-03-21 18:31:35.000000000 -0400
56863 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
56864 .type = IPV6_TLV_JUMBO,
56865 .func = ipv6_hop_jumbo,
56871 int ipv6_parse_hopopts(struct sk_buff *skb)
56872 diff -urNp linux-2.6.38.1/net/ipv6/raw.c linux-2.6.38.1/net/ipv6/raw.c
56873 --- linux-2.6.38.1/net/ipv6/raw.c 2011-03-14 21:20:32.000000000 -0400
56874 +++ linux-2.6.38.1/net/ipv6/raw.c 2011-03-21 18:31:35.000000000 -0400
56875 @@ -602,7 +602,7 @@ out:
56879 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
56880 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
56881 struct flowi *fl, struct dst_entry **dstp,
56882 unsigned int flags)
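Review bot: Changing `length` from `int` to `unsigned int` silences signed/unsigned comparisons inside `rawv6_send_hdrinc`, but it also makes any `length < 0` test in the body (outside this hunk) permanently false, and the caller's argument type should be checked so a negative value cannot arrive and wrap to a large size. The body of rawv6_send_hdrinc continues outside the hunk.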
56884 @@ -1262,7 +1262,13 @@ static void raw6_sock_seq_show(struct se
56888 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
56889 + atomic_read(&sp->sk_refcnt),
56890 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56895 + atomic_read(&sp->sk_drops));
56898 static int raw6_seq_show(struct seq_file *seq, void *v)
56899 diff -urNp linux-2.6.38.1/net/ipv6/tcp_ipv6.c linux-2.6.38.1/net/ipv6/tcp_ipv6.c
56900 --- linux-2.6.38.1/net/ipv6/tcp_ipv6.c 2011-03-14 21:20:32.000000000 -0400
56901 +++ linux-2.6.38.1/net/ipv6/tcp_ipv6.c 2011-03-21 18:31:35.000000000 -0400
56902 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
56906 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56907 +extern int grsec_enable_blackhole;
56910 static void tcp_v6_hash(struct sock *sk)
56912 if (sk->sk_state != TCP_CLOSE) {
56913 @@ -1676,6 +1680,9 @@ static int tcp_v6_do_rcv(struct sock *sk
56917 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56918 + if (!grsec_enable_blackhole)
56920 tcp_v6_send_reset(sk, skb);
56923 @@ -1755,12 +1762,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
56924 TCP_SKB_CB(skb)->sacked = 0;
56926 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56929 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56932 goto no_tcp_socket;
56936 - if (sk->sk_state == TCP_TIME_WAIT)
56937 + if (sk->sk_state == TCP_TIME_WAIT) {
56938 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56944 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
56945 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56946 @@ -1808,6 +1823,10 @@ no_tcp_socket:
56948 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56950 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56951 + if (!grsec_enable_blackhole || (ret == 1 &&
56952 + (skb->dev->flags & IFF_LOOPBACK)))
56954 tcp_v6_send_reset(NULL, skb);
56957 @@ -2068,7 +2087,13 @@ static void get_openreq6(struct seq_file
56959 0, /* non standard timer */
56960 0, /* open_requests have no inode */
56963 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56971 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
56972 @@ -2118,7 +2143,12 @@ static void get_tcp6_sock(struct seq_fil
56974 icsk->icsk_probes_out,
56976 - atomic_read(&sp->sk_refcnt), sp,
56977 + atomic_read(&sp->sk_refcnt),
56978 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56983 jiffies_to_clock_t(icsk->icsk_rto),
56984 jiffies_to_clock_t(icsk->icsk_ack.ato),
56985 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
56986 @@ -2153,7 +2183,13 @@ static void get_timewait6_sock(struct se
56987 dest->s6_addr32[2], dest->s6_addr32[3], destp,
56988 tw->tw_substate, 0, 0,
56989 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56990 - atomic_read(&tw->tw_refcnt), tw);
56991 + atomic_read(&tw->tw_refcnt),
56992 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57000 static int tcp6_seq_show(struct seq_file *seq, void *v)
57001 diff -urNp linux-2.6.38.1/net/ipv6/udp.c linux-2.6.38.1/net/ipv6/udp.c
57002 --- linux-2.6.38.1/net/ipv6/udp.c 2011-03-14 21:20:32.000000000 -0400
57003 +++ linux-2.6.38.1/net/ipv6/udp.c 2011-03-21 18:31:35.000000000 -0400
57005 #include <linux/seq_file.h>
57006 #include "udp_impl.h"
57008 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
57009 +extern int grsec_enable_blackhole;
57012 int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
57014 const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
57015 @@ -773,6 +777,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
57016 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
57017 proto == IPPROTO_UDPLITE);
57019 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
57020 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
57022 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
57025 @@ -1407,7 +1414,12 @@ static void udp6_sock_seq_show(struct se
57029 - atomic_read(&sp->sk_refcnt), sp,
57030 + atomic_read(&sp->sk_refcnt),
57031 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57036 atomic_read(&sp->sk_drops));
57039 diff -urNp linux-2.6.38.1/net/irda/ircomm/ircomm_tty.c linux-2.6.38.1/net/irda/ircomm/ircomm_tty.c
57040 --- linux-2.6.38.1/net/irda/ircomm/ircomm_tty.c 2011-03-14 21:20:32.000000000 -0400
57041 +++ linux-2.6.38.1/net/irda/ircomm/ircomm_tty.c 2011-03-21 18:31:35.000000000 -0400
57042 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
57043 add_wait_queue(&self->open_wait, &wait);
57045 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
57046 - __FILE__,__LINE__, tty->driver->name, self->open_count );
57047 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
57049 /* As far as I can see, we protect open_count - Jean II */
57050 spin_lock_irqsave(&self->spinlock, flags);
57051 if (!tty_hung_up_p(filp)) {
57053 - self->open_count--;
57054 + local_dec(&self->open_count);
57056 spin_unlock_irqrestore(&self->spinlock, flags);
57057 - self->blocked_open++;
57058 + local_inc(&self->blocked_open);
57061 if (tty->termios->c_cflag & CBAUD) {
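Review bot: `local_inc`/`local_dec` on `self->open_count` and `self->blocked_open` replace plain `++`/`--`, but `local_t` is documented as a per-CPU type whose operations are atomic only against interrupts on the same CPU, and these counters belong to a tty shared by every CPU; the patch rightly keeps `spin_lock_irqsave(&self->spinlock, ...)` around the updates, so the lock, not `local_t`, is still what makes them correct, while reads such as `local_read(&self->open_count) != 1` in ircomm_tty_close stay outside it as before. If the aim is to keep these counters out of reference-count overflow instrumentation, say so at the field declaration, `/* not a refcount; serialized by self->spinlock, local_t only to avoid refcount instrumentation */`; otherwise `atomic_t` states the cross-CPU intent. The same conversion is applied to `open_count` in net/mac80211 (ieee80211_i.h, iface.c, main.c, pm.c, rate.c, util.c).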
57062 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
57065 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
57066 - __FILE__,__LINE__, tty->driver->name, self->open_count );
57067 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
57071 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
57073 /* ++ is not atomic, so this should be protected - Jean II */
57074 spin_lock_irqsave(&self->spinlock, flags);
57075 - self->open_count++;
57076 + local_inc(&self->open_count);
57077 spin_unlock_irqrestore(&self->spinlock, flags);
57079 - self->blocked_open--;
57080 + local_dec(&self->blocked_open);
57082 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
57083 - __FILE__,__LINE__, tty->driver->name, self->open_count);
57084 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
57087 self->flags |= ASYNC_NORMAL_ACTIVE;
57088 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
57090 /* ++ is not atomic, so this should be protected - Jean II */
57091 spin_lock_irqsave(&self->spinlock, flags);
57092 - self->open_count++;
57093 + local_inc(&self->open_count);
57095 tty->driver_data = self;
57097 spin_unlock_irqrestore(&self->spinlock, flags);
57099 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
57100 - self->line, self->open_count);
57101 + self->line, local_read(&self->open_count));
57103 /* Not really used by us, but lets do it anyway */
57104 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
57105 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
57109 - if ((tty->count == 1) && (self->open_count != 1)) {
57110 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
57112 * Uh, oh. tty->count is 1, which means that the tty
57113 * structure will be freed. state->count should always
57114 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
57116 IRDA_DEBUG(0, "%s(), bad serial port count; "
57117 "tty->count is 1, state->count is %d\n", __func__ ,
57118 - self->open_count);
57119 - self->open_count = 1;
57120 + local_read(&self->open_count));
57121 + local_set(&self->open_count, 1);
57124 - if (--self->open_count < 0) {
57125 + if (local_dec_return(&self->open_count) < 0) {
57126 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
57127 - __func__, self->line, self->open_count);
57128 - self->open_count = 0;
57129 + __func__, self->line, local_read(&self->open_count));
57130 + local_set(&self->open_count, 0);
57132 - if (self->open_count) {
57133 + if (local_read(&self->open_count)) {
57134 spin_unlock_irqrestore(&self->spinlock, flags);
57136 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
57137 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
57141 - if (self->blocked_open) {
57142 + if (local_read(&self->blocked_open)) {
57143 if (self->close_delay)
57144 schedule_timeout_interruptible(self->close_delay);
57145 wake_up_interruptible(&self->open_wait);
57146 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
57147 spin_lock_irqsave(&self->spinlock, flags);
57148 self->flags &= ~ASYNC_NORMAL_ACTIVE;
57150 - self->open_count = 0;
57151 + local_set(&self->open_count, 0);
57152 spin_unlock_irqrestore(&self->spinlock, flags);
57154 wake_up_interruptible(&self->open_wait);
57155 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
57158 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
57159 - seq_printf(m, "Open count: %d\n", self->open_count);
57160 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
57161 seq_printf(m, "Max data size: %d\n", self->max_data_size);
57162 seq_printf(m, "Max header size: %d\n", self->max_header_size);
57164 diff -urNp linux-2.6.38.1/net/key/af_key.c linux-2.6.38.1/net/key/af_key.c
57165 --- linux-2.6.38.1/net/key/af_key.c 2011-03-14 21:20:32.000000000 -0400
57166 +++ linux-2.6.38.1/net/key/af_key.c 2011-03-21 18:31:35.000000000 -0400
57167 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
57168 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
57170 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
57171 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57176 atomic_read(&s->sk_refcnt),
57177 sk_rmem_alloc_get(s),
57178 sk_wmem_alloc_get(s),
57179 diff -urNp linux-2.6.38.1/net/mac80211/ieee80211_i.h linux-2.6.38.1/net/mac80211/ieee80211_i.h
57180 --- linux-2.6.38.1/net/mac80211/ieee80211_i.h 2011-03-14 21:20:32.000000000 -0400
57181 +++ linux-2.6.38.1/net/mac80211/ieee80211_i.h 2011-03-21 18:31:35.000000000 -0400
57183 #include <net/ieee80211_radiotap.h>
57184 #include <net/cfg80211.h>
57185 #include <net/mac80211.h>
57186 +#include <asm/local.h>
57188 #include "sta_info.h"
57190 @@ -716,7 +717,7 @@ struct ieee80211_local {
57191 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
57192 spinlock_t queue_stop_reason_lock;
57195 + local_t open_count;
57196 int monitors, cooked_mntrs;
57197 /* number of interfaces with corresponding FIF_ flags */
57198 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
57199 diff -urNp linux-2.6.38.1/net/mac80211/iface.c linux-2.6.38.1/net/mac80211/iface.c
57200 --- linux-2.6.38.1/net/mac80211/iface.c 2011-03-14 21:20:32.000000000 -0400
57201 +++ linux-2.6.38.1/net/mac80211/iface.c 2011-03-21 18:31:35.000000000 -0400
57202 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
57206 - if (local->open_count == 0) {
57207 + if (local_read(&local->open_count) == 0) {
57208 res = drv_start(local);
57211 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
57212 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
57214 if (!is_valid_ether_addr(dev->dev_addr)) {
57215 - if (!local->open_count)
57216 + if (!local_read(&local->open_count))
57218 return -EADDRNOTAVAIL;
57220 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
57221 mutex_unlock(&local->mtx);
57224 - local->open_count++;
57225 + local_inc(&local->open_count);
57227 if (hw_reconf_flags) {
57228 ieee80211_hw_config(local, hw_reconf_flags);
57229 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
57231 drv_remove_interface(local, &sdata->vif);
57233 - if (!local->open_count)
57234 + if (!local_read(&local->open_count))
57238 @@ -473,7 +473,7 @@ static void ieee80211_do_stop(struct iee
57242 - local->open_count--;
57243 + local_dec(&local->open_count);
57245 switch (sdata->vif.type) {
57246 case NL80211_IFTYPE_AP_VLAN:
57247 @@ -532,7 +532,7 @@ static void ieee80211_do_stop(struct iee
57249 ieee80211_recalc_ps(local, -1);
57251 - if (local->open_count == 0) {
57252 + if (local_read(&local->open_count) == 0) {
57253 if (local->ops->napi_poll)
57254 napi_disable(&local->napi);
57255 ieee80211_clear_tx_pending(local);
57256 diff -urNp linux-2.6.38.1/net/mac80211/main.c linux-2.6.38.1/net/mac80211/main.c
57257 --- linux-2.6.38.1/net/mac80211/main.c 2011-03-14 21:20:32.000000000 -0400
57258 +++ linux-2.6.38.1/net/mac80211/main.c 2011-03-21 18:31:35.000000000 -0400
57259 @@ -161,7 +161,7 @@ int ieee80211_hw_config(struct ieee80211
57260 local->hw.conf.power_level = power;
57263 - if (changed && local->open_count) {
57264 + if (changed && local_read(&local->open_count)) {
57265 ret = drv_config(local, changed);
57268 diff -urNp linux-2.6.38.1/net/mac80211/pm.c linux-2.6.38.1/net/mac80211/pm.c
57269 --- linux-2.6.38.1/net/mac80211/pm.c 2011-03-14 21:20:32.000000000 -0400
57270 +++ linux-2.6.38.1/net/mac80211/pm.c 2011-03-21 18:31:35.000000000 -0400
57271 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
57274 /* stop hardware - this must stop RX */
57275 - if (local->open_count)
57276 + if (local_read(&local->open_count))
57277 ieee80211_stop_device(local);
57279 local->suspended = true;
57280 diff -urNp linux-2.6.38.1/net/mac80211/rate.c linux-2.6.38.1/net/mac80211/rate.c
57281 --- linux-2.6.38.1/net/mac80211/rate.c 2011-03-14 21:20:32.000000000 -0400
57282 +++ linux-2.6.38.1/net/mac80211/rate.c 2011-03-21 18:31:35.000000000 -0400
57283 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
57287 - if (local->open_count)
57288 + if (local_read(&local->open_count))
57291 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
57292 diff -urNp linux-2.6.38.1/net/mac80211/rc80211_pid_debugfs.c linux-2.6.38.1/net/mac80211/rc80211_pid_debugfs.c
57293 --- linux-2.6.38.1/net/mac80211/rc80211_pid_debugfs.c 2011-03-14 21:20:32.000000000 -0400
57294 +++ linux-2.6.38.1/net/mac80211/rc80211_pid_debugfs.c 2011-03-21 18:31:35.000000000 -0400
57295 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
57297 spin_unlock_irqrestore(&events->lock, status);
57299 - if (copy_to_user(buf, pb, p))
57300 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
57304 diff -urNp linux-2.6.38.1/net/mac80211/tx.c linux-2.6.38.1/net/mac80211/tx.c
57305 --- linux-2.6.38.1/net/mac80211/tx.c 2011-03-14 21:20:32.000000000 -0400
57306 +++ linux-2.6.38.1/net/mac80211/tx.c 2011-03-21 18:31:35.000000000 -0400
57307 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
57308 return cpu_to_le16(dur);
57311 -static int inline is_ieee80211_device(struct ieee80211_local *local,
57312 +static inline int is_ieee80211_device(struct ieee80211_local *local,
57313 struct net_device *dev)
57315 return local == wdev_priv(dev->ieee80211_ptr);
57316 diff -urNp linux-2.6.38.1/net/mac80211/util.c linux-2.6.38.1/net/mac80211/util.c
57317 --- linux-2.6.38.1/net/mac80211/util.c 2011-03-14 21:20:32.000000000 -0400
57318 +++ linux-2.6.38.1/net/mac80211/util.c 2011-03-21 18:31:35.000000000 -0400
57319 @@ -1135,7 +1135,7 @@ int ieee80211_reconfig(struct ieee80211_
57320 local->resuming = true;
57322 /* restart hardware */
57323 - if (local->open_count) {
57324 + if (local_read(&local->open_count)) {
57326 * Upon resume hardware can sometimes be goofy due to
57327 * various platform / driver / bus issues, so restarting
57328 diff -urNp linux-2.6.38.1/net/netfilter/Kconfig linux-2.6.38.1/net/netfilter/Kconfig
57329 --- linux-2.6.38.1/net/netfilter/Kconfig 2011-03-14 21:20:32.000000000 -0400
57330 +++ linux-2.6.38.1/net/netfilter/Kconfig 2011-03-21 18:31:35.000000000 -0400
57331 @@ -709,6 +709,16 @@ config NETFILTER_XT_MATCH_ESP
57333 To compile it as a module, choose M here. If unsure, say N.
57335 +config NETFILTER_XT_MATCH_GRADM
57336 + tristate '"gradm" match support'
57337 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
57338 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
57340 + The gradm match allows to match on grsecurity RBAC being enabled.
57341 + It is useful when iptables rules are applied early on bootup to
57342 + prevent connections to the machine (except from a trusted host)
57343 + while the RBAC system is disabled.
57345 config NETFILTER_XT_MATCH_HASHLIMIT
57346 tristate '"hashlimit" match support'
57347 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
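Review bot: The help text for NETFILTER_XT_MATCH_GRADM does not say which way the match evaluates, and `allows to match on` is not idiomatic English. The text says the match is on RBAC being enabled while the use case it describes (blocking connections while RBAC is disabled) needs the inverted rule, so spell that out: `The gradm match succeeds while the grsecurity RBAC system is enabled; invert it to restrict traffic until RBAC has been turned on at boot.`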
57348 diff -urNp linux-2.6.38.1/net/netfilter/Makefile linux-2.6.38.1/net/netfilter/Makefile
57349 --- linux-2.6.38.1/net/netfilter/Makefile 2011-03-14 21:20:32.000000000 -0400
57350 +++ linux-2.6.38.1/net/netfilter/Makefile 2011-03-21 18:31:35.000000000 -0400
57351 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
57352 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
57353 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
57354 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
57355 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
57356 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
57357 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
57358 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
57359 diff -urNp linux-2.6.38.1/net/netfilter/nf_conntrack_netlink.c linux-2.6.38.1/net/netfilter/nf_conntrack_netlink.c
57360 --- linux-2.6.38.1/net/netfilter/nf_conntrack_netlink.c 2011-03-14 21:20:32.000000000 -0400
57361 +++ linux-2.6.38.1/net/netfilter/nf_conntrack_netlink.c 2011-03-21 18:31:35.000000000 -0400
57362 @@ -761,7 +761,7 @@ static const struct nla_policy tuple_nla
57364 ctnetlink_parse_tuple(const struct nlattr * const cda[],
57365 struct nf_conntrack_tuple *tuple,
57366 - enum ctattr_tuple type, u_int8_t l3num)
57367 + enum ctattr_type type, u_int8_t l3num)
57369 struct nlattr *tb[CTA_TUPLE_MAX+1];
57371 diff -urNp linux-2.6.38.1/net/netfilter/xt_gradm.c linux-2.6.38.1/net/netfilter/xt_gradm.c
57372 --- linux-2.6.38.1/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
57373 +++ linux-2.6.38.1/net/netfilter/xt_gradm.c 2011-03-21 18:31:35.000000000 -0400
57376 + * gradm match for netfilter
57377 + * Copyright © Zbigniew Krzystolik, 2010
57379 + * This program is free software; you can redistribute it and/or modify
57380 + * it under the terms of the GNU General Public License; either version
57381 + * 2 or 3 as published by the Free Software Foundation.
57383 +#include <linux/module.h>
57384 +#include <linux/moduleparam.h>
57385 +#include <linux/skbuff.h>
57386 +#include <linux/netfilter/x_tables.h>
57387 +#include <linux/grsecurity.h>
57388 +#include <linux/netfilter/xt_gradm.h>
57391 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
57393 + const struct xt_gradm_mtinfo *info = par->matchinfo;
57394 + bool retval = false;
57395 + if (gr_acl_is_enabled())
57397 + return retval ^ info->invflags;
57400 +static struct xt_match gradm_mt_reg __read_mostly = {
57403 + .family = NFPROTO_UNSPEC,
57404 + .match = gradm_mt,
57405 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
57406 + .me = THIS_MODULE,
57409 +static int __init gradm_mt_init(void)
57411 + return xt_register_match(&gradm_mt_reg);
57414 +static void __exit gradm_mt_exit(void)
57416 + xt_unregister_match(&gradm_mt_reg);
57419 +module_init(gradm_mt_init);
57420 +module_exit(gradm_mt_exit);
57421 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
57422 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
57423 +MODULE_LICENSE("GPL");
57424 +MODULE_ALIAS("ipt_gradm");
57425 +MODULE_ALIAS("ip6t_gradm");
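Review bot: `gradm_mt` returns `retval ^ info->invflags` without anything validating `info->invflags`, and `gradm_mt_reg` registers no `.checkentry`, so the match data handed over with the rule is trusted to hold only 0 or 1. Assuming the usual `bool` return type on the line not shown, the XOR still collapses to a boolean on return, so the worst case is a misinterpreted rule rather than memory corruption, but a checkentry hook is the idiomatic place to reject malformed match data (the type of `invflags` is in xt_gradm.h, outside this diff, so adjust the mask to it). `skb` is unused by design because the match keys only on `gr_acl_is_enabled()`; a one-line comment on `gradm_mt` saying so would preempt the question, and `<linux/moduleparam.h>` appears unused since no module parameter is declared.
```c
/* reject match data with bits other than the invert flag set */
static int gradm_mt_check(const struct xt_mtchk_param *par)
{
	const struct xt_gradm_mtinfo *info = par->matchinfo;

	return (info->invflags & ~1) ? -EINVAL : 0;
}

/* … unchanged: gradm_mt … */

static struct xt_match gradm_mt_reg __read_mostly = {
	/* … unchanged: .name, .revision, .family, .match, .matchsize, .me … */
	.checkentry = gradm_mt_check,
};
```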
57426 diff -urNp linux-2.6.38.1/net/netlink/af_netlink.c linux-2.6.38.1/net/netlink/af_netlink.c
57427 --- linux-2.6.38.1/net/netlink/af_netlink.c 2011-03-14 21:20:32.000000000 -0400
57428 +++ linux-2.6.38.1/net/netlink/af_netlink.c 2011-03-21 18:31:35.000000000 -0400
57429 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
57430 struct netlink_sock *nlk = nlk_sk(s);
57432 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
57433 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57440 nlk->groups ? (u32)nlk->groups[0] : 0,
57441 sk_rmem_alloc_get(s),
57442 sk_wmem_alloc_get(s),
57443 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57448 atomic_read(&s->sk_refcnt),
57449 atomic_read(&s->sk_drops),
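Review bot: The pointer hiding in `netlink_seq_show` is done with an open-coded `#ifdef CONFIG_GRKERNSEC_HIDESYM` around individual `seq_printf` arguments, and the same pattern recurs in `packet_seq_show`, `pn_sock_seq_show`, `sctp_eps_seq_show`, `sctp_assocs_seq_show` and `unix_seq_show` further down. The substituted arguments are on lines not shown here, so their types cannot be checked against the unchanged `%p` conversions; each site must keep a pointer-typed argument (e.g. `NULL`) rather than an integer, or the format string has to change with it. This kernel series already has the `%pK` conversion gated by `kptr_restrict`, which would express the intent once in the format string; at minimum the repeated `#ifdef` blocks deserve a single helper or a comment naming what is hidden and why.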
57451 diff -urNp linux-2.6.38.1/net/netrom/af_netrom.c linux-2.6.38.1/net/netrom/af_netrom.c
57452 --- linux-2.6.38.1/net/netrom/af_netrom.c 2011-03-14 21:20:32.000000000 -0400
57453 +++ linux-2.6.38.1/net/netrom/af_netrom.c 2011-03-21 18:31:35.000000000 -0400
57454 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
57455 struct sock *sk = sock->sk;
57456 struct nr_sock *nr = nr_sk(sk);
57458 + memset(sax, 0, sizeof(*sax));
57461 if (sk->sk_state != TCP_ESTABLISHED) {
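Review bot: The new `memset(sax, 0, sizeof(*sax))` in `nr_getname` is what makes the later removal of `sax25_ndigis = 0` safe, but it covers both return paths only if `sax` is declared as a pointer to `struct full_sockaddr_ax25` (the declaration is above this hunk and not shown); a `struct sockaddr_ax25 *` would leave the digipeater part of the larger `uaddr_len` path uninitialized. Worth a comment on the memset: `/* clear the whole buffer so no stack bytes reach userspace on either uaddr_len path */`. nr_getname's body continues outside both hunks.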
57462 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
57463 *uaddr_len = sizeof(struct full_sockaddr_ax25);
57465 sax->fsa_ax25.sax25_family = AF_NETROM;
57466 - sax->fsa_ax25.sax25_ndigis = 0;
57467 sax->fsa_ax25.sax25_call = nr->source_addr;
57468 *uaddr_len = sizeof(struct sockaddr_ax25);
57470 diff -urNp linux-2.6.38.1/net/packet/af_packet.c linux-2.6.38.1/net/packet/af_packet.c
57471 --- linux-2.6.38.1/net/packet/af_packet.c 2011-03-14 21:20:32.000000000 -0400
57472 +++ linux-2.6.38.1/net/packet/af_packet.c 2011-03-21 18:31:35.000000000 -0400
57473 @@ -2134,7 +2134,7 @@ static int packet_getsockopt(struct sock
57474 case PACKET_HDRLEN:
57475 if (len > sizeof(int))
57477 - if (copy_from_user(&val, optval, len))
57478 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
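Review bot: In the `PACKET_HDRLEN` case the added `len > sizeof(val)` test sits right after `if (len > sizeof(int))`, whose body is on a line not shown and presumably clamps `len` to `sizeof(int)`; if `val` is an `int`, the new test can never fire and only documents intent. Tying the two together avoids silent drift if `val` ever changes type: use `if (len > sizeof(val))` on the clamp as well, or add a comment stating that the second check is deliberate belt-and-braces against a future edit of the clamp.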
57482 @@ -2172,7 +2172,7 @@ static int packet_getsockopt(struct sock
57484 if (put_user(len, optlen))
57486 - if (copy_to_user(optval, data, len))
57487 + if (len > sizeof(st) || copy_to_user(optval, data, len))
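Review bot: The new bound `len > sizeof(st)` guards a copy whose source is `data`, and in this function `data` appears to be set per option to different objects (the statistics struct for one case, an `int` for others), so the check is only tight for the largest one; a missed per-case clamp on a smaller object would still pass it. Carrying the object's size alongside `data` (a `data_len` assigned in each case arm, then `if (len > data_len || copy_to_user(optval, data, len))`) bounds every case exactly. The case arms are outside this hunk, so confirm which objects `data` can point at.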
57491 @@ -2684,7 +2684,11 @@ static int packet_seq_show(struct seq_fi
57494 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
57495 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57500 atomic_read(&s->sk_refcnt),
57503 diff -urNp linux-2.6.38.1/net/phonet/af_phonet.c linux-2.6.38.1/net/phonet/af_phonet.c
57504 --- linux-2.6.38.1/net/phonet/af_phonet.c 2011-03-14 21:20:32.000000000 -0400
57505 +++ linux-2.6.38.1/net/phonet/af_phonet.c 2011-03-21 18:31:35.000000000 -0400
57506 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
57508 struct phonet_protocol *pp;
57510 - if (protocol >= PHONET_NPROTO)
57511 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57515 @@ -463,7 +463,7 @@ int __init_or_module phonet_proto_regist
57519 - if (protocol >= PHONET_NPROTO)
57520 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57523 err = proto_register(pp->prot, 1);
57524 diff -urNp linux-2.6.38.1/net/phonet/socket.c linux-2.6.38.1/net/phonet/socket.c
57525 --- linux-2.6.38.1/net/phonet/socket.c 2011-03-14 21:20:32.000000000 -0400
57526 +++ linux-2.6.38.1/net/phonet/socket.c 2011-03-21 18:31:35.000000000 -0400
57527 @@ -637,7 +637,12 @@ static int pn_sock_seq_show(struct seq_f
57529 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
57530 sock_i_uid(sk), sock_i_ino(sk),
57531 - atomic_read(&sk->sk_refcnt), sk,
57532 + atomic_read(&sk->sk_refcnt),
57533 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57538 atomic_read(&sk->sk_drops), &len);
57540 seq_printf(seq, "%*s\n", 127 - len, "");
57541 diff -urNp linux-2.6.38.1/net/sctp/proc.c linux-2.6.38.1/net/sctp/proc.c
57542 --- linux-2.6.38.1/net/sctp/proc.c 2011-03-14 21:20:32.000000000 -0400
57543 +++ linux-2.6.38.1/net/sctp/proc.c 2011-03-21 18:31:35.000000000 -0400
57544 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
57545 sctp_for_each_hentry(epb, node, &head->chain) {
57548 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
57549 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
57550 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57555 sctp_sk(sk)->type, sk->sk_state, hash,
57556 epb->bind_addr.port,
57557 sock_i_uid(sk), sock_i_ino(sk));
57558 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
57560 "%8p %8p %-3d %-3d %-2d %-4d "
57561 "%4d %8d %8d %7d %5lu %-5d %5d ",
57562 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
57563 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57568 + sctp_sk(sk)->type, sk->sk_state,
57569 assoc->state, hash,
57571 assoc->sndbuf_used,
57572 diff -urNp linux-2.6.38.1/net/sctp/socket.c linux-2.6.38.1/net/sctp/socket.c
57573 --- linux-2.6.38.1/net/sctp/socket.c 2011-03-14 21:20:32.000000000 -0400
57574 +++ linux-2.6.38.1/net/sctp/socket.c 2011-03-21 18:31:35.000000000 -0400
57575 @@ -1496,7 +1496,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
57576 struct sctp_sndrcvinfo *sinfo;
57577 struct sctp_initmsg *sinit;
57578 sctp_assoc_t associd = 0;
57579 - sctp_cmsgs_t cmsgs = { NULL };
57580 + sctp_cmsgs_t cmsgs = { NULL, NULL };
57582 sctp_scope_t scope;
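Review bot: `sctp_cmsgs_t cmsgs = { NULL, NULL };` changes nothing semantically, since `{ NULL }` already zero-initialises the remaining members by the C rules; the gain is silencing `-Wmissing-field-initializers`. The same applies to the `{ "_stext", "_etext", 0, 0 }` rows added to `text_ranges` in scripts/kallsyms.c below. Designated initialisers, or a comment that the explicit trailing members exist for the warning, would keep the next maintainer from reading meaning into the extra values.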
57584 @@ -4435,7 +4435,7 @@ static int sctp_getsockopt_peer_addrs(st
57585 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
57586 if (space_left < addrlen)
57588 - if (copy_to_user(to, &temp, addrlen))
57589 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
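Review bot: `addrlen` here comes from `sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len`, a kernel-side table, so `addrlen > sizeof(temp)` can only be true if that table is wrong; folding it into the `copy_to_user` condition reports it to userspace as an ordinary fault and hides the kernel bug. Making the invariant visible is cheap: `if (WARN_ON_ONCE(addrlen > sizeof(temp)))` ahead of the copy, so the one-off condition lands in the log where it can be noticed. `sctp_getsockopt_peer_addrs` continues outside this hunk.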
57593 diff -urNp linux-2.6.38.1/net/socket.c linux-2.6.38.1/net/socket.c
57594 --- linux-2.6.38.1/net/socket.c 2011-03-14 21:20:32.000000000 -0400
57595 +++ linux-2.6.38.1/net/socket.c 2011-03-21 18:31:35.000000000 -0400
57597 #include <linux/nsproxy.h>
57598 #include <linux/magic.h>
57599 #include <linux/slab.h>
57600 +#include <linux/in.h>
57602 #include <asm/uaccess.h>
57603 #include <asm/unistd.h>
57604 @@ -105,6 +106,8 @@
57605 #include <linux/sockios.h>
57606 #include <linux/atalk.h>
57608 +#include <linux/grsock.h>
57610 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
57611 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
57612 unsigned long nr_segs, loff_t pos);
57613 @@ -326,7 +329,7 @@ static struct dentry *sockfs_mount(struc
57614 &sockfs_dentry_operations, SOCKFS_MAGIC);
57617 -static struct vfsmount *sock_mnt __read_mostly;
57618 +struct vfsmount *sock_mnt __read_mostly;
57620 static struct file_system_type sock_fs_type = {
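Review bot: Dropping `static` from `sock_mnt` gives it external linkage, but no `extern struct vfsmount *sock_mnt;` declaration appears in a header in this diff, and the same pattern shows up in security/commoncap.c, where `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is placed inside the .c file. Declarations shared across translation units belong in one header included by both the defining and the using file (here plausibly the new `<linux/grsock.h>`), otherwise the compiler cannot catch a type mismatch between them. If the declaration already lives in a header outside this chunk, a `/* exported for the grsecurity socket hooks */` comment on the definition would say why the symbol is no longer file-local.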
57622 @@ -1174,6 +1177,8 @@ int __sock_create(struct net *net, int f
57623 return -EAFNOSUPPORT;
57624 if (type < 0 || type >= SOCK_MAX)
57626 + if (protocol < 0)
57631 @@ -1306,6 +1311,16 @@ SYSCALL_DEFINE3(socket, int, family, int
57632 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
57633 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
57635 + if(!gr_search_socket(family, type, protocol)) {
57636 + retval = -EACCES;
57640 + if (gr_handle_sock_all(family, type, protocol)) {
57641 + retval = -EACCES;
57645 retval = sock_create(family, type, protocol, &sock);
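Review bot: The two new gates in `SYSCALL_DEFINE3(socket)` use opposite polarity — denial is `!gr_search_socket(...)` for one and `gr_handle_sock_all(...)` for the other — yet both collapse to `-EACCES`, so a reader cannot tell from this site which helper returns "allowed" and which returns "denied". A one-line comment per call stating its return convention, e.g. `/* gr_search_socket: non-zero means permitted */`, would remove the ambiguity; the same mixed polarity recurs in the bind, listen, accept4 and connect hunks below. Also `if(!gr_search_socket(...))` lacks the space after `if` that kernel style requires.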
57648 @@ -1418,6 +1433,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57650 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
57652 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
57656 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
57660 err = security_socket_bind(sock,
57661 (struct sockaddr *)&address,
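Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` casts the address to `struct sockaddr_in` before any family or length check is visible, and the `connect` hunk below does the same with `gr_search_connect(sock, (struct sockaddr_in *)sck)`. `move_addr_to_kernel` copies only `addrlen` bytes into `address`, so for a short or non-AF_INET address the `sin_port`/`sin_addr` fields the callee presumably reads are whatever was left in the stack object, and the policy decision is made on that. Unless the callees check `sa_family` and are told the length, pass `(struct sockaddr *)&address` together with `addrlen` and let them validate before reading IPv4 fields; if they already check the family internally, a comment here saying so is enough.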
57663 @@ -1426,6 +1449,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57664 (struct sockaddr *)
57665 &address, addrlen);
57668 fput_light(sock->file, fput_needed);
57671 @@ -1449,10 +1473,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
57672 if ((unsigned)backlog > somaxconn)
57673 backlog = somaxconn;
57675 + if (gr_handle_sock_server_other(sock->sk)) {
57680 + err = gr_search_listen(sock);
57684 err = security_socket_listen(sock, backlog);
57686 err = sock->ops->listen(sock, backlog);
57689 fput_light(sock->file, fput_needed);
57692 @@ -1496,6 +1530,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57693 newsock->type = sock->type;
57694 newsock->ops = sock->ops;
57696 + if (gr_handle_sock_server_other(sock->sk)) {
57698 + sock_release(newsock);
57702 + err = gr_search_accept(sock);
57704 + sock_release(newsock);
57709 * We don't need try_module_get here, as the listening socket (sock)
57710 * has the protocol module (sock->ops->owner) held.
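Review bot: Both new denial paths in `accept4` call `sock_release(newsock)` after `newsock->ops = sock->ops` has been set but before the `__module_get(newsock->ops->owner)` that the comment at the end of this hunk introduces. `sock_release()` calls `ops->release()` and `module_put(ops->owner)` whenever `ops` is non-NULL, so as far as this excerpt shows these paths drop a module reference that was never taken, leaving the protocol module's refcount one too low. Either move the two checks below the `__module_get` so the existing error-path convention holds, or set `newsock->ops = NULL;` before the release; the first keeps the function consistent with the `sock_alloc_file` failure path.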
57711 @@ -1534,6 +1580,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57712 fd_install(newfd, newfile);
57715 + gr_attach_curr_ip(newsock->sk);
57718 fput_light(sock->file, fput_needed);
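Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, and from that point the descriptor is visible to other threads of the process, which can `close()` it and drop the last reference to `newsock` while this call is still dereferencing it. The surrounding code touches nothing on `newsock` after `fd_install` for exactly this reason. Moving the call to just before `fd_install`, while the socket is still private to this path, removes the window; if the helper must run after installation, the reason belongs in a comment.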
57720 @@ -1566,6 +1614,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57723 struct socket *sock;
57724 + struct sockaddr *sck;
57725 struct sockaddr_storage address;
57726 int err, fput_needed;
57728 @@ -1576,6 +1625,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57732 + sck = (struct sockaddr *)&address;
57734 + if (gr_handle_sock_client(sck)) {
57739 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
57744 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
57746 diff -urNp linux-2.6.38.1/net/sunrpc/sched.c linux-2.6.38.1/net/sunrpc/sched.c
57747 --- linux-2.6.38.1/net/sunrpc/sched.c 2011-03-23 17:20:08.000000000 -0400
57748 +++ linux-2.6.38.1/net/sunrpc/sched.c 2011-03-23 17:21:51.000000000 -0400
57749 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
57751 static void rpc_task_set_debuginfo(struct rpc_task *task)
57753 - static atomic_t rpc_pid;
57754 + static atomic_unchecked_t rpc_pid;
57756 - task->tk_pid = atomic_inc_return(&rpc_pid);
57757 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
57760 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
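Review bot: `rpc_pid` becomes `atomic_unchecked_t`, opting the debug-id counter out of overflow checking, but nothing at the site records why wrap-around is acceptable here. The ima_api.c hunk below carries `/* can overflow, only indicator */` for the same kind of change; a matching `/* debug id only; wrap-around is harmless */` on the declaration documents the opt-out so it is not reverted to the checked type in a later cleanup.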
57761 diff -urNp linux-2.6.38.1/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.38.1/net/sunrpc/xprtrdma/svc_rdma.c
57762 --- linux-2.6.38.1/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-14 21:20:32.000000000 -0400
57763 +++ linux-2.6.38.1/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-21 18:31:35.000000000 -0400
57764 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
57768 - if (len && copy_to_user(buffer, str_buf, len))
57769 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
57773 diff -urNp linux-2.6.38.1/net/sysctl_net.c linux-2.6.38.1/net/sysctl_net.c
57774 --- linux-2.6.38.1/net/sysctl_net.c 2011-03-14 21:20:32.000000000 -0400
57775 +++ linux-2.6.38.1/net/sysctl_net.c 2011-03-21 18:31:35.000000000 -0400
57776 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
57777 struct ctl_table *table)
57779 /* Allow network administrator to have same access as root. */
57780 - if (capable(CAP_NET_ADMIN)) {
57781 + if (capable_nolog(CAP_NET_ADMIN)) {
57782 int mode = (table->mode >> 6) & 7;
57783 return (mode << 6) | (mode << 3) | mode;
57785 diff -urNp linux-2.6.38.1/net/tipc/socket.c linux-2.6.38.1/net/tipc/socket.c
57786 --- linux-2.6.38.1/net/tipc/socket.c 2011-03-14 21:20:32.000000000 -0400
57787 +++ linux-2.6.38.1/net/tipc/socket.c 2011-03-21 18:31:35.000000000 -0400
57788 @@ -1447,8 +1447,9 @@ static int connect(struct socket *sock,
57793 - ; /* leave "res" unchanged */
57795 + /* leave "res" unchanged */
57797 sock->state = SS_DISCONNECTING;
57800 diff -urNp linux-2.6.38.1/net/unix/af_unix.c linux-2.6.38.1/net/unix/af_unix.c
57801 --- linux-2.6.38.1/net/unix/af_unix.c 2011-03-14 21:20:32.000000000 -0400
57802 +++ linux-2.6.38.1/net/unix/af_unix.c 2011-03-21 18:31:35.000000000 -0400
57803 @@ -765,6 +765,12 @@ static struct sock *unix_find_other(stru
57804 err = -ECONNREFUSED;
57805 if (!S_ISSOCK(inode->i_mode))
57808 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
57813 u = unix_find_socket_byinode(inode);
57816 @@ -785,6 +791,13 @@ static struct sock *unix_find_other(stru
57818 struct dentry *dentry;
57819 dentry = unix_sk(u)->dentry;
57821 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
57828 touch_atime(unix_sk(u)->mnt, dentry);
57830 @@ -870,11 +883,18 @@ static int unix_bind(struct socket *sock
57831 err = security_path_mknod(&nd.path, dentry, mode, 0);
57833 goto out_mknod_drop_write;
57834 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
57836 + goto out_mknod_drop_write;
57838 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
57839 out_mknod_drop_write:
57840 mnt_drop_write(nd.path.mnt);
57842 goto out_mknod_dput;
57844 + gr_handle_create(dentry, nd.path.mnt);
57846 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
57847 dput(nd.path.dentry);
57848 nd.path.dentry = dentry;
57849 @@ -892,6 +912,11 @@ out_mknod_drop_write:
57853 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57854 + put_pid(sk->sk_peer_pid);
57855 + sk->sk_peer_pid = get_pid(task_tgid(current));
57858 list = &unix_socket_table[addr->hash];
57860 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
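Review bot: In the `CONFIG_GRKERNSEC_CHROOT_UNIX` block of `unix_bind`, `put_pid(sk->sk_peer_pid)` releases the old reference before the new one is installed, so between the two statements `sk->sk_peer_pid` points at a possibly-freed pid; whether another context can observe it depends on locking not visible here. Taking the new reference first is the safe order regardless: `struct pid *old = sk->sk_peer_pid; sk->sk_peer_pid = get_pid(task_tgid(current)); put_pid(old);`. A short comment on why a bound socket's peer pid is rewritten to the current task would also help the next reader.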
57861 @@ -2235,7 +2260,11 @@ static int unix_seq_show(struct seq_file
57862 unix_state_lock(s);
57864 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
57865 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57870 atomic_read(&s->sk_refcnt),
57872 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
57873 diff -urNp linux-2.6.38.1/net/wireless/reg.c linux-2.6.38.1/net/wireless/reg.c
57874 --- linux-2.6.38.1/net/wireless/reg.c 2011-03-14 21:20:32.000000000 -0400
57875 +++ linux-2.6.38.1/net/wireless/reg.c 2011-03-21 18:31:35.000000000 -0400
57877 printk(KERN_DEBUG pr_fmt(format), ##args); \
57880 -#define REG_DBG_PRINT(args...)
57881 +#define REG_DBG_PRINT(args...) do {} while (0)
57884 /* Receipt of information from last regulatory request */
57885 diff -urNp linux-2.6.38.1/net/wireless/wext-core.c linux-2.6.38.1/net/wireless/wext-core.c
57886 --- linux-2.6.38.1/net/wireless/wext-core.c 2011-03-14 21:20:32.000000000 -0400
57887 +++ linux-2.6.38.1/net/wireless/wext-core.c 2011-03-21 18:31:35.000000000 -0400
57888 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
57891 /* Support for very large requests */
57892 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
57893 - (user_length > descr->max_tokens)) {
57894 + if (user_length > descr->max_tokens) {
57895 /* Allow userspace to GET more than max so
57896 * we can support any size GET requests.
57897 * There is still a limit : -ENOMEM.
57898 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
57902 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
57904 - * If this is a GET, but not NOMAX, it means that the extra
57905 - * data is not bounded by userspace, but by max_tokens. Thus
57906 - * set the length to max_tokens. This matches the extra data
57908 - * The driver should fill it with the number of tokens it
57909 - * provided, and it may check iwp->length rather than having
57910 - * knowledge of max_tokens. If the driver doesn't change the
57911 - * iwp->length, this ioctl just copies back max_token tokens
57912 - * filled with zeroes. Hopefully the driver isn't claiming
57913 - * them to be valid data.
57915 - iwp->length = descr->max_tokens;
57918 err = handler(dev, info, (union iwreq_data *) iwp, extra);
57920 iwp->length += essid_compat;
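Review bot: Removing the `IW_IS_GET(cmd) && !NOMAX` block means that for a GET without `IW_DESCR_FLAG_NOMAX`, `iwp->length` is no longer capped at `descr->max_tokens` before `handler()` runs, so a driver that leaves `iwp->length` untouched now determines the copy-back size from the user-supplied length instead of the descriptor. Together with the first hunk, which now lets any request exceed `max_tokens`, this is safe only if the `extra` allocation between the two hunks is sized from `user_length` and every copy back to userspace is bounded by that allocation; those lines are not shown. The removed comment explained the previous bound, and the new code should carry an equivalent one stating the invariant the copy-back relies on, e.g. `/* extra is sized to the larger of user_length and max_tokens; copy-back is bounded by it */` — adjusted to whatever the allocation actually does.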
57921 diff -urNp linux-2.6.38.1/net/x25/x25_facilities.c linux-2.6.38.1/net/x25/x25_facilities.c
57922 --- linux-2.6.38.1/net/x25/x25_facilities.c 2011-03-14 21:20:32.000000000 -0400
57923 +++ linux-2.6.38.1/net/x25/x25_facilities.c 2011-03-21 18:31:35.000000000 -0400
57924 @@ -167,7 +167,8 @@ int x25_parse_facilities(struct sk_buff
57927 printk(KERN_DEBUG "X.25: unknown facility %02X,"
57928 - "length %d\n", p[0], p[1]);
57929 + "length %d, values %02X, %02X\n",
57930 + p[0], p[1], p[2], p[3]);
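Review bot: The extended debug message in `x25_parse_facilities` reads `p[2]` and `p[3]` unconditionally, but the facility's own length byte `p[1]` is what the surrounding parser validates against the remaining buffer (that check is above this hunk and not shown); a facility with `p[1]` of 0 or 1 makes these two reads step past the validated span of packet data. Since this is network input, guard the extra bytes by the encoded length — print them only `if (p[1] >= 2)` and keep the two-value message otherwise, or clamp against the remaining `len`. The enclosing function continues outside this hunk.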
57934 diff -urNp linux-2.6.38.1/net/xfrm/xfrm_policy.c linux-2.6.38.1/net/xfrm/xfrm_policy.c
57935 --- linux-2.6.38.1/net/xfrm/xfrm_policy.c 2011-03-14 21:20:32.000000000 -0400
57936 +++ linux-2.6.38.1/net/xfrm/xfrm_policy.c 2011-03-21 18:31:35.000000000 -0400
57937 @@ -1507,7 +1507,7 @@ free_dst:
57943 xfrm_dst_alloc_copy(void **target, void *src, int size)
57946 @@ -1519,7 +1519,7 @@ xfrm_dst_alloc_copy(void **target, void
57952 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
57954 #ifdef CONFIG_XFRM_SUB_POLICY
57955 @@ -1531,7 +1531,7 @@ xfrm_dst_update_parent(struct dst_entry
57961 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
57963 #ifdef CONFIG_XFRM_SUB_POLICY
57964 diff -urNp linux-2.6.38.1/scripts/basic/fixdep.c linux-2.6.38.1/scripts/basic/fixdep.c
57965 --- linux-2.6.38.1/scripts/basic/fixdep.c 2011-03-14 21:20:32.000000000 -0400
57966 +++ linux-2.6.38.1/scripts/basic/fixdep.c 2011-03-21 18:31:35.000000000 -0400
57967 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
57969 static void parse_config_file(const char *map, size_t len)
57971 - const int *end = (const int *) (map + len);
57972 + const unsigned int *end = (const unsigned int *) (map + len);
57973 /* start at +1, so that p can never be < map */
57974 - const int *m = (const int *) map + 1;
57975 + const unsigned int *m = (const unsigned int *) map + 1;
57978 for (; m < end; m++) {
57979 @@ -405,7 +405,7 @@ static void print_deps(void)
57980 static void traps(void)
57982 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
57983 - int *p = (int *)test;
57984 + unsigned int *p = (unsigned int *)test;
57986 if (*p != INT_CONF) {
57987 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
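Review bot: `unsigned int *p = (unsigned int *)test;` fixes the signedness but keeps the read of a `char` array through an `unsigned int *`, which is the strict-aliasing pattern compilers may miscompile; the `aligned` attribute addresses alignment, not aliasing. Since the line is being touched anyway, `unsigned int v; memcpy(&v, test, sizeof v);` followed by `if (v != INT_CONF)` expresses the same size/endianness probe without the cast. `traps` continues outside this hunk.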
57988 diff -urNp linux-2.6.38.1/scripts/kallsyms.c linux-2.6.38.1/scripts/kallsyms.c
57989 --- linux-2.6.38.1/scripts/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
57990 +++ linux-2.6.38.1/scripts/kallsyms.c 2011-03-21 18:31:35.000000000 -0400
57991 @@ -43,10 +43,10 @@ struct text_range {
57993 static unsigned long long _text;
57994 static struct text_range text_ranges[] = {
57995 - { "_stext", "_etext" },
57996 - { "_sinittext", "_einittext" },
57997 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
57998 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
57999 + { "_stext", "_etext", 0, 0 },
58000 + { "_sinittext", "_einittext", 0, 0 },
58001 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
58002 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
58004 #define text_range_text (&text_ranges[0])
58005 #define text_range_inittext (&text_ranges[1])
58006 diff -urNp linux-2.6.38.1/scripts/mod/file2alias.c linux-2.6.38.1/scripts/mod/file2alias.c
58007 --- linux-2.6.38.1/scripts/mod/file2alias.c 2011-03-14 21:20:32.000000000 -0400
58008 +++ linux-2.6.38.1/scripts/mod/file2alias.c 2011-03-21 18:31:35.000000000 -0400
58009 @@ -72,7 +72,7 @@ static void device_id_check(const char *
58010 unsigned long size, unsigned long id_size,
58016 if (size % id_size || size < id_size) {
58017 if (cross_build != 0)
58018 @@ -102,7 +102,7 @@ static void device_id_check(const char *
58019 /* USB is special because the bcdDevice can be matched against a numeric range */
58020 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
58021 static void do_usb_entry(struct usb_device_id *id,
58022 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
58023 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
58024 unsigned char range_lo, unsigned char range_hi,
58025 unsigned char max, struct module *mod)
58027 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
58028 for (i = 0; i < count; i++) {
58029 const char *id = (char *)devs[i].id;
58030 char acpi_id[sizeof(devs[0].id)];
58034 buf_printf(&mod->dev_table_buf,
58035 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
58036 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
58038 for (j = 0; j < PNP_MAX_DEVICES; j++) {
58039 const char *id = (char *)card->devs[j].id;
58041 + unsigned int i2, j2;
58045 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
58046 /* add an individual alias for every device entry */
58048 char acpi_id[sizeof(card->devs[0].id)];
58052 buf_printf(&mod->dev_table_buf,
58053 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
58054 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
58055 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
58059 + unsigned int i, j;
58061 sprintf(alias, "dmi*");
58063 diff -urNp linux-2.6.38.1/scripts/mod/modpost.c linux-2.6.38.1/scripts/mod/modpost.c
58064 --- linux-2.6.38.1/scripts/mod/modpost.c 2011-03-14 21:20:32.000000000 -0400
58065 +++ linux-2.6.38.1/scripts/mod/modpost.c 2011-03-21 18:31:35.000000000 -0400
58066 @@ -896,6 +896,7 @@ enum mismatch {
58067 ANY_INIT_TO_ANY_EXIT,
58068 ANY_EXIT_TO_ANY_INIT,
58069 EXPORT_TO_INIT_EXIT,
58073 struct sectioncheck {
58074 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
58075 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
58076 .mismatch = EXPORT_TO_INIT_EXIT,
58077 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
58079 +/* Do not reference code from writable data */
58081 + .fromsec = { DATA_SECTIONS, NULL },
58082 + .tosec = { TEXT_SECTIONS, NULL },
58083 + .mismatch = DATA_TO_TEXT
58087 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
58089 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
58091 - if (sym->st_value == addr)
58093 /* Find a symbol nearby - addr are maybe negative */
58094 d = sym->st_value - addr;
58098 d = addr - sym->st_value;
58099 if (d < distance) {
58100 @@ -1401,6 +1408,14 @@ static void report_sec_mismatch(const ch
58101 tosym, prl_to, prl_to, tosym);
58104 + case DATA_TO_TEXT:
58107 + "The variable %s references\n"
58108 + "the %s %s%s%s\n",
58109 + fromsym, to, sec2annotation(tosec), tosym, to_p);
58113 fprintf(stderr, "\n");
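Review bot: The new `DATA_TO_TEXT` case in `report_sec_mismatch` prints only the relationship ("The variable %s references the %s …") and stops, whereas the other cases in this function, not shown here, typically follow the description with a sentence saying what the usual fix is. Without that, a maintainer hitting the new warning has to work out on their own that the expected remedy is to make the referencing object read-only (or whitelist it); add a follow-up line in the same style, e.g. `"Writable data must not point at code; make %s const or move it to a read-only section.\n"` with `fromsym` as the argument. The new `sectioncheck` entry above also omits the `.symbol_white_list` the neighbouring entries set explicitly — fine if the zero-initialised list is intended, but worth a comment.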
58115 @@ -1724,7 +1739,7 @@ void __attribute__((format(printf, 2, 3)
58119 -void buf_write(struct buffer *buf, const char *s, int len)
58120 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
58122 if (buf->size - buf->pos < len) {
58123 buf->size += len + SZ;
58124 @@ -1936,7 +1951,7 @@ static void write_if_changed(struct buff
58125 if (fstat(fileno(file), &st) < 0)
58128 - if (st.st_size != b->pos)
58129 + if (st.st_size != (off_t)b->pos)
58132 tmp = NOFAIL(malloc(b->pos));
58133 diff -urNp linux-2.6.38.1/scripts/mod/modpost.h linux-2.6.38.1/scripts/mod/modpost.h
58134 --- linux-2.6.38.1/scripts/mod/modpost.h 2011-03-14 21:20:32.000000000 -0400
58135 +++ linux-2.6.38.1/scripts/mod/modpost.h 2011-03-21 18:31:35.000000000 -0400
58136 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
58142 + unsigned int pos;
58143 + unsigned int size;
58146 void __attribute__((format(printf, 2, 3)))
58147 buf_printf(struct buffer *buf, const char *fmt, ...);
58150 -buf_write(struct buffer *buf, const char *s, int len);
58151 +buf_write(struct buffer *buf, const char *s, unsigned int len);
58154 struct module *next;
58155 diff -urNp linux-2.6.38.1/scripts/mod/sumversion.c linux-2.6.38.1/scripts/mod/sumversion.c
58156 --- linux-2.6.38.1/scripts/mod/sumversion.c 2011-03-14 21:20:32.000000000 -0400
58157 +++ linux-2.6.38.1/scripts/mod/sumversion.c 2011-03-21 18:31:35.000000000 -0400
58158 @@ -470,7 +470,7 @@ static void write_version(const char *fi
58162 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
58163 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
58164 warn("writing sum in %s failed: %s\n",
58165 filename, strerror(errno));
58167 diff -urNp linux-2.6.38.1/scripts/pnmtologo.c linux-2.6.38.1/scripts/pnmtologo.c
58168 --- linux-2.6.38.1/scripts/pnmtologo.c 2011-03-14 21:20:32.000000000 -0400
58169 +++ linux-2.6.38.1/scripts/pnmtologo.c 2011-03-21 18:31:35.000000000 -0400
58170 @@ -237,14 +237,14 @@ static void write_header(void)
58171 fprintf(out, " * Linux logo %s\n", logoname);
58172 fputs(" */\n\n", out);
58173 fputs("#include <linux/linux_logo.h>\n\n", out);
58174 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
58175 + fprintf(out, "static unsigned char %s_data[] = {\n",
58179 static void write_footer(void)
58181 fputs("\n};\n\n", out);
58182 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
58183 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
58184 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
58185 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
58186 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
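Review bot: Dropping `__initdata` from the generated `%s_data[]` array (and `__initconst`/`__initdata` from the logo struct and the `%s_clut[]` array in this and the next hunk) means the boot logo and its palette stay resident for the kernel's lifetime instead of being freed with init memory. Nothing in `write_header` records why this trade-off was made, and since the generated header is what people read, emitting a short `/* not __initdata: … */` comment alongside the array via `fputs`, or at least a comment in `write_header`, would keep the annotations from being re-added in a later cleanup.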
58187 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
58188 fputs("\n};\n\n", out);
58190 /* write logo clut */
58191 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
58192 + fprintf(out, "static unsigned char %s_clut[] = {\n",
58195 for (i = 0; i < logo_clutsize; i++) {
58196 diff -urNp linux-2.6.38.1/security/apparmor/lsm.c linux-2.6.38.1/security/apparmor/lsm.c
58197 --- linux-2.6.38.1/security/apparmor/lsm.c 2011-03-14 21:20:32.000000000 -0400
58198 +++ linux-2.6.38.1/security/apparmor/lsm.c 2011-03-21 18:31:35.000000000 -0400
58199 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
58203 -static struct security_operations apparmor_ops = {
58204 +static struct security_operations apparmor_ops __read_only = {
58205 .name = "apparmor",
58207 .ptrace_access_check = apparmor_ptrace_access_check,
58208 diff -urNp linux-2.6.38.1/security/commoncap.c linux-2.6.38.1/security/commoncap.c
58209 --- linux-2.6.38.1/security/commoncap.c 2011-03-14 21:20:32.000000000 -0400
58210 +++ linux-2.6.38.1/security/commoncap.c 2011-03-21 18:31:35.000000000 -0400
58212 #include <linux/prctl.h>
58213 #include <linux/securebits.h>
58214 // #include <linux/vs_context.h>
58215 +#include <net/sock.h>
58218 * If a non-root user executes a setuid-root binary in
58219 @@ -50,9 +51,11 @@ static void warn_setuid_and_fcaps_mixed(
58223 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
58225 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
58227 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
58228 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
58232 @@ -534,6 +537,9 @@ int cap_bprm_secureexec(struct linux_bin
58234 const struct cred *cred = current_cred();
58236 + if (gr_acl_enable_at_secure())
58239 if (cred->uid != 0) {
58240 if (bprm->cap_effective)
58242 diff -urNp linux-2.6.38.1/security/integrity/ima/ima_api.c linux-2.6.38.1/security/integrity/ima/ima_api.c
58243 --- linux-2.6.38.1/security/integrity/ima/ima_api.c 2011-03-14 21:20:32.000000000 -0400
58244 +++ linux-2.6.38.1/security/integrity/ima/ima_api.c 2011-03-21 18:31:35.000000000 -0400
58245 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
58248 /* can overflow, only indicator */
58249 - atomic_long_inc(&ima_htable.violations);
58250 + atomic_long_inc_unchecked(&ima_htable.violations);
58252 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
58254 diff -urNp linux-2.6.38.1/security/integrity/ima/ima_fs.c linux-2.6.38.1/security/integrity/ima/ima_fs.c
58255 --- linux-2.6.38.1/security/integrity/ima/ima_fs.c 2011-03-14 21:20:32.000000000 -0400
58256 +++ linux-2.6.38.1/security/integrity/ima/ima_fs.c 2011-03-21 18:31:35.000000000 -0400
58257 @@ -28,12 +28,12 @@
58258 static int valid_policy = 1;
58259 #define TMPBUFLEN 12
58260 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
58261 - loff_t *ppos, atomic_long_t *val)
58262 + loff_t *ppos, atomic_long_unchecked_t *val)
58264 char tmpbuf[TMPBUFLEN];
58267 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
58268 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
58269 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
58272 diff -urNp linux-2.6.38.1/security/integrity/ima/ima.h linux-2.6.38.1/security/integrity/ima/ima.h
58273 --- linux-2.6.38.1/security/integrity/ima/ima.h 2011-03-14 21:20:32.000000000 -0400
58274 +++ linux-2.6.38.1/security/integrity/ima/ima.h 2011-03-21 18:31:35.000000000 -0400
58275 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
58276 extern spinlock_t ima_queue_lock;
58278 struct ima_h_table {
58279 - atomic_long_t len; /* number of stored measurements in the list */
58280 - atomic_long_t violations;
58281 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
58282 + atomic_long_unchecked_t violations;
58283 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
58285 extern struct ima_h_table ima_htable;
58286 diff -urNp linux-2.6.38.1/security/integrity/ima/ima_queue.c linux-2.6.38.1/security/integrity/ima/ima_queue.c
58287 --- linux-2.6.38.1/security/integrity/ima/ima_queue.c 2011-03-14 21:20:32.000000000 -0400
58288 +++ linux-2.6.38.1/security/integrity/ima/ima_queue.c 2011-03-21 18:31:35.000000000 -0400
58289 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
58290 INIT_LIST_HEAD(&qe->later);
58291 list_add_tail_rcu(&qe->later, &ima_measurements);
58293 - atomic_long_inc(&ima_htable.len);
58294 + atomic_long_inc_unchecked(&ima_htable.len);
58295 key = ima_hash_key(entry->digest);
58296 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
58298 diff -urNp linux-2.6.38.1/security/Kconfig linux-2.6.38.1/security/Kconfig
58299 --- linux-2.6.38.1/security/Kconfig 2011-03-14 21:20:32.000000000 -0400
58300 +++ linux-2.6.38.1/security/Kconfig 2011-03-21 18:31:35.000000000 -0400
58303 menu "Security options"
58305 +source grsecurity/Kconfig
58309 + config ARCH_TRACK_EXEC_LIMIT
58312 + config PAX_PER_CPU_PGD
58315 + config TASK_SIZE_MAX_SHIFT
58317 + depends on X86_64
58318 + default 47 if !PAX_PER_CPU_PGD
58319 + default 42 if PAX_PER_CPU_PGD
58321 + config PAX_ENABLE_PAE
58323 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
58326 + bool "Enable various PaX features"
58327 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
58329 + This allows you to enable various PaX features. PaX adds
58330 + intrusion prevention mechanisms to the kernel that reduce
58331 + the risks posed by exploitable memory corruption bugs.
58333 +menu "PaX Control"
58336 +config PAX_SOFTMODE
58337 + bool 'Support soft mode'
58338 + select PAX_PT_PAX_FLAGS
58340 + Enabling this option will allow you to run PaX in soft mode, that
58341 + is, PaX features will not be enforced by default, only on executables
58342 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
58343 + is the only way to mark executables for soft mode use.
58345 + Soft mode can be activated by using the "pax_softmode=1" kernel command
58346 + line option on boot. Furthermore you can control various PaX features
58347 + at runtime via the entries in /proc/sys/kernel/pax.
58350 + bool 'Use legacy ELF header marking'
58352 + Enabling this option will allow you to control PaX features on
58353 + a per executable basis via the 'chpax' utility available at
58354 + http://pax.grsecurity.net/. The control flags will be read from
58355 + an otherwise reserved part of the ELF header. This marking has
58356 + numerous drawbacks (no support for soft-mode, toolchain does not
58357 + know about the non-standard use of the ELF header) therefore it
58358 + has been deprecated in favour of PT_PAX_FLAGS support.
58360 + If you have applications not marked by the PT_PAX_FLAGS ELF
58361 + program header then you MUST enable this option otherwise they
58362 + will not get any protection.
58364 + Note that if you enable PT_PAX_FLAGS marking support as well,
58365 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
58367 +config PAX_PT_PAX_FLAGS
58368 + bool 'Use ELF program header marking'
58370 + Enabling this option will allow you to control PaX features on
58371 + a per executable basis via the 'paxctl' utility available at
58372 + http://pax.grsecurity.net/. The control flags will be read from
58373 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
58374 + has the benefits of supporting both soft mode and being fully
58375 + integrated into the toolchain (the binutils patch is available
58376 + from http://pax.grsecurity.net).
58378 + If you have applications not marked by the PT_PAX_FLAGS ELF
58379 + program header then you MUST enable the EI_PAX marking support
58380 + otherwise they will not get any protection.
58382 + Note that if you enable the legacy EI_PAX marking support as well,
58383 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
58386 + prompt 'MAC system integration'
58387 + default PAX_HAVE_ACL_FLAGS
58389 + Mandatory Access Control systems have the option of controlling
58390 + PaX flags on a per executable basis, choose the method supported
58391 + by your particular system.
58393 + - "none": if your MAC system does not interact with PaX,
58394 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
58395 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
58397 + NOTE: this option is for developers/integrators only.
58399 + config PAX_NO_ACL_FLAGS
58402 + config PAX_HAVE_ACL_FLAGS
58405 + config PAX_HOOK_ACL_FLAGS
58411 +menu "Non-executable pages"
58415 + bool "Enforce non-executable pages"
58416 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
58418 + By design some architectures do not allow for protecting memory
58419 + pages against execution or even if they do, Linux does not make
58420 + use of this feature. In practice this means that if a page is
58421 + readable (such as the stack or heap) it is also executable.
58423 + There is a well known exploit technique that makes use of this
58424 + fact and a common programming mistake where an attacker can
58425 + introduce code of his choice somewhere in the attacked program's
58426 + memory (typically the stack or the heap) and then execute it.
58428 + If the attacked program was running with different (typically
58429 + higher) privileges than that of the attacker, then he can elevate
58430 + his own privilege level (e.g. get a root shell, write to files for
58431 + which he does not have write access to, etc).
58433 + Enabling this option will let you choose from various features
58434 + that prevent the injection and execution of 'foreign' code in
58437 + This will also break programs that rely on the old behaviour and
58438 + expect that dynamically allocated memory via the malloc() family
58439 + of functions is executable (which it is not). Notable examples
58440 + are the XFree86 4.x server, the java runtime and wine.
58442 +config PAX_PAGEEXEC
58443 + bool "Paging based non-executable pages"
58444 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
58445 + select S390_SWITCH_AMODE if S390
58446 + select S390_EXEC_PROTECT if S390
58447 + select ARCH_TRACK_EXEC_LIMIT if X86_32
58449 + This implementation is based on the paging feature of the CPU.
58450 + On i386 without hardware non-executable bit support there is a
58451 + variable but usually low performance impact, however on Intel's
58452 + P4 core based CPUs it is very high so you should not enable this
58453 + for kernels meant to be used on such CPUs.
58455 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
58456 + with hardware non-executable bit support there is no performance
58457 + impact, on ppc the impact is negligible.
58459 + Note that several architectures require various emulations due to
58460 + badly designed userland ABIs, this will cause a performance impact
58461 + but will disappear as soon as userland is fixed. For example, ppc
58462 + userland MUST have been built with secure-plt by a recent toolchain.
58464 +config PAX_SEGMEXEC
58465 + bool "Segmentation based non-executable pages"
58466 + depends on PAX_NOEXEC && X86_32
58468 + This implementation is based on the segmentation feature of the
58469 + CPU and has a very small performance impact, however applications
58470 + will be limited to a 1.5 GB address space instead of the normal
58473 +config PAX_EMUTRAMP
58474 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
58475 + default y if PARISC
58477 + There are some programs and libraries that for one reason or
58478 + another attempt to execute special small code snippets from
58479 + non-executable memory pages. Most notable examples are the
58480 + signal handler return code generated by the kernel itself and
58481 + the GCC trampolines.
58483 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
58484 + such programs will no longer work under your kernel.
58486 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
58487 + utilities to enable trampoline emulation for the affected programs
58488 + yet still have the protection provided by the non-executable pages.
58490 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
58491 + your system will not even boot.
58493 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
58494 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
58495 + for the affected files.
58497 + NOTE: enabling this feature *may* open up a loophole in the
58498 + protection provided by non-executable pages that an attacker
58499 + could abuse. Therefore the best solution is to not have any
58500 + files on your system that would require this option. This can
58501 + be achieved by not using libc5 (which relies on the kernel
58502 + signal handler return code) and not using or rewriting programs
58503 + that make use of the nested function implementation of GCC.
58504 + Skilled users can just fix GCC itself so that it implements
58505 + nested function calls in a way that does not interfere with PaX.
58507 +config PAX_EMUSIGRT
58508 + bool "Automatically emulate sigreturn trampolines"
58509 + depends on PAX_EMUTRAMP && PARISC
58512 + Enabling this option will have the kernel automatically detect
58513 + and emulate signal return trampolines executing on the stack
58514 + that would otherwise lead to task termination.
58516 + This solution is intended as a temporary one for users with
58517 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
58518 + Modula-3 runtime, etc) or executables linked to such, basically
58519 + everything that does not specify its own SA_RESTORER function in
58520 + normal executable memory like glibc 2.1+ does.
58522 + On parisc you MUST enable this option, otherwise your system will
58525 + NOTE: this feature cannot be disabled on a per executable basis
58526 + and since it *does* open up a loophole in the protection provided
58527 + by non-executable pages, the best solution is to not have any
58528 + files on your system that would require this option.
58530 +config PAX_MPROTECT
58531 + bool "Restrict mprotect()"
58532 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
58534 + Enabling this option will prevent programs from
58535 + - changing the executable status of memory pages that were
58536 + not originally created as executable,
58537 + - making read-only executable pages writable again,
58538 + - creating executable pages from anonymous memory,
58539 + - making read-only-after-relocations (RELRO) data pages writable again.
58541 + You should say Y here to complete the protection provided by
58542 + the enforcement of non-executable pages.
58544 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58545 + this feature on a per file basis.
58547 +config PAX_MPROTECT_COMPAT
58548 + bool "Use legacy/compat protection demoting (read help)"
58549 + depends on PAX_MPROTECT
58552 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
58553 + by sending the proper error code to the application. For some broken
58554 + userland, this can cause problems with Python or other applications. The
58555 + current implementation however allows for applications like clamav to
58556 + detect if JIT compilation/execution is allowed and to fall back gracefully
58557 + to an interpreter-based mode if it does not. While we encourage everyone
58558 + to use the current implementation as-is and push upstream to fix broken
58559 + userland (note that the RWX logging option can assist with this), in some
58560 + environments this may not be possible. Having to disable MPROTECT
58561 + completely on certain binaries reduces the security benefit of PaX,
58562 + so this option is provided for those environments to revert to the old
58565 +config PAX_ELFRELOCS
58566 + bool "Allow ELF text relocations (read help)"
58567 + depends on PAX_MPROTECT
58570 + Non-executable pages and mprotect() restrictions are effective
58571 + in preventing the introduction of new executable code into an
58572 + attacked task's address space. There remain only two venues
58573 + for this kind of attack: if the attacker can execute already
58574 + existing code in the attacked task then he can either have it
58575 + create and mmap() a file containing his code or have it mmap()
58576 + an already existing ELF library that does not have position
58577 + independent code in it and use mprotect() on it to make it
58578 + writable and copy his code there. While protecting against
58579 + the former approach is beyond PaX, the latter can be prevented
58580 + by having only PIC ELF libraries on one's system (which do not
58581 + need to relocate their code). If you are sure this is your case,
58582 + as is the case with all modern Linux distributions, then leave
58583 + this option disabled. You should say 'n' here.
58585 +config PAX_ETEXECRELOCS
58586 + bool "Allow ELF ET_EXEC text relocations"
58587 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
58588 + select PAX_ELFRELOCS
58591 + On some architectures there are incorrectly created applications
58592 + that require text relocations and would not work without enabling
58593 + this option. If you are an alpha, ia64 or parisc user, you should
58594 + enable this option and disable it once you have made sure that
58595 + none of your applications need it.
58598 + bool "Automatically emulate ELF PLT"
58599 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
58602 + Enabling this option will have the kernel automatically detect
58603 + and emulate the Procedure Linkage Table entries in ELF files.
58604 + On some architectures such entries are in writable memory, and
58605 + become non-executable leading to task termination. Therefore
58606 + it is mandatory that you enable this option on alpha, parisc,
58607 + sparc and sparc64, otherwise your system would not even boot.
58609 + NOTE: this feature *does* open up a loophole in the protection
58610 + provided by the non-executable pages, therefore the proper
58611 + solution is to modify the toolchain to produce a PLT that does
58612 + not need to be writable.
58614 +config PAX_DLRESOLVE
58615 + bool 'Emulate old glibc resolver stub'
58616 + depends on PAX_EMUPLT && SPARC
58619 + This option is needed if userland has an old glibc (before 2.4)
58620 + that puts a 'save' instruction into the runtime generated resolver
58621 + stub that needs special emulation.
58623 +config PAX_KERNEXEC
58624 + bool "Enforce non-executable kernel pages"
58625 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
58626 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
58628 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
58629 + that is, enabling this option will make it harder to inject
58630 + and execute 'foreign' code in kernel memory itself.
58632 +config PAX_KERNEXEC_MODULE_TEXT
58633 + int "Minimum amount of memory reserved for module code"
58635 + depends on PAX_KERNEXEC && X86_32 && MODULES
58637 + Due to implementation details the kernel must reserve a fixed
58638 + amount of memory for module code at compile time that cannot be
58639 + changed at runtime. Here you can specify the minimum amount
58640 + in MB that will be reserved. Due to the same implementation
58641 + details this size will always be rounded up to the next 2/4 MB
58642 + boundary (depends on PAE) so the actually available memory for
58643 + module code will usually be more than this minimum.
58645 + The default 4 MB should be enough for most users but if you have
58646 + an excessive number of modules (e.g., most distribution configs
58647 + compile many drivers as modules) or use huge modules such as
58648 + nvidia's kernel driver, you will need to adjust this amount.
58649 + A good rule of thumb is to look at your currently loaded kernel
58650 + modules and add up their sizes.
58654 +menu "Address Space Layout Randomization"
58658 + bool "Address Space Layout Randomization"
58659 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
58661 + Many if not most exploit techniques rely on the knowledge of
58662 + certain addresses in the attacked program. The following options
58663 + will allow the kernel to apply a certain amount of randomization
58664 + to specific parts of the program thereby forcing an attacker to
58665 + guess them in most cases. Any failed guess will most likely crash
58666 + the attacked program which allows the kernel to detect such attempts
58667 + and react on them. PaX itself provides no reaction mechanisms,
58668 + instead it is strongly encouraged that you make use of Nergal's
58669 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
58670 + (http://www.grsecurity.net/) built-in crash detection features or
58671 + develop one yourself.
58673 + By saying Y here you can choose to randomize the following areas:
58674 + - top of the task's kernel stack
58675 + - top of the task's userland stack
58676 + - base address for mmap() requests that do not specify one
58677 + (this includes all libraries)
58678 + - base address of the main executable
58680 + It is strongly recommended to say Y here as address space layout
58681 + randomization has negligible impact on performance yet it provides
58682 + a very effective protection.
58684 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58685 + this feature on a per file basis.
58687 +config PAX_RANDKSTACK
58688 + bool "Randomize kernel stack base"
58689 + depends on PAX_ASLR && X86_TSC && X86_32
58691 + By saying Y here the kernel will randomize every task's kernel
58692 + stack on every system call. This will not only force an attacker
58693 + to guess it but also prevent him from making use of possible
58694 + leaked information about it.
58696 + Since the kernel stack is a rather scarce resource, randomization
58697 + may cause unexpected stack overflows, therefore you should very
58698 + carefully test your system. Note that once enabled in the kernel
58699 + configuration, this feature cannot be disabled on a per file basis.
58701 +config PAX_RANDUSTACK
58702 + bool "Randomize user stack base"
58703 + depends on PAX_ASLR
58705 + By saying Y here the kernel will randomize every task's userland
58706 + stack. The randomization is done in two steps where the second
58707 + one may apply a big amount of shift to the top of the stack and
58708 + cause problems for programs that want to use lots of memory (more
58709 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
58710 + For this reason the second step can be controlled by 'chpax' or
58711 + 'paxctl' on a per file basis.
58713 +config PAX_RANDMMAP
58714 + bool "Randomize mmap() base"
58715 + depends on PAX_ASLR
58717 + By saying Y here the kernel will use a randomized base address for
58718 + mmap() requests that do not specify one themselves. As a result
58719 + all dynamically loaded libraries will appear at random addresses
58720 + and therefore be harder to exploit by a technique where an attacker
58721 + attempts to execute library code for his purposes (e.g. spawn a
58722 + shell from an exploited program that is running at an elevated
58723 + privilege level).
58725 + Furthermore, if a program is relinked as a dynamic ELF file, its
58726 + base address will be randomized as well, completing the full
58727 + randomization of the address space layout. Attacking such programs
58728 + becomes a guess game. You can find an example of doing this at
58729 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
58730 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
58732 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
58733 + feature on a per file basis.
58737 +menu "Miscellaneous hardening features"
58739 +config PAX_MEMORY_SANITIZE
58740 + bool "Sanitize all freed memory"
58742 + By saying Y here the kernel will erase memory pages as soon as they
58743 + are freed. This in turn reduces the lifetime of data stored in the
58744 + pages, making it less likely that sensitive information such as
58745 + passwords, cryptographic secrets, etc stay in memory for too long.
58747 + This is especially useful for programs whose runtime is short, long
58748 + lived processes and the kernel itself benefit from this as long as
58749 + they operate on whole memory pages and ensure timely freeing of pages
58750 + that may hold sensitive information.
58752 + The tradeoff is performance impact, on a single CPU system kernel
58753 + compilation sees a 3% slowdown, other systems and workloads may vary
58754 + and you are advised to test this feature on your expected workload
58755 + before deploying it.
58757 + Note that this feature does not protect data stored in live pages,
58758 + e.g., process memory swapped to disk may stay there for a long time.
58760 +config PAX_MEMORY_UDEREF
58761 + bool "Prevent invalid userland pointer dereference"
58762 + depends on X86 && !UML_X86 && !XEN
58763 + select PAX_PER_CPU_PGD if X86_64
58765 + By saying Y here the kernel will be prevented from dereferencing
58766 + userland pointers in contexts where the kernel expects only kernel
58767 + pointers. This is both a useful runtime debugging feature and a
58768 + security measure that prevents exploiting a class of kernel bugs.
58770 + The tradeoff is that some virtualization solutions may experience
58771 + a huge slowdown and therefore you should not enable this feature
58772 + for kernels meant to run in such environments. Whether a given VM
58773 + solution is affected or not is best determined by simply trying it
58774 + out, the performance impact will be obvious right on boot as this
58775 + mechanism engages from very early on. A good rule of thumb is that
58776 + VMs running on CPUs without hardware virtualization support (i.e.,
58777 + the majority of IA-32 CPUs) will likely experience the slowdown.
58779 +config PAX_REFCOUNT
58780 + bool "Prevent various kernel object reference counter overflows"
58781 + depends on GRKERNSEC && (X86 || SPARC64)
58783 + By saying Y here the kernel will detect and prevent overflowing
58784 + various (but not all) kinds of object reference counters. Such
58785 + overflows can normally occur due to bugs only and are often, if
58786 + not always, exploitable.
58788 + The tradeoff is that data structures protected by an overflowed
58789 + refcount will never be freed and therefore will leak memory. Note
58790 + that this leak also happens even without this protection but in
58791 + that case the overflow can eventually trigger the freeing of the
58792 + data structure while it is still being used elsewhere, resulting
58793 + in the exploitable situation that this feature prevents.
58795 + Since this has a negligible performance impact, you should enable
58798 +config PAX_USERCOPY
58799 + bool "Bounds check heap object copies between kernel and userland"
58800 + depends on X86 || PPC || SPARC
58801 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
58803 + By saying Y here the kernel will enforce the size of heap objects
58804 + when they are copied in either direction between the kernel and
58805 + userland, even if only a part of the heap object is copied.
58807 + Specifically, this checking prevents information leaking from the
58808 + kernel heap during kernel to userland copies (if the kernel heap
58809 + object is otherwise fully initialized) and prevents kernel heap
58810 + overflows during userland to kernel copies.
58812 + Note that the current implementation provides the strictest checks
58813 + for the SLUB allocator.
58815 + If frame pointers are enabled on x86, this option will also restrict
58816 + copies into and out of the kernel stack to local variables within a
58819 + Since this has a negligible performance impact, you should enable
58827 bool "Enable access key retention support"
58829 @@ -167,7 +688,7 @@ config INTEL_TXT
58830 config LSM_MMAP_MIN_ADDR
58831 int "Low address space for LSM to protect from user allocation"
58832 depends on SECURITY && SECURITY_SELINUX
58836 This is the portion of low virtual memory which should be protected
58837 from userspace allocation. Keeping a user from writing to low pages
58838 diff -urNp linux-2.6.38.1/security/min_addr.c linux-2.6.38.1/security/min_addr.c
58839 --- linux-2.6.38.1/security/min_addr.c 2011-03-14 21:20:32.000000000 -0400
58840 +++ linux-2.6.38.1/security/min_addr.c 2011-03-21 18:31:35.000000000 -0400
58841 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
58843 static void update_mmap_min_addr(void)
58846 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
58847 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
58848 mmap_min_addr = dac_mmap_min_addr;
58849 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
58851 mmap_min_addr = dac_mmap_min_addr;
58857 diff -urNp linux-2.6.38.1/security/security.c linux-2.6.38.1/security/security.c
58858 --- linux-2.6.38.1/security/security.c 2011-03-14 21:20:32.000000000 -0400
58859 +++ linux-2.6.38.1/security/security.c 2011-03-21 18:31:35.000000000 -0400
58860 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
58861 /* things that live in capability.c */
58862 extern void __init security_fixup_ops(struct security_operations *ops);
58864 -static struct security_operations *security_ops;
58865 -static struct security_operations default_security_ops = {
58866 +static struct security_operations *security_ops __read_only;
58867 +static struct security_operations default_security_ops __read_only = {
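Review bot: The `__read_only` annotation on `security_ops` and `default_security_ops` is not explained at the declaration, yet it changes the contract for every store: the reset_security_ops hunk below wraps its assignment in pax_open_kernel()/pax_close_kernel(), and register_security() in this file also assigns `security_ops` but lies outside the hunks shown, so confirm it is wrapped the same way. security_fixup_ops(&default_security_ops) runs from security_init() and writes into the table; presumably __read_only data is still writable during __init, but that assumption should be stated. Suggest above the declarations: `/* __read_only: written from __init code and reset_security_ops() only; any other store must be bracketed by pax_open_kernel()/pax_close_kernel() */`.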
58871 @@ -67,7 +67,9 @@ int __init security_init(void)
58873 void reset_security_ops(void)
58875 + pax_open_kernel();
58876 security_ops = &default_security_ops;
58877 + pax_close_kernel();
58880 /* Save user chosen LSM */
58881 diff -urNp linux-2.6.38.1/security/selinux/hooks.c linux-2.6.38.1/security/selinux/hooks.c
58882 --- linux-2.6.38.1/security/selinux/hooks.c 2011-03-14 21:20:32.000000000 -0400
58883 +++ linux-2.6.38.1/security/selinux/hooks.c 2011-03-21 18:31:35.000000000 -0400
58885 #define NUM_SEL_MNT_OPTS 5
58887 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
58888 -extern struct security_operations *security_ops;
58890 /* SECMARK reference count */
58891 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
58892 @@ -5395,7 +5394,7 @@ static int selinux_key_getsecurity(struc
58896 -static struct security_operations selinux_ops = {
58897 +static struct security_operations selinux_ops __read_only = {
58900 .ptrace_access_check = selinux_ptrace_access_check,
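Review bot: `selinux_ops` becomes `__read_only` without a comment recording that security_fixup_ops() still fills the NULL slots of this table at registration time, so the annotation relies on read-only data remaining writable until init completes; the same applies to the smack_ops and tomoyo_security_ops hunks. Nothing in the visible hunks writes to these tables after init, but any later store would now fault rather than silently succeed, which is worth confirming across each LSM. Suggest `/* __read_only: populated by security_fixup_ops() during init; never modified afterwards */` on each table.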
58901 diff -urNp linux-2.6.38.1/security/smack/smack_lsm.c linux-2.6.38.1/security/smack/smack_lsm.c
58902 --- linux-2.6.38.1/security/smack/smack_lsm.c 2011-03-14 21:20:32.000000000 -0400
58903 +++ linux-2.6.38.1/security/smack/smack_lsm.c 2011-03-21 18:31:35.000000000 -0400
58904 @@ -3179,7 +3179,7 @@ static int smack_inode_getsecctx(struct
58908 -struct security_operations smack_ops = {
58909 +struct security_operations smack_ops __read_only = {
58912 .ptrace_access_check = smack_ptrace_access_check,
58913 diff -urNp linux-2.6.38.1/security/tomoyo/tomoyo.c linux-2.6.38.1/security/tomoyo/tomoyo.c
58914 --- linux-2.6.38.1/security/tomoyo/tomoyo.c 2011-03-14 21:20:32.000000000 -0400
58915 +++ linux-2.6.38.1/security/tomoyo/tomoyo.c 2011-03-21 18:31:35.000000000 -0400
58916 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
58917 * tomoyo_security_ops is a "struct security_operations" which is used for
58918 * registering TOMOYO.
58920 -static struct security_operations tomoyo_security_ops = {
58921 +static struct security_operations tomoyo_security_ops __read_only = {
58923 .cred_alloc_blank = tomoyo_cred_alloc_blank,
58924 .cred_prepare = tomoyo_cred_prepare,
58925 diff -urNp linux-2.6.38.1/sound/aoa/codecs/onyx.c linux-2.6.38.1/sound/aoa/codecs/onyx.c
58926 --- linux-2.6.38.1/sound/aoa/codecs/onyx.c 2011-03-14 21:20:32.000000000 -0400
58927 +++ linux-2.6.38.1/sound/aoa/codecs/onyx.c 2011-03-21 18:31:35.000000000 -0400
58928 @@ -54,7 +54,7 @@ struct onyx {
58933 + local_t open_count;
58934 struct codec_info *codec_info;
58936 /* mutex serializes concurrent access to the device
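Review bot: `open_count` becomes a `local_t` without a comment, while every access to it in the onyx_open and onyx_close hunks is already serialized by onyx->mutex; local_t is documented as a per-CPU counter type, so a reader will wonder why it is used for a mutex-protected field. If the intent is to keep this counter out of the atomic_t overflow instrumentation rather than to gain atomicity, say so at the field: `local_t open_count; /* mutex-serialized open count; local_t keeps it out of refcount overflow checks */`. The same applies to the mts64 and portman2x4 `open_count` hunks.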
58937 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
58938 struct onyx *onyx = cii->codec_data;
58940 mutex_lock(&onyx->mutex);
58941 - onyx->open_count++;
58942 + local_inc(&onyx->open_count);
58943 mutex_unlock(&onyx->mutex);
58946 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
58947 struct onyx *onyx = cii->codec_data;
58949 mutex_lock(&onyx->mutex);
58950 - onyx->open_count--;
58951 - if (!onyx->open_count)
58952 + if (local_dec_and_test(&onyx->open_count))
58953 onyx->spdif_locked = onyx->analog_locked = 0;
58954 mutex_unlock(&onyx->mutex);
58956 diff -urNp linux-2.6.38.1/sound/aoa/codecs/onyx.h linux-2.6.38.1/sound/aoa/codecs/onyx.h
58957 --- linux-2.6.38.1/sound/aoa/codecs/onyx.h 2011-03-14 21:20:32.000000000 -0400
58958 +++ linux-2.6.38.1/sound/aoa/codecs/onyx.h 2011-03-21 18:31:35.000000000 -0400
58960 #include <linux/i2c.h>
58961 #include <asm/pmac_low_i2c.h>
58962 #include <asm/prom.h>
58963 +#include <asm/local.h>
58965 /* PCM3052 register definitions */
58967 diff -urNp linux-2.6.38.1/sound/core/oss/pcm_oss.c linux-2.6.38.1/sound/core/oss/pcm_oss.c
58968 --- linux-2.6.38.1/sound/core/oss/pcm_oss.c 2011-03-14 21:20:32.000000000 -0400
58969 +++ linux-2.6.38.1/sound/core/oss/pcm_oss.c 2011-03-21 18:31:35.000000000 -0400
58970 @@ -2971,8 +2971,8 @@ static void snd_pcm_oss_proc_done(struct
58973 #else /* !CONFIG_SND_VERBOSE_PROCFS */
58974 -#define snd_pcm_oss_proc_init(pcm)
58975 -#define snd_pcm_oss_proc_done(pcm)
58976 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
58977 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
58978 #endif /* CONFIG_SND_VERBOSE_PROCFS */
58981 diff -urNp linux-2.6.38.1/sound/core/seq/seq_lock.h linux-2.6.38.1/sound/core/seq/seq_lock.h
58982 --- linux-2.6.38.1/sound/core/seq/seq_lock.h 2011-03-14 21:20:32.000000000 -0400
58983 +++ linux-2.6.38.1/sound/core/seq/seq_lock.h 2011-03-21 18:31:35.000000000 -0400
58984 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
58985 #else /* SMP || CONFIG_SND_DEBUG */
58987 typedef spinlock_t snd_use_lock_t; /* dummy */
58988 -#define snd_use_lock_init(lockp) /**/
58989 -#define snd_use_lock_use(lockp) /**/
58990 -#define snd_use_lock_free(lockp) /**/
58991 -#define snd_use_lock_sync(lockp) /**/
58992 +#define snd_use_lock_init(lockp) do {} while (0)
58993 +#define snd_use_lock_use(lockp) do {} while (0)
58994 +#define snd_use_lock_free(lockp) do {} while (0)
58995 +#define snd_use_lock_sync(lockp) do {} while (0)
58997 #endif /* SMP || CONFIG_SND_DEBUG */
58999 diff -urNp linux-2.6.38.1/sound/drivers/mts64.c linux-2.6.38.1/sound/drivers/mts64.c
59000 --- linux-2.6.38.1/sound/drivers/mts64.c 2011-03-14 21:20:32.000000000 -0400
59001 +++ linux-2.6.38.1/sound/drivers/mts64.c 2011-03-21 18:31:35.000000000 -0400
59003 #include <sound/initval.h>
59004 #include <sound/rawmidi.h>
59005 #include <sound/control.h>
59006 +#include <asm/local.h>
59008 #define CARD_NAME "Miditerminal 4140"
59009 #define DRIVER_NAME "MTS64"
59010 @@ -66,7 +67,7 @@ struct mts64 {
59011 struct pardevice *pardev;
59012 int pardev_claimed;
59015 + local_t open_count;
59016 int current_midi_output_port;
59017 int current_midi_input_port;
59018 u8 mode[MTS64_NUM_INPUT_PORTS];
59019 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
59021 struct mts64 *mts = substream->rmidi->private_data;
59023 - if (mts->open_count == 0) {
59024 + if (local_read(&mts->open_count) == 0) {
59025 /* We don't need a spinlock here, because this is just called
59026 if the device has not been opened before.
59027 So there aren't any IRQs from the device */
59028 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
59032 - ++(mts->open_count);
59033 + local_inc(&mts->open_count);
59037 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
59038 struct mts64 *mts = substream->rmidi->private_data;
59039 unsigned long flags;
59041 - --(mts->open_count);
59042 - if (mts->open_count == 0) {
59043 + if (local_dec_return(&mts->open_count) == 0) {
59044 /* We need the spinlock_irqsave here because we can still
59045 have IRQs at this point */
59046 spin_lock_irqsave(&mts->lock, flags);
59047 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
59051 - } else if (mts->open_count < 0)
59052 - mts->open_count = 0;
59053 + } else if (local_read(&mts->open_count) < 0)
59054 + local_set(&mts->open_count, 0);
59058 diff -urNp linux-2.6.38.1/sound/drivers/portman2x4.c linux-2.6.38.1/sound/drivers/portman2x4.c
59059 --- linux-2.6.38.1/sound/drivers/portman2x4.c 2011-03-14 21:20:32.000000000 -0400
59060 +++ linux-2.6.38.1/sound/drivers/portman2x4.c 2011-03-21 18:31:35.000000000 -0400
59062 #include <sound/initval.h>
59063 #include <sound/rawmidi.h>
59064 #include <sound/control.h>
59065 +#include <asm/local.h>
59067 #define CARD_NAME "Portman 2x4"
59068 #define DRIVER_NAME "portman"
59069 @@ -84,7 +85,7 @@ struct portman {
59070 struct pardevice *pardev;
59071 int pardev_claimed;
59074 + local_t open_count;
59075 int mode[PORTMAN_NUM_INPUT_PORTS];
59076 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
59078 diff -urNp linux-2.6.38.1/sound/oss/sb_audio.c linux-2.6.38.1/sound/oss/sb_audio.c
59079 --- linux-2.6.38.1/sound/oss/sb_audio.c 2011-03-14 21:20:32.000000000 -0400
59080 +++ linux-2.6.38.1/sound/oss/sb_audio.c 2011-03-21 18:31:35.000000000 -0400
59081 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
59082 buf16 = (signed short *)(localbuf + localoffs);
59085 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
59086 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
59087 if (copy_from_user(lbuf8,
59088 userbuf+useroffs + p,
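Review bot: Casting `c` to unsigned makes a negative count clamp to LBUFCOPYSIZE instead of being rejected, so a bad `c` still drives a full-size copy_from_user() and the arithmetic that follows rather than failing early. If `c` cannot be negative at this point, an explicit early return on `c < 0` (in whatever error convention sb16_copy_from_user() uses) documents that invariant better than a cast in the comparison; if it can, the clamp hides the error instead of reporting it. sb16_copy_from_user() starts before and continues past this hunk, so the callers' checks on `c` are not visible here.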
59090 diff -urNp linux-2.6.38.1/sound/oss/swarm_cs4297a.c linux-2.6.38.1/sound/oss/swarm_cs4297a.c
59091 --- linux-2.6.38.1/sound/oss/swarm_cs4297a.c 2011-03-14 21:20:32.000000000 -0400
59092 +++ linux-2.6.38.1/sound/oss/swarm_cs4297a.c 2011-03-21 18:31:35.000000000 -0400
59093 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
59095 struct cs4297a_state *s;
59099 #ifndef CONFIG_BCM_CS4297A_CSWARM
59101 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
59103 char *sb1250_duart_present;
59110 val = SOUND_MASK_LINE;
59111 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
59112 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
59113 val = initvol[i].vol;
59114 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
59117 // cs4297a_write_ac97(s, 0x18, 0x0808);
59119 // cs4297a_write_ac97(s, 0x5e, 0x180);
59120 cs4297a_write_ac97(s, 0x02, 0x0808);
59121 cs4297a_write_ac97(s, 0x18, 0x0808);
59125 list_add(&s->list, &cs4297a_devs);
59127 diff -urNp linux-2.6.38.1/sound/pci/ac97/ac97_patch.c linux-2.6.38.1/sound/pci/ac97/ac97_patch.c
59128 --- linux-2.6.38.1/sound/pci/ac97/ac97_patch.c 2011-03-14 21:20:32.000000000 -0400
59129 +++ linux-2.6.38.1/sound/pci/ac97/ac97_patch.c 2011-03-21 18:31:35.000000000 -0400
59130 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
59131 { AC97_VIDEO, 0x9f1f },
59132 { AC97_AUX, 0x9f1f },
59133 { AC97_PCM, 0x9f1f },
59134 - { } /* terminator */
59135 + { 0, 0 } /* terminator */
59138 static int patch_ad1819(struct snd_ac97 * ac97)
59139 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
59140 { AC97_AUX, 0x1f1f },
59141 { AC97_PCM, 0x1f1f },
59142 { AC97_REC_GAIN, 0x0f0f },
59143 - { } /* terminator */
59144 + { 0, 0 } /* terminator */
59147 static int patch_lm4550(struct snd_ac97 *ac97)
59148 diff -urNp linux-2.6.38.1/sound/pci/ens1370.c linux-2.6.38.1/sound/pci/ens1370.c
59149 --- linux-2.6.38.1/sound/pci/ens1370.c 2011-03-14 21:20:32.000000000 -0400
59150 +++ linux-2.6.38.1/sound/pci/ens1370.c 2011-03-21 18:31:35.000000000 -0400
59151 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
59152 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
59153 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
59156 + { 0, 0, 0, 0, 0, 0, 0 }
59159 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
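Review bot: The positional `{ 0, 0, 0, 0, 0, 0, 0 }` terminator hard-codes the current field count of struct pci_device_id, and the same pattern appears in the intel8x0.c and intel8x0m.c device-table hunks and, with `NULL`, in the intel8x0.c ac97_quirks terminator. `{ 0 }` zero-fills every member of the sentinel just as well and keeps compiling unchanged if the struct gains a field, so unless the explicit list is there to satisfy a specific warning or tool (nothing in the hunk says so), `{ 0 }` is the more robust spelling. Whichever form is kept, a `/* terminator */` comment as on the ac97_quirks entry would help readers recognise the sentinel.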
59160 diff -urNp linux-2.6.38.1/sound/pci/hda/patch_hdmi.c linux-2.6.38.1/sound/pci/hda/patch_hdmi.c
59161 --- linux-2.6.38.1/sound/pci/hda/patch_hdmi.c 2011-03-14 21:20:32.000000000 -0400
59162 +++ linux-2.6.38.1/sound/pci/hda/patch_hdmi.c 2011-03-21 18:31:35.000000000 -0400
59163 @@ -733,10 +733,10 @@ static void hdmi_non_intrinsic_event(str
59178 diff -urNp linux-2.6.38.1/sound/pci/intel8x0.c linux-2.6.38.1/sound/pci/intel8x0.c
59179 --- linux-2.6.38.1/sound/pci/intel8x0.c 2011-03-14 21:20:32.000000000 -0400
59180 +++ linux-2.6.38.1/sound/pci/intel8x0.c 2011-03-21 18:31:35.000000000 -0400
59181 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
59182 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
59183 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
59184 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59186 + { 0, 0, 0, 0, 0, 0, 0 }
59189 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
59190 @@ -2141,7 +2141,7 @@ static struct ac97_quirk ac97_quirks[] _
59191 .type = AC97_TUNE_HP_ONLY
59194 - { } /* terminator */
59195 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
59198 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
59199 diff -urNp linux-2.6.38.1/sound/pci/intel8x0m.c linux-2.6.38.1/sound/pci/intel8x0m.c
59200 --- linux-2.6.38.1/sound/pci/intel8x0m.c 2011-03-14 21:20:32.000000000 -0400
59201 +++ linux-2.6.38.1/sound/pci/intel8x0m.c 2011-03-21 18:31:35.000000000 -0400
59202 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
59203 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
59204 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59207 + { 0, 0, 0, 0, 0, 0, 0 }
59210 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
59211 @@ -1264,7 +1264,7 @@ static struct shortname_table {
59212 { 0x5455, "ALi M5455" },
59213 { 0x746d, "AMD AMD8111" },
59219 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
59220 diff -urNp linux-2.6.38.1/usr/gen_init_cpio.c linux-2.6.38.1/usr/gen_init_cpio.c
59221 --- linux-2.6.38.1/usr/gen_init_cpio.c 2011-03-14 21:20:32.000000000 -0400
59222 +++ linux-2.6.38.1/usr/gen_init_cpio.c 2011-03-21 18:31:35.000000000 -0400
59223 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
59232 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
59233 *env_var = *expanded = '\0';
59234 strncat(env_var, start + 2, end - start - 2);
59235 strncat(expanded, new_location, start - new_location);
59236 - strncat(expanded, getenv(env_var), PATH_MAX);
59237 - strncat(expanded, end + 1, PATH_MAX);
59238 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
59239 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
59240 strncpy(new_location, expanded, PATH_MAX);
59241 + new_location[PATH_MAX] = 0;
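Review bot: `getenv(env_var)` on the first rewritten strncat line returns NULL when the variable is unset, and strncat with a NULL source is undefined behaviour (a crash at best); the commit bounds the copy but leaves that case unchecked. Hold the result first, `const char *val = getenv(env_var);`, then either `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));` or fail the expansion explicitly when `val` is NULL. The two strncat calls above it are still bounded by the input length rather than by the space left in `expanded`, so the new `PATH_MAX - strlen(expanded)` bound assumes `expanded` has not already overflowed, and it underflows to a huge size_t if it has. The new `new_location[PATH_MAX] = 0;` and both bounds presume the buffers are declared with PATH_MAX + 1 bytes; the declarations are outside this hunk, so worth confirming. cpio_replace_env() starts before and ends after the hunk.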
59245 diff -urNp linux-2.6.38.1/virt/kvm/kvm_main.c linux-2.6.38.1/virt/kvm/kvm_main.c
59246 --- linux-2.6.38.1/virt/kvm/kvm_main.c 2011-03-14 21:20:32.000000000 -0400
59247 +++ linux-2.6.38.1/virt/kvm/kvm_main.c 2011-03-21 18:31:35.000000000 -0400
59248 @@ -1521,7 +1521,7 @@ static int kvm_vcpu_release(struct inode
59252 -static struct file_operations kvm_vcpu_fops = {
59253 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
59254 .release = kvm_vcpu_release,
59255 .unlocked_ioctl = kvm_vcpu_ioctl,
59256 .compat_ioctl = kvm_vcpu_ioctl,
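Review bot: `/* cannot be const */` records the conclusion but not the reason, so the next reader has to rediscover why this table must stay writable; the same comment is added on kvm_vm_fops and kvm_chardev_ops in the two hunks below. Presumably the reason is that kvm_init() assigns `.owner` to these tables at run time (that code is outside these hunks); if so, say it in all three places: `/* cannot be const: kvm_init() sets .owner at run time */`. A one-line reason also keeps the comment from going stale if that assignment is later removed.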
59257 @@ -1990,7 +1990,7 @@ static int kvm_vm_mmap(struct file *file
59261 -static struct file_operations kvm_vm_fops = {
59262 +static struct file_operations kvm_vm_fops = { /* cannot be const */
59263 .release = kvm_vm_release,
59264 .unlocked_ioctl = kvm_vm_ioctl,
59265 #ifdef CONFIG_COMPAT
59266 @@ -2088,7 +2088,7 @@ out:
59270 -static struct file_operations kvm_chardev_ops = {
59271 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
59272 .unlocked_ioctl = kvm_dev_ioctl,
59273 .compat_ioctl = kvm_dev_ioctl,
59274 .llseek = noop_llseek,
59275 @@ -2098,6 +2098,9 @@ static struct miscdevice kvm_dev = {
59284 static void hardware_enable_nolock(void *junk)
59285 @@ -2443,7 +2446,7 @@ static void kvm_sched_out(struct preempt
59286 kvm_arch_vcpu_put(vcpu);
59289 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59290 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59291 struct module *module)