return -EFAULT;
return i;
}
+diff -urNp linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c
+--- linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c 2010-08-26 19:47:12.000000000 -0400
++++ linux-2.6.35.7/drivers/media/video/v4l2-compat-ioctl32.c 2010-10-19 18:15:40.000000000 -0400
+@@ -193,17 +193,24 @@ static int put_video_window32(struct vid
+ struct video_code32 {
+ char loadwhat[16]; /* name or tag of file being passed */
+ compat_int_t datasize;
+- unsigned char *data;
++ compat_uptr_t data;
+ };
+
+-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *get_microcode32(struct video_code32 *kp)
+ {
+- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
+- get_user(kp->datasize, &up->datasize) ||
+- copy_from_user(kp->data, up->data, up->datasize))
+- return -EFAULT;
+- return 0;
++ struct video_code __user *up;
++
++ up = compat_alloc_user_space(sizeof(*up));
++
++ /*
++ * NOTE! We don't actually care if these fail. If the
++ * user address is invalid, the native ioctl will do
++ * the error handling for us
++ */
++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++ (void) put_user(kp->datasize, &up->datasize);
++ (void) put_user(compat_ptr(kp->data), &up->data);
++ return up;
+ }
+
+ #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
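Review bot: get_microcode32() now returns a user-space pointer from compat_alloc_user_space() and discards every copy_to_user()/put_user() result, but its contract is only implied by the inline NOTE. The scheme is safe only if the caller passes the returned pointer to the native handler. The VIDIOCSMICROCODE hunk in do_video_ioctl does that by reassigning `up` and dropping `compatible_arg = 0`, and neither place says so. I would add a header comment such as `/* Builds a native struct video_code in compat user stack space; the caller must pass the result to the native ioctl, which does all fault and datasize checking. */` and a one-line comment in the case noting that compatible_arg intentionally stays set. The `get_` prefix is also misleading now that the function writes to user space. Note that `datasize` and `data` are forwarded unvalidated, so any bounds check lives in the native handler, which is not visible here.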
+@@ -744,7 +751,7 @@ static long do_video_ioctl(struct file *
+ struct video_tuner vt;
+ struct video_buffer vb;
+ struct video_window vw;
+- struct video_code vc;
++ struct video_code32 vc;
+ struct video_audio va;
+ #endif
+ struct v4l2_format v2f;
+@@ -823,8 +830,11 @@ static long do_video_ioctl(struct file *
+ break;
+
+ case VIDIOCSMICROCODE:
+- err = get_microcode32(&karg.vc, up);
+- compatible_arg = 0;
++ /* Copy the 32-bit "video_code32" to kernel space */
++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++ return -EFAULT;
++ /* Convert the 32-bit version to a 64-bit version in user space */
++ up = get_microcode32(&karg.vc);
+ break;
+
+ case VIDIOCSFREQ:
diff -urNp linux-2.6.35.7/drivers/message/fusion/mptbase.c linux-2.6.35.7/drivers/message/fusion/mptbase.c
--- linux-2.6.35.7/drivers/message/fusion/mptbase.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.7/drivers/message/fusion/mptbase.c 2010-09-17 20:12:37.000000000 -0400
+}
diff -urNp linux-2.6.35.7/grsecurity/grsec_init.c linux-2.6.35.7/grsecurity/grsec_init.c
--- linux-2.6.35.7/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_init.c 2010-09-17 20:12:37.000000000 -0400
-@@ -0,0 +1,266 @@
++++ linux-2.6.35.7/grsecurity/grsec_init.c 2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,270 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+int grsec_socket_server_gid;
+int grsec_resource_logging;
+int grsec_disable_privio;
++int grsec_enable_log_rwxmaps;
+int grsec_lock;
+
+DEFINE_SPINLOCK(grsec_alert_lock);
+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
+ grsec_enable_audit_textrel = 1;
+#endif
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++ grsec_enable_log_rwxmaps = 1;
++#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+ grsec_enable_group = 1;
+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
+}
diff -urNp linux-2.6.35.7/grsecurity/grsec_log.c linux-2.6.35.7/grsecurity/grsec_log.c
--- linux-2.6.35.7/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_log.c 2010-09-28 19:11:11.000000000 -0400
-@@ -0,0 +1,306 @@
++++ linux-2.6.35.7/grsecurity/grsec_log.c 2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,310 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+ ulong1 = va_arg(ap, unsigned long);
+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
+ break;
++ case GR_RWXMAP:
++ file = va_arg(ap, struct file *);
++ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
++ break;
+ case GR_PSACCT:
+ {
+ unsigned int wday, cday;
+#endif
+ return 0;
+}
+diff -urNp linux-2.6.35.7/grsecurity/grsec_pax.c linux-2.6.35.7/grsecurity/grsec_pax.c
+--- linux-2.6.35.7/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.35.7/grsecurity/grsec_pax.c 2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,36 @@
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/mm.h>
++#include <linux/file.h>
++#include <linux/grinternal.h>
++#include <linux/grsecurity.h>
++
++void
++gr_log_textrel(struct vm_area_struct * vma)
++{
++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
++ if (grsec_enable_audit_textrel)
++ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
++#endif
++ return;
++}
++
++void
++gr_log_rwxmmap(struct file *file)
++{
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++ if (grsec_enable_log_rwxmaps)
++ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
++#endif
++ return;
++}
++
++void
++gr_log_rwxmprotect(struct file *file)
++{
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++ if (grsec_enable_log_rwxmaps)
++ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
++#endif
++ return;
++}
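Review bot: gr_log_rwxmmap() and gr_log_rwxmprotect() emit a log line on a path any unprivileged process can trigger repeatedly, namely a denied RWX mmap/mprotect. If gr_log_varargs() does not already rate-limit GR_DONT_AUDIT messages (not visible in this diff), these two hooks let a local user flood the kernel log and push out other alerts, so that is worth confirming. Both functions also accept a NULL `file`, which the GR_RWXMAP case in grsec_log.c prints as "<anonymous mapping>". A short comment such as `/* file is NULL for anonymous mappings */` on each would document that. The trailing `return;` in these void functions is redundant.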
diff -urNp linux-2.6.35.7/grsecurity/grsec_ptrace.c linux-2.6.35.7/grsecurity/grsec_ptrace.c
--- linux-2.6.35.7/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.35.7/grsecurity/grsec_ptrace.c 2010-09-17 20:12:37.000000000 -0400
+}
diff -urNp linux-2.6.35.7/grsecurity/grsec_sysctl.c linux-2.6.35.7/grsecurity/grsec_sysctl.c
--- linux-2.6.35.7/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_sysctl.c 2010-09-17 20:18:57.000000000 -0400
-@@ -0,0 +1,424 @@
++++ linux-2.6.35.7/grsecurity/grsec_sysctl.c 2010-10-18 21:02:33.000000000 -0400
+@@ -0,0 +1,433 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
+ .proc_handler = &proc_dointvec,
+ },
+#endif
++#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
++ {
++ .procname = "rwxmap_logging",
++ .data = &grsec_enable_log_rwxmaps,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+ {
+ .procname = "signal_logging",
+ { }
+};
+#endif
-diff -urNp linux-2.6.35.7/grsecurity/grsec_textrel.c linux-2.6.35.7/grsecurity/grsec_textrel.c
---- linux-2.6.35.7/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/grsec_textrel.c 2010-09-17 20:12:37.000000000 -0400
-@@ -0,0 +1,16 @@
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/mm.h>
-+#include <linux/file.h>
-+#include <linux/grinternal.h>
-+#include <linux/grsecurity.h>
-+
-+void
-+gr_log_textrel(struct vm_area_struct * vma)
-+{
-+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
-+ if (grsec_enable_audit_textrel)
-+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
-+#endif
-+ return;
-+}
diff -urNp linux-2.6.35.7/grsecurity/grsec_time.c linux-2.6.35.7/grsecurity/grsec_time.c
--- linux-2.6.35.7/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.35.7/grsecurity/grsec_time.c 2010-09-17 20:12:37.000000000 -0400
+}
diff -urNp linux-2.6.35.7/grsecurity/Kconfig linux-2.6.35.7/grsecurity/Kconfig
--- linux-2.6.35.7/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/Kconfig 2010-09-17 20:12:37.000000000 -0400
-@@ -0,0 +1,986 @@
++++ linux-2.6.35.7/grsecurity/Kconfig 2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,995 @@
+#
+# grecurity configuration
+#
+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
+ the RBAC system), and thus does not create privacy concerns.
+
++config GRKERNSEC_RWXMAP_LOG
++ bool 'Denied RWX mmap/mprotect logging'
++ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
++ help
++ If you say Y here, calls to mmap() and mprotect() with explicit
++ usage of PROT_WRITE and PROT_EXEC together will be logged when
++ denied by the PAX_MPROTECT feature. If the sysctl option is
++ enabled, a sysctl option with name "rwxmap_logging" is created.
++
+config GRKERNSEC_AUDIT_TEXTREL
+ bool 'ELF text relocations logging (READ HELP)'
+ depends on PAX_MPROTECT
+endmenu
diff -urNp linux-2.6.35.7/grsecurity/Makefile linux-2.6.35.7/grsecurity/Makefile
--- linux-2.6.35.7/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/grsecurity/Makefile 2010-09-17 20:12:37.000000000 -0400
++++ linux-2.6.35.7/grsecurity/Makefile 2010-10-18 21:01:30.000000000 -0400
@@ -0,0 +1,29 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001-2009 it has been completely redesigned by Brad Spengler
+
+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
-+ grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
++ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
+#endif
diff -urNp linux-2.6.35.7/include/linux/grinternal.h linux-2.6.35.7/include/linux/grinternal.h
--- linux-2.6.35.7/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/include/linux/grinternal.h 2010-09-28 19:04:00.000000000 -0400
-@@ -0,0 +1,211 @@
++++ linux-2.6.35.7/include/linux/grinternal.h 2010-10-18 21:05:08.000000000 -0400
+@@ -0,0 +1,214 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
+extern int grsec_audit_gid;
+extern int grsec_enable_group;
+extern int grsec_enable_audit_textrel;
++extern int grsec_enable_log_rwxmaps;
+extern int grsec_enable_mount;
+extern int grsec_enable_chdir;
+extern int grsec_resource_logging;
+ GR_SIG2,
+ GR_CRASH1,
+ GR_CRASH2,
-+ GR_PSACCT
++ GR_PSACCT,
++ GR_RWXMAP
+};
+
+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
++#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
+
+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
+
+#endif
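Review bot: The new `gr_log_rwxmap(audit, msg, str)` macro names its last parameter `str`, but the GR_RWXMAP case in grsec_log.c reads that argument with `va_arg(ap, struct file *)`. Because gr_log_varargs() is variadic, the compiler cannot catch a caller that follows the name and passes a string, and that pointer would then be dereferenced as a struct file. Renaming the parameter makes the expected type visible at the call site: `#define gr_log_rwxmap(audit, msg, file) gr_log_varargs(audit, msg, GR_RWXMAP, file)`.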
diff -urNp linux-2.6.35.7/include/linux/grmsg.h linux-2.6.35.7/include/linux/grmsg.h
--- linux-2.6.35.7/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/include/linux/grmsg.h 2010-09-23 20:39:33.000000000 -0400
-@@ -0,0 +1,108 @@
++++ linux-2.6.35.7/include/linux/grmsg.h 2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,110 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
++#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
++#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
+#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
+#define GR_VM86_MSG "denied use of vm86 by "
+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
diff -urNp linux-2.6.35.7/include/linux/grsecurity.h linux-2.6.35.7/include/linux/grsecurity.h
--- linux-2.6.35.7/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.35.7/include/linux/grsecurity.h 2010-09-17 20:12:37.000000000 -0400
-@@ -0,0 +1,203 @@
++++ linux-2.6.35.7/include/linux/grsecurity.h 2010-10-18 21:01:30.000000000 -0400
+@@ -0,0 +1,205 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
+void gr_log_unmount(const char *devname, const int retval);
+void gr_log_mount(const char *from, const char *to, const int retval);
+void gr_log_textrel(struct vm_area_struct *vma);
++void gr_log_rwxmmap(struct file *file);
++void gr_log_rwxmprotect(struct file *file);
+
+int gr_handle_follow_link(const struct inode *parent,
+ const struct inode *inode,
ret = do_mlockall(flags);
diff -urNp linux-2.6.35.7/mm/mmap.c linux-2.6.35.7/mm/mmap.c
--- linux-2.6.35.7/mm/mmap.c 2010-09-26 17:32:11.000000000 -0400
-+++ linux-2.6.35.7/mm/mmap.c 2010-09-27 21:47:18.000000000 -0400
++++ linux-2.6.35.7/mm/mmap.c 2010-10-18 21:01:30.000000000 -0400
@@ -44,6 +44,16 @@
#define arch_rebalance_pgtables(addr, len) (addr)
#endif
if (addr & ~PAGE_MASK)
return addr;
-@@ -1003,6 +1080,28 @@ unsigned long do_mmap_pgoff(struct file
+@@ -1003,6 +1080,31 @@ unsigned long do_mmap_pgoff(struct file
vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
+#ifdef CONFIG_PAX_MPROTECT
+ if (mm->pax_flags & MF_PAX_MPROTECT) {
-+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
++ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
++ gr_log_rwxmmap(file);
+
+#ifdef CONFIG_PAX_EMUPLT
+ vm_flags &= ~VM_EXEC;
+ return -EPERM;
+#endif
+
++ }
++
+ if (!(vm_flags & VM_EXEC))
+ vm_flags &= ~VM_MAYEXEC;
+ else
if (flags & MAP_LOCKED)
if (!can_do_mlock())
return -EPERM;
-@@ -1014,6 +1113,7 @@ unsigned long do_mmap_pgoff(struct file
+@@ -1014,6 +1116,7 @@ unsigned long do_mmap_pgoff(struct file
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
}
-@@ -1084,6 +1184,9 @@ unsigned long do_mmap_pgoff(struct file
+@@ -1084,6 +1187,9 @@ unsigned long do_mmap_pgoff(struct file
if (error)
return error;
return mmap_region(file, addr, len, flags, vm_flags, pgoff);
}
EXPORT_SYMBOL(do_mmap_pgoff);
-@@ -1160,10 +1263,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
+@@ -1160,10 +1266,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
*/
int vma_wants_writenotify(struct vm_area_struct *vma)
{
return 0;
/* The backer wishes to know when pages are first written to? */
-@@ -1212,14 +1315,24 @@ unsigned long mmap_region(struct file *f
+@@ -1212,14 +1318,24 @@ unsigned long mmap_region(struct file *f
unsigned long charged = 0;
struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
}
/* Check against address space limit. */
-@@ -1268,6 +1381,16 @@ munmap_back:
+@@ -1268,6 +1384,16 @@ munmap_back:
goto unacct_error;
}
vma->vm_mm = mm;
vma->vm_start = addr;
vma->vm_end = addr + len;
-@@ -1291,6 +1414,19 @@ munmap_back:
+@@ -1291,6 +1417,19 @@ munmap_back:
error = file->f_op->mmap(file, vma);
if (error)
goto unmap_and_free_vma;
if (vm_flags & VM_EXECUTABLE)
added_exe_file_vma(mm);
-@@ -1326,6 +1462,11 @@ munmap_back:
+@@ -1326,6 +1465,11 @@ munmap_back:
vma_link(mm, vma, prev, rb_link, rb_parent);
file = vma->vm_file;
/* Once vma denies write, undo our temporary denial count */
if (correct_wcount)
atomic_inc(&inode->i_writecount);
-@@ -1334,6 +1475,7 @@ out:
+@@ -1334,6 +1478,7 @@ out:
mm->total_vm += len >> PAGE_SHIFT;
vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
if (vm_flags & VM_LOCKED) {
if (!mlock_vma_pages_range(vma, addr, addr + len))
mm->locked_vm += (len >> PAGE_SHIFT);
-@@ -1351,6 +1493,12 @@ unmap_and_free_vma:
+@@ -1351,6 +1496,12 @@ unmap_and_free_vma:
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
charged = 0;
free_vma:
kmem_cache_free(vm_area_cachep, vma);
unacct_error:
if (charged)
-@@ -1358,6 +1506,33 @@ unacct_error:
+@@ -1358,6 +1509,33 @@ unacct_error:
return error;
}
/* Get an address range which is currently unmapped.
* For shmat() with addr=0.
*
-@@ -1384,18 +1559,23 @@ arch_get_unmapped_area(struct file *filp
+@@ -1384,18 +1562,23 @@ arch_get_unmapped_area(struct file *filp
if (flags & MAP_FIXED)
return addr;
}
full_search:
-@@ -1406,34 +1586,40 @@ full_search:
+@@ -1406,34 +1589,40 @@ full_search:
* Start a new search - just in case we missed
* some holes.
*/
mm->free_area_cache = addr;
mm->cached_hole_size = ~0UL;
}
-@@ -1451,7 +1637,7 @@ arch_get_unmapped_area_topdown(struct fi
+@@ -1451,7 +1640,7 @@ arch_get_unmapped_area_topdown(struct fi
{
struct vm_area_struct *vma;
struct mm_struct *mm = current->mm;
/* requested length too big for entire address space */
if (len > TASK_SIZE)
-@@ -1460,13 +1646,18 @@ arch_get_unmapped_area_topdown(struct fi
+@@ -1460,13 +1649,18 @@ arch_get_unmapped_area_topdown(struct fi
if (flags & MAP_FIXED)
return addr;
}
/* check if free_area_cache is useful for us */
-@@ -1481,7 +1672,7 @@ arch_get_unmapped_area_topdown(struct fi
+@@ -1481,7 +1675,7 @@ arch_get_unmapped_area_topdown(struct fi
/* make sure it can fit in the remaining address space */
if (addr > len) {
vma = find_vma(mm, addr-len);
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr-len);
}
-@@ -1498,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
+@@ -1498,7 +1692,7 @@ arch_get_unmapped_area_topdown(struct fi
* return with success:
*/
vma = find_vma(mm, addr);
/* remember the address as a hint for next time */
return (mm->free_area_cache = addr);
-@@ -1517,13 +1708,21 @@ bottomup:
+@@ -1517,13 +1711,21 @@ bottomup:
* can happen with large stack limits and large mmap()
* allocations.
*/
mm->cached_hole_size = ~0UL;
return addr;
-@@ -1532,6 +1731,12 @@ bottomup:
+@@ -1532,6 +1734,12 @@ bottomup:
void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
{
/*
* Is this a new hole at the highest possible address?
*/
-@@ -1539,8 +1744,10 @@ void arch_unmap_area_topdown(struct mm_s
+@@ -1539,8 +1747,10 @@ void arch_unmap_area_topdown(struct mm_s
mm->free_area_cache = addr;
/* dont allow allocations above current base */
}
unsigned long
-@@ -1648,6 +1855,34 @@ out:
+@@ -1648,6 +1858,34 @@ out:
return prev ? prev->vm_next : vma;
}
/*
* Verify that the stack growth is acceptable and
* update accounting. This is shared with both the
-@@ -1664,6 +1899,7 @@ static int acct_stack_growth(struct vm_a
+@@ -1664,6 +1902,7 @@ static int acct_stack_growth(struct vm_a
return -ENOMEM;
/* Stack limit test */
if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
return -ENOMEM;
-@@ -1674,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
+@@ -1674,6 +1913,7 @@ static int acct_stack_growth(struct vm_a
locked = mm->locked_vm + grow;
limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
limit >>= PAGE_SHIFT;
if (locked > limit && !capable(CAP_IPC_LOCK))
return -ENOMEM;
}
-@@ -1704,37 +1941,47 @@ static int acct_stack_growth(struct vm_a
+@@ -1704,37 +1944,47 @@ static int acct_stack_growth(struct vm_a
* PA-RISC uses this for its stack; IA64 for its Register Backing Store.
* vma is the last one with address > vma->vm_end. Have to extend vma.
*/
unsigned long size, grow;
size = address - vma->vm_start;
-@@ -1744,6 +1991,8 @@ int expand_upwards(struct vm_area_struct
+@@ -1744,6 +1994,8 @@ int expand_upwards(struct vm_area_struct
if (!error)
vma->vm_end = address;
}
anon_vma_unlock(vma);
return error;
}
-@@ -1755,7 +2004,8 @@ int expand_upwards(struct vm_area_struct
+@@ -1755,7 +2007,8 @@ int expand_upwards(struct vm_area_struct
static int expand_downwards(struct vm_area_struct *vma,
unsigned long address)
{
/*
* We must make sure the anon_vma is allocated
-@@ -1769,6 +2019,15 @@ static int expand_downwards(struct vm_ar
+@@ -1769,6 +2022,15 @@ static int expand_downwards(struct vm_ar
if (error)
return error;
anon_vma_lock(vma);
/*
-@@ -1778,9 +2037,17 @@ static int expand_downwards(struct vm_ar
+@@ -1778,9 +2040,17 @@ static int expand_downwards(struct vm_ar
*/
/* Somebody else might have raced and expanded it already */
size = vma->vm_end - address;
grow = (vma->vm_start - address) >> PAGE_SHIFT;
-@@ -1788,9 +2055,20 @@ static int expand_downwards(struct vm_ar
+@@ -1788,9 +2058,20 @@ static int expand_downwards(struct vm_ar
if (!error) {
vma->vm_start = address;
vma->vm_pgoff -= grow;
return error;
}
-@@ -1864,6 +2142,13 @@ static void remove_vma_list(struct mm_st
+@@ -1864,6 +2145,13 @@ static void remove_vma_list(struct mm_st
do {
long nrpages = vma_pages(vma);
mm->total_vm -= nrpages;
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
vma = remove_vma(vma);
-@@ -1909,6 +2194,16 @@ detach_vmas_to_be_unmapped(struct mm_str
+@@ -1909,6 +2197,16 @@ detach_vmas_to_be_unmapped(struct mm_str
insertion_point = (prev ? &prev->vm_next : &mm->mmap);
vma->vm_prev = NULL;
do {
rb_erase(&vma->vm_rb, &mm->mm_rb);
mm->map_count--;
tail_vma = vma;
-@@ -1937,14 +2232,33 @@ static int __split_vma(struct mm_struct
+@@ -1937,14 +2235,33 @@ static int __split_vma(struct mm_struct
struct vm_area_struct *new;
int err = -ENOMEM;
/* most fields are the same, copy all, and then fixup */
*new = *vma;
-@@ -1957,6 +2271,22 @@ static int __split_vma(struct mm_struct
+@@ -1957,6 +2274,22 @@ static int __split_vma(struct mm_struct
new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
}
pol = mpol_dup(vma_policy(vma));
if (IS_ERR(pol)) {
err = PTR_ERR(pol);
-@@ -1982,6 +2312,42 @@ static int __split_vma(struct mm_struct
+@@ -1982,6 +2315,42 @@ static int __split_vma(struct mm_struct
else
err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
/* Success. */
if (!err)
return 0;
-@@ -1994,10 +2360,18 @@ static int __split_vma(struct mm_struct
+@@ -1994,10 +2363,18 @@ static int __split_vma(struct mm_struct
removed_exe_file_vma(mm);
fput(new->vm_file);
}
kmem_cache_free(vm_area_cachep, new);
out_err:
return err;
-@@ -2010,6 +2384,15 @@ static int __split_vma(struct mm_struct
+@@ -2010,6 +2387,15 @@ static int __split_vma(struct mm_struct
int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
unsigned long addr, int new_below)
{
if (mm->map_count >= sysctl_max_map_count)
return -ENOMEM;
-@@ -2021,11 +2404,30 @@ int split_vma(struct mm_struct *mm, stru
+@@ -2021,11 +2407,30 @@ int split_vma(struct mm_struct *mm, stru
* work. This now handles partial unmappings.
* Jeremy Fitzhardinge <jeremy@goop.org>
*/
if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
return -EINVAL;
-@@ -2099,6 +2501,8 @@ int do_munmap(struct mm_struct *mm, unsi
+@@ -2099,6 +2504,8 @@ int do_munmap(struct mm_struct *mm, unsi
/* Fix up all other VM information */
remove_vma_list(mm, vma);
return 0;
}
-@@ -2111,22 +2515,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
+@@ -2111,22 +2518,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
profile_munmap(addr);
/*
* this is really a simplified "do_mmap". it only handles
* anonymous maps. eventually we may be able to do some
-@@ -2140,6 +2540,7 @@ unsigned long do_brk(unsigned long addr,
+@@ -2140,6 +2543,7 @@ unsigned long do_brk(unsigned long addr,
struct rb_node ** rb_link, * rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
len = PAGE_ALIGN(len);
if (!len)
-@@ -2151,16 +2552,30 @@ unsigned long do_brk(unsigned long addr,
+@@ -2151,16 +2555,30 @@ unsigned long do_brk(unsigned long addr,
flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
locked += mm->locked_vm;
lock_limit = rlimit(RLIMIT_MEMLOCK);
lock_limit >>= PAGE_SHIFT;
-@@ -2177,22 +2592,22 @@ unsigned long do_brk(unsigned long addr,
+@@ -2177,22 +2595,22 @@ unsigned long do_brk(unsigned long addr,
/*
* Clear old maps. this also does some error checking for us
*/
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -2206,7 +2621,7 @@ unsigned long do_brk(unsigned long addr,
+@@ -2206,7 +2624,7 @@ unsigned long do_brk(unsigned long addr,
*/
vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
if (!vma) {
return -ENOMEM;
}
-@@ -2219,11 +2634,12 @@ unsigned long do_brk(unsigned long addr,
+@@ -2219,11 +2637,12 @@ unsigned long do_brk(unsigned long addr,
vma->vm_page_prot = vm_get_page_prot(flags);
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
return addr;
}
-@@ -2270,8 +2686,10 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2270,8 +2689,10 @@ void exit_mmap(struct mm_struct *mm)
* Walk the list again, actually closing and freeing it,
* with preemption enabled, without holding any MM locks.
*/
BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
}
-@@ -2285,6 +2703,10 @@ int insert_vm_struct(struct mm_struct *
+@@ -2285,6 +2706,10 @@ int insert_vm_struct(struct mm_struct *
struct vm_area_struct * __vma, * prev;
struct rb_node ** rb_link, * rb_parent;
/*
* The vm_pgoff of a purely anonymous vma should be irrelevant
* until its first write fault, when page's anon_vma and index
-@@ -2307,7 +2729,22 @@ int insert_vm_struct(struct mm_struct *
+@@ -2307,7 +2732,22 @@ int insert_vm_struct(struct mm_struct *
if ((vma->vm_flags & VM_ACCOUNT) &&
security_vm_enough_memory_mm(mm, vma_pages(vma)))
return -ENOMEM;
return 0;
}
-@@ -2325,6 +2762,8 @@ struct vm_area_struct *copy_vma(struct v
+@@ -2325,6 +2765,8 @@ struct vm_area_struct *copy_vma(struct v
struct rb_node **rb_link, *rb_parent;
struct mempolicy *pol;
/*
* If anonymous vma has not yet been faulted, update new pgoff
* to match new location, to increase its chance of merging.
-@@ -2374,6 +2813,39 @@ struct vm_area_struct *copy_vma(struct v
+@@ -2374,6 +2816,39 @@ struct vm_area_struct *copy_vma(struct v
kmem_cache_free(vm_area_cachep, new_vma);
return NULL;
}
/*
* Return true if the calling process may expand its vm space by the passed
-@@ -2385,7 +2857,7 @@ int may_expand_vm(struct mm_struct *mm,
+@@ -2385,7 +2860,7 @@ int may_expand_vm(struct mm_struct *mm,
unsigned long lim;
lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
if (cur + npages > lim)
return 0;
return 1;
-@@ -2455,6 +2927,17 @@ int install_special_mapping(struct mm_st
+@@ -2455,6 +2930,17 @@ int install_special_mapping(struct mm_st
vma->vm_start = addr;
vma->vm_end = addr + len;
diff -urNp linux-2.6.35.7/mm/mprotect.c linux-2.6.35.7/mm/mprotect.c
--- linux-2.6.35.7/mm/mprotect.c 2010-08-26 19:47:12.000000000 -0400
-+++ linux-2.6.35.7/mm/mprotect.c 2010-09-17 20:12:37.000000000 -0400
++++ linux-2.6.35.7/mm/mprotect.c 2010-10-18 21:01:30.000000000 -0400
@@ -23,10 +23,16 @@
#include <linux/mmu_notifier.h>
#include <linux/migrate.h>
prot |= PROT_EXEC;
vm_flags = calc_vm_prot_bits(prot);
-@@ -276,6 +401,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
+@@ -276,6 +401,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
if (start > vma->vm_start)
prev = vma;
-+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
-+ error = -EACCES;
-+ goto out;
-+ }
-+
+#ifdef CONFIG_PAX_MPROTECT
+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
for (nstart = start ; ; ) {
unsigned long newflags;
-@@ -300,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
+@@ -285,6 +415,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
+
+ /* newflags >> 4 shift VM_MAY% in place of VM_% */
+ if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
++ if (prot & (PROT_WRITE | PROT_EXEC))
++ gr_log_rwxmprotect(vma->vm_file);
++
++ error = -EACCES;
++ goto out;
++ }
++
++ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
+ error = -EACCES;
+ goto out;
+ }
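Review bot: The logging condition `if (prot & (PROT_WRITE | PROT_EXEC))` is true when either bit is set, whereas the Kconfig help for GRKERNSEC_RWXMAP_LOG says "PROT_WRITE and PROT_EXEC together" and do_mmap_pgoff tests both bits with `==`. As written, any mprotect() refused by the VM_MAY* check that asks for write or exec alone is reported as "denied RWX mprotect". That appears to include denials unrelated to PaX, since this branch is not gated on MF_PAX_MPROTECT, and such entries would dilute the log for anyone alerting on it. If only true W+X requests should be logged, use `if ((prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC))`. If the single-bit case is intentional (for example PROT_EXEC on a previously writable mapping), a comment here and matching wording in the Kconfig help and message text would make that clear. The syscall body continues outside this hunk.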
+@@ -300,6 +438,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
if (error)
goto out;
perf_event_mmap(vma);
atomic_read(&s->sk_refcnt),
s->sk_type,
ntohs(po->num),
+diff -urNp linux-2.6.35.7/net/rds/page.c linux-2.6.35.7/net/rds/page.c
+--- linux-2.6.35.7/net/rds/page.c 2010-08-26 19:47:12.000000000 -0400
++++ linux-2.6.35.7/net/rds/page.c 2010-10-19 18:14:31.000000000 -0400
+@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page
+ unsigned long ret;
+ void *addr;
+
+- if (to_user)
++ addr = kmap(page);
++ if (to_user) {
+ rds_stats_add(s_copy_to_user, bytes);
+- else
++ ret = copy_to_user(ptr, addr + offset, bytes);
++ } else {
+ rds_stats_add(s_copy_from_user, bytes);
+-
+- addr = kmap_atomic(page, KM_USER0);
+- if (to_user)
+- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
+- else
+- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
+- kunmap_atomic(addr, KM_USER0);
+-
+- if (ret) {
+- addr = kmap(page);
+- if (to_user)
+- ret = copy_to_user(ptr, addr + offset, bytes);
+- else
+- ret = copy_from_user(addr + offset, ptr, bytes);
+- kunmap(page);
+- if (ret)
+- return -EFAULT;
++ ret = copy_from_user(addr + offset, ptr, bytes);
+ }
++ kunmap(page);
+
+- return 0;
++ return ret ? -EFAULT : 0;
+ }
+ EXPORT_SYMBOL_GPL(rds_page_copy_user);
+
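Review bot: rds_page_copy_user() now uses the checked copy_to_user()/copy_from_user(), but nothing in the function says why the atomic fast path was dropped. The removed `__copy_*_inatomic` variants do not validate the user pointer with access_ok(), and `ptr` comes from the caller, so the fast path is easy to re-introduce later as an optimisation. I would add a comment above the kmap() call such as `/* Must use the checked copy_*_user(): ptr is user-controlled and the __..._inatomic variants skip access_ok(). */`. The function now always goes through kmap(), which can sleep. The removed fallback path already did that, so callers should be unaffected, but it is worth stating in the function comment, which lies outside this hunk. Whether `offset + bytes` is bounded to the page is also not visible here.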
diff -urNp linux-2.6.35.7/net/rose/af_rose.c linux-2.6.35.7/net/rose/af_rose.c
--- linux-2.6.35.7/net/rose/af_rose.c 2010-08-26 19:47:12.000000000 -0400
+++ linux-2.6.35.7/net/rose/af_rose.c 2010-09-20 17:16:28.000000000 -0400