kernel: Update to 2.6.34.
[ipfire-3.x.git] / pkgs / core / kernel / patches / grsecurity-2.1.14-2.6.33.1-201003201735.patch
ae4e228f
MT
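--- a/arch/alpha/include/asm/elf.h
+++ b/arch/alpha/include/asm/elf.h
@@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
 
 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
 
+#ifdef CONFIG_PAX_ASLR
+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
+
+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
+#endif
+
 /* $0 is set by ld.so to a pointer to a function which might be
 registered using atexit. This provides a mean for the dynamic
 linker to call DT_FINI functions for shared libraries that have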
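Review bot: The three PAX_* macros added under CONFIG_PAX_ASLR use bare numbers (0x10000 / 0x120000000UL, 14 / 28, 14 / 19) with no comment saying what they measure or why the 32-bit personality gets the smaller value. Judging by the names, the two `_LEN` values look like the width of the random mmap and stack offsets, but nothing in the hunk states the unit, and the unit matters when someone audits how much randomization a task actually gets. If that reading is right, a comment such as `/* PAX_DELTA_MMAP_LEN / PAX_DELTA_STACK_LEN: number of randomized bits in the mmap / stack offset */` above the block would settle it. The same undocumented constants appear in the arm, avr32 and ia64 elf.h sections and in arch/ia64/ia32/binfmt_elf32.c.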
ae4e228f
MT
18diff -urNp linux-2.6.33.1/arch/alpha/include/asm/pgtable.h linux-2.6.33.1/arch/alpha/include/asm/pgtable.h
19--- linux-2.6.33.1/arch/alpha/include/asm/pgtable.h 2010-03-15 12:09:39.000000000 -0400
20+++ linux-2.6.33.1/arch/alpha/include/asm/pgtable.h 2010-03-20 16:58:38.417757561 -0400
58c5fc13
MT
21@@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25+
26+#ifdef CONFIG_PAX_PAGEEXEC
27+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30+#else
31+# define PAGE_SHARED_NOEXEC PAGE_SHARED
32+# define PAGE_COPY_NOEXEC PAGE_COPY
33+# define PAGE_READONLY_NOEXEC PAGE_READONLY
34+#endif
35+
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
ae4e228f
MT
39diff -urNp linux-2.6.33.1/arch/alpha/kernel/module.c linux-2.6.33.1/arch/alpha/kernel/module.c
40--- linux-2.6.33.1/arch/alpha/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
41+++ linux-2.6.33.1/arch/alpha/kernel/module.c 2010-03-20 16:58:38.417757561 -0400
58c5fc13
MT
42@@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
43
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46- gp = (u64)me->module_core + me->core_size - 0x8000;
47+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
49
50 for (i = 0; i < n; i++) {
ae4e228f
MT
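--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -1205,6 +1205,10 @@ arch_get_unmapped_area(struct file *filp
 merely specific addresses, but regions of memory -- perhaps
 this feature should be incorporated into all ports? */
 
+#ifdef CONFIG_PAX_RANDMMAP
+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
+#endif
+
 if (addr) {
 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
 if (addr != (unsigned long) -ENOMEM)
@@ -1212,8 +1216,8 @@ arch_get_unmapped_area(struct file *filp
 }
 
 /* Next, try allocating at TASK_UNMAPPED_BASE. */
- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
- len, limit);
+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
+
 if (addr != (unsigned long) -ENOMEM)
 return addr;
 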
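Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and no body of its own; after the `#endif` and a blank line it binds to the existing `if (addr) {` block, so the caller's address hint is skipped whenever the flag is set. That coupling is fragile: any statement later inserted between the `#endif` and `if (addr)` becomes the guarded statement, and the hint is honoured again without a compile error. A comment on the guard, e.g. `/* RANDMMAP: ignore the caller's hint; this if guards the whole if (addr) block below */`, would make the dependency explicit. The second hunk also leaves `/* Next, try allocating at TASK_UNMAPPED_BASE. */` above a call that now starts from `current->mm->mmap_base`. arch/arm/mm/mmap.c adds the same unbraced guard.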
ae4e228f
MT
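--- a/arch/alpha/mm/fault.c
+++ b/arch/alpha/mm/fault.c
@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
 __reload_thread(pcb);
 }
 
+#ifdef CONFIG_PAX_PAGEEXEC
+/*
+ * PaX: decide what to do with offenders (regs->pc = fault address)
+ *
+ * returns 1 when task should be killed
+ * 2 when patched PLT trampoline was detected
+ * 3 when unpatched PLT trampoline was detected
+ */
+static int pax_handle_fetch_fault(struct pt_regs *regs)
+{
+
+#ifdef CONFIG_PAX_EMUPLT
+ int err;
+
+ do { /* PaX: patched PLT emulation #1 */
+ unsigned int ldah, ldq, jmp;
+
+ err = get_user(ldah, (unsigned int *)regs->pc);
+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
+
+ if (err)
+ break;
+
+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
+ jmp == 0x6BFB0000U)
+ {
+ unsigned long r27, addr;
+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
+
+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
+ err = get_user(r27, (unsigned long *)addr);
+ if (err)
+ break;
+
+ regs->r27 = r27;
+ regs->pc = r27;
+ return 2;
+ }
+ } while (0);
+
+ do { /* PaX: patched PLT emulation #2 */
+ unsigned int ldah, lda, br;
+
+ err = get_user(ldah, (unsigned int *)regs->pc);
+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
+ err |= get_user(br, (unsigned int *)(regs->pc+8));
+
+ if (err)
+ break;
+
+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
+ (br & 0xFFE00000U) == 0xC3E00000U)
+ {
+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
+
+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
+ return 2;
+ }
+ } while (0);
+
+ do { /* PaX: unpatched PLT emulation */
+ unsigned int br;
+
+ err = get_user(br, (unsigned int *)regs->pc);
+
+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
+ unsigned int br2, ldq, nop, jmp;
+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
+
+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
+ err = get_user(br2, (unsigned int *)addr);
+ err |= get_user(ldq, (unsigned int *)(addr+4));
+ err |= get_user(nop, (unsigned int *)(addr+8));
+ err |= get_user(jmp, (unsigned int *)(addr+12));
+ err |= get_user(resolver, (unsigned long *)(addr+16));
+
+ if (err)
+ break;
+
+ if (br2 == 0xC3600000U &&
+ ldq == 0xA77B000CU &&
+ nop == 0x47FF041FU &&
+ jmp == 0x6B7B0000U)
+ {
+ regs->r28 = regs->pc+4;
+ regs->r27 = addr+16;
+ regs->pc = resolver;
+ return 3;
+ }
+ }
+ } while (0);
+#endif
+
+ return 1;
+}
+
+void pax_report_insns(void *pc, void *sp)
+{
+ unsigned long i;
+
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 5; i++) {
+ unsigned int c;
+ if (get_user(c, (unsigned int *)pc+i))
+ printk(KERN_CONT "???????? ");
+ else
+ printk(KERN_CONT "%08x ", c);
+ }
+ printk("\n");
+}
+#endif
 
 /*
 * This routine handles page faults. It determines the address,
@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
 good_area:
 si_code = SEGV_ACCERR;
 if (cause < 0) {
- if (!(vma->vm_flags & VM_EXEC))
+ if (!(vma->vm_flags & VM_EXEC)) {
+
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
+ goto bad_area;
+
+ up_read(&mm->mmap_sem);
+ switch (pax_handle_fetch_fault(regs)) {
+
+#ifdef CONFIG_PAX_EMUPLT
+ case 2:
+ case 3:
+ return;
+#endif
+
+ }
+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
+ do_group_exit(SIGKILL);
+#else
 goto bad_area;
+#endif
+
+ }
 } else if (!cause) {
 /* Allow reads even for write-only mappings */
 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))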
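Review bot: In pax_handle_fetch_fault, emulation block #2 tests the word it calls `lda` with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same mask and value block #1 uses for `ldq`; either the variable name or the constant looks off, and it should be checked against the PLT sequence the block is meant to recognise. These patterns decide whether a fetch from a non-executable page is emulated or the task is killed, so each `do { } while (0)` block should carry a comment listing the instruction sequence it expects, which would make the constants auditable. The `get_user()` casts here also lack the `__user` annotation that the arm pax_report_insns in this patch uses (`(__force unsigned char __user *)pc+i`). In the alpha pax_report_insns the `sp` parameter is never read.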
ae4e228f
MT
235diff -urNp linux-2.6.33.1/arch/arm/include/asm/elf.h linux-2.6.33.1/arch/arm/include/asm/elf.h
236--- linux-2.6.33.1/arch/arm/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
237+++ linux-2.6.33.1/arch/arm/include/asm/elf.h 2010-03-20 16:58:38.440745685 -0400
238@@ -108,7 +108,14 @@ int dump_task_regs(struct task_struct *t
58c5fc13
MT
239 the loader. We need to make sure that it is out of the way of the program
240 that it will "exec", and that there is sufficient room for the brk. */
241
242-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
243+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
244+
245+#ifdef CONFIG_PAX_ASLR
246+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
247+
248+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
249+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
250+#endif
251
252 /* When the program starts, a1 contains a pointer to a function to be
253 registered with atexit, as per the SVR4 ABI. A value of 0 means we
ae4e228f
MT
254diff -urNp linux-2.6.33.1/arch/arm/include/asm/kmap_types.h linux-2.6.33.1/arch/arm/include/asm/kmap_types.h
255--- linux-2.6.33.1/arch/arm/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
256+++ linux-2.6.33.1/arch/arm/include/asm/kmap_types.h 2010-03-20 16:58:38.444581130 -0400
58c5fc13
MT
257@@ -19,6 +19,7 @@ enum km_type {
258 KM_SOFTIRQ0,
259 KM_SOFTIRQ1,
260 KM_L2_CACHE,
261+ KM_CLEARPAGE,
262 KM_TYPE_NR
263 };
264
ae4e228f
MT
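--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
 
 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 if (access_ok(VERIFY_READ, from, n))
 n = __copy_from_user(to, from, n);
 else /* security hole - plug it */
@@ -412,6 +415,9 @@ static inline unsigned long __must_check
 
 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 if (access_ok(VERIFY_WRITE, to, n))
 n = __copy_to_user(to, from, n);
 return n;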
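Review bot: The new `if ((long)n < 0) return n;` guard in copy_from_user and copy_to_user has no comment, and the cast hides its purpose: it rejects any length with the top bit set, which is what a negative size becomes once converted to `unsigned long`. In copy_from_user the early return leaves `to` untouched, whereas the retained `else /* security hole - plug it */` branch suggests the access_ok failure path clears the destination (that statement is outside the hunk). Clearing is not possible with a bogus length, but a caller that mishandles the return value would then read stale kernel memory, so the difference is worth stating. Suggested comment: `/* n with the sign bit set is a negative length from a buggy caller: copy nothing and report all n bytes as uncopied */`.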
ae4e228f
MT
288diff -urNp linux-2.6.33.1/arch/arm/kernel/kgdb.c linux-2.6.33.1/arch/arm/kernel/kgdb.c
289--- linux-2.6.33.1/arch/arm/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
290+++ linux-2.6.33.1/arch/arm/kernel/kgdb.c 2010-03-20 16:58:38.468885430 -0400
291@@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
292 * and we handle the normal undef case within the do_undefinstr
293 * handler.
294 */
295-struct kgdb_arch arch_kgdb_ops = {
296+const struct kgdb_arch arch_kgdb_ops = {
297 #ifndef __ARMEB__
298 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
299 #else /* ! __ARMEB__ */
300diff -urNp linux-2.6.33.1/arch/arm/mach-at91/pm.c linux-2.6.33.1/arch/arm/mach-at91/pm.c
301--- linux-2.6.33.1/arch/arm/mach-at91/pm.c 2010-03-15 12:09:39.000000000 -0400
302+++ linux-2.6.33.1/arch/arm/mach-at91/pm.c 2010-03-20 16:58:38.468885430 -0400
303@@ -294,7 +294,7 @@ static void at91_pm_end(void)
304 }
305
306
307-static struct platform_suspend_ops at91_pm_ops ={
308+static const struct platform_suspend_ops at91_pm_ops ={
309 .valid = at91_pm_valid_state,
310 .begin = at91_pm_begin,
311 .enter = at91_pm_enter,
312diff -urNp linux-2.6.33.1/arch/arm/mach-omap1/pm.c linux-2.6.33.1/arch/arm/mach-omap1/pm.c
313--- linux-2.6.33.1/arch/arm/mach-omap1/pm.c 2010-03-15 12:09:39.000000000 -0400
314+++ linux-2.6.33.1/arch/arm/mach-omap1/pm.c 2010-03-20 16:58:38.472778666 -0400
315@@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
316
317
318
319-static struct platform_suspend_ops omap_pm_ops ={
320+static const struct platform_suspend_ops omap_pm_ops ={
321 .prepare = omap_pm_prepare,
322 .enter = omap_pm_enter,
323 .finish = omap_pm_finish,
324diff -urNp linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c
325--- linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c 2010-03-15 12:09:39.000000000 -0400
326+++ linux-2.6.33.1/arch/arm/mach-omap2/pm24xx.c 2010-03-20 16:58:38.476775080 -0400
327@@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
328 enable_hlt();
329 }
330
331-static struct platform_suspend_ops omap_pm_ops = {
332+static const struct platform_suspend_ops omap_pm_ops = {
333 .prepare = omap2_pm_prepare,
334 .enter = omap2_pm_enter,
335 .finish = omap2_pm_finish,
336diff -urNp linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c
337--- linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c 2010-03-15 12:09:39.000000000 -0400
338+++ linux-2.6.33.1/arch/arm/mach-omap2/pm34xx.c 2010-03-20 16:58:38.484767476 -0400
339@@ -650,7 +650,7 @@ static void omap3_pm_end(void)
340 return;
341 }
342
343-static struct platform_suspend_ops omap_pm_ops = {
344+static const struct platform_suspend_ops omap_pm_ops = {
345 .begin = omap3_pm_begin,
346 .end = omap3_pm_end,
347 .prepare = omap3_pm_prepare,
348diff -urNp linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c
349--- linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c 2010-03-15 12:09:39.000000000 -0400
350+++ linux-2.6.33.1/arch/arm/mach-pnx4008/pm.c 2010-03-20 16:58:38.488749331 -0400
351@@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
352 (state == PM_SUSPEND_MEM);
353 }
354
355-static struct platform_suspend_ops pnx4008_pm_ops = {
356+static const struct platform_suspend_ops pnx4008_pm_ops = {
357 .enter = pnx4008_pm_enter,
358 .valid = pnx4008_pm_valid,
359 };
360diff -urNp linux-2.6.33.1/arch/arm/mach-pxa/pm.c linux-2.6.33.1/arch/arm/mach-pxa/pm.c
361--- linux-2.6.33.1/arch/arm/mach-pxa/pm.c 2010-03-15 12:09:39.000000000 -0400
362+++ linux-2.6.33.1/arch/arm/mach-pxa/pm.c 2010-03-20 16:58:38.492744784 -0400
363@@ -95,7 +95,7 @@ void pxa_pm_finish(void)
364 pxa_cpu_pm_fns->finish();
365 }
366
367-static struct platform_suspend_ops pxa_pm_ops = {
368+static const struct platform_suspend_ops pxa_pm_ops = {
369 .valid = pxa_pm_valid,
370 .enter = pxa_pm_enter,
371 .prepare = pxa_pm_prepare,
372diff -urNp linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c
373--- linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c 2010-03-15 12:09:39.000000000 -0400
374+++ linux-2.6.33.1/arch/arm/mach-pxa/sharpsl_pm.c 2010-03-20 16:58:38.500761827 -0400
375@@ -892,7 +892,7 @@ static void sharpsl_apm_get_power_status
376 }
377
378 #ifdef CONFIG_PM
379-static struct platform_suspend_ops sharpsl_pm_ops = {
380+static const struct platform_suspend_ops sharpsl_pm_ops = {
381 .prepare = pxa_pm_prepare,
382 .finish = pxa_pm_finish,
383 .enter = corgi_pxa_pm_enter,
384diff -urNp linux-2.6.33.1/arch/arm/mach-sa1100/pm.c linux-2.6.33.1/arch/arm/mach-sa1100/pm.c
385--- linux-2.6.33.1/arch/arm/mach-sa1100/pm.c 2010-03-15 12:09:39.000000000 -0400
386+++ linux-2.6.33.1/arch/arm/mach-sa1100/pm.c 2010-03-20 16:58:38.504745508 -0400
387@@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
388 return virt_to_phys(sp);
389 }
390
391-static struct platform_suspend_ops sa11x0_pm_ops = {
392+static const struct platform_suspend_ops sa11x0_pm_ops = {
393 .enter = sa11x0_pm_enter,
394 .valid = suspend_valid_only_mem,
395 };
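--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
 }
 #endif
 
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (fsr & FSR_LNX_PF) {
+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
+ do_group_exit(SIGKILL);
+ }
+#endif
+
 tsk->thread.address = addr;
 tsk->thread.error_code = fsr;
 tsk->thread.trap_no = 14;
@@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
 }
 #endif /* CONFIG_MMU */
 
+#ifdef CONFIG_PAX_PAGEEXEC
+void pax_report_insns(void *pc, void *sp)
+{
+ long i;
+
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 20; i++) {
+ unsigned char c;
+ if (get_user(c, (__force unsigned char __user *)pc+i))
+ printk(KERN_CONT "?? ");
+ else
+ printk(KERN_CONT "%02x ", c);
+ }
+ printk("\n");
+
+ printk(KERN_ERR "PAX: bytes at SP-4: ");
+ for (i = -1; i < 20; i++) {
+ unsigned long c;
+ if (get_user(c, (__force unsigned long __user *)sp+i))
+ printk(KERN_CONT "???????? ");
+ else
+ printk(KERN_CONT "%08lx ", c);
+ }
+ printk("\n");
+}
+#endif
+
 /*
 * First Level Translation Fault Handler
 *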
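Review bot: The kill path added to __do_user_fault runs for every fault with `FSR_LNX_PF` set, without the per-task test that the alpha and avr32 hunks in this patch apply (`mm->pax_flags & MF_PAX_PAGEEXEC`). If the omission is not deliberate, a task with PAGEEXEC switched off would be SIGKILLed here instead of reaching the signal setup that follows. Consider `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`, assuming `tsk->mm` is valid at this point; the rest of the function lies outside the hunk. If the unconditional kill is intended, a one-line comment saying why ARM differs would help the next reviewer.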
447diff -urNp linux-2.6.33.1/arch/arm/mm/mmap.c linux-2.6.33.1/arch/arm/mm/mmap.c
448--- linux-2.6.33.1/arch/arm/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
449+++ linux-2.6.33.1/arch/arm/mm/mmap.c 2010-03-20 16:58:38.512762145 -0400
450@@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT
451 if (len > TASK_SIZE)
452 return -ENOMEM;
453
454+#ifdef CONFIG_PAX_RANDMMAP
455+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
456+#endif
457+
458 if (addr) {
459 if (do_align)
460 addr = COLOUR_ALIGN(addr, pgoff);
ae4e228f 461@@ -75,10 +79,10 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT
462 return addr;
463 }
464 if (len > mm->cached_hole_size) {
465- start_addr = addr = mm->free_area_cache;
466+ start_addr = addr = mm->free_area_cache;
467 } else {
468- start_addr = addr = TASK_UNMAPPED_BASE;
469- mm->cached_hole_size = 0;
470+ start_addr = addr = mm->mmap_base;
471+ mm->cached_hole_size = 0;
472 }
473
474 full_search:
ae4e228f 475@@ -94,8 +98,8 @@ full_search:
58c5fc13
MT
476 * Start a new search - just in case we missed
477 * some holes.
478 */
479- if (start_addr != TASK_UNMAPPED_BASE) {
480- start_addr = addr = TASK_UNMAPPED_BASE;
481+ if (start_addr != mm->mmap_base) {
482+ start_addr = addr = mm->mmap_base;
483 mm->cached_hole_size = 0;
484 goto full_search;
485 }
ae4e228f
MT
486diff -urNp linux-2.6.33.1/arch/arm/plat-s3c/pm.c linux-2.6.33.1/arch/arm/plat-s3c/pm.c
487--- linux-2.6.33.1/arch/arm/plat-s3c/pm.c 2010-03-15 12:09:39.000000000 -0400
488+++ linux-2.6.33.1/arch/arm/plat-s3c/pm.c 2010-03-20 16:58:38.533259132 -0400
489@@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
490 s3c_pm_check_cleanup();
491 }
492
493-static struct platform_suspend_ops s3c_pm_ops = {
494+static const struct platform_suspend_ops s3c_pm_ops = {
495 .enter = s3c_pm_enter,
496 .prepare = s3c_pm_prepare,
497 .finish = s3c_pm_finish,
498diff -urNp linux-2.6.33.1/arch/avr32/include/asm/elf.h linux-2.6.33.1/arch/avr32/include/asm/elf.h
499--- linux-2.6.33.1/arch/avr32/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
500+++ linux-2.6.33.1/arch/avr32/include/asm/elf.h 2010-03-20 16:58:38.533259132 -0400
501@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
58c5fc13
MT
502 the loader. We need to make sure that it is out of the way of the program
503 that it will "exec", and that there is sufficient room for the brk. */
504
505-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
506+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
507
508+#ifdef CONFIG_PAX_ASLR
509+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
510+
511+#define PAX_DELTA_MMAP_LEN 15
512+#define PAX_DELTA_STACK_LEN 15
513+#endif
514
515 /* This yields a mask that user programs can use to figure out what
516 instruction set this CPU supports. This could be done in user space,
ae4e228f
MT
517diff -urNp linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h
518--- linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
519+++ linux-2.6.33.1/arch/avr32/include/asm/kmap_types.h 2010-03-20 16:58:38.533259132 -0400
58c5fc13
MT
520@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
521 D(11) KM_IRQ1,
522 D(12) KM_SOFTIRQ0,
523 D(13) KM_SOFTIRQ1,
524-D(14) KM_TYPE_NR
525+D(14) KM_CLEARPAGE,
526+D(15) KM_TYPE_NR
527 };
528
529 #undef D
ae4e228f
MT
530diff -urNp linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c
531--- linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c 2010-03-15 12:09:39.000000000 -0400
532+++ linux-2.6.33.1/arch/avr32/mach-at32ap/pm.c 2010-03-20 16:58:38.533259132 -0400
533@@ -176,7 +176,7 @@ out:
534 return 0;
535 }
536
537-static struct platform_suspend_ops avr32_pm_ops = {
538+static const struct platform_suspend_ops avr32_pm_ops = {
539 .valid = avr32_pm_valid_state,
540 .enter = avr32_pm_enter,
541 };
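--- a/arch/avr32/mm/fault.c
+++ b/arch/avr32/mm/fault.c
@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
 
 int exception_trace = 1;
 
+#ifdef CONFIG_PAX_PAGEEXEC
+void pax_report_insns(void *pc, void *sp)
+{
+ unsigned long i;
+
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 20; i++) {
+ unsigned char c;
+ if (get_user(c, (unsigned char *)pc+i))
+ printk(KERN_CONT "???????? ");
+ else
+ printk(KERN_CONT "%02x ", c);
+ }
+ printk("\n");
+}
+#endif
+
 /*
 * This routine handles page faults. It determines the address and the
 * problem, and then passes it off to one of the appropriate routines.
@@ -157,6 +174,16 @@ bad_area:
 up_read(&mm->mmap_sem);
 
 if (user_mode(regs)) {
+
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
+ do_group_exit(SIGKILL);
+ }
+ }
+#endif
+
 if (exception_trace && printk_ratelimit())
 printk("%s%s[%d]: segfault at %08lx pc %08lx "
 "sp %08lx ecr %lu\n",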
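Review bot: pax_report_insns reads one `unsigned char` per iteration and prints it with `"%02x "`, but its failure branch prints `"???????? "`, an eight-character placeholder; the arm version in this patch uses `"?? "` for the same byte-wise dump. A PC dump with some unreadable bytes will therefore be misaligned, which makes the kill report harder to read and to parse. Change the placeholder to `printk(KERN_CONT "?? ");`. The cast `(unsigned char *)pc+i` also drops the `__user` annotation the arm version carries, and `sp` is unused here.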
ae4e228f
MT
586diff -urNp linux-2.6.33.1/arch/blackfin/kernel/kgdb.c linux-2.6.33.1/arch/blackfin/kernel/kgdb.c
587--- linux-2.6.33.1/arch/blackfin/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
588+++ linux-2.6.33.1/arch/blackfin/kernel/kgdb.c 2010-03-20 16:58:38.533259132 -0400
589@@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
590 return -1; /* this means that we do not want to exit from the handler */
58c5fc13
MT
591 }
592
ae4e228f
MT
593-struct kgdb_arch arch_kgdb_ops = {
594+const struct kgdb_arch arch_kgdb_ops = {
595 .gdb_bpt_instr = {0xa1},
596 #ifdef CONFIG_SMP
597 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
598diff -urNp linux-2.6.33.1/arch/blackfin/mach-common/pm.c linux-2.6.33.1/arch/blackfin/mach-common/pm.c
599--- linux-2.6.33.1/arch/blackfin/mach-common/pm.c 2010-03-15 12:09:39.000000000 -0400
600+++ linux-2.6.33.1/arch/blackfin/mach-common/pm.c 2010-03-20 16:58:38.533259132 -0400
601@@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
58c5fc13
MT
602 return 0;
603 }
604
ae4e228f
MT
605-struct platform_suspend_ops bfin_pm_ops = {
606+const struct platform_suspend_ops bfin_pm_ops = {
607 .enter = bfin_pm_enter,
608 .valid = bfin_pm_valid,
609 };
610diff -urNp linux-2.6.33.1/arch/blackfin/mm/maccess.c linux-2.6.33.1/arch/blackfin/mm/maccess.c
611--- linux-2.6.33.1/arch/blackfin/mm/maccess.c 2010-03-15 12:09:39.000000000 -0400
612+++ linux-2.6.33.1/arch/blackfin/mm/maccess.c 2010-03-20 16:58:38.536529376 -0400
613@@ -16,7 +16,7 @@ static int validate_memory_access_addres
614 return bfin_mem_access_type(addr, size);
58c5fc13
MT
615 }
616
ae4e228f
MT
617-long probe_kernel_read(void *dst, void *src, size_t size)
618+long probe_kernel_read(void *dst, const void *src, size_t size)
58c5fc13 619 {
ae4e228f
MT
620 unsigned long lsrc = (unsigned long)src;
621 int mem_type;
622@@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
623 return -EFAULT;
58c5fc13
MT
624 }
625
ae4e228f
MT
626-long probe_kernel_write(void *dst, void *src, size_t size)
627+long probe_kernel_write(void *dst, const void *src, size_t size)
58c5fc13 628 {
ae4e228f
MT
629 unsigned long ldst = (unsigned long)dst;
630 int mem_type;
631diff -urNp linux-2.6.33.1/arch/frv/include/asm/kmap_types.h linux-2.6.33.1/arch/frv/include/asm/kmap_types.h
632--- linux-2.6.33.1/arch/frv/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
633+++ linux-2.6.33.1/arch/frv/include/asm/kmap_types.h 2010-03-20 16:58:38.536529376 -0400
58c5fc13
MT
634@@ -23,6 +23,7 @@ enum km_type {
635 KM_IRQ1,
636 KM_SOFTIRQ0,
637 KM_SOFTIRQ1,
638+ KM_CLEARPAGE,
639 KM_TYPE_NR
640 };
641
ae4e228f
MT
642diff -urNp linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c
643--- linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c 2010-03-15 12:09:39.000000000 -0400
644+++ linux-2.6.33.1/arch/ia64/hp/common/hwsw_iommu.c 2010-03-20 16:58:38.544753181 -0400
645@@ -17,7 +17,7 @@
646 #include <linux/swiotlb.h>
647 #include <asm/machvec.h>
58c5fc13 648
ae4e228f
MT
649-extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
650+extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
58c5fc13 651
ae4e228f
MT
652 /* swiotlb declarations & definitions: */
653 extern int swiotlb_late_init_with_default_size (size_t size);
654@@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
655 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
58c5fc13
MT
656 }
657
ae4e228f
MT
658-struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
659+const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
660 {
661 if (use_swiotlb(dev))
662 return &swiotlb_dma_ops;
663diff -urNp linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c
664--- linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c 2010-03-15 12:09:39.000000000 -0400
665+++ linux-2.6.33.1/arch/ia64/hp/common/sba_iommu.c 2010-03-20 16:58:38.552757823 -0400
666@@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
667 },
668 };
58c5fc13 669
ae4e228f
MT
670-extern struct dma_map_ops swiotlb_dma_ops;
671+extern const struct dma_map_ops swiotlb_dma_ops;
58c5fc13 672
ae4e228f
MT
673 static int __init
674 sba_init(void)
675@@ -2211,7 +2211,7 @@ sba_page_override(char *str)
58c5fc13 676
ae4e228f 677 __setup("sbapagesize=",sba_page_override);
58c5fc13 678
ae4e228f
MT
679-struct dma_map_ops sba_dma_ops = {
680+const struct dma_map_ops sba_dma_ops = {
681 .alloc_coherent = sba_alloc_coherent,
682 .free_coherent = sba_free_coherent,
683 .map_page = sba_map_page,
684diff -urNp linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c
685--- linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c 2010-03-15 12:09:39.000000000 -0400
686+++ linux-2.6.33.1/arch/ia64/ia32/binfmt_elf32.c 2010-03-20 16:58:38.556766787 -0400
58c5fc13
MT
687@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
688
689 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
690
691+#ifdef CONFIG_PAX_ASLR
692+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
693+
694+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
695+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
696+#endif
697+
698 /* Ugly but avoids duplication */
699 #include "../../../fs/binfmt_elf.c"
700
ae4e228f
MT
701diff -urNp linux-2.6.33.1/arch/ia64/ia32/ia32priv.h linux-2.6.33.1/arch/ia64/ia32/ia32priv.h
702--- linux-2.6.33.1/arch/ia64/ia32/ia32priv.h 2010-03-15 12:09:39.000000000 -0400
703+++ linux-2.6.33.1/arch/ia64/ia32/ia32priv.h 2010-03-20 16:58:38.556766787 -0400
58c5fc13
MT
704@@ -296,7 +296,14 @@ typedef struct compat_siginfo {
705 #define ELF_DATA ELFDATA2LSB
706 #define ELF_ARCH EM_386
707
708-#define IA32_STACK_TOP IA32_PAGE_OFFSET
709+#ifdef CONFIG_PAX_RANDUSTACK
710+#define __IA32_DELTA_STACK (current->mm->delta_stack)
711+#else
712+#define __IA32_DELTA_STACK 0UL
713+#endif
714+
715+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
716+
717 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
718 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
719
ae4e228f
MT
720diff -urNp linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h
721--- linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
722+++ linux-2.6.33.1/arch/ia64/include/asm/dma-mapping.h 2010-03-20 16:58:38.564763179 -0400
723@@ -12,7 +12,7 @@
58c5fc13 724
ae4e228f
MT
725 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
726
727-extern struct dma_map_ops *dma_ops;
728+extern const struct dma_map_ops *dma_ops;
729 extern struct ia64_machine_vector ia64_mv;
730 extern void set_iommu_machvec(void);
58c5fc13 731
ae4e228f
MT
732@@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
733 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
734 dma_addr_t *daddr, gfp_t gfp)
735 {
736- struct dma_map_ops *ops = platform_dma_get_ops(dev);
737+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
738 void *caddr;
739
740 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
741@@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
742 static inline void dma_free_coherent(struct device *dev, size_t size,
743 void *caddr, dma_addr_t daddr)
744 {
745- struct dma_map_ops *ops = platform_dma_get_ops(dev);
746+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
747 debug_dma_free_coherent(dev, size, caddr, daddr);
748 ops->free_coherent(dev, size, caddr, daddr);
749 }
750@@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
751
752 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
753 {
754- struct dma_map_ops *ops = platform_dma_get_ops(dev);
755+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
756 return ops->mapping_error(dev, daddr);
757 }
758
759 static inline int dma_supported(struct device *dev, u64 mask)
760 {
761- struct dma_map_ops *ops = platform_dma_get_ops(dev);
762+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
763 return ops->dma_supported(dev, mask);
764 }
765
766diff -urNp linux-2.6.33.1/arch/ia64/include/asm/elf.h linux-2.6.33.1/arch/ia64/include/asm/elf.h
767--- linux-2.6.33.1/arch/ia64/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
768+++ linux-2.6.33.1/arch/ia64/include/asm/elf.h 2010-03-20 16:58:38.564763179 -0400
769@@ -42,6 +42,13 @@
58c5fc13
MT
770 */
771 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
772
773+#ifdef CONFIG_PAX_ASLR
774+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
775+
776+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
777+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
778+#endif
779+
780 #define PT_IA_64_UNWIND 0x70000001
781
782 /* IA-64 relocations: */
ae4e228f
MT
783diff -urNp linux-2.6.33.1/arch/ia64/include/asm/machvec.h linux-2.6.33.1/arch/ia64/include/asm/machvec.h
784--- linux-2.6.33.1/arch/ia64/include/asm/machvec.h 2010-03-15 12:09:39.000000000 -0400
785+++ linux-2.6.33.1/arch/ia64/include/asm/machvec.h 2010-03-20 16:58:38.568641931 -0400
786@@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
787 /* DMA-mapping interface: */
788 typedef void ia64_mv_dma_init (void);
789 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
790-typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
791+typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
792
793 /*
794 * WARNING: The legacy I/O space is _architected_. Platforms are
795@@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
796 # endif /* CONFIG_IA64_GENERIC */
797
798 extern void swiotlb_dma_init(void);
799-extern struct dma_map_ops *dma_get_ops(struct device *);
800+extern const struct dma_map_ops *dma_get_ops(struct device *);
801
802 /*
803 * Define default versions so we can extend machvec for new platforms without having
804diff -urNp linux-2.6.33.1/arch/ia64/include/asm/pgtable.h linux-2.6.33.1/arch/ia64/include/asm/pgtable.h
805--- linux-2.6.33.1/arch/ia64/include/asm/pgtable.h 2010-03-15 12:09:39.000000000 -0400
806+++ linux-2.6.33.1/arch/ia64/include/asm/pgtable.h 2010-03-20 16:58:38.568641931 -0400
58c5fc13
MT
807@@ -143,6 +143,17 @@
808 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
809 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
810 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
811+
812+#ifdef CONFIG_PAX_PAGEEXEC
813+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
814+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
815+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
816+#else
817+# define PAGE_SHARED_NOEXEC PAGE_SHARED
818+# define PAGE_READONLY_NOEXEC PAGE_READONLY
819+# define PAGE_COPY_NOEXEC PAGE_COPY
820+#endif
821+
822 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
823 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
824 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
ae4e228f
MT
825diff -urNp linux-2.6.33.1/arch/ia64/include/asm/uaccess.h linux-2.6.33.1/arch/ia64/include/asm/uaccess.h
826--- linux-2.6.33.1/arch/ia64/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
827+++ linux-2.6.33.1/arch/ia64/include/asm/uaccess.h 2010-03-20 16:58:38.568641931 -0400
58c5fc13
MT
828@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
829 const void *__cu_from = (from); \
830 long __cu_len = (n); \
831 \
832- if (__access_ok(__cu_to, __cu_len, get_fs())) \
ae4e228f 833+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
58c5fc13
MT
834 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
835 __cu_len; \
836 })
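Review bot: The new length guard `__cu_len > 0 && __cu_len <= INT_MAX` has no comment explaining the bound, here or in the matching hunk at -269 that follows. Since `__cu_len` is a `long`, the check rejects negative values (typically a sign-converted or underflowed size) and anything above 2 GiB, and a rejected call returns the full length as "not copied" without touching the destination. I would add a comment above the `if`, such as `/* reject negative or implausibly large lengths before access_ok() */`. Both macros start and end outside these hunks.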
837@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
838 long __cu_len = (n); \
839 \
840 __chk_user_ptr(__cu_from); \
841- if (__access_ok(__cu_from, __cu_len, get_fs())) \
ae4e228f 842+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
58c5fc13
MT
843 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
844 __cu_len; \
845 })
ae4e228f
MT
846diff -urNp linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c
847--- linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c 2010-03-15 12:09:39.000000000 -0400
848+++ linux-2.6.33.1/arch/ia64/kernel/dma-mapping.c 2010-03-20 16:58:38.568641931 -0400
849@@ -3,7 +3,7 @@
850 /* Set this to 1 if there is a HW IOMMU in the system */
851 int iommu_detected __read_mostly;
852
853-struct dma_map_ops *dma_ops;
854+const struct dma_map_ops *dma_ops;
855 EXPORT_SYMBOL(dma_ops);
856
857 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
858@@ -16,7 +16,7 @@ static int __init dma_init(void)
859 }
860 fs_initcall(dma_init);
861
862-struct dma_map_ops *dma_get_ops(struct device *dev)
863+const struct dma_map_ops *dma_get_ops(struct device *dev)
864 {
865 return dma_ops;
866 }
867diff -urNp linux-2.6.33.1/arch/ia64/kernel/module.c linux-2.6.33.1/arch/ia64/kernel/module.c
868--- linux-2.6.33.1/arch/ia64/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
869+++ linux-2.6.33.1/arch/ia64/kernel/module.c 2010-03-20 16:58:38.576761283 -0400
58c5fc13
MT
870@@ -315,8 +315,7 @@ module_alloc (unsigned long size)
871 void
872 module_free (struct module *mod, void *module_region)
873 {
874- if (mod && mod->arch.init_unw_table &&
875- module_region == mod->module_init) {
876+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
877 unw_remove_unwind_table(mod->arch.init_unw_table);
878 mod->arch.init_unw_table = NULL;
879 }
880@@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
881 }
882
883 static inline int
884+in_init_rx (const struct module *mod, uint64_t addr)
885+{
886+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
887+}
888+
889+static inline int
890+in_init_rw (const struct module *mod, uint64_t addr)
891+{
892+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
893+}
894+
895+static inline int
896 in_init (const struct module *mod, uint64_t addr)
897 {
898- return addr - (uint64_t) mod->module_init < mod->init_size;
899+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
900+}
901+
902+static inline int
903+in_core_rx (const struct module *mod, uint64_t addr)
904+{
905+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
906+}
907+
908+static inline int
909+in_core_rw (const struct module *mod, uint64_t addr)
910+{
911+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
912 }
913
914 static inline int
915 in_core (const struct module *mod, uint64_t addr)
916 {
917- return addr - (uint64_t) mod->module_core < mod->core_size;
918+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
919 }
920
921 static inline int
922@@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
923 break;
924
925 case RV_BDREL:
926- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
927+ if (in_init_rx(mod, val))
928+ val -= (uint64_t) mod->module_init_rx;
929+ else if (in_init_rw(mod, val))
930+ val -= (uint64_t) mod->module_init_rw;
931+ else if (in_core_rx(mod, val))
932+ val -= (uint64_t) mod->module_core_rx;
933+ else if (in_core_rw(mod, val))
934+ val -= (uint64_t) mod->module_core_rw;
935 break;
936
937 case RV_LTV:
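Review bot: The new RV_BDREL chain has no final `else`, so a `val` that lies in none of the four regions is left as an absolute address and the relocation is applied anyway. The removed line always subtracted a base (`module_core` as the fallback), so this is a behaviour change for out-of-range targets. I would add a closing `else` that reports the address and fails the relocation in the same way as do_reloc's other error paths, which are not visible in this hunk.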
938@@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
939 * addresses have been selected...
940 */
941 uint64_t gp;
942- if (mod->core_size > MAX_LTOFF)
943+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
944 /*
945 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
946 * at the end of the module.
947 */
948- gp = mod->core_size - MAX_LTOFF / 2;
949+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
950 else
951- gp = mod->core_size / 2;
952- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
953+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
954+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
955 mod->arch.gp = gp;
956 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
957 }
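Review bot: The gp computation now offsets from `mod->module_core_rx` by a value derived from `core_size_rx + core_size_rw`, which is only meaningful if the rw region directly follows the rx region in memory. If the two are separate allocations, gp can land in neither, and the existing comment about SHF_ARCH_SMALL being "at the end of the module" no longer says which region it means. Either state the layout assumption in a comment next to the computation or derive gp from the region that actually holds the small-data sections. The allocation code is outside this hunk, so the layout needs confirming there.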
ae4e228f
MT
958diff -urNp linux-2.6.33.1/arch/ia64/kernel/pci-dma.c linux-2.6.33.1/arch/ia64/kernel/pci-dma.c
959--- linux-2.6.33.1/arch/ia64/kernel/pci-dma.c 2010-03-15 12:09:39.000000000 -0400
960+++ linux-2.6.33.1/arch/ia64/kernel/pci-dma.c 2010-03-20 16:58:38.576761283 -0400
961@@ -43,7 +43,7 @@ struct device fallback_dev = {
962 .dma_mask = &fallback_dev.coherent_dma_mask,
963 };
964
965-extern struct dma_map_ops intel_dma_ops;
966+extern const struct dma_map_ops intel_dma_ops;
967
968 static int __init pci_iommu_init(void)
969 {
970diff -urNp linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c
971--- linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c 2010-03-15 12:09:39.000000000 -0400
972+++ linux-2.6.33.1/arch/ia64/kernel/pci-swiotlb.c 2010-03-20 16:58:38.576761283 -0400
973@@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
974 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
975 }
976
977-struct dma_map_ops swiotlb_dma_ops = {
978+const struct dma_map_ops swiotlb_dma_ops = {
979 .alloc_coherent = ia64_swiotlb_alloc_coherent,
980 .free_coherent = swiotlb_free_coherent,
981 .map_page = swiotlb_map_page,
982diff -urNp linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c
983--- linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c 2010-03-15 12:09:39.000000000 -0400
984+++ linux-2.6.33.1/arch/ia64/kernel/sys_ia64.c 2010-03-20 16:58:38.584549337 -0400
58c5fc13
MT
985@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
986 if (REGION_NUMBER(addr) == RGN_HPAGE)
987 addr = 0;
988 #endif
989+
990+#ifdef CONFIG_PAX_RANDMMAP
991+ if (mm->pax_flags & MF_PAX_RANDMMAP)
992+ addr = mm->free_area_cache;
993+ else
994+#endif
995+
996 if (!addr)
997 addr = mm->free_area_cache;
998
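Review bot: The added block ends in a bare `else` just before `#endif`, so the existing `if (!addr)` becomes the else-branch only when CONFIG_PAX_RANDMMAP is set. That control flow is easy to misread, and a later edit between the `#endif` and the `if` would break it. I would put a comment on the `else`, for example `else /* falls through to the if (!addr) below */`, or restructure so the condition is complete inside the `#ifdef`. The arch/mips/kernel/syscall.c hunk at -102 uses the same pattern, with a bare `if (...)` before `#endif`. Under RANDMMAP the caller's address hint is discarded here, which also merits a one-line comment.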
999@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
1000 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1001 /* At this point: (!vma || addr < vma->vm_end). */
1002 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1003- if (start_addr != TASK_UNMAPPED_BASE) {
1004+ if (start_addr != mm->mmap_base) {
1005 /* Start a new search --- just in case we missed some holes. */
1006- addr = TASK_UNMAPPED_BASE;
1007+ addr = mm->mmap_base;
1008 goto full_search;
1009 }
1010 return -ENOMEM;
ae4e228f
MT
1011diff -urNp linux-2.6.33.1/arch/ia64/kernel/topology.c linux-2.6.33.1/arch/ia64/kernel/topology.c
1012--- linux-2.6.33.1/arch/ia64/kernel/topology.c 2010-03-15 12:09:39.000000000 -0400
1013+++ linux-2.6.33.1/arch/ia64/kernel/topology.c 2010-03-20 16:58:38.584549337 -0400
1014@@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1015 return ret;
1016 }
1017
1018-static struct sysfs_ops cache_sysfs_ops = {
1019+static const struct sysfs_ops cache_sysfs_ops = {
1020 .show = cache_show
1021 };
1022
1023diff -urNp linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S
1024--- linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S 2010-03-15 12:09:39.000000000 -0400
1025+++ linux-2.6.33.1/arch/ia64/kernel/vmlinux.lds.S 2010-03-20 16:58:38.584549337 -0400
1026@@ -196,7 +196,7 @@ SECTIONS
1027 /* Per-cpu data: */
1028 . = ALIGN(PERCPU_PAGE_SIZE);
1029 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1030- __phys_per_cpu_start = __per_cpu_load;
1031+ __phys_per_cpu_start = per_cpu_load;
1032 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1033 * into percpu page size
1034 */
1035diff -urNp linux-2.6.33.1/arch/ia64/mm/fault.c linux-2.6.33.1/arch/ia64/mm/fault.c
1036--- linux-2.6.33.1/arch/ia64/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
1037+++ linux-2.6.33.1/arch/ia64/mm/fault.c 2010-03-20 16:58:38.584549337 -0400
58c5fc13
MT
1038@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1039 return pte_present(pte);
1040 }
1041
1042+#ifdef CONFIG_PAX_PAGEEXEC
1043+void pax_report_insns(void *pc, void *sp)
1044+{
1045+ unsigned long i;
1046+
1047+ printk(KERN_ERR "PAX: bytes at PC: ");
1048+ for (i = 0; i < 8; i++) {
1049+ unsigned int c;
1050+ if (get_user(c, (unsigned int *)pc+i))
1051+ printk(KERN_CONT "???????? ");
1052+ else
1053+ printk(KERN_CONT "%08x ", c);
1054+ }
1055+ printk("\n");
1056+}
1057+#endif
1058+
1059 void __kprobes
1060 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1061 {
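Review bot: In pax_report_insns the closing `printk("\n")` has no `KERN_CONT`, unlike the other continuation prints in the loop, and the `sp` parameter is never used. I would write `printk(KERN_CONT "\n");` and either drop `sp` or note that it exists only to match a shared prototype. The user pointer passed to get_user is cast without `__user`, so `(unsigned int __user *)pc + i` would keep sparse quiet. The arch/mips/mm/fault.c copy has the same final printk.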
1062@@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1063 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1064 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1065
1066- if ((vma->vm_flags & mask) != mask)
1067+ if ((vma->vm_flags & mask) != mask) {
1068+
1069+#ifdef CONFIG_PAX_PAGEEXEC
1070+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1071+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1072+ goto bad_area;
1073+
1074+ up_read(&mm->mmap_sem);
1075+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1076+ do_group_exit(SIGKILL);
1077+ }
1078+#endif
1079+
1080 goto bad_area;
1081
1082+ }
1083+
1084 survive:
1085 /*
1086 * If for any reason at all we couldn't handle the fault, make
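Review bot: After `up_read(&mm->mmap_sem)` the new block calls `do_group_exit(SIGKILL)` and then appears to fall out of the inner `if` into `goto bad_area` with the semaphore already released. That is safe only because do_group_exit does not return, which a reader of this hunk has to know. I would add `/* does not return */` after the call so the lock state on the following `goto` is not questioned. ia64_do_page_fault starts and ends outside the hunk.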
ae4e228f
MT
1087diff -urNp linux-2.6.33.1/arch/ia64/mm/init.c linux-2.6.33.1/arch/ia64/mm/init.c
1088--- linux-2.6.33.1/arch/ia64/mm/init.c 2010-03-15 12:09:39.000000000 -0400
1089+++ linux-2.6.33.1/arch/ia64/mm/init.c 2010-03-20 16:58:38.584549337 -0400
58c5fc13
MT
1090@@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1091 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1092 vma->vm_end = vma->vm_start + PAGE_SIZE;
1093 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1094+
1095+#ifdef CONFIG_PAX_PAGEEXEC
1096+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1097+ vma->vm_flags &= ~VM_EXEC;
1098+
1099+#ifdef CONFIG_PAX_MPROTECT
1100+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
1101+ vma->vm_flags &= ~VM_MAYEXEC;
1102+#endif
1103+
1104+ }
1105+#endif
1106+
1107 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1108 down_write(&current->mm->mmap_sem);
1109 if (insert_vm_struct(current->mm, vma)) {
ae4e228f
MT
1110diff -urNp linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c
1111--- linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c 2010-03-15 12:09:39.000000000 -0400
1112+++ linux-2.6.33.1/arch/ia64/sn/pci/pci_dma.c 2010-03-20 16:58:38.584549337 -0400
1113@@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1114 return ret;
58c5fc13
MT
1115 }
1116
ae4e228f
MT
1117-static struct dma_map_ops sn_dma_ops = {
1118+static const struct dma_map_ops sn_dma_ops = {
1119 .alloc_coherent = sn_dma_alloc_coherent,
1120 .free_coherent = sn_dma_free_coherent,
1121 .map_page = sn_dma_map_page,
1122diff -urNp linux-2.6.33.1/arch/m32r/lib/usercopy.c linux-2.6.33.1/arch/m32r/lib/usercopy.c
1123--- linux-2.6.33.1/arch/m32r/lib/usercopy.c 2010-03-15 12:09:39.000000000 -0400
1124+++ linux-2.6.33.1/arch/m32r/lib/usercopy.c 2010-03-20 16:58:38.584549337 -0400
58c5fc13
MT
1125@@ -14,6 +14,9 @@
1126 unsigned long
1127 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1128 {
1129+ if ((long)n < 0)
1130+ return n;
1131+
1132 prefetch(from);
1133 if (access_ok(VERIFY_WRITE, to, n))
1134 __copy_user(to,from,n);
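Review bot: The added `if ((long)n < 0) return n;` has no comment, here or in the matching __generic_copy_from_user hunk that follows. It rejects any length with the top bit set, which normally means a negative or underflowed size converted to `unsigned long`, and reports all `n` bytes as uncopied. A one-line comment such as `/* a length that is negative as a signed value is a caller bug; copy nothing */` would make the intent clear. In the copy_from_user variant the early return also skips the zeroing path, so a caller that ignores the return value is left with an untouched destination buffer. Both function bodies continue outside their hunks.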
1135@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1136 unsigned long
1137 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1138 {
1139+ if ((long)n < 0)
1140+ return n;
1141+
1142 prefetchw(to);
1143 if (access_ok(VERIFY_READ, from, n))
1144 __copy_user_zeroing(to,from,n);
ae4e228f
MT
1145diff -urNp linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c
1146--- linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c 2010-03-15 12:09:39.000000000 -0400
1147+++ linux-2.6.33.1/arch/mips/alchemy/devboards/pm.c 2010-03-20 16:58:38.588679980 -0400
1148@@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1149
1150 }
1151
1152-static struct platform_suspend_ops db1x_pm_ops = {
1153+static const struct platform_suspend_ops db1x_pm_ops = {
1154 .valid = suspend_valid_only_mem,
1155 .begin = db1x_pm_begin,
1156 .enter = db1x_pm_enter,
1157diff -urNp linux-2.6.33.1/arch/mips/include/asm/elf.h linux-2.6.33.1/arch/mips/include/asm/elf.h
1158--- linux-2.6.33.1/arch/mips/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
1159+++ linux-2.6.33.1/arch/mips/include/asm/elf.h 2010-03-20 16:58:38.588679980 -0400
1160@@ -367,4 +367,11 @@ extern int dump_task_fpu(struct task_str
58c5fc13
MT
1161 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1162 #endif
1163
1164+#ifdef CONFIG_PAX_ASLR
1165+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1166+
1167+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1168+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1169+#endif
1170+
1171 #endif /* _ASM_ELF_H */
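Review bot: Both arms of the ternary in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect on the result. Either the 64-bit base was meant to differ, or the macro should simply be `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The same three definitions are repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks. There the 64-bit arms of the two DELTA macros look unreachable as well, given that both files set `ELF_ET_DYN_BASE` from `TASK32_SIZE`.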
ae4e228f
MT
1172diff -urNp linux-2.6.33.1/arch/mips/include/asm/page.h linux-2.6.33.1/arch/mips/include/asm/page.h
1173--- linux-2.6.33.1/arch/mips/include/asm/page.h 2010-03-15 12:09:39.000000000 -0400
1174+++ linux-2.6.33.1/arch/mips/include/asm/page.h 2010-03-20 16:58:38.592758361 -0400
1175@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
58c5fc13
MT
1176 #ifdef CONFIG_CPU_MIPS32
1177 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1178 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1179- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1180+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1181 #else
1182 typedef struct { unsigned long long pte; } pte_t;
1183 #define pte_val(x) ((x).pte)
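Review bot: The new `__pte(x)` shifts `(x) >> 32` without first widening, and this branch is for CONFIG_CPU_MIPS32, where `pte_low`/`pte_high` are `unsigned long`. If a caller passes a 32-bit value, shifting by the full width of the type is undefined behaviour in C and compilers may warn or produce a nonzero `pte_high`. The removed form `((unsigned long long)(x)) >> 32` was well-defined for every argument type. Unless all callers are known to pass a 64-bit value (not visible here), I would keep the cast.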
ae4e228f
MT
1184diff -urNp linux-2.6.33.1/arch/mips/include/asm/system.h linux-2.6.33.1/arch/mips/include/asm/system.h
1185--- linux-2.6.33.1/arch/mips/include/asm/system.h 2010-03-15 12:09:39.000000000 -0400
1186+++ linux-2.6.33.1/arch/mips/include/asm/system.h 2010-03-20 16:58:38.592758361 -0400
1187@@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
58c5fc13
MT
1188 */
1189 #define __ARCH_WANT_UNLOCKED_CTXSW
1190
1191-extern unsigned long arch_align_stack(unsigned long sp);
1192+#define arch_align_stack(x) ((x) & ALMASK)
1193
1194 #endif /* _ASM_SYSTEM_H */
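Review bot: The macro `arch_align_stack(x) ((x) & ALMASK)` keeps only the alignment step. The function it replaces, removed in the process.c hunk, also subtracted `get_random_int() & ~PAGE_MASK` when randomization was enabled. Kernels built from this tree without the PaX stack randomization option therefore lose the sub-page stack offset they had before. If that is intended because randomization is applied elsewhere in the patch, say so in a comment above the macro; otherwise the macro should be conditional on the PaX option. The 8-byte/16-byte ABI alignment comment deleted from process.c should also move here.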
ae4e228f
MT
1195diff -urNp linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c
1196--- linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c 2010-03-15 12:09:39.000000000 -0400
1197+++ linux-2.6.33.1/arch/mips/kernel/binfmt_elfn32.c 2010-03-20 16:58:38.592758361 -0400
58c5fc13
MT
1198@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1199 #undef ELF_ET_DYN_BASE
1200 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1201
1202+#ifdef CONFIG_PAX_ASLR
1203+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1204+
1205+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1206+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1207+#endif
1208+
1209 #include <asm/processor.h>
1210 #include <linux/module.h>
1211 #include <linux/elfcore.h>
ae4e228f
MT
1212diff -urNp linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c
1213--- linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c 2010-03-15 12:09:39.000000000 -0400
1214+++ linux-2.6.33.1/arch/mips/kernel/binfmt_elfo32.c 2010-03-20 16:58:38.592758361 -0400
58c5fc13
MT
1215@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1216 #undef ELF_ET_DYN_BASE
1217 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1218
1219+#ifdef CONFIG_PAX_ASLR
1220+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1221+
1222+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1223+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1224+#endif
1225+
1226 #include <asm/processor.h>
1227
1228 /*
ae4e228f
MT
1229diff -urNp linux-2.6.33.1/arch/mips/kernel/kgdb.c linux-2.6.33.1/arch/mips/kernel/kgdb.c
1230--- linux-2.6.33.1/arch/mips/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
1231+++ linux-2.6.33.1/arch/mips/kernel/kgdb.c 2010-03-20 16:58:38.592758361 -0400
1232@@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1233 return -1;
1234 }
1235
1236+/* cannot be const */
1237 struct kgdb_arch arch_kgdb_ops;
1238
1239 /*
1240diff -urNp linux-2.6.33.1/arch/mips/kernel/process.c linux-2.6.33.1/arch/mips/kernel/process.c
1241--- linux-2.6.33.1/arch/mips/kernel/process.c 2010-03-15 12:09:39.000000000 -0400
1242+++ linux-2.6.33.1/arch/mips/kernel/process.c 2010-03-20 16:58:38.592758361 -0400
58c5fc13
MT
1243@@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1244 out:
1245 return pc;
1246 }
1247-
1248-/*
1249- * Don't forget that the stack pointer must be aligned on a 8 bytes
1250- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1251- */
1252-unsigned long arch_align_stack(unsigned long sp)
1253-{
1254- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1255- sp -= get_random_int() & ~PAGE_MASK;
1256-
1257- return sp & ALMASK;
1258-}
ae4e228f
MT
1259diff -urNp linux-2.6.33.1/arch/mips/kernel/syscall.c linux-2.6.33.1/arch/mips/kernel/syscall.c
1260--- linux-2.6.33.1/arch/mips/kernel/syscall.c 2010-03-15 12:09:39.000000000 -0400
1261+++ linux-2.6.33.1/arch/mips/kernel/syscall.c 2010-03-20 16:58:38.592758361 -0400
1262@@ -102,6 +102,11 @@ unsigned long arch_get_unmapped_area(str
58c5fc13
MT
1263 do_color_align = 0;
1264 if (filp || (flags & MAP_SHARED))
1265 do_color_align = 1;
1266+
1267+#ifdef CONFIG_PAX_RANDMMAP
1268+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1269+#endif
1270+
1271 if (addr) {
1272 if (do_color_align)
1273 addr = COLOUR_ALIGN(addr, pgoff);
ae4e228f 1274@@ -112,7 +117,7 @@ unsigned long arch_get_unmapped_area(str
58c5fc13
MT
1275 (!vmm || addr + len <= vmm->vm_start))
1276 return addr;
1277 }
1278- addr = TASK_UNMAPPED_BASE;
1279+ addr = current->mm->mmap_base;
1280 if (do_color_align)
1281 addr = COLOUR_ALIGN(addr, pgoff);
1282 else
ae4e228f
MT
1283diff -urNp linux-2.6.33.1/arch/mips/loongson/common/pm.c linux-2.6.33.1/arch/mips/loongson/common/pm.c
1284--- linux-2.6.33.1/arch/mips/loongson/common/pm.c 2010-03-15 12:09:39.000000000 -0400
1285+++ linux-2.6.33.1/arch/mips/loongson/common/pm.c 2010-03-20 16:58:38.608773091 -0400
1286@@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1287 }
1288 }
1289
1290-static struct platform_suspend_ops loongson_pm_ops = {
1291+static const struct platform_suspend_ops loongson_pm_ops = {
1292 .valid = loongson_pm_valid_state,
1293 .enter = loongson_pm_enter,
1294 };
1295diff -urNp linux-2.6.33.1/arch/mips/mm/fault.c linux-2.6.33.1/arch/mips/mm/fault.c
1296--- linux-2.6.33.1/arch/mips/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
1297+++ linux-2.6.33.1/arch/mips/mm/fault.c 2010-03-20 16:58:38.612819864 -0400
58c5fc13
MT
1298@@ -26,6 +26,23 @@
1299 #include <asm/ptrace.h>
1300 #include <asm/highmem.h> /* For VMALLOC_END */
1301
1302+#ifdef CONFIG_PAX_PAGEEXEC
1303+void pax_report_insns(void *pc)
1304+{
1305+ unsigned long i;
1306+
1307+ printk(KERN_ERR "PAX: bytes at PC: ");
1308+ for (i = 0; i < 5; i++) {
1309+ unsigned int c;
1310+ if (get_user(c, (unsigned int *)pc+i))
1311+ printk(KERN_CONT "???????? ");
1312+ else
1313+ printk(KERN_CONT "%08x ", c);
1314+ }
1315+ printk("\n");
1316+}
1317+#endif
1318+
1319 /*
1320 * This routine handles page faults. It determines the address,
1321 * and the problem, and then passes it off to one of the appropriate
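Review bot: This `pax_report_insns(void *pc)` takes one argument, while the ia64 version in the same patch, and the parisc one further down, are defined as `pax_report_insns(void *pc, void *sp)`. If a shared header declares the two-argument form (the prototype is not visible here), this definition will conflict with it or be called with a mismatched argument list. I would use `void pax_report_insns(void *pc, void *sp)` here too, with `sp` unused. The loop bound `5` differs from the `8` in the ia64 copy, so a comment on how many instruction words are dumped, and why, would help.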
ae4e228f
MT
1322diff -urNp linux-2.6.33.1/arch/parisc/include/asm/elf.h linux-2.6.33.1/arch/parisc/include/asm/elf.h
1323--- linux-2.6.33.1/arch/parisc/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
1324+++ linux-2.6.33.1/arch/parisc/include/asm/elf.h 2010-03-20 16:58:38.624763350 -0400
1325@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
58c5fc13
MT
1326
1327 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1328
1329+#ifdef CONFIG_PAX_ASLR
1330+#define PAX_ELF_ET_DYN_BASE 0x10000UL
1331+
1332+#define PAX_DELTA_MMAP_LEN 16
1333+#define PAX_DELTA_STACK_LEN 16
1334+#endif
1335+
1336 /* This yields a mask that user programs can use to figure out what
1337 instruction set this CPU supports. This could be done in user space,
1338 but it's not easy, and we've already done it here. */
ae4e228f
MT
1339diff -urNp linux-2.6.33.1/arch/parisc/include/asm/pgtable.h linux-2.6.33.1/arch/parisc/include/asm/pgtable.h
1340--- linux-2.6.33.1/arch/parisc/include/asm/pgtable.h 2010-03-15 12:09:39.000000000 -0400
1341+++ linux-2.6.33.1/arch/parisc/include/asm/pgtable.h 2010-03-20 16:58:38.628643492 -0400
58c5fc13
MT
1342@@ -207,6 +207,17 @@
1343 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1344 #define PAGE_COPY PAGE_EXECREAD
1345 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1346+
1347+#ifdef CONFIG_PAX_PAGEEXEC
1348+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1349+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1350+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1351+#else
1352+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1353+# define PAGE_COPY_NOEXEC PAGE_COPY
1354+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1355+#endif
1356+
1357 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1358 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1359 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
ae4e228f
MT
1360diff -urNp linux-2.6.33.1/arch/parisc/kernel/module.c linux-2.6.33.1/arch/parisc/kernel/module.c
1361--- linux-2.6.33.1/arch/parisc/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
1362+++ linux-2.6.33.1/arch/parisc/kernel/module.c 2010-03-20 16:58:38.636778509 -0400
58c5fc13
MT
1363@@ -95,16 +95,38 @@
1364
1365 /* three functions to determine where in the module core
1366 * or init pieces the location is */
1367+static inline int in_init_rx(struct module *me, void *loc)
1368+{
1369+ return (loc >= me->module_init_rx &&
1370+ loc < (me->module_init_rx + me->init_size_rx));
1371+}
1372+
1373+static inline int in_init_rw(struct module *me, void *loc)
1374+{
1375+ return (loc >= me->module_init_rw &&
1376+ loc < (me->module_init_rw + me->init_size_rw));
1377+}
1378+
1379 static inline int in_init(struct module *me, void *loc)
1380 {
1381- return (loc >= me->module_init &&
1382- loc <= (me->module_init + me->init_size));
1383+ return in_init_rx(me, loc) || in_init_rw(me, loc);
1384+}
1385+
1386+static inline int in_core_rx(struct module *me, void *loc)
1387+{
1388+ return (loc >= me->module_core_rx &&
1389+ loc < (me->module_core_rx + me->core_size_rx));
1390+}
1391+
1392+static inline int in_core_rw(struct module *me, void *loc)
1393+{
1394+ return (loc >= me->module_core_rw &&
1395+ loc < (me->module_core_rw + me->core_size_rw));
1396 }
1397
1398 static inline int in_core(struct module *me, void *loc)
1399 {
1400- return (loc >= me->module_core &&
1401- loc <= (me->module_core + me->core_size));
1402+ return in_core_rx(me, loc) || in_core_rw(me, loc);
1403 }
1404
1405 static inline int in_local(struct module *me, void *loc)
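Review bot: The context comment above these helpers still says "three functions to determine where in the module core or init pieces the location is", but the hunk now has six region predicates ahead of in_local. It should be updated, for example `/* helpers to determine which module region (init/core, rx/rw) the location is in */`. The new helpers take `struct module *me` where `const struct module *me` would do, as the ia64 equivalents in this patch use. The upper bound also changed from `<=` to `<`, an off-by-one fix that is worth a word in the comment.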
1406@@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1407 }
1408
1409 /* align things a bit */
1410- me->core_size = ALIGN(me->core_size, 16);
1411- me->arch.got_offset = me->core_size;
1412- me->core_size += gots * sizeof(struct got_entry);
1413-
1414- me->core_size = ALIGN(me->core_size, 16);
1415- me->arch.fdesc_offset = me->core_size;
1416- me->core_size += fdescs * sizeof(Elf_Fdesc);
1417+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1418+ me->arch.got_offset = me->core_size_rw;
1419+ me->core_size_rw += gots * sizeof(struct got_entry);
1420+
1421+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1422+ me->arch.fdesc_offset = me->core_size_rw;
1423+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1424
1425 me->arch.got_max = gots;
1426 me->arch.fdesc_max = fdescs;
1427@@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1428
1429 BUG_ON(value == 0);
1430
1431- got = me->module_core + me->arch.got_offset;
1432+ got = me->module_core_rw + me->arch.got_offset;
1433 for (i = 0; got[i].addr; i++)
1434 if (got[i].addr == value)
1435 goto out;
1436@@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1437 #ifdef CONFIG_64BIT
1438 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1439 {
1440- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1441+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1442
1443 if (!value) {
1444 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1445@@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1446
1447 /* Create new one */
1448 fdesc->addr = value;
1449- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1450+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1451 return (Elf_Addr)fdesc;
1452 }
1453 #endif /* CONFIG_64BIT */
1454@@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1455
1456 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1457 end = table + sechdrs[me->arch.unwind_section].sh_size;
1458- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1459+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1460
1461 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1462 me->arch.unwind_section, table, end, gp);
ae4e228f
MT
1463diff -urNp linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c
1464--- linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c 2010-03-15 12:09:39.000000000 -0400
1465+++ linux-2.6.33.1/arch/parisc/kernel/sys_parisc.c 2010-03-20 16:58:38.636778509 -0400
58c5fc13
MT
1466@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1467 if (flags & MAP_FIXED)
1468 return addr;
1469 if (!addr)
1470- addr = TASK_UNMAPPED_BASE;
1471+ addr = current->mm->mmap_base;
1472
1473 if (filp) {
1474 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
ae4e228f
MT
1475diff -urNp linux-2.6.33.1/arch/parisc/kernel/traps.c linux-2.6.33.1/arch/parisc/kernel/traps.c
1476--- linux-2.6.33.1/arch/parisc/kernel/traps.c 2010-03-15 12:09:39.000000000 -0400
1477+++ linux-2.6.33.1/arch/parisc/kernel/traps.c 2010-03-20 16:58:38.644755446 -0400
58c5fc13
MT
1478@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1479
1480 down_read(&current->mm->mmap_sem);
1481 vma = find_vma(current->mm,regs->iaoq[0]);
1482- if (vma && (regs->iaoq[0] >= vma->vm_start)
1483- && (vma->vm_flags & VM_EXEC)) {
1484-
1485+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1486 fault_address = regs->iaoq[0];
1487 fault_space = regs->iasq[0];
1488
ae4e228f
MT
1489diff -urNp linux-2.6.33.1/arch/parisc/mm/fault.c linux-2.6.33.1/arch/parisc/mm/fault.c
1490--- linux-2.6.33.1/arch/parisc/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
1491+++ linux-2.6.33.1/arch/parisc/mm/fault.c 2010-03-20 16:58:38.644755446 -0400
58c5fc13
MT
1492@@ -15,6 +15,7 @@
1493 #include <linux/sched.h>
1494 #include <linux/interrupt.h>
1495 #include <linux/module.h>
1496+#include <linux/unistd.h>
1497
1498 #include <asm/uaccess.h>
1499 #include <asm/traps.h>
1500@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1501 static unsigned long
1502 parisc_acctyp(unsigned long code, unsigned int inst)
1503 {
1504- if (code == 6 || code == 16)
1505+ if (code == 6 || code == 7 || code == 16)
1506 return VM_EXEC;
1507
1508 switch (inst & 0xf0000000) {
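Review bot: The condition now reads `code == 6 || code == 7 || code == 16` with three bare trap numbers, and nothing says why 7 is newly classified as an execute access. As far as I can tell 7 is the instruction memory protection trap, which would fit the PAGEEXEC handling added below, but that should be confirmed against the trap table. A comment naming each code, or named constants if the tree has them, would make clear that this line routes non-executable fetch faults to the VM_EXEC check. parisc_acctyp continues outside the hunk.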
1509@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1510 }
1511 #endif
1512
1513+#ifdef CONFIG_PAX_PAGEEXEC
1514+/*
1515+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1516+ *
1517+ * returns 1 when task should be killed
1518+ * 2 when rt_sigreturn trampoline was detected
1519+ * 3 when unpatched PLT trampoline was detected
1520+ */
1521+static int pax_handle_fetch_fault(struct pt_regs *regs)
1522+{
1523+
1524+#ifdef CONFIG_PAX_EMUPLT
1525+ int err;
1526+
1527+ do { /* PaX: unpatched PLT emulation */
1528+ unsigned int bl, depwi;
1529+
1530+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1531+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1532+
1533+ if (err)
1534+ break;
1535+
1536+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1537+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1538+
1539+ err = get_user(ldw, (unsigned int *)addr);
1540+ err |= get_user(bv, (unsigned int *)(addr+4));
1541+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1542+
1543+ if (err)
1544+ break;
1545+
1546+ if (ldw == 0x0E801096U &&
1547+ bv == 0xEAC0C000U &&
1548+ ldw2 == 0x0E881095U)
1549+ {
1550+ unsigned int resolver, map;
1551+
1552+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1553+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1554+ if (err)
1555+ break;
1556+
1557+ regs->gr[20] = instruction_pointer(regs)+8;
1558+ regs->gr[21] = map;
1559+ regs->gr[22] = resolver;
1560+ regs->iaoq[0] = resolver | 3UL;
1561+ regs->iaoq[1] = regs->iaoq[0] + 4;
1562+ return 3;
1563+ }
1564+ }
1565+ } while (0);
1566+#endif
1567+
1568+#ifdef CONFIG_PAX_EMUTRAMP
1569+
1570+#ifndef CONFIG_PAX_EMUSIGRT
1571+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1572+ return 1;
1573+#endif
1574+
1575+ do { /* PaX: rt_sigreturn emulation */
1576+ unsigned int ldi1, ldi2, bel, nop;
1577+
1578+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1579+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1580+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1581+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1582+
1583+ if (err)
1584+ break;
1585+
1586+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1587+ ldi2 == 0x3414015AU &&
1588+ bel == 0xE4008200U &&
1589+ nop == 0x08000240U)
1590+ {
1591+ regs->gr[25] = (ldi1 & 2) >> 1;
1592+ regs->gr[20] = __NR_rt_sigreturn;
1593+ regs->gr[31] = regs->iaoq[1] + 16;
1594+ regs->sr[0] = regs->iasq[1];
1595+ regs->iaoq[0] = 0x100UL;
1596+ regs->iaoq[1] = regs->iaoq[0] + 4;
1597+ regs->iasq[0] = regs->sr[2];
1598+ regs->iasq[1] = regs->sr[2];
1599+ return 2;
1600+ }
1601+ } while (0);
1602+#endif
1603+
1604+ return 1;
1605+}
1606+
1607+void pax_report_insns(void *pc, void *sp)
1608+{
1609+ unsigned long i;
1610+
1611+ printk(KERN_ERR "PAX: bytes at PC: ");
1612+ for (i = 0; i < 5; i++) {
1613+ unsigned int c;
1614+ if (get_user(c, (unsigned int *)pc+i))
1615+ printk(KERN_CONT "???????? ");
1616+ else
1617+ printk(KERN_CONT "%08x ", c);
1618+ }
1619+ printk("\n");
1620+}
1621+#endif
1622+
1623 int fixup_exception(struct pt_regs *regs)
1624 {
1625 const struct exception_table_entry *fix;
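Review bot: `err` is declared only inside `#ifdef CONFIG_PAX_EMUPLT` in pax_handle_fetch_fault(), but the rt_sigreturn block under `#ifdef CONFIG_PAX_EMUTRAMP` assigns and tests it. A configuration with EMUTRAMP and without EMUPLT would therefore not compile, unless Kconfig (not visible here) forbids that combination. Declaring it for both options fixes this: `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, `int err;`, `#endif`. Separately, `addr` in the PLT block is an `unsigned int` holding `instruction_pointer(regs)-12`, which would truncate if the instruction pointer is wider than 32 bits; `unsigned long addr` avoids that.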
1626@@ -192,8 +303,33 @@ good_area:
1627
1628 acc_type = parisc_acctyp(code,regs->iir);
1629
1630- if ((vma->vm_flags & acc_type) != acc_type)
1631+ if ((vma->vm_flags & acc_type) != acc_type) {
1632+
1633+#ifdef CONFIG_PAX_PAGEEXEC
1634+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1635+ (address & ~3UL) == instruction_pointer(regs))
1636+ {
1637+ up_read(&mm->mmap_sem);
1638+ switch (pax_handle_fetch_fault(regs)) {
1639+
1640+#ifdef CONFIG_PAX_EMUPLT
1641+ case 3:
1642+ return;
1643+#endif
1644+
1645+#ifdef CONFIG_PAX_EMUTRAMP
1646+ case 2:
1647+ return;
1648+#endif
1649+
1650+ }
1651+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1652+ do_group_exit(SIGKILL);
1653+ }
1654+#endif
1655+
1656 goto bad_area;
1657+ }
1658
1659 /*
1660 * If for any reason at all we couldn't handle the fault, make
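Review bot: The PAGEEXEC branch releases the lock with `up_read(&mm->mmap_sem)` and then depends on `do_group_exit(SIGKILL)` never returning. If control ever reached the following `goto bad_area`, that label (outside the hunk, and presumably releasing the semaphore itself) would run with the lock already dropped. A comment such as `/* do_group_exit() does not return; mmap_sem is already released */` would make the dependency explicit. The `switch` also has no `default`, so return value 1 reaches the report-and-kill lines only by falling out of it; `default: break;` would state that intent. The enclosing function starts and ends outside the hunk.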
ae4e228f
MT
1661diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/device.h linux-2.6.33.1/arch/powerpc/include/asm/device.h
1662--- linux-2.6.33.1/arch/powerpc/include/asm/device.h 2010-03-15 12:09:39.000000000 -0400
1663+++ linux-2.6.33.1/arch/powerpc/include/asm/device.h 2010-03-20 16:58:38.652757516 -0400
1664@@ -14,7 +14,7 @@ struct dev_archdata {
1665 struct device_node *of_node;
58c5fc13 1666
ae4e228f
MT
1667 /* DMA operations on that device */
1668- struct dma_map_ops *dma_ops;
1669+ const struct dma_map_ops *dma_ops;
1670
1671 /*
1672 * When an iommu is in use, dma_data is used as a ptr to the base of the
1673diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h
1674--- linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
1675+++ linux-2.6.33.1/arch/powerpc/include/asm/dma-mapping.h 2010-03-20 16:58:38.664764295 -0400
1676@@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
1677 #ifdef CONFIG_PPC64
1678 extern struct dma_map_ops dma_iommu_ops;
1679 #endif
1680-extern struct dma_map_ops dma_direct_ops;
1681+extern const struct dma_map_ops dma_direct_ops;
1682
1683-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1684+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
58c5fc13 1685 {
ae4e228f
MT
1686 /* We don't handle the NULL dev case for ISA for now. We could
1687 * do it via an out of line call but it is not needed for now. The
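Review bot: `dma_iommu_ops` on the context line `extern struct dma_map_ops dma_iommu_ops;` stays non-const while `dma_direct_ops` and the return type of get_dma_ops() become const, so that one function-pointer table remains writable at run time. If nothing assigns to its members after initialisation (not verifiable from this hunk), declare it `extern const struct dma_map_ops dma_iommu_ops;` and make the definition match. It would then get the same read-only treatment as the other ops tables. The body of get_dma_ops() continues past the hunk.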
1688@@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
1689 return dev->archdata.dma_ops;
58c5fc13
MT
1690 }
1691
ae4e228f
MT
1692-static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1693+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
58c5fc13 1694 {
ae4e228f 1695 dev->archdata.dma_ops = ops;
58c5fc13 1696 }
ae4e228f 1697@@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
58c5fc13 1698
ae4e228f 1699 static inline int dma_supported(struct device *dev, u64 mask)
58c5fc13 1700 {
ae4e228f
MT
1701- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1702+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
58c5fc13 1703
ae4e228f
MT
1704 if (unlikely(dma_ops == NULL))
1705 return 0;
1706@@ -132,7 +132,7 @@ static inline int dma_supported(struct d
1707
1708 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
58c5fc13 1709 {
ae4e228f
MT
1710- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1711+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
58c5fc13 1712
ae4e228f
MT
1713 if (unlikely(dma_ops == NULL))
1714 return -EIO;
1715@@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
1716 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1717 dma_addr_t *dma_handle, gfp_t flag)
1718 {
1719- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1720+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1721 void *cpu_addr;
1722
1723 BUG_ON(!dma_ops);
1724@@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
1725 static inline void dma_free_coherent(struct device *dev, size_t size,
1726 void *cpu_addr, dma_addr_t dma_handle)
58c5fc13 1727 {
ae4e228f
MT
1728- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1729+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1730
1731 BUG_ON(!dma_ops);
1732
1733@@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
1734
1735 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1736 {
1737- struct dma_map_ops *dma_ops = get_dma_ops(dev);
1738+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1739
1740 if (dma_ops->mapping_error)
1741 return dma_ops->mapping_error(dev, dma_addr);
1742diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/elf.h linux-2.6.33.1/arch/powerpc/include/asm/elf.h
1743--- linux-2.6.33.1/arch/powerpc/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
1744+++ linux-2.6.33.1/arch/powerpc/include/asm/elf.h 2010-03-20 16:58:38.664764295 -0400
1745@@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
58c5fc13
MT
1746 the loader. We need to make sure that it is out of the way of the program
1747 that it will "exec", and that there is sufficient room for the brk. */
1748
1749-extern unsigned long randomize_et_dyn(unsigned long base);
1750-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
1751+#define ELF_ET_DYN_BASE (0x20000000)
1752+
1753+#ifdef CONFIG_PAX_ASLR
1754+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
1755+
1756+#ifdef __powerpc64__
1757+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1758+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1759+#else
1760+#define PAX_DELTA_MMAP_LEN 15
1761+#define PAX_DELTA_STACK_LEN 15
1762+#endif
1763+#endif
1764
1765 /*
1766 * Our registers are always unsigned longs, whether we're a 32 bit
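Review bot: A kernel built without CONFIG_PAX_ASLR loses ET_DYN base randomisation here. `ELF_ET_DYN_BASE` becomes the constant `(0x20000000)`, and the replacement macros exist only under `#ifdef CONFIG_PAX_ASLR`. The next hunk and the process.c hunk further down also remove `arch_randomize_brk()` and `randomize_et_dyn()` without a fallback. Unless generic code elsewhere in the patch compensates, the non-PaX configuration ends up with less address-space randomisation than the unpatched kernel. Keeping the removed `randomize_et_dyn(0x20000000)` definition and its helpers under `#ifndef CONFIG_PAX_ASLR` would preserve the stock behaviour.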
ae4e228f 1767@@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
58c5fc13
MT
1768 (0x7ff >> (PAGE_SHIFT - 12)) : \
1769 (0x3ffff >> (PAGE_SHIFT - 12)))
1770
1771-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1772-#define arch_randomize_brk arch_randomize_brk
1773-
1774 #endif /* __KERNEL__ */
1775
1776 /*
ae4e228f
MT
1777diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/iommu.h linux-2.6.33.1/arch/powerpc/include/asm/iommu.h
1778--- linux-2.6.33.1/arch/powerpc/include/asm/iommu.h 2010-03-15 12:09:39.000000000 -0400
1779+++ linux-2.6.33.1/arch/powerpc/include/asm/iommu.h 2010-03-20 16:58:38.664764295 -0400
1780@@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
1781 extern void iommu_init_early_dart(void);
1782 extern void iommu_init_early_pasemi(void);
1783
1784+/* dma-iommu.c */
1785+extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
1786+
1787 #ifdef CONFIG_PCI
1788 extern void pci_iommu_init(void);
1789 extern void pci_direct_iommu_init(void);
1790diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h
1791--- linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
1792+++ linux-2.6.33.1/arch/powerpc/include/asm/kmap_types.h 2010-03-20 16:58:38.664764295 -0400
58c5fc13
MT
1793@@ -26,6 +26,7 @@ enum km_type {
1794 KM_SOFTIRQ1,
1795 KM_PPC_SYNC_PAGE,
1796 KM_PPC_SYNC_ICACHE,
1797+ KM_CLEARPAGE,
1798 KM_TYPE_NR
1799 };
1800
ae4e228f
MT
1801diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/page_64.h linux-2.6.33.1/arch/powerpc/include/asm/page_64.h
1802--- linux-2.6.33.1/arch/powerpc/include/asm/page_64.h 2010-03-15 12:09:39.000000000 -0400
1803+++ linux-2.6.33.1/arch/powerpc/include/asm/page_64.h 2010-03-20 16:58:38.664764295 -0400
1804@@ -180,15 +180,18 @@ do { \
58c5fc13
MT
1805 * stack by default, so in the absense of a PT_GNU_STACK program header
1806 * we turn execute permission off.
1807 */
1808-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1809- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1810+#define VM_STACK_DEFAULT_FLAGS32 \
1811+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1812+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1813
1814 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1815 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1816
1817+#ifndef CONFIG_PAX_PAGEEXEC
1818 #define VM_STACK_DEFAULT_FLAGS \
1819 (test_thread_flag(TIF_32BIT) ? \
1820 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
1821+#endif
1822
1823 #include <asm-generic/getorder.h>
1824
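Review bot: With CONFIG_PAX_PAGEEXEC set, this header no longer defines `VM_STACK_DEFAULT_FLAGS` at all, and the hunk does not say where the replacement definition lives. A short comment next to the `#ifndef`, for example `/* with CONFIG_PAX_PAGEEXEC the definition comes from <defining header, not visible here> */`, would save the next reader a search. `VM_STACK_DEFAULT_FLAGS32` now expands to an expression that reads `current->personality`, so it is no longer a compile-time constant, and every user needs `current` in scope; that is worth noting in the comment above the macro.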
ae4e228f
MT
1825diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/page.h linux-2.6.33.1/arch/powerpc/include/asm/page.h
1826--- linux-2.6.33.1/arch/powerpc/include/asm/page.h 2010-03-15 12:09:39.000000000 -0400
1827+++ linux-2.6.33.1/arch/powerpc/include/asm/page.h 2010-03-20 16:58:38.668753880 -0400
58c5fc13
MT
1828@@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
1829 * and needs to be executable. This means the whole heap ends
1830 * up being executable.
1831 */
1832-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1833- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1834+#define VM_DATA_DEFAULT_FLAGS32 \
1835+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1836+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1837
1838 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1839 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
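Review bot: The comment kept above `VM_DATA_DEFAULT_FLAGS32` still says the whole heap ends up being executable, but the new definition sets `VM_EXEC` only when `current->personality & READ_IMPLIES_EXEC` is true. The comment should be updated to match, e.g. `* The heap is executable only for tasks with the READ_IMPLIES_EXEC personality.` As written, the stale text suggests a weaker default than the code now applies. The macro also now depends on `current`, so it is a run-time expression rather than a constant.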
ae4e228f
MT
1840@@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
1841 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
1842 #endif
1843
1844+#define ktla_ktva(addr) (addr)
1845+#define ktva_ktla(addr) (addr)
1846+
1847 #ifndef __ASSEMBLY__
1848
1849 #undef STRICT_MM_TYPECHECKS
1850diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/pci.h linux-2.6.33.1/arch/powerpc/include/asm/pci.h
1851--- linux-2.6.33.1/arch/powerpc/include/asm/pci.h 2010-03-15 12:09:39.000000000 -0400
1852+++ linux-2.6.33.1/arch/powerpc/include/asm/pci.h 2010-03-20 16:58:38.668753880 -0400
1853@@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
1854 }
1855
1856 #ifdef CONFIG_PCI
1857-extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1858-extern struct dma_map_ops *get_pci_dma_ops(void);
1859+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1860+extern const struct dma_map_ops *get_pci_dma_ops(void);
1861 #else /* CONFIG_PCI */
1862 #define set_pci_dma_ops(d)
1863 #define get_pci_dma_ops() NULL
1864diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h
1865--- linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h 2010-03-15 12:09:39.000000000 -0400
1866+++ linux-2.6.33.1/arch/powerpc/include/asm/pte-hash32.h 2010-03-20 16:58:38.668753880 -0400
58c5fc13
MT
1867@@ -21,6 +21,7 @@
1868 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
1869 #define _PAGE_USER 0x004 /* usermode access allowed */
1870 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
ae4e228f 1871+#define _PAGE_EXEC _PAGE_GUARDED
58c5fc13
MT
1872 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
1873 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
1874 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
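Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` is the only line in this block without a comment, and it gives the hardware G bit, described on the line above as prohibiting speculative access, a second meaning tied to execute permission. The polarity is not evident from the name. The reg.h hunk adds `DSISR_GUARDED` for a fetch from guarded storage, which suggests the bit marks pages where instruction fetches fault, so the comment should say which state means executable. Something like `/* PaX: execute permission is tracked via the G bit, see DSISR_GUARDED */` plus one line on the polarity would do. If the file defines `_PAGE_EXEC` again further down (not visible here), this would also be a redefinition.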
ae4e228f
MT
1875diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/reg.h linux-2.6.33.1/arch/powerpc/include/asm/reg.h
1876--- linux-2.6.33.1/arch/powerpc/include/asm/reg.h 2010-03-15 12:09:39.000000000 -0400
1877+++ linux-2.6.33.1/arch/powerpc/include/asm/reg.h 2010-03-20 16:58:38.672753614 -0400
1878@@ -191,6 +191,7 @@
58c5fc13
MT
1879 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
1880 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
1881 #define DSISR_NOHPTE 0x40000000 /* no translation found */
1882+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
1883 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
1884 #define DSISR_ISSTORE 0x02000000 /* access was a store */
1885 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
ae4e228f
MT
1886diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h
1887--- linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h 2010-03-15 12:09:39.000000000 -0400
1888+++ linux-2.6.33.1/arch/powerpc/include/asm/swiotlb.h 2010-03-20 16:58:38.672753614 -0400
1889@@ -13,7 +13,7 @@
1890
1891 #include <linux/swiotlb.h>
1892
1893-extern struct dma_map_ops swiotlb_dma_ops;
1894+extern const struct dma_map_ops swiotlb_dma_ops;
1895
1896 static inline void dma_mark_clean(void *addr, size_t size) {}
1897
1898diff -urNp linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h
1899--- linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
1900+++ linux-2.6.33.1/arch/powerpc/include/asm/uaccess.h 2010-03-20 16:58:38.676578811 -0400
58c5fc13
MT
1901@@ -327,52 +327,6 @@ do { \
1902 extern unsigned long __copy_tofrom_user(void __user *to,
1903 const void __user *from, unsigned long size);
1904
1905-#ifndef __powerpc64__
1906-
1907-static inline unsigned long copy_from_user(void *to,
1908- const void __user *from, unsigned long n)
1909-{
1910- unsigned long over;
1911-
1912- if (access_ok(VERIFY_READ, from, n))
1913- return __copy_tofrom_user((__force void __user *)to, from, n);
1914- if ((unsigned long)from < TASK_SIZE) {
1915- over = (unsigned long)from + n - TASK_SIZE;
1916- return __copy_tofrom_user((__force void __user *)to, from,
1917- n - over) + over;
1918- }
1919- return n;
1920-}
1921-
1922-static inline unsigned long copy_to_user(void __user *to,
1923- const void *from, unsigned long n)
1924-{
1925- unsigned long over;
1926-
1927- if (access_ok(VERIFY_WRITE, to, n))
1928- return __copy_tofrom_user(to, (__force void __user *)from, n);
1929- if ((unsigned long)to < TASK_SIZE) {
1930- over = (unsigned long)to + n - TASK_SIZE;
1931- return __copy_tofrom_user(to, (__force void __user *)from,
1932- n - over) + over;
1933- }
1934- return n;
1935-}
1936-
1937-#else /* __powerpc64__ */
1938-
1939-#define __copy_in_user(to, from, size) \
1940- __copy_tofrom_user((to), (from), (size))
1941-
1942-extern unsigned long copy_from_user(void *to, const void __user *from,
1943- unsigned long n);
1944-extern unsigned long copy_to_user(void __user *to, const void *from,
1945- unsigned long n);
1946-extern unsigned long copy_in_user(void __user *to, const void __user *from,
1947- unsigned long n);
1948-
1949-#endif /* __powerpc64__ */
1950-
1951 static inline unsigned long __copy_from_user_inatomic(void *to,
1952 const void __user *from, unsigned long n)
1953 {
ae4e228f 1954@@ -396,6 +350,10 @@ static inline unsigned long __copy_from_
58c5fc13
MT
1955 if (ret == 0)
1956 return 0;
1957 }
ae4e228f 1958+
58c5fc13
MT
1959+ if (!__builtin_constant_p(n))
1960+ check_object_size(to, n, false);
1961+
1962 return __copy_tofrom_user((__force void __user *)to, from, n);
1963 }
1964
ae4e228f 1965@@ -422,6 +380,10 @@ static inline unsigned long __copy_to_us
58c5fc13
MT
1966 if (ret == 0)
1967 return 0;
1968 }
ae4e228f 1969+
58c5fc13
MT
1970+ if (!__builtin_constant_p(n))
1971+ check_object_size(from, n, true);
1972+
1973 return __copy_tofrom_user(to, (__force const void __user *)from, n);
1974 }
1975
ae4e228f 1976@@ -439,6 +401,92 @@ static inline unsigned long __copy_to_us
58c5fc13
MT
1977 return __copy_to_user_inatomic(to, from, size);
1978 }
1979
1980+#ifndef __powerpc64__
1981+
1982+static inline unsigned long __must_check copy_from_user(void *to,
1983+ const void __user *from, unsigned long n)
1984+{
1985+ unsigned long over;
1986+
ae4e228f 1987+ if ((long)n < 0)
58c5fc13
MT
1988+ return n;
1989+
1990+ if (access_ok(VERIFY_READ, from, n)) {
1991+ if (!__builtin_constant_p(n))
1992+ check_object_size(to, n, false);
58c5fc13
MT
1993+ return __copy_tofrom_user((__force void __user *)to, from, n);
1994+ }
1995+ if ((unsigned long)from < TASK_SIZE) {
1996+ over = (unsigned long)from + n - TASK_SIZE;
1997+ if (!__builtin_constant_p(n - over))
1998+ check_object_size(to, n - over, false);
1999+ return __copy_tofrom_user((__force void __user *)to, from,
2000+ n - over) + over;
2001+ }
2002+ return n;
2003+}
2004+
2005+static inline unsigned long __must_check copy_to_user(void __user *to,
2006+ const void *from, unsigned long n)
2007+{
2008+ unsigned long over;
2009+
ae4e228f 2010+ if ((long)n < 0)
58c5fc13
MT
2011+ return n;
2012+
2013+ if (access_ok(VERIFY_WRITE, to, n)) {
2014+ if (!__builtin_constant_p(n))
2015+ check_object_size(from, n, true);
2016+ return __copy_tofrom_user(to, (__force void __user *)from, n);
2017+ }
2018+ if ((unsigned long)to < TASK_SIZE) {
2019+ over = (unsigned long)to + n - TASK_SIZE;
2020+ if (!__builtin_constant_p(n))
2021+ check_object_size(from, n - over, true);
2022+ return __copy_tofrom_user(to, (__force void __user *)from,
2023+ n - over) + over;
2024+ }
2025+ return n;
2026+}
2027+
2028+#else /* __powerpc64__ */
2029+
2030+#define __copy_in_user(to, from, size) \
2031+ __copy_tofrom_user((to), (from), (size))
2032+
ae4e228f 2033+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
58c5fc13 2034+{
ae4e228f 2035+ if ((long)n < 0 || n > INT_MAX)
58c5fc13
MT
2036+ return n;
2037+
2038+ if (!__builtin_constant_p(n))
2039+ check_object_size(to, n, false);
2040+
2041+ if (likely(access_ok(VERIFY_READ, from, n)))
2042+ n = __copy_from_user(to, from, n);
2043+ else
2044+ memset(to, 0, n);
58c5fc13
MT
2045+ return n;
2046+}
2047+
ae4e228f 2048+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
58c5fc13 2049+{
ae4e228f 2050+ if ((long)n < 0 || n > INT_MAX)
58c5fc13
MT
2051+ return n;
2052+
2053+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
2054+ if (!__builtin_constant_p(n))
2055+ check_object_size(from, n, true);
2056+ n = __copy_to_user(to, from, n);
2057+ }
58c5fc13
MT
2058+ return n;
2059+}
2060+
2061+extern unsigned long copy_in_user(void __user *to, const void __user *from,
2062+ unsigned long n);
2063+
2064+#endif /* __powerpc64__ */
2065+
2066 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2067
2068 static inline unsigned long clear_user(void __user *addr, unsigned long size)
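Review bot: The 32-bit `copy_from_user()` added here leaves `to` untouched on its failure paths, namely the `(long)n < 0` return and the final `return n;` taken when `access_ok()` fails and `from` is not below `TASK_SIZE`. The 64-bit variant in the same hunk zero-fills with `memset(to, 0, n);`. A caller that ignores the return value would then operate on uninitialised kernel memory and could later expose it to user space. Adding `memset(to, 0, n);` before the final `return n;` of the 32-bit version would align the two. In the 32-bit `copy_to_user()`, the partial-copy branch tests `__builtin_constant_p(n)` but checks `n - over`, while `copy_from_user()` tests `__builtin_constant_p(n - over)`; both should use the same expression.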
ae4e228f
MT
2069diff -urNp linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c
2070--- linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c 2010-03-15 12:09:39.000000000 -0400
2071+++ linux-2.6.33.1/arch/powerpc/kernel/cacheinfo.c 2010-03-20 16:58:38.684761974 -0400
2072@@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2073 &cache_assoc_attr,
2074 };
2075
2076-static struct sysfs_ops cache_index_ops = {
2077+static const struct sysfs_ops cache_index_ops = {
2078 .show = cache_index_show,
2079 };
2080
2081diff -urNp linux-2.6.33.1/arch/powerpc/kernel/dma.c linux-2.6.33.1/arch/powerpc/kernel/dma.c
2082--- linux-2.6.33.1/arch/powerpc/kernel/dma.c 2010-03-15 12:09:39.000000000 -0400
2083+++ linux-2.6.33.1/arch/powerpc/kernel/dma.c 2010-03-20 16:58:38.700769723 -0400
2084@@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2085 }
2086 #endif
2087
2088-struct dma_map_ops dma_direct_ops = {
2089+const struct dma_map_ops dma_direct_ops = {
2090 .alloc_coherent = dma_direct_alloc_coherent,
2091 .free_coherent = dma_direct_free_coherent,
2092 .map_sg = dma_direct_map_sg,
2093diff -urNp linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c
2094--- linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c 2010-03-15 12:09:39.000000000 -0400
2095+++ linux-2.6.33.1/arch/powerpc/kernel/dma-iommu.c 2010-03-20 16:58:38.708797745 -0400
2096@@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2097 }
2098
2099 /* We support DMA to/from any memory page via the iommu */
2100-static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2101+int dma_iommu_dma_supported(struct device *dev, u64 mask)
2102 {
2103 struct iommu_table *tbl = get_iommu_table_base(dev);
2104
2105diff -urNp linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c
2106--- linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c 2010-03-15 12:09:39.000000000 -0400
2107+++ linux-2.6.33.1/arch/powerpc/kernel/dma-swiotlb.c 2010-03-20 16:58:38.720772371 -0400
2108@@ -30,7 +30,7 @@ unsigned int ppc_swiotlb_enable;
2109 * map_page, and unmap_page on highmem, use normal dma_ops
2110 * for everything else.
2111 */
2112-struct dma_map_ops swiotlb_dma_ops = {
2113+const struct dma_map_ops swiotlb_dma_ops = {
2114 .alloc_coherent = dma_direct_alloc_coherent,
2115 .free_coherent = dma_direct_free_coherent,
2116 .map_sg = swiotlb_map_sg_attrs,
2117diff -urNp linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S
2118--- linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S 2010-03-15 12:09:39.000000000 -0400
2119+++ linux-2.6.33.1/arch/powerpc/kernel/exceptions-64e.S 2010-03-20 16:58:38.720772371 -0400
2120@@ -455,6 +455,7 @@ storage_fault_common:
2121 std r14,_DAR(r1)
2122 std r15,_DSISR(r1)
2123 addi r3,r1,STACK_FRAME_OVERHEAD
2124+ bl .save_nvgprs
2125 mr r4,r14
2126 mr r5,r15
2127 ld r14,PACA_EXGEN+EX_R14(r13)
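Review bot: The early `bl .save_nvgprs` has no comment or config guard, and it puts the full non-volatile register save on every storage fault rather than only on the `.bad_page_fault` path. The next hunk removes it from label `1:`, and the exceptions-64s.S hunk makes the same move around `.do_page_fault`. Presumably the fault handler now needs the complete register set in pt_regs for the PaX fetch-fault handling, but that is not stated anywhere in these hunks. A comment such as `/* fault handler reads non-volatile GPRs from pt_regs (PaX) */` would record the reason. If the save is only needed with a PaX option enabled, keeping the original placement in the other case avoids the cost on the hot path.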
2128@@ -464,8 +465,7 @@ storage_fault_common:
2129 cmpdi r3,0
2130 bne- 1f
2131 b .ret_from_except_lite
2132-1: bl .save_nvgprs
2133- mr r5,r3
2134+1: mr r5,r3
2135 addi r3,r1,STACK_FRAME_OVERHEAD
2136 ld r4,_DAR(r1)
2137 bl .bad_page_fault
2138diff -urNp linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S
2139--- linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S 2010-03-15 12:09:39.000000000 -0400
2140+++ linux-2.6.33.1/arch/powerpc/kernel/exceptions-64s.S 2010-03-20 16:58:38.720772371 -0400
2141@@ -829,10 +829,10 @@ handle_page_fault:
2142 11: ld r4,_DAR(r1)
2143 ld r5,_DSISR(r1)
2144 addi r3,r1,STACK_FRAME_OVERHEAD
2145+ bl .save_nvgprs
2146 bl .do_page_fault
2147 cmpdi r3,0
2148 beq+ 13f
2149- bl .save_nvgprs
2150 mr r5,r3
2151 addi r3,r1,STACK_FRAME_OVERHEAD
2152 lwz r4,_DAR(r1)
2153diff -urNp linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c
2154--- linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c 2010-03-15 12:09:39.000000000 -0400
2155+++ linux-2.6.33.1/arch/powerpc/kernel/ibmebus.c 2010-03-20 16:58:38.720772371 -0400
2156@@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2157 return 1;
2158 }
2159
2160-static struct dma_map_ops ibmebus_dma_ops = {
2161+static const struct dma_map_ops ibmebus_dma_ops = {
2162 .alloc_coherent = ibmebus_alloc_coherent,
2163 .free_coherent = ibmebus_free_coherent,
2164 .map_sg = ibmebus_map_sg,
2165diff -urNp linux-2.6.33.1/arch/powerpc/kernel/kgdb.c linux-2.6.33.1/arch/powerpc/kernel/kgdb.c
2166--- linux-2.6.33.1/arch/powerpc/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
2167+++ linux-2.6.33.1/arch/powerpc/kernel/kgdb.c 2010-03-20 16:58:38.720772371 -0400
2168@@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2169 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2170 return 0;
2171
2172- if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2173+ if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2174 regs->nip += 4;
2175
2176 return 1;
2177@@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2178 /*
2179 * Global data
2180 */
2181-struct kgdb_arch arch_kgdb_ops = {
2182+const struct kgdb_arch arch_kgdb_ops = {
2183 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2184 };
2185
2186diff -urNp linux-2.6.33.1/arch/powerpc/kernel/module_32.c linux-2.6.33.1/arch/powerpc/kernel/module_32.c
2187--- linux-2.6.33.1/arch/powerpc/kernel/module_32.c 2010-03-15 12:09:39.000000000 -0400
2188+++ linux-2.6.33.1/arch/powerpc/kernel/module_32.c 2010-03-20 16:58:38.724667855 -0400
58c5fc13
MT
2189@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2190 me->arch.core_plt_section = i;
2191 }
2192 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2193- printk("Module doesn't contain .plt or .init.plt sections.\n");
2194+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2195 return -ENOEXEC;
2196 }
2197
2198@@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2199
2200 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2201 /* Init, or core PLT? */
2202- if (location >= mod->module_core
2203- && location < mod->module_core + mod->core_size)
2204+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2205+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2206 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2207- else
2208+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2209+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2210 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2211+ else {
2212+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2213+ return ~0UL;
2214+ }
2215
2216 /* Find this entry, or if that fails, the next avail. entry */
2217 while (entry->jump[0]) {
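Review bot: The new error branch ends with `return ~0UL;`, but the hunk header shows do_plt_call() returning `uint32_t`, so the caller receives 0xffffffff. Unless the call site (outside this hunk) tests for that value, it would be used as the relocation target and only the printk would signal the problem. Confirm that the R_PPC_REL24 caller rejects the module on this value, and write the sentinel as `return ~0U;` to match the return type. do_plt_call() starts and ends outside the hunk.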
ae4e228f
MT
2218diff -urNp linux-2.6.33.1/arch/powerpc/kernel/module.c linux-2.6.33.1/arch/powerpc/kernel/module.c
2219--- linux-2.6.33.1/arch/powerpc/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
2220+++ linux-2.6.33.1/arch/powerpc/kernel/module.c 2010-03-20 16:58:38.724667855 -0400
2221@@ -31,11 +31,24 @@
2222
2223 LIST_HEAD(module_bug_list);
2224
2225+#ifdef CONFIG_PAX_KERNEXEC
2226 void *module_alloc(unsigned long size)
2227 {
2228 if (size == 0)
2229 return NULL;
2230
2231+ return vmalloc(size);
2232+}
2233+
2234+void *module_alloc_exec(unsigned long size)
2235+#else
2236+void *module_alloc(unsigned long size)
2237+#endif
2238+
2239+{
2240+ if (size == 0)
2241+ return NULL;
2242+
2243 return vmalloc_exec(size);
2244 }
2245
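Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block splices two function headers onto one body: the brace after `#endif` opens `module_alloc_exec()` when the option is set and `module_alloc()` otherwise. That is easy to misread, and a later edit to the shared body silently changes both allocators. A comment at each header stating the mapping type would help, e.g. `/* KERNEXEC: module_alloc() returns non-executable memory */` and `/* executable mapping, used for module text */`. Alternatively, each function could get its own complete body so the executable and non-executable paths are visibly separate.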
2246@@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2247 vfree(module_region);
2248 }
2249
2250+#ifdef CONFIG_PAX_KERNEXEC
2251+void module_free_exec(struct module *mod, void *module_region)
2252+{
2253+ module_free(mod, module_region);
2254+}
2255+#endif
2256+
2257 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2258 const Elf_Shdr *sechdrs,
2259 const char *name)
2260diff -urNp linux-2.6.33.1/arch/powerpc/kernel/pci-common.c linux-2.6.33.1/arch/powerpc/kernel/pci-common.c
2261--- linux-2.6.33.1/arch/powerpc/kernel/pci-common.c 2010-03-15 12:09:39.000000000 -0400
2262+++ linux-2.6.33.1/arch/powerpc/kernel/pci-common.c 2010-03-20 16:58:38.736620382 -0400
2263@@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2264 unsigned int ppc_pci_flags = 0;
2265
2266
2267-static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2268+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2269
2270-void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2271+void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2272 {
2273 pci_dma_ops = dma_ops;
2274 }
2275
2276-struct dma_map_ops *get_pci_dma_ops(void)
2277+const struct dma_map_ops *get_pci_dma_ops(void)
2278 {
2279 return pci_dma_ops;
2280 }
2281diff -urNp linux-2.6.33.1/arch/powerpc/kernel/process.c linux-2.6.33.1/arch/powerpc/kernel/process.c
2282--- linux-2.6.33.1/arch/powerpc/kernel/process.c 2010-03-15 12:09:39.000000000 -0400
2283+++ linux-2.6.33.1/arch/powerpc/kernel/process.c 2010-03-20 16:58:38.740772809 -0400
2284@@ -1141,51 +1141,3 @@ unsigned long arch_align_stack(unsigned
58c5fc13
MT
2285 sp -= get_random_int() & ~PAGE_MASK;
2286 return sp & ~0xf;
2287 }
2288-
2289-static inline unsigned long brk_rnd(void)
2290-{
2291- unsigned long rnd = 0;
2292-
2293- /* 8MB for 32bit, 1GB for 64bit */
2294- if (is_32bit_task())
2295- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2296- else
2297- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2298-
2299- return rnd << PAGE_SHIFT;
2300-}
2301-
2302-unsigned long arch_randomize_brk(struct mm_struct *mm)
2303-{
ae4e228f
MT
2304- unsigned long base = mm->brk;
2305- unsigned long ret;
2306-
2307-#ifdef CONFIG_PPC_STD_MMU_64
2308- /*
2309- * If we are using 1TB segments and we are allowed to randomise
2310- * the heap, we can put it above 1TB so it is backed by a 1TB
2311- * segment. Otherwise the heap will be in the bottom 1TB
2312- * which always uses 256MB segments and this may result in a
2313- * performance penalty.
2314- */
2315- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2316- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2317-#endif
2318-
2319- ret = PAGE_ALIGN(base + brk_rnd());
58c5fc13
MT
2320-
2321- if (ret < mm->brk)
2322- return mm->brk;
2323-
2324- return ret;
2325-}
2326-
2327-unsigned long randomize_et_dyn(unsigned long base)
2328-{
2329- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2330-
2331- if (ret < base)
2332- return base;
2333-
2334- return ret;
2335-}
ae4e228f
MT
2336diff -urNp linux-2.6.33.1/arch/powerpc/kernel/signal_32.c linux-2.6.33.1/arch/powerpc/kernel/signal_32.c
2337--- linux-2.6.33.1/arch/powerpc/kernel/signal_32.c 2010-03-15 12:09:39.000000000 -0400
2338+++ linux-2.6.33.1/arch/powerpc/kernel/signal_32.c 2010-03-20 16:58:38.740772809 -0400
58c5fc13
MT
2339@@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2340 /* Save user registers on the stack */
2341 frame = &rt_sf->uc.uc_mcontext;
2342 addr = frame;
2343- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2344+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2345 if (save_user_regs(regs, frame, 0, 1))
2346 goto badframe;
2347 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
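Review bot: The bare literal `~0UL` now serves as the "no vDSO" sentinel in three places: this test, the matching one in the signal_64.c hunk, and the `current->mm->context.vdso_base = ~0UL;` assignment in vdso.c. Any remaining check of `vdso_base` against zero elsewhere in the tree (not visible on this page) would treat an unmapped vDSO as present and derive `regs->link` from the sentinel. A named constant used at all three sites, for example `#define VDSO_BASE_UNSET (~0UL)` (name constructed for illustration), would make leftover zero tests easy to find. handle_rt_signal32() continues outside the hunk.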
ae4e228f
MT
2348diff -urNp linux-2.6.33.1/arch/powerpc/kernel/signal_64.c linux-2.6.33.1/arch/powerpc/kernel/signal_64.c
2349--- linux-2.6.33.1/arch/powerpc/kernel/signal_64.c 2010-03-15 12:09:39.000000000 -0400
2350+++ linux-2.6.33.1/arch/powerpc/kernel/signal_64.c 2010-03-20 16:58:38.740772809 -0400
58c5fc13
MT
2351@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2352 current->thread.fpscr.val = 0;
2353
2354 /* Set up to return from userspace. */
2355- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2356+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2357 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2358 } else {
2359 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2360diff -urNp linux-2.6.33.1/arch/powerpc/kernel/vdso.c linux-2.6.33.1/arch/powerpc/kernel/vdso.c
2361--- linux-2.6.33.1/arch/powerpc/kernel/vdso.c 2010-03-15 12:09:39.000000000 -0400
2362+++ linux-2.6.33.1/arch/powerpc/kernel/vdso.c 2010-03-20 16:58:38.740772809 -0400
2363@@ -36,6 +36,7 @@
2364 #include <asm/firmware.h>
2365 #include <asm/vdso.h>
2366 #include <asm/vdso_datapage.h>
2367+#include <asm/mman.h>
2368
2369 #include "setup.h"
2370
ae4e228f 2371@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2372 vdso_base = VDSO32_MBASE;
2373 #endif
2374
2375- current->mm->context.vdso_base = 0;
2376+ current->mm->context.vdso_base = ~0UL;
2377
2378 /* vDSO has a problem and was disabled, just don't "enable" it for the
2379 * process
ae4e228f 2380@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
58c5fc13 2381 vdso_base = get_unmapped_area(NULL, vdso_base,
2382 (vdso_pages << PAGE_SHIFT) +
2383 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2384- 0, 0);
2385+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
2386 if (IS_ERR_VALUE(vdso_base)) {
2387 rc = vdso_base;
2388 goto fail_mmapsem;
2389diff -urNp linux-2.6.33.1/arch/powerpc/kernel/vio.c linux-2.6.33.1/arch/powerpc/kernel/vio.c
2390--- linux-2.6.33.1/arch/powerpc/kernel/vio.c 2010-03-15 12:09:39.000000000 -0400
2391+++ linux-2.6.33.1/arch/powerpc/kernel/vio.c 2010-03-20 16:58:38.744562669 -0400
2392@@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2393 vio_cmo_dealloc(viodev, alloc_size);
2394 }
2395
2396-struct dma_map_ops vio_dma_mapping_ops = {
2397+static const struct dma_map_ops vio_dma_mapping_ops = {
2398 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2399 .free_coherent = vio_dma_iommu_free_coherent,
2400 .map_sg = vio_dma_iommu_map_sg,
2401 .unmap_sg = vio_dma_iommu_unmap_sg,
2402+ .dma_supported = dma_iommu_dma_supported,
2403 .map_page = vio_dma_iommu_map_page,
2404 .unmap_page = vio_dma_iommu_unmap_page,
2405
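Review bot: `vio_dma_mapping_ops` changes from external linkage to `static const` here, so any other translation unit that declares it `extern` would stop linking; no such user is visible in this section, and that should be confirmed. The initializer also names `dma_iommu_dma_supported` directly where the removed line in vio_cmo_set_dma_ops copied `dma_iommu_ops.dma_supported` at run time, which needs a declaration of that function visible in vio.c (not shown in the hunk). Filling the table at compile time is what allows the `const`, and a one-line comment above the initializer saying so, such as `/* fully initialised at build time so the table can stay read-only */`, would stop a later change from reintroducing a run-time store.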
2406@@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2407
2408 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2409 {
2410- vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2411 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2412 }
2413
2414diff -urNp linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c
2415--- linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c 2010-03-15 12:09:39.000000000 -0400
2416+++ linux-2.6.33.1/arch/powerpc/lib/usercopy_64.c 2010-03-20 16:58:38.748775088 -0400
2417@@ -9,22 +9,6 @@
2418 #include <linux/module.h>
2419 #include <asm/uaccess.h>
2420
2421-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2422-{
2423- if (likely(access_ok(VERIFY_READ, from, n)))
2424- n = __copy_from_user(to, from, n);
2425- else
2426- memset(to, 0, n);
2427- return n;
2428-}
2429-
2430-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2431-{
2432- if (likely(access_ok(VERIFY_WRITE, to, n)))
2433- n = __copy_to_user(to, from, n);
2434- return n;
2435-}
2436-
2437 unsigned long copy_in_user(void __user *to, const void __user *from,
2438 unsigned long n)
2439 {
2440@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2441 return n;
2442 }
2443
2444-EXPORT_SYMBOL(copy_from_user);
2445-EXPORT_SYMBOL(copy_to_user);
2446 EXPORT_SYMBOL(copy_in_user);
2447
2448diff -urNp linux-2.6.33.1/arch/powerpc/mm/fault.c linux-2.6.33.1/arch/powerpc/mm/fault.c
2449--- linux-2.6.33.1/arch/powerpc/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
2450+++ linux-2.6.33.1/arch/powerpc/mm/fault.c 2010-03-20 16:58:38.748775088 -0400
2451@@ -30,6 +30,10 @@
2452 #include <linux/kprobes.h>
2453 #include <linux/kdebug.h>
ae4e228f 2454 #include <linux/perf_event.h>
2455+#include <linux/slab.h>
2456+#include <linux/pagemap.h>
2457+#include <linux/compiler.h>
2458+#include <linux/unistd.h>
2459
2460 #include <asm/firmware.h>
2461 #include <asm/page.h>
ae4e228f 2462@@ -41,6 +45,7 @@
2463 #include <asm/tlbflush.h>
2464 #include <asm/siginfo.h>
ae4e228f 2465 #include <mm/mmu_decl.h>
2466+#include <asm/ptrace.h>
2467
58c5fc13 2468 #ifdef CONFIG_KPROBES
ae4e228f 2469 static inline int notify_page_fault(struct pt_regs *regs)
2470@@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2471 }
2472 #endif
2473
2474+#ifdef CONFIG_PAX_PAGEEXEC
2475+/*
2476+ * PaX: decide what to do with offenders (regs->nip = fault address)
2477+ *
2478+ * returns 1 when task should be killed
2479+ */
2480+static int pax_handle_fetch_fault(struct pt_regs *regs)
2481+{
2482+ return 1;
2483+}
2484+
2485+void pax_report_insns(void *pc, void *sp)
2486+{
2487+ unsigned long i;
2488+
2489+ printk(KERN_ERR "PAX: bytes at PC: ");
2490+ for (i = 0; i < 5; i++) {
2491+ unsigned int c;
ae4e228f 2492+ if (get_user(c, (unsigned int __user *)pc+i))
2493+ printk(KERN_CONT "???????? ");
2494+ else
2495+ printk(KERN_CONT "%08x ", c);
2496+ }
2497+ printk("\n");
2498+}
2499+#endif
2500+
2501 /*
2502 * Check whether the instruction at regs->nip is a store using
2503 * an update addressing form which will update r1.
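Review bot: The closing `printk("\n");` in pax_report_insns carries no log level, unlike the `KERN_CONT` fragments before it, so it can be logged as a separate default-level record instead of ending the "PAX: bytes at PC:" line; `printk(KERN_CONT "\n");` keeps the report on one line. The loop bound `5` is a bare literal, and a named constant or a comment saying that five 32-bit words at the faulting PC are dumped would document it. pax_handle_fetch_fault unconditionally returns 1 in this hunk, so its header comment ("returns 1 when task should be killed") describes a decision the function does not yet make.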
2504@@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2505 * indicate errors in DSISR but can validly be set in SRR1.
2506 */
2507 if (trap == 0x400)
2508- error_code &= 0x48200000;
2509+ error_code &= 0x58200000;
2510 else
2511 is_write = error_code & DSISR_ISSTORE;
2512 #else
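Review bot: The instruction-fault mask grows from `0x48200000` to `0x58200000` as a bare literal, and the only hint at what the extra bit `0x10000000` means is a later hunk in this file that replaces the same value with `DSISR_GUARDED`. Writing the new bit symbolically, or adding a comment such as `/* keep DSISR_GUARDED as well: the PaX exec check in bad_area tests it */`, would tie this line to the code that depends on it. do_page_fault begins and ends outside the hunk.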
ae4e228f 2513@@ -256,7 +288,7 @@ good_area:
2514 * "undefined". Of those that can be set, this is the only
2515 * one which seems bad.
2516 */
2517- if (error_code & 0x10000000)
2518+ if (error_code & DSISR_GUARDED)
2519 /* Guarded storage error. */
2520 goto bad_area;
2521 #endif /* CONFIG_8xx */
ae4e228f 2522@@ -271,7 +303,7 @@ good_area:
2523 * processors use the same I/D cache coherency mechanism
2524 * as embedded.
2525 */
2526- if (error_code & DSISR_PROTFAULT)
2527+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2528 goto bad_area;
2529 #endif /* CONFIG_PPC_STD_MMU */
2530
ae4e228f 2531@@ -341,6 +373,23 @@ bad_area:
2532 bad_area_nosemaphore:
2533 /* User mode accesses cause a SIGSEGV */
2534 if (user_mode(regs)) {
2535+
2536+#ifdef CONFIG_PAX_PAGEEXEC
2537+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2538+#ifdef CONFIG_PPC_STD_MMU
2539+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2540+#else
2541+ if (is_exec && regs->nip == address) {
2542+#endif
2543+ switch (pax_handle_fetch_fault(regs)) {
2544+ }
2545+
2546+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2547+ do_group_exit(SIGKILL);
2548+ }
2549+ }
2550+#endif
2551+
2552 _exception(SIGSEGV, regs, code, address);
2553 return 0;
2554 }
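Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the helper's return value is evaluated and discarded and every matching fault falls through to `pax_report_fault()` and `do_group_exit(SIGKILL)`. Since the powerpc helper added earlier in this file only ever returns 1, the switch is dead scaffolding; either drop it or leave a comment that it is kept for parity with architectures that return other codes. The `#ifdef CONFIG_PPC_STD_MMU` / `#else` pair also splits one `if (...) {` across preprocessor branches, which hides the brace pairing; computing the condition into a local under the `#ifdef` and testing it in a single `if` would read more safely. The enclosing do_page_fault starts outside the hunk.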
2555diff -urNp linux-2.6.33.1/arch/powerpc/mm/mmap_64.c linux-2.6.33.1/arch/powerpc/mm/mmap_64.c
2556--- linux-2.6.33.1/arch/powerpc/mm/mmap_64.c 2010-03-15 12:09:39.000000000 -0400
2557+++ linux-2.6.33.1/arch/powerpc/mm/mmap_64.c 2010-03-20 16:58:38.748775088 -0400
2558@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2559 */
2560 if (mmap_is_legacy()) {
2561 mm->mmap_base = TASK_UNMAPPED_BASE;
2562+
2563+#ifdef CONFIG_PAX_RANDMMAP
2564+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2565+ mm->mmap_base += mm->delta_mmap;
2566+#endif
2567+
2568 mm->get_unmapped_area = arch_get_unmapped_area;
2569 mm->unmap_area = arch_unmap_area;
2570 } else {
2571 mm->mmap_base = mmap_base();
2572+
2573+#ifdef CONFIG_PAX_RANDMMAP
2574+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2575+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2576+#endif
2577+
2578 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2579 mm->unmap_area = arch_unmap_area_topdown;
2580 }
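Review bot: In the top-down branch `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` lowers the base with no lower bound checked in the hunk. Whether the result can fall below `TASK_UNMAPPED_BASE` or wrap depends on what `mmap_base()` returns and on the width of the two deltas, and neither is visible here. A short comment stating the bound being relied on, or an explicit clamp, would make the assumption reviewable. The same two additions appear in both arch_pick_mmap_layout hunks of arch/s390/mm/mmap.c and the remark applies there too. arch_pick_mmap_layout starts outside the hunk.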
2581diff -urNp linux-2.6.33.1/arch/powerpc/mm/slice.c linux-2.6.33.1/arch/powerpc/mm/slice.c
2582--- linux-2.6.33.1/arch/powerpc/mm/slice.c 2010-03-15 12:09:39.000000000 -0400
2583+++ linux-2.6.33.1/arch/powerpc/mm/slice.c 2010-03-20 16:58:38.764771645 -0400
2584@@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
2585 if (fixed && addr > (mm->task_size - len))
2586 return -EINVAL;
2587
2588+#ifdef CONFIG_PAX_RANDMMAP
2589+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2590+ addr = 0;
2591+#endif
2592+
2593 /* If hint, make sure it matches our alignment restrictions */
2594 if (!fixed && addr) {
2595 addr = _ALIGN_UP(addr, 1ul << pshift);
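Review bot: With `MF_PAX_RANDMMAP` set, a non-fixed caller's address hint is now silently replaced by `addr = 0`, which also skips the alignment and hint-matching code that follows. Nothing in the hunk says this is deliberate; if the intent is that hints must not override the randomized layout, a comment on the new block such as `/* RANDMMAP: ignore non-fixed hints so placement is not caller-controlled */` would record it. slice_get_unmapped_area starts and ends outside the hunk.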
2596diff -urNp linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c
2597--- linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-03-15 12:09:39.000000000 -0400
2598+++ linux-2.6.33.1/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-03-20 16:58:38.776769493 -0400
2599@@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2600 lite5200_pm_target_state = PM_SUSPEND_ON;
2601 }
2602
2603-static struct platform_suspend_ops lite5200_pm_ops = {
2604+static const struct platform_suspend_ops lite5200_pm_ops = {
2605 .valid = lite5200_pm_valid,
2606 .begin = lite5200_pm_begin,
2607 .prepare = lite5200_pm_prepare,
2608diff -urNp linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2609--- linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-03-15 12:09:39.000000000 -0400
2610+++ linux-2.6.33.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-03-20 16:58:38.776769493 -0400
2611@@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
2612 iounmap(mbar);
2613 }
2614
2615-static struct platform_suspend_ops mpc52xx_pm_ops = {
2616+static const struct platform_suspend_ops mpc52xx_pm_ops = {
2617 .valid = mpc52xx_pm_valid,
2618 .prepare = mpc52xx_pm_prepare,
2619 .enter = mpc52xx_pm_enter,
2620diff -urNp linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c
2621--- linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c 2010-03-15 12:09:39.000000000 -0400
2622+++ linux-2.6.33.1/arch/powerpc/platforms/83xx/suspend.c 2010-03-20 16:58:38.776769493 -0400
2623@@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2624 return ret;
2625 }
2626
2627-static struct platform_suspend_ops mpc83xx_suspend_ops = {
2628+static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2629 .valid = mpc83xx_suspend_valid,
2630 .begin = mpc83xx_suspend_begin,
2631 .enter = mpc83xx_suspend_enter,
2632diff -urNp linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c
2633--- linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c 2010-03-15 12:09:39.000000000 -0400
2634+++ linux-2.6.33.1/arch/powerpc/platforms/cell/iommu.c 2010-03-20 16:58:38.776769493 -0400
2635@@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2636
2637 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2638
2639-struct dma_map_ops dma_iommu_fixed_ops = {
2640+const struct dma_map_ops dma_iommu_fixed_ops = {
2641 .alloc_coherent = dma_fixed_alloc_coherent,
2642 .free_coherent = dma_fixed_free_coherent,
2643 .map_sg = dma_fixed_map_sg,
2644diff -urNp linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c
2645--- linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c 2010-03-15 12:09:39.000000000 -0400
2646+++ linux-2.6.33.1/arch/powerpc/platforms/ps3/system-bus.c 2010-03-20 16:58:38.776769493 -0400
2647@@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
2648 return mask >= DMA_BIT_MASK(32);
2649 }
2650
2651-static struct dma_map_ops ps3_sb_dma_ops = {
2652+static const struct dma_map_ops ps3_sb_dma_ops = {
2653 .alloc_coherent = ps3_alloc_coherent,
2654 .free_coherent = ps3_free_coherent,
2655 .map_sg = ps3_sb_map_sg,
2656@@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2657 .unmap_page = ps3_unmap_page,
2658 };
2659
2660-static struct dma_map_ops ps3_ioc0_dma_ops = {
2661+static const struct dma_map_ops ps3_ioc0_dma_ops = {
2662 .alloc_coherent = ps3_alloc_coherent,
2663 .free_coherent = ps3_free_coherent,
2664 .map_sg = ps3_ioc0_map_sg,
2665diff -urNp linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c
2666--- linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c 2010-03-15 12:09:39.000000000 -0400
2667+++ linux-2.6.33.1/arch/powerpc/sysdev/fsl_pmc.c 2010-03-20 16:58:38.784767469 -0400
2668@@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
2669 return 1;
2670 }
2671
2672-static struct platform_suspend_ops pmc_suspend_ops = {
2673+static const struct platform_suspend_ops pmc_suspend_ops = {
2674 .valid = pmc_suspend_valid,
2675 .enter = pmc_suspend_enter,
58c5fc13 2676 };
2677diff -urNp linux-2.6.33.1/arch/s390/include/asm/elf.h linux-2.6.33.1/arch/s390/include/asm/elf.h
2678--- linux-2.6.33.1/arch/s390/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
2679+++ linux-2.6.33.1/arch/s390/include/asm/elf.h 2010-03-20 16:58:38.792763717 -0400
2680@@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
2681 that it will "exec", and that there is sufficient room for the brk. */
2682 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
58c5fc13 2683
2684+#ifdef CONFIG_PAX_ASLR
2685+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
58c5fc13 2686+
2687+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2688+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2689+#endif
58c5fc13 2690+
2691 /* This yields a mask that user programs can use to figure out what
2692 instruction set this CPU supports. */
58c5fc13 2693
2694diff -urNp linux-2.6.33.1/arch/s390/include/asm/uaccess.h linux-2.6.33.1/arch/s390/include/asm/uaccess.h
2695--- linux-2.6.33.1/arch/s390/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
2696+++ linux-2.6.33.1/arch/s390/include/asm/uaccess.h 2010-03-20 16:58:38.800777709 -0400
2697@@ -234,6 +234,10 @@ static inline unsigned long __must_check
2698 copy_to_user(void __user *to, const void *from, unsigned long n)
2699 {
2700 might_fault();
2701+
2702+ if ((long)n < 0)
2703+ return n;
2704+
2705 if (access_ok(VERIFY_WRITE, to, n))
2706 n = __copy_to_user(to, from, n);
2707 return n;
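Review bot: The guard `if ((long)n < 0) return n;` is added without a comment here and again in `__copy_from_user` and `copy_from_user` in the next two hunks, so a reader has to infer that it rejects lengths with the sign bit set. A one-line comment at each site, for example `/* a length with the top bit set is almost certainly a negative value converted to unsigned long; refuse it */`, or a small shared inline helper, would state the rule once. The hunks guard `__copy_from_user` but show no matching guard for `__copy_to_user`; it may simply lie outside the visible context, so it is worth confirming the double-underscore write path is covered as well.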
ae4e228f 2708@@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
2709 static inline unsigned long __must_check
2710 __copy_from_user(void *to, const void __user *from, unsigned long n)
2711 {
2712+ if ((long)n < 0)
2713+ return n;
2714+
2715 if (__builtin_constant_p(n) && (n <= 256))
2716 return uaccess.copy_from_user_small(n, from, to);
2717 else
ae4e228f 2718@@ -285,6 +292,10 @@ static inline unsigned long __must_check
2719 copy_from_user(void *to, const void __user *from, unsigned long n)
2720 {
2721 might_fault();
2722+
2723+ if ((long)n < 0)
2724+ return n;
2725+
2726 if (access_ok(VERIFY_READ, from, n))
2727 n = __copy_from_user(to, from, n);
2728 else
2729diff -urNp linux-2.6.33.1/arch/s390/Kconfig linux-2.6.33.1/arch/s390/Kconfig
2730--- linux-2.6.33.1/arch/s390/Kconfig 2010-03-15 12:09:39.000000000 -0400
2731+++ linux-2.6.33.1/arch/s390/Kconfig 2010-03-20 16:58:38.812766228 -0400
2732@@ -222,13 +222,12 @@ config AUDIT_ARCH
2733
2734 config S390_EXEC_PROTECT
2735 bool "Data execute protection"
2736+ default y
2737 help
2738 This option allows to enable a buffer overflow protection for user
2739- space programs and it also selects the addressing mode option above.
2740- The kernel parameter noexec=on will enable this feature and also
2741- switch the addressing modes, default is disabled. Enabling this (via
2742- kernel parameter) on machines earlier than IBM System z9-109 EC/BC
2743- will reduce system performance.
2744+ space programs.
2745+ Enabling this on machines earlier than IBM System z9-109 EC/BC will
2746+ reduce system performance.
2747
2748 comment "Code generation options"
2749
2750diff -urNp linux-2.6.33.1/arch/s390/kernel/module.c linux-2.6.33.1/arch/s390/kernel/module.c
2751--- linux-2.6.33.1/arch/s390/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
2752+++ linux-2.6.33.1/arch/s390/kernel/module.c 2010-03-20 16:58:38.824764313 -0400
2753@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2754
2755 /* Increase core size by size of got & plt and set start
2756 offsets for got and plt. */
2757- me->core_size = ALIGN(me->core_size, 4);
2758- me->arch.got_offset = me->core_size;
2759- me->core_size += me->arch.got_size;
2760- me->arch.plt_offset = me->core_size;
2761- me->core_size += me->arch.plt_size;
2762+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
2763+ me->arch.got_offset = me->core_size_rw;
2764+ me->core_size_rw += me->arch.got_size;
2765+ me->arch.plt_offset = me->core_size_rx;
2766+ me->core_size_rx += me->arch.plt_size;
2767 return 0;
2768 }
2769
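Review bot: Only `core_size_rw` is aligned before the offsets are taken; `me->arch.plt_offset = me->core_size_rx;` uses the RX size as it stands. In the old code the PLT offset followed the 4-byte-aligned GOT, whereas now its alignment depends on whatever `core_size_rx` happens to be, and the PLT hunk further down writes the stubs through an `unsigned int *`. Unless `core_size_rx` is already aligned at this point (not visible in the hunk), add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment. The existing comment "Increase core size by size of got & plt" should also be updated to say that the GOT goes into the RW part and the PLT into the RX part.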
ae4e228f 2770@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2771 if (info->got_initialized == 0) {
2772 Elf_Addr *gotent;
2773
2774- gotent = me->module_core + me->arch.got_offset +
2775+ gotent = me->module_core_rw + me->arch.got_offset +
2776 info->got_offset;
2777 *gotent = val;
2778 info->got_initialized = 1;
ae4e228f 2779@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2780 else if (r_type == R_390_GOTENT ||
2781 r_type == R_390_GOTPLTENT)
2782 *(unsigned int *) loc =
2783- (val + (Elf_Addr) me->module_core - loc) >> 1;
2784+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2785 else if (r_type == R_390_GOT64 ||
2786 r_type == R_390_GOTPLT64)
2787 *(unsigned long *) loc = val;
ae4e228f 2788@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2789 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2790 if (info->plt_initialized == 0) {
2791 unsigned int *ip;
2792- ip = me->module_core + me->arch.plt_offset +
2793+ ip = me->module_core_rx + me->arch.plt_offset +
2794 info->plt_offset;
2795 #ifndef CONFIG_64BIT
2796 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
ae4e228f 2797@@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2798 val - loc + 0xffffUL < 0x1ffffeUL) ||
2799 (r_type == R_390_PLT32DBL &&
2800 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2801- val = (Elf_Addr) me->module_core +
2802+ val = (Elf_Addr) me->module_core_rx +
2803 me->arch.plt_offset +
2804 info->plt_offset;
2805 val += rela->r_addend - loc;
ae4e228f 2806@@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2807 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2808 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2809 val = val + rela->r_addend -
2810- ((Elf_Addr) me->module_core + me->arch.got_offset);
2811+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2812 if (r_type == R_390_GOTOFF16)
2813 *(unsigned short *) loc = val;
2814 else if (r_type == R_390_GOTOFF32)
ae4e228f 2815@@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2816 break;
2817 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2818 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2819- val = (Elf_Addr) me->module_core + me->arch.got_offset +
2820+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2821 rela->r_addend - loc;
2822 if (r_type == R_390_GOTPC)
2823 *(unsigned int *) loc = val;
2824diff -urNp linux-2.6.33.1/arch/s390/kernel/setup.c linux-2.6.33.1/arch/s390/kernel/setup.c
2825--- linux-2.6.33.1/arch/s390/kernel/setup.c 2010-03-15 12:09:39.000000000 -0400
2826+++ linux-2.6.33.1/arch/s390/kernel/setup.c 2010-03-20 16:58:38.824764313 -0400
2827@@ -298,7 +298,7 @@ static int __init early_parse_mem(char *
2828 }
2829 early_param("mem", early_parse_mem);
58c5fc13 2830
2831-unsigned int user_mode = HOME_SPACE_MODE;
2832+unsigned int user_mode = SECONDARY_SPACE_MODE;
2833 EXPORT_SYMBOL_GPL(user_mode);
2834
2835 static int set_amode_and_uaccess(unsigned long user_amode,
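Review bot: `user_mode` now defaults to `SECONDARY_SPACE_MODE` unconditionally, whereas the `noexec` handler removed later in this file set that mode only under `#ifdef CONFIG_S390_EXEC_PROTECT`, so a kernel built without that option would get the new default too. If the default is meant to follow the config option, the initializer should be guarded accordingly. The same section deletes the `noexec` and `switch_amode` early parameters, so an existing command line carrying `noexec=off` would no longer be acted on by this file, and the remaining `user_mode=` parameter becomes the only override. A comment on the initializer along the lines of `/* exec protection on by default; override with user_mode= */` would document that.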
2836@@ -327,17 +327,6 @@ static int set_amode_and_uaccess(unsigne
2837 }
2838 }
2839
2840-/*
2841- * Switch kernel/user addressing modes?
2842- */
2843-static int __init early_parse_switch_amode(char *p)
2844-{
2845- if (user_mode != SECONDARY_SPACE_MODE)
2846- user_mode = PRIMARY_SPACE_MODE;
2847- return 0;
2848-}
2849-early_param("switch_amode", early_parse_switch_amode);
2850-
2851 static int __init early_parse_user_mode(char *p)
2852 {
2853 if (p && strcmp(p, "primary") == 0)
2854@@ -354,20 +343,6 @@ static int __init early_parse_user_mode(
2855 }
2856 early_param("user_mode", early_parse_user_mode);
2857
2858-#ifdef CONFIG_S390_EXEC_PROTECT
2859-/*
2860- * Enable execute protection?
2861- */
2862-static int __init early_parse_noexec(char *p)
2863-{
2864- if (!strncmp(p, "off", 3))
2865- return 0;
2866- user_mode = SECONDARY_SPACE_MODE;
2867- return 0;
2868-}
2869-early_param("noexec", early_parse_noexec);
2870-#endif /* CONFIG_S390_EXEC_PROTECT */
2871-
2872 static void setup_addressing_mode(void)
2873 {
2874 if (user_mode == SECONDARY_SPACE_MODE) {
2875diff -urNp linux-2.6.33.1/arch/s390/mm/maccess.c linux-2.6.33.1/arch/s390/mm/maccess.c
2876--- linux-2.6.33.1/arch/s390/mm/maccess.c 2010-03-15 12:09:39.000000000 -0400
2877+++ linux-2.6.33.1/arch/s390/mm/maccess.c 2010-03-20 16:58:38.828581240 -0400
2878@@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
2879 return rc ? rc : count;
2880 }
2881
2882-long probe_kernel_write(void *dst, void *src, size_t size)
2883+long probe_kernel_write(void *dst, const void *src, size_t size)
2884 {
2885 long copied = 0;
2886
2887diff -urNp linux-2.6.33.1/arch/s390/mm/mmap.c linux-2.6.33.1/arch/s390/mm/mmap.c
2888--- linux-2.6.33.1/arch/s390/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
2889+++ linux-2.6.33.1/arch/s390/mm/mmap.c 2010-03-20 16:58:38.828581240 -0400
2890@@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
2891 */
2892 if (mmap_is_legacy()) {
2893 mm->mmap_base = TASK_UNMAPPED_BASE;
2894+
2895+#ifdef CONFIG_PAX_RANDMMAP
2896+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2897+ mm->mmap_base += mm->delta_mmap;
2898+#endif
2899+
2900 mm->get_unmapped_area = arch_get_unmapped_area;
2901 mm->unmap_area = arch_unmap_area;
2902 } else {
2903 mm->mmap_base = mmap_base();
2904+
2905+#ifdef CONFIG_PAX_RANDMMAP
2906+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2907+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2908+#endif
2909+
2910 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2911 mm->unmap_area = arch_unmap_area_topdown;
2912 }
2913@@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
2914 */
2915 if (mmap_is_legacy()) {
2916 mm->mmap_base = TASK_UNMAPPED_BASE;
2917+
2918+#ifdef CONFIG_PAX_RANDMMAP
2919+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2920+ mm->mmap_base += mm->delta_mmap;
2921+#endif
2922+
2923 mm->get_unmapped_area = s390_get_unmapped_area;
2924 mm->unmap_area = arch_unmap_area;
2925 } else {
2926 mm->mmap_base = mmap_base();
2927+
2928+#ifdef CONFIG_PAX_RANDMMAP
2929+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2930+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2931+#endif
2932+
2933 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
2934 mm->unmap_area = arch_unmap_area_topdown;
2935 }
2936diff -urNp linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c
2937--- linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c 2010-03-15 12:09:39.000000000 -0400
2938+++ linux-2.6.33.1/arch/sh/boards/mach-hp6xx/pm.c 2010-03-20 16:58:38.840778404 -0400
2939@@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
2940 return 0;
2941 }
2942
2943-static struct platform_suspend_ops hp6x0_pm_ops = {
2944+static const struct platform_suspend_ops hp6x0_pm_ops = {
2945 .enter = hp6x0_pm_enter,
2946 .valid = suspend_valid_only_mem,
2947 };
2948diff -urNp linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h
2949--- linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
2950+++ linux-2.6.33.1/arch/sh/include/asm/dma-mapping.h 2010-03-20 16:58:38.844777279 -0400
2951@@ -1,10 +1,10 @@
2952 #ifndef __ASM_SH_DMA_MAPPING_H
2953 #define __ASM_SH_DMA_MAPPING_H
2954
2955-extern struct dma_map_ops *dma_ops;
2956+extern const struct dma_map_ops *dma_ops;
2957 extern void no_iommu_init(void);
2958
2959-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2960+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2961 {
2962 return dma_ops;
2963 }
2964@@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
2965
2966 static inline int dma_supported(struct device *dev, u64 mask)
2967 {
2968- struct dma_map_ops *ops = get_dma_ops(dev);
2969+ const struct dma_map_ops *ops = get_dma_ops(dev);
2970
2971 if (ops->dma_supported)
2972 return ops->dma_supported(dev, mask);
2973@@ -24,7 +24,7 @@ static inline int dma_supported(struct d
2974
2975 static inline int dma_set_mask(struct device *dev, u64 mask)
2976 {
2977- struct dma_map_ops *ops = get_dma_ops(dev);
2978+ const struct dma_map_ops *ops = get_dma_ops(dev);
2979
2980 if (!dev->dma_mask || !dma_supported(dev, mask))
2981 return -EIO;
2982@@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
2983
2984 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2985 {
2986- struct dma_map_ops *ops = get_dma_ops(dev);
2987+ const struct dma_map_ops *ops = get_dma_ops(dev);
2988
2989 if (ops->mapping_error)
2990 return ops->mapping_error(dev, dma_addr);
2991@@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
2992 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2993 dma_addr_t *dma_handle, gfp_t gfp)
2994 {
2995- struct dma_map_ops *ops = get_dma_ops(dev);
2996+ const struct dma_map_ops *ops = get_dma_ops(dev);
2997 void *memory;
2998
2999 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3000@@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3001 static inline void dma_free_coherent(struct device *dev, size_t size,
3002 void *vaddr, dma_addr_t dma_handle)
3003 {
3004- struct dma_map_ops *ops = get_dma_ops(dev);
3005+ const struct dma_map_ops *ops = get_dma_ops(dev);
3006
3007 WARN_ON(irqs_disabled()); /* for portability */
3008
3009diff -urNp linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c
3010--- linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c 2010-03-15 12:09:39.000000000 -0400
3011+++ linux-2.6.33.1/arch/sh/kernel/cpu/sh4/sq.c 2010-03-20 16:58:38.848768890 -0400
3012@@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3013 NULL,
3014 };
3015
3016-static struct sysfs_ops sq_sysfs_ops = {
3017+static const struct sysfs_ops sq_sysfs_ops = {
3018 .show = sq_sysfs_show,
3019 .store = sq_sysfs_store,
3020 };
3021diff -urNp linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c
3022--- linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c 2010-03-15 12:09:39.000000000 -0400
3023+++ linux-2.6.33.1/arch/sh/kernel/cpu/shmobile/pm.c 2010-03-20 16:58:38.852765354 -0400
3024@@ -140,7 +140,7 @@ static int sh_pm_enter(suspend_state_t s
3025 return 0;
3026 }
3027
3028-static struct platform_suspend_ops sh_pm_ops = {
3029+static const struct platform_suspend_ops sh_pm_ops = {
3030 .enter = sh_pm_enter,
3031 .valid = suspend_valid_only_mem,
3032 };
3033diff -urNp linux-2.6.33.1/arch/sh/kernel/dma-nommu.c linux-2.6.33.1/arch/sh/kernel/dma-nommu.c
3034--- linux-2.6.33.1/arch/sh/kernel/dma-nommu.c 2010-03-15 12:09:39.000000000 -0400
3035+++ linux-2.6.33.1/arch/sh/kernel/dma-nommu.c 2010-03-20 16:58:38.852765354 -0400
3036@@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3037 }
3038 #endif
3039
3040-struct dma_map_ops nommu_dma_ops = {
3041+const struct dma_map_ops nommu_dma_ops = {
3042 .alloc_coherent = dma_generic_alloc_coherent,
3043 .free_coherent = dma_generic_free_coherent,
3044 .map_page = nommu_map_page,
3045diff -urNp linux-2.6.33.1/arch/sh/kernel/kgdb.c linux-2.6.33.1/arch/sh/kernel/kgdb.c
3046--- linux-2.6.33.1/arch/sh/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
3047+++ linux-2.6.33.1/arch/sh/kernel/kgdb.c 2010-03-20 16:58:38.856769610 -0400
3048@@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3049 {
3050 }
3051
3052-struct kgdb_arch arch_kgdb_ops = {
3053+const struct kgdb_arch arch_kgdb_ops = {
3054 /* Breakpoint instruction: trapa #0x3c */
3055 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3056 .gdb_bpt_instr = { 0x3c, 0xc3 },
3057diff -urNp linux-2.6.33.1/arch/sh/mm/consistent.c linux-2.6.33.1/arch/sh/mm/consistent.c
3058--- linux-2.6.33.1/arch/sh/mm/consistent.c 2010-03-15 12:09:39.000000000 -0400
3059+++ linux-2.6.33.1/arch/sh/mm/consistent.c 2010-03-20 16:58:38.860748595 -0400
3060@@ -21,7 +21,7 @@
3061
3062 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3063
3064-struct dma_map_ops *dma_ops;
3065+const struct dma_map_ops *dma_ops;
3066 EXPORT_SYMBOL(dma_ops);
3067
3068 static int __init dma_init(void)
3069diff -urNp linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h
3070--- linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h 2010-03-15 12:09:39.000000000 -0400
3071+++ linux-2.6.33.1/arch/sparc/include/asm/atomic_64.h 2010-03-20 16:58:38.860748595 -0400
3072@@ -14,18 +14,38 @@
3073 #define ATOMIC64_INIT(i) { (i) }
3074
3075 #define atomic_read(v) ((v)->counter)
3076+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3077+{
3078+ return v->counter;
3079+}
58c5fc13 3080 #define atomic64_read(v) ((v)->counter)
3081+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3082+{
3083+ return v->counter;
3084+}
3085
3086 #define atomic_set(v, i) (((v)->counter) = i)
3087+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3088+{
3089+ v->counter = i;
3090+}
58c5fc13 3091 #define atomic64_set(v, i) (((v)->counter) = i)
3092+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3093+{
3094+ v->counter = i;
3095+}
3096
3097 extern void atomic_add(int, atomic_t *);
3098+extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3099 extern void atomic64_add(int, atomic64_t *);
ae4e228f 3100+extern void atomic64_add_unchecked(int, atomic64_unchecked_t *);
3101 extern void atomic_sub(int, atomic_t *);
3102+extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3103 extern void atomic64_sub(int, atomic64_t *);
3104
3105 extern int atomic_add_ret(int, atomic_t *);
3106 extern int atomic64_add_ret(int, atomic64_t *);
3107+extern int atomic64_add_ret_unchecked(int, atomic64_unchecked_t *);
3108 extern int atomic_sub_ret(int, atomic_t *);
3109 extern int atomic64_sub_ret(int, atomic64_t *);
3110
3111@@ -34,6 +54,7 @@ extern int atomic64_sub_ret(int, atomic6
3112
3113 #define atomic_inc_return(v) atomic_add_ret(1, v)
3114 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3115+#define atomic64_inc_return_unchecked(v) atomic64_add_ret_unchecked(1, v)
3116
3117 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3118 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3119@@ -59,7 +80,15 @@ extern int atomic64_sub_ret(int, atomic6
3120 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3121
3122 #define atomic_inc(v) atomic_add(1, v)
3123+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3124+{
3125+ atomic_add_unchecked(1, v);
3126+}
58c5fc13 3127 #define atomic64_inc(v) atomic64_add(1, v)
3128+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3129+{
3130+ atomic64_add_unchecked(1, v);
3131+}
58c5fc13
MT
3132
3133 #define atomic_dec(v) atomic_sub(1, v)
ae4e228f
MT
3134 #define atomic64_dec(v) atomic64_sub(1, v)
3135@@ -72,17 +101,28 @@ extern int atomic64_sub_ret(int, atomic6
58c5fc13
MT
3136
3137 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3138 {
3139- int c, old;
3140+ int c, old, new;
3141 c = atomic_read(v);
3142 for (;;) {
3143- if (unlikely(c == (u)))
3144+ if (unlikely(c == u))
3145 break;
3146- old = atomic_cmpxchg((v), c, c + (a));
3147+
3148+ asm volatile("addcc %2, %0, %0\n"
3149+
3150+#ifdef CONFIG_PAX_REFCOUNT
3151+ "tvs %%icc, 6\n"
3152+#endif
3153+
3154+ : "=r" (new)
3155+ : "0" (c), "ir" (a)
3156+ : "cc");
3157+
3158+ old = atomic_cmpxchg(v, c, new);
3159 if (likely(old == c))
3160 break;
3161 c = old;
3162 }
3163- return c != (u);
3164+ return c != u;
3165 }
3166
3167 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
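Review bot: In `atomic_add_unless` the hand-written `addcc` is emitted even when CONFIG_PAX_REFCOUNT is off, because only the `tvs %%icc, 6` line sits inside the `#ifdef`. Non-hardened builds therefore trade the plain `c + a` for an opaque asm statement with a "cc" clobber and gain nothing. Consider putting the whole asm under the `#ifdef` and keeping `new = c + a;` under `#else`. A comment above the asm such as `/* PAX_REFCOUNT: software trap 6 on signed overflow, taken before the cmpxchg stores the sum */` would also explain why the addition is hand-coded. The same applies to the `atomic64_add_unless` hunk that follows, there with `%%xcc`.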
ae4e228f 3168@@ -93,17 +133,28 @@ static inline int atomic_add_unless(atom
58c5fc13
MT
3169
3170 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
3171 {
3172- long c, old;
3173+ long c, old, new;
3174 c = atomic64_read(v);
3175 for (;;) {
3176- if (unlikely(c == (u)))
3177+ if (unlikely(c == u))
3178 break;
3179- old = atomic64_cmpxchg((v), c, c + (a));
3180+
3181+ asm volatile("addcc %2, %0, %0\n"
3182+
3183+#ifdef CONFIG_PAX_REFCOUNT
3184+ "tvs %%xcc, 6\n"
3185+#endif
3186+
3187+ : "=r" (new)
3188+ : "0" (c), "ir" (a)
3189+ : "cc");
3190+
3191+ old = atomic64_cmpxchg(v, c, new);
3192 if (likely(old == c))
3193 break;
3194 c = old;
3195 }
3196- return c != (u);
3197+ return c != u;
3198 }
3199
3200 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
ae4e228f
MT
3201diff -urNp linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h
3202--- linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
3203+++ linux-2.6.33.1/arch/sparc/include/asm/dma-mapping.h 2010-03-20 16:58:38.881211488 -0400
3204@@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3205 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3206 #define dma_is_consistent(d, h) (1)
3207
3208-extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3209+extern struct const dma_map_ops *dma_ops, pci32_dma_ops;
3210 extern struct bus_type pci_bus_type;
3211
3212-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3213+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3214 {
3215 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3216 if (dev->bus == &pci_bus_type)
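Review bot: The new declaration `extern struct const dma_map_ops *dma_ops, pci32_dma_ops;` puts `const` between `struct` and the tag, which is not valid C and will break every build that includes this header. It should read `extern const struct dma_map_ops *dma_ops, pci32_dma_ops;`, which also agrees with the `const struct dma_map_ops pci32_dma_ops` definition this patch makes in arch/sparc/kernel/ioport.c. The body of `get_dma_ops` continues past the end of this hunk.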
3217@@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3218 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3219 dma_addr_t *dma_handle, gfp_t flag)
3220 {
3221- struct dma_map_ops *ops = get_dma_ops(dev);
3222+ const struct dma_map_ops *ops = get_dma_ops(dev);
3223 void *cpu_addr;
3224
3225 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3226@@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3227 static inline void dma_free_coherent(struct device *dev, size_t size,
3228 void *cpu_addr, dma_addr_t dma_handle)
3229 {
3230- struct dma_map_ops *ops = get_dma_ops(dev);
3231+ const struct dma_map_ops *ops = get_dma_ops(dev);
3232
3233 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3234 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3235diff -urNp linux-2.6.33.1/arch/sparc/include/asm/elf_32.h linux-2.6.33.1/arch/sparc/include/asm/elf_32.h
3236--- linux-2.6.33.1/arch/sparc/include/asm/elf_32.h 2010-03-15 12:09:39.000000000 -0400
3237+++ linux-2.6.33.1/arch/sparc/include/asm/elf_32.h 2010-03-20 16:58:38.884769570 -0400
3238@@ -114,6 +114,13 @@ typedef struct {
58c5fc13
MT
3239
3240 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3241
3242+#ifdef CONFIG_PAX_ASLR
3243+#define PAX_ELF_ET_DYN_BASE 0x10000UL
3244+
3245+#define PAX_DELTA_MMAP_LEN 16
3246+#define PAX_DELTA_STACK_LEN 16
3247+#endif
3248+
3249 /* This yields a mask that user programs can use to figure out what
3250 instruction set this cpu supports. This can NOT be done in userspace
3251 on Sparc. */
ae4e228f
MT
3252diff -urNp linux-2.6.33.1/arch/sparc/include/asm/elf_64.h linux-2.6.33.1/arch/sparc/include/asm/elf_64.h
3253--- linux-2.6.33.1/arch/sparc/include/asm/elf_64.h 2010-03-15 12:09:39.000000000 -0400
3254+++ linux-2.6.33.1/arch/sparc/include/asm/elf_64.h 2010-03-20 16:58:38.892779813 -0400
3255@@ -162,6 +162,12 @@ typedef struct {
58c5fc13
MT
3256 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3257 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3258
3259+#ifdef CONFIG_PAX_ASLR
3260+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3261+
ae4e228f
MT
3262+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3263+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
58c5fc13
MT
3264+#endif
3265
3266 /* This yields a mask that user programs can use to figure out what
3267 instruction set this cpu supports. */
ae4e228f
MT
3268diff -urNp linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h
3269--- linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h 2010-03-15 12:09:39.000000000 -0400
3270+++ linux-2.6.33.1/arch/sparc/include/asm/pgtable_32.h 2010-03-20 16:58:38.892779813 -0400
58c5fc13
MT
3271@@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3272 BTFIXUPDEF_INT(page_none)
3273 BTFIXUPDEF_INT(page_copy)
3274 BTFIXUPDEF_INT(page_readonly)
3275+
3276+#ifdef CONFIG_PAX_PAGEEXEC
3277+BTFIXUPDEF_INT(page_shared_noexec)
3278+BTFIXUPDEF_INT(page_copy_noexec)
3279+BTFIXUPDEF_INT(page_readonly_noexec)
3280+#endif
3281+
3282 BTFIXUPDEF_INT(page_kernel)
3283
3284 #define PMD_SHIFT SUN4C_PMD_SHIFT
3285@@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3286 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3287 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3288
3289+#ifdef CONFIG_PAX_PAGEEXEC
3290+extern pgprot_t PAGE_SHARED_NOEXEC;
3291+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3292+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3293+#else
3294+# define PAGE_SHARED_NOEXEC PAGE_SHARED
3295+# define PAGE_COPY_NOEXEC PAGE_COPY
3296+# define PAGE_READONLY_NOEXEC PAGE_READONLY
3297+#endif
3298+
3299 extern unsigned long page_kernel;
3300
3301 #ifdef MODULE
ae4e228f
MT
3302diff -urNp linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h
3303--- linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h 2010-03-15 12:09:39.000000000 -0400
3304+++ linux-2.6.33.1/arch/sparc/include/asm/pgtsrmmu.h 2010-03-20 16:58:38.917006269 -0400
58c5fc13
MT
3305@@ -115,6 +115,13 @@
3306 SRMMU_EXEC | SRMMU_REF)
3307 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3308 SRMMU_EXEC | SRMMU_REF)
3309+
3310+#ifdef CONFIG_PAX_PAGEEXEC
3311+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3312+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3313+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3314+#endif
3315+
3316 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3317 SRMMU_DIRTY | SRMMU_REF)
3318
ae4e228f
MT
3319diff -urNp linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h
3320--- linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h 2010-03-15 12:09:39.000000000 -0400
3321+++ linux-2.6.33.1/arch/sparc/include/asm/spinlock_64.h 2010-03-20 16:58:38.917006269 -0400
3322@@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
58c5fc13
MT
3323 __asm__ __volatile__ (
3324 "1: ldsw [%2], %0\n"
3325 " brlz,pn %0, 2f\n"
3326-"4: add %0, 1, %1\n"
3327+"4: addcc %0, 1, %1\n"
3328+
3329+#ifdef CONFIG_PAX_REFCOUNT
3330+" tvs %%icc, 6\n"
3331+#endif
3332+
3333 " cas [%2], %0, %1\n"
3334 " cmp %0, %1\n"
3335 " bne,pn %%icc, 1b\n"
ae4e228f 3336@@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
58c5fc13
MT
3337 " .previous"
3338 : "=&r" (tmp1), "=&r" (tmp2)
3339 : "r" (lock)
3340- : "memory");
3341+ : "memory", "cc");
3342 }
3343
ae4e228f
MT
3344 static int inline arch_read_trylock(arch_rwlock_t *lock)
3345@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
58c5fc13
MT
3346 "1: ldsw [%2], %0\n"
3347 " brlz,a,pn %0, 2f\n"
3348 " mov 0, %0\n"
3349-" add %0, 1, %1\n"
3350+" addcc %0, 1, %1\n"
3351+
3352+#ifdef CONFIG_PAX_REFCOUNT
3353+" tvs %%icc, 6\n"
3354+#endif
3355+
3356 " cas [%2], %0, %1\n"
3357 " cmp %0, %1\n"
3358 " bne,pn %%icc, 1b\n"
ae4e228f 3359@@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
58c5fc13
MT
3360
3361 __asm__ __volatile__(
3362 "1: lduw [%2], %0\n"
3363-" sub %0, 1, %1\n"
3364+" subcc %0, 1, %1\n"
3365+
3366+#ifdef CONFIG_PAX_REFCOUNT
ae4e228f 3367+" tvs %%icc, 6\n"
58c5fc13
MT
3368+#endif
3369+
3370 " cas [%2], %0, %1\n"
3371 " cmp %0, %1\n"
3372 " bne,pn %%xcc, 1b\n"
ae4e228f
MT
3373diff -urNp linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h
3374--- linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h 2010-03-15 12:09:39.000000000 -0400
3375+++ linux-2.6.33.1/arch/sparc/include/asm/uaccess_32.h 2010-03-20 16:58:38.917006269 -0400
3376@@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
58c5fc13
MT
3377
3378 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3379 {
3380- if (n && __access_ok((unsigned long) to, n))
3381+ if ((long)n < 0)
3382+ return n;
3383+
3384+ if (n && __access_ok((unsigned long) to, n)) {
3385+ if (!__builtin_constant_p(n))
3386+ check_object_size(from, n, true);
3387 return __copy_user(to, (__force void __user *) from, n);
3388- else
3389+ } else
3390 return n;
3391 }
3392
3393 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3394 {
3395+ if ((long)n < 0)
3396+ return n;
3397+
3398+ if (!__builtin_constant_p(n))
3399+ check_object_size(from, n, true);
3400+
3401 return __copy_user(to, (__force void __user *) from, n);
3402 }
3403
ae4e228f 3404@@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
58c5fc13 3405 {
ae4e228f
MT
3406 int sz = __compiletime_object_size(to);
3407
58c5fc13
MT
3408+ if ((long)n < 0)
3409+ return n;
3410+
ae4e228f
MT
3411 if (unlikely(sz != -1 && sz < n)) {
3412 copy_from_user_overflow();
3413 return n;
3414 }
3415
3416- if (n && __access_ok((unsigned long) from, n))
58c5fc13
MT
3417+ if (n && __access_ok((unsigned long) from, n)) {
3418+ if (!__builtin_constant_p(n))
3419+ check_object_size(to, n, false);
3420 return __copy_user((__force void __user *) to, from, n);
3421- else
3422+ } else
3423 return n;
3424 }
3425
3426 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3427 {
3428+ if ((long)n < 0)
3429+ return n;
58c5fc13
MT
3430+
3431 return __copy_user((__force void __user *) to, from, n);
3432 }
3433
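Review bot: `__copy_from_user` receives only the `(long)n < 0` guard here, while `copy_from_user` in this same hunk and `__copy_to_user` in the previous hunk also call `check_object_size` for non-constant sizes. Callers of the double-underscore variant therefore skip the bounds check on the destination kernel object. If the omission is not deliberate, add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call; if it is deliberate, a comment saying why would help the next auditor. The visible hunks add no declaration of `check_object_size` to this header (uaccess_64.h gets an `extern`), so it presumably arrives through another include.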
ae4e228f
MT
3434diff -urNp linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h
3435--- linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h 2010-03-15 12:09:39.000000000 -0400
3436+++ linux-2.6.33.1/arch/sparc/include/asm/uaccess_64.h 2010-03-20 16:58:38.924784570 -0400
3437@@ -10,6 +10,7 @@
3438 #include <linux/compiler.h>
3439 #include <linux/string.h>
3440 #include <linux/thread_info.h>
3441+#include <linux/kernel.h>
3442 #include <asm/asi.h>
3443 #include <asm/system.h>
3444 #include <asm/spitfire.h>
3445@@ -204,6 +205,7 @@ __asm__ __volatile__( \
3446 : "=r" (x) : "r" (__m(addr)), "i" (retval))
3447
3448 extern int __get_user_bad(void);
3449+extern void check_object_size(const void *ptr, unsigned long n, bool to);
3450
3451 extern void copy_from_user_overflow(void)
3452 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
3453@@ -224,6 +226,12 @@ copy_from_user(void *to, const void __us
3454 int sz = __compiletime_object_size(to);
3455 unsigned long ret = size;
3456
3457+ if ((long)size < 0 || size > INT_MAX)
58c5fc13
MT
3458+ return size;
3459+
3460+ if (!__builtin_constant_p(size))
3461+ check_object_size(to, size, false);
3462+
ae4e228f
MT
3463 if (likely(sz == -1 || sz >= size)) {
3464 ret = ___copy_from_user(to, from, size);
3465 if (unlikely(ret))
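Review bot: In `copy_from_user` the first half of the guard `if ((long)size < 0 || size > INT_MAX)` is redundant: `size` is `unsigned long`, so any value with the sign bit set is already greater than `INT_MAX`. `if (size > INT_MAX)` alone expresses the limit, and a one-line comment such as `/* lengths this large can only come from a sign or arithmetic error */` would record the intent. The identical guard in the `copy_to_user` hunk below has the same redundancy, and uaccess_32.h spells the limit as `(long)n < 0`; one form used in both headers would be easier to audit. The function body continues outside this hunk.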
3466@@ -243,8 +251,15 @@ extern unsigned long copy_to_user_fixup(
58c5fc13
MT
3467 static inline unsigned long __must_check
3468 copy_to_user(void __user *to, const void *from, unsigned long size)
3469 {
3470- unsigned long ret = ___copy_to_user(to, from, size);
3471+ unsigned long ret;
3472+
ae4e228f 3473+ if ((long)size < 0 || size > INT_MAX)
58c5fc13
MT
3474+ return size;
3475+
3476+ if (!__builtin_constant_p(size))
3477+ check_object_size(from, size, true);
58c5fc13 3478
ae4e228f 3479+ ret = ___copy_to_user(to, from, size);
58c5fc13
MT
3480 if (unlikely(ret))
3481 ret = copy_to_user_fixup(to, from, size);
ae4e228f
MT
3482 return ret;
3483diff -urNp linux-2.6.33.1/arch/sparc/kernel/iommu.c linux-2.6.33.1/arch/sparc/kernel/iommu.c
3484--- linux-2.6.33.1/arch/sparc/kernel/iommu.c 2010-03-15 12:09:39.000000000 -0400
3485+++ linux-2.6.33.1/arch/sparc/kernel/iommu.c 2010-03-20 16:58:38.928788728 -0400
3486@@ -827,7 +827,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3487 spin_unlock_irqrestore(&iommu->lock, flags);
3488 }
3489
3490-static struct dma_map_ops sun4u_dma_ops = {
3491+static const struct dma_map_ops sun4u_dma_ops = {
3492 .alloc_coherent = dma_4u_alloc_coherent,
3493 .free_coherent = dma_4u_free_coherent,
3494 .map_page = dma_4u_map_page,
3495@@ -838,7 +838,7 @@ static struct dma_map_ops sun4u_dma_ops
3496 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3497 };
3498
3499-struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3500+const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3501 EXPORT_SYMBOL(dma_ops);
3502
3503 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3504diff -urNp linux-2.6.33.1/arch/sparc/kernel/ioport.c linux-2.6.33.1/arch/sparc/kernel/ioport.c
3505--- linux-2.6.33.1/arch/sparc/kernel/ioport.c 2010-03-15 12:09:39.000000000 -0400
3506+++ linux-2.6.33.1/arch/sparc/kernel/ioport.c 2010-03-20 16:58:38.940791948 -0400
3507@@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3508 BUG();
3509 }
3510
3511-struct dma_map_ops sbus_dma_ops = {
3512+const struct dma_map_ops sbus_dma_ops = {
3513 .alloc_coherent = sbus_alloc_coherent,
3514 .free_coherent = sbus_free_coherent,
3515 .map_page = sbus_map_page,
3516@@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3517 .sync_sg_for_device = sbus_sync_sg_for_device,
3518 };
3519
3520-struct dma_map_ops *dma_ops = &sbus_dma_ops;
3521+const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3522 EXPORT_SYMBOL(dma_ops);
3523
3524 static int __init sparc_register_ioport(void)
3525@@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3526 }
3527 }
3528
3529-struct dma_map_ops pci32_dma_ops = {
3530+const struct dma_map_ops pci32_dma_ops = {
3531 .alloc_coherent = pci32_alloc_coherent,
3532 .free_coherent = pci32_free_coherent,
3533 .map_page = pci32_map_page,
3534diff -urNp linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c
3535--- linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c 2010-03-15 12:09:39.000000000 -0400
3536+++ linux-2.6.33.1/arch/sparc/kernel/kgdb_32.c 2010-03-20 16:58:38.940791948 -0400
3537@@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
3538 {
3539 }
3540
3541-struct kgdb_arch arch_kgdb_ops = {
3542+const struct kgdb_arch arch_kgdb_ops = {
3543 /* Breakpoint instruction: ta 0x7d */
3544 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3545 };
3546diff -urNp linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c
3547--- linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c 2010-03-15 12:09:39.000000000 -0400
3548+++ linux-2.6.33.1/arch/sparc/kernel/kgdb_64.c 2010-03-20 16:58:38.940791948 -0400
3549@@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
3550 {
3551 }
3552
3553-struct kgdb_arch arch_kgdb_ops = {
3554+const struct kgdb_arch arch_kgdb_ops = {
3555 /* Breakpoint instruction: ta 0x72 */
3556 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
3557 };
3558diff -urNp linux-2.6.33.1/arch/sparc/kernel/Makefile linux-2.6.33.1/arch/sparc/kernel/Makefile
3559--- linux-2.6.33.1/arch/sparc/kernel/Makefile 2010-03-15 12:09:39.000000000 -0400
3560+++ linux-2.6.33.1/arch/sparc/kernel/Makefile 2010-03-20 16:58:38.944776638 -0400
58c5fc13
MT
3561@@ -3,7 +3,7 @@
3562 #
3563
3564 asflags-y := -ansi
3565-ccflags-y := -Werror
3566+#ccflags-y := -Werror
3567
3568 extra-y := head_$(BITS).o
3569 extra-y += init_task.o
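Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for all of arch/sparc/kernel without a stated reason, so any new warning in this directory now passes silently. If warnings introduced by this patch are the cause, for instance qualifier mismatches from the `const struct dma_map_ops` changes (an inference, no build log is shown), fixing them is preferable to muting the flag. If the flag must go, delete the line rather than leaving it commented out, or add a comment such as `# -Werror disabled: <reason>`.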
ae4e228f
MT
3570diff -urNp linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c
3571--- linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c 2010-03-15 12:09:39.000000000 -0400
3572+++ linux-2.6.33.1/arch/sparc/kernel/pci_sun4v.c 2010-03-20 16:58:38.944776638 -0400
3573@@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3574 spin_unlock_irqrestore(&iommu->lock, flags);
3575 }
3576
3577-static struct dma_map_ops sun4v_dma_ops = {
3578+static const struct dma_map_ops sun4v_dma_ops = {
3579 .alloc_coherent = dma_4v_alloc_coherent,
3580 .free_coherent = dma_4v_free_coherent,
3581 .map_page = dma_4v_map_page,
3582diff -urNp linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c
3583--- linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c 2010-03-15 12:09:39.000000000 -0400
3584+++ linux-2.6.33.1/arch/sparc/kernel/sys_sparc_32.c 2010-03-20 16:58:38.944776638 -0400
3585@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
58c5fc13
MT
3586 if (ARCH_SUN4C && len > 0x20000000)
3587 return -ENOMEM;
3588 if (!addr)
3589- addr = TASK_UNMAPPED_BASE;
3590+ addr = current->mm->mmap_base;
3591
3592 if (flags & MAP_SHARED)
3593 addr = COLOUR_ALIGN(addr);
ae4e228f
MT
3594diff -urNp linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c
3595--- linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c 2010-03-15 12:09:39.000000000 -0400
3596+++ linux-2.6.33.1/arch/sparc/kernel/sys_sparc_64.c 2010-03-20 16:58:38.948763345 -0400
58c5fc13
MT
3597@@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
3598 /* We do not accept a shared mapping if it would violate
3599 * cache aliasing constraints.
3600 */
3601- if ((flags & MAP_SHARED) &&
3602+ if ((filp || (flags & MAP_SHARED)) &&
3603 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3604 return -EINVAL;
3605 return addr;
3606@@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
3607 if (filp || (flags & MAP_SHARED))
3608 do_color_align = 1;
3609
3610+#ifdef CONFIG_PAX_RANDMMAP
3611+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3612+#endif
3613+
3614 if (addr) {
3615 if (do_color_align)
3616 addr = COLOUR_ALIGN(addr, pgoff);
3617@@ -153,9 +157,9 @@ unsigned long arch_get_unmapped_area(str
3618 }
3619
3620 if (len > mm->cached_hole_size) {
3621- start_addr = addr = mm->free_area_cache;
3622+ start_addr = addr = mm->free_area_cache;
3623 } else {
3624- start_addr = addr = TASK_UNMAPPED_BASE;
3625+ start_addr = addr = mm->mmap_base;
3626 mm->cached_hole_size = 0;
3627 }
3628
3629@@ -175,8 +179,8 @@ full_search:
3630 vma = find_vma(mm, VA_EXCLUDE_END);
3631 }
3632 if (unlikely(task_size < addr)) {
3633- if (start_addr != TASK_UNMAPPED_BASE) {
3634- start_addr = addr = TASK_UNMAPPED_BASE;
3635+ if (start_addr != mm->mmap_base) {
3636+ start_addr = addr = mm->mmap_base;
3637 mm->cached_hole_size = 0;
3638 goto full_search;
3639 }
3640@@ -216,7 +220,7 @@ arch_get_unmapped_area_topdown(struct fi
3641 /* We do not accept a shared mapping if it would violate
3642 * cache aliasing constraints.
3643 */
3644- if ((flags & MAP_SHARED) &&
3645+ if ((filp || (flags & MAP_SHARED)) &&
3646 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3647 return -EINVAL;
3648 return addr;
ae4e228f
MT
3649@@ -386,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
3650 gap == RLIM_INFINITY ||
58c5fc13
MT
3651 sysctl_legacy_va_layout) {
3652 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3653+
3654+#ifdef CONFIG_PAX_RANDMMAP
3655+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3656+ mm->mmap_base += mm->delta_mmap;
3657+#endif
3658+
3659 mm->get_unmapped_area = arch_get_unmapped_area;
3660 mm->unmap_area = arch_unmap_area;
3661 } else {
ae4e228f 3662@@ -398,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
58c5fc13
MT
3663 gap = (task_size / 6 * 5);
3664
3665 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3666+
3667+#ifdef CONFIG_PAX_RANDMMAP
3668+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3669+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3670+#endif
3671+
3672 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3673 mm->unmap_area = arch_unmap_area_topdown;
3674 }
ae4e228f
MT
3675diff -urNp linux-2.6.33.1/arch/sparc/kernel/traps_64.c linux-2.6.33.1/arch/sparc/kernel/traps_64.c
3676--- linux-2.6.33.1/arch/sparc/kernel/traps_64.c 2010-03-15 12:09:39.000000000 -0400
3677+++ linux-2.6.33.1/arch/sparc/kernel/traps_64.c 2010-03-20 16:58:38.948763345 -0400
58c5fc13
MT
3678@@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
3679
3680 lvl -= 0x100;
3681 if (regs->tstate & TSTATE_PRIV) {
3682+
3683+#ifdef CONFIG_PAX_REFCOUNT
3684+ if (lvl == 6)
3685+ pax_report_refcount_overflow(regs);
3686+#endif
3687+
3688 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
3689 die_if_kernel(buffer, regs);
3690 }
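Review bot: The literal `6` in `if (lvl == 6)` has to stay in step with the `tvs %icc, 6` and `tvs %xcc, 6` instructions this patch adds in atomic_64.S, rwsem_64.S, spinlock_64.h and the atomic header, yet nothing ties them together. A named constant shared by the C and assembly sides, or at minimum a comment like `/* sw trap 6 is raised by the PAX_REFCOUNT tvs checks */`, would keep a later renumbering from silently disabling the overflow report. Control also falls through to `die_if_kernel` after the report; whether that is intended depends on `pax_report_refcount_overflow`, which is not part of this hunk.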
3691@@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
3692 void bad_trap_tl1(struct pt_regs *regs, long lvl)
3693 {
3694 char buffer[32];
3695-
3696+
3697 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
3698 0, lvl, SIGTRAP) == NOTIFY_STOP)
3699 return;
3700
3701+#ifdef CONFIG_PAX_REFCOUNT
3702+ if (lvl == 6)
3703+ pax_report_refcount_overflow(regs);
3704+#endif
3705+
3706 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
3707
3708 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
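Review bot: `bad_trap_tl1` compares the raw `lvl` with 6, whereas `bad_trap` in the previous hunk executes `lvl -= 0x100;` before making the same comparison. If both handlers receive the trap type in the same encoding (the trap table is not shown here), software trap 6 arrives as 0x106 and this check never matches, so refcount overflows taken at tl>0 would go unreported. Confirm the encoding and, if it matches `bad_trap`, compare against `0x100 + 6` or normalise `lvl` before the test.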
ae4e228f
MT
3709diff -urNp linux-2.6.33.1/arch/sparc/lib/atomic_64.S linux-2.6.33.1/arch/sparc/lib/atomic_64.S
3710--- linux-2.6.33.1/arch/sparc/lib/atomic_64.S 2010-03-15 12:09:39.000000000 -0400
3711+++ linux-2.6.33.1/arch/sparc/lib/atomic_64.S 2010-03-20 16:58:38.952780321 -0400
58c5fc13
MT
3712@@ -18,7 +18,12 @@
3713 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
3714 BACKOFF_SETUP(%o2)
3715 1: lduw [%o1], %g1
3716- add %g1, %o0, %g7
3717+ addcc %g1, %o0, %g7
3718+
3719+#ifdef CONFIG_PAX_REFCOUNT
3720+ tvs %icc, 6
3721+#endif
3722+
3723 cas [%o1], %g1, %g7
3724 cmp %g1, %g7
3725 bne,pn %icc, 2f
3726@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
3727 2: BACKOFF_SPIN(%o2, %o3, 1b)
3728 .size atomic_add, .-atomic_add
3729
3730+ .globl atomic_add_unchecked
3731+ .type atomic_add_unchecked,#function
3732+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3733+ BACKOFF_SETUP(%o2)
3734+1: lduw [%o1], %g1
3735+ add %g1, %o0, %g7
3736+ cas [%o1], %g1, %g7
3737+ cmp %g1, %g7
3738+ bne,pn %icc, 2f
3739+ nop
3740+ retl
3741+ nop
3742+2: BACKOFF_SPIN(%o2, %o3, 1b)
3743+ .size atomic_add_unchecked, .-atomic_add_unchecked
3744+
3745 .globl atomic_sub
3746 .type atomic_sub,#function
3747 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3748 BACKOFF_SETUP(%o2)
3749 1: lduw [%o1], %g1
3750- sub %g1, %o0, %g7
3751+ subcc %g1, %o0, %g7
3752+
3753+#ifdef CONFIG_PAX_REFCOUNT
3754+ tvs %icc, 6
3755+#endif
3756+
3757 cas [%o1], %g1, %g7
3758 cmp %g1, %g7
3759 bne,pn %icc, 2f
3760@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
3761 2: BACKOFF_SPIN(%o2, %o3, 1b)
3762 .size atomic_sub, .-atomic_sub
3763
3764+ .globl atomic_sub_unchecked
3765+ .type atomic_sub_unchecked,#function
3766+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3767+ BACKOFF_SETUP(%o2)
3768+1: lduw [%o1], %g1
3769+ sub %g1, %o0, %g7
3770+ cas [%o1], %g1, %g7
3771+ cmp %g1, %g7
3772+ bne,pn %icc, 2f
3773+ nop
3774+ retl
3775+ nop
3776+2: BACKOFF_SPIN(%o2, %o3, 1b)
3777+ .size atomic_sub_unchecked, .-atomic_sub_unchecked
3778+
3779 .globl atomic_add_ret
3780 .type atomic_add_ret,#function
3781 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3782 BACKOFF_SETUP(%o2)
3783 1: lduw [%o1], %g1
3784- add %g1, %o0, %g7
3785+ addcc %g1, %o0, %g7
3786+
3787+#ifdef CONFIG_PAX_REFCOUNT
3788+ tvs %icc, 6
3789+#endif
3790+
3791 cas [%o1], %g1, %g7
3792 cmp %g1, %g7
3793 bne,pn %icc, 2f
3794@@ -64,7 +109,12 @@ atomic_add_ret: /* %o0 = increment, %o1
3795 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3796 BACKOFF_SETUP(%o2)
3797 1: lduw [%o1], %g1
3798- sub %g1, %o0, %g7
3799+ subcc %g1, %o0, %g7
3800+
3801+#ifdef CONFIG_PAX_REFCOUNT
3802+ tvs %icc, 6
3803+#endif
3804+
3805 cas [%o1], %g1, %g7
3806 cmp %g1, %g7
3807 bne,pn %icc, 2f
3808@@ -80,7 +130,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
3809 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
3810 BACKOFF_SETUP(%o2)
3811 1: ldx [%o1], %g1
3812- add %g1, %o0, %g7
3813+ addcc %g1, %o0, %g7
3814+
3815+#ifdef CONFIG_PAX_REFCOUNT
3816+ tvs %xcc, 6
3817+#endif
3818+
3819 casx [%o1], %g1, %g7
3820 cmp %g1, %g7
3821 bne,pn %xcc, 2f
ae4e228f
MT
3822@@ -90,12 +145,32 @@ atomic64_add: /* %o0 = increment, %o1 =
3823 2: BACKOFF_SPIN(%o2, %o3, 1b)
3824 .size atomic64_add, .-atomic64_add
3825
3826+ .globl atomic64_add_unchecked
3827+ .type atomic64_add_unchecked,#function
3828+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3829+ BACKOFF_SETUP(%o2)
3830+1: ldx [%o1], %g1
3831+ addcc %g1, %o0, %g7
3832+ casx [%o1], %g1, %g7
3833+ cmp %g1, %g7
3834+ bne,pn %xcc, 2f
3835+ nop
3836+ retl
3837+ nop
3838+2: BACKOFF_SPIN(%o2, %o3, 1b)
3839+ .size atomic64_add_unchecked, .-atomic64_add_unchecked
3840+
3841 .globl atomic64_sub
3842 .type atomic64_sub,#function
58c5fc13
MT
3843 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3844 BACKOFF_SETUP(%o2)
3845 1: ldx [%o1], %g1
3846- sub %g1, %o0, %g7
3847+ subcc %g1, %o0, %g7
3848+
3849+#ifdef CONFIG_PAX_REFCOUNT
3850+ tvs %xcc, 6
3851+#endif
3852+
3853 casx [%o1], %g1, %g7
3854 cmp %g1, %g7
3855 bne,pn %xcc, 2f
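Review bot: `atomic64_add_unchecked` uses `addcc` where the 32-bit `atomic_add_unchecked` and `atomic_sub_unchecked` added earlier in this file use plain `add` and `sub`. No `tvs` follows it, and the `cmp` after `casx` rewrites the condition codes anyway, so the `cc` form does nothing except suggest an overflow check that is not there. Use `add %g1, %o0, %g7` here and in `atomic64_add_ret_unchecked` in the later hunk, so the unchecked variants read as exact copies of the original unhardened routines.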
ae4e228f 3856@@ -110,7 +185,12 @@ atomic64_sub: /* %o0 = decrement, %o1 =
58c5fc13
MT
3857 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3858 BACKOFF_SETUP(%o2)
3859 1: ldx [%o1], %g1
3860- add %g1, %o0, %g7
3861+ addcc %g1, %o0, %g7
3862+
3863+#ifdef CONFIG_PAX_REFCOUNT
3864+ tvs %xcc, 6
3865+#endif
3866+
3867 casx [%o1], %g1, %g7
3868 cmp %g1, %g7
3869 bne,pn %xcc, 2f
ae4e228f
MT
3870@@ -121,12 +201,33 @@ atomic64_add_ret: /* %o0 = increment, %o
3871 2: BACKOFF_SPIN(%o2, %o3, 1b)
3872 .size atomic64_add_ret, .-atomic64_add_ret
3873
3874+ .globl atomic64_add_ret_unchecked
3875+ .type atomic64_add_ret_unchecked,#function
3876+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3877+ BACKOFF_SETUP(%o2)
3878+1: ldx [%o1], %g1
3879+ addcc %g1, %o0, %g7
3880+ casx [%o1], %g1, %g7
3881+ cmp %g1, %g7
3882+ bne,pn %xcc, 2f
3883+ add %g7, %o0, %g7
3884+ mov %g7, %o0
3885+ retl
3886+ nop
3887+2: BACKOFF_SPIN(%o2, %o3, 1b)
3888+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
3889+
3890 .globl atomic64_sub_ret
3891 .type atomic64_sub_ret,#function
58c5fc13
MT
3892 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3893 BACKOFF_SETUP(%o2)
3894 1: ldx [%o1], %g1
3895- sub %g1, %o0, %g7
3896+ subcc %g1, %o0, %g7
3897+
3898+#ifdef CONFIG_PAX_REFCOUNT
3899+ tvs %xcc, 6
3900+#endif
3901+
3902 casx [%o1], %g1, %g7
3903 cmp %g1, %g7
3904 bne,pn %xcc, 2f
ae4e228f
MT
3905diff -urNp linux-2.6.33.1/arch/sparc/lib/ksyms.c linux-2.6.33.1/arch/sparc/lib/ksyms.c
3906--- linux-2.6.33.1/arch/sparc/lib/ksyms.c 2010-03-15 12:09:39.000000000 -0400
3907+++ linux-2.6.33.1/arch/sparc/lib/ksyms.c 2010-03-20 16:58:38.956579787 -0400
3908@@ -142,8 +142,10 @@ EXPORT_SYMBOL(__downgrade_write);
58c5fc13
MT
3909
3910 /* Atomic counter implementation. */
3911 EXPORT_SYMBOL(atomic_add);
3912+EXPORT_SYMBOL(atomic_add_unchecked);
3913 EXPORT_SYMBOL(atomic_add_ret);
3914 EXPORT_SYMBOL(atomic_sub);
3915+EXPORT_SYMBOL(atomic_sub_unchecked);
3916 EXPORT_SYMBOL(atomic_sub_ret);
3917 EXPORT_SYMBOL(atomic64_add);
3918 EXPORT_SYMBOL(atomic64_add_ret);
ae4e228f
MT
3919diff -urNp linux-2.6.33.1/arch/sparc/lib/rwsem_64.S linux-2.6.33.1/arch/sparc/lib/rwsem_64.S
3920--- linux-2.6.33.1/arch/sparc/lib/rwsem_64.S 2010-03-15 12:09:39.000000000 -0400
3921+++ linux-2.6.33.1/arch/sparc/lib/rwsem_64.S 2010-03-20 16:58:38.956579787 -0400
58c5fc13
MT
3922@@ -11,7 +11,12 @@
3923 .globl __down_read
3924 __down_read:
3925 1: lduw [%o0], %g1
3926- add %g1, 1, %g7
3927+ addcc %g1, 1, %g7
3928+
3929+#ifdef CONFIG_PAX_REFCOUNT
3930+ tvs %icc, 6
3931+#endif
3932+
3933 cas [%o0], %g1, %g7
3934 cmp %g1, %g7
3935 bne,pn %icc, 1b
3936@@ -33,7 +38,12 @@ __down_read:
3937 .globl __down_read_trylock
3938 __down_read_trylock:
3939 1: lduw [%o0], %g1
3940- add %g1, 1, %g7
3941+ addcc %g1, 1, %g7
3942+
3943+#ifdef CONFIG_PAX_REFCOUNT
3944+ tvs %icc, 6
3945+#endif
3946+
3947 cmp %g7, 0
3948 bl,pn %icc, 2f
3949 mov 0, %o1
3950@@ -51,7 +61,12 @@ __down_write:
3951 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3952 1:
3953 lduw [%o0], %g3
3954- add %g3, %g1, %g7
3955+ addcc %g3, %g1, %g7
3956+
3957+#ifdef CONFIG_PAX_REFCOUNT
3958+ tvs %icc, 6
3959+#endif
3960+
3961 cas [%o0], %g3, %g7
3962 cmp %g3, %g7
3963 bne,pn %icc, 1b
3964@@ -77,7 +92,12 @@ __down_write_trylock:
3965 cmp %g3, 0
3966 bne,pn %icc, 2f
3967 mov 0, %o1
3968- add %g3, %g1, %g7
3969+ addcc %g3, %g1, %g7
3970+
3971+#ifdef CONFIG_PAX_REFCOUNT
3972+ tvs %icc, 6
3973+#endif
3974+
3975 cas [%o0], %g3, %g7
3976 cmp %g3, %g7
3977 bne,pn %icc, 1b
3978@@ -90,7 +110,12 @@ __down_write_trylock:
3979 __up_read:
3980 1:
3981 lduw [%o0], %g1
3982- sub %g1, 1, %g7
3983+ subcc %g1, 1, %g7
3984+
3985+#ifdef CONFIG_PAX_REFCOUNT
3986+ tvs %icc, 6
3987+#endif
3988+
3989 cas [%o0], %g1, %g7
3990 cmp %g1, %g7
3991 bne,pn %icc, 1b
3992@@ -118,7 +143,12 @@ __up_write:
3993 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
3994 1:
3995 lduw [%o0], %g3
3996- sub %g3, %g1, %g7
3997+ subcc %g3, %g1, %g7
3998+
3999+#ifdef CONFIG_PAX_REFCOUNT
4000+ tvs %icc, 6
4001+#endif
4002+
4003 cas [%o0], %g3, %g7
4004 cmp %g3, %g7
4005 bne,pn %icc, 1b
4006@@ -143,7 +173,12 @@ __downgrade_write:
4007 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4008 1:
4009 lduw [%o0], %g3
4010- sub %g3, %g1, %g7
4011+ subcc %g3, %g1, %g7
4012+
4013+#ifdef CONFIG_PAX_REFCOUNT
4014+ tvs %icc, 6
4015+#endif
4016+
4017 cas [%o0], %g3, %g7
4018 cmp %g3, %g7
4019 bne,pn %icc, 1b
ae4e228f
MT
4020diff -urNp linux-2.6.33.1/arch/sparc/Makefile linux-2.6.33.1/arch/sparc/Makefile
4021--- linux-2.6.33.1/arch/sparc/Makefile 2010-03-15 12:09:39.000000000 -0400
4022+++ linux-2.6.33.1/arch/sparc/Makefile 2010-03-20 16:58:38.956579787 -0400
4023@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
58c5fc13
MT
4024 # Export what is needed by arch/sparc/boot/Makefile
4025 export VMLINUX_INIT VMLINUX_MAIN
4026 VMLINUX_INIT := $(head-y) $(init-y)
4027-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4028+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4029 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4030 VMLINUX_MAIN += $(drivers-y) $(net-y)
4031
ae4e228f
MT
4032diff -urNp linux-2.6.33.1/arch/sparc/mm/fault_32.c linux-2.6.33.1/arch/sparc/mm/fault_32.c
4033--- linux-2.6.33.1/arch/sparc/mm/fault_32.c 2010-03-15 12:09:39.000000000 -0400
4034+++ linux-2.6.33.1/arch/sparc/mm/fault_32.c 2010-03-20 16:58:38.956579787 -0400
4035@@ -22,6 +22,9 @@
58c5fc13
MT
4036 #include <linux/interrupt.h>
4037 #include <linux/module.h>
4038 #include <linux/kdebug.h>
4039+#include <linux/slab.h>
4040+#include <linux/pagemap.h>
4041+#include <linux/compiler.h>
4042
4043 #include <asm/system.h>
4044 #include <asm/page.h>
ae4e228f 4045@@ -168,6 +171,267 @@ static unsigned long compute_si_addr(str
58c5fc13
MT
4046 return safe_compute_effective_address(regs, insn);
4047 }
4048
4049+#ifdef CONFIG_PAX_PAGEEXEC
4050+#ifdef CONFIG_PAX_DLRESOLVE
ae4e228f 4051+static void pax_emuplt_close(struct vm_area_struct *vma)
4052+{
4053+ vma->vm_mm->call_dl_resolve = 0UL;
4054+}
4055+
4056+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4057+{
4058+ unsigned int *kaddr;
4059+
4060+ vmf->page = alloc_page(GFP_HIGHUSER);
4061+ if (!vmf->page)
4062+ return VM_FAULT_OOM;
4063+
4064+ kaddr = kmap(vmf->page);
4065+ memset(kaddr, 0, PAGE_SIZE);
4066+ kaddr[0] = 0x9DE3BFA8U; /* save */
4067+ flush_dcache_page(vmf->page);
4068+ kunmap(vmf->page);
4069+ return VM_FAULT_MAJOR;
4070+}
4071+
4072+static const struct vm_operations_struct pax_vm_ops = {
4073+ .close = pax_emuplt_close,
4074+ .fault = pax_emuplt_fault
4075+};
4076+
4077+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4078+{
4079+ int ret;
4080+
4081+ vma->vm_mm = current->mm;
4082+ vma->vm_start = addr;
4083+ vma->vm_end = addr + PAGE_SIZE;
4084+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4085+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4086+ vma->vm_ops = &pax_vm_ops;
4087+
4088+ ret = insert_vm_struct(current->mm, vma);
4089+ if (ret)
4090+ return ret;
4091+
4092+ ++current->mm->total_vm;
4093+ return 0;
4094+}
4095+#endif
4096+
4097+/*
4098+ * PaX: decide what to do with offenders (regs->pc = fault address)
4099+ *
4100+ * returns 1 when task should be killed
4101+ * 2 when patched PLT trampoline was detected
4102+ * 3 when unpatched PLT trampoline was detected
4103+ */
4104+static int pax_handle_fetch_fault(struct pt_regs *regs)
4105+{
4106+
4107+#ifdef CONFIG_PAX_EMUPLT
4108+ int err;
4109+
4110+ do { /* PaX: patched PLT emulation #1 */
4111+ unsigned int sethi1, sethi2, jmpl;
4112+
4113+ err = get_user(sethi1, (unsigned int *)regs->pc);
4114+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4115+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4116+
4117+ if (err)
4118+ break;
4119+
4120+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4121+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4122+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4123+ {
4124+ unsigned int addr;
4125+
4126+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4127+ addr = regs->u_regs[UREG_G1];
4128+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4129+ regs->pc = addr;
4130+ regs->npc = addr+4;
4131+ return 2;
4132+ }
4133+ } while (0);
4134+
4135+ { /* PaX: patched PLT emulation #2 */
4136+ unsigned int ba;
4137+
4138+ err = get_user(ba, (unsigned int *)regs->pc);
4139+
4140+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4141+ unsigned int addr;
4142+
4143+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4144+ regs->pc = addr;
4145+ regs->npc = addr+4;
4146+ return 2;
4147+ }
4148+ }
4149+
4150+ do { /* PaX: patched PLT emulation #3 */
4151+ unsigned int sethi, jmpl, nop;
4152+
4153+ err = get_user(sethi, (unsigned int *)regs->pc);
4154+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4155+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4156+
4157+ if (err)
4158+ break;
4159+
4160+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4161+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4162+ nop == 0x01000000U)
4163+ {
4164+ unsigned int addr;
4165+
4166+ addr = (sethi & 0x003FFFFFU) << 10;
4167+ regs->u_regs[UREG_G1] = addr;
4168+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4169+ regs->pc = addr;
4170+ regs->npc = addr+4;
4171+ return 2;
4172+ }
4173+ } while (0);
4174+
4175+ do { /* PaX: unpatched PLT emulation step 1 */
4176+ unsigned int sethi, ba, nop;
4177+
4178+ err = get_user(sethi, (unsigned int *)regs->pc);
4179+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
4180+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4181+
4182+ if (err)
4183+ break;
4184+
4185+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4186+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4187+ nop == 0x01000000U)
4188+ {
4189+ unsigned int addr, save, call;
4190+
4191+ if ((ba & 0xFFC00000U) == 0x30800000U)
4192+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4193+ else
4194+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4195+
4196+ err = get_user(save, (unsigned int *)addr);
4197+ err |= get_user(call, (unsigned int *)(addr+4));
4198+ err |= get_user(nop, (unsigned int *)(addr+8));
4199+ if (err)
4200+ break;
4201+
4202+#ifdef CONFIG_PAX_DLRESOLVE
4203+ if (save == 0x9DE3BFA8U &&
4204+ (call & 0xC0000000U) == 0x40000000U &&
4205+ nop == 0x01000000U)
4206+ {
4207+ struct vm_area_struct *vma;
4208+ unsigned long call_dl_resolve;
4209+
4210+ down_read(&current->mm->mmap_sem);
4211+ call_dl_resolve = current->mm->call_dl_resolve;
4212+ up_read(&current->mm->mmap_sem);
4213+ if (likely(call_dl_resolve))
4214+ goto emulate;
4215+
4216+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4217+
4218+ down_write(&current->mm->mmap_sem);
4219+ if (current->mm->call_dl_resolve) {
4220+ call_dl_resolve = current->mm->call_dl_resolve;
4221+ up_write(&current->mm->mmap_sem);
4222+ if (vma)
4223+ kmem_cache_free(vm_area_cachep, vma);
4224+ goto emulate;
4225+ }
4226+
4227+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4228+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4229+ up_write(&current->mm->mmap_sem);
4230+ if (vma)
4231+ kmem_cache_free(vm_area_cachep, vma);
4232+ return 1;
4233+ }
4234+
4235+ if (pax_insert_vma(vma, call_dl_resolve)) {
4236+ up_write(&current->mm->mmap_sem);
4237+ kmem_cache_free(vm_area_cachep, vma);
4238+ return 1;
4239+ }
4240+
4241+ current->mm->call_dl_resolve = call_dl_resolve;
4242+ up_write(&current->mm->mmap_sem);
4243+
4244+emulate:
4245+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4246+ regs->pc = call_dl_resolve;
4247+ regs->npc = addr+4;
4248+ return 3;
4249+ }
4250+#endif
4251+
4252+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4253+ if ((save & 0xFFC00000U) == 0x05000000U &&
4254+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4255+ nop == 0x01000000U)
4256+ {
4257+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4258+ regs->u_regs[UREG_G2] = addr + 4;
4259+ addr = (save & 0x003FFFFFU) << 10;
4260+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4261+ regs->pc = addr;
4262+ regs->npc = addr+4;
4263+ return 3;
4264+ }
4265+ }
4266+ } while (0);
4267+
4268+ do { /* PaX: unpatched PLT emulation step 2 */
4269+ unsigned int save, call, nop;
4270+
4271+ err = get_user(save, (unsigned int *)(regs->pc-4));
4272+ err |= get_user(call, (unsigned int *)regs->pc);
4273+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
4274+ if (err)
4275+ break;
4276+
4277+ if (save == 0x9DE3BFA8U &&
4278+ (call & 0xC0000000U) == 0x40000000U &&
4279+ nop == 0x01000000U)
4280+ {
4281+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4282+
4283+ regs->u_regs[UREG_RETPC] = regs->pc;
4284+ regs->pc = dl_resolve;
4285+ regs->npc = dl_resolve+4;
4286+ return 3;
4287+ }
4288+ } while (0);
4289+#endif
4290+
4291+ return 1;
4292+}
4293+
4294+void pax_report_insns(void *pc, void *sp)
4295+{
4296+ unsigned long i;
4297+
4298+ printk(KERN_ERR "PAX: bytes at PC: ");
ae4e228f 4299+ for (i = 0; i < 8; i++) {
4300+ unsigned int c;
4301+ if (get_user(c, (unsigned int *)pc+i))
4302+ printk(KERN_CONT "???????? ");
4303+ else
4304+ printk(KERN_CONT "%08x ", c);
4305+ }
4306+ printk("\n");
4307+}
4308+#endif
4309+
4310 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
4311 unsigned long address)
4312 {
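Review bot: pax_handle_fetch_fault() decides from the instruction words at regs->pc alone, with no check of which mapping that address belongs to, so the emulation applies to any non-executable page whose contents match one of these sequences rather than only to a real PLT. The header comment lists the return codes but not this trade-off; I would add `/* NOTE: stubs are matched by content only, so EMUPLT relaxes PAGEEXEC for any page holding such a sequence */`. Separately, the `save` opcode 0x9DE3BFA8U is written in pax_emuplt_fault() and compared again in two match blocks; a named constant would keep the three in sync. The "unpatched PLT emulation step 2" block here is compiled under CONFIG_PAX_EMUPLT alone, while the fault_64.c copy later in this patch wraps it in CONFIG_PAX_DLRESOLVE; one of the two is presumably unintended.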
ae4e228f 4313@@ -234,6 +498,24 @@ good_area:
4314 if(!(vma->vm_flags & VM_WRITE))
4315 goto bad_area;
4316 } else {
4317+
4318+#ifdef CONFIG_PAX_PAGEEXEC
4319+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4320+ up_read(&mm->mmap_sem);
4321+ switch (pax_handle_fetch_fault(regs)) {
4322+
4323+#ifdef CONFIG_PAX_EMUPLT
4324+ case 2:
4325+ case 3:
4326+ return;
4327+#endif
4328+
4329+ }
4330+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4331+ do_group_exit(SIGKILL);
4332+ }
4333+#endif
4334+
4335 /* Allow reads even for write-only mappings */
4336 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4337 goto bad_area;
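Review bot: The kill path is reached by falling out of a `switch` that has no `default` and, without CONFIG_PAX_EMUPLT, no cases at all, so the return value 1 is handled only implicitly. An explicit `default: break;` with a short comment (`/* 1: not a PLT stub, kill the task */`) would make the intent visible. The matching hunk in fault_64.c has the same shape. do_sparc_fault() starts and ends outside this hunk.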
4338diff -urNp linux-2.6.33.1/arch/sparc/mm/fault_64.c linux-2.6.33.1/arch/sparc/mm/fault_64.c
4339--- linux-2.6.33.1/arch/sparc/mm/fault_64.c 2010-03-15 12:09:39.000000000 -0400
4340+++ linux-2.6.33.1/arch/sparc/mm/fault_64.c 2010-03-20 16:58:38.956579787 -0400
4341@@ -21,6 +21,9 @@
4342 #include <linux/kprobes.h>
4343 #include <linux/kdebug.h>
4344 #include <linux/percpu.h>
4345+#include <linux/slab.h>
4346+#include <linux/pagemap.h>
4347+#include <linux/compiler.h>
4348
4349 #include <asm/page.h>
4350 #include <asm/pgtable.h>
ae4e228f 4351@@ -244,6 +247,456 @@ static void noinline __kprobes bogus_32b
4352 show_regs(regs);
4353 }
4354
4355+#ifdef CONFIG_PAX_PAGEEXEC
4356+#ifdef CONFIG_PAX_DLRESOLVE
4357+static void pax_emuplt_close(struct vm_area_struct *vma)
4358+{
4359+ vma->vm_mm->call_dl_resolve = 0UL;
4360+}
4361+
4362+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4363+{
4364+ unsigned int *kaddr;
4365+
4366+ vmf->page = alloc_page(GFP_HIGHUSER);
4367+ if (!vmf->page)
4368+ return VM_FAULT_OOM;
4369+
4370+ kaddr = kmap(vmf->page);
4371+ memset(kaddr, 0, PAGE_SIZE);
4372+ kaddr[0] = 0x9DE3BFA8U; /* save */
4373+ flush_dcache_page(vmf->page);
4374+ kunmap(vmf->page);
4375+ return VM_FAULT_MAJOR;
4376+}
4377+
4378+static const struct vm_operations_struct pax_vm_ops = {
4379+ .close = pax_emuplt_close,
4380+ .fault = pax_emuplt_fault
4381+};
4382+
4383+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4384+{
4385+ int ret;
4386+
4387+ vma->vm_mm = current->mm;
4388+ vma->vm_start = addr;
4389+ vma->vm_end = addr + PAGE_SIZE;
4390+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4391+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4392+ vma->vm_ops = &pax_vm_ops;
4393+
4394+ ret = insert_vm_struct(current->mm, vma);
4395+ if (ret)
4396+ return ret;
4397+
4398+ ++current->mm->total_vm;
4399+ return 0;
4400+}
4401+#endif
4402+
4403+/*
4404+ * PaX: decide what to do with offenders (regs->tpc = fault address)
4405+ *
4406+ * returns 1 when task should be killed
4407+ * 2 when patched PLT trampoline was detected
4408+ * 3 when unpatched PLT trampoline was detected
4409+ */
4410+static int pax_handle_fetch_fault(struct pt_regs *regs)
4411+{
4412+
4413+#ifdef CONFIG_PAX_EMUPLT
4414+ int err;
4415+
4416+ do { /* PaX: patched PLT emulation #1 */
4417+ unsigned int sethi1, sethi2, jmpl;
4418+
4419+ err = get_user(sethi1, (unsigned int *)regs->tpc);
4420+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4421+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4422+
4423+ if (err)
4424+ break;
4425+
4426+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4427+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4428+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4429+ {
4430+ unsigned long addr;
4431+
4432+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4433+ addr = regs->u_regs[UREG_G1];
4434+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4435+
4436+ if (test_thread_flag(TIF_32BIT))
4437+ addr &= 0xFFFFFFFFUL;
4438+
4439+ regs->tpc = addr;
4440+ regs->tnpc = addr+4;
4441+ return 2;
4442+ }
4443+ } while (0);
4444+
4445+ { /* PaX: patched PLT emulation #2 */
4446+ unsigned int ba;
4447+
4448+ err = get_user(ba, (unsigned int *)regs->tpc);
4449+
4450+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4451+ unsigned long addr;
4452+
4453+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4454+
4455+ if (test_thread_flag(TIF_32BIT))
4456+ addr &= 0xFFFFFFFFUL;
4457+
4458+ regs->tpc = addr;
4459+ regs->tnpc = addr+4;
4460+ return 2;
4461+ }
4462+ }
4463+
4464+ do { /* PaX: patched PLT emulation #3 */
4465+ unsigned int sethi, jmpl, nop;
4466+
4467+ err = get_user(sethi, (unsigned int *)regs->tpc);
4468+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4469+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4470+
4471+ if (err)
4472+ break;
4473+
4474+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4475+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4476+ nop == 0x01000000U)
4477+ {
4478+ unsigned long addr;
4479+
4480+ addr = (sethi & 0x003FFFFFU) << 10;
4481+ regs->u_regs[UREG_G1] = addr;
4482+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4483+
4484+ if (test_thread_flag(TIF_32BIT))
4485+ addr &= 0xFFFFFFFFUL;
4486+
4487+ regs->tpc = addr;
4488+ regs->tnpc = addr+4;
4489+ return 2;
4490+ }
4491+ } while (0);
4492+
4493+ do { /* PaX: patched PLT emulation #4 */
ae4e228f 4494+ unsigned int sethi, mov1, call, mov2;
58c5fc13 4495+
4496+ err = get_user(sethi, (unsigned int *)regs->tpc);
4497+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4498+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
4499+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4500+
4501+ if (err)
4502+ break;
4503+
4504+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4505+ mov1 == 0x8210000FU &&
4506+ (call & 0xC0000000U) == 0x40000000U &&
4507+ mov2 == 0x9E100001U)
4508+ {
4509+ unsigned long addr;
4510+
4511+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4512+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4513+
4514+ if (test_thread_flag(TIF_32BIT))
4515+ addr &= 0xFFFFFFFFUL;
4516+
4517+ regs->tpc = addr;
4518+ regs->tnpc = addr+4;
4519+ return 2;
4520+ }
4521+ } while (0);
4522+
4523+ do { /* PaX: patched PLT emulation #5 */
ae4e228f 4524+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
58c5fc13 4525+
4526+ err = get_user(sethi, (unsigned int *)regs->tpc);
4527+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4528+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4529+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4530+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4531+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4532+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4533+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4534+
4535+ if (err)
4536+ break;
4537+
4538+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4539+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
4540+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4541+ (or1 & 0xFFFFE000U) == 0x82106000U &&
4542+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
ae4e228f 4543+ sllx == 0x83287020U &&
4544+ jmpl == 0x81C04005U &&
4545+ nop == 0x01000000U)
4546+ {
4547+ unsigned long addr;
4548+
4549+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4550+ regs->u_regs[UREG_G1] <<= 32;
4551+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4552+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4553+ regs->tpc = addr;
4554+ regs->tnpc = addr+4;
4555+ return 2;
4556+ }
4557+ } while (0);
4558+
4559+ do { /* PaX: patched PLT emulation #6 */
ae4e228f 4560+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
58c5fc13 4561+
4562+ err = get_user(sethi, (unsigned int *)regs->tpc);
4563+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4564+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4565+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4566+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
4567+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4568+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4569+
4570+ if (err)
4571+ break;
4572+
4573+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4574+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
58c5fc13 4575+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
ae4e228f 4576+ sllx == 0x83287020U &&
4577+ (or & 0xFFFFE000U) == 0x8A116000U &&
4578+ jmpl == 0x81C04005U &&
4579+ nop == 0x01000000U)
4580+ {
4581+ unsigned long addr;
4582+
4583+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4584+ regs->u_regs[UREG_G1] <<= 32;
4585+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4586+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4587+ regs->tpc = addr;
4588+ regs->tnpc = addr+4;
4589+ return 2;
4590+ }
4591+ } while (0);
4592+
4593+ do { /* PaX: unpatched PLT emulation step 1 */
4594+ unsigned int sethi, ba, nop;
4595+
4596+ err = get_user(sethi, (unsigned int *)regs->tpc);
4597+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4598+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4599+
4600+ if (err)
4601+ break;
4602+
4603+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4604+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4605+ nop == 0x01000000U)
4606+ {
4607+ unsigned long addr;
4608+ unsigned int save, call;
ae4e228f 4609+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
4610+
4611+ if ((ba & 0xFFC00000U) == 0x30800000U)
4612+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4613+ else
4614+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4615+
4616+ if (test_thread_flag(TIF_32BIT))
4617+ addr &= 0xFFFFFFFFUL;
4618+
4619+ err = get_user(save, (unsigned int *)addr);
4620+ err |= get_user(call, (unsigned int *)(addr+4));
4621+ err |= get_user(nop, (unsigned int *)(addr+8));
4622+ if (err)
4623+ break;
4624+
4625+#ifdef CONFIG_PAX_DLRESOLVE
4626+ if (save == 0x9DE3BFA8U &&
4627+ (call & 0xC0000000U) == 0x40000000U &&
4628+ nop == 0x01000000U)
4629+ {
4630+ struct vm_area_struct *vma;
4631+ unsigned long call_dl_resolve;
4632+
4633+ down_read(&current->mm->mmap_sem);
4634+ call_dl_resolve = current->mm->call_dl_resolve;
4635+ up_read(&current->mm->mmap_sem);
4636+ if (likely(call_dl_resolve))
4637+ goto emulate;
4638+
4639+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4640+
4641+ down_write(&current->mm->mmap_sem);
4642+ if (current->mm->call_dl_resolve) {
4643+ call_dl_resolve = current->mm->call_dl_resolve;
4644+ up_write(&current->mm->mmap_sem);
4645+ if (vma)
4646+ kmem_cache_free(vm_area_cachep, vma);
4647+ goto emulate;
4648+ }
4649+
4650+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4651+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4652+ up_write(&current->mm->mmap_sem);
4653+ if (vma)
4654+ kmem_cache_free(vm_area_cachep, vma);
4655+ return 1;
4656+ }
4657+
4658+ if (pax_insert_vma(vma, call_dl_resolve)) {
4659+ up_write(&current->mm->mmap_sem);
4660+ kmem_cache_free(vm_area_cachep, vma);
4661+ return 1;
4662+ }
4663+
4664+ current->mm->call_dl_resolve = call_dl_resolve;
4665+ up_write(&current->mm->mmap_sem);
4666+
4667+emulate:
4668+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4669+ regs->tpc = call_dl_resolve;
4670+ regs->tnpc = addr+4;
4671+ return 3;
4672+ }
4673+#endif
4674+
4675+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4676+ if ((save & 0xFFC00000U) == 0x05000000U &&
4677+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4678+ nop == 0x01000000U)
4679+ {
4680+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4681+ regs->u_regs[UREG_G2] = addr + 4;
4682+ addr = (save & 0x003FFFFFU) << 10;
4683+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4684+
4685+ if (test_thread_flag(TIF_32BIT))
4686+ addr &= 0xFFFFFFFFUL;
4687+
4688+ regs->tpc = addr;
4689+ regs->tnpc = addr+4;
4690+ return 3;
4691+ }
4692+
4693+ /* PaX: 64-bit PLT stub */
4694+ err = get_user(sethi1, (unsigned int *)addr);
4695+ err |= get_user(sethi2, (unsigned int *)(addr+4));
4696+ err |= get_user(or1, (unsigned int *)(addr+8));
4697+ err |= get_user(or2, (unsigned int *)(addr+12));
4698+ err |= get_user(sllx, (unsigned int *)(addr+16));
4699+ err |= get_user(add, (unsigned int *)(addr+20));
4700+ err |= get_user(jmpl, (unsigned int *)(addr+24));
4701+ err |= get_user(nop, (unsigned int *)(addr+28));
4702+ if (err)
4703+ break;
4704+
4705+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
4706+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4707+ (or1 & 0xFFFFE000U) == 0x88112000U &&
4708+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
4709+ sllx == 0x89293020U &&
4710+ add == 0x8A010005U &&
4711+ jmpl == 0x89C14000U &&
4712+ nop == 0x01000000U)
4713+ {
4714+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4715+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4716+ regs->u_regs[UREG_G4] <<= 32;
4717+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4718+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
4719+ regs->u_regs[UREG_G4] = addr + 24;
4720+ addr = regs->u_regs[UREG_G5];
4721+ regs->tpc = addr;
4722+ regs->tnpc = addr+4;
4723+ return 3;
4724+ }
4725+ }
4726+ } while (0);
4727+
4728+#ifdef CONFIG_PAX_DLRESOLVE
4729+ do { /* PaX: unpatched PLT emulation step 2 */
4730+ unsigned int save, call, nop;
4731+
4732+ err = get_user(save, (unsigned int *)(regs->tpc-4));
4733+ err |= get_user(call, (unsigned int *)regs->tpc);
4734+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4735+ if (err)
4736+ break;
4737+
4738+ if (save == 0x9DE3BFA8U &&
4739+ (call & 0xC0000000U) == 0x40000000U &&
4740+ nop == 0x01000000U)
4741+ {
4742+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4743+
4744+ if (test_thread_flag(TIF_32BIT))
4745+ dl_resolve &= 0xFFFFFFFFUL;
4746+
4747+ regs->u_regs[UREG_RETPC] = regs->tpc;
4748+ regs->tpc = dl_resolve;
4749+ regs->tnpc = dl_resolve+4;
4750+ return 3;
4751+ }
4752+ } while (0);
4753+#endif
4754+
4755+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
4756+ unsigned int sethi, ba, nop;
4757+
4758+ err = get_user(sethi, (unsigned int *)regs->tpc);
4759+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4760+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4761+
4762+ if (err)
4763+ break;
4764+
4765+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4766+ (ba & 0xFFF00000U) == 0x30600000U &&
4767+ nop == 0x01000000U)
4768+ {
4769+ unsigned long addr;
4770+
4771+ addr = (sethi & 0x003FFFFFU) << 10;
4772+ regs->u_regs[UREG_G1] = addr;
4773+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4774+
4775+ if (test_thread_flag(TIF_32BIT))
4776+ addr &= 0xFFFFFFFFUL;
4777+
4778+ regs->tpc = addr;
4779+ regs->tnpc = addr+4;
4780+ return 2;
4781+ }
4782+ } while (0);
4783+
4784+#endif
4785+
4786+ return 1;
4787+}
4788+
4789+void pax_report_insns(void *pc, void *sp)
4790+{
4791+ unsigned long i;
4792+
4793+ printk(KERN_ERR "PAX: bytes at PC: ");
ae4e228f 4794+ for (i = 0; i < 8; i++) {
4795+ unsigned int c;
4796+ if (get_user(c, (unsigned int *)pc+i))
4797+ printk(KERN_CONT "???????? ");
4798+ else
4799+ printk(KERN_CONT "%08x ", c);
4800+ }
4801+ printk("\n");
4802+}
4803+#endif
4804+
4805 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4806 {
4807 struct mm_struct *mm = current->mm;
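Review bot: pax_emuplt_close(), pax_emuplt_fault(), pax_vm_ops and pax_insert_vma() in this hunk are line-for-line copies of the ones added to fault_32.c, so a fix to one can silently miss the other; they would sit better in one shared file built for both. In pax_report_insns() the `sp` argument is never used, and the final `printk("\n")` carries no level, unlike the `KERN_CONT` calls before it; `printk(KERN_CONT "\n");` would match them. Both remarks apply to the fault_32.c copy as well.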
ae4e228f 4808@@ -312,6 +765,29 @@ asmlinkage void __kprobes do_sparc64_fau
4809 if (!vma)
4810 goto bad_area;
4811
4812+#ifdef CONFIG_PAX_PAGEEXEC
4813+ /* PaX: detect ITLB misses on non-exec pages */
4814+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4815+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4816+ {
4817+ if (address != regs->tpc)
4818+ goto good_area;
4819+
4820+ up_read(&mm->mmap_sem);
4821+ switch (pax_handle_fetch_fault(regs)) {
4822+
4823+#ifdef CONFIG_PAX_EMUPLT
4824+ case 2:
4825+ case 3:
4826+ return;
4827+#endif
4828+
4829+ }
4830+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4831+ do_group_exit(SIGKILL);
4832+ }
4833+#endif
4834+
4835 /* Pure DTLB misses do not tell us whether the fault causing
4836 * load/store/atomic was a write or not, it only says that there
4837 * was no match. So in such a case we (carefully) read the
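Review bot: `if (address != regs->tpc) goto good_area;` is the one branch of the new check that carries no explanation. The comment above the test covers the ITLB-miss detection but not this exception. A one-line comment stating why a fetch fault at an address other than tpc is sent down the normal path would help, since good_area lies outside the hunk and the reader cannot see which permission checks follow.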
4838diff -urNp linux-2.6.33.1/arch/sparc/mm/init_32.c linux-2.6.33.1/arch/sparc/mm/init_32.c
4839--- linux-2.6.33.1/arch/sparc/mm/init_32.c 2010-03-15 12:09:39.000000000 -0400
4840+++ linux-2.6.33.1/arch/sparc/mm/init_32.c 2010-03-20 16:58:38.956579787 -0400
4841@@ -317,6 +317,9 @@ extern void device_scan(void);
4842 pgprot_t PAGE_SHARED __read_mostly;
4843 EXPORT_SYMBOL(PAGE_SHARED);
4844
4845+pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4846+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4847+
4848 void __init paging_init(void)
4849 {
4850 switch(sparc_cpu_model) {
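Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, and the next hunk puts the `*_NOEXEC` values into protection_map unconditionally, but the srmmu.c hunk later in this patch assigns them only under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the sparc pgtable header (not visible here) supplies fallbacks, a build without PAGEEXEC would load protection_map[1..3] and [9..11] from values that were never set. Guarding this definition with the same `#ifdef`, or adding a comment that names where the fallback lives, would settle it.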
ae4e228f 4851@@ -345,17 +348,17 @@ void __init paging_init(void)
4852
4853 /* Initialize the protection map with non-constant, MMU dependent values. */
4854 protection_map[0] = PAGE_NONE;
4855- protection_map[1] = PAGE_READONLY;
4856- protection_map[2] = PAGE_COPY;
4857- protection_map[3] = PAGE_COPY;
4858+ protection_map[1] = PAGE_READONLY_NOEXEC;
4859+ protection_map[2] = PAGE_COPY_NOEXEC;
4860+ protection_map[3] = PAGE_COPY_NOEXEC;
4861 protection_map[4] = PAGE_READONLY;
4862 protection_map[5] = PAGE_READONLY;
4863 protection_map[6] = PAGE_COPY;
4864 protection_map[7] = PAGE_COPY;
4865 protection_map[8] = PAGE_NONE;
4866- protection_map[9] = PAGE_READONLY;
4867- protection_map[10] = PAGE_SHARED;
4868- protection_map[11] = PAGE_SHARED;
4869+ protection_map[9] = PAGE_READONLY_NOEXEC;
4870+ protection_map[10] = PAGE_SHARED_NOEXEC;
4871+ protection_map[11] = PAGE_SHARED_NOEXEC;
4872 protection_map[12] = PAGE_READONLY;
4873 protection_map[13] = PAGE_READONLY;
4874 protection_map[14] = PAGE_SHARED;
4875diff -urNp linux-2.6.33.1/arch/sparc/mm/Makefile linux-2.6.33.1/arch/sparc/mm/Makefile
4876--- linux-2.6.33.1/arch/sparc/mm/Makefile 2010-03-15 12:09:39.000000000 -0400
4877+++ linux-2.6.33.1/arch/sparc/mm/Makefile 2010-03-20 16:58:38.968781407 -0400
4878@@ -2,7 +2,7 @@
4879 #
4880
4881 asflags-y := -ansi
4882-ccflags-y := -Werror
4883+#ccflags-y := -Werror
4884
4885 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
4886 obj-y += fault_$(BITS).o
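Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for the whole of arch/sparc/mm, presumably because the code added to fault_32.c and fault_64.c does not build cleanly with it. That also hides any later warning in this directory. Fixing the warnings, or at least a comment on the disabled line saying which ones are expected, would be safer than leaving the flag silently off.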
4887diff -urNp linux-2.6.33.1/arch/sparc/mm/srmmu.c linux-2.6.33.1/arch/sparc/mm/srmmu.c
4888--- linux-2.6.33.1/arch/sparc/mm/srmmu.c 2010-03-15 12:09:39.000000000 -0400
4889+++ linux-2.6.33.1/arch/sparc/mm/srmmu.c 2010-03-20 16:58:38.968781407 -0400
4890@@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
4891 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
4892 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
4893 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
4894+
4895+#ifdef CONFIG_PAX_PAGEEXEC
4896+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
4897+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
4898+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
4899+#endif
4900+
4901 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
4902 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
4903
4904diff -urNp linux-2.6.33.1/arch/um/include/asm/kmap_types.h linux-2.6.33.1/arch/um/include/asm/kmap_types.h
4905--- linux-2.6.33.1/arch/um/include/asm/kmap_types.h 2010-03-15 12:09:39.000000000 -0400
4906+++ linux-2.6.33.1/arch/um/include/asm/kmap_types.h 2010-03-20 16:58:38.968781407 -0400
4907@@ -23,6 +23,7 @@ enum km_type {
4908 KM_IRQ1,
4909 KM_SOFTIRQ0,
4910 KM_SOFTIRQ1,
4911+ KM_CLEARPAGE,
4912 KM_TYPE_NR
4913 };
4914
4915diff -urNp linux-2.6.33.1/arch/um/include/asm/page.h linux-2.6.33.1/arch/um/include/asm/page.h
4916--- linux-2.6.33.1/arch/um/include/asm/page.h 2010-03-15 12:09:39.000000000 -0400
4917+++ linux-2.6.33.1/arch/um/include/asm/page.h 2010-03-20 16:58:38.968781407 -0400
4918@@ -14,6 +14,9 @@
4919 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
4920 #define PAGE_MASK (~(PAGE_SIZE-1))
4921
4922+#define ktla_ktva(addr) (addr)
4923+#define ktva_ktla(addr) (addr)
4924+
4925 #ifndef __ASSEMBLY__
4926
4927 struct page;
4928diff -urNp linux-2.6.33.1/arch/um/sys-i386/syscalls.c linux-2.6.33.1/arch/um/sys-i386/syscalls.c
4929--- linux-2.6.33.1/arch/um/sys-i386/syscalls.c 2010-03-15 12:09:39.000000000 -0400
4930+++ linux-2.6.33.1/arch/um/sys-i386/syscalls.c 2010-03-20 16:58:38.968781407 -0400
4931@@ -11,6 +11,21 @@
4932 #include "asm/uaccess.h"
4933 #include "asm/unistd.h"
4934
4935+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
4936+{
4937+ unsigned long pax_task_size = TASK_SIZE;
4938+
4939+#ifdef CONFIG_PAX_SEGMEXEC
4940+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
4941+ pax_task_size = SEGMEXEC_TASK_SIZE;
4942+#endif
4943+
4944+ if (len > pax_task_size || addr > pax_task_size - len)
4945+ return -EINVAL;
4946+
4947+ return 0;
4948+}
4949+
4950 /*
4951 * Perform the select(nd, in, out, ex, tv) and mmap() system
4952 * calls. Linux/i386 didn't use to be able to handle more than
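Review bot: i386_mmap_check() has no comment, and the order of its two comparisons matters: `len > pax_task_size` has to be tested first so that `pax_task_size - len` cannot wrap. I would add `/* len is checked first so the subtraction below cannot underflow */` above the `if`. The `flags` parameter is unused. Under CONFIG_PAX_SEGMEXEC `current->mm` is dereferenced without a NULL check, which assumes the caller always runs in a user task.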
4953diff -urNp linux-2.6.33.1/arch/x86/boot/bitops.h linux-2.6.33.1/arch/x86/boot/bitops.h
4954--- linux-2.6.33.1/arch/x86/boot/bitops.h 2010-03-15 12:09:39.000000000 -0400
4955+++ linux-2.6.33.1/arch/x86/boot/bitops.h 2010-03-20 16:58:38.968781407 -0400
4956@@ -26,7 +26,7 @@ static inline int variable_test_bit(int
4957 u8 v;
4958 const u32 *p = (const u32 *)addr;
4959
4960- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4961+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
4962 return v;
4963 }
4964
4965@@ -37,7 +37,7 @@ static inline int variable_test_bit(int
4966
4967 static inline void set_bit(int nr, void *addr)
4968 {
4969- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4970+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
4971 }
4972
4973 #endif /* BOOT_BITOPS_H */
4974diff -urNp linux-2.6.33.1/arch/x86/boot/boot.h linux-2.6.33.1/arch/x86/boot/boot.h
4975--- linux-2.6.33.1/arch/x86/boot/boot.h 2010-03-15 12:09:39.000000000 -0400
4976+++ linux-2.6.33.1/arch/x86/boot/boot.h 2010-03-20 16:58:38.972657826 -0400
4977@@ -82,7 +82,7 @@ static inline void io_delay(void)
4978 static inline u16 ds(void)
4979 {
4980 u16 seg;
4981- asm("movw %%ds,%0" : "=rm" (seg));
4982+ asm volatile("movw %%ds,%0" : "=rm" (seg));
4983 return seg;
4984 }
4985
4986@@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
4987 static inline int memcmp(const void *s1, const void *s2, size_t len)
4988 {
4989 u8 diff;
4990- asm("repe; cmpsb; setnz %0"
4991+ asm volatile("repe; cmpsb; setnz %0"
4992 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
4993 return diff;
4994 }
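Review bot: `volatile` keeps this asm from being dropped or merged, but it does not tell the compiler that `repe; cmpsb` reads the buffers behind `s1` and `s2`, so earlier stores to them are still free to be moved past it. A "memory" clobber states that dependency: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. With `len` equal to 0 the `setnz` also reads flags left by earlier code, which this change does not address.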
4995diff -urNp linux-2.6.33.1/arch/x86/boot/compressed/head_32.S linux-2.6.33.1/arch/x86/boot/compressed/head_32.S
4996--- linux-2.6.33.1/arch/x86/boot/compressed/head_32.S 2010-03-15 12:09:39.000000000 -0400
4997+++ linux-2.6.33.1/arch/x86/boot/compressed/head_32.S 2010-03-20 16:58:38.972657826 -0400
4998@@ -76,7 +76,7 @@ ENTRY(startup_32)
4999 notl %eax
5000 andl %eax, %ebx
5001 #else
5002- movl $LOAD_PHYSICAL_ADDR, %ebx
5003+ movl $____LOAD_PHYSICAL_ADDR, %ebx
5004 #endif
5005
5006 /* Target address to relocate to for decompression */
ae4e228f 5007@@ -149,7 +149,7 @@ relocated:
5008 * and where it was actually loaded.
5009 */
5010 movl %ebp, %ebx
5011- subl $LOAD_PHYSICAL_ADDR, %ebx
5012+ subl $____LOAD_PHYSICAL_ADDR, %ebx
5013 jz 2f /* Nothing to be done if loaded at compiled addr. */
5014 /*
5015 * Process relocations.
ae4e228f 5016@@ -157,8 +157,7 @@ relocated:
5017
5018 1: subl $4, %edi
5019 movl (%edi), %ecx
5020- testl %ecx, %ecx
5021- jz 2f
5022+ jecxz 2f
5023 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5024 jmp 1b
5025 2:
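--- a/arch/x86/boot/compressed/head_64.S
+++ b/arch/x86/boot/compressed/head_64.S
@@ -91,7 +91,7 @@ ENTRY(startup_32)
 notl %eax
 andl %eax, %ebx
 #else
- movl $LOAD_PHYSICAL_ADDR, %ebx
+ movl $____LOAD_PHYSICAL_ADDR, %ebx
 #endif
 
 /* Target address to relocate to for decompression */
@@ -233,7 +233,7 @@ ENTRY(startup_64)
 notq %rax
 andq %rax, %rbp
 #else
- movq $LOAD_PHYSICAL_ADDR, %rbp
+ movq $____LOAD_PHYSICAL_ADDR, %rbp
 #endif
 
 /* Target address to relocate to for decompression */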
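--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -292,7 +292,7 @@ static void parse_elf(void *output)
 case PT_LOAD:
 #ifdef CONFIG_RELOCATABLE
 dest = output;
- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
 #else
 dest = (void *)(phdr->p_paddr);
 #endif
@@ -339,7 +339,7 @@ asmlinkage void decompress_kernel(void *
 error("Destination address too large");
 #endif
 #ifndef CONFIG_RELOCATABLE
- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
 error("Wrong destination address");
 #endif
 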
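--- a/arch/x86/boot/compressed/mkpiggy.c
+++ b/arch/x86/boot/compressed/mkpiggy.c
@@ -74,7 +74,7 @@ int main(int argc, char *argv[])
 
 offs = (olen > ilen) ? olen - ilen : 0;
 offs += olen >> 12; /* Add 8 bytes for each 32K block */
- offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
+ offs += 64*1024; /* Add 64K bytes slack */
 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
 
 printf(".section \".rodata.compressed\",\"a\",@progbits\n");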
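Review bot: The new slack of `64*1024` on the `offs +=` line comes with no derivation, while the removed `32*1024 + 18` at least lined up with the per-32K-block comment one line above it. As far as this hunk shows, `offs` is the safety margin between the compressed input and the decompression output, so a later reader needs to know why the larger value is required before touching it. A named constant, or a comment of the form `/* 64K slack: <reason the larger margin is needed> */`, would record that. `main` begins and ends outside the hunk.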
ae4e228f
MT
5080diff -urNp linux-2.6.33.1/arch/x86/boot/compressed/relocs.c linux-2.6.33.1/arch/x86/boot/compressed/relocs.c
5081--- linux-2.6.33.1/arch/x86/boot/compressed/relocs.c 2010-03-15 12:09:39.000000000 -0400
5082+++ linux-2.6.33.1/arch/x86/boot/compressed/relocs.c 2010-03-20 16:58:38.972657826 -0400
5083@@ -13,8 +13,11 @@
58c5fc13 5084
ae4e228f
MT
5085 static void die(char *fmt, ...);
5086
5087+#include "../../../../include/generated/autoconf.h"
58c5fc13
MT
5088+
5089 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5090 static Elf32_Ehdr ehdr;
5091+static Elf32_Phdr *phdr;
5092 static unsigned long reloc_count, reloc_idx;
5093 static unsigned long *relocs;
5094
ae4e228f 5095@@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
58c5fc13
MT
5096 }
5097 }
5098
5099+static void read_phdrs(FILE *fp)
5100+{
5101+ unsigned int i;
5102+
5103+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5104+ if (!phdr) {
5105+ die("Unable to allocate %d program headers\n",
5106+ ehdr.e_phnum);
5107+ }
5108+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5109+ die("Seek to %d failed: %s\n",
5110+ ehdr.e_phoff, strerror(errno));
5111+ }
5112+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5113+ die("Cannot read ELF program headers: %s\n",
5114+ strerror(errno));
5115+ }
5116+ for(i = 0; i < ehdr.e_phnum; i++) {
5117+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5118+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5119+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5120+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5121+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5122+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5123+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5124+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5125+ }
5126+
5127+}
5128+
5129 static void read_shdrs(FILE *fp)
5130 {
5131- int i;
5132+ unsigned int i;
5133 Elf32_Shdr shdr;
5134
5135 secs = calloc(ehdr.e_shnum, sizeof(struct section));
ae4e228f 5136@@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
58c5fc13
MT
5137
5138 static void read_strtabs(FILE *fp)
5139 {
5140- int i;
5141+ unsigned int i;
5142 for (i = 0; i < ehdr.e_shnum; i++) {
5143 struct section *sec = &secs[i];
5144 if (sec->shdr.sh_type != SHT_STRTAB) {
ae4e228f 5145@@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
58c5fc13
MT
5146
5147 static void read_symtabs(FILE *fp)
5148 {
5149- int i,j;
5150+ unsigned int i,j;
5151 for (i = 0; i < ehdr.e_shnum; i++) {
5152 struct section *sec = &secs[i];
5153 if (sec->shdr.sh_type != SHT_SYMTAB) {
ae4e228f 5154@@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
58c5fc13
MT
5155
5156 static void read_relocs(FILE *fp)
5157 {
5158- int i,j;
5159+ unsigned int i,j;
5160+ uint32_t base;
5161+
5162 for (i = 0; i < ehdr.e_shnum; i++) {
5163 struct section *sec = &secs[i];
5164 if (sec->shdr.sh_type != SHT_REL) {
ae4e228f 5165@@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
58c5fc13
MT
5166 die("Cannot read symbol table: %s\n",
5167 strerror(errno));
5168 }
5169+ base = 0;
5170+ for (j = 0; j < ehdr.e_phnum; j++) {
5171+ if (phdr[j].p_type != PT_LOAD )
5172+ continue;
5173+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5174+ continue;
5175+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5176+ break;
5177+ }
5178 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5179 Elf32_Rel *rel = &sec->reltab[j];
5180- rel->r_offset = elf32_to_cpu(rel->r_offset);
5181+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5182 rel->r_info = elf32_to_cpu(rel->r_info);
5183 }
5184 }
ae4e228f 5185@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
58c5fc13
MT
5186
5187 static void print_absolute_symbols(void)
5188 {
5189- int i;
5190+ unsigned int i;
5191 printf("Absolute symbols\n");
5192 printf(" Num: Value Size Type Bind Visibility Name\n");
5193 for (i = 0; i < ehdr.e_shnum; i++) {
5194 struct section *sec = &secs[i];
5195 char *sym_strtab;
5196 Elf32_Sym *sh_symtab;
5197- int j;
5198+ unsigned int j;
5199
5200 if (sec->shdr.sh_type != SHT_SYMTAB) {
5201 continue;
ae4e228f 5202@@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
58c5fc13
MT
5203
5204 static void print_absolute_relocs(void)
5205 {
5206- int i, printed = 0;
5207+ unsigned int i, printed = 0;
5208
5209 for (i = 0; i < ehdr.e_shnum; i++) {
5210 struct section *sec = &secs[i];
5211 struct section *sec_applies, *sec_symtab;
5212 char *sym_strtab;
5213 Elf32_Sym *sh_symtab;
5214- int j;
5215+ unsigned int j;
5216 if (sec->shdr.sh_type != SHT_REL) {
5217 continue;
5218 }
ae4e228f 5219@@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
58c5fc13
MT
5220
5221 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5222 {
5223- int i;
5224+ unsigned int i;
5225 /* Walk through the relocations */
5226 for (i = 0; i < ehdr.e_shnum; i++) {
5227 char *sym_strtab;
5228 Elf32_Sym *sh_symtab;
5229 struct section *sec_applies, *sec_symtab;
5230- int j;
5231+ unsigned int j;
5232 struct section *sec = &secs[i];
5233
5234 if (sec->shdr.sh_type != SHT_REL) {
ae4e228f
MT
5235@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5236 !is_rel_reloc(sym_name(sym_strtab, sym))) {
58c5fc13
MT
5237 continue;
5238 }
5239+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5240+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5241+ continue;
5242+
5243+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5244+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
ae4e228f
MT
5245+ if (!strcmp(sec_name(sym->st_shndx), ".data") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5246+ continue;
58c5fc13
MT
5247+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5248+ continue;
5249+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5250+ continue;
5251+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5252+ continue;
5253+#endif
ae4e228f
MT
5254+
5255 switch (r_type) {
5256 case R_386_NONE:
5257 case R_386_PC32:
5258@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
58c5fc13
MT
5259
5260 static void emit_relocs(int as_text)
5261 {
5262- int i;
5263+ unsigned int i;
5264 /* Count how many relocations I have and allocate space for them. */
5265 reloc_count = 0;
5266 walk_relocs(count_reloc);
ae4e228f 5267@@ -665,6 +725,7 @@ int main(int argc, char **argv)
58c5fc13
MT
5268 fname, strerror(errno));
5269 }
5270 read_ehdr(fp);
5271+ read_phdrs(fp);
5272 read_shdrs(fp);
5273 read_strtabs(fp);
5274 read_symtabs(fp);
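Review bot: The new segment lookup in `read_relocs` indexes `secs[sec->shdr.sh_info]` with a value read straight from the input file, and nothing visible compares it with `ehdr.e_shnum`, so a malformed ELF would make the tool read past the `secs` array. A guard ahead of the loop, `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Bad sh_info %u\n", sec->shdr.sh_info);`, fixes that, and keeping `secs[sec->shdr.sh_info].shdr.sh_offset` in a local would shorten the long range test. When no `PT_LOAD` entry matches, `base` silently stays 0; if that is intended for sections that are not loaded, a comment should say so. In `read_phdrs`, `ehdr.e_phentsize` is never compared with `sizeof(Elf32_Phdr)` before the bulk `fread`, and `strerror(errno)` is misleading after a short read that hit end of file.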
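--- a/arch/x86/boot/cpucheck.c
+++ b/arch/x86/boot/cpucheck.c
@@ -74,7 +74,7 @@ static int has_fpu(void)
 u16 fcw = -1, fsw = -1;
 u32 cr0;
 
- asm("movl %%cr0,%0" : "=r" (cr0));
+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
 asm volatile("movl %0,%%cr0" : : "r" (cr0));
@@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
 {
 u32 f0, f1;
 
- asm("pushfl ; "
+ asm volatile("pushfl ; "
 "pushfl ; "
 "popl %0 ; "
 "movl %0,%1 ; "
@@ -115,7 +115,7 @@ static void get_flags(void)
 set_bit(X86_FEATURE_FPU, cpu.flags);
 
 if (has_eflag(X86_EFLAGS_ID)) {
- asm("cpuid"
+ asm volatile("cpuid"
 : "=a" (max_intel_level),
 "=b" (cpu_vendor[0]),
 "=d" (cpu_vendor[1]),
@@ -124,7 +124,7 @@ static void get_flags(void)
 
 if (max_intel_level >= 0x00000001 &&
 max_intel_level <= 0x0000ffff) {
- asm("cpuid"
+ asm volatile("cpuid"
 : "=a" (tfms),
 "=c" (cpu.flags[4]),
 "=d" (cpu.flags[0])
@@ -136,7 +136,7 @@ static void get_flags(void)
 cpu.model += ((tfms >> 16) & 0xf) << 4;
 }
 
- asm("cpuid"
+ asm volatile("cpuid"
 : "=a" (max_amd_level)
 : "a" (0x80000000)
 : "ebx", "ecx", "edx");
@@ -144,7 +144,7 @@ static void get_flags(void)
 if (max_amd_level >= 0x80000001 &&
 max_amd_level <= 0x8000ffff) {
 u32 eax = 0x80000001;
- asm("cpuid"
+ asm volatile("cpuid"
 : "+a" (eax),
 "=c" (cpu.flags[6]),
 "=d" (cpu.flags[1])
@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
 u32 ecx = MSR_K7_HWCR;
 u32 eax, edx;
 
- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
 eax &= ~(1 << 15);
- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
 
 get_flags(); /* Make sure it really did something */
 err = check_flags();
@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
 u32 ecx = MSR_VIA_FCR;
 u32 eax, edx;
 
- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
 eax |= (1<<1)|(1<<7);
- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
 
 set_bit(X86_FEATURE_CX8, cpu.flags);
 err = check_flags();
@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
 u32 eax, edx;
 u32 level = 1;
 
- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
- asm("cpuid"
+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
+ asm volatile("cpuid"
 : "+a" (level), "=d" (cpu.flags[0])
 : : "ecx", "ebx");
- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
 
 err = check_flags();
 }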
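Review bot: None of the `asm` to `asm volatile` sites in `has_fpu`, `has_eflag`, `get_flags` and `check_cpu` records why the qualifier is needed, and for statements that have outputs the reason is not obvious. The `cpuid` and `rdmsr` results depend on CR0 and MSR writes the compiler cannot see, so without `volatile` two textually identical statements could be merged or one moved across a `wrmsr`; the call `get_flags(); /* Make sure it really did something */` depends on a real re-read. One comment above `get_flags`, for example `/* asm volatile: results depend on MSR/CR0 state changed behind the compiler's back */`, would capture this. The `wrmsr` statements have no output operands and GCC already treats such statements as volatile, so there the change is for consistency only. All four functions extend beyond the hunks shown.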
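--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
 # single linked list of
 # struct setup_data
 
-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
 
 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
 #define VO_INIT_SIZE (VO__end - VO__text)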
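--- a/arch/x86/boot/video-vesa.c
+++ b/arch/x86/boot/video-vesa.c
@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
 
 boot_params.screen_info.vesapm_seg = oreg.es;
 boot_params.screen_info.vesapm_off = oreg.di;
+ boot_params.screen_info.vesapm_size = oreg.cx;
 }
 
 /*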
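Review bot: `vesapm_size` is filled from `oreg.cx` exactly as the BIOS call returned it, with no upper bound or zero check in this hunk. Whatever later uses it as the length of the protected-mode interface block has to validate it, and a comment on the new line, `/* length as reported by firmware, not validated here */`, would make that contract visible. The start of `vesa_store_pm_info` lies outside the hunk, so whether the call's status is checked before these three stores cannot be seen here.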
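--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
 sp -= frame_size;
 /* Align the stack pointer according to the i386 ABI,
 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
- sp = ((sp + 4) & -16ul) - 4;
+ sp = ((sp - 12) & -16ul) - 4;
 return (void __user *) sp;
 }
 
@@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
 0xb8,
 __NR_ia32_rt_sigreturn,
 0x80cd,
- 0,
+ 0
 };
 
 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);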
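Review bot: The comment above the changed line in `get_sigframe` still describes only the `((sp + 4) & 15) == 0` alignment, but the new expression `((sp - 12) & -16ul) - 4` also places the frame at least 16 bytes below the incoming `sp`, where the old one could return `sp` unchanged. That extra gap is the actual behaviour change and should be stated, for example by appending `* The result is always at least 16 bytes below the incoming sp.` together with the reason for it. The dropped trailing comma in the `ia32_setup_rt_frame` initializer is cosmetic. Both functions start outside their hunks.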
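--- a/arch/x86/include/asm/alternative.h
+++ b/arch/x86/include/asm/alternative.h
@@ -86,7 +86,7 @@ static inline void alternatives_smp_swit
 " .byte 664f-663f\n" /* replacementlen */ \
 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
 ".previous\n" \
- ".section .altinstr_replacement, \"ax\"\n" \
+ ".section .altinstr_replacement, \"a\"\n" \
 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
 ".previous"
 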
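Review bot: The flag change from `\"ax\"` to `\"a\"` on the `.altinstr_replacement` line drops the executable attribute, but the macro carries no comment explaining that this is deliberate. Presumably the replacement bytes are only a copy source and are never run in place; if so, a trailing `/* "a", not "ax": replacements are copied over the original site, never executed here */` would stop someone from restoring the flag later. Whether the linker script then places this section in a non-executable region cannot be seen from this hunk and is worth confirming.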
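--- a/arch/x86/include/asm/apm.h
+++ b/arch/x86/include/asm/apm.h
@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
 __asm__ __volatile__(APM_DO_ZERO_SEGS
 "pushl %%edi\n\t"
 "pushl %%ebp\n\t"
- "lcall *%%cs:apm_bios_entry\n\t"
+ "lcall *%%ss:apm_bios_entry\n\t"
 "setc %%al\n\t"
 "popl %%ebp\n\t"
 "popl %%edi\n\t"
@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
 __asm__ __volatile__(APM_DO_ZERO_SEGS
 "pushl %%edi\n\t"
 "pushl %%ebp\n\t"
- "lcall *%%cs:apm_bios_entry\n\t"
+ "lcall *%%ss:apm_bios_entry\n\t"
 "setc %%bl\n\t"
 "popl %%ebp\n\t"
 "popl %%edi\n\t"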
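Review bot: The switch from `%%cs:` to `%%ss:` on both `lcall *...apm_bios_entry` lines is unexplained, and the segment choice is an assumption worth writing down: the far pointer is now fetched through the stack segment, which only works while SS is a flat data segment that covers `apm_bios_entry`. A comment above each call, such as `/* fetch the entry pointer via %ss; the other data segments are cleared by APM_DO_ZERO_SEGS */`, would document it. What `APM_DO_ZERO_SEGS` clears is inferred from its name, since its definition is outside this section. Both inline functions begin and end outside their hunks.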
ae4e228f
MT
5450diff -urNp linux-2.6.33.1/arch/x86/include/asm/atomic_32.h linux-2.6.33.1/arch/x86/include/asm/atomic_32.h
5451--- linux-2.6.33.1/arch/x86/include/asm/atomic_32.h 2010-03-15 12:09:39.000000000 -0400
5452+++ linux-2.6.33.1/arch/x86/include/asm/atomic_32.h 2010-03-20 16:58:38.972657826 -0400
58c5fc13
MT
5453@@ -25,6 +25,17 @@ static inline int atomic_read(const atom
5454 }
5455
5456 /**
5457+ * atomic_read_unchecked - read atomic variable
5458+ * @v: pointer of type atomic_unchecked_t
5459+ *
5460+ * Atomically reads the value of @v.
5461+ */
5462+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5463+{
5464+ return v->counter;
5465+}
5466+
5467+/**
5468 * atomic_set - set atomic variable
5469 * @v: pointer of type atomic_t
5470 * @i: required value
5471@@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
5472 }
5473
5474 /**
5475+ * atomic_set_unchecked - set atomic variable
5476+ * @v: pointer of type atomic_unchecked_t
5477+ * @i: required value
5478+ *
5479+ * Atomically sets the value of @v to @i.
5480+ */
5481+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5482+{
5483+ v->counter = i;
5484+}
5485+
5486+/**
5487 * atomic_add - add integer to atomic variable
5488 * @i: integer value to add
5489 * @v: pointer of type atomic_t
5490@@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
5491 */
5492 static inline void atomic_add(int i, atomic_t *v)
5493 {
5494- asm volatile(LOCK_PREFIX "addl %1,%0"
5495+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5496+
5497+#ifdef CONFIG_PAX_REFCOUNT
5498+ "jno 0f\n"
5499+ LOCK_PREFIX "subl %1,%0\n"
5500+ "into\n0:\n"
5501+ _ASM_EXTABLE(0b, 0b)
5502+#endif
5503+
5504+ : "+m" (v->counter)
5505+ : "ir" (i));
5506+}
5507+
5508+/**
5509+ * atomic_add_unchecked - add integer to atomic variable
5510+ * @i: integer value to add
5511+ * @v: pointer of type atomic_unchecked_t
5512+ *
5513+ * Atomically adds @i to @v.
5514+ */
5515+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5516+{
5517+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5518 : "+m" (v->counter)
5519 : "ir" (i));
5520 }
5521@@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
5522 */
5523 static inline void atomic_sub(int i, atomic_t *v)
5524 {
5525- asm volatile(LOCK_PREFIX "subl %1,%0"
5526+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5527+
5528+#ifdef CONFIG_PAX_REFCOUNT
5529+ "jno 0f\n"
5530+ LOCK_PREFIX "addl %1,%0\n"
5531+ "into\n0:\n"
5532+ _ASM_EXTABLE(0b, 0b)
5533+#endif
5534+
5535+ : "+m" (v->counter)
5536+ : "ir" (i));
5537+}
5538+
5539+/**
5540+ * atomic_sub_unchecked - subtract integer from atomic variable
5541+ * @i: integer value to subtract
5542+ * @v: pointer of type atomic_t
5543+ *
5544+ * Atomically subtracts @i from @v.
5545+ */
5546+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5547+{
5548+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5549 : "+m" (v->counter)
5550 : "ir" (i));
5551 }
5552@@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
5553 {
5554 unsigned char c;
5555
5556- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5557+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
5558+
5559+#ifdef CONFIG_PAX_REFCOUNT
5560+ "jno 0f\n"
5561+ LOCK_PREFIX "addl %2,%0\n"
5562+ "into\n0:\n"
5563+ _ASM_EXTABLE(0b, 0b)
5564+#endif
5565+
5566+ "sete %1\n"
5567 : "+m" (v->counter), "=qm" (c)
5568 : "ir" (i) : "memory");
5569 return c;
5570@@ -91,7 +167,30 @@ static inline int atomic_sub_and_test(in
5571 */
5572 static inline void atomic_inc(atomic_t *v)
5573 {
5574- asm volatile(LOCK_PREFIX "incl %0"
5575+ asm volatile(LOCK_PREFIX "incl %0\n"
5576+
5577+#ifdef CONFIG_PAX_REFCOUNT
5578+ "into\n0:\n"
5579+ ".pushsection .fixup,\"ax\"\n"
5580+ "1:\n"
5581+ LOCK_PREFIX "decl %0\n"
5582+ "jmp 0b\n"
5583+ ".popsection\n"
5584+ _ASM_EXTABLE(0b, 1b)
5585+#endif
5586+
5587+ : "+m" (v->counter));
5588+}
5589+
5590+/**
5591+ * atomic_inc_unchecked - increment atomic variable
5592+ * @v: pointer of type atomic_unchecked_t
5593+ *
5594+ * Atomically increments @v by 1.
5595+ */
5596+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5597+{
5598+ asm volatile(LOCK_PREFIX "incl %0\n"
5599 : "+m" (v->counter));
5600 }
5601
5602@@ -103,7 +202,18 @@ static inline void atomic_inc(atomic_t *
5603 */
5604 static inline void atomic_dec(atomic_t *v)
5605 {
5606- asm volatile(LOCK_PREFIX "decl %0"
5607+ asm volatile(LOCK_PREFIX "decl %0\n"
5608+
5609+#ifdef CONFIG_PAX_REFCOUNT
5610+ "into\n0:\n"
5611+ ".pushsection .fixup,\"ax\"\n"
5612+ "1: \n"
5613+ LOCK_PREFIX "incl %0\n"
5614+ "jmp 0b\n"
5615+ ".popsection\n"
5616+ _ASM_EXTABLE(0b, 1b)
5617+#endif
5618+
5619 : "+m" (v->counter));
5620 }
5621
5622@@ -119,7 +229,19 @@ static inline int atomic_dec_and_test(at
5623 {
5624 unsigned char c;
5625
5626- asm volatile(LOCK_PREFIX "decl %0; sete %1"
5627+ asm volatile(LOCK_PREFIX "decl %0\n"
5628+
5629+#ifdef CONFIG_PAX_REFCOUNT
5630+ "into\n0:\n"
5631+ ".pushsection .fixup,\"ax\"\n"
5632+ "1: \n"
5633+ LOCK_PREFIX "incl %0\n"
5634+ "jmp 0b\n"
5635+ ".popsection\n"
5636+ _ASM_EXTABLE(0b, 1b)
5637+#endif
5638+
5639+ "sete %1\n"
5640 : "+m" (v->counter), "=qm" (c)
5641 : : "memory");
5642 return c != 0;
5643@@ -137,7 +259,19 @@ static inline int atomic_inc_and_test(at
5644 {
5645 unsigned char c;
5646
5647- asm volatile(LOCK_PREFIX "incl %0; sete %1"
5648+ asm volatile(LOCK_PREFIX "incl %0\n"
5649+
5650+#ifdef CONFIG_PAX_REFCOUNT
5651+ "into\n0:\n"
5652+ ".pushsection .fixup,\"ax\"\n"
5653+ "1: \n"
5654+ LOCK_PREFIX "decl %0\n"
5655+ "jmp 0b\n"
5656+ ".popsection\n"
5657+ _ASM_EXTABLE(0b, 1b)
5658+#endif
5659+
5660+ "sete %1\n"
5661 : "+m" (v->counter), "=qm" (c)
5662 : : "memory");
5663 return c != 0;
5664@@ -156,7 +290,16 @@ static inline int atomic_add_negative(in
5665 {
5666 unsigned char c;
5667
5668- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
5669+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
5670+
5671+#ifdef CONFIG_PAX_REFCOUNT
5672+ "jno 0f\n"
5673+ LOCK_PREFIX "subl %2,%0\n"
5674+ "into\n0:\n"
5675+ _ASM_EXTABLE(0b, 0b)
5676+#endif
5677+
5678+ "sets %1\n"
5679 : "+m" (v->counter), "=qm" (c)
5680 : "ir" (i) : "memory");
5681 return c;
ae4e228f 5682@@ -179,6 +322,46 @@ static inline int atomic_add_return(int
58c5fc13
MT
5683 #endif
5684 /* Modern 486+ processor */
5685 __i = i;
58c5fc13
MT
5686+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
5687+
5688+#ifdef CONFIG_PAX_REFCOUNT
5689+ "jno 0f\n"
5690+ "movl %0, %1\n"
5691+ "into\n0:\n"
5692+ _ASM_EXTABLE(0b, 0b)
5693+#endif
5694+
ae4e228f
MT
5695+ : "+r" (i), "+m" (v->counter)
5696+ : : "memory");
5697+ return i + __i;
5698+
5699+#ifdef CONFIG_M386
5700+no_xadd: /* Legacy 386 processor */
5701+ local_irq_save(flags);
5702+ __i = atomic_read(v);
5703+ atomic_set(v, i + __i);
5704+ local_irq_restore(flags);
5705+ return i + __i;
5706+#endif
5707+}
5708+
5709+/**
5710+ * atomic_add_return_unchecked - add integer and return
5711+ * @v: pointer of type atomic_unchecked_t
5712+ * @i: integer value to add
5713+ *
5714+ * Atomically adds @i to @v and returns @i + @v
5715+ */
5716+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
5717+{
5718+ int __i;
5719+#ifdef CONFIG_M386
5720+ unsigned long flags;
5721+ if (unlikely(boot_cpu_data.x86 <= 3))
5722+ goto no_xadd;
5723+#endif
5724+ /* Modern 486+ processor */
5725+ __i = i;
5726 asm volatile(LOCK_PREFIX "xaddl %0, %1"
58c5fc13
MT
5727 : "+r" (i), "+m" (v->counter)
5728 : : "memory");
ae4e228f 5729@@ -227,22 +410,34 @@ static inline int atomic_xchg(atomic_t *
58c5fc13
MT
5730 */
5731 static inline int atomic_add_unless(atomic_t *v, int a, int u)
5732 {
5733- int c, old;
5734+ int c, old, new;
5735 c = atomic_read(v);
5736 for (;;) {
5737- if (unlikely(c == (u)))
5738+ if (unlikely(c == u))
5739 break;
5740- old = atomic_cmpxchg((v), c, c + (a));
5741+
5742+ asm volatile("addl %2,%0\n"
5743+
5744+#ifdef CONFIG_PAX_REFCOUNT
5745+ "into\n0:\n"
5746+ _ASM_EXTABLE(0b, 0b)
5747+#endif
5748+
5749+ : "=r" (new)
5750+ : "0" (c), "ir" (a));
5751+
5752+ old = atomic_cmpxchg(v, c, new);
5753 if (likely(old == c))
5754 break;
5755 c = old;
5756 }
5757- return c != (u);
5758+ return c != u;
5759 }
5760
5761 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
ae4e228f
MT
5762
5763 #define atomic_inc_return(v) (atomic_add_return(1, v))
5764+#define atomic_inc_return_unchecked(v) (atomic_add_return_unchecked(1, v))
5765 #define atomic_dec_return(v) (atomic_sub_return(1, v))
5766
5767 /* These are x86-specific, used by some header files */
5768@@ -266,6 +461,14 @@ typedef struct {
5769 u64 __aligned(8) counter;
5770 } atomic64_t;
5771
5772+#ifdef CONFIG_PAX_REFCOUNT
5773+typedef struct {
5774+ u64 __aligned(8) counter;
5775+} atomic64_unchecked_t;
5776+#else
5777+typedef atomic64_t atomic64_unchecked_t;
5778+#endif
5779+
5780 #define ATOMIC64_INIT(val) { (val) }
5781
5782 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
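Review bot: In `atomic_add_unless`, the `CONFIG_PAX_REFCOUNT` path traps with `into` but does not undo the `addl`, so once the exception-table entry resumes at `0:` the wrapped `new` is still handed to `atomic_cmpxchg` and stored. The other checked operations in this file (`atomic_add`, `atomic_sub`, `atomic_inc`, `atomic_add_return` and the rest) all restore the counter around the trap. Putting `"jno 0f\n"` and `"subl %2,%0\n"` ahead of `"into\n0:\n"` would make the overflow case store the unchanged value instead. This assumes the overflow handler returns to the interrupted code, which is outside this section. Separately, the kernel-doc for `atomic_sub_unchecked` says `@v: pointer of type atomic_t` and should read `atomic_unchecked_t`.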
5783diff -urNp linux-2.6.33.1/arch/x86/include/asm/atomic_64.h linux-2.6.33.1/arch/x86/include/asm/atomic_64.h
5784--- linux-2.6.33.1/arch/x86/include/asm/atomic_64.h 2010-03-15 12:09:39.000000000 -0400
5785+++ linux-2.6.33.1/arch/x86/include/asm/atomic_64.h 2010-03-20 16:58:38.972657826 -0400
58c5fc13
MT
5786@@ -24,6 +24,17 @@ static inline int atomic_read(const atom
5787 }
5788
5789 /**
5790+ * atomic_read_unchecked - read atomic variable
5791+ * @v: pointer of type atomic_unchecked_t
5792+ *
5793+ * Atomically reads the value of @v.
5794+ */
5795+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
5796+{
5797+ return v->counter;
5798+}
5799+
5800+/**
5801 * atomic_set - set atomic variable
5802 * @v: pointer of type atomic_t
5803 * @i: required value
5804@@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
5805 }
5806
5807 /**
5808+ * atomic_set_unchecked - set atomic variable
5809+ * @v: pointer of type atomic_unchecked_t
5810+ * @i: required value
5811+ *
5812+ * Atomically sets the value of @v to @i.
5813+ */
5814+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
5815+{
5816+ v->counter = i;
5817+}
5818+
5819+/**
5820 * atomic_add - add integer to atomic variable
5821 * @i: integer value to add
5822 * @v: pointer of type atomic_t
5823@@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
5824 */
5825 static inline void atomic_add(int i, atomic_t *v)
5826 {
5827- asm volatile(LOCK_PREFIX "addl %1,%0"
5828+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5829+
5830+#ifdef CONFIG_PAX_REFCOUNT
5831+ "jno 0f\n"
5832+ LOCK_PREFIX "subl %1,%0\n"
5833+ "int $4\n0:\n"
5834+ _ASM_EXTABLE(0b, 0b)
5835+#endif
5836+
5837+ : "=m" (v->counter)
5838+ : "ir" (i), "m" (v->counter));
5839+}
5840+
5841+/**
5842+ * atomic_add_unchecked - add integer to atomic variable
5843+ * @i: integer value to add
5844+ * @v: pointer of type atomic_unchecked_t
5845+ *
5846+ * Atomically adds @i to @v.
5847+ */
5848+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
5849+{
5850+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
5851 : "=m" (v->counter)
5852 : "ir" (i), "m" (v->counter));
5853 }
5854@@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
5855 */
5856 static inline void atomic_sub(int i, atomic_t *v)
5857 {
5858- asm volatile(LOCK_PREFIX "subl %1,%0"
5859+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5860+
5861+#ifdef CONFIG_PAX_REFCOUNT
5862+ "jno 0f\n"
5863+ LOCK_PREFIX "addl %1,%0\n"
5864+ "int $4\n0:\n"
5865+ _ASM_EXTABLE(0b, 0b)
5866+#endif
5867+
5868+ : "=m" (v->counter)
5869+ : "ir" (i), "m" (v->counter));
5870+}
5871+
5872+/**
5873+ * atomic_sub_unchecked - subtract the atomic variable
5874+ * @i: integer value to subtract
5875+ * @v: pointer of type atomic_unchecked_t
5876+ *
5877+ * Atomically subtracts @i from @v.
5878+ */
5879+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
5880+{
5881+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
5882 : "=m" (v->counter)
5883 : "ir" (i), "m" (v->counter));
5884 }
5885@@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
5886 {
5887 unsigned char c;
5888
5889- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
5890+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
5891+
5892+#ifdef CONFIG_PAX_REFCOUNT
5893+ "jno 0f\n"
5894+ LOCK_PREFIX "addl %2,%0\n"
5895+ "int $4\n0:\n"
5896+ _ASM_EXTABLE(0b, 0b)
5897+#endif
5898+
5899+ "sete %1\n"
5900 : "=m" (v->counter), "=qm" (c)
5901 : "ir" (i), "m" (v->counter) : "memory");
5902 return c;
5903@@ -90,7 +166,32 @@ static inline int atomic_sub_and_test(in
5904 */
5905 static inline void atomic_inc(atomic_t *v)
5906 {
5907- asm volatile(LOCK_PREFIX "incl %0"
5908+ asm volatile(LOCK_PREFIX "incl %0\n"
5909+
5910+#ifdef CONFIG_PAX_REFCOUNT
5911+ "jno 0f\n"
5912+ "int $4\n0:\n"
5913+ ".pushsection .fixup,\"ax\"\n"
5914+ "1:\n"
5915+ LOCK_PREFIX "decl %0\n"
5916+ "jmp 0b\n"
5917+ ".popsection\n"
5918+ _ASM_EXTABLE(0b, 1b)
5919+#endif
5920+
5921+ : "=m" (v->counter)
5922+ : "m" (v->counter));
5923+}
5924+
5925+/**
5926+ * atomic_inc_unchecked - increment atomic variable
5927+ * @v: pointer of type atomic_unchecked_t
5928+ *
5929+ * Atomically increments @v by 1.
5930+ */
5931+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
5932+{
5933+ asm volatile(LOCK_PREFIX "incl %0\n"
5934 : "=m" (v->counter)
5935 : "m" (v->counter));
5936 }
5937@@ -103,7 +204,19 @@ static inline void atomic_inc(atomic_t *
5938 */
5939 static inline void atomic_dec(atomic_t *v)
5940 {
5941- asm volatile(LOCK_PREFIX "decl %0"
5942+ asm volatile(LOCK_PREFIX "decl %0\n"
5943+
5944+#ifdef CONFIG_PAX_REFCOUNT
5945+ "jno 0f\n"
5946+ "int $4\n0:\n"
5947+ ".pushsection .fixup,\"ax\"\n"
5948+ "1: \n"
5949+ LOCK_PREFIX "incl %0\n"
5950+ "jmp 0b\n"
5951+ ".popsection\n"
5952+ _ASM_EXTABLE(0b, 1b)
5953+#endif
5954+
5955 : "=m" (v->counter)
5956 : "m" (v->counter));
5957 }
5958@@ -120,7 +233,20 @@ static inline int atomic_dec_and_test(at
5959 {
5960 unsigned char c;
5961
5962- asm volatile(LOCK_PREFIX "decl %0; sete %1"
5963+ asm volatile(LOCK_PREFIX "decl %0\n"
5964+
5965+#ifdef CONFIG_PAX_REFCOUNT
5966+ "jno 0f\n"
5967+ "int $4\n0:\n"
5968+ ".pushsection .fixup,\"ax\"\n"
5969+ "1: \n"
5970+ LOCK_PREFIX "incl %0\n"
5971+ "jmp 0b\n"
5972+ ".popsection\n"
5973+ _ASM_EXTABLE(0b, 1b)
5974+#endif
5975+
5976+ "sete %1\n"
5977 : "=m" (v->counter), "=qm" (c)
5978 : "m" (v->counter) : "memory");
5979 return c != 0;
5980@@ -138,7 +264,20 @@ static inline int atomic_inc_and_test(at
5981 {
5982 unsigned char c;
5983
5984- asm volatile(LOCK_PREFIX "incl %0; sete %1"
5985+ asm volatile(LOCK_PREFIX "incl %0\n"
5986+
5987+#ifdef CONFIG_PAX_REFCOUNT
5988+ "jno 0f\n"
5989+ "int $4\n0:\n"
5990+ ".pushsection .fixup,\"ax\"\n"
5991+ "1: \n"
5992+ LOCK_PREFIX "decl %0\n"
5993+ "jmp 0b\n"
5994+ ".popsection\n"
5995+ _ASM_EXTABLE(0b, 1b)
5996+#endif
5997+
5998+ "sete %1\n"
5999 : "=m" (v->counter), "=qm" (c)
6000 : "m" (v->counter) : "memory");
6001 return c != 0;
6002@@ -157,7 +296,16 @@ static inline int atomic_add_negative(in
6003 {
6004 unsigned char c;
6005
6006- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6007+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
6008+
6009+#ifdef CONFIG_PAX_REFCOUNT
6010+ "jno 0f\n"
6011+ LOCK_PREFIX "subl %2,%0\n"
6012+ "int $4\n0:\n"
6013+ _ASM_EXTABLE(0b, 0b)
6014+#endif
6015+
6016+ "sets %1\n"
6017 : "=m" (v->counter), "=qm" (c)
6018 : "ir" (i), "m" (v->counter) : "memory");
6019 return c;
6020@@ -173,7 +321,15 @@ static inline int atomic_add_negative(in
6021 static inline int atomic_add_return(int i, atomic_t *v)
6022 {
6023 int __i = i;
6024- asm volatile(LOCK_PREFIX "xaddl %0, %1"
6025+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6026+
6027+#ifdef CONFIG_PAX_REFCOUNT
6028+ "jno 0f\n"
6029+ "movl %0, %1\n"
6030+ "int $4\n0:\n"
6031+ _ASM_EXTABLE(0b, 0b)
6032+#endif
6033+
6034 : "+r" (i), "+m" (v->counter)
6035 : : "memory");
6036 return i + __i;
ae4e228f
MT
6037@@ -204,6 +360,18 @@ static inline long atomic64_read(const a
6038 }
6039
6040 /**
6041+ * atomic64_read_unchecked - read atomic64 variable
6042+ * @v: pointer of type atomic64_unchecked_t
6043+ *
6044+ * Atomically reads the value of @v.
6045+ * Doesn't imply a read memory barrier.
6046+ */
6047+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6048+{
6049+ return v->counter;
6050+}
6051+
6052+/**
6053 * atomic64_set - set atomic64 variable
6054 * @v: pointer to type atomic64_t
6055 * @i: required value
6056@@ -216,6 +384,18 @@ static inline void atomic64_set(atomic64
6057 }
6058
6059 /**
6060+ * atomic64_set_unchecked - set atomic64 variable
6061+ * @v: pointer to type atomic64_unchecked_t
6062+ * @i: required value
6063+ *
6064+ * Atomically sets the value of @v to @i.
6065+ */
6066+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6067+{
6068+ v->counter = i;
6069+}
6070+
6071+/**
6072 * atomic64_add - add integer to atomic64 variable
6073 * @i: integer value to add
6074 * @v: pointer to type atomic64_t
6075@@ -224,6 +404,28 @@ static inline void atomic64_set(atomic64
58c5fc13
MT
6076 */
6077 static inline void atomic64_add(long i, atomic64_t *v)
6078 {
58c5fc13
MT
6079+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
6080+
6081+#ifdef CONFIG_PAX_REFCOUNT
6082+ "jno 0f\n"
6083+ LOCK_PREFIX "subq %1,%0\n"
6084+ "int $4\n0:\n"
6085+ _ASM_EXTABLE(0b, 0b)
6086+#endif
6087+
ae4e228f
MT
6088+ : "=m" (v->counter)
6089+ : "er" (i), "m" (v->counter));
6090+}
6091+
6092+/**
6093+ * atomic64_add_unchecked - add integer to atomic64 variable
6094+ * @i: integer value to add
6095+ * @v: pointer to type atomic64_unchecked_t
6096+ *
6097+ * Atomically adds @i to @v.
6098+ */
6099+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6100+{
6101 asm volatile(LOCK_PREFIX "addq %1,%0"
58c5fc13
MT
6102 : "=m" (v->counter)
6103 : "er" (i), "m" (v->counter));
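Review bot: The kernel-doc added for atomic64_add_unchecked repeats the wording of atomic64_add and does not say what separates the two. In this hunk atomic64_add gains the CONFIG_PAX_REFCOUNT overflow check while the _unchecked variant keeps the plain `addq`. I would add a line such as ` * No overflow detection: for counters that are allowed to wrap, not for reference counts.`, worded to match the intended policy, which is only inferred here from the names. The same applies to the _unchecked variants added in the atomic64_inc and atomic64_add_return hunks.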
ae4e228f 6104@@ -238,7 +440,15 @@ static inline void atomic64_add(long i,
58c5fc13
MT
6105 */
6106 static inline void atomic64_sub(long i, atomic64_t *v)
6107 {
6108- asm volatile(LOCK_PREFIX "subq %1,%0"
6109+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
6110+
6111+#ifdef CONFIG_PAX_REFCOUNT
6112+ "jno 0f\n"
6113+ LOCK_PREFIX "addq %1,%0\n"
6114+ "int $4\n0:\n"
6115+ _ASM_EXTABLE(0b, 0b)
6116+#endif
6117+
6118 : "=m" (v->counter)
6119 : "er" (i), "m" (v->counter));
6120 }
ae4e228f 6121@@ -256,7 +466,16 @@ static inline int atomic64_sub_and_test(
58c5fc13
MT
6122 {
6123 unsigned char c;
6124
6125- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6126+ asm volatile(LOCK_PREFIX "subq %2,%0\n"
6127+
6128+#ifdef CONFIG_PAX_REFCOUNT
6129+ "jno 0f\n"
6130+ LOCK_PREFIX "addq %2,%0\n"
6131+ "int $4\n0:\n"
6132+ _ASM_EXTABLE(0b, 0b)
6133+#endif
6134+
6135+ "sete %1\n"
6136 : "=m" (v->counter), "=qm" (c)
6137 : "er" (i), "m" (v->counter) : "memory");
6138 return c;
ae4e228f 6139@@ -270,6 +489,31 @@ static inline int atomic64_sub_and_test(
58c5fc13
MT
6140 */
6141 static inline void atomic64_inc(atomic64_t *v)
6142 {
58c5fc13
MT
6143+ asm volatile(LOCK_PREFIX "incq %0\n"
6144+
6145+#ifdef CONFIG_PAX_REFCOUNT
6146+ "jno 0f\n"
6147+ "int $4\n0:\n"
6148+ ".pushsection .fixup,\"ax\"\n"
6149+ "1:\n"
6150+ LOCK_PREFIX "decq %0\n"
6151+ "jmp 0b\n"
6152+ ".popsection\n"
6153+ _ASM_EXTABLE(0b, 1b)
6154+#endif
6155+
ae4e228f
MT
6156+ : "=m" (v->counter)
6157+ : "m" (v->counter));
6158+}
6159+
6160+/**
6161+ * atomic64_inc_unchecked - increment atomic64 variable
6162+ * @v: pointer to type atomic64_unchecked_t
6163+ *
6164+ * Atomically increments @v by 1.
6165+ */
6166+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6167+{
6168 asm volatile(LOCK_PREFIX "incq %0"
58c5fc13
MT
6169 : "=m" (v->counter)
6170 : "m" (v->counter));
ae4e228f 6171@@ -283,7 +527,19 @@ static inline void atomic64_inc(atomic64
58c5fc13
MT
6172 */
6173 static inline void atomic64_dec(atomic64_t *v)
6174 {
6175- asm volatile(LOCK_PREFIX "decq %0"
6176+ asm volatile(LOCK_PREFIX "decq %0\n"
6177+
6178+#ifdef CONFIG_PAX_REFCOUNT
6179+ "jno 0f\n"
6180+ "int $4\n0:\n"
6181+ ".pushsection .fixup,\"ax\"\n"
6182+ "1: \n"
6183+ LOCK_PREFIX "incq %0\n"
6184+ "jmp 0b\n"
6185+ ".popsection\n"
6186+ _ASM_EXTABLE(0b, 1b)
6187+#endif
6188+
6189 : "=m" (v->counter)
6190 : "m" (v->counter));
6191 }
ae4e228f 6192@@ -300,7 +556,20 @@ static inline int atomic64_dec_and_test(
58c5fc13
MT
6193 {
6194 unsigned char c;
6195
6196- asm volatile(LOCK_PREFIX "decq %0; sete %1"
6197+ asm volatile(LOCK_PREFIX "decq %0\n"
6198+
6199+#ifdef CONFIG_PAX_REFCOUNT
6200+ "jno 0f\n"
6201+ "int $4\n0:\n"
6202+ ".pushsection .fixup,\"ax\"\n"
6203+ "1: \n"
6204+ LOCK_PREFIX "incq %0\n"
6205+ "jmp 0b\n"
6206+ ".popsection\n"
6207+ _ASM_EXTABLE(0b, 1b)
6208+#endif
6209+
6210+ "sete %1\n"
6211 : "=m" (v->counter), "=qm" (c)
6212 : "m" (v->counter) : "memory");
6213 return c != 0;
ae4e228f 6214@@ -318,7 +587,20 @@ static inline int atomic64_inc_and_test(
58c5fc13
MT
6215 {
6216 unsigned char c;
6217
6218- asm volatile(LOCK_PREFIX "incq %0; sete %1"
6219+ asm volatile(LOCK_PREFIX "incq %0\n"
6220+
6221+#ifdef CONFIG_PAX_REFCOUNT
6222+ "jno 0f\n"
6223+ "int $4\n0:\n"
6224+ ".pushsection .fixup,\"ax\"\n"
6225+ "1: \n"
6226+ LOCK_PREFIX "decq %0\n"
6227+ "jmp 0b\n"
6228+ ".popsection\n"
6229+ _ASM_EXTABLE(0b, 1b)
6230+#endif
6231+
6232+ "sete %1\n"
6233 : "=m" (v->counter), "=qm" (c)
6234 : "m" (v->counter) : "memory");
6235 return c != 0;
ae4e228f 6236@@ -337,7 +619,16 @@ static inline int atomic64_add_negative(
58c5fc13
MT
6237 {
6238 unsigned char c;
6239
6240- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6241+ asm volatile(LOCK_PREFIX "addq %2,%0\n"
6242+
6243+#ifdef CONFIG_PAX_REFCOUNT
6244+ "jno 0f\n"
6245+ LOCK_PREFIX "subq %2,%0\n"
6246+ "int $4\n0:\n"
6247+ _ASM_EXTABLE(0b, 0b)
6248+#endif
6249+
6250+ "sets %1\n"
6251 : "=m" (v->counter), "=qm" (c)
6252 : "er" (i), "m" (v->counter) : "memory");
6253 return c;
ae4e228f 6254@@ -353,7 +644,31 @@ static inline int atomic64_add_negative(
58c5fc13
MT
6255 static inline long atomic64_add_return(long i, atomic64_t *v)
6256 {
6257 long __i = i;
6258- asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6259+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6260+
6261+#ifdef CONFIG_PAX_REFCOUNT
6262+ "jno 0f\n"
6263+ "movq %0, %1\n"
6264+ "int $4\n0:\n"
6265+ _ASM_EXTABLE(0b, 0b)
6266+#endif
6267+
ae4e228f
MT
6268+ : "+r" (i), "+m" (v->counter)
6269+ : : "memory");
6270+ return i + __i;
6271+}
6272+
6273+/**
6274+ * atomic64_add_return_unchecked - add and return
6275+ * @i: integer value to add
6276+ * @v: pointer to type atomic64_unchecked_t
6277+ *
6278+ * Atomically adds @i to @v and returns @i + @v
6279+ */
6280+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6281+{
6282+ long __i = i;
6283+ asm volatile(LOCK_PREFIX "xaddq %0, %1"
58c5fc13
MT
6284 : "+r" (i), "+m" (v->counter)
6285 : : "memory");
6286 return i + __i;
ae4e228f
MT
6287@@ -365,6 +680,7 @@ static inline long atomic64_sub_return(l
6288 }
6289
6290 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6291+#define atomic64_inc_return_unchecked(v) (atomic64_add_return_unchecked(1, (v)))
6292 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6293
6294 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6295@@ -398,17 +714,29 @@ static inline long atomic_xchg(atomic_t
58c5fc13
MT
6296 */
6297 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6298 {
6299- int c, old;
6300+ int c, old, new;
6301 c = atomic_read(v);
6302 for (;;) {
6303- if (unlikely(c == (u)))
6304+ if (unlikely(c == u))
6305 break;
6306- old = atomic_cmpxchg((v), c, c + (a));
6307+
6308+ asm volatile("addl %2,%0\n"
6309+
6310+#ifdef CONFIG_PAX_REFCOUNT
6311+ "jno 0f\n"
6312+ "int $4\n0:\n"
6313+ _ASM_EXTABLE(0b, 0b)
6314+#endif
6315+
6316+ : "=r" (new)
6317+ : "0" (c), "ir" (a));
6318+
6319+ old = atomic_cmpxchg(v, c, new);
6320 if (likely(old == c))
6321 break;
6322 c = old;
6323 }
6324- return c != (u);
6325+ return c != u;
6326 }
6327
6328 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
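Review bot: In atomic_add_unless the overflow branch raises `int $4` but leaves the wrapped sum in `new`. If execution resumes at label `0`, as the `_ASM_EXTABLE(0b, 0b)` entry suggests, the following `atomic_cmpxchg(v, c, new)` still stores the overflowed value. The other checked operations in this patch undo the arithmetic before trapping; placing `"subl %2,%0\n"` before `"int $4\n0:\n"` does the same here, so the cmpxchg writes back the unchanged value. The atomic64_add_unless hunk has the same gap and would take `"subq %2,%0\n"`. Whether the function should still return non-zero on that path deserves a comment.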
ae4e228f 6329@@ -424,17 +752,29 @@ static inline int atomic_add_unless(atom
58c5fc13
MT
6330 */
6331 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6332 {
6333- long c, old;
6334+ long c, old, new;
6335 c = atomic64_read(v);
6336 for (;;) {
6337- if (unlikely(c == (u)))
6338+ if (unlikely(c == u))
6339 break;
6340- old = atomic64_cmpxchg((v), c, c + (a));
6341+
6342+ asm volatile("addq %2,%0\n"
6343+
6344+#ifdef CONFIG_PAX_REFCOUNT
6345+ "jno 0f\n"
6346+ "int $4\n0:\n"
6347+ _ASM_EXTABLE(0b, 0b)
6348+#endif
6349+
6350+ : "=r" (new)
6351+ : "0" (c), "er" (a));
6352+
6353+ old = atomic64_cmpxchg((v), c, new);
6354 if (likely(old == c))
6355 break;
6356 c = old;
6357 }
6358- return c != (u);
6359+ return c != u;
6360 }
6361
6362 /**
ae4e228f
MT
6363diff -urNp linux-2.6.33.1/arch/x86/include/asm/boot.h linux-2.6.33.1/arch/x86/include/asm/boot.h
6364--- linux-2.6.33.1/arch/x86/include/asm/boot.h 2010-03-15 12:09:39.000000000 -0400
6365+++ linux-2.6.33.1/arch/x86/include/asm/boot.h 2010-03-20 16:58:38.972657826 -0400
58c5fc13
MT
6366@@ -11,10 +11,15 @@
6367 #include <asm/pgtable_types.h>
6368
6369 /* Physical address where kernel should be loaded. */
6370-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6371+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6372 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6373 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6374
6375+#ifndef __ASSEMBLY__
6376+extern unsigned char __LOAD_PHYSICAL_ADDR[];
6377+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6378+#endif
6379+
6380 /* Minimum kernel alignment, as a power of two */
6381 #ifdef CONFIG_X86_64
6382 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
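Review bot: LOAD_PHYSICAL_ADDR stops being a preprocessor constant here and is only defined when `__ASSEMBLY__` is not set, so any assembly source or `#if` expression still using the old name will no longer build or evaluate. Those users would have to move to `____LOAD_PHYSICAL_ADDR`, and none of them are visible in this hunk. A comment above the `extern` should say where `__LOAD_PHYSICAL_ADDR` is defined and why the address comes from a symbol, e.g. `/* link-time symbol, see <linker script>; use ____LOAD_PHYSICAL_ADDR where a constant is required */`. The two names differ only in the number of leading underscores, which is easy to misread; a descriptive suffix would be safer.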
ae4e228f
MT
6383diff -urNp linux-2.6.33.1/arch/x86/include/asm/cache.h linux-2.6.33.1/arch/x86/include/asm/cache.h
6384--- linux-2.6.33.1/arch/x86/include/asm/cache.h 2010-03-15 12:09:39.000000000 -0400
6385+++ linux-2.6.33.1/arch/x86/include/asm/cache.h 2010-03-20 16:58:38.976510592 -0400
6386@@ -8,6 +8,7 @@
58c5fc13
MT
6387 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6388
6389 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
6390+#define __read_only __attribute__((__section__(".data.read_only")))
6391
ae4e228f
MT
6392 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6393 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
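Review bot: `__read_only` only names an output section, and nothing in this hunk shows `.data.read_only` being collected by the linker script or mapped without write permission. A comment next to the macro should point to where that happens and state how such variables may be updated after boot, for example `/* placed in .data.read_only; writes after init need pax_open_kernel() */` if that is the intended rule. Without it the name promises a protection the reader cannot verify from this header.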
6394diff -urNp linux-2.6.33.1/arch/x86/include/asm/checksum_32.h linux-2.6.33.1/arch/x86/include/asm/checksum_32.h
6395--- linux-2.6.33.1/arch/x86/include/asm/checksum_32.h 2010-03-15 12:09:39.000000000 -0400
6396+++ linux-2.6.33.1/arch/x86/include/asm/checksum_32.h 2010-03-20 16:58:38.976510592 -0400
58c5fc13
MT
6397@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6398 int len, __wsum sum,
6399 int *src_err_ptr, int *dst_err_ptr);
6400
6401+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6402+ int len, __wsum sum,
6403+ int *src_err_ptr, int *dst_err_ptr);
6404+
6405+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6406+ int len, __wsum sum,
6407+ int *src_err_ptr, int *dst_err_ptr);
6408+
6409 /*
6410 * Note: when you get a NULL pointer exception here this means someone
6411 * passed in an incorrect kernel address to one of these functions.
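Review bot: The two new prototypes carry no `__user` annotation, so the declarations do not show which pointer is the user-space one, and both call sites changed in this file keep casting it away with `__force`. Declaring `const void __user *src` for csum_partial_copy_generic_from_user and `void __user *dst` for csum_partial_copy_generic_to_user would let sparse check the direction, and the casts in the callers could then be dropped. At minimum, a one-line comment on each prototype should name the user-side argument.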
6412@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6413 int *err_ptr)
6414 {
6415 might_sleep();
6416- return csum_partial_copy_generic((__force void *)src, dst,
6417+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
6418 len, sum, err_ptr, NULL);
6419 }
6420
ae4e228f 6421@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
58c5fc13
MT
6422 {
6423 might_sleep();
6424 if (access_ok(VERIFY_WRITE, dst, len))
6425- return csum_partial_copy_generic(src, (__force void *)dst,
6426+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6427 len, sum, NULL, err_ptr);
6428
6429 if (len)
ae4e228f
MT
6430diff -urNp linux-2.6.33.1/arch/x86/include/asm/desc.h linux-2.6.33.1/arch/x86/include/asm/desc.h
6431--- linux-2.6.33.1/arch/x86/include/asm/desc.h 2010-03-15 12:09:39.000000000 -0400
6432+++ linux-2.6.33.1/arch/x86/include/asm/desc.h 2010-03-20 16:58:38.976510592 -0400
6433@@ -4,6 +4,7 @@
6434 #include <asm/desc_defs.h>
6435 #include <asm/ldt.h>
6436 #include <asm/mmu.h>
6437+#include <asm/pgtable.h>
6438 #include <linux/smp.h>
6439
6440 static inline void fill_ldt(struct desc_struct *desc,
6441@@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
58c5fc13
MT
6442 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6443 desc->type = (info->read_exec_only ^ 1) << 1;
6444 desc->type |= info->contents << 2;
6445+ desc->type |= info->seg_not_present ^ 1;
6446 desc->s = 1;
6447 desc->dpl = 0x3;
6448 desc->p = info->seg_not_present ^ 1;
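Review bot: The added `desc->type |= info->seg_not_present ^ 1;` has no comment. Bit 0 of the type field of a code or data descriptor is the accessed bit, so the line pre-sets it for every present segment. If the reason is that the CPU would otherwise write that bit into a descriptor table this patch keeps read-only, say so, e.g. `/* pre-set the accessed bit so the CPU never has to write the descriptor */`. fill_ldt begins above the hunk.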
ae4e228f 6449@@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
58c5fc13
MT
6450 }
6451
6452 extern struct desc_ptr idt_descr;
6453-extern gate_desc idt_table[];
6454-
6455-struct gdt_page {
6456- struct desc_struct gdt[GDT_ENTRIES];
6457-} __attribute__((aligned(PAGE_SIZE)));
6458-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6459+extern gate_desc idt_table[256];
6460
6461+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6462 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6463 {
6464- return per_cpu(gdt_page, cpu).gdt;
6465+ return cpu_gdt_table[cpu];
6466 }
6467
6468 #ifdef CONFIG_X86_64
ae4e228f 6469@@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
58c5fc13
MT
6470 static inline void native_write_idt_entry(gate_desc *idt, int entry,
6471 const gate_desc *gate)
6472 {
ae4e228f 6473+ pax_open_kernel();
58c5fc13 6474 memcpy(&idt[entry], gate, sizeof(*gate));
ae4e228f 6475+ pax_close_kernel();
58c5fc13
MT
6476 }
6477
6478 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6479 const void *desc)
6480 {
ae4e228f 6481+ pax_open_kernel();
58c5fc13 6482 memcpy(&ldt[entry], desc, 8);
ae4e228f 6483+ pax_close_kernel();
58c5fc13
MT
6484 }
6485
6486 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6487 const void *desc, int type)
6488 {
6489 unsigned int size;
58c5fc13
MT
6490+
6491 switch (type) {
6492 case DESC_TSS:
6493 size = sizeof(tss_desc);
ae4e228f 6494@@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
58c5fc13
MT
6495 size = sizeof(struct desc_struct);
6496 break;
6497 }
6498+
ae4e228f 6499+ pax_open_kernel();
58c5fc13 6500 memcpy(&gdt[entry], desc, size);
ae4e228f 6501+ pax_close_kernel();
58c5fc13
MT
6502 }
6503
6504 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
ae4e228f 6505@@ -211,7 +217,9 @@ static inline void native_set_ldt(const
58c5fc13
MT
6506
6507 static inline void native_load_tr_desc(void)
6508 {
ae4e228f 6509+ pax_open_kernel();
58c5fc13 6510 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
ae4e228f 6511+ pax_close_kernel();
58c5fc13
MT
6512 }
6513
6514 static inline void native_load_gdt(const struct desc_ptr *dtr)
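Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `ltr` in native_load_tr_desc needs a comment, because the function stores nothing itself and the pair reads like dead code. `ltr` marks the TSS descriptor busy, which is a write to the GDT performed by the processor. Something like `/* ltr sets the busy bit in the GDT entry, so the GDT must be writable here */` would keep a later cleanup from removing the pair.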
ae4e228f 6515@@ -246,8 +254,10 @@ static inline void native_load_tls(struc
58c5fc13
MT
6516 unsigned int i;
6517 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6518
ae4e228f 6519+ pax_open_kernel();
58c5fc13
MT
6520 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6521 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
ae4e228f 6522+ pax_close_kernel();
58c5fc13
MT
6523 }
6524
6525 #define _LDT_empty(info) \
ae4e228f 6526@@ -392,4 +402,16 @@ static inline void set_system_intr_gate_
58c5fc13
MT
6527 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
6528 }
6529
6530+#ifdef CONFIG_X86_32
6531+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
6532+{
6533+ struct desc_struct d;
6534+
6535+ if (likely(limit))
6536+ limit = (limit - 1UL) >> PAGE_SHIFT;
6537+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
6538+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
6539+}
6540+#endif
6541+
6542 #endif /* _ASM_X86_DESC_H */
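Review bot: set_user_cs passes the literals `0xFB` and `0xC` to pack_descriptor with no explanation. A `limit` of 0 is also passed through unchanged, and with the page-granularity flag in `0xC` that still describes a segment of one page rather than an empty one. If callers use 0 to mean that no executable range exists, that case needs explicit handling or at least a comment. The function should also get a short header comment stating that `limit` is a byte count, which is what the `limit - 1UL` followed by the shift suggests.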
ae4e228f
MT
6543diff -urNp linux-2.6.33.1/arch/x86/include/asm/device.h linux-2.6.33.1/arch/x86/include/asm/device.h
6544--- linux-2.6.33.1/arch/x86/include/asm/device.h 2010-03-15 12:09:39.000000000 -0400
6545+++ linux-2.6.33.1/arch/x86/include/asm/device.h 2010-03-20 16:58:38.976510592 -0400
6546@@ -6,7 +6,7 @@ struct dev_archdata {
6547 void *acpi_handle;
6548 #endif
6549 #ifdef CONFIG_X86_64
6550-struct dma_map_ops *dma_ops;
6551+ const struct dma_map_ops *dma_ops;
6552 #endif
6553 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
6554 void *iommu; /* hook for IOMMU specific extension */
6555diff -urNp linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h
6556--- linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h 2010-03-15 12:09:39.000000000 -0400
6557+++ linux-2.6.33.1/arch/x86/include/asm/dma-mapping.h 2010-03-20 16:58:38.976510592 -0400
6558@@ -26,9 +26,9 @@ extern int iommu_merge;
6559 extern struct device x86_dma_fallback_dev;
6560 extern int panic_on_overflow;
6561
6562-extern struct dma_map_ops *dma_ops;
6563+extern const struct dma_map_ops *dma_ops;
6564
6565-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
6566+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
6567 {
6568 #ifdef CONFIG_X86_32
6569 return dma_ops;
6570@@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
6571 /* Make sure we keep the same behaviour */
6572 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
6573 {
6574- struct dma_map_ops *ops = get_dma_ops(dev);
6575+ const struct dma_map_ops *ops = get_dma_ops(dev);
6576 if (ops->mapping_error)
6577 return ops->mapping_error(dev, dma_addr);
6578
6579@@ -123,7 +123,7 @@ static inline void *
6580 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
6581 gfp_t gfp)
6582 {
6583- struct dma_map_ops *ops = get_dma_ops(dev);
6584+ const struct dma_map_ops *ops = get_dma_ops(dev);
6585 void *memory;
6586
6587 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
6588@@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
6589 static inline void dma_free_coherent(struct device *dev, size_t size,
6590 void *vaddr, dma_addr_t bus)
6591 {
6592- struct dma_map_ops *ops = get_dma_ops(dev);
6593+ const struct dma_map_ops *ops = get_dma_ops(dev);
6594
6595 WARN_ON(irqs_disabled()); /* for portability */
6596
6597diff -urNp linux-2.6.33.1/arch/x86/include/asm/e820.h linux-2.6.33.1/arch/x86/include/asm/e820.h
6598--- linux-2.6.33.1/arch/x86/include/asm/e820.h 2010-03-15 12:09:39.000000000 -0400
6599+++ linux-2.6.33.1/arch/x86/include/asm/e820.h 2010-03-20 16:58:38.976510592 -0400
6600@@ -64,7 +64,7 @@ struct e820map {
6601 #define ISA_START_ADDRESS 0xa0000
58c5fc13 6602 #define ISA_END_ADDRESS 0x100000
58c5fc13
MT
6603
6604-#define BIOS_BEGIN 0x000a0000
6605+#define BIOS_BEGIN 0x000c0000
6606 #define BIOS_END 0x00100000
6607
6608 #ifdef __KERNEL__
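Review bot: BIOS_BEGIN moves from 0x000a0000 to 0x000c0000 with no comment, which silently narrows every range check built on it, while `ISA_START_ADDRESS` on the context line above still starts at 0xa0000. The users of BIOS_BEGIN are outside this hunk, so the effect cannot be judged from here. A comment should say which region is being excluded and why, e.g. `/* 0xa0000-0xbffff is no longer treated as BIOS area: <reason> */`.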
ae4e228f
MT
6609diff -urNp linux-2.6.33.1/arch/x86/include/asm/elf.h linux-2.6.33.1/arch/x86/include/asm/elf.h
6610--- linux-2.6.33.1/arch/x86/include/asm/elf.h 2010-03-15 12:09:39.000000000 -0400
6611+++ linux-2.6.33.1/arch/x86/include/asm/elf.h 2010-03-20 16:58:38.976510592 -0400
6612@@ -237,7 +237,25 @@ extern int force_personality32;
58c5fc13
MT
6613 the loader. We need to make sure that it is out of the way of the program
6614 that it will "exec", and that there is sufficient room for the brk. */
6615
6616+#ifdef CONFIG_PAX_SEGMEXEC
6617+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
6618+#else
6619 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
6620+#endif
6621+
6622+#ifdef CONFIG_PAX_ASLR
6623+#ifdef CONFIG_X86_32
6624+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
6625+
6626+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6627+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
6628+#else
6629+#define PAX_ELF_ET_DYN_BASE 0x400000UL
6630+
6631+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6632+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : 32)
6633+#endif
6634+#endif
6635
6636 /* This yields a mask that user programs can use to figure out what
6637 instruction set this CPU supports. This could be done in user space,
ae4e228f 6638@@ -291,8 +309,7 @@ do { \
58c5fc13
MT
6639 #define ARCH_DLINFO \
6640 do { \
6641 if (vdso_enabled) \
6642- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
6643- (unsigned long)current->mm->context.vdso); \
6644+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
6645 } while (0)
6646
6647 #define AT_SYSINFO 32
ae4e228f 6648@@ -303,7 +320,7 @@ do { \
58c5fc13
MT
6649
6650 #endif /* !CONFIG_X86_32 */
6651
6652-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
6653+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
6654
6655 #define VDSO_ENTRY \
6656 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
ae4e228f 6657@@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
58c5fc13
MT
6658 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
6659 #define compat_arch_setup_additional_pages syscall32_setup_pages
6660
6661-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
6662-#define arch_randomize_brk arch_randomize_brk
6663-
6664 #endif /* _ASM_X86_ELF_H */
ae4e228f
MT
6665diff -urNp linux-2.6.33.1/arch/x86/include/asm/futex.h linux-2.6.33.1/arch/x86/include/asm/futex.h
6666--- linux-2.6.33.1/arch/x86/include/asm/futex.h 2010-03-15 12:09:39.000000000 -0400
6667+++ linux-2.6.33.1/arch/x86/include/asm/futex.h 2010-03-20 16:58:38.976510592 -0400
58c5fc13
MT
6668@@ -11,6 +11,40 @@
6669 #include <asm/processor.h>
6670 #include <asm/system.h>
6671
6672+#ifdef CONFIG_X86_32
6673+#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6674+ asm volatile( \
6675+ "movw\t%w6, %%ds\n" \
6676+ "1:\t" insn "\n" \
6677+ "2:\tpushl\t%%ss\n" \
6678+ "\tpopl\t%%ds\n" \
6679+ "\t.section .fixup,\"ax\"\n" \
6680+ "3:\tmov\t%3, %1\n" \
6681+ "\tjmp\t2b\n" \
6682+ "\t.previous\n" \
6683+ _ASM_EXTABLE(1b, 3b) \
6684+ : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
6685+ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
6686+
6687+#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
6688+ asm volatile("movw\t%w7, %%es\n" \
6689+ "1:\tmovl\t%%es:%2, %0\n" \
6690+ "\tmovl\t%0, %3\n" \
6691+ "\t" insn "\n" \
6692+ "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
6693+ "\tjnz\t1b\n" \
6694+ "3:\tpushl\t%%ss\n" \
6695+ "\tpopl\t%%es\n" \
6696+ "\t.section .fixup,\"ax\"\n" \
6697+ "4:\tmov\t%5, %1\n" \
6698+ "\tjmp\t3b\n" \
6699+ "\t.previous\n" \
6700+ _ASM_EXTABLE(1b, 4b) \
6701+ _ASM_EXTABLE(2b, 4b) \
6702+ : "=&a" (oldval), "=&r" (ret), \
6703+ "+m" (*uaddr), "=&r" (tem) \
6704+ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
6705+#else
6706 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
6707 asm volatile("1:\t" insn "\n" \
6708 "2:\t.section .fixup,\"ax\"\n" \
6709@@ -36,8 +70,9 @@
6710 : "=&a" (oldval), "=&r" (ret), \
6711 "+m" (*uaddr), "=&r" (tem) \
6712 : "r" (oparg), "i" (-EFAULT), "1" (0))
6713+#endif
6714
6715-static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
6716+static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
6717 {
6718 int op = (encoded_op >> 28) & 7;
6719 int cmp = (encoded_op >> 24) & 15;
6720@@ -61,11 +96,20 @@ static inline int futex_atomic_op_inuser
6721
6722 switch (op) {
6723 case FUTEX_OP_SET:
6724+#ifdef CONFIG_X86_32
6725+ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
6726+#else
6727 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
6728+#endif
6729 break;
6730 case FUTEX_OP_ADD:
6731+#ifdef CONFIG_X86_32
6732+ __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
6733+ uaddr, oparg);
6734+#else
6735 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
6736 uaddr, oparg);
6737+#endif
6738 break;
6739 case FUTEX_OP_OR:
6740 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
6741@@ -109,7 +153,7 @@ static inline int futex_atomic_op_inuser
6742 return ret;
6743 }
6744
6745-static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
6746+static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
6747 int newval)
6748 {
6749
6750@@ -122,14 +166,27 @@ static inline int futex_atomic_cmpxchg_i
6751 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
6752 return -EFAULT;
6753
6754- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6755+ asm volatile(
6756+#ifdef CONFIG_X86_32
6757+ "\tmovw %w5, %%ds\n"
6758+ "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6759+ "2:\tpushl %%ss\n"
6760+ "\tpopl %%ds\n"
6761+ "\t.section .fixup, \"ax\"\n"
6762+#else
6763+ "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
6764 "2:\t.section .fixup, \"ax\"\n"
6765+#endif
6766 "3:\tmov %2, %0\n"
6767 "\tjmp 2b\n"
6768 "\t.previous\n"
6769 _ASM_EXTABLE(1b, 3b)
6770 : "=a" (oldval), "+m" (*uaddr)
6771+#ifdef CONFIG_X86_32
6772+ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
6773+#else
6774 : "i" (-EFAULT), "r" (newval), "0" (oldval)
6775+#endif
6776 : "memory"
6777 );
6778
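Review bot: In the CONFIG_X86_32 branch of futex_atomic_cmpxchg_inatomic the access is written as `cmpxchgl %3, %1` with no segment override, whereas the FUTEX_OP_SET and FUTEX_OP_ADD call sites changed earlier in this file spell out `%%ds:%2`. If the compiler addresses `*uaddr` through %ebp or %esp, the default segment is %ss rather than the %ds just loaded with `__USER_DS`, so the access would not go through the user segment. Writing `"1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"` makes the three sites consistent. The function starts above the hunk and continues below it.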
ae4e228f
MT
6779diff -urNp linux-2.6.33.1/arch/x86/include/asm/i387.h linux-2.6.33.1/arch/x86/include/asm/i387.h
6780--- linux-2.6.33.1/arch/x86/include/asm/i387.h 2010-03-15 12:09:39.000000000 -0400
6781+++ linux-2.6.33.1/arch/x86/include/asm/i387.h 2010-03-20 16:58:38.976510592 -0400
6782@@ -197,13 +197,8 @@ static inline int fxrstor_checking(struc
58c5fc13
MT
6783 }
6784
6785 /* We need a safe address that is cheap to find and that is already
6786- in L1 during context switch. The best choices are unfortunately
6787- different for UP and SMP */
6788-#ifdef CONFIG_SMP
6789-#define safe_address (__per_cpu_offset[0])
6790-#else
6791-#define safe_address (kstat_cpu(0).cpustat.user)
6792-#endif
6793+ in L1 during context switch. */
6794+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
6795
6796 /*
6797 * These must be called with preempt disabled
ae4e228f
MT
6798diff -urNp linux-2.6.33.1/arch/x86/include/asm/io_64.h linux-2.6.33.1/arch/x86/include/asm/io_64.h
6799--- linux-2.6.33.1/arch/x86/include/asm/io_64.h 2010-03-15 12:09:39.000000000 -0400
6800+++ linux-2.6.33.1/arch/x86/include/asm/io_64.h 2010-03-20 16:58:38.976510592 -0400
58c5fc13
MT
6801@@ -140,6 +140,17 @@ __OUTS(l)
6802
6803 #include <linux/vmalloc.h>
6804
6805+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
ae4e228f 6806+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
58c5fc13
MT
6807+{
6808+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6809+}
6810+
ae4e228f 6811+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
58c5fc13
MT
6812+{
6813+ return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
6814+}
6815+
6816 #include <asm-generic/iomap.h>
6817
6818 void __memcpy_fromio(void *, unsigned long, unsigned);
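Review bot: Both new range checks compute the limit as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` with an `int` constant. On CPUs reporting 44 or more physical address bits the shift count reaches the width of `int`, which is undefined behaviour and gives a wrong bound. Use `1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` in both functions. In valid_phys_addr_range the sum `addr + count + PAGE_SIZE - 1` can also wrap for large arguments and then pass the comparison; checking `count` against the remaining range before adding avoids that.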
ae4e228f
MT
6819diff -urNp linux-2.6.33.1/arch/x86/include/asm/iommu.h linux-2.6.33.1/arch/x86/include/asm/iommu.h
6820--- linux-2.6.33.1/arch/x86/include/asm/iommu.h 2010-03-15 12:09:39.000000000 -0400
6821+++ linux-2.6.33.1/arch/x86/include/asm/iommu.h 2010-03-20 16:58:38.976510592 -0400
6822@@ -1,7 +1,7 @@
6823 #ifndef _ASM_X86_IOMMU_H
6824 #define _ASM_X86_IOMMU_H
6825
6826-extern struct dma_map_ops nommu_dma_ops;
6827+extern const struct dma_map_ops nommu_dma_ops;
6828 extern int force_iommu, no_iommu;
6829 extern int iommu_detected;
6830 extern int iommu_pass_through;
6831diff -urNp linux-2.6.33.1/arch/x86/include/asm/irqflags.h linux-2.6.33.1/arch/x86/include/asm/irqflags.h
6832--- linux-2.6.33.1/arch/x86/include/asm/irqflags.h 2010-03-15 12:09:39.000000000 -0400
6833+++ linux-2.6.33.1/arch/x86/include/asm/irqflags.h 2010-03-20 17:06:47.204705877 -0400
6834@@ -142,10 +142,77 @@ static inline unsigned long __raw_local_
6835 sti; \
6836 sysexit
6837
6838+/* PaX: special register usage in entry_64.S, beware */
6839+#ifdef CONFIG_PAX_KERNEXEC
6840+ .macro ljmpq sel, off
6841+ .byte 0x48; ljmp *1234f(%rip)
6842+ .pushsection .rodata
6843+ .align 16
6844+ 1234: .quad \off; .word \sel
6845+ .popsection
6846+ .endm
6847+
6848+#define PAX_EXIT_KERNEL \
6849+ push %rsi; \
6850+ mov %cs, %rsi; \
6851+ cmp $__KERNEXEC_KERNEL_CS, %esi;\
6852+ jnz 2f; \
6853+ mov %cr0, %rsi; \
6854+ btc $16, %rsi; \
6855+ ljmpq __KERNEL_CS, 1f; \
6856+1: mov %rsi, %cr0; \
6857+2: pop %rsi
6858+
6859+#define PAX_ENTER_KERNEL \
6860+ push %rsi; \
6861+ mov %cr0, %rsi; \
6862+ bts $16, %rsi; \
6863+ jnc 1f; \
6864+ mov %cs, %esi; \
6865+ cmp $__KERNEL_CS, %esi; \
6866+ jz 3f; \
6867+ ljmpq __KERNEL_CS, 3f; \
6868+1: ljmpq __KERNEXEC_KERNEL_CS, 2f; \
6869+2: mov %rsi, %cr0; \
6870+3: pop %rsi
6871+#else
6872+#define PAX_EXIT_KERNEL
6873+#define PAX_ENTER_KERNEL
6874+#endif
6875+
6876 #else
58c5fc13
MT
6877 #define INTERRUPT_RETURN iret
6878 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
6879 #define GET_CR0_INTO_EAX movl %cr0, %eax
ae4e228f
MT
6880+
6881+/* PaX: special register usage in entry_32.S, beware */
6882+#ifdef CONFIG_PAX_KERNEXEC
6883+#define PAX_EXIT_KERNEL \
6884+ mov %cs, %esi; \
6885+ cmp $__KERNEXEC_KERNEL_CS, %esi;\
6886+ jnz 2f; \
6887+ mov %cr0, %esi; \
6888+ btc $16, %esi; \
6889+ ljmp $__KERNEL_CS, $1f; \
6890+1: mov %esi, %cr0; \
6891+2:
6892+
6893+#define PAX_ENTER_KERNEL \
6894+ mov %cr0, %esi; \
6895+ bts $16, %esi; \
6896+ jnc 1f; \
6897+ mov %cs, %esi; \
6898+ cmp $__KERNEL_CS, %esi; \
6899+ jz 3f; \
6900+ ljmp $__KERNEL_CS, $3f; \
6901+1: ljmp $__KERNEXEC_KERNEL_CS, $2f;\
6902+2: mov %esi, %cr0; \
6903+3:
6904+#else
6905+#define PAX_EXIT_KERNEL
6906+#define PAX_ENTER_KERNEL
6907+#endif
6908+
58c5fc13
MT
6909 #endif
6910
6911
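Review bot: The comments `PaX: special register usage in entry_64.S, beware` and its entry_32.S twin do not say which register is affected or what the macros do. From the code, the 32-bit PAX_ENTER_KERNEL and PAX_EXIT_KERNEL overwrite %esi without saving it, while the 64-bit versions push and pop %rsi. Both change bit 16 of CR0 (write protect) and switch between `__KERNEL_CS` and `__KERNEXEC_KERNEL_CS`. I would replace the 32-bit comment with something like `/* PaX: clobbers %esi and EFLAGS; changes CR0.WP */` and note on the 64-bit one that the stack must be usable because of the `push`/`pop`.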
ae4e228f
MT
6912diff -urNp linux-2.6.33.1/arch/x86/include/asm/kvm_host.h linux-2.6.33.1/arch/x86/include/asm/kvm_host.h
6913--- linux-2.6.33.1/arch/x86/include/asm/kvm_host.h 2010-03-15 12:09:39.000000000 -0400
6914+++ linux-2.6.33.1/arch/x86/include/asm/kvm_host.h 2010-03-20 16:58:38.976510592 -0400
6915@@ -536,7 +536,7 @@ struct kvm_x86_ops {
6916 const struct trace_print_flags *exit_reasons_str;
58c5fc13
MT
6917 };
6918
6919-extern struct kvm_x86_ops *kvm_x86_ops;
6920+extern const struct kvm_x86_ops *kvm_x86_ops;
6921
6922 int kvm_mmu_module_init(void);
6923 void kvm_mmu_module_exit(void);
ae4e228f
MT
6924diff -urNp linux-2.6.33.1/arch/x86/include/asm/local.h linux-2.6.33.1/arch/x86/include/asm/local.h
6925--- linux-2.6.33.1/arch/x86/include/asm/local.h 2010-03-15 12:09:39.000000000 -0400
6926+++ linux-2.6.33.1/arch/x86/include/asm/local.h 2010-03-20 16:58:38.976510592 -0400
58c5fc13
MT
6927@@ -18,26 +18,90 @@ typedef struct {
6928
6929 static inline void local_inc(local_t *l)
6930 {
6931- asm volatile(_ASM_INC "%0"
6932+ asm volatile(_ASM_INC "%0\n"
6933+
6934+#ifdef CONFIG_PAX_REFCOUNT
6935+#ifdef CONFIG_X86_32
6936+ "into\n0:\n"
6937+#else
6938+ "jno 0f\n"
6939+ "int $4\n0:\n"
6940+#endif
6941+ ".pushsection .fixup,\"ax\"\n"
6942+ "1:\n"
6943+ _ASM_DEC "%0\n"
6944+ "jmp 0b\n"
6945+ ".popsection\n"
6946+ _ASM_EXTABLE(0b, 1b)
6947+#endif
6948+
6949 : "+m" (l->a.counter));
6950 }
6951
6952 static inline void local_dec(local_t *l)
6953 {
6954- asm volatile(_ASM_DEC "%0"
6955+ asm volatile(_ASM_DEC "%0\n"
6956+
6957+#ifdef CONFIG_PAX_REFCOUNT
6958+#ifdef CONFIG_X86_32
6959+ "into\n0:\n"
6960+#else
6961+ "jno 0f\n"
6962+ "int $4\n0:\n"
6963+#endif
6964+ ".pushsection .fixup,\"ax\"\n"
6965+ "1:\n"
6966+ _ASM_INC "%0\n"
6967+ "jmp 0b\n"
6968+ ".popsection\n"
6969+ _ASM_EXTABLE(0b, 1b)
6970+#endif
6971+
6972 : "+m" (l->a.counter));
6973 }
6974
6975 static inline void local_add(long i, local_t *l)
6976 {
6977- asm volatile(_ASM_ADD "%1,%0"
6978+ asm volatile(_ASM_ADD "%1,%0\n"
6979+
6980+#ifdef CONFIG_PAX_REFCOUNT
6981+#ifdef CONFIG_X86_32
6982+ "into\n0:\n"
6983+#else
6984+ "jno 0f\n"
6985+ "int $4\n0:\n"
6986+#endif
6987+ ".pushsection .fixup,\"ax\"\n"
6988+ "1:\n"
6989+ _ASM_SUB "%1,%0\n"
6990+ "jmp 0b\n"
6991+ ".popsection\n"
6992+ _ASM_EXTABLE(0b, 1b)
6993+#endif
6994+
6995 : "+m" (l->a.counter)
6996 : "ir" (i));
6997 }
6998
6999 static inline void local_sub(long i, local_t *l)
7000 {
7001- asm volatile(_ASM_SUB "%1,%0"
7002+ asm volatile(_ASM_SUB "%1,%0\n"
7003+
7004+#ifdef CONFIG_PAX_REFCOUNT
7005+#ifdef CONFIG_X86_32
7006+ "into\n0:\n"
7007+#else
7008+ "jno 0f\n"
7009+ "int $4\n0:\n"
7010+#endif
7011+ ".pushsection .fixup,\"ax\"\n"
7012+ "1:\n"
7013+ _ASM_ADD "%1,%0\n"
7014+ "jmp 0b\n"
7015+ ".popsection\n"
7016+ _ASM_EXTABLE(0b, 1b)
7017+#endif
7018+
7019 : "+m" (l->a.counter)
7020 : "ir" (i));
7021 }
7022@@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7023 {
7024 unsigned char c;
7025
7026- asm volatile(_ASM_SUB "%2,%0; sete %1"
7027+ asm volatile(_ASM_SUB "%2,%0\n"
7028+
7029+#ifdef CONFIG_PAX_REFCOUNT
7030+#ifdef CONFIG_X86_32
7031+ "into\n0:\n"
7032+#else
7033+ "jno 0f\n"
7034+ "int $4\n0:\n"
7035+#endif
7036+ ".pushsection .fixup,\"ax\"\n"
7037+ "1:\n"
7038+ _ASM_ADD "%2,%0\n"
7039+ "jmp 0b\n"
7040+ ".popsection\n"
7041+ _ASM_EXTABLE(0b, 1b)
7042+#endif
7043+
7044+ "sete %1\n"
7045 : "+m" (l->a.counter), "=qm" (c)
7046 : "ir" (i) : "memory");
7047 return c;
7048@@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7049 {
7050 unsigned char c;
7051
7052- asm volatile(_ASM_DEC "%0; sete %1"
7053+ asm volatile(_ASM_DEC "%0\n"
7054+
7055+#ifdef CONFIG_PAX_REFCOUNT
7056+#ifdef CONFIG_X86_32
7057+ "into\n0:\n"
7058+#else
7059+ "jno 0f\n"
7060+ "int $4\n0:\n"
7061+#endif
7062+ ".pushsection .fixup,\"ax\"\n"
7063+ "1:\n"
7064+ _ASM_INC "%0\n"
7065+ "jmp 0b\n"
7066+ ".popsection\n"
7067+ _ASM_EXTABLE(0b, 1b)
7068+#endif
7069+
7070+ "sete %1\n"
7071 : "+m" (l->a.counter), "=qm" (c)
7072 : : "memory");
7073 return c != 0;
7074@@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7075 {
7076 unsigned char c;
7077
7078- asm volatile(_ASM_INC "%0; sete %1"
7079+ asm volatile(_ASM_INC "%0\n"
7080+
7081+#ifdef CONFIG_PAX_REFCOUNT
7082+#ifdef CONFIG_X86_32
7083+ "into\n0:\n"
7084+#else
7085+ "jno 0f\n"
7086+ "int $4\n0:\n"
7087+#endif
7088+ ".pushsection .fixup,\"ax\"\n"
7089+ "1:\n"
7090+ _ASM_DEC "%0\n"
7091+ "jmp 0b\n"
7092+ ".popsection\n"
7093+ _ASM_EXTABLE(0b, 1b)
7094+#endif
7095+
7096+ "sete %1\n"
7097 : "+m" (l->a.counter), "=qm" (c)
7098 : : "memory");
7099 return c != 0;
7100@@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7101 {
7102 unsigned char c;
7103
7104- asm volatile(_ASM_ADD "%2,%0; sets %1"
7105+ asm volatile(_ASM_ADD "%2,%0\n"
7106+
7107+#ifdef CONFIG_PAX_REFCOUNT
7108+#ifdef CONFIG_X86_32
7109+ "into\n0:\n"
7110+#else
7111+ "jno 0f\n"
7112+ "int $4\n0:\n"
7113+#endif
7114+ ".pushsection .fixup,\"ax\"\n"
7115+ "1:\n"
7116+ _ASM_SUB "%2,%0\n"
7117+ "jmp 0b\n"
7118+ ".popsection\n"
7119+ _ASM_EXTABLE(0b, 1b)
7120+#endif
7121+
7122+ "sets %1\n"
7123 : "+m" (l->a.counter), "=qm" (c)
7124 : "ir" (i) : "memory");
7125 return c;
7126@@ -133,7 +265,23 @@ static inline long local_add_return(long
7127 #endif
7128 /* Modern 486+ processor */
7129 __i = i;
7130- asm volatile(_ASM_XADD "%0, %1;"
7131+ asm volatile(_ASM_XADD "%0, %1\n"
7132+
7133+#ifdef CONFIG_PAX_REFCOUNT
7134+#ifdef CONFIG_X86_32
7135+ "into\n0:\n"
7136+#else
7137+ "jno 0f\n"
7138+ "int $4\n0:\n"
7139+#endif
7140+ ".pushsection .fixup,\"ax\"\n"
7141+ "1:\n"
7142+ _ASM_MOV "%0,%1\n"
7143+ "jmp 0b\n"
7144+ ".popsection\n"
7145+ _ASM_EXTABLE(0b, 1b)
7146+#endif
7147+
7148 : "+r" (i), "+m" (l->a.counter)
7149 : : "memory");
7150 return i + __i;
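Review bot: In the `*_and_test` and `local_add_negative` hunks the `sete`/`sets` now sits after label `0:`, so on the overflow path (presumably reached through the exception-table entry) it samples the flags left by the undo instruction in `.fixup` rather than by the original operation. The result then describes the restored counter, which looks intended but deserves a comment such as `/* on overflow the fixup undoes the op; the flag test below sees the restored value */`. `local_add_return` still returns `i + __i`, the wrapped sum, after the fixup has written the old value back with `_ASM_MOV`, so the caller sees a value the counter never holds; confirm that no caller acts on it. The same overflow block is repeated in all nine functions with only the undo instruction changing, and one helper macro taking that instruction would keep the copies from drifting. Several of these functions begin outside their hunks.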
ae4e228f
MT
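--- a/arch/x86/include/asm/microcode.h
+++ b/arch/x86/include/asm/microcode.h
@@ -12,13 +12,13 @@ struct device;
 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
 
 struct microcode_ops {
- enum ucode_state (*request_microcode_user) (int cpu,
+ enum ucode_state (* const request_microcode_user) (int cpu,
 const void __user *buf, size_t size);
 
- enum ucode_state (*request_microcode_fw) (int cpu,
+ enum ucode_state (* const request_microcode_fw) (int cpu,
 struct device *device);
 
- void (*microcode_fini_cpu) (int cpu);
+ void (* const microcode_fini_cpu) (int cpu);
 
 /*
 * The generic 'microcode_core' part guarantees that
@@ -38,18 +38,18 @@ struct ucode_cpu_info {
 extern struct ucode_cpu_info ucode_cpu_info[];
 
 #ifdef CONFIG_MICROCODE_INTEL
-extern struct microcode_ops * __init init_intel_microcode(void);
+extern const struct microcode_ops * __init init_intel_microcode(void);
 #else
-static inline struct microcode_ops * __init init_intel_microcode(void)
+static inline const struct microcode_ops * __init init_intel_microcode(void)
 {
 return NULL;
 }
 #endif /* CONFIG_MICROCODE_INTEL */
 
 #ifdef CONFIG_MICROCODE_AMD
-extern struct microcode_ops * __init init_amd_microcode(void);
+extern const struct microcode_ops * __init init_amd_microcode(void);
 #else
-static inline struct microcode_ops * __init init_amd_microcode(void)
+static inline const struct microcode_ops * __init init_amd_microcode(void)
 {
 return NULL;
 }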
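Review bot: Only the three members visible in the first hunk gain `* const`; `struct microcode_ops` continues past the hunk's last line, so check that the remaining callbacks are qualified the same way, otherwise part of the table stays assignable. With const members the structure can only be filled by an initializer, which is worth one line above it: `/* all callbacks are const: populate with a static initializer only */`.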
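--- a/arch/x86/include/asm/mman.h
+++ b/arch/x86/include/asm/mman.h
@@ -5,4 +5,14 @@
 
 #include <asm-generic/mman.h>
 
+#ifdef __KERNEL__
+#ifndef __ASSEMBLY__
+#ifdef CONFIG_X86_32
+#define arch_mmap_check i386_mmap_check
+int i386_mmap_check(unsigned long addr, unsigned long len,
+ unsigned long flags);
+#endif
+#endif
+#endif
+
 #endif /* _ASM_X86_MMAN_H */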
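Review bot: The three nested `#endif` lines close `CONFIG_X86_32`, `__ASSEMBLY__` and `__KERNEL__` without saying which is which, while the file's own last line is written `#endif /* _ASM_X86_MMAN_H */`. Label them the same way, e.g. `#endif /* CONFIG_X86_32 */`. The prototype also needs a short comment stating what `i386_mmap_check` returns when it rejects a request, because `arch_mmap_check` is consumed by generic mmap code that is not on this page.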
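--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -34,11 +34,17 @@ static inline void switch_mm(struct mm_s
 struct task_struct *tsk)
 {
 unsigned cpu = smp_processor_id();
+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
+ int tlbstate = TLBSTATE_OK;
+#endif
 
 if (likely(prev != next)) {
 /* stop flush ipis for the previous mm */
 cpumask_clear_cpu(cpu, mm_cpumask(prev));
 #ifdef CONFIG_SMP
+#ifdef CONFIG_X86_32
+ tlbstate = percpu_read(cpu_tlbstate.state);
+#endif
 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
 percpu_write(cpu_tlbstate.active_mm, next);
 #endif
@@ -52,6 +58,26 @@ static inline void switch_mm(struct mm_s
 */
 if (unlikely(prev->context.ldt != next->context.ldt))
 load_LDT_nolock(&next->context);
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+ if (!(__supported_pte_mask & _PAGE_NX)) {
+ smp_mb__before_clear_bit();
+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
+ smp_mb__after_clear_bit();
+ cpu_set(cpu, next->context.cpu_user_cs_mask);
+ }
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
+ prev->context.user_cs_limit != next->context.user_cs_limit))
+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
+#ifdef CONFIG_SMP
+ else if (unlikely(tlbstate != TLBSTATE_OK))
+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
+#endif
+#endif
+
 }
 #ifdef CONFIG_SMP
 else {
@@ -65,6 +91,19 @@ static inline void switch_mm(struct mm_s
 */
 load_cr3(next->pgd);
 load_LDT_nolock(&next->context);
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX))
+ cpu_set(cpu, next->context.cpu_user_cs_mask);
+#endif
+
+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
+#endif
+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
+#endif
+
 }
 }
 #endif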
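Review bot: `tlbstate` is declared and assigned under `CONFIG_X86_32 && CONFIG_SMP` but read only inside the `CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC` block of the second hunk, so a 32-bit SMP build with neither option carries a variable that is written and never used. Guard the declaration and the `percpu_read` with the reader's condition, `#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))`. The `else if` that hangs between `#ifdef CONFIG_SMP` and `#endif`, and in the third hunk the brace-less `if` wrapped in `#ifdef CONFIG_PAX_PAGEEXEC` that governs the following `set_user_cs()` call, make the controlled statement depend on the configuration; braces or one combined condition would keep each variant readable. `switch_mm` begins before the first hunk, and none of the added blocks says why the user code segment must be reloaded when `tlbstate != TLBSTATE_OK`, so that case needs a comment.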
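--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -9,10 +9,23 @@
 * we put the segment information here.
 */
 typedef struct {
- void *ldt;
+ struct desc_struct *ldt;
 int size;
 struct mutex lock;
- void *vdso;
+ unsigned long vdso;
+
+#ifdef CONFIG_X86_32
+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
+ unsigned long user_cs_base;
+ unsigned long user_cs_limit;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+ cpumask_t cpu_user_cs_mask;
+#endif
+
+#endif
+#endif
+
 } mm_context_t;
 
 #ifdef CONFIG_SMP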
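Review bot: The new `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask` fields carry no comment, and the three closing `#endif` lines do not name their condition. Going by the mmu_context.h section of this patch they are the arguments handed to `set_user_cs()` and the per-mm CPU mask updated in `switch_mm()`; a line such as `/* base/limit loaded into the user code segment by set_user_cs() */` would say so. Changing `vdso` from `void *` to `unsigned long` alters the type seen by every reader of `context.vdso`, none of which is in this section, so each needs checking for a leftover pointer cast.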
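--- a/arch/x86/include/asm/module.h
+++ b/arch/x86/include/asm/module.h
@@ -65,7 +65,12 @@
 # else
 # define MODULE_STACKSIZE ""
 # endif
-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
+# ifdef CONFIG_GRKERNSEC
+# define MODULE_GRSEC "GRSECURITY "
+# else
+# define MODULE_GRSEC ""
+# endif
+# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
 #endif
 
 #endif /* _ASM_X86_MODULE_H */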
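Review bot: The vermagic string gains a tag only for `CONFIG_GRKERNSEC`, yet other options in this same patch change structure layout seen by modules: `CONFIG_PAX_KERNEXEC` adds two members to `struct pv_mmu_ops`, and `CONFIG_PAX_PAGEEXEC`/`CONFIG_PAX_SEGMEXEC` add fields to `mm_context_t`. A module built with a different PaX selection but the same `CONFIG_GRKERNSEC` value would presumably still pass the vermagic comparison. Consider one tag per layout-affecting option, following the `MODULE_GRSEC` pattern, and add a comment above `MODULE_GRSEC` saying what mismatch the tag is meant to catch. The surrounding conditional opens outside the hunk, so whether the 64-bit case is covered cannot be seen here.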
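--- a/arch/x86/include/asm/page_32_types.h
+++ b/arch/x86/include/asm/page_32_types.h
@@ -15,6 +15,10 @@
 */
 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
 
+#ifdef CONFIG_PAX_PAGEEXEC
+#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
+#endif
+
 #ifdef CONFIG_4KSTACKS
 #define THREAD_ORDER 0
 #else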
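Review bot: `CONFIG_ARCH_TRACK_EXEC_LIMIT` is defined by hand in a header although the `CONFIG_` prefix is the namespace of Kconfig-generated symbols; a symbol created this way is invisible to Kconfig dependencies and Makefiles and exists only for files that include this header before testing it. Either declare it as a Kconfig option selected by `CONFIG_PAX_PAGEEXEC` or give it a non-`CONFIG_` name. A comment naming the code that tests it is also needed, since no user appears on this page.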
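--- a/arch/x86/include/asm/page_64_types.h
+++ b/arch/x86/include/asm/page_64_types.h
@@ -39,6 +39,9 @@
 #define __START_KERNEL (__START_KERNEL_map + __PHYSICAL_START)
 #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
 
+#define ktla_ktva(addr) (addr)
+#define ktva_ktla(addr) (addr)
+
 /* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */
 #define __PHYSICAL_MASK_SHIFT 46
 #define __VIRTUAL_MASK_SHIFT 47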
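--- a/arch/x86/include/asm/paravirt.h
+++ b/arch/x86/include/asm/paravirt.h
@@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned
 pv_mmu_ops.set_fixmap(idx, phys, flags);
 }
 
+#ifdef CONFIG_PAX_KERNEXEC
+static inline unsigned long pax_open_kernel(void)
+{
+ return pv_mmu_ops.pax_open_kernel();
+}
+
+static inline unsigned long pax_close_kernel(void)
+{
+ return pv_mmu_ops.pax_close_kernel();
+}
+#else
+static inline unsigned long pax_open_kernel(void) { return 0; }
+static inline unsigned long pax_close_kernel(void) { return 0; }
+#endif
+
 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
 
 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
@@ -945,7 +960,7 @@ extern void default_banner(void);
 
 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
-#define PARA_INDIRECT(addr) *%cs:addr
+#define PARA_INDIRECT(addr) *%ss:addr
 #endif
 
 #define INTERRUPT_RETURN \
@@ -980,6 +995,34 @@ extern void default_banner(void);
 CLBR_NONE, \
 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
 
+#ifdef CONFIG_PAX_KERNEXEC
+#define PAX_EXIT_KERNEL \
+ push %eax; push %ecx; \
+ mov %cs, %eax; \
+ cmp $__KERNEXEC_KERNEL_CS, %eax; \
+ jnz 2f; \
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
+ btc $16, %eax; \
+ ljmp $__KERNEL_CS, $1f; \
+1: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
+2: pop %ecx; pop %eax; \
+
+#define PAX_ENTER_KERNEL \
+ push %eax; push %ecx; \
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
+ bts $16, %eax; \
+ jnc 1f; \
+ mov %cs, %ecx; \
+ cmp $__KERNEL_CS, %ecx; \
+ jz 3f; \
+ ljmp $__KERNEL_CS, $3f; \
+1: ljmp $__KERNEXEC_KERNEL_CS, $2f; \
+2: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
+3: pop %ecx; pop %eax;
+#else
+#define PAX_EXIT_KERNEL
+#define PAX_ENTER_KERNEL
+#endif
 
 #else /* !CONFIG_X86_32 */
 
@@ -1022,6 +1065,46 @@ extern void default_banner(void);
 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
 CLBR_NONE, \
 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
+
+#ifdef CONFIG_PAX_KERNEXEC
+ .macro ljmpq sel, off
+ .byte 0x48; ljmp *1234f(%rip)
+ .pushsection .rodata
+ .align 16
+ 1234: .quad \off; .word \sel
+ .popsection
+ .endm
+
+#define PAX_EXIT_KERNEL \
+ PV_SAVE_REGS(CLBR_NONE); \
+ mov %cs, %rax; \
+ cmp $__KERNEXEC_KERNEL_CS, %eax; \
+ jnz 2f; \
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
+ btc $16, %rax; \
+ mov %rax, %rdi; \
+ ljmpq __KERNEL_CS, 1f; \
+1: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
+2: PV_RESTORE_REGS(CLBR_NONE);
+
+#define PAX_ENTER_KERNEL \
+ PV_SAVE_REGS(CLBR_NONE); \
+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
+ bts $16, %rax; \
+ jnc 1f; \
+ mov %cs, %rax; \
+ cmp $__KERNEL_CS, %eax; \
+ jz 3f; \
+ ljmpq __KERNEL_CS, 3f; \
+1: mov %rax, %rdi; \
+ ljmpq __KERNEXEC_KERNEL_CS, 2f; \
+2: call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);\
+3: PV_RESTORE_REGS(CLBR_NONE);
+#else
+#define PAX_EXIT_KERNEL
+#define PAX_ENTER_KERNEL
+#endif
+
 #endif /* CONFIG_X86_32 */
 
 #endif /* __ASSEMBLY__ */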
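Review bot: The 32-bit `PAX_EXIT_KERNEL` ends with `2: pop %ecx; pop %eax; \`, a line continuation into the blank line that follows, whereas `PAX_ENTER_KERNEL` and both 64-bit macros end without one; drop the trailing backslash so that a later edit to that blank line cannot be absorbed into the macro. The literal `$16` in `btc`/`bts` is the bit that the C side of this patch spells `X86_CR0_WP`, and deserves a named constant or at least `/* CR0.WP */` beside it. The switch of `PARA_INDIRECT` from `%cs:` to `%ss:`, and the hand-encoded `.byte 0x48` prefix with the fixed local label `1234` in `ljmpq`, are equally unexplained, and each needs a one-line comment giving the reason.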
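--- a/arch/x86/include/asm/paravirt_types.h
+++ b/arch/x86/include/asm/paravirt_types.h
@@ -316,6 +316,12 @@ struct pv_mmu_ops {
 an mfn. We can tell which is which from the index. */
 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
 phys_addr_t phys, pgprot_t flags);
+
+#ifdef CONFIG_PAX_KERNEXEC
+ unsigned long (*pax_open_kernel)(void);
+ unsigned long (*pax_close_kernel)(void);
+#endif
+
 };
 
 struct arch_spinlock;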
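Review bot: Both new hooks return `unsigned long`, but nothing says what the value is, and every caller on this page (`native_set_pmd`, `native_set_pud`, `native_set_pgd`, `clone_pgd_range`, `kpte_clear_flush`) discards it. Document the return value next to the members — the native implementation in the pgtable.h section returns the CR0 value it read before toggling WP — or make the hooks `void` if no caller needs it. Because the members exist only under `CONFIG_PAX_KERNEXEC`, the layout of `struct pv_mmu_ops` now depends on that option, which is worth a comment for anyone building out-of-tree code against it.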
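--- a/arch/x86/include/asm/pci_x86.h
+++ b/arch/x86/include/asm/pci_x86.h
@@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
 
 struct pci_raw_ops {
- int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
+ int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
 int reg, int len, u32 *val);
- int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
+ int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
 int reg, int len, u32 val);
 };
 
-extern struct pci_raw_ops *raw_pci_ops;
-extern struct pci_raw_ops *raw_pci_ext_ops;
+extern const struct pci_raw_ops *raw_pci_ops;
+extern const struct pci_raw_ops *raw_pci_ext_ops;
 
-extern struct pci_raw_ops pci_direct_conf1;
+extern const struct pci_raw_ops pci_direct_conf1;
 extern bool port_cf9_safe;
 
 /* arch_initcall level */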
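--- a/arch/x86/include/asm/pgalloc.h
+++ b/arch/x86/include/asm/pgalloc.h
@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
 pmd_t *pmd, pte_t *pte)
 {
 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
+}
+
+static inline void pmd_populate_user(struct mm_struct *mm,
+ pmd_t *pmd, pte_t *pte)
+{
+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
 }
 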
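Review bot: `pmd_populate_kernel()` now installs `_KERNPG_TABLE` and the previous `_PAGE_TABLE` behaviour moves to the new `pmd_populate_user()`, but neither function says which callers belong to which. The distinction is security-relevant because, judging by the `pgd_bad()` mask on this page, the two constants differ in `_PAGE_USER`; add `/* kernel page tables: never user-accessible */` and `/* page tables backing user address space */` above them. Existing callers of `pmd_populate_kernel()` that relied on the user bit are outside this page and have to be moved to the `_user` variant by the rest of the patch.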
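--- a/arch/x86/include/asm/pgtable-2level.h
+++ b/arch/x86/include/asm/pgtable-2level.h
@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
 
 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
 {
+ pax_open_kernel();
 *pmdp = pmd;
+ pax_close_kernel();
 }
 
 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)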
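Review bot: `native_set_pmd()` now brackets its store with `pax_open_kernel()`/`pax_close_kernel()`, and the native implementation in the pgtable.h section hits `BUG_ON` when write protection is already off on entry, so the pair cannot be nested. Any caller that already holds the window open must therefore not reach `native_set_pmd()`, `native_set_pud()` or `native_set_pgd()` (the same change appears in the pgtable-3level.h and pgtable_64.h sections); `clone_pgd_range()` on this page respects that by assigning through the pointer directly. State the rule where it will be read: `/* must not be called between pax_open_kernel() and pax_close_kernel() */`.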
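--- a/arch/x86/include/asm/pgtable_32.h
+++ b/arch/x86/include/asm/pgtable_32.h
@@ -26,8 +26,6 @@
 struct mm_struct;
 struct vm_area_struct;
 
-extern pgd_t swapper_pg_dir[1024];
-
 static inline void pgtable_cache_init(void) { }
 static inline void check_pgt_cache(void) { }
 void paging_init(void);
@@ -48,6 +46,11 @@ extern void set_pmd_pfn(unsigned long, u
 # include <asm/pgtable-2level.h>
 #endif
 
+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
+#ifdef CONFIG_X86_PAE
+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
+#endif
+
 #if defined(CONFIG_HIGHPTE)
 #define __KM_PTE \
 (in_nmi() ? KM_NMI_PTE : \
@@ -72,7 +75,9 @@ extern void set_pmd_pfn(unsigned long, u
 /* Clear a kernel PTE and flush it from the TLB */
 #define kpte_clear_flush(ptep, vaddr) \
 do { \
+ pax_open_kernel(); \
 pte_clear(&init_mm, (vaddr), (ptep)); \
+ pax_close_kernel(); \
 __flush_tlb_one((vaddr)); \
 } while (0)
 
@@ -84,6 +89,9 @@ do { \
 
 #endif /* !__ASSEMBLY__ */
 
+#define HAVE_ARCH_UNMAPPED_AREA
+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
+
 /*
 * kern_addr_valid() is (1) for FLATMEM and (0) for
 * SPARSEMEM and DISCONTIGMEM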
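--- a/arch/x86/include/asm/pgtable_32_types.h
+++ b/arch/x86/include/asm/pgtable_32_types.h
@@ -8,7 +8,7 @@
 */
 #ifdef CONFIG_X86_PAE
 # include <asm/pgtable-3level_types.h>
-# define PMD_SIZE (1UL << PMD_SHIFT)
+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
 # define PMD_MASK (~(PMD_SIZE - 1))
 #else
 # include <asm/pgtable-2level_types.h>
@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
 #endif
 
+#ifdef CONFIG_PAX_KERNEXEC
+#ifndef __ASSEMBLY__
+extern unsigned char MODULES_EXEC_VADDR[];
+extern unsigned char MODULES_EXEC_END[];
+#endif
+#include <asm/boot.h>
+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
+#else
+#define ktla_ktva(addr) (addr)
+#define ktva_ktla(addr) (addr)
+#endif
+
 #define MODULES_VADDR VMALLOC_START
 #define MODULES_END VMALLOC_END
 #define MODULES_LEN (MODULES_VADDR - MODULES_END)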
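Review bot: The KERNEXEC variants of `ktla_ktva(addr)` and `ktva_ktla(addr)` expand `addr` without parentheses, so an argument containing a lower-precedence operator (a conditional expression, a bitwise mask) is combined with `+ LOAD_PHYSICAL_ADDR` in the wrong order; the fallback definitions in the same hunk and in page_64_types.h already write `(addr)`. Use `((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. Neither macro name is explained anywhere on this page, so a comment naming the two address spaces they convert between belongs above the `#ifdef`.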
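--- a/arch/x86/include/asm/pgtable-3level.h
+++ b/arch/x86/include/asm/pgtable-3level.h
@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
 
 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
 {
+ pax_open_kernel();
 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
+ pax_close_kernel();
 }
 
 static inline void native_set_pud(pud_t *pudp, pud_t pud)
 {
+ pax_open_kernel();
 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
+ pax_close_kernel();
 }
 
 /*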
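--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -16,9 +16,12 @@
 
 extern pud_t level3_kernel_pgt[512];
 extern pud_t level3_ident_pgt[512];
+extern pud_t level3_vmalloc_pgt[512];
+extern pud_t level3_vmemmap_pgt[512];
+extern pud_t level2_vmemmap_pgt[512];
 extern pmd_t level2_kernel_pgt[512];
 extern pmd_t level2_fixmap_pgt[512];
-extern pmd_t level2_ident_pgt[512];
+extern pmd_t level2_ident_pgt[512*2];
 extern pgd_t init_level4_pgt[];
 
 #define swapper_pg_dir init_level4_pgt
@@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
 
 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
 {
+ pax_open_kernel();
 *pmdp = pmd;
+ pax_close_kernel();
 }
 
 static inline void native_pmd_clear(pmd_t *pmd)
@@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
 
 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
 {
+ pax_open_kernel();
 *pgdp = pgd;
+ pax_close_kernel();
 }
 
 static inline void native_pgd_clear(pgd_t *pgd)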
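Review bot: `level2_vmemmap_pgt` is declared as `pud_t` although every other `level2_*` table in this hunk is `pmd_t` and the `level3_*` tables are `pud_t`, which looks like a copy of the line above it. If the table really is a PMD-level table, declare it `extern pmd_t level2_vmemmap_pgt[512];` so that C users get the matching accessor types; the definition is not on this page, so confirm against it. `level2_ident_pgt[512*2]` would also read better with a comment saying why the identity map now needs twice the entries.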
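--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -76,12 +76,51 @@ extern struct list_head pgd_list;
 
 #define arch_end_context_switch(prev) do {} while(0)
 
+#define pax_open_kernel() native_pax_open_kernel()
+#define pax_close_kernel() native_pax_close_kernel()
 #endif /* CONFIG_PARAVIRT */
 
+#define __HAVE_ARCH_PAX_OPEN_KERNEL
+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
+
+#ifdef CONFIG_PAX_KERNEXEC
+static inline unsigned long native_pax_open_kernel(void)
+{
+ unsigned long cr0;
+
+ preempt_disable();
+ barrier();
+ cr0 = read_cr0() ^ X86_CR0_WP;
+ BUG_ON(unlikely(cr0 & X86_CR0_WP));
+ write_cr0(cr0);
+ return cr0 ^ X86_CR0_WP;
+}
+
+static inline unsigned long native_pax_close_kernel(void)
+{
+ unsigned long cr0;
+
+ cr0 = read_cr0() ^ X86_CR0_WP;
+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
+ write_cr0(cr0);
+ barrier();
+ preempt_enable_no_resched();
+ return cr0 ^ X86_CR0_WP;
+}
+#else
+static inline unsigned long native_pax_open_kernel(void) { return 0; }
+static inline unsigned long native_pax_close_kernel(void) { return 0; }
+#endif
+
 /*
 * The following only work if pte_present() is true.
 * Undefined behaviour if not..
 */
+static inline int pte_user(pte_t pte)
+{
+ return pte_val(pte) & _PAGE_USER;
+}
+
 static inline int pte_dirty(pte_t pte)
 {
 return pte_flags(pte) & _PAGE_DIRTY;
@@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
 return pte_clear_flags(pte, _PAGE_RW);
 }
 
+static inline pte_t pte_mkread(pte_t pte)
+{
+ return __pte(pte_val(pte) | _PAGE_USER);
+}
+
 static inline pte_t pte_mkexec(pte_t pte)
 {
- return pte_clear_flags(pte, _PAGE_NX);
+#ifdef CONFIG_X86_PAE
+ if (__supported_pte_mask & _PAGE_NX)
+ return pte_clear_flags(pte, _PAGE_NX);
+ else
+#endif
+ return pte_set_flags(pte, _PAGE_USER);
+}
+
+static inline pte_t pte_exprotect(pte_t pte)
+{
+#ifdef CONFIG_X86_PAE
+ if (__supported_pte_mask & _PAGE_NX)
+ return pte_set_flags(pte, _PAGE_NX);
+ else
+#endif
+ return pte_clear_flags(pte, _PAGE_USER);
 }
 
 static inline pte_t pte_mkdirty(pte_t pte)
@@ -474,7 +533,7 @@ static inline pud_t *pud_offset(pgd_t *p
 
 static inline int pgd_bad(pgd_t pgd)
 {
- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
 }
 
 static inline int pgd_none(pgd_t pgd)
@@ -613,9 +672,12 @@ static inline void ptep_set_wrprotect(st
 * dst and src can be on the same page, but the range must not overlap,
 * and must not cross a page boundary.
 */
-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
 {
- memcpy(dst, src, count * sizeof(pgd_t));
+ pax_open_kernel();
+ while (count--)
+ *dst++ = *src++;
+ pax_close_kernel();
 }
 
 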
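Review bot: `native_pax_open_kernel()` clears CR0.WP after `preempt_disable()` only, so unless callers mask interrupts themselves, an interrupt taken between open and close runs its handler on this CPU with kernel write protection off. That property, the `BUG_ON` on nested use and the meaning of the returned CR0 value should be written down in a header comment above the pair, since every page-table setter on this page now depends on them. In `clone_pgd_range()` the new `while (count--)` loop does not stop for a negative `count` and would run with the window open; `while (count-- > 0)` costs nothing. `pte_user()` and `pte_mkread()` use `pte_val()` where the neighbouring helpers use `pte_flags()` and `pte_set_flags()`, e.g. `return pte_set_flags(pte, _PAGE_USER);`.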
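--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -16,12 +16,11 @@
 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
-#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
-#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
-#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
 
 /* If _PAGE_BIT_PRESENT is clear, we use these: */
@@ -39,7 +38,6 @@
 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
-#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
@@ -55,8 +53,10 @@
 
 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
-#else
+#elif defined(CONFIG_KMEMCHECK)
 #define _PAGE_NX (_AT(pteval_t, 0))
+#else
+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
 #endif
 
 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
@@ -93,6 +93,9 @@
 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
 _PAGE_ACCESSED)
 
+#define PAGE_READONLY_NOEXEC PAGE_READONLY
+#define PAGE_SHARED_NOEXEC PAGE_SHARED
+
 #define __PAGE_KERNEL_EXEC \
 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
@@ -103,8 +106,8 @@
 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
-#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
+#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
@@ -163,8 +166,8 @@
 * bits are combined, this will alow user to access the high address mapped
 * VDSO in the presence of CONFIG_COMPAT_VDSO
 */
-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
-#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
 #endif
 
@@ -278,7 +281,6 @@ typedef struct page *pgtable_t;
 
 extern pteval_t __supported_pte_mask;
 extern void set_nx(void);
-extern int nx_enabled;
 
 #define pgprot_writecombine pgprot_writecombine
 extern pgprot_t pgprot_writecombine(pgprot_t prot);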
7861diff -urNp linux-2.6.33.1/arch/x86/include/asm/processor.h linux-2.6.33.1/arch/x86/include/asm/processor.h
7862--- linux-2.6.33.1/arch/x86/include/asm/processor.h 2010-03-15 12:09:39.000000000 -0400
7863+++ linux-2.6.33.1/arch/x86/include/asm/processor.h 2010-03-20 16:58:38.980670389 -0400
7864@@ -273,7 +273,7 @@ struct tss_struct {
58c5fc13
MT
7865
7866 } ____cacheline_aligned;
7867
7868-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
7869+extern struct tss_struct init_tss[NR_CPUS];
7870
7871 /*
7872 * Save the original ist values for checking stack pointers during debugging
ae4e228f 7873@@ -913,8 +913,15 @@ static inline void spin_lock_prefetch(co
58c5fc13
MT
7874 */
7875 #define TASK_SIZE PAGE_OFFSET
7876 #define TASK_SIZE_MAX TASK_SIZE
7877+
7878+#ifdef CONFIG_PAX_SEGMEXEC
7879+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
58c5fc13
MT
7880+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
7881+#else
7882 #define STACK_TOP TASK_SIZE
7883-#define STACK_TOP_MAX STACK_TOP
7884+#endif
ae4e228f 7885+
58c5fc13
MT
7886+#define STACK_TOP_MAX TASK_SIZE
7887
7888 #define INIT_THREAD { \
7889 .sp0 = sizeof(init_stack) + (long)&init_stack, \
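Review bot: The SEGMEXEC variant of `STACK_TOP` dereferences `current->mm` unconditionally, so any user of the macro that runs in a context where `current->mm` is NULL would fault; whether such a user exists is not visible in this hunk. A guarded form costs little: `#define STACK_TOP ((current->mm && (current->mm->pax_flags & MF_PAX_SEGMEXEC)) ? SEGMEXEC_TASK_SIZE : TASK_SIZE)`. It would also be worth a comment that `STACK_TOP_MAX` is intentionally the full `TASK_SIZE` even when the task's own `STACK_TOP` is halved.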
ae4e228f 7890@@ -931,7 +938,7 @@ static inline void spin_lock_prefetch(co
58c5fc13
MT
7891 */
7892 #define INIT_TSS { \
7893 .x86_tss = { \
7894- .sp0 = sizeof(init_stack) + (long)&init_stack, \
7895+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
7896 .ss0 = __KERNEL_DS, \
7897 .ss1 = __KERNEL_CS, \
7898 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
ae4e228f 7899@@ -942,11 +949,7 @@ static inline void spin_lock_prefetch(co
58c5fc13
MT
7900 extern unsigned long thread_saved_pc(struct task_struct *tsk);
7901
7902 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
7903-#define KSTK_TOP(info) \
7904-({ \
7905- unsigned long *__ptr = (unsigned long *)(info); \
7906- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
7907-})
7908+#define KSTK_TOP(info) ((info)->task.thread.sp0)
7909
7910 /*
7911 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
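Review bot: The new `KSTK_TOP(info)` expands to `(info)->task.thread.sp0`, which applies `.` to the `task` member. If `info` is meant to be a `struct thread_info *`, `task` is, as far as I recall, a pointer in this kernel, and the expression would need `((info)->task->thread.sp0)` to compile once it is expanded. No caller is visible here and the next hunk removes the one use in `task_pt_regs`, so the macro may simply be dead; if so, deleting it is cleaner than leaving an unexercised definition.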
ae4e228f 7912@@ -961,7 +964,7 @@ extern unsigned long thread_saved_pc(str
58c5fc13
MT
7913 #define task_pt_regs(task) \
7914 ({ \
7915 struct pt_regs *__regs__; \
7916- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
7917+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \
7918 __regs__ - 1; \
7919 })
7920
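Review bot: `task_pt_regs` now trusts `thread.sp0` to already include the 8-byte reservation, yet the comment kept just above it still reads "The below -8 is to reserve 8 bytes on top of the ring0 stack" and there is no `-8` below it any more. The comment should say where the reservation is applied now, e.g. `/* thread.sp0 already excludes the 8 bytes reserved on top of the ring0 stack */`. Note also that `INIT_THREAD`'s `.sp0` shown as context two hunks earlier is still `sizeof(init_stack) + (long)&init_stack` while `INIT_TSS` gains `- 8`, so the two initial values disagree unless that is fixed outside the visible hunks.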
ae4e228f 7921@@ -977,7 +980,7 @@ extern unsigned long thread_saved_pc(str
58c5fc13
MT
7922 * space during mmap's.
7923 */
7924 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
7925- 0xc0000000 : 0xFFFFe000)
7926+ 0xc0000000 : 0xFFFFf000)
7927
7928 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
7929 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
ae4e228f 7930@@ -1014,6 +1017,10 @@ extern void start_thread(struct pt_regs
58c5fc13
MT
7931 */
7932 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
7933
7934+#ifdef CONFIG_PAX_SEGMEXEC
7935+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
7936+#endif
7937+
7938 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
7939
7940 /* Get/set a process' ability to use the timestamp counter instruction */
ae4e228f
MT
7941diff -urNp linux-2.6.33.1/arch/x86/include/asm/ptrace.h linux-2.6.33.1/arch/x86/include/asm/ptrace.h
7942--- linux-2.6.33.1/arch/x86/include/asm/ptrace.h 2010-03-15 12:09:39.000000000 -0400
7943+++ linux-2.6.33.1/arch/x86/include/asm/ptrace.h 2010-03-20 16:58:38.984539447 -0400
7944@@ -152,28 +152,29 @@ static inline unsigned long regs_return_
58c5fc13
MT
7945 }
7946
7947 /*
7948- * user_mode_vm(regs) determines whether a register set came from user mode.
7949+ * user_mode(regs) determines whether a register set came from user mode.
7950 * This is true if V8086 mode was enabled OR if the register set was from
7951 * protected mode with RPL-3 CS value. This tricky test checks that with
7952 * one comparison. Many places in the kernel can bypass this full check
7953- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
7954+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
7955+ * be used.
7956 */
7957-static inline int user_mode(struct pt_regs *regs)
7958+static inline int user_mode_novm(struct pt_regs *regs)
7959 {
7960 #ifdef CONFIG_X86_32
7961 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
7962 #else
7963- return !!(regs->cs & 3);
7964+ return !!(regs->cs & SEGMENT_RPL_MASK);
7965 #endif
7966 }
7967
7968-static inline int user_mode_vm(struct pt_regs *regs)
7969+static inline int user_mode(struct pt_regs *regs)
7970 {
7971 #ifdef CONFIG_X86_32
7972 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
7973 USER_RPL;
7974 #else
7975- return user_mode(regs);
7976+ return user_mode_novm(regs);
7977 #endif
7978 }
7979
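Review bot: After the rename the explanatory comment sits directly above `user_mode_novm()` but describes the full check that `user_mode()` performs, so the cheaper function has no statement of its own precondition. A short comment on it would make the contract explicit, for example `/* caller must already have ruled out V8086 mode; otherwise use user_mode() */`, with the existing block moved down to `user_mode()`. Because the name `user_mode` keeps existing call sites compiling with different semantics, it is worth saying in the commit text that every fast-path caller was audited and converted.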
ae4e228f
MT
7980diff -urNp linux-2.6.33.1/arch/x86/include/asm/reboot.h linux-2.6.33.1/arch/x86/include/asm/reboot.h
7981--- linux-2.6.33.1/arch/x86/include/asm/reboot.h 2010-03-15 12:09:39.000000000 -0400
7982+++ linux-2.6.33.1/arch/x86/include/asm/reboot.h 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
7983@@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
7984
7985 void native_machine_crash_shutdown(struct pt_regs *regs);
7986 void native_machine_shutdown(void);
7987-void machine_real_restart(const unsigned char *code, int length);
7988+void machine_real_restart(const unsigned char *code, unsigned int length);
7989
7990 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
7991 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
ae4e228f
MT
7992diff -urNp linux-2.6.33.1/arch/x86/include/asm/rwsem.h linux-2.6.33.1/arch/x86/include/asm/rwsem.h
7993--- linux-2.6.33.1/arch/x86/include/asm/rwsem.h 2010-03-15 12:09:39.000000000 -0400
7994+++ linux-2.6.33.1/arch/x86/include/asm/rwsem.h 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
7995@@ -106,10 +106,26 @@ static inline void __down_read(struct rw
7996 {
7997 asm volatile("# beginning down_read\n\t"
7998 LOCK_PREFIX " incl (%%eax)\n\t"
7999+
8000+#ifdef CONFIG_PAX_REFCOUNT
8001+#ifdef CONFIG_X86_32
8002+ "into\n0:\n"
8003+#else
8004+ "jno 0f\n"
8005+ "int $4\n0:\n"
8006+#endif
8007+ ".pushsection .fixup,\"ax\"\n"
8008+ "1:\n"
8009+ LOCK_PREFIX "decl (%%eax)\n"
8010+ "jmp 0b\n"
8011+ ".popsection\n"
8012+ _ASM_EXTABLE(0b, 1b)
8013+#endif
8014+
8015 /* adds 0x00000001, returns the old value */
8016- " jns 1f\n"
8017+ " jns 2f\n"
8018 " call call_rwsem_down_read_failed\n"
8019- "1:\n\t"
8020+ "2:\n\t"
8021 "# ending down_read\n\t"
8022 : "+m" (sem->count)
8023 : "a" (sem)
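Review bot: The CONFIG_PAX_REFCOUNT overflow fragment added here is pasted again, differing only in the undo instruction, in every other rwsem.h hunk and in the four spinlock.h hunks of this patch. A single helper macro taking the undo instruction would keep the trap sequence, the `.fixup` section and the `_ASM_EXTABLE(0b, 1b)` entry in one place, and would make it obvious why the original local labels had to be renumbered from `1` to `2`. The macro name below is only a suggestion; the function body starts and ends outside the hunk.

```c
#ifdef CONFIG_PAX_REFCOUNT
#ifdef CONFIG_X86_32
#define PAX_REFCOUNT_TRAP	"into\n0:\n"
#else
#define PAX_REFCOUNT_TRAP	"jno 0f\n" "int $4\n0:\n"
#endif
/* undo: the instruction that reverses the update that just overflowed */
#define PAX_REFCOUNT_OVERFLOW(undo)		\
	PAX_REFCOUNT_TRAP			\
	".pushsection .fixup,\"ax\"\n"		\
	"1:\n"					\
	undo "\n"				\
	"jmp 0b\n"				\
	".popsection\n"				\
	_ASM_EXTABLE(0b, 1b)
#else
#define PAX_REFCOUNT_OVERFLOW(undo)
#endif

	asm volatile("# beginning down_read\n\t"
		     LOCK_PREFIX " incl (%%eax)\n\t"
		     PAX_REFCOUNT_OVERFLOW(LOCK_PREFIX "decl (%%eax)")
		     /* ... unchanged: jns / call_rwsem_down_read_failed ... */
```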
8024@@ -124,13 +140,29 @@ static inline int __down_read_trylock(st
8025 __s32 result, tmp;
8026 asm volatile("# beginning __down_read_trylock\n\t"
8027 " movl %0,%1\n\t"
8028- "1:\n\t"
8029+ "2:\n\t"
8030 " movl %1,%2\n\t"
8031 " addl %3,%2\n\t"
8032- " jle 2f\n\t"
8033+
8034+#ifdef CONFIG_PAX_REFCOUNT
8035+#ifdef CONFIG_X86_32
8036+ "into\n0:\n"
8037+#else
8038+ "jno 0f\n"
8039+ "int $4\n0:\n"
8040+#endif
8041+ ".pushsection .fixup,\"ax\"\n"
8042+ "1:\n"
8043+ "subl %3,%2\n"
8044+ "jmp 0b\n"
8045+ ".popsection\n"
8046+ _ASM_EXTABLE(0b, 1b)
8047+#endif
8048+
8049+ " jle 3f\n\t"
8050 LOCK_PREFIX " cmpxchgl %2,%0\n\t"
8051- " jnz 1b\n\t"
8052- "2:\n\t"
8053+ " jnz 2b\n\t"
8054+ "3:\n\t"
8055 "# ending __down_read_trylock\n\t"
8056 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8057 : "i" (RWSEM_ACTIVE_READ_BIAS)
8058@@ -148,12 +180,28 @@ static inline void __down_write_nested(s
8059 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8060 asm volatile("# beginning down_write\n\t"
8061 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
8062+
8063+#ifdef CONFIG_PAX_REFCOUNT
8064+#ifdef CONFIG_X86_32
8065+ "into\n0:\n"
8066+#else
8067+ "jno 0f\n"
8068+ "int $4\n0:\n"
8069+#endif
8070+ ".pushsection .fixup,\"ax\"\n"
8071+ "1:\n"
8072+ "movl %%edx,(%%eax)\n"
8073+ "jmp 0b\n"
8074+ ".popsection\n"
8075+ _ASM_EXTABLE(0b, 1b)
8076+#endif
8077+
8078 /* subtract 0x0000ffff, returns the old value */
8079 " testl %%edx,%%edx\n\t"
8080 /* was the count 0 before? */
8081- " jz 1f\n"
8082+ " jz 2f\n"
8083 " call call_rwsem_down_write_failed\n"
8084- "1:\n"
8085+ "2:\n"
8086 "# ending down_write"
8087 : "+m" (sem->count), "=d" (tmp)
8088 : "a" (sem), "1" (tmp)
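Review bot: The overflow fixup here undoes a locked `xadd` with a plain `movl %%edx,(%%eax)`, i.e. it stores the pre-xadd count back without a lock prefix, whereas the `__down_read` and `__downgrade_write` fixups use a locked inverse operation. Any update another CPU makes to `sem->count` between the `xadd` and the fixup store would be overwritten; the hunk does not show anything that rules that out. The same pattern appears in the `__up_read`, `__up_write` and `rwsem_atomic_update` hunks. At minimum the fixup deserves a comment such as `/* overflow: restore the old count saved in %edx by xadd (non-atomic store) */` explaining why this is acceptable.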
8089@@ -186,10 +234,26 @@ static inline void __up_read(struct rw_s
8090 __s32 tmp = -RWSEM_ACTIVE_READ_BIAS;
8091 asm volatile("# beginning __up_read\n\t"
8092 LOCK_PREFIX " xadd %%edx,(%%eax)\n\t"
8093+
8094+#ifdef CONFIG_PAX_REFCOUNT
8095+#ifdef CONFIG_X86_32
8096+ "into\n0:\n"
8097+#else
8098+ "jno 0f\n"
8099+ "int $4\n0:\n"
8100+#endif
8101+ ".pushsection .fixup,\"ax\"\n"
8102+ "1:\n"
8103+ "movl %%edx,(%%eax)\n"
8104+ "jmp 0b\n"
8105+ ".popsection\n"
8106+ _ASM_EXTABLE(0b, 1b)
8107+#endif
8108+
8109 /* subtracts 1, returns the old value */
8110- " jns 1f\n\t"
8111+ " jns 2f\n\t"
8112 " call call_rwsem_wake\n"
8113- "1:\n"
8114+ "2:\n"
8115 "# ending __up_read\n"
8116 : "+m" (sem->count), "=d" (tmp)
8117 : "a" (sem), "1" (tmp)
8118@@ -204,11 +268,27 @@ static inline void __up_write(struct rw_
8119 asm volatile("# beginning __up_write\n\t"
8120 " movl %2,%%edx\n\t"
8121 LOCK_PREFIX " xaddl %%edx,(%%eax)\n\t"
8122+
8123+#ifdef CONFIG_PAX_REFCOUNT
8124+#ifdef CONFIG_X86_32
8125+ "into\n0:\n"
8126+#else
8127+ "jno 0f\n"
8128+ "int $4\n0:\n"
8129+#endif
8130+ ".pushsection .fixup,\"ax\"\n"
8131+ "1:\n"
8132+ "movl %%edx,(%%eax)\n"
8133+ "jmp 0b\n"
8134+ ".popsection\n"
8135+ _ASM_EXTABLE(0b, 1b)
8136+#endif
8137+
8138 /* tries to transition
8139 0xffff0001 -> 0x00000000 */
8140- " jz 1f\n"
8141+ " jz 2f\n"
8142 " call call_rwsem_wake\n"
8143- "1:\n\t"
8144+ "2:\n\t"
8145 "# ending __up_write\n"
8146 : "+m" (sem->count)
8147 : "a" (sem), "i" (-RWSEM_ACTIVE_WRITE_BIAS)
8148@@ -222,10 +302,26 @@ static inline void __downgrade_write(str
8149 {
8150 asm volatile("# beginning __downgrade_write\n\t"
8151 LOCK_PREFIX " addl %2,(%%eax)\n\t"
8152+
8153+#ifdef CONFIG_PAX_REFCOUNT
8154+#ifdef CONFIG_X86_32
8155+ "into\n0:\n"
8156+#else
8157+ "jno 0f\n"
8158+ "int $4\n0:\n"
8159+#endif
8160+ ".pushsection .fixup,\"ax\"\n"
8161+ "1:\n"
8162+ LOCK_PREFIX "subl %2,(%%eax)\n"
8163+ "jmp 0b\n"
8164+ ".popsection\n"
8165+ _ASM_EXTABLE(0b, 1b)
8166+#endif
8167+
8168 /* transitions 0xZZZZ0001 -> 0xYYYY0001 */
8169- " jns 1f\n\t"
8170+ " jns 2f\n\t"
8171 " call call_rwsem_downgrade_wake\n"
8172- "1:\n\t"
8173+ "2:\n\t"
8174 "# ending __downgrade_write\n"
8175 : "+m" (sem->count)
8176 : "a" (sem), "i" (-RWSEM_WAITING_BIAS)
8177@@ -237,7 +333,23 @@ static inline void __downgrade_write(str
8178 */
8179 static inline void rwsem_atomic_add(int delta, struct rw_semaphore *sem)
8180 {
8181- asm volatile(LOCK_PREFIX "addl %1,%0"
8182+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
8183+
8184+#ifdef CONFIG_PAX_REFCOUNT
8185+#ifdef CONFIG_X86_32
8186+ "into\n0:\n"
8187+#else
8188+ "jno 0f\n"
8189+ "int $4\n0:\n"
8190+#endif
8191+ ".pushsection .fixup,\"ax\"\n"
8192+ "1:\n"
8193+ LOCK_PREFIX "subl %1,%0\n"
8194+ "jmp 0b\n"
8195+ ".popsection\n"
8196+ _ASM_EXTABLE(0b, 1b)
8197+#endif
8198+
8199 : "+m" (sem->count)
8200 : "ir" (delta));
8201 }
8202@@ -249,7 +361,23 @@ static inline int rwsem_atomic_update(in
8203 {
8204 int tmp = delta;
8205
8206- asm volatile(LOCK_PREFIX "xadd %0,%1"
8207+ asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8208+
8209+#ifdef CONFIG_PAX_REFCOUNT
8210+#ifdef CONFIG_X86_32
8211+ "into\n0:\n"
8212+#else
8213+ "jno 0f\n"
8214+ "int $4\n0:\n"
8215+#endif
8216+ ".pushsection .fixup,\"ax\"\n"
8217+ "1:\n"
8218+ "movl %0,%1\n"
8219+ "jmp 0b\n"
8220+ ".popsection\n"
8221+ _ASM_EXTABLE(0b, 1b)
8222+#endif
8223+
8224 : "+r" (tmp), "+m" (sem->count)
8225 : : "memory");
8226
ae4e228f
MT
8227diff -urNp linux-2.6.33.1/arch/x86/include/asm/segment.h linux-2.6.33.1/arch/x86/include/asm/segment.h
8228--- linux-2.6.33.1/arch/x86/include/asm/segment.h 2010-03-15 12:09:39.000000000 -0400
8229+++ linux-2.6.33.1/arch/x86/include/asm/segment.h 2010-03-20 16:58:38.984539447 -0400
8230@@ -62,8 +62,8 @@
8231 * 26 - ESPFIX small SS
8232 * 27 - per-cpu [ offset to per-cpu data area ]
8233 * 28 - stack_canary-20 [ for stack protector ]
8234- * 29 - unused
8235- * 30 - unused
8236+ * 29 - PCI BIOS CS
8237+ * 30 - PCI BIOS DS
8238 * 31 - TSS for double fault handler
8239 */
8240 #define GDT_ENTRY_TLS_MIN 6
8241@@ -77,6 +77,8 @@
8242
8243 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
8244
8245+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8246+
8247 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
8248
8249 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
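Review bot: `GDT_ENTRY_KERNEXEC_KERNEL_CS` is given as a bare `(4)` while its neighbours are all expressed relative to `GDT_ENTRY_KERNEL_BASE`, and nothing in the hunk says why slot 4 is free. The GDT layout comment at the top of the file is updated by this patch for entries 29 and 30, but the visible part does not show an entry for this descriptor. A line in that layout comment naming the slot, plus a short comment here stating what the segment is for, would prevent a later patch from reusing the index.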
8250@@ -88,7 +90,7 @@
58c5fc13
MT
8251 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
8252 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8253
8254-#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8255+#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
8256 #ifdef CONFIG_SMP
8257 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8258 #else
ae4e228f 8259@@ -102,6 +104,12 @@
58c5fc13
MT
8260 #define __KERNEL_STACK_CANARY 0
8261 #endif
8262
8263+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
8264+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8265+
8266+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
8267+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8268+
8269 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8270
8271 /*
ae4e228f 8272@@ -139,7 +147,7 @@
58c5fc13
MT
8273 */
8274
8275 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8276-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8277+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8278
8279
8280 #else
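Review bot: The rewritten `SEGMENT_IS_PNP_CODE(x)` evaluates `x` twice, which the old single-comparison form did not, so an argument with side effects would now misbehave; a `static inline` helper or a local temporary avoids that. The comment kept above it, "(they must be consecutive)", described the old mask trick and no longer matches a macro that compares against `PNP_CS32` and `PNP_CS16` individually. Suggested replacement comment: `/* Matches PNP_CS32 and PNP_CS16, ignoring the RPL bits of the selector */`.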
ae4e228f
MT
8281@@ -163,6 +171,8 @@
8282 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8283 #define __USER32_DS __USER_DS
8284
8285+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8286+
8287 #define GDT_ENTRY_TSS 8 /* needs two entries */
8288 #define GDT_ENTRY_LDT 10 /* needs two entries */
8289 #define GDT_ENTRY_TLS_MIN 12
8290@@ -183,6 +193,7 @@
8291 #endif
8292
8293 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
8294+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8295 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
8296 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8297 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8298diff -urNp linux-2.6.33.1/arch/x86/include/asm/spinlock.h linux-2.6.33.1/arch/x86/include/asm/spinlock.h
8299--- linux-2.6.33.1/arch/x86/include/asm/spinlock.h 2010-03-15 12:09:39.000000000 -0400
8300+++ linux-2.6.33.1/arch/x86/include/asm/spinlock.h 2010-03-20 16:58:38.984539447 -0400
8301@@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
8302 static inline void arch_read_lock(arch_rwlock_t *rw)
58c5fc13
MT
8303 {
8304 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8305- "jns 1f\n"
8306- "call __read_lock_failed\n\t"
8307+
8308+#ifdef CONFIG_PAX_REFCOUNT
8309+#ifdef CONFIG_X86_32
8310+ "into\n0:\n"
8311+#else
8312+ "jno 0f\n"
8313+ "int $4\n0:\n"
8314+#endif
8315+ ".pushsection .fixup,\"ax\"\n"
8316 "1:\n"
8317+ LOCK_PREFIX " addl $1,(%0)\n"
8318+ "jmp 0b\n"
8319+ ".popsection\n"
8320+ _ASM_EXTABLE(0b, 1b)
8321+#endif
8322+
8323+ "jns 2f\n"
8324+ "call __read_lock_failed\n\t"
8325+ "2:\n"
8326 ::LOCK_PTR_REG (rw) : "memory");
8327 }
8328
ae4e228f 8329 static inline void arch_write_lock(arch_rwlock_t *rw)
58c5fc13
MT
8330 {
8331 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8332- "jz 1f\n"
8333- "call __write_lock_failed\n\t"
8334+
8335+#ifdef CONFIG_PAX_REFCOUNT
8336+#ifdef CONFIG_X86_32
8337+ "into\n0:\n"
8338+#else
8339+ "jno 0f\n"
8340+ "int $4\n0:\n"
8341+#endif
8342+ ".pushsection .fixup,\"ax\"\n"
8343 "1:\n"
8344+ LOCK_PREFIX " addl %1,(%0)\n"
8345+ "jmp 0b\n"
8346+ ".popsection\n"
8347+ _ASM_EXTABLE(0b, 1b)
8348+#endif
8349+
8350+ "jz 2f\n"
8351+ "call __write_lock_failed\n\t"
8352+ "2:\n"
8353 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
8354 }
8355
ae4e228f 8356@@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
58c5fc13 8357
ae4e228f 8358 static inline void arch_read_unlock(arch_rwlock_t *rw)
58c5fc13
MT
8359 {
8360- asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
8361+ asm volatile(LOCK_PREFIX "incl %0\n"
8362+
8363+#ifdef CONFIG_PAX_REFCOUNT
8364+#ifdef CONFIG_X86_32
8365+ "into\n0:\n"
8366+#else
8367+ "jno 0f\n"
8368+ "int $4\n0:\n"
8369+#endif
8370+ ".pushsection .fixup,\"ax\"\n"
8371+ "1:\n"
8372+ LOCK_PREFIX "decl %0\n"
8373+ "jmp 0b\n"
8374+ ".popsection\n"
8375+ _ASM_EXTABLE(0b, 1b)
8376+#endif
8377+
8378+ :"+m" (rw->lock) : : "memory");
8379 }
8380
ae4e228f 8381 static inline void arch_write_unlock(arch_rwlock_t *rw)
58c5fc13
MT
8382 {
8383- asm volatile(LOCK_PREFIX "addl %1, %0"
8384+ asm volatile(LOCK_PREFIX "addl %1, %0\n"
8385+
8386+#ifdef CONFIG_PAX_REFCOUNT
8387+#ifdef CONFIG_X86_32
8388+ "into\n0:\n"
8389+#else
8390+ "jno 0f\n"
8391+ "int $4\n0:\n"
8392+#endif
8393+ ".pushsection .fixup,\"ax\"\n"
8394+ "1:\n"
8395+ LOCK_PREFIX "subl %1,%0\n"
8396+ "jmp 0b\n"
8397+ ".popsection\n"
8398+ _ASM_EXTABLE(0b, 1b)
8399+#endif
8400+
8401 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
8402 }
8403
ae4e228f
MT
8404diff -urNp linux-2.6.33.1/arch/x86/include/asm/system.h linux-2.6.33.1/arch/x86/include/asm/system.h
8405--- linux-2.6.33.1/arch/x86/include/asm/system.h 2010-03-15 12:09:39.000000000 -0400
8406+++ linux-2.6.33.1/arch/x86/include/asm/system.h 2010-03-20 16:58:38.984539447 -0400
8407@@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
58c5fc13
MT
8408 {
8409 unsigned long __limit;
8410 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
8411- return __limit + 1;
8412+ return __limit;
8413 }
8414
8415 static inline void native_clts(void)
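Review bot: With `return __limit;` the function now returns the raw result of `lsl`, i.e. the last valid offset, instead of the segment size, and nothing at the definition records that change of contract. A comment such as `/* returns the segment limit (highest valid offset), not the size */` is needed, and every caller has to be checked for an assumption of the old `+ 1`; none is visible in this hunk. Separately, `__limit` is declared without an initial value, and `lsl` leaves its destination untouched when the selector cannot be loaded, so an invalid `segment` would return an indeterminate value; `unsigned long __limit = 0;` would make that case deterministic.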
ae4e228f 8416@@ -342,7 +342,7 @@ void enable_hlt(void);
58c5fc13
MT
8417
8418 void cpu_idle_wait(void);
8419
8420-extern unsigned long arch_align_stack(unsigned long sp);
8421+#define arch_align_stack(x) ((x) & ~0xfUL)
8422 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
8423
8424 void default_idle(void);
ae4e228f
MT
8425diff -urNp linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h
8426--- linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h 2010-03-15 12:09:39.000000000 -0400
8427+++ linux-2.6.33.1/arch/x86/include/asm/uaccess_32.h 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
8428@@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
8429 static __always_inline unsigned long __must_check
8430 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
8431 {
8432+ if ((long)n < 0)
8433+ return n;
8434+
8435 if (__builtin_constant_p(n)) {
8436 unsigned long ret;
8437
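Review bot: The guard `if ((long)n < 0) return n;` is added without explanation here and again in the `__copy_from_user_inatomic`, `__copy_from_user`, `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache` hunks of this file. Its purpose, refusing a length whose sign bit is set because it is almost certainly a negative value converted to `unsigned long`, should be stated once, for example `/* reject lengths that are negative when viewed as signed: a wrapped size computation */`. Factoring the test into one small inline predicate would keep the five copies from diverging. The function body continues outside the hunk.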
8438@@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
8439 return ret;
8440 }
8441 }
8442+ if (!__builtin_constant_p(n))
8443+ check_object_size(from, n, true);
8444 return __copy_to_user_ll(to, from, n);
8445 }
8446
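Review bot: `check_object_size()` is reached only when `n` is not a compile-time constant, so a constant `n` that the earlier `__builtin_constant_p(n)` block does not return for goes to `__copy_to_user_ll()` with no object-size check at all. That is presumably deliberate, on the assumption that constant sizes come from `sizeof`, but the code does not say so; the same applies to the `__copy_from_user` hunk. A comment like `/* constant sizes are trusted; only run-time lengths are checked against the object */` would make the exemption a documented decision rather than something a reader has to infer.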
8447@@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
8448 static __always_inline unsigned long
8449 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
8450 {
8451+ if ((long)n < 0)
8452+ return n;
8453+
8454 /* Avoid zeroing the tail if the copy fails..
8455 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
8456 * but as the zeroing behaviour is only significant when n is not
8457@@ -138,6 +146,10 @@ static __always_inline unsigned long
8458 __copy_from_user(void *to, const void __user *from, unsigned long n)
8459 {
8460 might_fault();
8461+
8462+ if ((long)n < 0)
8463+ return n;
8464+
8465 if (__builtin_constant_p(n)) {
8466 unsigned long ret;
8467
8468@@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
8469 return ret;
8470 }
8471 }
8472+ if (!__builtin_constant_p(n))
8473+ check_object_size(to, n, false);
8474 return __copy_from_user_ll(to, from, n);
8475 }
8476
8477@@ -160,6 +174,10 @@ static __always_inline unsigned long __c
8478 const void __user *from, unsigned long n)
8479 {
8480 might_fault();
8481+
8482+ if ((long)n < 0)
8483+ return n;
8484+
8485 if (__builtin_constant_p(n)) {
8486 unsigned long ret;
8487
ae4e228f 8488@@ -182,15 +200,19 @@ static __always_inline unsigned long
58c5fc13
MT
8489 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
8490 unsigned long n)
8491 {
8492- return __copy_from_user_ll_nocache_nozero(to, from, n);
ae4e228f 8493-}
58c5fc13
MT
8494+ if ((long)n < 0)
8495+ return n;
ae4e228f
MT
8496
8497-unsigned long __must_check copy_to_user(void __user *to,
8498- const void *from, unsigned long n);
8499-unsigned long __must_check _copy_from_user(void *to,
8500- const void __user *from,
8501- unsigned long n);
58c5fc13
MT
8502+ return __copy_from_user_ll_nocache_nozero(to, from, n);
8503+}
ae4e228f
MT
8504
8505+extern void copy_to_user_overflow(void)
8506+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
8507+ __compiletime_error("copy_to_user() buffer size is not provably correct")
8508+#else
8509+ __compiletime_warning("copy_to_user() buffer size is not provably correct")
8510+#endif
8511+;
8512
8513 extern void copy_from_user_overflow(void)
8514 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
8515@@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
8516 #endif
8517 ;
8518
8519-static inline unsigned long __must_check copy_from_user(void *to,
8520- const void __user *from,
8521- unsigned long n)
58c5fc13
MT
8522+/**
8523+ * copy_to_user: - Copy a block of data into user space.
8524+ * @to: Destination address, in user space.
8525+ * @from: Source address, in kernel space.
8526+ * @n: Number of bytes to copy.
8527+ *
8528+ * Context: User context only. This function may sleep.
8529+ *
8530+ * Copy data from kernel space to user space.
8531+ *
8532+ * Returns number of bytes that could not be copied.
8533+ * On success, this will be zero.
8534+ */
ae4e228f 8535+static inline unsigned long __must_check
58c5fc13
MT
8536+copy_to_user(void __user *to, const void *from, unsigned long n)
8537+{
ae4e228f
MT
8538+ int sz = __compiletime_object_size(from);
8539+
8540+ if (unlikely(sz != -1 && sz < n))
8541+ copy_to_user_overflow();
8542+ else if (access_ok(VERIFY_WRITE, to, n))
58c5fc13
MT
8543+ n = __copy_to_user(to, from, n);
8544+ return n;
8545+}
8546+
8547+/**
8548+ * copy_from_user: - Copy a block of data from user space.
8549+ * @to: Destination address, in kernel space.
8550+ * @from: Source address, in user space.
8551+ * @n: Number of bytes to copy.
8552+ *
8553+ * Context: User context only. This function may sleep.
8554+ *
8555+ * Copy data from user space to kernel space.
8556+ *
8557+ * Returns number of bytes that could not be copied.
8558+ * On success, this will be zero.
8559+ *
8560+ * If some data could not be copied, this function will pad the copied
8561+ * data to the requested size using zero bytes.
8562+ */
ae4e228f 8563+static inline unsigned long __must_check
58c5fc13 8564+copy_from_user(void *to, const void __user *from, unsigned long n)
ae4e228f
MT
8565 {
8566 int sz = __compiletime_object_size(to);
8567
8568- if (likely(sz == -1 || sz >= n))
8569- n = _copy_from_user(to, from, n);
8570- else
8571+ if (unlikely(sz != -1 && sz < n))
8572 copy_from_user_overflow();
8573-
8574+ else if (access_ok(VERIFY_READ, from, n))
58c5fc13
MT
8575+ n = __copy_from_user(to, from, n);
8576+ else if ((long)n > 0) {
8577+ if (!__builtin_constant_p(n))
8578+ check_object_size(to, n, false);
8579+ memset(to, 0, n);
8580+ }
ae4e228f 8581 return n;
58c5fc13
MT
8582 }
8583
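Review bot: Both new wrappers compare `int sz` with `unsigned long n` in `sz != -1 && sz < n`, which is only correct because the `-1` case is excluded first and the remaining values are assumed non-negative. Making the conversion explicit, `if (unlikely(sz != -1 && (unsigned long)sz < n))`, documents that intent and silences sign-compare warnings. In `copy_from_user` the fallback `memset(to, 0, n)` runs when `access_ok()` fails, so a short comment that the destination is zero-filled to avoid handing uninitialised kernel memory back to the caller would be useful there too.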
ae4e228f
MT
8584diff -urNp linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h
8585--- linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h 2010-03-15 12:09:39.000000000 -0400
8586+++ linux-2.6.33.1/arch/x86/include/asm/uaccess_64.h 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
8587@@ -10,6 +10,8 @@
8588 #include <linux/lockdep.h>
8589 #include <asm/page.h>
8590
8591+#define set_fs(x) (current_thread_info()->addr_limit = (x))
8592+
8593 /*
8594 * Copy To/From Userspace
8595 */
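Review bot: This `set_fs(x)` definition duplicates, token for token, the one that the uaccess.h hunk later in this patch keeps under its `#else` (non-X86_32) branch. Identical redefinitions compile cleanly, but the first edit that touches only one of them will produce a redefinition conflict or, worse, two different behaviours depending on include order. If the copy here is needed because of include ordering, that reason should be stated in a comment; otherwise it should be dropped.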
ae4e228f
MT
8596@@ -17,27 +19,26 @@
8597 /* Handles exceptions in both to and from, but doesn't do access_ok */
58c5fc13 8598 __must_check unsigned long
ae4e228f
MT
8599 copy_user_generic(void *to, const void *from, unsigned len);
8600-
58c5fc13 8601-__must_check unsigned long
ae4e228f 8602-_copy_to_user(void __user *to, const void *from, unsigned len);
58c5fc13 8603-__must_check unsigned long
ae4e228f
MT
8604-_copy_from_user(void *to, const void __user *from, unsigned len);
8605+static __always_inline __must_check unsigned long
8606+__copy_to_user(void __user *to, const void *from, unsigned len);
8607+static __always_inline __must_check unsigned long
8608+__copy_from_user(void *to, const void __user *from, unsigned len);
8609 __must_check unsigned long
58c5fc13
MT
8610 copy_in_user(void __user *to, const void __user *from, unsigned len);
8611
ae4e228f
MT
8612 static inline unsigned long __must_check copy_from_user(void *to,
8613 const void __user *from,
8614- unsigned long n)
8615+ unsigned n)
8616 {
8617- int sz = __compiletime_object_size(to);
8618-
8619 might_fault();
8620- if (likely(sz == -1 || sz >= n))
8621- n = _copy_from_user(to, from, n);
8622-#ifdef CONFIG_DEBUG_VM
8623- else
8624- WARN(1, "Buffer overflow detected!\n");
8625-#endif
8626+
8627+ if (access_ok(VERIFY_READ, from, n))
8628+ n = __copy_from_user(to, from, n);
8629+ else if ((int)n > 0) {
8630+ if (!__builtin_constant_p(n))
8631+ check_object_size(to, n, false);
8632+ memset(to, 0, n);
8633+ }
8634 return n;
8635 }
8636
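Review bot: Narrowing the length parameter of `copy_from_user` from `unsigned long n` to `unsigned n` means a caller that passes a 64-bit length has the upper 32 bits discarded before `access_ok()` and the `(int)n > 0` test ever see it, so the function can report full success for a request it only partly honoured. Keeping the wide type and rejecting oversized requests explicitly is safer: `if (n > INT_MAX) return n;` ahead of the `access_ok()` call. The other prototypes in this file already take `unsigned len`, so this may be intended for consistency, but then the truncation should be documented at the declaration.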
8637@@ -46,17 +47,33 @@ int copy_to_user(void __user *dst, const
8638 {
8639 might_fault();
8640
8641- return _copy_to_user(dst, src, size);
8642+ if (access_ok(VERIFY_WRITE, dst, size))
8643+ size = __copy_to_user(dst, src, size);
8644+ return size;
8645 }
8646
58c5fc13
MT
8647 static __always_inline __must_check
8648-int __copy_from_user(void *dst, const void __user *src, unsigned size)
8649+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
8650 {
8651- int ret = 0;
ae4e228f 8652+ int sz = __compiletime_object_size(dst);
58c5fc13
MT
8653+ unsigned ret = 0;
8654
8655 might_fault();
8656- if (!__builtin_constant_p(size))
8657+
8658+ if ((int)size < 0)
8659+ return size;
8660+
ae4e228f
MT
8661+ if (unlikely(sz != -1 && sz < size)) {
8662+#ifdef CONFIG_DEBUG_VM
8663+ WARN(1, "Buffer overflow detected!\n");
8664+#endif
8665+ return size;
8666+ }
8667+
58c5fc13
MT
8668+ if (!__builtin_constant_p(size)) {
8669+ check_object_size(dst, size, false);
8670 return copy_user_generic(dst, (__force void *)src, size);
8671+ }
8672 switch (size) {
8673 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
8674 ret, "b", "b", "=q", 1);
ae4e228f 8675@@ -94,13 +111,27 @@ int __copy_from_user(void *dst, const vo
58c5fc13
MT
8676 }
8677
8678 static __always_inline __must_check
8679-int __copy_to_user(void __user *dst, const void *src, unsigned size)
8680+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
8681 {
8682- int ret = 0;
ae4e228f 8683+ int sz = __compiletime_object_size(src);
58c5fc13
MT
8684+ unsigned ret = 0;
8685
8686 might_fault();
8687- if (!__builtin_constant_p(size))
8688+
8689+ if ((int)size < 0)
8690+ return size;
8691+
ae4e228f
MT
8692+ if (unlikely(sz != -1 && sz < size)) {
8693+#ifdef CONFIG_DEBUG_VM
8694+ WARN(1, "Buffer overflow detected!\n");
8695+#endif
8696+ return size;
8697+ }
8698+
58c5fc13
MT
8699+ if (!__builtin_constant_p(size)) {
8700+ check_object_size(src, size, true);
8701 return copy_user_generic((__force void *)dst, src, size);
8702+ }
8703 switch (size) {
8704 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
8705 ret, "b", "b", "iq", 1);
ae4e228f 8706@@ -138,11 +169,15 @@ int __copy_to_user(void __user *dst, con
58c5fc13
MT
8707 }
8708
8709 static __always_inline __must_check
8710-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
ae4e228f 8711+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
58c5fc13
MT
8712 {
8713- int ret = 0;
58c5fc13
MT
8714+ unsigned ret = 0;
8715
8716 might_fault();
8717+
8718+ if ((int)size < 0)
8719+ return size;
8720+
8721 if (!__builtin_constant_p(size))
8722 return copy_user_generic((__force void *)dst,
8723 (__force void *)src, size);
ae4e228f
MT
8724@@ -206,30 +241,38 @@ __copy_from_user_inatomic(void *dst, con
8725 return copy_user_generic(dst, (__force const void *)src, size);
8726 }
58c5fc13
MT
8727
8728-static __must_check __always_inline int
8729+static __must_check __always_inline unsigned long
8730 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
8731 {
8732+ if ((int)size < 0)
8733+ return size;
8734+
8735 return copy_user_generic((__force void *)dst, src, size);
8736 }
8737
8738-extern long __copy_user_nocache(void *dst, const void __user *src,
8739+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
8740 unsigned size, int zerorest);
8741
8742-static inline int
8743-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8744+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
8745 {
8746 might_sleep();
8747+
8748+ if ((int)size < 0)
8749+ return size;
8750+
8751 return __copy_user_nocache(dst, src, size, 1);
8752 }
8753
8754-static inline int
8755-__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8756+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
8757 unsigned size)
8758 {
8759+ if ((int)size < 0)
8760+ return size;
8761+
8762 return __copy_user_nocache(dst, src, size, 0);
8763 }
8764
8765-unsigned long
8766+extern unsigned long
8767 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
8768
8769 #endif /* _ASM_X86_UACCESS_64_H */
ae4e228f
MT
8770diff -urNp linux-2.6.33.1/arch/x86/include/asm/uaccess.h linux-2.6.33.1/arch/x86/include/asm/uaccess.h
8771--- linux-2.6.33.1/arch/x86/include/asm/uaccess.h 2010-03-15 12:09:39.000000000 -0400
8772+++ linux-2.6.33.1/arch/x86/include/asm/uaccess.h 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
8773@@ -8,8 +8,11 @@
8774 #include <linux/thread_info.h>
8775 #include <linux/prefetch.h>
8776 #include <linux/string.h>
8777+#include <linux/sched.h>
8778+#include <linux/slab.h>
8779 #include <asm/asm.h>
8780 #include <asm/page.h>
8781+#include <asm/segment.h>
8782
8783 #define VERIFY_READ 0
8784 #define VERIFY_WRITE 1
8785@@ -29,7 +32,12 @@
8786
8787 #define get_ds() (KERNEL_DS)
8788 #define get_fs() (current_thread_info()->addr_limit)
8789+#ifdef CONFIG_X86_32
8790+void __set_fs(mm_segment_t x, int cpu);
8791+void set_fs(mm_segment_t x);
8792+#else
8793 #define set_fs(x) (current_thread_info()->addr_limit = (x))
8794+#endif
8795
8796 #define segment_eq(a, b) ((a).seg == (b).seg)
8797
ae4e228f 8798@@ -77,7 +85,33 @@
58c5fc13
MT
8799 * checks that the pointer is in the user space range - after calling
8800 * this function, memory access functions may still return -EFAULT.
8801 */
8802-#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
ae4e228f 8803+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
58c5fc13
MT
8804+#define access_ok(type, addr, size) \
8805+({ \
ae4e228f
MT
8806+ long __size = size; \
8807+ unsigned long __addr = (unsigned long)addr; \
8808+ unsigned long __addr_ao = __addr & PAGE_MASK; \
8809+ unsigned long __end_ao = __addr + __size - 1; \
8810+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
58c5fc13 8811+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
ae4e228f 8812+ while(__addr_ao <= __end_ao) { \
58c5fc13 8813+ char __c_ao; \
ae4e228f
MT
8814+ __addr_ao += PAGE_SIZE; \
8815+ if (__size > PAGE_SIZE) \
58c5fc13 8816+ cond_resched(); \
ae4e228f 8817+ if (__get_user(__c_ao, (char __user *)__addr)) \
58c5fc13 8818+ break; \
ae4e228f
MT
8819+ if (type != VERIFY_WRITE) { \
8820+ __addr = __addr_ao; \
58c5fc13 8821+ continue; \
ae4e228f
MT
8822+ } \
8823+ if (__put_user(__c_ao, (char __user *)__addr)) \
58c5fc13 8824+ break; \
ae4e228f 8825+ __addr = __addr_ao; \
58c5fc13
MT
8826+ } \
8827+ } \
8828+ __ret_ao; \
8829+})
8830
8831 /*
8832 * The exception table consists of pairs of addresses: the first is the
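Review bot: The rewritten `access_ok` expands `addr`, `size` and `type` without parentheses, so for an expression argument such as `p + 1` the cast in `(unsigned long)addr` binds to `p` alone, and the range check and page probe run on a different address than the caller passed. The locals should read `long __size = (size);` and `unsigned long __addr = (unsigned long)(addr);`, and the test `(type) != VERIFY_WRITE`. The macro also changes the contract of `access_ok`: it now reads one byte per page (and writes it back for VERIFY_WRITE), may call `cond_resched()`, and ignores a failed probe because `__ret_ao` is never updated in the loop. A comment above the macro should say that it can fault and reschedule, and that the read-then-write-back is not atomic against other threads writing the same byte. Callers outside this hunk that use it where sleeping is not allowed need checking.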
ae4e228f 8833@@ -183,13 +217,21 @@ extern int __get_user_bad(void);
58c5fc13
MT
8834 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
8835 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
8836
8837-
8838+#ifdef CONFIG_X86_32
8839+#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
8840+#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
8841+#else
8842+#define _ASM_LOAD_USER_DS(ds)
8843+#define _ASM_LOAD_KERNEL_DS
8844+#endif
8845
8846 #ifdef CONFIG_X86_32
8847 #define __put_user_asm_u64(x, addr, err, errret) \
8848- asm volatile("1: movl %%eax,0(%2)\n" \
8849- "2: movl %%edx,4(%2)\n" \
8850+ asm volatile(_ASM_LOAD_USER_DS(5) \
8851+ "1: movl %%eax,%%ds:0(%2)\n" \
8852+ "2: movl %%edx,%%ds:4(%2)\n" \
8853 "3:\n" \
8854+ _ASM_LOAD_KERNEL_DS \
8855 ".section .fixup,\"ax\"\n" \
8856 "4: movl %3,%0\n" \
8857 " jmp 3b\n" \
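Review bot: `_ASM_LOAD_USER_DS(5)` hard-codes the position of the `"r"(__USER_DS)` operand, which is only appended in the next hunk, so any later change to the operand list of `__put_user_asm_u64` can make the `movw` load `%ds` from the wrong operand without any warning. A named operand removes the coupling: `[uds] "r"(__USER_DS)` in the input list and `"movw %w[uds],%%ds\n"` in the template. The same positional index is used in `__put_user_asm_ex_u64`, `__get_user_asm`, `__get_user_asm_ex`, `__put_user_asm` and `__put_user_asm_ex` in the later hunks of this file. The macro body starts in this hunk and finishes in the next one.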
ae4e228f 8858@@ -197,15 +239,18 @@ extern int __get_user_bad(void);
58c5fc13
MT
8859 _ASM_EXTABLE(1b, 4b) \
8860 _ASM_EXTABLE(2b, 4b) \
8861 : "=r" (err) \
8862- : "A" (x), "r" (addr), "i" (errret), "0" (err))
8863+ : "A" (x), "r" (addr), "i" (errret), "0" (err), \
8864+ "r"(__USER_DS))
8865
8866 #define __put_user_asm_ex_u64(x, addr) \
8867- asm volatile("1: movl %%eax,0(%1)\n" \
8868- "2: movl %%edx,4(%1)\n" \
8869+ asm volatile(_ASM_LOAD_USER_DS(2) \
8870+ "1: movl %%eax,%%ds:0(%1)\n" \
8871+ "2: movl %%edx,%%ds:4(%1)\n" \
8872 "3:\n" \
8873+ _ASM_LOAD_KERNEL_DS \
8874 _ASM_EXTABLE(1b, 2b - 1b) \
8875 _ASM_EXTABLE(2b, 3b - 2b) \
8876- : : "A" (x), "r" (addr))
8877+ : : "A" (x), "r" (addr), "r"(__USER_DS))
8878
8879 #define __put_user_x8(x, ptr, __ret_pu) \
8880 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
ae4e228f 8881@@ -374,16 +419,18 @@ do { \
58c5fc13
MT
8882 } while (0)
8883
8884 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8885- asm volatile("1: mov"itype" %2,%"rtype"1\n" \
8886+ asm volatile(_ASM_LOAD_USER_DS(5) \
8887+ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
8888 "2:\n" \
8889+ _ASM_LOAD_KERNEL_DS \
8890 ".section .fixup,\"ax\"\n" \
8891 "3: mov %3,%0\n" \
8892 " xor"itype" %"rtype"1,%"rtype"1\n" \
8893 " jmp 2b\n" \
8894 ".previous\n" \
8895 _ASM_EXTABLE(1b, 3b) \
8896- : "=r" (err), ltype(x) \
8897- : "m" (__m(addr)), "i" (errret), "0" (err))
8898+ : "=r" (err), ltype (x) \
8899+ : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
8900
8901 #define __get_user_size_ex(x, ptr, size) \
8902 do { \
ae4e228f 8903@@ -407,10 +454,12 @@ do { \
58c5fc13
MT
8904 } while (0)
8905
8906 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
8907- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
8908+ asm volatile(_ASM_LOAD_USER_DS(2) \
8909+ "1: mov"itype" %%ds:%1,%"rtype"0\n" \
8910 "2:\n" \
8911+ _ASM_LOAD_KERNEL_DS \
8912 _ASM_EXTABLE(1b, 2b - 1b) \
8913- : ltype(x) : "m" (__m(addr)))
8914+ : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
8915
8916 #define __put_user_nocheck(x, ptr, size) \
8917 ({ \
ae4e228f
MT
8918@@ -424,7 +473,7 @@ do { \
8919 int __gu_err; \
8920 unsigned long __gu_val; \
8921 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
8922- (x) = (__force __typeof__(*(ptr)))__gu_val; \
8923+ (x) = (__typeof__(*(ptr)))__gu_val; \
8924 __gu_err; \
8925 })
8926
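Review bot: Nothing in this hunk says why `__force` is dropped from the cast in `(x) = (__typeof__(*(ptr)))__gu_val;`, and the same edit is repeated in `get_user_ex` further down. `__force` is what marks the conversion from `unsigned long` to an annotated type as intentional for sparse, so callers that read `__bitwise` or address-space-qualified values will likely start producing warnings. If the removal is deliberate, a one-line comment such as `/* no __force: keep static checking of the result type */` would record the intent; otherwise the annotation should stay. The enclosing macro starts above the hunk.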
8927@@ -438,21 +487,26 @@ struct __large_struct { unsigned long bu
58c5fc13
MT
8928 * aliasing issues.
8929 */
8930 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
8931- asm volatile("1: mov"itype" %"rtype"1,%2\n" \
8932+ asm volatile(_ASM_LOAD_USER_DS(5) \
8933+ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
8934 "2:\n" \
8935+ _ASM_LOAD_KERNEL_DS \
8936 ".section .fixup,\"ax\"\n" \
8937 "3: mov %3,%0\n" \
8938 " jmp 2b\n" \
8939 ".previous\n" \
8940 _ASM_EXTABLE(1b, 3b) \
8941 : "=r"(err) \
8942- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
8943+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
8944+ "r"(__USER_DS))
8945
8946 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
8947- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
8948+ asm volatile(_ASM_LOAD_USER_DS(2) \
8949+ "1: mov"itype" %"rtype"0,%%ds:%1\n" \
8950 "2:\n" \
8951+ _ASM_LOAD_KERNEL_DS \
8952 _ASM_EXTABLE(1b, 2b - 1b) \
8953- : : ltype(x), "m" (__m(addr)))
8954+ : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
8955
8956 /*
8957 * uaccess_try and catch
ae4e228f
MT
8958@@ -530,7 +584,7 @@ struct __large_struct { unsigned long bu
8959 #define get_user_ex(x, ptr) do { \
8960 unsigned long __gue_val; \
8961 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
8962- (x) = (__force __typeof__(*(ptr)))__gue_val; \
8963+ (x) = (__typeof__(*(ptr)))__gue_val; \
8964 } while (0)
8965
8966 #ifdef CONFIG_X86_WP_WORKS_OK
8967@@ -567,6 +621,7 @@ extern struct movsl_mask {
58c5fc13
MT
8968
8969 #define ARCH_HAS_NOCACHE_UACCESS 1
8970
8971+#define ARCH_HAS_SORT_EXTABLE
8972 #ifdef CONFIG_X86_32
8973 # include "uaccess_32.h"
8974 #else
ae4e228f
MT
8975diff -urNp linux-2.6.33.1/arch/x86/include/asm/vgtod.h linux-2.6.33.1/arch/x86/include/asm/vgtod.h
8976--- linux-2.6.33.1/arch/x86/include/asm/vgtod.h 2010-03-15 12:09:39.000000000 -0400
8977+++ linux-2.6.33.1/arch/x86/include/asm/vgtod.h 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
8978@@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
8979 int sysctl_enabled;
8980 struct timezone sys_tz;
8981 struct { /* extract of a clocksource struct */
8982+ char name[8];
8983 cycle_t (*vread)(void);
8984 cycle_t cycle_last;
8985 cycle_t mask;
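Review bot: The new `char name[8];` member is a fixed 8-byte buffer with no comment on how it is filled or whether it is guaranteed to be NUL-terminated. The code that copies the clocksource name into it is outside this hunk; it needs a bounded copy that cannot write past 8 bytes, and readers need to know whether a truncated name is still terminated. A field comment such as `/* clocksource name; fixed 8 bytes, writer must bound the copy */`, or a named size constant shared with the writer, would make that contract explicit.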
ae4e228f
MT
8986diff -urNp linux-2.6.33.1/arch/x86/include/asm/vmi.h linux-2.6.33.1/arch/x86/include/asm/vmi.h
8987--- linux-2.6.33.1/arch/x86/include/asm/vmi.h 2010-03-15 12:09:39.000000000 -0400
8988+++ linux-2.6.33.1/arch/x86/include/asm/vmi.h 2010-03-20 16:58:38.984539447 -0400
8989@@ -191,6 +191,7 @@ struct vrom_header {
8990 u8 reserved[96]; /* Reserved for headers */
8991 char vmi_init[8]; /* VMI_Init jump point */
8992 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
8993+ char rom_data[8048]; /* rest of the option ROM */
8994 } __attribute__((packed));
8995
8996 struct pnp_header {
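Review bot: `char rom_data[8048];` adds a bare size with no derivation. Presumably it pads the packed `vrom_header` out to the full option-ROM image so that accesses beyond the named fields stay inside the declared object, but the hunk does not state the total it is meant to reach. Writing the size as the intended total minus the preceding fields, or adding a compile-time size check next to the users of the struct, would keep it correct if the header layout ever changes.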
8997diff -urNp linux-2.6.33.1/arch/x86/include/asm/vsyscall.h linux-2.6.33.1/arch/x86/include/asm/vsyscall.h
8998--- linux-2.6.33.1/arch/x86/include/asm/vsyscall.h 2010-03-15 12:09:39.000000000 -0400
8999+++ linux-2.6.33.1/arch/x86/include/asm/vsyscall.h 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
9000@@ -15,9 +15,10 @@ enum vsyscall_num {
9001
9002 #ifdef __KERNEL__
9003 #include <linux/seqlock.h>
9004+#include <linux/getcpu.h>
9005+#include <linux/time.h>
9006
9007 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9008-#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9009
9010 /* Definitions for CONFIG_GENERIC_TIME definitions */
9011 #define __section_vsyscall_gtod_data __attribute__ \
9012@@ -31,7 +32,6 @@ enum vsyscall_num {
9013 #define VGETCPU_LSL 2
9014
9015 extern int __vgetcpu_mode;
9016-extern volatile unsigned long __jiffies;
9017
9018 /* kernel space (writeable) */
9019 extern int vgetcpu_mode;
9020@@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9021
9022 extern void map_vsyscall(void);
9023
9024+extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9025+extern time_t vtime(time_t *t);
9026+extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9027 #endif /* __KERNEL__ */
9028
9029 #endif /* _ASM_X86_VSYSCALL_H */
ae4e228f
MT
9030diff -urNp linux-2.6.33.1/arch/x86/Kconfig linux-2.6.33.1/arch/x86/Kconfig
9031--- linux-2.6.33.1/arch/x86/Kconfig 2010-03-15 12:09:39.000000000 -0400
9032+++ linux-2.6.33.1/arch/x86/Kconfig 2010-03-20 16:58:38.984539447 -0400
9033@@ -1088,7 +1088,7 @@ config PAGE_OFFSET
58c5fc13
MT
9034 hex
9035 default 0xB0000000 if VMSPLIT_3G_OPT
9036 default 0x80000000 if VMSPLIT_2G
9037- default 0x78000000 if VMSPLIT_2G_OPT
9038+ default 0x70000000 if VMSPLIT_2G_OPT
9039 default 0x40000000 if VMSPLIT_1G
9040 default 0xC0000000
9041 depends on X86_32
ae4e228f 9042@@ -1422,7 +1422,7 @@ config ARCH_USES_PG_UNCACHED
58c5fc13
MT
9043
9044 config EFI
9045 bool "EFI runtime service support"
9046- depends on ACPI
9047+ depends on ACPI && !PAX_KERNEXEC
9048 ---help---
9049 This enables the kernel to use EFI runtime services that are
9050 available (such as the EFI variable services).
ae4e228f
MT
9051@@ -1509,6 +1509,7 @@ config KEXEC_JUMP
9052 config PHYSICAL_START
9053 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9054 default "0x1000000"
9055+ range 0x400000 0x40000000
9056 ---help---
9057 This gives the physical address where the kernel is loaded.
9058
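Review bot: `range 0x400000 0x40000000` on PHYSICAL_START applies to every configuration, whereas the matching restriction added to PHYSICAL_ALIGN in the next hunk is guarded by `if PAX_KERNEXEC`. If the tighter bounds are only needed by KERNEXEC, this line should read `range 0x400000 0x40000000 if PAX_KERNEXEC` so other configurations keep their previous freedom. If the bounds are meant for everyone, the help text below should say so. The help body continues outside this hunk.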
9059@@ -1573,6 +1574,7 @@ config PHYSICAL_ALIGN
9060 hex
9061 prompt "Alignment value to which kernel should be aligned" if X86_32
9062 default "0x1000000"
9063+ range 0x400000 0x1000000 if PAX_KERNEXEC
9064 range 0x2000 0x1000000
9065 ---help---
9066 This value puts the alignment restrictions on physical address
9067@@ -1604,9 +1606,10 @@ config HOTPLUG_CPU
58c5fc13
MT
9068 Say N if you want to disable CPU hotplug.
9069
9070 config COMPAT_VDSO
9071- def_bool y
9072+ def_bool n
9073 prompt "Compat VDSO support"
9074 depends on X86_32 || IA32_EMULATION
9075+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9076 ---help---
9077 Map the 32-bit VDSO to the predictable old-style address too.
ae4e228f
MT
9078
9079diff -urNp linux-2.6.33.1/arch/x86/Kconfig.cpu linux-2.6.33.1/arch/x86/Kconfig.cpu
9080--- linux-2.6.33.1/arch/x86/Kconfig.cpu 2010-03-15 12:09:39.000000000 -0400
9081+++ linux-2.6.33.1/arch/x86/Kconfig.cpu 2010-03-20 16:58:38.984539447 -0400
9082@@ -336,7 +336,7 @@ config X86_PPRO_FENCE
58c5fc13
MT
9083
9084 config X86_F00F_BUG
9085 def_bool y
9086- depends on M586MMX || M586TSC || M586 || M486 || M386
9087+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9088
9089 config X86_WP_WORKS_OK
9090 def_bool y
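Review bot: Adding `&& !PAX_KERNEXEC` switches the F00F workaround off for exactly the CPU selections that need it. A kernel built for M586-class processors with KERNEXEC enabled is then left without the mitigation for a CPU lock-up that unprivileged code can trigger. Unless KERNEXEC is made unselectable for these CPU types elsewhere in the patch (not visible here), the conflict is better expressed on the PAX_KERNEXEC side. At minimum, that option's help text should document the trade-off.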
ae4e228f 9091@@ -356,7 +356,7 @@ config X86_POPAD_OK
58c5fc13
MT
9092
9093 config X86_ALIGNMENT_16
9094 def_bool y
9095- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9096+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9097
9098 config X86_INTEL_USERCOPY
9099 def_bool y
ae4e228f 9100@@ -402,7 +402,7 @@ config X86_CMPXCHG64
58c5fc13
MT
9101 # generates cmov.
9102 config X86_CMOV
9103 def_bool y
ae4e228f
MT
9104- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9105+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
58c5fc13
MT
9106
9107 config X86_MINIMUM_CPU_FAMILY
9108 int
ae4e228f
MT
9109diff -urNp linux-2.6.33.1/arch/x86/Kconfig.debug linux-2.6.33.1/arch/x86/Kconfig.debug
9110--- linux-2.6.33.1/arch/x86/Kconfig.debug 2010-03-15 12:09:39.000000000 -0400
9111+++ linux-2.6.33.1/arch/x86/Kconfig.debug 2010-03-20 16:58:38.984539447 -0400
58c5fc13
MT
9112@@ -99,7 +99,7 @@ config X86_PTDUMP
9113 config DEBUG_RODATA
9114 bool "Write protect kernel read-only data structures"
9115 default y
9116- depends on DEBUG_KERNEL
9117+ depends on DEBUG_KERNEL && BROKEN
9118 ---help---
9119 Mark the kernel read-only data as write-protected in the pagetables,
9120 in order to catch accidental (and incorrect) writes to such const
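Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable in every configuration, including kernels built from this tree without PAX_KERNEXEC, which as far as this hunk shows then have no option left to write-protect kernel read-only data. If the intent is that KERNEXEC supersedes this option, `depends on DEBUG_KERNEL && !PAX_KERNEXEC` states that directly and keeps the existing protection available otherwise. The help text should also name the replacement.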
ae4e228f
MT
9121diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/boot.c linux-2.6.33.1/arch/x86/kernel/acpi/boot.c
9122--- linux-2.6.33.1/arch/x86/kernel/acpi/boot.c 2010-03-15 12:09:39.000000000 -0400
9123+++ linux-2.6.33.1/arch/x86/kernel/acpi/boot.c 2010-03-20 16:58:38.988525305 -0400
9124@@ -1503,7 +1503,7 @@ static struct dmi_system_id __initdata a
58c5fc13
MT
9125 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
9126 },
9127 },
9128- {}
9129+ { NULL, NULL, {{0, {0}}}, NULL}
9130 };
9131
9132 /*
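Review bot: Replacing the `{}` terminator with the positional `{ NULL, NULL, {{0, {0}}}, NULL}` ties this table to the current field order and count of `struct dmi_system_id`. The other terminators touched by this patch spell it differently (`{DMI_MATCH(DMI_NONE, {0})}` in apm_32.c and acpi-cpufreq.c). If the goal is to silence missing-initializer warnings, a designated form such as `{ .ident = NULL }` does that without depending on layout. One spelling should be used for all of these tables.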
ae4e228f
MT
9133diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S
9134--- linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S 2010-03-15 12:09:39.000000000 -0400
9135+++ linux-2.6.33.1/arch/x86/kernel/acpi/realmode/wakeup.S 2010-03-20 16:58:38.988525305 -0400
58c5fc13
MT
9136@@ -104,7 +104,7 @@ _start:
9137 movl %eax, %ecx
9138 orl %edx, %ecx
9139 jz 1f
9140- movl $0xc0000080, %ecx
9141+ mov $MSR_EFER, %ecx
9142 wrmsr
9143 1:
9144
ae4e228f
MT
9145diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c
9146--- linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c 2010-03-15 12:09:39.000000000 -0400
9147+++ linux-2.6.33.1/arch/x86/kernel/acpi/sleep.c 2010-03-20 16:58:38.988525305 -0400
58c5fc13
MT
9148@@ -11,11 +11,12 @@
9149 #include <linux/cpumask.h>
9150 #include <asm/segment.h>
9151 #include <asm/desc.h>
9152+#include <asm/e820.h>
9153
9154 #include "realmode/wakeup.h"
9155 #include "sleep.h"
9156
9157-unsigned long acpi_wakeup_address;
9158+unsigned long acpi_wakeup_address = 0x2000;
9159 unsigned long acpi_realmode_flags;
9160
9161 /* address in low memory of the wakeup routine. */
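Review bot: `acpi_wakeup_address = 0x2000;` replaces a run-time assigned address with a bare constant, and nothing in this hunk shows that the physical page at 0x2000 is reserved for the wakeup code. Whatever reserves it (presumably code using the newly included `<asm/e820.h>`, outside this hunk) should share one named constant with this initializer so the two cannot drift apart. A comment such as `/* low-memory page reserved for the real-mode wakeup stub */` belongs on the definition.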
ae4e228f 9162@@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
58c5fc13
MT
9163 header->trampoline_segment = setup_trampoline() >> 4;
9164 #ifdef CONFIG_SMP
9165 stack_start.sp = temp_stack + sizeof(temp_stack);
9166+
ae4e228f 9167+ pax_open_kernel();
58c5fc13
MT
9168 early_gdt_descr.address =
9169 (unsigned long)get_cpu_gdt_table(smp_processor_id());
ae4e228f 9170+ pax_close_kernel();
58c5fc13
MT
9171+
9172 initial_gs = per_cpu_offset(smp_processor_id());
9173 #endif
9174 initial_code = (unsigned long)wakeup_long64;
ae4e228f
MT
9175diff -urNp linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S
9176--- linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S 2010-03-15 12:09:39.000000000 -0400
9177+++ linux-2.6.33.1/arch/x86/kernel/acpi/wakeup_32.S 2010-03-20 16:58:38.988525305 -0400
58c5fc13
MT
9178@@ -30,13 +30,11 @@ wakeup_pmode_return:
9179 # and restore the stack ... but you need gdt for this to work
9180 movl saved_context_esp, %esp
9181
9182- movl %cs:saved_magic, %eax
9183- cmpl $0x12345678, %eax
9184+ cmpl $0x12345678, saved_magic
9185 jne bogus_magic
9186
9187 # jump to place where we left off
9188- movl saved_eip, %eax
9189- jmp *%eax
9190+ jmp *(saved_eip)
9191
9192 bogus_magic:
9193 jmp bogus_magic
ae4e228f
MT
9194diff -urNp linux-2.6.33.1/arch/x86/kernel/alternative.c linux-2.6.33.1/arch/x86/kernel/alternative.c
9195--- linux-2.6.33.1/arch/x86/kernel/alternative.c 2010-03-15 12:09:39.000000000 -0400
9196+++ linux-2.6.33.1/arch/x86/kernel/alternative.c 2010-03-20 16:58:38.988525305 -0400
9197@@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
58c5fc13
MT
9198
9199 BUG_ON(p->len > MAX_PATCH_LEN);
9200 /* prep the buffer with the original instructions */
9201- memcpy(insnbuf, p->instr, p->len);
9202+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9203 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9204 (unsigned long)p->instr, p->len);
9205
ae4e228f 9206@@ -492,12 +492,16 @@ void __init alternative_instructions(voi
58c5fc13
MT
9207 * instructions. And on the local CPU you need to be protected again NMI or MCE
9208 * handlers seeing an inconsistent instruction while you patch.
9209 */
ae4e228f
MT
9210-static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9211+static void *__kprobes text_poke_early(void *addr, const void *opcode,
9212 size_t len)
58c5fc13
MT
9213 {
9214 unsigned long flags;
58c5fc13
MT
9215 local_irq_save(flags);
9216- memcpy(addr, opcode, len);
9217+
ae4e228f 9218+ pax_open_kernel();
58c5fc13 9219+ memcpy(ktla_ktva(addr), opcode, len);
ae4e228f 9220+ pax_close_kernel();
58c5fc13 9221+
58c5fc13 9222 sync_core();
ae4e228f 9223 local_irq_restore(flags);
58c5fc13 9224 /* Could also do a CLFLUSH here to speed up CPU recovery; but
ae4e228f 9225@@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
58c5fc13
MT
9226 */
9227 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
9228 {
9229- unsigned long flags;
9230- char *vaddr;
9231+ unsigned char *vaddr = ktla_ktva(addr);
9232 struct page *pages[2];
9233- int i;
9234+ size_t i;
58c5fc13 9235
ae4e228f 9236 if (!core_kernel_text((unsigned long)addr)) {
58c5fc13
MT
9237- pages[0] = vmalloc_to_page(addr);
9238- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
58c5fc13
MT
9239+ pages[0] = vmalloc_to_page(vaddr);
9240+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
9241 } else {
9242- pages[0] = virt_to_page(addr);
9243+ pages[0] = virt_to_page(vaddr);
9244 WARN_ON(!PageReserved(pages[0]));
9245- pages[1] = virt_to_page(addr + PAGE_SIZE);
9246+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
9247 }
9248 BUG_ON(!pages[0]);
9249- local_irq_save(flags);
9250- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
9251- if (pages[1])
9252- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
9253- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
9254- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
9255- clear_fixmap(FIX_TEXT_POKE0);
9256- if (pages[1])
9257- clear_fixmap(FIX_TEXT_POKE1);
9258- local_flush_tlb();
9259- sync_core();
9260- /* Could also do a CLFLUSH here to speed up CPU recovery; but
9261- that causes hangs on some VIA CPUs. */
9262+ text_poke_early(addr, opcode, len);
9263 for (i = 0; i < len; i++)
9264- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
9265- local_irq_restore(flags);
9266+ BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
9267 return addr;
9268 }
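Review bot: After this change `pages[]` is only consulted by `BUG_ON(!pages[0])` and the `WARN_ON(!PageReserved(pages[0]))`. The two `pages[1]` lookups (`vmalloc_to_page(vaddr + PAGE_SIZE)` and `virt_to_page(vaddr + PAGE_SIZE)`) feed nothing now that the fixmap alias is gone and can be removed, with the array shrunk to a single pointer. The function also lacks a comment stating that the write now goes directly through the kernel mapping inside `pax_open_kernel()`/`pax_close_kernel()` in `text_poke_early`, and that the verification loop runs after interrupts are re-enabled, which the removed code did not do. The comment block above `text_poke` ends just inside the hunk and likely still describes the old fixmap approach.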
ae4e228f
MT
9269diff -urNp linux-2.6.33.1/arch/x86/kernel/amd_iommu.c linux-2.6.33.1/arch/x86/kernel/amd_iommu.c
9270--- linux-2.6.33.1/arch/x86/kernel/amd_iommu.c 2010-03-15 12:09:39.000000000 -0400
9271+++ linux-2.6.33.1/arch/x86/kernel/amd_iommu.c 2010-03-20 16:58:38.988525305 -0400
9272@@ -2210,7 +2210,7 @@ static void prealloc_protection_domains(
9273 }
9274 }
9275
9276-static struct dma_map_ops amd_iommu_dma_ops = {
9277+static const struct dma_map_ops amd_iommu_dma_ops = {
9278 .alloc_coherent = alloc_coherent,
9279 .free_coherent = free_coherent,
9280 .map_page = map_page,
9281diff -urNp linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c
9282--- linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c 2010-03-15 12:09:39.000000000 -0400
9283+++ linux-2.6.33.1/arch/x86/kernel/apic/io_apic.c 2010-03-20 16:58:38.988525305 -0400
9284@@ -701,7 +701,7 @@ struct IO_APIC_route_entry **alloc_ioapi
9285 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
9286 GFP_ATOMIC);
9287 if (!ioapic_entries)
9288- return 0;
9289+ return NULL;
58c5fc13 9290
ae4e228f
MT
9291 for (apic = 0; apic < nr_ioapics; apic++) {
9292 ioapic_entries[apic] =
9293@@ -718,7 +718,7 @@ nomem:
9294 kfree(ioapic_entries[apic]);
9295 kfree(ioapic_entries);
58c5fc13 9296
ae4e228f
MT
9297- return 0;
9298+ return NULL;
9299 }
58c5fc13 9300
ae4e228f
MT
9301 /*
9302@@ -1135,7 +1135,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
9303 }
9304 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
9305
9306-void lock_vector_lock(void)
9307+void lock_vector_lock(void) __acquires(vector_lock)
9308 {
9309 /* Used to the online set of cpus does not change
9310 * during assign_irq_vector.
9311@@ -1143,7 +1143,7 @@ void lock_vector_lock(void)
9312 spin_lock(&vector_lock);
9313 }
9314
9315-void unlock_vector_lock(void)
9316+void unlock_vector_lock(void) __releases(vector_lock)
9317 {
9318 spin_unlock(&vector_lock);
9319 }
9320diff -urNp linux-2.6.33.1/arch/x86/kernel/apm_32.c linux-2.6.33.1/arch/x86/kernel/apm_32.c
9321--- linux-2.6.33.1/arch/x86/kernel/apm_32.c 2010-03-15 12:09:39.000000000 -0400
9322+++ linux-2.6.33.1/arch/x86/kernel/apm_32.c 2010-03-20 16:58:38.988525305 -0400
9323@@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
9324 * This is for buggy BIOS's that refer to (real mode) segment 0x40
9325 * even though they are called in protected mode.
9326 */
9327-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
9328+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
9329 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
9330
9331 static const char driver_version[] = "1.16ac"; /* no spaces */
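Review bot: The access flags change from `0x4092` to `0x4093` without a comment. The extra bit is the descriptor's Accessed flag, presumably pre-set so the CPU never has to write it back into a GDT that this patch keeps read-only outside `pax_open_kernel()` sections. A short comment on the initializer, e.g. `/* 0x93: writable data, Accessed pre-set so loading the selector does not write the GDT */`, would stop someone from reverting it to the upstream value.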
9332@@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
58c5fc13
MT
9333 BUG_ON(cpu != 0);
9334 gdt = get_cpu_gdt_table(cpu);
9335 save_desc_40 = gdt[0x40 / 8];
9336+
ae4e228f 9337+ pax_open_kernel();
58c5fc13 9338 gdt[0x40 / 8] = bad_bios_desc;
ae4e228f 9339+ pax_close_kernel();
58c5fc13 9340
58c5fc13
MT
9341 apm_irq_save(flags);
9342 APM_DO_SAVE_SEGS;
ae4e228f 9343@@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
58c5fc13
MT
9344 &call->esi);
9345 APM_DO_RESTORE_SEGS;
9346 apm_irq_restore(flags);
9347+
ae4e228f 9348+ pax_open_kernel();
58c5fc13 9349 gdt[0x40 / 8] = save_desc_40;
ae4e228f 9350+ pax_close_kernel();
58c5fc13
MT
9351+
9352 put_cpu();
9353
9354 return call->eax & 0xff;
ae4e228f 9355@@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
58c5fc13
MT
9356 BUG_ON(cpu != 0);
9357 gdt = get_cpu_gdt_table(cpu);
9358 save_desc_40 = gdt[0x40 / 8];
9359+
ae4e228f 9360+ pax_open_kernel();
58c5fc13 9361 gdt[0x40 / 8] = bad_bios_desc;
ae4e228f 9362+ pax_close_kernel();
58c5fc13 9363
58c5fc13
MT
9364 apm_irq_save(flags);
9365 APM_DO_SAVE_SEGS;
ae4e228f 9366@@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
58c5fc13
MT
9367 &call->eax);
9368 APM_DO_RESTORE_SEGS;
9369 apm_irq_restore(flags);
9370+
ae4e228f 9371+ pax_open_kernel();
58c5fc13 9372 gdt[0x40 / 8] = save_desc_40;
ae4e228f 9373+ pax_close_kernel();
58c5fc13
MT
9374+
9375 put_cpu();
9376 return error;
9377 }
ae4e228f 9378@@ -975,7 +989,7 @@ recalc:
58c5fc13
MT
9379
9380 static void apm_power_off(void)
9381 {
9382- unsigned char po_bios_call[] = {
9383+ const unsigned char po_bios_call[] = {
9384 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
9385 0x8e, 0xd0, /* movw ax,ss */
9386 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
ae4e228f 9387@@ -1931,7 +1945,10 @@ static const struct file_operations apm_
58c5fc13
MT
9388 static struct miscdevice apm_device = {
9389 APM_MINOR_DEV,
9390 "apm_bios",
9391- &apm_bios_fops
9392+ &apm_bios_fops,
9393+ {NULL, NULL},
9394+ NULL,
9395+ NULL
9396 };
9397
9398
ae4e228f 9399@@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
58c5fc13
MT
9400 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
9401 },
9402
9403- { }
9404+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
9405 };
9406
9407 /*
ae4e228f 9408@@ -2355,12 +2372,15 @@ static int __init apm_init(void)
58c5fc13
MT
9409 * code to that CPU.
9410 */
9411 gdt = get_cpu_gdt_table(0);
9412+
ae4e228f
MT
9413+ pax_open_kernel();
9414 set_desc_base(&gdt[APM_CS >> 3],
9415 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
9416 set_desc_base(&gdt[APM_CS_16 >> 3],
9417 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
9418 set_desc_base(&gdt[APM_DS >> 3],
9419 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
9420+ pax_close_kernel();
58c5fc13 9421
58c5fc13
MT
9422 proc_create("apm", 0, NULL, &apm_file_ops);
9423
ae4e228f
MT
9424diff -urNp linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c
9425--- linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c 2010-03-15 12:09:39.000000000 -0400
9426+++ linux-2.6.33.1/arch/x86/kernel/asm-offsets_32.c 2010-03-20 16:58:38.988525305 -0400
9427@@ -115,6 +115,11 @@ void foo(void)
58c5fc13
MT
9428 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
9429 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
9430 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
ae4e228f
MT
9431+
9432+#ifdef CONFIG_PAX_KERNEXEC
58c5fc13 9433+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
ae4e228f
MT
9434+#endif
9435+
58c5fc13
MT
9436 #endif
9437
9438 #ifdef CONFIG_XEN
ae4e228f
MT
9439diff -urNp linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c
9440--- linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c 2010-03-15 12:09:39.000000000 -0400
9441+++ linux-2.6.33.1/arch/x86/kernel/asm-offsets_64.c 2010-03-20 16:58:38.988525305 -0400
9442@@ -63,6 +63,12 @@ int main(void)
9443 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
9444 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
9445 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
9446+
9447+#ifdef CONFIG_PAX_KERNEXEC
9448+ OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
9449+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
9450+#endif
9451+
9452 #endif
9453
9454
9455@@ -115,6 +121,7 @@ int main(void)
58c5fc13
MT
9456 ENTRY(cr8);
9457 BLANK();
9458 #undef ENTRY
9459+ DEFINE(TSS_size, sizeof(struct tss_struct));
9460 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
9461 BLANK();
9462 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
ae4e228f
MT
9463diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/common.c linux-2.6.33.1/arch/x86/kernel/cpu/common.c
9464--- linux-2.6.33.1/arch/x86/kernel/cpu/common.c 2010-03-15 12:09:39.000000000 -0400
9465+++ linux-2.6.33.1/arch/x86/kernel/cpu/common.c 2010-03-20 16:58:38.992510812 -0400
9466@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
58c5fc13
MT
9467
9468 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
9469
9470-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
9471-#ifdef CONFIG_X86_64
9472- /*
9473- * We need valid kernel segments for data and code in long mode too
9474- * IRET will check the segment types kkeil 2000/10/28
9475- * Also sysret mandates a special GDT layout
9476- *
9477- * TLS descriptors are currently at a different place compared to i386.
9478- * Hopefully nobody expects them at a fixed place (Wine?)
9479- */
ae4e228f
MT
9480- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
9481- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
9482- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
9483- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
9484- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
9485- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
58c5fc13 9486-#else
ae4e228f
MT
9487- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
9488- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9489- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
9490- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
58c5fc13
MT
9491- /*
9492- * Segments used for calling PnP BIOS have byte granularity.
9493- * They code segments and data segments have fixed 64k limits,
9494- * the transfer segment sizes are set at run time.
9495- */
9496- /* 32-bit code */
ae4e228f 9497- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
58c5fc13 9498- /* 16-bit code */
ae4e228f 9499- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
58c5fc13 9500- /* 16-bit data */
ae4e228f 9501- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
58c5fc13 9502- /* 16-bit data */
ae4e228f 9503- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
58c5fc13 9504- /* 16-bit data */
ae4e228f 9505- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
58c5fc13
MT
9506- /*
9507- * The APM segments have byte granularity and their bases
9508- * are set at run time. All have 64k limits.
9509- */
9510- /* 32-bit code */
ae4e228f 9511- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
58c5fc13 9512- /* 16-bit code */
ae4e228f 9513- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
58c5fc13 9514- /* data */
ae4e228f 9515- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
58c5fc13 9516-
ae4e228f
MT
9517- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
9518- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
58c5fc13
MT
9519- GDT_STACK_CANARY_INIT
9520-#endif
9521-} };
9522-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
9523-
9524 static int __init x86_xsave_setup(char *s)
9525 {
9526 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
ae4e228f 9527@@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
58c5fc13
MT
9528 {
9529 struct desc_ptr gdt_descr;
9530
9531- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
9532+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
9533 gdt_descr.size = GDT_SIZE - 1;
9534 load_gdt(&gdt_descr);
9535 /* Reload the per-cpu base */
ae4e228f 9536@@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
58c5fc13
MT
9537 /* Filter out anything that depends on CPUID levels we don't have */
9538 filter_cpuid_features(c, true);
9539
ae4e228f 9540+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
58c5fc13
MT
9541+ setup_clear_cpu_cap(X86_FEATURE_SEP);
9542+#endif
9543+
9544 /* If the model name is still unset, do table lookup. */
9545 if (!c->x86_model_id[0]) {
9546 const char *p;
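Review bot: The new `setup_clear_cpu_cap(X86_FEATURE_SEP);` block has no comment saying why SYSENTER is hidden when SEGMEXEC, KERNEXEC or 32-bit UDEREF is configured. Presumably the fixed flat segments that SYSENTER/SYSEXIT load conflict with the segment layout these features rely on, but a reader of `identify_cpu` cannot tell that from here. A line such as `/* SEP assumes flat segments; incompatible with the PaX segment-based layouts */` above the `#if` would document it, once the actual reason is confirmed. The function body continues outside the hunk.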
ae4e228f 9547@@ -1103,7 +1053,7 @@ void __cpuinit cpu_init(void)
58c5fc13
MT
9548 int i;
9549
9550 cpu = stack_smp_processor_id();
9551- t = &per_cpu(init_tss, cpu);
9552+ t = init_tss + cpu;
ae4e228f 9553 oist = &per_cpu(orig_ist, cpu);
58c5fc13
MT
9554
9555 #ifdef CONFIG_NUMA
ae4e228f 9556@@ -1201,7 +1151,7 @@ void __cpuinit cpu_init(void)
58c5fc13
MT
9557 {
9558 int cpu = smp_processor_id();
9559 struct task_struct *curr = current;
9560- struct tss_struct *t = &per_cpu(init_tss, cpu);
9561+ struct tss_struct *t = init_tss + cpu;
9562 struct thread_struct *thread = &curr->thread;
9563
9564 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
ae4e228f
MT
9565diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
9566--- linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-03-15 12:09:39.000000000 -0400
9567+++ linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-03-20 16:58:38.992510812 -0400
9568@@ -523,7 +523,7 @@ static const struct dmi_system_id sw_any
58c5fc13
MT
9569 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
9570 },
9571 },
9572- { }
9573+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
9574 };
58c5fc13 9575
ae4e228f
MT
9576 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
9577diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
9578--- linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-03-15 12:09:39.000000000 -0400
9579+++ linux-2.6.33.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-03-20 16:58:38.992510812 -0400
58c5fc13
MT
9580@@ -225,7 +225,7 @@ static struct cpu_model models[] =
9581 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
9582 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
9583
9584- { NULL, }
9585+ { NULL, NULL, 0, NULL}
9586 };
9587 #undef _BANIAS
9588 #undef BANIAS
ae4e228f
MT
9589diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/intel.c linux-2.6.33.1/arch/x86/kernel/cpu/intel.c
9590--- linux-2.6.33.1/arch/x86/kernel/cpu/intel.c 2010-03-15 12:09:39.000000000 -0400
9591+++ linux-2.6.33.1/arch/x86/kernel/cpu/intel.c 2010-03-20 16:58:38.992510812 -0400
9592@@ -139,7 +139,7 @@ static void __cpuinit trap_init_f00f_bug
58c5fc13
MT
9593 * Update the IDT descriptor and reload the IDT so that
9594 * it uses the read-only mapped virtual address.
9595 */
9596- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
9597+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
9598 load_idt(&idt_descr);
9599 }
9600 #endif
ae4e228f
MT
9601diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c
9602--- linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-03-15 12:09:39.000000000 -0400
9603+++ linux-2.6.33.1/arch/x86/kernel/cpu/intel_cacheinfo.c 2010-03-20 16:58:38.992510812 -0400
9604@@ -848,7 +848,7 @@ static ssize_t store(struct kobject *kob
9605 return ret;
9606 }
9607
9608-static struct sysfs_ops sysfs_ops = {
9609+static const struct sysfs_ops sysfs_ops = {
9610 .show = show,
9611 .store = store,
9612 };
9613diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/Makefile linux-2.6.33.1/arch/x86/kernel/cpu/Makefile
9614--- linux-2.6.33.1/arch/x86/kernel/cpu/Makefile 2010-03-15 12:09:39.000000000 -0400
9615+++ linux-2.6.33.1/arch/x86/kernel/cpu/Makefile 2010-03-20 16:58:38.992510812 -0400
9616@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
9617 CFLAGS_REMOVE_perf_event.o = -pg
58c5fc13
MT
9618 endif
9619
9620-# Make sure load_percpu_segment has no stackprotector
9621-nostackp := $(call cc-option, -fno-stack-protector)
9622-CFLAGS_common.o := $(nostackp)
9623-
9624 obj-y := intel_cacheinfo.o addon_cpuid_features.o
9625 obj-y += proc.o capflags.o powerflags.o common.o
ae4e228f
MT
9626 obj-y += vmware.o hypervisor.o sched.o
9627diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c
9628--- linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-03-15 12:09:39.000000000 -0400
9629+++ linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce_amd.c 2010-03-20 16:58:38.992510812 -0400
9630@@ -388,7 +388,7 @@ static ssize_t store(struct kobject *kob
9631 return ret;
9632 }
9633
9634-static struct sysfs_ops threshold_ops = {
9635+static const struct sysfs_ops threshold_ops = {
9636 .show = show,
9637 .store = store,
9638 };
9639diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c
9640--- linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c 2010-03-15 12:09:39.000000000 -0400
9641+++ linux-2.6.33.1/arch/x86/kernel/cpu/mcheck/mce.c 2010-03-20 16:58:38.992510812 -0400
9642@@ -201,7 +201,7 @@ static void print_mce(struct mce *m)
9643 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
9644 m->cs, m->ip);
9645
9646- if (m->cs == __KERNEL_CS)
9647+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
9648 print_symbol("{%s}", m->ip);
9649 pr_cont("\n");
9650 }
9651@@ -1444,14 +1444,14 @@ void __cpuinit mcheck_cpu_init(struct cp
58c5fc13
MT
9652 */
9653
9654 static DEFINE_SPINLOCK(mce_state_lock);
9655-static int open_count; /* #times opened */
9656+static atomic_t open_count; /* #times opened */
9657 static int open_exclu; /* already open exclusive? */
9658
9659 static int mce_open(struct inode *inode, struct file *file)
9660 {
9661 spin_lock(&mce_state_lock);
9662
9663- if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
9664+ if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
9665 spin_unlock(&mce_state_lock);
9666
9667 return -EBUSY;
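Review bot: open_count becomes an atomic_t, yet the read shown here and the updates in the two following hunks (`atomic_inc` in mce_open, `atomic_dec` in mce_release) all sit inside mce_state_lock, and open_exclu beside it stays a plain int under the same lock. The atomic type therefore adds nothing for mutual exclusion, and the reason for choosing it is not stated anywhere in these hunks. I would record it at the declaration, for example `static atomic_t open_count; /* #times opened; still guarded by mce_state_lock, atomic_t because <reason> */`. mce_open's body continues outside this hunk.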
ae4e228f 9668@@ -1459,7 +1459,7 @@ static int mce_open(struct inode *inode,
58c5fc13
MT
9669
9670 if (file->f_flags & O_EXCL)
9671 open_exclu = 1;
9672- open_count++;
9673+ atomic_inc(&open_count);
9674
9675 spin_unlock(&mce_state_lock);
9676
ae4e228f 9677@@ -1470,7 +1470,7 @@ static int mce_release(struct inode *ino
58c5fc13
MT
9678 {
9679 spin_lock(&mce_state_lock);
9680
9681- open_count--;
9682+ atomic_dec(&open_count);
9683 open_exclu = 0;
9684
9685 spin_unlock(&mce_state_lock);
ae4e228f 9686@@ -1610,6 +1610,7 @@ static struct miscdevice mce_log_device
58c5fc13
MT
9687 MISC_MCELOG_MINOR,
9688 "mcelog",
9689 &mce_chrdev_ops,
9690+ {NULL, NULL}, NULL, NULL
9691 };
9692
9693 /*
ae4e228f
MT
9694diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c
9695--- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c 2010-03-15 12:09:39.000000000 -0400
9696+++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/amd.c 2010-03-20 16:58:38.992510812 -0400
9697@@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
9698 return 0;
9699 }
9700
9701-static struct mtrr_ops amd_mtrr_ops = {
9702+static const struct mtrr_ops amd_mtrr_ops = {
9703 .vendor = X86_VENDOR_AMD,
9704 .set = amd_set_mtrr,
9705 .get = amd_get_mtrr,
9706diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c
9707--- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c 2010-03-15 12:09:39.000000000 -0400
9708+++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/centaur.c 2010-03-20 16:58:38.992510812 -0400
9709@@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
9710 return 0;
9711 }
9712
9713-static struct mtrr_ops centaur_mtrr_ops = {
9714+static const struct mtrr_ops centaur_mtrr_ops = {
9715 .vendor = X86_VENDOR_CENTAUR,
9716 .set = centaur_set_mcr,
9717 .get = centaur_get_mcr,
9718diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c
9719--- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-03-15 12:09:39.000000000 -0400
9720+++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/cyrix.c 2010-03-20 16:58:38.992510812 -0400
9721@@ -265,7 +265,7 @@ static void cyrix_set_all(void)
9722 post_set();
9723 }
9724
9725-static struct mtrr_ops cyrix_mtrr_ops = {
9726+static const struct mtrr_ops cyrix_mtrr_ops = {
9727 .vendor = X86_VENDOR_CYRIX,
9728 .set_all = cyrix_set_all,
9729 .set = cyrix_set_arr,
9730diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c
9731--- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c 2010-03-15 12:09:39.000000000 -0400
9732+++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/generic.c 2010-03-20 16:58:38.992510812 -0400
9733@@ -29,7 +29,7 @@ static struct fixed_range_block fixed_ra
9734 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
9735 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
9736 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
58c5fc13
MT
9737- {}
9738+ { 0, 0 }
9739 };
9740
9741 static unsigned long smp_changes_mask;
ae4e228f
MT
9742@@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
9743 /*
9744 * Generic structure...
9745 */
9746-struct mtrr_ops generic_mtrr_ops = {
9747+const struct mtrr_ops generic_mtrr_ops = {
9748 .use_intel_if = 1,
9749 .set_all = generic_set_all,
9750 .get = generic_get_mtrr,
9751diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c
9752--- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c 2010-03-15 12:09:39.000000000 -0400
9753+++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/main.c 2010-03-20 16:58:38.996547732 -0400
9754@@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
9755 u64 size_or_mask, size_and_mask;
9756 static bool mtrr_aps_delayed_init;
9757
9758-static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
9759+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
9760
9761-struct mtrr_ops *mtrr_if;
9762+const struct mtrr_ops *mtrr_if;
9763
9764 static void set_mtrr(unsigned int reg, unsigned long base,
9765 unsigned long size, mtrr_type type);
9766
9767-void set_mtrr_ops(struct mtrr_ops *ops)
9768+void set_mtrr_ops(const struct mtrr_ops *ops)
9769 {
9770 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
9771 mtrr_ops[ops->vendor] = ops;
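Review bot: mtrr_ops[] gains `__read_only`, but set_mtrr_ops() in the same hunk still stores into it with `mtrr_ops[ops->vendor] = ops;`, so the function is presumably only safe to call before that data is write-protected, and nothing here enforces or documents that. mtrr_if, the pointer that the is_cpu() and use_intel() macros in mtrr.h actually dereference, gets a const target but no `__read_only`, so the selector itself stays writable. I would add `/* boot-time only: mtrr_ops[] is __read_only afterwards */` above set_mtrr_ops and, if mtrr_if is assigned only during init (not visible here), mark it `__read_only` as well. set_mtrr_ops's body continues past the end of the hunk.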
9772diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h
9773--- linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-03-15 12:09:39.000000000 -0400
9774+++ linux-2.6.33.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-03-20 16:58:38.996547732 -0400
9775@@ -12,19 +12,19 @@
9776 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
9777
9778 struct mtrr_ops {
9779- u32 vendor;
9780- u32 use_intel_if;
9781- void (*set)(unsigned int reg, unsigned long base,
9782+ const u32 vendor;
9783+ const u32 use_intel_if;
9784+ void (* const set)(unsigned int reg, unsigned long base,
9785 unsigned long size, mtrr_type type);
9786- void (*set_all)(void);
9787+ void (* const set_all)(void);
9788
9789- void (*get)(unsigned int reg, unsigned long *base,
9790+ void (* const get)(unsigned int reg, unsigned long *base,
9791 unsigned long *size, mtrr_type *type);
9792- int (*get_free_region)(unsigned long base, unsigned long size,
9793+ int (* const get_free_region)(unsigned long base, unsigned long size,
9794 int replace_reg);
9795- int (*validate_add_page)(unsigned long base, unsigned long size,
9796+ int (* const validate_add_page)(unsigned long base, unsigned long size,
9797 unsigned int type);
9798- int (*have_wrcomb)(void);
9799+ int (* const have_wrcomb)(void);
9800 };
9801
9802 extern int generic_get_free_region(unsigned long base, unsigned long size,
9803@@ -32,7 +32,7 @@ extern int generic_get_free_region(unsig
9804 extern int generic_validate_add_page(unsigned long base, unsigned long size,
9805 unsigned int type);
9806
9807-extern struct mtrr_ops generic_mtrr_ops;
9808+extern const struct mtrr_ops generic_mtrr_ops;
9809
9810 extern int positive_have_wrcomb(void);
9811
9812@@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
9813 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
9814 void get_mtrr_state(void);
9815
9816-extern void set_mtrr_ops(struct mtrr_ops *ops);
9817+extern void set_mtrr_ops(const struct mtrr_ops *ops);
9818
9819 extern u64 size_or_mask, size_and_mask;
9820-extern struct mtrr_ops *mtrr_if;
9821+extern const struct mtrr_ops *mtrr_if;
9822
9823 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
9824 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
9825diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c
9826--- linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-03-15 12:09:39.000000000 -0400
9827+++ linux-2.6.33.1/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-03-20 16:58:38.996547732 -0400
9828@@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
9829
9830 /* Interface defining a CPU specific perfctr watchdog */
9831 struct wd_ops {
9832- int (*reserve)(void);
9833- void (*unreserve)(void);
9834- int (*setup)(unsigned nmi_hz);
9835- void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9836- void (*stop)(void);
9837+ int (* const reserve)(void);
9838+ void (* const unreserve)(void);
9839+ int (* const setup)(unsigned nmi_hz);
9840+ void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
9841+ void (* const stop)(void);
9842 unsigned perfctr;
9843 unsigned evntsel;
9844 u64 checkbit;
9845@@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
9846 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
9847 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
9848
9849+/* cannot be const */
9850 static struct wd_ops intel_arch_wd_ops;
9851
9852 static int setup_intel_arch_watchdog(unsigned nmi_hz)
9853@@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
9854 return 1;
9855 }
58c5fc13 9856
ae4e228f
MT
9857+/* cannot be const */
9858 static struct wd_ops intel_arch_wd_ops __read_mostly = {
9859 .reserve = single_msr_reserve,
9860 .unreserve = single_msr_unreserve,
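Review bot: `/* cannot be const */` does not say why, and the object it marks is left in writable `__read_mostly` data, so for intel_arch_wd_ops the `* const` qualifiers this patch puts on wd_ops's function pointers are a compile-time restriction only. The comment should carry the reason and the consequence, e.g. `/* not const: <members written at runtime>; its function pointers stay in writable memory */`; presumably setup_intel_arch_watchdog, whose body is outside these hunks, stores into it. The same bare comment is added at the forward declaration in the previous hunk. The initialiser continues past the end of this hunk.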
9861diff -urNp linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c
9862--- linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c 2010-03-15 12:09:39.000000000 -0400
9863+++ linux-2.6.33.1/arch/x86/kernel/cpu/perf_event.c 2010-03-20 16:58:38.996547732 -0400
9864@@ -2426,7 +2426,7 @@ perf_callchain_user(struct pt_regs *regs
9865 break;
58c5fc13 9866
ae4e228f
MT
9867 callchain_store(entry, frame.return_address);
9868- fp = frame.next_frame;
9869+ fp = (__force const void __user *)frame.next_frame;
9870 }
9871 }
9872
9873diff -urNp linux-2.6.33.1/arch/x86/kernel/crash.c linux-2.6.33.1/arch/x86/kernel/crash.c
9874--- linux-2.6.33.1/arch/x86/kernel/crash.c 2010-03-15 12:09:39.000000000 -0400
9875+++ linux-2.6.33.1/arch/x86/kernel/crash.c 2010-03-20 16:58:38.996547732 -0400
9876@@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
58c5fc13
MT
9877 regs = args->regs;
9878
9879 #ifdef CONFIG_X86_32
9880- if (!user_mode_vm(regs)) {
9881+ if (!user_mode(regs)) {
9882 crash_fixup_ss_esp(&fixed_regs, regs);
9883 regs = &fixed_regs;
9884 }
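Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if user_mode() in this patched tree also treats a vm86 frame (EFLAGS.VM set) as user mode, and that definition is not in this hunk. If it still tests only the CS privilege bits, a vm86 frame would be taken for a kernel frame here and passed through crash_fixup_ss_esp(). A comment such as `/* user_mode() covers vm86 frames in this tree */` at one of the converted sites would make the dependency checkable. The same substitution is made in show_registers() in dumpstack_32.c and in __die() and die() in dumpstack.c; kdump_nmi_callback's body extends beyond this hunk.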
ae4e228f
MT
9885diff -urNp linux-2.6.33.1/arch/x86/kernel/doublefault_32.c linux-2.6.33.1/arch/x86/kernel/doublefault_32.c
9886--- linux-2.6.33.1/arch/x86/kernel/doublefault_32.c 2010-03-15 12:09:39.000000000 -0400
9887+++ linux-2.6.33.1/arch/x86/kernel/doublefault_32.c 2010-03-20 16:58:38.996547732 -0400
58c5fc13
MT
9888@@ -11,7 +11,7 @@
9889
9890 #define DOUBLEFAULT_STACKSIZE (1024)
9891 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
9892-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
9893+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
9894
9895 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
9896
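Review bot: The `-2` added to STACK_START is an unexplained magic number, and because doublefault_stack is an array of unsigned long it moves the initial stack pointer two words below the end of the array, not two bytes. A short comment would record the intent, e.g. `/* leave two words free at the top of the double-fault stack: <reason> */`, so the value is not "tidied" away later.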
9897@@ -21,7 +21,7 @@ static void doublefault_fn(void)
9898 unsigned long gdt, tss;
9899
9900 store_gdt(&gdt_desc);
9901- gdt = gdt_desc.address;
9902+ gdt = (unsigned long)gdt_desc.address;
9903
9904 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
9905
ae4e228f 9906@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
58c5fc13
MT
9907 /* 0x2 bit is always set */
9908 .flags = X86_EFLAGS_SF | 0x2,
9909 .sp = STACK_START,
9910- .es = __USER_DS,
9911+ .es = __KERNEL_DS,
9912 .cs = __KERNEL_CS,
9913 .ss = __KERNEL_DS,
9914- .ds = __USER_DS,
9915+ .ds = __KERNEL_DS,
9916 .fs = __KERNEL_PERCPU,
9917
9918 .__cr3 = __pa_nodebug(swapper_pg_dir),
ae4e228f
MT
9919diff -urNp linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c
9920--- linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c 2010-03-15 12:09:39.000000000 -0400
9921+++ linux-2.6.33.1/arch/x86/kernel/dumpstack_32.c 2010-03-20 16:58:38.996547732 -0400
9922@@ -112,11 +112,12 @@ void show_registers(struct pt_regs *regs
58c5fc13
MT
9923 * When in-kernel, we also print out the stack and code at the
9924 * time of the fault..
9925 */
9926- if (!user_mode_vm(regs)) {
9927+ if (!user_mode(regs)) {
9928 unsigned int code_prologue = code_bytes * 43 / 64;
9929 unsigned int code_len = code_bytes;
9930 unsigned char c;
9931 u8 *ip;
9932+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
9933
9934 printk(KERN_EMERG "Stack:\n");
9935 show_stack_log_lvl(NULL, regs, &regs->sp,
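Review bot: cs_base is read from the GDT at index `(0xffff & regs->cs) >> 3` with no check that the index is below GDT_ENTRIES, so a damaged pt_regs reaching this oops path would make the dump code itself read outside the table. In the `!user_mode(regs)` branch the selector normally comes from the CPU, so as far as the hunk shows this is a robustness point rather than a reachable bug. I would split the line: `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `unsigned long cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. show_registers begins and ends outside the hunk.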
ae4e228f 9936@@ -124,10 +125,10 @@ void show_registers(struct pt_regs *regs
58c5fc13
MT
9937
9938 printk(KERN_EMERG "Code: ");
9939
9940- ip = (u8 *)regs->ip - code_prologue;
9941+ ip = (u8 *)regs->ip - code_prologue + cs_base;
9942 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
9943 /* try starting at IP */
9944- ip = (u8 *)regs->ip;
9945+ ip = (u8 *)regs->ip + cs_base;
9946 code_len = code_len - code_prologue + 1;
9947 }
9948 for (i = 0; i < code_len; i++, ip++) {
ae4e228f 9949@@ -136,7 +137,7 @@ void show_registers(struct pt_regs *regs
58c5fc13
MT
9950 printk(" Bad EIP value.");
9951 break;
9952 }
9953- if (ip == (u8 *)regs->ip)
9954+ if (ip == (u8 *)regs->ip + cs_base)
9955 printk("<%02x> ", c);
9956 else
9957 printk("%02x ", c);
ae4e228f 9958@@ -149,6 +150,7 @@ int is_valid_bugaddr(unsigned long ip)
58c5fc13
MT
9959 {
9960 unsigned short ud2;
9961
9962+ ip = ktla_ktva(ip);
9963 if (ip < PAGE_OFFSET)
9964 return 0;
9965 if (probe_kernel_address((unsigned short *)ip, ud2))
ae4e228f
MT
9966diff -urNp linux-2.6.33.1/arch/x86/kernel/dumpstack.c linux-2.6.33.1/arch/x86/kernel/dumpstack.c
9967--- linux-2.6.33.1/arch/x86/kernel/dumpstack.c 2010-03-15 12:09:39.000000000 -0400
9968+++ linux-2.6.33.1/arch/x86/kernel/dumpstack.c 2010-03-20 16:58:38.996547732 -0400
9969@@ -207,7 +207,7 @@ void dump_stack(void)
58c5fc13
MT
9970 #endif
9971
9972 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
9973- current->pid, current->comm, print_tainted(),
9974+ task_pid_nr(current), current->comm, print_tainted(),
9975 init_utsname()->release,
9976 (int)strcspn(init_utsname()->version, " "),
9977 init_utsname()->version);
ae4e228f 9978@@ -268,7 +268,7 @@ void __kprobes oops_end(unsigned long fl
58c5fc13
MT
9979 panic("Fatal exception in interrupt");
9980 if (panic_on_oops)
9981 panic("Fatal exception");
9982- do_exit(signr);
9983+ do_group_exit(signr);
9984 }
9985
9986 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
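Review bot: Switching oops_end() from `do_exit(signr)` to `do_group_exit(signr)` changes what an oops terminates, from the faulting task to its whole thread group, and the hunk carries no comment saying so. Because this is a policy decision with a visible effect on multi-threaded services, I would add `/* after an oops, terminate the whole thread group, not just the faulting thread */` above the call. oops_end starts outside the hunk.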
ae4e228f
MT
9987@@ -295,7 +295,7 @@ int __kprobes __die(const char *str, str
9988
9989 show_registers(regs);
9990 #ifdef CONFIG_X86_32
9991- if (user_mode_vm(regs)) {
9992+ if (user_mode(regs)) {
9993 sp = regs->sp;
9994 ss = regs->ss & 0xffff;
9995 } else {
9996@@ -323,7 +323,7 @@ void die(const char *str, struct pt_regs
58c5fc13
MT
9997 unsigned long flags = oops_begin();
9998 int sig = SIGSEGV;
9999
10000- if (!user_mode_vm(regs))
10001+ if (!user_mode(regs))
10002 report_bug(regs->ip, regs);
10003
10004 if (__die(str, regs, err))
ae4e228f
MT
10005diff -urNp linux-2.6.33.1/arch/x86/kernel/e820.c linux-2.6.33.1/arch/x86/kernel/e820.c
10006--- linux-2.6.33.1/arch/x86/kernel/e820.c 2010-03-15 12:09:39.000000000 -0400
10007+++ linux-2.6.33.1/arch/x86/kernel/e820.c 2010-03-20 16:58:38.996547732 -0400
10008@@ -28,6 +28,8 @@
10009 #include <asm/setup.h>
10010 #include <asm/trampoline.h>
10011
10012+#include "acpi/realmode/wakeup.h"
10013+
10014 /*
10015 * The e820 map is the map that gets modified e.g. with command line parameters
10016 * and that is also registered with modifications in the kernel resource tree
10017@@ -741,8 +743,7 @@ static struct early_res early_res[MAX_EA
10018 */
10019 { PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE", 1 },
10020 #endif
10021-
58c5fc13 10022- {}
58c5fc13
MT
10023+ { 0, 0, {0}, 0 }
10024 };
10025
10026 static int __init find_overlapped_early(u64 start, u64 end)
ae4e228f
MT
10027diff -urNp linux-2.6.33.1/arch/x86/kernel/efi_32.c linux-2.6.33.1/arch/x86/kernel/efi_32.c
10028--- linux-2.6.33.1/arch/x86/kernel/efi_32.c 2010-03-15 12:09:39.000000000 -0400
10029+++ linux-2.6.33.1/arch/x86/kernel/efi_32.c 2010-03-20 16:58:38.996547732 -0400
58c5fc13
MT
10030@@ -38,70 +38,38 @@
10031 */
10032
10033 static unsigned long efi_rt_eflags;
10034-static pgd_t efi_bak_pg_dir_pointer[2];
10035+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10036
10037-void efi_call_phys_prelog(void)
10038+void __init efi_call_phys_prelog(void)
10039 {
10040- unsigned long cr4;
10041- unsigned long temp;
10042 struct desc_ptr gdt_descr;
10043
10044 local_irq_save(efi_rt_eflags);
10045
10046- /*
10047- * If I don't have PAE, I should just duplicate two entries in page
10048- * directory. If I have PAE, I just need to duplicate one entry in
10049- * page directory.
10050- */
10051- cr4 = read_cr4_safe();
10052
10053- if (cr4 & X86_CR4_PAE) {
10054- efi_bak_pg_dir_pointer[0].pgd =
10055- swapper_pg_dir[pgd_index(0)].pgd;
10056- swapper_pg_dir[0].pgd =
10057- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10058- } else {
10059- efi_bak_pg_dir_pointer[0].pgd =
10060- swapper_pg_dir[pgd_index(0)].pgd;
10061- efi_bak_pg_dir_pointer[1].pgd =
10062- swapper_pg_dir[pgd_index(0x400000)].pgd;
10063- swapper_pg_dir[pgd_index(0)].pgd =
10064- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10065- temp = PAGE_OFFSET + 0x400000;
10066- swapper_pg_dir[pgd_index(0x400000)].pgd =
10067- swapper_pg_dir[pgd_index(temp)].pgd;
10068- }
10069+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10070+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10071+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10072
10073 /*
10074 * After the lock is released, the original page table is restored.
10075 */
10076 __flush_tlb_all();
10077
10078- gdt_descr.address = __pa(get_cpu_gdt_table(0));
10079+ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10080 gdt_descr.size = GDT_SIZE - 1;
10081 load_gdt(&gdt_descr);
10082 }
10083
10084-void efi_call_phys_epilog(void)
10085+void __init efi_call_phys_epilog(void)
10086 {
10087- unsigned long cr4;
10088 struct desc_ptr gdt_descr;
10089
10090- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10091+ gdt_descr.address = get_cpu_gdt_table(0);
10092 gdt_descr.size = GDT_SIZE - 1;
10093 load_gdt(&gdt_descr);
10094
10095- cr4 = read_cr4_safe();
10096-
10097- if (cr4 & X86_CR4_PAE) {
10098- swapper_pg_dir[pgd_index(0)].pgd =
10099- efi_bak_pg_dir_pointer[0].pgd;
10100- } else {
10101- swapper_pg_dir[pgd_index(0)].pgd =
10102- efi_bak_pg_dir_pointer[0].pgd;
10103- swapper_pg_dir[pgd_index(0x400000)].pgd =
10104- efi_bak_pg_dir_pointer[1].pgd;
10105- }
10106+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10107
10108 /*
10109 * After the lock is released, the original page table is restored.
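Review bot: efi_call_phys_prelog() and efi_call_phys_epilog() become `__init` and their backup array `__initdata`, so a call made after init memory is released would run discarded code; whether every caller is itself boot-only cannot be seen from this hunk. Please state the constraint at the definitions, e.g. `/* __init: physical-mode EFI calls are made during boot only */`, and confirm the callers are annotated to match. Separately, `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` now stores a physical address in a pointer-typed field, which deserves a one-line comment so nobody dereferences it. efi_call_phys_epilog continues past the end of the hunk.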
ae4e228f
MT
10110diff -urNp linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S
10111--- linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S 2010-03-15 12:09:39.000000000 -0400
10112+++ linux-2.6.33.1/arch/x86/kernel/efi_stub_32.S 2010-03-20 16:58:38.996547732 -0400
58c5fc13
MT
10113@@ -6,6 +6,7 @@
10114 */
10115
10116 #include <linux/linkage.h>
10117+#include <linux/init.h>
10118 #include <asm/page_types.h>
10119
10120 /*
10121@@ -20,7 +21,7 @@
10122 * service functions will comply with gcc calling convention, too.
10123 */
10124
10125-.text
10126+__INIT
10127 ENTRY(efi_call_phys)
10128 /*
10129 * 0. The function can only be called in Linux kernel. So CS has been
10130@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10131 * The mapping of lower virtual memory has been created in prelog and
10132 * epilog.
10133 */
10134- movl $1f, %edx
10135- subl $__PAGE_OFFSET, %edx
10136- jmp *%edx
10137+ jmp 1f-__PAGE_OFFSET
10138 1:
10139
10140 /*
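Review bot: `jmp 1f-__PAGE_OFFSET` reaches the low alias only because the assembler encodes a direct near jmp as a displacement relative to the current EIP, which the surrounding step comments do not mention and which the register-indirect form it replaces did not rely on. I would add `/* direct jmp is EIP-relative, so the constant offset moves execution to the low (physical) alias */` here and the mirror-image remark at `jmp 1f+__PAGE_OFFSET` in the later hunk. efi_call_phys extends beyond this hunk.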
10141@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10142 * parameter 2, ..., param n. To make things easy, we save the return
10143 * address of efi_call_phys in a global variable.
10144 */
10145- popl %edx
10146- movl %edx, saved_return_addr
10147- /* get the function pointer into ECX*/
10148- popl %ecx
10149- movl %ecx, efi_rt_function_ptr
10150- movl $2f, %edx
10151- subl $__PAGE_OFFSET, %edx
10152- pushl %edx
10153+ popl (saved_return_addr)
10154+ popl (efi_rt_function_ptr)
10155
10156 /*
10157 * 3. Clear PG bit in %CR0.
10158@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10159 /*
10160 * 5. Call the physical function.
10161 */
10162- jmp *%ecx
10163+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
10164
10165-2:
10166 /*
10167 * 6. After EFI runtime service returns, control will return to
10168 * following instruction. We'd better readjust stack pointer first.
10169@@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10170 movl %cr0, %edx
10171 orl $0x80000000, %edx
10172 movl %edx, %cr0
10173- jmp 1f
10174-1:
10175+
10176 /*
10177 * 8. Now restore the virtual mode from flat mode by
10178 * adding EIP with PAGE_OFFSET.
10179 */
10180- movl $1f, %edx
10181- jmp *%edx
10182+ jmp 1f+__PAGE_OFFSET
10183 1:
10184
10185 /*
10186 * 9. Balance the stack. And because EAX contain the return value,
10187 * we'd better not clobber it.
10188 */
10189- leal efi_rt_function_ptr, %edx
10190- movl (%edx), %ecx
10191- pushl %ecx
10192+ pushl (efi_rt_function_ptr)
10193
10194 /*
10195- * 10. Push the saved return address onto the stack and return.
10196+ * 10. Return to the saved return address.
10197 */
10198- leal saved_return_addr, %edx
10199- movl (%edx), %ecx
10200- pushl %ecx
10201- ret
10202+ jmpl *(saved_return_addr)
10203 ENDPROC(efi_call_phys)
10204 .previous
10205
10206-.data
10207+__INITDATA
10208 saved_return_addr:
10209 .long 0
10210 efi_rt_function_ptr:
ae4e228f
MT
10211diff -urNp linux-2.6.33.1/arch/x86/kernel/entry_32.S linux-2.6.33.1/arch/x86/kernel/entry_32.S
10212--- linux-2.6.33.1/arch/x86/kernel/entry_32.S 2010-03-15 12:09:39.000000000 -0400
10213+++ linux-2.6.33.1/arch/x86/kernel/entry_32.S 2010-03-20 16:58:39.000574964 -0400
58c5fc13
MT
10214@@ -191,7 +191,7 @@
10215
10216 #endif /* CONFIG_X86_32_LAZY_GS */
10217
10218-.macro SAVE_ALL
10219+.macro __SAVE_ALL _DS
10220 cld
10221 PUSH_GS
10222 pushl %fs
10223@@ -224,7 +224,7 @@
10224 pushl %ebx
10225 CFI_ADJUST_CFA_OFFSET 4
10226 CFI_REL_OFFSET ebx, 0
10227- movl $(__USER_DS), %edx
10228+ movl $\_DS, %edx
10229 movl %edx, %ds
10230 movl %edx, %es
10231 movl $(__KERNEL_PERCPU), %edx
ae4e228f 10232@@ -232,6 +232,15 @@
58c5fc13
MT
10233 SET_KERNEL_GS %edx
10234 .endm
10235
10236+.macro SAVE_ALL
ae4e228f 10237+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13 10238+ __SAVE_ALL __KERNEL_DS
ae4e228f 10239+ PAX_ENTER_KERNEL
58c5fc13
MT
10240+#else
10241+ __SAVE_ALL __USER_DS
10242+#endif
10243+.endm
10244+
10245 .macro RESTORE_INT_REGS
10246 popl %ebx
10247 CFI_ADJUST_CFA_OFFSET -4
ae4e228f 10248@@ -356,7 +365,15 @@ check_userspace:
58c5fc13
MT
10249 movb PT_CS(%esp), %al
10250 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10251 cmpl $USER_RPL, %eax
10252+
10253+#ifdef CONFIG_PAX_KERNEXEC
10254+ jae resume_userspace
ae4e228f
MT
10255+
10256+ PAX_EXIT_KERNEL
58c5fc13
MT
10257+ jmp resume_kernel
10258+#else
10259 jb resume_kernel # not returning to v8086 or userspace
10260+#endif
10261
10262 ENTRY(resume_userspace)
10263 LOCKDEP_SYS_EXIT
ae4e228f 10264@@ -422,10 +439,9 @@ sysenter_past_esp:
58c5fc13
MT
10265 /*CFI_REL_OFFSET cs, 0*/
10266 /*
10267 * Push current_thread_info()->sysenter_return to the stack.
10268- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
10269- * pushed above; +8 corresponds to copy_thread's esp0 setting.
10270 */
10271- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
10272+ GET_THREAD_INFO(%ebp)
10273+ pushl TI_sysenter_return(%ebp)
10274 CFI_ADJUST_CFA_OFFSET 4
10275 CFI_REL_OFFSET eip, 0
10276
ae4e228f 10277@@ -438,9 +454,19 @@ sysenter_past_esp:
58c5fc13
MT
10278 * Load the potential sixth argument from user stack.
10279 * Careful about security.
10280 */
10281+ movl PT_OLDESP(%esp),%ebp
10282+
10283+#ifdef CONFIG_PAX_MEMORY_UDEREF
10284+ mov PT_OLDSS(%esp),%ds
10285+1: movl %ds:(%ebp),%ebp
10286+ push %ss
10287+ pop %ds
10288+#else
10289 cmpl $__PAGE_OFFSET-3,%ebp
10290 jae syscall_fault
10291 1: movl (%ebp),%ebp
10292+#endif
10293+
10294 movl %ebp,PT_EBP(%esp)
10295 .section __ex_table,"a"
10296 .align 4
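Review bot: In the CONFIG_PAX_MEMORY_UDEREF branch the explicit `cmpl $__PAGE_OFFSET-3,%ebp` / `jae syscall_fault` range check is gone, and the sixth-argument load depends entirely on the limit of the segment loaded by `mov PT_OLDSS(%esp),%ds`, with a fault at label 1 presumably still routed through the __ex_table entry that begins at the end of this hunk. That invariant sits under a "Careful about security" banner and should be written down, e.g. `/* UDEREF: the user segment limit replaces the __PAGE_OFFSET check; a fault at 1: goes to syscall_fault, which restores %ds */`. The syscall_fault hunk further down adds the matching `push %ss` / `pop %ds`. The code path begins and ends outside this hunk.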
ae4e228f 10297@@ -463,12 +489,23 @@ sysenter_do_call:
58c5fc13
MT
10298 testl $_TIF_ALLWORK_MASK, %ecx
10299 jne sysexit_audit
10300 sysenter_exit:
10301+
10302+#ifdef CONFIG_PAX_RANDKSTACK
10303+ pushl %eax
10304+ CFI_ADJUST_CFA_OFFSET 4
10305+ call pax_randomize_kstack
10306+ popl %eax
10307+ CFI_ADJUST_CFA_OFFSET -4
10308+#endif
10309+
10310 /* if something modifies registers it must also disable sysexit */
10311 movl PT_EIP(%esp), %edx
10312 movl PT_OLDESP(%esp), %ecx
10313 xorl %ebp,%ebp
10314 TRACE_IRQS_ON
10315 1: mov PT_FS(%esp), %fs
10316+2: mov PT_DS(%esp), %ds
10317+3: mov PT_ES(%esp), %es
10318 PTGS_TO_GS
10319 ENABLE_INTERRUPTS_SYSEXIT
10320
ae4e228f 10321@@ -512,11 +549,17 @@ sysexit_audit:
58c5fc13
MT
10322
10323 CFI_ENDPROC
10324 .pushsection .fixup,"ax"
10325-2: movl $0,PT_FS(%esp)
10326+4: movl $0,PT_FS(%esp)
10327+ jmp 1b
10328+5: movl $0,PT_DS(%esp)
10329+ jmp 1b
10330+6: movl $0,PT_ES(%esp)
10331 jmp 1b
10332 .section __ex_table,"a"
10333 .align 4
10334- .long 1b,2b
10335+ .long 1b,4b
10336+ .long 2b,5b
10337+ .long 3b,6b
10338 .popsection
10339 PTGS_TO_GS_EX
10340 ENDPROC(ia32_sysenter_target)
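Review bot: The new __ex_table entries `.long 2b,5b` and `.long 3b,6b` resolve `2b` and `3b` to the nearest earlier `2:` and `3:` labels, which are meant to be the %ds and %es loads added to sysenter_exit in the previous hunk. The sysexit_audit code between the two hunks is not shown, so a numeric label 2 or 3 defined there would redirect these fixups without any assembler diagnostic. Named local labels for the three segment reloads would remove that dependency. Fixups 5 and 6 also `jmp 1b`, so after a bad %ds or %es the %fs load is repeated as well; that looks harmless from here but is worth a one-line comment.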
ae4e228f 10341@@ -550,6 +593,10 @@ syscall_exit:
58c5fc13
MT
10342 testl $_TIF_ALLWORK_MASK, %ecx # current->work
10343 jne syscall_exit_work
10344
10345+#ifdef CONFIG_PAX_RANDKSTACK
10346+ call pax_randomize_kstack
10347+#endif
10348+
10349 restore_all:
10350 TRACE_IRQS_IRET
10351 restore_all_notrace:
ae4e228f 10352@@ -614,7 +661,13 @@ ldt_ss:
58c5fc13
MT
10353 mov PT_OLDESP(%esp), %eax /* load userspace esp */
10354 mov %dx, %ax /* eax: new kernel esp */
10355 sub %eax, %edx /* offset (low word is 0) */
10356- PER_CPU(gdt_page, %ebx)
10357+#ifdef CONFIG_SMP
10358+ movl PER_CPU_VAR(cpu_number), %ebx
10359+ shll $PAGE_SHIFT_asm, %ebx
10360+ addl $cpu_gdt_table, %ebx
10361+#else
10362+ movl $cpu_gdt_table, %ebx
10363+#endif
10364 shr $16, %edx
10365 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
10366 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
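Review bot: The open-coded replacement for `PER_CPU(gdt_page, %ebx)` assumes cpu_gdt_table is an array with exactly one page per CPU (`shll $PAGE_SHIFT_asm, %ebx`), and the identical seven lines are repeated in the later hunk under the `/* fixup the stack */` comment. I would put the sequence in one assembler macro with a comment stating the one-page-per-CPU layout, so a change to the table's stride cannot be applied in one place and missed in the other. The ldt_ss code continues outside this hunk.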
ae4e228f 10367@@ -654,25 +707,19 @@ work_resched:
58c5fc13
MT
10368
10369 work_notifysig: # deal with pending signals and
10370 # notify-resume requests
10371+ movl %esp, %eax
10372 #ifdef CONFIG_VM86
10373 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
10374- movl %esp, %eax
10375- jne work_notifysig_v86 # returning to kernel-space or
10376+ jz 1f # returning to kernel-space or
10377 # vm86-space
10378- xorl %edx, %edx
10379- call do_notify_resume
10380- jmp resume_userspace_sig
10381
10382- ALIGN
10383-work_notifysig_v86:
10384 pushl %ecx # save ti_flags for do_notify_resume
10385 CFI_ADJUST_CFA_OFFSET 4
10386 call save_v86_state # %eax contains pt_regs pointer
10387 popl %ecx
10388 CFI_ADJUST_CFA_OFFSET -4
10389 movl %eax, %esp
10390-#else
10391- movl %esp, %eax
10392+1:
10393 #endif
10394 xorl %edx, %edx
10395 call do_notify_resume
ae4e228f 10396@@ -707,6 +754,10 @@ END(syscall_exit_work)
58c5fc13
MT
10397
10398 RING0_INT_FRAME # can't unwind into user space anyway
10399 syscall_fault:
10400+#ifdef CONFIG_PAX_MEMORY_UDEREF
10401+ push %ss
10402+ pop %ds
10403+#endif
10404 GET_THREAD_INFO(%ebp)
10405 movl $-EFAULT,PT_EAX(%esp)
10406 jmp resume_userspace
ae4e228f 10407@@ -790,7 +841,13 @@ ptregs_clone:
58c5fc13
MT
10408 * normal stack and adjusts ESP with the matching offset.
10409 */
10410 /* fixup the stack */
10411- PER_CPU(gdt_page, %ebx)
10412+#ifdef CONFIG_SMP
10413+ movl PER_CPU_VAR(cpu_number), %ebx
10414+ shll $PAGE_SHIFT_asm, %ebx
10415+ addl $cpu_gdt_table, %ebx
10416+#else
10417+ movl $cpu_gdt_table, %ebx
10418+#endif
10419 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
10420 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
10421 shl $16, %eax
ae4e228f
MT
10422@@ -1254,7 +1311,6 @@ return_to_handler:
10423 jmp *%ecx
58c5fc13
MT
10424 #endif
10425
10426-.section .rodata,"a"
10427 #include "syscall_table_32.S"
10428
10429 syscall_table_size=(.-sys_call_table)
ae4e228f 10430@@ -1306,12 +1362,15 @@ error_code:
58c5fc13
MT
10431 movl %ecx, %fs
10432 UNWIND_ESPFIX_STACK
10433 GS_TO_REG %ecx
10434+
ae4e228f 10435+ PAX_ENTER_KERNEL
58c5fc13
MT
10436+
10437 movl PT_GS(%esp), %edi # get the function address
10438 movl PT_ORIG_EAX(%esp), %edx # get the error code
10439 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
10440 REG_TO_PTGS %ecx
10441 SET_KERNEL_GS %ecx
10442- movl $(__USER_DS), %ecx
10443+ movl $(__KERNEL_DS), %ecx
10444 movl %ecx, %ds
10445 movl %ecx, %es
10446 TRACE_IRQS_OFF
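Review bot: error_code now loads `__KERNEL_DS` into %ds and %es unconditionally, whereas the SAVE_ALL macro introduced earlier in this file picks `__KERNEL_DS` only when one of CONFIG_PAX_KERNEXEC, CONFIG_PAX_PAGEEXEC, CONFIG_PAX_SEGMEXEC or CONFIG_PAX_MEMORY_UDEREF is set and keeps `__USER_DS` otherwise. With all four options off, the two entry paths would therefore reach C code with different data segments. If that is intended a comment should say so; otherwise the same `#if` should guard this `movl`. PAX_ENTER_KERNEL is also invoked here without that guard, so it is presumably defined empty when the features are off (its definition is not in this chunk).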
ae4e228f 10447@@ -1407,6 +1466,9 @@ nmi_stack_correct:
58c5fc13
MT
10448 xorl %edx,%edx # zero error code
10449 movl %esp,%eax # pt_regs pointer
10450 call do_nmi
10451+
ae4e228f 10452+ PAX_EXIT_KERNEL
58c5fc13
MT
10453+
10454 jmp restore_all_notrace
10455 CFI_ENDPROC
10456
ae4e228f 10457@@ -1447,6 +1509,9 @@ nmi_espfix_stack:
58c5fc13
MT
10458 FIXUP_ESPFIX_STACK # %eax == %esp
10459 xorl %edx,%edx # zero error code
10460 call do_nmi
10461+
ae4e228f 10462+ PAX_EXIT_KERNEL
58c5fc13
MT
10463+
10464 RESTORE_REGS
10465 lss 12+4(%esp), %esp # back to espfix stack
10466 CFI_ADJUST_CFA_OFFSET -24
ae4e228f
MT
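--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -53,6 +53,7 @@
 #include <asm/paravirt.h>
 #include <asm/ftrace.h>
 #include <asm/percpu.h>
+#include <asm/pgtable.h>
 
 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
 #include <linux/elf-em.h>
@@ -800,6 +801,7 @@ END(interrupt)
 CFI_ADJUST_CFA_OFFSET 10*8
 call save_args
 PARTIAL_FRAME 0
+ PAX_ENTER_KERNEL
 call \func
 .endm
 
@@ -825,6 +827,7 @@ ret_from_intr:
 CFI_DEF_CFA_REGISTER rsp
 CFI_ADJUST_CFA_OFFSET -8
 exit_intr:
+ PAX_EXIT_KERNEL
 GET_THREAD_INFO(%rcx)
 testl $3,CS-ARGOFFSET(%rsp)
 je retint_kernel
@@ -1040,6 +1043,7 @@ ENTRY(\sym)
 CFI_ADJUST_CFA_OFFSET 15*8
 call error_entry
 DEFAULT_FRAME 0
+ PAX_ENTER_KERNEL
 movq %rsp,%rdi /* pt_regs pointer */
 xorl %esi,%esi /* no error code */
 call \do_sym
@@ -1057,6 +1061,7 @@ ENTRY(\sym)
 subq $15*8, %rsp
 call save_paranoid
 TRACE_IRQS_OFF
+ PAX_ENTER_KERNEL
 movq %rsp,%rdi /* pt_regs pointer */
 xorl %esi,%esi /* no error code */
 call \do_sym
@@ -1074,9 +1079,15 @@ ENTRY(\sym)
 subq $15*8, %rsp
 call save_paranoid
 TRACE_IRQS_OFF
+ PAX_ENTER_KERNEL
 movq %rsp,%rdi /* pt_regs pointer */
 xorl %esi,%esi /* no error code */
- PER_CPU(init_tss, %r12)
+#ifdef CONFIG_SMP
+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
+ lea init_tss(%r12), %r12
+#else
+ lea init_tss(%rip), %r12
+#endif
 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
 call \do_sym
 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
@@ -1093,6 +1104,7 @@ ENTRY(\sym)
 CFI_ADJUST_CFA_OFFSET 15*8
 call error_entry
 DEFAULT_FRAME 0
+ PAX_ENTER_KERNEL
 movq %rsp,%rdi /* pt_regs pointer */
 movq ORIG_RAX(%rsp),%rsi /* get error code */
 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
@@ -1112,6 +1124,7 @@ ENTRY(\sym)
 call save_paranoid
 DEFAULT_FRAME 0
 TRACE_IRQS_OFF
+ PAX_ENTER_KERNEL
 movq %rsp,%rdi /* pt_regs pointer */
 movq ORIG_RAX(%rsp),%rsi /* get error code */
 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
@@ -1373,11 +1386,13 @@ ENTRY(paranoid_exit)
 testl $3,CS(%rsp)
 jnz paranoid_userspace
 paranoid_swapgs:
+ PAX_EXIT_KERNEL
 TRACE_IRQS_IRETQ 0
 SWAPGS_UNSAFE_STACK
 RESTORE_ALL 8
 jmp irq_return
 paranoid_restore:
+ PAX_EXIT_KERNEL
 TRACE_IRQS_IRETQ 0
 RESTORE_ALL 8
 jmp irq_return
@@ -1499,6 +1514,7 @@ ENTRY(nmi)
 CFI_ADJUST_CFA_OFFSET 15*8
 call save_paranoid
 DEFAULT_FRAME 0
+ PAX_ENTER_KERNEL
 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
 movq %rsp,%rdi
 movq $-1,%rsi
@@ -1514,6 +1530,7 @@ ENTRY(nmi)
 nmi_swapgs:
 SWAPGS_UNSAFE_STACK
 nmi_restore:
+ PAX_EXIT_KERNEL
 RESTORE_ALL 8
 jmp irq_return
 nmi_userspace: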
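Review bot: `PAX_EXIT_KERNEL` is ordered differently against the GS swap on the two exit paths this section touches: at `paranoid_swapgs` it runs before `SWAPGS_UNSAFE_STACK`, while at `nmi_restore` it sits after the `nmi_swapgs` fall-through, so on that path it executes with the user GS base already loaded. The macro body is not visible here; if it ever reads `%gs`-relative per-CPU data, the NMI path would use the wrong base. I would document the constraint at `nmi_restore`, e.g. `/* PAX_EXIT_KERNEL must not touch %gs: it may run after swapgs here */`. The code around both labels continues outside the hunks.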
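--- a/arch/x86/kernel/ftrace.c
+++ b/arch/x86/kernel/ftrace.c
@@ -151,7 +151,9 @@ void ftrace_nmi_enter(void)
 {
 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
 smp_rmb();
+ pax_open_kernel();
 ftrace_mod_code();
+ pax_close_kernel();
 atomic_inc(&nmi_update_count);
 }
 /* Must have previous changes seen before executions */
@@ -234,7 +236,7 @@ do_ftrace_mod_code(unsigned long ip, voi
 
 
 
-static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
+static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
 
 static unsigned char *ftrace_nop_replace(void)
 {
@@ -247,6 +249,8 @@ ftrace_modify_code(unsigned long ip, uns
 {
 unsigned char replaced[MCOUNT_INSN_SIZE];
 
+ ip = ktla_ktva(ip);
+
 /*
 * Note: Due to modules and __init, code can
 * disappear and change, we need to protect against faulting
@@ -303,7 +307,7 @@ int ftrace_update_ftrace_func(ftrace_fun
 unsigned char old[MCOUNT_INSN_SIZE], *new;
 int ret;
 
- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
 new = ftrace_call_replace(ip, (unsigned long)func);
 ret = ftrace_modify_code(ip, old, new);
 
@@ -356,15 +360,15 @@ int __init ftrace_dyn_arch_init(void *da
 switch (faulted) {
 case 0:
 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
- memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
 break;
 case 1:
 pr_info("converting mcount calls to 66 66 66 66 90\n");
- memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
 break;
 case 2:
 pr_info("converting mcount calls to jmp . + 5\n");
- memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
 break;
 }
 
@@ -385,6 +389,8 @@ static int ftrace_mod_jmp(unsigned long
 {
 unsigned char code[MCOUNT_INSN_SIZE];
 
+ ip = ktla_ktva(ip);
+
 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
 return -EFAULT;
 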
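Review bot: `ftrace_nop` is now `__read_only`, yet the `ftrace_dyn_arch_init` hunk still fills it with a plain `memcpy()` and no `pax_open_kernel()`/`pax_close_kernel()` pair like the one added in `ftrace_nmi_enter`. That is fine only if this `__init` function always runs before read-only data is write-protected, which the hunk does not show. I would state the assumption above the `switch`, e.g. `/* ftrace_nop is __read_only; it is written here during init, before it is write-protected */`, or bracket the copies if that ordering is not guaranteed. The function body starts and ends outside the hunk.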
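--- a/arch/x86/kernel/head32.c
+++ b/arch/x86/kernel/head32.c
@@ -16,6 +16,7 @@
 #include <asm/apic.h>
 #include <asm/io_apic.h>
 #include <asm/bios_ebda.h>
+#include <asm/boot.h>
 
 static void __init i386_default_early_setup(void)
 {
@@ -29,7 +30,7 @@ static void __init i386_default_early_se
 
 void __init i386_start_kernel(void)
 {
- reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
+ reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
 
 #ifdef CONFIG_BLK_DEV_INITRD
 /* Reserve INITRD */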
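Review bot: `reserve_early()` now starts at the build-time constant `LOAD_PHYSICAL_ADDR` instead of the runtime `__pa_symbol(&_text)`, and the change is not guarded by `CONFIG_PAX_KERNEXEC`. If a relocatable image is ever loaded at a different address, the reserved range would presumably no longer cover the start of the kernel image. I would add `/* assumes the image runs at its link-time load address (not relocated) */` above the call, or keep the old expression when KERNEXEC is off. `i386_start_kernel` continues past the hunk.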
ae4e228f
MT
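--- a/arch/x86/kernel/head_32.S
+++ b/arch/x86/kernel/head_32.S
@@ -21,10 +21,17 @@
 #include <asm/msr-index.h>
 #include <asm/cpufeature.h>
 #include <asm/percpu.h>
+#include <asm/msr-index.h>
 
 /* Physical address */
 #define pa(X) ((X) - __PAGE_OFFSET)
 
+#ifdef CONFIG_PAX_KERNEXEC
+#define ta(X) (X)
+#else
+#define ta(X) ((X) - __PAGE_OFFSET)
+#endif
+
 /*
 * References to members of the new_cpu_data structure.
 */
@@ -54,11 +61,7 @@
 * and small than max_low_pfn, otherwise will waste some page table entries
 */
 
-#if PTRS_PER_PMD > 1
-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
-#else
-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
-#endif
+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
 
 /* Enough space to fit pagetables for the low memory linear map */
 MAPPING_BEYOND_END = \
@@ -75,6 +78,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
 
 /*
+ * Real beginning of normal "text" segment
+ */
+ENTRY(stext)
+ENTRY(_stext)
+
+/*
 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
 * %esi points to the real-mode code as a 32-bit pointer.
 * CS and DS must be 4 GB flat segments, but we don't depend on
@@ -82,6 +91,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
 * can.
 */
 __HEAD
+
+#ifdef CONFIG_PAX_KERNEXEC
+ jmp startup_32
+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
+.fill PAGE_SIZE-5,1,0xcc
+#endif
+
 ENTRY(startup_32)
 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
 us to not reload segments */
@@ -99,6 +115,55 @@ ENTRY(startup_32)
 movl %eax,%gs
 2:
 
+#ifdef CONFIG_SMP
+ movl $pa(cpu_gdt_table),%edi
+ movl $__per_cpu_load,%eax
+ movw %ax,__KERNEL_PERCPU + 2(%edi)
+ rorl $16,%eax
+ movb %al,__KERNEL_PERCPU + 4(%edi)
+ movb %ah,__KERNEL_PERCPU + 7(%edi)
+ movl $__per_cpu_end - 1,%eax
+ subl $__per_cpu_start,%eax
+ movw %ax,__KERNEL_PERCPU + 0(%edi)
+#endif
+
+#ifdef CONFIG_PAX_MEMORY_UDEREF
+ movl $NR_CPUS,%ecx
+ movl $pa(cpu_gdt_table),%edi
+1:
+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
+ addl $PAGE_SIZE_asm,%edi
+ loop 1b
+#endif
+
+#ifdef CONFIG_PAX_KERNEXEC
+ movl $pa(boot_gdt),%edi
+ movl $__LOAD_PHYSICAL_ADDR,%eax
+ movw %ax,__BOOT_CS + 2(%edi)
+ rorl $16,%eax
+ movb %al,__BOOT_CS + 4(%edi)
+ movb %ah,__BOOT_CS + 7(%edi)
+ rorl $16,%eax
+
+ ljmp $(__BOOT_CS),$1f
+1:
+
+ movl $NR_CPUS,%ecx
+ movl $pa(cpu_gdt_table),%edi
+ addl $__PAGE_OFFSET,%eax
+1:
+ movw %ax,__KERNEL_CS + 2(%edi)
+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
+ rorl $16,%eax
+ movb %al,__KERNEL_CS + 4(%edi)
+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
+ movb %ah,__KERNEL_CS + 7(%edi)
+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
+ rorl $16,%eax
+ addl $PAGE_SIZE_asm,%edi
+ loop 1b
+#endif
+
 /*
 * Clear BSS first so that there are no surprises...
 */
@@ -142,9 +207,7 @@ ENTRY(startup_32)
 cmpl $num_subarch_entries, %eax
 jae bad_subarch
 
- movl pa(subarch_entries)(,%eax,4), %eax
- subl $__PAGE_OFFSET, %eax
- jmp *%eax
+ jmp *pa(subarch_entries)(,%eax,4)
 
 bad_subarch:
 WEAK(lguest_entry)
@@ -156,10 +219,10 @@ WEAK(xen_entry)
 __INITDATA
 
 subarch_entries:
- .long default_entry /* normal x86/PC */
- .long lguest_entry /* lguest hypervisor */
- .long xen_entry /* Xen hypervisor */
- .long default_entry /* Moorestown MID */
+ .long ta(default_entry) /* normal x86/PC */
+ .long ta(lguest_entry) /* lguest hypervisor */
+ .long ta(xen_entry) /* Xen hypervisor */
+ .long ta(default_entry) /* Moorestown MID */
 num_subarch_entries = (. - subarch_entries) / 4
 .previous
 #endif /* CONFIG_PARAVIRT */
@@ -220,8 +283,11 @@ default_entry:
 movl %eax, pa(max_pfn_mapped)
 
 /* Do early initialization of the fixmap area */
- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
- movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
+#ifdef CONFIG_COMPAT_VDSO
+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
+#else
+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
+#endif
 #else /* Not PAE */
 
 page_pde_offset = (__PAGE_OFFSET >> 20);
@@ -251,8 +317,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
 movl %eax, pa(max_pfn_mapped)
 
 /* Do early initialization of the fixmap area */
- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
- movl %eax,pa(swapper_pg_dir+0xffc)
+#ifdef CONFIG_COMPAT_VDSO
+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
+#else
+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
+#endif
 #endif
 jmp 3f
 /*
@@ -299,6 +368,7 @@ ENTRY(startup_32_smp)
 orl %edx,%eax
 movl %eax,%cr4
 
+#ifdef CONFIG_X86_PAE
 testb $X86_CR4_PAE, %al # check if PAE is enabled
 jz 6f
 
@@ -323,6 +393,9 @@ ENTRY(startup_32_smp)
 /* Make changes effective */
 wrmsr
 
+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
+#endif
+
 6:
 
 /*
@@ -348,9 +421,7 @@ ENTRY(startup_32_smp)
 
 #ifdef CONFIG_SMP
 cmpb $0, ready
- jz 1f /* Initial CPU cleans BSS */
- jmp checkCPUtype
-1:
+ jnz checkCPUtype /* Initial CPU cleans BSS */
 #endif /* CONFIG_SMP */
 
 /*
@@ -428,7 +499,7 @@ is386: movl $2,%ecx # set MP
 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
 movl %eax,%ss # after changing gdt.
 
- movl $(__USER_DS),%eax # DS/ES contains default USER segment
+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
 movl %eax,%ds
 movl %eax,%es
 
@@ -442,8 +513,11 @@ is386: movl $2,%ecx # set MP
 */
 cmpb $0,ready
 jne 1f
- movl $per_cpu__gdt_page,%eax
+ movl $cpu_gdt_table,%eax
 movl $per_cpu__stack_canary,%ecx
+#ifdef CONFIG_SMP
+ addl $__per_cpu_load,%ecx
+#endif
 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
 shrl $16, %ecx
 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
@@ -461,10 +535,6 @@ is386: movl $2,%ecx # set MP
 #ifdef CONFIG_SMP
 movb ready, %cl
 movb $1, ready
- cmpb $0,%cl # the first CPU calls start_kernel
- je 1f
- movl (stack_start), %esp
-1:
 #endif /* CONFIG_SMP */
 jmp *(initial_code)
 
@@ -550,22 +620,22 @@ early_page_fault:
 jmp early_fault
 
 early_fault:
- cld
 #ifdef CONFIG_PRINTK
+ cmpl $1,%ss:early_recursion_flag
+ je hlt_loop
+ incl %ss:early_recursion_flag
+ cld
 pusha
 movl $(__KERNEL_DS),%eax
 movl %eax,%ds
 movl %eax,%es
- cmpl $2,early_recursion_flag
- je hlt_loop
- incl early_recursion_flag
 movl %cr2,%eax
 pushl %eax
 pushl %edx /* trapno */
 pushl $fault_msg
 call printk
+; call dump_stack
 #endif
- call dump_stack
 hlt_loop:
 hlt
 jmp hlt_loop
@@ -573,8 +643,11 @@ hlt_loop:
 /* This is the default interrupt "handler" :-) */
 ALIGN
 ignore_int:
- cld
 #ifdef CONFIG_PRINTK
+ cmpl $2,%ss:early_recursion_flag
+ je hlt_loop
+ incl %ss:early_recursion_flag
+ cld
 pushl %eax
 pushl %ecx
 pushl %edx
@@ -583,9 +656,6 @@ ignore_int:
 movl $(__KERNEL_DS),%eax
 movl %eax,%ds
 movl %eax,%es
- cmpl $2,early_recursion_flag
- je hlt_loop
- incl early_recursion_flag
 pushl 16(%esp)
 pushl 24(%esp)
 pushl 32(%esp)
@@ -612,27 +682,37 @@ ENTRY(initial_code)
 /*
 * BSS section
 */
-__PAGE_ALIGNED_BSS
- .align PAGE_SIZE_asm
 #ifdef CONFIG_X86_PAE
+.section .swapper_pg_pmd,"a",@progbits
 swapper_pg_pmd:
 .fill 1024*KPMDS,4,0
 #else
+.section .swapper_pg_dir,"a",@progbits
 ENTRY(swapper_pg_dir)
 .fill 1024,4,0
 #endif
+
 swapper_pg_fixmap:
 .fill 1024,4,0
+
+.section .empty_zero_page,"a",@progbits
 ENTRY(empty_zero_page)
 .fill 4096,1,0
 
 /*
+ * The IDT has to be page-aligned to simplify the Pentium
+ * F0 0F bug workaround.. We have a special link segment
+ * for this.
+ */
+.section .idt,"a",@progbits
+ENTRY(idt_table)
+ .fill 256,8,0
+
+/*
 * This starts the data section.
 */
 #ifdef CONFIG_X86_PAE
-__PAGE_ALIGNED_DATA
- /* Page-aligned for the benefit of paravirt? */
- .align PAGE_SIZE_asm
+.section .swapper_pg_dir,"a",@progbits
 ENTRY(swapper_pg_dir)
 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
 # if KPMDS == 3
@@ -655,11 +735,12 @@ ENTRY(swapper_pg_dir)
 
 .data
 ENTRY(stack_start)
- .long init_thread_union+THREAD_SIZE
+ .long init_thread_union+THREAD_SIZE-8
 .long __BOOT_DS
 
 ready: .byte 0
 
+.section .rodata,"a",@progbits
 early_recursion_flag:
 .long 0
 
@@ -695,7 +776,7 @@ fault_msg:
 .word 0 # 32 bit align gdt_desc.address
 boot_gdt_descr:
 .word __BOOT_DS+7
- .long boot_gdt - __PAGE_OFFSET
+ .long pa(boot_gdt)
 
 .word 0 # 32-bit align idt_desc.address
 idt_descr:
@@ -706,7 +787,7 @@ idt_descr:
 .word 0 # 32 bit align gdt_desc.address
 ENTRY(early_gdt_descr)
 .word GDT_ENTRIES*8-1
- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
 
 /*
 * The boot_gdt must mirror the equivalent in setup.S and is
@@ -715,5 +796,65 @@ ENTRY(early_gdt_descr)
 .align L1_CACHE_BYTES
 ENTRY(boot_gdt)
 .fill GDT_ENTRY_BOOT_CS,8,0
- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
+
+ .align PAGE_SIZE_asm
+ENTRY(cpu_gdt_table)
+ .rept NR_CPUS
+ .quad 0x0000000000000000 /* NULL descriptor */
+ .quad 0x0000000000000000 /* 0x0b reserved */
+ .quad 0x0000000000000000 /* 0x13 reserved */
+ .quad 0x0000000000000000 /* 0x1b reserved */
+
+#ifdef CONFIG_PAX_KERNEXEC
+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
+#else
+ .quad 0x0000000000000000 /* 0x20 unused */
+#endif
+
+ .quad 0x0000000000000000 /* 0x28 unused */
+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
+ .quad 0x0000000000000000 /* 0x4b reserved */
+ .quad 0x0000000000000000 /* 0x53 reserved */
+ .quad 0x0000000000000000 /* 0x5b reserved */
+
+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
+
+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
+
+ /*
+ * Segments used for calling PnP BIOS have byte granularity.
+ * The code segments and data segments have fixed 64k limits,
+ * the transfer segment sizes are set at run time.
+ */
+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
+
+ /*
+ * The APM segments have byte granularity and their bases
+ * are set at run time. All have 64k limits.
+ */
+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
+
+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
+ .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
+
+ /* Be sure this is zeroed to avoid false validations in Xen */
+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
+ .endr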
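Review bot: In the `early_fault` hunk the line `; call dump_stack` probably does not disable the call: on x86, GNU as treats `;` as a statement separator rather than a comment character, so `call dump_stack` would still be assembled, now inside `#ifdef CONFIG_PRINTK`. If the intent is to drop the call, delete the line or write `/* call dump_stack */`. The `is386` hunk leaves another disabled instruction behind as `# movl $(__KERNEL_DS),%eax`, after which `movl %eax,%ds` silently depends on `%eax` still holding `__KERNEL_DS` from the `%ss` reload two lines earlier. A short comment such as `/* %eax still holds __KERNEL_DS from the %ss reload above */` would make that dependency explicit.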
ae4e228f
MT
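--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -19,6 +19,7 @@
 #include <asm/cache.h>
 #include <asm/processor-flags.h>
 #include <asm/percpu.h>
+#include <asm/cpufeature.h>
 
 #ifdef CONFIG_PARAVIRT
 #include <asm/asm-offsets.h>
@@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
 L3_START_KERNEL = pud_index(__START_KERNEL_map)
+L4_VMALLOC_START = pgd_index(VMALLOC_START)
+L3_VMALLOC_START = pud_index(VMALLOC_START)
+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
 
 .text
 __HEAD
@@ -85,35 +90,22 @@ startup_64:
 */
 addq %rbp, init_level4_pgt + 0(%rip)
 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
 
 addq %rbp, level3_ident_pgt + 0(%rip)
+#ifndef CONFIG_XEN
+ addq %rbp, level3_ident_pgt + 8(%rip)
+#endif
 
- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
 
- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
 
- /* Add an Identity mapping if I am above 1G */
- leaq _text(%rip), %rdi
- andq $PMD_PAGE_MASK, %rdi
-
- movq %rdi, %rax
- shrq $PUD_SHIFT, %rax
- andq $(PTRS_PER_PUD - 1), %rax
- jz ident_complete
-
- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
- leaq level3_ident_pgt(%rip), %rbx
- movq %rdx, 0(%rbx, %rax, 8)
-
- movq %rdi, %rax
- shrq $PMD_SHIFT, %rax
- andq $(PTRS_PER_PMD - 1), %rax
- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
- leaq level2_spare_pgt(%rip), %rbx
- movq %rdx, 0(%rbx, %rax, 8)
-ident_complete:
+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
 
 /*
 * Fixup the kernel text+data virtual addresses. Note that
@@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
 movl $MSR_EFER, %ecx
 rdmsr
 btsl $_EFER_SCE, %eax /* Enable System Call */
- btl $20,%edi /* No Execute supported? */
+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
 jnc 1f
 btsl $_EFER_NX, %eax
+ leaq init_level4_pgt(%rip), %rdi
+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
 1: wrmsr /* Make changes effective */
 
 /* Setup cr0 */
@@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
 bad_address:
 jmp bad_address
 
- .section ".init.text","ax"
+ __INIT
 #ifdef CONFIG_EARLY_PRINTK
 .globl early_idt_handlers
 early_idt_handlers:
@@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
 #endif /* EARLY_PRINTK */
 1: hlt
 jmp 1b
+ .previous
 
 #ifdef CONFIG_EARLY_PRINTK
+ __INITDATA
 early_recursion_flag:
 .long 0
+ .previous
 
+ .section .rodata,"a",@progbits
 early_idt_msg:
 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
 early_idt_ripmsg:
 .asciz "RIP %s\n"
-#endif /* CONFIG_EARLY_PRINTK */
 .previous
+#endif /* CONFIG_EARLY_PRINTK */
 
+ .section .rodata,"a",@progbits
 #define NEXT_PAGE(name) \
 .balign PAGE_SIZE; \
 ENTRY(name)
@@ -351,13 +353,29 @@ NEXT_PAGE(init_level4_pgt)
 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
 .org init_level4_pgt + L4_START_KERNEL*8, 0
 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
 
 NEXT_PAGE(level3_ident_pgt)
 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
+#ifdef CONFIG_XEN
 .fill 511,8,0
+#else
+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
+ .fill 510,8,0
+#endif
+
+NEXT_PAGE(level3_vmalloc_pgt)
+ .fill 512,8,0
+
+NEXT_PAGE(level3_vmemmap_pgt)
+ .fill L3_VMEMMAP_START,8,0
+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
 
 NEXT_PAGE(level3_kernel_pgt)
 .fill L3_START_KERNEL,8,0
@@ -365,20 +383,23 @@ NEXT_PAGE(level3_kernel_pgt)
 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
 
+NEXT_PAGE(level2_vmemmap_pgt)
+ .fill 512,8,0
+
 NEXT_PAGE(level2_fixmap_pgt)
- .fill 506,8,0
- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
- .fill 5,8,0
+ .fill 507,8,0
+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
+ .fill 4,8,0
 
-NEXT_PAGE(level1_fixmap_pgt)
+NEXT_PAGE(level1_vsyscall_pgt)
 .fill 512,8,0
 
-NEXT_PAGE(level2_ident_pgt)
- /* Since I easily can, map the first 1G.
+ /* Since I easily can, map the first 2G.
 * Don't set NX because code runs from these pages.
 */
- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
+NEXT_PAGE(level2_ident_pgt)
+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
 
 NEXT_PAGE(level2_kernel_pgt)
 /*
@@ -391,33 +412,55 @@ NEXT_PAGE(level2_kernel_pgt)
 * If you want to increase this then increase MODULES_VADDR
 * too.)
 */
- PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
- KERNEL_IMAGE_SIZE/PMD_SIZE)
-
-NEXT_PAGE(level2_spare_pgt)
- .fill 512, 8, 0
+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
 
 #undef PMDS
 #undef NEXT_PAGE
 
- .data
+ .align PAGE_SIZE
+ENTRY(cpu_gdt_table)
+ .rept NR_CPUS
+ .quad 0x0000000000000000 /* NULL descriptor */
+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
+ .quad 0x00cffb000000ffff /* __USER32_CS */
+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
+ .quad 0x00affb000000ffff /* __USER_CS */
+
+#ifdef CONFIG_PAX_KERNEXEC
+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
+#else
+ .quad 0x0 /* unused */
+#endif
+
+ .quad 0,0 /* TSS */
+ .quad 0,0 /* LDT */
+ .quad 0,0,0 /* three TLS descriptors */
+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
+ /* asm/segment.h:GDT_ENTRIES must match this */
+
+ /* zero the remaining page */
+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
+ .endr
+
 .align 16
 .globl early_gdt_descr
 early_gdt_descr:
 .word GDT_ENTRIES*8-1
 early_gdt_descr_base:
- .quad INIT_PER_CPU_VAR(gdt_page)
+ .quad cpu_gdt_table
 
 ENTRY(phys_base)
 /* This must match the first entry in level2_kernel_pgt */
 .quad 0x0000000000000000
 
 #include "../../x86/xen/xen-head.S"
-
- .section .bss, "aw", @nobits
+
+ .section .rodata,"a",@progbits
 .align L1_CACHE_BYTES
 ENTRY(idt_table)
- .skip IDT_ENTRIES * 16
+ .fill 512,8,0
 
 __PAGE_ALIGNED_BSS
 .align PAGE_SIZE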
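Review bot: `idt_table` is now sized with a literal, `.fill 512,8,0`, where the removed line used `.skip IDT_ENTRIES * 16`. The two agree only while `IDT_ENTRIES` is 256, and nothing in the hunk ties them together. I would write `.fill IDT_ENTRIES*2,8,0` so the table, now placed in `.rodata`, cannot end up shorter than the IDT limit if the constant changes. The 32-bit counterpart added in `head_32.S` uses the same literal form (`.fill 256,8,0`).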
ae4e228f
MT
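--- a/arch/x86/kernel/i386_ksyms_32.c
+++ b/arch/x86/kernel/i386_ksyms_32.c
@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
 EXPORT_SYMBOL(cmpxchg8b_emu);
 #endif
 
+EXPORT_SYMBOL_GPL(cpu_gdt_table);
+
 /* Networking helper routines. */
 EXPORT_SYMBOL(csum_partial_copy_generic);
+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
 
 EXPORT_SYMBOL(__get_user_1);
 EXPORT_SYMBOL(__get_user_2);
@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
 
 EXPORT_SYMBOL(csum_partial);
 EXPORT_SYMBOL(empty_zero_page);
+
+#ifdef CONFIG_PAX_KERNEXEC
+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
+#endif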
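Review bot: The new exports of `cpu_gdt_table` and `__LOAD_PHYSICAL_ADDR` carry no comment naming the modular code that needs them. The first exposes every CPU's segment descriptor table and the second the kernel's load address, so each widens what a loadable module can reference; the GDT export is `_GPL` while `__LOAD_PHYSICAL_ADDR` is a plain `EXPORT_SYMBOL`. I would add a one-line justification above each, e.g. `/* exported for <modular user>: GDT accessors are inlined into modules */` if that is the reason (not visible here), and consider `EXPORT_SYMBOL_GPL` for the address as well.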
ae4e228f
MT
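--- a/arch/x86/kernel/init_task.c
+++ b/arch/x86/kernel/init_task.c
@@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
 * section. Since TSS's are completely CPU-local, we want them
 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
 */
-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
-
+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
+EXPORT_SYMBOL(init_tss);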
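Review bot: The retained comment still promises that each TSS sits on an exact cacheline boundary, but `____cacheline_internodealigned_in_smp` on the new `init_tss[NR_CPUS]` only aligns the start of the array. Per-element alignment now depends on `sizeof(struct tss_struct)` being a multiple of the cacheline size, which presumably comes from the struct's own alignment attribute (not visible here). I would update the comment to say so, e.g. `/* flat array of NR_CPUS TSSs; element alignment relies on struct tss_struct being cacheline-aligned */`. The array is also sized by `NR_CPUS` rather than by the CPUs actually present, which the comment could mention.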
ae4e228f
MT
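--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -6,6 +6,7 @@
 #include <linux/sched.h>
 #include <linux/kernel.h>
 #include <linux/capability.h>
+#include <linux/security.h>
 #include <linux/errno.h>
 #include <linux/types.h>
 #include <linux/ioport.h>
@@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
 
 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
 return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_IO
+ if (turn_on) {
+ gr_handle_ioperm();
+ return -EPERM;
+ }
+#endif
 if (turn_on && !capable(CAP_SYS_RAWIO))
 return -EPERM;
 
@@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
 * because the ->io_bitmap_max value must match the bitmap
 * contents:
 */
- tss = &per_cpu(init_tss, get_cpu());
+ tss = init_tss + get_cpu();
 
 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
 
@@ -112,8 +119,13 @@ long sys_iopl(unsigned int level, struct
 return -EINVAL;
 /* Trying to gain more privileges? */
 if (level > old) {
+#ifdef CONFIG_GRKERNSEC_IO
+ gr_handle_iopl();
+ return -EPERM;
+#else
 if (!capable(CAP_SYS_RAWIO))
 return -EPERM;
+#endif
 }
 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
 t->iopl = level << 12;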
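Review bot: In the sys_ioperm hunk the new `CONFIG_GRKERNSEC_IO` block returns `-EPERM` for every `turn_on` request, which leaves the following `if (turn_on && !capable(CAP_SYS_RAWIO))` check unreachable in that configuration, while the sys_iopl hunk expresses the same policy with `#ifdef`/`#else`/`#endif`. Use the same shape in both places (an `#else` before the `capable()` check in sys_ioperm) so the two syscalls read alike and no dead check remains. `gr_handle_ioperm()` and `gr_handle_iopl()` are also called before any capability test; their bodies are outside this section, but if they log, any unprivileged caller can produce the message at will, so they should be rate-limited or documented as already being so. Both functions continue outside the hunks.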
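--- a/arch/x86/kernel/irq_32.c
+++ b/arch/x86/kernel/irq_32.c
@@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
 return 0;
 
 /* build the stack frame on the IRQ stack */
- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
 irqctx->tinfo.task = curctx->tinfo.task;
 irqctx->tinfo.previous_esp = current_stack_pointer;
 
@@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
 irqctx->tinfo.previous_esp = current_stack_pointer;
 
 /* build the stack frame on the softirq stack */
- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
 
 call_on_stack(__do_softirq, isp);
 /*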
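Review bot: The `- 8` added to both `isp` computations is an unexplained magic number, and the same adjustment appears in copy_thread() in process_32.c and in the get_wchan() bounds in process_64.c. Give it one name shared by all sites and say what occupies the reserved bytes, for example `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - STACK_TOP_RESERVE);` with the constant defined once (the name is a suggestion, not something the patch defines). Without that, a later change at one site can silently disagree with the others.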
ae4e228f
MT
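--- a/arch/x86/kernel/kgdb.c
+++ b/arch/x86/kernel/kgdb.c
@@ -89,7 +89,7 @@ void pt_regs_to_gdb_regs(unsigned long *
 gdb_regs[GDB_CS] = regs->cs;
 gdb_regs[GDB_FS] = 0xFFFF;
 gdb_regs[GDB_GS] = 0xFFFF;
- if (user_mode_vm(regs)) {
+ if (user_mode(regs)) {
 gdb_regs[GDB_SS] = regs->ss;
 gdb_regs[GDB_SP] = regs->sp;
 } else {
@@ -690,7 +690,7 @@ unsigned long kgdb_arch_pc(int exception
 return instruction_pointer(regs);
 }
 
-struct kgdb_arch arch_kgdb_ops = {
+const struct kgdb_arch arch_kgdb_ops = {
 /* Breakpoint instruction: */
 .gdb_bpt_instr = { 0xcc },
 .flags = KGDB_HW_BREAKPOINT,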
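Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in pt_regs_to_gdb_regs() preserves behaviour only if `user_mode()` is redefined elsewhere in the patch to count vm86 frames as user mode; in the unpatched 32-bit header it tests only the CS privilege bits. That definition is outside this section, so once confirmed the call site should carry a comment such as `/* user_mode() also covers vm86 frames with this patch */`. The same substitution is made in kprobe_exceptions_notify() in kprobes.c and in __show_regs() in process_32.c.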
11458diff -urNp linux-2.6.33.1/arch/x86/kernel/kprobes.c linux-2.6.33.1/arch/x86/kernel/kprobes.c
11459--- linux-2.6.33.1/arch/x86/kernel/kprobes.c 2010-03-15 12:09:39.000000000 -0400
11460+++ linux-2.6.33.1/arch/x86/kernel/kprobes.c 2010-03-20 16:58:39.004585163 -0400
11461@@ -113,9 +113,13 @@ static void __kprobes set_jmp_op(void *f
58c5fc13
MT
11462 char op;
11463 s32 raddr;
11464 } __attribute__((packed)) * jop;
11465- jop = (struct __arch_jmp_op *)from;
11466+
58c5fc13
MT
11467+ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
11468+
ae4e228f 11469+ pax_open_kernel();
58c5fc13
MT
11470 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
11471 jop->op = RELATIVEJUMP_INSTRUCTION;
ae4e228f 11472+ pax_close_kernel();
58c5fc13
MT
11473 }
11474
11475 /*
ae4e228f 11476@@ -323,16 +327,18 @@ static void __kprobes fix_riprel(struct
58c5fc13
MT
11477
11478 static void __kprobes arch_copy_kprobe(struct kprobe *p)
11479 {
11480- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
ae4e228f 11481+ pax_open_kernel();
58c5fc13 11482+ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
ae4e228f 11483+ pax_close_kernel();
58c5fc13
MT
11484
11485 fix_riprel(p);
11486
11487- if (can_boost(p->addr))
11488+ if (can_boost(ktla_ktva(p->addr)))
11489 p->ainsn.boostable = 0;
11490 else
11491 p->ainsn.boostable = -1;
11492
11493- p->opcode = *p->addr;
11494+ p->opcode = *(ktla_ktva(p->addr));
11495 }
11496
11497 int __kprobes arch_prepare_kprobe(struct kprobe *p)
ae4e228f 11498@@ -412,7 +418,7 @@ static void __kprobes prepare_singlestep
58c5fc13
MT
11499 if (p->opcode == BREAKPOINT_INSTRUCTION)
11500 regs->ip = (unsigned long)p->addr;
11501 else
11502- regs->ip = (unsigned long)p->ainsn.insn;
11503+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11504 }
11505
11506 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
ae4e228f 11507@@ -433,7 +439,7 @@ static void __kprobes setup_singlestep(s
58c5fc13
MT
11508 if (p->ainsn.boostable == 1 && !p->post_handler) {
11509 /* Boost up -- we can execute copied instructions directly */
11510 reset_current_kprobe();
11511- regs->ip = (unsigned long)p->ainsn.insn;
11512+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
11513 preempt_enable_no_resched();
11514 return;
11515 }
ae4e228f 11516@@ -490,7 +496,7 @@ static int __kprobes kprobe_handler(stru
58c5fc13
MT
11517 struct kprobe_ctlblk *kcb;
11518
11519 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
11520- if (*addr != BREAKPOINT_INSTRUCTION) {
11521+ if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
11522 /*
11523 * The breakpoint instruction was removed right
11524 * after we hit it. Another cpu has removed
ae4e228f 11525@@ -742,7 +748,7 @@ static void __kprobes resume_execution(s
58c5fc13
MT
11526 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
11527 {
11528 unsigned long *tos = stack_addr(regs);
11529- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
11530+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
11531 unsigned long orig_ip = (unsigned long)p->addr;
11532 kprobe_opcode_t *insn = p->ainsn.insn;
11533
ae4e228f 11534@@ -925,7 +931,7 @@ int __kprobes kprobe_exceptions_notify(s
58c5fc13
MT
11535 struct die_args *args = data;
11536 int ret = NOTIFY_DONE;
11537
11538- if (args->regs && user_mode_vm(args->regs))
11539+ if (args->regs && user_mode(args->regs))
11540 return ret;
11541
11542 switch (val) {
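Review bot: In set_jmp_op() the store goes through `jop`, which is now the `ktla_ktva(from)` alias, while the displacement on the next line is still computed from the untranslated `from`; that looks intentional (the jump executes at `from`), but nothing says so. Add a comment above the assignment, e.g. `/* raddr is relative to the executed address (from), not the writable alias in jop */`. The translation helpers are also called with mixed argument types in this file (`ktla_ktva(p->addr)` with a pointer, `ktla_ktva((unsigned long)addr)` with an integer in kprobe_handler()), so settling on one form would make the call sites easier to audit. Several of the touched functions continue outside their hunks.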
ae4e228f
MT
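--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
 if (reload) {
 #ifdef CONFIG_SMP
 preempt_disable();
- load_LDT(pc);
+ load_LDT_nolock(pc);
 if (!cpumask_equal(mm_cpumask(current->mm),
 cpumask_of(smp_processor_id())))
 smp_call_function(flush_ldt, current->mm, 1);
 preempt_enable();
 #else
- load_LDT(pc);
+ load_LDT_nolock(pc);
 #endif
 }
 if (oldsize) {
@@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
 return err;
 
 for (i = 0; i < old->size; i++)
- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
+ write_ldt_entry(new->ldt, i, old->ldt + i);
 return 0;
 }
 
@@ -115,6 +115,24 @@ int init_new_context(struct task_struct
 retval = copy_ldt(&mm->context, &old_mm->context);
 mutex_unlock(&old_mm->context.lock);
 }
+
+ if (tsk == current) {
+ mm->context.vdso = ~0UL;
+
+#ifdef CONFIG_X86_32
+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
+ mm->context.user_cs_base = 0UL;
+ mm->context.user_cs_limit = ~0UL;
+
+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
+ cpus_clear(mm->context.cpu_user_cs_mask);
+#endif
+
+#endif
+#endif
+
+ }
+
 return retval;
 }
 
@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
 }
 }
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
+ error = -EINVAL;
+ goto out_unlock;
+ }
+#endif
+
 fill_ldt(&ldt, &ldt_info);
 if (oldmode)
 ldt.avl = 0;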
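Review bot: In copy_ldt() the source argument changed from `old->ldt + i * LDT_ENTRY_SIZE` to `old->ldt + i`, which is correct only if the `ldt` member is redeclared elsewhere in the patch as a pointer to a descriptor-sized type; with a `void *` member it would advance one byte per entry. The declaration is outside this section, so confirm it and consider writing `&old->ldt[i]`, which fails to compile if the member is still `void *`. In init_new_context() the new `tsk == current` block has no comment explaining why the vdso and user code-segment fields are reset only in that case, and it runs even when `retval` already holds an error from copy_ldt().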
ae4e228f
MT
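--- a/arch/x86/kernel/machine_kexec_32.c
+++ b/arch/x86/kernel/machine_kexec_32.c
@@ -27,7 +27,7 @@
 #include <asm/cacheflush.h>
 #include <asm/debugreg.h>
 
-static void set_idt(void *newidt, __u16 limit)
+static void set_idt(struct desc_struct *newidt, __u16 limit)
 {
 struct desc_ptr curidt;
 
@@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
 }
 
 
-static void set_gdt(void *newgdt, __u16 limit)
+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
 {
 struct desc_ptr curgdt;
 
@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
 }
 
 control_page = page_address(image->control_code_page);
- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
 
 relocate_kernel_ptr = control_page;
 page_list[PA_CONTROL_PAGE] = __pa(control_page);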
ae4e228f
MT
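--- a/arch/x86/kernel/microcode_amd.c
+++ b/arch/x86/kernel/microcode_amd.c
@@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
 uci->mc = NULL;
 }
 
-static struct microcode_ops microcode_amd_ops = {
+static const struct microcode_ops microcode_amd_ops = {
 .request_microcode_user = request_microcode_user,
 .request_microcode_fw = request_microcode_fw,
 .collect_cpu_info = collect_cpu_info_amd,
@@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
 .microcode_fini_cpu = microcode_fini_cpu_amd,
 };
 
-struct microcode_ops * __init init_amd_microcode(void)
+const struct microcode_ops * __init init_amd_microcode(void)
 {
 return &microcode_amd_ops;
 }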
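--- a/arch/x86/kernel/microcode_core.c
+++ b/arch/x86/kernel/microcode_core.c
@@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
 
 #define MICROCODE_VERSION "2.00"
 
-static struct microcode_ops *microcode_ops;
+static const struct microcode_ops *microcode_ops;
 
 /*
 * Synchronization.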
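--- a/arch/x86/kernel/microcode_intel.c
+++ b/arch/x86/kernel/microcode_intel.c
@@ -436,13 +436,13 @@ static enum ucode_state request_microcod
 
 static int get_ucode_user(void *to, const void *from, size_t n)
 {
- return copy_from_user(to, from, n);
+ return copy_from_user(to, (__force const void __user *)from, n);
 }
 
 static enum ucode_state
 request_microcode_user(int cpu, const void __user *buf, size_t size)
 {
- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
+ return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
 }
 
 static void microcode_fini_cpu(int cpu)
@@ -453,7 +453,7 @@ static void microcode_fini_cpu(int cpu)
 uci->mc = NULL;
 }
 
-static struct microcode_ops microcode_intel_ops = {
+static const struct microcode_ops microcode_intel_ops = {
 .request_microcode_user = request_microcode_user,
 .request_microcode_fw = request_microcode_fw,
 .collect_cpu_info = collect_cpu_info,
@@ -461,7 +461,7 @@ static struct microcode_ops microcode_in
 .microcode_fini_cpu = microcode_fini_cpu,
 };
 
-struct microcode_ops * __init init_intel_microcode(void)
+const struct microcode_ops * __init init_intel_microcode(void)
 {
 return &microcode_intel_ops;
 }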
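Review bot: The two `__force` casts in get_ucode_user() and request_microcode_user() silence the address-space check at both ends of the call, so inside generic_load_microcode() the user buffer travels as an unannotated `void *` and a direct dereference there would no longer be flagged by sparse. generic_load_microcode() is outside this section; if it touches the buffer only through the callback passed as its last argument, say so at the cast. A comment on get_ucode_user() such as `/* from is a user pointer carried through generic_load_microcode()'s void * argument */` records why the cast is safe.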
11710diff -urNp linux-2.6.33.1/arch/x86/kernel/module.c linux-2.6.33.1/arch/x86/kernel/module.c
11711--- linux-2.6.33.1/arch/x86/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
11712+++ linux-2.6.33.1/arch/x86/kernel/module.c 2010-03-20 16:58:39.011824892 -0400
11713@@ -34,7 +34,7 @@
58c5fc13
MT
11714 #define DEBUGP(fmt...)
11715 #endif
11716
11717-void *module_alloc(unsigned long size)
11718+static void *__module_alloc(unsigned long size, pgprot_t prot)
11719 {
11720 struct vm_struct *area;
11721
ae4e228f 11722@@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
58c5fc13
MT
11723 if (!area)
11724 return NULL;
11725
11726- return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
11727- PAGE_KERNEL_EXEC);
11728+ return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
11729+}
11730+
58c5fc13
MT
11731+void *module_alloc(unsigned long size)
11732+{
ae4e228f
MT
11733+
11734+#ifdef CONFIG_PAX_KERNEXEC
58c5fc13 11735+ return __module_alloc(size, PAGE_KERNEL);
ae4e228f
MT
11736+#else
11737+ return __module_alloc(size, PAGE_KERNEL_EXEC);
11738+#endif
11739+
11740 }
11741
11742 /* Free memory returned from module_alloc */
11743@@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
11744 vfree(module_region);
11745 }
11746
11747+#ifdef CONFIG_PAX_KERNEXEC
11748+#ifdef CONFIG_X86_32
58c5fc13
MT
11749+void *module_alloc_exec(unsigned long size)
11750+{
11751+ struct vm_struct *area;
11752+
11753+ if (size == 0)
11754+ return NULL;
11755+
11756+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
ae4e228f 11757+ return area ? area->addr : NULL;
58c5fc13
MT
11758+}
11759+EXPORT_SYMBOL(module_alloc_exec);
11760+
11761+void module_free_exec(struct module *mod, void *module_region)
11762+{
ae4e228f 11763+ vunmap(module_region);
58c5fc13
MT
11764+}
11765+EXPORT_SYMBOL(module_free_exec);
11766+#else
58c5fc13
MT
11767+void module_free_exec(struct module *mod, void *module_region)
11768+{
11769+ module_free(mod, module_region);
11770+}
11771+EXPORT_SYMBOL(module_free_exec);
11772+
11773+void *module_alloc_exec(unsigned long size)
11774+{
11775+ return __module_alloc(size, PAGE_KERNEL_RX);
11776+}
11777+EXPORT_SYMBOL(module_alloc_exec);
11778+#endif
58c5fc13 11779+#endif
ae4e228f
MT
11780+
11781 /* We don't need anything special. */
11782 int module_frob_arch_sections(Elf_Ehdr *hdr,
11783 Elf_Shdr *sechdrs,
11784@@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
58c5fc13
MT
11785 unsigned int i;
11786 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
11787 Elf32_Sym *sym;
11788- uint32_t *location;
11789+ uint32_t *plocation, location;
58c5fc13
MT
11790
11791 DEBUGP("Applying relocate section %u to %u\n", relsec,
11792 sechdrs[relsec].sh_info);
11793 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
11794 /* This is where to make the change */
11795- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
11796- + rel[i].r_offset;
11797+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
11798+ location = (uint32_t)plocation;
11799+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
11800+ plocation = ktla_ktva((void *)plocation);
11801 /* This is the symbol it is referring to. Note that all
11802 undefined symbols have been resolved. */
11803 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
ae4e228f 11804@@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
58c5fc13
MT
11805 switch (ELF32_R_TYPE(rel[i].r_info)) {
11806 case R_386_32:
11807 /* We add the value into the location given */
11808- *location += sym->st_value;
ae4e228f 11809+ pax_open_kernel();
58c5fc13 11810+ *plocation += sym->st_value;
ae4e228f 11811+ pax_close_kernel();
58c5fc13
MT
11812 break;
11813 case R_386_PC32:
11814 /* Add the value, subtract its postition */
11815- *location += sym->st_value - (uint32_t)location;
ae4e228f 11816+ pax_open_kernel();
58c5fc13 11817+ *plocation += sym->st_value - location;
ae4e228f 11818+ pax_close_kernel();
58c5fc13
MT
11819 break;
11820 default:
11821 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
ae4e228f 11822@@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
58c5fc13
MT
11823 case R_X86_64_NONE:
11824 break;
11825 case R_X86_64_64:
ae4e228f 11826+ pax_open_kernel();
58c5fc13 11827 *(u64 *)loc = val;
ae4e228f 11828+ pax_close_kernel();
58c5fc13
MT
11829 break;
11830 case R_X86_64_32:
ae4e228f 11831+ pax_open_kernel();
58c5fc13 11832 *(u32 *)loc = val;
ae4e228f 11833+ pax_close_kernel();
58c5fc13
MT
11834 if (val != *(u32 *)loc)
11835 goto overflow;
11836 break;
11837 case R_X86_64_32S:
ae4e228f 11838+ pax_open_kernel();
58c5fc13 11839 *(s32 *)loc = val;
ae4e228f 11840+ pax_close_kernel();
58c5fc13
MT
11841 if ((s64)val != *(s32 *)loc)
11842 goto overflow;
11843 break;
11844 case R_X86_64_PC32:
11845 val -= (u64)loc;
ae4e228f 11846+ pax_open_kernel();
58c5fc13 11847 *(u32 *)loc = val;
ae4e228f 11848+ pax_close_kernel();
58c5fc13
MT
11849+
11850 #if 0
11851 if ((s64)val != *(s32 *)loc)
11852 goto overflow;
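Review bot: With `CONFIG_PAX_KERNEXEC` set, module_alloc() now returns memory mapped `PAGE_KERNEL`, and only module_alloc_exec() hands back an executable region, but module_alloc() carries no comment stating this changed contract. Any caller that relied on module_alloc() for executable memory has to move to module_alloc_exec(); the callers are outside this section, so record the rule at the definition, e.g. `/* KERNEXEC: not executable; use module_alloc_exec() for code */`. In apply_relocate() the split into `plocation` (the address written through) and `location` (the value used in the `R_386_PC32` arithmetic) also deserves a one-line comment, since the two differ only for `SHF_EXECINSTR` sections. Both relocation functions continue outside their hunks.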
ae4e228f
MT
11853diff -urNp linux-2.6.33.1/arch/x86/kernel/paravirt.c linux-2.6.33.1/arch/x86/kernel/paravirt.c
11854--- linux-2.6.33.1/arch/x86/kernel/paravirt.c 2010-03-15 12:09:39.000000000 -0400
11855+++ linux-2.6.33.1/arch/x86/kernel/paravirt.c 2010-03-20 16:58:39.012867487 -0400
11856@@ -120,9 +120,9 @@ unsigned paravirt_patch_jmp(void *insnbu
58c5fc13
MT
11857
11858 /* Neat trick to map patch type back to the call within the
11859 * corresponding structure. */
11860-static void *get_call_destination(u8 type)
11861+static const void *get_call_destination(u8 type)
11862 {
11863- struct paravirt_patch_template tmpl = {
11864+ const struct paravirt_patch_template tmpl = {
11865 .pv_init_ops = pv_init_ops,
11866 .pv_time_ops = pv_time_ops,
11867 .pv_cpu_ops = pv_cpu_ops,
ae4e228f 11868@@ -133,13 +133,13 @@ static void *get_call_destination(u8 typ
58c5fc13
MT
11869 .pv_lock_ops = pv_lock_ops,
11870 #endif
11871 };
11872- return *((void **)&tmpl + type);
11873+ return *((const void **)&tmpl + type);
11874 }
11875
11876 unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
11877 unsigned long addr, unsigned len)
11878 {
11879- void *opfunc = get_call_destination(type);
11880+ const void *opfunc = get_call_destination(type);
11881 unsigned ret;
11882
11883 if (opfunc == NULL)
ae4e228f 11884@@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
58c5fc13
MT
11885 if (insn_len > len || start == NULL)
11886 insn_len = len;
11887 else
11888- memcpy(insnbuf, start, insn_len);
11889+ memcpy(insnbuf, ktla_ktva(start), insn_len);
11890
11891 return insn_len;
11892 }
ae4e228f 11893@@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
58c5fc13
MT
11894 preempt_enable();
11895 }
11896
11897-struct pv_info pv_info = {
11898+struct pv_info pv_info __read_only = {
11899 .name = "bare hardware",
11900 .paravirt_enabled = 0,
11901 .kernel_rpl = 0,
11902 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
11903 };
11904
11905-struct pv_init_ops pv_init_ops = {
11906+struct pv_init_ops pv_init_ops __read_only = {
11907 .patch = native_patch,
58c5fc13
MT
11908 };
11909
11910-struct pv_time_ops pv_time_ops = {
11911+struct pv_time_ops pv_time_ops __read_only = {
ae4e228f 11912 .sched_clock = native_sched_clock,
58c5fc13
MT
11913 };
11914
11915-struct pv_irq_ops pv_irq_ops = {
11916+struct pv_irq_ops pv_irq_ops __read_only = {
58c5fc13
MT
11917 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
11918 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
ae4e228f
MT
11919 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
11920@@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
58c5fc13
MT
11921 #endif
11922 };
11923
11924-struct pv_cpu_ops pv_cpu_ops = {
11925+struct pv_cpu_ops pv_cpu_ops __read_only = {
11926 .cpuid = native_cpuid,
11927 .get_debugreg = native_get_debugreg,
11928 .set_debugreg = native_set_debugreg,
ae4e228f 11929@@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
58c5fc13
MT
11930 .end_context_switch = paravirt_nop,
11931 };
11932
11933-struct pv_apic_ops pv_apic_ops = {
11934+struct pv_apic_ops pv_apic_ops __read_only = {
11935 #ifdef CONFIG_X86_LOCAL_APIC
ae4e228f
MT
11936 .startup_ipi_hook = paravirt_nop,
11937 #endif
11938@@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
58c5fc13
MT
11939 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
11940 #endif
11941
11942-struct pv_mmu_ops pv_mmu_ops = {
11943+struct pv_mmu_ops pv_mmu_ops __read_only = {
ae4e228f
MT
11944
11945 .read_cr2 = native_read_cr2,
11946 .write_cr2 = native_write_cr2,
11947@@ -467,6 +467,12 @@ struct pv_mmu_ops pv_mmu_ops = {
11948 },
11949
11950 .set_fixmap = native_set_fixmap,
11951+
11952+#ifdef CONFIG_PAX_KERNEXEC
11953+ .pax_open_kernel = native_pax_open_kernel,
11954+ .pax_close_kernel = native_pax_close_kernel,
11955+#endif
11956+
11957 };
11958
11959 EXPORT_SYMBOL_GPL(pv_time_ops);
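Review bot: Marking `pv_info` and the `pv_*_ops` tables `__read_only` (here, and `pv_lock_ops` in paravirt-spinlocks.c) means every writer of these tables, such as hypervisor guest setup code, must either run before the protection takes effect or wrap its stores in the `pax_open_kernel()`/`pax_close_kernel()` pair that this section adds to `pv_mmu_ops`. Those writers are outside this section, so nothing visible confirms they were converted. A comment above the first table, e.g. `/* __read_only: modify only inside pax_open_kernel()/pax_close_kernel() */`, would put the rule where the next person adding an override will see it.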
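--- a/arch/x86/kernel/paravirt-spinlocks.c
+++ b/arch/x86/kernel/paravirt-spinlocks.c
@@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
 arch_spin_lock(lock);
 }
 
-struct pv_lock_ops pv_lock_ops = {
+struct pv_lock_ops pv_lock_ops __read_only = {
 #ifdef CONFIG_SMP
 .spin_is_locked = __ticket_spin_is_locked,
 .spin_is_contended = __ticket_spin_is_contended,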
ae4e228f
MT
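--- a/arch/x86/kernel/pci-calgary_64.c
+++ b/arch/x86/kernel/pci-calgary_64.c
@@ -470,7 +470,7 @@ static void calgary_free_coherent(struct
 free_pages((unsigned long)vaddr, get_order(size));
 }
 
-static struct dma_map_ops calgary_dma_ops = {
+static const struct dma_map_ops calgary_dma_ops = {
 .alloc_coherent = calgary_alloc_coherent,
 .free_coherent = calgary_free_coherent,
 .map_sg = calgary_map_sg,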
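--- a/arch/x86/kernel/pci-dma.c
+++ b/arch/x86/kernel/pci-dma.c
@@ -15,7 +15,7 @@
 
 static int forbid_dac __read_mostly;
 
-struct dma_map_ops *dma_ops = &nommu_dma_ops;
+const struct dma_map_ops *dma_ops = &nommu_dma_ops;
 EXPORT_SYMBOL(dma_ops);
 
 static int iommu_sac_force __read_mostly;
@@ -240,7 +240,7 @@ early_param("iommu", iommu_setup);
 
 int dma_supported(struct device *dev, u64 mask)
 {
- struct dma_map_ops *ops = get_dma_ops(dev);
+ const struct dma_map_ops *ops = get_dma_ops(dev);
 
 #ifdef CONFIG_PCI
 if (mask > 0xffffffff && forbid_dac > 0) {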
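Review bot: `const struct dma_map_ops *dma_ops` makes the tables the pointer refers to read-only, but the exported pointer itself stays writable, so the choice of which table is in use is not covered by this constification. If the pointer is assigned only during boot (the assignments are outside this section), consider placing it in the same `__read_only` class the patch applies to the paravirt tables, or add a comment such as `/* selector stays writable: set by IOMMU init */` so the gap is a recorded decision. dma_supported() continues outside the hunk.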
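--- a/arch/x86/kernel/pci-gart_64.c
+++ b/arch/x86/kernel/pci-gart_64.c
@@ -695,7 +695,7 @@ static __init int init_k8_gatt(struct ag
 return -1;
 }
 
-static struct dma_map_ops gart_dma_ops = {
+static const struct dma_map_ops gart_dma_ops = {
 .map_sg = gart_map_sg,
 .unmap_sg = gart_unmap_sg,
 .map_page = gart_map_page,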
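--- a/arch/x86/kernel/pci-nommu.c
+++ b/arch/x86/kernel/pci-nommu.c
@@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
 flush_write_buffers();
 }
 
-struct dma_map_ops nommu_dma_ops = {
+const struct dma_map_ops nommu_dma_ops = {
 .alloc_coherent = dma_generic_alloc_coherent,
 .free_coherent = nommu_free_coherent,
 .map_sg = nommu_map_sg,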
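--- a/arch/x86/kernel/pci-swiotlb.c
+++ b/arch/x86/kernel/pci-swiotlb.c
@@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
 }
 
-static struct dma_map_ops swiotlb_dma_ops = {
+static const struct dma_map_ops swiotlb_dma_ops = {
 .mapping_error = swiotlb_dma_mapping_error,
 .alloc_coherent = x86_swiotlb_alloc_coherent,
 .free_coherent = swiotlb_free_coherent,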
12041diff -urNp linux-2.6.33.1/arch/x86/kernel/process_32.c linux-2.6.33.1/arch/x86/kernel/process_32.c
12042--- linux-2.6.33.1/arch/x86/kernel/process_32.c 2010-03-15 12:09:39.000000000 -0400
12043+++ linux-2.6.33.1/arch/x86/kernel/process_32.c 2010-03-20 16:58:39.012867487 -0400
12044@@ -66,6 +66,7 @@ asmlinkage void ret_from_fork(void) __as
58c5fc13
MT
12045 unsigned long thread_saved_pc(struct task_struct *tsk)
12046 {
12047 return ((unsigned long *)tsk->thread.sp)[3];
12048+//XXX return tsk->thread.eip;
12049 }
12050
12051 #ifndef CONFIG_SMP
ae4e228f
MT
12052@@ -127,7 +128,7 @@ void __show_regs(struct pt_regs *regs, i
12053 unsigned long sp;
58c5fc13 12054 unsigned short ss, gs;
58c5fc13
MT
12055
12056- if (user_mode_vm(regs)) {
12057+ if (user_mode(regs)) {
12058 sp = regs->sp;
12059 ss = regs->ss & 0xffff;
12060 gs = get_user_gs(regs);
ae4e228f 12061@@ -203,7 +204,7 @@ int copy_thread(unsigned long clone_flag
58c5fc13
MT
12062 struct task_struct *tsk;
12063 int err;
12064
12065- childregs = task_pt_regs(p);
12066+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
12067 *childregs = *regs;
12068 childregs->ax = 0;
12069 childregs->sp = sp;
ae4e228f 12070@@ -237,6 +238,7 @@ int copy_thread(unsigned long clone_flag
58c5fc13
MT
12071 * Set a new TLS for the child thread?
12072 */
12073 if (clone_flags & CLONE_SETTLS)
12074+//XXX needs set_fs()?
12075 err = do_set_thread_area(p, -1,
12076 (struct user_desc __user *)childregs->si, 0);
12077
ae4e228f 12078@@ -307,7 +309,7 @@ __switch_to(struct task_struct *prev_p,
58c5fc13
MT
12079 struct thread_struct *prev = &prev_p->thread,
12080 *next = &next_p->thread;
12081 int cpu = smp_processor_id();
12082- struct tss_struct *tss = &per_cpu(init_tss, cpu);
12083+ struct tss_struct *tss = init_tss + cpu;
ae4e228f 12084 bool preload_fpu;
58c5fc13
MT
12085
12086 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
ae4e228f 12087@@ -342,6 +344,11 @@ __switch_to(struct task_struct *prev_p,
58c5fc13
MT
12088 */
12089 lazy_save_gs(prev->gs);
12090
12091+#ifdef CONFIG_PAX_MEMORY_UDEREF
12092+ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
12093+ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
12094+#endif
12095+
12096 /*
12097 * Load the per-thread Thread-Local Storage descriptor.
12098 */
ae4e228f 12099@@ -418,3 +425,27 @@ unsigned long get_wchan(struct task_stru
58c5fc13
MT
12100 return 0;
12101 }
12102
12103+#ifdef CONFIG_PAX_RANDKSTACK
12104+asmlinkage void pax_randomize_kstack(void)
12105+{
12106+ struct thread_struct *thread = &current->thread;
12107+ unsigned long time;
12108+
12109+ if (!randomize_va_space)
12110+ return;
12111+
12112+ rdtscl(time);
12113+
12114+ /* P4 seems to return a 0 LSB, ignore it */
12115+#ifdef CONFIG_MPENTIUM4
12116+ time &= 0x1EUL;
12117+ time <<= 2;
12118+#else
12119+ time &= 0xFUL;
12120+ time <<= 3;
12121+#endif
12122+
12123+ thread->sp0 ^= time;
12124+ load_sp0(init_tss + smp_processor_id(), thread);
12125+}
12126+#endif
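Review bot: pax_randomize_kstack() derives its offset from the low bits of `rdtscl()` and keeps four of them, so each call toggles bits 3–6 of `sp0` (16 possible values in 8-byte steps), yet the only comment is about the Pentium 4 LSB. Document the width and the choice of the timestamp counter above the masking, e.g. `/* 4 bits from the TSC, XORed into bits 3..6 of sp0; cheap, not cryptographic */`, so nobody relies on it for more than it provides. Two `//XXX` markers are also left in the new code (`//XXX return tsk->thread.eip;` in thread_saved_pc() and `//XXX needs set_fs()?` between the `CLONE_SETTLS` test and its statement in copy_thread()); the second is an open correctness question and should be resolved or turned into a tracked TODO. copy_thread() and __switch_to() continue outside their hunks.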
ae4e228f
MT
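--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -88,7 +88,7 @@ static void __exit_idle(void)
 void exit_idle(void)
 {
 /* idle loop has pid 0 */
- if (current->pid)
+ if (task_pid_nr(current))
 return;
 __exit_idle();
 }
@@ -389,7 +389,7 @@ __switch_to(struct task_struct *prev_p,
 struct thread_struct *prev = &prev_p->thread;
 struct thread_struct *next = &next_p->thread;
 int cpu = smp_processor_id();
- struct tss_struct *tss = &per_cpu(init_tss, cpu);
+ struct tss_struct *tss = init_tss + cpu;
 unsigned fsindex, gsindex;
 bool preload_fpu;
 
@@ -542,12 +542,11 @@ unsigned long get_wchan(struct task_stru
 if (!p || p == current || p->state == TASK_RUNNING)
 return 0;
 stack = (unsigned long)task_stack_page(p);
- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
 return 0;
 fp = *(u64 *)(p->thread.sp);
 do {
- if (fp < (unsigned long)stack ||
- fp >= (unsigned long)stack+THREAD_SIZE)
+ if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
 return 0;
 ip = *(u64 *)(fp+8);
 if (!in_sched_functions(ip))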
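Review bot: In get_wchan() the new upper bound for `fp` is `stack+THREAD_SIZE-8-sizeof(u64)`, yet the next context line reads `*(u64 *)(fp+8)`, so for the largest accepted `fp` that load covers the last 8 bytes of the stack area, the same bytes the `-8` appears to keep out of reach. If those bytes are meant to be excluded, the loop check should allow for both words of the frame: `if (fp < stack || fp > stack+THREAD_SIZE-8-2*sizeof(u64))`. The `8` is also unnamed here, as in irq_32.c and process_32.c. The loop body continues outside the hunk.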
ae4e228f
MT
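--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -78,7 +78,7 @@ void exit_thread(void)
 unsigned long *bp = t->io_bitmap_ptr;
 
 if (bp) {
- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
+ struct tss_struct *tss = init_tss + get_cpu();
 
 t->io_bitmap_ptr = NULL;
 clear_thread_flag(TIF_IO_BITMAP);
@@ -105,7 +105,7 @@ void show_regs_common(void)
 
 printk(KERN_CONT "\n");
 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s %s/%s\n",
- current->pid, current->comm, print_tainted(),
+ task_pid_nr(current), current->comm, print_tainted(),
 init_utsname()->release,
 (int)strcspn(init_utsname()->version, " "),
 init_utsname()->version, board, product);
@@ -115,6 +115,9 @@ void flush_thread(void)
 {
 struct task_struct *tsk = current;
 
+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
+ loadsegment(gs, 0);
+#endif
 flush_ptrace_hw_breakpoint(tsk);
 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
 /*
@@ -272,8 +275,8 @@ int kernel_thread(int (*fn)(void *), voi
 regs.di = (unsigned long) arg;
 
 #ifdef CONFIG_X86_32
- regs.ds = __USER_DS;
- regs.es = __USER_DS;
+ regs.ds = __KERNEL_DS;
+ regs.es = __KERNEL_DS;
 regs.fs = __KERNEL_PERCPU;
 regs.gs = __KERNEL_STACK_CANARY;
 #else
@@ -664,17 +667,3 @@ static int __init idle_setup(char *str)
 return 0;
 }
 early_param("idle", idle_setup);
-
-unsigned long arch_align_stack(unsigned long sp)
-{
- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
- sp -= get_random_int() % 8192;
- return sp & ~0xf;
-}
-
-unsigned long arch_randomize_brk(struct mm_struct *mm)
-{
- unsigned long range_end = mm->brk + 0x02000000;
- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
-}
-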
ae4e228f
MT
12223diff -urNp linux-2.6.33.1/arch/x86/kernel/ptrace.c linux-2.6.33.1/arch/x86/kernel/ptrace.c
12224--- linux-2.6.33.1/arch/x86/kernel/ptrace.c 2010-03-15 12:09:39.000000000 -0400
12225+++ linux-2.6.33.1/arch/x86/kernel/ptrace.c 2010-03-20 16:58:39.012867487 -0400
12226@@ -1167,7 +1167,7 @@ static const struct user_regset_view use
12227 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
12228 {
12229 int ret;
12230- unsigned long __user *datap = (unsigned long __user *)data;
12231+ unsigned long __user *datap = (__force unsigned long __user *)data;
12232
12233 switch (request) {
12234 /* read the word at location addr in the USER area. */
12235@@ -1254,14 +1254,14 @@ long arch_ptrace(struct task_struct *chi
12236 if (addr < 0)
12237 return -EIO;
12238 ret = do_get_thread_area(child, addr,
12239- (struct user_desc __user *) data);
12240+ (__force struct user_desc __user *) data);
12241 break;
12242
12243 case PTRACE_SET_THREAD_AREA:
12244 if (addr < 0)
12245 return -EIO;
12246 ret = do_set_thread_area(child, addr,
12247- (struct user_desc __user *) data, 0);
12248+ (__force struct user_desc __user *) data, 0);
12249 break;
12250 #endif
12251
12252@@ -1280,12 +1280,12 @@ long arch_ptrace(struct task_struct *chi
12253 #ifdef CONFIG_X86_PTRACE_BTS
12254 case PTRACE_BTS_CONFIG:
12255 ret = ptrace_bts_config
12256- (child, data, (struct ptrace_bts_config __user *)addr);
12257+ (child, data, (__force struct ptrace_bts_config __user *)addr);
12258 break;
12259
12260 case PTRACE_BTS_STATUS:
12261 ret = ptrace_bts_status
12262- (child, data, (struct ptrace_bts_config __user *)addr);
12263+ (child, data, (__force struct ptrace_bts_config __user *)addr);
12264 break;
12265
12266 case PTRACE_BTS_SIZE:
12267@@ -1294,7 +1294,7 @@ long arch_ptrace(struct task_struct *chi
12268
12269 case PTRACE_BTS_GET:
12270 ret = ptrace_bts_read_record
12271- (child, data, (struct bts_struct __user *) addr);
12272+ (child, data, (__force struct bts_struct __user *) addr);
12273 break;
12274
12275 case PTRACE_BTS_CLEAR:
12276@@ -1303,7 +1303,7 @@ long arch_ptrace(struct task_struct *chi
12277
12278 case PTRACE_BTS_DRAIN:
12279 ret = ptrace_bts_drain
12280- (child, data, (struct bts_struct __user *) addr);
12281+ (child, data, (__force struct bts_struct __user *) addr);
12282 break;
12283 #endif /* CONFIG_X86_PTRACE_BTS */
12284
12285@@ -1690,7 +1690,7 @@ static void fill_sigtrap_info(struct tas
12286 memset(info, 0, sizeof(*info));
12287 info->si_signo = SIGTRAP;
12288 info->si_code = si_code;
12289- info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
12290+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
12291 }
12292
12293 void user_single_step_siginfo(struct task_struct *tsk,
12294diff -urNp linux-2.6.33.1/arch/x86/kernel/reboot.c linux-2.6.33.1/arch/x86/kernel/reboot.c
12295--- linux-2.6.33.1/arch/x86/kernel/reboot.c 2010-03-15 12:09:39.000000000 -0400
12296+++ linux-2.6.33.1/arch/x86/kernel/reboot.c 2010-03-20 16:58:39.016512700 -0400
12297@@ -33,7 +33,7 @@ void (*pm_power_off)(void);
58c5fc13
MT
12298 EXPORT_SYMBOL(pm_power_off);
12299
12300 static const struct desc_ptr no_idt = {};
12301-static int reboot_mode;
12302+static unsigned short reboot_mode;
12303 enum reboot_type reboot_type = BOOT_KBD;
12304 int reboot_force;
12305
ae4e228f
MT
12306@@ -276,7 +276,7 @@ static struct dmi_system_id __initdata r
12307 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
58c5fc13
MT
12308 },
12309 },
12310- { }
12311+ { NULL, NULL, {{0, {0}}}, NULL}
12312 };
12313
12314 static int __init reboot_init(void)
ae4e228f 12315@@ -292,12 +292,12 @@ core_initcall(reboot_init);
58c5fc13
MT
12316 controller to pulse the CPU reset line, which is more thorough, but
12317 doesn't work with at least one type of 486 motherboard. It is easy
12318 to stop this code working; hence the copious comments. */
12319-static const unsigned long long
12320-real_mode_gdt_entries [3] =
12321+static struct desc_struct
12322+real_mode_gdt_entries [3] __read_only =
12323 {
12324- 0x0000000000000000ULL, /* Null descriptor */
12325- 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
12326- 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
ae4e228f
MT
12327+ GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
12328+ GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
12329+ GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
58c5fc13
MT
12330 };
12331
12332 static const struct desc_ptr
ae4e228f 12333@@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
58c5fc13
MT
12334 * specified by the code and length parameters.
12335 * We assume that length will aways be less that 100!
12336 */
12337-void machine_real_restart(const unsigned char *code, int length)
12338+void machine_real_restart(const unsigned char *code, unsigned int length)
12339 {
12340 local_irq_disable();
12341
ae4e228f 12342@@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
58c5fc13
MT
12343 /* Remap the kernel at virtual address zero, as well as offset zero
12344 from the kernel segment. This assumes the kernel segment starts at
12345 virtual address PAGE_OFFSET. */
12346- memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12347- sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
12348+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12349+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
12350
12351 /*
12352 * Use `swapper_pg_dir' as our page directory.
ae4e228f 12353@@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
58c5fc13
MT
12354 boot)". This seems like a fairly standard thing that gets set by
12355 REBOOT.COM programs, and the previous reset routine did this
12356 too. */
12357- *((unsigned short *)0x472) = reboot_mode;
12358+ *(unsigned short *)(__va(0x472)) = reboot_mode;
12359
12360 /* For the switch to real mode, copy some code to low memory. It has
12361 to be in the first 64k because it is running in 16-bit mode, and it
12362 has to have the same physical and virtual address, because it turns
12363 off paging. Copy it near the end of the first page, out of the way
12364 of BIOS variables. */
12365- memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
12366- real_mode_switch, sizeof (real_mode_switch));
12367- memcpy((void *)(0x1000 - 100), code, length);
12368+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
12369+ memcpy(__va(0x1000 - 100), code, length);
12370
12371 /* Set up the IDT for real mode. */
12372 load_idt(&real_mode_idt);
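Review bot: `memcpy(__va(0x1000 - 100), code, length)` still copies a caller-supplied `length` into a slot that the comments size at 100 bytes ("We assume that length will aways be less that 100!"), and nothing in the visible hunks enforces that bound. Making `length` unsigned in the earlier @@ -346,7 +346,7 @@ hunk rules out negative values but not oversized ones, so an over-long stub would be written past the end of the first page. A guard such as `BUG_ON(length > 100);` near the top of machine_real_restart, with the 100 given a name shared by the check and both `memcpy` offsets, would turn the documented assumption into a checked one. The function body begins and ends outside this hunk.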
ae4e228f
MT
12373diff -urNp linux-2.6.33.1/arch/x86/kernel/setup.c linux-2.6.33.1/arch/x86/kernel/setup.c
12374--- linux-2.6.33.1/arch/x86/kernel/setup.c 2010-03-15 12:09:39.000000000 -0400
12375+++ linux-2.6.33.1/arch/x86/kernel/setup.c 2010-03-20 16:58:39.016512700 -0400
12376@@ -749,14 +749,14 @@ void __init setup_arch(char **cmdline_p)
58c5fc13
MT
12377
12378 if (!boot_params.hdr.root_flags)
12379 root_mountflags &= ~MS_RDONLY;
12380- init_mm.start_code = (unsigned long) _text;
12381- init_mm.end_code = (unsigned long) _etext;
12382+ init_mm.start_code = ktla_ktva((unsigned long) _text);
12383+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
12384 init_mm.end_data = (unsigned long) _edata;
12385 init_mm.brk = _brk_end;
12386
12387- code_resource.start = virt_to_phys(_text);
12388- code_resource.end = virt_to_phys(_etext)-1;
12389- data_resource.start = virt_to_phys(_etext);
12390+ code_resource.start = virt_to_phys(ktla_ktva(_text));
12391+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
12392+ data_resource.start = virt_to_phys(_sdata);
12393 data_resource.end = virt_to_phys(_edata)-1;
12394 bss_resource.start = virt_to_phys(&__bss_start);
12395 bss_resource.end = virt_to_phys(&__bss_stop)-1;
ae4e228f
MT
12396diff -urNp linux-2.6.33.1/arch/x86/kernel/setup_percpu.c linux-2.6.33.1/arch/x86/kernel/setup_percpu.c
12397--- linux-2.6.33.1/arch/x86/kernel/setup_percpu.c 2010-03-15 12:09:39.000000000 -0400
12398+++ linux-2.6.33.1/arch/x86/kernel/setup_percpu.c 2010-03-20 16:58:39.016512700 -0400
12399@@ -27,19 +27,17 @@
12400 # define DBG(fmt, ...) do { if (0) pr_dbg(fmt, ##__VA_ARGS__); } while (0)
58c5fc13
MT
12401 #endif
12402
12403+#ifdef CONFIG_SMP
12404 DEFINE_PER_CPU(int, cpu_number);
12405 EXPORT_PER_CPU_SYMBOL(cpu_number);
12406+#endif
12407
12408-#ifdef CONFIG_X86_64
12409 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
12410-#else
12411-#define BOOT_PERCPU_OFFSET 0
12412-#endif
12413
12414 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
12415 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
12416
12417-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
12418+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
12419 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
12420 };
12421 EXPORT_SYMBOL(__per_cpu_offset);
ae4e228f 12422@@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
58c5fc13
MT
12423 {
12424 #ifdef CONFIG_X86_32
ae4e228f
MT
12425 struct desc_struct gdt;
12426+ unsigned long base = per_cpu_offset(cpu);
12427
58c5fc13
MT
12428- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
12429- 0x2 | DESCTYPE_S, 0x8);
12430- gdt.s = 1;
ae4e228f
MT
12431+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
12432+ 0x83 | DESCTYPE_S, 0xC);
12433 write_gdt_entry(get_cpu_gdt_table(cpu),
12434 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
58c5fc13 12435 #endif
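Review bot: The new `pack_descriptor` call has no comment explaining its new limit, `(VMALLOC_END - base - 1) >> PAGE_SHIFT`, or its new type and flag arguments, `0x83 | DESCTYPE_S` and `0xC`. It replaces a fixed `0xFFFFF` limit, and it also drops the explicit `gdt.s = 1;`. This descriptor bounds every access made through the per-CPU segment on 32-bit, so the reason the limit stops at VMALLOC_END should be stated, for example `/* per-cpu segment: limit counted in pages, ends at VMALLOC_END rather than spanning the whole address space */`. What `0x83` and `0xC` encode should be written out by someone who can check them against pack_descriptor(), which is not visible here. setup_percpu_segment continues outside the hunk.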
ae4e228f 12436@@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
58c5fc13
MT
12437 /* alrighty, percpu areas up and running */
12438 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
12439 for_each_possible_cpu(cpu) {
12440+#ifdef CONFIG_CC_STACKPROTECTOR
12441+#ifdef CONFIG_x86_32
12442+ unsigned long canary = per_cpu(stack_canary, cpu);
12443+#endif
12444+#endif
ae4e228f 12445 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
58c5fc13
MT
12446 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
12447 per_cpu(cpu_number, cpu) = cpu;
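Review bot: `#ifdef CONFIG_x86_32` is spelled with a lowercase x, while the same file tests `CONFIG_X86_32` a few lines earlier, so the preprocessor treats the symbol as undefined and the `unsigned long canary = per_cpu(stack_canary, cpu);` save is never compiled. The same spelling guards the restore `per_cpu(stack_canary, cpu) = canary;` in the following hunk (@@ -240,6 +243,12 @@). Both halves therefore drop out together without a build error, and the boot CPU's stack canary is not carried across the per-CPU area switch as the added code appears to intend. Both guards should read `#ifdef CONFIG_X86_32`. setup_per_cpu_areas starts and ends outside these hunks.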
ae4e228f 12448@@ -240,6 +243,12 @@ void __init setup_per_cpu_areas(void)
58c5fc13
MT
12449 early_per_cpu_map(x86_cpu_to_node_map, cpu);
12450 #endif
12451 #endif
12452+#ifdef CONFIG_CC_STACKPROTECTOR
12453+#ifdef CONFIG_x86_32
12454+ if (cpu == boot_cpu_id)
12455+ per_cpu(stack_canary, cpu) = canary;
12456+#endif
12457+#endif
12458 /*
12459 * Up to this point, the boot CPU has been using .data.init
12460 * area. Reload any changed state for the boot CPU.
ae4e228f
MT
12461diff -urNp linux-2.6.33.1/arch/x86/kernel/signal.c linux-2.6.33.1/arch/x86/kernel/signal.c
12462--- linux-2.6.33.1/arch/x86/kernel/signal.c 2010-03-15 12:09:39.000000000 -0400
12463+++ linux-2.6.33.1/arch/x86/kernel/signal.c 2010-03-20 16:58:39.016512700 -0400
12464@@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
58c5fc13
MT
12465 * Align the stack pointer according to the i386 ABI,
12466 * i.e. so that on function entry ((sp + 4) & 15) == 0.
12467 */
12468- sp = ((sp + 4) & -16ul) - 4;
12469+ sp = ((sp - 12) & -16ul) - 4;
12470 #else /* !CONFIG_X86_32 */
12471 sp = round_down(sp, 16) - 8;
12472 #endif
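Review bot: The changed line `sp = ((sp - 12) & -16ul) - 4;` keeps the alignment that the comment above it describes, but nothing explains why the constant moved from `+ 4` to `- 12`. As far as the arithmetic shows, the old form could return `sp` unchanged when `sp` was already 12 mod 16, whereas the new form always lands at least 16 bytes below its input. If that is the purpose, it deserves a line such as `/* always move down: result <= sp - 16, and ((result + 4) & 15) == 0 still holds */`. align_sigframe begins outside the hunk.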
ae4e228f
MT
12473@@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
12474 * Return an always-bogus address instead so we will die with SIGSEGV.
12475 */
12476 if (onsigstack && !likely(on_sig_stack(sp)))
12477- return (void __user *)-1L;
12478+ return (__force void __user *)-1L;
12479
12480 /* save i387 state */
12481 if (used_math() && save_i387_xstate(*fpstate) < 0)
12482- return (void __user *)-1L;
12483+ return (__force void __user *)-1L;
12484
12485 return (void __user *)sp;
12486 }
12487@@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
58c5fc13
MT
12488 }
12489
12490 if (current->mm->context.vdso)
12491- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
ae4e228f 12492+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
58c5fc13
MT
12493 else
12494- restorer = &frame->retcode;
12495+ restorer = (void __user *)&frame->retcode;
12496 if (ka->sa.sa_flags & SA_RESTORER)
12497 restorer = ka->sa.sa_restorer;
12498
ae4e228f
MT
12499@@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
12500 * reasons and because gdb uses it as a signature to notice
12501 * signal handler stack frames.
12502 */
12503- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
12504+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
12505
12506 if (err)
12507 return -EFAULT;
12508@@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
58c5fc13
MT
12509 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
12510
12511 /* Set up to return from userspace. */
12512- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
ae4e228f 12513+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
58c5fc13
MT
12514 if (ka->sa.sa_flags & SA_RESTORER)
12515 restorer = ka->sa.sa_restorer;
12516 put_user_ex(restorer, &frame->pretcode);
ae4e228f
MT
12517@@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
12518 * reasons and because gdb uses it as a signature to notice
12519 * signal handler stack frames.
12520 */
12521- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
12522+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
12523 } put_user_catch(err);
12524
12525 if (err)
12526@@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
58c5fc13
MT
12527 * X86_32: vm86 regs switched out by assembly code before reaching
12528 * here, so testing against kernel CS suffices.
12529 */
12530- if (!user_mode(regs))
12531+ if (!user_mode_novm(regs))
12532 return;
12533
12534 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
ae4e228f
MT
12535diff -urNp linux-2.6.33.1/arch/x86/kernel/smpboot.c linux-2.6.33.1/arch/x86/kernel/smpboot.c
12536--- linux-2.6.33.1/arch/x86/kernel/smpboot.c 2010-03-15 12:09:39.000000000 -0400
12537+++ linux-2.6.33.1/arch/x86/kernel/smpboot.c 2010-03-20 16:58:39.016512700 -0400
12538@@ -750,7 +750,11 @@ do_rest:
58c5fc13
MT
12539 (unsigned long)task_stack_page(c_idle.idle) -
12540 KERNEL_STACK_OFFSET + THREAD_SIZE;
12541 #endif
12542+
ae4e228f 12543+ pax_open_kernel();
58c5fc13 12544 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
ae4e228f 12545+ pax_close_kernel();
58c5fc13
MT
12546+
12547 initial_code = (unsigned long)start_secondary;
12548 stack_start.sp = (void *) c_idle.idle->thread.sp;
12549
ae4e228f
MT
12550diff -urNp linux-2.6.33.1/arch/x86/kernel/step.c linux-2.6.33.1/arch/x86/kernel/step.c
12551--- linux-2.6.33.1/arch/x86/kernel/step.c 2010-03-15 12:09:39.000000000 -0400
12552+++ linux-2.6.33.1/arch/x86/kernel/step.c 2010-03-20 16:58:39.016512700 -0400
12553@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
12554 struct desc_struct *desc;
58c5fc13
MT
12555 unsigned long base;
12556
12557- seg &= ~7UL;
12558+ seg >>= 3;
12559
12560 mutex_lock(&child->mm->context.lock);
12561- if (unlikely((seg >> 3) >= child->mm->context.size))
58c5fc13 12562+ if (unlikely(seg >= child->mm->context.size))
ae4e228f 12563 addr = -1L; /* bogus selector, access would fault */
58c5fc13 12564 else {
ae4e228f
MT
12565 desc = child->mm->context.ldt + seg;
12566@@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
58c5fc13
MT
12567 unsigned char opcode[15];
12568 unsigned long addr = convert_ip_to_linear(child, regs);
12569
12570+ if (addr == -EINVAL)
12571+ return 0;
12572+
12573 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
12574 for (i = 0; i < copied; i++) {
12575 switch (opcode[i]) {
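Review bot: The added guard `if (addr == -EINVAL)` does not match the failure value visible in the previous hunk, where convert_ip_to_linear assigns `addr = -1L` for a bogus selector. Since -EINVAL is a different value, that case still falls through to `access_process_vm(child, addr, ...)` with the bogus address. Unless convert_ip_to_linear returns -EINVAL on a path outside the hunks shown, the test should be `if (addr == -1L)`, or both sites should use one named sentinel so they cannot drift apart. is_setting_trap_flag continues beyond this hunk.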
ae4e228f 12576@@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
58c5fc13
MT
12577
12578 #ifdef CONFIG_X86_64
12579 case 0x40 ... 0x4f:
12580- if (regs->cs != __USER_CS)
12581+ if ((regs->cs & 0xffff) != __USER_CS)
12582 /* 32-bit mode: register increment */
12583 return 0;
12584 /* 64-bit mode: REX prefix */
ae4e228f
MT
12585diff -urNp linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S
12586--- linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S 2010-03-15 12:09:39.000000000 -0400
12587+++ linux-2.6.33.1/arch/x86/kernel/syscall_table_32.S 2010-03-20 16:58:39.016512700 -0400
58c5fc13
MT
12588@@ -1,3 +1,4 @@
12589+.section .rodata,"a",@progbits
12590 ENTRY(sys_call_table)
12591 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
12592 .long sys_exit
ae4e228f
MT
12593diff -urNp linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c
12594--- linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c 2010-03-15 12:09:39.000000000 -0400
12595+++ linux-2.6.33.1/arch/x86/kernel/sys_i386_32.c 2010-03-20 16:58:39.016512700 -0400
58c5fc13
MT
12596@@ -24,6 +24,21 @@
12597
12598 #include <asm/syscalls.h>
12599
12600+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
12601+{
12602+ unsigned long pax_task_size = TASK_SIZE;
12603+
12604+#ifdef CONFIG_PAX_SEGMEXEC
12605+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
12606+ pax_task_size = SEGMEXEC_TASK_SIZE;
12607+#endif
12608+
12609+ if (len > pax_task_size || addr > pax_task_size - len)
12610+ return -EINVAL;
12611+
12612+ return 0;
12613+}
12614+
ae4e228f
MT
12615 /*
12616 * Perform the select(nd, in, out, ex, tv) and mmap() system
12617 * calls. Linux/i386 didn't use to be able to handle more than
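Review bot: i386_mmap_check is added without any comment, and its `flags` parameter is never read in the body shown. The check `len > pax_task_size || addr > pax_task_size - len` depends on its order, because testing `len` first is what keeps `pax_task_size - len` from wrapping, and that is easy to break in a later edit. A header comment would record it, for example `/* reject ranges ending above the task's address-space limit (SEGMEXEC halves it); len is tested first so the subtraction cannot wrap */`. If `flags` is only there to match a caller's signature, the comment should say so.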
12618@@ -58,6 +73,205 @@ out:
58c5fc13
MT
12619 return err;
12620 }
12621
12622+unsigned long
12623+arch_get_unmapped_area(struct file *filp, unsigned long addr,
12624+ unsigned long len, unsigned long pgoff, unsigned long flags)
12625+{
12626+ struct mm_struct *mm = current->mm;
12627+ struct vm_area_struct *vma;
12628+ unsigned long start_addr, pax_task_size = TASK_SIZE;
12629+
12630+#ifdef CONFIG_PAX_SEGMEXEC
12631+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
12632+ pax_task_size = SEGMEXEC_TASK_SIZE;
12633+#endif
12634+
12635+ if (len > pax_task_size)
12636+ return -ENOMEM;
12637+
12638+ if (flags & MAP_FIXED)
12639+ return addr;
12640+
12641+#ifdef CONFIG_PAX_RANDMMAP
12642+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12643+#endif
12644+
12645+ if (addr) {
12646+ addr = PAGE_ALIGN(addr);
12647+ vma = find_vma(mm, addr);
12648+ if (pax_task_size - len >= addr &&
12649+ (!vma || addr + len <= vma->vm_start))
12650+ return addr;
12651+ }
12652+ if (len > mm->cached_hole_size) {
12653+ start_addr = addr = mm->free_area_cache;
12654+ } else {
12655+ start_addr = addr = mm->mmap_base;
12656+ mm->cached_hole_size = 0;
12657+ }
12658+
12659+#ifdef CONFIG_PAX_PAGEEXEC
ae4e228f 12660+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
58c5fc13
MT
12661+ start_addr = 0x00110000UL;
12662+
12663+#ifdef CONFIG_PAX_RANDMMAP
12664+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12665+ start_addr += mm->delta_mmap & 0x03FFF000UL;
12666+#endif
12667+
12668+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
12669+ start_addr = addr = mm->mmap_base;
12670+ else
12671+ addr = start_addr;
12672+ }
12673+#endif
12674+
12675+full_search:
12676+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
12677+ /* At this point: (!vma || addr < vma->vm_end). */
12678+ if (pax_task_size - len < addr) {
12679+ /*
12680+ * Start a new search - just in case we missed
12681+ * some holes.
12682+ */
12683+ if (start_addr != mm->mmap_base) {
12684+ start_addr = addr = mm->mmap_base;
12685+ mm->cached_hole_size = 0;
12686+ goto full_search;
12687+ }
12688+ return -ENOMEM;
12689+ }
12690+ if (!vma || addr + len <= vma->vm_start) {
12691+ /*
12692+ * Remember the place where we stopped the search:
12693+ */
12694+ mm->free_area_cache = addr + len;
12695+ return addr;
12696+ }
12697+ if (addr + mm->cached_hole_size < vma->vm_start)
12698+ mm->cached_hole_size = vma->vm_start - addr;
12699+ addr = vma->vm_end;
12700+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
12701+ start_addr = addr = mm->mmap_base;
12702+ mm->cached_hole_size = 0;
12703+ goto full_search;
12704+ }
12705+ }
12706+}
12707+
12708+unsigned long
12709+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12710+ const unsigned long len, const unsigned long pgoff,
12711+ const unsigned long flags)
12712+{
12713+ struct vm_area_struct *vma;
12714+ struct mm_struct *mm = current->mm;
12715+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
12716+
12717+#ifdef CONFIG_PAX_SEGMEXEC
12718+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
12719+ pax_task_size = SEGMEXEC_TASK_SIZE;
12720+#endif
12721+
12722+ /* requested length too big for entire address space */
12723+ if (len > pax_task_size)
12724+ return -ENOMEM;
12725+
12726+ if (flags & MAP_FIXED)
12727+ return addr;
12728+
12729+#ifdef CONFIG_PAX_PAGEEXEC
ae4e228f 12730+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
58c5fc13
MT
12731+ goto bottomup;
12732+#endif
12733+
12734+#ifdef CONFIG_PAX_RANDMMAP
12735+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12736+#endif
12737+
12738+ /* requesting a specific address */
12739+ if (addr) {
12740+ addr = PAGE_ALIGN(addr);
12741+ vma = find_vma(mm, addr);
12742+ if (pax_task_size - len >= addr &&
12743+ (!vma || addr + len <= vma->vm_start))
12744+ return addr;
12745+ }
12746+
12747+ /* check if free_area_cache is useful for us */
12748+ if (len <= mm->cached_hole_size) {
12749+ mm->cached_hole_size = 0;
12750+ mm->free_area_cache = mm->mmap_base;
12751+ }
12752+
12753+ /* either no address requested or can't fit in requested address hole */
12754+ addr = mm->free_area_cache;
12755+
12756+ /* make sure it can fit in the remaining address space */
12757+ if (addr > len) {
12758+ vma = find_vma(mm, addr-len);
12759+ if (!vma || addr <= vma->vm_start)
12760+ /* remember the address as a hint for next time */
12761+ return (mm->free_area_cache = addr-len);
12762+ }
12763+
12764+ if (mm->mmap_base < len)
12765+ goto bottomup;
12766+
12767+ addr = mm->mmap_base-len;
12768+
12769+ do {
12770+ /*
12771+ * Lookup failure means no vma is above this address,
12772+ * else if new region fits below vma->vm_start,
12773+ * return with success:
12774+ */
12775+ vma = find_vma(mm, addr);
12776+ if (!vma || addr+len <= vma->vm_start)
12777+ /* remember the address as a hint for next time */
12778+ return (mm->free_area_cache = addr);
12779+
12780+ /* remember the largest hole we saw so far */
12781+ if (addr + mm->cached_hole_size < vma->vm_start)
12782+ mm->cached_hole_size = vma->vm_start - addr;
12783+
12784+ /* try just below the current vma->vm_start */
12785+ addr = vma->vm_start-len;
12786+ } while (len < vma->vm_start);
12787+
12788+bottomup:
12789+ /*
12790+ * A failed mmap() very likely causes application failure,
12791+ * so fall back to the bottom-up function here. This scenario
12792+ * can happen with large stack limits and large mmap()
12793+ * allocations.
12794+ */
12795+
12796+#ifdef CONFIG_PAX_SEGMEXEC
12797+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
12798+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
12799+ else
12800+#endif
12801+
12802+ mm->mmap_base = TASK_UNMAPPED_BASE;
12803+
12804+#ifdef CONFIG_PAX_RANDMMAP
12805+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12806+ mm->mmap_base += mm->delta_mmap;
12807+#endif
12808+
12809+ mm->free_area_cache = mm->mmap_base;
12810+ mm->cached_hole_size = ~0UL;
12811+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12812+ /*
12813+ * Restore the topdown base:
12814+ */
12815+ mm->mmap_base = base;
12816+ mm->free_area_cache = base;
12817+ mm->cached_hole_size = ~0UL;
12818+
12819+ return addr;
12820+}
12821
12822 struct sel_arg_struct {
12823 unsigned long n;
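Review bot: In both new functions the line `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` stands alone inside `#ifdef CONFIG_PAX_RANDMMAP` and governs the `if (addr) { ... }` block that follows it after a blank line. In arch_get_unmapped_area_topdown a comment also sits between the two. Nothing marks the hint-address block as the body of that conditional, so a statement inserted between them would silently change what is skipped when RANDMMAP is enabled. A comment on the guard would make the dependency explicit, for example `/* RANDMMAP: ignore the caller's address hint; this guards the if (addr) block below */`, as would folding the test into the `if (addr)` condition. The same construct is added to sys_x86_64.c in the @@ -69,11 +69,15 @@ and @@ -141,6 +145,10 @@ hunks.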
ae4e228f
MT
12824@@ -93,7 +307,7 @@ asmlinkage int sys_ipc(uint call, int fi
12825 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
12826 case SEMTIMEDOP:
12827 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
12828- (const struct timespec __user *)fifth);
12829+ (__force const struct timespec __user *)fifth);
12830
12831 case SEMGET:
12832 return sys_semget(first, second, third);
12833@@ -140,7 +354,7 @@ asmlinkage int sys_ipc(uint call, int fi
12834 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
12835 if (ret)
12836 return ret;
12837- return put_user(raddr, (ulong __user *) third);
12838+ return put_user(raddr, (__force ulong __user *) third);
12839 }
12840 case 1: /* iBCS2 emulator entry point */
12841 if (!segment_eq(get_fs(), get_ds()))
12842diff -urNp linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c
12843--- linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c 2010-03-15 12:09:39.000000000 -0400
12844+++ linux-2.6.33.1/arch/x86/kernel/sys_x86_64.c 2010-03-20 16:58:39.016512700 -0400
12845@@ -32,8 +32,8 @@ out:
58c5fc13
MT
12846 return error;
12847 }
12848
12849-static void find_start_end(unsigned long flags, unsigned long *begin,
12850- unsigned long *end)
12851+static void find_start_end(struct mm_struct *mm, unsigned long flags,
12852+ unsigned long *begin, unsigned long *end)
12853 {
12854 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
12855 unsigned long new_begin;
ae4e228f 12856@@ -52,7 +52,7 @@ static void find_start_end(unsigned long
58c5fc13
MT
12857 *begin = new_begin;
12858 }
12859 } else {
12860- *begin = TASK_UNMAPPED_BASE;
12861+ *begin = mm->mmap_base;
12862 *end = TASK_SIZE;
12863 }
12864 }
ae4e228f 12865@@ -69,11 +69,15 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT
12866 if (flags & MAP_FIXED)
12867 return addr;
12868
12869- find_start_end(flags, &begin, &end);
12870+ find_start_end(mm, flags, &begin, &end);
12871
12872 if (len > end)
12873 return -ENOMEM;
12874
12875+#ifdef CONFIG_PAX_RANDMMAP
12876+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12877+#endif
12878+
12879 if (addr) {
12880 addr = PAGE_ALIGN(addr);
12881 vma = find_vma(mm, addr);
ae4e228f 12882@@ -128,7 +132,7 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT
12883 {
12884 struct vm_area_struct *vma;
12885 struct mm_struct *mm = current->mm;
12886- unsigned long addr = addr0;
12887+ unsigned long base = mm->mmap_base, addr = addr0;
12888
12889 /* requested length too big for entire address space */
12890 if (len > TASK_SIZE)
ae4e228f 12891@@ -141,6 +145,10 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT
12892 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
12893 goto bottomup;
12894
12895+#ifdef CONFIG_PAX_RANDMMAP
12896+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12897+#endif
12898+
12899 /* requesting a specific address */
12900 if (addr) {
12901 addr = PAGE_ALIGN(addr);
ae4e228f 12902@@ -198,13 +206,21 @@ bottomup:
58c5fc13
MT
12903 * can happen with large stack limits and large mmap()
12904 * allocations.
12905 */
12906+ mm->mmap_base = TASK_UNMAPPED_BASE;
12907+
12908+#ifdef CONFIG_PAX_RANDMMAP
12909+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12910+ mm->mmap_base += mm->delta_mmap;
12911+#endif
12912+
12913+ mm->free_area_cache = mm->mmap_base;
12914 mm->cached_hole_size = ~0UL;
12915- mm->free_area_cache = TASK_UNMAPPED_BASE;
12916 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
12917 /*
12918 * Restore the topdown base:
12919 */
12920- mm->free_area_cache = mm->mmap_base;
12921+ mm->mmap_base = base;
12922+ mm->free_area_cache = base;
12923 mm->cached_hole_size = ~0UL;
12924
12925 return addr;
ae4e228f
MT
12926diff -urNp linux-2.6.33.1/arch/x86/kernel/time.c linux-2.6.33.1/arch/x86/kernel/time.c
12927--- linux-2.6.33.1/arch/x86/kernel/time.c 2010-03-15 12:09:39.000000000 -0400
12928+++ linux-2.6.33.1/arch/x86/kernel/time.c 2010-03-20 16:58:39.020693949 -0400
12929@@ -26,17 +26,13 @@
12930 int timer_ack;
12931 #endif
12932
12933-#ifdef CONFIG_X86_64
12934-volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
12935-#endif
12936-
12937 unsigned long profile_pc(struct pt_regs *regs)
12938 {
58c5fc13
MT
12939 unsigned long pc = instruction_pointer(regs);
12940
58c5fc13
MT
12941- if (!user_mode_vm(regs) && in_lock_functions(pc)) {
12942+ if (!user_mode(regs) && in_lock_functions(pc)) {
12943 #ifdef CONFIG_FRAME_POINTER
12944- return *(unsigned long *)(regs->bp + sizeof(long));
12945+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
12946 #else
ae4e228f
MT
12947 unsigned long *sp =
12948 (unsigned long *)kernel_stack_pointer(regs);
12949@@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
12950 * or above a saved flags. Eflags has bits 22-31 zero,
12951 * kernel addresses don't.
12952 */
58c5fc13
MT
12953+
12954+#ifdef CONFIG_PAX_KERNEXEC
12955+ return ktla_ktva(sp[0]);
12956+#else
12957 if (sp[0] >> 22)
12958 return sp[0];
12959 if (sp[1] >> 22)
12960 return sp[1];
12961 #endif
12962+
12963+#endif
12964 }
58c5fc13
MT
12965 return pc;
12966 }
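Review bot: With CONFIG_PAX_KERNEXEC the non-frame-pointer path now returns `ktla_ktva(sp[0])` unconditionally, skipping the `>> 22` tests that the comment above uses to tell a return address from saved flags. If `sp[0]` can hold saved flags in that configuration, the profiler would receive a translated flags word as a pc, so a short comment should say why the heuristic is not applicable here. The nesting is also hard to follow: the pre-existing `#endif` now closes the KERNEXEC block, and the added one closes the `#ifdef CONFIG_FRAME_POINTER` opened in the previous hunk. Trailing markers such as `#endif /* CONFIG_PAX_KERNEXEC */` and `#endif /* CONFIG_FRAME_POINTER */` would make that visible. profile_pc starts outside this hunk.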
ae4e228f
MT
12967diff -urNp linux-2.6.33.1/arch/x86/kernel/tls.c linux-2.6.33.1/arch/x86/kernel/tls.c
12968--- linux-2.6.33.1/arch/x86/kernel/tls.c 2010-03-15 12:09:39.000000000 -0400
12969+++ linux-2.6.33.1/arch/x86/kernel/tls.c 2010-03-20 16:58:39.020693949 -0400
58c5fc13
MT
12970@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
12971 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
12972 return -EINVAL;
12973
12974+#ifdef CONFIG_PAX_SEGMEXEC
12975+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
12976+ return -EINVAL;
12977+#endif
12978+
12979 set_tls_desc(p, idx, &info, 1);
12980
12981 return 0;
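Review bot: The new SEGMEXEC check reads `p->mm->pax_flags` without testing `p->mm`, and nothing in the hunk shows that every caller of do_set_thread_area passes a task that still has an mm. If a task without one can reach this point, the check itself would fault. One option is to test the pointer first, `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && ...)`, after confirming that skipping the restriction for such a task is acceptable. The other is a comment naming the callers that guarantee a non-NULL mm. The function begins outside the hunk.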
ae4e228f
MT
12982diff -urNp linux-2.6.33.1/arch/x86/kernel/trampoline_32.S linux-2.6.33.1/arch/x86/kernel/trampoline_32.S
12983--- linux-2.6.33.1/arch/x86/kernel/trampoline_32.S 2010-03-15 12:09:39.000000000 -0400
12984+++ linux-2.6.33.1/arch/x86/kernel/trampoline_32.S 2010-03-20 16:58:39.020693949 -0400
12985@@ -32,6 +32,12 @@
12986 #include <asm/segment.h>
12987 #include <asm/page_types.h>
12988
12989+#ifdef CONFIG_PAX_KERNEXEC
12990+#define ta(X) (X)
12991+#else
12992+#define ta(X) ((X) - __PAGE_OFFSET)
12993+#endif
12994+
12995 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
12996 __CPUINITRODATA
12997 .code16
12998@@ -60,7 +66,7 @@ r_base = .
12999 inc %ax # protected mode (PE) bit
13000 lmsw %ax # into protected mode
13001 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
13002- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
13003+ ljmpl $__BOOT_CS, $ta(startup_32_smp)
13004
13005 # These need to be in the same 64K segment as the above;
13006 # hence we don't use the boot_gdt_descr defined in head.S
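diff -urNp linux-2.6.33.1/arch/x86/kernel/traps.c linux-2.6.33.1/arch/x86/kernel/traps.c
--- linux-2.6.33.1/arch/x86/kernel/traps.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kernel/traps.c 2010-03-20 16:58:39.020693949 -0400
@@ -69,12 +69,6 @@ asmlinkage int system_call(void);
 
 /* Do we ignore FPU interrupts ? */
 char ignore_fpu_irq;
-
-/*
- * The IDT has to be page-aligned to simplify the Pentium
- * F0 0F bug workaround.
- */
-gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
 #endif
 
 DECLARE_BITMAP(used_vectors, NR_VECTORS);
@@ -112,19 +106,19 @@ static inline void preempt_conditional_c
 static inline void
 die_if_kernel(const char *str, struct pt_regs *regs, long err)
 {
- if (!user_mode_vm(regs))
+ if (!user_mode(regs))
 die(str, regs, err);
 }
 #endif
 
 static void __kprobes
-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
 long error_code, siginfo_t *info)
 {
 struct task_struct *tsk = current;
 
 #ifdef CONFIG_X86_32
- if (regs->flags & X86_VM_MASK) {
+ if (v8086_mode(regs)) {
 /*
 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
 * On nmi (interrupt 2), do_trap should not be called.
@@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
 }
 #endif
 
- if (!user_mode(regs))
+ if (!user_mode_novm(regs))
 goto kernel_trap;
 
 #ifdef CONFIG_X86_32
@@ -158,7 +152,7 @@ trap_signal:
 printk_ratelimit()) {
 printk(KERN_INFO
 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
- tsk->comm, tsk->pid, str,
+ tsk->comm, task_pid_nr(tsk), str,
 regs->ip, regs->sp, error_code);
 print_vma_addr(" in ", regs->ip);
 printk("\n");
@@ -175,8 +169,20 @@ kernel_trap:
 if (!fixup_exception(regs)) {
 tsk->thread.error_code = error_code;
 tsk->thread.trap_no = trapnr;
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
+ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
+ str = "PAX: suspicious stack segment fault";
+#endif
+
 die(str, regs, error_code);
 }
+
+#ifdef CONFIG_PAX_REFCOUNT
+ if (trapnr == 4)
+ pax_report_refcount_overflow(regs);
+#endif
+
 return;
 
 #ifdef CONFIG_X86_32
@@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
 conditional_sti(regs);
 
 #ifdef CONFIG_X86_32
- if (regs->flags & X86_VM_MASK)
+ if (v8086_mode(regs))
 goto gp_in_vm86;
 #endif
 
 tsk = current;
- if (!user_mode(regs))
+ if (!user_mode_novm(regs))
 goto gp_in_kernel;
 
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
+ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
+ struct mm_struct *mm = tsk->mm;
+ unsigned long limit;
+
+ down_write(&mm->mmap_sem);
+ limit = mm->context.user_cs_limit;
+ if (limit < TASK_SIZE) {
+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
+ up_write(&mm->mmap_sem);
+ return;
+ }
+ up_write(&mm->mmap_sem);
+ }
+#endif
+
 tsk->thread.error_code = error_code;
 tsk->thread.trap_no = 13;
 
@@ -305,6 +327,13 @@ gp_in_kernel:
 if (notify_die(DIE_GPF, "general protection fault", regs,
 error_code, 13, SIGSEGV) == NOTIFY_STOP)
 return;
+
+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
+ die("PAX: suspicious general protection fault", regs, error_code);
+ else
+#endif
+
 die("general protection fault", regs, error_code);
 }
 
@@ -556,7 +585,7 @@ dotraplinkage void __kprobes do_debug(st
 /* It's safe to allow irq's after DR6 has been saved */
 preempt_conditional_sti(regs);
 
- if (regs->flags & X86_VM_MASK) {
+ if (v8086_mode(regs)) {
 handle_vm86_trap((struct kernel_vm86_regs *) regs,
 error_code, 1);
 return;
@@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
 * We already checked v86 mode above, so we can check for kernel mode
 * by just checking the CPL of CS.
 */
- if ((dr6 & DR_STEP) && !user_mode(regs)) {
+ if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
 tsk->thread.debugreg6 &= ~DR_STEP;
 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
 regs->flags &= ~X86_EFLAGS_TF;
@@ -736,7 +765,7 @@ do_simd_coprocessor_error(struct pt_regs
 * Handle strange cache flush from user space exception
 * in all other cases. This is undocumented behaviour.
 */
- if (regs->flags & X86_VM_MASK) {
+ if (v8086_mode(regs)) {
 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
 return;
 }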
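Review bot: In the gp_in_kernel hunk the added `else` sits directly before `#endif`, so it binds across the preprocessor boundary and a blank line to the existing `die("general protection fault", regs, error_code);` call, and any statement later placed between them silently changes which call is conditional. The kernel_trap hunk in this same file avoids that by overwriting `str` ahead of a single `die()`, and the same shape fits here: declare `const char *msg = "general protection fault";`, assign `msg = "PAX: suspicious general protection fault";` inside the `#if`, and finish with `die(msg, regs, error_code);`. The `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` test is also spelled out twice in this file, and the bare vector numbers in `trapnr == 12` and `trapnr == 4` carry no comment naming the exceptions they stand for. do_general_protection and do_trap both start and end outside their hunks.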
ae4e228f
MT
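diff -urNp linux-2.6.33.1/arch/x86/kernel/tsc.c linux-2.6.33.1/arch/x86/kernel/tsc.c
--- linux-2.6.33.1/arch/x86/kernel/tsc.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kernel/tsc.c 2010-03-20 16:58:39.020693949 -0400
@@ -795,7 +795,7 @@ static struct dmi_system_id __initdata b
 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
 },
 },
- {}
+ { NULL, NULL, {{0, {0}}}, NULL}
 };
 
 static void __init check_system_tsc_reliable(void)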
ae4e228f
MT
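diff -urNp linux-2.6.33.1/arch/x86/kernel/vm86_32.c linux-2.6.33.1/arch/x86/kernel/vm86_32.c
--- linux-2.6.33.1/arch/x86/kernel/vm86_32.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kernel/vm86_32.c 2010-03-20 16:58:39.020693949 -0400
@@ -41,6 +41,7 @@
 #include <linux/ptrace.h>
 #include <linux/audit.h>
 #include <linux/stddef.h>
+#include <linux/grsecurity.h>
 
 #include <asm/uaccess.h>
 #include <asm/io.h>
@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
 do_exit(SIGSEGV);
 }
 
- tss = &per_cpu(init_tss, get_cpu());
+ tss = init_tss + get_cpu();
 current->thread.sp0 = current->thread.saved_sp0;
 current->thread.sysenter_cs = __KERNEL_CS;
 load_sp0(tss, &current->thread);
@@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
 struct task_struct *tsk;
 int tmp, ret = -EPERM;
 
+#ifdef CONFIG_GRKERNSEC_VM86
+ if (!capable(CAP_SYS_RAWIO)) {
+ gr_handle_vm86();
+ goto out;
+ }
+#endif
+
 tsk = current;
 if (tsk->thread.saved_sp0)
 goto out;
@@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
 int tmp, ret;
 struct vm86plus_struct __user *v86;
 
+#ifdef CONFIG_GRKERNSEC_VM86
+ if (!capable(CAP_SYS_RAWIO)) {
+ gr_handle_vm86();
+ ret = -EPERM;
+ goto out;
+ }
+#endif
+
 tsk = current;
 switch (cmd) {
 case VM86_REQUEST_IRQ:
@@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
 tsk->thread.saved_fs = info->regs32->fs;
 tsk->thread.saved_gs = get_user_gs(info->regs32);
 
- tss = &per_cpu(init_tss, get_cpu());
+ tss = init_tss + get_cpu();
 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
 if (cpu_has_sep)
 tsk->thread.sysenter_cs = 0;
@@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
 goto cannot_handle;
 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
 goto cannot_handle;
- intr_ptr = (unsigned long __user *) (i << 2);
+ intr_ptr = (__force unsigned long __user *) (i << 2);
 if (get_user(segoffs, intr_ptr))
 goto cannot_handle;
 if ((segoffs >> 16) == BIOSSEG)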
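Review bot: The refusal path added to sys_vm86old returns -EPERM only because `ret` is initialised to `-EPERM` on the declaration line just above the block, whereas the matching block in sys_vm86 assigns `ret = -EPERM;` explicitly before `goto out;`. The first block should set it explicitly as well, so that a later change to the initialiser cannot turn the capability refusal into a different return value. Both blocks also lack a comment stating the policy, for example `/* GRKERNSEC_VM86: vm86 mode requires CAP_SYS_RAWIO; gr_handle_vm86() presumably records the denied attempt */`. Both functions continue outside their hunks, so the `out:` label they jump to is not visible here.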
13238diff -urNp linux-2.6.33.1/arch/x86/kernel/vmi_32.c linux-2.6.33.1/arch/x86/kernel/vmi_32.c
13239--- linux-2.6.33.1/arch/x86/kernel/vmi_32.c 2010-03-15 12:09:39.000000000 -0400
13240+++ linux-2.6.33.1/arch/x86/kernel/vmi_32.c 2010-03-20 16:58:39.020693949 -0400
13241@@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
13242 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
13243
13244 #define call_vrom_func(rom,func) \
13245- (((VROMFUNC *)(rom->func))())
13246+ (((VROMFUNC *)(ktva_ktla(rom.func)))())
13247
13248 #define call_vrom_long_func(rom,func,arg) \
13249- (((VROMLONGFUNC *)(rom->func)) (arg))
13250+({\
13251+ u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
13252+ struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
13253+ __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
13254+ __reloc;\
13255+})
13256
13257-static struct vrom_header *vmi_rom;
13258+static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
13259 static int disable_pge;
13260 static int disable_pse;
13261 static int disable_sep;
13262@@ -76,10 +81,10 @@ static struct {
13263 void (*set_initial_ap_state)(int, int);
13264 void (*halt)(void);
13265 void (*set_lazy_mode)(int mode);
13266-} vmi_ops;
13267+} vmi_ops __read_only;
13268
13269 /* Cached VMI operations */
13270-struct vmi_timer_ops vmi_timer_ops;
13271+struct vmi_timer_ops vmi_timer_ops __read_only;
13272
13273 /*
13274 * VMI patching routines.
13275@@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
13276 static inline void patch_offset(void *insnbuf,
13277 unsigned long ip, unsigned long dest)
13278 {
13279- *(unsigned long *)(insnbuf+1) = dest-ip-5;
13280+ *(unsigned long *)(insnbuf+1) = dest-ip-5;
13281 }
13282
13283 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
13284@@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
58c5fc13
MT
13285 {
13286 u64 reloc;
13287 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
58c5fc13
MT
13288+
13289 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
13290 switch(rel->type) {
13291 case VMI_RELOCATION_CALL_REL:
ae4e228f 13292@@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
58c5fc13
MT
13293
13294 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
13295 {
13296- const pte_t pte = { .pte = 0 };
13297+ const pte_t pte = __pte(0ULL);
13298 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
13299 }
13300
13301 static void vmi_pmd_clear(pmd_t *pmd)
13302 {
13303- const pte_t pte = { .pte = 0 };
13304+ const pte_t pte = __pte(0ULL);
13305 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
13306 }
13307 #endif
ae4e228f 13308@@ -438,8 +444,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
58c5fc13
MT
13309 ap.ss = __KERNEL_DS;
13310 ap.esp = (unsigned long) start_esp;
13311
13312- ap.ds = __USER_DS;
13313- ap.es = __USER_DS;
13314+ ap.ds = __KERNEL_DS;
13315+ ap.es = __KERNEL_DS;
13316 ap.fs = __KERNEL_PERCPU;
13317 ap.gs = __KERNEL_STACK_CANARY;
13318
ae4e228f
MT
13319@@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
13320 paravirt_leave_lazy_mmu();
13321 }
58c5fc13
MT
13322
13323+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f
MT
13324+static unsigned long vmi_pax_open_kernel(void)
13325+{
13326+ return 0;
13327+}
13328+
13329+static unsigned long vmi_pax_close_kernel(void)
13330+{
13331+ return 0;
13332+}
58c5fc13
MT
13333+#endif
13334+
ae4e228f
MT
13335 static inline int __init check_vmi_rom(struct vrom_header *rom)
13336 {
13337 struct pci_header *pci;
13338@@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
13339 return 0;
13340 if (rom->vrom_signature != VMI_SIGNATURE)
58c5fc13 13341 return 0;
ae4e228f
MT
13342+ if (rom->rom_length * 512 > sizeof(*rom)) {
13343+ printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
13344+ return 0;
13345+ }
13346 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
13347 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
13348 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
13349@@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
13350 struct vrom_header *romstart;
13351 romstart = (struct vrom_header *)isa_bus_to_virt(base);
13352 if (check_vmi_rom(romstart)) {
13353- vmi_rom = romstart;
13354+ vmi_rom = *romstart;
13355 return 1;
13356 }
58c5fc13 13357 }
ae4e228f 13358@@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
58c5fc13
MT
13359
13360 para_fill(pv_irq_ops.safe_halt, Halt);
13361
13362+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f
MT
13363+ pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
13364+ pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
58c5fc13
MT
13365+#endif
13366+
13367 /*
13368 * Alternative instruction rewriting doesn't happen soon enough
13369 * to convert VMI_IRET to a call instead of a jump; so we have
ae4e228f
MT
13370@@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
13371
13372 void __init vmi_init(void)
13373 {
13374- if (!vmi_rom)
13375+ if (!vmi_rom.rom_signature)
13376 probe_vmi_rom();
13377 else
13378- check_vmi_rom(vmi_rom);
13379+ check_vmi_rom(&vmi_rom);
13380
13381 /* In case probing for or validating the ROM failed, basil */
13382- if (!vmi_rom)
13383+ if (!vmi_rom.rom_signature)
13384 return;
13385
13386- reserve_top_address(-vmi_rom->virtual_top);
13387+ reserve_top_address(-vmi_rom.virtual_top);
13388
13389 #ifdef CONFIG_X86_IO_APIC
13390 /* This is virtual hardware; timer routing is wired correctly */
13391@@ -874,7 +901,7 @@ void __init vmi_activate(void)
13392 {
13393 unsigned long flags;
13394
13395- if (!vmi_rom)
13396+ if (!vmi_rom.rom_signature)
13397 return;
13398
13399 local_irq_save(flags);
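Review bot: `vmi_pax_open_kernel()` and `vmi_pax_close_kernel()` are empty stubs that return 0, and the activate_vmi hunk installs them in `pv_mmu_ops`, yet nothing in the file says why doing nothing is correct on this backend. Someone auditing KERNEXEC cannot tell from here whether kernel write protection is simply not toggled under VMI or is expected to be handled elsewhere; a comment above the stubs should say which, along the lines of `/* VMI: open/close are no-ops because <reason to be filled in by the author> */`. The reworked `call_vrom_func` and `call_vrom_long_func` macros also use their `rom` argument unparenthesised (`rom.func`), which works for the single `vmi_rom` caller visible here but would be safer as `(rom).func`.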
13400diff -urNp linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S
13401--- linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S 2010-03-15 12:09:39.000000000 -0400
13402+++ linux-2.6.33.1/arch/x86/kernel/vmlinux.lds.S 2010-03-20 16:58:39.020693949 -0400
58c5fc13
MT
13403@@ -26,6 +26,22 @@
13404 #include <asm/page_types.h>
13405 #include <asm/cache.h>
13406 #include <asm/boot.h>
13407+#include <asm/segment.h>
13408+
13409+#undef PMD_SIZE
13410+#undef PMD_SHIFT
13411+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
13412+#define PMD_SHIFT 21
13413+#else
13414+#define PMD_SHIFT 22
13415+#endif
13416+#define PMD_SIZE (1 << PMD_SHIFT)
13417+
13418+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13419+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
13420+#else
13421+#define __KERNEL_TEXT_OFFSET 0
13422+#endif
13423
13424 #undef i386 /* in case the preprocessor is a 32bit one */
13425
ae4e228f 13426@@ -34,13 +50,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
58c5fc13
MT
13427 #ifdef CONFIG_X86_32
13428 OUTPUT_ARCH(i386)
13429 ENTRY(phys_startup_32)
13430-jiffies = jiffies_64;
13431 #else
13432 OUTPUT_ARCH(i386:x86-64)
13433 ENTRY(phys_startup_64)
13434-jiffies_64 = jiffies;
13435 #endif
13436
13437+jiffies = jiffies_64;
13438+
ae4e228f
MT
13439 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
13440 /*
13441 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
13442@@ -69,31 +85,46 @@ jiffies_64 = jiffies;
13443
58c5fc13
MT
13444 PHDRS {
13445 text PT_LOAD FLAGS(5); /* R_E */
13446- data PT_LOAD FLAGS(7); /* RWE */
ae4e228f
MT
13447+#ifdef CONFIG_XEN
13448+ rodata PT_LOAD FLAGS(5); /* R_E */
13449+#else
58c5fc13 13450+ rodata PT_LOAD FLAGS(4); /* R__ */
ae4e228f
MT
13451+#endif
13452+#ifdef CONFIG_X86_32
13453+ module PT_LOAD FLAGS(5); /* R_E */
13454+#endif
58c5fc13
MT
13455+ data PT_LOAD FLAGS(6); /* RW_ */
13456 #ifdef CONFIG_X86_64
ae4e228f 13457 user PT_LOAD FLAGS(5); /* R_E */
58c5fc13
MT
13458+#endif
13459+ init.begin PT_LOAD FLAGS(6); /* RW_ */
13460 #ifdef CONFIG_SMP
ae4e228f 13461 percpu PT_LOAD FLAGS(6); /* RW_ */
58c5fc13
MT
13462 #endif
13463+ text.init PT_LOAD FLAGS(5); /* R_E */
13464+ text.exit PT_LOAD FLAGS(5); /* R_E */
13465 init PT_LOAD FLAGS(7); /* RWE */
13466-#endif
13467 note PT_NOTE FLAGS(0); /* ___ */
13468 }
13469
13470 SECTIONS
13471 {
13472 #ifdef CONFIG_X86_32
13473- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
13474- phys_startup_32 = startup_32 - LOAD_OFFSET;
13475+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
13476 #else
13477- . = __START_KERNEL;
13478- phys_startup_64 = startup_64 - LOAD_OFFSET;
13479+ . = __START_KERNEL;
13480 #endif
13481
13482 /* Text and read-only data */
ae4e228f
MT
13483- .text : AT(ADDR(.text) - LOAD_OFFSET) {
13484- _text = .;
58c5fc13 13485+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
ae4e228f 13486 /* bootstrapping code */
58c5fc13
MT
13487+#ifdef CONFIG_X86_32
13488+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13489+#else
13490+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
13491+#endif
13492+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
ae4e228f
MT
13493+ _text = .;
13494 HEAD_TEXT
58c5fc13 13495 #ifdef CONFIG_X86_32
58c5fc13 13496 . = ALIGN(PAGE_SIZE);
ae4e228f
MT
13497@@ -108,30 +139,66 @@ SECTIONS
13498 IRQENTRY_TEXT
13499 *(.fixup)
13500 *(.gnu.warning)
13501- /* End of text section */
13502- _etext = .;
58c5fc13
MT
13503 } :text = 0x9090
13504
13505- NOTES :text :note
13506+ . += __KERNEL_TEXT_OFFSET;
13507+
13508+ . = ALIGN(PAGE_SIZE);
13509+ NOTES :rodata :note
13510
ae4e228f
MT
13511- EXCEPTION_TABLE(16) :text = 0x9090
13512+ EXCEPTION_TABLE(16) :rodata
58c5fc13 13513
ae4e228f 13514 X64_ALIGN_DEBUG_RODATA_BEGIN
58c5fc13 13515 RO_DATA(PAGE_SIZE)
ae4e228f 13516 X64_ALIGN_DEBUG_RODATA_END
58c5fc13
MT
13517
13518+#ifdef CONFIG_X86_32
13519+ . = ALIGN(PAGE_SIZE);
13520+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
13521+ *(.idt)
13522+ . = ALIGN(PAGE_SIZE);
13523+ *(.empty_zero_page)
13524+ *(.swapper_pg_pmd)
13525+ *(.swapper_pg_dir)
58c5fc13
MT
13526+ }
13527+
ae4e228f
MT
13528+ . = ALIGN(PAGE_SIZE);
13529+ .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
13530+ *(.vmi.rom)
13531+ } :module
13532+
58c5fc13
MT
13533+ . = ALIGN(PAGE_SIZE);
13534+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
ae4e228f
MT
13535+
13536+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
58c5fc13
MT
13537+ MODULES_EXEC_VADDR = .;
13538+ BYTE(0)
ae4e228f 13539+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
58c5fc13
MT
13540+ . = ALIGN(PMD_SIZE);
13541+ MODULES_EXEC_END = . - 1;
58c5fc13 13542+#endif
ae4e228f
MT
13543+
13544+ } :module
58c5fc13
MT
13545+#endif
13546+
13547 /* Data */
13548 .data : AT(ADDR(.data) - LOAD_OFFSET) {
ae4e228f
MT
13549+ /* End of text section */
13550+ _etext = . - __KERNEL_TEXT_OFFSET;
58c5fc13
MT
13551+
13552+#ifdef CONFIG_PAX_KERNEXEC
13553+ . = ALIGN(PMD_SIZE);
13554+#else
13555+ . = ALIGN(PAGE_SIZE);
13556+#endif
13557+
13558 /* Start of data section */
13559 _sdata = .;
13560
13561 /* init_task */
13562 INIT_TASK_DATA(THREAD_SIZE)
13563
13564-#ifdef CONFIG_X86_32
13565- /* 32 bit has nosave before _edata */
13566 NOSAVE_DATA
13567-#endif
13568
13569 PAGE_ALIGNED_DATA(PAGE_SIZE)
ae4e228f
MT
13570
13571@@ -194,12 +261,6 @@ SECTIONS
58c5fc13
MT
13572 }
13573 vgetcpu_mode = VVIRT(.vgetcpu_mode);
13574
ae4e228f 13575- . = ALIGN(L1_CACHE_BYTES);
58c5fc13
MT
13576- .jiffies : AT(VLOAD(.jiffies)) {
13577- *(.jiffies)
13578- }
13579- jiffies = VVIRT(.jiffies);
13580-
13581 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
13582 *(.vsyscall_3)
13583 }
ae4e228f 13584@@ -215,12 +276,19 @@ SECTIONS
58c5fc13
MT
13585 #endif /* CONFIG_X86_64 */
13586
13587 /* Init code and data - will be freed after init */
13588- . = ALIGN(PAGE_SIZE);
13589 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
13590+ BYTE(0)
13591+
13592+#ifdef CONFIG_PAX_KERNEXEC
13593+ . = ALIGN(PMD_SIZE);
13594+#else
13595+ . = ALIGN(PAGE_SIZE);
13596+#endif
13597+
13598 __init_begin = .; /* paired with __init_end */
13599- }
13600+ } :init.begin
13601
13602-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
13603+#ifdef CONFIG_SMP
13604 /*
13605 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
13606 * output PHDR, so the next output section - .init.text - should
ae4e228f 13607@@ -229,12 +297,27 @@ SECTIONS
58c5fc13
MT
13608 PERCPU_VADDR(0, :percpu)
13609 #endif
13610
ae4e228f 13611- INIT_TEXT_SECTION(PAGE_SIZE)
58c5fc13
MT
13612-#ifdef CONFIG_X86_64
13613- :init
13614-#endif
ae4e228f
MT
13615+ . = ALIGN(PAGE_SIZE);
13616+ init_begin = .;
13617+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
13618+ VMLINUX_SYMBOL(_sinittext) = .;
13619+ INIT_TEXT
13620+ VMLINUX_SYMBOL(_einittext) = .;
13621+ . = ALIGN(PAGE_SIZE);
58c5fc13
MT
13622+ } :text.init
13623+
13624+ /*
13625+ * .exit.text is discard at runtime, not link time, to deal with
13626+ * references from .altinstructions and .eh_frame
13627+ */
13628+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13629+ EXIT_TEXT
13630+ . = ALIGN(16);
13631+ } :text.exit
13632+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
13633
ae4e228f
MT
13634- INIT_DATA_SECTION(16)
13635+ . = ALIGN(PAGE_SIZE);
13636+ INIT_DATA_SECTION(16) :init
58c5fc13 13637
ae4e228f
MT
13638 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
13639 __x86_cpu_dev_start = .;
13640@@ -260,19 +343,11 @@ SECTIONS
58c5fc13
MT
13641 *(.altinstr_replacement)
13642 }
13643
13644- /*
13645- * .exit.text is discard at runtime, not link time, to deal with
13646- * references from .altinstructions and .eh_frame
13647- */
13648- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
13649- EXIT_TEXT
13650- }
13651-
13652 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
13653 EXIT_DATA
13654 }
58c5fc13
MT
13655
13656-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
13657+#ifndef CONFIG_SMP
13658 PERCPU(PAGE_SIZE)
13659 #endif
13660
ae4e228f 13661@@ -295,12 +370,6 @@ SECTIONS
58c5fc13
MT
13662 . = ALIGN(PAGE_SIZE);
13663 }
13664
13665-#ifdef CONFIG_X86_64
13666- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
13667- NOSAVE_DATA
13668- }
13669-#endif
13670-
13671 /* BSS */
13672 . = ALIGN(PAGE_SIZE);
13673 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
ae4e228f 13674@@ -316,6 +385,7 @@ SECTIONS
58c5fc13
MT
13675 __brk_base = .;
13676 . += 64 * 1024; /* 64k alignment slop space */
13677 *(.brk_reservation) /* areas brk users have reserved */
13678+ . = ALIGN(PMD_SIZE);
13679 __brk_limit = .;
13680 }
13681
ae4e228f 13682@@ -342,13 +412,12 @@ SECTIONS
58c5fc13
MT
13683 * for the boot processor.
13684 */
13685 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
13686-INIT_PER_CPU(gdt_page);
13687 INIT_PER_CPU(irq_stack_union);
13688
13689 /*
13690 * Build-time check on the image size:
13691 */
13692-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
13693+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
13694 "kernel image bigger than KERNEL_IMAGE_SIZE");
13695
13696 #ifdef CONFIG_SMP
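Review bot: The PHDRS hunk splits the old RWE `data` segment into read-only, read-execute and read-write pieces, but `init PT_LOAD FLAGS(7); /* RWE */` is kept unchanged, and a later hunk assigns `INIT_DATA_SECTION(16) :init` to it after init code has been moved out to `text.init`. If nothing executable remains in that segment it could become `FLAGS(6)`; the `.altinstr_replacement` input visible in a later hunk suggests some code may still land there, in which case a comment beside the `init` line should say what needs execute permission. The added `BYTE(0)` statements in `.init.begin` and `.module.text`, the `rodata` segment being R_E under `CONFIG_XEN`, and the local `PMD_SHIFT`/`PMD_SIZE` redefinitions are likewise uncommented, so a reader cannot check them against the page-table headers they shadow.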
ae4e228f
MT
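diff -urNp linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c
--- linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kernel/vsyscall_64.c 2010-03-20 16:58:39.020693949 -0400
@@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
 
 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
 /* copy vsyscall data */
+ strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
 vsyscall_gtod_data.clock.vread = clock->vread;
 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
 vsyscall_gtod_data.clock.mask = clock->mask;
@@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
 We do this here because otherwise user space would do it on
 its own in a likely inferior way (no access to jiffies).
 If you don't like it pass NULL. */
- if (tcache && tcache->blob[0] == (j = __jiffies)) {
+ if (tcache && tcache->blob[0] == (j = jiffies)) {
 p = tcache->blob[1];
 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
 /* Load per CPU data from RDTSCP */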
ae4e228f
MT
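diff -urNp linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c
--- linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kernel/x8664_ksyms_64.c 2010-03-20 16:58:39.020693949 -0400
@@ -28,8 +28,6 @@ EXPORT_SYMBOL(__put_user_8);
 
 EXPORT_SYMBOL(copy_user_generic);
 EXPORT_SYMBOL(__copy_user_nocache);
-EXPORT_SYMBOL(_copy_from_user);
-EXPORT_SYMBOL(_copy_to_user);
 
 EXPORT_SYMBOL(copy_page);
 EXPORT_SYMBOL(clear_page);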
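diff -urNp linux-2.6.33.1/arch/x86/kernel/xsave.c linux-2.6.33.1/arch/x86/kernel/xsave.c
--- linux-2.6.33.1/arch/x86/kernel/xsave.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kernel/xsave.c 2010-03-20 16:58:39.020693949 -0400
@@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
 fx_sw_user->xstate_size > fx_sw_user->extended_size)
 return -1;
 
- err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
+ err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
 fx_sw_user->extended_size -
 FP_XSTATE_MAGIC2_SIZE));
 /*
@@ -196,7 +196,7 @@ fx_only:
 * the other extended state.
 */
 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
+ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
 }
 
 /*
@@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
 if (task_thread_info(tsk)->status & TS_XSAVE)
 err = restore_user_xstate(buf);
 else
- err = fxrstor_checking((__force struct i387_fxsave_struct *)
+ err = fxrstor_checking((struct i387_fxsave_struct __user *)
 buf);
 if (unlikely(err)) {
 /*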
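diff -urNp linux-2.6.33.1/arch/x86/kvm/emulate.c linux-2.6.33.1/arch/x86/kvm/emulate.c
--- linux-2.6.33.1/arch/x86/kvm/emulate.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kvm/emulate.c 2010-03-20 16:58:39.024538149 -0400
@@ -413,6 +413,7 @@ static u32 group2_table[] = {
 
 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
 do { \
+ unsigned long _tmp; \
 __asm__ __volatile__ ( \
 _PRE_EFLAGS("0", "4", "2") \
 _op _suffix " %"_x"3,%1; " \
@@ -426,8 +427,6 @@ static u32 group2_table[] = {
 /* Raw emulation: instruction has two explicit operands. */
 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
 do { \
- unsigned long _tmp; \
- \
 switch ((_dst).bytes) { \
 case 2: \
 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
@@ -443,7 +442,6 @@ static u32 group2_table[] = {
 
 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
 do { \
- unsigned long _tmp; \
 switch ((_dst).bytes) { \
 case 1: \
 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \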
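diff -urNp linux-2.6.33.1/arch/x86/kvm/svm.c linux-2.6.33.1/arch/x86/kvm/svm.c
--- linux-2.6.33.1/arch/x86/kvm/svm.c 2010-03-15 12:09:39.000000000 -0400
+++ linux-2.6.33.1/arch/x86/kvm/svm.c 2010-03-20 16:58:39.024538149 -0400
@@ -2428,7 +2428,11 @@ static void reload_tss(struct kvm_vcpu *
 int cpu = raw_smp_processor_id();
 
 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
+
+ pax_open_kernel();
 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
+ pax_close_kernel();
+
 load_TR_desc();
 }
 
@@ -2910,7 +2914,7 @@ static bool svm_gb_page_enable(void)
 return true;
 }
 
-static struct kvm_x86_ops svm_x86_ops = {
+static const struct kvm_x86_ops svm_x86_ops = {
 .cpu_has_kvm_support = has_svm,
 .disabled_by_bios = is_disabled,
 .hardware_setup = svm_hardware_setup,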
ae4e228f
MT
13811diff -urNp linux-2.6.33.1/arch/x86/kvm/vmx.c linux-2.6.33.1/arch/x86/kvm/vmx.c
13812--- linux-2.6.33.1/arch/x86/kvm/vmx.c 2010-03-15 12:09:39.000000000 -0400
13813+++ linux-2.6.33.1/arch/x86/kvm/vmx.c 2010-03-20 16:58:39.024538149 -0400
13814@@ -580,7 +580,11 @@ static void reload_tss(void)
58c5fc13 13815
58c5fc13
MT
13816 kvm_get_gdt(&gdt);
13817 descs = (void *)gdt.base;
13818+
ae4e228f 13819+ pax_open_kernel();
58c5fc13 13820 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
ae4e228f 13821+ pax_close_kernel();
58c5fc13
MT
13822+
13823 load_TR_desc();
13824 }
13825
ae4e228f 13826@@ -1385,8 +1389,11 @@ static __init int hardware_setup(void)
58c5fc13
MT
13827 if (!cpu_has_vmx_flexpriority())
13828 flexpriority_enabled = 0;
13829
13830- if (!cpu_has_vmx_tpr_shadow())
13831- kvm_x86_ops->update_cr8_intercept = NULL;
13832+ if (!cpu_has_vmx_tpr_shadow()) {
ae4e228f 13833+ pax_open_kernel();
58c5fc13 13834+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
ae4e228f 13835+ pax_close_kernel();
58c5fc13
MT
13836+ }
13837
ae4e228f
MT
13838 if (enable_ept && !cpu_has_vmx_ept_2m_page())
13839 kvm_disable_largepages();
13840@@ -2357,7 +2364,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
58c5fc13
MT
13841 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
13842
13843 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
13844- vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
13845+ vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
13846 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
13847 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
13848 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
ae4e228f 13849@@ -3742,6 +3749,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
58c5fc13
MT
13850 "jmp .Lkvm_vmx_return \n\t"
13851 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
13852 ".Lkvm_vmx_return: "
13853+
13854+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13855+ "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
13856+ ".Lkvm_vmx_return2: "
13857+#endif
13858+
13859 /* Save guest registers, load host registers, keep flags */
13860 "xchg %0, (%%"R"sp) \n\t"
13861 "mov %%"R"ax, %c[rax](%0) \n\t"
ae4e228f 13862@@ -3788,6 +3801,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
58c5fc13
MT
13863 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
13864 #endif
13865 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
13866+
13867+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13868+ ,[cs]"i"(__KERNEL_CS)
13869+#endif
13870+
13871 : "cc", "memory"
13872 , R"bx", R"di", R"si"
13873 #ifdef CONFIG_X86_64
ae4e228f 13874@@ -3806,7 +3824,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
58c5fc13
MT
13875 if (vmx->rmode.irq.pending)
13876 fixup_rmode_irq(vmx);
13877
13878- asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
13879+ asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
13880 vmx->launched = 1;
13881
13882 vmx_complete_interrupts(vmx);
ae4e228f
MT
13883@@ -3974,7 +3992,7 @@ static bool vmx_gb_page_enable(void)
13884 return false;
58c5fc13
MT
13885 }
13886
13887-static struct kvm_x86_ops vmx_x86_ops = {
13888+static const struct kvm_x86_ops vmx_x86_ops = {
13889 .cpu_has_kvm_support = cpu_has_kvm_support,
13890 .disabled_by_bios = vmx_disabled_by_bios,
13891 .hardware_setup = hardware_setup,
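Review bot: In the hardware_setup hunk, `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast into what is presumably the table this same file now declares `static const struct kvm_x86_ops vmx_x86_ops`. Modifying an object defined const is undefined behaviour in C, so the compiler may assume the member still holds its initialiser. The `pax_open_kernel()`/`pax_close_kernel()` pair only lifts the page protection for the store and does nothing about that language-level assumption. A sturdier shape leaves the table untouched and has the VMX callback return early when `cpu_has_vmx_tpr_shadow()` is false, or keeps this one mutable pointer outside the const table. hardware_setup extends beyond the hunk, and whether callers depend on the NULL value is not visible here.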
ae4e228f
MT
13892diff -urNp linux-2.6.33.1/arch/x86/kvm/x86.c linux-2.6.33.1/arch/x86/kvm/x86.c
13893--- linux-2.6.33.1/arch/x86/kvm/x86.c 2010-03-15 12:09:39.000000000 -0400
13894+++ linux-2.6.33.1/arch/x86/kvm/x86.c 2010-03-20 16:58:39.024538149 -0400
13895@@ -83,7 +83,7 @@ static void update_cr8_intercept(struct
13896 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
13897 struct kvm_cpuid_entry2 __user *entries);
58c5fc13
MT
13898
13899-struct kvm_x86_ops *kvm_x86_ops;
13900+const struct kvm_x86_ops *kvm_x86_ops;
13901 EXPORT_SYMBOL_GPL(kvm_x86_ops);
13902
ae4e228f
MT
13903 int ignore_msrs = 0;
13904@@ -109,38 +109,38 @@ static struct kvm_shared_msrs_global __r
13905 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
13906
58c5fc13
MT
13907 struct kvm_stats_debugfs_item debugfs_entries[] = {
13908- { "pf_fixed", VCPU_STAT(pf_fixed) },
13909- { "pf_guest", VCPU_STAT(pf_guest) },
13910- { "tlb_flush", VCPU_STAT(tlb_flush) },
13911- { "invlpg", VCPU_STAT(invlpg) },
13912- { "exits", VCPU_STAT(exits) },
13913- { "io_exits", VCPU_STAT(io_exits) },
13914- { "mmio_exits", VCPU_STAT(mmio_exits) },
13915- { "signal_exits", VCPU_STAT(signal_exits) },
13916- { "irq_window", VCPU_STAT(irq_window_exits) },
13917- { "nmi_window", VCPU_STAT(nmi_window_exits) },
13918- { "halt_exits", VCPU_STAT(halt_exits) },
13919- { "halt_wakeup", VCPU_STAT(halt_wakeup) },
13920- { "hypercalls", VCPU_STAT(hypercalls) },
13921- { "request_irq", VCPU_STAT(request_irq_exits) },
13922- { "irq_exits", VCPU_STAT(irq_exits) },
13923- { "host_state_reload", VCPU_STAT(host_state_reload) },
13924- { "efer_reload", VCPU_STAT(efer_reload) },
13925- { "fpu_reload", VCPU_STAT(fpu_reload) },
13926- { "insn_emulation", VCPU_STAT(insn_emulation) },
13927- { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
13928- { "irq_injections", VCPU_STAT(irq_injections) },
13929- { "nmi_injections", VCPU_STAT(nmi_injections) },
13930- { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
13931- { "mmu_pte_write", VM_STAT(mmu_pte_write) },
13932- { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
13933- { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
13934- { "mmu_flooded", VM_STAT(mmu_flooded) },
13935- { "mmu_recycled", VM_STAT(mmu_recycled) },
13936- { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
13937- { "mmu_unsync", VM_STAT(mmu_unsync) },
13938- { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
13939- { "largepages", VM_STAT(lpages) },
13940+ { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
13941+ { "pf_guest", VCPU_STAT(pf_guest), NULL },
13942+ { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
13943+ { "invlpg", VCPU_STAT(invlpg), NULL },
13944+ { "exits", VCPU_STAT(exits), NULL },
13945+ { "io_exits", VCPU_STAT(io_exits), NULL },
13946+ { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
13947+ { "signal_exits", VCPU_STAT(signal_exits), NULL },
13948+ { "irq_window", VCPU_STAT(irq_window_exits), NULL },
13949+ { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
13950+ { "halt_exits", VCPU_STAT(halt_exits), NULL },
13951+ { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
13952+ { "hypercalls", VCPU_STAT(hypercalls), NULL },
13953+ { "request_irq", VCPU_STAT(request_irq_exits), NULL },
13954+ { "irq_exits", VCPU_STAT(irq_exits), NULL },
13955+ { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
13956+ { "efer_reload", VCPU_STAT(efer_reload), NULL },
13957+ { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
13958+ { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
13959+ { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
13960+ { "irq_injections", VCPU_STAT(irq_injections), NULL },
13961+ { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
13962+ { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
13963+ { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
13964+ { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
13965+ { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
13966+ { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
13967+ { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
13968+ { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
13969+ { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
13970+ { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
13971+ { "largepages", VM_STAT(lpages), NULL },
13972 { NULL }
13973 };
13974
ae4e228f
MT
13975@@ -1405,6 +1405,8 @@ long kvm_arch_dev_ioctl(struct file *fil
13976 if (n < msr_list.nmsrs)
13977 goto out;
13978 r = -EFAULT;
13979+ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
13980+ goto out;
13981 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
13982 num_msrs_to_save * sizeof(u32)))
13983 goto out;
13984@@ -1787,7 +1789,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
58c5fc13
MT
13985 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
13986 struct kvm_interrupt *irq)
13987 {
13988- if (irq->irq < 0 || irq->irq >= 256)
13989+ if (irq->irq >= 256)
13990 return -EINVAL;
13991 if (irqchip_in_kernel(vcpu->kvm))
13992 return -ENXIO;
ae4e228f
MT
13993@@ -3414,10 +3416,10 @@ static void kvm_timer_init(void)
13994 }
13995 }
58c5fc13
MT
13996
13997-int kvm_arch_init(void *opaque)
13998+int kvm_arch_init(const void *opaque)
13999 {
ae4e228f 14000 int r;
58c5fc13
MT
14001- struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
14002+ const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
14003
14004 if (kvm_x86_ops) {
14005 printk(KERN_ERR "kvm: already loaded the other module\n");
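Review bot: The guard added before `copy_to_user` in the `kvm_arch_dev_ioctl` hunk bails out with the `-EFAULT` already stored in `r`, so a `num_msrs_to_save` larger than `ARRAY_SIZE(msrs_to_save)` would look to userspace like a bad pointer and leave nothing in the kernel log. `num_msrs_to_save` appears to be a kernel-side count rather than a user-supplied value, so tripping the check would indicate corrupted or mis-initialised state. `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save)))` keeps the protection against copying past the end of the array and makes the event visible. In the `kvm_vcpu_ioctl_interrupt` hunk, a comment such as `/* irq->irq is presumably unsigned, so only the upper bound is tested */` would record why the `< 0` test was dropped. Both functions continue outside their hunks.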
ae4e228f
MT
14006diff -urNp linux-2.6.33.1/arch/x86/lib/checksum_32.S linux-2.6.33.1/arch/x86/lib/checksum_32.S
14007--- linux-2.6.33.1/arch/x86/lib/checksum_32.S 2010-03-15 12:09:39.000000000 -0400
14008+++ linux-2.6.33.1/arch/x86/lib/checksum_32.S 2010-03-20 16:58:39.024538149 -0400
58c5fc13
MT
14009@@ -28,7 +28,8 @@
14010 #include <linux/linkage.h>
14011 #include <asm/dwarf2.h>
14012 #include <asm/errno.h>
14013-
14014+#include <asm/segment.h>
14015+
14016 /*
14017 * computes a partial checksum, e.g. for TCP/UDP fragments
14018 */
14019@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
14020
14021 #define ARGBASE 16
14022 #define FP 12
14023-
14024-ENTRY(csum_partial_copy_generic)
14025+
14026+ENTRY(csum_partial_copy_generic_to_user)
14027 CFI_STARTPROC
14028+ pushl $(__USER_DS)
14029+ CFI_ADJUST_CFA_OFFSET 4
14030+ popl %es
14031+ CFI_ADJUST_CFA_OFFSET -4
14032+ jmp csum_partial_copy_generic
14033+
14034+ENTRY(csum_partial_copy_generic_from_user)
14035+ pushl $(__USER_DS)
14036+ CFI_ADJUST_CFA_OFFSET 4
14037+ popl %ds
14038+ CFI_ADJUST_CFA_OFFSET -4
14039+
14040+ENTRY(csum_partial_copy_generic)
14041 subl $4,%esp
14042 CFI_ADJUST_CFA_OFFSET 4
14043 pushl %edi
14044@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
14045 jmp 4f
14046 SRC(1: movw (%esi), %bx )
14047 addl $2, %esi
14048-DST( movw %bx, (%edi) )
14049+DST( movw %bx, %es:(%edi) )
14050 addl $2, %edi
14051 addw %bx, %ax
14052 adcl $0, %eax
14053@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
14054 SRC(1: movl (%esi), %ebx )
14055 SRC( movl 4(%esi), %edx )
14056 adcl %ebx, %eax
14057-DST( movl %ebx, (%edi) )
14058+DST( movl %ebx, %es:(%edi) )
14059 adcl %edx, %eax
14060-DST( movl %edx, 4(%edi) )
14061+DST( movl %edx, %es:4(%edi) )
14062
14063 SRC( movl 8(%esi), %ebx )
14064 SRC( movl 12(%esi), %edx )
14065 adcl %ebx, %eax
14066-DST( movl %ebx, 8(%edi) )
14067+DST( movl %ebx, %es:8(%edi) )
14068 adcl %edx, %eax
14069-DST( movl %edx, 12(%edi) )
14070+DST( movl %edx, %es:12(%edi) )
14071
14072 SRC( movl 16(%esi), %ebx )
14073 SRC( movl 20(%esi), %edx )
14074 adcl %ebx, %eax
14075-DST( movl %ebx, 16(%edi) )
14076+DST( movl %ebx, %es:16(%edi) )
14077 adcl %edx, %eax
14078-DST( movl %edx, 20(%edi) )
14079+DST( movl %edx, %es:20(%edi) )
14080
14081 SRC( movl 24(%esi), %ebx )
14082 SRC( movl 28(%esi), %edx )
14083 adcl %ebx, %eax
14084-DST( movl %ebx, 24(%edi) )
14085+DST( movl %ebx, %es:24(%edi) )
14086 adcl %edx, %eax
14087-DST( movl %edx, 28(%edi) )
14088+DST( movl %edx, %es:28(%edi) )
14089
14090 lea 32(%esi), %esi
14091 lea 32(%edi), %edi
14092@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
14093 shrl $2, %edx # This clears CF
14094 SRC(3: movl (%esi), %ebx )
14095 adcl %ebx, %eax
14096-DST( movl %ebx, (%edi) )
14097+DST( movl %ebx, %es:(%edi) )
14098 lea 4(%esi), %esi
14099 lea 4(%edi), %edi
14100 dec %edx
14101@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
14102 jb 5f
14103 SRC( movw (%esi), %cx )
14104 leal 2(%esi), %esi
14105-DST( movw %cx, (%edi) )
14106+DST( movw %cx, %es:(%edi) )
14107 leal 2(%edi), %edi
14108 je 6f
14109 shll $16,%ecx
14110 SRC(5: movb (%esi), %cl )
14111-DST( movb %cl, (%edi) )
14112+DST( movb %cl, %es:(%edi) )
14113 6: addl %ecx, %eax
14114 adcl $0, %eax
14115 7:
14116@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
14117
14118 6001:
14119 movl ARGBASE+20(%esp), %ebx # src_err_ptr
14120- movl $-EFAULT, (%ebx)
14121+ movl $-EFAULT, %ss:(%ebx)
14122
14123 # zero the complete destination - computing the rest
14124 # is too much work
14125@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
14126
14127 6002:
14128 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
14129- movl $-EFAULT,(%ebx)
14130+ movl $-EFAULT,%ss:(%ebx)
14131 jmp 5000b
14132
14133 .previous
14134
14135+ pushl %ss
14136+ CFI_ADJUST_CFA_OFFSET 4
14137+ popl %ds
14138+ CFI_ADJUST_CFA_OFFSET -4
14139+ pushl %ss
14140+ CFI_ADJUST_CFA_OFFSET 4
14141+ popl %es
14142+ CFI_ADJUST_CFA_OFFSET -4
14143 popl %ebx
14144 CFI_ADJUST_CFA_OFFSET -4
14145 CFI_RESTORE ebx
14146@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
14147 CFI_ADJUST_CFA_OFFSET -4
14148 ret
14149 CFI_ENDPROC
14150-ENDPROC(csum_partial_copy_generic)
14151+ENDPROC(csum_partial_copy_generic_to_user)
14152
14153 #else
14154
14155 /* Version for PentiumII/PPro */
14156
14157 #define ROUND1(x) \
14158+ nop; nop; nop; \
14159 SRC(movl x(%esi), %ebx ) ; \
14160 addl %ebx, %eax ; \
14161- DST(movl %ebx, x(%edi) ) ;
14162+ DST(movl %ebx, %es:x(%edi)) ;
14163
14164 #define ROUND(x) \
14165+ nop; nop; nop; \
14166 SRC(movl x(%esi), %ebx ) ; \
14167 adcl %ebx, %eax ; \
14168- DST(movl %ebx, x(%edi) ) ;
14169+ DST(movl %ebx, %es:x(%edi)) ;
14170
14171 #define ARGBASE 12
14172-
14173-ENTRY(csum_partial_copy_generic)
14174+
14175+ENTRY(csum_partial_copy_generic_to_user)
14176 CFI_STARTPROC
14177+ pushl $(__USER_DS)
14178+ CFI_ADJUST_CFA_OFFSET 4
14179+ popl %es
14180+ CFI_ADJUST_CFA_OFFSET -4
14181+ jmp csum_partial_copy_generic
14182+
14183+ENTRY(csum_partial_copy_generic_from_user)
14184+ pushl $(__USER_DS)
14185+ CFI_ADJUST_CFA_OFFSET 4
14186+ popl %ds
14187+ CFI_ADJUST_CFA_OFFSET -4
14188+
14189+ENTRY(csum_partial_copy_generic)
14190 pushl %ebx
14191 CFI_ADJUST_CFA_OFFSET 4
14192 CFI_REL_OFFSET ebx, 0
14193@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
14194 subl %ebx, %edi
14195 lea -1(%esi),%edx
14196 andl $-32,%edx
14197- lea 3f(%ebx,%ebx), %ebx
14198+ lea 3f(%ebx,%ebx,2), %ebx
14199 testl %esi, %esi
14200 jmp *%ebx
14201 1: addl $64,%esi
14202@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
14203 jb 5f
14204 SRC( movw (%esi), %dx )
14205 leal 2(%esi), %esi
14206-DST( movw %dx, (%edi) )
14207+DST( movw %dx, %es:(%edi) )
14208 leal 2(%edi), %edi
14209 je 6f
14210 shll $16,%edx
14211 5:
14212 SRC( movb (%esi), %dl )
14213-DST( movb %dl, (%edi) )
14214+DST( movb %dl, %es:(%edi) )
14215 6: addl %edx, %eax
14216 adcl $0, %eax
14217 7:
14218 .section .fixup, "ax"
14219 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
14220- movl $-EFAULT, (%ebx)
14221+ movl $-EFAULT, %ss:(%ebx)
14222 # zero the complete destination (computing the rest is too much work)
14223 movl ARGBASE+8(%esp),%edi # dst
14224 movl ARGBASE+12(%esp),%ecx # len
14225@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
14226 rep; stosb
14227 jmp 7b
14228 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
14229- movl $-EFAULT, (%ebx)
14230+ movl $-EFAULT, %ss:(%ebx)
14231 jmp 7b
14232 .previous
14233
14234+ pushl %ss
14235+ CFI_ADJUST_CFA_OFFSET 4
14236+ popl %ds
14237+ CFI_ADJUST_CFA_OFFSET -4
14238+ pushl %ss
14239+ CFI_ADJUST_CFA_OFFSET 4
14240+ popl %es
14241+ CFI_ADJUST_CFA_OFFSET -4
14242 popl %esi
14243 CFI_ADJUST_CFA_OFFSET -4
14244 CFI_RESTORE esi
14245@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
14246 CFI_RESTORE ebx
14247 ret
14248 CFI_ENDPROC
14249-ENDPROC(csum_partial_copy_generic)
14250+ENDPROC(csum_partial_copy_generic_to_user)
14251
14252 #undef ROUND
14253 #undef ROUND1
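Review bot: In the PentiumII/PPro variant, the three `nop`s added to `ROUND1`/`ROUND` and the change from `lea 3f(%ebx,%ebx), %ebx` to `lea 3f(%ebx,%ebx,2), %ebx` are coupled, but nothing says so. The computed `jmp *%ebx` only lands on an instruction boundary if every `ROUND` expansion assembles to the size the new scale factor assumes, presumably 12 bytes now that the `%es:` prefix is added. A comment above the macros, for example `/* each ROUND must assemble to exactly 12 bytes; the computed jump below scales by 3 */`, would keep a later edit from silently breaking the jump. Separately, only `csum_partial_copy_generic_to_user` gets an `ENDPROC` in both variants, so `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` lose their type and size annotations. The setup of `%ebx` lies outside the hunk, so the byte counts should be confirmed against the assembled output.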
ae4e228f
MT
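--- a/arch/x86/lib/clear_page_64.S
+++ b/arch/x86/lib/clear_page_64.S
@@ -43,7 +43,7 @@ ENDPROC(clear_page)
 
 #include <asm/cpufeature.h>
 
- .section .altinstr_replacement,"ax"
+ .section .altinstr_replacement,"a"
 1: .byte 0xeb /* jmp <disp8> */
 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
 2: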
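Review bot: The `x` flag is dropped from `.altinstr_replacement` with no explanation, and the same one-line change recurs in the copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S sections. As far as the visible code shows, the bytes in that section are only a template that alternatives patching copies over the original instruction, so they never need to run in place. A comment such as `/* replacement bytes are copied by the alternatives code, never executed here, so the section is not executable */` would stop someone from restoring `"ax"` later. It is also worth confirming that no linker-script or section-mismatch check depends on the old flags.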
ae4e228f
MT
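--- a/arch/x86/lib/copy_page_64.S
+++ b/arch/x86/lib/copy_page_64.S
@@ -104,7 +104,7 @@ ENDPROC(copy_page)
 
 #include <asm/cpufeature.h>
 
- .section .altinstr_replacement,"ax"
+ .section .altinstr_replacement,"a"
 1: .byte 0xeb /* jmp <disp8> */
 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
 2: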
ae4e228f
MT
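--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -21,7 +21,7 @@
 .byte 0xe9 /* 32bit jump */
 .long \orig-1f /* by default jump to orig */
 1:
- .section .altinstr_replacement,"ax"
+ .section .altinstr_replacement,"a"
 2: .byte 0xe9 /* near jump with 32bit immediate */
 .long \alt-1b /* offset */ /* or alternatively to alt */
 .previous
@@ -64,32 +64,6 @@
 #endif
 .endm
 
-/* Standard copy_to_user with segment limit checking */
-ENTRY(_copy_to_user)
- CFI_STARTPROC
- GET_THREAD_INFO(%rax)
- movq %rdi,%rcx
- addq %rdx,%rcx
- jc bad_to_user
- cmpq TI_addr_limit(%rax),%rcx
- jae bad_to_user
- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
- CFI_ENDPROC
-ENDPROC(_copy_to_user)
-
-/* Standard copy_from_user with segment limit checking */
-ENTRY(_copy_from_user)
- CFI_STARTPROC
- GET_THREAD_INFO(%rax)
- movq %rsi,%rcx
- addq %rdx,%rcx
- jc bad_from_user
- cmpq TI_addr_limit(%rax),%rcx
- jae bad_from_user
- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
- CFI_ENDPROC
-ENDPROC(_copy_from_user)
-
 ENTRY(copy_user_generic)
 CFI_STARTPROC
 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
@@ -101,6 +75,8 @@ ENDPROC(copy_user_generic)
 ENTRY(bad_from_user)
 bad_from_user:
 CFI_STARTPROC
+ testl %edx,%edx
+ js bad_to_user
 movl %edx,%ecx
 xorl %eax,%eax
 rep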
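Review bot: The `testl %edx,%edx` / `js bad_to_user` pair added to `bad_from_user` has no comment, and its purpose is easy to miss. The instructions that follow load the length into `%ecx`, apparently for a `rep` string store that zeroes the destination, so a length with bit 31 set would otherwise clear a very large range. I would add `/* length has the sign bit set: skip zeroing the destination */` above the test; it looks only at the low 32 bits, which matches the existing `movl %edx,%ecx`. The hunk above removes `_copy_to_user` and `_copy_from_user` together with their `TI_addr_limit` comparisons, and their replacement is not in this section, so the equivalent range check should be confirmed wherever those symbols are now defined. `bad_from_user` continues past the end of the hunk.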
ae4e228f
MT
14332diff -urNp linux-2.6.33.1/arch/x86/lib/getuser.S linux-2.6.33.1/arch/x86/lib/getuser.S
14333--- linux-2.6.33.1/arch/x86/lib/getuser.S 2010-03-15 12:09:39.000000000 -0400
14334+++ linux-2.6.33.1/arch/x86/lib/getuser.S 2010-03-20 16:58:39.028522513 -0400
14335@@ -33,14 +33,28 @@
58c5fc13
MT
14336 #include <asm/asm-offsets.h>
14337 #include <asm/thread_info.h>
14338 #include <asm/asm.h>
14339+#include <asm/segment.h>
14340
14341 .text
14342 ENTRY(__get_user_1)
ae4e228f 14343 CFI_STARTPROC
58c5fc13 14344+
ae4e228f 14345+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14346+ pushl $(__USER_DS)
14347+ popl %ds
ae4e228f
MT
14348+#else
14349 GET_THREAD_INFO(%_ASM_DX)
14350 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14351 jae bad_get_user
58c5fc13
MT
14352+#endif
14353+
14354 1: movzb (%_ASM_AX),%edx
14355+
ae4e228f 14356+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14357+ pushl %ss
14358+ pop %ds
14359+#endif
14360+
14361 xor %eax,%eax
14362 ret
14363 CFI_ENDPROC
ae4e228f
MT
14364@@ -49,11 +63,24 @@ ENDPROC(__get_user_1)
14365 ENTRY(__get_user_2)
14366 CFI_STARTPROC
14367 add $1,%_ASM_AX
58c5fc13 14368+
ae4e228f 14369+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14370+ pushl $(__USER_DS)
14371+ popl %ds
ae4e228f
MT
14372+#else
14373 jc bad_get_user
14374 GET_THREAD_INFO(%_ASM_DX)
14375 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14376 jae bad_get_user
58c5fc13
MT
14377+#endif
14378+
14379 2: movzwl -1(%_ASM_AX),%edx
14380+
ae4e228f 14381+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14382+ pushl %ss
14383+ pop %ds
14384+#endif
14385+
14386 xor %eax,%eax
14387 ret
14388 CFI_ENDPROC
ae4e228f
MT
14389@@ -62,11 +89,24 @@ ENDPROC(__get_user_2)
14390 ENTRY(__get_user_4)
14391 CFI_STARTPROC
14392 add $3,%_ASM_AX
58c5fc13 14393+
ae4e228f 14394+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14395+ pushl $(__USER_DS)
14396+ popl %ds
ae4e228f
MT
14397+#else
14398 jc bad_get_user
14399 GET_THREAD_INFO(%_ASM_DX)
14400 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
14401 jae bad_get_user
58c5fc13
MT
14402+#endif
14403+
14404 3: mov -3(%_ASM_AX),%edx
14405+
ae4e228f 14406+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14407+ pushl %ss
14408+ pop %ds
14409+#endif
14410+
14411 xor %eax,%eax
14412 ret
14413 CFI_ENDPROC
ae4e228f 14414@@ -89,6 +129,12 @@ ENDPROC(__get_user_8)
58c5fc13
MT
14415
14416 bad_get_user:
14417 CFI_STARTPROC
14418+
ae4e228f 14419+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14420+ pushl %ss
14421+ pop %ds
14422+#endif
14423+
14424 xor %edx,%edx
14425 mov $(-EFAULT),%_ASM_AX
14426 ret
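Review bot: The `pushl $(__USER_DS)` / `popl %ds` and `pushl %ss` / `pop %ds` pairs added inside the `CFI_STARTPROC` regions carry no `CFI_ADJUST_CFA_OFFSET` annotations, whereas the same sequence added in the checksum_32.S section annotates every step with `CFI_ADJUST_CFA_OFFSET 4` and `-4`. Between each push and pop the unwind information is therefore off by four bytes. Following each `pushl` with `CFI_ADJUST_CFA_OFFSET 4` and each pop with `CFI_ADJUST_CFA_OFFSET -4` would keep the two files consistent. The putuser.S section has the same omission. The restore is also spelled `pop %ds` here and `popl %ds` in putuser.S; one spelling would be cleaner.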
ae4e228f
MT
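--- a/arch/x86/lib/memcpy_64.S
+++ b/arch/x86/lib/memcpy_64.S
@@ -128,7 +128,7 @@ ENDPROC(__memcpy)
 * It is also a lot simpler. Use this when possible:
 */
 
- .section .altinstr_replacement, "ax"
+ .section .altinstr_replacement, "a"
 1: .byte 0xeb /* jmp <disp8> */
 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
 2: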
ae4e228f
MT
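--- a/arch/x86/lib/memset_64.S
+++ b/arch/x86/lib/memset_64.S
@@ -118,7 +118,7 @@ ENDPROC(__memset)
 
 #include <asm/cpufeature.h>
 
- .section .altinstr_replacement,"ax"
+ .section .altinstr_replacement,"a"
 1: .byte 0xeb /* jmp <disp8> */
 .byte (memset_c - memset) - (2f - 1b) /* offset */
 2: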
ae4e228f
MT
14451diff -urNp linux-2.6.33.1/arch/x86/lib/mmx_32.c linux-2.6.33.1/arch/x86/lib/mmx_32.c
14452--- linux-2.6.33.1/arch/x86/lib/mmx_32.c 2010-03-15 12:09:39.000000000 -0400
14453+++ linux-2.6.33.1/arch/x86/lib/mmx_32.c 2010-03-20 16:58:39.028522513 -0400
58c5fc13
MT
14454@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
14455 {
14456 void *p;
14457 int i;
14458+ unsigned long cr0;
14459
14460 if (unlikely(in_interrupt()))
14461 return __memcpy(to, from, len);
14462@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
14463 kernel_fpu_begin();
14464
14465 __asm__ __volatile__ (
14466- "1: prefetch (%0)\n" /* This set is 28 bytes */
14467- " prefetch 64(%0)\n"
14468- " prefetch 128(%0)\n"
14469- " prefetch 192(%0)\n"
14470- " prefetch 256(%0)\n"
14471+ "1: prefetch (%1)\n" /* This set is 28 bytes */
14472+ " prefetch 64(%1)\n"
14473+ " prefetch 128(%1)\n"
14474+ " prefetch 192(%1)\n"
14475+ " prefetch 256(%1)\n"
14476 "2: \n"
14477 ".section .fixup, \"ax\"\n"
14478- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14479+ "3: \n"
14480+
14481+#ifdef CONFIG_PAX_KERNEXEC
14482+ " movl %%cr0, %0\n"
14483+ " movl %0, %%eax\n"
14484+ " andl $0xFFFEFFFF, %%eax\n"
14485+ " movl %%eax, %%cr0\n"
14486+#endif
14487+
14488+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14489+
14490+#ifdef CONFIG_PAX_KERNEXEC
14491+ " movl %0, %%cr0\n"
14492+#endif
14493+
14494 " jmp 2b\n"
14495 ".previous\n"
14496 _ASM_EXTABLE(1b, 3b)
14497- : : "r" (from));
14498+ : "=&r" (cr0) : "r" (from) : "ax");
14499
14500 for ( ; i > 5; i--) {
14501 __asm__ __volatile__ (
14502- "1: prefetch 320(%0)\n"
14503- "2: movq (%0), %%mm0\n"
14504- " movq 8(%0), %%mm1\n"
14505- " movq 16(%0), %%mm2\n"
14506- " movq 24(%0), %%mm3\n"
14507- " movq %%mm0, (%1)\n"
14508- " movq %%mm1, 8(%1)\n"
14509- " movq %%mm2, 16(%1)\n"
14510- " movq %%mm3, 24(%1)\n"
14511- " movq 32(%0), %%mm0\n"
14512- " movq 40(%0), %%mm1\n"
14513- " movq 48(%0), %%mm2\n"
14514- " movq 56(%0), %%mm3\n"
14515- " movq %%mm0, 32(%1)\n"
14516- " movq %%mm1, 40(%1)\n"
14517- " movq %%mm2, 48(%1)\n"
14518- " movq %%mm3, 56(%1)\n"
14519+ "1: prefetch 320(%1)\n"
14520+ "2: movq (%1), %%mm0\n"
14521+ " movq 8(%1), %%mm1\n"
14522+ " movq 16(%1), %%mm2\n"
14523+ " movq 24(%1), %%mm3\n"
14524+ " movq %%mm0, (%2)\n"
14525+ " movq %%mm1, 8(%2)\n"
14526+ " movq %%mm2, 16(%2)\n"
14527+ " movq %%mm3, 24(%2)\n"
14528+ " movq 32(%1), %%mm0\n"
14529+ " movq 40(%1), %%mm1\n"
14530+ " movq 48(%1), %%mm2\n"
14531+ " movq 56(%1), %%mm3\n"
14532+ " movq %%mm0, 32(%2)\n"
14533+ " movq %%mm1, 40(%2)\n"
14534+ " movq %%mm2, 48(%2)\n"
14535+ " movq %%mm3, 56(%2)\n"
14536 ".section .fixup, \"ax\"\n"
14537- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14538+ "3:\n"
14539+
14540+#ifdef CONFIG_PAX_KERNEXEC
14541+ " movl %%cr0, %0\n"
14542+ " movl %0, %%eax\n"
14543+ " andl $0xFFFEFFFF, %%eax\n"
14544+ " movl %%eax, %%cr0\n"
14545+#endif
14546+
14547+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14548+
14549+#ifdef CONFIG_PAX_KERNEXEC
14550+ " movl %0, %%cr0\n"
14551+#endif
14552+
14553 " jmp 2b\n"
14554 ".previous\n"
14555 _ASM_EXTABLE(1b, 3b)
14556- : : "r" (from), "r" (to) : "memory");
14557+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14558
14559 from += 64;
14560 to += 64;
14561@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
14562 static void fast_copy_page(void *to, void *from)
14563 {
14564 int i;
14565+ unsigned long cr0;
14566
14567 kernel_fpu_begin();
14568
14569@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
14570 * but that is for later. -AV
14571 */
14572 __asm__ __volatile__(
14573- "1: prefetch (%0)\n"
14574- " prefetch 64(%0)\n"
14575- " prefetch 128(%0)\n"
14576- " prefetch 192(%0)\n"
14577- " prefetch 256(%0)\n"
14578+ "1: prefetch (%1)\n"
14579+ " prefetch 64(%1)\n"
14580+ " prefetch 128(%1)\n"
14581+ " prefetch 192(%1)\n"
14582+ " prefetch 256(%1)\n"
14583 "2: \n"
14584 ".section .fixup, \"ax\"\n"
14585- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14586+ "3: \n"
14587+
14588+#ifdef CONFIG_PAX_KERNEXEC
14589+ " movl %%cr0, %0\n"
14590+ " movl %0, %%eax\n"
14591+ " andl $0xFFFEFFFF, %%eax\n"
14592+ " movl %%eax, %%cr0\n"
14593+#endif
14594+
14595+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14596+
14597+#ifdef CONFIG_PAX_KERNEXEC
14598+ " movl %0, %%cr0\n"
14599+#endif
14600+
14601 " jmp 2b\n"
14602 ".previous\n"
14603- _ASM_EXTABLE(1b, 3b) : : "r" (from));
14604+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14605
14606 for (i = 0; i < (4096-320)/64; i++) {
14607 __asm__ __volatile__ (
14608- "1: prefetch 320(%0)\n"
14609- "2: movq (%0), %%mm0\n"
14610- " movntq %%mm0, (%1)\n"
14611- " movq 8(%0), %%mm1\n"
14612- " movntq %%mm1, 8(%1)\n"
14613- " movq 16(%0), %%mm2\n"
14614- " movntq %%mm2, 16(%1)\n"
14615- " movq 24(%0), %%mm3\n"
14616- " movntq %%mm3, 24(%1)\n"
14617- " movq 32(%0), %%mm4\n"
14618- " movntq %%mm4, 32(%1)\n"
14619- " movq 40(%0), %%mm5\n"
14620- " movntq %%mm5, 40(%1)\n"
14621- " movq 48(%0), %%mm6\n"
14622- " movntq %%mm6, 48(%1)\n"
14623- " movq 56(%0), %%mm7\n"
14624- " movntq %%mm7, 56(%1)\n"
14625+ "1: prefetch 320(%1)\n"
14626+ "2: movq (%1), %%mm0\n"
14627+ " movntq %%mm0, (%2)\n"
14628+ " movq 8(%1), %%mm1\n"
14629+ " movntq %%mm1, 8(%2)\n"
14630+ " movq 16(%1), %%mm2\n"
14631+ " movntq %%mm2, 16(%2)\n"
14632+ " movq 24(%1), %%mm3\n"
14633+ " movntq %%mm3, 24(%2)\n"
14634+ " movq 32(%1), %%mm4\n"
14635+ " movntq %%mm4, 32(%2)\n"
14636+ " movq 40(%1), %%mm5\n"
14637+ " movntq %%mm5, 40(%2)\n"
14638+ " movq 48(%1), %%mm6\n"
14639+ " movntq %%mm6, 48(%2)\n"
14640+ " movq 56(%1), %%mm7\n"
14641+ " movntq %%mm7, 56(%2)\n"
14642 ".section .fixup, \"ax\"\n"
14643- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14644+ "3:\n"
14645+
14646+#ifdef CONFIG_PAX_KERNEXEC
14647+ " movl %%cr0, %0\n"
14648+ " movl %0, %%eax\n"
14649+ " andl $0xFFFEFFFF, %%eax\n"
14650+ " movl %%eax, %%cr0\n"
14651+#endif
14652+
14653+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14654+
14655+#ifdef CONFIG_PAX_KERNEXEC
14656+ " movl %0, %%cr0\n"
14657+#endif
14658+
14659 " jmp 2b\n"
14660 ".previous\n"
14661- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
14662+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14663
14664 from += 64;
14665 to += 64;
14666@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
14667 static void fast_copy_page(void *to, void *from)
14668 {
14669 int i;
14670+ unsigned long cr0;
14671
14672 kernel_fpu_begin();
14673
14674 __asm__ __volatile__ (
14675- "1: prefetch (%0)\n"
14676- " prefetch 64(%0)\n"
14677- " prefetch 128(%0)\n"
14678- " prefetch 192(%0)\n"
14679- " prefetch 256(%0)\n"
14680+ "1: prefetch (%1)\n"
14681+ " prefetch 64(%1)\n"
14682+ " prefetch 128(%1)\n"
14683+ " prefetch 192(%1)\n"
14684+ " prefetch 256(%1)\n"
14685 "2: \n"
14686 ".section .fixup, \"ax\"\n"
14687- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14688+ "3: \n"
14689+
14690+#ifdef CONFIG_PAX_KERNEXEC
14691+ " movl %%cr0, %0\n"
14692+ " movl %0, %%eax\n"
14693+ " andl $0xFFFEFFFF, %%eax\n"
14694+ " movl %%eax, %%cr0\n"
14695+#endif
14696+
14697+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
14698+
14699+#ifdef CONFIG_PAX_KERNEXEC
14700+ " movl %0, %%cr0\n"
14701+#endif
14702+
14703 " jmp 2b\n"
14704 ".previous\n"
14705- _ASM_EXTABLE(1b, 3b) : : "r" (from));
14706+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
14707
14708 for (i = 0; i < 4096/64; i++) {
14709 __asm__ __volatile__ (
14710- "1: prefetch 320(%0)\n"
14711- "2: movq (%0), %%mm0\n"
14712- " movq 8(%0), %%mm1\n"
14713- " movq 16(%0), %%mm2\n"
14714- " movq 24(%0), %%mm3\n"
14715- " movq %%mm0, (%1)\n"
14716- " movq %%mm1, 8(%1)\n"
14717- " movq %%mm2, 16(%1)\n"
14718- " movq %%mm3, 24(%1)\n"
14719- " movq 32(%0), %%mm0\n"
14720- " movq 40(%0), %%mm1\n"
14721- " movq 48(%0), %%mm2\n"
14722- " movq 56(%0), %%mm3\n"
14723- " movq %%mm0, 32(%1)\n"
14724- " movq %%mm1, 40(%1)\n"
14725- " movq %%mm2, 48(%1)\n"
14726- " movq %%mm3, 56(%1)\n"
14727+ "1: prefetch 320(%1)\n"
14728+ "2: movq (%1), %%mm0\n"
14729+ " movq 8(%1), %%mm1\n"
14730+ " movq 16(%1), %%mm2\n"
14731+ " movq 24(%1), %%mm3\n"
14732+ " movq %%mm0, (%2)\n"
14733+ " movq %%mm1, 8(%2)\n"
14734+ " movq %%mm2, 16(%2)\n"
14735+ " movq %%mm3, 24(%2)\n"
14736+ " movq 32(%1), %%mm0\n"
14737+ " movq 40(%1), %%mm1\n"
14738+ " movq 48(%1), %%mm2\n"
14739+ " movq 56(%1), %%mm3\n"
14740+ " movq %%mm0, 32(%2)\n"
14741+ " movq %%mm1, 40(%2)\n"
14742+ " movq %%mm2, 48(%2)\n"
14743+ " movq %%mm3, 56(%2)\n"
14744 ".section .fixup, \"ax\"\n"
14745- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14746+ "3:\n"
14747+
14748+#ifdef CONFIG_PAX_KERNEXEC
14749+ " movl %%cr0, %0\n"
14750+ " movl %0, %%eax\n"
14751+ " andl $0xFFFEFFFF, %%eax\n"
14752+ " movl %%eax, %%cr0\n"
14753+#endif
14754+
14755+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
14756+
14757+#ifdef CONFIG_PAX_KERNEXEC
14758+ " movl %0, %%cr0\n"
14759+#endif
14760+
14761 " jmp 2b\n"
14762 ".previous\n"
14763 _ASM_EXTABLE(1b, 3b)
14764- : : "r" (from), "r" (to) : "memory");
14765+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
14766
14767 from += 64;
14768 to += 64;
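Review bot: The sequence that clears a CR0 bit around the self-modifying `movw $..., 1b` fixup is open-coded with the literal `0xFFFEFFFF` in all six asm statements of `_mmx_memcpy` and both `fast_copy_page` variants, and no comment says what the mask does. A comment at the first use, such as `/* clear CR0.WP (bit 16) so the fixup can patch the prefetch at 1b, then restore the saved CR0 */`, or a single string macro shared by the six sites, would make the intent reviewable and keep the copies from drifting. The `"=&r" (cr0)` output and the `"ax"` clobber are added even when `CONFIG_PAX_KERNEXEC` is off; in that case the asm never writes `cr0`, and the build gives up a register it does not need. Whether an interrupt can run while write protection is off cannot be judged from these hunks. The functions continue outside the hunks.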
ae4e228f
MT
14769diff -urNp linux-2.6.33.1/arch/x86/lib/putuser.S linux-2.6.33.1/arch/x86/lib/putuser.S
14770--- linux-2.6.33.1/arch/x86/lib/putuser.S 2010-03-15 12:09:39.000000000 -0400
14771+++ linux-2.6.33.1/arch/x86/lib/putuser.S 2010-03-20 16:58:39.028522513 -0400
58c5fc13
MT
14772@@ -15,6 +15,7 @@
14773 #include <asm/thread_info.h>
14774 #include <asm/errno.h>
14775 #include <asm/asm.h>
14776+#include <asm/segment.h>
14777
14778
14779 /*
ae4e228f
MT
14780@@ -29,59 +30,120 @@
14781 * as they get called from within inline assembly.
14782 */
14783
14784-#define ENTER CFI_STARTPROC ; \
14785- GET_THREAD_INFO(%_ASM_BX)
14786+#define ENTER CFI_STARTPROC
14787 #define EXIT ret ; \
14788 CFI_ENDPROC
14789
14790 .text
14791 ENTRY(__put_user_1)
58c5fc13 14792 ENTER
58c5fc13 14793+
ae4e228f 14794+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14795+ pushl $(__USER_DS)
14796+ popl %ds
ae4e228f
MT
14797+#else
14798+ GET_THREAD_INFO(%_ASM_BX)
14799 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
14800 jae bad_put_user
58c5fc13
MT
14801+#endif
14802+
14803 1: movb %al,(%_ASM_CX)
14804+
ae4e228f 14805+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14806+ pushl %ss
14807+ popl %ds
14808+#endif
14809+
14810 xor %eax,%eax
14811 EXIT
14812 ENDPROC(__put_user_1)
ae4e228f
MT
14813
14814 ENTRY(__put_user_2)
14815 ENTER
58c5fc13 14816+
ae4e228f 14817+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14818+ pushl $(__USER_DS)
14819+ popl %ds
ae4e228f
MT
14820+#else
14821+ GET_THREAD_INFO(%_ASM_BX)
14822 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
14823 sub $1,%_ASM_BX
14824 cmp %_ASM_BX,%_ASM_CX
14825 jae bad_put_user
58c5fc13
MT
14826+#endif
14827+
14828 2: movw %ax,(%_ASM_CX)
14829+
ae4e228f 14830+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14831+ pushl %ss
14832+ popl %ds
14833+#endif
14834+
14835 xor %eax,%eax
14836 EXIT
14837 ENDPROC(__put_user_2)
ae4e228f
MT
14838
14839 ENTRY(__put_user_4)
14840 ENTER
58c5fc13 14841+
ae4e228f 14842+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14843+ pushl $(__USER_DS)
14844+ popl %ds
ae4e228f
MT
14845+#else
14846+ GET_THREAD_INFO(%_ASM_BX)
14847 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
14848 sub $3,%_ASM_BX
14849 cmp %_ASM_BX,%_ASM_CX
14850 jae bad_put_user
58c5fc13
MT
14851+#endif
14852+
14853 3: movl %eax,(%_ASM_CX)
14854+
ae4e228f 14855+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14856+ pushl %ss
14857+ popl %ds
14858+#endif
14859+
14860 xor %eax,%eax
14861 EXIT
14862 ENDPROC(__put_user_4)
ae4e228f
MT
14863
14864 ENTRY(__put_user_8)
14865 ENTER
58c5fc13 14866+
ae4e228f 14867+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14868+ pushl $(__USER_DS)
14869+ popl %ds
ae4e228f
MT
14870+#else
14871+ GET_THREAD_INFO(%_ASM_BX)
14872 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
14873 sub $7,%_ASM_BX
14874 cmp %_ASM_BX,%_ASM_CX
14875 jae bad_put_user
58c5fc13
MT
14876+#endif
14877+
14878 4: mov %_ASM_AX,(%_ASM_CX)
14879 #ifdef CONFIG_X86_32
14880 5: movl %edx,4(%_ASM_CX)
14881 #endif
14882+
ae4e228f 14883+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14884+ pushl %ss
14885+ popl %ds
14886+#endif
14887+
14888 xor %eax,%eax
14889 EXIT
14890 ENDPROC(__put_user_8)
14891
14892 bad_put_user:
14893 CFI_STARTPROC
14894+
ae4e228f 14895+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT
14896+ pushl %ss
14897+ popl %ds
14898+#endif
14899+
14900 movl $-EFAULT,%eax
14901 EXIT
14902 END(bad_put_user)
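Review bot: Nothing in the new `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)` branches states the invariant they introduce: the store at labels `1:` through `5:` runs with `%ds` set to `__USER_DS`, and every way out, including the fault path through `bad_put_user`, must reload `%ds` from `%ss`. I would put one comment above `ENTRY(__put_user_1)`, along the lines of `/* UDEREF, 32-bit: user stores go through %ds = __USER_DS instead of the addr_limit compare; every exit, bad_put_user included, restores %ds from %ss */`. The claim that the segment limit replaces the range check is inferred from the `#else` placement and should be confirmed against the segment setup, which is not in this section. The load and restore pairs are repeated in all four entry points, so two small macros beside `ENTER`/`EXIT` would leave less room for a missed restore.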
ae4e228f
MT
14903diff -urNp linux-2.6.33.1/arch/x86/lib/usercopy_32.c linux-2.6.33.1/arch/x86/lib/usercopy_32.c
14904--- linux-2.6.33.1/arch/x86/lib/usercopy_32.c 2010-03-15 12:09:39.000000000 -0400
14905+++ linux-2.6.33.1/arch/x86/lib/usercopy_32.c 2010-03-20 16:58:39.028522513 -0400
58c5fc13
MT
14906@@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
14907 * Copy a null terminated string from userspace.
14908 */
14909
14910-#define __do_strncpy_from_user(dst, src, count, res) \
14911-do { \
14912- int __d0, __d1, __d2; \
14913- might_fault(); \
14914- __asm__ __volatile__( \
14915- " testl %1,%1\n" \
14916- " jz 2f\n" \
14917- "0: lodsb\n" \
14918- " stosb\n" \
14919- " testb %%al,%%al\n" \
14920- " jz 1f\n" \
14921- " decl %1\n" \
14922- " jnz 0b\n" \
14923- "1: subl %1,%0\n" \
14924- "2:\n" \
14925- ".section .fixup,\"ax\"\n" \
14926- "3: movl %5,%0\n" \
14927- " jmp 2b\n" \
14928- ".previous\n" \
14929- _ASM_EXTABLE(0b,3b) \
14930- : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
14931- "=&D" (__d2) \
14932- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
14933- : "memory"); \
14934-} while (0)
14935+static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
14936+{
14937+ int __d0, __d1, __d2;
14938+ long res = -EFAULT;
14939+
14940+ might_fault();
14941+ __asm__ __volatile__(
14942+ " movw %w10,%%ds\n"
14943+ " testl %1,%1\n"
14944+ " jz 2f\n"
14945+ "0: lodsb\n"
14946+ " stosb\n"
14947+ " testb %%al,%%al\n"
14948+ " jz 1f\n"
14949+ " decl %1\n"
14950+ " jnz 0b\n"
14951+ "1: subl %1,%0\n"
14952+ "2:\n"
14953+ " pushl %%ss\n"
14954+ " popl %%ds\n"
14955+ ".section .fixup,\"ax\"\n"
14956+ "3: movl %5,%0\n"
14957+ " jmp 2b\n"
14958+ ".previous\n"
14959+ _ASM_EXTABLE(0b,3b)
14960+ : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
14961+ "=&D" (__d2)
14962+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
14963+ "r"(__USER_DS)
14964+ : "memory");
14965+ return res;
14966+}
14967
14968 /**
14969 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
14970@@ -85,9 +92,7 @@ do { \
14971 long
14972 __strncpy_from_user(char *dst, const char __user *src, long count)
14973 {
14974- long res;
14975- __do_strncpy_from_user(dst, src, count, res);
14976- return res;
14977+ return __do_strncpy_from_user(dst, src, count);
14978 }
14979 EXPORT_SYMBOL(__strncpy_from_user);
14980
14981@@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
14982 {
14983 long res = -EFAULT;
14984 if (access_ok(VERIFY_READ, src, 1))
14985- __do_strncpy_from_user(dst, src, count, res);
14986+ res = __do_strncpy_from_user(dst, src, count);
14987 return res;
14988 }
14989 EXPORT_SYMBOL(strncpy_from_user);
14990@@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
14991 * Zero Userspace
14992 */
14993
14994-#define __do_clear_user(addr,size) \
14995-do { \
14996- int __d0; \
14997- might_fault(); \
14998- __asm__ __volatile__( \
14999- "0: rep; stosl\n" \
15000- " movl %2,%0\n" \
15001- "1: rep; stosb\n" \
15002- "2:\n" \
15003- ".section .fixup,\"ax\"\n" \
15004- "3: lea 0(%2,%0,4),%0\n" \
15005- " jmp 2b\n" \
15006- ".previous\n" \
15007- _ASM_EXTABLE(0b,3b) \
15008- _ASM_EXTABLE(1b,2b) \
15009- : "=&c"(size), "=&D" (__d0) \
15010- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
15011-} while (0)
15012+static unsigned long __do_clear_user(void __user *addr, unsigned long size)
15013+{
15014+ int __d0;
15015+
15016+ might_fault();
15017+ __asm__ __volatile__(
15018+ " movw %w6,%%es\n"
15019+ "0: rep; stosl\n"
15020+ " movl %2,%0\n"
15021+ "1: rep; stosb\n"
15022+ "2:\n"
15023+ " pushl %%ss\n"
15024+ " popl %%es\n"
15025+ ".section .fixup,\"ax\"\n"
15026+ "3: lea 0(%2,%0,4),%0\n"
15027+ " jmp 2b\n"
15028+ ".previous\n"
15029+ _ASM_EXTABLE(0b,3b)
15030+ _ASM_EXTABLE(1b,2b)
15031+ : "=&c"(size), "=&D" (__d0)
15032+ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
15033+ "r"(__USER_DS));
15034+ return size;
15035+}
15036
15037 /**
15038 * clear_user: - Zero a block of memory in user space.
15039@@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
15040 {
15041 might_fault();
15042 if (access_ok(VERIFY_WRITE, to, n))
15043- __do_clear_user(to, n);
15044+ n = __do_clear_user(to, n);
15045 return n;
15046 }
15047 EXPORT_SYMBOL(clear_user);
15048@@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
15049 unsigned long
15050 __clear_user(void __user *to, unsigned long n)
15051 {
15052- __do_clear_user(to, n);
15053- return n;
15054+ return __do_clear_user(to, n);
15055 }
15056 EXPORT_SYMBOL(__clear_user);
15057
15058@@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
15059 might_fault();
15060
15061 __asm__ __volatile__(
15062+ " movw %w8,%%es\n"
15063 " testl %0, %0\n"
15064 " jz 3f\n"
15065- " andl %0,%%ecx\n"
15066+ " movl %0,%%ecx\n"
15067 "0: repne; scasb\n"
15068 " setne %%al\n"
15069 " subl %%ecx,%0\n"
15070 " addl %0,%%eax\n"
15071 "1:\n"
15072+ " pushl %%ss\n"
15073+ " popl %%es\n"
15074 ".section .fixup,\"ax\"\n"
15075 "2: xorl %%eax,%%eax\n"
15076 " jmp 1b\n"
15077@@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
15078 " .long 0b,2b\n"
15079 ".previous"
15080 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
15081- :"0" (n), "1" (s), "2" (0), "3" (mask)
15082+ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
15083 :"cc");
15084 return res & mask;
15085 }
15086@@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
15087
15088 #ifdef CONFIG_X86_INTEL_USERCOPY
15089 static unsigned long
15090-__copy_user_intel(void __user *to, const void *from, unsigned long size)
15091+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
15092+{
15093+ int d0, d1;
15094+ __asm__ __volatile__(
15095+ " movw %w6, %%es\n"
15096+ " .align 2,0x90\n"
15097+ "1: movl 32(%4), %%eax\n"
15098+ " cmpl $67, %0\n"
15099+ " jbe 3f\n"
15100+ "2: movl 64(%4), %%eax\n"
15101+ " .align 2,0x90\n"
15102+ "3: movl 0(%4), %%eax\n"
15103+ "4: movl 4(%4), %%edx\n"
15104+ "5: movl %%eax, %%es:0(%3)\n"
15105+ "6: movl %%edx, %%es:4(%3)\n"
15106+ "7: movl 8(%4), %%eax\n"
15107+ "8: movl 12(%4),%%edx\n"
15108+ "9: movl %%eax, %%es:8(%3)\n"
15109+ "10: movl %%edx, %%es:12(%3)\n"
15110+ "11: movl 16(%4), %%eax\n"
15111+ "12: movl 20(%4), %%edx\n"
15112+ "13: movl %%eax, %%es:16(%3)\n"
15113+ "14: movl %%edx, %%es:20(%3)\n"
15114+ "15: movl 24(%4), %%eax\n"
15115+ "16: movl 28(%4), %%edx\n"
15116+ "17: movl %%eax, %%es:24(%3)\n"
15117+ "18: movl %%edx, %%es:28(%3)\n"
15118+ "19: movl 32(%4), %%eax\n"
15119+ "20: movl 36(%4), %%edx\n"
15120+ "21: movl %%eax, %%es:32(%3)\n"
15121+ "22: movl %%edx, %%es:36(%3)\n"
15122+ "23: movl 40(%4), %%eax\n"
15123+ "24: movl 44(%4), %%edx\n"
15124+ "25: movl %%eax, %%es:40(%3)\n"
15125+ "26: movl %%edx, %%es:44(%3)\n"
15126+ "27: movl 48(%4), %%eax\n"
15127+ "28: movl 52(%4), %%edx\n"
15128+ "29: movl %%eax, %%es:48(%3)\n"
15129+ "30: movl %%edx, %%es:52(%3)\n"
15130+ "31: movl 56(%4), %%eax\n"
15131+ "32: movl 60(%4), %%edx\n"
15132+ "33: movl %%eax, %%es:56(%3)\n"
15133+ "34: movl %%edx, %%es:60(%3)\n"
15134+ " addl $-64, %0\n"
15135+ " addl $64, %4\n"
15136+ " addl $64, %3\n"
15137+ " cmpl $63, %0\n"
15138+ " ja 1b\n"
15139+ "35: movl %0, %%eax\n"
15140+ " shrl $2, %0\n"
15141+ " andl $3, %%eax\n"
15142+ " cld\n"
15143+ "99: rep; movsl\n"
15144+ "36: movl %%eax, %0\n"
15145+ "37: rep; movsb\n"
15146+ "100:\n"
15147+ " pushl %%ss\n"
15148+ " popl %%es\n"
15149+ ".section .fixup,\"ax\"\n"
15150+ "101: lea 0(%%eax,%0,4),%0\n"
15151+ " jmp 100b\n"
15152+ ".previous\n"
15153+ ".section __ex_table,\"a\"\n"
15154+ " .align 4\n"
15155+ " .long 1b,100b\n"
15156+ " .long 2b,100b\n"
15157+ " .long 3b,100b\n"
15158+ " .long 4b,100b\n"
15159+ " .long 5b,100b\n"
15160+ " .long 6b,100b\n"
15161+ " .long 7b,100b\n"
15162+ " .long 8b,100b\n"
15163+ " .long 9b,100b\n"
15164+ " .long 10b,100b\n"
15165+ " .long 11b,100b\n"
15166+ " .long 12b,100b\n"
15167+ " .long 13b,100b\n"
15168+ " .long 14b,100b\n"
15169+ " .long 15b,100b\n"
15170+ " .long 16b,100b\n"
15171+ " .long 17b,100b\n"
15172+ " .long 18b,100b\n"
15173+ " .long 19b,100b\n"
15174+ " .long 20b,100b\n"
15175+ " .long 21b,100b\n"
15176+ " .long 22b,100b\n"
15177+ " .long 23b,100b\n"
15178+ " .long 24b,100b\n"
15179+ " .long 25b,100b\n"
15180+ " .long 26b,100b\n"
15181+ " .long 27b,100b\n"
15182+ " .long 28b,100b\n"
15183+ " .long 29b,100b\n"
15184+ " .long 30b,100b\n"
15185+ " .long 31b,100b\n"
15186+ " .long 32b,100b\n"
15187+ " .long 33b,100b\n"
15188+ " .long 34b,100b\n"
15189+ " .long 35b,100b\n"
15190+ " .long 36b,100b\n"
15191+ " .long 37b,100b\n"
15192+ " .long 99b,101b\n"
15193+ ".previous"
15194+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
15195+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15196+ : "eax", "edx", "memory");
15197+ return size;
15198+}
15199+
15200+static unsigned long
15201+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
15202 {
15203 int d0, d1;
15204 __asm__ __volatile__(
15205+ " movw %w6, %%ds\n"
15206 " .align 2,0x90\n"
15207 "1: movl 32(%4), %%eax\n"
15208 " cmpl $67, %0\n"
15209@@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
15210 " .align 2,0x90\n"
15211 "3: movl 0(%4), %%eax\n"
15212 "4: movl 4(%4), %%edx\n"
15213- "5: movl %%eax, 0(%3)\n"
15214- "6: movl %%edx, 4(%3)\n"
15215+ "5: movl %%eax, %%es:0(%3)\n"
15216+ "6: movl %%edx, %%es:4(%3)\n"
15217 "7: movl 8(%4), %%eax\n"
15218 "8: movl 12(%4),%%edx\n"
15219- "9: movl %%eax, 8(%3)\n"
15220- "10: movl %%edx, 12(%3)\n"
15221+ "9: movl %%eax, %%es:8(%3)\n"
15222+ "10: movl %%edx, %%es:12(%3)\n"
15223 "11: movl 16(%4), %%eax\n"
15224 "12: movl 20(%4), %%edx\n"
15225- "13: movl %%eax, 16(%3)\n"
15226- "14: movl %%edx, 20(%3)\n"
15227+ "13: movl %%eax, %%es:16(%3)\n"
15228+ "14: movl %%edx, %%es:20(%3)\n"
15229 "15: movl 24(%4), %%eax\n"
15230 "16: movl 28(%4), %%edx\n"
15231- "17: movl %%eax, 24(%3)\n"
15232- "18: movl %%edx, 28(%3)\n"
15233+ "17: movl %%eax, %%es:24(%3)\n"
15234+ "18: movl %%edx, %%es:28(%3)\n"
15235 "19: movl 32(%4), %%eax\n"
15236 "20: movl 36(%4), %%edx\n"
15237- "21: movl %%eax, 32(%3)\n"
15238- "22: movl %%edx, 36(%3)\n"
15239+ "21: movl %%eax, %%es:32(%3)\n"
15240+ "22: movl %%edx, %%es:36(%3)\n"
15241 "23: movl 40(%4), %%eax\n"
15242 "24: movl 44(%4), %%edx\n"
15243- "25: movl %%eax, 40(%3)\n"
15244- "26: movl %%edx, 44(%3)\n"
15245+ "25: movl %%eax, %%es:40(%3)\n"
15246+ "26: movl %%edx, %%es:44(%3)\n"
15247 "27: movl 48(%4), %%eax\n"
15248 "28: movl 52(%4), %%edx\n"
15249- "29: movl %%eax, 48(%3)\n"
15250- "30: movl %%edx, 52(%3)\n"
15251+ "29: movl %%eax, %%es:48(%3)\n"
15252+ "30: movl %%edx, %%es:52(%3)\n"
15253 "31: movl 56(%4), %%eax\n"
15254 "32: movl 60(%4), %%edx\n"
15255- "33: movl %%eax, 56(%3)\n"
15256- "34: movl %%edx, 60(%3)\n"
15257+ "33: movl %%eax, %%es:56(%3)\n"
15258+ "34: movl %%edx, %%es:60(%3)\n"
15259 " addl $-64, %0\n"
15260 " addl $64, %4\n"
15261 " addl $64, %3\n"
15262@@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
15263 "36: movl %%eax, %0\n"
15264 "37: rep; movsb\n"
15265 "100:\n"
15266+ " pushl %%ss\n"
15267+ " popl %%ds\n"
15268 ".section .fixup,\"ax\"\n"
15269 "101: lea 0(%%eax,%0,4),%0\n"
15270 " jmp 100b\n"
15271@@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
15272 " .long 99b,101b\n"
15273 ".previous"
15274 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15275- : "1"(to), "2"(from), "0"(size)
15276+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15277 : "eax", "edx", "memory");
15278 return size;
15279 }
15280@@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
15281 {
15282 int d0, d1;
15283 __asm__ __volatile__(
15284+ " movw %w6, %%ds\n"
15285 " .align 2,0x90\n"
15286 "0: movl 32(%4), %%eax\n"
15287 " cmpl $67, %0\n"
15288@@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
15289 " .align 2,0x90\n"
15290 "2: movl 0(%4), %%eax\n"
15291 "21: movl 4(%4), %%edx\n"
15292- " movl %%eax, 0(%3)\n"
15293- " movl %%edx, 4(%3)\n"
15294+ " movl %%eax, %%es:0(%3)\n"
15295+ " movl %%edx, %%es:4(%3)\n"
15296 "3: movl 8(%4), %%eax\n"
15297 "31: movl 12(%4),%%edx\n"
15298- " movl %%eax, 8(%3)\n"
15299- " movl %%edx, 12(%3)\n"
15300+ " movl %%eax, %%es:8(%3)\n"
15301+ " movl %%edx, %%es:12(%3)\n"
15302 "4: movl 16(%4), %%eax\n"
15303 "41: movl 20(%4), %%edx\n"
15304- " movl %%eax, 16(%3)\n"
15305- " movl %%edx, 20(%3)\n"
15306+ " movl %%eax, %%es:16(%3)\n"
15307+ " movl %%edx, %%es:20(%3)\n"
15308 "10: movl 24(%4), %%eax\n"
15309 "51: movl 28(%4), %%edx\n"
15310- " movl %%eax, 24(%3)\n"
15311- " movl %%edx, 28(%3)\n"
15312+ " movl %%eax, %%es:24(%3)\n"
15313+ " movl %%edx, %%es:28(%3)\n"
15314 "11: movl 32(%4), %%eax\n"
15315 "61: movl 36(%4), %%edx\n"
15316- " movl %%eax, 32(%3)\n"
15317- " movl %%edx, 36(%3)\n"
15318+ " movl %%eax, %%es:32(%3)\n"
15319+ " movl %%edx, %%es:36(%3)\n"
15320 "12: movl 40(%4), %%eax\n"
15321 "71: movl 44(%4), %%edx\n"
15322- " movl %%eax, 40(%3)\n"
15323- " movl %%edx, 44(%3)\n"
15324+ " movl %%eax, %%es:40(%3)\n"
15325+ " movl %%edx, %%es:44(%3)\n"
15326 "13: movl 48(%4), %%eax\n"
15327 "81: movl 52(%4), %%edx\n"
15328- " movl %%eax, 48(%3)\n"
15329- " movl %%edx, 52(%3)\n"
15330+ " movl %%eax, %%es:48(%3)\n"
15331+ " movl %%edx, %%es:52(%3)\n"
15332 "14: movl 56(%4), %%eax\n"
15333 "91: movl 60(%4), %%edx\n"
15334- " movl %%eax, 56(%3)\n"
15335- " movl %%edx, 60(%3)\n"
15336+ " movl %%eax, %%es:56(%3)\n"
15337+ " movl %%edx, %%es:60(%3)\n"
15338 " addl $-64, %0\n"
15339 " addl $64, %4\n"
15340 " addl $64, %3\n"
15341@@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
15342 " movl %%eax,%0\n"
15343 "7: rep; movsb\n"
15344 "8:\n"
15345+ " pushl %%ss\n"
15346+ " popl %%ds\n"
15347 ".section .fixup,\"ax\"\n"
15348 "9: lea 0(%%eax,%0,4),%0\n"
15349 "16: pushl %0\n"
15350@@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
15351 " .long 7b,16b\n"
15352 ".previous"
15353 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15354- : "1"(to), "2"(from), "0"(size)
15355+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15356 : "eax", "edx", "memory");
15357 return size;
15358 }
15359@@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
15360 int d0, d1;
15361
15362 __asm__ __volatile__(
15363+ " movw %w6, %%ds\n"
15364 " .align 2,0x90\n"
15365 "0: movl 32(%4), %%eax\n"
15366 " cmpl $67, %0\n"
15367@@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
15368 " .align 2,0x90\n"
15369 "2: movl 0(%4), %%eax\n"
15370 "21: movl 4(%4), %%edx\n"
15371- " movnti %%eax, 0(%3)\n"
15372- " movnti %%edx, 4(%3)\n"
15373+ " movnti %%eax, %%es:0(%3)\n"
15374+ " movnti %%edx, %%es:4(%3)\n"
15375 "3: movl 8(%4), %%eax\n"
15376 "31: movl 12(%4),%%edx\n"
15377- " movnti %%eax, 8(%3)\n"
15378- " movnti %%edx, 12(%3)\n"
15379+ " movnti %%eax, %%es:8(%3)\n"
15380+ " movnti %%edx, %%es:12(%3)\n"
15381 "4: movl 16(%4), %%eax\n"
15382 "41: movl 20(%4), %%edx\n"
15383- " movnti %%eax, 16(%3)\n"
15384- " movnti %%edx, 20(%3)\n"
15385+ " movnti %%eax, %%es:16(%3)\n"
15386+ " movnti %%edx, %%es:20(%3)\n"
15387 "10: movl 24(%4), %%eax\n"
15388 "51: movl 28(%4), %%edx\n"
15389- " movnti %%eax, 24(%3)\n"
15390- " movnti %%edx, 28(%3)\n"
15391+ " movnti %%eax, %%es:24(%3)\n"
15392+ " movnti %%edx, %%es:28(%3)\n"
15393 "11: movl 32(%4), %%eax\n"
15394 "61: movl 36(%4), %%edx\n"
15395- " movnti %%eax, 32(%3)\n"
15396- " movnti %%edx, 36(%3)\n"
15397+ " movnti %%eax, %%es:32(%3)\n"
15398+ " movnti %%edx, %%es:36(%3)\n"
15399 "12: movl 40(%4), %%eax\n"
15400 "71: movl 44(%4), %%edx\n"
15401- " movnti %%eax, 40(%3)\n"
15402- " movnti %%edx, 44(%3)\n"
15403+ " movnti %%eax, %%es:40(%3)\n"
15404+ " movnti %%edx, %%es:44(%3)\n"
15405 "13: movl 48(%4), %%eax\n"
15406 "81: movl 52(%4), %%edx\n"
15407- " movnti %%eax, 48(%3)\n"
15408- " movnti %%edx, 52(%3)\n"
15409+ " movnti %%eax, %%es:48(%3)\n"
15410+ " movnti %%edx, %%es:52(%3)\n"
15411 "14: movl 56(%4), %%eax\n"
15412 "91: movl 60(%4), %%edx\n"
15413- " movnti %%eax, 56(%3)\n"
15414- " movnti %%edx, 60(%3)\n"
15415+ " movnti %%eax, %%es:56(%3)\n"
15416+ " movnti %%edx, %%es:60(%3)\n"
15417 " addl $-64, %0\n"
15418 " addl $64, %4\n"
15419 " addl $64, %3\n"
15420@@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
15421 " movl %%eax,%0\n"
15422 "7: rep; movsb\n"
15423 "8:\n"
15424+ " pushl %%ss\n"
15425+ " popl %%ds\n"
15426 ".section .fixup,\"ax\"\n"
15427 "9: lea 0(%%eax,%0,4),%0\n"
15428 "16: pushl %0\n"
15429@@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
15430 " .long 7b,16b\n"
15431 ".previous"
15432 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15433- : "1"(to), "2"(from), "0"(size)
15434+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15435 : "eax", "edx", "memory");
15436 return size;
15437 }
15438@@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
15439 int d0, d1;
15440
15441 __asm__ __volatile__(
15442+ " movw %w6, %%ds\n"
15443 " .align 2,0x90\n"
15444 "0: movl 32(%4), %%eax\n"
15445 " cmpl $67, %0\n"
15446@@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
15447 " .align 2,0x90\n"
15448 "2: movl 0(%4), %%eax\n"
15449 "21: movl 4(%4), %%edx\n"
15450- " movnti %%eax, 0(%3)\n"
15451- " movnti %%edx, 4(%3)\n"
15452+ " movnti %%eax, %%es:0(%3)\n"
15453+ " movnti %%edx, %%es:4(%3)\n"
15454 "3: movl 8(%4), %%eax\n"
15455 "31: movl 12(%4),%%edx\n"
15456- " movnti %%eax, 8(%3)\n"
15457- " movnti %%edx, 12(%3)\n"
15458+ " movnti %%eax, %%es:8(%3)\n"
15459+ " movnti %%edx, %%es:12(%3)\n"
15460 "4: movl 16(%4), %%eax\n"
15461 "41: movl 20(%4), %%edx\n"
15462- " movnti %%eax, 16(%3)\n"
15463- " movnti %%edx, 20(%3)\n"
15464+ " movnti %%eax, %%es:16(%3)\n"
15465+ " movnti %%edx, %%es:20(%3)\n"
15466 "10: movl 24(%4), %%eax\n"
15467 "51: movl 28(%4), %%edx\n"
15468- " movnti %%eax, 24(%3)\n"
15469- " movnti %%edx, 28(%3)\n"
15470+ " movnti %%eax, %%es:24(%3)\n"
15471+ " movnti %%edx, %%es:28(%3)\n"
15472 "11: movl 32(%4), %%eax\n"
15473 "61: movl 36(%4), %%edx\n"
15474- " movnti %%eax, 32(%3)\n"
15475- " movnti %%edx, 36(%3)\n"
15476+ " movnti %%eax, %%es:32(%3)\n"
15477+ " movnti %%edx, %%es:36(%3)\n"
15478 "12: movl 40(%4), %%eax\n"
15479 "71: movl 44(%4), %%edx\n"
15480- " movnti %%eax, 40(%3)\n"
15481- " movnti %%edx, 44(%3)\n"
15482+ " movnti %%eax, %%es:40(%3)\n"
15483+ " movnti %%edx, %%es:44(%3)\n"
15484 "13: movl 48(%4), %%eax\n"
15485 "81: movl 52(%4), %%edx\n"
15486- " movnti %%eax, 48(%3)\n"
15487- " movnti %%edx, 52(%3)\n"
15488+ " movnti %%eax, %%es:48(%3)\n"
15489+ " movnti %%edx, %%es:52(%3)\n"
15490 "14: movl 56(%4), %%eax\n"
15491 "91: movl 60(%4), %%edx\n"
15492- " movnti %%eax, 56(%3)\n"
15493- " movnti %%edx, 60(%3)\n"
15494+ " movnti %%eax, %%es:56(%3)\n"
15495+ " movnti %%edx, %%es:60(%3)\n"
15496 " addl $-64, %0\n"
15497 " addl $64, %4\n"
15498 " addl $64, %3\n"
15499@@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
15500 " movl %%eax,%0\n"
15501 "7: rep; movsb\n"
15502 "8:\n"
15503+ " pushl %%ss\n"
15504+ " popl %%ds\n"
15505 ".section .fixup,\"ax\"\n"
15506 "9: lea 0(%%eax,%0,4),%0\n"
15507 "16: jmp 8b\n"
15508@@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
15509 " .long 7b,16b\n"
15510 ".previous"
15511 : "=&c"(size), "=&D" (d0), "=&S" (d1)
15512- : "1"(to), "2"(from), "0"(size)
15513+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
15514 : "eax", "edx", "memory");
15515 return size;
15516 }
15517@@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
15518 */
15519 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
15520 unsigned long size);
15521-unsigned long __copy_user_intel(void __user *to, const void *from,
15522+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
15523+ unsigned long size);
15524+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
15525 unsigned long size);
15526 unsigned long __copy_user_zeroing_intel_nocache(void *to,
15527 const void __user *from, unsigned long size);
15528 #endif /* CONFIG_X86_INTEL_USERCOPY */
15529
15530 /* Generic arbitrary sized copy. */
15531-#define __copy_user(to, from, size) \
15532-do { \
15533- int __d0, __d1, __d2; \
15534- __asm__ __volatile__( \
15535- " cmp $7,%0\n" \
15536- " jbe 1f\n" \
15537- " movl %1,%0\n" \
15538- " negl %0\n" \
15539- " andl $7,%0\n" \
15540- " subl %0,%3\n" \
15541- "4: rep; movsb\n" \
15542- " movl %3,%0\n" \
15543- " shrl $2,%0\n" \
15544- " andl $3,%3\n" \
15545- " .align 2,0x90\n" \
15546- "0: rep; movsl\n" \
15547- " movl %3,%0\n" \
15548- "1: rep; movsb\n" \
15549- "2:\n" \
15550- ".section .fixup,\"ax\"\n" \
15551- "5: addl %3,%0\n" \
15552- " jmp 2b\n" \
15553- "3: lea 0(%3,%0,4),%0\n" \
15554- " jmp 2b\n" \
15555- ".previous\n" \
15556- ".section __ex_table,\"a\"\n" \
15557- " .align 4\n" \
15558- " .long 4b,5b\n" \
15559- " .long 0b,3b\n" \
15560- " .long 1b,2b\n" \
15561- ".previous" \
15562- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15563- : "3"(size), "0"(size), "1"(to), "2"(from) \
15564- : "memory"); \
15565-} while (0)
15566-
15567-#define __copy_user_zeroing(to, from, size) \
15568-do { \
15569- int __d0, __d1, __d2; \
15570- __asm__ __volatile__( \
15571- " cmp $7,%0\n" \
15572- " jbe 1f\n" \
15573- " movl %1,%0\n" \
15574- " negl %0\n" \
15575- " andl $7,%0\n" \
15576- " subl %0,%3\n" \
15577- "4: rep; movsb\n" \
15578- " movl %3,%0\n" \
15579- " shrl $2,%0\n" \
15580- " andl $3,%3\n" \
15581- " .align 2,0x90\n" \
15582- "0: rep; movsl\n" \
15583- " movl %3,%0\n" \
15584- "1: rep; movsb\n" \
15585- "2:\n" \
15586- ".section .fixup,\"ax\"\n" \
15587- "5: addl %3,%0\n" \
15588- " jmp 6f\n" \
15589- "3: lea 0(%3,%0,4),%0\n" \
15590- "6: pushl %0\n" \
15591- " pushl %%eax\n" \
15592- " xorl %%eax,%%eax\n" \
15593- " rep; stosb\n" \
15594- " popl %%eax\n" \
15595- " popl %0\n" \
15596- " jmp 2b\n" \
15597- ".previous\n" \
15598- ".section __ex_table,\"a\"\n" \
15599- " .align 4\n" \
15600- " .long 4b,5b\n" \
15601- " .long 0b,3b\n" \
15602- " .long 1b,6b\n" \
15603- ".previous" \
15604- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
15605- : "3"(size), "0"(size), "1"(to), "2"(from) \
15606- : "memory"); \
15607-} while (0)
15608+static unsigned long
15609+__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
15610+{
15611+ int __d0, __d1, __d2;
15612+
15613+ __asm__ __volatile__(
15614+ " movw %w8,%%es\n"
15615+ " cmp $7,%0\n"
15616+ " jbe 1f\n"
15617+ " movl %1,%0\n"
15618+ " negl %0\n"
15619+ " andl $7,%0\n"
15620+ " subl %0,%3\n"
15621+ "4: rep; movsb\n"
15622+ " movl %3,%0\n"
15623+ " shrl $2,%0\n"
15624+ " andl $3,%3\n"
15625+ " .align 2,0x90\n"
15626+ "0: rep; movsl\n"
15627+ " movl %3,%0\n"
15628+ "1: rep; movsb\n"
15629+ "2:\n"
15630+ " pushl %%ss\n"
15631+ " popl %%es\n"
15632+ ".section .fixup,\"ax\"\n"
15633+ "5: addl %3,%0\n"
15634+ " jmp 2b\n"
15635+ "3: lea 0(%3,%0,4),%0\n"
15636+ " jmp 2b\n"
15637+ ".previous\n"
15638+ ".section __ex_table,\"a\"\n"
15639+ " .align 4\n"
15640+ " .long 4b,5b\n"
15641+ " .long 0b,3b\n"
15642+ " .long 1b,2b\n"
15643+ ".previous"
15644+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15645+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15646+ : "memory");
15647+ return size;
15648+}
15649+
15650+static unsigned long
15651+__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
15652+{
15653+ int __d0, __d1, __d2;
15654+
15655+ __asm__ __volatile__(
15656+ " movw %w8,%%ds\n"
15657+ " cmp $7,%0\n"
15658+ " jbe 1f\n"
15659+ " movl %1,%0\n"
15660+ " negl %0\n"
15661+ " andl $7,%0\n"
15662+ " subl %0,%3\n"
15663+ "4: rep; movsb\n"
15664+ " movl %3,%0\n"
15665+ " shrl $2,%0\n"
15666+ " andl $3,%3\n"
15667+ " .align 2,0x90\n"
15668+ "0: rep; movsl\n"
15669+ " movl %3,%0\n"
15670+ "1: rep; movsb\n"
15671+ "2:\n"
15672+ " pushl %%ss\n"
15673+ " popl %%ds\n"
15674+ ".section .fixup,\"ax\"\n"
15675+ "5: addl %3,%0\n"
15676+ " jmp 2b\n"
15677+ "3: lea 0(%3,%0,4),%0\n"
15678+ " jmp 2b\n"
15679+ ".previous\n"
15680+ ".section __ex_table,\"a\"\n"
15681+ " .align 4\n"
15682+ " .long 4b,5b\n"
15683+ " .long 0b,3b\n"
15684+ " .long 1b,2b\n"
15685+ ".previous"
15686+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15687+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15688+ : "memory");
15689+ return size;
15690+}
15691+
15692+static unsigned long
15693+__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
15694+{
15695+ int __d0, __d1, __d2;
15696+
15697+ __asm__ __volatile__(
15698+ " movw %w8,%%ds\n"
15699+ " cmp $7,%0\n"
15700+ " jbe 1f\n"
15701+ " movl %1,%0\n"
15702+ " negl %0\n"
15703+ " andl $7,%0\n"
15704+ " subl %0,%3\n"
15705+ "4: rep; movsb\n"
15706+ " movl %3,%0\n"
15707+ " shrl $2,%0\n"
15708+ " andl $3,%3\n"
15709+ " .align 2,0x90\n"
15710+ "0: rep; movsl\n"
15711+ " movl %3,%0\n"
15712+ "1: rep; movsb\n"
15713+ "2:\n"
15714+ " pushl %%ss\n"
15715+ " popl %%ds\n"
15716+ ".section .fixup,\"ax\"\n"
15717+ "5: addl %3,%0\n"
15718+ " jmp 6f\n"
15719+ "3: lea 0(%3,%0,4),%0\n"
15720+ "6: pushl %0\n"
15721+ " pushl %%eax\n"
15722+ " xorl %%eax,%%eax\n"
15723+ " rep; stosb\n"
15724+ " popl %%eax\n"
15725+ " popl %0\n"
15726+ " jmp 2b\n"
15727+ ".previous\n"
15728+ ".section __ex_table,\"a\"\n"
15729+ " .align 4\n"
15730+ " .long 4b,5b\n"
15731+ " .long 0b,3b\n"
15732+ " .long 1b,6b\n"
15733+ ".previous"
15734+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
15735+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
15736+ : "memory");
15737+ return size;
15738+}
15739
15740 unsigned long __copy_to_user_ll(void __user *to, const void *from,
15741 unsigned long n)
15742@@ -775,9 +966,9 @@ survive:
15743 }
15744 #endif
15745 if (movsl_is_ok(to, from, n))
15746- __copy_user(to, from, n);
15747+ n = __generic_copy_to_user(to, from, n);
15748 else
15749- n = __copy_user_intel(to, from, n);
15750+ n = __generic_copy_to_user_intel(to, from, n);
15751 return n;
15752 }
15753 EXPORT_SYMBOL(__copy_to_user_ll);
15754@@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
15755 unsigned long n)
15756 {
15757 if (movsl_is_ok(to, from, n))
15758- __copy_user_zeroing(to, from, n);
15759+ n = __copy_user_zeroing(to, from, n);
15760 else
15761 n = __copy_user_zeroing_intel(to, from, n);
15762 return n;
15763@@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
15764 unsigned long n)
15765 {
15766 if (movsl_is_ok(to, from, n))
15767- __copy_user(to, from, n);
15768+ n = __generic_copy_from_user(to, from, n);
15769 else
15770- n = __copy_user_intel((void __user *)to,
15771- (const void *)from, n);
15772+ n = __generic_copy_from_user_intel(to, from, n);
15773 return n;
15774 }
15775 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
15776@@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
15777 if (n > 64 && cpu_has_xmm2)
15778 n = __copy_user_zeroing_intel_nocache(to, from, n);
15779 else
15780- __copy_user_zeroing(to, from, n);
15781+ n = __copy_user_zeroing(to, from, n);
15782 #else
15783- __copy_user_zeroing(to, from, n);
15784+ n = __copy_user_zeroing(to, from, n);
15785 #endif
15786 return n;
15787 }
ae4e228f 15788@@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
58c5fc13
MT
15789 if (n > 64 && cpu_has_xmm2)
15790 n = __copy_user_intel_nocache(to, from, n);
15791 else
15792- __copy_user(to, from, n);
15793+ n = __generic_copy_from_user(to, from, n);
15794 #else
15795- __copy_user(to, from, n);
15796+ n = __generic_copy_from_user(to, from, n);
15797 #endif
15798 return n;
15799 }
15800 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
15801
15802-/**
15803- * copy_to_user: - Copy a block of data into user space.
15804- * @to: Destination address, in user space.
15805- * @from: Source address, in kernel space.
15806- * @n: Number of bytes to copy.
15807- *
15808- * Context: User context only. This function may sleep.
15809- *
15810- * Copy data from kernel space to user space.
15811- *
15812- * Returns number of bytes that could not be copied.
15813- * On success, this will be zero.
15814- */
15815-unsigned long
15816-copy_to_user(void __user *to, const void *from, unsigned long n)
ae4e228f 15817+void copy_from_user_overflow(void)
58c5fc13
MT
15818 {
15819- if (access_ok(VERIFY_WRITE, to, n))
15820- n = __copy_to_user(to, from, n);
15821- return n;
ae4e228f 15822+ WARN(1, "Buffer overflow detected!\n");
58c5fc13
MT
15823 }
15824-EXPORT_SYMBOL(copy_to_user);
ae4e228f 15825+EXPORT_SYMBOL(copy_from_user_overflow);
58c5fc13
MT
15826
15827-/**
15828- * copy_from_user: - Copy a block of data from user space.
15829- * @to: Destination address, in kernel space.
15830- * @from: Source address, in user space.
15831- * @n: Number of bytes to copy.
15832- *
15833- * Context: User context only. This function may sleep.
15834- *
15835- * Copy data from user space to kernel space.
15836- *
15837- * Returns number of bytes that could not be copied.
15838- * On success, this will be zero.
15839- *
15840- * If some data could not be copied, this function will pad the copied
15841- * data to the requested size using zero bytes.
15842- */
15843-unsigned long
ae4e228f
MT
15844-_copy_from_user(void *to, const void __user *from, unsigned long n)
15845+void copy_to_user_overflow(void)
58c5fc13
MT
15846 {
15847- if (access_ok(VERIFY_READ, from, n))
15848- n = __copy_from_user(to, from, n);
15849- else
15850- memset(to, 0, n);
15851- return n;
ae4e228f
MT
15852+ WARN(1, "Buffer overflow detected!\n");
15853 }
15854-EXPORT_SYMBOL(_copy_from_user);
15855+EXPORT_SYMBOL(copy_to_user_overflow);
15856
15857-void copy_from_user_overflow(void)
15858+#ifdef CONFIG_PAX_MEMORY_UDEREF
15859+void __set_fs(mm_segment_t x, int cpu)
15860 {
15861- WARN(1, "Buffer overflow detected!\n");
15862+ unsigned long limit = x.seg;
15863+ struct desc_struct d;
15864+
15865+ current_thread_info()->addr_limit = x;
15866+ if (unlikely(paravirt_enabled()))
15867+ return;
15868+
15869+ if (likely(limit))
15870+ limit = (limit - 1UL) >> PAGE_SHIFT;
15871+ pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
15872+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
15873 }
15874-EXPORT_SYMBOL(copy_from_user_overflow);
15875+
15876+void set_fs(mm_segment_t x)
15877+{
58c5fc13
MT
15878+ __set_fs(x, get_cpu());
15879+ put_cpu();
ae4e228f
MT
15880+}
15881+EXPORT_SYMBOL(copy_from_user);
58c5fc13
MT
15882+#else
15883+void set_fs(mm_segment_t x)
15884+{
15885+ current_thread_info()->addr_limit = x;
15886+}
15887+#endif
15888+
15889+EXPORT_SYMBOL(set_fs);
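Review bot: The last hunk of this file places `EXPORT_SYMBOL(copy_from_user);` directly after `set_fs()` inside the `#ifdef CONFIG_PAX_MEMORY_UDEREF` branch, although the same hunk deletes `_copy_from_user()` together with its export and no `copy_from_user` definition is visible in this file. As written the export exists only in UDEREF builds and looks like a leftover; it should be dropped or moved outside the `#ifdef`, next to the definition it belongs to. Separately, `__set_fs()` stores `addr_limit` and then returns early when `paravirt_enabled()`, so the `GDT_ENTRY_DEFAULT_USER_DS` descriptor is not rewritten on that path, while the copy routines in this file now load `__USER_DS` and `strnlen_user` no longer masks its count (`andl %0,%%ecx` became `movl %0,%%ecx`). A comment on the early return, e.g. `/* paravirt: GDT entry is not rewritten, so the user segment limit does not follow addr_limit here */`, should state what still bounds the access in that configuration.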
ae4e228f
MT
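--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -192,3 +192,12 @@ define archhelp
 echo ' FDARGS="..." arguments for the booted kernel'
 echo ' FDINITRD=file initrd for the booted kernel'
 endef
+
+define OLD_LD
+
+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
+*** Please upgrade your binutils to 2.18 or newer
+endef
+
+archprepare:
+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))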
ae4e228f
MT
15906diff -urNp linux-2.6.33.1/arch/x86/mm/extable.c linux-2.6.33.1/arch/x86/mm/extable.c
15907--- linux-2.6.33.1/arch/x86/mm/extable.c 2010-03-15 12:09:39.000000000 -0400
15908+++ linux-2.6.33.1/arch/x86/mm/extable.c 2010-03-20 16:58:39.032549699 -0400
15909@@ -1,14 +1,71 @@
58c5fc13
MT
15910 #include <linux/module.h>
15911 #include <linux/spinlock.h>
15912+#include <linux/sort.h>
15913 #include <asm/uaccess.h>
ae4e228f 15914+#include <asm/pgtable.h>
58c5fc13
MT
15915
15916+/*
15917+ * The exception table needs to be sorted so that the binary
15918+ * search that we use to find entries in it works properly.
15919+ * This is used both for the kernel exception table and for
15920+ * the exception tables of modules that get loaded.
15921+ */
15922+static int cmp_ex(const void *a, const void *b)
15923+{
15924+ const struct exception_table_entry *x = a, *y = b;
15925+
15926+ /* avoid overflow */
15927+ if (x->insn > y->insn)
15928+ return 1;
15929+ if (x->insn < y->insn)
15930+ return -1;
15931+ return 0;
15932+}
15933+
15934+static void swap_ex(void *a, void *b, int size)
15935+{
15936+ struct exception_table_entry t, *x = a, *y = b;
15937+
58c5fc13
MT
15938+ t = *x;
15939+
ae4e228f 15940+ pax_open_kernel();
58c5fc13
MT
15941+ *x = *y;
15942+ *y = t;
ae4e228f 15943+ pax_close_kernel();
58c5fc13
MT
15944+}
15945+
15946+void sort_extable(struct exception_table_entry *start,
15947+ struct exception_table_entry *finish)
15948+{
15949+ sort(start, finish - start, sizeof(struct exception_table_entry),
15950+ cmp_ex, swap_ex);
15951+}
15952+
15953+#ifdef CONFIG_MODULES
15954+/*
15955+ * If the exception table is sorted, any referring to the module init
15956+ * will be at the beginning or the end.
15957+ */
15958+void trim_init_extable(struct module *m)
15959+{
15960+ /*trim the beginning*/
15961+ while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
15962+ m->extable++;
15963+ m->num_exentries--;
15964+ }
15965+ /*trim the end*/
15966+ while (m->num_exentries &&
15967+ within_module_init(m->extable[m->num_exentries-1].insn, m))
15968+ m->num_exentries--;
15969+}
15970+#endif /* CONFIG_MODULES */
15971
15972 int fixup_exception(struct pt_regs *regs)
15973 {
15974 const struct exception_table_entry *fixup;
15975
15976 #ifdef CONFIG_PNPBIOS
15977- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
15978+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
15979 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
15980 extern u32 pnp_bios_is_utter_crap;
15981 pnp_bios_is_utter_crap = 1;
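Review bot: The new `!v8086_mode(regs)` test in `fixup_exception` has no comment saying why vm86 faults must skip the PnP BIOS path. In vm86 mode `regs->cs` holds a real-mode segment value chosen by the task rather than a selector, so presumably the guard keeps such a value from matching `SEGMENT_IS_PNP_CODE` by coincidence. A line such as `/* vm86: regs->cs is a real-mode segment, never a PnP BIOS selector */` above the `if` would record that. `fixup_exception` continues past the end of this hunk.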
ae4e228f
MT
15982diff -urNp linux-2.6.33.1/arch/x86/mm/fault.c linux-2.6.33.1/arch/x86/mm/fault.c
15983--- linux-2.6.33.1/arch/x86/mm/fault.c 2010-03-15 12:09:39.000000000 -0400
15984+++ linux-2.6.33.1/arch/x86/mm/fault.c 2010-03-20 16:58:39.032549699 -0400
58c5fc13
MT
15985@@ -11,10 +11,14 @@
15986 #include <linux/kprobes.h> /* __kprobes, ... */
15987 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
ae4e228f 15988 #include <linux/perf_event.h> /* perf_sw_event */
58c5fc13
MT
15989+#include <linux/unistd.h>
15990+#include <linux/compiler.h>
15991
15992 #include <asm/traps.h> /* dotraplinkage, ... */
15993 #include <asm/pgalloc.h> /* pgd_*(), ... */
15994 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
15995+#include <asm/vsyscall.h>
15996+#include <asm/tlbflush.h>
15997
15998 /*
15999 * Page fault error code bits:
ae4e228f 16000@@ -52,7 +56,7 @@ static inline int __kprobes notify_page_
58c5fc13
MT
16001 int ret = 0;
16002
16003 /* kprobe_running() needs smp_processor_id() */
16004- if (kprobes_built_in() && !user_mode_vm(regs)) {
16005+ if (kprobes_built_in() && !user_mode(regs)) {
16006 preempt_disable();
16007 if (kprobe_running() && kprobe_fault_handler(regs, 14))
16008 ret = 1;
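Review bot: `user_mode(regs)` replaces `user_mode_vm(regs)` in `notify_page_fault` here and again in the `do_page_fault` hunk at `@@ -1018,7 +1221,7`, and neither place says why the vm86-aware helper is no longer needed. In the unpatched 2.6.33 headers the 32-bit `user_mode()` looks only at the RPL bits of `regs->cs`, so unless another part of this patch redefines it to include the VM flag, a fault taken in vm86 mode could be handled as a kernel-mode fault. This should be confirmed against the patched header and, if it holds, recorded with a comment such as `/* user_mode() also covers vm86 in this tree */`. The function body starts before this hunk.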
ae4e228f 16009@@ -173,6 +177,30 @@ force_sig_info_fault(int si_signo, int s
58c5fc13
MT
16010 force_sig_info(si_signo, &info, tsk);
16011 }
16012
16013+#ifdef CONFIG_PAX_EMUTRAMP
16014+static int pax_handle_fetch_fault(struct pt_regs *regs);
16015+#endif
16016+
16017+#ifdef CONFIG_PAX_PAGEEXEC
16018+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
16019+{
16020+ pgd_t *pgd;
16021+ pud_t *pud;
16022+ pmd_t *pmd;
16023+
16024+ pgd = pgd_offset(mm, address);
16025+ if (!pgd_present(*pgd))
16026+ return NULL;
16027+ pud = pud_offset(pgd, address);
16028+ if (!pud_present(*pud))
16029+ return NULL;
16030+ pmd = pmd_offset(pud, address);
16031+ if (!pmd_present(*pmd))
16032+ return NULL;
16033+ return pmd;
16034+}
16035+#endif
16036+
16037 DEFINE_SPINLOCK(pgd_lock);
16038 LIST_HEAD(pgd_list);
16039
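Review bot: `pax_get_pmd` returns the entry after checking only `pmd_present(*pmd)`, and `pax_handle_pageexec_fault` later hands that pointer to `pte_offset_map_lock`, which would treat a large-page entry as a pointer to a page table. If a huge mapping can reach this path, the check should reject it too, `if (!pmd_present(*pmd) || pmd_huge(*pmd)) return NULL;`, the same test this patch adds in `native_pagetable_setup_start`. The walk takes no lock itself and the caller appears to hold `mmap_sem`, so a one-line comment stating that requirement would help.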
ae4e228f 16040@@ -536,7 +564,7 @@ static int is_errata93(struct pt_regs *r
58c5fc13
MT
16041 static int is_errata100(struct pt_regs *regs, unsigned long address)
16042 {
16043 #ifdef CONFIG_X86_64
16044- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
16045+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
16046 return 1;
16047 #endif
16048 return 0;
ae4e228f 16049@@ -563,7 +591,7 @@ static int is_f00f_bug(struct pt_regs *r
58c5fc13
MT
16050 }
16051
16052 static const char nx_warning[] = KERN_CRIT
16053-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
16054+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
16055
16056 static void
16057 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
ae4e228f 16058@@ -572,15 +600,26 @@ show_fault_oops(struct pt_regs *regs, un
58c5fc13
MT
16059 if (!oops_may_print())
16060 return;
16061
16062- if (error_code & PF_INSTR) {
ae4e228f 16063+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
58c5fc13
MT
16064 unsigned int level;
16065
16066 pte_t *pte = lookup_address(address, &level);
16067
16068 if (pte && pte_present(*pte) && !pte_exec(*pte))
16069- printk(nx_warning, current_uid());
16070+ printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
16071 }
16072
16073+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f 16074+ if (init_mm.start_code <= address && address < init_mm.end_code) {
58c5fc13 16075+ if (current->signal->curr_ip)
ae4e228f
MT
16076+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
16077+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
58c5fc13
MT
16078+ else
16079+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
16080+ current->comm, task_pid_nr(current), current_uid(), current_euid());
16081+ }
16082+#endif
16083+
16084 printk(KERN_ALERT "BUG: unable to handle kernel ");
16085 if (address < PAGE_SIZE)
16086 printk(KERN_CONT "NULL pointer dereference");
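Review bot: The `CONFIG_PAX_KERNEXEC` block logs "attempted to modify kernel code" for every fault whose address lies between `init_mm.start_code` and `init_mm.end_code`, without looking at `error_code`. If a read or instruction-fetch fault can land in that range, the line would misreport it as a write; adding `(error_code & PF_WRITE) &&` to the condition would keep the message accurate. `current->comm` is set by the task itself, so anything that parses these lines should treat the name as untrusted text. `show_fault_oops` begins and ends outside this hunk.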
ae4e228f 16087@@ -705,6 +744,68 @@ __bad_area_nosemaphore(struct pt_regs *r
58c5fc13
MT
16088 unsigned long address, int si_code)
16089 {
16090 struct task_struct *tsk = current;
16091+ struct mm_struct *mm = tsk->mm;
16092+
16093+#ifdef CONFIG_X86_64
16094+ if (mm && (error_code & PF_INSTR)) {
16095+ if (regs->ip == (unsigned long)vgettimeofday) {
16096+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
16097+ return;
16098+ } else if (regs->ip == (unsigned long)vtime) {
16099+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
16100+ return;
16101+ } else if (regs->ip == (unsigned long)vgetcpu) {
16102+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
16103+ return;
16104+ }
16105+ }
16106+#endif
16107+
16108+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16109+ if (mm && (error_code & PF_USER)) {
16110+ unsigned long ip = regs->ip;
16111+
16112+ if (v8086_mode(regs))
16113+ ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
16114+
16115+ /*
16116+ * It's possible to have interrupts off here:
16117+ */
16118+ local_irq_enable();
16119+
16120+#ifdef CONFIG_PAX_PAGEEXEC
16121+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
ae4e228f 16122+ (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
58c5fc13
MT
16123+
16124+#ifdef CONFIG_PAX_EMUTRAMP
16125+ switch (pax_handle_fetch_fault(regs)) {
16126+ case 2:
16127+ return;
16128+ }
16129+#endif
16130+
16131+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16132+ do_group_exit(SIGKILL);
16133+ }
16134+#endif
16135+
16136+#ifdef CONFIG_PAX_SEGMEXEC
16137+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
16138+
16139+#ifdef CONFIG_PAX_EMUTRAMP
16140+ switch (pax_handle_fetch_fault(regs)) {
16141+ case 2:
16142+ return;
16143+ }
16144+#endif
16145+
16146+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16147+ do_group_exit(SIGKILL);
16148+ }
16149+#endif
16150+
16151+ }
16152+#endif
16153
16154 /* User mode accesses just cause a SIGSEGV */
16155 if (error_code & PF_USER) {
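Review bot: The local `ip` computed for vm86 tasks in the `CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC` block is never read. The checks below compare `regs->ip == address` and `regs->ip + SEGMEXEC_TASK_SIZE == address`, and `pax_report_fault` is given `regs->ip`. For a vm86 task the faulting address is linear, so with a non-zero `cs` the raw `regs->ip` will not equal `address` and those two comparisons cannot match. Either use `ip` in them (`ip == address`, `ip + SEGMEXEC_TASK_SIZE == address`) or drop the variable if vm86 is meant to be excluded here. `__bad_area_nosemaphore` starts before and ends after this hunk.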
ae4e228f 16156@@ -849,6 +950,106 @@ static int spurious_fault_check(unsigned
58c5fc13
MT
16157 return 1;
16158 }
16159
16160+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16161+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
16162+{
16163+ pte_t *pte;
16164+ pmd_t *pmd;
16165+ spinlock_t *ptl;
16166+ unsigned char pte_mask;
16167+
ae4e228f 16168+ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
58c5fc13
MT
16169+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
16170+ return 0;
16171+
16172+ /* PaX: it's our fault, let's handle it if we can */
16173+
16174+ /* PaX: take a look at read faults before acquiring any locks */
16175+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
16176+ /* instruction fetch attempt from a protected page in user mode */
16177+ up_read(&mm->mmap_sem);
16178+
16179+#ifdef CONFIG_PAX_EMUTRAMP
16180+ switch (pax_handle_fetch_fault(regs)) {
16181+ case 2:
16182+ return 1;
16183+ }
16184+#endif
16185+
16186+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
16187+ do_group_exit(SIGKILL);
16188+ }
16189+
16190+ pmd = pax_get_pmd(mm, address);
16191+ if (unlikely(!pmd))
16192+ return 0;
16193+
16194+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
16195+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
16196+ pte_unmap_unlock(pte, ptl);
16197+ return 0;
16198+ }
16199+
16200+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
16201+ /* write attempt to a protected page in user mode */
16202+ pte_unmap_unlock(pte, ptl);
16203+ return 0;
16204+ }
16205+
16206+#ifdef CONFIG_SMP
16207+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
16208+#else
16209+ if (likely(address > get_limit(regs->cs)))
16210+#endif
16211+ {
16212+ set_pte(pte, pte_mkread(*pte));
16213+ __flush_tlb_one(address);
16214+ pte_unmap_unlock(pte, ptl);
16215+ up_read(&mm->mmap_sem);
16216+ return 1;
16217+ }
16218+
16219+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
16220+
16221+ /*
16222+ * PaX: fill DTLB with user rights and retry
16223+ */
16224+ __asm__ __volatile__ (
16225+#ifdef CONFIG_PAX_MEMORY_UDEREF
16226+ "movw %w4,%%es\n"
16227+#endif
16228+ "orb %2,(%1)\n"
16229+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
16230+/*
16231+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
16232+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
16233+ * page fault when examined during a TLB load attempt. this is true not only
16234+ * for PTEs holding a non-present entry but also present entries that will
16235+ * raise a page fault (such as those set up by PaX, or the copy-on-write
16236+ * mechanism). in effect it means that we do *not* need to flush the TLBs
16237+ * for our target pages since their PTEs are simply not in the TLBs at all.
16238+
16239+ * the best thing in omitting it is that we gain around 15-20% speed in the
16240+ * fast path of the page fault handler and can get rid of tracing since we
16241+ * can no longer flush unintended entries.
16242+ */
16243+ "invlpg (%0)\n"
16244+#endif
16245+ "testb $0,%%es:(%0)\n"
16246+ "xorb %3,(%1)\n"
16247+#ifdef CONFIG_PAX_MEMORY_UDEREF
16248+ "pushl %%ss\n"
16249+ "popl %%es\n"
16250+#endif
16251+ :
16252+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
16253+ : "memory", "cc");
16254+ pte_unmap_unlock(pte, ptl);
16255+ up_read(&mm->mmap_sem);
16256+ return 1;
16257+}
16258+#endif
16259+
16260 /*
16261 * Handle a spurious fault caused by a stale TLB entry.
16262 *
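Review bot: `pax_handle_pageexec_fault` has no header comment, and its return value doubles as a locking contract: every `return 1` path has already called `up_read(&mm->mmap_sem)`, while every `return 0` path leaves the semaphore as the caller had it. The `do_page_fault` hunk relies on that when it returns straight after a non-zero result. A comment above the function along the lines of `/* returns 1 with mmap_sem released when the fault was handled, 0 with mmap_sem still held otherwise */` would keep a later edit from unbalancing the lock. The `pte_mask` line also depends on `PF_WRITE` shifted by `_PAGE_BIT_DIRTY-1` landing on the dirty bit, which deserves a one-line remark.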
ae4e228f 16263@@ -915,6 +1116,9 @@ int show_unhandled_signals = 1;
58c5fc13
MT
16264 static inline int
16265 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
16266 {
ae4e228f 16267+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
58c5fc13
MT
16268+ return 1;
16269+
16270 if (write) {
16271 /* write, present and write, not present: */
16272 if (unlikely(!(vma->vm_flags & VM_WRITE)))
ae4e228f 16273@@ -948,17 +1152,16 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT
16274 {
16275 struct vm_area_struct *vma;
16276 struct task_struct *tsk;
16277- unsigned long address;
16278 struct mm_struct *mm;
16279 int write;
16280 int fault;
16281
16282+ /* Get the faulting address: */
16283+ const unsigned long address = read_cr2();
16284+
16285 tsk = current;
16286 mm = tsk->mm;
16287
16288- /* Get the faulting address: */
16289- address = read_cr2();
16290-
16291 /*
16292 * Detect and handle instructions that would cause a page fault for
16293 * both a tracked kernel page and a userspace page.
ae4e228f 16294@@ -1018,7 +1221,7 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT
16295 * User-mode registers count as a user access even for any
16296 * potential system fault or CPU buglet:
16297 */
16298- if (user_mode_vm(regs)) {
16299+ if (user_mode(regs)) {
16300 local_irq_enable();
16301 error_code |= PF_USER;
16302 } else {
ae4e228f 16303@@ -1072,6 +1275,11 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT
16304 might_sleep();
16305 }
16306
16307+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16308+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
16309+ return;
16310+#endif
16311+
16312 vma = find_vma(mm, address);
16313 if (unlikely(!vma)) {
16314 bad_area(regs, error_code, address);
ae4e228f 16315@@ -1083,18 +1291,24 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT
16316 bad_area(regs, error_code, address);
16317 return;
16318 }
16319- if (error_code & PF_USER) {
16320- /*
16321- * Accessing the stack below %sp is always a bug.
16322- * The large cushion allows instructions like enter
16323- * and pusha to work. ("enter $65535, $31" pushes
16324- * 32 pointers and then decrements %sp by 65535.)
16325- */
16326- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
16327- bad_area(regs, error_code, address);
16328- return;
16329- }
16330+ /*
16331+ * Accessing the stack below %sp is always a bug.
16332+ * The large cushion allows instructions like enter
16333+ * and pusha to work. ("enter $65535, $31" pushes
16334+ * 32 pointers and then decrements %sp by 65535.)
16335+ */
16336+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
16337+ bad_area(regs, error_code, address);
16338+ return;
16339+ }
16340+
16341+#ifdef CONFIG_PAX_SEGMEXEC
16342+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
16343+ bad_area(regs, error_code, address);
16344+ return;
16345 }
16346+#endif
16347+
16348 if (unlikely(expand_stack(vma, address))) {
16349 bad_area(regs, error_code, address);
16350 return;
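Review bot: The `CONFIG_PAX_SEGMEXEC` test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wrap-around and carries no comment. Assuming `address` is below `vma->vm_end`, it appears to be true only when `vma->vm_end` lies above `SEGMEXEC_TASK_SIZE` while `address` is at or below it, i.e. it refuses to grow a vma across that boundary. A comment saying so, or the explicit form `vma->vm_end > SEGMEXEC_TASK_SIZE && address <= SEGMEXEC_TASK_SIZE`, would be easier to audit. The hunk also drops the `error_code & PF_USER` condition around the below-`%sp` check and reads `task_pt_regs(tsk)->sp`, so the check now covers kernel-mode faults as well, which the retained comment does not mention. `do_page_fault` extends beyond this hunk on both sides.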
ae4e228f 16351@@ -1138,3 +1352,199 @@ good_area:
58c5fc13
MT
16352
16353 up_read(&mm->mmap_sem);
16354 }
16355+
16356+#ifdef CONFIG_PAX_EMUTRAMP
16357+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
16358+{
16359+ int err;
16360+
16361+ do { /* PaX: gcc trampoline emulation #1 */
16362+ unsigned char mov1, mov2;
16363+ unsigned short jmp;
16364+ unsigned int addr1, addr2;
16365+
16366+#ifdef CONFIG_X86_64
16367+ if ((regs->ip + 11) >> 32)
16368+ break;
16369+#endif
16370+
16371+ err = get_user(mov1, (unsigned char __user *)regs->ip);
16372+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16373+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
16374+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16375+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
16376+
16377+ if (err)
16378+ break;
16379+
16380+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
16381+ regs->cx = addr1;
16382+ regs->ax = addr2;
16383+ regs->ip = addr2;
16384+ return 2;
16385+ }
16386+ } while (0);
16387+
16388+ do { /* PaX: gcc trampoline emulation #2 */
16389+ unsigned char mov, jmp;
16390+ unsigned int addr1, addr2;
16391+
16392+#ifdef CONFIG_X86_64
16393+ if ((regs->ip + 9) >> 32)
16394+ break;
16395+#endif
16396+
16397+ err = get_user(mov, (unsigned char __user *)regs->ip);
16398+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
16399+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
16400+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
16401+
16402+ if (err)
16403+ break;
16404+
16405+ if (mov == 0xB9 && jmp == 0xE9) {
16406+ regs->cx = addr1;
16407+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
16408+ return 2;
16409+ }
16410+ } while (0);
16411+
16412+ return 1; /* PaX in action */
16413+}
16414+
16415+#ifdef CONFIG_X86_64
16416+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
16417+{
16418+ int err;
16419+
16420+ do { /* PaX: gcc trampoline emulation #1 */
16421+ unsigned short mov1, mov2, jmp1;
16422+ unsigned char jmp2;
16423+ unsigned int addr1;
16424+ unsigned long addr2;
16425+
16426+ err = get_user(mov1, (unsigned short __user *)regs->ip);
16427+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
16428+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
16429+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
16430+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
16431+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
16432+
16433+ if (err)
16434+ break;
16435+
16436+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16437+ regs->r11 = addr1;
16438+ regs->r10 = addr2;
16439+ regs->ip = addr1;
16440+ return 2;
16441+ }
16442+ } while (0);
16443+
16444+ do { /* PaX: gcc trampoline emulation #2 */
16445+ unsigned short mov1, mov2, jmp1;
16446+ unsigned char jmp2;
16447+ unsigned long addr1, addr2;
16448+
16449+ err = get_user(mov1, (unsigned short __user *)regs->ip);
16450+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
16451+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
16452+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
16453+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
16454+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
16455+
16456+ if (err)
16457+ break;
16458+
16459+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
16460+ regs->r11 = addr1;
16461+ regs->r10 = addr2;
16462+ regs->ip = addr1;
16463+ return 2;
16464+ }
16465+ } while (0);
16466+
16467+ return 1; /* PaX in action */
16468+}
16469+#endif
16470+
16471+/*
16472+ * PaX: decide what to do with offenders (regs->ip = fault address)
16473+ *
16474+ * returns 1 when task should be killed
16475+ * 2 when gcc trampoline was detected
16476+ */
16477+static int pax_handle_fetch_fault(struct pt_regs *regs)
16478+{
16479+ if (v8086_mode(regs))
16480+ return 1;
16481+
16482+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
16483+ return 1;
16484+
16485+#ifdef CONFIG_X86_32
16486+ return pax_handle_fetch_fault_32(regs);
16487+#else
16488+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
16489+ return pax_handle_fetch_fault_32(regs);
16490+ else
16491+ return pax_handle_fetch_fault_64(regs);
16492+#endif
16493+}
16494+#endif
16495+
16496+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16497+void pax_report_insns(void *pc, void *sp)
16498+{
16499+ long i;
16500+
16501+ printk(KERN_ERR "PAX: bytes at PC: ");
16502+ for (i = 0; i < 20; i++) {
16503+ unsigned char c;
ae4e228f 16504+ if (get_user(c, (__force unsigned char __user *)pc+i))
58c5fc13
MT
16505+ printk(KERN_CONT "?? ");
16506+ else
16507+ printk(KERN_CONT "%02x ", c);
16508+ }
16509+ printk("\n");
16510+
16511+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
ae4e228f 16512+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
58c5fc13 16513+ unsigned long c;
ae4e228f 16514+ if (get_user(c, (__force unsigned long __user *)sp+i))
58c5fc13
MT
16515+#ifdef CONFIG_X86_32
16516+ printk(KERN_CONT "???????? ");
16517+#else
16518+ printk(KERN_CONT "???????????????? ");
16519+#endif
16520+ else
16521+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
16522+ }
16523+ printk("\n");
16524+}
16525+#endif
58c5fc13 16526+
ae4e228f
MT
16527+/**
16528+ * probe_kernel_write(): safely attempt to write to a location
16529+ * @dst: address to write to
16530+ * @src: pointer to the data that shall be written
16531+ * @size: size of the data chunk
16532+ *
16533+ * Safely write to address @dst from the buffer at @src. If a kernel fault
16534+ * happens, handle that and return -EFAULT.
16535+ */
16536+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
16537+{
16538+ long ret;
16539+ mm_segment_t old_fs = get_fs();
16540+
16541+ set_fs(KERNEL_DS);
16542+ pagefault_disable();
16543+ pax_open_kernel();
16544+ ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
16545+ pax_close_kernel();
16546+ pagefault_enable();
16547+ set_fs(old_fs);
16548+
16549+ return ret ? -EFAULT : 0;
16550+}
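Review bot: The kernel-doc for `probe_kernel_write` describes only the fault handling and omits that the copy runs between `pax_open_kernel()` and `pax_close_kernel()`. Judging by the other uses in this patch, those calls lift the write protection on kernel memory, so every caller of this helper can store into otherwise read-only kernel pages. The comment should say so, for example ` * The write is done with kernel write protection temporarily lifted; callers must pass only a trusted @dst.` Separately, `pax_report_insns` in the same hunk copies 20 bytes at the faulting PC and about 80 bytes of user stack into the kernel log, so read access to that log should be limited accordingly.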
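--- a/arch/x86/mm/gup.c
+++ b/arch/x86/mm/gup.c
@@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
 addr = start;
 len = (unsigned long) nr_pages << PAGE_SHIFT;
 end = start + len;
- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
+ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
 (void __user *)start, len)))
 return 0;
 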
ae4e228f
MT
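--- a/arch/x86/mm/highmem_32.c
+++ b/arch/x86/mm/highmem_32.c
@@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
 idx = type + KM_TYPE_NR*smp_processor_id();
 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
 BUG_ON(!pte_none(*(kmap_pte-idx)));
+
+ pax_open_kernel();
 set_pte(kmap_pte-idx, mk_pte(page, prot));
+ pax_close_kernel();
 
 return (void *)vaddr;
 }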
ae4e228f
MT
16577diff -urNp linux-2.6.33.1/arch/x86/mm/hugetlbpage.c linux-2.6.33.1/arch/x86/mm/hugetlbpage.c
16578--- linux-2.6.33.1/arch/x86/mm/hugetlbpage.c 2010-03-15 12:09:39.000000000 -0400
16579+++ linux-2.6.33.1/arch/x86/mm/hugetlbpage.c 2010-03-20 16:58:39.032549699 -0400
58c5fc13
MT
16580@@ -267,13 +267,18 @@ static unsigned long hugetlb_get_unmappe
16581 struct hstate *h = hstate_file(file);
16582 struct mm_struct *mm = current->mm;
16583 struct vm_area_struct *vma;
16584- unsigned long start_addr;
16585+ unsigned long start_addr, pax_task_size = TASK_SIZE;
16586+
16587+#ifdef CONFIG_PAX_SEGMEXEC
16588+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16589+ pax_task_size = SEGMEXEC_TASK_SIZE;
16590+#endif
16591
16592 if (len > mm->cached_hole_size) {
16593- start_addr = mm->free_area_cache;
16594+ start_addr = mm->free_area_cache;
16595 } else {
16596- start_addr = TASK_UNMAPPED_BASE;
16597- mm->cached_hole_size = 0;
16598+ start_addr = mm->mmap_base;
16599+ mm->cached_hole_size = 0;
16600 }
16601
16602 full_search:
16603@@ -281,13 +286,13 @@ full_search:
16604
16605 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
16606 /* At this point: (!vma || addr < vma->vm_end). */
16607- if (TASK_SIZE - len < addr) {
16608+ if (pax_task_size - len < addr) {
16609 /*
16610 * Start a new search - just in case we missed
16611 * some holes.
16612 */
16613- if (start_addr != TASK_UNMAPPED_BASE) {
16614- start_addr = TASK_UNMAPPED_BASE;
16615+ if (start_addr != mm->mmap_base) {
16616+ start_addr = mm->mmap_base;
16617 mm->cached_hole_size = 0;
16618 goto full_search;
16619 }
16620@@ -310,9 +315,8 @@ static unsigned long hugetlb_get_unmappe
16621 struct hstate *h = hstate_file(file);
16622 struct mm_struct *mm = current->mm;
16623 struct vm_area_struct *vma, *prev_vma;
16624- unsigned long base = mm->mmap_base, addr = addr0;
16625+ unsigned long base = mm->mmap_base, addr;
16626 unsigned long largest_hole = mm->cached_hole_size;
16627- int first_time = 1;
16628
16629 /* don't allow allocations above current base */
16630 if (mm->free_area_cache > base)
16631@@ -322,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
16632 largest_hole = 0;
16633 mm->free_area_cache = base;
16634 }
16635-try_again:
16636+
16637 /* make sure it can fit in the remaining address space */
16638 if (mm->free_area_cache < len)
16639 goto fail;
16640@@ -364,22 +368,26 @@ try_again:
16641
16642 fail:
16643 /*
16644- * if hint left us with no space for the requested
16645- * mapping then try again:
16646- */
16647- if (first_time) {
16648- mm->free_area_cache = base;
16649- largest_hole = 0;
16650- first_time = 0;
16651- goto try_again;
16652- }
16653- /*
16654 * A failed mmap() very likely causes application failure,
16655 * so fall back to the bottom-up function here. This scenario
16656 * can happen with large stack limits and large mmap()
16657 * allocations.
16658 */
16659- mm->free_area_cache = TASK_UNMAPPED_BASE;
16660+
16661+#ifdef CONFIG_PAX_SEGMEXEC
16662+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16663+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
16664+ else
16665+#endif
16666+
16667+ mm->mmap_base = TASK_UNMAPPED_BASE;
16668+
16669+#ifdef CONFIG_PAX_RANDMMAP
16670+ if (mm->pax_flags & MF_PAX_RANDMMAP)
16671+ mm->mmap_base += mm->delta_mmap;
16672+#endif
16673+
16674+ mm->free_area_cache = mm->mmap_base;
16675 mm->cached_hole_size = ~0UL;
16676 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
16677 len, pgoff, flags);
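Review bot: In the `fail:` path the `else` that closes the `#ifdef CONFIG_PAX_SEGMEXEC` block binds to `mm->mmap_base = TASK_UNMAPPED_BASE;` two lines further down, across the `#endif` and a blank line, which is easy to break with a later insertion. Assigning `mm->mmap_base = TASK_UNMAPPED_BASE;` unconditionally first and then overriding it inside the `#ifdef` with a plain `if (mm->pax_flags & MF_PAX_SEGMEXEC) mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;` gives the same result without the dangling `else`. The hunk also removes the `first_time` retry and temporarily overwrites `mm->mmap_base`, which the next hunk restores. A comment noting that the field is borrowed for the bottom-up call would help. The function begins before this hunk and continues after it.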
16678@@ -387,6 +395,7 @@ fail:
16679 /*
16680 * Restore the topdown base:
16681 */
16682+ mm->mmap_base = base;
16683 mm->free_area_cache = base;
16684 mm->cached_hole_size = ~0UL;
16685
16686@@ -400,10 +409,17 @@ hugetlb_get_unmapped_area(struct file *f
16687 struct hstate *h = hstate_file(file);
16688 struct mm_struct *mm = current->mm;
16689 struct vm_area_struct *vma;
16690+ unsigned long pax_task_size = TASK_SIZE;
16691
16692 if (len & ~huge_page_mask(h))
16693 return -EINVAL;
16694- if (len > TASK_SIZE)
16695+
16696+#ifdef CONFIG_PAX_SEGMEXEC
16697+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
16698+ pax_task_size = SEGMEXEC_TASK_SIZE;
16699+#endif
16700+
16701+ if (len > pax_task_size)
16702 return -ENOMEM;
16703
16704 if (flags & MAP_FIXED) {
16705@@ -415,7 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
16706 if (addr) {
16707 addr = ALIGN(addr, huge_page_size(h));
16708 vma = find_vma(mm, addr);
16709- if (TASK_SIZE - len >= addr &&
16710+ if (pax_task_size - len >= addr &&
16711 (!vma || addr + len <= vma->vm_start))
16712 return addr;
16713 }
ae4e228f
MT
16714diff -urNp linux-2.6.33.1/arch/x86/mm/init_32.c linux-2.6.33.1/arch/x86/mm/init_32.c
16715--- linux-2.6.33.1/arch/x86/mm/init_32.c 2010-03-15 12:09:39.000000000 -0400
16716+++ linux-2.6.33.1/arch/x86/mm/init_32.c 2010-03-20 16:58:39.032549699 -0400
16717@@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
58c5fc13
MT
16718 }
16719
16720 /*
16721- * Creates a middle page table and puts a pointer to it in the
16722- * given global directory entry. This only returns the gd entry
16723- * in non-PAE compilation mode, since the middle layer is folded.
16724- */
16725-static pmd_t * __init one_md_table_init(pgd_t *pgd)
16726-{
16727- pud_t *pud;
16728- pmd_t *pmd_table;
16729-
16730-#ifdef CONFIG_X86_PAE
16731- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
16732- if (after_bootmem)
ae4e228f 16733- pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
58c5fc13
MT
16734- else
16735- pmd_table = (pmd_t *)alloc_low_page();
16736- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
16737- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
16738- pud = pud_offset(pgd, 0);
16739- BUG_ON(pmd_table != pmd_offset(pud, 0));
16740-
16741- return pmd_table;
16742- }
16743-#endif
16744- pud = pud_offset(pgd, 0);
16745- pmd_table = pmd_offset(pud, 0);
16746-
16747- return pmd_table;
16748-}
16749-
16750-/*
16751 * Create a page table and place a pointer to it in a middle page
16752 * directory entry:
16753 */
ae4e228f 16754@@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
58c5fc13
MT
16755 page_table = (pte_t *)alloc_low_page();
16756
16757 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
16758+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16759+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
16760+#else
16761 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
16762+#endif
16763 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
16764 }
16765
16766 return pte_offset_kernel(pmd, 0);
16767 }
16768
16769+static pmd_t * __init one_md_table_init(pgd_t *pgd)
16770+{
16771+ pud_t *pud;
16772+ pmd_t *pmd_table;
16773+
16774+ pud = pud_offset(pgd, 0);
16775+ pmd_table = pmd_offset(pud, 0);
16776+
16777+ return pmd_table;
16778+}
16779+
16780 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
16781 {
16782 int pgd_idx = pgd_index(vaddr);
ae4e228f 16783@@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
58c5fc13
MT
16784 int pgd_idx, pmd_idx;
16785 unsigned long vaddr;
16786 pgd_t *pgd;
16787+ pud_t *pud;
16788 pmd_t *pmd;
16789 pte_t *pte = NULL;
16790
ae4e228f 16791@@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
58c5fc13
MT
16792 pgd = pgd_base + pgd_idx;
16793
16794 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
16795- pmd = one_md_table_init(pgd);
16796- pmd = pmd + pmd_index(vaddr);
16797+ pud = pud_offset(pgd, vaddr);
16798+ pmd = pmd_offset(pud, vaddr);
16799+
16800+#ifdef CONFIG_X86_PAE
16801+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16802+#endif
16803+
16804 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
16805 pmd++, pmd_idx++) {
16806 pte = page_table_kmap_check(one_page_table_init(pmd),
ae4e228f 16807@@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
58c5fc13
MT
16808 }
16809 }
16810
16811-static inline int is_kernel_text(unsigned long addr)
16812+static inline int is_kernel_text(unsigned long start, unsigned long end)
16813 {
16814- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
16815- return 1;
16816- return 0;
ae4e228f 16817+ if ((start > ktla_ktva((unsigned long)_etext) ||
58c5fc13
MT
16818+ end <= ktla_ktva((unsigned long)_stext)) &&
16819+ (start > ktla_ktva((unsigned long)_einittext) ||
16820+ end <= ktla_ktva((unsigned long)_sinittext)) &&
ae4e228f
MT
16821+
16822+#ifdef CONFIG_ACPI_SLEEP
16823+ (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
16824+#endif
16825+
58c5fc13
MT
16826+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
16827+ return 0;
16828+ return 1;
16829 }
16830
16831 /*
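Review bot: The rewritten `is_kernel_text(start, end)` mixes an exclusive test on one side with an inclusive one on the other: a range counts as outside the text only if `end <= _stext` or `start > _etext`. If `_etext` is the first address past the text, as the half-open `end <= ...` side suggests, a page beginning exactly at `_etext` is still classified as text and mapped `PAGE_KERNEL_EXEC`. Using `start >= ktla_ktva((unsigned long)_etext)` (and likewise for `_einittext`) would avoid granting execute permission to that page. The constants `0x4000`, `0xc0000` and `0xfffff` also have no comment saying which regions they cover.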
ae4e228f 16832@@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
58c5fc13
MT
16833 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
16834 unsigned long start_pfn, end_pfn;
16835 pgd_t *pgd_base = swapper_pg_dir;
16836- int pgd_idx, pmd_idx, pte_ofs;
16837+ unsigned int pgd_idx, pmd_idx, pte_ofs;
16838 unsigned long pfn;
16839 pgd_t *pgd;
16840+ pud_t *pud;
16841 pmd_t *pmd;
16842 pte_t *pte;
16843 unsigned pages_2m, pages_4k;
ae4e228f 16844@@ -278,8 +279,13 @@ repeat:
58c5fc13
MT
16845 pfn = start_pfn;
16846 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16847 pgd = pgd_base + pgd_idx;
16848- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
16849- pmd = one_md_table_init(pgd);
16850+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
16851+ pud = pud_offset(pgd, 0);
16852+ pmd = pmd_offset(pud, 0);
16853+
16854+#ifdef CONFIG_X86_PAE
16855+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
16856+#endif
16857
16858 if (pfn >= end_pfn)
16859 continue;
ae4e228f 16860@@ -291,14 +297,13 @@ repeat:
58c5fc13
MT
16861 #endif
16862 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
16863 pmd++, pmd_idx++) {
16864- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
16865+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
16866
16867 /*
16868 * Map with big pages if possible, otherwise
16869 * create normal page tables:
16870 */
16871 if (use_pse) {
16872- unsigned int addr2;
16873 pgprot_t prot = PAGE_KERNEL_LARGE;
16874 /*
16875 * first pass will use the same initial
ae4e228f 16876@@ -308,11 +313,7 @@ repeat:
58c5fc13
MT
16877 __pgprot(PTE_IDENT_ATTR |
16878 _PAGE_PSE);
16879
16880- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
16881- PAGE_OFFSET + PAGE_SIZE-1;
16882-
16883- if (is_kernel_text(addr) ||
16884- is_kernel_text(addr2))
16885+ if (is_kernel_text(address, address + PMD_SIZE))
16886 prot = PAGE_KERNEL_LARGE_EXEC;
16887
16888 pages_2m++;
ae4e228f 16889@@ -329,7 +330,7 @@ repeat:
58c5fc13
MT
16890 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
16891 pte += pte_ofs;
16892 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
16893- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
16894+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
16895 pgprot_t prot = PAGE_KERNEL;
16896 /*
16897 * first pass will use the same initial
ae4e228f 16898@@ -337,7 +338,7 @@ repeat:
58c5fc13
MT
16899 */
16900 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
16901
16902- if (is_kernel_text(addr))
16903+ if (is_kernel_text(address, address + PAGE_SIZE))
16904 prot = PAGE_KERNEL_EXEC;
16905
16906 pages_4k++;
ae4e228f 16907@@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
58c5fc13
MT
16908
16909 pud = pud_offset(pgd, va);
16910 pmd = pmd_offset(pud, va);
16911- if (!pmd_present(*pmd))
16912+ if (!pmd_present(*pmd) || pmd_huge(*pmd))
16913 break;
16914
16915 pte = pte_offset_kernel(pmd, va);
ae4e228f 16916@@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
58c5fc13
MT
16917
16918 static void __init pagetable_init(void)
16919 {
16920- pgd_t *pgd_base = swapper_pg_dir;
16921-
16922- permanent_kmaps_init(pgd_base);
16923+ permanent_kmaps_init(swapper_pg_dir);
16924 }
16925
16926 #ifdef CONFIG_ACPI_SLEEP
ae4e228f 16927@@ -551,12 +550,12 @@ static void __init pagetable_init(void)
58c5fc13
MT
16928 * ACPI suspend needs this for resume, because things like the intel-agp
16929 * driver might have split up a kernel 4MB mapping.
16930 */
16931-char swsusp_pg_dir[PAGE_SIZE]
16932+pgd_t swsusp_pg_dir[PTRS_PER_PGD]
16933 __attribute__ ((aligned(PAGE_SIZE)));
16934
16935 static inline void save_pg_dir(void)
16936 {
16937- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
16938+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
16939 }
16940 #else /* !CONFIG_ACPI_SLEEP */
16941 static inline void save_pg_dir(void)
ae4e228f 16942@@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
58c5fc13
MT
16943 flush_tlb_all();
16944 }
16945
16946-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16947+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
16948 EXPORT_SYMBOL_GPL(__supported_pte_mask);
16949
16950 /* user-defined highmem size */
ae4e228f
MT
16951@@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
16952 * Initialize the boot-time allocator (with low memory only):
16953 */
16954 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
16955- bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
16956+ bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
16957 PAGE_SIZE);
16958 if (bootmap == -1L)
16959 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
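Review bot: The new lower bound `0x100000` in the `find_e820_area()` call is a bare magic number, and the same 1 MiB boundary is written as `start = 0x100000` in the find_early_table_space hunk of arch/x86/mm/init.c and as `pfn >= 0x100` in the __ioremap_caller hunk of arch/x86/mm/ioremap.c. Other hunks of this patch already use `ISA_END_ADDRESS` for that boundary, so, assuming it is still 0x100000 as upstream, `find_e820_area(ISA_END_ADDRESS, ...)` and `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)` would keep the three sites in step. A one-line comment on why boot-time allocations must stay out of the first megabyte would also help, since none of the hunks says.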
16960@@ -881,7 +880,7 @@ void __init mem_init(void)
58c5fc13
MT
16961 set_highmem_pages_init();
16962
16963 codesize = (unsigned long) &_etext - (unsigned long) &_text;
16964- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
16965+ datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
16966 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
16967
ae4e228f
MT
16968 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
16969@@ -922,10 +921,10 @@ void __init mem_init(void)
58c5fc13
MT
16970 ((unsigned long)&__init_end -
16971 (unsigned long)&__init_begin) >> 10,
16972
16973- (unsigned long)&_etext, (unsigned long)&_edata,
16974- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
16975+ (unsigned long)&_sdata, (unsigned long)&_edata,
16976+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
16977
16978- (unsigned long)&_text, (unsigned long)&_etext,
16979+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
16980 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
16981
16982 /*
ae4e228f
MT
16983@@ -1006,6 +1005,7 @@ void set_kernel_text_rw(void)
16984 if (!kernel_set_to_readonly)
16985 return;
58c5fc13 16986
ae4e228f
MT
16987+ start = ktla_ktva(start);
16988 pr_debug("Set kernel text: %lx - %lx for read write\n",
16989 start, start+size);
16990
16991@@ -1020,6 +1020,7 @@ void set_kernel_text_ro(void)
16992 if (!kernel_set_to_readonly)
16993 return;
16994
16995+ start = ktla_ktva(start);
16996 pr_debug("Set kernel text: %lx - %lx for read only\n",
16997 start, start+size);
16998
16999@@ -1031,6 +1032,7 @@ void mark_rodata_ro(void)
17000 unsigned long start = PFN_ALIGN(_text);
17001 unsigned long size = PFN_ALIGN(_etext) - start;
17002
17003+ start = ktla_ktva(start);
17004 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
17005 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
17006 size >> 10);
17007diff -urNp linux-2.6.33.1/arch/x86/mm/init_64.c linux-2.6.33.1/arch/x86/mm/init_64.c
17008--- linux-2.6.33.1/arch/x86/mm/init_64.c 2010-03-15 12:09:39.000000000 -0400
17009+++ linux-2.6.33.1/arch/x86/mm/init_64.c 2010-03-20 16:58:39.032549699 -0400
17010@@ -73,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
17011 * around without checking the pgd every time.
17012 */
17013
17014-pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
17015+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
17016 EXPORT_SYMBOL_GPL(__supported_pte_mask);
17017
17018 int force_personality32;
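Review bot: The new initial value `~(_PAGE_NX | _PAGE_IOMAP)` leaves `_PAGE_NX` masked out of `__supported_pte_mask` until some other code sets it, and that code is not in this hunk. Expressions such as `_PAGE_NX & __supported_pte_mask` in the free_initmem hunk of arch/x86/mm/init.c evaluate to 0 while the bit is clear, so a missed or late enable would silently leave those mappings executable. Because the variable is now also `__read_only`, the enabling write presumably has to happen before write protection applies or inside a `pax_open_kernel()` section. I would add a comment above the definition naming where NX is turned on, e.g. `/* _PAGE_NX is added at boot once NX support is confirmed */`.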
17019@@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
58c5fc13
MT
17020 pmd = fill_pmd(pud, vaddr);
17021 pte = fill_pte(pmd, vaddr);
17022
ae4e228f 17023+ pax_open_kernel();
58c5fc13 17024 set_pte(pte, new_pte);
ae4e228f 17025+ pax_close_kernel();
58c5fc13 17026
58c5fc13
MT
17027 /*
17028 * It's enough to flush this one mapping.
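Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair added around `set_pte(pte, new_pte)` has no comment saying what it protects, and the same bare pairing recurs in kmap_atomic_prot_pfn (arch/x86/mm/iomap_32.c), __set_pmd_pte (arch/x86/mm/pageattr.c) and set_pte_vaddr (arch/x86/mm/pgtable_32.c). Their definitions are not visible here; presumably they lift and restore kernel write protection, in which case the window should stay as small as it is and must never contain an early return. If that reading is right, a one-line comment at each site, e.g. `/* kernel page tables are write-protected; open a write window for this store only */`, would tell the next editor not to add code between the two calls. The function body starts and ends outside the hunk.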
ae4e228f 17029@@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
58c5fc13
MT
17030 pgd = pgd_offset_k((unsigned long)__va(phys));
17031 if (pgd_none(*pgd)) {
17032 pud = (pud_t *) spp_getpage();
17033- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
17034- _PAGE_USER));
17035+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
17036 }
17037 pud = pud_offset(pgd, (unsigned long)__va(phys));
17038 if (pud_none(*pud)) {
17039 pmd = (pmd_t *) spp_getpage();
17040- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
17041- _PAGE_USER));
17042+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
17043 }
17044 pmd = pmd_offset(pud, phys);
17045 BUG_ON(!pmd_none(*pmd));
ae4e228f 17046@@ -882,8 +882,8 @@ int kern_addr_valid(unsigned long addr)
58c5fc13
MT
17047 static struct vm_area_struct gate_vma = {
17048 .vm_start = VSYSCALL_START,
17049 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
17050- .vm_page_prot = PAGE_READONLY_EXEC,
17051- .vm_flags = VM_READ | VM_EXEC
17052+ .vm_page_prot = PAGE_READONLY,
17053+ .vm_flags = VM_READ
17054 };
17055
17056 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
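Review bot: Dropping `VM_EXEC` and switching `.vm_page_prot` to `PAGE_READONLY` changes only how `gate_vma` describes the vsyscall range to its consumers; whether the page-table mapping of that range is also made non-executable is not visible in this hunk. If user space can still execute there, the VMA now disagrees with the real mapping. A comment on the struct should state which behaviour is intended and name the code that enforces it.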
ae4e228f 17057@@ -917,7 +917,7 @@ int in_gate_area_no_task(unsigned long a
58c5fc13
MT
17058
17059 const char *arch_vma_name(struct vm_area_struct *vma)
17060 {
17061- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
17062+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
17063 return "[vdso]";
17064 if (vma == &gate_vma)
17065 return "[vsyscall]";
ae4e228f
MT
17066diff -urNp linux-2.6.33.1/arch/x86/mm/init.c linux-2.6.33.1/arch/x86/mm/init.c
17067--- linux-2.6.33.1/arch/x86/mm/init.c 2010-03-15 12:09:39.000000000 -0400
17068+++ linux-2.6.33.1/arch/x86/mm/init.c 2010-03-20 16:58:39.036535097 -0400
17069@@ -69,11 +69,7 @@ static void __init find_early_table_spac
17070 * cause a hotspot and fill up ZONE_DMA. The page tables
17071 * need roughly 0.5KB per GB.
17072 */
17073-#ifdef CONFIG_X86_32
17074- start = 0x7000;
17075-#else
17076- start = 0x8000;
17077-#endif
17078+ start = 0x100000;
17079 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
17080 tables, PAGE_SIZE);
17081 if (e820_table_start == -1UL)
17082@@ -327,7 +323,13 @@ unsigned long __init_refok init_memory_m
58c5fc13
MT
17083 */
17084 int devmem_is_allowed(unsigned long pagenr)
17085 {
17086- if (pagenr <= 256)
17087+ if (!pagenr)
17088+ return 1;
17089+#ifdef CONFIG_VM86
17090+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
17091+ return 1;
17092+#endif
17093+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
17094 return 1;
17095 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
17096 return 0;
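Review bot: The rewritten test in devmem_is_allowed() no longer admits every page up to 256, yet the doc comment that ends just above the function (its text is outside the hunk) is not touched by this change and may still describe the old rule. Page 0 is now always allowed, pages below `ISA_START_ADDRESS` only under `CONFIG_VM86`, and the ISA range always; without `CONFIG_VM86` the low pages fall through to the `iomem_is_exclusive()` test and whatever follows it. I would update the header comment to list these three cases and add the reason for each, since none is given. The function body continues outside the hunk.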
ae4e228f 17097@@ -375,6 +377,87 @@ void free_init_pages(char *what, unsigne
58c5fc13
MT
17098
17099 void free_initmem(void)
17100 {
17101+
17102+#ifdef CONFIG_PAX_KERNEXEC
17103+ pgd_t *pgd;
17104+ pud_t *pud;
17105+ pmd_t *pmd;
17106+
17107+#ifdef CONFIG_X86_32
17108+ /* PaX: limit KERNEL_CS to actual size */
17109+ unsigned long addr, limit;
17110+ struct desc_struct d;
17111+ int cpu;
17112+
ae4e228f 17113+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
58c5fc13
MT
17114+ limit = (limit - 1UL) >> PAGE_SHIFT;
17115+
17116+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
17117+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
17118+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
17119+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
17120+ }
17121+
17122+ /* PaX: make KERNEL_CS read-only */
ae4e228f
MT
17123+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
17124+ if (!paravirt_enabled())
17125+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
17126+/*
17127+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
17128+ pgd = pgd_offset_k(addr);
17129+ pud = pud_offset(pgd, addr);
17130+ pmd = pmd_offset(pud, addr);
17131+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17132+ }
17133+*/
58c5fc13 17134+#ifdef CONFIG_X86_PAE
ae4e228f 17135+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
58c5fc13
MT
17136+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
17137+ pgd = pgd_offset_k(addr);
17138+ pud = pud_offset(pgd, addr);
17139+ pmd = pmd_offset(pud, addr);
17140+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17141+ }
17142+#endif
ae4e228f
MT
17143+
17144+#ifdef CONFIG_MODULES
17145+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
17146+#endif
17147+
58c5fc13
MT
17148+#else
17149+ unsigned long addr, end;
17150+
17151+ /* PaX: make kernel code/rodata read-only, rest non-executable */
17152+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
17153+ pgd = pgd_offset_k(addr);
17154+ pud = pud_offset(pgd, addr);
17155+ pmd = pmd_offset(pud, addr);
ae4e228f
MT
17156+ if (!pmd_present(*pmd))
17157+ continue;
58c5fc13
MT
17158+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
17159+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17160+ else
17161+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17162+ }
17163+
17164+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
17165+ end = addr + KERNEL_IMAGE_SIZE;
17166+ for (; addr < end; addr += PMD_SIZE) {
17167+ pgd = pgd_offset_k(addr);
17168+ pud = pud_offset(pgd, addr);
17169+ pmd = pmd_offset(pud, addr);
ae4e228f
MT
17170+ if (!pmd_present(*pmd))
17171+ continue;
58c5fc13
MT
17172+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
17173+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
17174+ else
17175+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
17176+ }
17177+#endif
17178+
17179+ flush_tlb_all();
17180+#endif
17181+
17182 free_init_pages("unused kernel memory",
17183 (unsigned long)(&__init_begin),
17184 (unsigned long)(&__init_end));
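Review bot: Both x86-64 loops in the added block walk in `PMD_SIZE` steps and choose between clearing `_PAGE_RW` and setting NX by testing only the first address of each pmd against `_text` and `_sdata`, so the result is right only if those symbols are PMD-aligned and each pmd is a large-page mapping; nothing visible here checks either. A pmd that starts below `_sdata` but extends past it would make the start of the data read-only, and a pmd that starts below `_text` but contains text would be marked non-executable. I would state the requirement in the comment, `/* requires _text and _sdata to be PMD_SIZE-aligned */`, or add `BUG_ON((unsigned long)_sdata & ~PMD_MASK)` before the loop. Separately, in the 32-bit branch `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` passes an integer where a pointer is expected and wants a `(void *)` cast, and the commented-out `set_pmd` loop should be deleted rather than shipped. free_initmem's body continues outside the hunk.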
ae4e228f
MT
17185diff -urNp linux-2.6.33.1/arch/x86/mm/iomap_32.c linux-2.6.33.1/arch/x86/mm/iomap_32.c
17186--- linux-2.6.33.1/arch/x86/mm/iomap_32.c 2010-03-15 12:09:39.000000000 -0400
17187+++ linux-2.6.33.1/arch/x86/mm/iomap_32.c 2010-03-20 16:58:39.036535097 -0400
17188@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
58c5fc13
MT
17189 debug_kmap_atomic(type);
17190 idx = type + KM_TYPE_NR * smp_processor_id();
17191 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17192+
ae4e228f 17193+ pax_open_kernel();
58c5fc13 17194 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
ae4e228f 17195+ pax_close_kernel();
58c5fc13
MT
17196+
17197 arch_flush_lazy_mmu_mode();
17198
17199 return (void *)vaddr;
ae4e228f
MT
17200diff -urNp linux-2.6.33.1/arch/x86/mm/ioremap.c linux-2.6.33.1/arch/x86/mm/ioremap.c
17201--- linux-2.6.33.1/arch/x86/mm/ioremap.c 2010-03-15 12:09:39.000000000 -0400
17202+++ linux-2.6.33.1/arch/x86/mm/ioremap.c 2010-03-20 16:58:39.036535097 -0400
17203@@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
58c5fc13
MT
17204 * Second special case: Some BIOSen report the PC BIOS
17205 * area (640->1Mb) as ram even though it is not.
17206 */
17207- if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
17208- pagenr < (BIOS_END >> PAGE_SHIFT))
17209+ if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
17210+ pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
17211 return 0;
17212
17213 for (i = 0; i < e820.nr_map; i++) {
ae4e228f 17214@@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
58c5fc13
MT
17215 /*
17216 * Don't allow anybody to remap normal RAM that we're using..
17217 */
17218- for (pfn = phys_addr >> PAGE_SHIFT;
17219- (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
17220- pfn++) {
17221-
17222+ for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
17223 int is_ram = page_is_ram(pfn);
17224
ae4e228f
MT
17225- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
17226+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
17227 return NULL;
17228 WARN_ON_ONCE(is_ram);
58c5fc13 17229 }
ae4e228f 17230@@ -383,7 +380,7 @@ static int __init early_ioremap_debug_se
58c5fc13
MT
17231 early_param("early_ioremap_debug", early_ioremap_debug_setup);
17232
17233 static __initdata int after_paging_init;
17234-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
17235+static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
17236
17237 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
17238 {
ae4e228f 17239@@ -415,8 +412,7 @@ void __init early_ioremap_init(void)
58c5fc13
MT
17240 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
17241
17242 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
17243- memset(bm_pte, 0, sizeof(bm_pte));
17244- pmd_populate_kernel(&init_mm, pmd, bm_pte);
17245+ pmd_populate_user(&init_mm, pmd, bm_pte);
17246
17247 /*
17248 * The boot-ioremap range spans multiple pmds, for which
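Review bot: Replacing `pmd_populate_kernel()` with `pmd_populate_user()` for `bm_pte` needs a justification in the code, because `bm_pte` backs the kernel's boot-time fixmap slots and the name suggests the pmd entry is now installed with user-level table flags. Its definition is not in this hunk, so that reading is inferred from the name only. The dropped `memset(bm_pte, 0, sizeof(bm_pte))` follows from the `__read_only` placement in the previous hunk, and is fine only if the array is statically zero and every later write to it goes through a write window. A comment such as `/* bm_pte is statically zeroed and __read_only; do not memset */` would record that. early_ioremap_init's body continues outside the hunk.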
ae4e228f
MT
17249diff -urNp linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c
17250--- linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c 2010-03-15 12:09:39.000000000 -0400
17251+++ linux-2.6.33.1/arch/x86/mm/kmemcheck/kmemcheck.c 2010-03-20 16:58:39.036535097 -0400
17252@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
17253 * memory (e.g. tracked pages)? For now, we need this to avoid
17254 * invoking kmemcheck for PnP BIOS calls.
17255 */
17256- if (regs->flags & X86_VM_MASK)
17257+ if (v8086_mode(regs))
17258 return false;
17259- if (regs->cs != __KERNEL_CS)
17260+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
17261 return false;
17262
17263 pte = kmemcheck_pte_lookup(address);
17264diff -urNp linux-2.6.33.1/arch/x86/mm/mmap.c linux-2.6.33.1/arch/x86/mm/mmap.c
17265--- linux-2.6.33.1/arch/x86/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
17266+++ linux-2.6.33.1/arch/x86/mm/mmap.c 2010-03-20 16:58:39.036535097 -0400
17267@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
17268 * Leave an at least ~128 MB hole with possible stack randomization.
58c5fc13 17269 */
ae4e228f 17270 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
58c5fc13
MT
17271-#define MAX_GAP (TASK_SIZE/6*5)
17272+#define MAX_GAP (pax_task_size/6*5)
17273
17274 /*
17275 * True on X86_32 or when emulating IA32 on X86_64
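Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, where `pax_task_size` is a local variable declared only inside mmap_base() in the next hunk, so the macro silently captures a name from whatever scope uses it. Any other use of `MAX_GAP` would fail to compile or, worse, bind to an unrelated variable of that name. Passing the size explicitly keeps the macro self-contained: `#define MAX_GAP(size) ((size)/6*5)`, with `else if (gap > MAX_GAP(pax_task_size))` and `gap = MAX_GAP(pax_task_size);` in mmap_base().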
ae4e228f 17276@@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
58c5fc13
MT
17277 return rnd << PAGE_SHIFT;
17278 }
17279
17280-static unsigned long mmap_base(void)
17281+static unsigned long mmap_base(struct mm_struct *mm)
17282 {
17283 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
17284+ unsigned long pax_task_size = TASK_SIZE;
17285+
17286+#ifdef CONFIG_PAX_SEGMEXEC
17287+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
17288+ pax_task_size = SEGMEXEC_TASK_SIZE;
17289+#endif
17290
17291 if (gap < MIN_GAP)
17292 gap = MIN_GAP;
17293 else if (gap > MAX_GAP)
17294 gap = MAX_GAP;
17295
17296- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
17297+ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
17298 }
17299
17300 /*
17301 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
17302 * does, but not when emulating X86_32
17303 */
17304-static unsigned long mmap_legacy_base(void)
17305+static unsigned long mmap_legacy_base(struct mm_struct *mm)
17306 {
17307- if (mmap_is_ia32())
17308+ if (mmap_is_ia32()) {
17309+
17310+#ifdef CONFIG_PAX_SEGMEXEC
17311+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
17312+ return SEGMEXEC_TASK_UNMAPPED_BASE;
17313+ else
17314+#endif
17315+
17316 return TASK_UNMAPPED_BASE;
17317- else
17318+ } else
17319 return TASK_UNMAPPED_BASE + mmap_rnd();
17320 }
17321
ae4e228f 17322@@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
58c5fc13
MT
17323 void arch_pick_mmap_layout(struct mm_struct *mm)
17324 {
17325 if (mmap_is_legacy()) {
17326- mm->mmap_base = mmap_legacy_base();
17327+ mm->mmap_base = mmap_legacy_base(mm);
17328+
17329+#ifdef CONFIG_PAX_RANDMMAP
17330+ if (mm->pax_flags & MF_PAX_RANDMMAP)
17331+ mm->mmap_base += mm->delta_mmap;
17332+#endif
17333+
17334 mm->get_unmapped_area = arch_get_unmapped_area;
17335 mm->unmap_area = arch_unmap_area;
17336 } else {
17337- mm->mmap_base = mmap_base();
17338+ mm->mmap_base = mmap_base(mm);
17339+
17340+#ifdef CONFIG_PAX_RANDMMAP
17341+ if (mm->pax_flags & MF_PAX_RANDMMAP)
17342+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
17343+#endif
17344+
17345 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
17346 mm->unmap_area = arch_unmap_area_topdown;
17347 }
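Review bot: In the top-down branch `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is applied with no lower bound, on top of a base from which mmap_base() has already subtracted `gap` (up to `MAX_GAP`) and `mmap_rnd()`. The ranges of `delta_mmap` and `delta_stack` are not visible here, so whether the result can wrap or land unreasonably low for a large `RLIMIT_STACK` cannot be confirmed from this hunk. I would either clamp the result or document the bound that makes the subtraction safe, in a comment directly above it. It is also worth a line on whether stacking the PaX delta on top of `mmap_rnd()` is intended. arch_pick_mmap_layout's closing lines are outside the hunk.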
ae4e228f
MT
17348diff -urNp linux-2.6.33.1/arch/x86/mm/numa_32.c linux-2.6.33.1/arch/x86/mm/numa_32.c
17349--- linux-2.6.33.1/arch/x86/mm/numa_32.c 2010-03-15 12:09:39.000000000 -0400
17350+++ linux-2.6.33.1/arch/x86/mm/numa_32.c 2010-03-20 16:58:39.036535097 -0400
58c5fc13
MT
17351@@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
17352 }
17353 #endif
17354
17355-extern unsigned long find_max_low_pfn(void);
17356 extern unsigned long highend_pfn, highstart_pfn;
17357
17358 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
ae4e228f
MT
17359diff -urNp linux-2.6.33.1/arch/x86/mm/pageattr.c linux-2.6.33.1/arch/x86/mm/pageattr.c
17360--- linux-2.6.33.1/arch/x86/mm/pageattr.c 2010-03-15 12:09:39.000000000 -0400
17361+++ linux-2.6.33.1/arch/x86/mm/pageattr.c 2010-03-20 16:58:39.036535097 -0400
17362@@ -268,9 +268,10 @@ static inline pgprot_t static_protection
58c5fc13
MT
17363 * Does not cover __inittext since that is gone later on. On
17364 * 64bit we do not enforce !NX on the low mapping
17365 */
17366- if (within(address, (unsigned long)_text, (unsigned long)_etext))
17367+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
17368 pgprot_val(forbidden) |= _PAGE_NX;
17369
17370+#ifdef CONFIG_DEBUG_RODATA
17371 /*
17372 * The .rodata section needs to be read-only. Using the pfn
17373 * catches all aliases.
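Review bot: The `#ifdef CONFIG_DEBUG_RODATA` opened here and closed by the `#endif` in the next hunk means static_protections() stops forbidding `_PAGE_RW` on the `.rodata` pfn range whenever that option is off. The context lines show the check was unconditional before, so this reduces protection for such configurations unless another part of the patch keeps `.rodata` read-only, which is not visible in these hunks. A comment next to the `#ifdef` should say what covers `.rodata` when `CONFIG_DEBUG_RODATA` is disabled. static_protections() starts and ends outside the hunk.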
ae4e228f 17374@@ -278,6 +279,7 @@ static inline pgprot_t static_protection
58c5fc13
MT
17375 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
17376 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
17377 pgprot_val(forbidden) |= _PAGE_RW;
17378+#endif
17379
ae4e228f
MT
17380 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
17381 /*
17382@@ -347,7 +349,10 @@ EXPORT_SYMBOL_GPL(lookup_address);
58c5fc13
MT
17383 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
17384 {
58c5fc13 17385 /* change init_mm */
ae4e228f 17386+ pax_open_kernel();
58c5fc13 17387 set_pte_atomic(kpte, pte);
ae4e228f 17388+ pax_close_kernel();
58c5fc13
MT
17389+
17390 #ifdef CONFIG_X86_32
17391 if (!SHARED_KERNEL_PMD) {
17392 struct page *page;
ae4e228f
MT
17393diff -urNp linux-2.6.33.1/arch/x86/mm/pageattr-test.c linux-2.6.33.1/arch/x86/mm/pageattr-test.c
17394--- linux-2.6.33.1/arch/x86/mm/pageattr-test.c 2010-03-15 12:09:39.000000000 -0400
17395+++ linux-2.6.33.1/arch/x86/mm/pageattr-test.c 2010-03-20 16:58:39.036535097 -0400
58c5fc13
MT
17396@@ -36,7 +36,7 @@ enum {
17397
17398 static int pte_testbit(pte_t pte)
17399 {
17400- return pte_flags(pte) & _PAGE_UNUSED1;
17401+ return pte_flags(pte) & _PAGE_CPA_TEST;
17402 }
17403
17404 struct split_state {
ae4e228f
MT
17405diff -urNp linux-2.6.33.1/arch/x86/mm/pat.c linux-2.6.33.1/arch/x86/mm/pat.c
17406--- linux-2.6.33.1/arch/x86/mm/pat.c 2010-03-15 12:09:39.000000000 -0400
17407+++ linux-2.6.33.1/arch/x86/mm/pat.c 2010-03-20 16:58:39.036535097 -0400
17408@@ -259,7 +259,7 @@ chk_conflict(struct memtype *new, struct
58c5fc13
MT
17409
17410 conflict:
17411 printk(KERN_INFO "%s:%d conflicting memory types "
17412- "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
17413+ "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
17414 new->end, cattr_name(new->type), cattr_name(entry->type));
17415 return -EBUSY;
17416 }
ae4e228f 17417@@ -555,7 +555,7 @@ unlock_ret:
58c5fc13
MT
17418
17419 if (err) {
17420 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
17421- current->comm, current->pid, start, end);
17422+ current->comm, task_pid_nr(current), start, end);
17423 }
17424
17425 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
ae4e228f 17426@@ -750,7 +750,7 @@ int kernel_map_sync_memtype(u64 base, un
58c5fc13
MT
17427 printk(KERN_INFO
17428 "%s:%d ioremap_change_attr failed %s "
17429 "for %Lx-%Lx\n",
17430- current->comm, current->pid,
17431+ current->comm, task_pid_nr(current),
17432 cattr_name(flags),
17433 base, (unsigned long long)(base + size));
17434 return -EINVAL;
ae4e228f 17435@@ -808,7 +808,7 @@ static int reserve_pfn_range(u64 paddr,
58c5fc13
MT
17436 free_memtype(paddr, paddr + size);
17437 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
17438 " for %Lx-%Lx, got %s\n",
17439- current->comm, current->pid,
17440+ current->comm, task_pid_nr(current),
17441 cattr_name(want_flags),
17442 (unsigned long long)paddr,
17443 (unsigned long long)(paddr + size),
ae4e228f
MT
17444diff -urNp linux-2.6.33.1/arch/x86/mm/pgtable_32.c linux-2.6.33.1/arch/x86/mm/pgtable_32.c
17445--- linux-2.6.33.1/arch/x86/mm/pgtable_32.c 2010-03-15 12:09:39.000000000 -0400
17446+++ linux-2.6.33.1/arch/x86/mm/pgtable_32.c 2010-03-20 16:58:39.036535097 -0400
17447@@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
58c5fc13
MT
17448 return;
17449 }
17450 pte = pte_offset_kernel(pmd, vaddr);
17451+
ae4e228f 17452+ pax_open_kernel();
58c5fc13
MT
17453 if (pte_val(pteval))
17454 set_pte_at(&init_mm, vaddr, pte, pteval);
17455 else
17456 pte_clear(&init_mm, vaddr, pte);
ae4e228f 17457+ pax_close_kernel();
58c5fc13 17458
58c5fc13
MT
17459 /*
17460 * It's enough to flush this one mapping.
ae4e228f
MT
17461diff -urNp linux-2.6.33.1/arch/x86/mm/tlb.c linux-2.6.33.1/arch/x86/mm/tlb.c
17462--- linux-2.6.33.1/arch/x86/mm/tlb.c 2010-03-15 12:09:39.000000000 -0400
17463+++ linux-2.6.33.1/arch/x86/mm/tlb.c 2010-03-20 16:58:39.036535097 -0400
17464@@ -13,7 +13,7 @@
58c5fc13
MT
17465 #include <asm/uv/uv.h>
17466
17467 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
17468- = { &init_mm, 0, };
17469+ = { &init_mm, 0 };
17470
17471 /*
17472 * Smarter SMP flushing macros.
ae4e228f
MT
17473diff -urNp linux-2.6.33.1/arch/x86/oprofile/backtrace.c linux-2.6.33.1/arch/x86/oprofile/backtrace.c
17474--- linux-2.6.33.1/arch/x86/oprofile/backtrace.c 2010-03-15 12:09:39.000000000 -0400
17475+++ linux-2.6.33.1/arch/x86/oprofile/backtrace.c 2010-03-20 17:06:47.204705877 -0400
17476@@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
17477 struct frame_head bufhead[2];
17478
17479 /* Also check accessibility of one struct frame_head beyond */
17480- if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
17481+ if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
17482 return NULL;
17483 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
17484 return NULL;
17485@@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
58c5fc13
MT
17486 {
17487 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
17488
17489- if (!user_mode_vm(regs)) {
17490+ if (!user_mode(regs)) {
17491 unsigned long stack = kernel_stack_pointer(regs);
17492 if (depth)
17493 dump_trace(NULL, regs, (unsigned long *)stack, 0,
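Review bot: Swapping `user_mode_vm(regs)` for `user_mode(regs)` in x86_backtrace() is safe only if this patch redefines `user_mode()` to cover vm86 mode; in the unpatched kernel `user_mode()` looks at the CS privilege bits alone on 32-bit, so a vm86 frame could be treated as a kernel stack. That redefinition is not visible in this hunk. The same applies to `__access_ok()` replacing `access_ok()` in dump_user_backtrace() in the previous hunk: a comment should say why the double-underscore variant is the right one in this context. x86_backtrace's body continues outside the hunk.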
ae4e228f
MT
17494diff -urNp linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c
17495--- linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c 2010-03-15 12:09:39.000000000 -0400
17496+++ linux-2.6.33.1/arch/x86/oprofile/op_model_p4.c 2010-03-20 16:58:39.036535097 -0400
17497@@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
58c5fc13
MT
17498 #endif
17499 }
17500
17501-static int inline addr_increment(void)
17502+static inline int addr_increment(void)
17503 {
17504 #ifdef CONFIG_SMP
17505 return smp_num_siblings == 2 ? 2 : 1;
ae4e228f
MT
17506diff -urNp linux-2.6.33.1/arch/x86/pci/common.c linux-2.6.33.1/arch/x86/pci/common.c
17507--- linux-2.6.33.1/arch/x86/pci/common.c 2010-03-15 12:09:39.000000000 -0400
17508+++ linux-2.6.33.1/arch/x86/pci/common.c 2010-03-20 16:58:39.036535097 -0400
17509@@ -31,8 +31,8 @@ int noioapicreroute = 1;
17510 int pcibios_last_bus = -1;
17511 unsigned long pirq_table_addr;
17512 struct pci_bus *pci_root_bus;
17513-struct pci_raw_ops *raw_pci_ops;
17514-struct pci_raw_ops *raw_pci_ext_ops;
17515+const struct pci_raw_ops *raw_pci_ops;
17516+const struct pci_raw_ops *raw_pci_ext_ops;
17517
17518 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
17519 int reg, int len, u32 *val)
58c5fc13
MT
17520@@ -370,7 +370,7 @@ static const struct dmi_system_id __devi
17521 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
17522 },
17523 },
17524- {}
17525+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
17526 };
17527
17528 void __init dmi_check_pciprobe(void)
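Review bot: The sentinel `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` is written positionally, so it silently depends on the field order of `struct dmi_system_id`; the same form is used in the two arch/x86/pci/fixup.c hunks and the second arch/x86/pci/irq.c hunk. The `{}` it replaces was already a fully zeroed terminator, so presumably the change only silences a missing-initializer warning. A designated form such as `{ .ident = NULL }` keeps the entry zeroed without tying it to the struct layout.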
ae4e228f
MT
17529diff -urNp linux-2.6.33.1/arch/x86/pci/direct.c linux-2.6.33.1/arch/x86/pci/direct.c
17530--- linux-2.6.33.1/arch/x86/pci/direct.c 2010-03-15 12:09:39.000000000 -0400
17531+++ linux-2.6.33.1/arch/x86/pci/direct.c 2010-03-20 16:58:39.040721575 -0400
17532@@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
17533
17534 #undef PCI_CONF1_ADDRESS
17535
17536-struct pci_raw_ops pci_direct_conf1 = {
17537+const struct pci_raw_ops pci_direct_conf1 = {
17538 .read = pci_conf1_read,
17539 .write = pci_conf1_write,
17540 };
17541@@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
17542
17543 #undef PCI_CONF2_ADDRESS
17544
17545-struct pci_raw_ops pci_direct_conf2 = {
17546+const struct pci_raw_ops pci_direct_conf2 = {
17547 .read = pci_conf2_read,
17548 .write = pci_conf2_write,
17549 };
17550@@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
17551 * This should be close to trivial, but it isn't, because there are buggy
17552 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
17553 */
17554-static int __init pci_sanity_check(struct pci_raw_ops *o)
17555+static int __init pci_sanity_check(const struct pci_raw_ops *o)
17556 {
17557 u32 x = 0;
17558 int year, devfn;
17559diff -urNp linux-2.6.33.1/arch/x86/pci/fixup.c linux-2.6.33.1/arch/x86/pci/fixup.c
17560--- linux-2.6.33.1/arch/x86/pci/fixup.c 2010-03-15 12:09:39.000000000 -0400
17561+++ linux-2.6.33.1/arch/x86/pci/fixup.c 2010-03-20 16:58:39.040721575 -0400
58c5fc13
MT
17562@@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
17563 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
17564 },
17565 },
17566- {}
17567+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17568 };
17569
17570 /*
17571@@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
17572 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
17573 },
17574 },
17575- { }
17576+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17577 };
17578
17579 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
ae4e228f
MT
17580diff -urNp linux-2.6.33.1/arch/x86/pci/irq.c linux-2.6.33.1/arch/x86/pci/irq.c
17581--- linux-2.6.33.1/arch/x86/pci/irq.c 2010-03-15 12:09:39.000000000 -0400
17582+++ linux-2.6.33.1/arch/x86/pci/irq.c 2010-03-20 16:58:39.040721575 -0400
58c5fc13
MT
17583@@ -543,7 +543,7 @@ static __init int intel_router_probe(str
17584 static struct pci_device_id __initdata pirq_440gx[] = {
17585 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
17586 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
17587- { },
17588+ { PCI_DEVICE(0, 0) }
17589 };
17590
17591 /* 440GX has a proprietary PIRQ router -- don't use it */
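Review bot: The new terminator `{ PCI_DEVICE(0, 0) }` in `pirq_440gx[]` is probably not an all-zero entry: as defined upstream, `PCI_DEVICE()` also sets `.subvendor` and `.subdevice` to `PCI_ANY_ID`. The usual table walkers stop only when `vendor`, `subvendor` and `class_mask` are all zero, so with this sentinel they would step past the end of the array; the consumer of the table is outside the hunk, so this needs confirming against it. An explicit all-zero entry avoids the problem, e.g. `{ 0, 0, 0, 0, 0, 0, 0 }` (one zero per field of `struct pci_device_id`).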
17592@@ -1107,7 +1107,7 @@ static struct dmi_system_id __initdata p
17593 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
17594 },
17595 },
17596- { }
17597+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
17598 };
17599
17600 int __init pcibios_irq_init(void)
ae4e228f
MT
17601diff -urNp linux-2.6.33.1/arch/x86/pci/mmconfig_32.c linux-2.6.33.1/arch/x86/pci/mmconfig_32.c
17602--- linux-2.6.33.1/arch/x86/pci/mmconfig_32.c 2010-03-15 12:09:39.000000000 -0400
17603+++ linux-2.6.33.1/arch/x86/pci/mmconfig_32.c 2010-03-20 16:58:39.040721575 -0400
17604@@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
17605 return 0;
17606 }
17607
17608-static struct pci_raw_ops pci_mmcfg = {
17609+static const struct pci_raw_ops pci_mmcfg = {
17610 .read = pci_mmcfg_read,
17611 .write = pci_mmcfg_write,
17612 };
17613diff -urNp linux-2.6.33.1/arch/x86/pci/mmconfig_64.c linux-2.6.33.1/arch/x86/pci/mmconfig_64.c
17614--- linux-2.6.33.1/arch/x86/pci/mmconfig_64.c 2010-03-15 12:09:39.000000000 -0400
17615+++ linux-2.6.33.1/arch/x86/pci/mmconfig_64.c 2010-03-20 16:58:39.040721575 -0400
17616@@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
17617 return 0;
17618 }
17619
17620-static struct pci_raw_ops pci_mmcfg = {
17621+static const struct pci_raw_ops pci_mmcfg = {
17622 .read = pci_mmcfg_read,
17623 .write = pci_mmcfg_write,
17624 };
17625diff -urNp linux-2.6.33.1/arch/x86/pci/numaq_32.c linux-2.6.33.1/arch/x86/pci/numaq_32.c
17626--- linux-2.6.33.1/arch/x86/pci/numaq_32.c 2010-03-15 12:09:39.000000000 -0400
17627+++ linux-2.6.33.1/arch/x86/pci/numaq_32.c 2010-03-20 16:58:39.040721575 -0400
17628@@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
17629
17630 #undef PCI_CONF1_MQ_ADDRESS
17631
17632-static struct pci_raw_ops pci_direct_conf1_mq = {
17633+static const struct pci_raw_ops pci_direct_conf1_mq = {
17634 .read = pci_conf1_mq_read,
17635 .write = pci_conf1_mq_write
17636 };
17637diff -urNp linux-2.6.33.1/arch/x86/pci/olpc.c linux-2.6.33.1/arch/x86/pci/olpc.c
17638--- linux-2.6.33.1/arch/x86/pci/olpc.c 2010-03-15 12:09:39.000000000 -0400
17639+++ linux-2.6.33.1/arch/x86/pci/olpc.c 2010-03-20 16:58:39.040721575 -0400
17640@@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
17641 return 0;
17642 }
17643
17644-static struct pci_raw_ops pci_olpc_conf = {
17645+static const struct pci_raw_ops pci_olpc_conf = {
17646 .read = pci_olpc_read,
17647 .write = pci_olpc_write,
17648 };
17649diff -urNp linux-2.6.33.1/arch/x86/pci/pcbios.c linux-2.6.33.1/arch/x86/pci/pcbios.c
17650--- linux-2.6.33.1/arch/x86/pci/pcbios.c 2010-03-15 12:09:39.000000000 -0400
17651+++ linux-2.6.33.1/arch/x86/pci/pcbios.c 2010-03-20 16:58:39.040721575 -0400
17652@@ -56,50 +56,93 @@ union bios32 {
58c5fc13
MT
17653 static struct {
17654 unsigned long address;
17655 unsigned short segment;
17656-} bios32_indirect = { 0, __KERNEL_CS };
17657+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
17658
17659 /*
17660 * Returns the entry point for the given service, NULL on error
17661 */
17662
17663-static unsigned long bios32_service(unsigned long service)
17664+static unsigned long __devinit bios32_service(unsigned long service)
17665 {
17666 unsigned char return_code; /* %al */
17667 unsigned long address; /* %ebx */
17668 unsigned long length; /* %ecx */
17669 unsigned long entry; /* %edx */
17670 unsigned long flags;
17671+ struct desc_struct d, *gdt;
58c5fc13
MT
17672
17673 local_irq_save(flags);
17674- __asm__("lcall *(%%edi); cld"
17675+
17676+ gdt = get_cpu_gdt_table(smp_processor_id());
17677+
58c5fc13
MT
17678+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
17679+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17680+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
17681+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17682+
58c5fc13
MT
17683+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
17684 : "=a" (return_code),
17685 "=b" (address),
17686 "=c" (length),
17687 "=d" (entry)
17688 : "0" (service),
17689 "1" (0),
17690- "D" (&bios32_indirect));
17691+ "D" (&bios32_indirect),
17692+ "r"(__PCIBIOS_DS)
17693+ : "memory");
17694+
ae4e228f 17695+ pax_open_kernel();
58c5fc13
MT
17696+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
17697+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
17698+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
17699+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
ae4e228f 17700+ pax_close_kernel();
58c5fc13
MT
17701+
17702 local_irq_restore(flags);
17703
17704 switch (return_code) {
17705- case 0:
17706- return address + entry;
17707- case 0x80: /* Not present */
17708- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17709- return 0;
17710- default: /* Shouldn't happen */
17711- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17712- service, return_code);
17713+ case 0: {
17714+ int cpu;
17715+ unsigned char flags;
17716+
17717+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
17718+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
17719+ printk(KERN_WARNING "bios32_service: not valid\n");
17720 return 0;
17721+ }
17722+ address = address + PAGE_OFFSET;
17723+ length += 16UL; /* some BIOSs underreport this... */
17724+ flags = 4;
17725+ if (length >= 64*1024*1024) {
17726+ length >>= PAGE_SHIFT;
17727+ flags |= 8;
17728+ }
17729+
58c5fc13
MT
17730+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
17731+ gdt = get_cpu_gdt_table(cpu);
17732+ pack_descriptor(&d, address, length, 0x9b, flags);
17733+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
17734+ pack_descriptor(&d, address, length, 0x93, flags);
17735+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
17736+ }
58c5fc13
MT
17737+ return entry;
17738+ }
17739+ case 0x80: /* Not present */
17740+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
17741+ return 0;
17742+ default: /* Shouldn't happen */
17743+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
17744+ service, return_code);
17745+ return 0;
17746 }
17747 }
17748
17749 static struct {
17750 unsigned long address;
17751 unsigned short segment;
17752-} pci_indirect = { 0, __KERNEL_CS };
17753+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
17754
17755-static int pci_bios_present;
17756+static int pci_bios_present __read_only;
17757
17758 static int __devinit check_pcibios(void)
17759 {
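Review bot: The page-granularity switch in the new `case 0:` block of bios32_service, `if (length >= 64*1024*1024)`, cannot fire, because the range check above it limits `length` to at most `0x100000 - address` and only 16 is added afterwards. A byte-granular descriptor limit holds 20 bits, so a BIOS reporting `address` near 0 with a `length` close to 0x100000 gives a value above 0xFFFFF after the `+= 16UL`, which would presumably be truncated inside pack_descriptor (not shown in this hunk). Testing against the field width, `if (length > 0xFFFFFUL) {`, or clamping the padded length to the validated 1 MiB window, would keep the PCIBIOS code and data segments at the size that was just checked. Separately, `unsigned char flags;` in that block shadows the `unsigned long flags` used for local_irq_save(); a name such as `gran` would avoid the overlap.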
ae4e228f 17760@@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
58c5fc13
MT
17761 unsigned long flags, pcibios_entry;
17762
17763 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
17764- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
17765+ pci_indirect.address = pcibios_entry;
17766
17767 local_irq_save(flags);
17768- __asm__(
17769- "lcall *(%%edi); cld\n\t"
17770+ __asm__("movw %w6, %%ds\n\t"
17771+ "lcall *%%ss:(%%edi); cld\n\t"
17772+ "push %%ss\n\t"
17773+ "pop %%ds\n\t"
17774 "jc 1f\n\t"
17775 "xor %%ah, %%ah\n"
17776 "1:"
ae4e228f 17777@@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
58c5fc13
MT
17778 "=b" (ebx),
17779 "=c" (ecx)
17780 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
17781- "D" (&pci_indirect)
17782+ "D" (&pci_indirect),
17783+ "r" (__PCIBIOS_DS)
17784 : "memory");
17785 local_irq_restore(flags);
17786
ae4e228f 17787@@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT
17788
17789 switch (len) {
17790 case 1:
17791- __asm__("lcall *(%%esi); cld\n\t"
17792+ __asm__("movw %w6, %%ds\n\t"
17793+ "lcall *%%ss:(%%esi); cld\n\t"
17794+ "push %%ss\n\t"
17795+ "pop %%ds\n\t"
17796 "jc 1f\n\t"
17797 "xor %%ah, %%ah\n"
17798 "1:"
ae4e228f 17799@@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT
17800 : "1" (PCIBIOS_READ_CONFIG_BYTE),
17801 "b" (bx),
17802 "D" ((long)reg),
17803- "S" (&pci_indirect));
17804+ "S" (&pci_indirect),
17805+ "r" (__PCIBIOS_DS));
17806 /*
17807 * Zero-extend the result beyond 8 bits, do not trust the
17808 * BIOS having done it:
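Review bot: The operand list of this asm in pci_bios_read still ends without a `"memory"` clobber, although the template reads `pci_indirect` through `%esi` and calls firmware code with `%ds` switched. bios32_service and check_pcibios declare the clobber in this patch. Without it the compiler is free to reorder memory accesses around the block. Ending the list with `"r" (__PCIBIOS_DS) : "memory");` would make these call sites consistent. The same applies to the two other cases in pci_bios_read, the three cases in pci_bios_write and to pcibios_set_irq_routing. The function body continues outside this hunk.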
ae4e228f 17809@@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT
17810 *value &= 0xff;
17811 break;
17812 case 2:
17813- __asm__("lcall *(%%esi); cld\n\t"
17814+ __asm__("movw %w6, %%ds\n\t"
17815+ "lcall *%%ss:(%%esi); cld\n\t"
17816+ "push %%ss\n\t"
17817+ "pop %%ds\n\t"
17818 "jc 1f\n\t"
17819 "xor %%ah, %%ah\n"
17820 "1:"
ae4e228f 17821@@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT
17822 : "1" (PCIBIOS_READ_CONFIG_WORD),
17823 "b" (bx),
17824 "D" ((long)reg),
17825- "S" (&pci_indirect));
17826+ "S" (&pci_indirect),
17827+ "r" (__PCIBIOS_DS));
17828 /*
17829 * Zero-extend the result beyond 16 bits, do not trust the
17830 * BIOS having done it:
ae4e228f 17831@@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT
17832 *value &= 0xffff;
17833 break;
17834 case 4:
17835- __asm__("lcall *(%%esi); cld\n\t"
17836+ __asm__("movw %w6, %%ds\n\t"
17837+ "lcall *%%ss:(%%esi); cld\n\t"
17838+ "push %%ss\n\t"
17839+ "pop %%ds\n\t"
17840 "jc 1f\n\t"
17841 "xor %%ah, %%ah\n"
17842 "1:"
ae4e228f 17843@@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT
17844 : "1" (PCIBIOS_READ_CONFIG_DWORD),
17845 "b" (bx),
17846 "D" ((long)reg),
17847- "S" (&pci_indirect));
17848+ "S" (&pci_indirect),
17849+ "r" (__PCIBIOS_DS));
17850 break;
17851 }
17852
ae4e228f 17853@@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT
17854
17855 switch (len) {
17856 case 1:
17857- __asm__("lcall *(%%esi); cld\n\t"
17858+ __asm__("movw %w6, %%ds\n\t"
17859+ "lcall *%%ss:(%%esi); cld\n\t"
17860+ "push %%ss\n\t"
17861+ "pop %%ds\n\t"
17862 "jc 1f\n\t"
17863 "xor %%ah, %%ah\n"
17864 "1:"
ae4e228f 17865@@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT
17866 "c" (value),
17867 "b" (bx),
17868 "D" ((long)reg),
17869- "S" (&pci_indirect));
17870+ "S" (&pci_indirect),
17871+ "r" (__PCIBIOS_DS));
17872 break;
17873 case 2:
17874- __asm__("lcall *(%%esi); cld\n\t"
17875+ __asm__("movw %w6, %%ds\n\t"
17876+ "lcall *%%ss:(%%esi); cld\n\t"
17877+ "push %%ss\n\t"
17878+ "pop %%ds\n\t"
17879 "jc 1f\n\t"
17880 "xor %%ah, %%ah\n"
17881 "1:"
ae4e228f 17882@@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT
17883 "c" (value),
17884 "b" (bx),
17885 "D" ((long)reg),
17886- "S" (&pci_indirect));
17887+ "S" (&pci_indirect),
17888+ "r" (__PCIBIOS_DS));
17889 break;
17890 case 4:
17891- __asm__("lcall *(%%esi); cld\n\t"
17892+ __asm__("movw %w6, %%ds\n\t"
17893+ "lcall *%%ss:(%%esi); cld\n\t"
17894+ "push %%ss\n\t"
17895+ "pop %%ds\n\t"
17896 "jc 1f\n\t"
17897 "xor %%ah, %%ah\n"
17898 "1:"
ae4e228f 17899@@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT
17900 "c" (value),
17901 "b" (bx),
17902 "D" ((long)reg),
17903- "S" (&pci_indirect));
17904+ "S" (&pci_indirect),
17905+ "r" (__PCIBIOS_DS));
17906 break;
17907 }
17908
ae4e228f
MT
17909@@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
17910 * Function table for BIOS32 access
17911 */
17912
17913-static struct pci_raw_ops pci_bios_access = {
17914+static const struct pci_raw_ops pci_bios_access = {
17915 .read = pci_bios_read,
17916 .write = pci_bios_write
17917 };
17918@@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
17919 * Try to find PCI BIOS.
17920 */
17921
17922-static struct pci_raw_ops * __devinit pci_find_bios(void)
17923+static const struct pci_raw_ops * __devinit pci_find_bios(void)
17924 {
17925 union bios32 *check;
17926 unsigned char sum;
17927@@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
58c5fc13
MT
17928
17929 DBG("PCI: Fetching IRQ routing table... ");
17930 __asm__("push %%es\n\t"
17931+ "movw %w8, %%ds\n\t"
17932 "push %%ds\n\t"
17933 "pop %%es\n\t"
17934- "lcall *(%%esi); cld\n\t"
17935+ "lcall *%%ss:(%%esi); cld\n\t"
17936 "pop %%es\n\t"
17937+ "push %%ss\n\t"
17938+ "pop %%ds\n"
17939 "jc 1f\n\t"
17940 "xor %%ah, %%ah\n"
17941 "1:"
ae4e228f 17942@@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
58c5fc13
MT
17943 "1" (0),
17944 "D" ((long) &opt),
17945 "S" (&pci_indirect),
17946- "m" (opt)
17947+ "m" (opt),
17948+ "r" (__PCIBIOS_DS)
17949 : "memory");
17950 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
17951 if (ret & 0xff00)
ae4e228f 17952@@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
58c5fc13
MT
17953 {
17954 int ret;
17955
17956- __asm__("lcall *(%%esi); cld\n\t"
17957+ __asm__("movw %w5, %%ds\n\t"
17958+ "lcall *%%ss:(%%esi); cld\n\t"
17959+ "push %%ss\n\t"
17960+ "pop %%ds\n"
17961 "jc 1f\n\t"
17962 "xor %%ah, %%ah\n"
17963 "1:"
ae4e228f 17964@@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
58c5fc13
MT
17965 : "0" (PCIBIOS_SET_PCI_HW_INT),
17966 "b" ((dev->bus->number << 8) | dev->devfn),
17967 "c" ((irq << 8) | (pin + 10)),
17968- "S" (&pci_indirect));
17969+ "S" (&pci_indirect),
17970+ "r" (__PCIBIOS_DS));
17971 return !(ret & 0xff00);
17972 }
17973 EXPORT_SYMBOL(pcibios_set_irq_routing);
ae4e228f
MT
17974diff -urNp linux-2.6.33.1/arch/x86/power/cpu.c linux-2.6.33.1/arch/x86/power/cpu.c
17975--- linux-2.6.33.1/arch/x86/power/cpu.c 2010-03-15 12:09:39.000000000 -0400
17976+++ linux-2.6.33.1/arch/x86/power/cpu.c 2010-03-20 16:58:39.040721575 -0400
17977@@ -127,7 +127,7 @@ static void do_fpu_end(void)
58c5fc13
MT
17978 static void fix_processor_context(void)
17979 {
17980 int cpu = smp_processor_id();
17981- struct tss_struct *t = &per_cpu(init_tss, cpu);
17982+ struct tss_struct *t = init_tss + cpu;
58c5fc13
MT
17983
17984 set_tss_desc(cpu, t); /*
17985 * This just modifies memory; should not be
ae4e228f 17986@@ -137,7 +137,9 @@ static void fix_processor_context(void)
58c5fc13
MT
17987 */
17988
17989 #ifdef CONFIG_X86_64
ae4e228f 17990+ pax_open_kernel();
58c5fc13 17991 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
ae4e228f 17992+ pax_close_kernel();
58c5fc13 17993
58c5fc13
MT
17994 syscall_init(); /* This sets MSR_*STAR and related */
17995 #endif
ae4e228f
MT
17996diff -urNp linux-2.6.33.1/arch/x86/vdso/Makefile linux-2.6.33.1/arch/x86/vdso/Makefile
17997--- linux-2.6.33.1/arch/x86/vdso/Makefile 2010-03-15 12:09:39.000000000 -0400
17998+++ linux-2.6.33.1/arch/x86/vdso/Makefile 2010-03-20 16:58:39.040721575 -0400
58c5fc13
MT
17999@@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
18000 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
18001 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
18002
ae4e228f
MT
18003-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
18004+VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
58c5fc13
MT
18005 GCOV_PROFILE := n
18006
18007 #
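Review bot: The new `--no-undefined` in VDSO_LDFLAGS is written as a bare option, while the other linker options visible in this hunk are passed with a `-Wl` prefix (`-Wl,-T,…`, `-Wl$(comma)--hash-style=sysv`). If these flags go to the compiler driver, as the `-Wl` forms suggest (the start of the command is outside the hunk), the option only reaches the linker when the driver happens to forward it. Writing it as `-Wl,--no-undefined` makes the intent explicit and keeps the undefined-symbol check from being dropped silently by a different toolchain.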
ae4e228f
MT
18008diff -urNp linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c
18009--- linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c 2010-03-15 12:09:39.000000000 -0400
18010+++ linux-2.6.33.1/arch/x86/vdso/vclock_gettime.c 2010-03-20 16:58:39.044545939 -0400
58c5fc13
MT
18011@@ -22,24 +22,48 @@
18012 #include <asm/hpet.h>
18013 #include <asm/unistd.h>
18014 #include <asm/io.h>
18015+#include <asm/fixmap.h>
18016 #include "vextern.h"
18017
18018 #define gtod vdso_vsyscall_gtod_data
18019
18020+notrace noinline long __vdso_fallback_time(long *t)
18021+{
18022+ long secs;
18023+ asm volatile("syscall"
18024+ : "=a" (secs)
18025+ : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
18026+ return secs;
18027+}
18028+
18029 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
18030 {
18031 long ret;
18032 asm("syscall" : "=a" (ret) :
18033- "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
18034+ "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
18035 return ret;
18036 }
18037
18038+notrace static inline cycle_t __vdso_vread_hpet(void)
18039+{
18040+ return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
18041+}
18042+
18043+notrace static inline cycle_t __vdso_vread_tsc(void)
18044+{
18045+ cycle_t ret = (cycle_t)vget_cycles();
18046+
18047+ return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
18048+}
18049+
18050 notrace static inline long vgetns(void)
18051 {
18052 long v;
18053- cycles_t (*vread)(void);
18054- vread = gtod->clock.vread;
18055- v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
18056+ if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
18057+ v = __vdso_vread_tsc();
18058+ else
18059+ v = __vdso_vread_hpet();
18060+ v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
18061 return (v * gtod->clock.mult) >> gtod->clock.shift;
18062 }
18063
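Review bot: The clock selection in vgetns is an open-coded character comparison of `gtod->clock.name`, and the same test is repeated with an "hpet" variant in the later __vdso_clock_gettime and __vdso_gettimeofday hunks. Three hand-written copies are easy to get out of step, and vgetns treats every name other than "tsc" as HPET, so it depends on the callers' gate staying identical. Two small `notrace static inline` predicates would keep the decision in one place. In __vdso_vread_hpet the literal `0xf0` could be written with the register-offset constant from `<asm/hpet.h>`, which the file already includes (`HPET_COUNTER`, if that header defines it in this tree).

```c
notrace static inline int vdso_clock_is_tsc(void)
{
	return gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' &&
	       gtod->clock.name[2] == 'c' && !gtod->clock.name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	return gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' &&
	       gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' &&
	       !gtod->clock.name[4];
}

notrace static inline long vgetns(void)
{
	long v;
	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: subtract cycle_last, mask, scale by mult/shift … */
```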
ae4e228f 18064@@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
58c5fc13
MT
18065
18066 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
18067 {
ae4e228f 18068- if (likely(gtod->sysctl_enabled))
58c5fc13
MT
18069+ if (likely(gtod->sysctl_enabled &&
18070+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
18071+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
18072 switch (clock) {
18073 case CLOCK_REALTIME:
ae4e228f
MT
18074 if (likely(gtod->clock.vread))
18075@@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
58c5fc13
MT
18076 int clock_gettime(clockid_t, struct timespec *)
18077 __attribute__((weak, alias("__vdso_clock_gettime")));
18078
18079-notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
18080+notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
18081 {
18082 long ret;
18083- if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
18084+ asm("syscall" : "=a" (ret) :
18085+ "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
18086+ return ret;
18087+}
18088+
18089+notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
18090+{
18091+ if (likely(gtod->sysctl_enabled &&
18092+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
18093+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
18094+ {
18095 if (likely(tv != NULL)) {
18096 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
18097 offsetof(struct timespec, tv_nsec) ||
ae4e228f 18098@@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
58c5fc13
MT
18099 }
18100 return 0;
18101 }
18102- asm("syscall" : "=a" (ret) :
18103- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
18104- return ret;
18105+ return __vdso_fallback_gettimeofday(tv, tz);
18106 }
18107 int gettimeofday(struct timeval *, struct timezone *)
18108 __attribute__((weak, alias("__vdso_gettimeofday")));
ae4e228f
MT
18109diff -urNp linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c
18110--- linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c 2010-03-15 12:09:39.000000000 -0400
18111+++ linux-2.6.33.1/arch/x86/vdso/vdso32-setup.c 2010-03-20 16:58:39.044545939 -0400
58c5fc13
MT
18112@@ -25,6 +25,7 @@
18113 #include <asm/tlbflush.h>
18114 #include <asm/vdso.h>
18115 #include <asm/proto.h>
18116+#include <asm/mman.h>
18117
18118 enum {
18119 VDSO_DISABLED = 0,
18120@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
18121 void enable_sep_cpu(void)
18122 {
18123 int cpu = get_cpu();
18124- struct tss_struct *tss = &per_cpu(init_tss, cpu);
18125+ struct tss_struct *tss = init_tss + cpu;
18126
18127 if (!boot_cpu_has(X86_FEATURE_SEP)) {
18128 put_cpu();
18129@@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
18130 gate_vma.vm_start = FIXADDR_USER_START;
18131 gate_vma.vm_end = FIXADDR_USER_END;
18132 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
18133- gate_vma.vm_page_prot = __P101;
18134+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
18135 /*
18136 * Make sure the vDSO gets into every core dump.
18137 * Dumping its contents makes post-mortem fully interpretable later
18138@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
18139 if (compat)
18140 addr = VDSO_HIGH_BASE;
18141 else {
18142- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
18143+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
18144 if (IS_ERR_VALUE(addr)) {
18145 ret = addr;
18146 goto up_fail;
18147 }
18148 }
18149
18150- current->mm->context.vdso = (void *)addr;
18151+ current->mm->context.vdso = addr;
18152
18153 if (compat_uses_vma || !compat) {
18154 /*
ae4e228f
MT
18155@@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
18156 }
18157
18158 current_thread_info()->sysenter_return =
18159- VDSO32_SYMBOL(addr, SYSENTER_RETURN);
18160+ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
58c5fc13
MT
18161
18162 up_fail:
18163 if (ret)
18164- current->mm->context.vdso = NULL;
18165+ current->mm->context.vdso = 0;
18166
18167 up_write(&mm->mmap_sem);
18168
ae4e228f 18169@@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
58c5fc13
MT
18170
18171 const char *arch_vma_name(struct vm_area_struct *vma)
18172 {
18173- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18174+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18175 return "[vdso]";
18176+
18177+#ifdef CONFIG_PAX_SEGMEXEC
18178+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
18179+ return "[vdso]";
18180+#endif
18181+
18182 return NULL;
18183 }
18184
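Review bot: The CONFIG_PAX_SEGMEXEC branch added to arch_vma_name has no comment saying why a VMA whose `vm_mirror` starts at `context.vdso` is also reported as "[vdso]". Presumably the mirror is the executable copy of the vdso mapping and should carry the same name in the maps output; a line such as `/* the SEGMEXEC mirror of the vdso mapping is named like the original */` would record that. The two tests could also share one `if (!vma->vm_mm) return NULL;` guard instead of repeating `vma->vm_mm &&`.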
ae4e228f 18185@@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
58c5fc13
MT
18186 struct mm_struct *mm = tsk->mm;
18187
18188 /* Check to see if this task was created in compat vdso mode */
18189- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
18190+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
18191 return &gate_vma;
18192 return NULL;
18193 }
ae4e228f
MT
18194diff -urNp linux-2.6.33.1/arch/x86/vdso/vdso.lds.S linux-2.6.33.1/arch/x86/vdso/vdso.lds.S
18195--- linux-2.6.33.1/arch/x86/vdso/vdso.lds.S 2010-03-15 12:09:39.000000000 -0400
18196+++ linux-2.6.33.1/arch/x86/vdso/vdso.lds.S 2010-03-20 16:58:39.044545939 -0400
58c5fc13
MT
18197@@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
18198 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
18199 #include "vextern.h"
18200 #undef VEXTERN
18201+
18202+#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
18203+VEXTERN(fallback_gettimeofday)
18204+VEXTERN(fallback_time)
18205+VEXTERN(getcpu)
18206+#undef VEXTERN
ae4e228f
MT
18207diff -urNp linux-2.6.33.1/arch/x86/vdso/vextern.h linux-2.6.33.1/arch/x86/vdso/vextern.h
18208--- linux-2.6.33.1/arch/x86/vdso/vextern.h 2010-03-15 12:09:39.000000000 -0400
18209+++ linux-2.6.33.1/arch/x86/vdso/vextern.h 2010-03-20 16:58:39.044545939 -0400
58c5fc13
MT
18210@@ -11,6 +11,5 @@
18211 put into vextern.h and be referenced as a pointer with vdso prefix.
18212 The main kernel later fills in the values. */
18213
18214-VEXTERN(jiffies)
18215 VEXTERN(vgetcpu_mode)
18216 VEXTERN(vsyscall_gtod_data)
ae4e228f
MT
18217diff -urNp linux-2.6.33.1/arch/x86/vdso/vma.c linux-2.6.33.1/arch/x86/vdso/vma.c
18218--- linux-2.6.33.1/arch/x86/vdso/vma.c 2010-03-15 12:09:39.000000000 -0400
18219+++ linux-2.6.33.1/arch/x86/vdso/vma.c 2010-03-20 16:58:39.044545939 -0400
58c5fc13
MT
18220@@ -57,7 +57,7 @@ static int __init init_vdso_vars(void)
18221 if (!vbase)
18222 goto oom;
18223
18224- if (memcmp(vbase, "\177ELF", 4)) {
18225+ if (memcmp(vbase, ELFMAG, SELFMAG)) {
18226 printk("VDSO: I'm broken; not ELF\n");
18227 vdso_enabled = 0;
18228 }
18229@@ -66,6 +66,7 @@ static int __init init_vdso_vars(void)
18230 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
18231 #include "vextern.h"
18232 #undef VEXTERN
18233+ vunmap(vbase);
18234 return 0;
18235
18236 oom:
18237@@ -116,7 +117,7 @@ int arch_setup_additional_pages(struct l
18238 goto up_fail;
18239 }
18240
18241- current->mm->context.vdso = (void *)addr;
18242+ current->mm->context.vdso = addr;
18243
18244 ret = install_special_mapping(mm, addr, vdso_size,
18245 VM_READ|VM_EXEC|
18246@@ -124,7 +125,7 @@ int arch_setup_additional_pages(struct l
18247 VM_ALWAYSDUMP,
18248 vdso_pages);
18249 if (ret) {
18250- current->mm->context.vdso = NULL;
18251+ current->mm->context.vdso = 0;
18252 goto up_fail;
18253 }
18254
18255@@ -132,10 +133,3 @@ up_fail:
18256 up_write(&mm->mmap_sem);
18257 return ret;
18258 }
18259-
18260-static __init int vdso_setup(char *s)
18261-{
18262- vdso_enabled = simple_strtoul(s, NULL, 0);
18263- return 0;
18264-}
18265-__setup("vdso=", vdso_setup);
ae4e228f
MT
18266diff -urNp linux-2.6.33.1/arch/x86/xen/enlighten.c linux-2.6.33.1/arch/x86/xen/enlighten.c
18267--- linux-2.6.33.1/arch/x86/xen/enlighten.c 2010-03-15 12:09:39.000000000 -0400
18268+++ linux-2.6.33.1/arch/x86/xen/enlighten.c 2010-03-20 16:58:39.044545939 -0400
18269@@ -73,8 +73,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
58c5fc13
MT
18270
18271 struct shared_info xen_dummy_shared_info;
18272
18273-void *xen_initial_gdt;
18274-
18275 /*
18276 * Point at some empty memory to start with. We map the real shared_info
18277 * page as soon as fixmap is up and running.
ae4e228f 18278@@ -550,7 +548,7 @@ static void xen_write_idt_entry(gate_des
58c5fc13
MT
18279
18280 preempt_disable();
18281
18282- start = __get_cpu_var(idt_desc).address;
18283+ start = (unsigned long)__get_cpu_var(idt_desc).address;
18284 end = start + __get_cpu_var(idt_desc).size + 1;
18285
18286 xen_mc_flush();
ae4e228f 18287@@ -1133,13 +1131,6 @@ asmlinkage void __init xen_start_kernel(
58c5fc13
MT
18288
18289 machine_ops = xen_machine_ops;
18290
18291- /*
18292- * The only reliable way to retain the initial address of the
18293- * percpu gdt_page is to remember it here, so we can go and
18294- * mark it RW later, when the initial percpu area is freed.
18295- */
18296- xen_initial_gdt = &per_cpu(gdt_page, 0);
18297-
18298 xen_smp_init();
18299
ae4e228f
MT
18300 pgd = (pgd_t *)xen_start_info->pt_base;
18301diff -urNp linux-2.6.33.1/arch/x86/xen/mmu.c linux-2.6.33.1/arch/x86/xen/mmu.c
18302--- linux-2.6.33.1/arch/x86/xen/mmu.c 2010-03-15 12:09:39.000000000 -0400
18303+++ linux-2.6.33.1/arch/x86/xen/mmu.c 2010-03-20 16:58:39.044545939 -0400
18304@@ -1711,6 +1711,8 @@ __init pgd_t *xen_setup_kernel_pagetable
58c5fc13
MT
18305 convert_pfn_mfn(init_level4_pgt);
18306 convert_pfn_mfn(level3_ident_pgt);
18307 convert_pfn_mfn(level3_kernel_pgt);
18308+ convert_pfn_mfn(level3_vmalloc_pgt);
18309+ convert_pfn_mfn(level3_vmemmap_pgt);
18310
18311 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
18312 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
ae4e228f 18313@@ -1729,7 +1731,10 @@ __init pgd_t *xen_setup_kernel_pagetable
58c5fc13
MT
18314 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
18315 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
18316 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
18317+ set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
18318+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
18319 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
18320+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
18321 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
18322 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
18323
ae4e228f
MT
18324diff -urNp linux-2.6.33.1/arch/x86/xen/smp.c linux-2.6.33.1/arch/x86/xen/smp.c
18325--- linux-2.6.33.1/arch/x86/xen/smp.c 2010-03-15 12:09:39.000000000 -0400
18326+++ linux-2.6.33.1/arch/x86/xen/smp.c 2010-03-20 16:58:39.044545939 -0400
18327@@ -168,11 +168,6 @@ static void __init xen_smp_prepare_boot_
58c5fc13
MT
18328 {
18329 BUG_ON(smp_processor_id() != 0);
18330 native_smp_prepare_boot_cpu();
18331-
18332- /* We've switched to the "real" per-cpu gdt, so make sure the
18333- old memory can be recycled */
18334- make_lowmem_page_readwrite(xen_initial_gdt);
18335-
18336 xen_setup_vcpu_info_placement();
18337 }
18338
ae4e228f 18339@@ -232,8 +227,8 @@ cpu_initialize_context(unsigned int cpu,
58c5fc13
MT
18340 gdt = get_cpu_gdt_table(cpu);
18341
18342 ctxt->flags = VGCF_IN_KERNEL;
18343- ctxt->user_regs.ds = __USER_DS;
18344- ctxt->user_regs.es = __USER_DS;
18345+ ctxt->user_regs.ds = __KERNEL_DS;
18346+ ctxt->user_regs.es = __KERNEL_DS;
18347 ctxt->user_regs.ss = __KERNEL_DS;
18348 #ifdef CONFIG_X86_32
18349 ctxt->user_regs.fs = __KERNEL_PERCPU;
ae4e228f
MT
18350diff -urNp linux-2.6.33.1/arch/x86/xen/xen-ops.h linux-2.6.33.1/arch/x86/xen/xen-ops.h
18351--- linux-2.6.33.1/arch/x86/xen/xen-ops.h 2010-03-15 12:09:39.000000000 -0400
18352+++ linux-2.6.33.1/arch/x86/xen/xen-ops.h 2010-03-20 16:58:39.044545939 -0400
58c5fc13
MT
18353@@ -10,8 +10,6 @@
18354 extern const char xen_hypervisor_callback[];
18355 extern const char xen_failsafe_callback[];
18356
18357-extern void *xen_initial_gdt;
18358-
18359 struct trap_info;
18360 void xen_copy_trap_info(struct trap_info *traps);
18361
ae4e228f
MT
18362diff -urNp linux-2.6.33.1/block/blk-integrity.c linux-2.6.33.1/block/blk-integrity.c
18363--- linux-2.6.33.1/block/blk-integrity.c 2010-03-15 12:09:39.000000000 -0400
18364+++ linux-2.6.33.1/block/blk-integrity.c 2010-03-20 16:58:39.052902082 -0400
18365@@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
18366 NULL,
18367 };
58c5fc13 18368
ae4e228f
MT
18369-static struct sysfs_ops integrity_ops = {
18370+static const struct sysfs_ops integrity_ops = {
18371 .show = &integrity_attr_show,
18372 .store = &integrity_attr_store,
18373 };
18374diff -urNp linux-2.6.33.1/block/blk-iopoll.c linux-2.6.33.1/block/blk-iopoll.c
18375--- linux-2.6.33.1/block/blk-iopoll.c 2010-03-15 12:09:39.000000000 -0400
18376+++ linux-2.6.33.1/block/blk-iopoll.c 2010-03-20 16:58:39.068779508 -0400
18377@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
18378 }
18379 EXPORT_SYMBOL(blk_iopoll_complete);
18380
18381-static void blk_iopoll_softirq(struct softirq_action *h)
18382+static void blk_iopoll_softirq(void)
18383 {
18384 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
18385 int rearm = 0, budget = blk_iopoll_budget;
18386diff -urNp linux-2.6.33.1/block/blk-map.c linux-2.6.33.1/block/blk-map.c
18387--- linux-2.6.33.1/block/blk-map.c 2010-03-15 12:09:39.000000000 -0400
18388+++ linux-2.6.33.1/block/blk-map.c 2010-03-20 16:58:39.068779508 -0400
18389@@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
18390 * direct dma. else, set up kernel bounce buffers
18391 */
18392 uaddr = (unsigned long) ubuf;
18393- if (blk_rq_aligned(q, ubuf, len) && !map_data)
18394+ if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
18395 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
18396 else
18397 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
18398@@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
18399 if (!len || !kbuf)
18400 return -EINVAL;
58c5fc13 18401
ae4e228f
MT
18402- do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
18403+ do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
18404 if (do_copy)
18405 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
18406 else
18407diff -urNp linux-2.6.33.1/block/blk-softirq.c linux-2.6.33.1/block/blk-softirq.c
18408--- linux-2.6.33.1/block/blk-softirq.c 2010-03-15 12:09:39.000000000 -0400
18409+++ linux-2.6.33.1/block/blk-softirq.c 2010-03-20 16:58:39.068779508 -0400
18410@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
18411 * Softirq action handler - move entries to local list and loop over them
18412 * while passing them to the queue registered handler.
18413 */
18414-static void blk_done_softirq(struct softirq_action *h)
18415+static void blk_done_softirq(void)
18416 {
18417 struct list_head *cpu_list, local_list;
58c5fc13 18418
ae4e228f
MT
18419diff -urNp linux-2.6.33.1/block/blk-sysfs.c linux-2.6.33.1/block/blk-sysfs.c
18420--- linux-2.6.33.1/block/blk-sysfs.c 2010-03-15 12:09:39.000000000 -0400
18421+++ linux-2.6.33.1/block/blk-sysfs.c 2010-03-20 16:58:39.068779508 -0400
18422@@ -447,7 +447,7 @@ static void blk_release_queue(struct kob
18423 kmem_cache_free(blk_requestq_cachep, q);
58c5fc13
MT
18424 }
18425
ae4e228f
MT
18426-static struct sysfs_ops queue_sysfs_ops = {
18427+static const struct sysfs_ops queue_sysfs_ops = {
18428 .show = queue_attr_show,
18429 .store = queue_attr_store,
18430 };
18431diff -urNp linux-2.6.33.1/block/elevator.c linux-2.6.33.1/block/elevator.c
18432--- linux-2.6.33.1/block/elevator.c 2010-03-15 12:09:39.000000000 -0400
18433+++ linux-2.6.33.1/block/elevator.c 2010-03-20 16:58:39.073372227 -0400
18434@@ -883,7 +883,7 @@ elv_attr_store(struct kobject *kobj, str
18435 return error;
18436 }
58c5fc13 18437
ae4e228f
MT
18438-static struct sysfs_ops elv_sysfs_ops = {
18439+static const struct sysfs_ops elv_sysfs_ops = {
18440 .show = elv_attr_show,
18441 .store = elv_attr_store,
18442 };
18443diff -urNp linux-2.6.33.1/crypto/lrw.c linux-2.6.33.1/crypto/lrw.c
18444--- linux-2.6.33.1/crypto/lrw.c 2010-03-15 12:09:39.000000000 -0400
18445+++ linux-2.6.33.1/crypto/lrw.c 2010-03-20 16:58:39.077284706 -0400
58c5fc13
MT
18446@@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
18447 struct priv *ctx = crypto_tfm_ctx(parent);
18448 struct crypto_cipher *child = ctx->child;
18449 int err, i;
18450- be128 tmp = { 0 };
18451+ be128 tmp = { 0, 0 };
18452 int bsize = crypto_cipher_blocksize(child);
18453
18454 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
ae4e228f
MT
18455diff -urNp linux-2.6.33.1/Documentation/dontdiff linux-2.6.33.1/Documentation/dontdiff
18456--- linux-2.6.33.1/Documentation/dontdiff 2010-03-15 12:09:39.000000000 -0400
18457+++ linux-2.6.33.1/Documentation/dontdiff 2010-03-20 16:58:39.077284706 -0400
58c5fc13
MT
18458@@ -3,6 +3,7 @@
18459 *.bin
18460 *.cpio
18461 *.csp
18462+*.dbg
18463 *.dsp
18464 *.dvi
18465 *.elf
ae4e228f
MT
18466@@ -40,6 +41,7 @@
18467 *.ver
18468 *.xml
18469 *_MODULES
18470+*_reg_safe.h
18471 *_vga16.c
18472 *~
18473 *.9
18474@@ -49,11 +51,16 @@
58c5fc13
MT
18475 53c700_d.h
18476 CVS
18477 ChangeSet
18478+GPATH
18479+GRTAGS
18480+GSYMS
18481+GTAGS
18482 Image
18483 Kerntypes
18484 Module.markers
18485 Module.symvers
18486 PENDING
18487+PERF*
18488 SCCS
18489 System.map*
18490 TAGS
ae4e228f 18491@@ -77,7 +84,9 @@ btfixupprep
58c5fc13
MT
18492 build
18493 bvmlinux
18494 bzImage*
18495+capflags.c
18496 classlist.h*
18497+common-cmds.h
18498 comp*.log
18499 compile.h*
18500 conf
ae4e228f
MT
18501@@ -107,13 +116,15 @@ generated
18502 genheaders
58c5fc13
MT
18503 genksyms
18504 *_gray256.c
18505+hash
18506 ihex2fw
18507 ikconfig.h*
ae4e228f 18508+inat-tables.c
58c5fc13
MT
18509 initramfs_data.cpio
18510+initramfs_data.cpio.bz2
18511 initramfs_data.cpio.gz
18512 initramfs_list
18513 kallsyms
18514-kconfig
18515 keywords.c
18516 ksym.c*
18517 ksym.h*
ae4e228f 18518@@ -137,10 +148,13 @@ mkboot
58c5fc13
MT
18519 mkbugboot
18520 mkcpustr
18521 mkdep
18522+mkpiggy
18523 mkprep
ae4e228f 18524+mkregtable
58c5fc13
MT
18525 mktables
18526 mktree
ae4e228f
MT
18527 modpost
18528+modules.builtin
18529 modules.order
18530 modversions.h*
18531 ncscope.*
18532@@ -153,6 +167,7 @@ patches*
58c5fc13
MT
18533 pca200e.bin
18534 pca200e_ecd.bin2
18535 piggy.gz
18536+piggy.S
18537 piggyback
18538 pnmtologo
18539 ppc_defs.h*
ae4e228f 18540@@ -167,6 +182,7 @@ setup
58c5fc13
MT
18541 setup.bin
18542 setup.elf
18543 sImage
18544+slabinfo
18545 sm_tbl*
18546 split-include
18547 syscalltab.h
ae4e228f 18548@@ -190,14 +206,20 @@ version.h*
58c5fc13
MT
18549 vmlinux
18550 vmlinux-*
18551 vmlinux.aout
18552+vmlinux.bin.all
18553+vmlinux.bin.bz2
18554 vmlinux.lds
18555+vmlinux.relocs
18556+voffset.h
18557 vsyscall.lds
18558 vsyscall_32.lds
18559 wanxlfw.inc
18560 uImage
18561 unifdef
18562+utsrelease.h
18563 wakeup.bin
18564 wakeup.elf
18565 wakeup.lds
18566 zImage*
18567 zconf.hash.c
18568+zoffset.h
ae4e228f
MT
18569diff -urNp linux-2.6.33.1/Documentation/filesystems/sysfs.txt linux-2.6.33.1/Documentation/filesystems/sysfs.txt
18570--- linux-2.6.33.1/Documentation/filesystems/sysfs.txt 2010-03-15 12:09:39.000000000 -0400
18571+++ linux-2.6.33.1/Documentation/filesystems/sysfs.txt 2010-03-20 16:58:39.077284706 -0400
18572@@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
18573 show and store methods of the attribute owners.
18574
18575 struct sysfs_ops {
18576- ssize_t (*show)(struct kobject *, struct attribute *, char *);
18577- ssize_t (*store)(struct kobject *, struct attribute *, const char *);
18578+ ssize_t (* const show)(struct kobject *, struct attribute *, char *);
18579+ ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
18580 };
18581
18582 [ Subsystems should have already defined a struct kobj_type as a
18583diff -urNp linux-2.6.33.1/Documentation/kernel-parameters.txt linux-2.6.33.1/Documentation/kernel-parameters.txt
18584--- linux-2.6.33.1/Documentation/kernel-parameters.txt 2010-03-15 12:09:39.000000000 -0400
18585+++ linux-2.6.33.1/Documentation/kernel-parameters.txt 2010-03-20 16:58:39.081342736 -0400
18586@@ -1865,6 +1865,12 @@ and is between 256 and 4096 characters.
58c5fc13
MT
18587 the specified number of seconds. This is to be used if
18588 your oopses keep scrolling off the screen.
18589
18590+ pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
18591+ virtualization environments that don't cope well with the
18592+ expand down segment used by UDEREF on X86-32.
18593+
18594+ pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
18595+
18596 pcbit= [HW,ISDN]
18597
18598 pcd. [PARIDE]
ae4e228f
MT
18599diff -urNp linux-2.6.33.1/drivers/acpi/battery.c linux-2.6.33.1/drivers/acpi/battery.c
18600--- linux-2.6.33.1/drivers/acpi/battery.c 2010-03-15 12:09:39.000000000 -0400
18601+++ linux-2.6.33.1/drivers/acpi/battery.c 2010-03-20 16:58:39.097283097 -0400
18602@@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
18603 }
18604
18605 static struct battery_file {
18606- struct file_operations ops;
18607+ const struct file_operations ops;
18608 mode_t mode;
18609 const char *name;
18610 } acpi_battery_file[] = {
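Review bot: Qualifying only the `ops` member as `const` leaves the `acpi_battery_file[]` array itself non-const, so as far as I can tell the table, function pointers included, still sits in writable data and the change buys compile-time checking only. If `mode` and `name` are never written after initialisation (not visible in this hunk), the array could be declared `static const struct battery_file { ... } acpi_battery_file[]` so that the whole table becomes read-only. The array initialiser continues outside the hunk.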
18611diff -urNp linux-2.6.33.1/drivers/acpi/blacklist.c linux-2.6.33.1/drivers/acpi/blacklist.c
18612--- linux-2.6.33.1/drivers/acpi/blacklist.c 2010-03-15 12:09:39.000000000 -0400
18613+++ linux-2.6.33.1/drivers/acpi/blacklist.c 2010-03-20 16:58:39.097283097 -0400
18614@@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
58c5fc13
MT
18615 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
18616 "Incorrect _ADR", 1},
18617
18618- {""}
ae4e228f 18619+ {"", "", 0, NULL, all_versions, NULL, 0}
58c5fc13
MT
18620 };
18621
18622 #if CONFIG_ACPI_BLACKLIST_YEAR
ae4e228f
MT
18623diff -urNp linux-2.6.33.1/drivers/acpi/dock.c linux-2.6.33.1/drivers/acpi/dock.c
18624--- linux-2.6.33.1/drivers/acpi/dock.c 2010-03-15 12:09:39.000000000 -0400
18625+++ linux-2.6.33.1/drivers/acpi/dock.c 2010-03-20 16:58:39.097283097 -0400
18626@@ -76,7 +76,7 @@ struct dock_dependent_device {
18627 struct list_head list;
18628 struct list_head hotplug_list;
18629 acpi_handle handle;
18630- struct acpi_dock_ops *ops;
18631+ const struct acpi_dock_ops *ops;
18632 void *context;
18633 };
18634
18635@@ -588,7 +588,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
18636 * the dock driver after _DCK is executed.
18637 */
18638 int
18639-register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
18640+register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
18641 void *context)
18642 {
18643 struct dock_dependent_device *dd;
18644diff -urNp linux-2.6.33.1/drivers/acpi/osl.c linux-2.6.33.1/drivers/acpi/osl.c
18645--- linux-2.6.33.1/drivers/acpi/osl.c 2010-03-15 12:09:39.000000000 -0400
18646+++ linux-2.6.33.1/drivers/acpi/osl.c 2010-03-20 16:58:39.101703980 -0400
18647@@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
58c5fc13
MT
18648 void __iomem *virt_addr;
18649
18650 virt_addr = ioremap(phys_addr, width);
18651+ if (!virt_addr)
18652+ return AE_NO_MEMORY;
18653 if (!value)
18654 value = &dummy;
18655
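Review bot: On the new failure path in acpi_os_read_memory the function returns before `*value` is written, so a caller that does not check the returned status would go on to use an uninitialised value; whether such callers exist is not visible here. Placing the check after the `dummy` fallback and clearing the output, `if (!virt_addr) { *value = 0; return AE_NO_MEMORY; }`, would make the failure deterministic. The function body continues outside the hunk.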
ae4e228f 18656@@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
58c5fc13
MT
18657 void __iomem *virt_addr;
18658
18659 virt_addr = ioremap(phys_addr, width);
18660+ if (!virt_addr)
18661+ return AE_NO_MEMORY;
18662
18663 switch (width) {
18664 case 8:
ae4e228f
MT
18665diff -urNp linux-2.6.33.1/drivers/acpi/processor_core.c linux-2.6.33.1/drivers/acpi/processor_core.c
18666--- linux-2.6.33.1/drivers/acpi/processor_core.c 2010-03-15 12:09:39.000000000 -0400
18667+++ linux-2.6.33.1/drivers/acpi/processor_core.c 2010-03-20 16:58:39.109290821 -0400
18668@@ -734,7 +734,7 @@ static int __cpuinit acpi_processor_add(
58c5fc13
MT
18669 return 0;
18670 }
18671
18672- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
18673+ BUG_ON(pr->id >= nr_cpu_ids);
18674
18675 /*
18676 * Buggy BIOS check
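Review bot: Dropping `(pr->id < 0)` from the `BUG_ON` is only equivalent if `pr->id` has an unsigned type, which this hunk does not show. With a signed id compared against a signed `nr_cpu_ids`, a negative value would now pass the check and presumably be used as a CPU index later in the function. A one-line comment above the check would pin the assumption, e.g. `/* pr->id is unsigned: an invalid (-1) id compares >= nr_cpu_ids */`. acpi_processor_add starts and ends outside the hunk.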
ae4e228f
MT
18677diff -urNp linux-2.6.33.1/drivers/acpi/processor_idle.c linux-2.6.33.1/drivers/acpi/processor_idle.c
18678--- linux-2.6.33.1/drivers/acpi/processor_idle.c 2010-03-15 12:09:39.000000000 -0400
18679+++ linux-2.6.33.1/drivers/acpi/processor_idle.c 2010-03-20 16:58:39.109290821 -0400
18680@@ -118,7 +118,7 @@ static struct dmi_system_id __cpuinitdat
18681 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
18682 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
18683 (void *)1},
58c5fc13
MT
18684- {},
18685+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
18686 };
18687
18688
ae4e228f
MT
18689diff -urNp linux-2.6.33.1/drivers/acpi/sleep.c linux-2.6.33.1/drivers/acpi/sleep.c
18690--- linux-2.6.33.1/drivers/acpi/sleep.c 2010-03-15 12:09:39.000000000 -0400
18691+++ linux-2.6.33.1/drivers/acpi/sleep.c 2010-03-20 16:58:39.113276130 -0400
18692@@ -302,7 +302,7 @@ static int acpi_suspend_state_valid(susp
18693 }
18694 }
18695
18696-static struct platform_suspend_ops acpi_suspend_ops = {
18697+static const struct platform_suspend_ops acpi_suspend_ops = {
18698 .valid = acpi_suspend_state_valid,
18699 .begin = acpi_suspend_begin,
18700 .prepare_late = acpi_pm_prepare,
18701@@ -330,7 +330,7 @@ static int acpi_suspend_begin_old(suspen
18702 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18703 * been requested.
18704 */
18705-static struct platform_suspend_ops acpi_suspend_ops_old = {
18706+static const struct platform_suspend_ops acpi_suspend_ops_old = {
18707 .valid = acpi_suspend_state_valid,
18708 .begin = acpi_suspend_begin_old,
18709 .prepare_late = acpi_pm_disable_gpes,
18710@@ -557,7 +557,7 @@ static void acpi_pm_enable_gpes(void)
18711 acpi_enable_all_runtime_gpes();
18712 }
18713
18714-static struct platform_hibernation_ops acpi_hibernation_ops = {
18715+static const struct platform_hibernation_ops acpi_hibernation_ops = {
18716 .begin = acpi_hibernation_begin,
18717 .end = acpi_pm_end,
18718 .pre_snapshot = acpi_hibernation_pre_snapshot,
18719@@ -610,7 +610,7 @@ static int acpi_hibernation_pre_snapshot
18720 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
18721 * been requested.
18722 */
18723-static struct platform_hibernation_ops acpi_hibernation_ops_old = {
18724+static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
18725 .begin = acpi_hibernation_begin_old,
18726 .end = acpi_pm_end,
18727 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
18728diff -urNp linux-2.6.33.1/drivers/acpi/video.c linux-2.6.33.1/drivers/acpi/video.c
18729--- linux-2.6.33.1/drivers/acpi/video.c 2010-03-15 12:09:39.000000000 -0400
18730+++ linux-2.6.33.1/drivers/acpi/video.c 2010-03-20 16:58:39.136890536 -0400
18731@@ -366,7 +366,7 @@ static int acpi_video_set_brightness(str
18732 vd->brightness->levels[request_level]);
18733 }
18734
18735-static struct backlight_ops acpi_backlight_ops = {
18736+static const struct backlight_ops acpi_backlight_ops = {
18737 .get_brightness = acpi_video_get_brightness,
18738 .update_status = acpi_video_set_brightness,
18739 };
18740diff -urNp linux-2.6.33.1/drivers/ata/ahci.c linux-2.6.33.1/drivers/ata/ahci.c
18741--- linux-2.6.33.1/drivers/ata/ahci.c 2010-03-15 12:09:39.000000000 -0400
18742+++ linux-2.6.33.1/drivers/ata/ahci.c 2010-03-20 16:58:39.153286662 -0400
18743@@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
18744 .sdev_attrs = ahci_sdev_attrs,
18745 };
18746
18747-static struct ata_port_operations ahci_ops = {
18748+static const struct ata_port_operations ahci_ops = {
18749 .inherits = &sata_pmp_port_ops,
18750
18751 .qc_defer = sata_pmp_qc_defer_cmd_switch,
18752@@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
18753 .port_stop = ahci_port_stop,
18754 };
18755
18756-static struct ata_port_operations ahci_vt8251_ops = {
18757+static const struct ata_port_operations ahci_vt8251_ops = {
18758 .inherits = &ahci_ops,
18759 .hardreset = ahci_vt8251_hardreset,
18760 };
18761
18762-static struct ata_port_operations ahci_p5wdh_ops = {
18763+static const struct ata_port_operations ahci_p5wdh_ops = {
18764 .inherits = &ahci_ops,
18765 .hardreset = ahci_p5wdh_hardreset,
18766 };
18767
18768-static struct ata_port_operations ahci_sb600_ops = {
18769+static const struct ata_port_operations ahci_sb600_ops = {
18770 .inherits = &ahci_ops,
18771 .softreset = ahci_sb600_softreset,
18772 .pmp_softreset = ahci_sb600_softreset,
18773@@ -681,7 +681,7 @@ static const struct pci_device_id ahci_p
58c5fc13
MT
18774 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
18775 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
18776
18777- { } /* terminate list */
18778+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18779 };
18780
18781
ae4e228f
MT
18782diff -urNp linux-2.6.33.1/drivers/ata/ata_generic.c linux-2.6.33.1/drivers/ata/ata_generic.c
18783--- linux-2.6.33.1/drivers/ata/ata_generic.c 2010-03-15 12:09:39.000000000 -0400
18784+++ linux-2.6.33.1/drivers/ata/ata_generic.c 2010-03-20 16:58:39.156781730 -0400
18785@@ -95,7 +95,7 @@ static struct scsi_host_template generic
18786 ATA_BMDMA_SHT(DRV_NAME),
18787 };
18788
18789-static struct ata_port_operations generic_port_ops = {
18790+static const struct ata_port_operations generic_port_ops = {
18791 .inherits = &ata_bmdma_port_ops,
18792 .cable_detect = ata_cable_unknown,
18793 .set_mode = generic_set_mode,
18794diff -urNp linux-2.6.33.1/drivers/ata/ata_piix.c linux-2.6.33.1/drivers/ata/ata_piix.c
18795--- linux-2.6.33.1/drivers/ata/ata_piix.c 2010-03-15 12:09:39.000000000 -0400
18796+++ linux-2.6.33.1/drivers/ata/ata_piix.c 2010-03-20 16:58:39.160672594 -0400
58c5fc13
MT
18797@@ -291,7 +291,7 @@ static const struct pci_device_id piix_p
18798 { 0x8086, 0x3b2d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
18799 /* SATA Controller IDE (PCH) */
18800 { 0x8086, 0x3b2e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
18801- { } /* terminate list */
18802+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
18803 };
18804
18805 static struct pci_driver piix_pci_driver = {
ae4e228f
MT
18806@@ -309,7 +309,7 @@ static struct scsi_host_template piix_sh
18807 ATA_BMDMA_SHT(DRV_NAME),
18808 };
18809
18810-static struct ata_port_operations piix_pata_ops = {
18811+static const struct ata_port_operations piix_pata_ops = {
18812 .inherits = &ata_bmdma32_port_ops,
18813 .cable_detect = ata_cable_40wire,
18814 .set_piomode = piix_set_piomode,
18815@@ -317,22 +317,22 @@ static struct ata_port_operations piix_p
18816 .prereset = piix_pata_prereset,
18817 };
18818
18819-static struct ata_port_operations piix_vmw_ops = {
18820+static const struct ata_port_operations piix_vmw_ops = {
18821 .inherits = &piix_pata_ops,
18822 .bmdma_status = piix_vmw_bmdma_status,
18823 };
18824
18825-static struct ata_port_operations ich_pata_ops = {
18826+static const struct ata_port_operations ich_pata_ops = {
18827 .inherits = &piix_pata_ops,
18828 .cable_detect = ich_pata_cable_detect,
18829 .set_dmamode = ich_set_dmamode,
18830 };
18831
18832-static struct ata_port_operations piix_sata_ops = {
18833+static const struct ata_port_operations piix_sata_ops = {
18834 .inherits = &ata_bmdma32_port_ops,
18835 };
18836
18837-static struct ata_port_operations piix_sidpr_sata_ops = {
18838+static const struct ata_port_operations piix_sidpr_sata_ops = {
18839 .inherits = &piix_sata_ops,
18840 .hardreset = sata_std_hardreset,
18841 .scr_read = piix_sidpr_scr_read,
58c5fc13
MT
18842@@ -608,7 +608,7 @@ static const struct ich_laptop ich_lapto
18843 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
18844 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
18845 /* end marker */
18846- { 0, }
18847+ { 0, 0, 0 }
18848 };
18849
18850 /**
18851@@ -1086,7 +1086,7 @@ static int piix_broken_suspend(void)
18852 },
18853 },
18854
18855- { } /* terminate list */
18856+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
18857 };
18858 static const char *oemstrs[] = {
18859 "Tecra M3,",
ae4e228f
MT
18860diff -urNp linux-2.6.33.1/drivers/ata/libata-acpi.c linux-2.6.33.1/drivers/ata/libata-acpi.c
18861--- linux-2.6.33.1/drivers/ata/libata-acpi.c 2010-03-15 12:09:39.000000000 -0400
18862+++ linux-2.6.33.1/drivers/ata/libata-acpi.c 2010-03-20 16:58:39.164792430 -0400
18863@@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
18864 ata_acpi_uevent(dev->link->ap, dev, event);
18865 }
18866
18867-static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18868+static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
18869 .handler = ata_acpi_dev_notify_dock,
18870 .uevent = ata_acpi_dev_uevent,
18871 };
18872
18873-static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18874+static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
18875 .handler = ata_acpi_ap_notify_dock,
18876 .uevent = ata_acpi_ap_uevent,
18877 };
18878diff -urNp linux-2.6.33.1/drivers/ata/libata-core.c linux-2.6.33.1/drivers/ata/libata-core.c
18879--- linux-2.6.33.1/drivers/ata/libata-core.c 2010-03-15 12:09:39.000000000 -0400
18880+++ linux-2.6.33.1/drivers/ata/libata-core.c 2010-03-20 16:58:39.176796856 -0400
58c5fc13
MT
18881@@ -896,7 +896,7 @@ static const struct ata_xfer_ent {
18882 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
18883 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
18884 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
18885- { -1, },
18886+ { -1, 0, 0 }
18887 };
18888
18889 /**
ae4e228f 18890@@ -3163,7 +3163,7 @@ static const struct ata_timing ata_timin
58c5fc13
MT
18891 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
18892 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
18893
18894- { 0xFF }
18895+ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
18896 };
18897
18898 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
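Review bot: The new terminator `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` has nine initialisers while the rows above it (for example the `XFER_UDMA_5` entry) have ten, so the last field is still implicitly zeroed. Behaviour is unchanged, but if the purpose of spelling out the terminators in this patch is to avoid missing-field-initialiser warnings, this entry does not achieve it. I would write `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` to match the other rows.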
ae4e228f 18899@@ -4385,7 +4385,7 @@ static const struct ata_blacklist_entry
58c5fc13
MT
18900 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
18901
18902 /* End Marker */
18903- { }
18904+ { NULL, NULL, 0 }
18905 };
18906
18907 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
ae4e228f
MT
18908@@ -5961,7 +5961,7 @@ static void ata_host_stop(struct device
18909 * LOCKING:
18910 * None.
18911 */
18912-static void ata_finalize_port_ops(struct ata_port_operations *ops)
18913+static void ata_finalize_port_ops(const struct ata_port_operations *ops)
18914 {
18915 static DEFINE_SPINLOCK(lock);
18916 const struct ata_port_operations *cur;
18917@@ -5973,6 +5973,7 @@ static void ata_finalize_port_ops(struct
18918 return;
18919
18920 spin_lock(&lock);
18921+ pax_open_kernel();
18922
18923 for (cur = ops->inherits; cur; cur = cur->inherits) {
18924 void **inherit = (void **)cur;
18925@@ -5986,8 +5987,9 @@ static void ata_finalize_port_ops(struct
18926 if (IS_ERR(*pp))
18927 *pp = NULL;
18928
18929- ops->inherits = NULL;
18930+ ((struct ata_port_operations *)ops)->inherits = NULL;
18931
18932+ pax_close_kernel();
18933 spin_unlock(&lock);
18934 }
18935
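Review bot: The store `((struct ata_port_operations *)ops)->inherits = NULL` and the `*pp` writes in the loop above it modify tables that this patch declares `const` (every `ata_port_operations` with an `.inherits` entry), so the function is only correct if `pax_open_kernel()` makes read-only kernel data writable in every configuration the patch builds in. That helper is not defined in the visible part. I would document the exception next to the `pax_open_kernel()` call added in the previous hunk, e.g. `/* ops tables are const; this one-time inherit fix-up is the only permitted write */`, so that a later edit does not widen the window or add a return path between the open and close calls. The loop body lies partly outside these hunks, so the absence of such a return path cannot be confirmed from here.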
18936@@ -6084,7 +6086,7 @@ int ata_host_start(struct ata_host *host
18937 */
18938 /* KILLME - the only user left is ipr */
18939 void ata_host_init(struct ata_host *host, struct device *dev,
18940- unsigned long flags, struct ata_port_operations *ops)
18941+ unsigned long flags, const struct ata_port_operations *ops)
18942 {
18943 spin_lock_init(&host->lock);
18944 host->dev = dev;
18945@@ -6754,7 +6756,7 @@ static void ata_dummy_error_handler(stru
18946 /* truly dummy */
18947 }
18948
18949-struct ata_port_operations ata_dummy_port_ops = {
18950+const struct ata_port_operations ata_dummy_port_ops = {
18951 .qc_prep = ata_noop_qc_prep,
18952 .qc_issue = ata_dummy_qc_issue,
18953 .error_handler = ata_dummy_error_handler,
18954diff -urNp linux-2.6.33.1/drivers/ata/libata-eh.c linux-2.6.33.1/drivers/ata/libata-eh.c
18955--- linux-2.6.33.1/drivers/ata/libata-eh.c 2010-03-15 12:09:39.000000000 -0400
18956+++ linux-2.6.33.1/drivers/ata/libata-eh.c 2010-03-20 16:58:39.180707680 -0400
18957@@ -3675,7 +3675,7 @@ void ata_do_eh(struct ata_port *ap, ata_
18958 */
18959 void ata_std_error_handler(struct ata_port *ap)
18960 {
18961- struct ata_port_operations *ops = ap->ops;
18962+ const struct ata_port_operations *ops = ap->ops;
18963 ata_reset_fn_t hardreset = ops->hardreset;
18964
18965 /* ignore built-in hardreset if SCR access is not available */
18966diff -urNp linux-2.6.33.1/drivers/ata/libata-pmp.c linux-2.6.33.1/drivers/ata/libata-pmp.c
18967--- linux-2.6.33.1/drivers/ata/libata-pmp.c 2010-03-15 12:09:39.000000000 -0400
18968+++ linux-2.6.33.1/drivers/ata/libata-pmp.c 2010-03-20 16:58:39.180707680 -0400
18969@@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
18970 */
18971 static int sata_pmp_eh_recover(struct ata_port *ap)
18972 {
18973- struct ata_port_operations *ops = ap->ops;
18974+ const struct ata_port_operations *ops = ap->ops;
18975 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
18976 struct ata_link *pmp_link = &ap->link;
18977 struct ata_device *pmp_dev = pmp_link->device;
18978diff -urNp linux-2.6.33.1/drivers/ata/pata_acpi.c linux-2.6.33.1/drivers/ata/pata_acpi.c
18979--- linux-2.6.33.1/drivers/ata/pata_acpi.c 2010-03-15 12:09:39.000000000 -0400
18980+++ linux-2.6.33.1/drivers/ata/pata_acpi.c 2010-03-20 16:58:39.188784803 -0400
18981@@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
18982 ATA_BMDMA_SHT(DRV_NAME),
18983 };
18984
18985-static struct ata_port_operations pacpi_ops = {
18986+static const struct ata_port_operations pacpi_ops = {
18987 .inherits = &ata_bmdma_port_ops,
18988 .qc_issue = pacpi_qc_issue,
18989 .cable_detect = pacpi_cable_detect,
18990diff -urNp linux-2.6.33.1/drivers/ata/pata_ali.c linux-2.6.33.1/drivers/ata/pata_ali.c
18991--- linux-2.6.33.1/drivers/ata/pata_ali.c 2010-03-15 12:09:39.000000000 -0400
18992+++ linux-2.6.33.1/drivers/ata/pata_ali.c 2010-03-20 16:58:39.188784803 -0400
18993@@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
18994 * Port operations for PIO only ALi
18995 */
18996
18997-static struct ata_port_operations ali_early_port_ops = {
18998+static const struct ata_port_operations ali_early_port_ops = {
18999 .inherits = &ata_sff_port_ops,
19000 .cable_detect = ata_cable_40wire,
19001 .set_piomode = ali_set_piomode,
19002@@ -382,7 +382,7 @@ static const struct ata_port_operations
19003 * Port operations for DMA capable ALi without cable
19004 * detect
19005 */
19006-static struct ata_port_operations ali_20_port_ops = {
19007+static const struct ata_port_operations ali_20_port_ops = {
19008 .inherits = &ali_dma_base_ops,
19009 .cable_detect = ata_cable_40wire,
19010 .mode_filter = ali_20_filter,
19011@@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
19012 /*
19013 * Port operations for DMA capable ALi with cable detect
19014 */
19015-static struct ata_port_operations ali_c2_port_ops = {
19016+static const struct ata_port_operations ali_c2_port_ops = {
19017 .inherits = &ali_dma_base_ops,
19018 .check_atapi_dma = ali_check_atapi_dma,
19019 .cable_detect = ali_c2_cable_detect,
19020@@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
19021 /*
19022 * Port operations for DMA capable ALi with cable detect
19023 */
19024-static struct ata_port_operations ali_c4_port_ops = {
19025+static const struct ata_port_operations ali_c4_port_ops = {
19026 .inherits = &ali_dma_base_ops,
19027 .check_atapi_dma = ali_check_atapi_dma,
19028 .cable_detect = ali_c2_cable_detect,
19029@@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
19030 /*
19031 * Port operations for DMA capable ALi with cable detect and LBA48
19032 */
19033-static struct ata_port_operations ali_c5_port_ops = {
19034+static const struct ata_port_operations ali_c5_port_ops = {
19035 .inherits = &ali_dma_base_ops,
19036 .check_atapi_dma = ali_check_atapi_dma,
19037 .dev_config = ali_warn_atapi_dma,
19038diff -urNp linux-2.6.33.1/drivers/ata/pata_amd.c linux-2.6.33.1/drivers/ata/pata_amd.c
19039--- linux-2.6.33.1/drivers/ata/pata_amd.c 2010-03-15 12:09:39.000000000 -0400
19040+++ linux-2.6.33.1/drivers/ata/pata_amd.c 2010-03-20 16:58:39.214454463 -0400
19041@@ -397,28 +397,28 @@ static const struct ata_port_operations
19042 .prereset = amd_pre_reset,
19043 };
19044
19045-static struct ata_port_operations amd33_port_ops = {
19046+static const struct ata_port_operations amd33_port_ops = {
19047 .inherits = &amd_base_port_ops,
19048 .cable_detect = ata_cable_40wire,
19049 .set_piomode = amd33_set_piomode,
19050 .set_dmamode = amd33_set_dmamode,
19051 };
19052
19053-static struct ata_port_operations amd66_port_ops = {
19054+static const struct ata_port_operations amd66_port_ops = {
19055 .inherits = &amd_base_port_ops,
19056 .cable_detect = ata_cable_unknown,
19057 .set_piomode = amd66_set_piomode,
19058 .set_dmamode = amd66_set_dmamode,
19059 };
19060
19061-static struct ata_port_operations amd100_port_ops = {
19062+static const struct ata_port_operations amd100_port_ops = {
19063 .inherits = &amd_base_port_ops,
19064 .cable_detect = ata_cable_unknown,
19065 .set_piomode = amd100_set_piomode,
19066 .set_dmamode = amd100_set_dmamode,
19067 };
19068
19069-static struct ata_port_operations amd133_port_ops = {
19070+static const struct ata_port_operations amd133_port_ops = {
19071 .inherits = &amd_base_port_ops,
19072 .cable_detect = amd_cable_detect,
19073 .set_piomode = amd133_set_piomode,
19074@@ -433,13 +433,13 @@ static const struct ata_port_operations
19075 .host_stop = nv_host_stop,
19076 };
19077
19078-static struct ata_port_operations nv100_port_ops = {
19079+static const struct ata_port_operations nv100_port_ops = {
19080 .inherits = &nv_base_port_ops,
19081 .set_piomode = nv100_set_piomode,
19082 .set_dmamode = nv100_set_dmamode,
19083 };
19084
19085-static struct ata_port_operations nv133_port_ops = {
19086+static const struct ata_port_operations nv133_port_ops = {
19087 .inherits = &nv_base_port_ops,
19088 .set_piomode = nv133_set_piomode,
19089 .set_dmamode = nv133_set_dmamode,
19090diff -urNp linux-2.6.33.1/drivers/ata/pata_artop.c linux-2.6.33.1/drivers/ata/pata_artop.c
19091--- linux-2.6.33.1/drivers/ata/pata_artop.c 2010-03-15 12:09:39.000000000 -0400
19092+++ linux-2.6.33.1/drivers/ata/pata_artop.c 2010-03-20 16:58:39.220796895 -0400
19093@@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
19094 ATA_BMDMA_SHT(DRV_NAME),
19095 };
19096
19097-static struct ata_port_operations artop6210_ops = {
19098+static const struct ata_port_operations artop6210_ops = {
19099 .inherits = &ata_bmdma_port_ops,
19100 .cable_detect = ata_cable_40wire,
19101 .set_piomode = artop6210_set_piomode,
19102@@ -320,7 +320,7 @@ static struct ata_port_operations artop6
19103 .qc_defer = artop6210_qc_defer,
19104 };
19105
19106-static struct ata_port_operations artop6260_ops = {
19107+static const struct ata_port_operations artop6260_ops = {
19108 .inherits = &ata_bmdma_port_ops,
19109 .cable_detect = artop6260_cable_detect,
19110 .set_piomode = artop6260_set_piomode,
19111diff -urNp linux-2.6.33.1/drivers/ata/pata_at32.c linux-2.6.33.1/drivers/ata/pata_at32.c
19112--- linux-2.6.33.1/drivers/ata/pata_at32.c 2010-03-15 12:09:39.000000000 -0400
19113+++ linux-2.6.33.1/drivers/ata/pata_at32.c 2010-03-20 16:58:39.220796895 -0400
19114@@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
19115 ATA_PIO_SHT(DRV_NAME),
19116 };
19117
19118-static struct ata_port_operations at32_port_ops = {
19119+static const struct ata_port_operations at32_port_ops = {
19120 .inherits = &ata_sff_port_ops,
19121 .cable_detect = ata_cable_40wire,
19122 .set_piomode = pata_at32_set_piomode,
19123diff -urNp linux-2.6.33.1/drivers/ata/pata_at91.c linux-2.6.33.1/drivers/ata/pata_at91.c
19124--- linux-2.6.33.1/drivers/ata/pata_at91.c 2010-03-15 12:09:39.000000000 -0400
19125+++ linux-2.6.33.1/drivers/ata/pata_at91.c 2010-03-20 16:58:39.224661770 -0400
19126@@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
19127 ATA_PIO_SHT(DRV_NAME),
19128 };
19129
19130-static struct ata_port_operations pata_at91_port_ops = {
19131+static const struct ata_port_operations pata_at91_port_ops = {
19132 .inherits = &ata_sff_port_ops,
19133
19134 .sff_data_xfer = pata_at91_data_xfer_noirq,
19135diff -urNp linux-2.6.33.1/drivers/ata/pata_atiixp.c linux-2.6.33.1/drivers/ata/pata_atiixp.c
19136--- linux-2.6.33.1/drivers/ata/pata_atiixp.c 2010-03-15 12:09:39.000000000 -0400
19137+++ linux-2.6.33.1/drivers/ata/pata_atiixp.c 2010-03-20 16:58:39.224661770 -0400
19138@@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
19139 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19140 };
19141
19142-static struct ata_port_operations atiixp_port_ops = {
19143+static const struct ata_port_operations atiixp_port_ops = {
19144 .inherits = &ata_bmdma_port_ops,
19145
19146 .qc_prep = ata_sff_dumb_qc_prep,
19147diff -urNp linux-2.6.33.1/drivers/ata/pata_atp867x.c linux-2.6.33.1/drivers/ata/pata_atp867x.c
19148--- linux-2.6.33.1/drivers/ata/pata_atp867x.c 2010-03-15 12:09:39.000000000 -0400
19149+++ linux-2.6.33.1/drivers/ata/pata_atp867x.c 2010-03-20 16:58:39.224661770 -0400
19150@@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
19151 ATA_BMDMA_SHT(DRV_NAME),
19152 };
19153
19154-static struct ata_port_operations atp867x_ops = {
19155+static const struct ata_port_operations atp867x_ops = {
19156 .inherits = &ata_bmdma_port_ops,
19157 .cable_detect = atp867x_cable_detect,
19158 .set_piomode = atp867x_set_piomode,
19159diff -urNp linux-2.6.33.1/drivers/ata/pata_bf54x.c linux-2.6.33.1/drivers/ata/pata_bf54x.c
19160--- linux-2.6.33.1/drivers/ata/pata_bf54x.c 2010-03-15 12:09:39.000000000 -0400
19161+++ linux-2.6.33.1/drivers/ata/pata_bf54x.c 2010-03-20 16:58:39.236808133 -0400
19162@@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
19163 .dma_boundary = ATA_DMA_BOUNDARY,
19164 };
19165
19166-static struct ata_port_operations bfin_pata_ops = {
19167+static const struct ata_port_operations bfin_pata_ops = {
19168 .inherits = &ata_sff_port_ops,
19169
19170 .set_piomode = bfin_set_piomode,
19171diff -urNp linux-2.6.33.1/drivers/ata/pata_cmd640.c linux-2.6.33.1/drivers/ata/pata_cmd640.c
19172--- linux-2.6.33.1/drivers/ata/pata_cmd640.c 2010-03-15 12:09:39.000000000 -0400
19173+++ linux-2.6.33.1/drivers/ata/pata_cmd640.c 2010-03-20 16:58:39.244791590 -0400
19174@@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
19175 ATA_BMDMA_SHT(DRV_NAME),
19176 };
19177
19178-static struct ata_port_operations cmd640_port_ops = {
19179+static const struct ata_port_operations cmd640_port_ops = {
19180 .inherits = &ata_bmdma_port_ops,
19181 /* In theory xfer_noirq is not needed once we kill the prefetcher */
19182 .sff_data_xfer = ata_sff_data_xfer_noirq,
19183diff -urNp linux-2.6.33.1/drivers/ata/pata_cmd64x.c linux-2.6.33.1/drivers/ata/pata_cmd64x.c
19184--- linux-2.6.33.1/drivers/ata/pata_cmd64x.c 2010-03-15 12:09:39.000000000 -0400
19185+++ linux-2.6.33.1/drivers/ata/pata_cmd64x.c 2010-03-20 16:58:39.252794847 -0400
19186@@ -275,18 +275,18 @@ static const struct ata_port_operations
19187 .set_dmamode = cmd64x_set_dmamode,
19188 };
19189
19190-static struct ata_port_operations cmd64x_port_ops = {
19191+static const struct ata_port_operations cmd64x_port_ops = {
19192 .inherits = &cmd64x_base_ops,
19193 .cable_detect = ata_cable_40wire,
19194 };
19195
19196-static struct ata_port_operations cmd646r1_port_ops = {
19197+static const struct ata_port_operations cmd646r1_port_ops = {
19198 .inherits = &cmd64x_base_ops,
19199 .bmdma_stop = cmd646r1_bmdma_stop,
19200 .cable_detect = ata_cable_40wire,
19201 };
19202
19203-static struct ata_port_operations cmd648_port_ops = {
19204+static const struct ata_port_operations cmd648_port_ops = {
19205 .inherits = &cmd64x_base_ops,
19206 .bmdma_stop = cmd648_bmdma_stop,
19207 .cable_detect = cmd648_cable_detect,
19208diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5520.c linux-2.6.33.1/drivers/ata/pata_cs5520.c
19209--- linux-2.6.33.1/drivers/ata/pata_cs5520.c 2010-03-15 12:09:39.000000000 -0400
19210+++ linux-2.6.33.1/drivers/ata/pata_cs5520.c 2010-03-20 16:58:39.268797665 -0400
19211@@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
19212 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19213 };
19214
19215-static struct ata_port_operations cs5520_port_ops = {
19216+static const struct ata_port_operations cs5520_port_ops = {
19217 .inherits = &ata_bmdma_port_ops,
19218 .qc_prep = ata_sff_dumb_qc_prep,
19219 .cable_detect = ata_cable_40wire,
19220diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5530.c linux-2.6.33.1/drivers/ata/pata_cs5530.c
19221--- linux-2.6.33.1/drivers/ata/pata_cs5530.c 2010-03-15 12:09:39.000000000 -0400
19222+++ linux-2.6.33.1/drivers/ata/pata_cs5530.c 2010-03-20 16:58:39.272512019 -0400
19223@@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
19224 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19225 };
19226
19227-static struct ata_port_operations cs5530_port_ops = {
19228+static const struct ata_port_operations cs5530_port_ops = {
19229 .inherits = &ata_bmdma_port_ops,
19230
19231 .qc_prep = ata_sff_dumb_qc_prep,
19232diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5535.c linux-2.6.33.1/drivers/ata/pata_cs5535.c
19233--- linux-2.6.33.1/drivers/ata/pata_cs5535.c 2010-03-15 12:09:39.000000000 -0400
19234+++ linux-2.6.33.1/drivers/ata/pata_cs5535.c 2010-03-20 16:58:39.272512019 -0400
19235@@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
19236 ATA_BMDMA_SHT(DRV_NAME),
19237 };
19238
19239-static struct ata_port_operations cs5535_port_ops = {
19240+static const struct ata_port_operations cs5535_port_ops = {
19241 .inherits = &ata_bmdma_port_ops,
19242 .cable_detect = cs5535_cable_detect,
19243 .set_piomode = cs5535_set_piomode,
19244diff -urNp linux-2.6.33.1/drivers/ata/pata_cs5536.c linux-2.6.33.1/drivers/ata/pata_cs5536.c
19245--- linux-2.6.33.1/drivers/ata/pata_cs5536.c 2010-03-15 12:09:39.000000000 -0400
19246+++ linux-2.6.33.1/drivers/ata/pata_cs5536.c 2010-03-20 16:58:39.272512019 -0400
19247@@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
19248 ATA_BMDMA_SHT(DRV_NAME),
19249 };
19250
19251-static struct ata_port_operations cs5536_port_ops = {
19252+static const struct ata_port_operations cs5536_port_ops = {
19253 .inherits = &ata_bmdma32_port_ops,
19254 .cable_detect = cs5536_cable_detect,
19255 .set_piomode = cs5536_set_piomode,
19256diff -urNp linux-2.6.33.1/drivers/ata/pata_cypress.c linux-2.6.33.1/drivers/ata/pata_cypress.c
19257--- linux-2.6.33.1/drivers/ata/pata_cypress.c 2010-03-15 12:09:39.000000000 -0400
19258+++ linux-2.6.33.1/drivers/ata/pata_cypress.c 2010-03-20 16:58:39.272512019 -0400
19259@@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
19260 ATA_BMDMA_SHT(DRV_NAME),
19261 };
19262
19263-static struct ata_port_operations cy82c693_port_ops = {
19264+static const struct ata_port_operations cy82c693_port_ops = {
19265 .inherits = &ata_bmdma_port_ops,
19266 .cable_detect = ata_cable_40wire,
19267 .set_piomode = cy82c693_set_piomode,
19268diff -urNp linux-2.6.33.1/drivers/ata/pata_efar.c linux-2.6.33.1/drivers/ata/pata_efar.c
19269--- linux-2.6.33.1/drivers/ata/pata_efar.c 2010-03-15 12:09:39.000000000 -0400
19270+++ linux-2.6.33.1/drivers/ata/pata_efar.c 2010-03-20 16:58:39.272512019 -0400
19271@@ -223,7 +223,7 @@ static struct scsi_host_template efar_sh
19272 ATA_BMDMA_SHT(DRV_NAME),
19273 };
19274
19275-static struct ata_port_operations efar_ops = {
19276+static const struct ata_port_operations efar_ops = {
19277 .inherits = &ata_bmdma_port_ops,
19278 .cable_detect = efar_cable_detect,
19279 .set_piomode = efar_set_piomode,
19280diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt366.c linux-2.6.33.1/drivers/ata/pata_hpt366.c
19281--- linux-2.6.33.1/drivers/ata/pata_hpt366.c 2010-03-15 12:09:39.000000000 -0400
19282+++ linux-2.6.33.1/drivers/ata/pata_hpt366.c 2010-03-20 16:58:39.272512019 -0400
19283@@ -280,7 +280,7 @@ static struct scsi_host_template hpt36x_
19284 * Configuration for HPT366/68
19285 */
19286
19287-static struct ata_port_operations hpt366_port_ops = {
19288+static const struct ata_port_operations hpt366_port_ops = {
19289 .inherits = &ata_bmdma_port_ops,
19290 .cable_detect = hpt36x_cable_detect,
19291 .mode_filter = hpt366_filter,
19292diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt37x.c linux-2.6.33.1/drivers/ata/pata_hpt37x.c
19293--- linux-2.6.33.1/drivers/ata/pata_hpt37x.c 2010-03-15 12:09:39.000000000 -0400
19294+++ linux-2.6.33.1/drivers/ata/pata_hpt37x.c 2010-03-20 16:58:39.272512019 -0400
19295@@ -583,7 +583,7 @@ static struct scsi_host_template hpt37x_
19296 * Configuration for HPT370
19297 */
19298
19299-static struct ata_port_operations hpt370_port_ops = {
19300+static const struct ata_port_operations hpt370_port_ops = {
19301 .inherits = &ata_bmdma_port_ops,
19302
19303 .bmdma_stop = hpt370_bmdma_stop,
19304@@ -599,7 +599,7 @@ static struct ata_port_operations hpt370
19305 * Configuration for HPT370A. Close to 370 but less filters
19306 */
19307
19308-static struct ata_port_operations hpt370a_port_ops = {
19309+static const struct ata_port_operations hpt370a_port_ops = {
19310 .inherits = &hpt370_port_ops,
19311 .mode_filter = hpt370a_filter,
19312 };
19313@@ -609,7 +609,7 @@ static struct ata_port_operations hpt370
19314 * and DMA mode setting functionality.
19315 */
19316
19317-static struct ata_port_operations hpt372_port_ops = {
19318+static const struct ata_port_operations hpt372_port_ops = {
19319 .inherits = &ata_bmdma_port_ops,
19320
19321 .bmdma_stop = hpt37x_bmdma_stop,
19322@@ -625,7 +625,7 @@ static struct ata_port_operations hpt372
19323 * but we have a different cable detection procedure for function 1.
19324 */
19325
19326-static struct ata_port_operations hpt374_fn1_port_ops = {
19327+static const struct ata_port_operations hpt374_fn1_port_ops = {
19328 .inherits = &hpt372_port_ops,
19329 .cable_detect = hpt374_fn1_cable_detect,
19330 .prereset = hpt37x_pre_reset,
19331diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c
19332--- linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c 2010-03-15 12:09:39.000000000 -0400
19333+++ linux-2.6.33.1/drivers/ata/pata_hpt3x2n.c 2010-03-20 16:58:39.276654661 -0400
19334@@ -339,7 +339,7 @@ static struct scsi_host_template hpt3x2n
19335 * Configuration for HPT3x2n.
19336 */
19337
19338-static struct ata_port_operations hpt3x2n_port_ops = {
19339+static const struct ata_port_operations hpt3x2n_port_ops = {
19340 .inherits = &ata_bmdma_port_ops,
19341
19342 .bmdma_stop = hpt3x2n_bmdma_stop,
19343diff -urNp linux-2.6.33.1/drivers/ata/pata_hpt3x3.c linux-2.6.33.1/drivers/ata/pata_hpt3x3.c
19344--- linux-2.6.33.1/drivers/ata/pata_hpt3x3.c 2010-03-15 12:09:39.000000000 -0400
19345+++ linux-2.6.33.1/drivers/ata/pata_hpt3x3.c 2010-03-20 16:58:39.284801841 -0400
19346@@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
19347 ATA_BMDMA_SHT(DRV_NAME),
19348 };
19349
19350-static struct ata_port_operations hpt3x3_port_ops = {
19351+static const struct ata_port_operations hpt3x3_port_ops = {
19352 .inherits = &ata_bmdma_port_ops,
19353 .cable_detect = ata_cable_40wire,
19354 .set_piomode = hpt3x3_set_piomode,
19355diff -urNp linux-2.6.33.1/drivers/ata/pata_icside.c linux-2.6.33.1/drivers/ata/pata_icside.c
19356--- linux-2.6.33.1/drivers/ata/pata_icside.c 2010-03-15 12:09:39.000000000 -0400
19357+++ linux-2.6.33.1/drivers/ata/pata_icside.c 2010-03-20 16:58:39.284801841 -0400
19358@@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
19359 }
19360 }
19361
19362-static struct ata_port_operations pata_icside_port_ops = {
19363+static const struct ata_port_operations pata_icside_port_ops = {
19364 .inherits = &ata_sff_port_ops,
19365 /* no need to build any PRD tables for DMA */
19366 .qc_prep = ata_noop_qc_prep,
19367diff -urNp linux-2.6.33.1/drivers/ata/pata_isapnp.c linux-2.6.33.1/drivers/ata/pata_isapnp.c
19368--- linux-2.6.33.1/drivers/ata/pata_isapnp.c 2010-03-15 12:09:39.000000000 -0400
19369+++ linux-2.6.33.1/drivers/ata/pata_isapnp.c 2010-03-20 16:58:39.292806212 -0400
19370@@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
19371 ATA_PIO_SHT(DRV_NAME),
19372 };
19373
19374-static struct ata_port_operations isapnp_port_ops = {
19375+static const struct ata_port_operations isapnp_port_ops = {
19376 .inherits = &ata_sff_port_ops,
19377 .cable_detect = ata_cable_40wire,
19378 };
19379
19380-static struct ata_port_operations isapnp_noalt_port_ops = {
19381+static const struct ata_port_operations isapnp_noalt_port_ops = {
19382 .inherits = &ata_sff_port_ops,
19383 .cable_detect = ata_cable_40wire,
19384 /* No altstatus so we don't want to use the lost interrupt poll */
19385diff -urNp linux-2.6.33.1/drivers/ata/pata_it8213.c linux-2.6.33.1/drivers/ata/pata_it8213.c
19386--- linux-2.6.33.1/drivers/ata/pata_it8213.c 2010-03-15 12:09:39.000000000 -0400
19387+++ linux-2.6.33.1/drivers/ata/pata_it8213.c 2010-03-20 16:58:39.296567577 -0400
19388@@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
19389 };
19390
19391
19392-static struct ata_port_operations it8213_ops = {
19393+static const struct ata_port_operations it8213_ops = {
19394 .inherits = &ata_bmdma_port_ops,
19395 .cable_detect = it8213_cable_detect,
19396 .set_piomode = it8213_set_piomode,
19397diff -urNp linux-2.6.33.1/drivers/ata/pata_it821x.c linux-2.6.33.1/drivers/ata/pata_it821x.c
19398--- linux-2.6.33.1/drivers/ata/pata_it821x.c 2010-03-15 12:09:39.000000000 -0400
19399+++ linux-2.6.33.1/drivers/ata/pata_it821x.c 2010-03-20 16:58:39.296567577 -0400
19400@@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
19401 ATA_BMDMA_SHT(DRV_NAME),
19402 };
19403
19404-static struct ata_port_operations it821x_smart_port_ops = {
19405+static const struct ata_port_operations it821x_smart_port_ops = {
19406 .inherits = &ata_bmdma_port_ops,
19407
19408 .check_atapi_dma= it821x_check_atapi_dma,
19409@@ -814,7 +814,7 @@ static struct ata_port_operations it821x
19410 .port_start = it821x_port_start,
19411 };
19412
19413-static struct ata_port_operations it821x_passthru_port_ops = {
19414+static const struct ata_port_operations it821x_passthru_port_ops = {
19415 .inherits = &ata_bmdma_port_ops,
19416
19417 .check_atapi_dma= it821x_check_atapi_dma,
19418@@ -830,7 +830,7 @@ static struct ata_port_operations it821x
19419 .port_start = it821x_port_start,
19420 };
19421
19422-static struct ata_port_operations it821x_rdc_port_ops = {
19423+static const struct ata_port_operations it821x_rdc_port_ops = {
19424 .inherits = &ata_bmdma_port_ops,
19425
19426 .check_atapi_dma= it821x_check_atapi_dma,
19427diff -urNp linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c
19428--- linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c 2010-03-15 12:09:39.000000000 -0400
19429+++ linux-2.6.33.1/drivers/ata/pata_ixp4xx_cf.c 2010-03-20 16:58:39.296567577 -0400
19430@@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
19431 ATA_PIO_SHT(DRV_NAME),
19432 };
19433
19434-static struct ata_port_operations ixp4xx_port_ops = {
19435+static const struct ata_port_operations ixp4xx_port_ops = {
19436 .inherits = &ata_sff_port_ops,
19437 .sff_data_xfer = ixp4xx_mmio_data_xfer,
19438 .cable_detect = ata_cable_40wire,
19439diff -urNp linux-2.6.33.1/drivers/ata/pata_jmicron.c linux-2.6.33.1/drivers/ata/pata_jmicron.c
19440--- linux-2.6.33.1/drivers/ata/pata_jmicron.c 2010-03-15 12:09:39.000000000 -0400
19441+++ linux-2.6.33.1/drivers/ata/pata_jmicron.c 2010-03-20 16:58:39.296567577 -0400
19442@@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
19443 ATA_BMDMA_SHT(DRV_NAME),
19444 };
19445
19446-static struct ata_port_operations jmicron_ops = {
19447+static const struct ata_port_operations jmicron_ops = {
19448 .inherits = &ata_bmdma_port_ops,
19449 .prereset = jmicron_pre_reset,
19450 };
19451diff -urNp linux-2.6.33.1/drivers/ata/pata_legacy.c linux-2.6.33.1/drivers/ata/pata_legacy.c
19452--- linux-2.6.33.1/drivers/ata/pata_legacy.c 2010-03-15 12:09:39.000000000 -0400
19453+++ linux-2.6.33.1/drivers/ata/pata_legacy.c 2010-03-20 16:58:39.296567577 -0400
19454@@ -113,7 +113,7 @@ struct legacy_probe {
19455
19456 struct legacy_controller {
19457 const char *name;
19458- struct ata_port_operations *ops;
19459+ const struct ata_port_operations *ops;
19460 unsigned int pio_mask;
19461 unsigned int flags;
19462 unsigned int pflags;
19463@@ -230,12 +230,12 @@ static const struct ata_port_operations
19464 * pio_mask as well.
19465 */
19466
19467-static struct ata_port_operations simple_port_ops = {
19468+static const struct ata_port_operations simple_port_ops = {
19469 .inherits = &legacy_base_port_ops,
19470 .sff_data_xfer = ata_sff_data_xfer_noirq,
19471 };
19472
19473-static struct ata_port_operations legacy_port_ops = {
19474+static const struct ata_port_operations legacy_port_ops = {
19475 .inherits = &legacy_base_port_ops,
19476 .sff_data_xfer = ata_sff_data_xfer_noirq,
19477 .set_mode = legacy_set_mode,
19478@@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
19479 return buflen;
19480 }
19481
19482-static struct ata_port_operations pdc20230_port_ops = {
19483+static const struct ata_port_operations pdc20230_port_ops = {
19484 .inherits = &legacy_base_port_ops,
19485 .set_piomode = pdc20230_set_piomode,
19486 .sff_data_xfer = pdc_data_xfer_vlb,
19487@@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
19488 ioread8(ap->ioaddr.status_addr);
19489 }
19490
19491-static struct ata_port_operations ht6560a_port_ops = {
19492+static const struct ata_port_operations ht6560a_port_ops = {
19493 .inherits = &legacy_base_port_ops,
19494 .set_piomode = ht6560a_set_piomode,
19495 };
19496@@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
19497 ioread8(ap->ioaddr.status_addr);
19498 }
19499
19500-static struct ata_port_operations ht6560b_port_ops = {
19501+static const struct ata_port_operations ht6560b_port_ops = {
19502 .inherits = &legacy_base_port_ops,
19503 .set_piomode = ht6560b_set_piomode,
19504 };
19505@@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
19506 }
19507
19508
19509-static struct ata_port_operations opti82c611a_port_ops = {
19510+static const struct ata_port_operations opti82c611a_port_ops = {
19511 .inherits = &legacy_base_port_ops,
19512 .set_piomode = opti82c611a_set_piomode,
19513 };
19514@@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
19515 return ata_sff_qc_issue(qc);
19516 }
19517
19518-static struct ata_port_operations opti82c46x_port_ops = {
19519+static const struct ata_port_operations opti82c46x_port_ops = {
19520 .inherits = &legacy_base_port_ops,
19521 .set_piomode = opti82c46x_set_piomode,
19522 .qc_issue = opti82c46x_qc_issue,
19523@@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
19524 return 0;
19525 }
19526
19527-static struct ata_port_operations qdi6500_port_ops = {
19528+static const struct ata_port_operations qdi6500_port_ops = {
19529 .inherits = &legacy_base_port_ops,
19530 .set_piomode = qdi6500_set_piomode,
19531 .qc_issue = qdi_qc_issue,
19532 .sff_data_xfer = vlb32_data_xfer,
19533 };
19534
19535-static struct ata_port_operations qdi6580_port_ops = {
19536+static const struct ata_port_operations qdi6580_port_ops = {
19537 .inherits = &legacy_base_port_ops,
19538 .set_piomode = qdi6580_set_piomode,
19539 .sff_data_xfer = vlb32_data_xfer,
19540 };
19541
19542-static struct ata_port_operations qdi6580dp_port_ops = {
19543+static const struct ata_port_operations qdi6580dp_port_ops = {
19544 .inherits = &legacy_base_port_ops,
19545 .set_piomode = qdi6580dp_set_piomode,
19546 .qc_issue = qdi_qc_issue,
19547@@ -863,7 +863,7 @@ static int winbond_port(struct platform_
19548 return 0;
19549 }
19550
19551-static struct ata_port_operations winbond_port_ops = {
19552+static const struct ata_port_operations winbond_port_ops = {
19553 .inherits = &legacy_base_port_ops,
19554 .set_piomode = winbond_set_piomode,
19555 .sff_data_xfer = vlb32_data_xfer,
19556@@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
19557 int pio_modes = controller->pio_mask;
19558 unsigned long io = probe->port;
19559 u32 mask = (1 << probe->slot);
19560- struct ata_port_operations *ops = controller->ops;
19561+ const struct ata_port_operations *ops = controller->ops;
19562 struct legacy_data *ld = &legacy_data[probe->slot];
19563 struct ata_host *host = NULL;
19564 struct ata_port *ap;
19565diff -urNp linux-2.6.33.1/drivers/ata/pata_macio.c linux-2.6.33.1/drivers/ata/pata_macio.c
19566--- linux-2.6.33.1/drivers/ata/pata_macio.c 2010-03-15 12:09:39.000000000 -0400
19567+++ linux-2.6.33.1/drivers/ata/pata_macio.c 2010-03-20 16:58:39.300646647 -0400
19568@@ -915,7 +915,7 @@ static struct scsi_host_template pata_ma
19569 .slave_configure = pata_macio_slave_config,
19570 };
19571
19572-static struct ata_port_operations pata_macio_ops = {
19573+static const struct ata_port_operations pata_macio_ops = {
19574 .inherits = &ata_sff_port_ops,
19575
19576 .freeze = pata_macio_freeze,
19577diff -urNp linux-2.6.33.1/drivers/ata/pata_marvell.c linux-2.6.33.1/drivers/ata/pata_marvell.c
19578--- linux-2.6.33.1/drivers/ata/pata_marvell.c 2010-03-15 12:09:39.000000000 -0400
19579+++ linux-2.6.33.1/drivers/ata/pata_marvell.c 2010-03-20 16:58:39.300646647 -0400
19580@@ -100,7 +100,7 @@ static struct scsi_host_template marvell
19581 ATA_BMDMA_SHT(DRV_NAME),
19582 };
19583
19584-static struct ata_port_operations marvell_ops = {
19585+static const struct ata_port_operations marvell_ops = {
19586 .inherits = &ata_bmdma_port_ops,
19587 .cable_detect = marvell_cable_detect,
19588 .prereset = marvell_pre_reset,
19589diff -urNp linux-2.6.33.1/drivers/ata/pata_mpc52xx.c linux-2.6.33.1/drivers/ata/pata_mpc52xx.c
19590--- linux-2.6.33.1/drivers/ata/pata_mpc52xx.c 2010-03-15 12:09:39.000000000 -0400
19591+++ linux-2.6.33.1/drivers/ata/pata_mpc52xx.c 2010-03-20 16:58:39.300646647 -0400
19592@@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
19593 ATA_PIO_SHT(DRV_NAME),
19594 };
19595
19596-static struct ata_port_operations mpc52xx_ata_port_ops = {
19597+static const struct ata_port_operations mpc52xx_ata_port_ops = {
19598 .inherits = &ata_sff_port_ops,
19599 .sff_dev_select = mpc52xx_ata_dev_select,
19600 .set_piomode = mpc52xx_ata_set_piomode,
19601diff -urNp linux-2.6.33.1/drivers/ata/pata_mpiix.c linux-2.6.33.1/drivers/ata/pata_mpiix.c
19602--- linux-2.6.33.1/drivers/ata/pata_mpiix.c 2010-03-15 12:09:39.000000000 -0400
19603+++ linux-2.6.33.1/drivers/ata/pata_mpiix.c 2010-03-20 16:58:39.300646647 -0400
19604@@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
19605 ATA_PIO_SHT(DRV_NAME),
19606 };
19607
19608-static struct ata_port_operations mpiix_port_ops = {
19609+static const struct ata_port_operations mpiix_port_ops = {
19610 .inherits = &ata_sff_port_ops,
19611 .qc_issue = mpiix_qc_issue,
19612 .cable_detect = ata_cable_40wire,
19613diff -urNp linux-2.6.33.1/drivers/ata/pata_netcell.c linux-2.6.33.1/drivers/ata/pata_netcell.c
19614--- linux-2.6.33.1/drivers/ata/pata_netcell.c 2010-03-15 12:09:39.000000000 -0400
19615+++ linux-2.6.33.1/drivers/ata/pata_netcell.c 2010-03-20 16:58:39.300646647 -0400
19616@@ -34,7 +34,7 @@ static struct scsi_host_template netcell
19617 ATA_BMDMA_SHT(DRV_NAME),
19618 };
19619
19620-static struct ata_port_operations netcell_ops = {
19621+static const struct ata_port_operations netcell_ops = {
19622 .inherits = &ata_bmdma_port_ops,
19623 .cable_detect = ata_cable_80wire,
19624 .read_id = netcell_read_id,
19625diff -urNp linux-2.6.33.1/drivers/ata/pata_ninja32.c linux-2.6.33.1/drivers/ata/pata_ninja32.c
19626--- linux-2.6.33.1/drivers/ata/pata_ninja32.c 2010-03-15 12:09:39.000000000 -0400
19627+++ linux-2.6.33.1/drivers/ata/pata_ninja32.c 2010-03-20 16:58:39.304517814 -0400
19628@@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
19629 ATA_BMDMA_SHT(DRV_NAME),
19630 };
19631
19632-static struct ata_port_operations ninja32_port_ops = {
19633+static const struct ata_port_operations ninja32_port_ops = {
19634 .inherits = &ata_bmdma_port_ops,
19635 .sff_dev_select = ninja32_dev_select,
19636 .cable_detect = ata_cable_40wire,
19637diff -urNp linux-2.6.33.1/drivers/ata/pata_ns87410.c linux-2.6.33.1/drivers/ata/pata_ns87410.c
19638--- linux-2.6.33.1/drivers/ata/pata_ns87410.c 2010-03-15 12:09:39.000000000 -0400
19639+++ linux-2.6.33.1/drivers/ata/pata_ns87410.c 2010-03-20 16:58:39.304517814 -0400
19640@@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
19641 ATA_PIO_SHT(DRV_NAME),
19642 };
19643
19644-static struct ata_port_operations ns87410_port_ops = {
19645+static const struct ata_port_operations ns87410_port_ops = {
19646 .inherits = &ata_sff_port_ops,
19647 .qc_issue = ns87410_qc_issue,
19648 .cable_detect = ata_cable_40wire,
19649diff -urNp linux-2.6.33.1/drivers/ata/pata_ns87415.c linux-2.6.33.1/drivers/ata/pata_ns87415.c
19650--- linux-2.6.33.1/drivers/ata/pata_ns87415.c 2010-03-15 12:09:39.000000000 -0400
19651+++ linux-2.6.33.1/drivers/ata/pata_ns87415.c 2010-03-20 16:58:39.304517814 -0400
19652@@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
19653 }
19654 #endif /* 87560 SuperIO Support */
19655
19656-static struct ata_port_operations ns87415_pata_ops = {
19657+static const struct ata_port_operations ns87415_pata_ops = {
19658 .inherits = &ata_bmdma_port_ops,
19659
19660 .check_atapi_dma = ns87415_check_atapi_dma,
19661@@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
19662 };
19663
19664 #if defined(CONFIG_SUPERIO)
19665-static struct ata_port_operations ns87560_pata_ops = {
19666+static const struct ata_port_operations ns87560_pata_ops = {
19667 .inherits = &ns87415_pata_ops,
19668 .sff_tf_read = ns87560_tf_read,
19669 .sff_check_status = ns87560_check_status,
19670diff -urNp linux-2.6.33.1/drivers/ata/pata_octeon_cf.c linux-2.6.33.1/drivers/ata/pata_octeon_cf.c
19671--- linux-2.6.33.1/drivers/ata/pata_octeon_cf.c 2010-03-15 12:09:39.000000000 -0400
19672+++ linux-2.6.33.1/drivers/ata/pata_octeon_cf.c 2010-03-20 16:58:39.304517814 -0400
19673@@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
19674 return 0;
19675 }
19676
19677+/* cannot be const */
19678 static struct ata_port_operations octeon_cf_ops = {
19679 .inherits = &ata_sff_port_ops,
19680 .check_atapi_dma = octeon_cf_check_atapi_dma,
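Review bot: The added comment `/* cannot be const */` gives no reason, so the next person constifying libata tables has to rediscover why this one was skipped. Presumably the driver assigns members of `octeon_cf_ops` at probe time, but the assignment site is outside this hunk and should be confirmed. I would spell it out, e.g. `/* cannot be const: members are assigned at probe time */`. It is also worth noting in the patch description that this table stays writable, and so remains a function-pointer target that the rest of the series does not protect.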
19681diff -urNp linux-2.6.33.1/drivers/ata/pata_oldpiix.c linux-2.6.33.1/drivers/ata/pata_oldpiix.c
19682--- linux-2.6.33.1/drivers/ata/pata_oldpiix.c 2010-03-15 12:09:39.000000000 -0400
19683+++ linux-2.6.33.1/drivers/ata/pata_oldpiix.c 2010-03-20 16:58:39.304517814 -0400
19684@@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
19685 ATA_BMDMA_SHT(DRV_NAME),
19686 };
19687
19688-static struct ata_port_operations oldpiix_pata_ops = {
19689+static const struct ata_port_operations oldpiix_pata_ops = {
19690 .inherits = &ata_bmdma_port_ops,
19691 .qc_issue = oldpiix_qc_issue,
19692 .cable_detect = ata_cable_40wire,
19693diff -urNp linux-2.6.33.1/drivers/ata/pata_opti.c linux-2.6.33.1/drivers/ata/pata_opti.c
19694--- linux-2.6.33.1/drivers/ata/pata_opti.c 2010-03-15 12:09:39.000000000 -0400
19695+++ linux-2.6.33.1/drivers/ata/pata_opti.c 2010-03-20 16:58:39.304517814 -0400
19696@@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
19697 ATA_PIO_SHT(DRV_NAME),
19698 };
19699
19700-static struct ata_port_operations opti_port_ops = {
19701+static const struct ata_port_operations opti_port_ops = {
19702 .inherits = &ata_sff_port_ops,
19703 .cable_detect = ata_cable_40wire,
19704 .set_piomode = opti_set_piomode,
19705diff -urNp linux-2.6.33.1/drivers/ata/pata_optidma.c linux-2.6.33.1/drivers/ata/pata_optidma.c
19706--- linux-2.6.33.1/drivers/ata/pata_optidma.c 2010-03-15 12:09:39.000000000 -0400
19707+++ linux-2.6.33.1/drivers/ata/pata_optidma.c 2010-03-20 16:58:39.308536639 -0400
19708@@ -337,7 +337,7 @@ static struct scsi_host_template optidma
19709 ATA_BMDMA_SHT(DRV_NAME),
19710 };
19711
19712-static struct ata_port_operations optidma_port_ops = {
19713+static const struct ata_port_operations optidma_port_ops = {
19714 .inherits = &ata_bmdma_port_ops,
19715 .cable_detect = ata_cable_40wire,
19716 .set_piomode = optidma_set_pio_mode,
19717@@ -346,7 +346,7 @@ static struct ata_port_operations optidm
19718 .prereset = optidma_pre_reset,
19719 };
19720
19721-static struct ata_port_operations optiplus_port_ops = {
19722+static const struct ata_port_operations optiplus_port_ops = {
19723 .inherits = &optidma_port_ops,
19724 .set_piomode = optiplus_set_pio_mode,
19725 .set_dmamode = optiplus_set_dma_mode,
19726diff -urNp linux-2.6.33.1/drivers/ata/pata_palmld.c linux-2.6.33.1/drivers/ata/pata_palmld.c
19727--- linux-2.6.33.1/drivers/ata/pata_palmld.c 2010-03-15 12:09:39.000000000 -0400
19728+++ linux-2.6.33.1/drivers/ata/pata_palmld.c 2010-03-20 16:58:39.308536639 -0400
19729@@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
19730 ATA_PIO_SHT(DRV_NAME),
19731 };
19732
19733-static struct ata_port_operations palmld_port_ops = {
19734+static const struct ata_port_operations palmld_port_ops = {
19735 .inherits = &ata_sff_port_ops,
19736 .sff_data_xfer = ata_sff_data_xfer_noirq,
19737 .cable_detect = ata_cable_40wire,
19738diff -urNp linux-2.6.33.1/drivers/ata/pata_pcmcia.c linux-2.6.33.1/drivers/ata/pata_pcmcia.c
19739--- linux-2.6.33.1/drivers/ata/pata_pcmcia.c 2010-03-15 12:09:39.000000000 -0400
19740+++ linux-2.6.33.1/drivers/ata/pata_pcmcia.c 2010-03-20 16:58:39.308536639 -0400
19741@@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
19742 ATA_PIO_SHT(DRV_NAME),
19743 };
19744
19745-static struct ata_port_operations pcmcia_port_ops = {
19746+static const struct ata_port_operations pcmcia_port_ops = {
19747 .inherits = &ata_sff_port_ops,
19748 .sff_data_xfer = ata_sff_data_xfer_noirq,
19749 .cable_detect = ata_cable_40wire,
19750 .set_mode = pcmcia_set_mode,
19751 };
19752
19753-static struct ata_port_operations pcmcia_8bit_port_ops = {
19754+static const struct ata_port_operations pcmcia_8bit_port_ops = {
19755 .inherits = &ata_sff_port_ops,
19756 .sff_data_xfer = ata_data_xfer_8bit,
19757 .cable_detect = ata_cable_40wire,
19758@@ -253,7 +253,7 @@ static int pcmcia_init_one(struct pcmcia
19759 unsigned long io_base, ctl_base;
19760 void __iomem *io_addr, *ctl_addr;
19761 int n_ports = 1;
19762- struct ata_port_operations *ops = &pcmcia_port_ops;
19763+ const struct ata_port_operations *ops = &pcmcia_port_ops;
19764
19765 info = kzalloc(sizeof(*info), GFP_KERNEL);
19766 if (info == NULL)
19767diff -urNp linux-2.6.33.1/drivers/ata/pata_pdc2027x.c linux-2.6.33.1/drivers/ata/pata_pdc2027x.c
19768--- linux-2.6.33.1/drivers/ata/pata_pdc2027x.c 2010-03-15 12:09:39.000000000 -0400
19769+++ linux-2.6.33.1/drivers/ata/pata_pdc2027x.c 2010-03-20 16:58:39.308536639 -0400
19770@@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
19771 ATA_BMDMA_SHT(DRV_NAME),
19772 };
19773
19774-static struct ata_port_operations pdc2027x_pata100_ops = {
19775+static const struct ata_port_operations pdc2027x_pata100_ops = {
19776 .inherits = &ata_bmdma_port_ops,
19777 .check_atapi_dma = pdc2027x_check_atapi_dma,
19778 .cable_detect = pdc2027x_cable_detect,
19779 .prereset = pdc2027x_prereset,
19780 };
19781
19782-static struct ata_port_operations pdc2027x_pata133_ops = {
19783+static const struct ata_port_operations pdc2027x_pata133_ops = {
19784 .inherits = &pdc2027x_pata100_ops,
19785 .mode_filter = pdc2027x_mode_filter,
19786 .set_piomode = pdc2027x_set_piomode,
19787diff -urNp linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c
19788--- linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c 2010-03-15 12:09:39.000000000 -0400
19789+++ linux-2.6.33.1/drivers/ata/pata_pdc202xx_old.c 2010-03-20 16:58:39.308536639 -0400
19790@@ -265,7 +265,7 @@ static struct scsi_host_template pdc202x
19791 ATA_BMDMA_SHT(DRV_NAME),
19792 };
19793
19794-static struct ata_port_operations pdc2024x_port_ops = {
19795+static const struct ata_port_operations pdc2024x_port_ops = {
19796 .inherits = &ata_bmdma_port_ops,
19797
19798 .cable_detect = ata_cable_40wire,
19799@@ -273,7 +273,7 @@ static struct ata_port_operations pdc202
19800 .set_dmamode = pdc202xx_set_dmamode,
19801 };
19802
19803-static struct ata_port_operations pdc2026x_port_ops = {
19804+static const struct ata_port_operations pdc2026x_port_ops = {
19805 .inherits = &pdc2024x_port_ops,
19806
19807 .check_atapi_dma = pdc2026x_check_atapi_dma,
19808diff -urNp linux-2.6.33.1/drivers/ata/pata_piccolo.c linux-2.6.33.1/drivers/ata/pata_piccolo.c
19809--- linux-2.6.33.1/drivers/ata/pata_piccolo.c 2010-03-15 12:09:39.000000000 -0400
19810+++ linux-2.6.33.1/drivers/ata/pata_piccolo.c 2010-03-20 16:58:39.308536639 -0400
19811@@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
19812 ATA_BMDMA_SHT(DRV_NAME),
19813 };
19814
19815-static struct ata_port_operations tosh_port_ops = {
19816+static const struct ata_port_operations tosh_port_ops = {
19817 .inherits = &ata_bmdma_port_ops,
19818 .cable_detect = ata_cable_unknown,
19819 .set_piomode = tosh_set_piomode,
19820diff -urNp linux-2.6.33.1/drivers/ata/pata_platform.c linux-2.6.33.1/drivers/ata/pata_platform.c
19821--- linux-2.6.33.1/drivers/ata/pata_platform.c 2010-03-15 12:09:39.000000000 -0400
19822+++ linux-2.6.33.1/drivers/ata/pata_platform.c 2010-03-20 16:58:39.312510954 -0400
19823@@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
19824 ATA_PIO_SHT(DRV_NAME),
19825 };
19826
19827-static struct ata_port_operations pata_platform_port_ops = {
19828+static const struct ata_port_operations pata_platform_port_ops = {
19829 .inherits = &ata_sff_port_ops,
19830 .sff_data_xfer = ata_sff_data_xfer_noirq,
19831 .cable_detect = ata_cable_unknown,
19832diff -urNp linux-2.6.33.1/drivers/ata/pata_qdi.c linux-2.6.33.1/drivers/ata/pata_qdi.c
19833--- linux-2.6.33.1/drivers/ata/pata_qdi.c 2010-03-15 12:09:39.000000000 -0400
19834+++ linux-2.6.33.1/drivers/ata/pata_qdi.c 2010-03-20 16:58:39.312510954 -0400
19835@@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
19836 ATA_PIO_SHT(DRV_NAME),
19837 };
19838
19839-static struct ata_port_operations qdi6500_port_ops = {
19840+static const struct ata_port_operations qdi6500_port_ops = {
19841 .inherits = &ata_sff_port_ops,
19842 .qc_issue = qdi_qc_issue,
19843 .sff_data_xfer = qdi_data_xfer,
19844@@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
19845 .set_piomode = qdi6500_set_piomode,
19846 };
19847
19848-static struct ata_port_operations qdi6580_port_ops = {
19849+static const struct ata_port_operations qdi6580_port_ops = {
19850 .inherits = &qdi6500_port_ops,
19851 .set_piomode = qdi6580_set_piomode,
19852 };
19853diff -urNp linux-2.6.33.1/drivers/ata/pata_radisys.c linux-2.6.33.1/drivers/ata/pata_radisys.c
19854--- linux-2.6.33.1/drivers/ata/pata_radisys.c 2010-03-15 12:09:39.000000000 -0400
19855+++ linux-2.6.33.1/drivers/ata/pata_radisys.c 2010-03-20 16:58:39.312510954 -0400
19856@@ -187,7 +187,7 @@ static struct scsi_host_template radisys
19857 ATA_BMDMA_SHT(DRV_NAME),
19858 };
19859
19860-static struct ata_port_operations radisys_pata_ops = {
19861+static const struct ata_port_operations radisys_pata_ops = {
19862 .inherits = &ata_bmdma_port_ops,
19863 .qc_issue = radisys_qc_issue,
19864 .cable_detect = ata_cable_unknown,
19865diff -urNp linux-2.6.33.1/drivers/ata/pata_rb532_cf.c linux-2.6.33.1/drivers/ata/pata_rb532_cf.c
19866--- linux-2.6.33.1/drivers/ata/pata_rb532_cf.c 2010-03-15 12:09:39.000000000 -0400
19867+++ linux-2.6.33.1/drivers/ata/pata_rb532_cf.c 2010-03-20 16:58:39.312510954 -0400
19868@@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
19869 return IRQ_HANDLED;
19870 }
19871
19872-static struct ata_port_operations rb532_pata_port_ops = {
19873+static const struct ata_port_operations rb532_pata_port_ops = {
19874 .inherits = &ata_sff_port_ops,
19875 .sff_data_xfer = ata_sff_data_xfer32,
19876 };
19877diff -urNp linux-2.6.33.1/drivers/ata/pata_rdc.c linux-2.6.33.1/drivers/ata/pata_rdc.c
19878--- linux-2.6.33.1/drivers/ata/pata_rdc.c 2010-03-15 12:09:39.000000000 -0400
19879+++ linux-2.6.33.1/drivers/ata/pata_rdc.c 2010-03-20 16:58:39.312510954 -0400
19880@@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
19881 pci_write_config_byte(dev, 0x48, udma_enable);
19882 }
19883
19884-static struct ata_port_operations rdc_pata_ops = {
19885+static const struct ata_port_operations rdc_pata_ops = {
19886 .inherits = &ata_bmdma32_port_ops,
19887 .cable_detect = rdc_pata_cable_detect,
19888 .set_piomode = rdc_set_piomode,
19889diff -urNp linux-2.6.33.1/drivers/ata/pata_rz1000.c linux-2.6.33.1/drivers/ata/pata_rz1000.c
19890--- linux-2.6.33.1/drivers/ata/pata_rz1000.c 2010-03-15 12:09:39.000000000 -0400
19891+++ linux-2.6.33.1/drivers/ata/pata_rz1000.c 2010-03-20 16:58:39.312510954 -0400
19892@@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
19893 ATA_PIO_SHT(DRV_NAME),
19894 };
19895
19896-static struct ata_port_operations rz1000_port_ops = {
19897+static const struct ata_port_operations rz1000_port_ops = {
19898 .inherits = &ata_sff_port_ops,
19899 .cable_detect = ata_cable_40wire,
19900 .set_mode = rz1000_set_mode,
19901diff -urNp linux-2.6.33.1/drivers/ata/pata_sc1200.c linux-2.6.33.1/drivers/ata/pata_sc1200.c
19902--- linux-2.6.33.1/drivers/ata/pata_sc1200.c 2010-03-15 12:09:39.000000000 -0400
19903+++ linux-2.6.33.1/drivers/ata/pata_sc1200.c 2010-03-20 16:58:39.312510954 -0400
19904@@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
19905 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
19906 };
19907
19908-static struct ata_port_operations sc1200_port_ops = {
19909+static const struct ata_port_operations sc1200_port_ops = {
19910 .inherits = &ata_bmdma_port_ops,
19911 .qc_prep = ata_sff_dumb_qc_prep,
19912 .qc_issue = sc1200_qc_issue,
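--- a/drivers/ata/pata_scc.c
+++ b/drivers/ata/pata_scc.c
@@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations scc_pata_ops = {
+static const struct ata_port_operations scc_pata_ops = {
 .inherits = &ata_bmdma_port_ops,
 
 .set_piomode = scc_set_piomode,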
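--- a/drivers/ata/pata_sch.c
+++ b/drivers/ata/pata_sch.c
@@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations sch_pata_ops = {
+static const struct ata_port_operations sch_pata_ops = {
 .inherits = &ata_bmdma_port_ops,
 .cable_detect = ata_cable_unknown,
 .set_piomode = sch_set_piomode,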
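--- a/drivers/ata/pata_serverworks.c
+++ b/drivers/ata/pata_serverworks.c
@@ -299,7 +299,7 @@ static struct scsi_host_template serverw
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations serverworks_osb4_port_ops = {
+static const struct ata_port_operations serverworks_osb4_port_ops = {
 .inherits = &ata_bmdma_port_ops,
 .cable_detect = serverworks_cable_detect,
 .mode_filter = serverworks_osb4_filter,
@@ -307,7 +307,7 @@ static struct ata_port_operations server
 .set_dmamode = serverworks_set_dmamode,
 };
 
-static struct ata_port_operations serverworks_csb_port_ops = {
+static const struct ata_port_operations serverworks_csb_port_ops = {
 .inherits = &serverworks_osb4_port_ops,
 .mode_filter = serverworks_csb_filter,
 };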
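--- a/drivers/ata/pata_sil680.c
+++ b/drivers/ata/pata_sil680.c
@@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations sil680_port_ops = {
+static const struct ata_port_operations sil680_port_ops = {
 .inherits = &ata_bmdma32_port_ops,
 .cable_detect = sil680_cable_detect,
 .set_piomode = sil680_set_piomode,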
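--- a/drivers/ata/pata_sis.c
+++ b/drivers/ata/pata_sis.c
@@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations sis_133_for_sata_ops = {
+static const struct ata_port_operations sis_133_for_sata_ops = {
 .inherits = &ata_bmdma_port_ops,
 .set_piomode = sis_133_set_piomode,
 .set_dmamode = sis_133_set_dmamode,
 .cable_detect = sis_133_cable_detect,
 };
 
-static struct ata_port_operations sis_base_ops = {
+static const struct ata_port_operations sis_base_ops = {
 .inherits = &ata_bmdma_port_ops,
 .prereset = sis_pre_reset,
 };
 
-static struct ata_port_operations sis_133_ops = {
+static const struct ata_port_operations sis_133_ops = {
 .inherits = &sis_base_ops,
 .set_piomode = sis_133_set_piomode,
 .set_dmamode = sis_133_set_dmamode,
 .cable_detect = sis_133_cable_detect,
 };
 
-static struct ata_port_operations sis_133_early_ops = {
+static const struct ata_port_operations sis_133_early_ops = {
 .inherits = &sis_base_ops,
 .set_piomode = sis_100_set_piomode,
 .set_dmamode = sis_133_early_set_dmamode,
 .cable_detect = sis_66_cable_detect,
 };
 
-static struct ata_port_operations sis_100_ops = {
+static const struct ata_port_operations sis_100_ops = {
 .inherits = &sis_base_ops,
 .set_piomode = sis_100_set_piomode,
 .set_dmamode = sis_100_set_dmamode,
 .cable_detect = sis_66_cable_detect,
 };
 
-static struct ata_port_operations sis_66_ops = {
+static const struct ata_port_operations sis_66_ops = {
 .inherits = &sis_base_ops,
 .set_piomode = sis_old_set_piomode,
 .set_dmamode = sis_66_set_dmamode,
 .cable_detect = sis_66_cable_detect,
 };
 
-static struct ata_port_operations sis_old_ops = {
+static const struct ata_port_operations sis_old_ops = {
 .inherits = &sis_base_ops,
 .set_piomode = sis_old_set_piomode,
 .set_dmamode = sis_old_set_dmamode,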
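--- a/drivers/ata/pata_sl82c105.c
+++ b/drivers/ata/pata_sl82c105.c
@@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations sl82c105_port_ops = {
+static const struct ata_port_operations sl82c105_port_ops = {
 .inherits = &ata_bmdma_port_ops,
 .qc_defer = sl82c105_qc_defer,
 .bmdma_start = sl82c105_bmdma_start,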
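--- a/drivers/ata/pata_triflex.c
+++ b/drivers/ata/pata_triflex.c
@@ -178,7 +178,7 @@ static struct scsi_host_template triflex
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations triflex_port_ops = {
+static const struct ata_port_operations triflex_port_ops = {
 .inherits = &ata_bmdma_port_ops,
 .bmdma_start = triflex_bmdma_start,
 .bmdma_stop = triflex_bmdma_stop,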
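--- a/drivers/ata/pata_via.c
+++ b/drivers/ata/pata_via.c
@@ -452,7 +452,7 @@ static struct scsi_host_template via_sht
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations via_port_ops = {
+static const struct ata_port_operations via_port_ops = {
 .inherits = &ata_bmdma_port_ops,
 .cable_detect = via_cable_detect,
 .set_piomode = via_set_piomode,
@@ -463,7 +463,7 @@ static struct ata_port_operations via_po
 .mode_filter = via_mode_filter,
 };
 
-static struct ata_port_operations via_port_ops_noirq = {
+static const struct ata_port_operations via_port_ops_noirq = {
 .inherits = &via_port_ops,
 .sff_data_xfer = ata_sff_data_xfer_noirq,
 };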
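--- a/drivers/ata/pata_winbond.c
+++ b/drivers/ata/pata_winbond.c
@@ -125,7 +125,7 @@ static struct scsi_host_template winbond
 ATA_PIO_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations winbond_port_ops = {
+static const struct ata_port_operations winbond_port_ops = {
 .inherits = &ata_sff_port_ops,
 .sff_data_xfer = winbond_data_xfer,
 .cable_detect = ata_cable_40wire,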
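--- a/drivers/ata/pdc_adma.c
+++ b/drivers/ata/pdc_adma.c
@@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
 .dma_boundary = ADMA_DMA_BOUNDARY,
 };
 
-static struct ata_port_operations adma_ata_ops = {
+static const struct ata_port_operations adma_ata_ops = {
 .inherits = &ata_sff_port_ops,
 
 .lost_interrupt = ATA_OP_NULL,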
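--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -1260,7 +1260,7 @@ static struct scsi_host_template sata_fs
 .dma_boundary = ATA_DMA_BOUNDARY,
 };
 
-static struct ata_port_operations sata_fsl_ops = {
+static const struct ata_port_operations sata_fsl_ops = {
 .inherits = &sata_pmp_port_ops,
 
 .qc_defer = ata_std_qc_defer,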
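--- a/drivers/ata/sata_inic162x.c
+++ b/drivers/ata/sata_inic162x.c
@@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
 return 0;
 }
 
-static struct ata_port_operations inic_port_ops = {
+static const struct ata_port_operations inic_port_ops = {
 .inherits = &sata_port_ops,
 
 .check_atapi_dma = inic_check_atapi_dma,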
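--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -662,7 +662,7 @@ static struct scsi_host_template mv6_sht
 .dma_boundary = MV_DMA_BOUNDARY,
 };
 
-static struct ata_port_operations mv5_ops = {
+static const struct ata_port_operations mv5_ops = {
 .inherits = &ata_sff_port_ops,
 
 .lost_interrupt = ATA_OP_NULL,
@@ -684,7 +684,7 @@ static struct ata_port_operations mv5_op
 .port_stop = mv_port_stop,
 };
 
-static struct ata_port_operations mv6_ops = {
+static const struct ata_port_operations mv6_ops = {
 .inherits = &mv5_ops,
 .dev_config = mv6_dev_config,
 .scr_read = mv_scr_read,
@@ -704,7 +704,7 @@ static struct ata_port_operations mv6_op
 .bmdma_status = mv_bmdma_status,
 };
 
-static struct ata_port_operations mv_iie_ops = {
+static const struct ata_port_operations mv_iie_ops = {
 .inherits = &mv6_ops,
 .dev_config = ATA_OP_NULL,
 .qc_prep = mv_qc_prep_iie,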
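--- a/drivers/ata/sata_nv.c
+++ b/drivers/ata/sata_nv.c
@@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
 * cases. Define nv_hardreset() which only kicks in for post-boot
 * probing and use it for all variants.
 */
-static struct ata_port_operations nv_generic_ops = {
+static const struct ata_port_operations nv_generic_ops = {
 .inherits = &ata_bmdma_port_ops,
 .lost_interrupt = ATA_OP_NULL,
 .scr_read = nv_scr_read,
@@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
 .hardreset = nv_hardreset,
 };
 
-static struct ata_port_operations nv_nf2_ops = {
+static const struct ata_port_operations nv_nf2_ops = {
 .inherits = &nv_generic_ops,
 .freeze = nv_nf2_freeze,
 .thaw = nv_nf2_thaw,
 };
 
-static struct ata_port_operations nv_ck804_ops = {
+static const struct ata_port_operations nv_ck804_ops = {
 .inherits = &nv_generic_ops,
 .freeze = nv_ck804_freeze,
 .thaw = nv_ck804_thaw,
 .host_stop = nv_ck804_host_stop,
 };
 
-static struct ata_port_operations nv_adma_ops = {
+static const struct ata_port_operations nv_adma_ops = {
 .inherits = &nv_ck804_ops,
 
 .check_atapi_dma = nv_adma_check_atapi_dma,
@@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
 .host_stop = nv_adma_host_stop,
 };
 
-static struct ata_port_operations nv_swncq_ops = {
+static const struct ata_port_operations nv_swncq_ops = {
 .inherits = &nv_generic_ops,
 
 .qc_defer = ata_std_qc_defer,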
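--- a/drivers/ata/sata_promise.c
+++ b/drivers/ata/sata_promise.c
@@ -195,7 +195,7 @@ static const struct ata_port_operations
 .error_handler = pdc_error_handler,
 };
 
-static struct ata_port_operations pdc_sata_ops = {
+static const struct ata_port_operations pdc_sata_ops = {
 .inherits = &pdc_common_ops,
 .cable_detect = pdc_sata_cable_detect,
 .freeze = pdc_sata_freeze,
@@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
 
 /* First-generation chips need a more restrictive ->check_atapi_dma op,
 and ->freeze/thaw that ignore the hotplug controls. */
-static struct ata_port_operations pdc_old_sata_ops = {
+static const struct ata_port_operations pdc_old_sata_ops = {
 .inherits = &pdc_sata_ops,
 .freeze = pdc_freeze,
 .thaw = pdc_thaw,
 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
 };
 
-static struct ata_port_operations pdc_pata_ops = {
+static const struct ata_port_operations pdc_pata_ops = {
 .inherits = &pdc_common_ops,
 .cable_detect = pdc_pata_cable_detect,
 .freeze = pdc_freeze,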
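--- a/drivers/ata/sata_qstor.c
+++ b/drivers/ata/sata_qstor.c
@@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
 .dma_boundary = QS_DMA_BOUNDARY,
 };
 
-static struct ata_port_operations qs_ata_ops = {
+static const struct ata_port_operations qs_ata_ops = {
 .inherits = &ata_sff_port_ops,
 
 .check_atapi_dma = qs_check_atapi_dma,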
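--- a/drivers/ata/sata_sil24.c
+++ b/drivers/ata/sata_sil24.c
@@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
 .dma_boundary = ATA_DMA_BOUNDARY,
 };
 
-static struct ata_port_operations sil24_ops = {
+static const struct ata_port_operations sil24_ops = {
 .inherits = &sata_pmp_port_ops,
 
 .qc_defer = sil24_qc_defer,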
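--- a/drivers/ata/sata_sil.c
+++ b/drivers/ata/sata_sil.c
@@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
 .sg_tablesize = ATA_MAX_PRD
 };
 
-static struct ata_port_operations sil_ops = {
+static const struct ata_port_operations sil_ops = {
 .inherits = &ata_bmdma32_port_ops,
 .dev_config = sil_dev_config,
 .set_mode = sil_set_mode,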
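--- a/drivers/ata/sata_sis.c
+++ b/drivers/ata/sata_sis.c
@@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations sis_ops = {
+static const struct ata_port_operations sis_ops = {
 .inherits = &ata_bmdma_port_ops,
 .scr_read = sis_scr_read,
 .scr_write = sis_scr_write,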
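--- a/drivers/ata/sata_svw.c
+++ b/drivers/ata/sata_svw.c
@@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
 };
 
 
-static struct ata_port_operations k2_sata_ops = {
+static const struct ata_port_operations k2_sata_ops = {
 .inherits = &ata_bmdma_port_ops,
 .sff_tf_load = k2_sata_tf_load,
 .sff_tf_read = k2_sata_tf_read,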
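--- a/drivers/ata/sata_sx4.c
+++ b/drivers/ata/sata_sx4.c
@@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
 };
 
 /* TODO: inherit from base port_ops after converting to new EH */
-static struct ata_port_operations pdc_20621_ops = {
+static const struct ata_port_operations pdc_20621_ops = {
 .inherits = &ata_sff_port_ops,
 
 .check_atapi_dma = pdc_check_atapi_dma,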
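--- a/drivers/ata/sata_uli.c
+++ b/drivers/ata/sata_uli.c
@@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations uli_ops = {
+static const struct ata_port_operations uli_ops = {
 .inherits = &ata_bmdma_port_ops,
 .scr_read = uli_scr_read,
 .scr_write = uli_scr_write,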
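--- a/drivers/ata/sata_via.c
+++ b/drivers/ata/sata_via.c
@@ -112,31 +112,31 @@ static struct scsi_host_template svia_sh
 ATA_BMDMA_SHT(DRV_NAME),
 };
 
-static struct ata_port_operations svia_base_ops = {
+static const struct ata_port_operations svia_base_ops = {
 .inherits = &ata_bmdma_port_ops,
 .sff_tf_load = svia_tf_load,
 };
 
-static struct ata_port_operations vt6420_sata_ops = {
+static const struct ata_port_operations vt6420_sata_ops = {
 .inherits = &svia_base_ops,
 .freeze = svia_noop_freeze,
 .prereset = vt6420_prereset,
 };
 
-static struct ata_port_operations vt6421_pata_ops = {
+static const struct ata_port_operations vt6421_pata_ops = {
 .inherits = &svia_base_ops,
 .cable_detect = vt6421_pata_cable_detect,
 .set_piomode = vt6421_set_pio_mode,
 .set_dmamode = vt6421_set_dma_mode,
 };
 
-static struct ata_port_operations vt6421_sata_ops = {
+static const struct ata_port_operations vt6421_sata_ops = {
 .inherits = &svia_base_ops,
 .scr_read = svia_scr_read,
 .scr_write = svia_scr_write,
 };
 
-static struct ata_port_operations vt8251_ops = {
+static const struct ata_port_operations vt8251_ops = {
 .inherits = &svia_base_ops,
 .hardreset = sata_std_hardreset,
 .scr_read = vt8251_scr_read,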
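--- a/drivers/ata/sata_vsc.c
+++ b/drivers/ata/sata_vsc.c
@@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
 };
 
 
-static struct ata_port_operations vsc_sata_ops = {
+static const struct ata_port_operations vsc_sata_ops = {
 .inherits = &ata_bmdma_port_ops,
 /* The IRQ handling is not quite standard SFF behaviour so we
 cannot use the default lost interrupt handler */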
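--- a/drivers/atm/adummy.c
+++ b/drivers/atm/adummy.c
@@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
 vcc->pop(vcc, skb);
 else
 dev_kfree_skb_any(skb);
- atomic_inc(&vcc->stats->tx);
+ atomic_inc_unchecked(&vcc->stats->tx);
 
 return 0;
 }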
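Review bot: `atomic_inc_unchecked()` takes the `tx` counter out of reference-counter overflow protection, which is only appropriate because `vcc->stats->tx` is a statistic that may wrap harmlessly; nothing at the call site says so. A short comment at the call, e.g. `/* statistics only: may wrap, exempt from refcount overflow checks */`, would keep a later reader from copying the `_unchecked` form onto a real reference count. The call also requires the stats fields to be declared `atomic_unchecked_t` and every reader of them to use the matching `_unchecked` accessors; those declarations are outside this part of the patch and should be checked together with it. The same conversion is repeated for the `rx`, `rx_drop`, `rx_err` and `tx_err` counters in the ambassador, atmtcp, eni, firestream, fore200e, he and horizon sections. adummy_send's body starts outside the hunk.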
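--- a/drivers/atm/ambassador.c
+++ b/drivers/atm/ambassador.c
@@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
 
 // VC layer stats
- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
 
 // free the descriptor
 kfree (tx_descr);
@@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
 dump_skb ("<<<", vc, skb);
 
 // VC layer stats
- atomic_inc(&atm_vcc->stats->rx);
+ atomic_inc_unchecked(&atm_vcc->stats->rx);
 __net_timestamp(skb);
 // end of our responsability
 atm_vcc->push (atm_vcc, skb);
@@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
 } else {
 PRINTK (KERN_INFO, "dropped over-size frame");
 // should we count this?
- atomic_inc(&atm_vcc->stats->rx_drop);
+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
 }
 
 } else {
@@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
 }
 
 if (check_area (skb->data, skb->len)) {
- atomic_inc(&atm_vcc->stats->tx_err);
+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
 return -ENOMEM; // ?
 }
 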
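--- a/drivers/atm/atmtcp.c
+++ b/drivers/atm/atmtcp.c
@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
 if (vcc->pop) vcc->pop(vcc,skb);
 else dev_kfree_skb(skb);
 if (dev_data) return 0;
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 return -ENOLINK;
 }
 size = skb->len+sizeof(struct atmtcp_hdr);
@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
 if (!new_skb) {
 if (vcc->pop) vcc->pop(vcc,skb);
 else dev_kfree_skb(skb);
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 return -ENOBUFS;
 }
 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
 if (vcc->pop) vcc->pop(vcc,skb);
 else dev_kfree_skb(skb);
 out_vcc->push(out_vcc,new_skb);
- atomic_inc(&vcc->stats->tx);
- atomic_inc(&out_vcc->stats->rx);
+ atomic_inc_unchecked(&vcc->stats->tx);
+ atomic_inc_unchecked(&out_vcc->stats->rx);
 return 0;
 }
 
@@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
 read_unlock(&vcc_sklist_lock);
 if (!out_vcc) {
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 goto done;
 }
 skb_pull(skb,sizeof(struct atmtcp_hdr));
@@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
 __net_timestamp(new_skb);
 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
 out_vcc->push(out_vcc,new_skb);
- atomic_inc(&vcc->stats->tx);
- atomic_inc(&out_vcc->stats->rx);
+ atomic_inc_unchecked(&vcc->stats->tx);
+ atomic_inc_unchecked(&out_vcc->stats->rx);
 done:
 if (vcc->pop) vcc->pop(vcc,skb);
 else dev_kfree_skb(skb);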
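--- a/drivers/atm/eni.c
+++ b/drivers/atm/eni.c
@@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
 vcc->dev->number);
 length = 0;
- atomic_inc(&vcc->stats->rx_err);
+ atomic_inc_unchecked(&vcc->stats->rx_err);
 }
 else {
 length = ATM_CELL_SIZE-1; /* no HEC */
@@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
 size);
 }
 eff = length = 0;
- atomic_inc(&vcc->stats->rx_err);
+ atomic_inc_unchecked(&vcc->stats->rx_err);
 }
 else {
 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
@@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
 vcc->dev->number,vcc->vci,length,size << 2,descr);
 length = eff = 0;
- atomic_inc(&vcc->stats->rx_err);
+ atomic_inc_unchecked(&vcc->stats->rx_err);
 }
 }
 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
@@ -770,7 +770,7 @@ rx_dequeued++;
 vcc->push(vcc,skb);
 pushed++;
 }
- atomic_inc(&vcc->stats->rx);
+ atomic_inc_unchecked(&vcc->stats->rx);
 }
 wake_up(&eni_dev->rx_wait);
 }
@@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
 PCI_DMA_TODEVICE);
 if (vcc->pop) vcc->pop(vcc,skb);
 else dev_kfree_skb_irq(skb);
- atomic_inc(&vcc->stats->tx);
+ atomic_inc_unchecked(&vcc->stats->tx);
 wake_up(&eni_dev->tx_wait);
 dma_complete++;
 }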
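--- a/drivers/atm/firestream.c
+++ b/drivers/atm/firestream.c
@@ -748,7 +748,7 @@ static void process_txdone_queue (struct
 }
 }
 
- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
 
 fs_dprintk (FS_DEBUG_TXMEM, "i");
 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
@@ -815,7 +815,7 @@ static void process_incoming (struct fs_
 #endif
 skb_put (skb, qe->p1 & 0xffff);
 ATM_SKB(skb)->vcc = atm_vcc;
- atomic_inc(&atm_vcc->stats->rx);
+ atomic_inc_unchecked(&atm_vcc->stats->rx);
 __net_timestamp(skb);
 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
 atm_vcc->push (atm_vcc, skb);
@@ -836,12 +836,12 @@ static void process_incoming (struct fs_
 kfree (pe);
 }
 if (atm_vcc)
- atomic_inc(&atm_vcc->stats->rx_drop);
+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
 break;
 case 0x1f: /* Reassembly abort: no buffers. */
 /* Silently increment error counter. */
 if (atm_vcc)
- atomic_inc(&atm_vcc->stats->rx_drop);
+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
 break;
 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",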
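--- a/drivers/atm/fore200e.c
+++ b/drivers/atm/fore200e.c
@@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
 #endif
 /* check error condition */
 if (*entry->status & STATUS_ERROR)
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 else
- atomic_inc(&vcc->stats->tx);
+ atomic_inc_unchecked(&vcc->stats->tx);
 }
 }
 
@@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
 if (skb == NULL) {
 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
 
- atomic_inc(&vcc->stats->rx_drop);
+ atomic_inc_unchecked(&vcc->stats->rx_drop);
 return -ENOMEM;
 }
 
@@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
 
 dev_kfree_skb_any(skb);
 
- atomic_inc(&vcc->stats->rx_drop);
+ atomic_inc_unchecked(&vcc->stats->rx_drop);
 return -ENOMEM;
 }
 
 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
 
 vcc->push(vcc, skb);
- atomic_inc(&vcc->stats->rx);
+ atomic_inc_unchecked(&vcc->stats->rx);
 
 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
 
@@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
 fore200e->atm_dev->number,
 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
- atomic_inc(&vcc->stats->rx_err);
+ atomic_inc_unchecked(&vcc->stats->rx_err);
 }
 }
 
@@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
 goto retry_here;
 }
 
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 
 fore200e->tx_sat++;
 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",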
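--- a/drivers/atm/he.c
+++ b/drivers/atm/he.c
@@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
 
 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
- atomic_inc(&vcc->stats->rx_drop);
+ atomic_inc_unchecked(&vcc->stats->rx_drop);
 goto return_host_buffers;
 }
 
@@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
 RBRQ_LEN_ERR(he_dev->rbrq_head)
 ? "LEN_ERR" : "",
 vcc->vpi, vcc->vci);
- atomic_inc(&vcc->stats->rx_err);
+ atomic_inc_unchecked(&vcc->stats->rx_err);
 goto return_host_buffers;
 }
 
@@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
 vcc->push(vcc, skb);
 spin_lock(&he_dev->global_lock);
 
- atomic_inc(&vcc->stats->rx);
+ atomic_inc_unchecked(&vcc->stats->rx);
 
 return_host_buffers:
 ++pdus_assembled;
@@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
 tpd->vcc->pop(tpd->vcc, tpd->skb);
 else
 dev_kfree_skb_any(tpd->skb);
- atomic_inc(&tpd->vcc->stats->tx_err);
+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
 }
 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
 return;
@@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
 vcc->pop(vcc, skb);
 else
 dev_kfree_skb_any(skb);
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 return -EINVAL;
 }
 
@@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
 vcc->pop(vcc, skb);
 else
 dev_kfree_skb_any(skb);
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 return -EINVAL;
 }
 #endif
@@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
 vcc->pop(vcc, skb);
 else
 dev_kfree_skb_any(skb);
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 spin_unlock_irqrestore(&he_dev->global_lock, flags);
 return -ENOMEM;
 }
@@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
 vcc->pop(vcc, skb);
 else
 dev_kfree_skb_any(skb);
- atomic_inc(&vcc->stats->tx_err);
+ atomic_inc_unchecked(&vcc->stats->tx_err);
 spin_unlock_irqrestore(&he_dev->global_lock, flags);
 return -ENOMEM;
 }
@@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
 __enqueue_tpd(he_dev, tpd, cid);
 spin_unlock_irqrestore(&he_dev->global_lock, flags);
 
- atomic_inc(&vcc->stats->tx);
+ atomic_inc_unchecked(&vcc->stats->tx);
 
 return 0;
 }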
ae4e228f
MT
20691diff -urNp linux-2.6.33.1/drivers/atm/horizon.c linux-2.6.33.1/drivers/atm/horizon.c
20692--- linux-2.6.33.1/drivers/atm/horizon.c 2010-03-15 12:09:39.000000000 -0400
20693+++ linux-2.6.33.1/drivers/atm/horizon.c 2010-03-20 16:58:39.496821217 -0400
58c5fc13
MT
20694@@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
20695 {
20696 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
20697 // VC layer stats
20698- atomic_inc(&vcc->stats->rx);
20699+ atomic_inc_unchecked(&vcc->stats->rx);
20700 __net_timestamp(skb);
20701 // end of our responsability
20702 vcc->push (vcc, skb);
20703@@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
20704 dev->tx_iovec = NULL;
20705
20706 // VC layer stats
20707- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
20708+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
20709
20710 // free the skb
20711 hrz_kfree_skb (skb);
ae4e228f
MT
20712diff -urNp linux-2.6.33.1/drivers/atm/idt77252.c linux-2.6.33.1/drivers/atm/idt77252.c
20713--- linux-2.6.33.1/drivers/atm/idt77252.c 2010-03-15 12:09:39.000000000 -0400
20714+++ linux-2.6.33.1/drivers/atm/idt77252.c 2010-03-20 16:58:39.496821217 -0400
58c5fc13
MT
20715@@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
20716 else
20717 dev_kfree_skb(skb);
20718
20719- atomic_inc(&vcc->stats->tx);
20720+ atomic_inc_unchecked(&vcc->stats->tx);
20721 }
20722
20723 atomic_dec(&scq->used);
20724@@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
20725 if ((sb = dev_alloc_skb(64)) == NULL) {
20726 printk("%s: Can't allocate buffers for aal0.\n",
20727 card->name);
20728- atomic_add(i, &vcc->stats->rx_drop);
20729+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
20730 break;
20731 }
20732 if (!atm_charge(vcc, sb->truesize)) {
20733 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
20734 card->name);
20735- atomic_add(i - 1, &vcc->stats->rx_drop);
20736+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
20737 dev_kfree_skb(sb);
20738 break;
20739 }
20740@@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
20741 ATM_SKB(sb)->vcc = vcc;
20742 __net_timestamp(sb);
20743 vcc->push(vcc, sb);
20744- atomic_inc(&vcc->stats->rx);
20745+ atomic_inc_unchecked(&vcc->stats->rx);
20746
20747 cell += ATM_CELL_PAYLOAD;
20748 }
20749@@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
20750 "(CDC: %08x)\n",
20751 card->name, len, rpp->len, readl(SAR_REG_CDC));
20752 recycle_rx_pool_skb(card, rpp);
20753- atomic_inc(&vcc->stats->rx_err);
20754+ atomic_inc_unchecked(&vcc->stats->rx_err);
20755 return;
20756 }
20757 if (stat & SAR_RSQE_CRC) {
20758 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
20759 recycle_rx_pool_skb(card, rpp);
20760- atomic_inc(&vcc->stats->rx_err);
20761+ atomic_inc_unchecked(&vcc->stats->rx_err);
20762 return;
20763 }
20764 if (skb_queue_len(&rpp->queue) > 1) {
20765@@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
20766 RXPRINTK("%s: Can't alloc RX skb.\n",
20767 card->name);
20768 recycle_rx_pool_skb(card, rpp);
20769- atomic_inc(&vcc->stats->rx_err);
20770+ atomic_inc_unchecked(&vcc->stats->rx_err);
20771 return;
20772 }
20773 if (!atm_charge(vcc, skb->truesize)) {
20774@@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
20775 __net_timestamp(skb);
20776
20777 vcc->push(vcc, skb);
20778- atomic_inc(&vcc->stats->rx);
20779+ atomic_inc_unchecked(&vcc->stats->rx);
20780
20781 return;
20782 }
20783@@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
20784 __net_timestamp(skb);
20785
20786 vcc->push(vcc, skb);
20787- atomic_inc(&vcc->stats->rx);
20788+ atomic_inc_unchecked(&vcc->stats->rx);
20789
20790 if (skb->truesize > SAR_FB_SIZE_3)
20791 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
20792@@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
20793 if (vcc->qos.aal != ATM_AAL0) {
20794 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
20795 card->name, vpi, vci);
20796- atomic_inc(&vcc->stats->rx_drop);
20797+ atomic_inc_unchecked(&vcc->stats->rx_drop);
20798 goto drop;
20799 }
20800
20801 if ((sb = dev_alloc_skb(64)) == NULL) {
20802 printk("%s: Can't allocate buffers for AAL0.\n",
20803 card->name);
20804- atomic_inc(&vcc->stats->rx_err);
20805+ atomic_inc_unchecked(&vcc->stats->rx_err);
20806 goto drop;
20807 }
20808
20809@@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
20810 ATM_SKB(sb)->vcc = vcc;
20811 __net_timestamp(sb);
20812 vcc->push(vcc, sb);
20813- atomic_inc(&vcc->stats->rx);
20814+ atomic_inc_unchecked(&vcc->stats->rx);
20815
20816 drop:
20817 skb_pull(queue, 64);
20818@@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20819
20820 if (vc == NULL) {
20821 printk("%s: NULL connection in send().\n", card->name);
20822- atomic_inc(&vcc->stats->tx_err);
20823+ atomic_inc_unchecked(&vcc->stats->tx_err);
20824 dev_kfree_skb(skb);
20825 return -EINVAL;
20826 }
20827 if (!test_bit(VCF_TX, &vc->flags)) {
20828 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
20829- atomic_inc(&vcc->stats->tx_err);
20830+ atomic_inc_unchecked(&vcc->stats->tx_err);
20831 dev_kfree_skb(skb);
20832 return -EINVAL;
20833 }
20834@@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20835 break;
20836 default:
20837 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
20838- atomic_inc(&vcc->stats->tx_err);
20839+ atomic_inc_unchecked(&vcc->stats->tx_err);
20840 dev_kfree_skb(skb);
20841 return -EINVAL;
20842 }
20843
20844 if (skb_shinfo(skb)->nr_frags != 0) {
20845 printk("%s: No scatter-gather yet.\n", card->name);
20846- atomic_inc(&vcc->stats->tx_err);
20847+ atomic_inc_unchecked(&vcc->stats->tx_err);
20848 dev_kfree_skb(skb);
20849 return -EINVAL;
20850 }
20851@@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
20852
20853 err = queue_skb(card, vc, skb, oam);
20854 if (err) {
20855- atomic_inc(&vcc->stats->tx_err);
20856+ atomic_inc_unchecked(&vcc->stats->tx_err);
20857 dev_kfree_skb(skb);
20858 return err;
20859 }
20860@@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
20861 skb = dev_alloc_skb(64);
20862 if (!skb) {
20863 printk("%s: Out of memory in send_oam().\n", card->name);
20864- atomic_inc(&vcc->stats->tx_err);
20865+ atomic_inc_unchecked(&vcc->stats->tx_err);
20866 return -ENOMEM;
20867 }
20868 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
ae4e228f
MT
20869diff -urNp linux-2.6.33.1/drivers/atm/iphase.c linux-2.6.33.1/drivers/atm/iphase.c
20870--- linux-2.6.33.1/drivers/atm/iphase.c 2010-03-15 12:09:39.000000000 -0400
20871+++ linux-2.6.33.1/drivers/atm/iphase.c 2010-03-20 16:58:39.500808414 -0400
58c5fc13
MT
20872@@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
20873 status = (u_short) (buf_desc_ptr->desc_mode);
20874 if (status & (RX_CER | RX_PTE | RX_OFL))
20875 {
20876- atomic_inc(&vcc->stats->rx_err);
20877+ atomic_inc_unchecked(&vcc->stats->rx_err);
20878 IF_ERR(printk("IA: bad packet, dropping it");)
20879 if (status & RX_CER) {
20880 IF_ERR(printk(" cause: packet CRC error\n");)
20881@@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
20882 len = dma_addr - buf_addr;
20883 if (len > iadev->rx_buf_sz) {
20884 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
20885- atomic_inc(&vcc->stats->rx_err);
20886+ atomic_inc_unchecked(&vcc->stats->rx_err);
20887 goto out_free_desc;
20888 }
20889
20890@@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
20891 ia_vcc = INPH_IA_VCC(vcc);
20892 if (ia_vcc == NULL)
20893 {
20894- atomic_inc(&vcc->stats->rx_err);
20895+ atomic_inc_unchecked(&vcc->stats->rx_err);
20896 dev_kfree_skb_any(skb);
20897 atm_return(vcc, atm_guess_pdu2truesize(len));
20898 goto INCR_DLE;
20899@@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
20900 if ((length > iadev->rx_buf_sz) || (length >
20901 (skb->len - sizeof(struct cpcs_trailer))))
20902 {
20903- atomic_inc(&vcc->stats->rx_err);
20904+ atomic_inc_unchecked(&vcc->stats->rx_err);
20905 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
20906 length, skb->len);)
20907 dev_kfree_skb_any(skb);
20908@@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
20909
20910 IF_RX(printk("rx_dle_intr: skb push");)
20911 vcc->push(vcc,skb);
20912- atomic_inc(&vcc->stats->rx);
20913+ atomic_inc_unchecked(&vcc->stats->rx);
20914 iadev->rx_pkt_cnt++;
20915 }
20916 INCR_DLE:
20917@@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
20918 {
20919 struct k_sonet_stats *stats;
20920 stats = &PRIV(_ia_dev[board])->sonet_stats;
20921- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
20922- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
20923- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
20924- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
20925- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
20926- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
20927- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
20928- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
20929- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
20930+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
20931+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
20932+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
20933+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
20934+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
20935+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
20936+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
20937+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
20938+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
20939 }
20940 ia_cmds.status = 0;
20941 break;
20942@@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
20943 if ((desc == 0) || (desc > iadev->num_tx_desc))
20944 {
20945 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
20946- atomic_inc(&vcc->stats->tx);
20947+ atomic_inc_unchecked(&vcc->stats->tx);
20948 if (vcc->pop)
20949 vcc->pop(vcc, skb);
20950 else
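Review bot: The `invalid desc for send` branch increments `vcc->stats->tx` although the skb is released without being transmitted, so a rejected descriptor is counted as a successful send. Other send paths in this patch count comparable failures as `tx_err` (for example ns_send in nicstar.c), which suggests `atomic_inc_unchecked(&vcc->stats->tx_err);` was intended. This predates the patch, which only renames the call, and the rest of the branch lies outside the hunk, so confirm against the full function before changing it.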
20951@@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
20952 ATM_DESC(skb) = vcc->vci;
20953 skb_queue_tail(&iadev->tx_dma_q, skb);
20954
20955- atomic_inc(&vcc->stats->tx);
20956+ atomic_inc_unchecked(&vcc->stats->tx);
20957 iadev->tx_pkt_cnt++;
20958 /* Increment transaction counter */
20959 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
20960
20961 #if 0
20962 /* add flow control logic */
20963- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
20964+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
20965 if (iavcc->vc_desc_cnt > 10) {
20966 vcc->tx_quota = vcc->tx_quota * 3 / 4;
20967 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
ae4e228f
MT
20968diff -urNp linux-2.6.33.1/drivers/atm/lanai.c linux-2.6.33.1/drivers/atm/lanai.c
20969--- linux-2.6.33.1/drivers/atm/lanai.c 2010-03-15 12:09:39.000000000 -0400
20970+++ linux-2.6.33.1/drivers/atm/lanai.c 2010-03-20 16:58:39.504511968 -0400
58c5fc13
MT
20971@@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
20972 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
20973 lanai_endtx(lanai, lvcc);
20974 lanai_free_skb(lvcc->tx.atmvcc, skb);
20975- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
20976+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
20977 }
20978
20979 /* Try to fill the buffer - don't call unless there is backlog */
20980@@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
20981 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
20982 __net_timestamp(skb);
20983 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
20984- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
20985+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
20986 out:
20987 lvcc->rx.buf.ptr = end;
20988 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
20989@@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
20990 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
20991 "vcc %d\n", lanai->number, (unsigned int) s, vci);
20992 lanai->stats.service_rxnotaal5++;
20993- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
20994+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
20995 return 0;
20996 }
20997 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
20998@@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
20999 int bytes;
21000 read_unlock(&vcc_sklist_lock);
21001 DPRINTK("got trashed rx pdu on vci %d\n", vci);
21002- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
21003+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
21004 lvcc->stats.x.aal5.service_trash++;
21005 bytes = (SERVICE_GET_END(s) * 16) -
21006 (((unsigned long) lvcc->rx.buf.ptr) -
21007@@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
21008 }
21009 if (s & SERVICE_STREAM) {
21010 read_unlock(&vcc_sklist_lock);
21011- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
21012+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
21013 lvcc->stats.x.aal5.service_stream++;
21014 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
21015 "PDU on VCI %d!\n", lanai->number, vci);
21016@@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
21017 return 0;
21018 }
21019 DPRINTK("got rx crc error on vci %d\n", vci);
21020- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
21021+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
21022 lvcc->stats.x.aal5.service_rxcrc++;
21023 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
21024 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
ae4e228f
MT
21025diff -urNp linux-2.6.33.1/drivers/atm/nicstar.c linux-2.6.33.1/drivers/atm/nicstar.c
21026--- linux-2.6.33.1/drivers/atm/nicstar.c 2010-03-15 12:09:39.000000000 -0400
21027+++ linux-2.6.33.1/drivers/atm/nicstar.c 2010-03-20 16:58:39.504511968 -0400
58c5fc13
MT
21028@@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
21029 if ((vc = (vc_map *) vcc->dev_data) == NULL)
21030 {
21031 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
21032- atomic_inc(&vcc->stats->tx_err);
21033+ atomic_inc_unchecked(&vcc->stats->tx_err);
21034 dev_kfree_skb_any(skb);
21035 return -EINVAL;
21036 }
21037@@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
21038 if (!vc->tx)
21039 {
21040 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
21041- atomic_inc(&vcc->stats->tx_err);
21042+ atomic_inc_unchecked(&vcc->stats->tx_err);
21043 dev_kfree_skb_any(skb);
21044 return -EINVAL;
21045 }
21046@@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
21047 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
21048 {
21049 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
21050- atomic_inc(&vcc->stats->tx_err);
21051+ atomic_inc_unchecked(&vcc->stats->tx_err);
21052 dev_kfree_skb_any(skb);
21053 return -EINVAL;
21054 }
21055@@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
21056 if (skb_shinfo(skb)->nr_frags != 0)
21057 {
21058 printk("nicstar%d: No scatter-gather yet.\n", card->index);
21059- atomic_inc(&vcc->stats->tx_err);
21060+ atomic_inc_unchecked(&vcc->stats->tx_err);
21061 dev_kfree_skb_any(skb);
21062 return -EINVAL;
21063 }
21064@@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
21065
21066 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
21067 {
21068- atomic_inc(&vcc->stats->tx_err);
21069+ atomic_inc_unchecked(&vcc->stats->tx_err);
21070 dev_kfree_skb_any(skb);
21071 return -EIO;
21072 }
21073- atomic_inc(&vcc->stats->tx);
21074+ atomic_inc_unchecked(&vcc->stats->tx);
21075
21076 return 0;
21077 }
21078@@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
21079 {
21080 printk("nicstar%d: Can't allocate buffers for aal0.\n",
21081 card->index);
21082- atomic_add(i,&vcc->stats->rx_drop);
21083+ atomic_add_unchecked(i,&vcc->stats->rx_drop);
21084 break;
21085 }
21086 if (!atm_charge(vcc, sb->truesize))
21087 {
21088 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
21089 card->index);
21090- atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
21091+ atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
21092 dev_kfree_skb_any(sb);
21093 break;
21094 }
21095@@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
21096 ATM_SKB(sb)->vcc = vcc;
21097 __net_timestamp(sb);
21098 vcc->push(vcc, sb);
21099- atomic_inc(&vcc->stats->rx);
21100+ atomic_inc_unchecked(&vcc->stats->rx);
21101 cell += ATM_CELL_PAYLOAD;
21102 }
21103
21104@@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
21105 if (iovb == NULL)
21106 {
21107 printk("nicstar%d: Out of iovec buffers.\n", card->index);
21108- atomic_inc(&vcc->stats->rx_drop);
21109+ atomic_inc_unchecked(&vcc->stats->rx_drop);
21110 recycle_rx_buf(card, skb);
21111 return;
21112 }
21113@@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
21114 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
21115 {
21116 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
21117- atomic_inc(&vcc->stats->rx_err);
21118+ atomic_inc_unchecked(&vcc->stats->rx_err);
21119 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
21120 NS_SKB(iovb)->iovcnt = 0;
21121 iovb->len = 0;
21122@@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
21123 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
21124 card->index);
21125 which_list(card, skb);
21126- atomic_inc(&vcc->stats->rx_err);
21127+ atomic_inc_unchecked(&vcc->stats->rx_err);
21128 recycle_rx_buf(card, skb);
21129 vc->rx_iov = NULL;
21130 recycle_iov_buf(card, iovb);
21131@@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
21132 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
21133 card->index);
21134 which_list(card, skb);
21135- atomic_inc(&vcc->stats->rx_err);
21136+ atomic_inc_unchecked(&vcc->stats->rx_err);
21137 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21138 NS_SKB(iovb)->iovcnt);
21139 vc->rx_iov = NULL;
21140@@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
21141 printk(" - PDU size mismatch.\n");
21142 else
21143 printk(".\n");
21144- atomic_inc(&vcc->stats->rx_err);
21145+ atomic_inc_unchecked(&vcc->stats->rx_err);
21146 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21147 NS_SKB(iovb)->iovcnt);
21148 vc->rx_iov = NULL;
21149@@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
21150 if (!atm_charge(vcc, skb->truesize))
21151 {
21152 push_rxbufs(card, skb);
21153- atomic_inc(&vcc->stats->rx_drop);
21154+ atomic_inc_unchecked(&vcc->stats->rx_drop);
21155 }
21156 else
21157 {
21158@@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
21159 ATM_SKB(skb)->vcc = vcc;
21160 __net_timestamp(skb);
21161 vcc->push(vcc, skb);
21162- atomic_inc(&vcc->stats->rx);
21163+ atomic_inc_unchecked(&vcc->stats->rx);
21164 }
21165 }
21166 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
21167@@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
21168 if (!atm_charge(vcc, sb->truesize))
21169 {
21170 push_rxbufs(card, sb);
21171- atomic_inc(&vcc->stats->rx_drop);
21172+ atomic_inc_unchecked(&vcc->stats->rx_drop);
21173 }
21174 else
21175 {
21176@@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
21177 ATM_SKB(sb)->vcc = vcc;
21178 __net_timestamp(sb);
21179 vcc->push(vcc, sb);
21180- atomic_inc(&vcc->stats->rx);
21181+ atomic_inc_unchecked(&vcc->stats->rx);
21182 }
21183
21184 push_rxbufs(card, skb);
21185@@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
21186 if (!atm_charge(vcc, skb->truesize))
21187 {
21188 push_rxbufs(card, skb);
21189- atomic_inc(&vcc->stats->rx_drop);
21190+ atomic_inc_unchecked(&vcc->stats->rx_drop);
21191 }
21192 else
21193 {
21194@@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
21195 ATM_SKB(skb)->vcc = vcc;
21196 __net_timestamp(skb);
21197 vcc->push(vcc, skb);
21198- atomic_inc(&vcc->stats->rx);
21199+ atomic_inc_unchecked(&vcc->stats->rx);
21200 }
21201
21202 push_rxbufs(card, sb);
21203@@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
21204 if (hb == NULL)
21205 {
21206 printk("nicstar%d: Out of huge buffers.\n", card->index);
21207- atomic_inc(&vcc->stats->rx_drop);
21208+ atomic_inc_unchecked(&vcc->stats->rx_drop);
21209 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
21210 NS_SKB(iovb)->iovcnt);
21211 vc->rx_iov = NULL;
21212@@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
21213 }
21214 else
21215 dev_kfree_skb_any(hb);
21216- atomic_inc(&vcc->stats->rx_drop);
21217+ atomic_inc_unchecked(&vcc->stats->rx_drop);
21218 }
21219 else
21220 {
21221@@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
21222 #endif /* NS_USE_DESTRUCTORS */
21223 __net_timestamp(hb);
21224 vcc->push(vcc, hb);
21225- atomic_inc(&vcc->stats->rx);
21226+ atomic_inc_unchecked(&vcc->stats->rx);
21227 }
21228 }
21229
ae4e228f
MT
21230diff -urNp linux-2.6.33.1/drivers/atm/solos-pci.c linux-2.6.33.1/drivers/atm/solos-pci.c
21231--- linux-2.6.33.1/drivers/atm/solos-pci.c 2010-03-15 12:09:39.000000000 -0400
21232+++ linux-2.6.33.1/drivers/atm/solos-pci.c 2010-03-20 16:58:39.512795633 -0400
21233@@ -714,7 +714,7 @@ void solos_bh(unsigned long card_arg)
58c5fc13
MT
21234 }
21235 atm_charge(vcc, skb->truesize);
21236 vcc->push(vcc, skb);
21237- atomic_inc(&vcc->stats->rx);
21238+ atomic_inc_unchecked(&vcc->stats->rx);
21239 break;
21240
21241 case PKT_STATUS:
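Review bot: The return value of `atm_charge(vcc, skb->truesize)` is discarded just above the changed line, so the skb is pushed and counted in `stats->rx` even when the charge is refused. The idt77252.c and nicstar.c receive paths in this same patch test `if (!atm_charge(...))` and drop the buffer instead, which keeps the socket's receive-buffer limit effective. If the helper can refuse here, something like `if (!atm_charge(vcc, skb->truesize)) { dev_kfree_skb_any(skb); break; }` would match them. The free routine appropriate to this context is not visible in the hunk, and solos_bh's body continues outside it.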
ae4e228f 21242@@ -1017,7 +1017,7 @@ static uint32_t fpga_tx(struct solos_car
58c5fc13
MT
21243 vcc = SKB_CB(oldskb)->vcc;
21244
21245 if (vcc) {
21246- atomic_inc(&vcc->stats->tx);
21247+ atomic_inc_unchecked(&vcc->stats->tx);
21248 solos_pop(vcc, oldskb);
21249 } else
21250 dev_kfree_skb_irq(oldskb);
ae4e228f
MT
21251diff -urNp linux-2.6.33.1/drivers/atm/suni.c linux-2.6.33.1/drivers/atm/suni.c
21252--- linux-2.6.33.1/drivers/atm/suni.c 2010-03-15 12:09:39.000000000 -0400
21253+++ linux-2.6.33.1/drivers/atm/suni.c 2010-03-20 16:58:39.516795609 -0400
58c5fc13
MT
21254@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
21255
21256
21257 #define ADD_LIMITED(s,v) \
21258- atomic_add((v),&stats->s); \
21259- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
21260+ atomic_add_unchecked((v),&stats->s); \
21261+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
21262
21263
21264 static void suni_hz(unsigned long from_timer)
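Review bot: `ADD_LIMITED` expands to two separate statements, so a caller that writes it under an unbraced `if` or `else` would guard only the `atomic_add_unchecked` and always run the clamp. Wrapping the body as `do { ... } while (0)` removes that hazard. The clamp depends on the counter wrapping negative before it is reset to `INT_MAX`, which is why the unchecked operations are required here. A one-line comment such as `/* saturating add: relies on wrap-around, so must use the _unchecked ops */` would keep a later cleanup from converting it back. The add, read and set are three independent operations, so the saturation is best-effort under concurrent updates.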
ae4e228f
MT
21265diff -urNp linux-2.6.33.1/drivers/atm/uPD98402.c linux-2.6.33.1/drivers/atm/uPD98402.c
21266--- linux-2.6.33.1/drivers/atm/uPD98402.c 2010-03-15 12:09:39.000000000 -0400
21267+++ linux-2.6.33.1/drivers/atm/uPD98402.c 2010-03-20 16:58:39.516795609 -0400
58c5fc13
MT
21268@@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
21269 struct sonet_stats tmp;
21270 int error = 0;
21271
21272- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
21273+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
21274 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
21275 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
21276 if (zero && !error) {
21277@@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
21278
21279
21280 #define ADD_LIMITED(s,v) \
21281- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
21282- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
21283- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
21284+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
21285+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
21286+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
21287
21288
21289 static void stat_event(struct atm_dev *dev)
21290@@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
21291 if (reason & uPD98402_INT_PFM) stat_event(dev);
21292 if (reason & uPD98402_INT_PCO) {
21293 (void) GET(PCOCR); /* clear interrupt cause */
21294- atomic_add(GET(HECCT),
21295+ atomic_add_unchecked(GET(HECCT),
21296 &PRIV(dev)->sonet_stats.uncorr_hcs);
21297 }
21298 if ((reason & uPD98402_INT_RFO) &&
21299@@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
21300 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
21301 uPD98402_INT_LOS),PIMR); /* enable them */
21302 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
21303- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
21304- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
21305- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
21306+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
21307+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
21308+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
21309 return 0;
21310 }
21311
ae4e228f
MT
21312diff -urNp linux-2.6.33.1/drivers/atm/zatm.c linux-2.6.33.1/drivers/atm/zatm.c
21313--- linux-2.6.33.1/drivers/atm/zatm.c 2010-03-15 12:09:39.000000000 -0400
21314+++ linux-2.6.33.1/drivers/atm/zatm.c 2010-03-20 16:58:39.516795609 -0400
58c5fc13
MT
21315@@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21316 }
21317 if (!size) {
21318 dev_kfree_skb_irq(skb);
21319- if (vcc) atomic_inc(&vcc->stats->rx_err);
21320+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
21321 continue;
21322 }
21323 if (!atm_charge(vcc,skb->truesize)) {
21324@@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
21325 skb->len = size;
21326 ATM_SKB(skb)->vcc = vcc;
21327 vcc->push(vcc,skb);
21328- atomic_inc(&vcc->stats->rx);
21329+ atomic_inc_unchecked(&vcc->stats->rx);
21330 }
21331 zout(pos & 0xffff,MTA(mbx));
21332 #if 0 /* probably a stupid idea */
21333@@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
21334 skb_queue_head(&zatm_vcc->backlog,skb);
21335 break;
21336 }
21337- atomic_inc(&vcc->stats->tx);
21338+ atomic_inc_unchecked(&vcc->stats->tx);
21339 wake_up(&zatm_vcc->tx_wait);
21340 }
21341
ae4e228f
MT
21342diff -urNp linux-2.6.33.1/drivers/base/bus.c linux-2.6.33.1/drivers/base/bus.c
21343--- linux-2.6.33.1/drivers/base/bus.c 2010-03-15 12:09:39.000000000 -0400
21344+++ linux-2.6.33.1/drivers/base/bus.c 2010-03-20 16:58:39.548804768 -0400
21345@@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
21346 return ret;
58c5fc13
MT
21347 }
21348
ae4e228f
MT
21349-static struct sysfs_ops driver_sysfs_ops = {
21350+static const struct sysfs_ops driver_sysfs_ops = {
21351 .show = drv_attr_show,
21352 .store = drv_attr_store,
21353 };
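Review bot: Making `driver_sysfs_ops` const only compiles cleanly if the pointer that receives it, presumably the `sysfs_ops` member of `struct kobj_type`, is const-qualified as well; that declaration is outside this chunk, so confirm it is changed in the same patch. The same applies to the other tables constified below: `bus_sysfs_ops`, `class_sysfs_ops`, `dev_sysfs_ops`, `sysfs_ops`, `sysfs_class_ops`, `kobj_pkt_ops`, the three `kset_uevent_ops` tables and `hvc_beat_get_put_ops`. A cast at the assignment would silence the warning but defeat the purpose, since the value of the change is that these function-pointer tables can be placed in read-only memory.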
21354@@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
21355 return ret;
58c5fc13
MT
21356 }
21357
ae4e228f
MT
21358-static struct sysfs_ops bus_sysfs_ops = {
21359+static const struct sysfs_ops bus_sysfs_ops = {
21360 .show = bus_attr_show,
21361 .store = bus_attr_store,
21362 };
21363@@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
21364 return 0;
21365 }
21366
21367-static struct kset_uevent_ops bus_uevent_ops = {
21368+static const struct kset_uevent_ops bus_uevent_ops = {
21369 .filter = bus_uevent_filter,
21370 };
21371
21372diff -urNp linux-2.6.33.1/drivers/base/class.c linux-2.6.33.1/drivers/base/class.c
21373--- linux-2.6.33.1/drivers/base/class.c 2010-03-15 12:09:39.000000000 -0400
21374+++ linux-2.6.33.1/drivers/base/class.c 2010-03-20 16:58:39.548804768 -0400
21375@@ -63,7 +63,7 @@ static void class_release(struct kobject
21376 kfree(cp);
21377 }
21378
21379-static struct sysfs_ops class_sysfs_ops = {
21380+static const struct sysfs_ops class_sysfs_ops = {
21381 .show = class_attr_show,
21382 .store = class_attr_store,
21383 };
21384diff -urNp linux-2.6.33.1/drivers/base/core.c linux-2.6.33.1/drivers/base/core.c
21385--- linux-2.6.33.1/drivers/base/core.c 2010-03-15 12:09:39.000000000 -0400
21386+++ linux-2.6.33.1/drivers/base/core.c 2010-03-20 16:58:39.548804768 -0400
21387@@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
21388 return ret;
21389 }
21390
21391-static struct sysfs_ops dev_sysfs_ops = {
21392+static const struct sysfs_ops dev_sysfs_ops = {
21393 .show = dev_attr_show,
21394 .store = dev_attr_store,
21395 };
21396@@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
21397 return retval;
21398 }
21399
21400-static struct kset_uevent_ops device_uevent_ops = {
21401+static const struct kset_uevent_ops device_uevent_ops = {
21402 .filter = dev_uevent_filter,
21403 .name = dev_uevent_name,
21404 .uevent = dev_uevent,
21405diff -urNp linux-2.6.33.1/drivers/base/memory.c linux-2.6.33.1/drivers/base/memory.c
21406--- linux-2.6.33.1/drivers/base/memory.c 2010-03-15 12:09:39.000000000 -0400
21407+++ linux-2.6.33.1/drivers/base/memory.c 2010-03-20 16:58:39.553060820 -0400
21408@@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
21409 return retval;
21410 }
21411
21412-static struct kset_uevent_ops memory_uevent_ops = {
21413+static const struct kset_uevent_ops memory_uevent_ops = {
21414 .name = memory_uevent_name,
21415 .uevent = memory_uevent,
21416 };
21417diff -urNp linux-2.6.33.1/drivers/base/sys.c linux-2.6.33.1/drivers/base/sys.c
21418--- linux-2.6.33.1/drivers/base/sys.c 2010-03-15 12:09:39.000000000 -0400
21419+++ linux-2.6.33.1/drivers/base/sys.c 2010-03-20 16:58:39.553060820 -0400
21420@@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
21421 return -EIO;
21422 }
21423
21424-static struct sysfs_ops sysfs_ops = {
21425+static const struct sysfs_ops sysfs_ops = {
21426 .show = sysdev_show,
21427 .store = sysdev_store,
21428 };
21429@@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
21430 return -EIO;
21431 }
21432
21433-static struct sysfs_ops sysfs_class_ops = {
21434+static const struct sysfs_ops sysfs_class_ops = {
21435 .show = sysdev_class_show,
21436 .store = sysdev_class_store,
21437 };
21438diff -urNp linux-2.6.33.1/drivers/block/pktcdvd.c linux-2.6.33.1/drivers/block/pktcdvd.c
21439--- linux-2.6.33.1/drivers/block/pktcdvd.c 2010-03-15 12:09:39.000000000 -0400
21440+++ linux-2.6.33.1/drivers/block/pktcdvd.c 2010-03-20 16:58:39.568810035 -0400
21441@@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
21442 return len;
21443 }
21444
21445-static struct sysfs_ops kobj_pkt_ops = {
21446+static const struct sysfs_ops kobj_pkt_ops = {
21447 .show = kobj_pkt_show,
21448 .store = kobj_pkt_store
21449 };
21450diff -urNp linux-2.6.33.1/drivers/char/agp/frontend.c linux-2.6.33.1/drivers/char/agp/frontend.c
21451--- linux-2.6.33.1/drivers/char/agp/frontend.c 2010-03-15 12:09:39.000000000 -0400
21452+++ linux-2.6.33.1/drivers/char/agp/frontend.c 2010-03-20 16:58:39.572812162 -0400
21453@@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
58c5fc13
MT
21454 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
21455 return -EFAULT;
21456
21457- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
21458+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
21459 return -EFAULT;
21460
21461 client = agp_find_client_by_pid(reserve.pid);
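Review bot: The bound now uses `sizeof(struct agp_segment_priv)`, but `reserve.seg_count` comes straight from `copy_from_user` and may be multiplied by more than one element size later in this function and its callees, which are outside the hunk. If arrays of both `struct agp_segment` and `struct agp_segment_priv` are allocated from this count, the check should cover the larger of the two. Alternatively the allocations could use `kcalloc(reserve.seg_count, sizeof(...), GFP_KERNEL)` so that each multiplication is checked where it happens. `-EFAULT` is also an odd result for an out-of-range count; `-EINVAL` would describe it better, though callers may depend on the current value.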
ae4e228f
MT
21462diff -urNp linux-2.6.33.1/drivers/char/agp/intel-agp.c linux-2.6.33.1/drivers/char/agp/intel-agp.c
21463--- linux-2.6.33.1/drivers/char/agp/intel-agp.c 2010-03-15 12:09:39.000000000 -0400
21464+++ linux-2.6.33.1/drivers/char/agp/intel-agp.c 2010-03-20 16:58:39.588814817 -0400
21465@@ -2575,7 +2575,7 @@ static struct pci_device_id agp_intel_pc
21466 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB),
21467 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MA_HB),
21468 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
21469- { }
21470+ { 0, 0, 0, 0, 0, 0, 0 }
21471 };
21472
21473 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
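--- a/drivers/char/hpet.c
+++ b/drivers/char/hpet.c
@@ -995,7 +995,7 @@ static struct acpi_driver hpet_acpi_driv
 },
 };
 
-static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
+static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
 
 static int __init hpet_init(void)
 {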
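Review bot: The replacement initializer for `hpet_misc` fills the struct positionally, `{ HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL }`, so it depends on the member order of struct miscdevice and will mis-assign or stop building if a member is added or moved. Designated initializers state the intent and leave the remaining members zeroed: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`. The same applies to the `nvram_dev` initializer changed in drivers/char/nvram.c.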
21486diff -urNp linux-2.6.33.1/drivers/char/hvc_beat.c linux-2.6.33.1/drivers/char/hvc_beat.c
21487--- linux-2.6.33.1/drivers/char/hvc_beat.c 2010-03-15 12:09:39.000000000 -0400
21488+++ linux-2.6.33.1/drivers/char/hvc_beat.c 2010-03-20 16:58:39.596613651 -0400
21489@@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
21490 return cnt;
21491 }
21492
21493-static struct hv_ops hvc_beat_get_put_ops = {
21494+static const struct hv_ops hvc_beat_get_put_ops = {
21495 .get_chars = hvc_beat_get_chars,
21496 .put_chars = hvc_beat_put_chars,
21497 };
21498diff -urNp linux-2.6.33.1/drivers/char/hvc_console.c linux-2.6.33.1/drivers/char/hvc_console.c
21499--- linux-2.6.33.1/drivers/char/hvc_console.c 2010-03-15 12:09:39.000000000 -0400
21500+++ linux-2.6.33.1/drivers/char/hvc_console.c 2010-03-20 16:58:39.596613651 -0400
21501@@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
21502 * console interfaces but can still be used as a tty device. This has to be
21503 * static because kmalloc will not work during early console init.
21504 */
21505-static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21506+static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
21507 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
21508 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
21509
21510@@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
21511 * vty adapters do NOT get an hvc_instantiate() callback since they
21512 * appear after early console init.
21513 */
21514-int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
21515+int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
21516 {
21517 struct hvc_struct *hp;
21518
21519@@ -749,7 +749,7 @@ static const struct tty_operations hvc_o
21520 };
21521
21522 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
21523- struct hv_ops *ops, int outbuf_size)
21524+ const struct hv_ops *ops, int outbuf_size)
21525 {
21526 struct hvc_struct *hp;
21527 int i;
21528diff -urNp linux-2.6.33.1/drivers/char/hvc_console.h linux-2.6.33.1/drivers/char/hvc_console.h
21529--- linux-2.6.33.1/drivers/char/hvc_console.h 2010-03-15 12:09:39.000000000 -0400
21530+++ linux-2.6.33.1/drivers/char/hvc_console.h 2010-03-20 16:58:39.596613651 -0400
21531@@ -55,7 +55,7 @@ struct hvc_struct {
21532 int outbuf_size;
21533 int n_outbuf;
21534 uint32_t vtermno;
21535- struct hv_ops *ops;
21536+ const struct hv_ops *ops;
21537 int irq_requested;
21538 int data;
21539 struct winsize ws;
21540@@ -76,11 +76,11 @@ struct hv_ops {
21541 };
21542
21543 /* Register a vterm and a slot index for use as a console (console_init) */
21544-extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
21545+extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
21546
21547 /* register a vterm for hvc tty operation (module_init or hotplug add) */
21548 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
21549- struct hv_ops *ops, int outbuf_size);
21550+ const struct hv_ops *ops, int outbuf_size);
21551 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
21552 extern int hvc_remove(struct hvc_struct *hp);
21553
21554diff -urNp linux-2.6.33.1/drivers/char/hvc_iseries.c linux-2.6.33.1/drivers/char/hvc_iseries.c
21555--- linux-2.6.33.1/drivers/char/hvc_iseries.c 2010-03-15 12:09:39.000000000 -0400
21556+++ linux-2.6.33.1/drivers/char/hvc_iseries.c 2010-03-20 16:58:39.596613651 -0400
21557@@ -197,7 +197,7 @@ done:
21558 return sent;
21559 }
21560
21561-static struct hv_ops hvc_get_put_ops = {
21562+static const struct hv_ops hvc_get_put_ops = {
21563 .get_chars = get_chars,
21564 .put_chars = put_chars,
21565 .notifier_add = notifier_add_irq,
21566diff -urNp linux-2.6.33.1/drivers/char/hvc_iucv.c linux-2.6.33.1/drivers/char/hvc_iucv.c
21567--- linux-2.6.33.1/drivers/char/hvc_iucv.c 2010-03-15 12:09:39.000000000 -0400
21568+++ linux-2.6.33.1/drivers/char/hvc_iucv.c 2010-03-20 16:58:39.596613651 -0400
21569@@ -922,7 +922,7 @@ static int hvc_iucv_pm_restore_thaw(stru
21570
21571
21572 /* HVC operations */
21573-static struct hv_ops hvc_iucv_ops = {
21574+static const struct hv_ops hvc_iucv_ops = {
21575 .get_chars = hvc_iucv_get_chars,
21576 .put_chars = hvc_iucv_put_chars,
21577 .notifier_add = hvc_iucv_notifier_add,
21578diff -urNp linux-2.6.33.1/drivers/char/hvc_rtas.c linux-2.6.33.1/drivers/char/hvc_rtas.c
21579--- linux-2.6.33.1/drivers/char/hvc_rtas.c 2010-03-15 12:09:39.000000000 -0400
21580+++ linux-2.6.33.1/drivers/char/hvc_rtas.c 2010-03-20 16:58:39.600817341 -0400
21581@@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
21582 return i;
21583 }
21584
21585-static struct hv_ops hvc_rtas_get_put_ops = {
21586+static const struct hv_ops hvc_rtas_get_put_ops = {
21587 .get_chars = hvc_rtas_read_console,
21588 .put_chars = hvc_rtas_write_console,
21589 };
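--- a/drivers/char/hvcs.c
+++ b/drivers/char/hvcs.c
@@ -269,7 +269,7 @@ struct hvcs_struct {
 unsigned int index;
 
 struct tty_struct *tty;
- int open_count;
+ atomic_t open_count;
 
 /*
 * Used to tell the driver kernel_thread what operations need to take
@@ -419,7 +419,7 @@ static ssize_t hvcs_vterm_state_store(st
 
 spin_lock_irqsave(&hvcsd->lock, flags);
 
- if (hvcsd->open_count > 0) {
+ if (atomic_read(&hvcsd->open_count) > 0) {
 spin_unlock_irqrestore(&hvcsd->lock, flags);
 printk(KERN_INFO "HVCS: vterm state unchanged. "
 "The hvcs device node is still in use.\n");
@@ -1135,7 +1135,7 @@ static int hvcs_open(struct tty_struct *
 if ((retval = hvcs_partner_connect(hvcsd)))
 goto error_release;
 
- hvcsd->open_count = 1;
+ atomic_set(&hvcsd->open_count, 1);
 hvcsd->tty = tty;
 tty->driver_data = hvcsd;
 
@@ -1169,7 +1169,7 @@ fast_open:
 
 spin_lock_irqsave(&hvcsd->lock, flags);
 kref_get(&hvcsd->kref);
- hvcsd->open_count++;
+ atomic_inc(&hvcsd->open_count);
 hvcsd->todo_mask |= HVCS_SCHED_READ;
 spin_unlock_irqrestore(&hvcsd->lock, flags);
 
@@ -1213,7 +1213,7 @@ static void hvcs_close(struct tty_struct
 hvcsd = tty->driver_data;
 
 spin_lock_irqsave(&hvcsd->lock, flags);
- if (--hvcsd->open_count == 0) {
+ if (atomic_dec_and_test(&hvcsd->open_count)) {
 
 vio_disable_interrupts(hvcsd->vdev);
 
@@ -1239,10 +1239,10 @@ static void hvcs_close(struct tty_struct
 free_irq(irq, hvcsd);
 kref_put(&hvcsd->kref, destroy_hvcs_struct);
 return;
- } else if (hvcsd->open_count < 0) {
+ } else if (atomic_read(&hvcsd->open_count) < 0) {
 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
 " is missmanaged.\n",
- hvcsd->vdev->unit_address, hvcsd->open_count);
+ hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
 }
 
 spin_unlock_irqrestore(&hvcsd->lock, flags);
@@ -1258,7 +1258,7 @@ static void hvcs_hangup(struct tty_struc
 
 spin_lock_irqsave(&hvcsd->lock, flags);
 /* Preserve this so that we know how many kref refs to put */
- temp_open_count = hvcsd->open_count;
+ temp_open_count = atomic_read(&hvcsd->open_count);
 
 /*
 * Don't kref put inside the spinlock because the destruction
@@ -1273,7 +1273,7 @@ static void hvcs_hangup(struct tty_struc
 hvcsd->tty->driver_data = NULL;
 hvcsd->tty = NULL;
 
- hvcsd->open_count = 0;
+ atomic_set(&hvcsd->open_count, 0);
 
 /* This will drop any buffered data on the floor which is OK in a hangup
 * scenario. */
@@ -1344,7 +1344,7 @@ static int hvcs_write(struct tty_struct
 * the middle of a write operation? This is a crummy place to do this
 * but we want to keep it all in the spinlock.
 */
- if (hvcsd->open_count <= 0) {
+ if (atomic_read(&hvcsd->open_count) <= 0) {
 spin_unlock_irqrestore(&hvcsd->lock, flags);
 return -ENODEV;
 }
@@ -1418,7 +1418,7 @@ static int hvcs_write_room(struct tty_st
 {
 struct hvcs_struct *hvcsd = tty->driver_data;
 
- if (!hvcsd || hvcsd->open_count <= 0)
+ if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
 return 0;
 
 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;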
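Review bot: The conversion of `open_count` to `atomic_t` carries no comment saying why, and several of the accesses shown here (hvcs_vterm_state_store, fast_open, hvcs_close, the first hvcs_hangup hunk, hvcs_write) already sit between spin_lock_irqsave(&hvcsd->lock) and the matching unlock, so the atomic type is not what provides mutual exclusion. If the intent is to bring the counter under the patch's overflow checking for atomic counters (inferred, the hunks do not say), a field comment such as `/* atomic_t so that overflow is caught; still protected by hvcsd->lock */` would keep a later cleanup from reverting it. The same undocumented conversion appears in drivers/char/pcmcia/ipwireless/tty.c and drivers/char/sonypi.c, where the visible accesses run under ipw_tty_mutex and sonypi_device.lock. The enclosing functions start and end outside the hunks.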
21687diff -urNp linux-2.6.33.1/drivers/char/hvc_udbg.c linux-2.6.33.1/drivers/char/hvc_udbg.c
21688--- linux-2.6.33.1/drivers/char/hvc_udbg.c 2010-03-15 12:09:39.000000000 -0400
21689+++ linux-2.6.33.1/drivers/char/hvc_udbg.c 2010-03-20 16:58:39.600817341 -0400
21690@@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
21691 return i;
21692 }
21693
21694-static struct hv_ops hvc_udbg_ops = {
21695+static const struct hv_ops hvc_udbg_ops = {
21696 .get_chars = hvc_udbg_get,
21697 .put_chars = hvc_udbg_put,
21698 };
21699diff -urNp linux-2.6.33.1/drivers/char/hvc_vio.c linux-2.6.33.1/drivers/char/hvc_vio.c
21700--- linux-2.6.33.1/drivers/char/hvc_vio.c 2010-03-15 12:09:39.000000000 -0400
21701+++ linux-2.6.33.1/drivers/char/hvc_vio.c 2010-03-20 16:58:39.600817341 -0400
21702@@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
21703 return got;
21704 }
21705
21706-static struct hv_ops hvc_get_put_ops = {
21707+static const struct hv_ops hvc_get_put_ops = {
21708 .get_chars = filtered_get_chars,
21709 .put_chars = hvc_put_chars,
21710 .notifier_add = notifier_add_irq,
21711diff -urNp linux-2.6.33.1/drivers/char/hvc_xen.c linux-2.6.33.1/drivers/char/hvc_xen.c
21712--- linux-2.6.33.1/drivers/char/hvc_xen.c 2010-03-15 12:09:39.000000000 -0400
21713+++ linux-2.6.33.1/drivers/char/hvc_xen.c 2010-03-20 16:58:39.604556535 -0400
21714@@ -122,7 +122,7 @@ static int read_console(uint32_t vtermno
21715 return recv;
21716 }
21717
21718-static struct hv_ops hvc_ops = {
21719+static const struct hv_ops hvc_ops = {
21720 .get_chars = read_console,
21721 .put_chars = write_console,
21722 .notifier_add = notifier_add_irq,
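--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -414,7 +414,7 @@ struct ipmi_smi {
 struct proc_dir_entry *proc_dir;
 char proc_dir_name[10];
 
- atomic_t stats[IPMI_NUM_STATS];
+ atomic_unchecked_t stats[IPMI_NUM_STATS];
 
 /*
 * run_to_completion duplicate of smb_info, smi_info
@@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
 
 
 #define ipmi_inc_stat(intf, stat) \
- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
 #define ipmi_get_stat(intf, stat) \
- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
 
 static int is_lan_addr(struct ipmi_addr *addr)
 {
@@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
 INIT_LIST_HEAD(&intf->cmd_rcvrs);
 init_waitqueue_head(&intf->waitq);
 for (i = 0; i < IPMI_NUM_STATS; i++)
- atomic_set(&intf->stats[i], 0);
+ atomic_set_unchecked(&intf->stats[i], 0);
 
 intf->proc_dir = NULL;
 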
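Review bot: The switch of `stats[]` to `atomic_unchecked_t`, and of the accessor macros to their `_unchecked` variants, is not explained anywhere in these hunks, and the types themselves are defined elsewhere in the patch. Presumably the counters are pure statistics that may wrap harmlessly and are therefore exempted from the overflow checking applied to other atomic counters (inferred). A comment on the field, `/* statistics only: wraparound is harmless, so not overflow-checked */`, would stop a later reader from treating the unchecked type as a template for real reference counts. drivers/char/ipmi/ipmi_si_intf.c makes the same change to the `stats[]` member of struct smi_info.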
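--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -278,7 +278,7 @@ struct smi_info {
 unsigned char slave_addr;
 
 /* Counters and things for the proc filesystem. */
- atomic_t stats[SI_NUM_STATS];
+ atomic_unchecked_t stats[SI_NUM_STATS];
 
 struct task_struct *thread;
 
@@ -286,9 +286,9 @@ struct smi_info {
 };
 
 #define smi_inc_stat(smi, stat) \
- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
 #define smi_get_stat(smi, stat) \
- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
 
 #define SI_MAX_PARMS 4
 
@@ -3020,7 +3020,7 @@ static int try_smi_init(struct smi_info
 atomic_set(&new_smi->req_events, 0);
 new_smi->run_to_completion = 0;
 for (i = 0; i < SI_NUM_STATS; i++)
- atomic_set(&new_smi->stats[i], 0);
+ atomic_set_unchecked(&new_smi->stats[i], 0);
 
 new_smi->interrupt_disabled = 0;
 atomic_set(&new_smi->stop_operation, 0);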
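--- a/drivers/char/keyboard.c
+++ b/drivers/char/keyboard.c
@@ -652,6 +652,16 @@ static void k_spec(struct vc_data *vc, u
 kbd->kbdmode == VC_MEDIUMRAW) &&
 value != KVAL(K_SAK))
 return; /* SAK is allowed even in raw mode */
+
+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
+ {
+ void *func = fn_handler[value];
+ if (func == fn_show_state || func == fn_show_ptregs ||
+ func == fn_show_mem)
+ return;
+ }
+#endif
+
 fn_handler[value](vc);
 }
 
@@ -1405,7 +1415,7 @@ static const struct input_device_id kbd_
 .evbit = { BIT_MASK(EV_SND) },
 },
 
- { }, /* Terminating entry */
+ { 0 }, /* Terminating entry */
 };
 
 MODULE_DEVICE_TABLE(input, kbd_ids);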
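Review bot: The block added to k_spec() gives no reason for skipping fn_show_state, fn_show_ptregs and fn_show_mem, and it holds the handler in a `void *`, which relies on a function-pointer to object-pointer conversion that ISO C does not define. Judging by their names these handlers print task, register and memory state to the console, which is presumably why they are suppressed when /proc is restricted (inferred; their bodies are not in the hunk). I would declare the local with the table's own element type, `fn_handler_fn *func = fn_handler[value];`, and add `/* these handlers dump kernel state to the console; keep them off when /proc is restricted */` above the comparison. k_spec() starts outside the hunk.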
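--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -18,6 +18,7 @@
 #include <linux/raw.h>
 #include <linux/tty.h>
 #include <linux/capability.h>
+#include <linux/security.h>
 #include <linux/ptrace.h>
 #include <linux/device.h>
 #include <linux/highmem.h>
@@ -34,6 +35,10 @@
 # include <linux/efi.h>
 #endif
 
+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
+extern struct file_operations grsec_fops;
+#endif
+
 static inline unsigned long size_inside_page(unsigned long start,
 unsigned long size)
 {
@@ -191,6 +196,11 @@ static ssize_t write_mem(struct file * f
 if (!valid_phys_addr_range(p, count))
 return -EFAULT;
 
+#ifdef CONFIG_GRKERNSEC_KMEM
+ gr_handle_mem_write();
+ return -EPERM;
+#endif
+
 written = 0;
 
 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
@@ -311,6 +321,11 @@ static int mmap_mem(struct file * file,
 &vma->vm_page_prot))
 return -EINVAL;
 
+#ifdef CONFIG_GRKERNSEC_KMEM
+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
+ return -EPERM;
+#endif
+
 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
 size,
 vma->vm_page_prot);
@@ -527,6 +542,11 @@ static ssize_t write_kmem(struct file *
 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
 int err = 0;
 
+#ifdef CONFIG_GRKERNSEC_KMEM
+ gr_handle_kmem_write();
+ return -EPERM;
+#endif
+
 if (p < (unsigned long) high_memory) {
 unsigned long to_write = min_t(unsigned long, count,
 (unsigned long)high_memory - p);
@@ -727,6 +747,16 @@ static loff_t memory_lseek(struct file *
 
 static int open_port(struct inode * inode, struct file * filp)
 {
+#ifdef CONFIG_GRKERNSEC_KMEM
+ gr_handle_open_port();
+ return -EPERM;
+#endif
+
+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
+}
+
+static int open_mem(struct inode * inode, struct file * filp)
+{
 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
 }
 
@@ -734,7 +764,6 @@ static int open_port(struct inode * inod
 #define full_lseek null_lseek
 #define write_zero write_null
 #define read_full read_zero
-#define open_mem open_port
 #define open_kmem open_mem
 #define open_oldmem open_mem
 
@@ -850,6 +879,9 @@ static const struct memdev {
 #ifdef CONFIG_CRASH_DUMP
 [12] = { "oldmem", 0, &oldmem_fops, NULL },
 #endif
+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
+#endif
 };
 
 static int memory_open(struct inode *inode, struct file *filp)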
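Review bot: In write_mem(), write_kmem() and open_port() the `#ifdef CONFIG_GRKERNSEC_KMEM` block ends in an unconditional `return -EPERM;`, so with the option set the rest of each function is unreachable; wrapping the remainder in `#else` … `#endif`, or adding `/* CONFIG_GRKERNSEC_KMEM: always refused, code below is dead */`, would make that explicit. In write_mem() the refusal sits after the valid_phys_addr_range() test, so an out-of-range write returns -EFAULT without reaching gr_handle_mem_write(), while write_kmem() refuses before any validation; placing the block first in both would keep the behaviour uniform. The new `[13]` entry creates the "grsec" node with `S_IRUSR | S_IWUGO`, i.e. writable by every local user, so grsec_fops (declared extern, defined outside this file) has to treat every write as untrusted input, and a comment on that line should say the mode is deliberate. Several of these functions start or end outside their hunks.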
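--- a/drivers/char/nvram.c
+++ b/drivers/char/nvram.c
@@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
 
 spin_unlock_irq(&rtc_lock);
 
- if (copy_to_user(buf, contents, tmp - contents))
+ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
 return -EFAULT;
 
 *ppos = i;
@@ -434,7 +434,10 @@ static const struct file_operations nvra
 static struct miscdevice nvram_dev = {
 NVRAM_MINOR,
 "nvram",
- &nvram_fops
+ &nvram_fops,
+ {NULL, NULL},
+ NULL,
+ NULL
 };
 
 static int __init nvram_init(void)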
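Review bot: The added `tmp - contents > sizeof(contents)` guard in nvram_read() folds an internal bounds violation into the same -EFAULT that a bad user pointer produces, so neither the caller nor a log reader can tell the two apart. The test is also only meaningful if `contents` is an array in this scope, since for a pointer `sizeof` would yield the pointer size; its declaration is outside the hunk, so confirm that. I would split the check and make the invariant failure visible, e.g. `if (WARN_ON(tmp - contents > sizeof(contents))) return -EIO;` ahead of the copy_to_user() call. nvram_read() starts outside the hunk.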
21935diff -urNp linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c
21936--- linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c 2010-03-15 12:09:39.000000000 -0400
21937+++ linux-2.6.33.1/drivers/char/pcmcia/ipwireless/tty.c 2010-03-20 16:58:39.612523711 -0400
21938@@ -51,7 +51,7 @@ struct ipw_tty {
21939 int tty_type;
21940 struct ipw_network *network;
21941 struct tty_struct *linux_tty;
21942- int open_count;
21943+ atomic_t open_count;
21944 unsigned int control_lines;
21945 struct mutex ipw_tty_mutex;
21946 int tx_bytes_queued;
21947@@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
21948 mutex_unlock(&tty->ipw_tty_mutex);
21949 return -ENODEV;
21950 }
21951- if (tty->open_count == 0)
21952+ if (atomic_read(&tty->open_count) == 0)
21953 tty->tx_bytes_queued = 0;
21954
21955- tty->open_count++;
21956+ atomic_inc(&tty->open_count);
21957
21958 tty->linux_tty = linux_tty;
21959 linux_tty->driver_data = tty;
21960@@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
21961
21962 static void do_ipw_close(struct ipw_tty *tty)
21963 {
21964- tty->open_count--;
21965-
21966- if (tty->open_count == 0) {
21967+ if (atomic_dec_return(&tty->open_count) == 0) {
21968 struct tty_struct *linux_tty = tty->linux_tty;
21969
21970 if (linux_tty != NULL) {
21971@@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
21972 return;
21973
21974 mutex_lock(&tty->ipw_tty_mutex);
21975- if (tty->open_count == 0) {
21976+ if (atomic_read(&tty->open_count) == 0) {
21977 mutex_unlock(&tty->ipw_tty_mutex);
21978 return;
21979 }
21980@@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
21981 return;
21982 }
21983
21984- if (!tty->open_count) {
21985+ if (!atomic_read(&tty->open_count)) {
21986 mutex_unlock(&tty->ipw_tty_mutex);
21987 return;
21988 }
21989@@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
21990 return -ENODEV;
21991
21992 mutex_lock(&tty->ipw_tty_mutex);
21993- if (!tty->open_count) {
21994+ if (!atomic_read(&tty->open_count)) {
21995 mutex_unlock(&tty->ipw_tty_mutex);
21996 return -EINVAL;
21997 }
21998@@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
21999 if (!tty)
22000 return -ENODEV;
22001
22002- if (!tty->open_count)
22003+ if (!atomic_read(&tty->open_count))
22004 return -EINVAL;
22005
22006 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
22007@@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
22008 if (!tty)
22009 return 0;
22010
22011- if (!tty->open_count)
22012+ if (!atomic_read(&tty->open_count))
22013 return 0;
22014
22015 return tty->tx_bytes_queued;
22016@@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
22017 if (!tty)
22018 return -ENODEV;
22019
22020- if (!tty->open_count)
22021+ if (!atomic_read(&tty->open_count))
22022 return -EINVAL;
22023
22024 return get_control_lines(tty);
22025@@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
22026 if (!tty)
22027 return -ENODEV;
22028
22029- if (!tty->open_count)
22030+ if (!atomic_read(&tty->open_count))
22031 return -EINVAL;
22032
22033 return set_control_lines(tty, set, clear);
22034@@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
22035 if (!tty)
22036 return -ENODEV;
22037
22038- if (!tty->open_count)
22039+ if (!atomic_read(&tty->open_count))
22040 return -EINVAL;
22041
22042 /* FIXME: Exactly how is the tty object locked here .. */
22043@@ -591,7 +589,7 @@ void ipwireless_tty_free(struct ipw_tty
22044 against a parallel ioctl etc */
22045 mutex_lock(&ttyj->ipw_tty_mutex);
22046 }
22047- while (ttyj->open_count)
22048+ while (atomic_read(&ttyj->open_count))
22049 do_ipw_close(ttyj);
22050 ipwireless_disassociate_network_ttys(network,
22051 ttyj->channel_idx);
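--- a/drivers/char/pty.c
+++ b/drivers/char/pty.c
@@ -676,7 +676,18 @@ static int ptmx_open(struct inode *inode
 return ret;
 }
 
-static struct file_operations ptmx_fops;
+static const struct file_operations ptmx_fops = {
+ .llseek = no_llseek,
+ .read = tty_read,
+ .write = tty_write,
+ .poll = tty_poll,
+ .unlocked_ioctl = tty_ioctl,
+ .compat_ioctl = tty_compat_ioctl,
+ .open = ptmx_open,
+ .release = tty_release,
+ .fasync = tty_fasync,
+};
+
 
 static void __init unix98_pty_init(void)
 {
@@ -730,9 +741,6 @@ static void __init unix98_pty_init(void)
 register_sysctl_table(pty_root_table);
 
 /* Now create the /dev/ptmx special device */
- tty_default_fops(&ptmx_fops);
- ptmx_fops.open = ptmx_open;
-
 cdev_init(&ptmx_cdev, &ptmx_fops);
 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)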
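Review bot: The static `ptmx_fops` initializer now spells out by hand the members that `tty_default_fops()` used to copy from tty_fops, so the two tables can drift apart without any build error if tty_fops later gains or changes a member. A comment above the initializer, `/* must mirror tty_fops in tty_io.c except for .open */`, would flag that dependency. `.compat_ioctl = tty_compat_ioctl` also needs the name to resolve when CONFIG_COMPAT is off; the tty_io.c part of this patch removes the `#define tty_compat_ioctl NULL` fallback from that file, so confirm that a shared header now provides it (not visible here).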
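--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -254,8 +254,13 @@
 /*
 * Configuration information
 */
+#ifdef CONFIG_GRKERNSEC_RANDNET
+#define INPUT_POOL_WORDS 512
+#define OUTPUT_POOL_WORDS 128
+#else
 #define INPUT_POOL_WORDS 128
 #define OUTPUT_POOL_WORDS 32
+#endif
 #define SEC_XFER_SIZE 512
 
 /*
@@ -292,10 +297,17 @@ static struct poolinfo {
 int poolwords;
 int tap1, tap2, tap3, tap4, tap5;
 } poolinfo_table[] = {
+#ifdef CONFIG_GRKERNSEC_RANDNET
+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
+ { 512, 411, 308, 208, 104, 1 },
+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
+ { 128, 103, 76, 51, 25, 1 },
+#else
 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
 { 128, 103, 76, 51, 25, 1 },
 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
 { 32, 26, 20, 14, 7, 1 },
+#endif
 #if 0
 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
 { 2048, 1638, 1231, 819, 411, 1 },
@@ -903,7 +915,7 @@ static ssize_t extract_entropy_user(stru
 
 extract_buf(r, tmp);
 i = min_t(int, nbytes, EXTRACT_SIZE);
- if (copy_to_user(buf, tmp, i)) {
+ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
 ret = -EFAULT;
 break;
 }
@@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
 #include <linux/sysctl.h>
 
 static int min_read_thresh = 8, min_write_thresh;
-static int max_read_thresh = INPUT_POOL_WORDS * 32;
+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
 static int max_write_thresh = INPUT_POOL_WORDS * 32;
 static char sysctl_bootid[16];
 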
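Review bot: The last hunk changes `max_read_thresh` from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` outside any `#ifdef`, so with CONFIG_GRKERNSEC_RANDNET unset the bound drops from 128 * 32 to 32 * 32, a behaviour change for kernels that never enabled the option. If the variable is the upper limit of a sysctl (its users are outside the hunk), settings that were accepted before would now be rejected. Either keep the stock expression for the `#else` configuration or add a comment such as `/* read threshold is bounded by the output pool size because ... */` stating the reason. Note also that `max_write_thresh` on the next line keeps the input-pool expression, so the two limits are no longer derived the same way.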
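--- a/drivers/char/sonypi.c
+++ b/drivers/char/sonypi.c
@@ -490,7 +490,7 @@ static struct sonypi_device {
 spinlock_t fifo_lock;
 wait_queue_head_t fifo_proc_list;
 struct fasync_struct *fifo_async;
- int open_count;
+ atomic_t open_count;
 int model;
 struct input_dev *input_jog_dev;
 struct input_dev *input_key_dev;
@@ -897,7 +897,7 @@ static int sonypi_misc_fasync(int fd, st
 static int sonypi_misc_release(struct inode *inode, struct file *file)
 {
 mutex_lock(&sonypi_device.lock);
- sonypi_device.open_count--;
+ atomic_dec(&sonypi_device.open_count);
 mutex_unlock(&sonypi_device.lock);
 return 0;
 }
@@ -906,9 +906,9 @@ static int sonypi_misc_open(struct inode
 {
 mutex_lock(&sonypi_device.lock);
 /* Flush input queue on first open */
- if (!sonypi_device.open_count)
+ if (!atomic_read(&sonypi_device.open_count))
 kfifo_reset(&sonypi_device.fifo);
- sonypi_device.open_count++;
+ atomic_inc(&sonypi_device.open_count);
 mutex_unlock(&sonypi_device.lock);
 
 return 0;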
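--- a/drivers/char/tpm/tpm_bios.c
+++ b/drivers/char/tpm/tpm_bios.c
@@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
 event = addr;
 
 if ((event->event_type == 0 && event->event_size == 0) ||
- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
 return NULL;
 
 return addr;
@@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
 return NULL;
 
 if ((event->event_type == 0 && event->event_size == 0) ||
- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
 return NULL;
 
 (*pos)++;
@@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
 int i;
 
 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
- seq_putc(m, data[i]);
+ if (!seq_putc(m, data[i]))
+ return -EFAULT;
 
 return 0;
 }
@@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
 log->bios_event_log_end = log->bios_event_log + len;
 
 virt = acpi_os_map_memory(start, len);
+ if (!virt) {
+ kfree(log->bios_event_log);
+ log->bios_event_log = NULL;
+ return -EFAULT;
+ }
 
 memcpy(log->bios_event_log, virt, len);
 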
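Review bot: The added `if (!seq_putc(m, data[i])) return -EFAULT;` in tpm_binary_bios_measurements_show() looks inverted: as far as I recall, seq_putc() in this kernel series returns 0 when the byte was stored and non-zero when the buffer is full, so the function would bail out with -EFAULT after the first successful byte. Please check the definition in fs/seq_file.c; if that holds, the test should read `if (seq_putc(m, data[i]))`. The rewritten bounds tests in the first two hunks evaluate `limit - addr - sizeof(struct tcpa_event)` as an unsigned quantity, which is only safe when an earlier check (outside these hunks) already guarantees that a full header fits before `limit`; a one-line comment stating that precondition would help. All four functions extend outside their hunks.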
22214diff -urNp linux-2.6.33.1/drivers/char/tty_io.c linux-2.6.33.1/drivers/char/tty_io.c
22215--- linux-2.6.33.1/drivers/char/tty_io.c 2010-03-15 12:09:39.000000000 -0400
22216+++ linux-2.6.33.1/drivers/char/tty_io.c 2010-03-20 16:58:39.628796519 -0400
22217@@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
22218 DEFINE_MUTEX(tty_mutex);
22219 EXPORT_SYMBOL(tty_mutex);
22220
22221-static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
22222-static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
22223 ssize_t redirected_tty_write(struct file *, const char __user *,
22224 size_t, loff_t *);
22225-static unsigned int tty_poll(struct file *, poll_table *);
22226 static int tty_open(struct inode *, struct file *);
22227 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
22228-#ifdef CONFIG_COMPAT
22229-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
22230- unsigned long arg);
22231-#else
22232-#define tty_compat_ioctl NULL
22233-#endif
22234-static int tty_fasync(int fd, struct file *filp, int on);
22235 static void release_tty(struct tty_struct *tty, int idx);
22236 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
22237 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
22238@@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
22239 * read calls may be outstanding in parallel.
22240 */
22241
22242-static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
22243+ssize_t tty_read(struct file *file, char __user *buf, size_t count,
22244 loff_t *ppos)
22245 {
22246 int i;
22247@@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
22248 return i;
22249 }
22250
22251+EXPORT_SYMBOL(tty_read);
22252+
22253 void tty_write_unlock(struct tty_struct *tty)
22254 {
22255 mutex_unlock(&tty->atomic_write_lock);
22256@@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
22257 * write method will not be invoked in parallel for each device.
22258 */
22259
22260-static ssize_t tty_write(struct file *file, const char __user *buf,
22261+ssize_t tty_write(struct file *file, const char __user *buf,
22262 size_t count, loff_t *ppos)
22263 {
22264 struct tty_struct *tty;
22265@@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
22266 return ret;
22267 }
22268
22269+EXPORT_SYMBOL(tty_write);
22270+
22271 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
22272 size_t count, loff_t *ppos)
22273 {
22274@@ -1894,6 +1888,8 @@ got_driver:
22275
22276
22277
22278+EXPORT_SYMBOL(tty_release);
22279+
22280 /**
22281 * tty_poll - check tty status
22282 * @filp: file being polled
22283@@ -1906,7 +1902,7 @@ got_driver:
22284 * may be re-entered freely by other callers.
22285 */
58c5fc13 22286
22287-static unsigned int tty_poll(struct file *filp, poll_table *wait)
22288+unsigned int tty_poll(struct file *filp, poll_table *wait)
22289 {
22290 struct tty_struct *tty;
22291 struct tty_ldisc *ld;
22292@@ -1923,7 +1919,9 @@ static unsigned int tty_poll(struct file
22293 return ret;
22294 }
22295
22296-static int tty_fasync(int fd, struct file *filp, int on)
22297+EXPORT_SYMBOL(tty_poll);
22298+
22299+int tty_fasync(int fd, struct file *filp, int on)
22300 {
22301 struct tty_struct *tty;
22302 unsigned long flags;
22303@@ -1967,6 +1965,8 @@ out:
22304 return retval;
22305 }
22306
22307+EXPORT_SYMBOL(tty_fasync);
22308+
22309 /**
22310 * tiocsti - fake input character
22311 * @tty: tty to fake input into
22312@@ -2599,8 +2599,10 @@ long tty_ioctl(struct file *file, unsign
22313 return retval;
22314 }
22315
22316+EXPORT_SYMBOL(tty_ioctl);
22317+
22318 #ifdef CONFIG_COMPAT
22319-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
22320+long tty_compat_ioctl(struct file *file, unsigned int cmd,
22321 unsigned long arg)
22322 {
22323 struct inode *inode = file->f_dentry->d_inode;
22324@@ -2624,6 +2626,9 @@ static long tty_compat_ioctl(struct file
22325
22326 return retval;
22327 }
22328+
22329+EXPORT_SYMBOL(tty_compat_ioctl);
22330+
22331 #endif
22332
22333 /*
22334@@ -3067,11 +3072,6 @@ struct tty_struct *get_current_tty(void)
22335 }
22336 EXPORT_SYMBOL_GPL(get_current_tty);
22337
22338-void tty_default_fops(struct file_operations *fops)
22339-{
22340- *fops = tty_fops;
22341-}
22342-
22343 /*
22344 * Initialize the console device. This is called *early*, so
22345 * we can't necessarily depend on lots of kernel help here.
22346diff -urNp linux-2.6.33.1/drivers/char/tty_ldisc.c linux-2.6.33.1/drivers/char/tty_ldisc.c
22347--- linux-2.6.33.1/drivers/char/tty_ldisc.c 2010-03-15 12:09:39.000000000 -0400
22348+++ linux-2.6.33.1/drivers/char/tty_ldisc.c 2010-03-20 16:58:39.628796519 -0400
22349@@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
22350 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
22351 struct tty_ldisc_ops *ldo = ld->ops;
22352
22353- ldo->refcount--;
22354+ atomic_dec(&ldo->refcount);
22355 module_put(ldo->owner);
22356 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22357
ae4e228f 22358@@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
22359 spin_lock_irqsave(&tty_ldisc_lock, flags);
22360 tty_ldiscs[disc] = new_ldisc;
22361 new_ldisc->num = disc;
22362- new_ldisc->refcount = 0;
22363+ atomic_set(&new_ldisc->refcount, 0);
22364 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22365
22366 return ret;
ae4e228f 22367@@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
22368 return -EINVAL;
22369
22370 spin_lock_irqsave(&tty_ldisc_lock, flags);
22371- if (tty_ldiscs[disc]->refcount)
22372+ if (atomic_read(&tty_ldiscs[disc]->refcount))
22373 ret = -EBUSY;
22374 else
22375 tty_ldiscs[disc] = NULL;
22376@@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
22377 if (ldops) {
22378 ret = ERR_PTR(-EAGAIN);
22379 if (try_module_get(ldops->owner)) {
22380- ldops->refcount++;
22381+ atomic_inc(&ldops->refcount);
22382 ret = ldops;
22383 }
22384 }
22385@@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
22386 unsigned long flags;
22387
22388 spin_lock_irqsave(&tty_ldisc_lock, flags);
22389- ldops->refcount--;
22390+ atomic_dec(&ldops->refcount);
22391 module_put(ldops->owner);
22392 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
22393 }
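Review bot: The conversion of `refcount` to atomic operations in put_ldisc(), tty_register_ldisc(), tty_unregister_ldisc(), get_ldops() and put_ldops() carries no comment saying why an atomic_t is wanted, although four of the five accesses visibly sit between taking and releasing tty_ldisc_lock (the lock lines of get_ldops() are outside its hunk). If the purpose is overflow detection on the counter rather than lock-free access, which is an inference because the type change in struct tty_ldisc_ops is not in this file section, state it where the field is declared, e.g. `/* atomic_t for overflow checking; still protected by tty_ldisc_lock */`. Any remaining plain `->refcount` reader outside this file would also have to move to `atomic_read()`; none is visible here.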
22394diff -urNp linux-2.6.33.1/drivers/char/virtio_console.c linux-2.6.33.1/drivers/char/virtio_console.c
22395--- linux-2.6.33.1/drivers/char/virtio_console.c 2010-03-15 12:09:39.000000000 -0400
22396+++ linux-2.6.33.1/drivers/char/virtio_console.c 2010-03-20 16:58:39.628796519 -0400
22397@@ -44,6 +44,7 @@ static unsigned int in_len;
22398 static char *in, *inbuf;
22399
22400 /* The operations for our console. */
22401+/* cannot be const */
22402 static struct hv_ops virtio_cons;
22403
22404 /* The hvc device */
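Review bot: The added `/* cannot be const */` above `virtio_cons` states the constraint but not the reason, so a later constification pass has nothing to check it against. Presumably the structure's members are assigned at run time elsewhere in this file, which the hunk does not show; if so, say that in the comment, e.g. `/* not const: members are filled in at run time */`.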
22405diff -urNp linux-2.6.33.1/drivers/char/vt_ioctl.c linux-2.6.33.1/drivers/char/vt_ioctl.c
22406--- linux-2.6.33.1/drivers/char/vt_ioctl.c 2010-03-15 12:09:39.000000000 -0400
22407+++ linux-2.6.33.1/drivers/char/vt_ioctl.c 2010-03-20 16:58:39.632763861 -0400
22408@@ -226,6 +226,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
22409 case KDSKBENT:
22410 if (!perm)
22411 return -EPERM;
22412+
22413+#ifdef CONFIG_GRKERNSEC
22414+ if (!capable(CAP_SYS_TTY_CONFIG))
22415+ return -EPERM;
22416+#endif
22417+
22418 if (!i && v == K_NOSUCHMAP) {
22419 /* deallocate map */
22420 key_map = key_maps[s];
ae4e228f 22421@@ -366,6 +372,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
22422 goto reterr;
22423 }
22424
22425+#ifdef CONFIG_GRKERNSEC
22426+ if (!capable(CAP_SYS_TTY_CONFIG)) {
22427+ ret = -EPERM;
22428+ goto reterr;
22429+ }
22430+#endif
22431+
22432 q = func_table[i];
22433 first_free = funcbufptr + (funcbufsize - funcbufleft);
22434 for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
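Review bot: Both added `capable(CAP_SYS_TTY_CONFIG)` checks, the one in the KDSKBENT case of do_kdsk_ioctl() and the one before `q = func_table[i]` in do_kdgkb_ioctl(), follow an existing permission test without saying why that test is not enough. `perm` is computed by the caller, outside these hunks; if it can be true for a caller that merely owns the console, the new check means ownership no longer suffices to change key maps or function-key strings, and that deserves a comment such as `/* remapping keys requires the capability; perm alone is not sufficient */`. Without it the `if (!perm)` test looks redundant under CONFIG_GRKERNSEC and invites removal. Other ioctls that alter keyboard tables lie outside the hunks, so whether they receive the same check cannot be judged here.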
22435diff -urNp linux-2.6.33.1/drivers/cpufreq/cpufreq.c linux-2.6.33.1/drivers/cpufreq/cpufreq.c
22436--- linux-2.6.33.1/drivers/cpufreq/cpufreq.c 2010-03-15 12:09:39.000000000 -0400
22437+++ linux-2.6.33.1/drivers/cpufreq/cpufreq.c 2010-03-20 16:58:39.632763861 -0400
22438@@ -766,7 +766,7 @@ static void cpufreq_sysfs_release(struct
22439 complete(&policy->kobj_unregister);
22440 }
22441
22442-static struct sysfs_ops sysfs_ops = {
22443+static const struct sysfs_ops sysfs_ops = {
22444 .show = show,
22445 .store = store,
22446 };
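Review bot: Marking `sysfs_ops` const here only builds without a discarded-qualifier warning if the `sysfs_ops` member of `struct kobj_type` is itself declared as a pointer to const, and that header change is not part of this section. The same dependency applies to the identical one-word changes in cpuidle/sysfs.c, dma/ioat/dma.c and dma.h, the three edac `*_sysfs.c` files, firmware/edd.c, efivars.c, iscsi_ibft.c, memmap.c and ttm/ttm_bo.c. The change itself is worth keeping: a const ops table can be placed in read-only data, so its function pointers cannot be overwritten at run time.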
22447diff -urNp linux-2.6.33.1/drivers/cpuidle/sysfs.c linux-2.6.33.1/drivers/cpuidle/sysfs.c
22448--- linux-2.6.33.1/drivers/cpuidle/sysfs.c 2010-03-15 12:09:39.000000000 -0400
22449+++ linux-2.6.33.1/drivers/cpuidle/sysfs.c 2010-03-20 16:58:39.640816327 -0400
22450@@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
22451 return ret;
22452 }
22453
22454-static struct sysfs_ops cpuidle_sysfs_ops = {
22455+static const struct sysfs_ops cpuidle_sysfs_ops = {
22456 .show = cpuidle_show,
22457 .store = cpuidle_store,
22458 };
22459@@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
22460 return ret;
22461 }
22462
22463-static struct sysfs_ops cpuidle_state_sysfs_ops = {
22464+static const struct sysfs_ops cpuidle_state_sysfs_ops = {
22465 .show = cpuidle_state_show,
22466 };
22467
22468diff -urNp linux-2.6.33.1/drivers/dma/ioat/dma.c linux-2.6.33.1/drivers/dma/ioat/dma.c
22469--- linux-2.6.33.1/drivers/dma/ioat/dma.c 2010-03-15 12:09:39.000000000 -0400
22470+++ linux-2.6.33.1/drivers/dma/ioat/dma.c 2010-03-20 16:58:39.664561584 -0400
22471@@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
22472 return entry->show(&chan->common, page);
22473 }
22474
22475-struct sysfs_ops ioat_sysfs_ops = {
22476+const struct sysfs_ops ioat_sysfs_ops = {
22477 .show = ioat_attr_show,
22478 };
22479
22480diff -urNp linux-2.6.33.1/drivers/dma/ioat/dma.h linux-2.6.33.1/drivers/dma/ioat/dma.h
22481--- linux-2.6.33.1/drivers/dma/ioat/dma.h 2010-03-15 12:09:39.000000000 -0400
22482+++ linux-2.6.33.1/drivers/dma/ioat/dma.h 2010-03-20 16:58:39.664561584 -0400
22483@@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
22484 unsigned long *phys_complete);
22485 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
22486 void ioat_kobject_del(struct ioatdma_device *device);
22487-extern struct sysfs_ops ioat_sysfs_ops;
22488+extern const struct sysfs_ops ioat_sysfs_ops;
22489 extern struct ioat_sysfs_entry ioat_version_attr;
22490 extern struct ioat_sysfs_entry ioat_cap_attr;
22491 #endif /* IOATDMA_H */
22492diff -urNp linux-2.6.33.1/drivers/edac/edac_core.h linux-2.6.33.1/drivers/edac/edac_core.h
22493--- linux-2.6.33.1/drivers/edac/edac_core.h 2010-03-15 12:09:39.000000000 -0400
22494+++ linux-2.6.33.1/drivers/edac/edac_core.h 2010-03-20 16:58:39.668813885 -0400
22495@@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
22496
22497 #else /* !CONFIG_EDAC_DEBUG */
22498
22499-#define debugf0( ... )
22500-#define debugf1( ... )
22501-#define debugf2( ... )
22502-#define debugf3( ... )
22503-#define debugf4( ... )
22504+#define debugf0( ... ) do {} while (0)
22505+#define debugf1( ... ) do {} while (0)
22506+#define debugf2( ... ) do {} while (0)
22507+#define debugf3( ... ) do {} while (0)
22508+#define debugf4( ... ) do {} while (0)
22509
22510 #endif /* !CONFIG_EDAC_DEBUG */
22511
22512diff -urNp linux-2.6.33.1/drivers/edac/edac_device_sysfs.c linux-2.6.33.1/drivers/edac/edac_device_sysfs.c
22513--- linux-2.6.33.1/drivers/edac/edac_device_sysfs.c 2010-03-15 12:09:39.000000000 -0400
22514+++ linux-2.6.33.1/drivers/edac/edac_device_sysfs.c 2010-03-20 16:58:39.672639279 -0400
22515@@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
22516 }
22517
22518 /* edac_dev file operations for an 'ctl_info' */
22519-static struct sysfs_ops device_ctl_info_ops = {
22520+static const struct sysfs_ops device_ctl_info_ops = {
22521 .show = edac_dev_ctl_info_show,
22522 .store = edac_dev_ctl_info_store
22523 };
22524@@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
22525 }
22526
22527 /* edac_dev file operations for an 'instance' */
22528-static struct sysfs_ops device_instance_ops = {
22529+static const struct sysfs_ops device_instance_ops = {
22530 .show = edac_dev_instance_show,
22531 .store = edac_dev_instance_store
22532 };
22533@@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
22534 }
22535
22536 /* edac_dev file operations for a 'block' */
22537-static struct sysfs_ops device_block_ops = {
22538+static const struct sysfs_ops device_block_ops = {
22539 .show = edac_dev_block_show,
22540 .store = edac_dev_block_store
22541 };
22542diff -urNp linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c
22543--- linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c 2010-03-15 12:09:39.000000000 -0400
22544+++ linux-2.6.33.1/drivers/edac/edac_mc_sysfs.c 2010-03-20 16:58:39.676823381 -0400
22545@@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
22546 return -EIO;
22547 }
22548
22549-static struct sysfs_ops csrowfs_ops = {
22550+static const struct sysfs_ops csrowfs_ops = {
22551 .show = csrowdev_show,
22552 .store = csrowdev_store
22553 };
22554@@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
22555 }
22556
22557 /* Intermediate show/store table */
22558-static struct sysfs_ops mci_ops = {
22559+static const struct sysfs_ops mci_ops = {
22560 .show = mcidev_show,
22561 .store = mcidev_store
22562 };
22563diff -urNp linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c
22564--- linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c 2010-03-15 12:09:39.000000000 -0400
22565+++ linux-2.6.33.1/drivers/edac/edac_pci_sysfs.c 2010-03-20 16:58:39.680817937 -0400
22566@@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
22567 }
22568
22569 /* fs_ops table */
22570-static struct sysfs_ops pci_instance_ops = {
22571+static const struct sysfs_ops pci_instance_ops = {
22572 .show = edac_pci_instance_show,
22573 .store = edac_pci_instance_store
22574 };
22575@@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
22576 return -EIO;
22577 }
22578
22579-static struct sysfs_ops edac_pci_sysfs_ops = {
22580+static const struct sysfs_ops edac_pci_sysfs_ops = {
22581 .show = edac_pci_dev_show,
22582 .store = edac_pci_dev_store
22583 };
22584diff -urNp linux-2.6.33.1/drivers/firmware/dmi_scan.c linux-2.6.33.1/drivers/firmware/dmi_scan.c
22585--- linux-2.6.33.1/drivers/firmware/dmi_scan.c 2010-03-15 12:09:39.000000000 -0400
22586+++ linux-2.6.33.1/drivers/firmware/dmi_scan.c 2010-03-20 16:58:39.680817937 -0400
22587@@ -388,11 +388,6 @@ void __init dmi_scan_machine(void)
22588 }
22589 }
22590 else {
22591- /*
22592- * no iounmap() for that ioremap(); it would be a no-op, but
22593- * it's so early in setup that sucker gets confused into doing
22594- * what it shouldn't if we actually call it.
22595- */
22596 p = dmi_ioremap(0xF0000, 0x10000);
22597 if (p == NULL)
22598 goto error;
22599diff -urNp linux-2.6.33.1/drivers/firmware/edd.c linux-2.6.33.1/drivers/firmware/edd.c
22600--- linux-2.6.33.1/drivers/firmware/edd.c 2010-03-15 12:09:39.000000000 -0400
22601+++ linux-2.6.33.1/drivers/firmware/edd.c 2010-03-20 16:58:39.680817937 -0400
22602@@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
22603 return ret;
22604 }
22605
22606-static struct sysfs_ops edd_attr_ops = {
22607+static const struct sysfs_ops edd_attr_ops = {
22608 .show = edd_attr_show,
22609 };
22610
22611diff -urNp linux-2.6.33.1/drivers/firmware/efivars.c linux-2.6.33.1/drivers/firmware/efivars.c
22612--- linux-2.6.33.1/drivers/firmware/efivars.c 2010-03-15 12:09:39.000000000 -0400
22613+++ linux-2.6.33.1/drivers/firmware/efivars.c 2010-03-20 16:58:39.680817937 -0400
22614@@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
22615 return ret;
22616 }
22617
22618-static struct sysfs_ops efivar_attr_ops = {
22619+static const struct sysfs_ops efivar_attr_ops = {
22620 .show = efivar_attr_show,
22621 .store = efivar_attr_store,
22622 };
22623diff -urNp linux-2.6.33.1/drivers/firmware/iscsi_ibft.c linux-2.6.33.1/drivers/firmware/iscsi_ibft.c
22624--- linux-2.6.33.1/drivers/firmware/iscsi_ibft.c 2010-03-15 12:09:39.000000000 -0400
22625+++ linux-2.6.33.1/drivers/firmware/iscsi_ibft.c 2010-03-20 16:58:39.680817937 -0400
22626@@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
22627 return ret;
22628 }
22629
22630-static struct sysfs_ops ibft_attr_ops = {
22631+static const struct sysfs_ops ibft_attr_ops = {
22632 .show = ibft_show_attribute,
22633 };
22634
22635diff -urNp linux-2.6.33.1/drivers/firmware/memmap.c linux-2.6.33.1/drivers/firmware/memmap.c
22636--- linux-2.6.33.1/drivers/firmware/memmap.c 2010-03-15 12:09:39.000000000 -0400
22637+++ linux-2.6.33.1/drivers/firmware/memmap.c 2010-03-20 16:58:39.684538507 -0400
22638@@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
22639 NULL
22640 };
58c5fc13 22641
22642-static struct sysfs_ops memmap_attr_ops = {
22643+static const struct sysfs_ops memmap_attr_ops = {
22644 .show = memmap_attr_show,
22645 };
22646
22647diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_drv.c linux-2.6.33.1/drivers/gpu/drm/drm_drv.c
22648--- linux-2.6.33.1/drivers/gpu/drm/drm_drv.c 2010-03-15 12:09:39.000000000 -0400
22649+++ linux-2.6.33.1/drivers/gpu/drm/drm_drv.c 2010-03-20 16:58:39.696814507 -0400
22650@@ -448,7 +448,7 @@ long drm_ioctl(struct file *filp,
22651
22652 dev = file_priv->minor->dev;
22653 atomic_inc(&dev->ioctl_count);
22654- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
22655+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
22656 ++file_priv->ioctl_count;
22657
22658 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
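Review bot: In drm_ioctl() the update of `dev->counts[_DRM_STAT_IOCTLS]` moves to `atomic_inc_unchecked()` while `dev->ioctl_count` on the line above stays on `atomic_inc()`, and nothing records why the two counters are treated differently. Judging by the names, `counts[]` holds statistics that may wrap harmlessly while `ioctl_count` tracks calls in flight; a one-line comment such as `/* statistics only, wrap-around is harmless */` would make that explicit. The same applies to the `counts[]` updates in drm_fops.c, drm_ioctl.c, drm_lock.c and i810/i810_dma.c. drm_ioctl() starts and ends outside the hunk.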
22659diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_fops.c linux-2.6.33.1/drivers/gpu/drm/drm_fops.c
22660--- linux-2.6.33.1/drivers/gpu/drm/drm_fops.c 2010-03-15 12:09:39.000000000 -0400
22661+++ linux-2.6.33.1/drivers/gpu/drm/drm_fops.c 2010-03-20 16:58:39.704802989 -0400
22662@@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
22663 }
22664
22665 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
22666- atomic_set(&dev->counts[i], 0);
22667+ atomic_set_unchecked(&dev->counts[i], 0);
22668
22669 dev->sigdata.lock = NULL;
22670
22671@@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
22672
22673 retcode = drm_open_helper(inode, filp, dev);
22674 if (!retcode) {
22675- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
22676+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
22677 spin_lock(&dev->count_lock);
22678- if (!dev->open_count++) {
22679+ if (atomic_inc_return(&dev->open_count) == 1) {
22680 spin_unlock(&dev->count_lock);
22681 retcode = drm_setup(dev);
22682 goto out;
ae4e228f 22683@@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
22684
22685 lock_kernel();
22686
22687- DRM_DEBUG("open_count = %d\n", dev->open_count);
22688+ DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
22689
22690 if (dev->driver->preclose)
22691 dev->driver->preclose(dev, file_priv);
ae4e228f 22692@@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
22693 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
22694 task_pid_nr(current),
22695 (long)old_encode_dev(file_priv->minor->device),
22696- dev->open_count);
22697+ atomic_read(&dev->open_count));
22698
22699 /* if the master has gone away we can't do anything with the lock */
22700 if (file_priv->minor->master)
ae4e228f 22701@@ -565,9 +565,9 @@ int drm_release(struct inode *inode, str
22702 * End inline drm_release
22703 */
22704
22705- atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
22706+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
22707 spin_lock(&dev->count_lock);
22708- if (!--dev->open_count) {
22709+ if (atomic_dec_and_test(&dev->open_count)) {
22710 if (atomic_read(&dev->ioctl_count)) {
22711 DRM_ERROR("Device busy: %d\n",
22712 atomic_read(&dev->ioctl_count));
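Review bot: `dev->open_count` is turned into an atomic_t in drm_open() and drm_release(), but both updates still happen right after `spin_lock(&dev->count_lock)`, so the atomic operations add no concurrency protection and the reason for the conversion is undocumented. If it is meant to catch counter overflow, say so next to the field; the struct change and any other reader of `open_count` are outside this section and would all need `atomic_read()`. `if (atomic_inc_return(&dev->open_count) == 1)` and `if (atomic_dec_and_test(&dev->open_count))` do preserve the first-open and last-close tests of the old `!dev->open_count++` and `!--dev->open_count`.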
22713diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c
22714--- linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c 2010-03-15 12:09:39.000000000 -0400
22715+++ linux-2.6.33.1/drivers/gpu/drm/drm_ioctl.c 2010-03-20 16:58:39.704802989 -0400
22716@@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
22717 stats->data[i].value =
22718 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
22719 else
22720- stats->data[i].value = atomic_read(&dev->counts[i]);
22721+ stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
22722 stats->data[i].type = dev->types[i];
22723 }
22724
22725diff -urNp linux-2.6.33.1/drivers/gpu/drm/drm_lock.c linux-2.6.33.1/drivers/gpu/drm/drm_lock.c
22726--- linux-2.6.33.1/drivers/gpu/drm/drm_lock.c 2010-03-15 12:09:39.000000000 -0400
22727+++ linux-2.6.33.1/drivers/gpu/drm/drm_lock.c 2010-03-20 16:58:39.712815966 -0400
22728@@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
22729 if (drm_lock_take(&master->lock, lock->context)) {
22730 master->lock.file_priv = file_priv;
22731 master->lock.lock_time = jiffies;
22732- atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
22733+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
22734 break; /* Got lock */
22735 }
22736
22737@@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
22738 return -EINVAL;
22739 }
22740
22741- atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
22742+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
22743
22744 /* kernel_context_switch isn't used by any of the x86 drm
22745 * modules but is required by the Sparc driver.
22746diff -urNp linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c
22747--- linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c 2010-03-15 12:09:39.000000000 -0400
22748+++ linux-2.6.33.1/drivers/gpu/drm/i810/i810_dma.c 2010-03-20 16:58:39.712815966 -0400
22749@@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
22750 dma->buflist[vertex->idx],
22751 vertex->discard, vertex->used);
22752
22753- atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22754- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22755+ atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
22756+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22757 sarea_priv->last_enqueue = dev_priv->counter - 1;
22758 sarea_priv->last_dispatch = (int)hw_status[5];
22759
22760@@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
22761 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
22762 mc->last_render);
22763
22764- atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22765- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
22766+ atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
22767+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
22768 sarea_priv->last_enqueue = dev_priv->counter - 1;
22769 sarea_priv->last_dispatch = (int)hw_status[5];
22770
22771diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c
22772--- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c 2010-03-15 12:09:39.000000000 -0400
22773+++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7017.c 2010-03-20 16:58:39.720824119 -0400
22774@@ -444,7 +444,7 @@ static void ch7017_destroy(struct intel_
22775 }
22776 }
22777
22778-struct intel_dvo_dev_ops ch7017_ops = {
22779+const struct intel_dvo_dev_ops ch7017_ops = {
22780 .init = ch7017_init,
22781 .detect = ch7017_detect,
22782 .mode_valid = ch7017_mode_valid,
22783diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c
22784--- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-03-15 12:09:39.000000000 -0400
22785+++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-03-20 16:58:39.724540120 -0400
22786@@ -358,7 +358,7 @@ static void ch7xxx_destroy(struct intel_
22787 }
22788 }
22789
22790-struct intel_dvo_dev_ops ch7xxx_ops = {
22791+const struct intel_dvo_dev_ops ch7xxx_ops = {
22792 .init = ch7xxx_init,
22793 .detect = ch7xxx_detect,
22794 .mode_valid = ch7xxx_mode_valid,
22795diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h
22796--- linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h 2010-03-15 12:09:39.000000000 -0400
22797+++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo.h 2010-03-20 16:58:39.724540120 -0400
22798@@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
22799 *
22800 * \return singly-linked list of modes or NULL if no modes found.
22801 */
22802- struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
22803+ struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
22804
22805 /**
22806 * Clean up driver-specific bits of the output
22807 */
22808- void (*destroy) (struct intel_dvo_device *dvo);
22809+ void (* const destroy) (struct intel_dvo_device *dvo);
22810
22811 /**
22812 * Debugging hook to dump device registers to log file
22813 */
22814- void (*dump_regs)(struct intel_dvo_device *dvo);
22815+ void (* const dump_regs)(struct intel_dvo_device *dvo);
22816 };
22817
22818-extern struct intel_dvo_dev_ops sil164_ops;
22819-extern struct intel_dvo_dev_ops ch7xxx_ops;
22820-extern struct intel_dvo_dev_ops ivch_ops;
22821-extern struct intel_dvo_dev_ops tfp410_ops;
22822-extern struct intel_dvo_dev_ops ch7017_ops;
22823+extern const struct intel_dvo_dev_ops sil164_ops;
22824+extern const struct intel_dvo_dev_ops ch7xxx_ops;
22825+extern const struct intel_dvo_dev_ops ivch_ops;
22826+extern const struct intel_dvo_dev_ops tfp410_ops;
22827+extern const struct intel_dvo_dev_ops ch7017_ops;
22828
22829 #endif /* _INTEL_DVO_H */
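Review bot: Only `get_modes`, `destroy` and `dump_regs` gain a `* const` qualifier in struct intel_dvo_dev_ops; the members declared above the hunk are not visible and no other hunk in this section touches them, so the struct appears to end up only partly qualified. Since all five instances (`sil164_ops`, `ch7xxx_ops`, `ivch_ops`, `tfp410_ops`, `ch7017_ops`) are now declared `const struct intel_dvo_dev_ops`, the per-member `const` is redundant for them. Either qualify every function pointer in the struct or drop the member-level `const` and rely on the object-level one.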
22830diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c
22831--- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c 2010-03-15 12:09:39.000000000 -0400
22832+++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_ivch.c 2010-03-20 16:58:39.724540120 -0400
22833@@ -431,7 +431,7 @@ static void ivch_destroy(struct intel_dv
22834 }
22835 }
22836
22837-struct intel_dvo_dev_ops ivch_ops= {
22838+const struct intel_dvo_dev_ops ivch_ops= {
22839 .init = ivch_init,
22840 .dpms = ivch_dpms,
22841 .save = ivch_save,
22842diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c
22843--- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c 2010-03-15 12:09:39.000000000 -0400
22844+++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_sil164.c 2010-03-20 16:58:39.724540120 -0400
22845@@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
22846 }
22847 }
22848
22849-struct intel_dvo_dev_ops sil164_ops = {
22850+const struct intel_dvo_dev_ops sil164_ops = {
22851 .init = sil164_init,
22852 .detect = sil164_detect,
22853 .mode_valid = sil164_mode_valid,
22854diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c
22855--- linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c 2010-03-15 12:09:39.000000000 -0400
22856+++ linux-2.6.33.1/drivers/gpu/drm/i915/dvo_tfp410.c 2010-03-20 16:58:39.724540120 -0400
22857@@ -325,7 +325,7 @@ static void tfp410_destroy(struct intel_
22858 }
22859 }
22860
22861-struct intel_dvo_dev_ops tfp410_ops = {
22862+const struct intel_dvo_dev_ops tfp410_ops = {
22863 .init = tfp410_init,
22864 .detect = tfp410_detect,
22865 .mode_valid = tfp410_mode_valid,
22866diff -urNp linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c
22867--- linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c 2010-03-15 12:09:39.000000000 -0400
22868+++ linux-2.6.33.1/drivers/gpu/drm/i915/i915_drv.c 2010-03-20 16:58:39.724540120 -0400
22869@@ -470,7 +470,7 @@ const struct dev_pm_ops i915_pm_ops = {
22870 .restore = i915_pm_resume,
22871 };
22872
22873-static struct vm_operations_struct i915_gem_vm_ops = {
22874+static const struct vm_operations_struct i915_gem_vm_ops = {
22875 .fault = i915_gem_fault,
22876 .open = drm_gem_vm_open,
22877 .close = drm_gem_vm_close,
22878diff -urNp linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c
22879--- linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-03-15 12:09:39.000000000 -0400
22880+++ linux-2.6.33.1/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-03-20 16:58:39.737935163 -0400
22881@@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
22882 return 0;
22883 }
22884
22885-static struct backlight_ops nv40_bl_ops = {
22886+static const struct backlight_ops nv40_bl_ops = {
22887 .options = BL_CORE_SUSPENDRESUME,
22888 .get_brightness = nv40_get_intensity,
22889 .update_status = nv40_set_intensity,
22890@@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
22891 return 0;
22892 }
22893
22894-static struct backlight_ops nv50_bl_ops = {
22895+static const struct backlight_ops nv50_bl_ops = {
22896 .options = BL_CORE_SUSPENDRESUME,
22897 .get_brightness = nv50_get_intensity,
22898 .update_status = nv50_set_intensity,
22899diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c
22900--- linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c 2010-03-15 12:09:39.000000000 -0400
22901+++ linux-2.6.33.1/drivers/gpu/drm/radeon/mkregtable.c 2010-03-20 16:58:39.737935163 -0400
22902@@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
22903 regex_t mask_rex;
22904 regmatch_t match[4];
22905 char buf[1024];
22906- size_t end;
22907+ long end;
22908 int len;
22909 int done = 0;
22910 int r;
22911 unsigned o;
22912 struct offset *offset;
22913 char last_reg_s[10];
22914- int last_reg;
22915+ unsigned long last_reg;
22916
22917 if (regcomp
22918 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
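Review bot: In parser_auth() `end` changes from `size_t` to `long` and `last_reg` from `int` to `unsigned long` with no visible adjustment to the code that uses them, which lies outside the hunk. If `last_reg` is filled by `strtol()`, `strtoul()` would match the new type, and any printf-style format that prints either variable needs `%ld` or `%lu`. A short comment on each declaration would help, since the two changes flip signedness in opposite directions.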
22919diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c
22920--- linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c 2010-03-15 12:09:39.000000000 -0400
22921+++ linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_atombios.c 2010-03-20 16:58:39.737935163 -0400
22922@@ -637,14 +637,14 @@ static uint16_t atombios_get_connector_o
22923 }
22924 }
22925
22926-struct bios_connector {
22927+static struct bios_connector {
22928 bool valid;
ae4e228f 22929 uint16_t line_mux;
22930 uint16_t devices;
22931 int connector_type;
22932 struct radeon_i2c_bus_rec ddc_bus;
ae4e228f 22933 struct radeon_hpd hpd;
58c5fc13 22934-};
ae4e228f 22935+} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22936
22937 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
22938 drm_device
ae4e228f 22939@@ -660,7 +660,6 @@ bool radeon_get_atom_connector_info_from
22940 uint8_t dac;
22941 union atom_supported_devices *supported_devices;
ae4e228f 22942 int i, j, max_device;
22943- struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
22944
22945 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
22946
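Review bot: Moving `bios_connectors[ATOM_MAX_SUPPORTED_DEVICE]` from a local of radeon_get_atom_connector_info_from_supported_devices_table() to a file-scope static array takes it off the kernel stack but makes the function non-reentrant: two devices initialised at the same time would share the array, and entries from an earlier call stay in place unless the body resets every field it later reads. The body is outside the hunk, so neither can be confirmed here. A heap allocation keeps the stack saving without shared state, e.g. `bios_connectors = kzalloc(ATOM_MAX_SUPPORTED_DEVICE * sizeof(*bios_connectors), GFP_KERNEL);` with a NULL check and a `kfree()` on every return path. At minimum the static array needs a comment naming what serialises its callers.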
22947diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c
22948--- linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c 2010-03-15 12:09:39.000000000 -0400
22949+++ linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_state.c 2010-03-20 16:58:39.757317099 -0400
22950@@ -2139,7 +2139,7 @@ static int radeon_cp_clear(struct drm_de
22951 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
22952 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
22953
22954- if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
22955+ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
22956 sarea_priv->nbox * sizeof(depth_boxes[0])))
22957 return -EFAULT;
22958
22959@@ -3014,7 +3014,7 @@ static int radeon_cp_getparam(struct drm
22960 {
22961 drm_radeon_private_t *dev_priv = dev->dev_private;
22962 drm_radeon_getparam_t *param = data;
22963- int value;
22964+ int value = 0;
22965
22966 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
22967
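Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS ||` test in radeon_cp_clear() reads `nbox` again after the clamp, and the size argument `sarea_priv->nbox * sizeof(depth_boxes[0])` reads it a third time, so if the field can be written concurrently (which the re-check implies) the value can still change between the test and the copy into `depth_boxes`. Fetch it once and use only the copy: `nbox = ACCESS_ONCE(sarea_priv->nbox);`, then `if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;`, and pass `nbox * sizeof(depth_boxes[0])` to DRM_COPY_FROM_USER(). The local should have the same type as the field, whose declaration is not visible here. Later uses of `sarea_priv->nbox` in the function are outside the hunk and would need the same treatment.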
22968diff -urNp linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c
22969--- linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c 2010-03-15 12:09:39.000000000 -0400
22970+++ linux-2.6.33.1/drivers/gpu/drm/radeon/radeon_ttm.c 2010-03-20 16:58:39.760772786 -0400
22971@@ -564,27 +564,10 @@ void radeon_ttm_fini(struct radeon_devic
22972 DRM_INFO("radeon: ttm finalized\n");
22973 }
22974
22975-static struct vm_operations_struct radeon_ttm_vm_ops;
ae4e228f 22976-static const struct vm_operations_struct *ttm_vm_ops = NULL;
22977-
22978-static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
22979-{
22980- struct ttm_buffer_object *bo;
22981- int r;
22982-
22983- bo = (struct ttm_buffer_object *)vma->vm_private_data;
22984- if (bo == NULL) {
22985- return VM_FAULT_NOPAGE;
22986- }
22987- r = ttm_vm_ops->fault(vma, vmf);
22988- return r;
22989-}
22990-
22991 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
22992 {
22993 struct drm_file *file_priv;
22994 struct radeon_device *rdev;
22995- int r;
22996
22997 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
22998 return drm_mmap(filp, vma);
ae4e228f 22999@@ -592,20 +575,9 @@ int radeon_mmap(struct file *filp, struc
23000
23001 file_priv = (struct drm_file *)filp->private_data;
23002 rdev = file_priv->minor->dev->dev_private;
23003- if (rdev == NULL) {
23004+ if (!rdev)
23005 return -EINVAL;
23006- }
23007- r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
23008- if (unlikely(r != 0)) {
23009- return r;
23010- }
23011- if (unlikely(ttm_vm_ops == NULL)) {
23012- ttm_vm_ops = vma->vm_ops;
23013- radeon_ttm_vm_ops = *ttm_vm_ops;
23014- radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
23015- }
23016- vma->vm_ops = &radeon_ttm_vm_ops;
23017- return 0;
23018+ return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
23019 }
23020
23021
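Review bot: Deleting radeon_ttm_fault() removes the only NULL test on `vma->vm_private_data` in this file, so radeon_mmap() is now correct only together with the `if (!bo)` check that the ttm/ttm_bo_vm.c section of this patch adds to ttm_bo_vm_fault(). That coupling is not recorded anywhere; a comment above the final `return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);` such as `/* a NULL buffer object is handled in ttm_bo_vm_fault() */` would keep the two changes from being separated. The removal itself is an improvement, since it drops a writable copy of the vm_operations table whose `fault` pointer was patched at run time.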
23022diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c
23023--- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c 2010-03-15 12:09:39.000000000 -0400
23024+++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo.c 2010-03-20 16:58:39.760772786 -0400
23025@@ -128,7 +128,7 @@ static struct attribute *ttm_bo_global_a
23026 NULL
23027 };
23028
23029-static struct sysfs_ops ttm_bo_global_ops = {
23030+static const struct sysfs_ops ttm_bo_global_ops = {
23031 .show = &ttm_bo_global_show
23032 };
23033
23034diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c
23035--- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-03-15 12:09:39.000000000 -0400
23036+++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-03-20 16:58:39.760772786 -0400
23037@@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
23038 {
23039 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
23040 vma->vm_private_data;
23041- struct ttm_bo_device *bdev = bo->bdev;
23042+ struct ttm_bo_device *bdev;
23043 unsigned long bus_base;
23044 unsigned long bus_offset;
23045 unsigned long bus_size;
23046@@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
23047 unsigned long address = (unsigned long)vmf->virtual_address;
23048 int retval = VM_FAULT_NOPAGE;
23049
23050+ if (!bo)
23051+ return VM_FAULT_NOPAGE;
23052+ bdev = bo->bdev;
23053+
23054 /*
23055 * Work around locking order reversal in fault / nopfn
23056 * between mmap_sem and bo_reserve: Perform a trylock operation
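Review bot: The `if (!bo)` guard added to ttm_bo_vm_fault() has no comment saying when `vma->vm_private_data` can be NULL, and this patch moves the check out of the radeon-only wrapper (removed in radeon_ttm.c) into the fault handler shared by TTM users. A line such as `/* vm_private_data can be NULL here; return before touching bo->bdev */` above the guard would record why the `bdev` initialisation was split from its declaration. Which path leaves the pointer NULL is not visible in this hunk, so the comment should name it. The function body continues outside the hunk.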
23057diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c
23058--- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c 2010-03-15 12:09:39.000000000 -0400
23059+++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_global.c 2010-03-20 16:58:39.764713262 -0400
23060@@ -36,7 +36,7 @@
23061 struct ttm_global_item {
23062 struct mutex mutex;
23063 void *object;
23064- int refcount;
23065+ atomic_t refcount;
23066 };
58c5fc13 23067
23068 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
23069@@ -49,7 +49,7 @@ void ttm_global_init(void)
23070 struct ttm_global_item *item = &glob[i];
23071 mutex_init(&item->mutex);
23072 item->object = NULL;
23073- item->refcount = 0;
23074+ atomic_set(&item->refcount, 0);
23075 }
23076 }
23077
23078@@ -59,7 +59,7 @@ void ttm_global_release(void)
23079 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
23080 struct ttm_global_item *item = &glob[i];
23081 BUG_ON(item->object != NULL);
23082- BUG_ON(item->refcount != 0);
23083+ BUG_ON(atomic_read(&item->refcount) != 0);
23084 }
23085 }
23086
23087@@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
23088 void *object;
23089
23090 mutex_lock(&item->mutex);
23091- if (item->refcount == 0) {
23092+ if (atomic_read(&item->refcount) == 0) {
23093 item->object = kzalloc(ref->size, GFP_KERNEL);
23094 if (unlikely(item->object == NULL)) {
23095 ret = -ENOMEM;
23096@@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
23097 goto out_err;
23098
23099 }
23100- ++item->refcount;
23101+ atomic_inc(&item->refcount);
23102 ref->object = item->object;
23103 object = item->object;
23104 mutex_unlock(&item->mutex);
23105@@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
23106 struct ttm_global_item *item = &glob[ref->global_type];
23107
23108 mutex_lock(&item->mutex);
23109- BUG_ON(item->refcount == 0);
23110+ BUG_ON(atomic_read(&item->refcount) == 0);
23111 BUG_ON(ref->object != item->object);
23112- if (--item->refcount == 0) {
23113+ if (atomic_dec_and_test(&item->refcount)) {
23114 ref->release(ref);
23115 item->object = NULL;
23116 }
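Review bot: In ttm_global_item_unref() the `BUG_ON(atomic_read(&item->refcount) == 0)` test and the following `atomic_dec_and_test()` are two separate atomic operations, and ttm_global_item_ref() likewise pairs `atomic_read() == 0` with a later `atomic_inc()`; both sequences are only correct because `item->mutex` is held around them. The struct field should say so, e.g. `atomic_t refcount; /* updated under mutex; atomic_t does not replace the lock */`, so the type change is not read as permission to drop the mutex. Presumably the conversion is there to bring the counter under the patch's atomic overflow checking; if so, that is worth stating in the same comment. Both functions continue outside their hunks.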
23117diff -urNp linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c
23118--- linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c 2010-03-15 12:09:39.000000000 -0400
23119+++ linux-2.6.33.1/drivers/gpu/drm/ttm/ttm_memory.c 2010-03-20 16:58:39.764713262 -0400
23120@@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
23121 NULL
23122 };
23123
23124-static struct sysfs_ops ttm_mem_zone_ops = {
23125+static const struct sysfs_ops ttm_mem_zone_ops = {
23126 .show = &ttm_mem_zone_show,
23127 .store = &ttm_mem_zone_store
23128 };
23129diff -urNp linux-2.6.33.1/drivers/hwmon/k8temp.c linux-2.6.33.1/drivers/hwmon/k8temp.c
23130--- linux-2.6.33.1/drivers/hwmon/k8temp.c 2010-03-15 12:09:39.000000000 -0400
23131+++ linux-2.6.33.1/drivers/hwmon/k8temp.c 2010-03-20 16:58:39.764713262 -0400
23132@@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
23133
ae4e228f 23134 static const struct pci_device_id k8temp_ids[] = {
23135 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
23136- { 0 },
23137+ { 0, 0, 0, 0, 0, 0, 0 },
23138 };
23139
23140 MODULE_DEVICE_TABLE(pci, k8temp_ids);
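Review bot: The new terminator `{ 0, 0, 0, 0, 0, 0, 0 }` in k8temp_ids is positional, so it has to be kept in step by hand with the member count of `struct pci_device_id` and no longer reads as an end-of-table marker. A trailing comment, `{ 0, 0, 0, 0, 0, 0, 0 } /* terminating entry */`, would at least mark its role. The same applies to the other pci_device_id, ieee1394_device_id, serio_device_id and dmi_system_id terminators rewritten in this patch.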
23141diff -urNp linux-2.6.33.1/drivers/hwmon/sis5595.c linux-2.6.33.1/drivers/hwmon/sis5595.c
23142--- linux-2.6.33.1/drivers/hwmon/sis5595.c 2010-03-15 12:09:39.000000000 -0400
23143+++ linux-2.6.33.1/drivers/hwmon/sis5595.c 2010-03-20 16:58:39.772823109 -0400
23144@@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
23145
ae4e228f 23146 static const struct pci_device_id sis5595_pci_ids[] = {
23147 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
23148- { 0, }
23149+ { 0, 0, 0, 0, 0, 0, 0 }
23150 };
23151
23152 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
23153diff -urNp linux-2.6.33.1/drivers/hwmon/via686a.c linux-2.6.33.1/drivers/hwmon/via686a.c
23154--- linux-2.6.33.1/drivers/hwmon/via686a.c 2010-03-15 12:09:39.000000000 -0400
23155+++ linux-2.6.33.1/drivers/hwmon/via686a.c 2010-03-20 16:58:39.780824922 -0400
23156@@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
23157
ae4e228f 23158 static const struct pci_device_id via686a_pci_ids[] = {
23159 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
23160- { 0, }
23161+ { 0, 0, 0, 0, 0, 0, 0 }
23162 };
23163
23164 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
23165diff -urNp linux-2.6.33.1/drivers/hwmon/vt8231.c linux-2.6.33.1/drivers/hwmon/vt8231.c
23166--- linux-2.6.33.1/drivers/hwmon/vt8231.c 2010-03-15 12:09:39.000000000 -0400
23167+++ linux-2.6.33.1/drivers/hwmon/vt8231.c 2010-03-20 16:58:39.784811184 -0400
23168@@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
23169
ae4e228f 23170 static const struct pci_device_id vt8231_pci_ids[] = {
23171 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
23172- { 0, }
23173+ { 0, 0, 0, 0, 0, 0, 0 }
23174 };
23175
23176 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
23177diff -urNp linux-2.6.33.1/drivers/hwmon/w83791d.c linux-2.6.33.1/drivers/hwmon/w83791d.c
23178--- linux-2.6.33.1/drivers/hwmon/w83791d.c 2010-03-15 12:09:39.000000000 -0400
23179+++ linux-2.6.33.1/drivers/hwmon/w83791d.c 2010-03-20 16:58:39.796811468 -0400
23180@@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
23181 struct i2c_board_info *info);
23182 static int w83791d_remove(struct i2c_client *client);
23183
23184-static int w83791d_read(struct i2c_client *client, u8 register);
23185-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
23186+static int w83791d_read(struct i2c_client *client, u8 reg);
23187+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
23188 static struct w83791d_data *w83791d_update_device(struct device *dev);
23189
23190 #ifdef DEBUG
23191diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c
23192--- linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c 2010-03-15 12:09:39.000000000 -0400
23193+++ linux-2.6.33.1/drivers/i2c/busses/i2c-i801.c 2010-03-20 16:58:39.804825087 -0400
23194@@ -578,7 +578,7 @@ static struct pci_device_id i801_ids[] =
23195 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_4) },
23196 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
23197 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
23198- { 0, }
23199+ { 0, 0, 0, 0, 0, 0, 0 }
23200 };
23201
23202 MODULE_DEVICE_TABLE (pci, i801_ids);
23203diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c
23204--- linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c 2010-03-15 12:09:39.000000000 -0400
23205+++ linux-2.6.33.1/drivers/i2c/busses/i2c-piix4.c 2010-03-20 16:58:39.821741415 -0400
23206@@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
23207 .ident = "IBM",
23208 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
23209 },
23210- { },
ae4e228f 23211+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23212 };
23213
23214 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
ae4e228f 23215@@ -491,7 +491,7 @@ static struct pci_device_id piix4_ids[]
23216 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
23217 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
23218 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
23219- { 0, }
23220+ { 0, 0, 0, 0, 0, 0, 0 }
23221 };
23222
23223 MODULE_DEVICE_TABLE (pci, piix4_ids);
23224diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c
23225--- linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c 2010-03-15 12:09:39.000000000 -0400
23226+++ linux-2.6.33.1/drivers/i2c/busses/i2c-sis630.c 2010-03-20 16:58:39.832567311 -0400
23227@@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
23228 static struct pci_device_id sis630_ids[] __devinitdata = {
23229 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
23230 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
23231- { 0, }
23232+ { 0, 0, 0, 0, 0, 0, 0 }
23233 };
23234
23235 MODULE_DEVICE_TABLE (pci, sis630_ids);
23236diff -urNp linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c
23237--- linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c 2010-03-15 12:09:39.000000000 -0400
23238+++ linux-2.6.33.1/drivers/i2c/busses/i2c-sis96x.c 2010-03-20 16:58:39.832567311 -0400
23239@@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
23240
23241 static struct pci_device_id sis96x_ids[] = {
23242 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
23243- { 0, }
23244+ { 0, 0, 0, 0, 0, 0, 0 }
23245 };
23246
23247 MODULE_DEVICE_TABLE (pci, sis96x_ids);
23248diff -urNp linux-2.6.33.1/drivers/ide/ide-cd.c linux-2.6.33.1/drivers/ide/ide-cd.c
23249--- linux-2.6.33.1/drivers/ide/ide-cd.c 2010-03-15 12:09:39.000000000 -0400
23250+++ linux-2.6.33.1/drivers/ide/ide-cd.c 2010-03-20 16:58:39.844814079 -0400
23251@@ -766,7 +766,7 @@ static void cdrom_do_block_pc(ide_drive_
23252 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
23253 if ((unsigned long)buf & alignment
23254 || blk_rq_bytes(rq) & q->dma_pad_mask
23255- || object_is_on_stack(buf))
23256+ || object_starts_on_stack(buf))
23257 drive->dma = 0;
23258 }
23259 }
23260diff -urNp linux-2.6.33.1/drivers/ieee1394/dv1394.c linux-2.6.33.1/drivers/ieee1394/dv1394.c
23261--- linux-2.6.33.1/drivers/ieee1394/dv1394.c 2010-03-15 12:09:39.000000000 -0400
23262+++ linux-2.6.33.1/drivers/ieee1394/dv1394.c 2010-03-20 16:58:39.856823569 -0400
23263@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
23264 based upon DIF section and sequence
23265 */
23266
23267-static void inline
23268+static inline void
23269 frame_put_packet (struct frame *f, struct packet *p)
23270 {
23271 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
23272@@ -2178,7 +2178,7 @@ static const struct ieee1394_device_id d
23273 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
23274 .version = AVC_SW_VERSION_ENTRY & 0xffffff
23275 },
23276- { }
23277+ { 0, 0, 0, 0, 0, 0 }
23278 };
23279
23280 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
23281diff -urNp linux-2.6.33.1/drivers/ieee1394/eth1394.c linux-2.6.33.1/drivers/ieee1394/eth1394.c
23282--- linux-2.6.33.1/drivers/ieee1394/eth1394.c 2010-03-15 12:09:39.000000000 -0400
23283+++ linux-2.6.33.1/drivers/ieee1394/eth1394.c 2010-03-20 16:58:39.865827641 -0400
23284@@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
23285 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
23286 .version = ETHER1394_GASP_VERSION,
23287 },
23288- {}
23289+ { 0, 0, 0, 0, 0, 0 }
23290 };
23291
23292 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
23293diff -urNp linux-2.6.33.1/drivers/ieee1394/hosts.c linux-2.6.33.1/drivers/ieee1394/hosts.c
23294--- linux-2.6.33.1/drivers/ieee1394/hosts.c 2010-03-15 12:09:39.000000000 -0400
23295+++ linux-2.6.33.1/drivers/ieee1394/hosts.c 2010-03-20 16:58:39.865827641 -0400
23296@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
23297 }
23298
23299 static struct hpsb_host_driver dummy_driver = {
23300+ .name = "dummy",
23301 .transmit_packet = dummy_transmit_packet,
23302 .devctl = dummy_devctl,
23303 .isoctl = dummy_isoctl
23304diff -urNp linux-2.6.33.1/drivers/ieee1394/ohci1394.c linux-2.6.33.1/drivers/ieee1394/ohci1394.c
23305--- linux-2.6.33.1/drivers/ieee1394/ohci1394.c 2010-03-15 12:09:39.000000000 -0400
23306+++ linux-2.6.33.1/drivers/ieee1394/ohci1394.c 2010-03-20 16:58:39.873869022 -0400
23307@@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
23308 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
23309
23310 /* Module Parameters */
23311-static int phys_dma = 1;
23312+static int phys_dma;
23313 module_param(phys_dma, int, 0444);
23314-MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
23315+MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
23316
23317 static void dma_trm_tasklet(unsigned long data);
23318 static void dma_trm_reset(struct dma_trm_ctx *d);
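Review bot: The default of `phys_dma` changes from 1 to 0 with no comment explaining the reason, and only the MODULE_PARM_DESC string records the new value. Physical DMA lets other nodes on the bus address host memory without driver involvement, which is presumably why it becomes opt-in here; a comment above the declaration, `/* off by default: physical DMA exposes host memory to bus peers */`, would keep that rationale next to the code. Since the parameter is registered with mode 0444, it is also worth saying in that comment that it can only be chosen at load time.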
ae4e228f 23319@@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
23320 .subvendor = PCI_ANY_ID,
23321 .subdevice = PCI_ANY_ID,
23322 },
23323- { 0, },
23324+ { 0, 0, 0, 0, 0, 0, 0 },
23325 };
23326
23327 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
23328diff -urNp linux-2.6.33.1/drivers/ieee1394/raw1394.c linux-2.6.33.1/drivers/ieee1394/raw1394.c
23329--- linux-2.6.33.1/drivers/ieee1394/raw1394.c 2010-03-15 12:09:39.000000000 -0400
23330+++ linux-2.6.33.1/drivers/ieee1394/raw1394.c 2010-03-20 16:58:39.873869022 -0400
23331@@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
23332 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
23333 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
23334 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
23335- {}
23336+ { 0, 0, 0, 0, 0, 0 }
23337 };
23338
23339 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
23340diff -urNp linux-2.6.33.1/drivers/ieee1394/sbp2.c linux-2.6.33.1/drivers/ieee1394/sbp2.c
23341--- linux-2.6.33.1/drivers/ieee1394/sbp2.c 2010-03-15 12:09:39.000000000 -0400
23342+++ linux-2.6.33.1/drivers/ieee1394/sbp2.c 2010-03-20 16:58:39.877823938 -0400
23343@@ -290,7 +290,7 @@ static const struct ieee1394_device_id s
23344 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
23345 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
23346 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
23347- {}
23348+ { 0, 0, 0, 0, 0, 0 }
23349 };
23350 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
23351
ae4e228f 23352@@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
23353 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
23354 MODULE_LICENSE("GPL");
23355
23356-static int sbp2_module_init(void)
23357+static int __init sbp2_module_init(void)
23358 {
23359 int ret;
23360
23361diff -urNp linux-2.6.33.1/drivers/ieee1394/video1394.c linux-2.6.33.1/drivers/ieee1394/video1394.c
23362--- linux-2.6.33.1/drivers/ieee1394/video1394.c 2010-03-15 12:09:39.000000000 -0400
23363+++ linux-2.6.33.1/drivers/ieee1394/video1394.c 2010-03-20 16:58:39.877823938 -0400
23364@@ -1311,7 +1311,7 @@ static const struct ieee1394_device_id v
23365 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
23366 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
23367 },
23368- { }
23369+ { 0, 0, 0, 0, 0, 0 }
23370 };
23371
23372 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
23373diff -urNp linux-2.6.33.1/drivers/infiniband/core/cm.c linux-2.6.33.1/drivers/infiniband/core/cm.c
23374--- linux-2.6.33.1/drivers/infiniband/core/cm.c 2010-03-15 12:09:39.000000000 -0400
23375+++ linux-2.6.33.1/drivers/infiniband/core/cm.c 2010-03-20 16:58:39.905667556 -0400
23376@@ -112,7 +112,7 @@ static char const counter_group_names[CM
23377
23378 struct cm_counter_group {
23379 struct kobject obj;
23380- atomic_long_t counter[CM_ATTR_COUNT];
23381+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
23382 };
23383
23384 struct cm_counter_attribute {
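Review bot: The switch of `counter[CM_ATTR_COUNT]` to `atomic_long_unchecked_t` is undocumented, so nothing in the struct tells a later reader why these counters are exempt from the checked atomic operations. The visible uses (increments in the message handlers and the `%ld` read in cm_show_counter()) look like plain statistics, which would justify it; a field comment such as `/* statistics only, may wrap; never used as a reference count */` would make that explicit. The same comment covers the `_unchecked` call sites in the later hunks of this file.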
23385@@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
23386 struct ib_mad_send_buf *msg = NULL;
23387 int ret;
23388
23389- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23390+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23391 counter[CM_REQ_COUNTER]);
23392
23393 /* Quick state check to discard duplicate REQs. */
23394@@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
23395 if (!cm_id_priv)
23396 return;
58c5fc13 23397
23398- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23399+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23400 counter[CM_REP_COUNTER]);
23401 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
23402 if (ret)
23403@@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
23404 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
23405 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
23406 spin_unlock_irq(&cm_id_priv->lock);
23407- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23408+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23409 counter[CM_RTU_COUNTER]);
23410 goto out;
23411 }
23412@@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
23413 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
23414 dreq_msg->local_comm_id);
23415 if (!cm_id_priv) {
23416- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23417+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23418 counter[CM_DREQ_COUNTER]);
23419 cm_issue_drep(work->port, work->mad_recv_wc);
23420 return -EINVAL;
23421@@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
23422 case IB_CM_MRA_REP_RCVD:
23423 break;
23424 case IB_CM_TIMEWAIT:
23425- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23426+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23427 counter[CM_DREQ_COUNTER]);
23428 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23429 goto unlock;
23430@@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
23431 cm_free_msg(msg);
23432 goto deref;
23433 case IB_CM_DREQ_RCVD:
23434- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23435+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23436 counter[CM_DREQ_COUNTER]);
23437 goto unlock;
23438 default:
23439@@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
23440 ib_modify_mad(cm_id_priv->av.port->mad_agent,
23441 cm_id_priv->msg, timeout)) {
23442 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
23443- atomic_long_inc(&work->port->
23444+ atomic_long_inc_unchecked(&work->port->
23445 counter_group[CM_RECV_DUPLICATES].
23446 counter[CM_MRA_COUNTER]);
23447 goto out;
23448@@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
23449 break;
23450 case IB_CM_MRA_REQ_RCVD:
23451 case IB_CM_MRA_REP_RCVD:
23452- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23453+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23454 counter[CM_MRA_COUNTER]);
23455 /* fall through */
23456 default:
23457@@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
23458 case IB_CM_LAP_IDLE:
23459 break;
23460 case IB_CM_MRA_LAP_SENT:
23461- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23462+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23463 counter[CM_LAP_COUNTER]);
23464 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
23465 goto unlock;
23466@@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
23467 cm_free_msg(msg);
23468 goto deref;
23469 case IB_CM_LAP_RCVD:
23470- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23471+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23472 counter[CM_LAP_COUNTER]);
23473 goto unlock;
23474 default:
23475@@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
23476 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
23477 if (cur_cm_id_priv) {
23478 spin_unlock_irq(&cm.lock);
23479- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
23480+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
23481 counter[CM_SIDR_REQ_COUNTER]);
23482 goto out; /* Duplicate message. */
23483 }
23484@@ -3183,10 +3183,10 @@ static void cm_send_handler(struct ib_ma
23485 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
23486 msg->retries = 1;
23487
23488- atomic_long_add(1 + msg->retries,
23489+ atomic_long_add_unchecked(1 + msg->retries,
23490 &port->counter_group[CM_XMIT].counter[attr_index]);
23491 if (msg->retries)
23492- atomic_long_add(msg->retries,
23493+ atomic_long_add_unchecked(msg->retries,
23494 &port->counter_group[CM_XMIT_RETRIES].
23495 counter[attr_index]);
23496
23497@@ -3396,7 +3396,7 @@ static void cm_recv_handler(struct ib_ma
23498 }
23499
23500 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
23501- atomic_long_inc(&port->counter_group[CM_RECV].
23502+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
23503 counter[attr_id - CM_ATTR_ID_OFFSET]);
23504
23505 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
23506@@ -3594,10 +3594,10 @@ static ssize_t cm_show_counter(struct ko
23507 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
23508
23509 return sprintf(buf, "%ld\n",
23510- atomic_long_read(&group->counter[cm_attr->index]));
23511+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
23512 }
23513
23514-static struct sysfs_ops cm_counter_ops = {
23515+static const struct sysfs_ops cm_counter_ops = {
23516 .show = cm_show_counter
23517 };
23518
23519diff -urNp linux-2.6.33.1/drivers/infiniband/core/sysfs.c linux-2.6.33.1/drivers/infiniband/core/sysfs.c
23520--- linux-2.6.33.1/drivers/infiniband/core/sysfs.c 2010-03-15 12:09:39.000000000 -0400
23521+++ linux-2.6.33.1/drivers/infiniband/core/sysfs.c 2010-03-20 16:58:39.912829502 -0400
23522@@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
23523 return port_attr->show(p, port_attr, buf);
23524 }
23525
23526-static struct sysfs_ops port_sysfs_ops = {
23527+static const struct sysfs_ops port_sysfs_ops = {
23528 .show = port_attr_show
58c5fc13 23529 };
23530
23531diff -urNp linux-2.6.33.1/drivers/input/keyboard/atkbd.c linux-2.6.33.1/drivers/input/keyboard/atkbd.c
23532--- linux-2.6.33.1/drivers/input/keyboard/atkbd.c 2010-03-15 12:09:39.000000000 -0400
23533+++ linux-2.6.33.1/drivers/input/keyboard/atkbd.c 2010-03-20 16:58:39.929160943 -0400
23534@@ -1229,7 +1229,7 @@ static struct serio_device_id atkbd_seri
23535 .id = SERIO_ANY,
23536 .extra = SERIO_ANY,
23537 },
23538- { 0 }
23539+ { 0, 0, 0, 0 }
23540 };
23541
23542 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
23543diff -urNp linux-2.6.33.1/drivers/input/mouse/lifebook.c linux-2.6.33.1/drivers/input/mouse/lifebook.c
23544--- linux-2.6.33.1/drivers/input/mouse/lifebook.c 2010-03-15 12:09:39.000000000 -0400
23545+++ linux-2.6.33.1/drivers/input/mouse/lifebook.c 2010-03-20 16:58:39.929160943 -0400
23546@@ -122,7 +122,7 @@ static const struct dmi_system_id __init
23547 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
23548 },
23549 },
23550- { }
23551+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
23552 };
23553
23554 void __init lifebook_module_init(void)
23555diff -urNp linux-2.6.33.1/drivers/input/mouse/psmouse-base.c linux-2.6.33.1/drivers/input/mouse/psmouse-base.c
23556--- linux-2.6.33.1/drivers/input/mouse/psmouse-base.c 2010-03-15 12:09:39.000000000 -0400
23557+++ linux-2.6.33.1/drivers/input/mouse/psmouse-base.c 2010-03-20 16:58:39.936833108 -0400
23558@@ -1442,7 +1442,7 @@ static struct serio_device_id psmouse_se
23559 .id = SERIO_ANY,
23560 .extra = SERIO_ANY,
23561 },
23562- { 0 }
23563+ { 0, 0, 0, 0 }
23564 };
23565
23566 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
23567diff -urNp linux-2.6.33.1/drivers/input/mouse/synaptics.c linux-2.6.33.1/drivers/input/mouse/synaptics.c
23568--- linux-2.6.33.1/drivers/input/mouse/synaptics.c 2010-03-15 12:09:39.000000000 -0400
23569+++ linux-2.6.33.1/drivers/input/mouse/synaptics.c 2010-03-20 16:58:39.944836883 -0400
23570@@ -438,7 +438,7 @@ static void synaptics_process_packet(str
23571 break;
23572 case 2:
23573 if (SYN_MODEL_PEN(priv->model_id))
23574- ; /* Nothing, treat a pen as a single finger */
23575+ break; /* Nothing, treat a pen as a single finger */
23576 break;
23577 case 4 ... 15:
23578 if (SYN_CAP_PALMDETECT(priv->capabilities))
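Review bot: After this change both arms of `case 2:` end in `break`, so the `if (SYN_MODEL_PEN(priv->model_id))` test no longer selects anything. If the aim was to get rid of the empty statement, the conditional can go as well, leaving `/* a pen is treated as a single finger, nothing to do */` followed by the single `break;`. That assumes SYN_MODEL_PEN() has no side effects, which cannot be confirmed from the hunk. The switch continues outside the hunk.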
23579@@ -654,7 +654,6 @@ static const struct dmi_system_id __init
23580 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
23581 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
23582 },
23583-
23584 },
23585 {
23586 /* Toshiba Portege M300 */
23587@@ -663,9 +662,8 @@ static const struct dmi_system_id __init
23588 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
23589 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
23590 },
23591-
23592 },
23593- { }
23594+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
58c5fc13 23595 #endif
ae4e228f 23596 };
58c5fc13 23597
23598diff -urNp linux-2.6.33.1/drivers/input/mousedev.c linux-2.6.33.1/drivers/input/mousedev.c
23599--- linux-2.6.33.1/drivers/input/mousedev.c 2010-03-15 12:09:39.000000000 -0400
23600+++ linux-2.6.33.1/drivers/input/mousedev.c 2010-03-20 16:58:39.952834604 -0400
23601@@ -760,7 +760,7 @@ static ssize_t mousedev_read(struct file
23602
23603 spin_unlock_irq(&client->packet_lock);
23604
23605- if (copy_to_user(buffer, data, count))
23606+ if (count > sizeof(data) || copy_to_user(buffer, data, count))
23607 return -EFAULT;
23608
23609 return count;
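Review bot: The `count > sizeof(data)` test is placed at the copy_to_user() call, after the packet lock has been released; if `data` is filled earlier in mousedev_read() with the same `count` (that code is outside the hunk), an oversized count would already have written past the buffer before this check runs. The bound belongs before the buffer is filled, for example by clamping `count` to `sizeof(data)` at that point. The test also only works if `data` is an array rather than a pointer, which the hunk does not show. mousedev_read() starts and ends outside the hunk.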
23610@@ -1057,7 +1057,7 @@ static struct input_handler mousedev_han
23611
23612 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
23613 static struct miscdevice psaux_mouse = {
23614- PSMOUSE_MINOR, "psaux", &mousedev_fops
23615+ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
23616 };
23617 static int psaux_registered;
23618 #endif
23619diff -urNp linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h
23620--- linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h 2010-03-15 12:09:39.000000000 -0400
23621+++ linux-2.6.33.1/drivers/input/serio/i8042-x86ia64io.h 2010-03-20 16:58:39.964826079 -0400
23622@@ -172,7 +172,7 @@ static const struct dmi_system_id __init
23623 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
23624 },
23625 },
23626- { }
23627+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23628 };
23629
23630 /*
ae4e228f 23631@@ -402,7 +402,7 @@ static const struct dmi_system_id __init
23632 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
23633 },
23634 },
23635- { }
23636+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23637 };
23638
23639 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
23640@@ -469,7 +469,7 @@ static const struct dmi_system_id __init
23641 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
23642 },
23643 },
23644- { }
23645+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23646 };
23647
23648 #ifdef CONFIG_PNP
ae4e228f 23649@@ -488,7 +488,7 @@ static const struct dmi_system_id __init
23650 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
23651 },
23652 },
23653- { }
23654+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23655 };
23656
23657 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
23658@@ -512,7 +512,7 @@ static const struct dmi_system_id __init
23659 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
23660 },
23661 },
23662- { }
23663+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23664 };
23665 #endif
23666
ae4e228f 23667@@ -586,7 +586,7 @@ static const struct dmi_system_id __init
23668 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
23669 },
23670 },
23671- { }
23672+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
23673 };
23674
23675 #endif /* CONFIG_X86 */
23676diff -urNp linux-2.6.33.1/drivers/input/serio/serio_raw.c linux-2.6.33.1/drivers/input/serio/serio_raw.c
23677--- linux-2.6.33.1/drivers/input/serio/serio_raw.c 2010-03-15 12:09:39.000000000 -0400
23678+++ linux-2.6.33.1/drivers/input/serio/serio_raw.c 2010-03-20 16:58:39.964826079 -0400
23679@@ -377,7 +377,7 @@ static struct serio_device_id serio_raw_
23680 .id = SERIO_ANY,
23681 .extra = SERIO_ANY,
23682 },
23683- { 0 }
23684+ { 0, 0, 0, 0 }
23685 };
23686
23687 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
23688diff -urNp linux-2.6.33.1/drivers/isdn/gigaset/common.c linux-2.6.33.1/drivers/isdn/gigaset/common.c
23689--- linux-2.6.33.1/drivers/isdn/gigaset/common.c 2010-03-15 12:09:39.000000000 -0400
23690+++ linux-2.6.33.1/drivers/isdn/gigaset/common.c 2010-03-20 16:58:39.984838298 -0400
23691@@ -732,7 +732,7 @@ struct cardstate *gigaset_initcs(struct
23692 cs->commands_pending = 0;
23693 cs->cur_at_seq = 0;
23694 cs->gotfwver = -1;
23695- cs->open_count = 0;
23696+ atomic_set(&cs->open_count, 0);
23697 cs->dev = NULL;
23698 cs->tty = NULL;
23699 cs->tty_dev = NULL;
23700diff -urNp linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h
23701--- linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h 2010-03-15 12:09:39.000000000 -0400
23702+++ linux-2.6.33.1/drivers/isdn/gigaset/gigaset.h 2010-03-20 16:58:39.988819691 -0400
23703@@ -440,7 +440,7 @@ struct cardstate {
23704 spinlock_t cmdlock;
23705 unsigned curlen, cmdbytes;
23706
23707- unsigned open_count;
23708+ atomic_t open_count;
23709 struct tty_struct *tty;
23710 struct tasklet_struct if_wake_tasklet;
23711 unsigned control_state;
23712diff -urNp linux-2.6.33.1/drivers/isdn/gigaset/interface.c linux-2.6.33.1/drivers/isdn/gigaset/interface.c
23713--- linux-2.6.33.1/drivers/isdn/gigaset/interface.c 2010-03-15 12:09:39.000000000 -0400
23714+++ linux-2.6.33.1/drivers/isdn/gigaset/interface.c 2010-03-20 16:58:39.996850965 -0400
58c5fc13 23715@@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
ae4e228f 23716 return -ERESTARTSYS;
23717 tty->driver_data = cs;
23718
23719- ++cs->open_count;
23720-
23721- if (cs->open_count == 1) {
23722+ if (atomic_inc_return(&cs->open_count) == 1) {
23723 spin_lock_irqsave(&cs->lock, flags);
23724 cs->tty = tty;
23725 spin_unlock_irqrestore(&cs->lock, flags);
23726@@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
23727
23728 if (!cs->connected)
23729 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23730- else if (!cs->open_count)
23731+ else if (!atomic_read(&cs->open_count))
23732 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23733 else {
23734- if (!--cs->open_count) {
23735+ if (!atomic_dec_return(&cs->open_count)) {
23736 spin_lock_irqsave(&cs->lock, flags);
23737 cs->tty = NULL;
23738 spin_unlock_irqrestore(&cs->lock, flags);
23739@@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
23740 if (!cs->connected) {
23741 gig_dbg(DEBUG_IF, "not connected");
23742 retval = -ENODEV;
23743- } else if (!cs->open_count)
23744+ } else if (!atomic_read(&cs->open_count))
23745 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23746 else {
23747 retval = 0;
ae4e228f 23748@@ -360,7 +358,7 @@ static int if_write(struct tty_struct *t
58c5fc13
MT
23749 if (!cs->connected) {
23750 gig_dbg(DEBUG_IF, "not connected");
23751 retval = -ENODEV;
23752- } else if (!cs->open_count)
23753+ } else if (!atomic_read(&cs->open_count))
23754 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23755 else if (cs->mstate != MS_LOCKED) {
23756 dev_warn(cs->dev, "can't write to unlocked device\n");
ae4e228f 23757@@ -394,7 +392,7 @@ static int if_write_room(struct tty_stru
58c5fc13
MT
23758 if (!cs->connected) {
23759 gig_dbg(DEBUG_IF, "not connected");
23760 retval = -ENODEV;
23761- } else if (!cs->open_count)
23762+ } else if (!atomic_read(&cs->open_count))
23763 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23764 else if (cs->mstate != MS_LOCKED) {
23765 dev_warn(cs->dev, "can't write to unlocked device\n");
ae4e228f
MT
23766@@ -424,7 +422,7 @@ static int if_chars_in_buffer(struct tty
23767
23768 if (!cs->connected)
58c5fc13 23769 gig_dbg(DEBUG_IF, "not connected");
ae4e228f
MT
23770- else if (!cs->open_count)
23771+ else if (!atomic_read(&cs->open_count))
58c5fc13 23772 dev_warn(cs->dev, "%s: device not opened\n", __func__);
ae4e228f 23773 else if (cs->mstate != MS_LOCKED)
58c5fc13 23774 dev_warn(cs->dev, "can't write to unlocked device\n");
ae4e228f 23775@@ -452,7 +450,7 @@ static void if_throttle(struct tty_struc
58c5fc13
MT
23776
23777 if (!cs->connected)
23778 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23779- else if (!cs->open_count)
23780+ else if (!atomic_read(&cs->open_count))
23781 dev_warn(cs->dev, "%s: device not opened\n", __func__);
ae4e228f
MT
23782 else
23783 gig_dbg(DEBUG_ANY, "%s: not implemented\n", __func__);
23784@@ -476,7 +474,7 @@ static void if_unthrottle(struct tty_str
58c5fc13
MT
23785
23786 if (!cs->connected)
23787 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
23788- else if (!cs->open_count)
23789+ else if (!atomic_read(&cs->open_count))
23790 dev_warn(cs->dev, "%s: device not opened\n", __func__);
ae4e228f
MT
23791 else
23792 gig_dbg(DEBUG_ANY, "%s: not implemented\n", __func__);
23793@@ -507,7 +505,7 @@ static void if_set_termios(struct tty_st
58c5fc13
MT
23794 goto out;
23795 }
23796
23797- if (!cs->open_count) {
23798+ if (!atomic_read(&cs->open_count)) {
23799 dev_warn(cs->dev, "%s: device not opened\n", __func__);
23800 goto out;
23801 }
ae4e228f
MT
23802diff -urNp linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c
23803--- linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c 2010-03-15 12:09:39.000000000 -0400
23804+++ linux-2.6.33.1/drivers/isdn/hardware/avm/b1.c 2010-03-20 16:58:40.004515803 -0400
23805@@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
23806 }
23807 if (left) {
23808 if (t4file->user) {
23809- if (copy_from_user(buf, dp, left))
23810+ if (left > sizeof(buf) || copy_from_user(buf, dp, left))
23811 return -EFAULT;
23812 } else {
23813 memcpy(buf, dp, left);
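Review bot: The new `left > sizeof(buf)` bound guards only the `copy_from_user` branch, while `memcpy(buf, dp, left)` in the else branch copies the same length into the same buffer unchecked. Hoisting the test above the user/kernel split covers both paths with one check: `if (left > sizeof(buf)) return -EINVAL;` placed before `if (t4file->user)`, which also reports a bad length more accurately than -EFAULT. The same one-sided check appears in b1_load_config in this file and in icn_writecmd in drivers/isdn/icn/icn.c (`count > sizeof(msg)`). The code that derives `left` is outside the hunk, so the bound may already hold in practice.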
23814@@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
23815 }
23816 if (left) {
23817 if (config->user) {
23818- if (copy_from_user(buf, dp, left))
23819+ if (left > sizeof(buf) || copy_from_user(buf, dp, left))
23820 return -EFAULT;
23821 } else {
23822 memcpy(buf, dp, left);
23823diff -urNp linux-2.6.33.1/drivers/isdn/icn/icn.c linux-2.6.33.1/drivers/isdn/icn/icn.c
23824--- linux-2.6.33.1/drivers/isdn/icn/icn.c 2010-03-15 12:09:39.000000000 -0400
23825+++ linux-2.6.33.1/drivers/isdn/icn/icn.c 2010-03-20 16:58:40.012833882 -0400
23826@@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
23827 if (count > len)
23828 count = len;
23829 if (user) {
23830- if (copy_from_user(msg, buf, count))
23831+ if (count > sizeof(msg) || copy_from_user(msg, buf, count))
23832 return -EFAULT;
23833 } else
23834 memcpy(msg, buf, count);
23835diff -urNp linux-2.6.33.1/drivers/lguest/core.c linux-2.6.33.1/drivers/lguest/core.c
23836--- linux-2.6.33.1/drivers/lguest/core.c 2010-03-15 12:09:39.000000000 -0400
23837+++ linux-2.6.33.1/drivers/lguest/core.c 2010-03-20 16:58:40.012833882 -0400
23838@@ -91,9 +91,17 @@ static __init int map_switcher(void)
58c5fc13
MT
23839 * it's worked so far. The end address needs +1 because __get_vm_area
23840 * allocates an extra guard page, so we need space for that.
23841 */
23842+
23843+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23844+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23845+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
23846+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23847+#else
23848 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
23849 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
23850 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
23851+#endif
23852+
23853 if (!switcher_vma) {
23854 err = -ENOMEM;
23855 printk("lguest: could not map switcher pages high\n");
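Review bot: The `#if`/`#else` arms duplicate the whole three-line `__get_vm_area()` call and differ only in the `VM_KERNEXEC` flag, so a later change to the size or address arguments has to be made twice and can silently drift between the two configurations. A single call with a flags variable keeps the security-relevant difference in one place: declare `unsigned long vm_flags = VM_ALLOC;`, put only `vm_flags |= VM_KERNEXEC;` inside the `#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` block, and pass `vm_flags` to the one remaining call. map_switcher's body starts and ends outside the hunk.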
ae4e228f
MT
23856diff -urNp linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c
23857--- linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c 2010-03-15 12:09:39.000000000 -0400
23858+++ linux-2.6.33.1/drivers/macintosh/via-pmu-backlight.c 2010-03-20 16:58:40.016740354 -0400
23859@@ -15,7 +15,7 @@
23860
23861 #define MAX_PMU_LEVEL 0xFF
23862
23863-static struct backlight_ops pmu_backlight_data;
23864+static const struct backlight_ops pmu_backlight_data;
23865 static DEFINE_SPINLOCK(pmu_backlight_lock);
23866 static int sleeping, uses_pmu_bl;
23867 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
23868@@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
23869 return bd->props.brightness;
23870 }
23871
23872-static struct backlight_ops pmu_backlight_data = {
23873+static const struct backlight_ops pmu_backlight_data = {
23874 .get_brightness = pmu_backlight_get_brightness,
23875 .update_status = pmu_backlight_update_status,
23876
23877diff -urNp linux-2.6.33.1/drivers/macintosh/via-pmu.c linux-2.6.33.1/drivers/macintosh/via-pmu.c
23878--- linux-2.6.33.1/drivers/macintosh/via-pmu.c 2010-03-15 12:09:39.000000000 -0400
23879+++ linux-2.6.33.1/drivers/macintosh/via-pmu.c 2010-03-20 16:58:40.028838991 -0400
23880@@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
23881 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
23882 }
23883
23884-static struct platform_suspend_ops pmu_pm_ops = {
23885+static const struct platform_suspend_ops pmu_pm_ops = {
23886 .enter = powerbook_sleep,
23887 .valid = pmu_sleep_valid,
23888 };
23889diff -urNp linux-2.6.33.1/drivers/md/bitmap.c linux-2.6.33.1/drivers/md/bitmap.c
23890--- linux-2.6.33.1/drivers/md/bitmap.c 2010-03-15 12:09:39.000000000 -0400
23891+++ linux-2.6.33.1/drivers/md/bitmap.c 2010-03-20 16:58:40.032827823 -0400
58c5fc13
MT
23892@@ -58,7 +58,7 @@
23893 # if DEBUG > 0
23894 # define PRINTK(x...) printk(KERN_DEBUG x)
23895 # else
23896-# define PRINTK(x...)
23897+# define PRINTK(x...) do {} while (0)
23898 # endif
23899 #endif
23900
ae4e228f
MT
23901diff -urNp linux-2.6.33.1/drivers/md/dm-sysfs.c linux-2.6.33.1/drivers/md/dm-sysfs.c
23902--- linux-2.6.33.1/drivers/md/dm-sysfs.c 2010-03-15 12:09:39.000000000 -0400
23903+++ linux-2.6.33.1/drivers/md/dm-sysfs.c 2010-03-20 16:58:40.040842627 -0400
23904@@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
23905 NULL,
23906 };
23907
23908-static struct sysfs_ops dm_sysfs_ops = {
23909+static const struct sysfs_ops dm_sysfs_ops = {
23910 .show = dm_attr_show,
23911 };
23912
23913diff -urNp linux-2.6.33.1/drivers/md/dm-table.c linux-2.6.33.1/drivers/md/dm-table.c
23914--- linux-2.6.33.1/drivers/md/dm-table.c 2010-03-15 12:09:39.000000000 -0400
23915+++ linux-2.6.33.1/drivers/md/dm-table.c 2010-03-20 16:58:40.048835074 -0400
23916@@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
58c5fc13
MT
23917 if (!dev_size)
23918 return 0;
23919
23920- if ((start >= dev_size) || (start + len > dev_size)) {
23921+ if ((start >= dev_size) || (len > dev_size - start)) {
23922 DMWARN("%s: %s too small for target: "
23923 "start=%llu, len=%llu, dev_size=%llu",
23924 dm_device_name(ti->table->md), bdevname(bdev, b),
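Review bot: The rewritten test `(len > dev_size - start)` is only wrap-free because the `start >= dev_size` operand to its left short-circuits first, and nothing in the code says that the order is load-bearing or why the obvious `start + len > dev_size` form was abandoned. A comment above the condition would stop it from being simplified back: `/* compare len against the remaining space; start + len can wrap, and start < dev_size is guaranteed by the first test */`. The enclosing function device_area_is_invalid starts and ends outside the hunk.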
ae4e228f
MT
23925diff -urNp linux-2.6.33.1/drivers/md/md.c linux-2.6.33.1/drivers/md/md.c
23926--- linux-2.6.33.1/drivers/md/md.c 2010-03-15 12:09:39.000000000 -0400
23927+++ linux-2.6.33.1/drivers/md/md.c 2010-03-20 16:58:40.084837077 -0400
23928@@ -2642,7 +2642,7 @@ static void rdev_free(struct kobject *ko
23929 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
23930 kfree(rdev);
23931 }
23932-static struct sysfs_ops rdev_sysfs_ops = {
23933+static const struct sysfs_ops rdev_sysfs_ops = {
23934 .show = rdev_attr_show,
23935 .store = rdev_attr_store,
23936 };
23937@@ -4059,7 +4059,7 @@ static void md_free(struct kobject *ko)
23938 kfree(mddev);
23939 }
23940
23941-static struct sysfs_ops md_sysfs_ops = {
23942+static const struct sysfs_ops md_sysfs_ops = {
23943 .show = md_attr_show,
23944 .store = md_attr_store,
23945 };
23946@@ -6187,7 +6187,7 @@ static int md_seq_show(struct seq_file *
58c5fc13
MT
23947 chunk_kb ? "KB" : "B");
23948 if (bitmap->file) {
23949 seq_printf(seq, ", file: ");
23950- seq_path(seq, &bitmap->file->f_path, " \t\n");
23951+ seq_path(seq, &bitmap->file->f_path, " \t\n\\");
23952 }
23953
23954 seq_printf(seq, "\n");
ae4e228f 23955@@ -6281,7 +6281,7 @@ static int is_mddev_idle(mddev_t *mddev,
58c5fc13
MT
23956 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
23957 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
23958 (int)part_stat_read(&disk->part0, sectors[1]) -
23959- atomic_read(&disk->sync_io);
23960+ atomic_read_unchecked(&disk->sync_io);
23961 /* sync IO will cause sync_io to increase before the disk_stats
23962 * as sync_io is counted when a request starts, and
23963 * disk_stats is counted when it completes.
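Review bot: Reading `sync_io` through `atomic_read_unchecked` opts this counter out of the overflow detection the checked atomic operations presumably provide elsewhere in this patch, and the call site does not say why that is acceptable. The existing comment describes sync_io as request accounting, which suggests wraparound is harmless here, but the reasoning should be written down next to the read: `/* sync_io is an I/O statistic, not a reference count; wrap is tolerated, hence _unchecked */`. The matching writer, md_sync_acct in drivers/md/md.h, is converted to `atomic_add_unchecked` in the same way and deserves the same comment. is_mddev_idle's body continues outside the hunk.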
ae4e228f
MT
23964diff -urNp linux-2.6.33.1/drivers/md/md.h linux-2.6.33.1/drivers/md/md.h
23965--- linux-2.6.33.1/drivers/md/md.h 2010-03-15 12:09:39.000000000 -0400
23966+++ linux-2.6.33.1/drivers/md/md.h 2010-03-20 16:58:40.084837077 -0400
23967@@ -327,7 +327,7 @@ static inline void rdev_dec_pending(mdk_
58c5fc13
MT
23968
23969 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
23970 {
23971- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23972+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
23973 }
23974
23975 struct mdk_personality
ae4e228f
MT
23976diff -urNp linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c
23977--- linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c 2010-03-15 12:09:39.000000000 -0400
23978+++ linux-2.6.33.1/drivers/media/dvb/dvb-core/dvbdev.c 2010-03-20 16:58:40.088543139 -0400
23979@@ -191,6 +191,7 @@ int dvb_register_device(struct dvb_adapt
23980 const struct dvb_device *template, void *priv, int type)
23981 {
23982 struct dvb_device *dvbdev;
23983+ /* cannot be const */
23984 struct file_operations *dvbdevfops;
23985 struct device *clsdev;
23986 int minor;
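Review bot: The added `/* cannot be const */` tells a reader that the pointer was left mutable on purpose but not why, which is the part the next person constifying this file needs. If, as seems likely, the structure is a per-device copy that is written after being filled from the template, say so: `/* cannot be const: per-device copy, modified after being copied from the template */`; the code that does this is outside the hunk, so the wording should be checked against it. The same bare comment is added above `struct e1000_mac_operations *func = &mac->ops;` in drivers/net/e1000e/82571.c and drivers/net/e1000e/es2lan.c, where the reason is presumably that the init function assigns members through `func`.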
23987diff -urNp linux-2.6.33.1/drivers/media/radio/radio-cadet.c linux-2.6.33.1/drivers/media/radio/radio-cadet.c
23988--- linux-2.6.33.1/drivers/media/radio/radio-cadet.c 2010-03-15 12:09:39.000000000 -0400
23989+++ linux-2.6.33.1/drivers/media/radio/radio-cadet.c 2010-03-20 16:58:40.096832684 -0400
23990@@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
23991 while (i < count && dev->rdsin != dev->rdsout)
23992 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
23993
23994- if (copy_to_user(data, readbuf, i))
23995+ if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
23996 return -EFAULT;
23997 return i;
58c5fc13 23998 }
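Review bot: The new `i > sizeof(readbuf)` test runs after the loop has already stored into `readbuf[i++]`, so if `i` could ever exceed the buffer the out-of-bounds write would have happened before this check rejects the copy. The bound belongs in the loop condition, where it prevents the write rather than the later read: `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`. The declarations of `readbuf` and of the ring indices are outside the hunk, so the loop may already be limited by the ring size in practice; the point is that the added check does not protect the store.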
ae4e228f
MT
23999diff -urNp linux-2.6.33.1/drivers/message/i2o/i2o_proc.c linux-2.6.33.1/drivers/message/i2o/i2o_proc.c
24000--- linux-2.6.33.1/drivers/message/i2o/i2o_proc.c 2010-03-15 12:09:39.000000000 -0400
24001+++ linux-2.6.33.1/drivers/message/i2o/i2o_proc.c 2010-03-20 16:58:40.104831679 -0400
58c5fc13
MT
24002@@ -259,13 +259,6 @@ static char *scsi_devices[] = {
24003 "Array Controller Device"
24004 };
24005
24006-static char *chtostr(u8 * chars, int n)
24007-{
24008- char tmp[256];
24009- tmp[0] = 0;
24010- return strncat(tmp, (char *)chars, n);
24011-}
24012-
24013 static int i2o_report_query_status(struct seq_file *seq, int block_status,
24014 char *group)
24015 {
24016@@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
24017
24018 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
24019 seq_printf(seq, "%-#8x", ddm_table.module_id);
24020- seq_printf(seq, "%-29s",
24021- chtostr(ddm_table.module_name_version, 28));
24022+ seq_printf(seq, "%-.28s", ddm_table.module_name_version);
24023 seq_printf(seq, "%9d ", ddm_table.data_size);
24024 seq_printf(seq, "%8d", ddm_table.code_size);
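Review bot: Replacing `"%-29s"` with `"%-.28s"` drops the field width, so the module name is no longer padded to 29 columns and the `-` flag has nothing left to act on; the fields that follow will shift with the length of each name. Keeping both width and precision preserves the table layout while still bounding the read of the unterminated field: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The same applies in i2o_seq_show_drivers_stored, where `"%-.28s"` and `"%-.8s"` should be `"%-29.28s"` and `"%-9.8s"`. The precision-bounded format is otherwise a sound replacement for the removed chtostr(), which returned a pointer to its own stack buffer.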
24025
24026@@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
24027
24028 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
24029 seq_printf(seq, "%-#8x", dst->module_id);
24030- seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
24031- seq_printf(seq, "%-9s", chtostr(dst->date, 8));
24032+ seq_printf(seq, "%-.28s", dst->module_name_version);
24033+ seq_printf(seq, "%-.8s", dst->date);
24034 seq_printf(seq, "%8d ", dst->module_size);
24035 seq_printf(seq, "%8d ", dst->mpb_size);
24036 seq_printf(seq, "0x%04x", dst->module_flags);
24037@@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
24038 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
24039 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
24040 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
24041- seq_printf(seq, "Vendor info : %s\n",
24042- chtostr((u8 *) (work32 + 2), 16));
24043- seq_printf(seq, "Product info : %s\n",
24044- chtostr((u8 *) (work32 + 6), 16));
24045- seq_printf(seq, "Description : %s\n",
24046- chtostr((u8 *) (work32 + 10), 16));
24047- seq_printf(seq, "Product rev. : %s\n",
24048- chtostr((u8 *) (work32 + 14), 8));
24049+ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
24050+ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
24051+ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
24052+ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
24053
24054 seq_printf(seq, "Serial number : ");
24055 print_serial_number(seq, (u8 *) (work32 + 16),
24056@@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
24057 }
24058
24059 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
24060- seq_printf(seq, "Module name : %s\n",
24061- chtostr(result.module_name, 24));
24062- seq_printf(seq, "Module revision : %s\n",
24063- chtostr(result.module_rev, 8));
24064+ seq_printf(seq, "Module name : %.24s\n", result.module_name);
24065+ seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
24066
24067 seq_printf(seq, "Serial number : ");
24068 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
24069@@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
24070 return 0;
24071 }
24072
24073- seq_printf(seq, "Device name : %s\n",
24074- chtostr(result.device_name, 64));
24075- seq_printf(seq, "Service name : %s\n",
24076- chtostr(result.service_name, 64));
24077- seq_printf(seq, "Physical name : %s\n",
24078- chtostr(result.physical_location, 64));
24079- seq_printf(seq, "Instance number : %s\n",
24080- chtostr(result.instance_number, 4));
24081+ seq_printf(seq, "Device name : %.64s\n", result.device_name);
24082+ seq_printf(seq, "Service name : %.64s\n", result.service_name);
24083+ seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
24084+ seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
24085
24086 return 0;
24087 }
ae4e228f
MT
24088diff -urNp linux-2.6.33.1/drivers/misc/kgdbts.c linux-2.6.33.1/drivers/misc/kgdbts.c
24089--- linux-2.6.33.1/drivers/misc/kgdbts.c 2010-03-15 12:09:39.000000000 -0400
24090+++ linux-2.6.33.1/drivers/misc/kgdbts.c 2010-03-20 16:58:40.120597489 -0400
24091@@ -118,7 +118,7 @@
24092 } while (0)
24093 #define MAX_CONFIG_LEN 40
24094
24095-static struct kgdb_io kgdbts_io_ops;
24096+static const struct kgdb_io kgdbts_io_ops;
24097 static char get_buf[BUFMAX];
24098 static int get_buf_cnt;
24099 static char put_buf[BUFMAX];
24100@@ -1108,7 +1108,7 @@ static void kgdbts_post_exp_handler(void
24101 module_put(THIS_MODULE);
24102 }
24103
24104-static struct kgdb_io kgdbts_io_ops = {
24105+static const struct kgdb_io kgdbts_io_ops = {
24106 .name = "kgdbts",
24107 .read_char = kgdbts_get_char,
24108 .write_char = kgdbts_put_char,
24109diff -urNp linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c
24110--- linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c 2010-03-15 12:09:39.000000000 -0400
24111+++ linux-2.6.33.1/drivers/misc/sgi-gru/gruhandles.c 2010-03-20 16:58:40.120597489 -0400
24112@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
24113 unsigned long nsec;
24114
24115 nsec = CLKS2NSEC(clks);
24116- atomic_long_inc(&mcs_op_statistics[op].count);
24117- atomic_long_add(nsec, &mcs_op_statistics[op].total);
24118+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
24119+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
24120 if (mcs_op_statistics[op].max < nsec)
24121 mcs_op_statistics[op].max = nsec;
24122 }
24123diff -urNp linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c
24124--- linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c 2010-03-15 12:09:39.000000000 -0400
24125+++ linux-2.6.33.1/drivers/misc/sgi-gru/gruprocfs.c 2010-03-20 16:58:40.120597489 -0400
24126@@ -32,9 +32,9 @@
24127
24128 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
24129
24130-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
24131+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
24132 {
24133- unsigned long val = atomic_long_read(v);
24134+ unsigned long val = atomic_long_read_unchecked(v);
24135
24136 seq_printf(s, "%16lu %s\n", val, id);
24137 }
24138@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
24139
24140 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
24141 for (op = 0; op < mcsop_last; op++) {
24142- count = atomic_long_read(&mcs_op_statistics[op].count);
24143- total = atomic_long_read(&mcs_op_statistics[op].total);
24144+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
24145+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
24146 max = mcs_op_statistics[op].max;
24147 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
24148 count ? total / count : 0, max);
24149diff -urNp linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h
24150--- linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h 2010-03-15 12:09:39.000000000 -0400
24151+++ linux-2.6.33.1/drivers/misc/sgi-gru/grutables.h 2010-03-20 16:58:40.124833908 -0400
24152@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
24153 * GRU statistics.
24154 */
24155 struct gru_stats_s {
24156- atomic_long_t vdata_alloc;
24157- atomic_long_t vdata_free;
24158- atomic_long_t gts_alloc;
24159- atomic_long_t gts_free;
24160- atomic_long_t gms_alloc;
24161- atomic_long_t gms_free;
24162- atomic_long_t gts_double_allocate;
24163- atomic_long_t assign_context;
24164- atomic_long_t assign_context_failed;
24165- atomic_long_t free_context;
24166- atomic_long_t load_user_context;
24167- atomic_long_t load_kernel_context;
24168- atomic_long_t lock_kernel_context;
24169- atomic_long_t unlock_kernel_context;
24170- atomic_long_t steal_user_context;
24171- atomic_long_t steal_kernel_context;
24172- atomic_long_t steal_context_failed;
24173- atomic_long_t nopfn;
24174- atomic_long_t asid_new;
24175- atomic_long_t asid_next;
24176- atomic_long_t asid_wrap;
24177- atomic_long_t asid_reuse;
24178- atomic_long_t intr;
24179- atomic_long_t intr_cbr;
24180- atomic_long_t intr_tfh;
24181- atomic_long_t intr_spurious;
24182- atomic_long_t intr_mm_lock_failed;
24183- atomic_long_t call_os;
24184- atomic_long_t call_os_wait_queue;
24185- atomic_long_t user_flush_tlb;
24186- atomic_long_t user_unload_context;
24187- atomic_long_t user_exception;
24188- atomic_long_t set_context_option;
24189- atomic_long_t check_context_retarget_intr;
24190- atomic_long_t check_context_unload;
24191- atomic_long_t tlb_dropin;
24192- atomic_long_t tlb_preload_page;
24193- atomic_long_t tlb_dropin_fail_no_asid;
24194- atomic_long_t tlb_dropin_fail_upm;
24195- atomic_long_t tlb_dropin_fail_invalid;
24196- atomic_long_t tlb_dropin_fail_range_active;
24197- atomic_long_t tlb_dropin_fail_idle;
24198- atomic_long_t tlb_dropin_fail_fmm;
24199- atomic_long_t tlb_dropin_fail_no_exception;
24200- atomic_long_t tfh_stale_on_fault;
24201- atomic_long_t mmu_invalidate_range;
24202- atomic_long_t mmu_invalidate_page;
24203- atomic_long_t flush_tlb;
24204- atomic_long_t flush_tlb_gru;
24205- atomic_long_t flush_tlb_gru_tgh;
24206- atomic_long_t flush_tlb_gru_zero_asid;
24207-
24208- atomic_long_t copy_gpa;
24209- atomic_long_t read_gpa;
24210-
24211- atomic_long_t mesq_receive;
24212- atomic_long_t mesq_receive_none;
24213- atomic_long_t mesq_send;
24214- atomic_long_t mesq_send_failed;
24215- atomic_long_t mesq_noop;
24216- atomic_long_t mesq_send_unexpected_error;
24217- atomic_long_t mesq_send_lb_overflow;
24218- atomic_long_t mesq_send_qlimit_reached;
24219- atomic_long_t mesq_send_amo_nacked;
24220- atomic_long_t mesq_send_put_nacked;
24221- atomic_long_t mesq_page_overflow;
24222- atomic_long_t mesq_qf_locked;
24223- atomic_long_t mesq_qf_noop_not_full;
24224- atomic_long_t mesq_qf_switch_head_failed;
24225- atomic_long_t mesq_qf_unexpected_error;
24226- atomic_long_t mesq_noop_unexpected_error;
24227- atomic_long_t mesq_noop_lb_overflow;
24228- atomic_long_t mesq_noop_qlimit_reached;
24229- atomic_long_t mesq_noop_amo_nacked;
24230- atomic_long_t mesq_noop_put_nacked;
24231- atomic_long_t mesq_noop_page_overflow;
24232+ atomic_long_unchecked_t vdata_alloc;
24233+ atomic_long_unchecked_t vdata_free;
24234+ atomic_long_unchecked_t gts_alloc;
24235+ atomic_long_unchecked_t gts_free;
24236+ atomic_long_unchecked_t gms_alloc;
24237+ atomic_long_unchecked_t gms_free;
24238+ atomic_long_unchecked_t gts_double_allocate;
24239+ atomic_long_unchecked_t assign_context;
24240+ atomic_long_unchecked_t assign_context_failed;
24241+ atomic_long_unchecked_t free_context;
24242+ atomic_long_unchecked_t load_user_context;
24243+ atomic_long_unchecked_t load_kernel_context;
24244+ atomic_long_unchecked_t lock_kernel_context;
24245+ atomic_long_unchecked_t unlock_kernel_context;
24246+ atomic_long_unchecked_t steal_user_context;
24247+ atomic_long_unchecked_t steal_kernel_context;
24248+ atomic_long_unchecked_t steal_context_failed;
24249+ atomic_long_unchecked_t nopfn;
24250+ atomic_long_unchecked_t asid_new;
24251+ atomic_long_unchecked_t asid_next;
24252+ atomic_long_unchecked_t asid_wrap;
24253+ atomic_long_unchecked_t asid_reuse;
24254+ atomic_long_unchecked_t intr;
24255+ atomic_long_unchecked_t intr_cbr;
24256+ atomic_long_unchecked_t intr_tfh;
24257+ atomic_long_unchecked_t intr_spurious;
24258+ atomic_long_unchecked_t intr_mm_lock_failed;
24259+ atomic_long_unchecked_t call_os;
24260+ atomic_long_unchecked_t call_os_wait_queue;
24261+ atomic_long_unchecked_t user_flush_tlb;
24262+ atomic_long_unchecked_t user_unload_context;
24263+ atomic_long_unchecked_t user_exception;
24264+ atomic_long_unchecked_t set_context_option;
24265+ atomic_long_unchecked_t check_context_retarget_intr;
24266+ atomic_long_unchecked_t check_context_unload;
24267+ atomic_long_unchecked_t tlb_dropin;
24268+ atomic_long_unchecked_t tlb_preload_page;
24269+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
24270+ atomic_long_unchecked_t tlb_dropin_fail_upm;
24271+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
24272+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
24273+ atomic_long_unchecked_t tlb_dropin_fail_idle;
24274+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
24275+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
24276+ atomic_long_unchecked_t tfh_stale_on_fault;
24277+ atomic_long_unchecked_t mmu_invalidate_range;
24278+ atomic_long_unchecked_t mmu_invalidate_page;
24279+ atomic_long_unchecked_t flush_tlb;
24280+ atomic_long_unchecked_t flush_tlb_gru;
24281+ atomic_long_unchecked_t flush_tlb_gru_tgh;
24282+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
24283+
24284+ atomic_long_unchecked_t copy_gpa;
24285+ atomic_long_unchecked_t read_gpa;
24286+
24287+ atomic_long_unchecked_t mesq_receive;
24288+ atomic_long_unchecked_t mesq_receive_none;
24289+ atomic_long_unchecked_t mesq_send;
24290+ atomic_long_unchecked_t mesq_send_failed;
24291+ atomic_long_unchecked_t mesq_noop;
24292+ atomic_long_unchecked_t mesq_send_unexpected_error;
24293+ atomic_long_unchecked_t mesq_send_lb_overflow;
24294+ atomic_long_unchecked_t mesq_send_qlimit_reached;
24295+ atomic_long_unchecked_t mesq_send_amo_nacked;
24296+ atomic_long_unchecked_t mesq_send_put_nacked;
24297+ atomic_long_unchecked_t mesq_page_overflow;
24298+ atomic_long_unchecked_t mesq_qf_locked;
24299+ atomic_long_unchecked_t mesq_qf_noop_not_full;
24300+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
24301+ atomic_long_unchecked_t mesq_qf_unexpected_error;
24302+ atomic_long_unchecked_t mesq_noop_unexpected_error;
24303+ atomic_long_unchecked_t mesq_noop_lb_overflow;
24304+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
24305+ atomic_long_unchecked_t mesq_noop_amo_nacked;
24306+ atomic_long_unchecked_t mesq_noop_put_nacked;
24307+ atomic_long_unchecked_t mesq_noop_page_overflow;
58c5fc13 24308
58c5fc13 24309 };
58c5fc13 24310
ae4e228f
MT
24311@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
24312 tghop_invalidate, mcsop_last};
58c5fc13 24313
ae4e228f
MT
24314 struct mcs_op_statistic {
24315- atomic_long_t count;
24316- atomic_long_t total;
24317+ atomic_long_unchecked_t count;
24318+ atomic_long_unchecked_t total;
24319 unsigned long max;
58c5fc13
MT
24320 };
24321
ae4e228f 24322@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
58c5fc13 24323
ae4e228f
MT
24324 #define STAT(id) do { \
24325 if (gru_options & OPT_STATS) \
24326- atomic_long_inc(&gru_stats.id); \
24327+ atomic_long_inc_unchecked(&gru_stats.id); \
24328 } while (0)
58c5fc13 24329
ae4e228f
MT
24330 #ifdef CONFIG_SGI_GRU_DEBUG
24331diff -urNp linux-2.6.33.1/drivers/mtd/devices/doc2000.c linux-2.6.33.1/drivers/mtd/devices/doc2000.c
24332--- linux-2.6.33.1/drivers/mtd/devices/doc2000.c 2010-03-15 12:09:39.000000000 -0400
24333+++ linux-2.6.33.1/drivers/mtd/devices/doc2000.c 2010-03-20 16:58:40.128534904 -0400
58c5fc13
MT
24334@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
24335
24336 /* The ECC will not be calculated correctly if less than 512 is written */
24337 /* DBB-
24338- if (len != 0x200 && eccbuf)
24339+ if (len != 0x200)
24340 printk(KERN_WARNING
24341 "ECC needs a full sector write (adr: %lx size %lx)\n",
24342 (long) to, (long) len);
ae4e228f
MT
24343diff -urNp linux-2.6.33.1/drivers/mtd/devices/doc2001.c linux-2.6.33.1/drivers/mtd/devices/doc2001.c
24344--- linux-2.6.33.1/drivers/mtd/devices/doc2001.c 2010-03-15 12:09:39.000000000 -0400
24345+++ linux-2.6.33.1/drivers/mtd/devices/doc2001.c 2010-03-20 17:13:45.197003644 -0400
24346@@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
24347 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
24348
58c5fc13 24349 /* Don't allow read past end of device */
ae4e228f
MT
24350- if (from >= this->totlen)
24351+ if (from >= this->totlen || !len)
58c5fc13 24352 return -EINVAL;
58c5fc13
MT
24353
24354 /* Don't allow a single read to cross a 512-byte block boundary */
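Review bot: Folding `!len` into the range check makes a zero-length read fail with -EINVAL, and the comment above it, "Don't allow read past end of device", no longer describes the whole condition. A caller that treats a zero-length read as a successful no-op would now see an error, and the returned-length out parameter is presumably left unset on this path. Handling the empty case separately keeps the two meanings apart: `if (!len) return 0;` after setting the returned length to zero, with the original `from >= this->totlen` test left as it was. doc_read's signature and the rest of its body are outside the hunk, so the parameter handling should be checked there.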
ae4e228f
MT
24355diff -urNp linux-2.6.33.1/drivers/mtd/ubi/build.c linux-2.6.33.1/drivers/mtd/ubi/build.c
24356--- linux-2.6.33.1/drivers/mtd/ubi/build.c 2010-03-15 12:09:39.000000000 -0400
24357+++ linux-2.6.33.1/drivers/mtd/ubi/build.c 2010-03-20 16:58:40.128534904 -0400
24358@@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
24359 static int __init bytes_str_to_int(const char *str)
24360 {
24361 char *endp;
24362- unsigned long result;
24363+ unsigned long result, scale = 1;
58c5fc13
MT
24364
24365 result = simple_strtoul(str, &endp, 0);
ae4e228f
MT
24366 if (str == endp || result >= INT_MAX) {
24367@@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
24368
24369 switch (*endp) {
24370 case 'G':
24371- result *= 1024;
24372+ scale *= 1024;
24373 case 'M':
24374- result *= 1024;
24375+ scale *= 1024;
24376 case 'K':
24377- result *= 1024;
24378+ scale *= 1024;
24379 if (endp[1] == 'i' && endp[2] == 'B')
24380 endp += 2;
24381 case '\0':
24382@@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
58c5fc13 24383 return -EINVAL;
ae4e228f
MT
24384 }
24385
24386- return result;
24387+ if ((intoverflow_t)result*scale >= INT_MAX) {
24388+ printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
24389+ str);
24390+ return -EINVAL;
24391+ }
24392+
24393+ return result*scale;
24394 }
24395
24396 /**
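Review bot: The overflow test `(intoverflow_t)result*scale >= INT_MAX` relies on a widening type that is not defined in this file (presumably added elsewhere in the patch) and on that type being wide enough for an `unsigned long` times 2^30 on every architecture. A division form gives the same answer with no wider type: `if (result > (INT_MAX - 1) / scale) {`. The error `printk` here also repeats the message of the earlier `result >= INT_MAX` check near the top of bytes_str_to_int, so the two could share one exit path. The `case 'G'`/`'M'`/`'K'` arms in the previous hunk fall through deliberately, and each would be clearer with a `/* fall through */` marker.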
24397diff -urNp linux-2.6.33.1/drivers/net/e1000e/82571.c linux-2.6.33.1/drivers/net/e1000e/82571.c
24398--- linux-2.6.33.1/drivers/net/e1000e/82571.c 2010-03-15 12:09:39.000000000 -0400
24399+++ linux-2.6.33.1/drivers/net/e1000e/82571.c 2010-03-20 16:58:40.152824721 -0400
24400@@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
24401 {
24402 struct e1000_hw *hw = &adapter->hw;
24403 struct e1000_mac_info *mac = &hw->mac;
24404+ /* cannot be const */
24405 struct e1000_mac_operations *func = &mac->ops;
24406 u32 swsm = 0;
24407 u32 swsm2 = 0;
24408@@ -1688,7 +1689,7 @@ static void e1000_clear_hw_cntrs_82571(s
24409 er32(ICRXDMTC);
24410 }
24411
24412-static struct e1000_mac_operations e82571_mac_ops = {
24413+static const struct e1000_mac_operations e82571_mac_ops = {
24414 /* .check_mng_mode: mac type dependent */
24415 /* .check_for_link: media type dependent */
24416 .id_led_init = e1000e_id_led_init,
24417@@ -1708,7 +1709,7 @@ static struct e1000_mac_operations e8257
24418 .setup_led = e1000e_setup_led_generic,
24419 };
24420
24421-static struct e1000_phy_operations e82_phy_ops_igp = {
24422+static const struct e1000_phy_operations e82_phy_ops_igp = {
24423 .acquire = e1000_get_hw_semaphore_82571,
24424 .check_polarity = e1000_check_polarity_igp,
24425 .check_reset_block = e1000e_check_reset_block_generic,
24426@@ -1726,7 +1727,7 @@ static struct e1000_phy_operations e82_p
24427 .cfg_on_link_up = NULL,
24428 };
24429
24430-static struct e1000_phy_operations e82_phy_ops_m88 = {
24431+static const struct e1000_phy_operations e82_phy_ops_m88 = {
24432 .acquire = e1000_get_hw_semaphore_82571,
24433 .check_polarity = e1000_check_polarity_m88,
24434 .check_reset_block = e1000e_check_reset_block_generic,
24435@@ -1744,7 +1745,7 @@ static struct e1000_phy_operations e82_p
24436 .cfg_on_link_up = NULL,
24437 };
24438
24439-static struct e1000_phy_operations e82_phy_ops_bm = {
24440+static const struct e1000_phy_operations e82_phy_ops_bm = {
24441 .acquire = e1000_get_hw_semaphore_82571,
24442 .check_polarity = e1000_check_polarity_m88,
24443 .check_reset_block = e1000e_check_reset_block_generic,
24444@@ -1762,7 +1763,7 @@ static struct e1000_phy_operations e82_p
24445 .cfg_on_link_up = NULL,
24446 };
24447
24448-static struct e1000_nvm_operations e82571_nvm_ops = {
24449+static const struct e1000_nvm_operations e82571_nvm_ops = {
24450 .acquire = e1000_acquire_nvm_82571,
24451 .read = e1000e_read_nvm_eerd,
24452 .release = e1000_release_nvm_82571,
24453diff -urNp linux-2.6.33.1/drivers/net/e1000e/e1000.h linux-2.6.33.1/drivers/net/e1000e/e1000.h
24454--- linux-2.6.33.1/drivers/net/e1000e/e1000.h 2010-03-15 12:09:39.000000000 -0400
24455+++ linux-2.6.33.1/drivers/net/e1000e/e1000.h 2010-03-20 16:58:40.152824721 -0400
24456@@ -379,9 +379,9 @@ struct e1000_info {
24457 u32 pba;
24458 u32 max_hw_frame_size;
24459 s32 (*get_variants)(struct e1000_adapter *);
24460- struct e1000_mac_operations *mac_ops;
24461- struct e1000_phy_operations *phy_ops;
24462- struct e1000_nvm_operations *nvm_ops;
24463+ const struct e1000_mac_operations *mac_ops;
24464+ const struct e1000_phy_operations *phy_ops;
24465+ const struct e1000_nvm_operations *nvm_ops;
24466 };
24467
24468 /* hardware capability, feature, and workaround flags */
24469diff -urNp linux-2.6.33.1/drivers/net/e1000e/es2lan.c linux-2.6.33.1/drivers/net/e1000e/es2lan.c
24470--- linux-2.6.33.1/drivers/net/e1000e/es2lan.c 2010-03-15 12:09:39.000000000 -0400
24471+++ linux-2.6.33.1/drivers/net/e1000e/es2lan.c 2010-03-20 16:58:40.152824721 -0400
24472@@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
24473 {
24474 struct e1000_hw *hw = &adapter->hw;
24475 struct e1000_mac_info *mac = &hw->mac;
24476+ /* cannot be const */
24477 struct e1000_mac_operations *func = &mac->ops;
24478
24479 /* Set media type */
24480@@ -1402,7 +1403,7 @@ static void e1000_clear_hw_cntrs_80003es
24481 er32(ICRXDMTC);
24482 }
24483
24484-static struct e1000_mac_operations es2_mac_ops = {
24485+static const struct e1000_mac_operations es2_mac_ops = {
24486 .id_led_init = e1000e_id_led_init,
24487 .check_mng_mode = e1000e_check_mng_mode_generic,
24488 /* check_for_link dependent on media type */
24489@@ -1422,7 +1423,7 @@ static struct e1000_mac_operations es2_m
24490 .setup_led = e1000e_setup_led_generic,
24491 };
24492
24493-static struct e1000_phy_operations es2_phy_ops = {
24494+static const struct e1000_phy_operations es2_phy_ops = {
24495 .acquire = e1000_acquire_phy_80003es2lan,
24496 .check_polarity = e1000_check_polarity_m88,
24497 .check_reset_block = e1000e_check_reset_block_generic,
24498@@ -1440,7 +1441,7 @@ static struct e1000_phy_operations es2_p
24499 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
24500 };
24501
24502-static struct e1000_nvm_operations es2_nvm_ops = {
24503+static const struct e1000_nvm_operations es2_nvm_ops = {
24504 .acquire = e1000_acquire_nvm_80003es2lan,
24505 .read = e1000e_read_nvm_eerd,
24506 .release = e1000_release_nvm_80003es2lan,
24507diff -urNp linux-2.6.33.1/drivers/net/e1000e/hw.h linux-2.6.33.1/drivers/net/e1000e/hw.h
24508--- linux-2.6.33.1/drivers/net/e1000e/hw.h 2010-03-15 12:09:39.000000000 -0400
24509+++ linux-2.6.33.1/drivers/net/e1000e/hw.h 2010-03-20 16:58:40.156835598 -0400
24510@@ -783,13 +783,13 @@ struct e1000_phy_operations {
24511
24512 /* Function pointers for the NVM. */
24513 struct e1000_nvm_operations {
24514- s32 (*acquire)(struct e1000_hw *);
24515- s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
24516- void (*release)(struct e1000_hw *);
24517- s32 (*update)(struct e1000_hw *);
24518- s32 (*valid_led_default)(struct e1000_hw *, u16 *);
24519- s32 (*validate)(struct e1000_hw *);
24520- s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
24521+ s32 (* const acquire)(struct e1000_hw *);
24522+ s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
24523+ void (* const release)(struct e1000_hw *);
24524+ s32 (* const update)(struct e1000_hw *);
24525+ s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
24526+ s32 (* const validate)(struct e1000_hw *);
24527+ s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
24528 };
24529
24530 struct e1000_mac_info {
24531@@ -864,6 +864,7 @@ struct e1000_phy_info {
24532 };
24533
24534 struct e1000_nvm_info {
24535+ /* cannot be const */
24536 struct e1000_nvm_operations ops;
24537
24538 enum e1000_nvm_type type;
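Review bot: The `/* cannot be const */` comment on `struct e1000_nvm_operations ops;` gives no reason, and it marks where this hardening stops: the static per-chip tables become read-only, but the copy embedded in `struct e1000_nvm_info` stays in writable memory. The preceding hunk declares every member of that struct `* const`, so the embedded copy can presumably only be filled by a whole-object copy, at a site outside these hunks that is worth confirming. Once it is confirmed, I would expand the comment to something like `/* per-adapter copy filled from the const per-chip table; must stay writable */`. The same applies to the matching igb/e1000_hw.h hunk and to the `func = &mac->ops` line in es2lan.c.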
24539diff -urNp linux-2.6.33.1/drivers/net/e1000e/ich8lan.c linux-2.6.33.1/drivers/net/e1000e/ich8lan.c
24540--- linux-2.6.33.1/drivers/net/e1000e/ich8lan.c 2010-03-15 12:09:39.000000000 -0400
24541+++ linux-2.6.33.1/drivers/net/e1000e/ich8lan.c 2010-03-20 16:58:40.168822418 -0400
24542@@ -3361,7 +3361,7 @@ static void e1000_clear_hw_cntrs_ich8lan
24543 }
24544 }
24545
24546-static struct e1000_mac_operations ich8_mac_ops = {
24547+static const struct e1000_mac_operations ich8_mac_ops = {
24548 .id_led_init = e1000e_id_led_init,
24549 .check_mng_mode = e1000_check_mng_mode_ich8lan,
24550 .check_for_link = e1000_check_for_copper_link_ich8lan,
24551@@ -3379,7 +3379,7 @@ static struct e1000_mac_operations ich8_
24552 /* id_led_init dependent on mac type */
24553 };
24554
24555-static struct e1000_phy_operations ich8_phy_ops = {
24556+static const struct e1000_phy_operations ich8_phy_ops = {
24557 .acquire = e1000_acquire_swflag_ich8lan,
24558 .check_reset_block = e1000_check_reset_block_ich8lan,
24559 .commit = NULL,
24560@@ -3393,7 +3393,7 @@ static struct e1000_phy_operations ich8_
24561 .write_reg = e1000e_write_phy_reg_igp,
24562 };
24563
24564-static struct e1000_nvm_operations ich8_nvm_ops = {
24565+static const struct e1000_nvm_operations ich8_nvm_ops = {
24566 .acquire = e1000_acquire_nvm_ich8lan,
24567 .read = e1000_read_nvm_ich8lan,
24568 .release = e1000_release_nvm_ich8lan,
24569diff -urNp linux-2.6.33.1/drivers/net/ibmveth.c linux-2.6.33.1/drivers/net/ibmveth.c
24570--- linux-2.6.33.1/drivers/net/ibmveth.c 2010-03-15 12:09:39.000000000 -0400
24571+++ linux-2.6.33.1/drivers/net/ibmveth.c 2010-03-20 16:58:40.180852292 -0400
24572@@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
24573 NULL,
24574 };
24575
24576-static struct sysfs_ops veth_pool_ops = {
24577+static const struct sysfs_ops veth_pool_ops = {
24578 .show = veth_pool_show,
24579 .store = veth_pool_store,
24580 };
24581diff -urNp linux-2.6.33.1/drivers/net/igb/e1000_82575.c linux-2.6.33.1/drivers/net/igb/e1000_82575.c
24582--- linux-2.6.33.1/drivers/net/igb/e1000_82575.c 2010-03-15 12:09:39.000000000 -0400
24583+++ linux-2.6.33.1/drivers/net/igb/e1000_82575.c 2010-03-20 16:58:40.192835070 -0400
24584@@ -1583,7 +1583,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
24585 return ret_val;
24586 }
24587
24588-static struct e1000_mac_operations e1000_mac_ops_82575 = {
24589+static const struct e1000_mac_operations e1000_mac_ops_82575 = {
24590 .init_hw = igb_init_hw_82575,
24591 .check_for_link = igb_check_for_link_82575,
24592 .rar_set = igb_rar_set,
24593@@ -1591,13 +1591,13 @@ static struct e1000_mac_operations e1000
24594 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
24595 };
24596
24597-static struct e1000_phy_operations e1000_phy_ops_82575 = {
24598+static const struct e1000_phy_operations e1000_phy_ops_82575 = {
24599 .acquire = igb_acquire_phy_82575,
24600 .get_cfg_done = igb_get_cfg_done_82575,
24601 .release = igb_release_phy_82575,
24602 };
24603
24604-static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24605+static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
24606 .acquire = igb_acquire_nvm_82575,
24607 .read = igb_read_nvm_eerd,
24608 .release = igb_release_nvm_82575,
24609diff -urNp linux-2.6.33.1/drivers/net/igb/e1000_hw.h linux-2.6.33.1/drivers/net/igb/e1000_hw.h
24610--- linux-2.6.33.1/drivers/net/igb/e1000_hw.h 2010-03-15 12:09:39.000000000 -0400
24611+++ linux-2.6.33.1/drivers/net/igb/e1000_hw.h 2010-03-20 16:58:40.192835070 -0400
24612@@ -316,17 +316,17 @@ struct e1000_phy_operations {
24613 };
24614
24615 struct e1000_nvm_operations {
24616- s32 (*acquire)(struct e1000_hw *);
24617- s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
24618- void (*release)(struct e1000_hw *);
24619- s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
24620+ s32 (* const acquire)(struct e1000_hw *);
24621+ s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
24622+ void (* const release)(struct e1000_hw *);
24623+ s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
24624 };
24625
24626 struct e1000_info {
24627 s32 (*get_invariants)(struct e1000_hw *);
24628- struct e1000_mac_operations *mac_ops;
24629- struct e1000_phy_operations *phy_ops;
24630- struct e1000_nvm_operations *nvm_ops;
24631+ const struct e1000_mac_operations *mac_ops;
24632+ const struct e1000_phy_operations *phy_ops;
24633+ const struct e1000_nvm_operations *nvm_ops;
24634 };
24635
24636 extern const struct e1000_info e1000_82575_info;
24637@@ -412,6 +412,7 @@ struct e1000_phy_info {
24638 };
24639
24640 struct e1000_nvm_info {
24641+ /* cannot be const */
24642 struct e1000_nvm_operations ops;
24643
24644 enum e1000_nvm_type type;
24645diff -urNp linux-2.6.33.1/drivers/net/irda/vlsi_ir.c linux-2.6.33.1/drivers/net/irda/vlsi_ir.c
24646--- linux-2.6.33.1/drivers/net/irda/vlsi_ir.c 2010-03-15 12:09:39.000000000 -0400
24647+++ linux-2.6.33.1/drivers/net/irda/vlsi_ir.c 2010-03-20 16:58:40.204836200 -0400
24648@@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
24649 /* no race - tx-ring already empty */
24650 vlsi_set_baud(idev, iobase);
24651 netif_wake_queue(ndev);
24652- }
24653- else
24654- ;
24655+ } else {
24656 /* keep the speed change pending like it would
24657 * for any len>0 packet. tx completion interrupt
24658 * will apply it when the tx ring becomes empty.
24659 */
24660+ }
24661 spin_unlock_irqrestore(&idev->lock, flags);
24662 dev_kfree_skb_any(skb);
24663 return NETDEV_TX_OK;
24664diff -urNp linux-2.6.33.1/drivers/net/iseries_veth.c linux-2.6.33.1/drivers/net/iseries_veth.c
24665--- linux-2.6.33.1/drivers/net/iseries_veth.c 2010-03-15 12:09:39.000000000 -0400
24666+++ linux-2.6.33.1/drivers/net/iseries_veth.c 2010-03-20 16:58:40.227948499 -0400
24667@@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
24668 NULL
24669 };
24670
24671-static struct sysfs_ops veth_cnx_sysfs_ops = {
24672+static const struct sysfs_ops veth_cnx_sysfs_ops = {
24673 .show = veth_cnx_attribute_show
24674 };
24675
24676@@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
24677 NULL
24678 };
24679
24680-static struct sysfs_ops veth_port_sysfs_ops = {
24681+static const struct sysfs_ops veth_port_sysfs_ops = {
24682 .show = veth_port_attribute_show
24683 };
24684
24685diff -urNp linux-2.6.33.1/drivers/net/pcnet32.c linux-2.6.33.1/drivers/net/pcnet32.c
24686--- linux-2.6.33.1/drivers/net/pcnet32.c 2010-03-15 12:09:39.000000000 -0400
24687+++ linux-2.6.33.1/drivers/net/pcnet32.c 2010-03-20 16:58:40.232840159 -0400
24688@@ -80,7 +80,7 @@ static int cards_found;
24689 /*
24690 * VLB I/O addresses
24691 */
24692-static unsigned int pcnet32_portlist[] __initdata =
24693+static unsigned int pcnet32_portlist[] __devinitdata =
24694 { 0x300, 0x320, 0x340, 0x360, 0 };
24695
24696 static int pcnet32_debug = 0;
24697diff -urNp linux-2.6.33.1/drivers/net/ppp_generic.c linux-2.6.33.1/drivers/net/ppp_generic.c
24698--- linux-2.6.33.1/drivers/net/ppp_generic.c 2010-03-15 12:09:39.000000000 -0400
24699+++ linux-2.6.33.1/drivers/net/ppp_generic.c 2010-03-20 16:58:40.236519222 -0400
24700@@ -988,7 +988,6 @@ ppp_net_ioctl(struct net_device *dev, st
24701 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
24702 struct ppp_stats stats;
24703 struct ppp_comp_stats cstats;
24704- char *vers;
24705
24706 switch (cmd) {
24707 case SIOCGPPPSTATS:
24708@@ -1010,8 +1009,7 @@ ppp_net_ioctl(struct net_device *dev, st
24709 break;
24710
24711 case SIOCGPPPVER:
24712- vers = PPP_VERSION;
24713- if (copy_to_user(addr, vers, strlen(vers) + 1))
24714+ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
24715 break;
24716 err = 0;
24717 break;
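Review bot: `sizeof(PPP_VERSION)` in the SIOCGPPPVER case equals the string length plus terminator only while PPP_VERSION expands to a string literal; if it is ever turned into a `const char *`, the copy silently shrinks to pointer size. The macro's definition is outside the hunk, so this is a documentation point: a comment such as `/* PPP_VERSION must remain a string literal: sizeof includes the NUL */` above the copy would record the assumption. ppp_net_ioctl continues outside the hunk.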
24718diff -urNp linux-2.6.33.1/drivers/net/tg3.h linux-2.6.33.1/drivers/net/tg3.h
24719--- linux-2.6.33.1/drivers/net/tg3.h 2010-03-15 12:09:39.000000000 -0400
24720+++ linux-2.6.33.1/drivers/net/tg3.h 2010-03-20 16:58:40.244857185 -0400
24721@@ -101,6 +101,7 @@
24722 #define CHIPREV_ID_5750_A0 0x4000
24723 #define CHIPREV_ID_5750_A1 0x4001
24724 #define CHIPREV_ID_5750_A3 0x4003
24725+#define CHIPREV_ID_5750_C1 0x4201
24726 #define CHIPREV_ID_5750_C2 0x4202
24727 #define CHIPREV_ID_5752_A0_HW 0x5000
24728 #define CHIPREV_ID_5752_A0 0x6000
24729diff -urNp linux-2.6.33.1/drivers/net/tulip/de4x5.c linux-2.6.33.1/drivers/net/tulip/de4x5.c
24730--- linux-2.6.33.1/drivers/net/tulip/de4x5.c 2010-03-15 12:09:39.000000000 -0400
24731+++ linux-2.6.33.1/drivers/net/tulip/de4x5.c 2010-03-20 16:58:40.269912385 -0400
24732@@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
24733 for (i=0; i<ETH_ALEN; i++) {
24734 tmp.addr[i] = dev->dev_addr[i];
24735 }
24736- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
24737+ if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
24738 break;
24739
24740 case DE4X5_SET_HWADDR: /* Set the hardware address */
24741@@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
24742 spin_lock_irqsave(&lp->lock, flags);
24743 memcpy(&statbuf, &lp->pktStats, ioc->len);
24744 spin_unlock_irqrestore(&lp->lock, flags);
24745- if (copy_to_user(ioc->data, &statbuf, ioc->len))
24746+ if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
24747 return -EFAULT;
24748 break;
24749 }
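Review bot: In the second hunk the new `ioc->len > sizeof(statbuf)` test runs only after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines earlier, so an oversized length has already written past `statbuf` and read past `lp->pktStats` by the time it is rejected. The bound has to be checked before the copy, e.g. `if (ioc->len > sizeof(statbuf)) return -EINVAL;` ahead of `spin_lock_irqsave(&lp->lock, flags);`, which also avoids returning with the lock held. The first hunk's check before `copy_to_user(ioc->data, tmp.addr, ioc->len)` is placed correctly, though `-EINVAL` would describe a bad length better than `-EFAULT`. de4x5_ioctl starts and ends outside both hunks, so where `ioc->len` is populated is not visible here.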
24750diff -urNp linux-2.6.33.1/drivers/net/usb/hso.c linux-2.6.33.1/drivers/net/usb/hso.c
24751--- linux-2.6.33.1/drivers/net/usb/hso.c 2010-03-15 12:09:39.000000000 -0400
24752+++ linux-2.6.33.1/drivers/net/usb/hso.c 2010-03-20 16:58:40.272671924 -0400
24753@@ -258,7 +258,7 @@ struct hso_serial {
24754
24755 /* from usb_serial_port */
24756 struct tty_struct *tty;
24757- int open_count;
24758+ atomic_t open_count;
24759 spinlock_t serial_lock;
24760
24761 int (*write_data) (struct hso_serial *serial);
ae4e228f 24762@@ -1203,7 +1203,7 @@ static void put_rxbuf_data_and_resubmit_
24763 struct urb *urb;
24764
24765 urb = serial->rx_urb[0];
24766- if (serial->open_count > 0) {
24767+ if (atomic_read(&serial->open_count) > 0) {
24768 count = put_rxbuf_data(urb, serial);
24769 if (count == -1)
24770 return;
ae4e228f 24771@@ -1239,7 +1239,7 @@ static void hso_std_serial_read_bulk_cal
24772 DUMP1(urb->transfer_buffer, urb->actual_length);
24773
24774 /* Anyone listening? */
24775- if (serial->open_count == 0)
24776+ if (atomic_read(&serial->open_count) == 0)
24777 return;
24778
24779 if (status == 0) {
ae4e228f 24780@@ -1334,8 +1334,7 @@ static int hso_serial_open(struct tty_st
24781 spin_unlock_irq(&serial->serial_lock);
24782
24783 /* check for port already opened, if not set the termios */
24784- serial->open_count++;
24785- if (serial->open_count == 1) {
24786+ if (atomic_inc_return(&serial->open_count) == 1) {
24787 tty->low_latency = 1;
24788 serial->rx_state = RX_IDLE;
24789 /* Force default termio settings */
ae4e228f 24790@@ -1348,7 +1347,7 @@ static int hso_serial_open(struct tty_st
24791 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
24792 if (result) {
24793 hso_stop_serial_device(serial->parent);
24794- serial->open_count--;
24795+ atomic_dec(&serial->open_count);
24796 kref_put(&serial->parent->ref, hso_serial_ref_free);
24797 }
24798 } else {
ae4e228f 24799@@ -1385,10 +1384,10 @@ static void hso_serial_close(struct tty_
24800
24801 /* reset the rts and dtr */
24802 /* do the actual close */
24803- serial->open_count--;
24804+ atomic_dec(&serial->open_count);
ae4e228f 24805
24806- if (serial->open_count <= 0) {
24807- serial->open_count = 0;
24808+ if (atomic_read(&serial->open_count) <= 0) {
24809+ atomic_set(&serial->open_count, 0);
24810 spin_lock_irq(&serial->serial_lock);
24811 if (serial->tty == tty) {
24812 serial->tty->driver_data = NULL;
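Review bot: In hso_serial_close the decrement, the `atomic_read(&serial->open_count) <= 0` test and the `atomic_set(&serial->open_count, 0)` are three separate operations, so converting `open_count` to `atomic_t` does not make the close path's decision atomic; a concurrent open or close can run between them. Folding the first two into `if (atomic_dec_return(&serial->open_count) <= 0) {` at least makes the test act on the value this caller produced. The clamp back to 0 also hides an unbalanced close rather than reporting it. Whether an outer lock already serializes open and close is not visible, because the function body continues outside the hunk.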
ae4e228f 24813@@ -1470,7 +1469,7 @@ static void hso_serial_set_termios(struc
24814
24815 /* the actual setup */
24816 spin_lock_irqsave(&serial->serial_lock, flags);
24817- if (serial->open_count)
24818+ if (atomic_read(&serial->open_count))
24819 _hso_serial_set_termios(tty, old);
24820 else
24821 tty->termios = old;
24822@@ -1933,7 +1932,7 @@ static void intr_callback(struct urb *ur
24823 D1("Pending read interrupt on port %d\n", i);
24824 spin_lock(&serial->serial_lock);
24825 if (serial->rx_state == RX_IDLE &&
24826- serial->open_count > 0) {
24827+ atomic_read(&serial->open_count) > 0) {
24828 /* Setup and send a ctrl req read on
24829 * port i */
24830 if (!serial->rx_urb_filled[0]) {
24831@@ -3124,7 +3123,7 @@ static int hso_resume(struct usb_interfa
24832 /* Start all serial ports */
24833 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
24834 if (serial_table[i] && (serial_table[i]->interface == iface)) {
24835- if (dev2ser(serial_table[i])->open_count) {
24836+ if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
24837 result =
24838 hso_start_serial_device(serial_table[i], GFP_NOIO);
24839 hso_kick_transmit(dev2ser(serial_table[i]));
24840diff -urNp linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c
24841--- linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c 2010-03-15 12:09:39.000000000 -0400
24842+++ linux-2.6.33.1/drivers/net/wireless/b43/debugfs.c 2010-03-20 16:58:40.276838321 -0400
24843@@ -43,7 +43,7 @@ static struct dentry *rootdir;
24844 struct b43_debugfs_fops {
24845 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
24846 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
24847- struct file_operations fops;
24848+ const struct file_operations fops;
24849 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
24850 size_t file_struct_offset;
24851 };
24852diff -urNp linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c
24853--- linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c 2010-03-15 12:09:39.000000000 -0400
24854+++ linux-2.6.33.1/drivers/net/wireless/b43legacy/debugfs.c 2010-03-20 16:58:40.292572897 -0400
24855@@ -44,7 +44,7 @@ static struct dentry *rootdir;
24856 struct b43legacy_debugfs_fops {
24857 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
24858 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
24859- struct file_operations fops;
24860+ const struct file_operations fops;
24861 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
24862 size_t file_struct_offset;
24863 /* Take wl->irq_lock before calling read/write? */
24864diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c
24865--- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-03-15 12:09:39.000000000 -0400
24866+++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-1000.c 2010-03-20 16:58:40.296852154 -0400
24867@@ -140,7 +140,7 @@ static struct iwl_lib_ops iwl1000_lib =
24868 },
24869 };
24870
24871-static struct iwl_ops iwl1000_ops = {
24872+static const struct iwl_ops iwl1000_ops = {
24873 .ucode = &iwl5000_ucode,
24874 .lib = &iwl1000_lib,
24875 .hcmd = &iwl5000_hcmd,
24876diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c
24877--- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-03-15 12:09:39.000000000 -0400
24878+++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-3945.c 2010-03-20 16:58:40.308852389 -0400
24879@@ -2804,7 +2804,7 @@ static struct iwl_hcmd_utils_ops iwl3945
24880 .rts_tx_cmd_flag = iwlcore_rts_tx_cmd_flag,
24881 };
24882
24883-static struct iwl_ops iwl3945_ops = {
24884+static const struct iwl_ops iwl3945_ops = {
24885 .ucode = &iwl3945_ucode,
24886 .lib = &iwl3945_lib,
24887 .hcmd = &iwl3945_hcmd,
24888diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c
24889--- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-03-15 12:09:39.000000000 -0400
24890+++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-4965.c 2010-03-20 16:58:40.316840649 -0400
24891@@ -2208,7 +2208,7 @@ static struct iwl_lib_ops iwl4965_lib =
24892 },
24893 };
24894
24895-static struct iwl_ops iwl4965_ops = {
24896+static const struct iwl_ops iwl4965_ops = {
24897 .ucode = &iwl4965_ucode,
24898 .lib = &iwl4965_lib,
24899 .hcmd = &iwl4965_hcmd,
24900diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c
24901--- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-03-15 12:09:39.000000000 -0400
24902+++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-5000.c 2010-03-20 16:58:40.338443044 -0400
24903@@ -1553,7 +1553,7 @@ static struct iwl_lib_ops iwl5150_lib =
24904 },
24905 };
24906
24907-static struct iwl_ops iwl5000_ops = {
24908+static const struct iwl_ops iwl5000_ops = {
24909 .ucode = &iwl5000_ucode,
24910 .lib = &iwl5000_lib,
24911 .hcmd = &iwl5000_hcmd,
24912@@ -1561,7 +1561,7 @@ static struct iwl_ops iwl5000_ops = {
24913 .led = &iwlagn_led_ops,
24914 };
24915
24916-static struct iwl_ops iwl5150_ops = {
24917+static const struct iwl_ops iwl5150_ops = {
24918 .ucode = &iwl5000_ucode,
24919 .lib = &iwl5150_lib,
24920 .hcmd = &iwl5000_hcmd,
24921diff -urNp linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c
24922--- linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-03-15 12:09:39.000000000 -0400
24923+++ linux-2.6.33.1/drivers/net/wireless/iwlwifi/iwl-6000.c 2010-03-20 16:58:40.338443044 -0400
24924@@ -252,7 +252,7 @@ static struct iwl_lib_ops iwl6000_lib =
24925 },
24926 };
24927
24928-static struct iwl_ops iwl6000_ops = {
24929+static const struct iwl_ops iwl6000_ops = {
24930 .ucode = &iwl5000_ucode,
24931 .lib = &iwl6000_lib,
24932 .hcmd = &iwl5000_hcmd,
24933@@ -267,7 +267,7 @@ static struct iwl_hcmd_utils_ops iwl6050
24934 .calc_rssi = iwl5000_calc_rssi,
24935 };
24936
24937-static struct iwl_ops iwl6050_ops = {
24938+static const struct iwl_ops iwl6050_ops = {
24939 .ucode = &iwl5000_ucode,
24940 .lib = &iwl6000_lib,
24941 .hcmd = &iwl5000_hcmd,
24942diff -urNp linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c
24943--- linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c 2010-03-15 12:09:39.000000000 -0400
24944+++ linux-2.6.33.1/drivers/net/wireless/libertas/debugfs.c 2010-03-20 16:58:40.348846186 -0400
24945@@ -717,7 +717,7 @@ out_unlock:
24946 struct lbs_debugfs_files {
24947 const char *name;
24948 int perm;
24949- struct file_operations fops;
24950+ const struct file_operations fops;
24951 };
24952
24953 static const struct lbs_debugfs_files debugfs_files[] = {
24954diff -urNp linux-2.6.33.1/drivers/oprofile/buffer_sync.c linux-2.6.33.1/drivers/oprofile/buffer_sync.c
24955--- linux-2.6.33.1/drivers/oprofile/buffer_sync.c 2010-03-15 12:09:39.000000000 -0400
24956+++ linux-2.6.33.1/drivers/oprofile/buffer_sync.c 2010-03-20 16:58:40.357847963 -0400
24957@@ -340,7 +340,7 @@ static void add_data(struct op_entry *en
24958 if (cookie == NO_COOKIE)
24959 offset = pc;
24960 if (cookie == INVALID_COOKIE) {
24961- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24962+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24963 offset = pc;
24964 }
24965 if (cookie != last_cookie) {
ae4e228f 24966@@ -384,14 +384,14 @@ add_sample(struct mm_struct *mm, struct
24967 /* add userspace sample */
24968
24969 if (!mm) {
24970- atomic_inc(&oprofile_stats.sample_lost_no_mm);
24971+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
24972 return 0;
24973 }
24974
24975 cookie = lookup_dcookie(mm, s->eip, &offset);
24976
24977 if (cookie == INVALID_COOKIE) {
24978- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
24979+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
24980 return 0;
24981 }
24982
ae4e228f 24983@@ -560,7 +560,7 @@ void sync_buffer(int cpu)
24984 /* ignore backtraces if failed to add a sample */
24985 if (state == sb_bt_start) {
24986 state = sb_bt_ignore;
24987- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
24988+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
24989 }
24990 }
24991 release_mm(mm);
24992diff -urNp linux-2.6.33.1/drivers/oprofile/event_buffer.c linux-2.6.33.1/drivers/oprofile/event_buffer.c
24993--- linux-2.6.33.1/drivers/oprofile/event_buffer.c 2010-03-15 12:09:39.000000000 -0400
24994+++ linux-2.6.33.1/drivers/oprofile/event_buffer.c 2010-03-20 16:58:40.360587811 -0400
24995@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
24996 }
24997
24998 if (buffer_pos == buffer_size) {
24999- atomic_inc(&oprofile_stats.event_lost_overflow);
25000+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
25001 return;
25002 }
25003
25004diff -urNp linux-2.6.33.1/drivers/oprofile/oprof.c linux-2.6.33.1/drivers/oprofile/oprof.c
25005--- linux-2.6.33.1/drivers/oprofile/oprof.c 2010-03-15 12:09:39.000000000 -0400
25006+++ linux-2.6.33.1/drivers/oprofile/oprof.c 2010-03-20 16:58:40.368849108 -0400
25007@@ -110,7 +110,7 @@ static void switch_worker(struct work_st
25008 if (oprofile_ops.switch_events())
25009 return;
58c5fc13 25010
25011- atomic_inc(&oprofile_stats.multiplex_counter);
25012+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
25013 start_switch_worker();
25014 }
58c5fc13 25015
25016diff -urNp linux-2.6.33.1/drivers/oprofile/oprofilefs.c linux-2.6.33.1/drivers/oprofile/oprofilefs.c
25017--- linux-2.6.33.1/drivers/oprofile/oprofilefs.c 2010-03-15 12:09:39.000000000 -0400
25018+++ linux-2.6.33.1/drivers/oprofile/oprofilefs.c 2010-03-20 16:58:40.372843891 -0400
25019@@ -187,7 +187,7 @@ static const struct file_operations atom
25020
25021
25022 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
25023- char const *name, atomic_t *val)
25024+ char const *name, atomic_unchecked_t *val)
25025 {
25026 struct dentry *d = __oprofilefs_create_file(sb, root, name,
25027 &atomic_ro_fops, 0444);
25028diff -urNp linux-2.6.33.1/drivers/oprofile/oprofile_stats.c linux-2.6.33.1/drivers/oprofile/oprofile_stats.c
25029--- linux-2.6.33.1/drivers/oprofile/oprofile_stats.c 2010-03-15 12:09:39.000000000 -0400
25030+++ linux-2.6.33.1/drivers/oprofile/oprofile_stats.c 2010-03-20 16:58:40.376630331 -0400
25031@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
25032 cpu_buf->sample_invalid_eip = 0;
25033 }
25034
25035- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
25036- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
25037- atomic_set(&oprofile_stats.event_lost_overflow, 0);
25038- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
ae4e228f 25039- atomic_set(&oprofile_stats.multiplex_counter, 0);
25040+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
25041+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
25042+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
25043+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
ae4e228f 25044+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
25045 }
25046
25047
25048diff -urNp linux-2.6.33.1/drivers/oprofile/oprofile_stats.h linux-2.6.33.1/drivers/oprofile/oprofile_stats.h
25049--- linux-2.6.33.1/drivers/oprofile/oprofile_stats.h 2010-03-15 12:09:39.000000000 -0400
25050+++ linux-2.6.33.1/drivers/oprofile/oprofile_stats.h 2010-03-20 16:58:40.376630331 -0400
25051@@ -13,11 +13,11 @@
25052 #include <asm/atomic.h>
25053
25054 struct oprofile_stat_struct {
25055- atomic_t sample_lost_no_mm;
25056- atomic_t sample_lost_no_mapping;
25057- atomic_t bt_lost_no_mapping;
25058- atomic_t event_lost_overflow;
ae4e228f 25059- atomic_t multiplex_counter;
25060+ atomic_unchecked_t sample_lost_no_mm;
25061+ atomic_unchecked_t sample_lost_no_mapping;
25062+ atomic_unchecked_t bt_lost_no_mapping;
25063+ atomic_unchecked_t event_lost_overflow;
ae4e228f 25064+ atomic_unchecked_t multiplex_counter;
25065 };
25066
25067 extern struct oprofile_stat_struct oprofile_stats;
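Review bot: Nothing in `struct oprofile_stat_struct` explains why its five counters move from `atomic_t` to `atomic_unchecked_t`, which presumably opts them out of the overflow detection this patch applies to plain `atomic_t`. A comment above the members, such as `/* statistics only; wrap-around is harmless, so no overflow checking */`, would keep a later reader from converting them back. The oprofilefs.c hunk changes only the `oprofilefs_create_ro_atomic` prototype. The read handler behind `atomic_ro_fops` is outside these hunks; if it still treats `private_data` as `atomic_t *`, it should use the unchecked type and `atomic_read_unchecked()` too.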
25068diff -urNp linux-2.6.33.1/drivers/parisc/pdc_stable.c linux-2.6.33.1/drivers/parisc/pdc_stable.c
25069--- linux-2.6.33.1/drivers/parisc/pdc_stable.c 2010-03-15 12:09:39.000000000 -0400
25070+++ linux-2.6.33.1/drivers/parisc/pdc_stable.c 2010-03-20 16:58:40.392862259 -0400
25071@@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
25072 return ret;
25073 }
25074
25075-static struct sysfs_ops pdcspath_attr_ops = {
25076+static const struct sysfs_ops pdcspath_attr_ops = {
25077 .show = pdcspath_attr_show,
25078 .store = pdcspath_attr_store,
25079 };
25080diff -urNp linux-2.6.33.1/drivers/parport/procfs.c linux-2.6.33.1/drivers/parport/procfs.c
25081--- linux-2.6.33.1/drivers/parport/procfs.c 2010-03-15 12:09:39.000000000 -0400
25082+++ linux-2.6.33.1/drivers/parport/procfs.c 2010-03-20 16:58:40.392862259 -0400
25083@@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
25084
25085 *ppos += len;
25086
25087- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
25088+ return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
25089 }
25090
25091 #ifdef CONFIG_PARPORT_1284
25092@@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
25093
25094 *ppos += len;
25095
25096- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
25097+ return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
25098 }
25099 #endif /* IEEE1284.3 support. */
25100
25101diff -urNp linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c
25102--- linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c 2010-03-15 12:09:39.000000000 -0400
25103+++ linux-2.6.33.1/drivers/pci/hotplug/acpiphp_glue.c 2010-03-20 16:58:40.418811417 -0400
25104@@ -109,7 +109,7 @@ static int post_dock_fixups(struct notif
25105 }
25106
25107
25108-static struct acpi_dock_ops acpiphp_dock_ops = {
25109+static const struct acpi_dock_ops acpiphp_dock_ops = {
25110 .handler = handle_hotplug_event_func,
25111 };
25112
25113diff -urNp linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c
25114--- linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c 2010-03-15 12:09:39.000000000 -0400
25115+++ linux-2.6.33.1/drivers/pci/hotplug/cpqphp_nvram.c 2010-03-20 16:58:40.420729851 -0400
25116@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
25117
25118 void compaq_nvram_init (void __iomem *rom_start)
25119 {
25120+
25121+#ifndef CONFIG_PAX_KERNEXEC
25122 if (rom_start) {
25123 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
25124 }
25125+#endif
25126+
25127 dbg("int15 entry = %p\n", compaq_int15_entry_point);
25128
25129 /* initialize our int15 lock */
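Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned in compaq_nvram_init, and nothing in the hunk says why or what callers should expect. A comment above the `#ifndef`, such as `/* KERNEXEC: do not record the ROM int15 entry; the pointer stays unset */`, would document the intent. Any code that calls through the pointer is outside this hunk and needs to cope with it being unset in that configuration. The function body continues past the hunk.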
25130diff -urNp linux-2.6.33.1/drivers/pci/hotplug/fakephp.c linux-2.6.33.1/drivers/pci/hotplug/fakephp.c
25131--- linux-2.6.33.1/drivers/pci/hotplug/fakephp.c 2010-03-15 12:09:39.000000000 -0400
25132+++ linux-2.6.33.1/drivers/pci/hotplug/fakephp.c 2010-03-20 16:58:40.420729851 -0400
25133@@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
25134 }
25135
25136 static struct kobj_type legacy_ktype = {
25137- .sysfs_ops = &(struct sysfs_ops){
25138+ .sysfs_ops = &(const struct sysfs_ops){
25139 .store = legacy_store, .show = legacy_show
25140 },
25141 .release = &legacy_release,
25142diff -urNp linux-2.6.33.1/drivers/pci/intel-iommu.c linux-2.6.33.1/drivers/pci/intel-iommu.c
25143--- linux-2.6.33.1/drivers/pci/intel-iommu.c 2010-03-15 12:09:39.000000000 -0400
25144+++ linux-2.6.33.1/drivers/pci/intel-iommu.c 2010-03-20 16:58:40.428854036 -0400
25145@@ -2940,7 +2940,7 @@ static int intel_mapping_error(struct de
25146 return !dma_addr;
25147 }
25148
25149-struct dma_map_ops intel_dma_ops = {
25150+const struct dma_map_ops intel_dma_ops = {
25151 .alloc_coherent = intel_alloc_coherent,
25152 .free_coherent = intel_free_coherent,
25153 .map_sg = intel_map_sg,
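--- a/drivers/pci/pcie/portdrv_pci.c
+++ b/drivers/pci/pcie/portdrv_pci.c
@@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
 static const struct pci_device_id port_pci_ids[] = { {
 /* handle any PCI-Express port */
 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
- }, { /* end: all zeroes */ }
+ }, { 0, 0, 0, 0, 0, 0, 0 }
 };
 MODULE_DEVICE_TABLE(pci, port_pci_ids);
 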
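Review bot: The replacement terminator `{ 0, 0, 0, 0, 0, 0, 0 }` in `port_pci_ids` ties the table to the exact member count of `struct pci_device_id`, which is declared outside this hunk, and it drops the `/* end: all zeroes */` marker that identified the entry as the sentinel. If the positional form is wanted to silence a missing-initializer warning, keep the marker next to it: `}, { 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`. The same rewrite appears in `ene_tune_tbl` (ti113x.h), `yenta_table` (yenta_socket.c) and the device table in 8250_pci.c, and the same comment would help there.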
ae4e228f
MT
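--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -480,7 +480,16 @@ static const struct file_operations proc
 static int __init pci_proc_init(void)
 {
 struct pci_dev *dev = NULL;
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
+#endif
+#else
 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
+#endif
 proc_create("devices", 0, proc_bus_pci_dir,
 &proc_bus_pci_dev_operations);
 proc_initialized = 1;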
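Review bot: In `pci_proc_init`, when `CONFIG_GRKERNSEC_PROC_ADD` is defined but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#ifdef`/`#elif` emits no assignment at all, so `proc_bus_pci_dir` keeps whatever value it had and `proc_create("devices", ...)` is called with it. Kconfig dependencies may exclude that combination, but they are not visible here, so the source should enforce it itself: before the inner `#endif` add `#else` followed by either `#error` or the plain `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);`. The result of `proc_mkdir_mode` is also used without a NULL check, as the unrestricted path already did. The function body continues past the end of the hunk.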
ae4e228f
MT
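--- a/drivers/pci/slot.c
+++ b/drivers/pci/slot.c
@@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
 }
 
-static struct sysfs_ops pci_slot_sysfs_ops = {
+static const struct sysfs_ops pci_slot_sysfs_ops = {
 .show = pci_slot_attr_show,
 .store = pci_slot_attr_store,
 };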
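--- a/drivers/pcmcia/ti113x.h
+++ b/drivers/pcmcia/ti113x.h
@@ -903,7 +903,7 @@ static struct pci_device_id ene_tune_tbl
 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
 
- {}
+ { 0, 0, 0, 0, 0, 0, 0 }
 };
 
 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)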
ae4e228f
MT
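--- a/drivers/pcmcia/yenta_socket.c
+++ b/drivers/pcmcia/yenta_socket.c
@@ -1432,7 +1432,7 @@ static struct pci_device_id yenta_table[
 
 /* match any cardbus bridge */
 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
- { /* all zeroes */ }
+ { 0, 0, 0, 0, 0, 0, 0 }
 };
 MODULE_DEVICE_TABLE(pci, yenta_table);
 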
ae4e228f
MT
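--- a/drivers/platform/x86/acer-wmi.c
+++ b/drivers/platform/x86/acer-wmi.c
@@ -915,7 +915,7 @@ static int update_bl_status(struct backl
 return 0;
 }
 
-static struct backlight_ops acer_bl_ops = {
+static const struct backlight_ops acer_bl_ops = {
 .get_brightness = read_brightness,
 .update_status = update_bl_status,
 };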
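--- a/drivers/platform/x86/asus_acpi.c
+++ b/drivers/platform/x86/asus_acpi.c
@@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
 return 0;
 }
 
-static struct backlight_ops asus_backlight_data = {
+static const struct backlight_ops asus_backlight_data = {
 .get_brightness = read_brightness,
 .update_status = set_brightness_status,
 };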
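--- a/drivers/platform/x86/asus-laptop.c
+++ b/drivers/platform/x86/asus-laptop.c
@@ -251,7 +251,7 @@ static struct backlight_device *asus_bac
 */
 static int read_brightness(struct backlight_device *bd);
 static int update_bl_status(struct backlight_device *bd);
-static struct backlight_ops asusbl_ops = {
+static const struct backlight_ops asusbl_ops = {
 .get_brightness = read_brightness,
 .update_status = update_bl_status,
 };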
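--- a/drivers/platform/x86/classmate-laptop.c
+++ b/drivers/platform/x86/classmate-laptop.c
@@ -452,7 +452,7 @@ static int cmpc_bl_update_status(struct
 return -1;
 }
 
-static struct backlight_ops cmpc_bl_ops = {
+static const struct backlight_ops cmpc_bl_ops = {
 .get_brightness = cmpc_bl_get_brightness,
 .update_status = cmpc_bl_update_status
 };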
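--- a/drivers/platform/x86/compal-laptop.c
+++ b/drivers/platform/x86/compal-laptop.c
@@ -162,7 +162,7 @@ static int bl_update_status(struct backl
 return set_lcd_level(b->props.brightness);
 }
 
-static struct backlight_ops compalbl_ops = {
+static const struct backlight_ops compalbl_ops = {
 .get_brightness = bl_get_brightness,
 .update_status = bl_update_status,
 };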
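--- a/drivers/platform/x86/dell-laptop.c
+++ b/drivers/platform/x86/dell-laptop.c
@@ -333,7 +333,7 @@ static int dell_get_intensity(struct bac
 return buffer.output[1];
 }
 
-static struct backlight_ops dell_ops = {
+static const struct backlight_ops dell_ops = {
 .get_brightness = dell_get_intensity,
 .update_status = dell_send_intensity,
 };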
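--- a/drivers/platform/x86/eeepc-laptop.c
+++ b/drivers/platform/x86/eeepc-laptop.c
@@ -1096,7 +1096,7 @@ static int update_bl_status(struct backl
 return set_brightness(bd, bd->props.brightness);
 }
 
-static struct backlight_ops eeepcbl_ops = {
+static const struct backlight_ops eeepcbl_ops = {
 .get_brightness = read_brightness,
 .update_status = update_bl_status,
 };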
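--- a/drivers/platform/x86/fujitsu-laptop.c
+++ b/drivers/platform/x86/fujitsu-laptop.c
@@ -436,7 +436,7 @@ static int bl_update_status(struct backl
 return ret;
 }
 
-static struct backlight_ops fujitsubl_ops = {
+static const struct backlight_ops fujitsubl_ops = {
 .get_brightness = bl_get_brightness,
 .update_status = bl_update_status,
 };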
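--- a/drivers/platform/x86/msi-laptop.c
+++ b/drivers/platform/x86/msi-laptop.c
@@ -161,7 +161,7 @@ static int bl_update_status(struct backl
 return set_lcd_level(b->props.brightness);
 }
 
-static struct backlight_ops msibl_ops = {
+static const struct backlight_ops msibl_ops = {
 .get_brightness = bl_get_brightness,
 .update_status = bl_update_status,
 };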
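--- a/drivers/platform/x86/msi-wmi.c
+++ b/drivers/platform/x86/msi-wmi.c
@@ -138,7 +138,7 @@ static int bl_set_status(struct backligh
 return msi_wmi_set_block(0, backlight_map[bright]);
 }
 
-static struct backlight_ops msi_backlight_ops = {
+static const struct backlight_ops msi_backlight_ops = {
 .get_brightness = bl_get,
 .update_status = bl_set_status,
 };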
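--- a/drivers/platform/x86/panasonic-laptop.c
+++ b/drivers/platform/x86/panasonic-laptop.c
@@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
 }
 
-static struct backlight_ops pcc_backlight_ops = {
+static const struct backlight_ops pcc_backlight_ops = {
 .get_brightness = bl_get,
 .update_status = bl_set_status,
 };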
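--- a/drivers/platform/x86/sony-laptop.c
+++ b/drivers/platform/x86/sony-laptop.c
@@ -853,7 +853,7 @@ static int sony_backlight_get_brightness
 }
 
 static struct backlight_device *sony_backlight_device;
-static struct backlight_ops sony_backlight_ops = {
+static const struct backlight_ops sony_backlight_ops = {
 .update_status = sony_backlight_update_status,
 .get_brightness = sony_backlight_get_brightness,
 };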
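--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -6131,7 +6131,7 @@ static void tpacpi_brightness_notify_cha
 BACKLIGHT_UPDATE_HOTKEY);
 }
 
-static struct backlight_ops ibm_backlight_data = {
+static const struct backlight_ops ibm_backlight_data = {
 .get_brightness = brightness_get,
 .update_status = brightness_update_status,
 };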
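--- a/drivers/platform/x86/toshiba_acpi.c
+++ b/drivers/platform/x86/toshiba_acpi.c
@@ -706,7 +706,7 @@ static acpi_status remove_device(void)
 return AE_OK;
 }
 
-static struct backlight_ops toshiba_backlight_data = {
+static const struct backlight_ops toshiba_backlight_data = {
 .get_brightness = get_lcd,
 .update_status = set_lcd_status,
 };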
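--- a/drivers/pnp/pnpbios/bioscalls.c
+++ b/drivers/pnp/pnpbios/bioscalls.c
@@ -60,7 +60,7 @@ do { \
 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
 } while(0)
 
-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
 
 /*
@@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
 
 cpu = get_cpu();
 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
+
+ pax_open_kernel();
 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
+ pax_close_kernel();
 
 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
 spin_lock_irqsave(&pnp_bios_lock, flags);
@@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
 :"memory");
 spin_unlock_irqrestore(&pnp_bios_lock, flags);
 
+ pax_open_kernel();
 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
+ pax_close_kernel();
+
 put_cpu();
 
 /* If we get here and this is set then the PnP BIOS faulted on us. */
@@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
 return status;
 }
 
-void pnpbios_calls_init(union pnp_bios_install_struct *header)
+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
 {
 int i;
 
@@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
 pnp_bios_callpoint.offset = header->fields.pm16offset;
 pnp_bios_callpoint.segment = PNP_CS16;
 
+ pax_open_kernel();
+
 for_each_possible_cpu(i) {
 struct desc_struct *gdt = get_cpu_gdt_table(i);
 if (!gdt)
@@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
 (unsigned long)__va(header->fields.pm16dseg));
 }
+
+ pax_close_kernel();
 }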
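Review bot: The change of the `bad_bios_desc` flags from `0x4092` to `0x4093` has no explanation next to it, although it is the least obvious line in this section. Bit 0 of the descriptor type is the accessed bit; presetting it presumably keeps the CPU from writing to the descriptor when the 0x40 selector is loaded, which would matter once the GDT is mapped read-only, and a comment should record that, e.g. `/* 0x4093: accessed bit preset so the CPU need not write the GDT entry */`. In `pnpbios_calls_init` the `pax_open_kernel()`/`pax_close_kernel()` pair spans the whole `for_each_possible_cpu` loop, whereas in `call_pnp_bios` each pair wraps a single store; part of the loop body is hidden by the hunk boundary, so confirm that nothing in it can sleep or leave the function while the window is open. Both functions extend outside the hunks shown.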
ae4e228f
MT
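--- a/drivers/pnp/quirks.c
+++ b/drivers/pnp/quirks.c
@@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
 /* PnP resources that might overlap PCI BARs */
 {"PNP0c01", quirk_system_pci_resources},
 {"PNP0c02", quirk_system_pci_resources},
- {""}
+ {"", NULL}
 };
 
 void pnp_fixup_device(struct pnp_dev *dev)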
ae4e228f
MT
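--- a/drivers/pnp/resource.c
+++ b/drivers/pnp/resource.c
@@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
 return 1;
 
 /* check if the resource is valid */
- if (*irq < 0 || *irq > 15)
+ if (*irq > 15)
 return 0;
 
 /* check if the resource is reserved */
@@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
 return 1;
 
 /* check if the resource is valid */
- if (*dma < 0 || *dma == 4 || *dma > 7)
+ if (*dma == 4 || *dma > 7)
 return 0;
 
 /* check if the resource is reserved */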
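Review bot: Dropping `*irq < 0` in `pnp_check_irq` and `*dma < 0` in `pnp_check_dma` preserves behaviour only if the pointed-to values are unsigned, and the declarations of `irq` and `dma` lie outside both hunks, so that cannot be confirmed from here. If they are unsigned, the old tests were dead code; if either is signed, a negative resource number would now pass the validity check. A one-line comment at each test would record the assumption, e.g. `/* *irq is unsigned: only the upper bound can fail */`. Both functions start and end outside their hunks.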
ae4e228f
MT
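--- a/drivers/s390/cio/qdio_debug.c
+++ b/drivers/s390/cio/qdio_debug.c
@@ -215,7 +215,7 @@ static int qperf_seq_open(struct inode *
 filp->f_path.dentry->d_inode->i_private);
 }
 
-static struct file_operations debugfs_perf_fops = {
+static const struct file_operations debugfs_perf_fops = {
 .owner = THIS_MODULE,
 .open = qperf_seq_open,
 .read = seq_read,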
ae4e228f
MT
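--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -5291,7 +5291,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
 return true;
 }
 
-static struct ata_port_operations ipr_sata_ops = {
+static const struct ata_port_operations ipr_sata_ops = {
 .phy_reset = ipr_ata_phy_reset,
 .hardreset = ipr_sata_reset,
 .post_internal_cmd = ipr_ata_post_internal,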
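--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -100,12 +100,12 @@ struct fc_exch_mgr {
 * all together if not used XXX
 */
 struct {
- atomic_t no_free_exch;
- atomic_t no_free_exch_xid;
- atomic_t xid_not_found;
- atomic_t xid_busy;
- atomic_t seq_not_found;
- atomic_t non_bls_resp;
+ atomic_unchecked_t no_free_exch;
+ atomic_unchecked_t no_free_exch_xid;
+ atomic_unchecked_t xid_not_found;
+ atomic_unchecked_t xid_busy;
+ atomic_unchecked_t seq_not_found;
+ atomic_unchecked_t non_bls_resp;
 } stats;
 };
 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
@@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
 /* allocate memory for exchange */
 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
 if (!ep) {
- atomic_inc(&mp->stats.no_free_exch);
+ atomic_inc_unchecked(&mp->stats.no_free_exch);
 goto out;
 }
 memset(ep, 0, sizeof(*ep));
@@ -718,7 +718,7 @@ out:
 return ep;
 err:
 spin_unlock_bh(&pool->lock);
- atomic_inc(&mp->stats.no_free_exch_xid);
+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
 mempool_free(ep, mp->ep_pool);
 return NULL;
 }
@@ -868,7 +868,7 @@ static enum fc_pf_rjt_reason fc_seq_look
 xid = ntohs(fh->fh_ox_id); /* we originated exch */
 ep = fc_exch_find(mp, xid);
 if (!ep) {
- atomic_inc(&mp->stats.xid_not_found);
+ atomic_inc_unchecked(&mp->stats.xid_not_found);
 reject = FC_RJT_OX_ID;
 goto out;
 }
@@ -898,7 +898,7 @@ static enum fc_pf_rjt_reason fc_seq_look
 ep = fc_exch_find(mp, xid);
 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
 if (ep) {
- atomic_inc(&mp->stats.xid_busy);
+ atomic_inc_unchecked(&mp->stats.xid_busy);
 reject = FC_RJT_RX_ID;
 goto rel;
 }
@@ -909,7 +909,7 @@ static enum fc_pf_rjt_reason fc_seq_look
 }
 xid = ep->xid; /* get our XID */
 } else if (!ep) {
- atomic_inc(&mp->stats.xid_not_found);
+ atomic_inc_unchecked(&mp->stats.xid_not_found);
 reject = FC_RJT_RX_ID; /* XID not found */
 goto out;
 }
@@ -930,7 +930,7 @@ static enum fc_pf_rjt_reason fc_seq_look
 } else {
 sp = &ep->seq;
 if (sp->id != fh->fh_seq_id) {
- atomic_inc(&mp->stats.seq_not_found);
+ atomic_inc_unchecked(&mp->stats.seq_not_found);
 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
 goto rel;
 }
@@ -1317,22 +1317,22 @@ static void fc_exch_recv_seq_resp(struct
 
 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
 if (!ep) {
- atomic_inc(&mp->stats.xid_not_found);
+ atomic_inc_unchecked(&mp->stats.xid_not_found);
 goto out;
 }
 if (ep->esb_stat & ESB_ST_COMPLETE) {
- atomic_inc(&mp->stats.xid_not_found);
+ atomic_inc_unchecked(&mp->stats.xid_not_found);
 goto out;
 }
 if (ep->rxid == FC_XID_UNKNOWN)
 ep->rxid = ntohs(fh->fh_rx_id);
 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
- atomic_inc(&mp->stats.xid_not_found);
+ atomic_inc_unchecked(&mp->stats.xid_not_found);
 goto rel;
 }
 if (ep->did != ntoh24(fh->fh_s_id) &&
 ep->did != FC_FID_FLOGI) {
- atomic_inc(&mp->stats.xid_not_found);
+ atomic_inc_unchecked(&mp->stats.xid_not_found);
 goto rel;
 }
 sof = fr_sof(fp);
@@ -1343,7 +1343,7 @@ static void fc_exch_recv_seq_resp(struct
 } else {
 sp = &ep->seq;
 if (sp->id != fh->fh_seq_id) {
- atomic_inc(&mp->stats.seq_not_found);
+ atomic_inc_unchecked(&mp->stats.seq_not_found);
 goto rel;
 }
 }
@@ -1406,9 +1406,9 @@ static void fc_exch_recv_resp(struct fc_
 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
 
 if (!sp)
- atomic_inc(&mp->stats.xid_not_found);
+ atomic_inc_unchecked(&mp->stats.xid_not_found);
 else
- atomic_inc(&mp->stats.non_bls_resp);
+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
 
 fc_frame_free(fp);
 }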
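Review bot: The six `stats` members of `struct fc_exch_mgr` become `atomic_unchecked_t` with no comment saying why they are exempt from overflow checking, and these hunks convert only the `atomic_inc` call sites. Any other accessor of the counters that is not shown here (a read for reporting, a reset) has to use the matching `_unchecked` variant as well, so the rest of the file should be checked for leftovers. I would add above the members `/* statistics only: wrapping is harmless, so these are not overflow-checked */`, so that nobody later puts a real reference count into this group. All of the touched functions start or end outside their hunks.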
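--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
 }
 }
 
-static struct ata_port_operations sas_sata_ops = {
+static const struct ata_port_operations sas_sata_ops = {
 .phy_reset = sas_ata_phy_reset,
 .post_internal_cmd = sas_ata_post_internal,
 .qc_prep = ata_noop_qc_prep,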
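--- a/drivers/scsi/scsi_logging.h
+++ b/drivers/scsi/scsi_logging.h
@@ -51,7 +51,7 @@ do { \
 } while (0); \
 } while (0)
 #else
-#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
+#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
 #endif /* CONFIG_SCSI_LOGGING */
 
 /*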
ae4e228f
MT
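--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
 const struct file_operations * fops;
 };
 
-static struct sg_proc_leaf sg_proc_leaf_arr[] = {
+static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
 {"allow_dio", &adio_fops},
 {"debug", &debug_fops},
 {"def_reserved_size", &dressz_fops},
@@ -2307,7 +2307,7 @@ sg_proc_init(void)
 {
 int k, mask;
 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
- struct sg_proc_leaf * leaf;
+ const struct sg_proc_leaf * leaf;
 
 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
 if (!sg_proc_sgp)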
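--- a/drivers/serial/8250_pci.c
+++ b/drivers/serial/8250_pci.c
@@ -3664,7 +3664,7 @@ static struct pci_device_id serial_pci_t
 PCI_ANY_ID, PCI_ANY_ID,
 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
 0xffff00, pbn_default },
- { 0, }
+ { 0, 0, 0, 0, 0, 0, 0 }
 };
 
 static struct pci_driver serial_pci_driver = {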
ae4e228f
MT
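--- a/drivers/serial/kgdboc.c
+++ b/drivers/serial/kgdboc.c
@@ -18,7 +18,7 @@
 
 #define MAX_CONFIG_LEN 40
 
-static struct kgdb_io kgdboc_io_ops;
+static const struct kgdb_io kgdboc_io_ops;
 
 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
 static int configured = -1;
@@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
 module_put(THIS_MODULE);
 }
 
-static struct kgdb_io kgdboc_io_ops = {
+static const struct kgdb_io kgdboc_io_ops = {
 .name = "kgdboc",
 .read_char = kgdboc_get_char,
 .write_char = kgdboc_put_char,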
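--- a/drivers/staging/b3dfg/b3dfg.c
+++ b/drivers/staging/b3dfg/b3dfg.c
@@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
 return VM_FAULT_NOPAGE;
 }
 
-static struct vm_operations_struct b3dfg_vm_ops = {
+static const struct vm_operations_struct b3dfg_vm_ops = {
 .fault = b3dfg_vma_fault,
 };
 
@@ -836,7 +836,7 @@ static int b3dfg_mmap(struct file *filp,
 return r;
 }
 
-static struct file_operations b3dfg_fops = {
+static const struct file_operations b3dfg_fops = {
 .owner = THIS_MODULE,
 .open = b3dfg_open,
 .release = b3dfg_release,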
ae4e228f
MT
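--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1384,7 +1384,7 @@ void comedi_unmap(struct vm_area_struct
 mutex_unlock(&dev->mutex);
 }
 
-static struct vm_operations_struct comedi_vm_ops = {
+static const struct vm_operations_struct comedi_vm_ops = {
 .close = comedi_unmap,
 };
 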
ae4e228f
MT
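--- a/drivers/staging/dream/pmem.c
+++ b/drivers/staging/dream/pmem.c
@@ -174,7 +174,7 @@ static int pmem_mmap(struct file *, stru
 static int pmem_open(struct inode *, struct file *);
 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
 
-struct file_operations pmem_fops = {
+const struct file_operations pmem_fops = {
 .release = pmem_release,
 .mmap = pmem_mmap,
 .open = pmem_open,
@@ -1202,7 +1202,7 @@ static ssize_t debug_read(struct file *f
 return simple_read_from_buffer(buf, count, ppos, buffer, n);
 }
 
-static struct file_operations debug_fops = {
+static const struct file_operations debug_fops = {
 .read = debug_read,
 .open = debug_open,
 };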
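--- a/drivers/staging/dream/qdsp5/adsp_driver.c
+++ b/drivers/staging/dream/qdsp5/adsp_driver.c
@@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
 static dev_t adsp_devno;
 static struct class *adsp_class;
 
-static struct file_operations adsp_fops = {
+static const struct file_operations adsp_fops = {
 .owner = THIS_MODULE,
 .open = adsp_open,
 .unlocked_ioctl = adsp_ioctl,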
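--- a/drivers/staging/dream/qdsp5/audio_aac.c
+++ b/drivers/staging/dream/qdsp5/audio_aac.c
@@ -1022,7 +1022,7 @@ done:
 return rc;
 }
 
-static struct file_operations audio_aac_fops = {
+static const struct file_operations audio_aac_fops = {
 .owner = THIS_MODULE,
 .open = audio_open,
 .release = audio_release,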
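--- a/drivers/staging/dream/qdsp5/audio_amrnb.c
+++ b/drivers/staging/dream/qdsp5/audio_amrnb.c
@@ -833,7 +833,7 @@ done:
 return rc;
 }
 
-static struct file_operations audio_amrnb_fops = {
+static const struct file_operations audio_amrnb_fops = {
 .owner = THIS_MODULE,
 .open = audamrnb_open,
 .release = audamrnb_release,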
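--- a/drivers/staging/dream/qdsp5/audio_evrc.c
+++ b/drivers/staging/dream/qdsp5/audio_evrc.c
@@ -805,7 +805,7 @@ dma_fail:
 return rc;
 }
 
-static struct file_operations audio_evrc_fops = {
+static const struct file_operations audio_evrc_fops = {
 .owner = THIS_MODULE,
 .open = audevrc_open,
 .release = audevrc_release,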
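--- a/drivers/staging/dream/qdsp5/audio_in.c
+++ b/drivers/staging/dream/qdsp5/audio_in.c
@@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
 return 0;
 }
 
-static struct file_operations audio_fops = {
+static const struct file_operations audio_fops = {
 .owner = THIS_MODULE,
 .open = audio_in_open,
 .release = audio_in_release,
@@ -922,7 +922,7 @@ static struct file_operations audio_fops
 .unlocked_ioctl = audio_in_ioctl,
 };
 
-static struct file_operations audpre_fops = {
+static const struct file_operations audpre_fops = {
 .owner = THIS_MODULE,
 .open = audpre_open,
 .unlocked_ioctl = audpre_ioctl,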
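--- a/drivers/staging/dream/qdsp5/audio_mp3.c
+++ b/drivers/staging/dream/qdsp5/audio_mp3.c
@@ -941,7 +941,7 @@ done:
 return rc;
 }
 
-static struct file_operations audio_mp3_fops = {
+static const struct file_operations audio_mp3_fops = {
 .owner = THIS_MODULE,
 .open = audio_open,
 .release = audio_release,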
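--- a/drivers/staging/dream/qdsp5/audio_out.c
+++ b/drivers/staging/dream/qdsp5/audio_out.c
@@ -806,7 +806,7 @@ static int audpp_open(struct inode *inod
 return 0;
 }
 
-static struct file_operations audio_fops = {
+static const struct file_operations audio_fops = {
 .owner = THIS_MODULE,
 .open = audio_open,
 .release = audio_release,
@@ -815,7 +815,7 @@ static struct file_operations audio_fops
 .unlocked_ioctl = audio_ioctl,
 };
 
-static struct file_operations audpp_fops = {
+static const struct file_operations audpp_fops = {
 .owner = THIS_MODULE,
 .open = audpp_open,
 .unlocked_ioctl = audpp_ioctl,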
25864diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c
25865--- linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-03-15 12:09:39.000000000 -0400
25866+++ linux-2.6.33.1/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-03-20 16:58:40.816705807 -0400
25867@@ -816,7 +816,7 @@ err:
25868 return rc;
25869 }
25870
25871-static struct file_operations audio_qcelp_fops = {
25872+static const struct file_operations audio_qcelp_fops = {
58c5fc13 25873 .owner = THIS_MODULE,
25874 .open = audqcelp_open,
25875 .release = audqcelp_release,
25876diff -urNp linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c
25877--- linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c 2010-03-15 12:09:39.000000000 -0400
25878+++ linux-2.6.33.1/drivers/staging/dream/qdsp5/snd.c 2010-03-20 16:58:40.816705807 -0400
25879@@ -242,7 +242,7 @@ err:
25880 return rc;
25881 }
25882
25883-static struct file_operations snd_fops = {
25884+static const struct file_operations snd_fops = {
25885 .owner = THIS_MODULE,
25886 .open = snd_open,
25887 .release = snd_release,
25888diff -urNp linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c
25889--- linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c 2010-03-15 12:09:39.000000000 -0400
25890+++ linux-2.6.33.1/drivers/staging/dream/smd/smd_qmi.c 2010-03-20 16:58:40.828884259 -0400
25891@@ -788,7 +788,7 @@ static int qmi_release(struct inode *ip,
25892 return 0;
25893 }
25894
25895-static struct file_operations qmi_fops = {
25896+static const struct file_operations qmi_fops = {
25897 .owner = THIS_MODULE,
25898 .read = qmi_read,
25899 .write = qmi_write,
25900diff -urNp linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c
25901--- linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-03-15 12:09:39.000000000 -0400
25902+++ linux-2.6.33.1/drivers/staging/dream/smd/smd_rpcrouter_device.c 2010-03-20 16:58:40.828884259 -0400
25903@@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
25904 return rc;
25905 }
25906
25907-static struct file_operations rpcrouter_server_fops = {
25908+static const struct file_operations rpcrouter_server_fops = {
25909 .owner = THIS_MODULE,
25910 .open = rpcrouter_open,
25911 .release = rpcrouter_release,
25912@@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
25913 .unlocked_ioctl = rpcrouter_ioctl,
25914 };
25915
25916-static struct file_operations rpcrouter_router_fops = {
25917+static const struct file_operations rpcrouter_router_fops = {
25918 .owner = THIS_MODULE,
25919 .open = rpcrouter_open,
25920 .release = rpcrouter_release,
25921diff -urNp linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c
25922--- linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c 2010-03-15 12:09:39.000000000 -0400
25923+++ linux-2.6.33.1/drivers/staging/go7007/go7007-v4l2.c 2010-03-20 16:58:40.858660027 -0400
25924@@ -1674,7 +1674,7 @@ static int go7007_vm_fault(struct vm_are
25925 return 0;
25926 }
25927
25928-static struct vm_operations_struct go7007_vm_ops = {
25929+static const struct vm_operations_struct go7007_vm_ops = {
25930 .open = go7007_vm_open,
25931 .close = go7007_vm_close,
25932 .fault = go7007_vm_fault,
25933diff -urNp linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c
25934--- linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c 2010-03-15 12:09:39.000000000 -0400
25935+++ linux-2.6.33.1/drivers/staging/hv/blkvsc_drv.c 2010-03-20 16:58:40.876878598 -0400
25936@@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
25937 /* The one and only one */
25938 static struct blkvsc_driver_context g_blkvsc_drv;
25939
25940-static struct block_device_operations block_ops = {
25941+static const struct block_device_operations block_ops = {
25942 .owner = THIS_MODULE,
25943 .open = blkvsc_open,
25944 .release = blkvsc_release,
25945diff -urNp linux-2.6.33.1/drivers/staging/panel/panel.c linux-2.6.33.1/drivers/staging/panel/panel.c
25946--- linux-2.6.33.1/drivers/staging/panel/panel.c 2010-03-15 12:09:39.000000000 -0400
25947+++ linux-2.6.33.1/drivers/staging/panel/panel.c 2010-03-20 16:58:40.888879754 -0400
25948@@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
25949 return 0;
25950 }
25951
25952-static struct file_operations lcd_fops = {
25953+static const struct file_operations lcd_fops = {
25954 .write = lcd_write,
25955 .open = lcd_open,
25956 .release = lcd_release,
ae4e228f 25957@@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
25958 return 0;
25959 }
25960
25961-static struct file_operations keypad_fops = {
25962+static const struct file_operations keypad_fops = {
25963 .read = keypad_read, /* read */
25964 .open = keypad_open, /* open */
25965 .release = keypad_release, /* close */
25966diff -urNp linux-2.6.33.1/drivers/staging/phison/phison.c linux-2.6.33.1/drivers/staging/phison/phison.c
25967--- linux-2.6.33.1/drivers/staging/phison/phison.c 2010-03-15 12:09:39.000000000 -0400
25968+++ linux-2.6.33.1/drivers/staging/phison/phison.c 2010-03-20 16:58:40.896878917 -0400
25969@@ -43,7 +43,7 @@ static struct scsi_host_template phison_
25970 ATA_BMDMA_SHT(DRV_NAME),
25971 };
25972
25973-static struct ata_port_operations phison_ops = {
25974+static const struct ata_port_operations phison_ops = {
25975 .inherits = &ata_bmdma_port_ops,
25976 .prereset = phison_pre_reset,
25977 };
25978diff -urNp linux-2.6.33.1/drivers/staging/poch/poch.c linux-2.6.33.1/drivers/staging/poch/poch.c
25979--- linux-2.6.33.1/drivers/staging/poch/poch.c 2010-03-15 12:09:39.000000000 -0400
25980+++ linux-2.6.33.1/drivers/staging/poch/poch.c 2010-03-20 16:58:40.920050870 -0400
25981@@ -1032,7 +1032,7 @@ static int poch_ioctl(struct inode *inod
25982 return 0;
25983 }
25984
25985-static struct file_operations poch_fops = {
25986+static const struct file_operations poch_fops = {
25987 .owner = THIS_MODULE,
25988 .open = poch_open,
25989 .release = poch_release,
25990diff -urNp linux-2.6.33.1/drivers/staging/pohmelfs/inode.c linux-2.6.33.1/drivers/staging/pohmelfs/inode.c
25991--- linux-2.6.33.1/drivers/staging/pohmelfs/inode.c 2010-03-15 12:09:39.000000000 -0400
25992+++ linux-2.6.33.1/drivers/staging/pohmelfs/inode.c 2010-03-20 16:58:40.936891697 -0400
25993@@ -1854,7 +1854,7 @@ static int pohmelfs_fill_super(struct su
25994 mutex_init(&psb->mcache_lock);
25995 psb->mcache_root = RB_ROOT;
25996 psb->mcache_timeout = msecs_to_jiffies(5000);
25997- atomic_long_set(&psb->mcache_gen, 0);
25998+ atomic_long_set_unchecked(&psb->mcache_gen, 0);
25999
26000 psb->trans_max_pages = 100;
26001
26002diff -urNp linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c
26003--- linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c 2010-03-15 12:09:39.000000000 -0400
26004+++ linux-2.6.33.1/drivers/staging/pohmelfs/mcache.c 2010-03-20 16:58:40.936891697 -0400
26005@@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
26006 m->data = data;
26007 m->start = start;
26008 m->size = size;
26009- m->gen = atomic_long_inc_return(&psb->mcache_gen);
26010+ m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
26011
26012 mutex_lock(&psb->mcache_lock);
26013 err = pohmelfs_mcache_insert(psb, m);
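Review bot: Nothing at this call site records why `mcache_gen` is allowed to wrap silently: `m->gen` takes its value from `atomic_long_inc_return_unchecked()` and the entry is handed to `pohmelfs_mcache_insert()` two lines later. If that insert uses `gen` as a lookup key (not visible in this hunk), a wrapped counter could collide with a live entry, so the exemption from overflow checking deserves a one-line comment such as `/* generation id, not a reference count: wraparound tolerated */`. The matching type change in netfs.h and the initialisation in inode.c would carry the same comment. The enclosing function starts and ends outside the hunk.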
26014diff -urNp linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h
26015--- linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h 2010-03-15 12:09:39.000000000 -0400
26016+++ linux-2.6.33.1/drivers/staging/pohmelfs/netfs.h 2010-03-20 16:58:40.940661223 -0400
26017@@ -571,7 +571,7 @@ struct pohmelfs_config;
26018 struct pohmelfs_sb {
26019 struct rb_root mcache_root;
26020 struct mutex mcache_lock;
26021- atomic_long_t mcache_gen;
26022+ atomic_long_unchecked_t mcache_gen;
26023 unsigned long mcache_timeout;
26024
26025 unsigned int idx;
26026diff -urNp linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c
26027--- linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c 2010-03-15 12:09:39.000000000 -0400
26028+++ linux-2.6.33.1/drivers/staging/ramzswap/ramzswap_drv.c 2010-03-20 16:58:40.944873774 -0400
26029@@ -1288,7 +1288,7 @@ out:
26030 return ret;
26031 }
26032
26033-static struct block_device_operations ramzswap_devops = {
26034+static const struct block_device_operations ramzswap_devops = {
26035 .ioctl = ramzswap_ioctl,
26036 .owner = THIS_MODULE,
26037 };
26038diff -urNp linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c
26039--- linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c 2010-03-15 12:09:39.000000000 -0400
26040+++ linux-2.6.33.1/drivers/staging/rtl8192u/ieee80211/proc.c 2010-03-20 16:58:40.944873774 -0400
26041@@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
26042 return seq_open(file, &crypto_seq_ops);
26043 }
26044
26045-static struct file_operations proc_crypto_ops = {
26046+static const struct file_operations proc_crypto_ops = {
26047 .open = crypto_info_open,
26048 .read = seq_read,
26049 .llseek = seq_lseek,
26050diff -urNp linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c
26051--- linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c 2010-03-15 12:09:39.000000000 -0400
26052+++ linux-2.6.33.1/drivers/staging/samsung-laptop/samsung-laptop.c 2010-03-20 16:58:40.952877179 -0400
26053@@ -268,7 +268,7 @@ static int update_status(struct backligh
26054 return 0;
26055 }
26056
26057-static struct backlight_ops backlight_ops = {
26058+static const struct backlight_ops backlight_ops = {
26059 .get_brightness = get_brightness,
26060 .update_status = update_status,
26061 };
26062diff -urNp linux-2.6.33.1/drivers/staging/sep/sep_driver.c linux-2.6.33.1/drivers/staging/sep/sep_driver.c
26063--- linux-2.6.33.1/drivers/staging/sep/sep_driver.c 2010-03-15 12:09:39.000000000 -0400
26064+++ linux-2.6.33.1/drivers/staging/sep/sep_driver.c 2010-03-20 16:58:40.956865691 -0400
26065@@ -2605,7 +2605,7 @@ static struct pci_driver sep_pci_driver
26066 static dev_t sep_devno;
26067
26068 /* the files operations structure of the driver */
26069-static struct file_operations sep_file_operations = {
26070+static const struct file_operations sep_file_operations = {
26071 .owner = THIS_MODULE,
26072 .ioctl = sep_ioctl,
26073 .poll = sep_poll,
26074diff -urNp linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c
26075--- linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c 2010-03-15 12:09:39.000000000 -0400
26076+++ linux-2.6.33.1/drivers/staging/vme/devices/vme_user.c 2010-03-20 16:58:40.956865691 -0400
26077@@ -135,7 +135,7 @@ static int vme_user_ioctl(struct inode *
26078 static int __init vme_user_probe(struct device *, int, int);
26079 static int __exit vme_user_remove(struct device *, int, int);
26080
26081-static struct file_operations vme_user_fops = {
26082+static const struct file_operations vme_user_fops = {
26083 .open = vme_user_open,
26084 .release = vme_user_release,
26085 .read = vme_user_read,
26086diff -urNp linux-2.6.33.1/drivers/uio/uio.c linux-2.6.33.1/drivers/uio/uio.c
26087--- linux-2.6.33.1/drivers/uio/uio.c 2010-03-15 12:09:39.000000000 -0400
26088+++ linux-2.6.33.1/drivers/uio/uio.c 2010-03-20 16:58:40.964892465 -0400
26089@@ -129,7 +129,7 @@ static ssize_t map_type_show(struct kobj
26090 return entry->show(mem, buf);
26091 }
26092
26093-static struct sysfs_ops map_sysfs_ops = {
26094+static const struct sysfs_ops map_sysfs_ops = {
26095 .show = map_type_show,
26096 };
26097
26098@@ -217,7 +217,7 @@ static ssize_t portio_type_show(struct k
26099 return entry->show(port, buf);
26100 }
26101
26102-static struct sysfs_ops portio_sysfs_ops = {
26103+static const struct sysfs_ops portio_sysfs_ops = {
26104 .show = portio_type_show,
26105 };
26106
26107diff -urNp linux-2.6.33.1/drivers/usb/atm/usbatm.c linux-2.6.33.1/drivers/usb/atm/usbatm.c
26108--- linux-2.6.33.1/drivers/usb/atm/usbatm.c 2010-03-15 12:09:39.000000000 -0400
26109+++ linux-2.6.33.1/drivers/usb/atm/usbatm.c 2010-03-20 16:58:40.976907794 -0400
26110@@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
26111 if (printk_ratelimit())
26112 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
26113 __func__, vpi, vci);
26114- atomic_inc(&vcc->stats->rx_err);
26115+ atomic_inc_unchecked(&vcc->stats->rx_err);
26116 return;
26117 }
26118
26119@@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
26120 if (length > ATM_MAX_AAL5_PDU) {
26121 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
26122 __func__, length, vcc);
26123- atomic_inc(&vcc->stats->rx_err);
26124+ atomic_inc_unchecked(&vcc->stats->rx_err);
26125 goto out;
26126 }
26127
26128@@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
26129 if (sarb->len < pdu_length) {
26130 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
26131 __func__, pdu_length, sarb->len, vcc);
26132- atomic_inc(&vcc->stats->rx_err);
26133+ atomic_inc_unchecked(&vcc->stats->rx_err);
26134 goto out;
26135 }
26136
26137 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
26138 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
26139 __func__, vcc);
26140- atomic_inc(&vcc->stats->rx_err);
26141+ atomic_inc_unchecked(&vcc->stats->rx_err);
26142 goto out;
26143 }
26144
26145@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
26146 if (printk_ratelimit())
26147 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
26148 __func__, length);
26149- atomic_inc(&vcc->stats->rx_drop);
26150+ atomic_inc_unchecked(&vcc->stats->rx_drop);
26151 goto out;
26152 }
26153
26154@@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
26155
26156 vcc->push(vcc, skb);
26157
26158- atomic_inc(&vcc->stats->rx);
26159+ atomic_inc_unchecked(&vcc->stats->rx);
26160 out:
26161 skb_trim(sarb, 0);
26162 }
26163@@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
26164 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
26165
26166 usbatm_pop(vcc, skb);
26167- atomic_inc(&vcc->stats->tx);
26168+ atomic_inc_unchecked(&vcc->stats->tx);
26169
26170 skb = skb_dequeue(&instance->sndqueue);
26171 }
26172@@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
26173 if (!left--)
26174 return sprintf(page,
26175 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
26176- atomic_read(&atm_dev->stats.aal5.tx),
26177- atomic_read(&atm_dev->stats.aal5.tx_err),
26178- atomic_read(&atm_dev->stats.aal5.rx),
26179- atomic_read(&atm_dev->stats.aal5.rx_err),
26180- atomic_read(&atm_dev->stats.aal5.rx_drop));
26181+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
26182+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
26183+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
26184+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
26185+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
26186
26187 if (!left--) {
26188 if (instance->disconnected)
26189diff -urNp linux-2.6.33.1/drivers/usb/class/cdc-acm.c linux-2.6.33.1/drivers/usb/class/cdc-acm.c
26190--- linux-2.6.33.1/drivers/usb/class/cdc-acm.c 2010-03-15 12:09:39.000000000 -0400
26191+++ linux-2.6.33.1/drivers/usb/class/cdc-acm.c 2010-03-20 16:58:40.993421809 -0400
26192@@ -1590,7 +1590,7 @@ static struct usb_device_id acm_ids[] =
26193 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
26194 USB_CDC_ACM_PROTO_AT_CDMA) },
26195
26196- { }
26197+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
26198 };
26199
26200 MODULE_DEVICE_TABLE(usb, acm_ids);
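Review bot: The positional terminator `{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` ties this table to the exact number and order of fields in `struct usb_device_id`; if a field is added or removed, the line either draws an excess-initializer diagnostic or quietly goes back to partial initialisation. The old `{ }` produced the same all-zero entry, so if the aim is only to quiet a missing-initializer warning (presumably it is), a designated form such as `{ .match_flags = 0 }` stays independent of the layout. The same pattern appears in the terminators changed in usblp.c, hub.c, ehci-pci.c, uhci-hcd.c, usb.c and usual-tables.c; ehci-pci.c and uhci-hcd.c also drop the `/* end: all zeroes */` comment, which is worth keeping.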
26201diff -urNp linux-2.6.33.1/drivers/usb/class/usblp.c linux-2.6.33.1/drivers/usb/class/usblp.c
26202--- linux-2.6.33.1/drivers/usb/class/usblp.c 2010-03-15 12:09:39.000000000 -0400
26203+++ linux-2.6.33.1/drivers/usb/class/usblp.c 2010-03-20 16:58:41.016571934 -0400
26204@@ -228,7 +228,7 @@ static const struct quirk_printer_struct
26205 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
26206 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
26207 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
26208- { 0, 0 }
26209+ { 0, 0, 0 }
26210 };
26211
26212 static int usblp_wwait(struct usblp *usblp, int nonblock);
26213@@ -1412,7 +1412,7 @@ static struct usb_device_id usblp_ids []
26214 { USB_INTERFACE_INFO(7, 1, 2) },
26215 { USB_INTERFACE_INFO(7, 1, 3) },
26216 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
26217- { } /* Terminating entry */
26218+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26219 };
26220
26221 MODULE_DEVICE_TABLE (usb, usblp_ids);
26222diff -urNp linux-2.6.33.1/drivers/usb/core/hcd.c linux-2.6.33.1/drivers/usb/core/hcd.c
26223--- linux-2.6.33.1/drivers/usb/core/hcd.c 2010-03-15 12:09:39.000000000 -0400
26224+++ linux-2.6.33.1/drivers/usb/core/hcd.c 2010-03-20 16:58:41.020890314 -0400
26225@@ -2266,7 +2266,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
26226
26227 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
26228
26229-struct usb_mon_operations *mon_ops;
26230+const struct usb_mon_operations *mon_ops;
26231
26232 /*
26233 * The registration is unlocked.
26234@@ -2276,7 +2276,7 @@ struct usb_mon_operations *mon_ops;
26235 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
26236 */
26237
26238-int usb_mon_register (struct usb_mon_operations *ops)
26239+int usb_mon_register (const struct usb_mon_operations *ops)
26240 {
26241
26242 if (mon_ops)
26243diff -urNp linux-2.6.33.1/drivers/usb/core/hcd.h linux-2.6.33.1/drivers/usb/core/hcd.h
26244--- linux-2.6.33.1/drivers/usb/core/hcd.h 2010-03-15 12:09:39.000000000 -0400
26245+++ linux-2.6.33.1/drivers/usb/core/hcd.h 2010-03-20 16:58:41.032566122 -0400
26246@@ -501,13 +501,13 @@ static inline void usbfs_cleanup(void) {
26247 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
26248
26249 struct usb_mon_operations {
26250- void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
26251- void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
26252- void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
26253+ void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
26254+ void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
26255+ void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
26256 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
26257 };
26258
26259-extern struct usb_mon_operations *mon_ops;
26260+extern const struct usb_mon_operations *mon_ops;
26261
26262 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
26263 {
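Review bot: The `const` added to `extern const struct usb_mon_operations *mon_ops;` qualifies the table being pointed to, not the pointer, so the variable that the inline wrappers dereference (`(*mon_ops->urb_complete)(bus, urb, status)` further down) is still ordinary writable data assigned by `usb_mon_register()`. That is unavoidable for a registration hook, but it should be stated next to the struct so the constification is not read as covering the whole dispatch path, e.g. `/* table is read-only; mon_ops itself is set by usb_mon_register() */`. The per-member `(* const urb_submit)` qualifiers additionally mean an instance can only be filled in by an initializer, never assigned at run time; `mon_ops_0` in mon_main.c satisfies that. The body of usbmon_urb_submit continues outside the hunk.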
26264@@ -529,7 +529,7 @@ static inline void usbmon_urb_complete(s
26265 (*mon_ops->urb_complete)(bus, urb, status);
26266 }
26267
26268-int usb_mon_register(struct usb_mon_operations *ops);
26269+int usb_mon_register(const struct usb_mon_operations *ops);
26270 void usb_mon_deregister(void);
26271
26272 #else
26273diff -urNp linux-2.6.33.1/drivers/usb/core/hub.c linux-2.6.33.1/drivers/usb/core/hub.c
26274--- linux-2.6.33.1/drivers/usb/core/hub.c 2010-03-15 12:09:39.000000000 -0400
26275+++ linux-2.6.33.1/drivers/usb/core/hub.c 2010-03-20 16:58:41.044569139 -0400
26276@@ -3462,7 +3462,7 @@ static struct usb_device_id hub_id_table
26277 .bDeviceClass = USB_CLASS_HUB},
26278 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
26279 .bInterfaceClass = USB_CLASS_HUB},
26280- { } /* Terminating entry */
26281+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26282 };
26283
26284 MODULE_DEVICE_TABLE (usb, hub_id_table);
26285diff -urNp linux-2.6.33.1/drivers/usb/core/message.c linux-2.6.33.1/drivers/usb/core/message.c
26286--- linux-2.6.33.1/drivers/usb/core/message.c 2010-03-15 12:09:39.000000000 -0400
26287+++ linux-2.6.33.1/drivers/usb/core/message.c 2010-03-20 16:58:41.048891316 -0400
26288@@ -909,8 +909,8 @@ char *usb_cache_string(struct usb_device
26289 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
26290 if (buf) {
26291 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
26292- if (len > 0) {
ae4e228f 26293- smallbuf = kmalloc(++len, GFP_NOIO);
58c5fc13 26294+ if (len++ > 0) {
ae4e228f 26295+ smallbuf = kmalloc(len, GFP_NOIO);
26296 if (!smallbuf)
26297 return buf;
26298 memcpy(smallbuf, buf, len);
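Review bot: The post-increment inside the condition, `if (len++ > 0)`, now bumps `len` on the failure path as well and hides the extra byte (presumably for the terminating NUL that `memcpy` then copies) inside a comparison. Keeping the test pure and incrementing in the body reads more plainly and still passes a side-effect-free argument to `kmalloc`: keep `if (len > 0) {`, then `len++;` on its own line before `smallbuf = kmalloc(len, GFP_NOIO);`. Whether `len` is read again after the `if` cannot be seen here, because usb_cache_string starts and ends outside the hunk.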
26299diff -urNp linux-2.6.33.1/drivers/usb/host/ehci-pci.c linux-2.6.33.1/drivers/usb/host/ehci-pci.c
26300--- linux-2.6.33.1/drivers/usb/host/ehci-pci.c 2010-03-15 12:09:39.000000000 -0400
26301+++ linux-2.6.33.1/drivers/usb/host/ehci-pci.c 2010-03-20 16:58:41.060592249 -0400
26302@@ -422,7 +422,7 @@ static const struct pci_device_id pci_id
26303 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
26304 .driver_data = (unsigned long) &ehci_pci_hc_driver,
26305 },
26306- { /* end: all zeroes */ }
26307+ { 0, 0, 0, 0, 0, 0, 0 }
26308 };
26309 MODULE_DEVICE_TABLE(pci, pci_ids);
26310
26311diff -urNp linux-2.6.33.1/drivers/usb/host/uhci-hcd.c linux-2.6.33.1/drivers/usb/host/uhci-hcd.c
26312--- linux-2.6.33.1/drivers/usb/host/uhci-hcd.c 2010-03-15 12:09:39.000000000 -0400
26313+++ linux-2.6.33.1/drivers/usb/host/uhci-hcd.c 2010-03-20 16:58:41.072592318 -0400
26314@@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
26315 /* handle any USB UHCI controller */
26316 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
26317 .driver_data = (unsigned long) &uhci_driver,
26318- }, { /* end: all zeroes */ }
26319+ }, { 0, 0, 0, 0, 0, 0, 0 }
26320 };
26321
26322 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
26323diff -urNp linux-2.6.33.1/drivers/usb/misc/appledisplay.c linux-2.6.33.1/drivers/usb/misc/appledisplay.c
26324--- linux-2.6.33.1/drivers/usb/misc/appledisplay.c 2010-03-15 12:09:39.000000000 -0400
26325+++ linux-2.6.33.1/drivers/usb/misc/appledisplay.c 2010-03-20 16:58:41.076561776 -0400
26326@@ -179,7 +179,7 @@ static int appledisplay_bl_get_brightnes
26327 return pdata->msgdata[1];
26328 }
26329
26330-static struct backlight_ops appledisplay_bl_data = {
26331+static const struct backlight_ops appledisplay_bl_data = {
26332 .get_brightness = appledisplay_bl_get_brightness,
26333 .update_status = appledisplay_bl_update_status,
26334 };
26335diff -urNp linux-2.6.33.1/drivers/usb/mon/mon_main.c linux-2.6.33.1/drivers/usb/mon/mon_main.c
26336--- linux-2.6.33.1/drivers/usb/mon/mon_main.c 2010-03-15 12:09:39.000000000 -0400
26337+++ linux-2.6.33.1/drivers/usb/mon/mon_main.c 2010-03-20 16:58:41.084588620 -0400
26338@@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
26339 /*
26340 * Ops
26341 */
26342-static struct usb_mon_operations mon_ops_0 = {
26343+static const struct usb_mon_operations mon_ops_0 = {
26344 .urb_submit = mon_submit,
26345 .urb_submit_error = mon_submit_error,
26346 .urb_complete = mon_complete,
26347diff -urNp linux-2.6.33.1/drivers/usb/storage/debug.h linux-2.6.33.1/drivers/usb/storage/debug.h
26348--- linux-2.6.33.1/drivers/usb/storage/debug.h 2010-03-15 12:09:39.000000000 -0400
26349+++ linux-2.6.33.1/drivers/usb/storage/debug.h 2010-03-20 16:58:41.084588620 -0400
26350@@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
26351 #define US_DEBUGPX(x...) printk( x )
26352 #define US_DEBUG(x) x
26353 #else
26354-#define US_DEBUGP(x...)
26355-#define US_DEBUGPX(x...)
26356-#define US_DEBUG(x)
26357+#define US_DEBUGP(x...) do {} while (0)
26358+#define US_DEBUGPX(x...) do {} while (0)
26359+#define US_DEBUG(x) do {} while (0)
26360 #endif
26361
26362 #endif
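Review bot: In non-debug builds `US_DEBUGP` and `US_DEBUGPX` still discard their arguments, so a format string that no longer matches its arguments is only noticed once debugging is switched on. Wrapping the call in dead code keeps the compiler's format checking at no run-time cost, e.g. `#define US_DEBUGPX(x...) do { if (0) printk(x); } while (0)`. `US_DEBUG(x)` is also asymmetric after this change: the enabled form expands to `x` and the disabled form to a statement, so it is only safe where it is used as a complete statement. The `DPRINTK` change in fbmon.c drops its arguments in the same way.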
26363diff -urNp linux-2.6.33.1/drivers/usb/storage/usb.c linux-2.6.33.1/drivers/usb/storage/usb.c
26364--- linux-2.6.33.1/drivers/usb/storage/usb.c 2010-03-15 12:09:39.000000000 -0400
26365+++ linux-2.6.33.1/drivers/usb/storage/usb.c 2010-03-20 16:58:41.084588620 -0400
26366@@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
26367
26368 static struct us_unusual_dev us_unusual_dev_list[] = {
26369 # include "unusual_devs.h"
26370- { } /* Terminating entry */
26371+ { NULL, NULL, 0, 0, NULL } /* Terminating entry */
26372 };
26373
26374 #undef UNUSUAL_DEV
26375diff -urNp linux-2.6.33.1/drivers/usb/storage/usual-tables.c linux-2.6.33.1/drivers/usb/storage/usual-tables.c
26376--- linux-2.6.33.1/drivers/usb/storage/usual-tables.c 2010-03-15 12:09:39.000000000 -0400
26377+++ linux-2.6.33.1/drivers/usb/storage/usual-tables.c 2010-03-20 16:58:41.084588620 -0400
26378@@ -48,7 +48,7 @@
26379
26380 struct usb_device_id usb_storage_usb_ids[] = {
26381 # include "unusual_devs.h"
26382- { } /* Terminating entry */
26383+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
26384 };
26385 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
26386
26387diff -urNp linux-2.6.33.1/drivers/uwb/wlp/messages.c linux-2.6.33.1/drivers/uwb/wlp/messages.c
26388--- linux-2.6.33.1/drivers/uwb/wlp/messages.c 2010-03-15 12:09:39.000000000 -0400
26389+++ linux-2.6.33.1/drivers/uwb/wlp/messages.c 2010-03-20 16:58:41.096879476 -0400
26390@@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
26391 size_t len = skb->len;
26392 size_t used;
26393 ssize_t result;
26394- struct wlp_nonce enonce, rnonce;
26395+ struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
26396 enum wlp_assc_error assc_err;
26397 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
26398 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
26399diff -urNp linux-2.6.33.1/drivers/uwb/wlp/sysfs.c linux-2.6.33.1/drivers/uwb/wlp/sysfs.c
26400--- linux-2.6.33.1/drivers/uwb/wlp/sysfs.c 2010-03-15 12:09:39.000000000 -0400
26401+++ linux-2.6.33.1/drivers/uwb/wlp/sysfs.c 2010-03-20 16:58:41.104559489 -0400
26402@@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
26403 return ret;
26404 }
26405
26406-static
26407-struct sysfs_ops wss_sysfs_ops = {
26408+static const struct sysfs_ops wss_sysfs_ops = {
26409 .show = wlp_wss_attr_show,
26410 .store = wlp_wss_attr_store,
26411 };
26412diff -urNp linux-2.6.33.1/drivers/video/atmel_lcdfb.c linux-2.6.33.1/drivers/video/atmel_lcdfb.c
26413--- linux-2.6.33.1/drivers/video/atmel_lcdfb.c 2010-03-15 12:09:39.000000000 -0400
26414+++ linux-2.6.33.1/drivers/video/atmel_lcdfb.c 2010-03-20 16:58:41.116887355 -0400
26415@@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
26416 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
26417 }
26418
26419-static struct backlight_ops atmel_lcdc_bl_ops = {
26420+static const struct backlight_ops atmel_lcdc_bl_ops = {
26421 .update_status = atmel_bl_update_status,
26422 .get_brightness = atmel_bl_get_brightness,
26423 };
26424diff -urNp linux-2.6.33.1/drivers/video/aty/aty128fb.c linux-2.6.33.1/drivers/video/aty/aty128fb.c
26425--- linux-2.6.33.1/drivers/video/aty/aty128fb.c 2010-03-15 12:09:39.000000000 -0400
26426+++ linux-2.6.33.1/drivers/video/aty/aty128fb.c 2010-03-20 16:58:41.141056447 -0400
26427@@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
26428 return bd->props.brightness;
26429 }
26430
26431-static struct backlight_ops aty128_bl_data = {
26432+static const struct backlight_ops aty128_bl_data = {
26433 .get_brightness = aty128_bl_get_brightness,
26434 .update_status = aty128_bl_update_status,
26435 };
26436diff -urNp linux-2.6.33.1/drivers/video/aty/atyfb_base.c linux-2.6.33.1/drivers/video/aty/atyfb_base.c
26437--- linux-2.6.33.1/drivers/video/aty/atyfb_base.c 2010-03-15 12:09:39.000000000 -0400
26438+++ linux-2.6.33.1/drivers/video/aty/atyfb_base.c 2010-03-20 16:58:41.141056447 -0400
26439@@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
26440 return bd->props.brightness;
26441 }
26442
26443-static struct backlight_ops aty_bl_data = {
26444+static const struct backlight_ops aty_bl_data = {
26445 .get_brightness = aty_bl_get_brightness,
26446 .update_status = aty_bl_update_status,
26447 };
26448diff -urNp linux-2.6.33.1/drivers/video/aty/radeon_backlight.c linux-2.6.33.1/drivers/video/aty/radeon_backlight.c
26449--- linux-2.6.33.1/drivers/video/aty/radeon_backlight.c 2010-03-15 12:09:39.000000000 -0400
26450+++ linux-2.6.33.1/drivers/video/aty/radeon_backlight.c 2010-03-20 16:58:41.144609392 -0400
26451@@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
26452 return bd->props.brightness;
26453 }
26454
26455-static struct backlight_ops radeon_bl_data = {
26456+static const struct backlight_ops radeon_bl_data = {
26457 .get_brightness = radeon_bl_get_brightness,
26458 .update_status = radeon_bl_update_status,
26459 };
26460diff -urNp linux-2.6.33.1/drivers/video/bf54x-lq043fb.c linux-2.6.33.1/drivers/video/bf54x-lq043fb.c
26461--- linux-2.6.33.1/drivers/video/bf54x-lq043fb.c 2010-03-15 12:09:39.000000000 -0400
26462+++ linux-2.6.33.1/drivers/video/bf54x-lq043fb.c 2010-03-20 16:58:41.172899299 -0400
26463@@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
26464 return 0;
26465 }
26466
26467-static struct backlight_ops bfin_lq043fb_bl_ops = {
26468+static const struct backlight_ops bfin_lq043fb_bl_ops = {
26469 .get_brightness = bl_get_brightness,
58c5fc13 26470 };
26471
26472diff -urNp linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c
26473--- linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c 2010-03-15 12:09:39.000000000 -0400
26474+++ linux-2.6.33.1/drivers/video/bfin-t350mcqb-fb.c 2010-03-20 16:58:41.172899299 -0400
26475@@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
26476 return 0;
26477 }
26478
26479-static struct backlight_ops bfin_lq043fb_bl_ops = {
26480+static const struct backlight_ops bfin_lq043fb_bl_ops = {
26481 .get_brightness = bl_get_brightness,
26482 };
26483
26484diff -urNp linux-2.6.33.1/drivers/video/fbmem.c linux-2.6.33.1/drivers/video/fbmem.c
26485--- linux-2.6.33.1/drivers/video/fbmem.c 2010-03-15 12:09:39.000000000 -0400
26486+++ linux-2.6.33.1/drivers/video/fbmem.c 2010-03-20 16:58:41.176758490 -0400
26487@@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
26488 image->dx += image->width + 8;
26489 }
26490 } else if (rotate == FB_ROTATE_UD) {
26491- for (x = 0; x < num && image->dx >= 0; x++) {
26492+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
26493 info->fbops->fb_imageblit(info, image);
26494 image->dx -= image->width + 8;
26495 }
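Review bot: The `(__s32)image->dx >= 0` test in the `FB_ROTATE_UD` loop has no comment explaining that it works by letting `image->dx -= image->width + 8` wrap and then reading the wrapped value as signed; the cast suggests `dx` is an unsigned field, which this hunk does not show. A short comment above the loop would stop a later cleanup from removing the cast as redundant, e.g. `/* dx is unsigned: compare as signed so the loop stops once it steps past 0 */`. The `(__s32)image->dy` test in the `FB_ROTATE_CCW` branch of the next hunk needs the same comment. fb_do_show_logo starts and ends outside the hunk.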
26496@@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
26497 image->dy += image->height + 8;
26498 }
26499 } else if (rotate == FB_ROTATE_CCW) {
26500- for (x = 0; x < num && image->dy >= 0; x++) {
26501+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
26502 info->fbops->fb_imageblit(info, image);
26503 image->dy -= image->height + 8;
26504 }
ae4e228f 26505@@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
58c5fc13
MT
26506 return -EFAULT;
26507 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
26508 return -EINVAL;
26509- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
26510+ if (con2fb.framebuffer >= FB_MAX)
26511 return -EINVAL;
26512 if (!registered_fb[con2fb.framebuffer])
26513 request_module("fb%d", con2fb.framebuffer);
ae4e228f
MT
26514diff -urNp linux-2.6.33.1/drivers/video/fbmon.c linux-2.6.33.1/drivers/video/fbmon.c
26515--- linux-2.6.33.1/drivers/video/fbmon.c 2010-03-15 12:09:39.000000000 -0400
26516+++ linux-2.6.33.1/drivers/video/fbmon.c 2010-03-20 16:58:41.184890729 -0400
58c5fc13
MT
26517@@ -45,7 +45,7 @@
26518 #ifdef DEBUG
26519 #define DPRINTK(fmt, args...) printk(fmt,## args)
26520 #else
26521-#define DPRINTK(fmt, args...)
26522+#define DPRINTK(fmt, args...) do {} while (0)
26523 #endif
26524
26525 #define FBMON_FIX_HEADER 1
ae4e228f
MT
26526diff -urNp linux-2.6.33.1/drivers/video/i810/i810_accel.c linux-2.6.33.1/drivers/video/i810/i810_accel.c
26527--- linux-2.6.33.1/drivers/video/i810/i810_accel.c 2010-03-15 12:09:39.000000000 -0400
26528+++ linux-2.6.33.1/drivers/video/i810/i810_accel.c 2010-03-20 16:58:41.188702176 -0400
58c5fc13
MT
26529@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
26530 }
26531 }
26532 printk("ringbuffer lockup!!!\n");
26533+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
26534 i810_report_error(mmio);
26535 par->dev_flags |= LOCKUP;
26536 info->pixmap.scan_align = 1;
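Review bot: The added diagnostic `printk` has no log level or driver prefix, so it is emitted at the default level and is hard to attribute in the log. I would write it as `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The declarations of `head`, `tail` and `space` are outside the hunk, so confirm that `%u` matches their types. wait_for_space starts outside the hunk.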
ae4e228f
MT
26537diff -urNp linux-2.6.33.1/drivers/video/i810/i810_main.c linux-2.6.33.1/drivers/video/i810/i810_main.c
26538--- linux-2.6.33.1/drivers/video/i810/i810_main.c 2010-03-15 12:09:39.000000000 -0400
26539+++ linux-2.6.33.1/drivers/video/i810/i810_main.c 2010-03-20 16:58:41.196891711 -0400
58c5fc13
MT
26540@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
26541 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
26542 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
26543 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
26544- { 0 },
26545+ { 0, 0, 0, 0, 0, 0, 0 },
26546 };
26547
26548 static struct pci_driver i810fb_driver = {
ae4e228f
MT
26549diff -urNp linux-2.6.33.1/drivers/video/modedb.c linux-2.6.33.1/drivers/video/modedb.c
26550--- linux-2.6.33.1/drivers/video/modedb.c 2010-03-15 12:09:39.000000000 -0400
26551+++ linux-2.6.33.1/drivers/video/modedb.c 2010-03-20 16:58:41.200859456 -0400
26552@@ -39,240 +39,240 @@ static const struct fb_videomode modedb[
58c5fc13
MT
26553 {
26554 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
26555 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
26556- 0, FB_VMODE_NONINTERLACED
26557+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26558 }, {
26559 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
26560 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
26561- 0, FB_VMODE_NONINTERLACED
26562+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26563 }, {
26564 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
26565 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
26566- 0, FB_VMODE_NONINTERLACED
26567+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26568 }, {
26569 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
26570 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
26571- 0, FB_VMODE_INTERLACED
26572+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26573 }, {
26574 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
26575 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
26576- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26577+ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26578 }, {
26579 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
26580 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
26581- 0, FB_VMODE_NONINTERLACED
26582+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26583 }, {
26584 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
26585 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
26586- 0, FB_VMODE_NONINTERLACED
26587+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26588 }, {
26589 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
26590 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
26591- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26592+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26593 }, {
26594 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
26595 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
26596- 0, FB_VMODE_NONINTERLACED
26597+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26598 }, {
26599 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
26600 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
26601- 0, FB_VMODE_INTERLACED
26602+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26603 }, {
26604 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
26605 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
26606- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26607+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26608 }, {
26609 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
26610 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
26611- 0, FB_VMODE_NONINTERLACED
26612+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26613 }, {
26614 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
26615 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
26616- 0, FB_VMODE_NONINTERLACED
26617+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26618 }, {
26619 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
26620 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
26621- 0, FB_VMODE_NONINTERLACED
26622+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26623 }, {
26624 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
26625 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
26626- 0, FB_VMODE_NONINTERLACED
26627+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26628 }, {
26629 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
26630 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
26631- 0, FB_VMODE_NONINTERLACED
26632+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26633 }, {
26634 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
26635 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
26636- 0, FB_VMODE_INTERLACED
26637+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26638 }, {
26639 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
26640 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
26641- 0, FB_VMODE_NONINTERLACED
26642+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26643 }, {
26644 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
26645 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
26646- 0, FB_VMODE_NONINTERLACED
26647+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26648 }, {
26649 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
26650 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
26651- 0, FB_VMODE_NONINTERLACED
26652+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26653 }, {
26654 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
26655 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
26656- 0, FB_VMODE_NONINTERLACED
26657+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26658 }, {
26659 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
26660 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
26661- 0, FB_VMODE_NONINTERLACED
26662+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26663 }, {
26664 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
26665 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
26666- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26667+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26668 }, {
26669 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
26670 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
26671- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26672+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26673 }, {
26674 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
26675 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
26676- 0, FB_VMODE_NONINTERLACED
26677+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26678 }, {
26679 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
26680 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
26681- 0, FB_VMODE_NONINTERLACED
26682+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26683 }, {
26684 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
26685 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
26686- 0, FB_VMODE_NONINTERLACED
26687+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26688 }, {
26689 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
26690 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
26691- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26692+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26693 }, {
26694 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
26695 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
26696- 0, FB_VMODE_NONINTERLACED
26697+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26698 }, {
26699 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
26700 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
26701- 0, FB_VMODE_NONINTERLACED
26702+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26703 }, {
26704 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
26705 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
26706- 0, FB_VMODE_NONINTERLACED
26707+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26708 }, {
26709 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
26710 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
26711- 0, FB_VMODE_NONINTERLACED
26712+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26713 }, {
26714 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
26715 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
26716- 0, FB_VMODE_NONINTERLACED
26717+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26718 }, {
26719 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
26720 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
26721- 0, FB_VMODE_NONINTERLACED
26722+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26723 }, {
26724 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
26725 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
26726- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26727+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26728 }, {
26729 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
26730 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
26731- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26732+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26733 }, {
26734 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
26735 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
26736- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26737+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26738 }, {
26739 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
26740 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
26741- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26742+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26743 }, {
26744 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
26745 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
26746- 0, FB_VMODE_NONINTERLACED
26747+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26748 }, {
26749 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
26750 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
26751- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26752+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26753 }, {
26754 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
26755 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
26756- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26757+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26758 }, {
26759 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
26760 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
26761- 0, FB_VMODE_NONINTERLACED
26762+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26763 }, {
26764 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
26765 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
26766- 0, FB_VMODE_NONINTERLACED
26767+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26768 }, {
26769 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
26770 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
26771- 0, FB_VMODE_DOUBLE
26772+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26773 }, {
26774 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
26775 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
26776- 0, FB_VMODE_DOUBLE
26777+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26778 }, {
26779 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
26780 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
26781- 0, FB_VMODE_DOUBLE
26782+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26783 }, {
26784 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
26785 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
26786- 0, FB_VMODE_DOUBLE
26787+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26788 }, {
26789 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
26790 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
26791- 0, FB_VMODE_DOUBLE
26792+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26793 }, {
26794 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
26795 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
26796- 0, FB_VMODE_DOUBLE
26797+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26798 }, {
26799 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
26800 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
26801- 0, FB_VMODE_DOUBLE
26802+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26803 }, {
26804 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
26805 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
26806- 0, FB_VMODE_DOUBLE
26807+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26808 }, {
26809 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
26810 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
26811- 0, FB_VMODE_DOUBLE
26812+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26813 }, {
26814 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
26815 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
26816- 0, FB_VMODE_DOUBLE
26817+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
26818 }, {
26819 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
26820 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
26821 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
26822- FB_VMODE_NONINTERLACED
26823+ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26824 }, {
26825 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
26826 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
26827- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
26828+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26829 }, {
26830 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
26831 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
26832- 0, FB_VMODE_NONINTERLACED
26833+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26834 }, {
26835 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
26836 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
26837- 0, FB_VMODE_NONINTERLACED
26838+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
26839 }, {
26840 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26841 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
26842- 0, FB_VMODE_INTERLACED
26843+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26844 }, {
26845 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
26846 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
26847- 0, FB_VMODE_INTERLACED
26848+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
26849 },
26850 };
26851
ae4e228f
MT
26852diff -urNp linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c
26853--- linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c 2010-03-15 12:09:39.000000000 -0400
26854+++ linux-2.6.33.1/drivers/video/nvidia/nv_backlight.c 2010-03-20 16:58:41.200859456 -0400
26855@@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
26856 return bd->props.brightness;
26857 }
26858
26859-static struct backlight_ops nvidia_bl_ops = {
26860+static const struct backlight_ops nvidia_bl_ops = {
26861 .get_brightness = nvidia_bl_get_brightness,
26862 .update_status = nvidia_bl_update_status,
26863 };
26864diff -urNp linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c
26865--- linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c 2010-03-15 12:09:39.000000000 -0400
26866+++ linux-2.6.33.1/drivers/video/omap2/displays/panel-taal.c 2010-03-20 16:58:41.208900904 -0400
26867@@ -313,7 +313,7 @@ static int taal_bl_get_intensity(struct
26868 return 0;
26869 }
26870
26871-static struct backlight_ops taal_bl_ops = {
26872+static const struct backlight_ops taal_bl_ops = {
26873 .get_brightness = taal_bl_get_intensity,
26874 .update_status = taal_bl_update_status,
26875 };
26876diff -urNp linux-2.6.33.1/drivers/video/omap2/dss/manager.c linux-2.6.33.1/drivers/video/omap2/dss/manager.c
26877--- linux-2.6.33.1/drivers/video/omap2/dss/manager.c 2010-03-15 12:09:39.000000000 -0400
26878+++ linux-2.6.33.1/drivers/video/omap2/dss/manager.c 2010-03-20 16:58:41.220903696 -0400
26879@@ -341,7 +341,7 @@ static ssize_t manager_attr_store(struct
26880 return manager_attr->store(manager, buf, size);
26881 }
26882
26883-static struct sysfs_ops manager_sysfs_ops = {
26884+static const struct sysfs_ops manager_sysfs_ops = {
26885 .show = manager_attr_show,
26886 .store = manager_attr_store,
26887 };
26888diff -urNp linux-2.6.33.1/drivers/video/omap2/dss/overlay.c linux-2.6.33.1/drivers/video/omap2/dss/overlay.c
26889--- linux-2.6.33.1/drivers/video/omap2/dss/overlay.c 2010-03-15 12:09:39.000000000 -0400
26890+++ linux-2.6.33.1/drivers/video/omap2/dss/overlay.c 2010-03-20 16:58:41.220903696 -0400
26891@@ -320,7 +320,7 @@ static ssize_t overlay_attr_store(struct
26892 return overlay_attr->store(overlay, buf, size);
58c5fc13
MT
26893 }
26894
ae4e228f
MT
26895-static struct sysfs_ops overlay_sysfs_ops = {
26896+static const struct sysfs_ops overlay_sysfs_ops = {
26897 .show = overlay_attr_show,
26898 .store = overlay_attr_store,
58c5fc13 26899 };
ae4e228f
MT
26900diff -urNp linux-2.6.33.1/drivers/video/riva/fbdev.c linux-2.6.33.1/drivers/video/riva/fbdev.c
26901--- linux-2.6.33.1/drivers/video/riva/fbdev.c 2010-03-15 12:09:39.000000000 -0400
26902+++ linux-2.6.33.1/drivers/video/riva/fbdev.c 2010-03-20 16:58:41.252568052 -0400
26903@@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
26904 return bd->props.brightness;
26905 }
26906
26907-static struct backlight_ops riva_bl_ops = {
26908+static const struct backlight_ops riva_bl_ops = {
26909 .get_brightness = riva_bl_get_brightness,
26910 .update_status = riva_bl_update_status,
26911 };
26912diff -urNp linux-2.6.33.1/drivers/video/uvesafb.c linux-2.6.33.1/drivers/video/uvesafb.c
26913--- linux-2.6.33.1/drivers/video/uvesafb.c 2010-03-15 12:09:39.000000000 -0400
26914+++ linux-2.6.33.1/drivers/video/uvesafb.c 2010-03-20 16:58:41.260895734 -0400
58c5fc13
MT
26915@@ -18,6 +18,7 @@
26916 #include <linux/fb.h>
26917 #include <linux/io.h>
26918 #include <linux/mutex.h>
26919+#include <linux/moduleloader.h>
26920 #include <video/edid.h>
26921 #include <video/uvesafb.h>
26922 #ifdef CONFIG_X86
ae4e228f 26923@@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
58c5fc13
MT
26924 NULL,
26925 };
26926
26927- return call_usermodehelper(v86d_path, argv, envp, 1);
26928+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
26929 }
26930
26931 /*
ae4e228f 26932@@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
58c5fc13
MT
26933 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
26934 par->pmi_setpal = par->ypan = 0;
26935 } else {
26936+
26937+#ifdef CONFIG_PAX_KERNEXEC
26938+#ifdef CONFIG_MODULES
58c5fc13
MT
26939+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
26940+#endif
26941+ if (!par->pmi_code) {
26942+ par->pmi_setpal = par->ypan = 0;
26943+ return 0;
26944+ }
26945+#endif
26946+
26947 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
26948 + task->t.regs.edi);
26949+
26950+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
ae4e228f 26951+ pax_open_kernel();
58c5fc13 26952+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
ae4e228f 26953+ pax_close_kernel();
58c5fc13
MT
26954+
26955+ par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
26956+ par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
26957+#else
26958 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
26959 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
26960+#endif
26961+
26962 printk(KERN_INFO "uvesafb: protected mode interface info at "
26963 "%04x:%04x\n",
26964 (u16)task->t.regs.es, (u16)task->t.regs.edi);
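Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared with the length that was allocated and copied, `(u16)task->t.regs.ecx`, so `pmi_start` and `pmi_pal` can end up outside the executable copy. The length and the table both come from the reply in `task->t.regs`, so they should be treated as unvalidated; a length too small to hold the offset table should be rejected as well. The same unchecked addition is in the vesafb_probe hunk (`pmi_code + pmi_base[1]` and `pmi_base[2]` against `screen_info.vesapm_size`). The function starts and ends outside the hunk.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
		/* reject a table whose entry points fall outside the copied region */
		if ((u16)task->t.regs.ecx < 3 * sizeof(u16) ||
		    par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			module_free_exec(NULL, par->pmi_code);
			par->pmi_code = NULL;
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}

		pax_open_kernel();
		/* … unchanged: memcpy into par->pmi_code, pax_close_kernel, ktva_ktla assignments … */
```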
ae4e228f 26965@@ -1799,6 +1822,11 @@ out:
58c5fc13
MT
26966 if (par->vbe_modes)
26967 kfree(par->vbe_modes);
26968
26969+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26970+ if (par->pmi_code)
26971+ module_free_exec(NULL, par->pmi_code);
26972+#endif
26973+
26974 framebuffer_release(info);
26975 return err;
26976 }
ae4e228f 26977@@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
58c5fc13
MT
26978 kfree(par->vbe_state_orig);
26979 if (par->vbe_state_saved)
26980 kfree(par->vbe_state_saved);
26981+
26982+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
26983+ if (par->pmi_code)
26984+ module_free_exec(NULL, par->pmi_code);
26985+#endif
26986+
26987 }
26988
26989 framebuffer_release(info);
ae4e228f
MT
26990diff -urNp linux-2.6.33.1/drivers/video/vesafb.c linux-2.6.33.1/drivers/video/vesafb.c
26991--- linux-2.6.33.1/drivers/video/vesafb.c 2010-03-15 12:09:39.000000000 -0400
26992+++ linux-2.6.33.1/drivers/video/vesafb.c 2010-03-20 16:58:41.264903169 -0400
58c5fc13
MT
26993@@ -9,6 +9,7 @@
26994 */
26995
26996 #include <linux/module.h>
26997+#include <linux/moduleloader.h>
26998 #include <linux/kernel.h>
26999 #include <linux/errno.h>
27000 #include <linux/string.h>
27001@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
27002 static int vram_total __initdata; /* Set total amount of memory */
27003 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
27004 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
27005-static void (*pmi_start)(void) __read_mostly;
27006-static void (*pmi_pal) (void) __read_mostly;
27007+static void (*pmi_start)(void) __read_only;
27008+static void (*pmi_pal) (void) __read_only;
27009 static int depth __read_mostly;
27010 static int vga_compat __read_mostly;
27011 /* --------------------------------------------------------------------- */
27012@@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
27013 unsigned int size_vmode;
27014 unsigned int size_remap;
27015 unsigned int size_total;
27016+ void *pmi_code = NULL;
27017
27018 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
27019 return -ENODEV;
27020@@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
27021 size_remap = size_total;
27022 vesafb_fix.smem_len = size_remap;
27023
27024-#ifndef __i386__
27025- screen_info.vesapm_seg = 0;
27026-#endif
27027-
27028 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
27029 printk(KERN_WARNING
27030 "vesafb: cannot reserve video memory at 0x%lx\n",
27031@@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
27032 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
27033 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
27034
27035+#ifdef __i386__
27036+
27037+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27038+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
27039+ if (!pmi_code)
27040+#elif !defined(CONFIG_PAX_KERNEXEC)
27041+ if (0)
27042+#endif
27043+
27044+#endif
27045+ screen_info.vesapm_seg = 0;
27046+
27047 if (screen_info.vesapm_seg) {
27048- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
27049- screen_info.vesapm_seg,screen_info.vesapm_off);
27050+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
27051+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
27052 }
27053
27054 if (screen_info.vesapm_seg < 0xc000)
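Review bot: The `screen_info.vesapm_seg = 0;` assignment is guarded by an `if` that exists only in some preprocessor configurations, which makes it easy to misread which builds keep the PMI. As written it is conditional on allocation failure with CONFIG_MODULES and CONFIG_PAX_KERNEXEC on i386, never taken (`if (0)`) on i386 without KERNEXEC, and unconditional otherwise. Spelling out the cases keeps the same behaviour and lets each branch carry a comment. Separately, `pmi_code` looks to stay allocated when the PMI is later disabled (for example by the `vesapm_seg < 0xc000` test), but that code is outside the hunk.

```c
#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	/* PMI code must run from an executable copy; without one, disable it */
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#elif !defined(__i386__) || defined(CONFIG_PAX_KERNEXEC)
	/* not i386, or KERNEXEC without module_alloc_exec(): no PMI */
	screen_info.vesapm_seg = 0;
#endif
```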
ae4e228f 27055@@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
58c5fc13
MT
27056
27057 if (ypan || pmi_setpal) {
27058 unsigned short *pmi_base;
27059- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
27060- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
27061- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
27062+
58c5fc13
MT
27063+ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
27064+
27065+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
ae4e228f 27066+ pax_open_kernel();
58c5fc13
MT
27067+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
27068+#else
27069+ pmi_code = pmi_base;
27070+#endif
27071+
27072+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
27073+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
27074+
27075+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27076+ pmi_start = ktva_ktla(pmi_start);
27077+ pmi_pal = ktva_ktla(pmi_pal);
ae4e228f 27078+ pax_close_kernel();
58c5fc13
MT
27079+#endif
27080+
27081 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
27082 if (pmi_base[3]) {
27083 printk(KERN_INFO "vesafb: pmi: ports = ");
ae4e228f 27084@@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
58c5fc13
MT
27085 info->node, info->fix.id);
27086 return 0;
27087 err:
27088+
27089+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
27090+ module_free_exec(NULL, pmi_code);
27091+#endif
27092+
27093 if (info->screen_base)
27094 iounmap(info->screen_base);
27095 framebuffer_release(info);
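Review bot: `module_free_exec(NULL, pmi_code)` on the `err:` path is called even when `pmi_code` is still NULL, whereas both uvesafb hunks in this patch test `par->pmi_code` first. `pmi_code` is initialised to NULL and some `goto err` paths are presumably reachable without a successful allocation; whether `module_free_exec` accepts NULL is not visible here. For consistency I would write `if (pmi_code) module_free_exec(NULL, pmi_code);`. vesafb_probe starts outside the hunk.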
ae4e228f
MT
27096diff -urNp linux-2.6.33.1/drivers/xen/sys-hypervisor.c linux-2.6.33.1/drivers/xen/sys-hypervisor.c
27097--- linux-2.6.33.1/drivers/xen/sys-hypervisor.c 2010-03-15 12:09:39.000000000 -0400
27098+++ linux-2.6.33.1/drivers/xen/sys-hypervisor.c 2010-03-20 16:58:41.272886902 -0400
27099@@ -426,7 +426,7 @@ static ssize_t hyp_sysfs_store(struct ko
27100 return 0;
27101 }
27102
27103-static struct sysfs_ops hyp_sysfs_ops = {
27104+static const struct sysfs_ops hyp_sysfs_ops = {
27105 .show = hyp_sysfs_show,
27106 .store = hyp_sysfs_store,
27107 };
27108diff -urNp linux-2.6.33.1/fs/9p/vfs_inode.c linux-2.6.33.1/fs/9p/vfs_inode.c
27109--- linux-2.6.33.1/fs/9p/vfs_inode.c 2010-03-15 12:09:39.000000000 -0400
27110+++ linux-2.6.33.1/fs/9p/vfs_inode.c 2010-03-20 16:58:41.284893283 -0400
27111@@ -1041,7 +1041,7 @@ static void *v9fs_vfs_follow_link(struct
58c5fc13
MT
27112 static void
27113 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
27114 {
27115- char *s = nd_get_link(nd);
27116+ const char *s = nd_get_link(nd);
27117
27118 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
27119 IS_ERR(s) ? "<error>" : s);
ae4e228f
MT
27120diff -urNp linux-2.6.33.1/fs/aio.c linux-2.6.33.1/fs/aio.c
27121--- linux-2.6.33.1/fs/aio.c 2010-03-15 12:09:39.000000000 -0400
27122+++ linux-2.6.33.1/fs/aio.c 2010-03-20 16:58:41.305540612 -0400
27123@@ -129,7 +129,7 @@ static int aio_setup_ring(struct kioctx
58c5fc13
MT
27124 size += sizeof(struct io_event) * nr_events;
27125 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
27126
27127- if (nr_pages < 0)
27128+ if (nr_pages <= 0)
27129 return -EINVAL;
27130
27131 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
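Review bot: The change from `< 0` to `<= 0` deserves a comment, because the reason is only visible on the line after the check. With `nr_pages == 0`, `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)` would wrap and produce a huge `nr_events`. I would add `/* nr_pages == 0 would underflow the nr_events computation below */` above the test. Whether `nr_events` is bounded before the multiplication into `size` is not visible in this hunk.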
ae4e228f
MT
27132diff -urNp linux-2.6.33.1/fs/attr.c linux-2.6.33.1/fs/attr.c
27133--- linux-2.6.33.1/fs/attr.c 2010-03-15 12:09:39.000000000 -0400
27134+++ linux-2.6.33.1/fs/attr.c 2010-03-20 16:58:41.305540612 -0400
27135@@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
27136 unsigned long limit;
27137
27138 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
27139+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
27140 if (limit != RLIM_INFINITY && offset > limit)
27141 goto out_sig;
27142 if (offset > inode->i_sb->s_maxbytes)
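Review bot: The `(unsigned long)offset` cast in the added `gr_learn_resource` call can truncate the value on 32-bit builds if `offset` is a 64-bit file offset, so the value recorded for RLIMIT_FSIZE may be far smaller than the size actually requested. The comparison on the next line uses the uncast `offset`, so the recorded value and the enforced one can disagree. Saturating would be safer, e.g. `gr_learn_resource(current, RLIMIT_FSIZE, offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset, 1);`. The declaration of `offset` and the prototype of `gr_learn_resource` are outside the hunk, so confirm the types.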
27143diff -urNp linux-2.6.33.1/fs/autofs/root.c linux-2.6.33.1/fs/autofs/root.c
27144--- linux-2.6.33.1/fs/autofs/root.c 2010-03-15 12:09:39.000000000 -0400
27145+++ linux-2.6.33.1/fs/autofs/root.c 2010-03-20 16:58:41.316888614 -0400
58c5fc13
MT
27146@@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
27147 set_bit(n,sbi->symlink_bitmap);
27148 sl = &sbi->symlink[n];
27149 sl->len = strlen(symname);
27150- sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
27151+ slsize = sl->len+1;
27152+ sl->data = kmalloc(slsize, GFP_KERNEL);
27153 if (!sl->data) {
27154 clear_bit(n,sbi->symlink_bitmap);
27155 unlock_kernel();
ae4e228f
MT
27156diff -urNp linux-2.6.33.1/fs/autofs4/symlink.c linux-2.6.33.1/fs/autofs4/symlink.c
27157--- linux-2.6.33.1/fs/autofs4/symlink.c 2010-03-15 12:09:39.000000000 -0400
27158+++ linux-2.6.33.1/fs/autofs4/symlink.c 2010-03-20 16:58:41.324896891 -0400
58c5fc13
MT
27159@@ -15,7 +15,7 @@
27160 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
27161 {
27162 struct autofs_info *ino = autofs4_dentry_ino(dentry);
27163- nd_set_link(nd, (char *)ino->u.symlink);
27164+ nd_set_link(nd, ino->u.symlink);
27165 return NULL;
27166 }
27167
ae4e228f
MT
27168diff -urNp linux-2.6.33.1/fs/befs/linuxvfs.c linux-2.6.33.1/fs/befs/linuxvfs.c
27169--- linux-2.6.33.1/fs/befs/linuxvfs.c 2010-03-15 12:09:39.000000000 -0400
27170+++ linux-2.6.33.1/fs/befs/linuxvfs.c 2010-03-20 16:58:41.332900573 -0400
58c5fc13
MT
27171@@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
27172 {
27173 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
27174 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
27175- char *link = nd_get_link(nd);
27176+ const char *link = nd_get_link(nd);
27177 if (!IS_ERR(link))
27178 kfree(link);
27179 }
ae4e228f
MT
27180diff -urNp linux-2.6.33.1/fs/binfmt_aout.c linux-2.6.33.1/fs/binfmt_aout.c
27181--- linux-2.6.33.1/fs/binfmt_aout.c 2010-03-15 12:09:39.000000000 -0400
27182+++ linux-2.6.33.1/fs/binfmt_aout.c 2010-03-20 16:58:41.336873242 -0400
58c5fc13
MT
27183@@ -16,6 +16,7 @@
27184 #include <linux/string.h>
27185 #include <linux/fs.h>
27186 #include <linux/file.h>
27187+#include <linux/security.h>
27188 #include <linux/stat.h>
27189 #include <linux/fcntl.h>
27190 #include <linux/ptrace.h>
ae4e228f 27191@@ -114,10 +115,12 @@ static int aout_core_dump(struct coredum
58c5fc13
MT
27192
27193 /* If the size of the dump file exceeds the rlimit, then see what would happen
27194 if we wrote the stack, but not the data area. */
27195+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
ae4e228f 27196 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
58c5fc13
MT
27197 dump.u_dsize = 0;
27198
27199 /* Make sure we have enough room to write the stack and data areas. */
27200+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
ae4e228f 27201 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
58c5fc13
MT
27202 dump.u_ssize = 0;
27203
ae4e228f 27204@@ -250,6 +253,8 @@ static int load_aout_binary(struct linux
58c5fc13
MT
27205 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
27206 if (rlim >= RLIM_INFINITY)
27207 rlim = ~0;
27208+
27209+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
27210 if (ex.a_data + ex.a_bss > rlim)
27211 return -ENOMEM;
27212
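Review bot: `ex.a_data + ex.a_bss` in the added `gr_learn_resource` call is the sum of two fields read from the executable's header, and it can wrap before it is recorded. The existing limit test on the next line uses the same sum, so a wrapped value would both pass the RLIMIT_DATA check and be recorded as a small value. If the fields are 32-bit unsigned, as they appear to be, a guard such as `if (ex.a_data + ex.a_bss < ex.a_data) return -ENOMEM;` before both uses closes that. load_aout_binary starts and ends outside the hunk.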
ae4e228f 27213@@ -278,6 +283,27 @@ static int load_aout_binary(struct linux
58c5fc13
MT
27214 install_exec_creds(bprm);
27215 current->flags &= ~PF_FORKNOEXEC;
27216
27217+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27218+ current->mm->pax_flags = 0UL;
27219+#endif
27220+
27221+#ifdef CONFIG_PAX_PAGEEXEC
27222+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
27223+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
27224+
27225+#ifdef CONFIG_PAX_EMUTRAMP
27226+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
27227+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
27228+#endif
27229+
27230+#ifdef CONFIG_PAX_MPROTECT
27231+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
27232+ current->mm->pax_flags |= MF_PAX_MPROTECT;
27233+#endif
27234+
27235+ }
27236+#endif
27237+
27238 if (N_MAGIC(ex) == OMAGIC) {
27239 unsigned long text_addr, map_size;
27240 loff_t pos;
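Review bot: The a.out flag tests added to load_aout_binary do not share a polarity, and nothing in the block says so. PAGEEXEC and MPROTECT are enabled when the header bit is clear, while EMUTRAMP is enabled only when `F_PAX_EMUTRAMP` is set. A comment above the `#ifdef CONFIG_PAX_PAGEEXEC` block, such as `/* a.out: F_PAX_PAGEEXEC and F_PAX_MPROTECT are opt-out bits, F_PAX_EMUTRAMP is opt-in */`, would stop a later edit from inverting one of the tests and silently weakening the default. The block also never sets a SEGMEXEC or RANDMMAP flag for a.out images; if that is intentional, the same comment should record it. load_aout_binary starts and ends outside the hunk.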
ae4e228f 27241@@ -350,7 +376,7 @@ static int load_aout_binary(struct linux
58c5fc13
MT
27242
27243 down_write(&current->mm->mmap_sem);
27244 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
27245- PROT_READ | PROT_WRITE | PROT_EXEC,
27246+ PROT_READ | PROT_WRITE,
27247 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
27248 fd_offset + ex.a_text);
27249 up_write(&current->mm->mmap_sem);
ae4e228f
MT
27250diff -urNp linux-2.6.33.1/fs/binfmt_elf.c linux-2.6.33.1/fs/binfmt_elf.c
27251--- linux-2.6.33.1/fs/binfmt_elf.c 2010-03-15 12:09:39.000000000 -0400
27252+++ linux-2.6.33.1/fs/binfmt_elf.c 2010-03-20 16:58:41.348904798 -0400
27253@@ -50,6 +50,10 @@ static int elf_core_dump(struct coredump
58c5fc13
MT
27254 #define elf_core_dump NULL
27255 #endif
27256
27257+#ifdef CONFIG_PAX_MPROTECT
27258+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
27259+#endif
27260+
27261 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
27262 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
27263 #else
ae4e228f 27264@@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
58c5fc13
MT
27265 .load_binary = load_elf_binary,
27266 .load_shlib = load_elf_library,
27267 .core_dump = elf_core_dump,
27268+
27269+#ifdef CONFIG_PAX_MPROTECT
27270+ .handle_mprotect= elf_handle_mprotect,
27271+#endif
27272+
27273 .min_coredump = ELF_EXEC_PAGESIZE,
27274 .hasvdso = 1
27275 };
ae4e228f 27276@@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
58c5fc13
MT
27277
27278 static int set_brk(unsigned long start, unsigned long end)
27279 {
27280+ unsigned long e = end;
27281+
27282 start = ELF_PAGEALIGN(start);
27283 end = ELF_PAGEALIGN(end);
27284 if (end > start) {
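Review bot: The new local `e` keeps the caller's unaligned `end`, and the following hunk stores it into `start_brk`/`brk` in place of the page-aligned value, but neither hunk explains why. A descriptive name and a comment, e.g. `unsigned long unaligned_end = end; /* brk is set to the value passed in, not the next page boundary */`, would make the behavioural change visible; as written it reads like a leftover temporary. set_brk's body continues outside this hunk.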
ae4e228f 27285@@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
58c5fc13
MT
27286 if (BAD_ADDR(addr))
27287 return addr;
27288 }
27289- current->mm->start_brk = current->mm->brk = end;
27290+ current->mm->start_brk = current->mm->brk = e;
27291 return 0;
27292 }
27293
ae4e228f 27294@@ -148,7 +159,7 @@ create_elf_tables(struct linux_binprm *b
58c5fc13
MT
27295 elf_addr_t __user *u_rand_bytes;
27296 const char *k_platform = ELF_PLATFORM;
27297 const char *k_base_platform = ELF_BASE_PLATFORM;
27298- unsigned char k_rand_bytes[16];
27299+ u32 k_rand_bytes[4];
27300 int items;
27301 elf_addr_t *elf_info;
27302 int ei_index = 0;
ae4e228f 27303@@ -195,6 +206,10 @@ create_elf_tables(struct linux_binprm *b
58c5fc13
MT
27304 * Generate 16 random bytes for userspace PRNG seeding.
27305 */
27306 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
27307+ srandom32(k_rand_bytes[0] ^ random32());
27308+ srandom32(k_rand_bytes[1] ^ random32());
27309+ srandom32(k_rand_bytes[2] ^ random32());
27310+ srandom32(k_rand_bytes[3] ^ random32());
27311 u_rand_bytes = (elf_addr_t __user *)
27312 STACK_ALLOC(p, sizeof(k_rand_bytes));
27313 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
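Review bot: The four added `srandom32(k_rand_bytes[n] ^ random32())` calls reseed the kernel's non-cryptographic PRNG from the same 16 bytes that the next lines copy to userspace, so every exec'ing process is handed part of the material that went into the reseed. The XOR with `random32()` hides the seed only while that generator's output is itself unpredictable, which is presumably the property the reseed is meant to improve. Drawing a separate value, e.g. `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed);`, keeps the userspace seed and the kernel seed independent. The comment above the block still says the bytes are for userspace PRNG seeding only and should be updated either way. create_elf_tables starts and ends outside the hunk.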
ae4e228f 27314@@ -385,10 +400,10 @@ static unsigned long load_elf_interp(str
58c5fc13
MT
27315 {
27316 struct elf_phdr *elf_phdata;
27317 struct elf_phdr *eppnt;
27318- unsigned long load_addr = 0;
27319+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
27320 int load_addr_set = 0;
27321 unsigned long last_bss = 0, elf_bss = 0;
27322- unsigned long error = ~0UL;
27323+ unsigned long error = -EINVAL;
27324 unsigned long total_size;
27325 int retval, i, size;
27326
ae4e228f 27327@@ -434,6 +449,11 @@ static unsigned long load_elf_interp(str
58c5fc13
MT
27328 goto out_close;
27329 }
27330
27331+#ifdef CONFIG_PAX_SEGMEXEC
27332+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
27333+ pax_task_size = SEGMEXEC_TASK_SIZE;
27334+#endif
27335+
27336 eppnt = elf_phdata;
27337 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
27338 if (eppnt->p_type == PT_LOAD) {
ae4e228f 27339@@ -477,8 +497,8 @@ static unsigned long load_elf_interp(str
58c5fc13
MT
27340 k = load_addr + eppnt->p_vaddr;
27341 if (BAD_ADDR(k) ||
27342 eppnt->p_filesz > eppnt->p_memsz ||
27343- eppnt->p_memsz > TASK_SIZE ||
27344- TASK_SIZE - eppnt->p_memsz < k) {
27345+ eppnt->p_memsz > pax_task_size ||
27346+ pax_task_size - eppnt->p_memsz < k) {
27347 error = -ENOMEM;
27348 goto out_close;
27349 }
ae4e228f 27350@@ -532,6 +552,177 @@ out:
58c5fc13
MT
27351 return error;
27352 }
27353
27354+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
27355+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
27356+{
27357+ unsigned long pax_flags = 0UL;
27358+
27359+#ifdef CONFIG_PAX_PAGEEXEC
27360+ if (elf_phdata->p_flags & PF_PAGEEXEC)
27361+ pax_flags |= MF_PAX_PAGEEXEC;
27362+#endif
27363+
27364+#ifdef CONFIG_PAX_SEGMEXEC
27365+ if (elf_phdata->p_flags & PF_SEGMEXEC)
27366+ pax_flags |= MF_PAX_SEGMEXEC;
27367+#endif
27368+
27369+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27370+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
ae4e228f 27371+ if ((__supported_pte_mask & _PAGE_NX))
58c5fc13
MT
27372+ pax_flags &= ~MF_PAX_SEGMEXEC;
27373+ else
27374+ pax_flags &= ~MF_PAX_PAGEEXEC;
27375+ }
27376+#endif
27377+
27378+#ifdef CONFIG_PAX_EMUTRAMP
27379+ if (elf_phdata->p_flags & PF_EMUTRAMP)
27380+ pax_flags |= MF_PAX_EMUTRAMP;
27381+#endif
27382+
27383+#ifdef CONFIG_PAX_MPROTECT
27384+ if (elf_phdata->p_flags & PF_MPROTECT)
27385+ pax_flags |= MF_PAX_MPROTECT;
27386+#endif
27387+
27388+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27389+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
27390+ pax_flags |= MF_PAX_RANDMMAP;
27391+#endif
27392+
27393+ return pax_flags;
27394+}
27395+#endif
27396+
27397+#ifdef CONFIG_PAX_PT_PAX_FLAGS
27398+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
27399+{
27400+ unsigned long pax_flags = 0UL;
27401+
27402+#ifdef CONFIG_PAX_PAGEEXEC
27403+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
27404+ pax_flags |= MF_PAX_PAGEEXEC;
27405+#endif
27406+
27407+#ifdef CONFIG_PAX_SEGMEXEC
27408+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
27409+ pax_flags |= MF_PAX_SEGMEXEC;
27410+#endif
27411+
27412+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27413+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
ae4e228f 27414+ if ((__supported_pte_mask & _PAGE_NX))
58c5fc13
MT
27415+ pax_flags &= ~MF_PAX_SEGMEXEC;
27416+ else
27417+ pax_flags &= ~MF_PAX_PAGEEXEC;
27418+ }
27419+#endif
27420+
27421+#ifdef CONFIG_PAX_EMUTRAMP
27422+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
27423+ pax_flags |= MF_PAX_EMUTRAMP;
27424+#endif
27425+
27426+#ifdef CONFIG_PAX_MPROTECT
27427+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
27428+ pax_flags |= MF_PAX_MPROTECT;
27429+#endif
27430+
27431+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
27432+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
27433+ pax_flags |= MF_PAX_RANDMMAP;
27434+#endif
27435+
27436+ return pax_flags;
27437+}
27438+#endif
27439+
27440+#ifdef CONFIG_PAX_EI_PAX
27441+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
27442+{
27443+ unsigned long pax_flags = 0UL;
27444+
27445+#ifdef CONFIG_PAX_PAGEEXEC
27446+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
27447+ pax_flags |= MF_PAX_PAGEEXEC;
27448+#endif
27449+
27450+#ifdef CONFIG_PAX_SEGMEXEC
27451+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
27452+ pax_flags |= MF_PAX_SEGMEXEC;
27453+#endif
27454+
27455+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
27456+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
ae4e228f 27457+ if ((__supported_pte_mask & _PAGE_NX))
58c5fc13
MT
27458+ pax_flags &= ~MF_PAX_SEGMEXEC;
27459+ else
27460+ pax_flags &= ~MF_PAX_PAGEEXEC;
27461+ }
27462+#endif
27463+
27464+#ifdef CONFIG_PAX_EMUTRAMP
27465+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
27466+ pax_flags |= MF_PAX_EMUTRAMP;
27467+#endif
27468+
27469+#ifdef CONFIG_PAX_MPROTECT
27470+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
27471+ pax_flags |= MF_PAX_MPROTECT;
27472+#endif
27473+
27474+#ifdef CONFIG_PAX_ASLR
27475+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
27476+ pax_flags |= MF_PAX_RANDMMAP;
27477+#endif
27478+
27479+ return pax_flags;
27480+}
27481+#endif
27482+
27483+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27484+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
27485+{
27486+ unsigned long pax_flags = 0UL;
27487+
27488+#ifdef CONFIG_PAX_PT_PAX_FLAGS
27489+ unsigned long i;
27490+#endif
27491+
27492+#ifdef CONFIG_PAX_EI_PAX
27493+ pax_flags = pax_parse_ei_pax(elf_ex);
27494+#endif
27495+
27496+#ifdef CONFIG_PAX_PT_PAX_FLAGS
27497+ for (i = 0UL; i < elf_ex->e_phnum; i++)
27498+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
27499+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
27500+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
27501+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
27502+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
27503+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
27504+ return -EINVAL;
27505+
27506+#ifdef CONFIG_PAX_SOFTMODE
27507+ if (pax_softmode)
27508+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
27509+ else
27510+#endif
27511+
27512+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
27513+ break;
27514+ }
27515+#endif
27516+
27517+ if (0 > pax_check_flags(&pax_flags))
27518+ return -EINVAL;
27519+
27520+ current->mm->pax_flags = pax_flags;
27521+ return 0;
27522+}
27523+#endif
27524+
27525 /*
27526 * These are the functions used to load ELF style executables and shared
27527 * libraries. There is no binary dependent code anywhere else.
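Review bot: In pax_parse_elf_flags the `for` over the program headers has no braces, and its body ends in `if (pax_softmode) … else` where the `else` sits inside `#ifdef CONFIG_PAX_SOFTMODE` and the statement it governs comes after the `#endif`. Which statement the `else` binds to therefore depends on the configuration, and a line inserted after the `#endif` would change which parser runs without any compiler warning. Bracing the loop and giving each mode its own `break`, as sketched below, keeps the behaviour and removes the dangling `else`. The PAGEEXEC/SEGMEXEC tie-break on `__supported_pte_mask & _PAGE_NX` is also repeated verbatim in all three parsers and could be one static helper.

```c
	for (i = 0UL; i < elf_ex->e_phnum; i++) {
		if (elf_phdata[i].p_type != PT_PAX_FLAGS)
			continue;

		/* … unchanged: conflicting PF_x / PF_NOx check returning -EINVAL … */

#ifdef CONFIG_PAX_SOFTMODE
		if (pax_softmode) {
			pax_flags = pax_parse_softmode(&elf_phdata[i]);
			break;
		}
#endif

		pax_flags = pax_parse_hardmode(&elf_phdata[i]);
		break;
	}
```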
ae4e228f 27528@@ -548,6 +739,11 @@ static unsigned long randomize_stack_top
58c5fc13
MT
27529 {
27530 unsigned int random_variable = 0;
27531
27532+#ifdef CONFIG_PAX_RANDUSTACK
27533+ if (randomize_va_space)
27534+ return stack_top - current->mm->delta_stack;
27535+#endif
27536+
27537 if ((current->flags & PF_RANDOMIZE) &&
27538 !(current->personality & ADDR_NO_RANDOMIZE)) {
27539 random_variable = get_random_int() & STACK_RND_MASK;
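Review bot: With CONFIG_PAX_RANDUSTACK the added early return bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test below it, and it returns `stack_top` unchanged whenever `delta_stack` is zero. The load_elf_binary hunk further down zeroes `delta_stack` and refills it only when `MF_PAX_RANDMMAP` is set, so a binary that opts out of RANDMMAP gets no stack randomisation rather than the stock amount. If that is the intended policy, say so at the return: `/* PaX: delta_stack is the only source of stack randomisation here; it is 0 when RANDMMAP is off for this mm */`. randomize_stack_top continues outside the hunk.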
ae4e228f 27540@@ -566,7 +762,7 @@ static int load_elf_binary(struct linux_
58c5fc13
MT
27541 unsigned long load_addr = 0, load_bias = 0;
27542 int load_addr_set = 0;
27543 char * elf_interpreter = NULL;
27544- unsigned long error;
27545+ unsigned long error = 0;
27546 struct elf_phdr *elf_ppnt, *elf_phdata;
27547 unsigned long elf_bss, elf_brk;
27548 int retval, i;
ae4e228f 27549@@ -576,11 +772,11 @@ static int load_elf_binary(struct linux_
58c5fc13
MT
27550 unsigned long start_code, end_code, start_data, end_data;
27551 unsigned long reloc_func_desc = 0;
27552 int executable_stack = EXSTACK_DEFAULT;
27553- unsigned long def_flags = 0;
27554 struct {
27555 struct elfhdr elf_ex;
27556 struct elfhdr interp_elf_ex;
27557 } *loc;
27558+ unsigned long pax_task_size = TASK_SIZE;
27559
27560 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
27561 if (!loc) {
ae4e228f 27562@@ -718,11 +914,80 @@ static int load_elf_binary(struct linux_
58c5fc13
MT
27563
27564 /* OK, This is the point of no return */
27565 current->flags &= ~PF_FORKNOEXEC;
27566- current->mm->def_flags = def_flags;
27567+
27568+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
27569+ current->mm->pax_flags = 0UL;
27570+#endif
27571+
27572+#ifdef CONFIG_PAX_DLRESOLVE
27573+ current->mm->call_dl_resolve = 0UL;
27574+#endif
27575+
27576+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
27577+ current->mm->call_syscall = 0UL;
27578+#endif
27579+
27580+#ifdef CONFIG_PAX_ASLR
27581+ current->mm->delta_mmap = 0UL;
27582+ current->mm->delta_stack = 0UL;
27583+#endif
27584+
27585+ current->mm->def_flags = 0;
27586+
27587+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
27588+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
27589+ send_sig(SIGKILL, current, 0);
27590+ goto out_free_dentry;
27591+ }
27592+#endif
27593+
27594+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
27595+ pax_set_initial_flags(bprm);
27596+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
27597+ if (pax_set_initial_flags_func)
27598+ (pax_set_initial_flags_func)(bprm);
27599+#endif
27600+
27601+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
ae4e228f 27602+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
58c5fc13
MT
27603+ current->mm->context.user_cs_limit = PAGE_SIZE;
27604+ current->mm->def_flags |= VM_PAGEEXEC;
27605+ }
27606+#endif
27607+
27608+#ifdef CONFIG_PAX_SEGMEXEC
27609+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
27610+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
27611+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
27612+ pax_task_size = SEGMEXEC_TASK_SIZE;
27613+ }
27614+#endif
27615+
27616+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
27617+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27618+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
27619+ put_cpu();
27620+ }
27621+#endif
ae4e228f
MT
27622
27623 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
27624 may depend on the personality. */
27625 SET_PERSONALITY(loc->elf_ex);
58c5fc13
MT
27626+
27627+#ifdef CONFIG_PAX_ASLR
27628+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
27629+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
27630+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
27631+ }
27632+#endif
58c5fc13
MT
27633+
27634+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
27635+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
27636+ executable_stack = EXSTACK_DISABLE_X;
27637+ current->personality &= ~READ_IMPLIES_EXEC;
27638+ } else
27639+#endif
27640+
27641 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
27642 current->personality |= READ_IMPLIES_EXEC;
27643
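Review bot: The new failure path after `pax_parse_elf_flags` sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`. The bounds-check failure shown in a later hunk of this file sets `retval = -EINVAL` before the same jump. `retval` is last assigned outside this hunk, so it may still hold the success value of the preceding call; add `retval = -EINVAL;` before the `goto`. Separately, the `} else` left open before `#endif` in the READ_IMPLIES_EXEC block attaches to the following `if (elf_read_implies_exec(...))` only when PAGEEXEC or SEGMEXEC is configured, which deserves a comment at the `#endif`. load_elf_binary starts and ends outside the hunk.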
ae4e228f 27644@@ -804,6 +1069,20 @@ static int load_elf_binary(struct linux_
58c5fc13
MT
27645 #else
27646 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
27647 #endif
27648+
27649+#ifdef CONFIG_PAX_RANDMMAP
27650+ /* PaX: randomize base address at the default exe base if requested */
27651+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
27652+#ifdef CONFIG_SPARC64
27653+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
27654+#else
27655+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
27656+#endif
27657+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
27658+ elf_flags |= MAP_FIXED;
27659+ }
27660+#endif
27661+
27662 }
27663
27664 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
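Review bot: The randomised base is applied only when `elf_interpreter` is non-NULL, so an ET_DYN image loaded without an interpreter keeps whatever bias the lines just above the added block computed, even with `MF_PAX_RANDMMAP` set. The comment says "if requested" but does not mention that second condition. Extend it, e.g. `/* PaX: randomize the base of dynamically linked ET_DYN images only; images without an interpreter keep the default bias */`, or state why the interpreter test is needed. The enclosing loop in load_elf_binary is outside the hunk.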
ae4e228f 27665@@ -836,9 +1115,9 @@ static int load_elf_binary(struct linux_
58c5fc13
MT
27666 * allowed task size. Note that p_filesz must always be
27667 * <= p_memsz so it is only necessary to check p_memsz.
27668 */
27669- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27670- elf_ppnt->p_memsz > TASK_SIZE ||
27671- TASK_SIZE - elf_ppnt->p_memsz < k) {
27672+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
27673+ elf_ppnt->p_memsz > pax_task_size ||
27674+ pax_task_size - elf_ppnt->p_memsz < k) {
27675 /* set_brk can never work. Avoid overflows. */
27676 send_sig(SIGKILL, current, 0);
27677 retval = -EINVAL;
ae4e228f 27678@@ -866,6 +1145,11 @@ static int load_elf_binary(struct linux_
58c5fc13
MT
27679 start_data += load_bias;
27680 end_data += load_bias;
27681
27682+#ifdef CONFIG_PAX_RANDMMAP
27683+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
27684+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
27685+#endif
27686+
27687 /* Calling set_brk effectively mmaps the pages that we need
27688 * for the bss and break sections. We must do this before
27689 * mapping in the interpreter, to make sure it doesn't wind
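Review bot: The added `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);` carries no explanation of its constants. It moves the break up by one page plus a random offset that is a multiple of 16 and smaller than `16 * PAGE_SIZE`. A comment such as `/* PaX: gap of one page plus a random, 16-byte-granular offset below 16 pages between bss and brk */` would document that. The shifted `elf_brk` is not compared against `pax_task_size` in the visible code, so whether an out-of-range value is caught depends on the `BAD_ADDR` test inside `set_brk`, outside this hunk; that is worth confirming and noting in the same comment.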
ae4e228f 27690@@ -877,9 +1161,11 @@ static int load_elf_binary(struct linux_
58c5fc13
MT
27691 goto out_free_dentry;
27692 }
27693 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
27694- send_sig(SIGSEGV, current, 0);
27695- retval = -EFAULT; /* Nobody gets to see this, but.. */
27696- goto out_free_dentry;
27697+ /*
27698+ * This bss-zeroing can fail if the ELF
27699+ * file specifies odd protections. So
27700+ * we don't check the return value
27701+ */
27702 }
27703
27704 if (elf_interpreter) {
ae4e228f 27705@@ -1107,8 +1393,10 @@ static int dump_seek(struct file *file,
58c5fc13
MT
27706 unsigned long n = off;
27707 if (n > PAGE_SIZE)
27708 n = PAGE_SIZE;
27709- if (!dump_write(file, buf, n))
27710+ if (!dump_write(file, buf, n)) {
27711+ free_page((unsigned long)buf);
27712 return 0;
27713+ }
27714 off -= n;
27715 }
27716 free_page((unsigned long)buf);
ae4e228f 27717@@ -1120,7 +1408,7 @@ static int dump_seek(struct file *file,
58c5fc13
MT
27718 * Decide what to dump of a segment, part, all or none.
27719 */
27720 static unsigned long vma_dump_size(struct vm_area_struct *vma,
27721- unsigned long mm_flags)
27722+ unsigned long mm_flags, long signr)
27723 {
27724 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
27725
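Review bot: `vma_dump_size` gains a `signr` parameter here, and the next hunk uses it to dump in full every file-backed mapping that reaches the `MAPPED_PRIVATE` test when the signal is SIGKILL, whatever the task's coredump filter says. The header comment above the function is unchanged. Add a line such as `/* signr: signal that caused the dump; SIGKILL overrides the MAPPED_PRIVATE filter bit */` and say why that signal is treated specially, because the override can put more of a process's mapped files into the core than its filter setting asked for. The function body continues outside this hunk.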
ae4e228f 27726@@ -1154,7 +1442,7 @@ static unsigned long vma_dump_size(struc
58c5fc13
MT
27727 if (vma->vm_file == NULL)
27728 return 0;
27729
27730- if (FILTER(MAPPED_PRIVATE))
27731+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
27732 goto whole;
27733
27734 /*
ae4e228f 27735@@ -1250,9 +1538,12 @@ static int writenote(struct memelfnote *
58c5fc13
MT
27736 #undef DUMP_WRITE
27737
ae4e228f
MT
27738 #define DUMP_WRITE(addr, nr) \
27739+ do { \
58c5fc13 27740+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
ae4e228f
MT
27741 if ((size += (nr)) > cprm->limit || \
27742 !dump_write(cprm->file, (addr), (nr))) \
58c5fc13 27743- goto end_coredump;
ae4e228f 27744+ goto end_coredump; \
58c5fc13 27745+ } while (0);
ae4e228f
MT
27746
27747 static void fill_elf_header(struct elfhdr *elf, int segs,
27748 u16 machine, u32 flags, u8 osabi)
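Review bot: The rewritten `DUMP_WRITE` ends in `} while (0);`, and the trailing semicolon defeats the purpose of the `do { … } while (0)` wrapper. A call written `DUMP_WRITE(a, n);` expands to two statements, which breaks when the macro is the unbraced body of an `if` that has an `else`. End the macro with `} while (0)` and let the call site supply the semicolon. The added `gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1)` line also means `nr` is now evaluated three times per use, so a comment on the macro should warn against arguments with side effects.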
27749@@ -1381,9 +1672,9 @@ static void fill_auxv_note(struct memelf
27750 {
27751 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
27752 int i = 0;
27753- do
27754+ do {
27755 i += 2;
27756- while (auxv[i - 2] != AT_NULL);
27757+ } while (auxv[i - 2] != AT_NULL);
27758 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
27759 }
27760
27761@@ -1969,7 +2260,7 @@ static int elf_core_dump(struct coredump
58c5fc13
MT
27762 phdr.p_offset = offset;
27763 phdr.p_vaddr = vma->vm_start;
27764 phdr.p_paddr = 0;
27765- phdr.p_filesz = vma_dump_size(vma, mm_flags);
ae4e228f 27766+ phdr.p_filesz = vma_dump_size(vma, mm_flags, cprm->signr);
58c5fc13
MT
27767 phdr.p_memsz = vma->vm_end - vma->vm_start;
27768 offset += phdr.p_filesz;
27769 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
ae4e228f 27770@@ -2002,7 +2293,7 @@ static int elf_core_dump(struct coredump
58c5fc13
MT
27771 unsigned long addr;
27772 unsigned long end;
27773
27774- end = vma->vm_start + vma_dump_size(vma, mm_flags);
ae4e228f 27775+ end = vma->vm_start + vma_dump_size(vma, mm_flags, cprm->signr);
58c5fc13
MT
27776
27777 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
27778 struct page *page;
ae4e228f
MT
27779@@ -2011,6 +2302,7 @@ static int elf_core_dump(struct coredump
27780 page = get_dump_page(addr);
27781 if (page) {
27782 void *kaddr = kmap(page);
27783+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
27784 stop = ((size += PAGE_SIZE) > cprm->limit) ||
27785 !dump_write(cprm->file, kaddr,
27786 PAGE_SIZE);
27787@@ -2039,6 +2331,97 @@ out:
27788
27789 #endif /* CONFIG_ELF_CORE */
58c5fc13
MT
27790
27791+#ifdef CONFIG_PAX_MPROTECT
27792+/* PaX: non-PIC ELF libraries need relocations on their executable segments
27793+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
27794+ * we'll remove VM_MAYWRITE for good on RELRO segments.
27795+ *
27796+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
27797+ * basis because we want to allow the common case and not the special ones.
27798+ */
27799+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
27800+{
27801+ struct elfhdr elf_h;
27802+ struct elf_phdr elf_p;
27803+ unsigned long i;
27804+ unsigned long oldflags;
27805+ bool is_textrel_rw, is_textrel_rx, is_relro;
27806+
27807+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
27808+ return;
27809+
27810+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
27811+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
27812+
27813+#ifdef CONFIG_PAX_NOELFRELOCS
27814+ is_textrel_rw = false;
27815+ is_textrel_rx = false;
27816+#else
27817+ /* possible TEXTREL */
27818+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
27819+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
27820+#endif
27821+
27822+ /* possible RELRO */
27823+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
27824+
27825+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
27826+ return;
27827+
27828+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
27829+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
27830+
27831+#ifdef CONFIG_PAX_ETEXECRELOCS
27832+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27833+#else
27834+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
27835+#endif
27836+
27837+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
27838+ !elf_check_arch(&elf_h) ||
27839+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
27840+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
27841+ return;
27842+
27843+ for (i = 0UL; i < elf_h.e_phnum; i++) {
27844+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
27845+ return;
27846+ switch (elf_p.p_type) {
27847+ case PT_DYNAMIC:
27848+ if (!is_textrel_rw && !is_textrel_rx)
27849+ continue;
27850+ i = 0UL;
27851+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
27852+ elf_dyn dyn;
27853+
27854+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
27855+ return;
27856+ if (dyn.d_tag == DT_NULL)
27857+ return;
27858+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
27859+ gr_log_textrel(vma);
27860+ if (is_textrel_rw)
27861+ vma->vm_flags |= VM_MAYWRITE;
27862+ else
27863+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
27864+ vma->vm_flags &= ~VM_MAYWRITE;
27865+ return;
27866+ }
27867+ i++;
27868+ }
27869+ return;
27870+
27871+ case PT_GNU_RELRO:
27872+ if (!is_relro)
27873+ continue;
27874+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
27875+ vma->vm_flags &= ~VM_MAYWRITE;
27876+ return;
27877+ }
27878+ }
27879+}
27880+#endif
27881+
27882 static int __init init_elf_binfmt(void)
27883 {
27884 return register_binfmt(&elf_format);
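Review bot: In elf_handle_mprotect the `PT_DYNAMIC` case resets and reuses `i`, the index of the enclosing program-header loop, for its scan of the dynamic section. It is correct only because every path out of that case returns, and it would silently restart or skip headers if a `break` or `continue` were ever added there. The scan is also bounded only by `elf_p.p_filesz`, a value read from the file, whereas `e_phnum` a few lines earlier is capped at `65536UL / sizeof(struct elf_phdr)`. A file declaring a very large dynamic segment therefore makes each qualifying mprotect call issue one `kernel_read` per entry until `DT_NULL` or end of file. A separate index with the same style of cap, as below, addresses both; the `switch` would also read better with an explicit `default: break;`.

```c
	unsigned long i, j;

	/* … unchanged: flag classification, ELF header read and validation … */

		case PT_DYNAMIC:
			if (!is_textrel_rw && !is_textrel_rx)
				continue;
			/* cap the scan the same way e_phnum is capped above */
			for (j = 0UL; j < 65536UL / sizeof(elf_dyn) &&
			     (j+1) * sizeof(elf_dyn) <= elf_p.p_filesz; j++) {
				elf_dyn dyn;

				if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + j*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
					return;
				/* … unchanged: DT_NULL and DT_TEXTREL handling … */
			}
			return;
```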
ae4e228f
MT
27885diff -urNp linux-2.6.33.1/fs/binfmt_flat.c linux-2.6.33.1/fs/binfmt_flat.c
27886--- linux-2.6.33.1/fs/binfmt_flat.c 2010-03-15 12:09:39.000000000 -0400
27887+++ linux-2.6.33.1/fs/binfmt_flat.c 2010-03-20 16:58:41.369218937 -0400
27888@@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
58c5fc13
MT
27889 realdatastart = (unsigned long) -ENOMEM;
27890 printk("Unable to allocate RAM for process data, errno %d\n",
27891 (int)-realdatastart);
27892+ down_write(&current->mm->mmap_sem);
27893 do_munmap(current->mm, textpos, text_len);
27894+ up_write(&current->mm->mmap_sem);
27895 ret = realdatastart;
27896 goto err;
27897 }
ae4e228f 27898@@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
58c5fc13 27899 }
ae4e228f 27900 if (IS_ERR_VALUE(result)) {
58c5fc13
MT
27901 printk("Unable to read data+bss, errno %d\n", (int)-result);
27902+ down_write(&current->mm->mmap_sem);
27903 do_munmap(current->mm, textpos, text_len);
27904 do_munmap(current->mm, realdatastart, data_len + extra);
27905+ up_write(&current->mm->mmap_sem);
27906 ret = result;
27907 goto err;
27908 }
ae4e228f 27909@@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
58c5fc13 27910 }
ae4e228f 27911 if (IS_ERR_VALUE(result)) {
58c5fc13
MT
27912 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
27913+ down_write(&current->mm->mmap_sem);
27914 do_munmap(current->mm, textpos, text_len + data_len + extra +
27915 MAX_SHARED_LIBS * sizeof(unsigned long));
27916+ up_write(&current->mm->mmap_sem);
27917 ret = result;
27918 goto err;
27919 }
ae4e228f
MT
27920diff -urNp linux-2.6.33.1/fs/binfmt_misc.c linux-2.6.33.1/fs/binfmt_misc.c
27921--- linux-2.6.33.1/fs/binfmt_misc.c 2010-03-15 12:09:39.000000000 -0400
27922+++ linux-2.6.33.1/fs/binfmt_misc.c 2010-03-20 16:58:41.384059578 -0400
58c5fc13
MT
27923@@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
27924 static struct tree_descr bm_files[] = {
27925 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
27926 [3] = {"register", &bm_register_operations, S_IWUSR},
27927- /* last one */ {""}
27928+ /* last one */ {"", NULL, 0}
27929 };
27930 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
27931 if (!err)
ae4e228f
MT
27932diff -urNp linux-2.6.33.1/fs/bio.c linux-2.6.33.1/fs/bio.c
27933--- linux-2.6.33.1/fs/bio.c 2010-03-15 12:09:39.000000000 -0400
27934+++ linux-2.6.33.1/fs/bio.c 2010-03-20 16:58:41.384547944 -0400
27935@@ -1217,7 +1217,7 @@ static void bio_copy_kern_endio(struct b
27936 const int read = bio_data_dir(bio) == READ;
27937 struct bio_map_data *bmd = bio->bi_private;
27938 int i;
27939- char *p = bmd->sgvecs[0].iov_base;
27940+ char *p = (__force char *)bmd->sgvecs[0].iov_base;
27941
27942 __bio_for_each_segment(bvec, bio, i, 0) {
27943 char *addr = page_address(bvec->bv_page);
27944diff -urNp linux-2.6.33.1/fs/btrfs/ctree.c linux-2.6.33.1/fs/btrfs/ctree.c
27945--- linux-2.6.33.1/fs/btrfs/ctree.c 2010-03-15 12:09:39.000000000 -0400
27946+++ linux-2.6.33.1/fs/btrfs/ctree.c 2010-03-20 16:58:41.388867884 -0400
27947@@ -3645,7 +3645,6 @@ setup_items_for_insert(struct btrfs_tran
27948
27949 ret = 0;
27950 if (slot == 0) {
27951- struct btrfs_disk_key disk_key;
27952 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
27953 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
27954 }
27955diff -urNp linux-2.6.33.1/fs/btrfs/disk-io.c linux-2.6.33.1/fs/btrfs/disk-io.c
27956--- linux-2.6.33.1/fs/btrfs/disk-io.c 2010-03-15 12:09:39.000000000 -0400
27957+++ linux-2.6.33.1/fs/btrfs/disk-io.c 2010-03-20 16:58:41.388867884 -0400
27958@@ -39,7 +39,7 @@
27959 #include "tree-log.h"
27960 #include "free-space-cache.h"
27961
27962-static struct extent_io_ops btree_extent_io_ops;
27963+static const struct extent_io_ops btree_extent_io_ops;
27964 static void end_workqueue_fn(struct btrfs_work *work);
27965 static void free_fs_root(struct btrfs_root *root);
27966
27967@@ -2605,7 +2605,7 @@ out:
58c5fc13
MT
27968 return 0;
27969 }
27970
ae4e228f
MT
27971-static struct extent_io_ops btree_extent_io_ops = {
27972+static const struct extent_io_ops btree_extent_io_ops = {
27973 .write_cache_pages_lock_hook = btree_lock_page_hook,
27974 .readpage_end_io_hook = btree_readpage_end_io_hook,
27975 .submit_bio_hook = btree_submit_bio_hook,
27976diff -urNp linux-2.6.33.1/fs/btrfs/extent_io.h linux-2.6.33.1/fs/btrfs/extent_io.h
27977--- linux-2.6.33.1/fs/btrfs/extent_io.h 2010-03-15 12:09:39.000000000 -0400
27978+++ linux-2.6.33.1/fs/btrfs/extent_io.h 2010-03-20 16:58:41.392898040 -0400
27979@@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
27980 struct bio *bio, int mirror_num,
27981 unsigned long bio_flags);
27982 struct extent_io_ops {
27983- int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
27984+ int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
27985 u64 start, u64 end, int *page_started,
27986 unsigned long *nr_written);
27987- int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
27988- int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
27989+ int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
27990+ int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
27991 extent_submit_bio_hook_t *submit_bio_hook;
27992- int (*merge_bio_hook)(struct page *page, unsigned long offset,
27993+ int (* const merge_bio_hook)(struct page *page, unsigned long offset,
27994 size_t size, struct bio *bio,
27995 unsigned long bio_flags);
27996- int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
27997- int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
27998+ int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
27999+ int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
28000 u64 start, u64 end,
28001 struct extent_state *state);
28002- int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
28003+ int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
28004 u64 start, u64 end,
28005 struct extent_state *state);
28006- int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
28007+ int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
28008 struct extent_state *state);
28009- int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
28010+ int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
28011 struct extent_state *state, int uptodate);
28012- int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
28013+ int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
28014 unsigned long old, unsigned long bits);
28015- int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
28016+ int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
28017 unsigned long bits);
28018- int (*merge_extent_hook)(struct inode *inode,
28019+ int (* const merge_extent_hook)(struct inode *inode,
28020 struct extent_state *new,
28021 struct extent_state *other);
28022- int (*split_extent_hook)(struct inode *inode,
28023+ int (* const split_extent_hook)(struct inode *inode,
28024 struct extent_state *orig, u64 split);
28025- int (*write_cache_pages_lock_hook)(struct page *page);
28026+ int (* const write_cache_pages_lock_hook)(struct page *page);
28027 };
28028
28029 struct extent_io_tree {
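Review bot: Every function-pointer member of `struct extent_io_ops` becomes `* const` in this hunk except `submit_bio_hook`, which is declared through the `extent_submit_bio_hook_t` typedef and is left writable. If the intent is that no hook can be reassigned after initialisation, that member needs the same treatment: `extent_submit_bio_hook_t * const submit_bio_hook;`. If it was skipped on purpose, a short comment on the member saying why would keep the struct from looking half-converted.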
28030@@ -88,7 +88,7 @@ struct extent_io_tree {
28031 u64 dirty_bytes;
28032 spinlock_t lock;
28033 spinlock_t buffer_lock;
28034- struct extent_io_ops *ops;
28035+ const struct extent_io_ops *ops;
28036 };
28037
28038 struct extent_state {
28039diff -urNp linux-2.6.33.1/fs/btrfs/free-space-cache.c linux-2.6.33.1/fs/btrfs/free-space-cache.c
28040--- linux-2.6.33.1/fs/btrfs/free-space-cache.c 2010-03-15 12:09:39.000000000 -0400
28041+++ linux-2.6.33.1/fs/btrfs/free-space-cache.c 2010-03-20 16:58:41.392898040 -0400
28042@@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
28043
28044 while(1) {
28045 if (entry->bytes < bytes || entry->offset < min_start) {
28046- struct rb_node *node;
28047-
28048 node = rb_next(&entry->offset_index);
28049 if (!node)
28050 break;
28051@@ -1226,7 +1224,7 @@ again:
28052 */
28053 while (entry->bitmap || found_bitmap ||
28054 (!entry->bitmap && entry->bytes < min_bytes)) {
28055- struct rb_node *node = rb_next(&entry->offset_index);
28056+ node = rb_next(&entry->offset_index);
28057
28058 if (entry->bitmap && entry->bytes > bytes + empty_size) {
28059 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
28060diff -urNp linux-2.6.33.1/fs/btrfs/inode.c linux-2.6.33.1/fs/btrfs/inode.c
28061--- linux-2.6.33.1/fs/btrfs/inode.c 2010-03-15 12:09:39.000000000 -0400
28062+++ linux-2.6.33.1/fs/btrfs/inode.c 2010-03-20 16:58:41.396902904 -0400
28063@@ -63,7 +63,7 @@ static const struct inode_operations btr
28064 static const struct address_space_operations btrfs_aops;
28065 static const struct address_space_operations btrfs_symlink_aops;
28066 static const struct file_operations btrfs_dir_file_operations;
28067-static struct extent_io_ops btrfs_extent_io_ops;
28068+static const struct extent_io_ops btrfs_extent_io_ops;
28069
28070 static struct kmem_cache *btrfs_inode_cachep;
28071 struct kmem_cache *btrfs_trans_handle_cachep;
28072@@ -5973,7 +5973,7 @@ static const struct file_operations btrf
28073 .fsync = btrfs_sync_file,
28074 };
58c5fc13 28075
28076-static struct extent_io_ops btrfs_extent_io_ops = {
28077+static const struct extent_io_ops btrfs_extent_io_ops = {
28078 .fill_delalloc = run_delalloc_range,
28079 .submit_bio_hook = btrfs_submit_bio_hook,
28080 .merge_bio_hook = btrfs_merge_bio_hook,
28081diff -urNp linux-2.6.33.1/fs/btrfs/sysfs.c linux-2.6.33.1/fs/btrfs/sysfs.c
28082--- linux-2.6.33.1/fs/btrfs/sysfs.c 2010-03-15 12:09:39.000000000 -0400
28083+++ linux-2.6.33.1/fs/btrfs/sysfs.c 2010-03-20 16:58:41.404901120 -0400
28084@@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
28085 complete(&root->kobj_unregister);
28086 }
28087
28088-static struct sysfs_ops btrfs_super_attr_ops = {
28089+static const struct sysfs_ops btrfs_super_attr_ops = {
28090 .show = btrfs_super_attr_show,
28091 .store = btrfs_super_attr_store,
28092 };
28093
28094-static struct sysfs_ops btrfs_root_attr_ops = {
28095+static const struct sysfs_ops btrfs_root_attr_ops = {
28096 .show = btrfs_root_attr_show,
28097 .store = btrfs_root_attr_store,
28098 };
28099diff -urNp linux-2.6.33.1/fs/buffer.c linux-2.6.33.1/fs/buffer.c
28100--- linux-2.6.33.1/fs/buffer.c 2010-03-15 12:09:39.000000000 -0400
28101+++ linux-2.6.33.1/fs/buffer.c 2010-03-20 16:58:41.408897047 -0400
28102@@ -25,6 +25,7 @@
28103 #include <linux/percpu.h>
28104 #include <linux/slab.h>
28105 #include <linux/capability.h>
28106+#include <linux/security.h>
28107 #include <linux/blkdev.h>
28108 #include <linux/file.h>
28109 #include <linux/quotaops.h>
28110diff -urNp linux-2.6.33.1/fs/cachefiles/daemon.c linux-2.6.33.1/fs/cachefiles/daemon.c
28111--- linux-2.6.33.1/fs/cachefiles/daemon.c 2010-03-15 12:09:39.000000000 -0400
28112+++ linux-2.6.33.1/fs/cachefiles/daemon.c 2010-03-20 16:58:41.408897047 -0400
28113@@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
28114 if (n > buflen)
28115 return -EMSGSIZE;
28116
28117- if (copy_to_user(_buffer, buffer, n) != 0)
28118+ if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
28119 return -EFAULT;
58c5fc13 28120
28121 return n;
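Review bot: The added `n > sizeof(buffer)` test shares the `-EFAULT` return with a failed `copy_to_user()`, so an internal length that overruns `buffer` is reported to the caller as a bad user pointer. `n` is set before the hunk (presumably by the call that formats `buffer`), so the guard is really an internal-consistency check and would read better as its own statement ahead of the copy, with a comment such as `/* never copy past the end of buffer[] */`. The ecryptfs miscdev hunk later in this patch folds `packet_length_size > sizeof(packet_length)` into the copy condition in the same way. cachefiles_daemon_read starts outside the hunk.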
28122diff -urNp linux-2.6.33.1/fs/cachefiles/rdwr.c linux-2.6.33.1/fs/cachefiles/rdwr.c
28123--- linux-2.6.33.1/fs/cachefiles/rdwr.c 2010-03-15 12:09:39.000000000 -0400
28124+++ linux-2.6.33.1/fs/cachefiles/rdwr.c 2010-03-20 16:58:41.412812404 -0400
28125@@ -944,7 +944,7 @@ int cachefiles_write_page(struct fscache
28126 old_fs = get_fs();
28127 set_fs(KERNEL_DS);
28128 ret = file->f_op->write(
28129- file, (const void __user *) data, len, &pos);
28130+ file, (__force const void __user *) data, len, &pos);
28131 set_fs(old_fs);
28132 kunmap(page);
28133 if (ret != len)
28134diff -urNp linux-2.6.33.1/fs/cifs/cifs_uniupr.h linux-2.6.33.1/fs/cifs/cifs_uniupr.h
28135--- linux-2.6.33.1/fs/cifs/cifs_uniupr.h 2010-03-15 12:09:39.000000000 -0400
28136+++ linux-2.6.33.1/fs/cifs/cifs_uniupr.h 2010-03-20 16:58:41.416893406 -0400
28137@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
28138 {0x0490, 0x04cc, UniCaseRangeU0490},
28139 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
28140 {0xff40, 0xff5a, UniCaseRangeUff40},
28141- {0}
28142+ {0, 0, NULL}
28143 };
28144 #endif
28145
28146diff -urNp linux-2.6.33.1/fs/cifs/link.c linux-2.6.33.1/fs/cifs/link.c
28147--- linux-2.6.33.1/fs/cifs/link.c 2010-03-15 12:09:39.000000000 -0400
28148+++ linux-2.6.33.1/fs/cifs/link.c 2010-03-20 16:58:41.416893406 -0400
28149@@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
28150
28151 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
28152 {
28153- char *p = nd_get_link(nd);
28154+ const char *p = nd_get_link(nd);
28155 if (!IS_ERR(p))
28156 kfree(p);
28157 }
28158diff -urNp linux-2.6.33.1/fs/compat_binfmt_elf.c linux-2.6.33.1/fs/compat_binfmt_elf.c
28159--- linux-2.6.33.1/fs/compat_binfmt_elf.c 2010-03-15 12:09:39.000000000 -0400
28160+++ linux-2.6.33.1/fs/compat_binfmt_elf.c 2010-03-20 16:58:41.424927933 -0400
28161@@ -29,10 +29,12 @@
28162 #undef elfhdr
28163 #undef elf_phdr
28164 #undef elf_note
ae4e228f 28165+#undef elf_dyn
28166 #undef elf_addr_t
28167 #define elfhdr elf32_hdr
28168 #define elf_phdr elf32_phdr
28169 #define elf_note elf32_note
28170+#define elf_dyn Elf32_Dyn
28171 #define elf_addr_t Elf32_Addr
28172
28173 /*
28174diff -urNp linux-2.6.33.1/fs/compat.c linux-2.6.33.1/fs/compat.c
28175--- linux-2.6.33.1/fs/compat.c 2010-03-15 12:09:39.000000000 -0400
28176+++ linux-2.6.33.1/fs/compat.c 2010-03-20 16:58:41.424927933 -0400
28177@@ -1408,14 +1408,12 @@ static int compat_copy_strings(int argc,
28178 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
28179 struct page *page;
28180
28181-#ifdef CONFIG_STACK_GROWSUP
28182 ret = expand_stack_downwards(bprm->vma, pos);
28183 if (ret < 0) {
28184 /* We've exceed the stack rlimit. */
28185 ret = -E2BIG;
28186 goto out;
28187 }
28188-#endif
28189 ret = get_user_pages(current, bprm->mm, pos,
28190 1, 1, 1, &page, NULL);
28191 if (ret <= 0) {
ae4e228f 28192@@ -1461,6 +1459,11 @@ int compat_do_execve(char * filename,
28193 compat_uptr_t __user *envp,
28194 struct pt_regs * regs)
28195 {
28196+#ifdef CONFIG_GRKERNSEC
28197+ struct file *old_exec_file;
28198+ struct acl_subject_label *old_acl;
28199+ struct rlimit old_rlim[RLIM_NLIMITS];
28200+#endif
28201 struct linux_binprm *bprm;
28202 struct file *file;
28203 struct files_struct *displaced;
ae4e228f 28204@@ -1497,6 +1500,14 @@ int compat_do_execve(char * filename,
28205 bprm->filename = filename;
28206 bprm->interp = filename;
28207
28208+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
28209+ retval = -EAGAIN;
28210+ if (gr_handle_nproc())
28211+ goto out_file;
28212+ retval = -EACCES;
28213+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
28214+ goto out_file;
28215+
28216 retval = bprm_mm_init(bprm);
28217 if (retval)
28218 goto out_file;
ae4e228f 28219@@ -1526,9 +1537,40 @@ int compat_do_execve(char * filename,
28220 if (retval < 0)
28221 goto out;
28222
28223+ if (!gr_tpe_allow(file)) {
28224+ retval = -EACCES;
28225+ goto out;
28226+ }
28227+
28228+ if (gr_check_crash_exec(file)) {
28229+ retval = -EACCES;
28230+ goto out;
28231+ }
28232+
28233+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28234+
28235+ gr_handle_exec_args(bprm, (char __user * __user *)argv);
28236+
28237+#ifdef CONFIG_GRKERNSEC
28238+ old_acl = current->acl;
28239+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28240+ old_exec_file = current->exec_file;
28241+ get_file(file);
28242+ current->exec_file = file;
28243+#endif
28244+
28245+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28246+ bprm->unsafe & LSM_UNSAFE_SHARE);
28247+ if (retval < 0)
28248+ goto out_fail;
28249+
28250 retval = search_binary_handler(bprm, regs);
28251 if (retval < 0)
28252- goto out;
28253+ goto out_fail;
28254+#ifdef CONFIG_GRKERNSEC
28255+ if (old_exec_file)
28256+ fput(old_exec_file);
28257+#endif
28258
28259 current->stack_start = current->mm->start_stack;
28260
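Review bot: `gr_handle_exec_args(bprm, (char __user * __user *)argv);` passes the compat argument vector under a native pointer-to-pointer type, and the cast hides that the element width differs. The signature context in the first hunk of this function shows `envp` as `compat_uptr_t __user *`, so `argv` is presumably an array of 32-bit `compat_uptr_t` entries. If gr_handle_exec_args() (not visible here) walks it as `char __user *` slots, a 64-bit kernel would read two entries as one pointer and log or copy from the wrong user addresses. A compat-aware variant that fetches each entry as a `compat_uptr_t` and converts it with `compat_ptr()` would avoid this; at minimum the cast needs a comment stating what the callee does with the vector. compat_do_execve starts and ends outside the hunk.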
28261@@ -1541,6 +1583,14 @@ int compat_do_execve(char * filename,
28262 put_files_struct(displaced);
28263 return retval;
28264
28265+out_fail:
28266+#ifdef CONFIG_GRKERNSEC
28267+ current->acl = old_acl;
28268+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28269+ fput(current->exec_file);
28270+ current->exec_file = old_exec_file;
28271+#endif
28272+
28273 out:
28274 if (bprm->mm)
28275 mmput(bprm->mm);
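Review bot: The `out_fail` path restores limits with `memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));` and no lock is taken in the lines shown, yet `signal->rlim` is shared by the whole thread group. If exec fails while sibling threads still exist, a limit another thread changed between the snapshot and this restore would be silently overwritten; the snapshot `memcpy` in the previous hunk is the matching unlocked read. Taking the lock the rlimit setters use around both copies (presumably `task_lock(current->group_leader)` in this kernel, to be confirmed) would close the window. The `out_fail` block added to do_execve in fs/exec.c later in this patch is identical and needs the same treatment. compat_do_execve starts outside the hunk.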
28276diff -urNp linux-2.6.33.1/fs/debugfs/inode.c linux-2.6.33.1/fs/debugfs/inode.c
28277--- linux-2.6.33.1/fs/debugfs/inode.c 2010-03-15 12:09:39.000000000 -0400
28278+++ linux-2.6.33.1/fs/debugfs/inode.c 2010-03-20 16:58:41.432715858 -0400
28279@@ -128,7 +128,7 @@ static inline int debugfs_positive(struc
28280
28281 static int debug_fill_super(struct super_block *sb, void *data, int silent)
28282 {
28283- static struct tree_descr debug_files[] = {{""}};
28284+ static struct tree_descr debug_files[] = {{"", NULL, 0}};
28285
28286 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
28287 }
28288diff -urNp linux-2.6.33.1/fs/dlm/lockspace.c linux-2.6.33.1/fs/dlm/lockspace.c
28289--- linux-2.6.33.1/fs/dlm/lockspace.c 2010-03-15 12:09:39.000000000 -0400
28290+++ linux-2.6.33.1/fs/dlm/lockspace.c 2010-03-20 16:58:41.444895285 -0400
28291@@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
28292 kfree(ls);
28293 }
28294
28295-static struct sysfs_ops dlm_attr_ops = {
28296+static const struct sysfs_ops dlm_attr_ops = {
28297 .show = dlm_attr_show,
28298 .store = dlm_attr_store,
28299 };
28300diff -urNp linux-2.6.33.1/fs/ecryptfs/inode.c linux-2.6.33.1/fs/ecryptfs/inode.c
28301--- linux-2.6.33.1/fs/ecryptfs/inode.c 2010-03-15 12:09:39.000000000 -0400
28302+++ linux-2.6.33.1/fs/ecryptfs/inode.c 2010-03-20 16:58:41.460901500 -0400
28303@@ -685,7 +685,7 @@ ecryptfs_readlink(struct dentry *dentry,
28304 old_fs = get_fs();
28305 set_fs(get_ds());
28306 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
28307- (char __user *)lower_buf,
28308+ (__force char __user *)lower_buf,
28309 lower_bufsiz);
28310 set_fs(old_fs);
28311 if (rc >= 0) {
28312@@ -729,7 +729,7 @@ static void *ecryptfs_follow_link(struct
28313 }
28314 old_fs = get_fs();
28315 set_fs(get_ds());
28316- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
28317+ rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
28318 set_fs(old_fs);
28319 if (rc < 0) {
28320 kfree(buf);
28321@@ -744,7 +744,7 @@ out:
28322 static void
28323 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
28324 {
28325- char *buf = nd_get_link(nd);
28326+ const char *buf = nd_get_link(nd);
28327 if (!IS_ERR(buf)) {
28328 /* Free the char* */
28329 kfree(buf);
28330diff -urNp linux-2.6.33.1/fs/ecryptfs/miscdev.c linux-2.6.33.1/fs/ecryptfs/miscdev.c
28331--- linux-2.6.33.1/fs/ecryptfs/miscdev.c 2010-03-15 12:09:39.000000000 -0400
28332+++ linux-2.6.33.1/fs/ecryptfs/miscdev.c 2010-03-20 16:58:41.460901500 -0400
28333@@ -327,7 +327,7 @@ check_list:
28334 goto out_unlock_msg_ctx;
28335 i = 5;
28336 if (msg_ctx->msg) {
28337- if (copy_to_user(&buf[i], packet_length, packet_length_size))
28338+ if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
28339 goto out_unlock_msg_ctx;
28340 i += packet_length_size;
28341 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
28342diff -urNp linux-2.6.33.1/fs/exec.c linux-2.6.33.1/fs/exec.c
28343--- linux-2.6.33.1/fs/exec.c 2010-03-15 12:09:39.000000000 -0400
28344+++ linux-2.6.33.1/fs/exec.c 2010-03-20 16:58:41.472962075 -0400
58c5fc13 28345@@ -55,12 +55,24 @@
28346 #include <linux/fsnotify.h>
28347 #include <linux/fs_struct.h>
ae4e228f 28348 #include <linux/pipe_fs_i.h>
28349+#include <linux/random.h>
28350+#include <linux/seq_file.h>
28351+
28352+#ifdef CONFIG_PAX_REFCOUNT
28353+#include <linux/kallsyms.h>
28354+#include <linux/kdebug.h>
28355+#endif
28356
28357 #include <asm/uaccess.h>
28358 #include <asm/mmu_context.h>
28359 #include <asm/tlb.h>
28360 #include "internal.h"
28361
28362+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
28363+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
28364+EXPORT_SYMBOL(pax_set_initial_flags_func);
28365+#endif
28366+
28367 int core_uses_pid;
28368 char core_pattern[CORENAME_MAX_SIZE] = "core";
28369 unsigned int core_pipe_limit;
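Review bot: `void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);` is added as a writable, exported global function pointer with no comment on who assigns it or when. Elsewhere this patch makes ops tables `const` so that their function pointers cannot be changed at run time, and this hook is the kind of pointer that work is meant to protect; through `EXPORT_SYMBOL` any module can also assign it. I would add a comment such as `/* assigned by the ACL code; callers must check for NULL */` (wording to be confirmed against the code that sets it, which is not in this hunk) and consider a registration function rather than exposing the raw pointer.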
28370@@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
28371 goto out;
28372
28373 file = do_filp_open(AT_FDCWD, tmp,
28374- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28375+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28376 MAY_READ | MAY_EXEC | MAY_OPEN);
28377 putname(tmp);
28378 error = PTR_ERR(file);
ae4e228f 28379@@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
28380 int write)
28381 {
28382 struct page *page;
28383- int ret;
28384
28385-#ifdef CONFIG_STACK_GROWSUP
28386- if (write) {
28387- ret = expand_stack_downwards(bprm->vma, pos);
28388- if (ret < 0)
28389- return NULL;
28390- }
28391-#endif
28392- ret = get_user_pages(current, bprm->mm, pos,
28393- 1, write, 1, &page, NULL);
28394- if (ret <= 0)
28395+ if (0 > expand_stack_downwards(bprm->vma, pos))
28396+ return NULL;
28397+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
28398 return NULL;
28399
28400 if (write) {
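Review bot: The rewritten prologue drops the `if (write)` guard as well as the `CONFIG_STACK_GROWSUP` conditional, so `expand_stack_downwards()` now runs on read lookups too, and a failure there returns NULL before `get_user_pages()` is tried. If that is intended a comment should say why; otherwise keep the guard, `if (write && expand_stack_downwards(bprm->vma, pos) < 0) return NULL;`. The constant-first comparisons (`0 > …`, `0 >= …`) read against the style of the surrounding code; `< 0` and `<= 0` with the call on the left would match it. The same `#ifdef` is removed in compat_copy_strings in fs/compat.c earlier in this patch. get_arg_page's signature begins before the hunk and its body continues after it.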
ae4e228f 28401@@ -245,6 +249,11 @@ static int __bprm_mm_init(struct linux_b
28402 vma->vm_end = STACK_TOP_MAX;
28403 vma->vm_start = vma->vm_end - PAGE_SIZE;
28404 vma->vm_flags = VM_STACK_FLAGS;
28405+
28406+#ifdef CONFIG_PAX_SEGMEXEC
28407+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
28408+#endif
28409+
28410 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
28411 err = insert_vm_struct(mm, vma);
28412 if (err)
ae4e228f 28413@@ -253,6 +262,12 @@ static int __bprm_mm_init(struct linux_b
28414 mm->stack_vm = mm->total_vm = 1;
28415 up_write(&mm->mmap_sem);
28416 bprm->p = vma->vm_end - sizeof(void *);
28417+
28418+#ifdef CONFIG_PAX_RANDUSTACK
28419+ if (randomize_va_space)
28420+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
28421+#endif
28422+
28423 return 0;
28424 err:
28425 up_write(&mm->mmap_sem);
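Review bot: `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` needs a comment, because the amount of randomisation is not obvious from the expression. The two masks keep only the in-page offset bits above the low four, so with 4 KiB pages this perturbs eight bits of the initial stack pointer in 16-byte steps and, assuming `vm_end` is page aligned, never moves it out of the single page mapped here (`vm_start = vm_end - PAGE_SIZE` in the preceding hunk). Something like `/* randomise the offset inside the first stack page, keeping 16-byte alignment */` would do, with a pointer to where page-granular stack randomisation is applied, which is not in this hunk. __bprm_mm_init starts outside the hunk.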
28426@@ -474,7 +489,7 @@ int copy_strings_kernel(int argc,char **
28427 int r;
28428 mm_segment_t oldfs = get_fs();
28429 set_fs(KERNEL_DS);
28430- r = copy_strings(argc, (char __user * __user *)argv, bprm);
28431+ r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
28432 set_fs(oldfs);
28433 return r;
28434 }
28435@@ -504,7 +519,8 @@ static int shift_arg_pages(struct vm_are
28436 unsigned long new_end = old_end - shift;
28437 struct mmu_gather *tlb;
28438
28439- BUG_ON(new_start > new_end);
28440+ if (new_start >= new_end || new_start < mmap_min_addr)
28441+ return -EFAULT;
28442
28443 /*
28444 * ensure there are no vmas between where we want to go
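Review bot: The check `if (new_start >= new_end || new_start < mmap_min_addr) return -EFAULT;` replaces a `BUG_ON` and adds a lower bound, but nothing records why an empty range or an address under `mmap_min_addr` is now a recoverable error rather than a kernel bug. `new_end` is computed as `old_end - shift` in unsigned arithmetic (and `new_start` presumably likewise), so a `shift` larger than `old_end` would wrap both bounds to high addresses and pass this test, leaving the `find_vma()` comparison in the next hunk's context as the only rejection. A comment such as `/* never move the stack below mmap_min_addr; wrapped values are caught by the find_vma() check below */` would record the reasoning, or the function could reject `shift > old_start` up front. shift_arg_pages starts and ends outside the hunk.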
ae4e228f 28445@@ -513,6 +529,10 @@ static int shift_arg_pages(struct vm_are
28446 if (vma != find_vma(mm, new_start))
28447 return -EFAULT;
28448
28449+#ifdef CONFIG_PAX_SEGMEXEC
28450+ BUG_ON(pax_find_mirror_vma(vma));
28451+#endif
28452+
28453 /*
28454 * cover the whole range: [new_start, old_end)
28455 */
ae4e228f 28456@@ -604,8 +624,28 @@ int setup_arg_pages(struct linux_binprm
28457 bprm->exec -= stack_shift;
28458
28459 down_write(&mm->mmap_sem);
28460+
28461+ /* Move stack pages down in memory. */
28462+ if (stack_shift) {
28463+ ret = shift_arg_pages(vma, stack_shift);
28464+ if (ret)
28465+ goto out_unlock;
28466+ }
28467+
28468 vm_flags = VM_STACK_FLAGS;
28469
28470+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28471+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
28472+ vm_flags &= ~VM_EXEC;
28473+
28474+#ifdef CONFIG_PAX_MPROTECT
28475+ if (mm->pax_flags & MF_PAX_MPROTECT)
28476+ vm_flags &= ~VM_MAYEXEC;
28477+#endif
28478+
28479+ }
28480+#endif
28481+
28482 /*
28483 * Adjust stack execute permissions; explicitly enable for
28484 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
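Review bot: The new block clears `VM_EXEC` from `vm_flags` ahead of the existing code that, per the comment at the end of this hunk, explicitly enables execute permission for `EXSTACK_ENABLE_X`. Unless the caller has already forced `executable_stack` away from `EXSTACK_ENABLE_X` whenever `MF_PAX_PAGEEXEC` or `MF_PAX_SEGMEXEC` is set (not visible here), that later step would set `VM_EXEC` again and the clearing would have no effect for such binaries. Either move the block after the EXSTACK adjustment or add a comment naming where the guarantee is made, for example `/* relies on the loader never passing EXSTACK_ENABLE_X while PAGEEXEC/SEGMEXEC is active */`. The hunk also moves the `shift_arg_pages()` call ahead of the permission change (the old call site is removed in the next hunk), and the reason for that reordering should be stated too. setup_arg_pages starts and ends outside the hunk.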
28485@@ -623,13 +663,6 @@ int setup_arg_pages(struct linux_binprm
28486 goto out_unlock;
28487 BUG_ON(prev != vma);
28488
28489- /* Move stack pages down in memory. */
28490- if (stack_shift) {
28491- ret = shift_arg_pages(vma, stack_shift);
28492- if (ret)
28493- goto out_unlock;
28494- }
28495-
28496 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
28497 stack_size = vma->vm_end - vma->vm_start;
28498 /*
28499@@ -666,7 +699,7 @@ struct file *open_exec(const char *name)
28500 int err;
28501
28502 file = do_filp_open(AT_FDCWD, name,
28503- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
28504+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
28505 MAY_EXEC | MAY_OPEN);
28506 if (IS_ERR(file))
28507 goto out;
28508@@ -703,7 +736,7 @@ int kernel_read(struct file *file, loff_
28509 old_fs = get_fs();
28510 set_fs(get_ds());
28511 /* The cast to a user pointer is valid due to the set_fs() */
28512- result = vfs_read(file, (void __user *)addr, count, &pos);
28513+ result = vfs_read(file, (__force void __user *)addr, count, &pos);
28514 set_fs(old_fs);
28515 return result;
28516 }
28517@@ -1120,7 +1153,7 @@ int check_unsafe_exec(struct linux_binpr
28518 }
28519 rcu_read_unlock();
28520
28521- if (p->fs->users > n_fs) {
28522+ if (atomic_read(&p->fs->users) > n_fs) {
28523 bprm->unsafe |= LSM_UNSAFE_SHARE;
28524 } else {
28525 res = -EAGAIN;
ae4e228f 28526@@ -1316,6 +1349,11 @@ int do_execve(char * filename,
28527 char __user *__user *envp,
28528 struct pt_regs * regs)
28529 {
28530+#ifdef CONFIG_GRKERNSEC
28531+ struct file *old_exec_file;
28532+ struct acl_subject_label *old_acl;
28533+ struct rlimit old_rlim[RLIM_NLIMITS];
28534+#endif
28535 struct linux_binprm *bprm;
28536 struct file *file;
28537 struct files_struct *displaced;
ae4e228f 28538@@ -1352,6 +1390,18 @@ int do_execve(char * filename,
28539 bprm->filename = filename;
28540 bprm->interp = filename;
28541
28542+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
28543+
28544+ if (gr_handle_nproc()) {
28545+ retval = -EAGAIN;
28546+ goto out_file;
28547+ }
28548+
28549+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
28550+ retval = -EACCES;
28551+ goto out_file;
28552+ }
28553+
28554 retval = bprm_mm_init(bprm);
28555 if (retval)
28556 goto out_file;
ae4e228f 28557@@ -1381,10 +1431,41 @@ int do_execve(char * filename,
28558 if (retval < 0)
28559 goto out;
28560
28561+ if (!gr_tpe_allow(file)) {
28562+ retval = -EACCES;
28563+ goto out;
28564+ }
28565+
28566+ if (gr_check_crash_exec(file)) {
28567+ retval = -EACCES;
28568+ goto out;
28569+ }
28570+
28571+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
28572+
28573+ gr_handle_exec_args(bprm, argv);
28574+
28575+#ifdef CONFIG_GRKERNSEC
28576+ old_acl = current->acl;
28577+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
28578+ old_exec_file = current->exec_file;
28579+ get_file(file);
28580+ current->exec_file = file;
28581+#endif
28582+
28583+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
28584+ bprm->unsafe & LSM_UNSAFE_SHARE);
28585+ if (retval < 0)
28586+ goto out_fail;
28587+
28588 current->flags &= ~PF_KTHREAD;
28589 retval = search_binary_handler(bprm,regs);
28590 if (retval < 0)
28591- goto out;
28592+ goto out_fail;
28593+#ifdef CONFIG_GRKERNSEC
28594+ if (old_exec_file)
28595+ fput(old_exec_file);
28596+#endif
28597
28598 current->stack_start = current->mm->start_stack;
28599
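Review bot: The block added here (the TPE and crash checks, the `old_acl`/`old_rlim`/`old_exec_file` snapshot, `gr_set_proc_label()` and the switch to `out_fail`) is repeated almost line for line in compat_do_execve in fs/compat.c, and the two copies already differ in form in the earlier hunk (braced `if` blocks here, assign-then-test there). Security checks duplicated across the native and compat exec paths tend to drift apart, and a check that is later changed on one path only leaves the other path weaker. I would move the pre-exec checks and the snapshot/restore into helpers declared in a shared header and called from both functions, so that a later change is made once. do_execve starts and ends outside the hunk.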
28600@@ -1397,6 +1478,14 @@ int do_execve(char * filename,
28601 put_files_struct(displaced);
28602 return retval;
28603
28604+out_fail:
28605+#ifdef CONFIG_GRKERNSEC
28606+ current->acl = old_acl;
28607+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
28608+ fput(current->exec_file);
28609+ current->exec_file = old_exec_file;
28610+#endif
28611+
28612 out:
28613 if (bprm->mm)
28614 mmput (bprm->mm);
ae4e228f 28615@@ -1560,6 +1649,169 @@ out:
28616 return ispipe;
28617 }
28618
28619+int pax_check_flags(unsigned long *flags)
28620+{
28621+ int retval = 0;
28622+
28623+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
28624+ if (*flags & MF_PAX_SEGMEXEC)
28625+ {
28626+ *flags &= ~MF_PAX_SEGMEXEC;
28627+ retval = -EINVAL;
28628+ }
28629+#endif
28630+
28631+ if ((*flags & MF_PAX_PAGEEXEC)
28632+
28633+#ifdef CONFIG_PAX_PAGEEXEC
28634+ && (*flags & MF_PAX_SEGMEXEC)
28635+#endif
28636+
28637+ )
28638+ {
28639+ *flags &= ~MF_PAX_PAGEEXEC;
28640+ retval = -EINVAL;
28641+ }
28642+
28643+ if ((*flags & MF_PAX_MPROTECT)
28644+
28645+#ifdef CONFIG_PAX_MPROTECT
28646+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28647+#endif
28648+
28649+ )
28650+ {
28651+ *flags &= ~MF_PAX_MPROTECT;
28652+ retval = -EINVAL;
28653+ }
28654+
28655+ if ((*flags & MF_PAX_EMUTRAMP)
28656+
28657+#ifdef CONFIG_PAX_EMUTRAMP
28658+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
28659+#endif
28660+
28661+ )
28662+ {
28663+ *flags &= ~MF_PAX_EMUTRAMP;
28664+ retval = -EINVAL;
28665+ }
28666+
28667+ return retval;
28668+}
28669+
28670+EXPORT_SYMBOL(pax_check_flags);
28671+
28672+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28673+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
28674+{
28675+ struct task_struct *tsk = current;
28676+ struct mm_struct *mm = current->mm;
28677+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
28678+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
28679+ char *path_exec = NULL;
28680+ char *path_fault = NULL;
28681+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
28682+
28683+ if (buffer_exec && buffer_fault) {
28684+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
28685+
28686+ down_read(&mm->mmap_sem);
28687+ vma = mm->mmap;
28688+ while (vma && (!vma_exec || !vma_fault)) {
28689+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
28690+ vma_exec = vma;
28691+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
28692+ vma_fault = vma;
28693+ vma = vma->vm_next;
28694+ }
28695+ if (vma_exec) {
28696+ path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
28697+ if (IS_ERR(path_exec))
28698+ path_exec = "<path too long>";
28699+ else {
28700+ path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
28701+ if (path_exec) {
28702+ *path_exec = 0;
28703+ path_exec = buffer_exec;
28704+ } else
28705+ path_exec = "<path too long>";
28706+ }
28707+ }
28708+ if (vma_fault) {
28709+ start = vma_fault->vm_start;
28710+ end = vma_fault->vm_end;
28711+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
28712+ if (vma_fault->vm_file) {
28713+ path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
28714+ if (IS_ERR(path_fault))
28715+ path_fault = "<path too long>";
28716+ else {
28717+ path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
28718+ if (path_fault) {
28719+ *path_fault = 0;
28720+ path_fault = buffer_fault;
28721+ } else
28722+ path_fault = "<path too long>";
28723+ }
28724+ } else
28725+ path_fault = "<anonymous mapping>";
28726+ }
28727+ up_read(&mm->mmap_sem);
28728+ }
28729+ if (tsk->signal->curr_ip)
ae4e228f 28730+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
28731+ else
28732+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
28733+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
28734+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
28735+ task_uid(tsk), task_euid(tsk), pc, sp);
28736+ free_page((unsigned long)buffer_exec);
28737+ free_page((unsigned long)buffer_fault);
28738+ pax_report_insns(pc, sp);
28739+ do_coredump(SIGKILL, SIGKILL, regs);
28740+}
28741+#endif
28742+
28743+#ifdef CONFIG_PAX_REFCOUNT
28744+void pax_report_refcount_overflow(struct pt_regs *regs)
28745+{
28746+ if (current->signal->curr_ip)
28747+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28748+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
28749+ else
28750+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
28751+ current->comm, task_pid_nr(current), current_uid(), current_euid());
28752+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
28753+ show_regs(regs);
ae4e228f 28754+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
28755+}
28756+#endif
28757+
28758+#ifdef CONFIG_PAX_USERCOPY
28759+void pax_report_leak_to_user(const void *ptr, unsigned long len)
28760+{
28761+ if (current->signal->curr_ip)
28762+ printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
28763+ &current->signal->curr_ip, ptr, len);
28764+ else
28765+ printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
28766+ dump_stack();
28767+ do_group_exit(SIGKILL);
28768+}
28769+
28770+void pax_report_overflow_from_user(const void *ptr, unsigned long len)
28771+{
28772+ if (current->signal->curr_ip)
28773+ printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
28774+ &current->signal->curr_ip, ptr, len);
28775+ else
28776+ printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
28777+ dump_stack();
28778+ do_group_exit(SIGKILL);
28779+}
28780+#endif
28781+
28782 static int zap_process(struct task_struct *start)
28783 {
28784 struct task_struct *t;
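Review bot: pax_report_fault() escapes tab, newline and backslash in both path strings with `mangle_path(…, "\t\n\\")`, but prints `tsk->comm` unescaped in the `PAX: terminating task` line, and pax_report_refcount_overflow() does the same with `current->comm`. A task can set its own name, so a name containing a newline would split the record and let text chosen by the task appear as a separate line in the kernel log these reports feed. Copying the name into a local buffer and replacing control characters before the `printk()` would give it the same treatment as the paths. Separately, when either `__get_free_page()` call fails the lookup block is skipped and `path_exec` and `path_fault` reach `%s` as NULL; initialising them to a literal such as `"<unknown>"` would make that case explicit in the log.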
28785@@ -1762,17 +2014,17 @@ static void wait_for_dump_helpers(struct
28786 pipe = file->f_path.dentry->d_inode->i_pipe;
28787
28788 pipe_lock(pipe);
28789- pipe->readers++;
28790- pipe->writers--;
28791+ atomic_inc(&pipe->readers);
28792+ atomic_dec(&pipe->writers);
28793
28794- while ((pipe->readers > 1) && (!signal_pending(current))) {
28795+ while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
28796 wake_up_interruptible_sync(&pipe->wait);
28797 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
28798 pipe_wait(pipe);
28799 }
28800
28801- pipe->readers--;
28802- pipe->writers++;
28803+ atomic_dec(&pipe->readers);
28804+ atomic_inc(&pipe->writers);
28805 pipe_unlock(pipe);
28806
28807 }
28808@@ -1846,6 +2098,10 @@ void do_coredump(long signr, int exit_co
28809 */
28810 clear_thread_flag(TIF_SIGPENDING);
28811
28812+ if (signr == SIGKILL || signr == SIGILL)
28813+ gr_handle_brute_attach(current);
28814+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
28815+
28816 /*
28817 * lock_kernel() because format_corename() is controlled by sysctl, which
28818 * uses lock_kernel()
28819diff -urNp linux-2.6.33.1/fs/ext2/balloc.c linux-2.6.33.1/fs/ext2/balloc.c
28820--- linux-2.6.33.1/fs/ext2/balloc.c 2010-03-15 12:09:39.000000000 -0400
28821+++ linux-2.6.33.1/fs/ext2/balloc.c 2010-03-20 16:58:41.476618429 -0400
28822@@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
28823
28824 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28825 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28826- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28827+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28828 sbi->s_resuid != current_fsuid() &&
28829 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
28830 return 0;
28831diff -urNp linux-2.6.33.1/fs/ext3/balloc.c linux-2.6.33.1/fs/ext3/balloc.c
28832--- linux-2.6.33.1/fs/ext3/balloc.c 2010-03-15 12:09:39.000000000 -0400
28833+++ linux-2.6.33.1/fs/ext3/balloc.c 2010-03-20 16:58:41.484909301 -0400
28834@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
28835
28836 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
28837 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
28838- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
28839+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
28840 sbi->s_resuid != current_fsuid() &&
28841 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
28842 return 0;
28843diff -urNp linux-2.6.33.1/fs/ext3/namei.c linux-2.6.33.1/fs/ext3/namei.c
28844--- linux-2.6.33.1/fs/ext3/namei.c 2010-03-15 12:09:39.000000000 -0400
28845+++ linux-2.6.33.1/fs/ext3/namei.c 2010-03-20 16:58:41.496970241 -0400
28846@@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
28847 char *data1 = (*bh)->b_data, *data2;
28848 unsigned split, move, size;
28849 struct ext3_dir_entry_2 *de = NULL, *de2;
28850- int err = 0, i;
28851+ int i, err = 0;
28852
28853 bh2 = ext3_append (handle, dir, &newblock, &err);
28854 if (!(bh2)) {
28855diff -urNp linux-2.6.33.1/fs/ext3/xattr.c linux-2.6.33.1/fs/ext3/xattr.c
28856--- linux-2.6.33.1/fs/ext3/xattr.c 2010-03-15 12:09:39.000000000 -0400
28857+++ linux-2.6.33.1/fs/ext3/xattr.c 2010-03-20 16:58:41.500911319 -0400
28858@@ -89,8 +89,8 @@
28859 printk("\n"); \
28860 } while (0)
28861 #else
28862-# define ea_idebug(f...)
28863-# define ea_bdebug(f...)
28864+# define ea_idebug(f...) do {} while (0)
28865+# define ea_bdebug(f...) do {} while (0)
28866 #endif
28867
28868 static void ext3_xattr_cache_insert(struct buffer_head *);
28869diff -urNp linux-2.6.33.1/fs/ext4/balloc.c linux-2.6.33.1/fs/ext4/balloc.c
28870--- linux-2.6.33.1/fs/ext4/balloc.c 2010-03-15 12:09:39.000000000 -0400
28871+++ linux-2.6.33.1/fs/ext4/balloc.c 2010-03-20 16:58:41.500911319 -0400
28872@@ -535,7 +535,7 @@ int ext4_has_free_blocks(struct ext4_sb_
28873 /* Hm, nope. Are (enough) root reserved blocks available? */
28874 if (sbi->s_resuid == current_fsuid() ||
28875 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
28876- capable(CAP_SYS_RESOURCE)) {
28877+ capable_nolog(CAP_SYS_RESOURCE)) {
28878 if (free_blocks >= (nblocks + dirty_blocks))
28879 return 1;
28880 }
28881diff -urNp linux-2.6.33.1/fs/ext4/ioctl.c linux-2.6.33.1/fs/ext4/ioctl.c
28882--- linux-2.6.33.1/fs/ext4/ioctl.c 2010-03-15 12:09:39.000000000 -0400
28883+++ linux-2.6.33.1/fs/ext4/ioctl.c 2010-03-20 16:58:41.500911319 -0400
28884@@ -221,6 +221,9 @@ setversion_out:
28885 struct file *donor_filp;
28886 int err;
28887
28888+ /* temporary workaround for bugs in here */
28889+ return -EOPNOTSUPP;
28890+
28891 if (!(filp->f_mode & FMODE_READ) ||
28892 !(filp->f_mode & FMODE_WRITE))
28893 return -EBADF;
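Review bot: The unconditional `return -EOPNOTSUPP;` disables this ioctl branch entirely, and the comment `temporary workaround for bugs in here` does not say which bugs are meant or what has to happen before the return can be removed. Everything after it in the case body, starting with the `FMODE_READ`/`FMODE_WRITE` check, becomes dead code that is still compiled. I would expand the comment to name the ioctl command being refused (its case label is outside the hunk), the class of bug, and the upstream fix to wait for, and wrap the early return in a config option or an `#if` so the disabled state is visible to whoever next touches this branch.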
28894diff -urNp linux-2.6.33.1/fs/ext4/namei.c linux-2.6.33.1/fs/ext4/namei.c
28895--- linux-2.6.33.1/fs/ext4/namei.c 2010-03-15 12:09:39.000000000 -0400
28896+++ linux-2.6.33.1/fs/ext4/namei.c 2010-03-20 16:58:41.504537056 -0400
28897@@ -1203,7 +1203,7 @@ static struct ext4_dir_entry_2 *do_split
28898 char *data1 = (*bh)->b_data, *data2;
28899 unsigned split, move, size;
28900 struct ext4_dir_entry_2 *de = NULL, *de2;
28901- int err = 0, i;
28902+ int i, err = 0;
28903
28904 bh2 = ext4_append (handle, dir, &newblock, &err);
28905 if (!(bh2)) {
ae4e228f
MT
28906diff -urNp linux-2.6.33.1/fs/ext4/super.c linux-2.6.33.1/fs/ext4/super.c
28907--- linux-2.6.33.1/fs/ext4/super.c 2010-03-15 12:09:39.000000000 -0400
28908+++ linux-2.6.33.1/fs/ext4/super.c 2010-03-20 16:58:41.512931908 -0400
28909@@ -2292,7 +2292,7 @@ static void ext4_sb_release(struct kobje
28910 }
28911
28912
28913-static struct sysfs_ops ext4_attr_ops = {
28914+static const struct sysfs_ops ext4_attr_ops = {
28915 .show = ext4_attr_show,
28916 .store = ext4_attr_store,
28917 };
28918diff -urNp linux-2.6.33.1/fs/fcntl.c linux-2.6.33.1/fs/fcntl.c
28919--- linux-2.6.33.1/fs/fcntl.c 2010-03-15 12:09:39.000000000 -0400
28920+++ linux-2.6.33.1/fs/fcntl.c 2010-03-20 16:58:41.516920875 -0400
28921@@ -344,6 +344,7 @@ static long do_fcntl(int fd, unsigned in
58c5fc13
MT
28922 switch (cmd) {
28923 case F_DUPFD:
28924 case F_DUPFD_CLOEXEC:
28925+ gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
28926 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
28927 break;
28928 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
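Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, arg, 0)` is called with the caller-supplied `arg` before the rlimit comparison on the next line, so the learning code is handed values for which the request is then refused. If that is intended (recording what a task asked for rather than what it got), say so in a comment such as `/* learn the requested fd number even when the request is refused below */`; if not, the call belongs after the check. The same ordering appears in the expand_files hunk of fs/file.c. gr_learn_resource is defined elsewhere in the patch and do_fcntl continues outside the hunk.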
ae4e228f 28929@@ -500,7 +501,8 @@ static inline int sigio_perm(struct task
58c5fc13
MT
28930 ret = ((fown->euid == 0 ||
28931 fown->euid == cred->suid || fown->euid == cred->uid ||
28932 fown->uid == cred->suid || fown->uid == cred->uid) &&
28933- !security_file_send_sigiotask(p, fown, sig));
28934+ !security_file_send_sigiotask(p, fown, sig) &&
28935+ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
28936 rcu_read_unlock();
28937 return ret;
28938 }
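Review bot: The two added checks, `gr_check_protected_task(p)` and `gr_pid_is_chrooted(p)`, are evaluated before the `rcu_read_unlock()` on the following line, so they run inside the RCU read-side section and must not sleep; nothing in the hunk states that. A comment above the expression, `/* gr_* checks run under rcu_read_lock(): must not block */`, would record the constraint for whoever changes those helpers. They are also folded into the same boolean as the uid tests, so a policy denial is indistinguishable from an ownership mismatch to the caller of sigio_perm, whose start is outside the hunk.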
ae4e228f
MT
28939diff -urNp linux-2.6.33.1/fs/fifo.c linux-2.6.33.1/fs/fifo.c
28940--- linux-2.6.33.1/fs/fifo.c 2010-03-15 12:09:39.000000000 -0400
28941+++ linux-2.6.33.1/fs/fifo.c 2010-03-20 16:58:41.516920875 -0400
28942@@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
28943 */
28944 filp->f_op = &read_pipefifo_fops;
28945 pipe->r_counter++;
28946- if (pipe->readers++ == 0)
28947+ if (atomic_inc_return(&pipe->readers) == 1)
28948 wake_up_partner(inode);
28949
28950- if (!pipe->writers) {
28951+ if (!atomic_read(&pipe->writers)) {
28952 if ((filp->f_flags & O_NONBLOCK)) {
28953 /* suppress POLLHUP until we have
28954 * seen a writer */
28955@@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
28956 * errno=ENXIO when there is no process reading the FIFO.
28957 */
28958 ret = -ENXIO;
28959- if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
28960+ if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
28961 goto err;
28962
28963 filp->f_op = &write_pipefifo_fops;
28964 pipe->w_counter++;
28965- if (!pipe->writers++)
28966+ if (atomic_inc_return(&pipe->writers) == 1)
28967 wake_up_partner(inode);
28968
28969- if (!pipe->readers) {
28970+ if (!atomic_read(&pipe->readers)) {
28971 wait_for_partner(inode, &pipe->r_counter);
28972 if (signal_pending(current))
28973 goto err_wr;
28974@@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
28975 */
28976 filp->f_op = &rdwr_pipefifo_fops;
28977
28978- pipe->readers++;
28979- pipe->writers++;
28980+ atomic_inc(&pipe->readers);
28981+ atomic_inc(&pipe->writers);
28982 pipe->r_counter++;
28983 pipe->w_counter++;
28984- if (pipe->readers == 1 || pipe->writers == 1)
28985+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
28986 wake_up_partner(inode);
28987 break;
28988
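Review bot: In the read/write branch the counters are bumped with `atomic_inc()` and tested afterwards with `atomic_read(...) == 1`, while the read-only and write-only branches in the two hunks above use `atomic_inc_return(...) == 1`; the increment and the test are separate steps here. The same holds for the `err:` path in the next hunk, where two independent `atomic_read()` calls decide whether `free_pipe_info(inode)` runs. If the counters are still serialised by a lock taken outside these hunks this is harmless, and a comment such as `/* readers/writers are only changed with the pipe lock held */` should say so once that has been confirmed. Otherwise use `atomic_inc_return()` here as well.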
28989@@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
28990 return 0;
28991
28992 err_rd:
28993- if (!--pipe->readers)
28994+ if (atomic_dec_and_test(&pipe->readers))
28995 wake_up_interruptible(&pipe->wait);
28996 ret = -ERESTARTSYS;
28997 goto err;
28998
28999 err_wr:
29000- if (!--pipe->writers)
29001+ if (atomic_dec_and_test(&pipe->writers))
29002 wake_up_interruptible(&pipe->wait);
29003 ret = -ERESTARTSYS;
29004 goto err;
29005
29006 err:
29007- if (!pipe->readers && !pipe->writers)
29008+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
29009 free_pipe_info(inode);
29010
29011 err_nocleanup:
29012diff -urNp linux-2.6.33.1/fs/file.c linux-2.6.33.1/fs/file.c
29013--- linux-2.6.33.1/fs/file.c 2010-03-15 12:09:39.000000000 -0400
29014+++ linux-2.6.33.1/fs/file.c 2010-03-20 16:58:41.516920875 -0400
29015@@ -14,6 +14,7 @@
58c5fc13
MT
29016 #include <linux/slab.h>
29017 #include <linux/vmalloc.h>
29018 #include <linux/file.h>
29019+#include <linux/security.h>
29020 #include <linux/fdtable.h>
29021 #include <linux/bitops.h>
29022 #include <linux/interrupt.h>
ae4e228f 29023@@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
58c5fc13
MT
29024 * N.B. For clone tasks sharing a files structure, this test
29025 * will limit the total number of files that can be opened.
29026 */
29027+
29028+ gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
29029 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
29030 return -EMFILE;
29031
ae4e228f
MT
29032diff -urNp linux-2.6.33.1/fs/fs_struct.c linux-2.6.33.1/fs/fs_struct.c
29033--- linux-2.6.33.1/fs/fs_struct.c 2010-03-15 12:09:39.000000000 -0400
29034+++ linux-2.6.33.1/fs/fs_struct.c 2010-03-20 16:58:41.516920875 -0400
29035@@ -45,10 +45,12 @@ void chroot_fs_refs(struct path *old_roo
29036 struct task_struct *g, *p;
29037 struct fs_struct *fs;
29038 int count = 0;
29039+ unsigned long flags;
29040
29041 read_lock(&tasklist_lock);
29042 do_each_thread(g, p) {
29043 task_lock(p);
29044+ gr_fs_write_lock_irqsave(p, flags);
29045 fs = p->fs;
29046 if (fs) {
29047 write_lock(&fs->lock);
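Review bot: `gr_fs_write_lock_irqsave(p, flags)` is inserted between `task_lock(p)` and `write_lock(&fs->lock)` without any statement of the lock order, and it is taken before the `if (fs)` test, so it is held even for tasks with no fs_struct. The same nesting is repeated in exit_fs, unshare_fs_struct and daemonize_fs_struct further down. A comment at the first use, `/* lock order: task_lock -> gr fs lock (irqs off) -> fs->lock */`, would make the order checkable; that the macro disables interrupts is inferred from its name and the `flags` argument, since its definition is not in this part of the patch.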
29048@@ -66,6 +68,7 @@ void chroot_fs_refs(struct path *old_roo
29049 }
29050 write_unlock(&fs->lock);
29051 }
29052+ gr_fs_write_unlock_irqrestore(p, flags);
29053 task_unlock(p);
29054 } while_each_thread(g, p);
29055 read_unlock(&tasklist_lock);
29056@@ -83,14 +86,17 @@ void free_fs_struct(struct fs_struct *fs
29057 void exit_fs(struct task_struct *tsk)
29058 {
29059 struct fs_struct *fs = tsk->fs;
29060+ unsigned long flags;
29061
29062 if (fs) {
29063 int kill;
58c5fc13 29064 task_lock(tsk);
ae4e228f 29065+ gr_fs_write_lock_irqsave(tsk, flags);
58c5fc13
MT
29066 write_lock(&fs->lock);
29067 tsk->fs = NULL;
29068- kill = !--fs->users;
29069+ kill = !atomic_dec_return(&fs->users);
29070 write_unlock(&fs->lock);
ae4e228f 29071+ gr_fs_write_unlock_irqrestore(tsk, flags);
58c5fc13
MT
29072 task_unlock(tsk);
29073 if (kill)
ae4e228f
MT
29074 free_fs_struct(fs);
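Review bot: `kill = !atomic_dec_return(&fs->users);` is the open-coded form of `atomic_dec_and_test()`, which this same patch already uses in fs/fifo.c. Writing `kill = atomic_dec_and_test(&fs->users);` here, and in the unshare_fs_struct and daemonize_fs_struct hunks below, says directly that the last reference is being dropped. The end of exit_fs is outside the hunk.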
29075@@ -102,7 +108,7 @@ struct fs_struct *copy_fs_struct(struct
58c5fc13
MT
29076 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
29077 /* We don't need to lock fs - think why ;-) */
29078 if (fs) {
29079- fs->users = 1;
29080+ atomic_set(&fs->users, 1);
29081 fs->in_exec = 0;
29082 rwlock_init(&fs->lock);
29083 fs->umask = old->umask;
ae4e228f
MT
29084@@ -121,15 +127,18 @@ int unshare_fs_struct(void)
29085 struct fs_struct *fs = current->fs;
29086 struct fs_struct *new_fs = copy_fs_struct(fs);
29087 int kill;
29088+ unsigned long flags;
29089
29090 if (!new_fs)
29091 return -ENOMEM;
58c5fc13
MT
29092
29093 task_lock(current);
ae4e228f 29094+ gr_fs_write_lock_irqsave(current, flags);
58c5fc13
MT
29095 write_lock(&fs->lock);
29096- kill = !--fs->users;
29097+ kill = !atomic_dec_return(&fs->users);
29098 current->fs = new_fs;
29099 write_unlock(&fs->lock);
ae4e228f 29100+ gr_fs_write_unlock_irqrestore(current, flags);
58c5fc13 29101 task_unlock(current);
ae4e228f
MT
29102
29103 if (kill)
29104@@ -147,7 +156,7 @@ EXPORT_SYMBOL(current_umask);
58c5fc13
MT
29105
29106 /* to be mentioned only in INIT_TASK */
29107 struct fs_struct init_fs = {
29108- .users = 1,
29109+ .users = ATOMIC_INIT(1),
29110 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
29111 .umask = 0022,
29112 };
ae4e228f
MT
29113@@ -155,6 +164,7 @@ struct fs_struct init_fs = {
29114 void daemonize_fs_struct(void)
29115 {
29116 struct fs_struct *fs = current->fs;
29117+ unsigned long flags;
29118
29119 if (fs) {
29120 int kill;
29121@@ -162,13 +172,15 @@ void daemonize_fs_struct(void)
58c5fc13
MT
29122 task_lock(current);
29123
29124 write_lock(&init_fs.lock);
29125- init_fs.users++;
29126+ atomic_inc(&init_fs.users);
29127 write_unlock(&init_fs.lock);
29128
ae4e228f 29129+ gr_fs_write_lock_irqsave(current, flags);
58c5fc13
MT
29130 write_lock(&fs->lock);
29131 current->fs = &init_fs;
29132- kill = !--fs->users;
29133+ kill = !atomic_dec_return(&fs->users);
29134 write_unlock(&fs->lock);
ae4e228f 29135+ gr_fs_write_unlock_irqrestore(current, flags);
58c5fc13
MT
29136
29137 task_unlock(current);
ae4e228f
MT
29138 if (kill)
29139diff -urNp linux-2.6.33.1/fs/fuse/control.c linux-2.6.33.1/fs/fuse/control.c
29140--- linux-2.6.33.1/fs/fuse/control.c 2010-03-15 12:09:39.000000000 -0400
29141+++ linux-2.6.33.1/fs/fuse/control.c 2010-03-20 16:58:41.520615009 -0400
29142@@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
58c5fc13
MT
29143
29144 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
29145 {
29146- struct tree_descr empty_descr = {""};
29147+ struct tree_descr empty_descr = {"", NULL, 0};
29148 struct fuse_conn *fc;
29149 int err;
29150
ae4e228f
MT
29151diff -urNp linux-2.6.33.1/fs/fuse/cuse.c linux-2.6.33.1/fs/fuse/cuse.c
29152--- linux-2.6.33.1/fs/fuse/cuse.c 2010-03-15 12:09:39.000000000 -0400
29153+++ linux-2.6.33.1/fs/fuse/cuse.c 2010-03-20 16:58:41.520615009 -0400
29154@@ -528,8 +528,18 @@ static int cuse_channel_release(struct i
29155 return rc;
29156 }
29157
29158-static struct file_operations cuse_channel_fops; /* initialized during init */
29159-
29160+static const struct file_operations cuse_channel_fops = { /* initialized during init */
29161+ .owner = THIS_MODULE,
29162+ .llseek = no_llseek,
29163+ .read = do_sync_read,
29164+ .aio_read = fuse_dev_read,
29165+ .write = do_sync_write,
29166+ .aio_write = fuse_dev_write,
29167+ .poll = fuse_dev_poll,
29168+ .open = cuse_channel_open,
29169+ .release = cuse_channel_release,
29170+ .fasync = fuse_dev_fasync,
29171+};
29172
29173 /**************************************************************************
29174 * Misc stuff and module initializatiion
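Review bot: The comment `/* initialized during init */` is kept on `cuse_channel_fops`, but the table is now a `const` static initializer and the run-time setup is removed from cuse_init in the next hunk, so the comment is wrong. The table also hand-copies the members of `fuse_dev_operations` instead of inheriting them by struct assignment as the removed code did, so a member added there later will be silently missing here. Replace the comment with `/* same as fuse_dev_operations except .owner, .open and .release; keep in sync */`.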
29175@@ -575,12 +585,6 @@ static int __init cuse_init(void)
29176 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
29177 INIT_LIST_HEAD(&cuse_conntbl[i]);
29178
29179- /* inherit and extend fuse_dev_operations */
29180- cuse_channel_fops = fuse_dev_operations;
29181- cuse_channel_fops.owner = THIS_MODULE;
29182- cuse_channel_fops.open = cuse_channel_open;
29183- cuse_channel_fops.release = cuse_channel_release;
29184-
29185 cuse_class = class_create(THIS_MODULE, "cuse");
29186 if (IS_ERR(cuse_class))
29187 return PTR_ERR(cuse_class);
29188diff -urNp linux-2.6.33.1/fs/fuse/dev.c linux-2.6.33.1/fs/fuse/dev.c
29189--- linux-2.6.33.1/fs/fuse/dev.c 2010-03-15 12:09:39.000000000 -0400
29190+++ linux-2.6.33.1/fs/fuse/dev.c 2010-03-20 16:58:41.524892399 -0400
29191@@ -745,7 +745,7 @@ __releases(&fc->lock)
29192 * request_end(). Otherwise add it to the processing list, and set
29193 * the 'sent' flag.
29194 */
29195-static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29196+ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29197 unsigned long nr_segs, loff_t pos)
29198 {
29199 int err;
29200@@ -828,6 +828,8 @@ static ssize_t fuse_dev_read(struct kioc
29201 return err;
29202 }
29203
29204+EXPORT_SYMBOL_GPL(fuse_dev_read);
29205+
29206 static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
29207 struct fuse_copy_state *cs)
29208 {
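Review bot: `EXPORT_SYMBOL_GPL(fuse_dev_read);` is separated from the function's closing brace by a blank line, whereas the existing export in this file, `EXPORT_SYMBOL_GPL(fuse_dev_release);`, follows its brace directly. Put each new export immediately after its function; the same applies to the fuse_dev_write, fuse_dev_poll and fuse_dev_fasync hunks below. These four functions lose `static` and join the module's exported interface so that the const table in cuse.c can name them, which widens what other modules can call and deserves a line in the patch description.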
29209@@ -885,7 +887,7 @@ static int fuse_notify_inval_entry(struc
58c5fc13
MT
29210 {
29211 struct fuse_notify_inval_entry_out outarg;
29212 int err = -EINVAL;
29213- char buf[FUSE_NAME_MAX+1];
29214+ char *buf = NULL;
29215 struct qstr name;
29216
29217 if (size < sizeof(outarg))
ae4e228f 29218@@ -899,6 +901,11 @@ static int fuse_notify_inval_entry(struc
58c5fc13
MT
29219 if (outarg.namelen > FUSE_NAME_MAX)
29220 goto err;
29221
29222+ err = -ENOMEM;
29223+ buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
29224+ if (!buf)
29225+ goto err;
29226+
29227 name.name = buf;
29228 name.len = outarg.namelen;
29229 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
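Review bot: The `kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL)` buffer is filled by `fuse_copy_one(cs, buf, outarg.namelen + 1)`, and the only thing keeping that copy inside the allocation is the `outarg.namelen > FUSE_NAME_MAX` test at the top of the hunk; no comment ties the two together. Add `/* namelen <= FUSE_NAME_MAX was checked above, so namelen + 1 bytes fit */` before the copy, or size the allocation as `kmalloc(outarg.namelen + 1, GFP_KERNEL)` so the bound is visible in one place. The function starts in the previous hunk and its exits are in the next one.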
ae4e228f 29230@@ -910,17 +917,15 @@ static int fuse_notify_inval_entry(struc
58c5fc13
MT
29231
29232 down_read(&fc->killsb);
29233 err = -ENOENT;
29234- if (!fc->sb)
29235- goto err_unlock;
29236-
29237- err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29238-
29239-err_unlock:
29240+ if (fc->sb)
29241+ err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
29242 up_read(&fc->killsb);
29243+ kfree(buf);
29244 return err;
29245
29246 err:
29247 fuse_copy_finish(cs);
29248+ kfree(buf);
29249 return err;
29250 }
29251
ae4e228f
MT
29252@@ -987,7 +992,7 @@ static int copy_out_args(struct fuse_cop
29253 * it from the list and copy the rest of the buffer to the request.
29254 * The request is finished by calling request_end()
29255 */
29256-static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29257+ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29258 unsigned long nr_segs, loff_t pos)
29259 {
29260 int err;
29261@@ -1084,7 +1089,9 @@ static ssize_t fuse_dev_write(struct kio
29262 return err;
29263 }
29264
29265-static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29266+EXPORT_SYMBOL_GPL(fuse_dev_write);
29267+
29268+unsigned fuse_dev_poll(struct file *file, poll_table *wait)
29269 {
29270 unsigned mask = POLLOUT | POLLWRNORM;
29271 struct fuse_conn *fc = fuse_get_conn(file);
29272@@ -1103,6 +1110,8 @@ static unsigned fuse_dev_poll(struct fil
29273 return mask;
29274 }
29275
29276+EXPORT_SYMBOL_GPL(fuse_dev_poll);
29277+
29278 /*
29279 * Abort all requests on the given list (pending or processing)
29280 *
29281@@ -1210,7 +1219,7 @@ int fuse_dev_release(struct inode *inode
29282 }
29283 EXPORT_SYMBOL_GPL(fuse_dev_release);
29284
29285-static int fuse_dev_fasync(int fd, struct file *file, int on)
29286+int fuse_dev_fasync(int fd, struct file *file, int on)
29287 {
29288 struct fuse_conn *fc = fuse_get_conn(file);
29289 if (!fc)
29290@@ -1220,6 +1229,8 @@ static int fuse_dev_fasync(int fd, struc
29291 return fasync_helper(fd, file, on, &fc->fasync);
29292 }
29293
29294+EXPORT_SYMBOL_GPL(fuse_dev_fasync);
29295+
29296 const struct file_operations fuse_dev_operations = {
29297 .owner = THIS_MODULE,
29298 .llseek = no_llseek,
29299diff -urNp linux-2.6.33.1/fs/fuse/dir.c linux-2.6.33.1/fs/fuse/dir.c
29300--- linux-2.6.33.1/fs/fuse/dir.c 2010-03-15 12:09:39.000000000 -0400
29301+++ linux-2.6.33.1/fs/fuse/dir.c 2010-03-20 16:58:41.528872982 -0400
29302@@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
58c5fc13
MT
29303 return link;
29304 }
29305
29306-static void free_link(char *link)
29307+static void free_link(const char *link)
29308 {
29309 if (!IS_ERR(link))
29310 free_page((unsigned long) link);
ae4e228f
MT
29311diff -urNp linux-2.6.33.1/fs/fuse/fuse_i.h linux-2.6.33.1/fs/fuse/fuse_i.h
29312--- linux-2.6.33.1/fs/fuse/fuse_i.h 2010-03-15 12:09:39.000000000 -0400
29313+++ linux-2.6.33.1/fs/fuse/fuse_i.h 2010-03-20 16:58:41.532912913 -0400
29314@@ -521,6 +521,16 @@ extern const struct file_operations fuse
29315
29316 extern const struct dentry_operations fuse_dentry_operations;
29317
29318+extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
29319+ unsigned long nr_segs, loff_t pos);
29320+
29321+extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
29322+ unsigned long nr_segs, loff_t pos);
29323+
29324+extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
29325+
29326+extern int fuse_dev_fasync(int fd, struct file *file, int on);
29327+
29328 /**
29329 * Inode to nodeid comparison.
29330 */
29331diff -urNp linux-2.6.33.1/fs/gfs2/sys.c linux-2.6.33.1/fs/gfs2/sys.c
29332--- linux-2.6.33.1/fs/gfs2/sys.c 2010-03-15 12:09:39.000000000 -0400
29333+++ linux-2.6.33.1/fs/gfs2/sys.c 2010-03-20 16:58:41.563618654 -0400
29334@@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
29335 return a->store ? a->store(sdp, buf, len) : len;
58c5fc13
MT
29336 }
29337
ae4e228f
MT
29338-static struct sysfs_ops gfs2_attr_ops = {
29339+static const struct sysfs_ops gfs2_attr_ops = {
29340 .show = gfs2_attr_show,
29341 .store = gfs2_attr_store,
29342 };
29343@@ -576,7 +576,7 @@ static int gfs2_uevent(struct kset *kset
29344 return 0;
58c5fc13
MT
29345 }
29346
ae4e228f
MT
29347-static struct kset_uevent_ops gfs2_uevent_ops = {
29348+static const struct kset_uevent_ops gfs2_uevent_ops = {
29349 .uevent = gfs2_uevent,
58c5fc13 29350 };
ae4e228f
MT
29351
29352diff -urNp linux-2.6.33.1/fs/hfs/inode.c linux-2.6.33.1/fs/hfs/inode.c
29353--- linux-2.6.33.1/fs/hfs/inode.c 2010-03-15 12:09:39.000000000 -0400
29354+++ linux-2.6.33.1/fs/hfs/inode.c 2010-03-20 16:58:41.564527258 -0400
58c5fc13
MT
29355@@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
29356
29357 if (S_ISDIR(main_inode->i_mode)) {
29358 if (fd.entrylength < sizeof(struct hfs_cat_dir))
29359- /* panic? */;
29360+ {/* panic? */}
29361 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29362 sizeof(struct hfs_cat_dir));
29363 if (rec.type != HFS_CDR_DIR ||
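Review bot: Replacing `/* panic? */;` with `{/* panic? */}` only silences the empty-statement warning: when `fd.entrylength < sizeof(struct hfs_cat_dir)` nothing happens, and `hfs_bnode_read()` on the next line still reads `sizeof(struct hfs_cat_dir)` bytes from the record. An entry length taken from the on-disk catalog should be rejected when it is too short, by setting an error and leaving through the function's cleanup path, which is outside the hunk. The same unhandled check is in the second hunk of this file and in all four hunks of fs/hfsplus/inode.c.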
29364@@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
29365 sizeof(struct hfs_cat_file));
29366 } else {
29367 if (fd.entrylength < sizeof(struct hfs_cat_file))
29368- /* panic? */;
29369+ {/* panic? */}
29370 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
29371 sizeof(struct hfs_cat_file));
29372 if (rec.type != HFS_CDR_FIL ||
ae4e228f
MT
29373diff -urNp linux-2.6.33.1/fs/hfsplus/inode.c linux-2.6.33.1/fs/hfsplus/inode.c
29374--- linux-2.6.33.1/fs/hfsplus/inode.c 2010-03-15 12:09:39.000000000 -0400
29375+++ linux-2.6.33.1/fs/hfsplus/inode.c 2010-03-20 16:58:41.564527258 -0400
58c5fc13
MT
29376@@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
29377 struct hfsplus_cat_folder *folder = &entry.folder;
29378
29379 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
29380- /* panic? */;
29381+ {/* panic? */}
29382 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29383 sizeof(struct hfsplus_cat_folder));
29384 hfsplus_get_perms(inode, &folder->permissions, 1);
29385@@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
29386 struct hfsplus_cat_file *file = &entry.file;
29387
29388 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
29389- /* panic? */;
29390+ {/* panic? */}
29391 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
29392 sizeof(struct hfsplus_cat_file));
29393
29394@@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
29395 struct hfsplus_cat_folder *folder = &entry.folder;
29396
29397 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
29398- /* panic? */;
29399+ {/* panic? */}
29400 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29401 sizeof(struct hfsplus_cat_folder));
29402 /* simple node checks? */
29403@@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
29404 struct hfsplus_cat_file *file = &entry.file;
29405
29406 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
29407- /* panic? */;
29408+ {/* panic? */}
29409 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
29410 sizeof(struct hfsplus_cat_file));
29411 hfsplus_inode_write_fork(inode, &file->data_fork);
ae4e228f
MT
29412diff -urNp linux-2.6.33.1/fs/ioctl.c linux-2.6.33.1/fs/ioctl.c
29413--- linux-2.6.33.1/fs/ioctl.c 2010-03-15 12:09:39.000000000 -0400
29414+++ linux-2.6.33.1/fs/ioctl.c 2010-03-20 16:58:41.564527258 -0400
29415@@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
29416 u64 phys, u64 len, u32 flags)
29417 {
29418 struct fiemap_extent extent;
29419- struct fiemap_extent *dest = fieinfo->fi_extents_start;
29420+ struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
29421
29422 /* only count the extents */
29423 if (fieinfo->fi_extents_max == 0) {
29424@@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
29425
29426 fieinfo.fi_flags = fiemap.fm_flags;
29427 fieinfo.fi_extents_max = fiemap.fm_extent_count;
29428- fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
29429+ fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
29430
29431 if (fiemap.fm_extent_count != 0 &&
29432 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
29433@@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
29434 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
29435 fiemap.fm_flags = fieinfo.fi_flags;
29436 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
29437- if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
29438+ if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
29439 error = -EFAULT;
58c5fc13 29440
ae4e228f
MT
29441 return error;
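Review bot: `(__force char __user *)arg` uses `__force` where the hunk above casts the same `arg` with a plain `(struct fiemap_extent __user *)`; `__force` switches off the address-space checking that the `__user` annotation is there to provide. `arg` appears to be an integer (it is used in `arg + sizeof(fiemap)` above), so `copy_to_user((char __user *)arg, &fiemap, sizeof(fiemap))` should be enough, or more precisely a cast to `struct fiemap __user *`. ioctl_fiemap starts outside the hunk, so the declared type of `arg` should be confirmed there.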
29442diff -urNp linux-2.6.33.1/fs/jffs2/debug.h linux-2.6.33.1/fs/jffs2/debug.h
29443--- linux-2.6.33.1/fs/jffs2/debug.h 2010-03-15 12:09:39.000000000 -0400
29444+++ linux-2.6.33.1/fs/jffs2/debug.h 2010-03-20 16:58:41.564527258 -0400
58c5fc13
MT
29445@@ -52,13 +52,13 @@
29446 #if CONFIG_JFFS2_FS_DEBUG > 0
29447 #define D1(x) x
29448 #else
29449-#define D1(x)
29450+#define D1(x) do {} while (0);
29451 #endif
29452
29453 #if CONFIG_JFFS2_FS_DEBUG > 1
29454 #define D2(x) x
29455 #else
29456-#define D2(x)
29457+#define D2(x) do {} while (0);
29458 #endif
29459
29460 /* The prefixes of JFFS2 messages */
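Review bot: The new no-op definitions `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` end in a semicolon, unlike every `dbg_*` macro converted in the next hunk. With the semicolon inside the macro, a call written `D1(...);` expands to two statements, which breaks an unbraced `if (...) D1(...); else ...`. Drop it: `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.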
29461@@ -114,73 +114,73 @@
29462 #ifdef JFFS2_DBG_READINODE_MESSAGES
29463 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29464 #else
29465-#define dbg_readinode(fmt, ...)
29466+#define dbg_readinode(fmt, ...) do {} while (0)
29467 #endif
29468 #ifdef JFFS2_DBG_READINODE2_MESSAGES
29469 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29470 #else
29471-#define dbg_readinode2(fmt, ...)
29472+#define dbg_readinode2(fmt, ...) do {} while (0)
29473 #endif
29474
29475 /* Fragtree build debugging messages */
29476 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
29477 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29478 #else
29479-#define dbg_fragtree(fmt, ...)
29480+#define dbg_fragtree(fmt, ...) do {} while (0)
29481 #endif
29482 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
29483 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29484 #else
29485-#define dbg_fragtree2(fmt, ...)
29486+#define dbg_fragtree2(fmt, ...) do {} while (0)
29487 #endif
29488
29489 /* Directory entry list manilulation debugging messages */
29490 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
29491 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29492 #else
29493-#define dbg_dentlist(fmt, ...)
29494+#define dbg_dentlist(fmt, ...) do {} while (0)
29495 #endif
29496
29497 /* Print the messages about manipulating node_refs */
29498 #ifdef JFFS2_DBG_NODEREF_MESSAGES
29499 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29500 #else
29501-#define dbg_noderef(fmt, ...)
29502+#define dbg_noderef(fmt, ...) do {} while (0)
29503 #endif
29504
29505 /* Manipulations with the list of inodes (JFFS2 inocache) */
29506 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
29507 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29508 #else
29509-#define dbg_inocache(fmt, ...)
29510+#define dbg_inocache(fmt, ...) do {} while (0)
29511 #endif
29512
29513 /* Summary debugging messages */
29514 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
29515 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29516 #else
29517-#define dbg_summary(fmt, ...)
29518+#define dbg_summary(fmt, ...) do {} while (0)
29519 #endif
29520
29521 /* File system build messages */
29522 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
29523 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29524 #else
29525-#define dbg_fsbuild(fmt, ...)
29526+#define dbg_fsbuild(fmt, ...) do {} while (0)
29527 #endif
29528
29529 /* Watch the object allocations */
29530 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
29531 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29532 #else
29533-#define dbg_memalloc(fmt, ...)
29534+#define dbg_memalloc(fmt, ...) do {} while (0)
29535 #endif
29536
29537 /* Watch the XATTR subsystem */
29538 #ifdef JFFS2_DBG_XATTR_MESSAGES
29539 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
29540 #else
29541-#define dbg_xattr(fmt, ...)
29542+#define dbg_xattr(fmt, ...) do {} while (0)
29543 #endif
29544
29545 /* "Sanity" checks */
ae4e228f
MT
29546diff -urNp linux-2.6.33.1/fs/jffs2/erase.c linux-2.6.33.1/fs/jffs2/erase.c
29547--- linux-2.6.33.1/fs/jffs2/erase.c 2010-03-15 12:09:39.000000000 -0400
29548+++ linux-2.6.33.1/fs/jffs2/erase.c 2010-03-20 16:58:41.588752321 -0400
58c5fc13
MT
29549@@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
29550 struct jffs2_unknown_node marker = {
29551 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
29552 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29553- .totlen = cpu_to_je32(c->cleanmarker_size)
29554+ .totlen = cpu_to_je32(c->cleanmarker_size),
29555+ .hdr_crc = cpu_to_je32(0)
29556 };
29557
29558 jffs2_prealloc_raw_node_refs(c, jeb, 1);
ae4e228f
MT
29559diff -urNp linux-2.6.33.1/fs/jffs2/summary.h linux-2.6.33.1/fs/jffs2/summary.h
29560--- linux-2.6.33.1/fs/jffs2/summary.h 2010-03-15 12:09:39.000000000 -0400
29561+++ linux-2.6.33.1/fs/jffs2/summary.h 2010-03-20 16:58:41.588752321 -0400
58c5fc13
MT
29562@@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
29563
29564 #define jffs2_sum_active() (0)
29565 #define jffs2_sum_init(a) (0)
29566-#define jffs2_sum_exit(a)
29567-#define jffs2_sum_disable_collecting(a)
29568+#define jffs2_sum_exit(a) do {} while (0)
29569+#define jffs2_sum_disable_collecting(a) do {} while (0)
29570 #define jffs2_sum_is_disabled(a) (0)
29571-#define jffs2_sum_reset_collected(a)
29572+#define jffs2_sum_reset_collected(a) do {} while (0)
29573 #define jffs2_sum_add_kvec(a,b,c,d) (0)
29574-#define jffs2_sum_move_collected(a,b)
29575+#define jffs2_sum_move_collected(a,b) do {} while (0)
29576 #define jffs2_sum_write_sumnode(a) (0)
29577-#define jffs2_sum_add_padding_mem(a,b)
29578-#define jffs2_sum_add_inode_mem(a,b,c)
29579-#define jffs2_sum_add_dirent_mem(a,b,c)
29580-#define jffs2_sum_add_xattr_mem(a,b,c)
29581-#define jffs2_sum_add_xref_mem(a,b,c)
29582+#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
29583+#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
29584+#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
29585+#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
29586+#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
29587 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
29588
29589 #endif /* CONFIG_JFFS2_SUMMARY */
ae4e228f
MT
29590diff -urNp linux-2.6.33.1/fs/jffs2/wbuf.c linux-2.6.33.1/fs/jffs2/wbuf.c
29591--- linux-2.6.33.1/fs/jffs2/wbuf.c 2010-03-15 12:09:39.000000000 -0400
29592+++ linux-2.6.33.1/fs/jffs2/wbuf.c 2010-03-20 16:58:41.588752321 -0400
58c5fc13
MT
29593@@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
29594 {
29595 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
29596 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
29597- .totlen = constant_cpu_to_je32(8)
29598+ .totlen = constant_cpu_to_je32(8),
29599+ .hdr_crc = constant_cpu_to_je32(0)
29600 };
29601
29602 /*
ae4e228f
MT
29603diff -urNp linux-2.6.33.1/fs/lockd/svc.c linux-2.6.33.1/fs/lockd/svc.c
29604--- linux-2.6.33.1/fs/lockd/svc.c 2010-03-15 12:09:39.000000000 -0400
29605+++ linux-2.6.33.1/fs/lockd/svc.c 2010-03-20 16:58:41.588752321 -0400
29606@@ -43,7 +43,7 @@
29607
29608 static struct svc_program nlmsvc_program;
29609
29610-struct nlmsvc_binding * nlmsvc_ops;
29611+const struct nlmsvc_binding * nlmsvc_ops;
29612 EXPORT_SYMBOL_GPL(nlmsvc_ops);
29613
29614 static DEFINE_MUTEX(nlmsvc_mutex);
29615diff -urNp linux-2.6.33.1/fs/locks.c linux-2.6.33.1/fs/locks.c
29616--- linux-2.6.33.1/fs/locks.c 2010-03-15 12:09:39.000000000 -0400
29617+++ linux-2.6.33.1/fs/locks.c 2010-03-20 16:58:41.600927747 -0400
58c5fc13
MT
29618@@ -2007,16 +2007,16 @@ void locks_remove_flock(struct file *fil
29619 return;
29620
29621 if (filp->f_op && filp->f_op->flock) {
29622- struct file_lock fl = {
29623+ struct file_lock flock = {
29624 .fl_pid = current->tgid,
29625 .fl_file = filp,
29626 .fl_flags = FL_FLOCK,
29627 .fl_type = F_UNLCK,
29628 .fl_end = OFFSET_MAX,
29629 };
29630- filp->f_op->flock(filp, F_SETLKW, &fl);
29631- if (fl.fl_ops && fl.fl_ops->fl_release_private)
29632- fl.fl_ops->fl_release_private(&fl);
29633+ filp->f_op->flock(filp, F_SETLKW, &flock);
29634+ if (flock.fl_ops && flock.fl_ops->fl_release_private)
29635+ flock.fl_ops->fl_release_private(&flock);
29636 }
29637
29638 lock_kernel();
ae4e228f
MT
29639diff -urNp linux-2.6.33.1/fs/namei.c linux-2.6.33.1/fs/namei.c
29640--- linux-2.6.33.1/fs/namei.c 2010-03-15 12:09:39.000000000 -0400
29641+++ linux-2.6.33.1/fs/namei.c 2010-03-20 16:58:41.612934232 -0400
29642@@ -565,7 +565,7 @@ static __always_inline int __do_follow_l
58c5fc13
MT
29643 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
29644 error = PTR_ERR(cookie);
29645 if (!IS_ERR(cookie)) {
29646- char *s = nd_get_link(nd);
29647+ const char *s = nd_get_link(nd);
29648 error = 0;
29649 if (s)
29650 error = __vfs_follow_link(nd, s);
ae4e228f 29651@@ -599,6 +599,13 @@ static inline int do_follow_link(struct
58c5fc13
MT
29652 err = security_inode_follow_link(path->dentry, nd);
29653 if (err)
29654 goto loop;
29655+
29656+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
29657+ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
29658+ err = -EACCES;
29659+ goto loop;
29660+ }
29661+
29662 current->link_count++;
29663 current->total_link_count++;
29664 nd->depth++;
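Review bot: The added call reads `path->dentry->d_parent->d_inode` directly, and nothing in the hunk shows a lock or reference that keeps `d_parent` stable while it is dereferenced. If a concurrent rename can change the parent at this point, the check inside `gr_handle_follow_link()` (defined elsewhere in the patch) would be made against the wrong directory; pinning the parent with `parent = dget_parent(path->dentry);` before the call and `dput(parent);` after it avoids that. The do_link hunk further down has the same expression. do_follow_link starts and ends outside the hunk.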
ae4e228f 29665@@ -994,11 +1001,18 @@ return_reval:
58c5fc13
MT
29666 break;
29667 }
29668 return_base:
29669+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
29670+ path_put(&nd->path);
29671+ return -ENOENT;
29672+ }
29673 return 0;
29674 out_dput:
29675 path_put_conditional(&next, nd);
29676 break;
29677 }
29678+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
29679+ err = -ENOENT;
29680+
29681 path_put(&nd->path);
29682 return_err:
29683 return err;
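Review bot: After the loop the new `if (!gr_acl_handle_hidden_file(...)) err = -ENOENT;` replaces whatever error the walk produced with -ENOENT, and the `return_base` branch turns a successful lookup into -ENOENT; neither has a comment. Presumably the intent is that a hidden object is reported exactly like a missing one, so that the error code does not reveal its existence; state that, e.g. `/* hidden by policy: report as nonexistent, whatever the walk returned */`. gr_acl_handle_hidden_file is defined elsewhere in the patch and the function starts outside the hunk.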
ae4e228f 29684@@ -1552,12 +1566,19 @@ static int __open_namei_create(struct na
58c5fc13
MT
29685 int error;
29686 struct dentry *dir = nd->path.dentry;
29687
29688+ if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
29689+ error = -EACCES;
29690+ goto out_unlock;
29691+ }
29692+
29693 if (!IS_POSIXACL(dir->d_inode))
29694 mode &= ~current_umask();
29695 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
29696 if (error)
29697 goto out_unlock;
29698 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
29699+ if (!error)
29700+ gr_handle_create(path->dentry, nd->path.mnt);
29701 out_unlock:
29702 mutex_unlock(&dir->d_inode->i_mutex);
29703 dput(nd->path.dentry);
ae4e228f
MT
29704@@ -1665,6 +1686,22 @@ struct file *do_filp_open(int dfd, const
29705 release_open_intent(&nd);
58c5fc13
MT
29706 if (error)
29707 return ERR_PTR(error);
29708+
ae4e228f
MT
29709+ if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
29710+ error = -EPERM;
29711+ goto exit;
29712+ }
29713+
58c5fc13
MT
29714+ if (gr_handle_rawio(nd.path.dentry->d_inode)) {
29715+ error = -EPERM;
29716+ goto exit;
29717+ }
29718+
29719+ if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
29720+ error = -EACCES;
29721+ goto exit;
29722+ }
29723+
29724 goto ok;
29725 }
29726
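Review bot: The three policy checks added here (`gr_handle_rofs_blockwrite`, `gr_handle_rawio`, `gr_acl_handle_open`) are repeated in the `do_last` hunk below with a different dentry expression and a different exit label, so the two open paths can drift apart when only one is edited. A small static helper that returns the errno would keep the sequence and the -EPERM/-EACCES mapping in one place, with each call site reduced to an assignment and one test. The helper name and the parameter types below are a proposal, to be matched to the gr_* prototypes defined elsewhere in the patch; do_filp_open starts and ends outside the hunk.

```c
/* proposed helper: one place for the open-time policy checks */
static int gr_may_open(struct dentry *dentry, struct vfsmount *mnt,
		       int flag, int acc_mode)
{
	if (gr_handle_rofs_blockwrite(dentry, mnt, acc_mode))
		return -EPERM;
	if (gr_handle_rawio(dentry->d_inode))
		return -EPERM;
	if (!gr_acl_handle_open(dentry, mnt, flag))
		return -EACCES;
	return 0;
}

	/* … unchanged: path lookup and release_open_intent() … */
	error = gr_may_open(nd.path.dentry, nd.path.mnt, flag, acc_mode);
	if (error)
		goto exit;
	goto ok;
```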
ae4e228f 29727@@ -1758,6 +1795,24 @@ do_last:
58c5fc13
MT
29728 /*
29729 * It already exists.
29730 */
29731+
ae4e228f
MT
29732+ if (gr_handle_rofs_blockwrite(path.dentry, nd.path.mnt, acc_mode)) {
29733+ error = -EPERM;
29734+ goto exit_mutex_unlock;
29735+ }
58c5fc13
MT
29736+ if (gr_handle_rawio(path.dentry->d_inode)) {
29737+ error = -EPERM;
29738+ goto exit_mutex_unlock;
29739+ }
29740+ if (!gr_acl_handle_open(path.dentry, nd.path.mnt, flag)) {
29741+ error = -EACCES;
29742+ goto exit_mutex_unlock;
29743+ }
29744+ if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
29745+ error = -EACCES;
29746+ goto exit_mutex_unlock;
29747+ }
29748+
29749 mutex_unlock(&dir->d_inode->i_mutex);
29750 audit_inode(pathname, path.dentry);
29751
ae4e228f 29752@@ -1866,6 +1921,13 @@ do_link:
29753 error = security_inode_follow_link(path.dentry, &nd);
29754 if (error)
29755 goto exit_dput;
29756+
29757+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
29758+ path.dentry, nd.path.mnt)) {
29759+ error = -EACCES;
29760+ goto exit_dput;
29761+ }
29762+
29763 error = __do_follow_link(&path, &nd);
ae4e228f 29764 path_put(&path);
58c5fc13 29765 if (error) {
ae4e228f 29766@@ -2045,6 +2107,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29767 error = may_mknod(mode);
29768 if (error)
29769 goto out_dput;
29770+
29771+ if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
29772+ error = -EPERM;
29773+ goto out_dput;
29774+ }
29775+
29776+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
29777+ error = -EACCES;
29778+ goto out_dput;
29779+ }
29780+
29781 error = mnt_want_write(nd.path.mnt);
29782 if (error)
29783 goto out_dput;
ae4e228f 29784@@ -2065,6 +2138,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
29785 }
29786 out_drop_write:
29787 mnt_drop_write(nd.path.mnt);
29788+
29789+ if (!error)
29790+ gr_handle_create(dentry, nd.path.mnt);
29791 out_dput:
29792 dput(dentry);
29793 out_unlock:
ae4e228f 29794@@ -2118,6 +2194,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29795 if (IS_ERR(dentry))
29796 goto out_unlock;
29797
29798+ if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
29799+ error = -EACCES;
29800+ goto out_dput;
29801+ }
29802+
29803 if (!IS_POSIXACL(nd.path.dentry->d_inode))
29804 mode &= ~current_umask();
29805 error = mnt_want_write(nd.path.mnt);
ae4e228f 29806@@ -2129,6 +2210,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
29807 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
29808 out_drop_write:
29809 mnt_drop_write(nd.path.mnt);
29810+
29811+ if (!error)
29812+ gr_handle_create(dentry, nd.path.mnt);
29813+
29814 out_dput:
29815 dput(dentry);
29816 out_unlock:
ae4e228f 29817@@ -2210,6 +2295,8 @@ static long do_rmdir(int dfd, const char
29818 char * name;
29819 struct dentry *dentry;
29820 struct nameidata nd;
29821+ ino_t saved_ino = 0;
29822+ dev_t saved_dev = 0;
29823
29824 error = user_path_parent(dfd, pathname, &nd, &name);
29825 if (error)
ae4e228f 29826@@ -2234,6 +2321,19 @@ static long do_rmdir(int dfd, const char
29827 error = PTR_ERR(dentry);
29828 if (IS_ERR(dentry))
29829 goto exit2;
29830+
29831+ if (dentry->d_inode != NULL) {
29832+ if (dentry->d_inode->i_nlink <= 1) {
29833+ saved_ino = dentry->d_inode->i_ino;
29834+ saved_dev = dentry->d_inode->i_sb->s_dev;
29835+ }
29836+
29837+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
29838+ error = -EACCES;
29839+ goto exit3;
29840+ }
29841+ }
29842+
29843 error = mnt_want_write(nd.path.mnt);
29844 if (error)
29845 goto exit3;
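Review bot: The `i_nlink <= 1` guard around `saved_ino`/`saved_dev` mirrors the one added to do_unlinkat, but a directory on most filesystems carries a link count of at least 2, so here the pair will usually stay 0. The `gr_handle_delete()` call added in the next hunk (`@@ -2241,6 +2341,8 @@`) would then be skipped after a successful rmdir. If the delete notification is meant to cover removed directories, record the identifiers unconditionally inside the `d_inode != NULL` block, i.e. drop the `if (dentry->d_inode->i_nlink <= 1)` wrapper; otherwise a comment should say why directories are excluded. What gr_handle_delete does with the pair is not visible in this part of the patch, so confirm against the hook.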
ae4e228f 29846@@ -2241,6 +2341,8 @@ static long do_rmdir(int dfd, const char
29847 if (error)
29848 goto exit4;
29849 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
29850+ if (!error && (saved_dev || saved_ino))
29851+ gr_handle_delete(saved_ino, saved_dev);
29852 exit4:
29853 mnt_drop_write(nd.path.mnt);
29854 exit3:
ae4e228f 29855@@ -2302,6 +2404,8 @@ static long do_unlinkat(int dfd, const c
29856 struct dentry *dentry;
29857 struct nameidata nd;
29858 struct inode *inode = NULL;
29859+ ino_t saved_ino = 0;
29860+ dev_t saved_dev = 0;
29861
29862 error = user_path_parent(dfd, pathname, &nd, &name);
29863 if (error)
ae4e228f 29864@@ -2321,8 +2425,19 @@ static long do_unlinkat(int dfd, const c
29865 if (nd.last.name[nd.last.len])
29866 goto slashes;
29867 inode = dentry->d_inode;
29868- if (inode)
29869+ if (inode) {
29870+ if (inode->i_nlink <= 1) {
29871+ saved_ino = inode->i_ino;
29872+ saved_dev = inode->i_sb->s_dev;
29873+ }
29874+
29875 atomic_inc(&inode->i_count);
29876+
29877+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
29878+ error = -EACCES;
29879+ goto exit2;
29880+ }
29881+ }
29882 error = mnt_want_write(nd.path.mnt);
29883 if (error)
29884 goto exit2;
ae4e228f 29885@@ -2330,6 +2445,8 @@ static long do_unlinkat(int dfd, const c
29886 if (error)
29887 goto exit3;
29888 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
29889+ if (!error && (saved_ino || saved_dev))
29890+ gr_handle_delete(saved_ino, saved_dev);
29891 exit3:
29892 mnt_drop_write(nd.path.mnt);
29893 exit2:
ae4e228f 29894@@ -2408,6 +2525,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
29895 if (IS_ERR(dentry))
29896 goto out_unlock;
29897
29898+ if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
29899+ error = -EACCES;
29900+ goto out_dput;
29901+ }
29902+
29903 error = mnt_want_write(nd.path.mnt);
29904 if (error)
29905 goto out_dput;
ae4e228f 29906@@ -2415,6 +2537,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
29907 if (error)
29908 goto out_drop_write;
29909 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
29910+ if (!error)
29911+ gr_handle_create(dentry, nd.path.mnt);
29912 out_drop_write:
29913 mnt_drop_write(nd.path.mnt);
29914 out_dput:
ae4e228f 29915@@ -2508,6 +2632,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29916 error = PTR_ERR(new_dentry);
29917 if (IS_ERR(new_dentry))
29918 goto out_unlock;
29919+
29920+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
29921+ old_path.dentry->d_inode,
29922+ old_path.dentry->d_inode->i_mode, to)) {
29923+ error = -EACCES;
29924+ goto out_dput;
29925+ }
29926+
29927+ if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
29928+ old_path.dentry, old_path.mnt, to)) {
29929+ error = -EACCES;
29930+ goto out_dput;
29931+ }
29932+
29933 error = mnt_want_write(nd.path.mnt);
29934 if (error)
29935 goto out_dput;
ae4e228f 29936@@ -2515,6 +2653,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
29937 if (error)
29938 goto out_drop_write;
29939 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
29940+ if (!error)
29941+ gr_handle_create(new_dentry, nd.path.mnt);
29942 out_drop_write:
29943 mnt_drop_write(nd.path.mnt);
29944 out_dput:
ae4e228f 29945@@ -2748,6 +2888,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29946 if (new_dentry == trap)
29947 goto exit5;
29948
29949+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
29950+ old_dentry, old_dir->d_inode, oldnd.path.mnt,
29951+ to);
29952+ if (error)
29953+ goto exit5;
29954+
29955 error = mnt_want_write(oldnd.path.mnt);
29956 if (error)
29957 goto exit5;
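Review bot: `gr_acl_handle_rename()` is used here as an errno-returning call (`error = ...; if (error) goto exit5;`), while the other `gr_acl_handle_*` hooks added to this file are tested as booleans where zero means deny, and the `gr_handle_*` hooks as booleans where non-zero means deny. Three return conventions behind near-identical names make an inverted test easy to write and hard to spot in review of an access-control path. A one-line comment at this call, e.g. `/* returns 0 or -errno, unlike the boolean gr_acl_handle_* hooks */`, would mark the exception where it is used. The renameat body starts and ends outside the hunk.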
ae4e228f 29958@@ -2757,6 +2903,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
29959 goto exit6;
29960 error = vfs_rename(old_dir->d_inode, old_dentry,
29961 new_dir->d_inode, new_dentry);
29962+ if (!error)
29963+ gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
29964+ new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
29965 exit6:
29966 mnt_drop_write(oldnd.path.mnt);
29967 exit5:
29968diff -urNp linux-2.6.33.1/fs/namespace.c linux-2.6.33.1/fs/namespace.c
29969--- linux-2.6.33.1/fs/namespace.c 2010-03-15 12:09:39.000000000 -0400
29970+++ linux-2.6.33.1/fs/namespace.c 2010-03-20 16:58:41.649168726 -0400
29971@@ -1085,6 +1085,9 @@ static int do_umount(struct vfsmount *mn
29972 if (!(sb->s_flags & MS_RDONLY))
29973 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
29974 up_write(&sb->s_umount);
29975+
29976+ gr_log_remount(mnt->mnt_devname, retval);
29977+
29978 return retval;
29979 }
29980
ae4e228f 29981@@ -1106,6 +1109,9 @@ static int do_umount(struct vfsmount *mn
29982 security_sb_umount_busy(mnt);
29983 up_write(&namespace_sem);
29984 release_mounts(&umount_list);
29985+
29986+ gr_log_unmount(mnt->mnt_devname, retval);
29987+
29988 return retval;
29989 }
29990
29991@@ -1963,6 +1969,16 @@ long do_mount(char *dev_name, char *dir_
29992 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
29993 MS_STRICTATIME);
58c5fc13 29994
29995+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
29996+ retval = -EPERM;
29997+ goto dput_out;
29998+ }
29999+
30000+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
30001+ retval = -EPERM;
30002+ goto dput_out;
30003+ }
30004+
30005 if (flags & MS_REMOUNT)
30006 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
30007 data_page);
ae4e228f 30008@@ -1977,6 +1993,9 @@ long do_mount(char *dev_name, char *dir_
30009 dev_name, data_page);
30010 dput_out:
30011 path_put(&path);
30012+
30013+ gr_log_mount(dev_name, dir_name, retval);
30014+
30015 return retval;
30016 }
30017
ae4e228f 30018@@ -2183,6 +2202,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
30019 goto out1;
30020 }
30021
30022+ if (gr_handle_chroot_pivot()) {
30023+ error = -EPERM;
30024+ path_put(&old);
30025+ goto out1;
30026+ }
30027+
30028 read_lock(&current->fs->lock);
30029 root = current->fs->root;
30030 path_get(&current->fs->root);
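--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -965,16 +965,16 @@ static int nfs_size_need_update(const st
  return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
 }
 
-static atomic_long_t nfs_attr_generation_counter;
+static atomic_long_unchecked_t nfs_attr_generation_counter;
 
 static unsigned long nfs_read_attr_generation_counter(void)
 {
- return atomic_long_read(&nfs_attr_generation_counter);
+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
 }
 
 unsigned long nfs_inc_attr_generation_counter(void)
 {
- return atomic_long_inc_return(&nfs_attr_generation_counter);
+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
 }
 
 void nfs_fattr_init(struct nfs_fattr *fattr)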
30054diff -urNp linux-2.6.33.1/fs/nfs/nfs4proc.c linux-2.6.33.1/fs/nfs/nfs4proc.c
30055--- linux-2.6.33.1/fs/nfs/nfs4proc.c 2010-03-15 12:09:39.000000000 -0400
30056+++ linux-2.6.33.1/fs/nfs/nfs4proc.c 2010-03-20 16:58:41.652911113 -0400
30057@@ -1159,7 +1159,7 @@ static int _nfs4_do_open_reclaim(struct
30058 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
30059 {
30060 struct nfs_server *server = NFS_SERVER(state->inode);
30061- struct nfs4_exception exception = { };
30062+ struct nfs4_exception exception = {0, 0};
30063 int err;
30064 do {
30065 err = _nfs4_do_open_reclaim(ctx, state);
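Review bot: Replacing `{ }` with the positional `{0, 0}` ties this initialiser to the current member count of `struct nfs4_exception`, whose definition is not part of the hunk; the same substitution is repeated in every following hunk of fs/nfs/nfs4proc.c. If the aim is only to avoid the empty-brace GNU extension, `{ 0 }` zero-initialises the whole struct without depending on how many members it has. If the aim is to silence a missing-initialiser warning, a one-line comment at the struct definition saying so would stop the list from being shortened again later. The function body continues outside the hunk.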
ae4e228f 30066@@ -1201,7 +1201,7 @@ static int _nfs4_open_delegation_recall(
30067
30068 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
30069 {
30070- struct nfs4_exception exception = { };
30071+ struct nfs4_exception exception = {0, 0};
30072 struct nfs_server *server = NFS_SERVER(state->inode);
30073 int err;
30074 do {
30075@@ -1572,7 +1572,7 @@ static int _nfs4_open_expired(struct nfs
30076 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
30077 {
30078 struct nfs_server *server = NFS_SERVER(state->inode);
30079- struct nfs4_exception exception = { };
30080+ struct nfs4_exception exception = {0, 0};
30081 int err;
30082
30083 do {
ae4e228f 30084@@ -1678,7 +1678,7 @@ out_err:
30085
30086 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
30087 {
30088- struct nfs4_exception exception = { };
30089+ struct nfs4_exception exception = {0, 0};
30090 struct nfs4_state *res;
30091 int status;
30092
ae4e228f 30093@@ -1769,7 +1769,7 @@ static int nfs4_do_setattr(struct inode
30094 struct nfs4_state *state)
30095 {
30096 struct nfs_server *server = NFS_SERVER(inode);
30097- struct nfs4_exception exception = { };
30098+ struct nfs4_exception exception = {0, 0};
30099 int err;
30100 do {
30101 err = nfs4_handle_exception(server,
ae4e228f 30102@@ -2146,7 +2146,7 @@ static int _nfs4_server_capabilities(str
30103
30104 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
30105 {
30106- struct nfs4_exception exception = { };
30107+ struct nfs4_exception exception = {0, 0};
30108 int err;
30109 do {
30110 err = nfs4_handle_exception(server,
ae4e228f 30111@@ -2180,7 +2180,7 @@ static int _nfs4_lookup_root(struct nfs_
30112 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
30113 struct nfs_fsinfo *info)
30114 {
30115- struct nfs4_exception exception = { };
30116+ struct nfs4_exception exception = {0, 0};
30117 int err;
30118 do {
30119 err = nfs4_handle_exception(server,
ae4e228f 30120@@ -2269,7 +2269,7 @@ static int _nfs4_proc_getattr(struct nfs
30121
30122 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30123 {
30124- struct nfs4_exception exception = { };
30125+ struct nfs4_exception exception = {0, 0};
30126 int err;
30127 do {
30128 err = nfs4_handle_exception(server,
ae4e228f 30129@@ -2357,7 +2357,7 @@ static int nfs4_proc_lookupfh(struct nfs
30130 struct qstr *name, struct nfs_fh *fhandle,
30131 struct nfs_fattr *fattr)
30132 {
30133- struct nfs4_exception exception = { };
30134+ struct nfs4_exception exception = {0, 0};
30135 int err;
30136 do {
30137 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
ae4e228f 30138@@ -2386,7 +2386,7 @@ static int _nfs4_proc_lookup(struct inod
30139
30140 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
30141 {
30142- struct nfs4_exception exception = { };
30143+ struct nfs4_exception exception = {0, 0};
30144 int err;
30145 do {
30146 err = nfs4_handle_exception(NFS_SERVER(dir),
ae4e228f 30147@@ -2450,7 +2450,7 @@ static int _nfs4_proc_access(struct inod
30148
30149 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
30150 {
30151- struct nfs4_exception exception = { };
30152+ struct nfs4_exception exception = {0, 0};
30153 int err;
30154 do {
30155 err = nfs4_handle_exception(NFS_SERVER(inode),
ae4e228f 30156@@ -2506,7 +2506,7 @@ static int _nfs4_proc_readlink(struct in
30157 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
30158 unsigned int pgbase, unsigned int pglen)
30159 {
30160- struct nfs4_exception exception = { };
30161+ struct nfs4_exception exception = {0, 0};
30162 int err;
30163 do {
30164 err = nfs4_handle_exception(NFS_SERVER(inode),
ae4e228f 30165@@ -2604,7 +2604,7 @@ static int _nfs4_proc_remove(struct inod
30166
30167 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
30168 {
30169- struct nfs4_exception exception = { };
30170+ struct nfs4_exception exception = {0, 0};
30171 int err;
30172 do {
30173 err = nfs4_handle_exception(NFS_SERVER(dir),
ae4e228f 30174@@ -2677,7 +2677,7 @@ static int _nfs4_proc_rename(struct inod
30175 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
30176 struct inode *new_dir, struct qstr *new_name)
30177 {
30178- struct nfs4_exception exception = { };
30179+ struct nfs4_exception exception = {0, 0};
30180 int err;
30181 do {
30182 err = nfs4_handle_exception(NFS_SERVER(old_dir),
ae4e228f 30183@@ -2724,7 +2724,7 @@ static int _nfs4_proc_link(struct inode
30184
30185 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
30186 {
30187- struct nfs4_exception exception = { };
30188+ struct nfs4_exception exception = {0, 0};
30189 int err;
30190 do {
30191 err = nfs4_handle_exception(NFS_SERVER(inode),
ae4e228f 30192@@ -2816,7 +2816,7 @@ out:
30193 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
30194 struct page *page, unsigned int len, struct iattr *sattr)
30195 {
30196- struct nfs4_exception exception = { };
30197+ struct nfs4_exception exception = {0, 0};
30198 int err;
30199 do {
30200 err = nfs4_handle_exception(NFS_SERVER(dir),
ae4e228f 30201@@ -2847,7 +2847,7 @@ out:
30202 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
30203 struct iattr *sattr)
30204 {
30205- struct nfs4_exception exception = { };
30206+ struct nfs4_exception exception = {0, 0};
30207 int err;
30208 do {
30209 err = nfs4_handle_exception(NFS_SERVER(dir),
ae4e228f 30210@@ -2896,7 +2896,7 @@ static int _nfs4_proc_readdir(struct den
30211 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
30212 u64 cookie, struct page *page, unsigned int count, int plus)
30213 {
30214- struct nfs4_exception exception = { };
30215+ struct nfs4_exception exception = {0, 0};
30216 int err;
30217 do {
30218 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
ae4e228f 30219@@ -2944,7 +2944,7 @@ out:
30220 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
30221 struct iattr *sattr, dev_t rdev)
30222 {
30223- struct nfs4_exception exception = { };
30224+ struct nfs4_exception exception = {0, 0};
30225 int err;
30226 do {
30227 err = nfs4_handle_exception(NFS_SERVER(dir),
ae4e228f 30228@@ -2976,7 +2976,7 @@ static int _nfs4_proc_statfs(struct nfs_
30229
30230 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
30231 {
30232- struct nfs4_exception exception = { };
30233+ struct nfs4_exception exception = {0, 0};
30234 int err;
30235 do {
30236 err = nfs4_handle_exception(server,
ae4e228f 30237@@ -3007,7 +3007,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
30238
30239 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
30240 {
30241- struct nfs4_exception exception = { };
30242+ struct nfs4_exception exception = {0, 0};
30243 int err;
30244
30245 do {
ae4e228f 30246@@ -3053,7 +3053,7 @@ static int _nfs4_proc_pathconf(struct nf
30247 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
30248 struct nfs_pathconf *pathconf)
30249 {
30250- struct nfs4_exception exception = { };
30251+ struct nfs4_exception exception = {0, 0};
30252 int err;
30253
30254 do {
ae4e228f 30255@@ -3348,7 +3348,7 @@ out_free:
30256
30257 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
30258 {
30259- struct nfs4_exception exception = { };
30260+ struct nfs4_exception exception = {0, 0};
30261 ssize_t ret;
30262 do {
30263 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
ae4e228f 30264@@ -3404,7 +3404,7 @@ static int __nfs4_proc_set_acl(struct in
30265
30266 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
30267 {
30268- struct nfs4_exception exception = { };
30269+ struct nfs4_exception exception = {0, 0};
30270 int err;
30271 do {
30272 err = nfs4_handle_exception(NFS_SERVER(inode),
ae4e228f 30273@@ -3686,7 +3686,7 @@ out:
30274 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
30275 {
30276 struct nfs_server *server = NFS_SERVER(inode);
30277- struct nfs4_exception exception = { };
30278+ struct nfs4_exception exception = {0, 0};
30279 int err;
30280 do {
30281 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
ae4e228f 30282@@ -3759,7 +3759,7 @@ out:
30283
30284 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30285 {
30286- struct nfs4_exception exception = { };
30287+ struct nfs4_exception exception = {0, 0};
30288 int err;
30289
30290 do {
ae4e228f 30291@@ -4171,7 +4171,7 @@ static int _nfs4_do_setlk(struct nfs4_st
30292 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
30293 {
30294 struct nfs_server *server = NFS_SERVER(state->inode);
30295- struct nfs4_exception exception = { };
30296+ struct nfs4_exception exception = {0, 0};
30297 int err;
30298
30299 do {
ae4e228f 30300@@ -4189,7 +4189,7 @@ static int nfs4_lock_reclaim(struct nfs4
30301 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
30302 {
30303 struct nfs_server *server = NFS_SERVER(state->inode);
30304- struct nfs4_exception exception = { };
30305+ struct nfs4_exception exception = {0, 0};
30306 int err;
30307
30308 err = nfs4_set_lock_state(state, request);
ae4e228f 30309@@ -4253,7 +4253,7 @@ out:
30310
30311 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
30312 {
30313- struct nfs4_exception exception = { };
30314+ struct nfs4_exception exception = {0, 0};
30315 int err;
30316
30317 do {
ae4e228f 30318@@ -4313,7 +4313,7 @@ nfs4_proc_lock(struct file *filp, int cm
30319 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
30320 {
30321 struct nfs_server *server = NFS_SERVER(state->inode);
30322- struct nfs4_exception exception = { };
30323+ struct nfs4_exception exception = {0, 0};
30324 int err;
30325
30326 err = nfs4_set_lock_state(state, fl);
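--- a/fs/nfsd/lockd.c
+++ b/fs/nfsd/lockd.c
@@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
  fput(filp);
 }
 
-static struct nlmsvc_binding nfsd_nlm_ops = {
+static const struct nlmsvc_binding nfsd_nlm_ops = {
  .fopen = nlm_fopen, /* open file for locking */
  .fclose = nlm_fclose, /* close file */
 };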
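--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -159,7 +159,7 @@ static int export_features_open(struct i
  return single_open(file, export_features_show, NULL);
 }
 
-static struct file_operations export_features_operations = {
+static const struct file_operations export_features_operations = {
  .open = export_features_open,
  .read = seq_read,
  .llseek = seq_lseek,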
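--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -945,7 +945,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
  } else {
  oldfs = get_fs();
  set_fs(KERNEL_DS);
- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
+ host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
  set_fs(oldfs);
  }
 
@@ -1068,7 +1068,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
 
  /* Write the data. */
  oldfs = get_fs(); set_fs(KERNEL_DS);
- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
+ host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
  set_fs(oldfs);
  if (host_err < 0)
  goto out_nfserr;
@@ -1543,7 +1543,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
  */
 
  oldfs = get_fs(); set_fs(KERNEL_DS);
- host_err = inode->i_op->readlink(dentry, buf, *lenp);
+ host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
  set_fs(oldfs);
 
  if (host_err < 0)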
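--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
  {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
  {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
  {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
- {0, /* end of table */}
+ {0, 0, 0, 0, 0, /* end of table */}
 };
 
 #define UNICODE_MAX 0x0010ffff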
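--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
@@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
 #endif /* NTFS_RW */
 };
 
-const struct file_operations ntfs_empty_file_ops = {};
+const struct file_operations ntfs_empty_file_ops __read_only;
 
-const struct inode_operations ntfs_empty_inode_ops = {};
+const struct inode_operations ntfs_empty_inode_ops __read_only;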
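--- a/fs/ocfs2/cluster/masklog.c
+++ b/fs/ocfs2/cluster/masklog.c
@@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
  return mlog_mask_store(mlog_attr->mask, buf, count);
 }
 
-static struct sysfs_ops mlog_attr_ops = {
+static const struct sysfs_ops mlog_attr_ops = {
  .show = mlog_show,
  .store = mlog_store,
 };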
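--- a/fs/ocfs2/localalloc.c
+++ b/fs/ocfs2/localalloc.c
@@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
  goto bail;
  }
 
- atomic_inc(&osb->alloc_stats.moves);
+ atomic_inc_unchecked(&osb->alloc_stats.moves);
 
  status = 0;
 bail: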
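--- a/fs/ocfs2/ocfs2.h
+++ b/fs/ocfs2/ocfs2.h
@@ -221,11 +221,11 @@ enum ocfs2_vol_state
 
 struct ocfs2_alloc_stats
 {
- atomic_t moves;
- atomic_t local_data;
- atomic_t bitmap_data;
- atomic_t bg_allocs;
- atomic_t bg_extends;
+ atomic_unchecked_t moves;
+ atomic_unchecked_t local_data;
+ atomic_unchecked_t bitmap_data;
+ atomic_unchecked_t bg_allocs;
+ atomic_unchecked_t bg_extends;
 };
 
 enum ocfs2_local_alloc_state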
30449diff -urNp linux-2.6.33.1/fs/ocfs2/suballoc.c linux-2.6.33.1/fs/ocfs2/suballoc.c
30450--- linux-2.6.33.1/fs/ocfs2/suballoc.c 2010-03-15 12:09:39.000000000 -0400
30451+++ linux-2.6.33.1/fs/ocfs2/suballoc.c 2010-03-20 16:58:41.773443597 -0400
30452@@ -620,7 +620,7 @@ static int ocfs2_reserve_suballoc_bits(s
30453 mlog_errno(status);
30454 goto bail;
30455 }
30456- atomic_inc(&osb->alloc_stats.bg_extends);
30457+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
30458
30459 /* You should never ask for this much metadata */
30460 BUG_ON(bits_wanted >
ae4e228f 30461@@ -1651,7 +1651,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
30462 mlog_errno(status);
30463 goto bail;
30464 }
30465- atomic_inc(&osb->alloc_stats.bg_allocs);
30466+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30467
30468 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
30469 ac->ac_bits_given += (*num_bits);
ae4e228f 30470@@ -1725,7 +1725,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
30471 mlog_errno(status);
30472 goto bail;
30473 }
30474- atomic_inc(&osb->alloc_stats.bg_allocs);
30475+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
30476
30477 BUG_ON(num_bits != 1);
30478
ae4e228f 30479@@ -1827,7 +1827,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30480 cluster_start,
30481 num_clusters);
30482 if (!status)
30483- atomic_inc(&osb->alloc_stats.local_data);
30484+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
30485 } else {
30486 if (min_clusters > (osb->bitmap_cpg - 1)) {
30487 /* The only paths asking for contiguousness
ae4e228f 30488@@ -1855,7 +1855,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
30489 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
30490 bg_blkno,
30491 bg_bit_off);
30492- atomic_inc(&osb->alloc_stats.bitmap_data);
30493+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
30494 }
30495 }
30496 if (status < 0) {
30497diff -urNp linux-2.6.33.1/fs/ocfs2/super.c linux-2.6.33.1/fs/ocfs2/super.c
30498--- linux-2.6.33.1/fs/ocfs2/super.c 2010-03-15 12:09:39.000000000 -0400
30499+++ linux-2.6.33.1/fs/ocfs2/super.c 2010-03-20 16:58:41.781934851 -0400
30500@@ -286,11 +286,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
30501 "%10s => GlobalAllocs: %d LocalAllocs: %d "
30502 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
30503 "Stats",
30504- atomic_read(&osb->alloc_stats.bitmap_data),
30505- atomic_read(&osb->alloc_stats.local_data),
30506- atomic_read(&osb->alloc_stats.bg_allocs),
30507- atomic_read(&osb->alloc_stats.moves),
30508- atomic_read(&osb->alloc_stats.bg_extends));
30509+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
30510+ atomic_read_unchecked(&osb->alloc_stats.local_data),
30511+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
30512+ atomic_read_unchecked(&osb->alloc_stats.moves),
30513+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
30514
30515 out += snprintf(buf + out, len - out,
30516 "%10s => State: %u Descriptor: %llu Size: %u bits "
ae4e228f 30517@@ -1999,11 +1999,11 @@ static int ocfs2_initialize_super(struct
30518 spin_lock_init(&osb->osb_xattr_lock);
30519 ocfs2_init_inode_steal_slot(osb);
30520
30521- atomic_set(&osb->alloc_stats.moves, 0);
30522- atomic_set(&osb->alloc_stats.local_data, 0);
30523- atomic_set(&osb->alloc_stats.bitmap_data, 0);
30524- atomic_set(&osb->alloc_stats.bg_allocs, 0);
30525- atomic_set(&osb->alloc_stats.bg_extends, 0);
30526+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
30527+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
30528+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
30529+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
30530+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
30531
30532 /* Copy the blockcheck stats from the superblock probe */
30533 osb->osb_ecc_stats = *stats;
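--- a/fs/ocfs2/symlink.c
+++ b/fs/ocfs2/symlink.c
@@ -148,7 +148,7 @@ bail:
 
 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
 {
- char *link = nd_get_link(nd);
+ const char *link = nd_get_link(nd);
  if (!IS_ERR(link))
  kfree(link);
 }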
30546diff -urNp linux-2.6.33.1/fs/open.c linux-2.6.33.1/fs/open.c
30547--- linux-2.6.33.1/fs/open.c 2010-03-15 12:09:39.000000000 -0400
30548+++ linux-2.6.33.1/fs/open.c 2010-03-20 16:58:41.824559234 -0400
30549@@ -209,6 +209,9 @@ int do_truncate(struct dentry *dentry, l
30550 if (length < 0)
30551 return -EINVAL;
30552
30553+ if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
30554+ return -EACCES;
30555+
30556 newattrs.ia_size = length;
30557 newattrs.ia_valid = ATTR_SIZE | time_attrs;
30558 if (filp) {
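Review bot: The `gr_acl_handle_truncate()` check in `do_truncate()` only runs when `filp` is non-NULL, and the context line `if (filp) {` shows that callers without a file pointer are expected. If those callers are checked before they reach this function, a comment should say so, e.g. `/* filp == NULL callers are checked by their own hook before calling do_truncate() */`. Otherwise they skip the ACL decision here. The rest of `do_truncate()` and its callers lie outside the hunk, so this could not be confirmed from the lines shown.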
ae4e228f 30559@@ -514,6 +517,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
58c5fc13
MT
30560 if (__mnt_is_readonly(path.mnt))
30561 res = -EROFS;
30562
30563+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
30564+ res = -EACCES;
30565+
30566 out_path_release:
30567 path_put(&path);
30568 out:
ae4e228f 30569@@ -540,6 +546,8 @@ SYSCALL_DEFINE1(chdir, const char __user
58c5fc13
MT
30570 if (error)
30571 goto dput_and_out;
30572
30573+ gr_log_chdir(path.dentry, path.mnt);
30574+
30575 set_fs_pwd(current->fs, &path);
30576
30577 dput_and_out:
ae4e228f 30578@@ -566,6 +574,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
58c5fc13
MT
30579 goto out_putf;
30580
30581 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
30582+
30583+ if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
30584+ error = -EPERM;
30585+
30586+ if (!error)
30587+ gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
30588+
30589 if (!error)
30590 set_fs_pwd(current->fs, &file->f_path);
30591 out_putf:
ae4e228f
MT
30592@@ -594,7 +609,18 @@ SYSCALL_DEFINE1(chroot, const char __use
30593 if (error)
58c5fc13
MT
30594 goto dput_and_out;
30595
30596+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
30597+ goto dput_and_out;
30598+
30599+ if (gr_handle_chroot_caps(&path)) {
30600+ error = -ENOMEM;
30601+ goto dput_and_out;
30602+ }
30603+
30604 set_fs_root(current->fs, &path);
30605+
30606+ gr_handle_chroot_chdir(&path);
30607+
30608 error = 0;
30609 dput_and_out:
30610 path_put(&path);
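Review bot: The `goto dput_and_out` taken when `gr_handle_chroot_chroot()` refuses the request leaves `error` unchanged. The preceding context `if (error) goto dput_and_out;` implies it is 0 at that point, so the syscall would report success although the root was not changed. The `gr_handle_chroot_caps()` branch right below sets `error = -ENOMEM` before jumping; the first check should set a code as well, e.g. `error = -EPERM;` before its `goto`. The start of the function is outside the hunk, so the value of `error` is inferred from the context lines only.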
ae4e228f 30611@@ -622,6 +648,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
58c5fc13
MT
30612 err = mnt_want_write_file(file);
30613 if (err)
30614 goto out_putf;
30615+
30616+ if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
30617+ err = -EACCES;
30618+ goto out_drop_write;
30619+ }
30620+
30621 mutex_lock(&inode->i_mutex);
ae4e228f
MT
30622 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
30623 if (err)
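Review bot: The fd-based chmod path gets only `gr_acl_handle_fchmod()`, while the `fchmodat` hunk further down additionally calls `gr_handle_chroot_chmod()` once `mode` has been normalised. If the chroot restriction is meant to apply to `fchmod` too, the same check belongs after the `mode == (mode_t) -1` handling in this function. If `gr_acl_handle_fchmod()` already covers it, a one-line comment such as `/* chroot chmod restriction is enforced inside gr_acl_handle_fchmod() */` would make that clear. The middle of the function falls between this hunk and the next and is not visible.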
30624@@ -633,6 +665,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
58c5fc13 30625 err = notify_change(dentry, &newattrs);
ae4e228f 30626 out_unlock:
58c5fc13 30627 mutex_unlock(&inode->i_mutex);
58c5fc13
MT
30628+out_drop_write:
30629 mnt_drop_write(file->f_path.mnt);
30630 out_putf:
30631 fput(file);
ae4e228f 30632@@ -655,17 +688,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
58c5fc13
MT
30633 error = mnt_want_write(path.mnt);
30634 if (error)
30635 goto dput_and_out;
30636+
30637+ if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
30638+ error = -EACCES;
30639+ goto out_drop_write;
30640+ }
30641+
30642 mutex_lock(&inode->i_mutex);
ae4e228f
MT
30643 error = security_path_chmod(path.dentry, path.mnt, mode);
30644 if (error)
30645 goto out_unlock;
58c5fc13
MT
30646 if (mode == (mode_t) -1)
30647 mode = inode->i_mode;
30648+
30649+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
30650+ error = -EACCES;
ae4e228f 30651+ goto out_unlock;
58c5fc13
MT
30652+ }
30653+
30654 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
30655 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
30656 error = notify_change(path.dentry, &newattrs);
ae4e228f 30657 out_unlock:
58c5fc13 30658 mutex_unlock(&inode->i_mutex);
58c5fc13
MT
30659+out_drop_write:
30660 mnt_drop_write(path.mnt);
30661 dput_and_out:
30662 path_put(&path);
ae4e228f 30663@@ -684,6 +730,9 @@ static int chown_common(struct path *pat
58c5fc13
MT
30664 int error;
30665 struct iattr newattrs;
30666
ae4e228f 30667+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
58c5fc13
MT
30668+ return -EACCES;
30669+
30670 newattrs.ia_valid = ATTR_CTIME;
30671 if (user != (uid_t) -1) {
30672 newattrs.ia_valid |= ATTR_UID;
ae4e228f
MT
30673diff -urNp linux-2.6.33.1/fs/pipe.c linux-2.6.33.1/fs/pipe.c
30674--- linux-2.6.33.1/fs/pipe.c 2010-03-15 12:09:39.000000000 -0400
30675+++ linux-2.6.33.1/fs/pipe.c 2010-03-20 16:58:41.824559234 -0400
30676@@ -401,9 +401,9 @@ redo:
30677 }
30678 if (bufs) /* More to do? */
30679 continue;
30680- if (!pipe->writers)
30681+ if (!atomic_read(&pipe->writers))
30682 break;
30683- if (!pipe->waiting_writers) {
30684+ if (!atomic_read(&pipe->waiting_writers)) {
30685 /* syscall merging: Usually we must not sleep
30686 * if O_NONBLOCK is set, or if we got some data.
30687 * But if a writer sleeps in kernel space, then
30688@@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
30689 mutex_lock(&inode->i_mutex);
30690 pipe = inode->i_pipe;
30691
30692- if (!pipe->readers) {
30693+ if (!atomic_read(&pipe->readers)) {
30694 send_sig(SIGPIPE, current, 0);
30695 ret = -EPIPE;
30696 goto out;
30697@@ -511,7 +511,7 @@ redo1:
30698 for (;;) {
30699 int bufs;
30700
30701- if (!pipe->readers) {
30702+ if (!atomic_read(&pipe->readers)) {
30703 send_sig(SIGPIPE, current, 0);
30704 if (!ret)
30705 ret = -EPIPE;
30706@@ -597,9 +597,9 @@ redo2:
30707 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30708 do_wakeup = 0;
30709 }
30710- pipe->waiting_writers++;
30711+ atomic_inc(&pipe->waiting_writers);
30712 pipe_wait(pipe);
30713- pipe->waiting_writers--;
30714+ atomic_dec(&pipe->waiting_writers);
30715 }
30716 out:
30717 mutex_unlock(&inode->i_mutex);
30718@@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
30719 mask = 0;
30720 if (filp->f_mode & FMODE_READ) {
30721 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
30722- if (!pipe->writers && filp->f_version != pipe->w_counter)
30723+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
30724 mask |= POLLHUP;
30725 }
30726
30727@@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
30728 * Most Unices do not set POLLERR for FIFOs but on Linux they
30729 * behave exactly like pipes for poll().
30730 */
30731- if (!pipe->readers)
30732+ if (!atomic_read(&pipe->readers))
30733 mask |= POLLERR;
30734 }
30735
30736@@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
30737
30738 mutex_lock(&inode->i_mutex);
30739 pipe = inode->i_pipe;
30740- pipe->readers -= decr;
30741- pipe->writers -= decw;
30742+ atomic_sub(decr, &pipe->readers);
30743+ atomic_sub(decw, &pipe->writers);
30744
30745- if (!pipe->readers && !pipe->writers) {
30746+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
30747 free_pipe_info(inode);
30748 } else {
30749 wake_up_interruptible_sync(&pipe->wait);
30750@@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
30751
30752 if (inode->i_pipe) {
30753 ret = 0;
30754- inode->i_pipe->readers++;
30755+ atomic_inc(&inode->i_pipe->readers);
30756 }
30757
30758 mutex_unlock(&inode->i_mutex);
30759@@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
30760
30761 if (inode->i_pipe) {
30762 ret = 0;
30763- inode->i_pipe->writers++;
30764+ atomic_inc(&inode->i_pipe->writers);
30765 }
30766
30767 mutex_unlock(&inode->i_mutex);
30768@@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
30769 if (inode->i_pipe) {
30770 ret = 0;
30771 if (filp->f_mode & FMODE_READ)
30772- inode->i_pipe->readers++;
30773+ atomic_inc(&inode->i_pipe->readers);
30774 if (filp->f_mode & FMODE_WRITE)
30775- inode->i_pipe->writers++;
30776+ atomic_inc(&inode->i_pipe->writers);
30777 }
30778
30779 mutex_unlock(&inode->i_mutex);
30780@@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
58c5fc13
MT
30781 inode->i_pipe = NULL;
30782 }
30783
30784-static struct vfsmount *pipe_mnt __read_mostly;
30785+struct vfsmount *pipe_mnt __read_mostly;
ae4e228f
MT
30786
30787 /*
30788 * pipefs_dname() is called from d_path().
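Review bot: Dropping `static` from `pipe_mnt` makes it a kernel-wide symbol, but no matching declaration in a shared header is visible in this file's hunks. Users outside fs/pipe.c should see it through a header (`extern struct vfsmount *pipe_mnt;`) rather than a local `extern`, so the type stays checked against this definition. A short comment on the definition naming the consumer would explain why the symbol is no longer file-local.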
30789@@ -933,7 +933,8 @@ static struct inode * get_pipe_inode(voi
30790 goto fail_iput;
30791 inode->i_pipe = pipe;
30792
30793- pipe->readers = pipe->writers = 1;
30794+ atomic_set(&pipe->readers, 1);
30795+ atomic_set(&pipe->writers, 1);
30796 inode->i_fop = &rdwr_pipefifo_fops;
30797
58c5fc13 30798 /*
ae4e228f
MT
30799diff -urNp linux-2.6.33.1/fs/proc/array.c linux-2.6.33.1/fs/proc/array.c
30800--- linux-2.6.33.1/fs/proc/array.c 2010-03-15 12:09:39.000000000 -0400
30801+++ linux-2.6.33.1/fs/proc/array.c 2010-03-20 16:58:41.824559234 -0400
30802@@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
30803 seq_printf(m, "\n");
58c5fc13
MT
30804 }
30805
30806+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30807+static inline void task_pax(struct seq_file *m, struct task_struct *p)
30808+{
30809+ if (p->mm)
30810+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
30811+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
30812+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
30813+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
30814+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
30815+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
30816+ else
30817+ seq_printf(m, "PaX:\t-----\n");
30818+}
30819+#endif
30820+
30821 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
30822 struct pid *pid, struct task_struct *task)
30823 {
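Review bot: `task_pax()` tests `p->mm` and then reads it again for each of the five flag characters without holding a reference, so the pointer could change between the check and the dereferences if the task exits while its status file is being read. Taking the mm once with `get_task_mm()` and releasing it with `mmput()`, as `proc_pid_auxv()` in fs/proc/base.c does, removes that window and shortens the argument list. Whether the caller already pins the mm cannot be seen from this hunk.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```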
ae4e228f 30824@@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
58c5fc13
MT
30825 task_show_regs(m, task);
30826 #endif
30827 task_context_switch_counts(m, task);
30828+
30829+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
30830+ task_pax(m, task);
30831+#endif
30832+
30833 return 0;
30834 }
30835
30836+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30837+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30838+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
30839+ _mm->pax_flags & MF_PAX_SEGMEXEC))
30840+#endif
30841+
30842 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
30843 struct pid *pid, struct task_struct *task, int whole)
30844 {
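Review bot: `PAX_RAND_FLAGS` uses its parameter `_mm` unparenthesised and expands it four times, and the same definition is repeated in the fs/proc/base.c hunk ahead of `proc_pid_auxv()`. Writing it as `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))` and keeping a single copy in fs/proc/internal.h would stop the two users from drifting apart. A one-line comment stating that the macro is true only for another task's mm with one of these flags set would also help readers of `do_task_stat()`.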
ae4e228f
MT
30845@@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
30846 gtime = task->gtime;
58c5fc13
MT
30847 }
30848
30849+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30850+ if (PAX_RAND_FLAGS(mm)) {
30851+ eip = 0;
30852+ esp = 0;
30853+ wchan = 0;
30854+ }
30855+#endif
30856+#ifdef CONFIG_GRKERNSEC_HIDESYM
30857+ wchan = 0;
30858+ eip =0;
30859+ esp =0;
30860+#endif
30861+
30862 /* scale priority and nice values from timeslices to -20..20 */
30863 /* to make it look like a "normal" Unix priority/nice value */
30864 priority = task_prio(task);
ae4e228f 30865@@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
58c5fc13
MT
30866 vsize,
30867 mm ? get_mm_rss(mm) : 0,
30868 rsslim,
30869+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30870+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
30871+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
ae4e228f 30872+ PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? task->stack_start : 0),
58c5fc13
MT
30873+#else
30874 mm ? mm->start_code : 0,
30875 mm ? mm->end_code : 0,
ae4e228f 30876 (permitted && mm) ? task->stack_start : 0,
58c5fc13
MT
30877+#endif
30878 esp,
30879 eip,
30880 /* The signal information here is obsolete.
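Review bot: The substituted values are undocumented: when `PAX_RAND_FLAGS(mm)` is true the code reports `1` for `start_code` and `end_code` but `0` for the stack start, and nothing says why the placeholders differ. A comment above the `#ifdef`, e.g. `/* placeholders for another task's randomised mm: code range reads as 1, stack start as 0 */`, would keep this from looking like a typo. The enclosing `seq_printf()` call starts and ends outside the hunk.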
ae4e228f 30881@@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
58c5fc13
MT
30882
30883 return 0;
30884 }
30885+
30886+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
30887+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
30888+{
ae4e228f 30889+ return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
58c5fc13
MT
30890+}
30891+#endif
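Review bot: `proc_pid_ipaddr()` dereferences `task->signal` without a NULL check or the sighand lock. The read is only safe if the signal struct is guaranteed to outlive the task reference the proc handler holds, and that guarantee is not visible in this hunk. Guarding the access with `lock_task_sighand()` / `unlock_task_sighand()` and returning 0 when the lock cannot be taken removes the dependency. The function is complete within the hunk.

```c
int proc_pid_ipaddr(struct task_struct *task, char *buffer)
{
	unsigned long flags;
	int len = 0;

	if (lock_task_sighand(task, &flags)) {
		len = sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
		unlock_task_sighand(task, &flags);
	}
	return len;
}
```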
ae4e228f
MT
30892diff -urNp linux-2.6.33.1/fs/proc/base.c linux-2.6.33.1/fs/proc/base.c
30893--- linux-2.6.33.1/fs/proc/base.c 2010-03-15 12:09:39.000000000 -0400
30894+++ linux-2.6.33.1/fs/proc/base.c 2010-03-20 16:58:41.824559234 -0400
30895@@ -102,6 +102,22 @@ struct pid_entry {
30896 union proc_op op;
30897 };
30898
30899+struct getdents_callback {
30900+ struct linux_dirent __user * current_dir;
30901+ struct linux_dirent __user * previous;
30902+ struct file * file;
30903+ int count;
30904+ int error;
30905+};
30906+
30907+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
30908+ loff_t offset, u64 ino, unsigned int d_type)
30909+{
30910+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
30911+ buf->error = -EINVAL;
30912+ return 0;
30913+}
30914+
30915 #define NOD(NAME, MODE, IOP, FOP, OP) { \
30916 .name = (NAME), \
30917 .len = sizeof(NAME) - 1, \
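Review bot: `gr_fake_filldir()` casts the opaque `__buf` to a `struct getdents_callback` that is re-declared locally in this file, so nothing at compile time ties its layout to the structure the readdir caller actually passed. If any caller of `proc_pid_readdir()` supplies a different callback buffer, the store to `buf->error` lands at an unrelated offset in that caller's object. Sharing the structure through a header, or having the fake callback return without writing through `__buf`, would remove the assumption. At minimum a comment should state which callers the cast is valid for.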
30918@@ -213,6 +229,9 @@ static int check_mem_permission(struct t
58c5fc13
MT
30919 if (task == current)
30920 return 0;
30921
30922+ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
30923+ return -EPERM;
30924+
30925 /*
30926 * If current is actively ptrace'ing, and would also be
30927 * permitted to freshly attach with ptrace now, permit it.
ae4e228f 30928@@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
58c5fc13
MT
30929 if (!mm->arg_end)
30930 goto out_mm; /* Shh! No looking before we're done */
30931
30932+ if (gr_acl_handle_procpidmem(task))
30933+ goto out_mm;
30934+
30935 len = mm->arg_end - mm->arg_start;
30936
30937 if (len > PAGE_SIZE)
ae4e228f 30938@@ -287,12 +309,26 @@ out:
58c5fc13
MT
30939 return res;
30940 }
30941
30942+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30943+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
30944+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
30945+ _mm->pax_flags & MF_PAX_SEGMEXEC))
30946+#endif
30947+
30948 static int proc_pid_auxv(struct task_struct *task, char *buffer)
30949 {
30950 int res = 0;
30951 struct mm_struct *mm = get_task_mm(task);
30952 if (mm) {
30953 unsigned int nwords = 0;
30954+
30955+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
30956+ if (PAX_RAND_FLAGS(mm)) {
30957+ mmput(mm);
30958+ return res;
30959+ }
30960+#endif
30961+
30962 do {
30963 nwords += 2;
30964 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
ae4e228f 30965@@ -328,7 +364,7 @@ static int proc_pid_wchan(struct task_st
58c5fc13
MT
30966 }
30967 #endif /* CONFIG_KALLSYMS */
30968
30969-#ifdef CONFIG_STACKTRACE
30970+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
30971
30972 #define MAX_STACK_TRACE_DEPTH 64
30973
ae4e228f 30974@@ -521,7 +557,7 @@ static int proc_pid_limits(struct task_s
58c5fc13
MT
30975 return count;
30976 }
30977
30978-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
30979+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
30980 static int proc_pid_syscall(struct task_struct *task, char *buffer)
30981 {
30982 long nr;
ae4e228f 30983@@ -935,6 +971,9 @@ static ssize_t environ_read(struct file
58c5fc13
MT
30984 if (!task)
30985 goto out_no_task;
30986
30987+ if (gr_acl_handle_procpidmem(task))
30988+ goto out;
30989+
30990 if (!ptrace_may_access(task, PTRACE_MODE_READ))
30991 goto out;
30992
ae4e228f 30993@@ -1520,7 +1559,11 @@ static struct inode *proc_pid_make_inode
58c5fc13
MT
30994 rcu_read_lock();
30995 cred = __task_cred(task);
30996 inode->i_uid = cred->euid;
30997+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
30998+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
30999+#else
31000 inode->i_gid = cred->egid;
31001+#endif
31002 rcu_read_unlock();
31003 }
31004 security_task_to_inode(task, inode);
ae4e228f 31005@@ -1538,6 +1581,9 @@ static int pid_getattr(struct vfsmount *
58c5fc13
MT
31006 struct inode *inode = dentry->d_inode;
31007 struct task_struct *task;
31008 const struct cred *cred;
31009+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31010+ const struct cred *tmpcred = current_cred();
31011+#endif
31012
31013 generic_fillattr(inode, stat);
31014
ae4e228f 31015@@ -1545,12 +1591,34 @@ static int pid_getattr(struct vfsmount *
58c5fc13
MT
31016 stat->uid = 0;
31017 stat->gid = 0;
31018 task = pid_task(proc_pid(inode), PIDTYPE_PID);
31019+
31020+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
31021+ rcu_read_unlock();
31022+ return -ENOENT;
31023+ }
31024+
31025 if (task) {
31026+ cred = __task_cred(task);
31027+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31028+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
31029+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31030+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
31031+#endif
31032+ )
31033+#endif
31034 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
31035+#ifdef CONFIG_GRKERNSEC_PROC_USER
31036+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
31037+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31038+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
31039+#endif
31040 task_dumpable(task)) {
31041- cred = __task_cred(task);
31042 stat->uid = cred->euid;
31043+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31044+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
31045+#else
31046 stat->gid = cred->egid;
31047+#endif
31048 }
31049 }
31050 rcu_read_unlock();
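Review bot: The credential test added under `#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` is an `if` with no braces whose body is the existing `if`, so the nesting of the block changes with the configuration and is easy to misread. A comment directly above it, e.g. `/* real ids are reported only to root, the task's owner, or members of the proc group */`, and braces around the guarded block would make the intent explicit. The same mode comparisons are repeated in the `pid_revalidate` hunk that follows, so a small shared helper for the "directory mode matches the configured default" test would keep the two in step.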
ae4e228f 31051@@ -1582,11 +1650,20 @@ static int pid_revalidate(struct dentry
58c5fc13
MT
31052
31053 if (task) {
31054 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
31055+#ifdef CONFIG_GRKERNSEC_PROC_USER
31056+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
31057+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31058+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
31059+#endif
31060 task_dumpable(task)) {
31061 rcu_read_lock();
31062 cred = __task_cred(task);
31063 inode->i_uid = cred->euid;
31064+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31065+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31066+#else
31067 inode->i_gid = cred->egid;
31068+#endif
31069 rcu_read_unlock();
31070 } else {
31071 inode->i_uid = 0;
ae4e228f 31072@@ -1707,7 +1784,8 @@ static int proc_fd_info(struct inode *in
58c5fc13
MT
31073 int fd = proc_fd(inode);
31074
31075 if (task) {
31076- files = get_files_struct(task);
31077+ if (!gr_acl_handle_procpidmem(task))
31078+ files = get_files_struct(task);
31079 put_task_struct(task);
31080 }
31081 if (files) {
ae4e228f 31082@@ -1959,12 +2037,22 @@ static const struct file_operations proc
58c5fc13
MT
31083 static int proc_fd_permission(struct inode *inode, int mask)
31084 {
31085 int rv;
31086+ struct task_struct *task;
31087
31088 rv = generic_permission(inode, mask, NULL);
31089- if (rv == 0)
31090- return 0;
31091+
31092 if (task_pid(current) == proc_pid(inode))
31093 rv = 0;
31094+
31095+ task = get_proc_task(inode);
31096+ if (task == NULL)
31097+ return rv;
31098+
31099+ if (gr_acl_handle_procpidmem(task))
31100+ rv = -EACCES;
31101+
31102+ put_task_struct(task);
31103+
31104 return rv;
31105 }
31106
ae4e228f 31107@@ -2073,6 +2161,9 @@ static struct dentry *proc_pident_lookup
58c5fc13
MT
31108 if (!task)
31109 goto out_no_task;
31110
31111+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31112+ goto out;
31113+
31114 /*
31115 * Yes, it does not scale. And it should not. Don't add
31116 * new entries into /proc/<tgid>/ without very good reasons.
ae4e228f 31117@@ -2117,6 +2208,9 @@ static int proc_pident_readdir(struct fi
58c5fc13
MT
31118 if (!task)
31119 goto out_no_task;
31120
31121+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31122+ goto out;
31123+
31124 ret = 0;
31125 i = filp->f_pos;
31126 switch (i) {
ae4e228f
MT
31127@@ -2384,7 +2478,7 @@ static void *proc_self_follow_link(struc
31128 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
31129 void *cookie)
31130 {
31131- char *s = nd_get_link(nd);
31132+ const char *s = nd_get_link(nd);
31133 if (!IS_ERR(s))
31134 __putname(s);
31135 }
31136@@ -2497,6 +2591,9 @@ static struct dentry *proc_base_lookup(s
58c5fc13
MT
31137 if (p > last)
31138 goto out;
31139
31140+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
31141+ goto out;
31142+
31143 error = proc_base_instantiate(dir, dentry, task, p);
31144
31145 out:
ae4e228f 31146@@ -2584,7 +2681,7 @@ static const struct pid_entry tgid_base_
58c5fc13
MT
31147 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31148 #endif
ae4e228f 31149 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
58c5fc13
MT
31150-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31151+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31152 INF("syscall", S_IRUSR, proc_pid_syscall),
31153 #endif
31154 INF("cmdline", S_IRUGO, proc_pid_cmdline),
ae4e228f 31155@@ -2612,7 +2709,7 @@ static const struct pid_entry tgid_base_
58c5fc13
MT
31156 #ifdef CONFIG_KALLSYMS
31157 INF("wchan", S_IRUGO, proc_pid_wchan),
31158 #endif
31159-#ifdef CONFIG_STACKTRACE
31160+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31161 ONE("stack", S_IRUSR, proc_pid_stack),
31162 #endif
31163 #ifdef CONFIG_SCHEDSTATS
ae4e228f 31164@@ -2642,6 +2739,9 @@ static const struct pid_entry tgid_base_
58c5fc13
MT
31165 #ifdef CONFIG_TASK_IO_ACCOUNTING
31166 INF("io", S_IRUGO, proc_tgid_io_accounting),
31167 #endif
31168+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31169+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
31170+#endif
31171 };
31172
31173 static int proc_tgid_base_readdir(struct file * filp,
ae4e228f 31174@@ -2766,7 +2866,14 @@ static struct dentry *proc_pid_instantia
58c5fc13
MT
31175 if (!inode)
31176 goto out;
31177
31178+#ifdef CONFIG_GRKERNSEC_PROC_USER
31179+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
31180+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31181+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31182+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
31183+#else
31184 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
31185+#endif
31186 inode->i_op = &proc_tgid_base_inode_operations;
31187 inode->i_fop = &proc_tgid_base_operations;
31188 inode->i_flags|=S_IMMUTABLE;
ae4e228f 31189@@ -2808,7 +2915,11 @@ struct dentry *proc_pid_lookup(struct in
58c5fc13
MT
31190 if (!task)
31191 goto out;
31192
31193+ if (gr_check_hidden_task(task))
31194+ goto out_put_task;
31195+
31196 result = proc_pid_instantiate(dir, dentry, task, NULL);
31197+out_put_task:
31198 put_task_struct(task);
31199 out:
31200 return result;
ae4e228f 31201@@ -2873,6 +2984,11 @@ int proc_pid_readdir(struct file * filp,
58c5fc13
MT
31202 {
31203 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
31204 struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
31205+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31206+ const struct cred *tmpcred = current_cred();
31207+ const struct cred *itercred;
31208+#endif
ae4e228f 31209+ filldir_t __filldir = filldir;
58c5fc13
MT
31210 struct tgid_iter iter;
31211 struct pid_namespace *ns;
31212
ae4e228f 31213@@ -2891,8 +3007,27 @@ int proc_pid_readdir(struct file * filp,
58c5fc13
MT
31214 for (iter = next_tgid(ns, iter);
31215 iter.task;
31216 iter.tgid += 1, iter = next_tgid(ns, iter)) {
31217+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
ae4e228f 31218+ rcu_read_lock();
58c5fc13
MT
31219+ itercred = __task_cred(iter.task);
31220+#endif
31221+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
31222+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31223+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
31224+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31225+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
31226+#endif
31227+ )
31228+#endif
31229+ )
ae4e228f
MT
31230+ __filldir = &gr_fake_filldir;
31231+ else
31232+ __filldir = filldir;
31233+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31234+ rcu_read_unlock();
31235+#endif
58c5fc13 31236 filp->f_pos = iter.tgid + TGID_OFFSET;
ae4e228f
MT
31237- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
31238+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
58c5fc13 31239 put_task_struct(iter.task);
ae4e228f
MT
31240 goto out;
31241 }
31242@@ -2919,7 +3054,7 @@ static const struct pid_entry tid_base_s
58c5fc13
MT
31243 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
31244 #endif
ae4e228f 31245 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
58c5fc13
MT
31246-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
31247+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
31248 INF("syscall", S_IRUSR, proc_pid_syscall),
31249 #endif
31250 INF("cmdline", S_IRUGO, proc_pid_cmdline),
ae4e228f 31251@@ -2946,7 +3081,7 @@ static const struct pid_entry tid_base_s
58c5fc13
MT
31252 #ifdef CONFIG_KALLSYMS
31253 INF("wchan", S_IRUGO, proc_pid_wchan),
31254 #endif
31255-#ifdef CONFIG_STACKTRACE
31256+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
31257 ONE("stack", S_IRUSR, proc_pid_stack),
31258 #endif
31259 #ifdef CONFIG_SCHEDSTATS
ae4e228f
MT
31260diff -urNp linux-2.6.33.1/fs/proc/cmdline.c linux-2.6.33.1/fs/proc/cmdline.c
31261--- linux-2.6.33.1/fs/proc/cmdline.c 2010-03-15 12:09:39.000000000 -0400
31262+++ linux-2.6.33.1/fs/proc/cmdline.c 2010-03-20 16:58:41.828775433 -0400
58c5fc13
MT
31263@@ -23,7 +23,11 @@ static const struct file_operations cmdl
31264
31265 static int __init proc_cmdline_init(void)
31266 {
31267+#ifdef CONFIG_GRKERNSEC_PROC_ADD
31268+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
31269+#else
31270 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
31271+#endif
31272 return 0;
31273 }
31274 module_init(proc_cmdline_init);
ae4e228f
MT
31275diff -urNp linux-2.6.33.1/fs/proc/devices.c linux-2.6.33.1/fs/proc/devices.c
31276--- linux-2.6.33.1/fs/proc/devices.c 2010-03-15 12:09:39.000000000 -0400
31277+++ linux-2.6.33.1/fs/proc/devices.c 2010-03-20 16:58:41.828775433 -0400
58c5fc13
MT
31278@@ -64,7 +64,11 @@ static const struct file_operations proc
31279
31280 static int __init proc_devices_init(void)
31281 {
31282+#ifdef CONFIG_GRKERNSEC_PROC_ADD
31283+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
31284+#else
31285 proc_create("devices", 0, NULL, &proc_devinfo_operations);
31286+#endif
31287 return 0;
31288 }
31289 module_init(proc_devices_init);
ae4e228f
MT
31290diff -urNp linux-2.6.33.1/fs/proc/inode.c linux-2.6.33.1/fs/proc/inode.c
31291--- linux-2.6.33.1/fs/proc/inode.c 2010-03-15 12:09:39.000000000 -0400
31292+++ linux-2.6.33.1/fs/proc/inode.c 2010-03-20 16:58:41.828775433 -0400
31293@@ -434,7 +434,11 @@ struct inode *proc_get_inode(struct supe
58c5fc13
MT
31294 if (de->mode) {
31295 inode->i_mode = de->mode;
31296 inode->i_uid = de->uid;
31297+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
31298+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
31299+#else
31300 inode->i_gid = de->gid;
31301+#endif
31302 }
31303 if (de->size)
31304 inode->i_size = de->size;
ae4e228f
MT
31305diff -urNp linux-2.6.33.1/fs/proc/internal.h linux-2.6.33.1/fs/proc/internal.h
31306--- linux-2.6.33.1/fs/proc/internal.h 2010-03-15 12:09:39.000000000 -0400
31307+++ linux-2.6.33.1/fs/proc/internal.h 2010-03-20 16:58:41.828775433 -0400
58c5fc13
MT
31308@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
31309 struct pid *pid, struct task_struct *task);
31310 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
31311 struct pid *pid, struct task_struct *task);
31312+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
31313+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
31314+#endif
31315 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
31316
31317 extern const struct file_operations proc_maps_operations;
ae4e228f
MT
31318diff -urNp linux-2.6.33.1/fs/proc/Kconfig linux-2.6.33.1/fs/proc/Kconfig
31319--- linux-2.6.33.1/fs/proc/Kconfig 2010-03-15 12:09:39.000000000 -0400
31320+++ linux-2.6.33.1/fs/proc/Kconfig 2010-03-20 16:58:41.828775433 -0400
58c5fc13
MT
31321@@ -30,12 +30,12 @@ config PROC_FS
31322
31323 config PROC_KCORE
31324 bool "/proc/kcore support" if !ARM
31325- depends on PROC_FS && MMU
31326+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
31327
31328 config PROC_VMCORE
31329 bool "/proc/vmcore support (EXPERIMENTAL)"
31330- depends on PROC_FS && CRASH_DUMP
31331- default y
31332+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
31333+ default n
31334 help
31335 Exports the dump image of crashed kernel in ELF format.
31336
31337@@ -59,8 +59,8 @@ config PROC_SYSCTL
31338 limited in memory.
31339
31340 config PROC_PAGE_MONITOR
31341- default y
31342- depends on PROC_FS && MMU
31343+ default n
31344+ depends on PROC_FS && MMU && !GRKERNSEC
31345 bool "Enable /proc page monitoring" if EMBEDDED
31346 help
31347 Various /proc files exist to monitor process memory utilization:
ae4e228f
MT
31348diff -urNp linux-2.6.33.1/fs/proc/kcore.c linux-2.6.33.1/fs/proc/kcore.c
31349--- linux-2.6.33.1/fs/proc/kcore.c 2010-03-15 12:09:39.000000000 -0400
31350+++ linux-2.6.33.1/fs/proc/kcore.c 2010-03-20 16:58:41.832562866 -0400
31351@@ -541,6 +541,9 @@ read_kcore(struct file *file, char __use
58c5fc13 31352
ae4e228f 31353 static int open_kcore(struct inode *inode, struct file *filp)
58c5fc13 31354 {
ae4e228f
MT
31355+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
31356+ return -EPERM;
58c5fc13 31357+#endif
ae4e228f
MT
31358 if (!capable(CAP_SYS_RAWIO))
31359 return -EPERM;
31360 if (kcore_need_update)
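Review bot: With either option defined, the unconditional `return -EPERM;` at the top of `open_kcore()` turns everything after it into unreachable code that is still compiled. Placing `#else` before `if (!capable(CAP_SYS_RAWIO))` and the matching `#endif` before the function's closing brace leaves one reachable path per configuration. The fs/proc/Kconfig hunk on this page already makes `PROC_KCORE` depend on `!GRKERNSEC_PROC_ADD`, so a comment noting that only the `HIDESYM` case can reach this branch would help. The end of the function is outside the hunk.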
31361diff -urNp linux-2.6.33.1/fs/proc/meminfo.c linux-2.6.33.1/fs/proc/meminfo.c
31362--- linux-2.6.33.1/fs/proc/meminfo.c 2010-03-15 12:09:39.000000000 -0400
31363+++ linux-2.6.33.1/fs/proc/meminfo.c 2010-03-20 16:58:41.832562866 -0400
31364@@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
31365 vmi.used >> 10,
31366 vmi.largest_chunk >> 10
31367 #ifdef CONFIG_MEMORY_FAILURE
31368- ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
31369+ ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
31370 #endif
31371 );
31372
31373diff -urNp linux-2.6.33.1/fs/proc/nommu.c linux-2.6.33.1/fs/proc/nommu.c
31374--- linux-2.6.33.1/fs/proc/nommu.c 2010-03-15 12:09:39.000000000 -0400
31375+++ linux-2.6.33.1/fs/proc/nommu.c 2010-03-20 16:58:41.832562866 -0400
58c5fc13
MT
31376@@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
31377 if (len < 1)
31378 len = 1;
31379 seq_printf(m, "%*c", len, ' ');
31380- seq_path(m, &file->f_path, "");
31381+ seq_path(m, &file->f_path, "\n\\");
31382 }
31383
31384 seq_putc(m, '\n');
ae4e228f
MT
31385diff -urNp linux-2.6.33.1/fs/proc/proc_net.c linux-2.6.33.1/fs/proc/proc_net.c
31386--- linux-2.6.33.1/fs/proc/proc_net.c 2010-03-15 12:09:39.000000000 -0400
31387+++ linux-2.6.33.1/fs/proc/proc_net.c 2010-03-20 16:58:41.832562866 -0400
58c5fc13
MT
31388@@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
31389 struct task_struct *task;
31390 struct nsproxy *ns;
31391 struct net *net = NULL;
31392+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31393+ const struct cred *cred = current_cred();
31394+#endif
31395+
31396+#ifdef CONFIG_GRKERNSEC_PROC_USER
31397+ if (cred->fsuid)
31398+ return net;
31399+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31400+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
31401+ return net;
31402+#endif
31403
31404 rcu_read_lock();
31405 task = pid_task(proc_pid(dir), PIDTYPE_PID);
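Review bot: This check keys on `cred->fsuid`, whereas the other `GRKERNSEC_PROC_USER` / `GRKERNSEC_PROC_USERGROUP` checks visible on this page (`pid_getattr()` and `proc_pid_readdir()` in fs/proc/base.c) test `uid`. If the difference is deliberate, a comment should explain why the network view follows the filesystem uid. Otherwise the same field should be used in both places so the restriction gives the same answer everywhere.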
ae4e228f
MT
31406diff -urNp linux-2.6.33.1/fs/proc/proc_sysctl.c linux-2.6.33.1/fs/proc/proc_sysctl.c
31407--- linux-2.6.33.1/fs/proc/proc_sysctl.c 2010-03-15 12:09:39.000000000 -0400
31408+++ linux-2.6.33.1/fs/proc/proc_sysctl.c 2010-03-20 16:58:41.832562866 -0400
58c5fc13
MT
31409@@ -7,6 +7,8 @@
31410 #include <linux/security.h>
31411 #include "internal.h"
31412
31413+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
31414+
31415 static const struct dentry_operations proc_sys_dentry_operations;
31416 static const struct file_operations proc_sys_file_operations;
31417 static const struct inode_operations proc_sys_inode_operations;
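Review bot: `gr_handle_sysctl()` is declared with a bare `extern` inside the .c file, so the compiler cannot check this prototype against the definition. Moving the declaration into the header that carries the other `gr_` hooks (not visible in this part of the patch) keeps the signature in one place and lets a mismatch fail the build.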
31418@@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
31419 if (!p)
31420 goto out;
31421
31422+ if (gr_handle_sysctl(p, MAY_EXEC))
31423+ goto out;
31424+
31425 err = ERR_PTR(-ENOMEM);
31426 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
31427 if (h)
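Review bot: The new `goto out` in `proc_sys_lookup()` is taken before the `if (h)` that follows `proc_sys_make_inode()`. The body of that statement is outside the hunk, but it appears to be where a header picked up during the lookup is released (presumably via `sysctl_head_finish()`), so a denied lookup may leave that reference held. The `proc_sys_getattr` hunk below has the same shape: `return -ENOENT` comes after `head` has been obtained and checked with `IS_ERR()`, and skips whatever release the normal exit performs. Both early exits should go through the same cleanup as the success path, which needs confirming against the full functions.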
31428@@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
31429 if (*pos < file->f_pos)
31430 continue;
31431
31432+ if (gr_handle_sysctl(table, 0))
31433+ continue;
31434+
31435 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
31436 if (res)
31437 return res;
31438@@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
31439 if (IS_ERR(head))
31440 return PTR_ERR(head);
31441
31442+ if (table && gr_handle_sysctl(table, MAY_EXEC))
31443+ return -ENOENT;
31444+
31445 generic_fillattr(inode, stat);
31446 if (table)
31447 stat->mode = (stat->mode & S_IFMT) | table->mode;
ae4e228f
MT
31448diff -urNp linux-2.6.33.1/fs/proc/root.c linux-2.6.33.1/fs/proc/root.c
31449--- linux-2.6.33.1/fs/proc/root.c 2010-03-15 12:09:39.000000000 -0400
31450+++ linux-2.6.33.1/fs/proc/root.c 2010-03-20 16:58:41.836587389 -0400
58c5fc13
MT
31451@@ -134,7 +134,15 @@ void __init proc_root_init(void)
31452 #ifdef CONFIG_PROC_DEVICETREE
31453 proc_device_tree_init();
31454 #endif
31455+#ifdef CONFIG_GRKERNSEC_PROC_ADD
31456+#ifdef CONFIG_GRKERNSEC_PROC_USER
31457+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
31458+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
31459+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
31460+#endif
31461+#else
31462 proc_mkdir("bus", NULL);
31463+#endif
31464 proc_sys_init();
31465 }
31466
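Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set and neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` defined, the inner `#ifdef`/`#elif` has no fallback, so `proc_root_init` creates no `bus` directory at all. A Kconfig dependency not visible here may rule that combination out. If it does not, add an inner `#else` arm with `proc_mkdir("bus", NULL);` so the directory always exists. A short comment stating the intended modes (owner only versus owner and group) would also help.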
ae4e228f
MT
31467diff -urNp linux-2.6.33.1/fs/proc/task_mmu.c linux-2.6.33.1/fs/proc/task_mmu.c
31468--- linux-2.6.33.1/fs/proc/task_mmu.c 2010-03-15 12:09:39.000000000 -0400
31469+++ linux-2.6.33.1/fs/proc/task_mmu.c 2010-03-20 16:58:41.836587389 -0400
58c5fc13
MT
31470@@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
31471 "VmStk:\t%8lu kB\n"
31472 "VmExe:\t%8lu kB\n"
31473 "VmLib:\t%8lu kB\n"
31474- "VmPTE:\t%8lu kB\n",
31475- hiwater_vm << (PAGE_SHIFT-10),
31476+ "VmPTE:\t%8lu kB\n"
31477+
31478+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31479+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
31480+#endif
31481+
31482+ ,hiwater_vm << (PAGE_SHIFT-10),
31483 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
31484 mm->locked_vm << (PAGE_SHIFT-10),
31485 hiwater_rss << (PAGE_SHIFT-10),
31486 total_rss << (PAGE_SHIFT-10),
31487 data << (PAGE_SHIFT-10),
31488 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
31489- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
31490+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
31491+
31492+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
31493+ , mm->context.user_cs_base, mm->context.user_cs_limit
31494+#endif
31495+
31496+ );
31497 }
31498
31499 unsigned long task_vsize(struct mm_struct *mm)
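Review bot: The new `CsBase`/`CsLim` fields print `mm->context.user_cs_base` and `mm->context.user_cs_limit` unconditionally, while later hunks in this file zero `vm_start`, `vm_end` and `pgoff` when `PAX_RAND_FLAGS(mm)` is true. If `task_mem` can be reached for another task's mm, these two values disclose layout information that the maps output hides. Consider applying the same test here, or documenting why the values are safe to show. Separately, splitting the `seq_printf` format string and argument list with `#ifdef` and a leading comma is easy to break; a second `seq_printf` call inside a single `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT` block would be simpler to read.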
31500@@ -199,6 +210,12 @@ static int do_maps_open(struct inode *in
31501 return ret;
31502 }
31503
31504+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31505+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
31506+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
31507+ _mm->pax_flags & MF_PAX_SEGMEXEC))
31508+#endif
31509+
31510 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
31511 {
31512 struct mm_struct *mm = vma->vm_mm;
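Review bot: `PAX_RAND_FLAGS` uses its argument unparenthesised and evaluates it up to four times, which is fragile for a function-like macro. Writing `(_mm)` at each use, or turning it into a `static inline` helper, avoids both problems. The macro is also defined only under `CONFIG_GRKERNSEC_PROC_MEMMAP`, which forces each call site in `show_map_vma` and `show_smap` into its own `#ifdef`/`#else` pair. Adding an `#else` arm with `#define PAX_RAND_FLAGS(_mm) 0` would let those call sites be written once. A comment stating that the test applies to an mm other than `current->mm` with `MF_PAX_RANDMMAP` or `MF_PAX_SEGMEXEC` set would document the intent.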
31513@@ -217,13 +234,22 @@ static void show_map_vma(struct seq_file
31514 }
31515
31516 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
31517+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31518+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
31519+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
31520+#else
31521 vma->vm_start,
31522 vma->vm_end,
31523+#endif
31524 flags & VM_READ ? 'r' : '-',
31525 flags & VM_WRITE ? 'w' : '-',
31526 flags & VM_EXEC ? 'x' : '-',
31527 flags & VM_MAYSHARE ? 's' : 'p',
31528+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31529+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
31530+#else
31531 pgoff,
31532+#endif
31533 MAJOR(dev), MINOR(dev), ino, &len);
31534
31535 /*
31536@@ -232,16 +258,16 @@ static void show_map_vma(struct seq_file
31537 */
31538 if (file) {
31539 pad_len_spaces(m, len);
31540- seq_path(m, &file->f_path, "\n");
31541+ seq_path(m, &file->f_path, "\n\\");
31542 } else {
31543 const char *name = arch_vma_name(vma);
31544 if (!name) {
31545 if (mm) {
31546- if (vma->vm_start <= mm->start_brk &&
31547- vma->vm_end >= mm->brk) {
31548+ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
31549 name = "[heap]";
31550- } else if (vma->vm_start <= mm->start_stack &&
31551- vma->vm_end >= mm->start_stack) {
31552+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
31553+ (vma->vm_start <= mm->start_stack &&
31554+ vma->vm_end >= mm->start_stack)) {
31555 name = "[stack]";
ae4e228f
MT
31556 } else {
31557 unsigned long stack_start;
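Review bot: The rewritten `[heap]` test is an overlap check with inclusive bounds, `vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk`, so an unnamed mapping that merely ends at `mm->start_brk` or begins at `mm->brk` is also labelled `[heap]`. If `vm_end` is the usual exclusive end address, strict comparisons express the overlap exactly: `if (vma->vm_start < mm->brk && vma->vm_end > mm->start_brk) {`. The `[stack]` branch now also matches any mapping with `VM_GROWSDOWN` or `VM_GROWSUP` set, and a comment noting that this is intentional would help. `show_map_vma` continues past the end of this hunk.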
31558@@ -402,9 +428,16 @@ static int show_smap(struct seq_file *m,
58c5fc13
MT
31559 };
31560
31561 memset(&mss, 0, sizeof mss);
31562- mss.vma = vma;
31563- if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31564- walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31565+
31566+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31567+ if (!PAX_RAND_FLAGS(vma->vm_mm)) {
31568+#endif
31569+ mss.vma = vma;
31570+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
31571+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
31572+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31573+ }
31574+#endif
31575
31576 show_map_vma(m, vma);
31577
ae4e228f 31578@@ -420,7 +453,11 @@ static int show_smap(struct seq_file *m,
58c5fc13
MT
31579 "Swap: %8lu kB\n"
31580 "KernelPageSize: %8lu kB\n"
31581 "MMUPageSize: %8lu kB\n",
31582+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
31583+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
31584+#else
31585 (vma->vm_end - vma->vm_start) >> 10,
31586+#endif
31587 mss.resident >> 10,
31588 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
31589 mss.shared_clean >> 10,
ae4e228f
MT
31590diff -urNp linux-2.6.33.1/fs/proc/task_nommu.c linux-2.6.33.1/fs/proc/task_nommu.c
31591--- linux-2.6.33.1/fs/proc/task_nommu.c 2010-03-15 12:09:39.000000000 -0400
31592+++ linux-2.6.33.1/fs/proc/task_nommu.c 2010-03-20 16:58:41.836587389 -0400
58c5fc13
MT
31593@@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
31594 else
31595 bytes += kobjsize(mm);
31596
31597- if (current->fs && current->fs->users > 1)
31598+ if (current->fs && atomic_read(&current->fs->users) > 1)
31599 sbytes += kobjsize(current->fs);
31600 else
31601 bytes += kobjsize(current->fs);
ae4e228f 31602@@ -158,7 +158,7 @@ static int nommu_vma_show(struct seq_fil
58c5fc13
MT
31603 if (len < 1)
31604 len = 1;
31605 seq_printf(m, "%*c", len, ' ');
31606- seq_path(m, &file->f_path, "");
31607+ seq_path(m, &file->f_path, "\n\\");
31608 }
31609
31610 seq_putc(m, '\n');
ae4e228f
MT
31611diff -urNp linux-2.6.33.1/fs/readdir.c linux-2.6.33.1/fs/readdir.c
31612--- linux-2.6.33.1/fs/readdir.c 2010-03-15 12:09:39.000000000 -0400
31613+++ linux-2.6.33.1/fs/readdir.c 2010-03-20 16:58:41.836587389 -0400
58c5fc13
MT
31614@@ -16,6 +16,7 @@
31615 #include <linux/security.h>
31616 #include <linux/syscalls.h>
31617 #include <linux/unistd.h>
31618+#include <linux/namei.h>
31619
31620 #include <asm/uaccess.h>
31621
31622@@ -67,6 +68,7 @@ struct old_linux_dirent {
31623
31624 struct readdir_callback {
31625 struct old_linux_dirent __user * dirent;
31626+ struct file * file;
31627 int result;
31628 };
31629
31630@@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
31631 buf->result = -EOVERFLOW;
31632 return -EOVERFLOW;
31633 }
31634+
31635+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31636+ return 0;
31637+
31638 buf->result++;
31639 dirent = buf->dirent;
31640 if (!access_ok(VERIFY_WRITE, dirent,
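Review bot: In `fillonedir` the `gr_acl_handle_filldir` check is placed after the `-EOVERFLOW` test, so an entry that policy hides can still end the call with an error instead of being skipped silently. The same ordering appears in the `filldir` hunk and in `filldir64`, where the check follows `if (reclen > buf->count) return -EINVAL;`, so a hidden entry's name length can affect how many entries a call returns. Moving `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` to the top of each callback, before any size or overflow test, would keep hidden entries from influencing these return paths. All three callbacks begin outside their hunks, so the earlier checks are only partly visible.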
31641@@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
31642
31643 buf.result = 0;
31644 buf.dirent = dirent;
31645+ buf.file = file;
31646
31647 error = vfs_readdir(file, fillonedir, &buf);
31648 if (buf.result)
31649@@ -142,6 +149,7 @@ struct linux_dirent {
31650 struct getdents_callback {
31651 struct linux_dirent __user * current_dir;
31652 struct linux_dirent __user * previous;
31653+ struct file * file;
31654 int count;
31655 int error;
31656 };
31657@@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
31658 buf->error = -EOVERFLOW;
31659 return -EOVERFLOW;
31660 }
31661+
31662+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31663+ return 0;
31664+
31665 dirent = buf->previous;
31666 if (dirent) {
31667 if (__put_user(offset, &dirent->d_off))
31668@@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
31669 buf.previous = NULL;
31670 buf.count = count;
31671 buf.error = 0;
31672+ buf.file = file;
31673
31674 error = vfs_readdir(file, filldir, &buf);
31675 if (error >= 0)
31676@@ -228,6 +241,7 @@ out:
31677 struct getdents_callback64 {
31678 struct linux_dirent64 __user * current_dir;
31679 struct linux_dirent64 __user * previous;
31680+ struct file *file;
31681 int count;
31682 int error;
31683 };
31684@@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
31685 buf->error = -EINVAL; /* only used if we fail.. */
31686 if (reclen > buf->count)
31687 return -EINVAL;
31688+
31689+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
31690+ return 0;
31691+
31692 dirent = buf->previous;
31693 if (dirent) {
31694 if (__put_user(offset, &dirent->d_off))
31695@@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
31696
31697 buf.current_dir = dirent;
31698 buf.previous = NULL;
31699+ buf.file = file;
31700 buf.count = count;
31701 buf.error = 0;
31702
ae4e228f
MT
31703diff -urNp linux-2.6.33.1/fs/reiserfs/do_balan.c linux-2.6.33.1/fs/reiserfs/do_balan.c
31704--- linux-2.6.33.1/fs/reiserfs/do_balan.c 2010-03-15 12:09:39.000000000 -0400
31705+++ linux-2.6.33.1/fs/reiserfs/do_balan.c 2010-03-20 16:58:41.848535760 -0400
31706@@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
58c5fc13
MT
31707 return;
31708 }
31709
31710- atomic_inc(&(fs_generation(tb->tb_sb)));
31711+ atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
31712 do_balance_starts(tb);
31713
31714 /* balance leaf returns 0 except if combining L R and S into
ae4e228f
MT
31715diff -urNp linux-2.6.33.1/fs/reiserfs/item_ops.c linux-2.6.33.1/fs/reiserfs/item_ops.c
31716--- linux-2.6.33.1/fs/reiserfs/item_ops.c 2010-03-15 12:09:39.000000000 -0400
31717+++ linux-2.6.33.1/fs/reiserfs/item_ops.c 2010-03-20 16:58:41.848535760 -0400
31718@@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
31719 vi->vi_index, vi->vi_type, vi->vi_ih);
31720 }
31721
31722-static struct item_operations stat_data_ops = {
31723+static const struct item_operations stat_data_ops = {
31724 .bytes_number = sd_bytes_number,
31725 .decrement_key = sd_decrement_key,
31726 .is_left_mergeable = sd_is_left_mergeable,
31727@@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
31728 vi->vi_index, vi->vi_type, vi->vi_ih);
31729 }
31730
31731-static struct item_operations direct_ops = {
31732+static const struct item_operations direct_ops = {
31733 .bytes_number = direct_bytes_number,
31734 .decrement_key = direct_decrement_key,
31735 .is_left_mergeable = direct_is_left_mergeable,
31736@@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
31737 vi->vi_index, vi->vi_type, vi->vi_ih);
31738 }
31739
31740-static struct item_operations indirect_ops = {
31741+static const struct item_operations indirect_ops = {
31742 .bytes_number = indirect_bytes_number,
31743 .decrement_key = indirect_decrement_key,
31744 .is_left_mergeable = indirect_is_left_mergeable,
31745@@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
31746 printk("\n");
31747 }
31748
31749-static struct item_operations direntry_ops = {
31750+static const struct item_operations direntry_ops = {
31751 .bytes_number = direntry_bytes_number,
31752 .decrement_key = direntry_decrement_key,
31753 .is_left_mergeable = direntry_is_left_mergeable,
31754@@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
31755 "Invalid item type observed, run fsck ASAP");
31756 }
31757
31758-static struct item_operations errcatch_ops = {
31759+static const struct item_operations errcatch_ops = {
31760 errcatch_bytes_number,
31761 errcatch_decrement_key,
31762 errcatch_is_left_mergeable,
31763@@ -746,7 +746,7 @@ static struct item_operations errcatch_o
31764 #error Item types must use disk-format assigned values.
31765 #endif
31766
31767-struct item_operations *item_ops[TYPE_ANY + 1] = {
31768+const struct item_operations * const item_ops[TYPE_ANY + 1] = {
31769 &stat_data_ops,
31770 &indirect_ops,
31771 &direct_ops,
31772diff -urNp linux-2.6.33.1/fs/reiserfs/procfs.c linux-2.6.33.1/fs/reiserfs/procfs.c
31773--- linux-2.6.33.1/fs/reiserfs/procfs.c 2010-03-15 12:09:39.000000000 -0400
31774+++ linux-2.6.33.1/fs/reiserfs/procfs.c 2010-03-20 16:58:41.848535760 -0400
31775@@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
58c5fc13
MT
31776 "SMALL_TAILS " : "NO_TAILS ",
31777 replay_only(sb) ? "REPLAY_ONLY " : "",
31778 convert_reiserfs(sb) ? "CONV " : "",
31779- atomic_read(&r->s_generation_counter),
31780+ atomic_read_unchecked(&r->s_generation_counter),
31781 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
31782 SF(s_do_balance), SF(s_unneeded_left_neighbor),
31783 SF(s_good_search_by_key_reada), SF(s_bmaps),
ae4e228f
MT
31784diff -urNp linux-2.6.33.1/fs/select.c linux-2.6.33.1/fs/select.c
31785--- linux-2.6.33.1/fs/select.c 2010-03-15 12:09:39.000000000 -0400
31786+++ linux-2.6.33.1/fs/select.c 2010-03-20 16:58:41.848535760 -0400
31787@@ -20,6 +20,7 @@
58c5fc13
MT
31788 #include <linux/module.h>
31789 #include <linux/slab.h>
31790 #include <linux/poll.h>
31791+#include <linux/security.h>
31792 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
31793 #include <linux/file.h>
31794 #include <linux/fdtable.h>
ae4e228f 31795@@ -821,6 +822,7 @@ int do_sys_poll(struct pollfd __user *uf
58c5fc13
MT
31796 struct poll_list *walk = head;
31797 unsigned long todo = nfds;
31798
31799+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
31800 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
31801 return -EINVAL;
31802
ae4e228f
MT
31803diff -urNp linux-2.6.33.1/fs/seq_file.c linux-2.6.33.1/fs/seq_file.c
31804--- linux-2.6.33.1/fs/seq_file.c 2010-03-15 12:09:39.000000000 -0400
31805+++ linux-2.6.33.1/fs/seq_file.c 2010-03-20 16:58:41.860772579 -0400
58c5fc13
MT
31806@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
31807 return 0;
31808 }
31809 if (!m->buf) {
31810- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31811+ m->size = PAGE_SIZE;
ae4e228f 31812+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
58c5fc13
MT
31813 if (!m->buf)
31814 return -ENOMEM;
31815 }
31816@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
31817 Eoverflow:
31818 m->op->stop(m, p);
31819 kfree(m->buf);
31820- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31821+ m->size <<= 1;
31822+ m->buf = kmalloc(m->size, GFP_KERNEL);
31823 return !m->buf ? -ENOMEM : -EAGAIN;
31824 }
31825
31826@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
31827 m->version = file->f_version;
31828 /* grab buffer if we didn't have one */
31829 if (!m->buf) {
31830- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
31831+ m->size = PAGE_SIZE;
ae4e228f 31832+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
58c5fc13
MT
31833 if (!m->buf)
31834 goto Enomem;
31835 }
31836@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
31837 goto Fill;
31838 m->op->stop(m, p);
31839 kfree(m->buf);
31840- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
31841+ m->size <<= 1;
31842+ m->buf = kmalloc(m->size, GFP_KERNEL);
31843 if (!m->buf)
31844 goto Enomem;
31845 m->count = 0;
ae4e228f
MT
31846diff -urNp linux-2.6.33.1/fs/smbfs/symlink.c linux-2.6.33.1/fs/smbfs/symlink.c
31847--- linux-2.6.33.1/fs/smbfs/symlink.c 2010-03-15 12:09:39.000000000 -0400
31848+++ linux-2.6.33.1/fs/smbfs/symlink.c 2010-03-20 16:58:41.860772579 -0400
58c5fc13
MT
31849@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
31850
31851 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
31852 {
31853- char *s = nd_get_link(nd);
31854+ const char *s = nd_get_link(nd);
31855 if (!IS_ERR(s))
31856 __putname(s);
31857 }
ae4e228f
MT
31858diff -urNp linux-2.6.33.1/fs/splice.c linux-2.6.33.1/fs/splice.c
31859--- linux-2.6.33.1/fs/splice.c 2010-03-15 12:09:39.000000000 -0400
31860+++ linux-2.6.33.1/fs/splice.c 2010-03-20 16:58:41.877542041 -0400
31861@@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
31862 pipe_lock(pipe);
31863
31864 for (;;) {
31865- if (!pipe->readers) {
31866+ if (!atomic_read(&pipe->readers)) {
31867 send_sig(SIGPIPE, current, 0);
31868 if (!ret)
31869 ret = -EPIPE;
31870@@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
31871 do_wakeup = 0;
31872 }
31873
31874- pipe->waiting_writers++;
31875+ atomic_inc(&pipe->waiting_writers);
31876 pipe_wait(pipe);
31877- pipe->waiting_writers--;
31878+ atomic_dec(&pipe->waiting_writers);
31879 }
31880
31881 pipe_unlock(pipe);
31882@@ -531,7 +531,7 @@ static ssize_t kernel_readv(struct file
31883 old_fs = get_fs();
31884 set_fs(get_ds());
31885 /* The cast to a user pointer is valid due to the set_fs() */
31886- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
31887+ res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
31888 set_fs(old_fs);
31889
31890 return res;
31891@@ -546,7 +546,7 @@ static ssize_t kernel_write(struct file
31892 old_fs = get_fs();
31893 set_fs(get_ds());
31894 /* The cast to a user pointer is valid due to the set_fs() */
31895- res = vfs_write(file, (const char __user *)buf, count, &pos);
31896+ res = vfs_write(file, (__force const char __user *)buf, count, &pos);
31897 set_fs(old_fs);
31898
31899 return res;
31900@@ -588,7 +588,7 @@ ssize_t default_file_splice_read(struct
31901 goto err;
31902
31903 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
31904- vec[i].iov_base = (void __user *) page_address(page);
31905+ vec[i].iov_base = (__force void __user *) page_address(page);
31906 vec[i].iov_len = this_len;
31907 pages[i] = page;
31908 spd.nr_pages++;
31909@@ -810,10 +810,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
31910 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
31911 {
31912 while (!pipe->nrbufs) {
31913- if (!pipe->writers)
31914+ if (!atomic_read(&pipe->writers))
31915 return 0;
31916
31917- if (!pipe->waiting_writers && sd->num_spliced)
31918+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
31919 return 0;
31920
31921 if (sd->flags & SPLICE_F_NONBLOCK)
31922@@ -1150,7 +1150,7 @@ ssize_t splice_direct_to_actor(struct fi
31923 * out of the pipe right after the splice_to_pipe(). So set
31924 * PIPE_READERS appropriately.
31925 */
31926- pipe->readers = 1;
31927+ atomic_set(&pipe->readers, 1);
31928
31929 current->splice_pipe = pipe;
31930 }
31931@@ -1710,9 +1710,9 @@ static int ipipe_prep(struct pipe_inode_
31932 ret = -ERESTARTSYS;
31933 break;
31934 }
31935- if (!pipe->writers)
31936+ if (!atomic_read(&pipe->writers))
31937 break;
31938- if (!pipe->waiting_writers) {
31939+ if (!atomic_read(&pipe->waiting_writers)) {
31940 if (flags & SPLICE_F_NONBLOCK) {
31941 ret = -EAGAIN;
31942 break;
31943@@ -1744,7 +1744,7 @@ static int opipe_prep(struct pipe_inode_
31944 pipe_lock(pipe);
31945
31946 while (pipe->nrbufs >= PIPE_BUFFERS) {
31947- if (!pipe->readers) {
31948+ if (!atomic_read(&pipe->readers)) {
31949 send_sig(SIGPIPE, current, 0);
31950 ret = -EPIPE;
31951 break;
31952@@ -1757,9 +1757,9 @@ static int opipe_prep(struct pipe_inode_
31953 ret = -ERESTARTSYS;
31954 break;
31955 }
31956- pipe->waiting_writers++;
31957+ atomic_inc(&pipe->waiting_writers);
31958 pipe_wait(pipe);
31959- pipe->waiting_writers--;
31960+ atomic_dec(&pipe->waiting_writers);
31961 }
58c5fc13 31962
ae4e228f
MT
31963 pipe_unlock(pipe);
31964@@ -1795,14 +1795,14 @@ retry:
31965 pipe_double_lock(ipipe, opipe);
31966
31967 do {
31968- if (!opipe->readers) {
31969+ if (!atomic_read(&opipe->readers)) {
31970 send_sig(SIGPIPE, current, 0);
31971 if (!ret)
31972 ret = -EPIPE;
31973 break;
31974 }
31975
31976- if (!ipipe->nrbufs && !ipipe->writers)
31977+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
31978 break;
31979
31980 /*
31981@@ -1902,7 +1902,7 @@ static int link_pipe(struct pipe_inode_i
31982 pipe_double_lock(ipipe, opipe);
31983
31984 do {
31985- if (!opipe->readers) {
31986+ if (!atomic_read(&opipe->readers)) {
31987 send_sig(SIGPIPE, current, 0);
31988 if (!ret)
31989 ret = -EPIPE;
31990@@ -1947,7 +1947,7 @@ static int link_pipe(struct pipe_inode_i
31991 * return EAGAIN if we have the potential of some data in the
31992 * future, otherwise just return 0
31993 */
31994- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
31995+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
31996 ret = -EAGAIN;
31997
31998 pipe_unlock(ipipe);
31999diff -urNp linux-2.6.33.1/fs/sysfs/file.c linux-2.6.33.1/fs/sysfs/file.c
32000--- linux-2.6.33.1/fs/sysfs/file.c 2010-03-15 12:09:39.000000000 -0400
32001+++ linux-2.6.33.1/fs/sysfs/file.c 2010-03-20 16:58:41.877542041 -0400
32002@@ -53,7 +53,7 @@ struct sysfs_buffer {
32003 size_t count;
32004 loff_t pos;
32005 char * page;
32006- struct sysfs_ops * ops;
32007+ const struct sysfs_ops * ops;
32008 struct mutex mutex;
32009 int needs_read_fill;
32010 int event;
32011@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
32012 {
32013 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
32014 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
32015- struct sysfs_ops * ops = buffer->ops;
32016+ const struct sysfs_ops * ops = buffer->ops;
32017 int ret = 0;
32018 ssize_t count;
32019
32020@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
32021 {
32022 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
32023 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
32024- struct sysfs_ops * ops = buffer->ops;
32025+ const struct sysfs_ops * ops = buffer->ops;
32026 int rc;
32027
32028 /* need attr_sd for attr and ops, its parent for kobj */
32029@@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
32030 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
32031 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
32032 struct sysfs_buffer *buffer;
32033- struct sysfs_ops *ops;
32034+ const struct sysfs_ops *ops;
32035 int error = -EACCES;
32036 char *p;
32037
32038diff -urNp linux-2.6.33.1/fs/sysfs/symlink.c linux-2.6.33.1/fs/sysfs/symlink.c
32039--- linux-2.6.33.1/fs/sysfs/symlink.c 2010-03-15 12:09:39.000000000 -0400
32040+++ linux-2.6.33.1/fs/sysfs/symlink.c 2010-03-20 16:58:41.877542041 -0400
32041@@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
58c5fc13
MT
32042
32043 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32044 {
32045- char *page = nd_get_link(nd);
32046+ const char *page = nd_get_link(nd);
32047 if (!IS_ERR(page))
32048 free_page((unsigned long)page);
32049 }
ae4e228f
MT
32050diff -urNp linux-2.6.33.1/fs/udf/balloc.c linux-2.6.33.1/fs/udf/balloc.c
32051--- linux-2.6.33.1/fs/udf/balloc.c 2010-03-15 12:09:39.000000000 -0400
32052+++ linux-2.6.33.1/fs/udf/balloc.c 2010-03-20 16:58:41.880865953 -0400
58c5fc13
MT
32053@@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
32054
32055 mutex_lock(&sbi->s_alloc_mutex);
32056 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
32057- if (bloc->logicalBlockNum < 0 ||
32058- (bloc->logicalBlockNum + count) >
32059- partmap->s_partition_len) {
32060+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
32061 udf_debug("%d < %d || %d + %d > %d\n",
32062 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
32063 count, partmap->s_partition_len);
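Review bot: With the `< 0` test removed, the only bound left is `(bloc->logicalBlockNum + count) > partmap->s_partition_len`, and that sum can wrap if both operands are 32-bit unsigned values (their declarations are outside the hunk). A wrapped sum would let an out-of-range block number pass the check. A wrap-free form is `if (count > partmap->s_partition_len || bloc->logicalBlockNum > partmap->s_partition_len - count) {`. The `udf_debug` format still prints `"%d < %d || ..."` with a literal `0`, which no longer matches the condition. Both points also apply to the `udf_table_free_blocks` hunk below.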
32064@@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
32065
32066 mutex_lock(&sbi->s_alloc_mutex);
32067 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
32068- if (bloc->logicalBlockNum < 0 ||
32069- (bloc->logicalBlockNum + count) >
32070- partmap->s_partition_len) {
32071+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
32072 udf_debug("%d < %d || %d + %d > %d\n",
ae4e228f 32073 bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count,
58c5fc13 32074 partmap->s_partition_len);
ae4e228f
MT
32075diff -urNp linux-2.6.33.1/fs/utimes.c linux-2.6.33.1/fs/utimes.c
32076--- linux-2.6.33.1/fs/utimes.c 2010-03-15 12:09:39.000000000 -0400
32077+++ linux-2.6.33.1/fs/utimes.c 2010-03-20 16:58:41.884933711 -0400
58c5fc13
MT
32078@@ -1,6 +1,7 @@
32079 #include <linux/compiler.h>
32080 #include <linux/file.h>
32081 #include <linux/fs.h>
32082+#include <linux/security.h>
32083 #include <linux/linkage.h>
32084 #include <linux/mount.h>
32085 #include <linux/namei.h>
32086@@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
32087 goto mnt_drop_write_and_out;
32088 }
32089 }
32090+
32091+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
32092+ error = -EACCES;
32093+ goto mnt_drop_write_and_out;
32094+ }
32095+
32096 mutex_lock(&inode->i_mutex);
32097 error = notify_change(path->dentry, &newattrs);
32098 mutex_unlock(&inode->i_mutex);
ae4e228f
MT
32099diff -urNp linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c
32100--- linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c 2010-03-15 12:09:39.000000000 -0400
32101+++ linux-2.6.33.1/fs/xfs/linux-2.6/xfs_ioctl.c 2010-03-20 16:58:41.884933711 -0400
32102@@ -135,7 +135,7 @@ xfs_find_handle(
32103 }
58c5fc13 32104
ae4e228f
MT
32105 error = -EFAULT;
32106- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
32107+ if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
32108 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
32109 goto out_put;
58c5fc13 32110
ae4e228f
MT
32111diff -urNp linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c
32112--- linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c 2010-03-15 12:09:39.000000000 -0400
32113+++ linux-2.6.33.1/fs/xfs/linux-2.6/xfs_iops.c 2010-03-20 16:58:41.884933711 -0400
32114@@ -469,7 +469,7 @@ xfs_vn_put_link(
58c5fc13
MT
32115 struct nameidata *nd,
32116 void *p)
32117 {
32118- char *s = nd_get_link(nd);
32119+ const char *s = nd_get_link(nd);
32120
32121 if (!IS_ERR(s))
32122 kfree(s);
ae4e228f
MT
32123diff -urNp linux-2.6.33.1/fs/xfs/xfs_bmap.c linux-2.6.33.1/fs/xfs/xfs_bmap.c
32124--- linux-2.6.33.1/fs/xfs/xfs_bmap.c 2010-03-15 12:09:39.000000000 -0400
32125+++ linux-2.6.33.1/fs/xfs/xfs_bmap.c 2010-03-20 16:58:41.888938450 -0400
32126@@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
58c5fc13
MT
32127 int nmap,
32128 int ret_nmap);
32129 #else
32130-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
32131+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
32132 #endif /* DEBUG */
32133
ae4e228f
MT
32134 STATIC int
32135diff -urNp linux-2.6.33.1/grsecurity/gracl_alloc.c linux-2.6.33.1/grsecurity/gracl_alloc.c
32136--- linux-2.6.33.1/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
32137+++ linux-2.6.33.1/grsecurity/gracl_alloc.c 2010-03-20 16:58:41.888938450 -0400
58c5fc13
MT
32138@@ -0,0 +1,105 @@
32139+#include <linux/kernel.h>
32140+#include <linux/mm.h>
32141+#include <linux/slab.h>
32142+#include <linux/vmalloc.h>
32143+#include <linux/gracl.h>
32144+#include <linux/grsecurity.h>
32145+
32146+static unsigned long alloc_stack_next = 1;
32147+static unsigned long alloc_stack_size = 1;
32148+static void **alloc_stack;
32149+
32150+static __inline__ int
32151+alloc_pop(void)
32152+{
32153+ if (alloc_stack_next == 1)
32154+ return 0;
32155+
32156+ kfree(alloc_stack[alloc_stack_next - 2]);
32157+
32158+ alloc_stack_next--;
32159+
32160+ return 1;
32161+}
32162+
32163+static __inline__ int
32164+alloc_push(void *buf)
32165+{
32166+ if (alloc_stack_next >= alloc_stack_size)
32167+ return 1;
32168+
32169+ alloc_stack[alloc_stack_next - 1] = buf;
32170+
32171+ alloc_stack_next++;
32172+
32173+ return 0;
32174+}
32175+
32176+void *
32177+acl_alloc(unsigned long len)
32178+{
32179+ void *ret = NULL;
32180+
32181+ if (!len || len > PAGE_SIZE)
32182+ goto out;
32183+
32184+ ret = kmalloc(len, GFP_KERNEL);
32185+
32186+ if (ret) {
32187+ if (alloc_push(ret)) {
32188+ kfree(ret);
32189+ ret = NULL;
32190+ }
32191+ }
32192+
32193+out:
32194+ return ret;
32195+}
32196+
32197+void *
32198+acl_alloc_num(unsigned long num, unsigned long len)
32199+{
32200+ if (!len || (num > (PAGE_SIZE / len)))
32201+ return NULL;
32202+
32203+ return acl_alloc(num * len);
32204+}
32205+
32206+void
32207+acl_free_all(void)
32208+{
32209+ if (gr_acl_is_enabled() || !alloc_stack)
32210+ return;
32211+
32212+ while (alloc_pop()) ;
32213+
32214+ if (alloc_stack) {
32215+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
32216+ kfree(alloc_stack);
32217+ else
32218+ vfree(alloc_stack);
32219+ }
32220+
32221+ alloc_stack = NULL;
32222+ alloc_stack_size = 1;
32223+ alloc_stack_next = 1;
32224+
32225+ return;
32226+}
32227+
32228+int
32229+acl_alloc_stack_init(unsigned long size)
32230+{
32231+ if ((size * sizeof (void *)) <= PAGE_SIZE)
32232+ alloc_stack =
32233+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
32234+ else
32235+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
32236+
32237+ alloc_stack_size = size;
32238+
32239+ if (!alloc_stack)
32240+ return 0;
32241+ else
32242+ return 1;
32243+}
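Review bot: `acl_alloc_stack_init` stores `alloc_stack_size = size` before testing whether the allocation succeeded, and it computes `size * sizeof (void *)` without an overflow check. After a failed allocation `alloc_stack` is NULL while `alloc_stack_size` holds the requested size, so a later `alloc_push` would pass its bounds test and write through the NULL pointer unless every caller honours the 0 return. A wrapped product would also give a stack smaller than `alloc_stack_size` claims. Setting the globals only after a successful, overflow-checked allocation removes both cases, and the casts on `kmalloc`/`vmalloc` can be dropped. The file has no comments; a header comment explaining that every `acl_alloc` result is recorded on `alloc_stack` so that `acl_free_all` can release them together would help.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	void **stack;

	/* refuse sizes whose byte count would wrap */
	if (size > ULONG_MAX / sizeof(void *))
		return 0;

	if ((size * sizeof(void *)) <= PAGE_SIZE)
		stack = kmalloc(size * sizeof(void *), GFP_KERNEL);
	else
		stack = vmalloc(size * sizeof(void *));

	if (!stack)
		return 0;

	/* publish the stack and its size only once the allocation succeeded */
	alloc_stack = stack;
	alloc_stack_size = size;

	return 1;
}
```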
ae4e228f
MT
32244diff -urNp linux-2.6.33.1/grsecurity/gracl.c linux-2.6.33.1/grsecurity/gracl.c
32245--- linux-2.6.33.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
32246+++ linux-2.6.33.1/grsecurity/gracl.c 2010-03-20 17:00:48.140865901 -0400
32247@@ -0,0 +1,3917 @@
58c5fc13
MT
32248+#include <linux/kernel.h>
32249+#include <linux/module.h>
32250+#include <linux/sched.h>
32251+#include <linux/mm.h>
32252+#include <linux/file.h>
32253+#include <linux/fs.h>
32254+#include <linux/namei.h>
32255+#include <linux/mount.h>
32256+#include <linux/tty.h>
32257+#include <linux/proc_fs.h>
32258+#include <linux/smp_lock.h>
32259+#include <linux/slab.h>
32260+#include <linux/vmalloc.h>
32261+#include <linux/types.h>
32262+#include <linux/sysctl.h>
32263+#include <linux/netdevice.h>
32264+#include <linux/ptrace.h>
32265+#include <linux/gracl.h>
32266+#include <linux/gralloc.h>
32267+#include <linux/grsecurity.h>
32268+#include <linux/grinternal.h>
32269+#include <linux/pid_namespace.h>
32270+#include <linux/fdtable.h>
32271+#include <linux/percpu.h>
32272+
32273+#include <asm/uaccess.h>
32274+#include <asm/errno.h>
32275+#include <asm/mman.h>
32276+
32277+static struct acl_role_db acl_role_set;
32278+static struct name_db name_set;
32279+static struct inodev_db inodev_set;
32280+
32281+/* for keeping track of userspace pointers used for subjects, so we
32282+ can share references in the kernel as well
32283+*/
32284+
32285+static struct dentry *real_root;
32286+static struct vfsmount *real_root_mnt;
32287+
32288+static struct acl_subj_map_db subj_map_set;
32289+
32290+static struct acl_role_label *default_role;
32291+
ae4e228f
MT
32292+static struct acl_role_label *role_list;
32293+
58c5fc13
MT
32294+static u16 acl_sp_role_value;
32295+
32296+extern char *gr_shared_page[4];
32297+static DECLARE_MUTEX(gr_dev_sem);
32298+DEFINE_RWLOCK(gr_inode_lock);
32299+
32300+struct gr_arg *gr_usermode;
32301+
58c5fc13 32302+static unsigned int gr_status __read_only = GR_STATUS_INIT;
58c5fc13
MT
32303+
32304+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
32305+extern void gr_clear_learn_entries(void);
32306+
32307+#ifdef CONFIG_GRKERNSEC_RESLOG
32308+extern void gr_log_resource(const struct task_struct *task,
32309+ const int res, const unsigned long wanted, const int gt);
32310+#endif
32311+
32312+unsigned char *gr_system_salt;
32313+unsigned char *gr_system_sum;
32314+
32315+static struct sprole_pw **acl_special_roles = NULL;
32316+static __u16 num_sprole_pws = 0;
32317+
32318+static struct acl_role_label *kernel_role = NULL;
32319+
32320+static unsigned int gr_auth_attempts = 0;
32321+static unsigned long gr_auth_expires = 0UL;
32322+
32323+extern struct vfsmount *sock_mnt;
32324+extern struct vfsmount *pipe_mnt;
32325+extern struct vfsmount *shm_mnt;
32326+static struct acl_object_label *fakefs_obj;
32327+
32328+extern int gr_init_uidset(void);
32329+extern void gr_free_uidset(void);
32330+extern void gr_remove_uid(uid_t uid);
32331+extern int gr_find_uid(uid_t uid);
32332+
32333+__inline__ int
32334+gr_acl_is_enabled(void)
32335+{
32336+ return (gr_status & GR_READY);
32337+}
32338+
32339+char gr_roletype_to_char(void)
32340+{
32341+ switch (current->role->roletype &
32342+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
32343+ GR_ROLE_SPECIAL)) {
32344+ case GR_ROLE_DEFAULT:
32345+ return 'D';
32346+ case GR_ROLE_USER:
32347+ return 'U';
32348+ case GR_ROLE_GROUP:
32349+ return 'G';
32350+ case GR_ROLE_SPECIAL:
32351+ return 'S';
32352+ }
32353+
32354+ return 'X';
32355+}
32356+
32357+__inline__ int
32358+gr_acl_tpe_check(void)
32359+{
32360+ if (unlikely(!(gr_status & GR_READY)))
32361+ return 0;
32362+ if (current->role->roletype & GR_ROLE_TPE)
32363+ return 1;
32364+ else
32365+ return 0;
32366+}
32367+
32368+int
32369+gr_handle_rawio(const struct inode *inode)
32370+{
32371+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
32372+ if (inode && S_ISBLK(inode->i_mode) &&
32373+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
32374+ !capable(CAP_SYS_RAWIO))
32375+ return 1;
32376+#endif
32377+ return 0;
32378+}
32379+
32380+static int
32381+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
32382+{
32383+ int i;
32384+ unsigned long *l1;
32385+ unsigned long *l2;
32386+ unsigned char *c1;
32387+ unsigned char *c2;
32388+ int num_longs;
32389+
32390+ if (likely(lena != lenb))
32391+ return 0;
32392+
32393+ l1 = (unsigned long *)a;
32394+ l2 = (unsigned long *)b;
32395+
32396+ num_longs = lena / sizeof(unsigned long);
32397+
32398+ for (i = num_longs; i--; l1++, l2++) {
32399+ if (unlikely(*l1 != *l2))
32400+ return 0;
32401+ }
32402+
32403+ c1 = (unsigned char *) l1;
32404+ c2 = (unsigned char *) l2;
32405+
32406+ i = lena - (num_longs * sizeof(unsigned long));
32407+
32408+ for (; i--; c1++, c2++) {
32409+ if (unlikely(*c1 != *c2))
32410+ return 0;
32411+ }
32412+
32413+ return 1;
32414+}
32415+
32416+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32417+ struct dentry *root, struct vfsmount *rootmnt,
32418+ char *buffer, int buflen)
32419+{
32420+ char * end = buffer+buflen;
32421+ char * retval;
32422+ int namelen;
32423+
32424+ *--end = '\0';
32425+ buflen--;
32426+
32427+ if (buflen < 1)
32428+ goto Elong;
32429+ /* Get '/' right */
32430+ retval = end-1;
32431+ *retval = '/';
32432+
32433+ for (;;) {
32434+ struct dentry * parent;
32435+
32436+ if (dentry == root && vfsmnt == rootmnt)
32437+ break;
32438+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
32439+ /* Global root? */
32440+ spin_lock(&vfsmount_lock);
32441+ if (vfsmnt->mnt_parent == vfsmnt) {
32442+ spin_unlock(&vfsmount_lock);
32443+ goto global_root;
32444+ }
32445+ dentry = vfsmnt->mnt_mountpoint;
32446+ vfsmnt = vfsmnt->mnt_parent;
32447+ spin_unlock(&vfsmount_lock);
32448+ continue;
32449+ }
32450+ parent = dentry->d_parent;
32451+ prefetch(parent);
32452+ namelen = dentry->d_name.len;
32453+ buflen -= namelen + 1;
32454+ if (buflen < 0)
32455+ goto Elong;
32456+ end -= namelen;
32457+ memcpy(end, dentry->d_name.name, namelen);
32458+ *--end = '/';
32459+ retval = end;
32460+ dentry = parent;
32461+ }
32462+
32463+ return retval;
32464+
32465+global_root:
32466+ namelen = dentry->d_name.len;
32467+ buflen -= namelen;
32468+ if (buflen < 0)
32469+ goto Elong;
32470+ retval -= namelen-1; /* hit the slash */
32471+ memcpy(retval, dentry->d_name.name, namelen);
32472+ return retval;
32473+Elong:
32474+ return ERR_PTR(-ENAMETOOLONG);
32475+}
32476+
32477+static char *
32478+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
32479+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
32480+{
32481+ char *retval;
32482+
32483+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
32484+ if (unlikely(IS_ERR(retval)))
32485+ retval = strcpy(buf, "<path too long>");
32486+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
32487+ retval[1] = '\0';
32488+
32489+ return retval;
32490+}
32491+
32492+static char *
32493+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32494+ char *buf, int buflen)
32495+{
32496+ char *res;
32497+
32498+ /* we can use real_root, real_root_mnt, because this is only called
32499+ by the RBAC system */
32500+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
32501+
32502+ return res;
32503+}
32504+
32505+static char *
32506+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
32507+ char *buf, int buflen)
32508+{
32509+ char *res;
32510+ struct dentry *root;
32511+ struct vfsmount *rootmnt;
32512+ struct task_struct *reaper = &init_task;
32513+
32514+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
32515+ read_lock(&reaper->fs->lock);
32516+ root = dget(reaper->fs->root.dentry);
32517+ rootmnt = mntget(reaper->fs->root.mnt);
32518+ read_unlock(&reaper->fs->lock);
32519+
32520+ spin_lock(&dcache_lock);
32521+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
32522+ spin_unlock(&dcache_lock);
32523+
32524+ dput(root);
32525+ mntput(rootmnt);
32526+ return res;
32527+}
32528+
32529+static char *
32530+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
32531+{
32532+ char *ret;
32533+ spin_lock(&dcache_lock);
32534+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32535+ PAGE_SIZE);
32536+ spin_unlock(&dcache_lock);
32537+ return ret;
32538+}
32539+
32540+char *
32541+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
32542+{
32543+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
32544+ PAGE_SIZE);
32545+}
32546+
32547+char *
32548+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
32549+{
32550+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
32551+ PAGE_SIZE);
32552+}
32553+
32554+char *
32555+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
32556+{
32557+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
32558+ PAGE_SIZE);
32559+}
32560+
32561+char *
32562+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
32563+{
32564+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
32565+ PAGE_SIZE);
32566+}
32567+
32568+char *
32569+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
32570+{
32571+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
32572+ PAGE_SIZE);
32573+}
32574+
32575+__inline__ __u32
32576+to_gr_audit(const __u32 reqmode)
32577+{
32578+ /* masks off auditable permission flags, then shifts them to create
32579+ auditing flags, and adds the special case of append auditing if
32580+ we're requesting write */
32581+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
32582+}
32583+
32584+struct acl_subject_label *
32585+lookup_subject_map(const struct acl_subject_label *userp)
32586+{
32587+ unsigned int index = shash(userp, subj_map_set.s_size);
32588+ struct subject_map *match;
32589+
32590+ match = subj_map_set.s_hash[index];
32591+
32592+ while (match && match->user != userp)
32593+ match = match->next;
32594+
32595+ if (match != NULL)
32596+ return match->kernel;
32597+ else
32598+ return NULL;
32599+}
32600+
32601+static void
32602+insert_subj_map_entry(struct subject_map *subjmap)
32603+{
32604+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
32605+ struct subject_map **curr;
32606+
32607+ subjmap->prev = NULL;
32608+
32609+ curr = &subj_map_set.s_hash[index];
32610+ if (*curr != NULL)
32611+ (*curr)->prev = subjmap;
32612+
32613+ subjmap->next = *curr;
32614+ *curr = subjmap;
32615+
32616+ return;
32617+}
32618+
32619+static struct acl_role_label *
32620+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
32621+ const gid_t gid)
32622+{
32623+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
32624+ struct acl_role_label *match;
32625+ struct role_allowed_ip *ipp;
32626+ unsigned int x;
32627+
32628+ match = acl_role_set.r_hash[index];
32629+
32630+ while (match) {
32631+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
32632+ for (x = 0; x < match->domain_child_num; x++) {
32633+ if (match->domain_children[x] == uid)
32634+ goto found;
32635+ }
32636+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
32637+ break;
32638+ match = match->next;
32639+ }
32640+found:
32641+ if (match == NULL) {
32642+ try_group:
32643+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
32644+ match = acl_role_set.r_hash[index];
32645+
32646+ while (match) {
32647+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
32648+ for (x = 0; x < match->domain_child_num; x++) {
32649+ if (match->domain_children[x] == gid)
32650+ goto found2;
32651+ }
32652+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
32653+ break;
32654+ match = match->next;
32655+ }
32656+found2:
32657+ if (match == NULL)
32658+ match = default_role;
32659+ if (match->allowed_ips == NULL)
32660+ return match;
32661+ else {
32662+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32663+ if (likely
32664+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32665+ (ntohl(ipp->addr) & ipp->netmask)))
32666+ return match;
32667+ }
32668+ match = default_role;
32669+ }
32670+ } else if (match->allowed_ips == NULL) {
32671+ return match;
32672+ } else {
32673+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
32674+ if (likely
32675+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
32676+ (ntohl(ipp->addr) & ipp->netmask)))
32677+ return match;
32678+ }
32679+ goto try_group;
32680+ }
32681+
32682+ return match;
32683+}
32684+
32685+struct acl_subject_label *
32686+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
32687+ const struct acl_role_label *role)
32688+{
32689+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
32690+ struct acl_subject_label *match;
32691+
32692+ match = role->subj_hash[index];
32693+
32694+ while (match && (match->inode != ino || match->device != dev ||
32695+ (match->mode & GR_DELETED))) {
32696+ match = match->next;
32697+ }
32698+
32699+ if (match && !(match->mode & GR_DELETED))
32700+ return match;
32701+ else
32702+ return NULL;
32703+}
32704+
32705+struct acl_subject_label *
32706+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
32707+ const struct acl_role_label *role)
32708+{
32709+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
32710+ struct acl_subject_label *match;
32711+
32712+ match = role->subj_hash[index];
32713+
32714+ while (match && (match->inode != ino || match->device != dev ||
32715+ !(match->mode & GR_DELETED))) {
32716+ match = match->next;
32717+ }
32718+
32719+ if (match && (match->mode & GR_DELETED))
32720+ return match;
32721+ else
32722+ return NULL;
32723+}
32724+
32725+static struct acl_object_label *
32726+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
32727+ const struct acl_subject_label *subj)
32728+{
32729+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32730+ struct acl_object_label *match;
32731+
32732+ match = subj->obj_hash[index];
32733+
32734+ while (match && (match->inode != ino || match->device != dev ||
32735+ (match->mode & GR_DELETED))) {
32736+ match = match->next;
32737+ }
32738+
32739+ if (match && !(match->mode & GR_DELETED))
32740+ return match;
32741+ else
32742+ return NULL;
32743+}
32744+
32745+static struct acl_object_label *
32746+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
32747+ const struct acl_subject_label *subj)
32748+{
32749+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
32750+ struct acl_object_label *match;
32751+
32752+ match = subj->obj_hash[index];
32753+
32754+ while (match && (match->inode != ino || match->device != dev ||
32755+ !(match->mode & GR_DELETED))) {
32756+ match = match->next;
32757+ }
32758+
32759+ if (match && (match->mode & GR_DELETED))
32760+ return match;
32761+
32762+ match = subj->obj_hash[index];
32763+
32764+ while (match && (match->inode != ino || match->device != dev ||
32765+ (match->mode & GR_DELETED))) {
32766+ match = match->next;
32767+ }
32768+
32769+ if (match && !(match->mode & GR_DELETED))
32770+ return match;
32771+ else
32772+ return NULL;
32773+}
32774+
32775+static struct name_entry *
32776+lookup_name_entry(const char *name)
32777+{
32778+ unsigned int len = strlen(name);
32779+ unsigned int key = full_name_hash(name, len);
32780+ unsigned int index = key % name_set.n_size;
32781+ struct name_entry *match;
32782+
32783+ match = name_set.n_hash[index];
32784+
32785+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
32786+ match = match->next;
32787+
32788+ return match;
32789+}
32790+
32791+static struct name_entry *
32792+lookup_name_entry_create(const char *name)
32793+{
32794+ unsigned int len = strlen(name);
32795+ unsigned int key = full_name_hash(name, len);
32796+ unsigned int index = key % name_set.n_size;
32797+ struct name_entry *match;
32798+
32799+ match = name_set.n_hash[index];
32800+
32801+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32802+ !match->deleted))
32803+ match = match->next;
32804+
32805+ if (match && match->deleted)
32806+ return match;
32807+
32808+ match = name_set.n_hash[index];
32809+
32810+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
32811+ match->deleted))
32812+ match = match->next;
32813+
32814+ if (match && !match->deleted)
32815+ return match;
32816+ else
32817+ return NULL;
32818+}
32819+
32820+static struct inodev_entry *
32821+lookup_inodev_entry(const ino_t ino, const dev_t dev)
32822+{
32823+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
32824+ struct inodev_entry *match;
32825+
32826+ match = inodev_set.i_hash[index];
32827+
32828+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
32829+ match = match->next;
32830+
32831+ return match;
32832+}
32833+
32834+static void
32835+insert_inodev_entry(struct inodev_entry *entry)
32836+{
32837+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
32838+ inodev_set.i_size);
32839+ struct inodev_entry **curr;
32840+
32841+ entry->prev = NULL;
32842+
32843+ curr = &inodev_set.i_hash[index];
32844+ if (*curr != NULL)
32845+ (*curr)->prev = entry;
32846+
32847+ entry->next = *curr;
32848+ *curr = entry;
32849+
32850+ return;
32851+}
32852+
32853+static void
32854+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
32855+{
32856+ unsigned int index =
32857+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
32858+ struct acl_role_label **curr;
ae4e228f 32859+ struct acl_role_label *tmp;
32860+
32861+ curr = &acl_role_set.r_hash[index];
58c5fc13 32862+
32863+ /* if role was already inserted due to domains and already has
32864+ a role in the same bucket as it attached, then we need to
32865+ combine these two buckets
32866+ */
32867+ if (role->next) {
32868+ tmp = role->next;
32869+ while (tmp->next)
32870+ tmp = tmp->next;
32871+ tmp->next = *curr;
32872+ } else
32873+ role->next = *curr;
32874+ *curr = role;
32875+
32876+ return;
32877+}
32878+
32879+static void
32880+insert_acl_role_label(struct acl_role_label *role)
32881+{
32882+ int i;
32883+
32884+ if (role_list == NULL) {
32885+ role_list = role;
32886+ role->prev = NULL;
32887+ } else {
32888+ role->prev = role_list;
32889+ role_list = role;
32890+ }
32891+
32892+ /* used for hash chains */
32893+ role->next = NULL;
32894+
32895+ if (role->roletype & GR_ROLE_DOMAIN) {
32896+ for (i = 0; i < role->domain_child_num; i++)
32897+ __insert_acl_role_label(role, role->domain_children[i]);
32898+ } else
32899+ __insert_acl_role_label(role, role->uidgid);
32900+}
32901+
32902+static int
32903+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
32904+{
32905+ struct name_entry **curr, *nentry;
32906+ struct inodev_entry *ientry;
32907+ unsigned int len = strlen(name);
32908+ unsigned int key = full_name_hash(name, len);
32909+ unsigned int index = key % name_set.n_size;
32910+
32911+ curr = &name_set.n_hash[index];
32912+
32913+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
32914+ curr = &((*curr)->next);
32915+
32916+ if (*curr != NULL)
32917+ return 1;
32918+
32919+ nentry = acl_alloc(sizeof (struct name_entry));
32920+ if (nentry == NULL)
32921+ return 0;
32922+ ientry = acl_alloc(sizeof (struct inodev_entry));
32923+ if (ientry == NULL)
32924+ return 0;
32925+ ientry->nentry = nentry;
32926+
32927+ nentry->key = key;
32928+ nentry->name = name;
32929+ nentry->inode = inode;
32930+ nentry->device = device;
32931+ nentry->len = len;
32932+ nentry->deleted = deleted;
32933+
32934+ nentry->prev = NULL;
32935+ curr = &name_set.n_hash[index];
32936+ if (*curr != NULL)
32937+ (*curr)->prev = nentry;
32938+ nentry->next = *curr;
32939+ *curr = nentry;
32940+
32941+ /* insert us into the table searchable by inode/dev */
32942+ insert_inodev_entry(ientry);
32943+
32944+ return 1;
32945+}
32946+
32947+static void
32948+insert_acl_obj_label(struct acl_object_label *obj,
32949+ struct acl_subject_label *subj)
32950+{
32951+ unsigned int index =
32952+ fhash(obj->inode, obj->device, subj->obj_hash_size);
32953+ struct acl_object_label **curr;
32954+
32955+
32956+ obj->prev = NULL;
32957+
32958+ curr = &subj->obj_hash[index];
32959+ if (*curr != NULL)
32960+ (*curr)->prev = obj;
32961+
32962+ obj->next = *curr;
32963+ *curr = obj;
32964+
32965+ return;
32966+}
32967+
32968+static void
32969+insert_acl_subj_label(struct acl_subject_label *obj,
32970+ struct acl_role_label *role)
32971+{
32972+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
32973+ struct acl_subject_label **curr;
32974+
32975+ obj->prev = NULL;
32976+
32977+ curr = &role->subj_hash[index];
32978+ if (*curr != NULL)
32979+ (*curr)->prev = obj;
32980+
32981+ obj->next = *curr;
32982+ *curr = obj;
32983+
32984+ return;
32985+}
32986+
32987+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
32988+
32989+static void *
32990+create_table(__u32 * len, int elementsize)
32991+{
32992+ unsigned int table_sizes[] = {
32993+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
32994+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
32995+ 4194301, 8388593, 16777213, 33554393, 67108859
32996+ };
32997+ void *newtable = NULL;
32998+ unsigned int pwr = 0;
32999+
33000+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
33001+ table_sizes[pwr] <= *len)
33002+ pwr++;
33003+
33004+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
33005+ return newtable;
33006+
33007+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
33008+ newtable =
33009+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
33010+ else
33011+ newtable = vmalloc(table_sizes[pwr] * elementsize);
33012+
33013+ *len = table_sizes[pwr];
33014+
33015+ return newtable;
33016+}
33017+
33018+static int
33019+init_variables(const struct gr_arg *arg)
33020+{
33021+ struct task_struct *reaper = &init_task;
33022+ unsigned int stacksize;
33023+
33024+ subj_map_set.s_size = arg->role_db.num_subjects;
33025+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
33026+ name_set.n_size = arg->role_db.num_objects;
33027+ inodev_set.i_size = arg->role_db.num_objects;
33028+
33029+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
33030+ !name_set.n_size || !inodev_set.i_size)
33031+ return 1;
33032+
33033+ if (!gr_init_uidset())
33034+ return 1;
33035+
33036+ /* set up the stack that holds allocation info */
33037+
33038+ stacksize = arg->role_db.num_pointers + 5;
33039+
33040+ if (!acl_alloc_stack_init(stacksize))
33041+ return 1;
33042+
33043+ /* grab reference for the real root dentry and vfsmount */
33044+ read_lock(&reaper->fs->lock);
33045+ real_root_mnt = mntget(reaper->fs->root.mnt);
33046+ real_root = dget(reaper->fs->root.dentry);
33047+ read_unlock(&reaper->fs->lock);
33048+
33049+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
33050+ if (fakefs_obj == NULL)
33051+ return 1;
33052+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
33053+
33054+ subj_map_set.s_hash =
33055+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
33056+ acl_role_set.r_hash =
33057+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
33058+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
33059+ inodev_set.i_hash =
33060+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
33061+
33062+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
33063+ !name_set.n_hash || !inodev_set.i_hash)
33064+ return 1;
33065+
33066+ memset(subj_map_set.s_hash, 0,
33067+ sizeof(struct subject_map *) * subj_map_set.s_size);
33068+ memset(acl_role_set.r_hash, 0,
33069+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
33070+ memset(name_set.n_hash, 0,
33071+ sizeof (struct name_entry *) * name_set.n_size);
33072+ memset(inodev_set.i_hash, 0,
33073+ sizeof (struct inodev_entry *) * inodev_set.i_size);
33074+
33075+ return 0;
33076+}
33077+
33078+/* free information not needed after startup
33079+ currently contains user->kernel pointer mappings for subjects
33080+*/
33081+
33082+static void
33083+free_init_variables(void)
33084+{
33085+ __u32 i;
33086+
33087+ if (subj_map_set.s_hash) {
33088+ for (i = 0; i < subj_map_set.s_size; i++) {
33089+ if (subj_map_set.s_hash[i]) {
33090+ kfree(subj_map_set.s_hash[i]);
33091+ subj_map_set.s_hash[i] = NULL;
33092+ }
33093+ }
33094+
33095+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
33096+ PAGE_SIZE)
33097+ kfree(subj_map_set.s_hash);
33098+ else
33099+ vfree(subj_map_set.s_hash);
33100+ }
33101+
33102+ return;
33103+}
33104+
33105+static void
33106+free_variables(void)
33107+{
33108+ struct acl_subject_label *s;
33109+ struct acl_role_label *r;
33110+ struct task_struct *task, *task2;
ae4e228f 33111+ unsigned int x;
33112+
33113+ gr_clear_learn_entries();
33114+
33115+ read_lock(&tasklist_lock);
33116+ do_each_thread(task2, task) {
33117+ task->acl_sp_role = 0;
33118+ task->acl_role_id = 0;
33119+ task->acl = NULL;
33120+ task->role = NULL;
33121+ } while_each_thread(task2, task);
33122+ read_unlock(&tasklist_lock);
33123+
33124+ /* release the reference to the real root dentry and vfsmount */
33125+ if (real_root)
33126+ dput(real_root);
33127+ real_root = NULL;
33128+ if (real_root_mnt)
33129+ mntput(real_root_mnt);
33130+ real_root_mnt = NULL;
33131+
33132+ /* free all object hash tables */
33133+
ae4e228f 33134+ FOR_EACH_ROLE_START(r)
58c5fc13 33135+ if (r->subj_hash == NULL)
ae4e228f 33136+ goto next_role;
33137+ FOR_EACH_SUBJECT_START(r, s, x)
33138+ if (s->obj_hash == NULL)
33139+ break;
33140+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33141+ kfree(s->obj_hash);
33142+ else
33143+ vfree(s->obj_hash);
33144+ FOR_EACH_SUBJECT_END(s, x)
33145+ FOR_EACH_NESTED_SUBJECT_START(r, s)
33146+ if (s->obj_hash == NULL)
33147+ break;
33148+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
33149+ kfree(s->obj_hash);
33150+ else
33151+ vfree(s->obj_hash);
33152+ FOR_EACH_NESTED_SUBJECT_END(s)
33153+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
33154+ kfree(r->subj_hash);
33155+ else
33156+ vfree(r->subj_hash);
33157+ r->subj_hash = NULL;
33158+next_role:
33159+ FOR_EACH_ROLE_END(r)
33160+
33161+ acl_free_all();
33162+
33163+ if (acl_role_set.r_hash) {
33164+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
33165+ PAGE_SIZE)
33166+ kfree(acl_role_set.r_hash);
33167+ else
33168+ vfree(acl_role_set.r_hash);
33169+ }
33170+ if (name_set.n_hash) {
33171+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
33172+ PAGE_SIZE)
33173+ kfree(name_set.n_hash);
33174+ else
33175+ vfree(name_set.n_hash);
33176+ }
33177+
33178+ if (inodev_set.i_hash) {
33179+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
33180+ PAGE_SIZE)
33181+ kfree(inodev_set.i_hash);
33182+ else
33183+ vfree(inodev_set.i_hash);
33184+ }
33185+
33186+ gr_free_uidset();
33187+
33188+ memset(&name_set, 0, sizeof (struct name_db));
33189+ memset(&inodev_set, 0, sizeof (struct inodev_db));
33190+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
33191+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
33192+
33193+ default_role = NULL;
ae4e228f 33194+ role_list = NULL;
33195+
33196+ return;
33197+}
33198+
33199+static __u32
33200+count_user_objs(struct acl_object_label *userp)
33201+{
33202+ struct acl_object_label o_tmp;
33203+ __u32 num = 0;
33204+
33205+ while (userp) {
33206+ if (copy_from_user(&o_tmp, userp,
33207+ sizeof (struct acl_object_label)))
33208+ break;
33209+
33210+ userp = o_tmp.prev;
33211+ num++;
33212+ }
33213+
33214+ return num;
33215+}
33216+
33217+static struct acl_subject_label *
33218+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
33219+
33220+static int
33221+copy_user_glob(struct acl_object_label *obj)
33222+{
33223+ struct acl_object_label *g_tmp, **guser;
33224+ unsigned int len;
33225+ char *tmp;
33226+
33227+ if (obj->globbed == NULL)
33228+ return 0;
33229+
33230+ guser = &obj->globbed;
33231+ while (*guser) {
33232+ g_tmp = (struct acl_object_label *)
33233+ acl_alloc(sizeof (struct acl_object_label));
33234+ if (g_tmp == NULL)
33235+ return -ENOMEM;
33236+
33237+ if (copy_from_user(g_tmp, *guser,
33238+ sizeof (struct acl_object_label)))
33239+ return -EFAULT;
33240+
33241+ len = strnlen_user(g_tmp->filename, PATH_MAX);
33242+
33243+ if (!len || len >= PATH_MAX)
33244+ return -EINVAL;
33245+
33246+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33247+ return -ENOMEM;
33248+
33249+ if (copy_from_user(tmp, g_tmp->filename, len))
33250+ return -EFAULT;
33251+ tmp[len-1] = '\0';
33252+ g_tmp->filename = tmp;
33253+
33254+ *guser = g_tmp;
33255+ guser = &(g_tmp->next);
33256+ }
33257+
33258+ return 0;
33259+}
33260+
33261+static int
33262+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
33263+ struct acl_role_label *role)
33264+{
33265+ struct acl_object_label *o_tmp;
33266+ unsigned int len;
33267+ int ret;
33268+ char *tmp;
33269+
33270+ while (userp) {
33271+ if ((o_tmp = (struct acl_object_label *)
33272+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
33273+ return -ENOMEM;
33274+
33275+ if (copy_from_user(o_tmp, userp,
33276+ sizeof (struct acl_object_label)))
33277+ return -EFAULT;
33278+
33279+ userp = o_tmp->prev;
33280+
33281+ len = strnlen_user(o_tmp->filename, PATH_MAX);
33282+
33283+ if (!len || len >= PATH_MAX)
33284+ return -EINVAL;
33285+
33286+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33287+ return -ENOMEM;
33288+
33289+ if (copy_from_user(tmp, o_tmp->filename, len))
33290+ return -EFAULT;
33291+ tmp[len-1] = '\0';
33292+ o_tmp->filename = tmp;
33293+
33294+ insert_acl_obj_label(o_tmp, subj);
33295+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
33296+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
33297+ return -ENOMEM;
33298+
33299+ ret = copy_user_glob(o_tmp);
33300+ if (ret)
33301+ return ret;
33302+
33303+ if (o_tmp->nested) {
33304+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
33305+ if (IS_ERR(o_tmp->nested))
33306+ return PTR_ERR(o_tmp->nested);
33307+
33308+ /* insert into nested subject list */
33309+ o_tmp->nested->next = role->hash->first;
33310+ role->hash->first = o_tmp->nested;
33311+ }
33312+ }
33313+
33314+ return 0;
33315+}
33316+
33317+static __u32
33318+count_user_subjs(struct acl_subject_label *userp)
33319+{
33320+ struct acl_subject_label s_tmp;
33321+ __u32 num = 0;
33322+
33323+ while (userp) {
33324+ if (copy_from_user(&s_tmp, userp,
33325+ sizeof (struct acl_subject_label)))
33326+ break;
33327+
33328+ userp = s_tmp.prev;
33329+ /* do not count nested subjects against this count, since
33330+ they are not included in the hash table, but are
33331+ attached to objects. We have already counted
33332+ the subjects in userspace for the allocation
33333+ stack
33334+ */
33335+ if (!(s_tmp.mode & GR_NESTED))
33336+ num++;
33337+ }
33338+
33339+ return num;
33340+}
33341+
33342+static int
33343+copy_user_allowedips(struct acl_role_label *rolep)
33344+{
33345+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
33346+
33347+ ruserip = rolep->allowed_ips;
33348+
33349+ while (ruserip) {
33350+ rlast = rtmp;
33351+
33352+ if ((rtmp = (struct role_allowed_ip *)
33353+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
33354+ return -ENOMEM;
33355+
33356+ if (copy_from_user(rtmp, ruserip,
33357+ sizeof (struct role_allowed_ip)))
33358+ return -EFAULT;
33359+
33360+ ruserip = rtmp->prev;
33361+
33362+ if (!rlast) {
33363+ rtmp->prev = NULL;
33364+ rolep->allowed_ips = rtmp;
33365+ } else {
33366+ rlast->next = rtmp;
33367+ rtmp->prev = rlast;
33368+ }
33369+
33370+ if (!ruserip)
33371+ rtmp->next = NULL;
33372+ }
33373+
33374+ return 0;
33375+}
33376+
33377+static int
33378+copy_user_transitions(struct acl_role_label *rolep)
33379+{
33380+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
33381+
33382+ unsigned int len;
33383+ char *tmp;
33384+
33385+ rusertp = rolep->transitions;
33386+
33387+ while (rusertp) {
33388+ rlast = rtmp;
33389+
33390+ if ((rtmp = (struct role_transition *)
33391+ acl_alloc(sizeof (struct role_transition))) == NULL)
33392+ return -ENOMEM;
33393+
33394+ if (copy_from_user(rtmp, rusertp,
33395+ sizeof (struct role_transition)))
33396+ return -EFAULT;
33397+
33398+ rusertp = rtmp->prev;
33399+
33400+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
33401+
33402+ if (!len || len >= GR_SPROLE_LEN)
33403+ return -EINVAL;
33404+
33405+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33406+ return -ENOMEM;
33407+
33408+ if (copy_from_user(tmp, rtmp->rolename, len))
33409+ return -EFAULT;
33410+ tmp[len-1] = '\0';
33411+ rtmp->rolename = tmp;
33412+
33413+ if (!rlast) {
33414+ rtmp->prev = NULL;
33415+ rolep->transitions = rtmp;
33416+ } else {
33417+ rlast->next = rtmp;
33418+ rtmp->prev = rlast;
33419+ }
33420+
33421+ if (!rusertp)
33422+ rtmp->next = NULL;
33423+ }
33424+
33425+ return 0;
33426+}
33427+
33428+static struct acl_subject_label *
33429+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
33430+{
33431+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
33432+ unsigned int len;
33433+ char *tmp;
33434+ __u32 num_objs;
33435+ struct acl_ip_label **i_tmp, *i_utmp2;
33436+ struct gr_hash_struct ghash;
33437+ struct subject_map *subjmap;
33438+ unsigned int i_num;
33439+ int err;
33440+
33441+ s_tmp = lookup_subject_map(userp);
33442+
33443+ /* we've already copied this subject into the kernel, just return
33444+ the reference to it, and don't copy it over again
33445+ */
33446+ if (s_tmp)
33447+ return(s_tmp);
33448+
33449+ if ((s_tmp = (struct acl_subject_label *)
33450+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
33451+ return ERR_PTR(-ENOMEM);
33452+
33453+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
33454+ if (subjmap == NULL)
33455+ return ERR_PTR(-ENOMEM);
33456+
33457+ subjmap->user = userp;
33458+ subjmap->kernel = s_tmp;
33459+ insert_subj_map_entry(subjmap);
33460+
33461+ if (copy_from_user(s_tmp, userp,
33462+ sizeof (struct acl_subject_label)))
33463+ return ERR_PTR(-EFAULT);
33464+
33465+ len = strnlen_user(s_tmp->filename, PATH_MAX);
33466+
33467+ if (!len || len >= PATH_MAX)
33468+ return ERR_PTR(-EINVAL);
33469+
33470+ if ((tmp = (char *) acl_alloc(len)) == NULL)
33471+ return ERR_PTR(-ENOMEM);
33472+
33473+ if (copy_from_user(tmp, s_tmp->filename, len))
33474+ return ERR_PTR(-EFAULT);
33475+ tmp[len-1] = '\0';
33476+ s_tmp->filename = tmp;
33477+
33478+ if (!strcmp(s_tmp->filename, "/"))
33479+ role->root_label = s_tmp;
33480+
33481+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
33482+ return ERR_PTR(-EFAULT);
33483+
33484+ /* copy user and group transition tables */
33485+
33486+ if (s_tmp->user_trans_num) {
33487+ uid_t *uidlist;
33488+
33489+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
33490+ if (uidlist == NULL)
33491+ return ERR_PTR(-ENOMEM);
33492+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
33493+ return ERR_PTR(-EFAULT);
33494+
33495+ s_tmp->user_transitions = uidlist;
33496+ }
33497+
33498+ if (s_tmp->group_trans_num) {
33499+ gid_t *gidlist;
33500+
33501+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
33502+ if (gidlist == NULL)
33503+ return ERR_PTR(-ENOMEM);
33504+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
33505+ return ERR_PTR(-EFAULT);
33506+
33507+ s_tmp->group_transitions = gidlist;
33508+ }
33509+
33510+ /* set up object hash table */
33511+ num_objs = count_user_objs(ghash.first);
33512+
33513+ s_tmp->obj_hash_size = num_objs;
33514+ s_tmp->obj_hash =
33515+ (struct acl_object_label **)
33516+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
33517+
33518+ if (!s_tmp->obj_hash)
33519+ return ERR_PTR(-ENOMEM);
33520+
33521+ memset(s_tmp->obj_hash, 0,
33522+ s_tmp->obj_hash_size *
33523+ sizeof (struct acl_object_label *));
33524+
33525+ /* add in objects */
33526+ err = copy_user_objs(ghash.first, s_tmp, role);
33527+
33528+ if (err)
33529+ return ERR_PTR(err);
33530+
33531+ /* set pointer for parent subject */
33532+ if (s_tmp->parent_subject) {
33533+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
33534+
33535+ if (IS_ERR(s_tmp2))
33536+ return s_tmp2;
33537+
33538+ s_tmp->parent_subject = s_tmp2;
33539+ }
33540+
33541+ /* add in ip acls */
33542+
33543+ if (!s_tmp->ip_num) {
33544+ s_tmp->ips = NULL;
33545+ goto insert;
33546+ }
33547+
33548+ i_tmp =
33549+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
33550+ sizeof (struct acl_ip_label *));
33551+
33552+ if (!i_tmp)
33553+ return ERR_PTR(-ENOMEM);
33554+
33555+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
33556+ *(i_tmp + i_num) =
33557+ (struct acl_ip_label *)
33558+ acl_alloc(sizeof (struct acl_ip_label));
33559+ if (!*(i_tmp + i_num))
33560+ return ERR_PTR(-ENOMEM);
33561+
33562+ if (copy_from_user
33563+ (&i_utmp2, s_tmp->ips + i_num,
33564+ sizeof (struct acl_ip_label *)))
33565+ return ERR_PTR(-EFAULT);
33566+
33567+ if (copy_from_user
33568+ (*(i_tmp + i_num), i_utmp2,
33569+ sizeof (struct acl_ip_label)))
33570+ return ERR_PTR(-EFAULT);
33571+
33572+ if ((*(i_tmp + i_num))->iface == NULL)
33573+ continue;
33574+
33575+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
33576+ if (!len || len >= IFNAMSIZ)
33577+ return ERR_PTR(-EINVAL);
33578+ tmp = acl_alloc(len);
33579+ if (tmp == NULL)
33580+ return ERR_PTR(-ENOMEM);
33581+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
33582+ return ERR_PTR(-EFAULT);
33583+ (*(i_tmp + i_num))->iface = tmp;
33584+ }
33585+
33586+ s_tmp->ips = i_tmp;
33587+
33588+insert:
33589+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
33590+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
33591+ return ERR_PTR(-ENOMEM);
33592+
33593+ return s_tmp;
33594+}
33595+
33596+static int
33597+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
33598+{
33599+ struct acl_subject_label s_pre;
33600+ struct acl_subject_label * ret;
33601+ int err;
33602+
33603+ while (userp) {
33604+ if (copy_from_user(&s_pre, userp,
33605+ sizeof (struct acl_subject_label)))
33606+ return -EFAULT;
33607+
33608+ /* do not add nested subjects here, add
33609+ while parsing objects
33610+ */
33611+
33612+ if (s_pre.mode & GR_NESTED) {
33613+ userp = s_pre.prev;
33614+ continue;
33615+ }
33616+
33617+ ret = do_copy_user_subj(userp, role);
33618+
33619+ err = PTR_ERR(ret);
33620+ if (IS_ERR(ret))
33621+ return err;
33622+
33623+ insert_acl_subj_label(ret, role);
33624+
33625+ userp = s_pre.prev;
33626+ }
33627+
33628+ return 0;
33629+}
33630+
33631+static int
33632+copy_user_acl(struct gr_arg *arg)
33633+{
33634+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
33635+ struct sprole_pw *sptmp;
33636+ struct gr_hash_struct *ghash;
33637+ uid_t *domainlist;
33638+ unsigned int r_num;
33639+ unsigned int len;
33640+ char *tmp;
33641+ int err = 0;
33642+ __u16 i;
33643+ __u32 num_subjs;
33644+
33645+ /* we need a default and kernel role */
33646+ if (arg->role_db.num_roles < 2)
33647+ return -EINVAL;
33648+
33649+ /* copy special role authentication info from userspace */
33650+
33651+ num_sprole_pws = arg->num_sprole_pws;
33652+ acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
33653+
33654+ if (!acl_special_roles) {
33655+ err = -ENOMEM;
33656+ goto cleanup;
33657+ }
33658+
33659+ for (i = 0; i < num_sprole_pws; i++) {
33660+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
33661+ if (!sptmp) {
33662+ err = -ENOMEM;
33663+ goto cleanup;
33664+ }
33665+ if (copy_from_user(sptmp, arg->sprole_pws + i,
33666+ sizeof (struct sprole_pw))) {
33667+ err = -EFAULT;
33668+ goto cleanup;
33669+ }
33670+
33671+ len =
33672+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
33673+
33674+ if (!len || len >= GR_SPROLE_LEN) {
33675+ err = -EINVAL;
33676+ goto cleanup;
33677+ }
33678+
33679+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
33680+ err = -ENOMEM;
33681+ goto cleanup;
33682+ }
33683+
33684+ if (copy_from_user(tmp, sptmp->rolename, len)) {
33685+ err = -EFAULT;
33686+ goto cleanup;
33687+ }
33688+ tmp[len-1] = '\0';
33689+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
33690+ printk(KERN_ALERT "Copying special role %s\n", tmp);
33691+#endif
33692+ sptmp->rolename = tmp;
33693+ acl_special_roles[i] = sptmp;
33694+ }
33695+
33696+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
33697+
33698+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
33699+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
33700+
33701+ if (!r_tmp) {
33702+ err = -ENOMEM;
33703+ goto cleanup;
33704+ }
33705+
33706+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
33707+ sizeof (struct acl_role_label *))) {
33708+ err = -EFAULT;
33709+ goto cleanup;
33710+ }
33711+
33712+ if (copy_from_user(r_tmp, r_utmp2,
33713+ sizeof (struct acl_role_label))) {
33714+ err = -EFAULT;
33715+ goto cleanup;
33716+ }
33717+
33718+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
33719+
33720+ if (!len || len >= PATH_MAX) {
33721+ err = -EINVAL;
33722+ goto cleanup;
33723+ }
33724+
33725+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
33726+ err = -ENOMEM;
33727+ goto cleanup;
33728+ }
33729+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
33730+ err = -EFAULT;
33731+ goto cleanup;
33732+ }
33733+ tmp[len-1] = '\0';
33734+ r_tmp->rolename = tmp;
33735+
33736+ if (!strcmp(r_tmp->rolename, "default")
33737+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
33738+ default_role = r_tmp;
33739+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
33740+ kernel_role = r_tmp;
33741+ }
33742+
33743+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
33744+ err = -ENOMEM;
33745+ goto cleanup;
33746+ }
33747+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
33748+ err = -EFAULT;
33749+ goto cleanup;
33750+ }
33751+
33752+ r_tmp->hash = ghash;
33753+
33754+ num_subjs = count_user_subjs(r_tmp->hash->first);
33755+
33756+ r_tmp->subj_hash_size = num_subjs;
33757+ r_tmp->subj_hash =
33758+ (struct acl_subject_label **)
33759+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
33760+
33761+ if (!r_tmp->subj_hash) {
33762+ err = -ENOMEM;
33763+ goto cleanup;
33764+ }
33765+
33766+ err = copy_user_allowedips(r_tmp);
33767+ if (err)
33768+ goto cleanup;
33769+
33770+ /* copy domain info */
33771+ if (r_tmp->domain_children != NULL) {
33772+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
33773+ if (domainlist == NULL) {
33774+ err = -ENOMEM;
33775+ goto cleanup;
33776+ }
33777+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
33778+ err = -EFAULT;
33779+ goto cleanup;
33780+ }
33781+ r_tmp->domain_children = domainlist;
33782+ }
33783+
33784+ err = copy_user_transitions(r_tmp);
33785+ if (err)
33786+ goto cleanup;
33787+
33788+ memset(r_tmp->subj_hash, 0,
33789+ r_tmp->subj_hash_size *
33790+ sizeof (struct acl_subject_label *));
33791+
33792+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
33793+
33794+ if (err)
33795+ goto cleanup;
33796+
33797+ /* set nested subject list to null */
33798+ r_tmp->hash->first = NULL;
33799+
33800+ insert_acl_role_label(r_tmp);
33801+ }
33802+
33803+ goto return_err;
33804+ cleanup:
33805+ free_variables();
33806+ return_err:
33807+ return err;
33808+
33809+}
33810+
33811+static int
33812+gracl_init(struct gr_arg *args)
33813+{
33814+ int error = 0;
33815+
33816+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
33817+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
33818+
33819+ if (init_variables(args)) {
33820+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
33821+ error = -ENOMEM;
33822+ free_variables();
33823+ goto out;
33824+ }
33825+
33826+ error = copy_user_acl(args);
33827+ free_init_variables();
33828+ if (error) {
33829+ free_variables();
33830+ goto out;
33831+ }
33832+
33833+ if ((error = gr_set_acls(0))) {
33834+ free_variables();
33835+ goto out;
33836+ }
33837+
ae4e228f 33838+ pax_open_kernel();
58c5fc13 33839+ gr_status |= GR_READY;
ae4e228f 33840+ pax_close_kernel();
33841+
33842+ out:
33843+ return error;
33844+}
33845+
33846+/* derived from glibc fnmatch() 0: match, 1: no match*/
33847+
33848+static int
33849+glob_match(const char *p, const char *n)
33850+{
33851+ char c;
33852+
33853+ while ((c = *p++) != '\0') {
33854+ switch (c) {
33855+ case '?':
33856+ if (*n == '\0')
33857+ return 1;
33858+ else if (*n == '/')
33859+ return 1;
33860+ break;
33861+ case '\\':
33862+ if (*n != c)
33863+ return 1;
33864+ break;
33865+ case '*':
33866+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
33867+ if (*n == '/')
33868+ return 1;
33869+ else if (c == '?') {
33870+ if (*n == '\0')
33871+ return 1;
33872+ else
33873+ ++n;
33874+ }
33875+ }
33876+ if (c == '\0') {
33877+ return 0;
33878+ } else {
33879+ const char *endp;
33880+
33881+ if ((endp = strchr(n, '/')) == NULL)
33882+ endp = n + strlen(n);
33883+
33884+ if (c == '[') {
33885+ for (--p; n < endp; ++n)
33886+ if (!glob_match(p, n))
33887+ return 0;
33888+ } else if (c == '/') {
33889+ while (*n != '\0' && *n != '/')
33890+ ++n;
33891+ if (*n == '/' && !glob_match(p, n + 1))
33892+ return 0;
33893+ } else {
33894+ for (--p; n < endp; ++n)
33895+ if (*n == c && !glob_match(p, n))
33896+ return 0;
33897+ }
33898+
33899+ return 1;
33900+ }
33901+ case '[':
33902+ {
33903+ int not;
33904+ char cold;
33905+
33906+ if (*n == '\0' || *n == '/')
33907+ return 1;
33908+
33909+ not = (*p == '!' || *p == '^');
33910+ if (not)
33911+ ++p;
33912+
33913+ c = *p++;
33914+ for (;;) {
33915+ unsigned char fn = (unsigned char)*n;
33916+
33917+ if (c == '\0')
33918+ return 1;
33919+ else {
33920+ if (c == fn)
33921+ goto matched;
33922+ cold = c;
33923+ c = *p++;
33924+
33925+ if (c == '-' && *p != ']') {
33926+ unsigned char cend = *p++;
33927+
33928+ if (cend == '\0')
33929+ return 1;
33930+
33931+ if (cold <= fn && fn <= cend)
33932+ goto matched;
33933+
33934+ c = *p++;
33935+ }
33936+ }
33937+
33938+ if (c == ']')
33939+ break;
33940+ }
33941+ if (!not)
33942+ return 1;
33943+ break;
33944+ matched:
33945+ while (c != ']') {
33946+ if (c == '\0')
33947+ return 1;
33948+
33949+ c = *p++;
33950+ }
33951+ if (not)
33952+ return 1;
33953+ }
33954+ break;
33955+ default:
33956+ if (c != *n)
33957+ return 1;
33958+ }
33959+
33960+ ++n;
33961+ }
33962+
33963+ if (*n == '\0')
33964+ return 0;
33965+
33966+ if (*n == '/')
33967+ return 0;
33968+
33969+ return 1;
33970+}
33971+
33972+static struct acl_object_label *
33973+chk_glob_label(struct acl_object_label *globbed,
33974+ struct dentry *dentry, struct vfsmount *mnt, char **path)
33975+{
33976+ struct acl_object_label *tmp;
33977+
33978+ if (*path == NULL)
33979+ *path = gr_to_filename_nolock(dentry, mnt);
33980+
33981+ tmp = globbed;
33982+
33983+ while (tmp) {
33984+ if (!glob_match(tmp->filename, *path))
33985+ return tmp;
33986+ tmp = tmp->next;
33987+ }
33988+
33989+ return NULL;
33990+}
33991+
33992+static struct acl_object_label *
33993+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
33994+ const ino_t curr_ino, const dev_t curr_dev,
33995+ const struct acl_subject_label *subj, char **path, const int checkglob)
33996+{
33997+ struct acl_subject_label *tmpsubj;
33998+ struct acl_object_label *retval;
33999+ struct acl_object_label *retval2;
34000+
34001+ tmpsubj = (struct acl_subject_label *) subj;
34002+ read_lock(&gr_inode_lock);
34003+ do {
34004+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
34005+ if (retval) {
34006+ if (checkglob && retval->globbed) {
34007+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
34008+ (struct vfsmount *)orig_mnt, path);
34009+ if (retval2)
34010+ retval = retval2;
34011+ }
34012+ break;
34013+ }
34014+ } while ((tmpsubj = tmpsubj->parent_subject));
34015+ read_unlock(&gr_inode_lock);
34016+
34017+ return retval;
34018+}
34019+
34020+static __inline__ struct acl_object_label *
34021+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
34022+ const struct dentry *curr_dentry,
34023+ const struct acl_subject_label *subj, char **path, const int checkglob)
34024+{
34025+ return __full_lookup(orig_dentry, orig_mnt,
34026+ curr_dentry->d_inode->i_ino,
34027+ curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
34028+}
34029+
34030+static struct acl_object_label *
34031+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34032+ const struct acl_subject_label *subj, char *path, const int checkglob)
34033+{
34034+ struct dentry *dentry = (struct dentry *) l_dentry;
34035+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
34036+ struct acl_object_label *retval;
34037+
34038+ spin_lock(&dcache_lock);
34039+
34040+ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
34041+ /* ignore Eric Biederman */
34042+ IS_PRIVATE(l_dentry->d_inode))) {
34043+ retval = fakefs_obj;
34044+ goto out;
34045+ }
34046+
34047+ for (;;) {
34048+ if (dentry == real_root && mnt == real_root_mnt)
34049+ break;
34050+
34051+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
34052+ if (mnt->mnt_parent == mnt)
34053+ break;
34054+
34055+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34056+ if (retval != NULL)
34057+ goto out;
34058+
34059+ dentry = mnt->mnt_mountpoint;
34060+ mnt = mnt->mnt_parent;
34061+ continue;
34062+ }
34063+
34064+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34065+ if (retval != NULL)
34066+ goto out;
34067+
34068+ dentry = dentry->d_parent;
34069+ }
34070+
34071+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
34072+
34073+ if (retval == NULL)
34074+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
34075+out:
34076+ spin_unlock(&dcache_lock);
34077+ return retval;
34078+}
34079+
34080+static __inline__ struct acl_object_label *
34081+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34082+ const struct acl_subject_label *subj)
34083+{
34084+ char *path = NULL;
34085+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
34086+}
34087+
34088+static __inline__ struct acl_object_label *
34089+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34090+ const struct acl_subject_label *subj)
34091+{
34092+ char *path = NULL;
34093+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
34094+}
34095+
34096+static __inline__ struct acl_object_label *
34097+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34098+ const struct acl_subject_label *subj, char *path)
34099+{
34100+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
34101+}
34102+
34103+static struct acl_subject_label *
34104+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
34105+ const struct acl_role_label *role)
34106+{
34107+ struct dentry *dentry = (struct dentry *) l_dentry;
34108+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
34109+ struct acl_subject_label *retval;
34110+
34111+ spin_lock(&dcache_lock);
34112+
34113+ for (;;) {
34114+ if (dentry == real_root && mnt == real_root_mnt)
34115+ break;
34116+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
34117+ if (mnt->mnt_parent == mnt)
34118+ break;
34119+
34120+ read_lock(&gr_inode_lock);
34121+ retval =
34122+ lookup_acl_subj_label(dentry->d_inode->i_ino,
34123+ dentry->d_inode->i_sb->s_dev, role);
34124+ read_unlock(&gr_inode_lock);
34125+ if (retval != NULL)
34126+ goto out;
34127+
34128+ dentry = mnt->mnt_mountpoint;
34129+ mnt = mnt->mnt_parent;
34130+ continue;
34131+ }
34132+
34133+ read_lock(&gr_inode_lock);
34134+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34135+ dentry->d_inode->i_sb->s_dev, role);
34136+ read_unlock(&gr_inode_lock);
34137+ if (retval != NULL)
34138+ goto out;
34139+
34140+ dentry = dentry->d_parent;
34141+ }
34142+
34143+ read_lock(&gr_inode_lock);
34144+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
34145+ dentry->d_inode->i_sb->s_dev, role);
34146+ read_unlock(&gr_inode_lock);
34147+
34148+ if (unlikely(retval == NULL)) {
34149+ read_lock(&gr_inode_lock);
34150+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
34151+ real_root->d_inode->i_sb->s_dev, role);
34152+ read_unlock(&gr_inode_lock);
34153+ }
34154+out:
34155+ spin_unlock(&dcache_lock);
34156+
34157+ return retval;
34158+}
34159+
34160+static void
34161+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
34162+{
34163+ struct task_struct *task = current;
34164+ const struct cred *cred = current_cred();
34165+
34166+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34167+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34168+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
ae4e228f 34169+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
34170+
34171+ return;
34172+}
34173+
34174+static void
34175+gr_log_learn_sysctl(const char *path, const __u32 mode)
34176+{
34177+ struct task_struct *task = current;
34178+ const struct cred *cred = current_cred();
34179+
34180+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
34181+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34182+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
ae4e228f 34183+ 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
34184+
34185+ return;
34186+}
34187+
34188+static void
34189+gr_log_learn_id_change(const char type, const unsigned int real,
34190+ const unsigned int effective, const unsigned int fs)
34191+{
34192+ struct task_struct *task = current;
34193+ const struct cred *cred = current_cred();
34194+
34195+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
34196+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
34197+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
ae4e228f 34198+ type, real, effective, fs, &task->signal->curr_ip);
34199+
34200+ return;
34201+}
34202+
34203+__u32
34204+gr_check_link(const struct dentry * new_dentry,
34205+ const struct dentry * parent_dentry,
34206+ const struct vfsmount * parent_mnt,
34207+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
34208+{
34209+ struct acl_object_label *obj;
34210+ __u32 oldmode, newmode;
34211+ __u32 needmode;
34212+
34213+ if (unlikely(!(gr_status & GR_READY)))
34214+ return (GR_CREATE | GR_LINK);
34215+
34216+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
34217+ oldmode = obj->mode;
34218+
34219+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34220+ oldmode |= (GR_CREATE | GR_LINK);
34221+
34222+ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
34223+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34224+ needmode |= GR_SETID | GR_AUDIT_SETID;
34225+
34226+ newmode =
34227+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
34228+ oldmode | needmode);
34229+
34230+ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
34231+ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
34232+ GR_INHERIT | GR_AUDIT_INHERIT);
34233+
34234+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
34235+ goto bad;
34236+
34237+ if ((oldmode & needmode) != needmode)
34238+ goto bad;
34239+
34240+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
34241+ if ((newmode & needmode) != needmode)
34242+ goto bad;
34243+
34244+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
34245+ return newmode;
34246+bad:
34247+ needmode = oldmode;
34248+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
34249+ needmode |= GR_SETID;
34250+
34251+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34252+ gr_log_learn(old_dentry, old_mnt, needmode);
34253+ return (GR_CREATE | GR_LINK);
34254+ } else if (newmode & GR_SUPPRESS)
34255+ return GR_SUPPRESS;
34256+ else
34257+ return 0;
34258+}
34259+
34260+__u32
34261+gr_search_file(const struct dentry * dentry, const __u32 mode,
34262+ const struct vfsmount * mnt)
34263+{
34264+ __u32 retval = mode;
34265+ struct acl_subject_label *curracl;
34266+ struct acl_object_label *currobj;
34267+
34268+ if (unlikely(!(gr_status & GR_READY)))
34269+ return (mode & ~GR_AUDITS);
34270+
34271+ curracl = current->acl;
34272+
34273+ currobj = chk_obj_label(dentry, mnt, curracl);
34274+ retval = currobj->mode & mode;
34275+
34276+ if (unlikely
34277+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
34278+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
34279+ __u32 new_mode = mode;
34280+
34281+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34282+
34283+ retval = new_mode;
34284+
34285+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
34286+ new_mode |= GR_INHERIT;
34287+
34288+ if (!(mode & GR_NOLEARN))
34289+ gr_log_learn(dentry, mnt, new_mode);
34290+ }
34291+
34292+ return retval;
34293+}
34294+
34295+__u32
34296+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
34297+ const struct vfsmount * mnt, const __u32 mode)
34298+{
34299+ struct name_entry *match;
34300+ struct acl_object_label *matchpo;
34301+ struct acl_subject_label *curracl;
34302+ char *path;
34303+ __u32 retval;
34304+
34305+ if (unlikely(!(gr_status & GR_READY)))
34306+ return (mode & ~GR_AUDITS);
34307+
34308+ preempt_disable();
34309+ path = gr_to_filename_rbac(new_dentry, mnt);
34310+ match = lookup_name_entry_create(path);
34311+
34312+ if (!match)
34313+ goto check_parent;
34314+
34315+ curracl = current->acl;
34316+
34317+ read_lock(&gr_inode_lock);
34318+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
34319+ read_unlock(&gr_inode_lock);
34320+
34321+ if (matchpo) {
34322+ if ((matchpo->mode & mode) !=
34323+ (mode & ~(GR_AUDITS | GR_SUPPRESS))
34324+ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
34325+ __u32 new_mode = mode;
34326+
34327+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34328+
34329+ gr_log_learn(new_dentry, mnt, new_mode);
34330+
34331+ preempt_enable();
34332+ return new_mode;
34333+ }
34334+ preempt_enable();
34335+ return (matchpo->mode & mode);
34336+ }
34337+
34338+ check_parent:
34339+ curracl = current->acl;
34340+
34341+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
34342+ retval = matchpo->mode & mode;
34343+
34344+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
34345+ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
34346+ __u32 new_mode = mode;
34347+
34348+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
34349+
34350+ gr_log_learn(new_dentry, mnt, new_mode);
34351+ preempt_enable();
34352+ return new_mode;
34353+ }
34354+
34355+ preempt_enable();
34356+ return retval;
34357+}
34358+
34359+int
34360+gr_check_hidden_task(const struct task_struct *task)
34361+{
34362+ if (unlikely(!(gr_status & GR_READY)))
34363+ return 0;
34364+
34365+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
34366+ return 1;
34367+
34368+ return 0;
34369+}
34370+
34371+int
34372+gr_check_protected_task(const struct task_struct *task)
34373+{
34374+ if (unlikely(!(gr_status & GR_READY) || !task))
34375+ return 0;
34376+
34377+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
34378+ task->acl != current->acl)
34379+ return 1;
34380+
34381+ return 0;
34382+}
34383+
34384+void
34385+gr_copy_label(struct task_struct *tsk)
34386+{
34387+ tsk->signal->used_accept = 0;
34388+ tsk->acl_sp_role = 0;
34389+ tsk->acl_role_id = current->acl_role_id;
34390+ tsk->acl = current->acl;
34391+ tsk->role = current->role;
34392+ tsk->signal->curr_ip = current->signal->curr_ip;
34393+ if (current->exec_file)
34394+ get_file(current->exec_file);
34395+ tsk->exec_file = current->exec_file;
34396+ tsk->is_writable = current->is_writable;
34397+ if (unlikely(current->signal->used_accept))
34398+ current->signal->curr_ip = 0;
34399+
34400+ return;
34401+}
34402+
34403+static void
34404+gr_set_proc_res(struct task_struct *task)
34405+{
34406+ struct acl_subject_label *proc;
34407+ unsigned short i;
34408+
34409+ proc = task->acl;
34410+
34411+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
34412+ return;
34413+
34414+ for (i = 0; i < RLIM_NLIMITS; i++) {
34415+ if (!(proc->resmask & (1 << i)))
34416+ continue;
34417+
34418+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
34419+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
34420+ }
34421+
34422+ return;
34423+}
34424+
34425+int
34426+gr_check_user_change(int real, int effective, int fs)
34427+{
34428+ unsigned int i;
34429+ __u16 num;
34430+ uid_t *uidlist;
34431+ int curuid;
34432+ int realok = 0;
34433+ int effectiveok = 0;
34434+ int fsok = 0;
34435+
34436+ if (unlikely(!(gr_status & GR_READY)))
34437+ return 0;
34438+
34439+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34440+ gr_log_learn_id_change('u', real, effective, fs);
34441+
34442+ num = current->acl->user_trans_num;
34443+ uidlist = current->acl->user_transitions;
34444+
34445+ if (uidlist == NULL)
34446+ return 0;
34447+
34448+ if (real == -1)
34449+ realok = 1;
34450+ if (effective == -1)
34451+ effectiveok = 1;
34452+ if (fs == -1)
34453+ fsok = 1;
34454+
34455+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
34456+ for (i = 0; i < num; i++) {
34457+ curuid = (int)uidlist[i];
34458+ if (real == curuid)
34459+ realok = 1;
34460+ if (effective == curuid)
34461+ effectiveok = 1;
34462+ if (fs == curuid)
34463+ fsok = 1;
34464+ }
34465+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
34466+ for (i = 0; i < num; i++) {
34467+ curuid = (int)uidlist[i];
34468+ if (real == curuid)
34469+ break;
34470+ if (effective == curuid)
34471+ break;
34472+ if (fs == curuid)
34473+ break;
34474+ }
34475+ /* not in deny list */
34476+ if (i == num) {
34477+ realok = 1;
34478+ effectiveok = 1;
34479+ fsok = 1;
34480+ }
34481+ }
34482+
34483+ if (realok && effectiveok && fsok)
34484+ return 0;
34485+ else {
34486+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34487+ return 1;
34488+ }
34489+}
34490+
34491+int
34492+gr_check_group_change(int real, int effective, int fs)
34493+{
34494+ unsigned int i;
34495+ __u16 num;
34496+ gid_t *gidlist;
34497+ int curgid;
34498+ int realok = 0;
34499+ int effectiveok = 0;
34500+ int fsok = 0;
34501+
34502+ if (unlikely(!(gr_status & GR_READY)))
34503+ return 0;
34504+
34505+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
34506+ gr_log_learn_id_change('g', real, effective, fs);
34507+
34508+ num = current->acl->group_trans_num;
34509+ gidlist = current->acl->group_transitions;
34510+
34511+ if (gidlist == NULL)
34512+ return 0;
34513+
34514+ if (real == -1)
34515+ realok = 1;
34516+ if (effective == -1)
34517+ effectiveok = 1;
34518+ if (fs == -1)
34519+ fsok = 1;
34520+
34521+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
34522+ for (i = 0; i < num; i++) {
34523+ curgid = (int)gidlist[i];
34524+ if (real == curgid)
34525+ realok = 1;
34526+ if (effective == curgid)
34527+ effectiveok = 1;
34528+ if (fs == curgid)
34529+ fsok = 1;
34530+ }
34531+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
34532+ for (i = 0; i < num; i++) {
34533+ curgid = (int)gidlist[i];
34534+ if (real == curgid)
34535+ break;
34536+ if (effective == curgid)
34537+ break;
34538+ if (fs == curgid)
34539+ break;
34540+ }
34541+ /* not in deny list */
34542+ if (i == num) {
34543+ realok = 1;
34544+ effectiveok = 1;
34545+ fsok = 1;
34546+ }
34547+ }
34548+
34549+ if (realok && effectiveok && fsok)
34550+ return 0;
34551+ else {
34552+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
34553+ return 1;
34554+ }
34555+}
34556+
34557+void
34558+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
34559+{
34560+ struct acl_role_label *role = task->role;
34561+ struct acl_subject_label *subj = NULL;
34562+ struct acl_object_label *obj;
34563+ struct file *filp;
34564+
34565+ if (unlikely(!(gr_status & GR_READY)))
34566+ return;
34567+
34568+ filp = task->exec_file;
34569+
34570+ /* kernel process, we'll give them the kernel role */
34571+ if (unlikely(!filp)) {
34572+ task->role = kernel_role;
34573+ task->acl = kernel_role->root_label;
34574+ return;
34575+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
34576+ role = lookup_acl_role_label(task, uid, gid);
34577+
34578+ /* perform subject lookup in possibly new role
34579+ we can use this result below in the case where role == task->role
34580+ */
34581+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
34582+
34583+ /* if we changed uid/gid, but result in the same role
34584+ and are using inheritance, don't lose the inherited subject
34585+ if current subject is other than what normal lookup
34586+ would result in, we arrived via inheritance, don't
34587+ lose subject
34588+ */
34589+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
34590+ (subj == task->acl)))
34591+ task->acl = subj;
34592+
34593+ task->role = role;
34594+
34595+ task->is_writable = 0;
34596+
34597+ /* ignore additional mmap checks for processes that are writable
34598+ by the default ACL */
34599+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
34600+ if (unlikely(obj->mode & GR_WRITE))
34601+ task->is_writable = 1;
34602+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
34603+ if (unlikely(obj->mode & GR_WRITE))
34604+ task->is_writable = 1;
34605+
34606+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34607+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34608+#endif
34609+
34610+ gr_set_proc_res(task);
34611+
34612+ return;
34613+}
34614+
34615+int
34616+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
34617+ const int unsafe_share)
34618+{
34619+ struct task_struct *task = current;
34620+ struct acl_subject_label *newacl;
34621+ struct acl_object_label *obj;
34622+ __u32 retmode;
34623+
34624+ if (unlikely(!(gr_status & GR_READY)))
34625+ return 0;
34626+
34627+ newacl = chk_subj_label(dentry, mnt, task->role);
34628+
34629+ task_lock(task);
ae4e228f
MT
34630+ if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
34631+ !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
58c5fc13
MT
34632+ !(task->role->roletype & GR_ROLE_GOD) &&
34633+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
ae4e228f 34634+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
58c5fc13 34635+ task_unlock(task);
ae4e228f
MT
34636+ if (unsafe_share)
34637+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
34638+ else
34639+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
58c5fc13
MT
34640+ return -EACCES;
34641+ }
34642+ task_unlock(task);
34643+
34644+ obj = chk_obj_label(dentry, mnt, task->acl);
34645+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
34646+
34647+ if (!(task->acl->mode & GR_INHERITLEARN) &&
34648+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
34649+ if (obj->nested)
34650+ task->acl = obj->nested;
34651+ else
34652+ task->acl = newacl;
34653+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
34654+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
34655+
34656+ task->is_writable = 0;
34657+
34658+ /* ignore additional mmap checks for processes that are writable
34659+ by the default ACL */
34660+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
34661+ if (unlikely(obj->mode & GR_WRITE))
34662+ task->is_writable = 1;
34663+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
34664+ if (unlikely(obj->mode & GR_WRITE))
34665+ task->is_writable = 1;
34666+
34667+ gr_set_proc_res(task);
34668+
34669+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
34670+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
34671+#endif
34672+ return 0;
34673+}
34674+
34675+/* always called with valid inodev ptr */
34676+static void
34677+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
34678+{
34679+ struct acl_object_label *matchpo;
34680+ struct acl_subject_label *matchps;
34681+ struct acl_subject_label *subj;
34682+ struct acl_role_label *role;
ae4e228f 34683+ unsigned int x;
58c5fc13 34684+
ae4e228f 34685+ FOR_EACH_ROLE_START(role)
58c5fc13
MT
34686+ FOR_EACH_SUBJECT_START(role, subj, x)
34687+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
34688+ matchpo->mode |= GR_DELETED;
34689+ FOR_EACH_SUBJECT_END(subj,x)
34690+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
34691+ if (subj->inode == ino && subj->device == dev)
34692+ subj->mode |= GR_DELETED;
34693+ FOR_EACH_NESTED_SUBJECT_END(subj)
34694+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
34695+ matchps->mode |= GR_DELETED;
ae4e228f 34696+ FOR_EACH_ROLE_END(role)
58c5fc13
MT
34697+
34698+ inodev->nentry->deleted = 1;
34699+
34700+ return;
34701+}
34702+
34703+void
34704+gr_handle_delete(const ino_t ino, const dev_t dev)
34705+{
34706+ struct inodev_entry *inodev;
34707+
34708+ if (unlikely(!(gr_status & GR_READY)))
34709+ return;
34710+
34711+ write_lock(&gr_inode_lock);
34712+ inodev = lookup_inodev_entry(ino, dev);
34713+ if (inodev != NULL)
34714+ do_handle_delete(inodev, ino, dev);
34715+ write_unlock(&gr_inode_lock);
34716+
34717+ return;
34718+}
34719+
34720+static void
34721+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
34722+ const ino_t newinode, const dev_t newdevice,
34723+ struct acl_subject_label *subj)
34724+{
34725+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
34726+ struct acl_object_label *match;
34727+
34728+ match = subj->obj_hash[index];
34729+
34730+ while (match && (match->inode != oldinode ||
34731+ match->device != olddevice ||
34732+ !(match->mode & GR_DELETED)))
34733+ match = match->next;
34734+
34735+ if (match && (match->inode == oldinode)
34736+ && (match->device == olddevice)
34737+ && (match->mode & GR_DELETED)) {
34738+ if (match->prev == NULL) {
34739+ subj->obj_hash[index] = match->next;
34740+ if (match->next != NULL)
34741+ match->next->prev = NULL;
34742+ } else {
34743+ match->prev->next = match->next;
34744+ if (match->next != NULL)
34745+ match->next->prev = match->prev;
34746+ }
34747+ match->prev = NULL;
34748+ match->next = NULL;
34749+ match->inode = newinode;
34750+ match->device = newdevice;
34751+ match->mode &= ~GR_DELETED;
34752+
34753+ insert_acl_obj_label(match, subj);
34754+ }
34755+
34756+ return;
34757+}
34758+
34759+static void
34760+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
34761+ const ino_t newinode, const dev_t newdevice,
34762+ struct acl_role_label *role)
34763+{
34764+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
34765+ struct acl_subject_label *match;
34766+
34767+ match = role->subj_hash[index];
34768+
34769+ while (match && (match->inode != oldinode ||
34770+ match->device != olddevice ||
34771+ !(match->mode & GR_DELETED)))
34772+ match = match->next;
34773+
34774+ if (match && (match->inode == oldinode)
34775+ && (match->device == olddevice)
34776+ && (match->mode & GR_DELETED)) {
34777+ if (match->prev == NULL) {
34778+ role->subj_hash[index] = match->next;
34779+ if (match->next != NULL)
34780+ match->next->prev = NULL;
34781+ } else {
34782+ match->prev->next = match->next;
34783+ if (match->next != NULL)
34784+ match->next->prev = match->prev;
34785+ }
34786+ match->prev = NULL;
34787+ match->next = NULL;
34788+ match->inode = newinode;
34789+ match->device = newdevice;
34790+ match->mode &= ~GR_DELETED;
34791+
34792+ insert_acl_subj_label(match, role);
34793+ }
34794+
34795+ return;
34796+}
34797+
34798+static void
34799+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
34800+ const ino_t newinode, const dev_t newdevice)
34801+{
34802+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
34803+ struct inodev_entry *match;
34804+
34805+ match = inodev_set.i_hash[index];
34806+
34807+ while (match && (match->nentry->inode != oldinode ||
34808+ match->nentry->device != olddevice || !match->nentry->deleted))
34809+ match = match->next;
34810+
34811+ if (match && (match->nentry->inode == oldinode)
34812+ && (match->nentry->device == olddevice) &&
34813+ match->nentry->deleted) {
34814+ if (match->prev == NULL) {
34815+ inodev_set.i_hash[index] = match->next;
34816+ if (match->next != NULL)
34817+ match->next->prev = NULL;
34818+ } else {
34819+ match->prev->next = match->next;
34820+ if (match->next != NULL)
34821+ match->next->prev = match->prev;
34822+ }
34823+ match->prev = NULL;
34824+ match->next = NULL;
34825+ match->nentry->inode = newinode;
34826+ match->nentry->device = newdevice;
34827+ match->nentry->deleted = 0;
34828+
34829+ insert_inodev_entry(match);
34830+ }
34831+
34832+ return;
34833+}
34834+
34835+static void
34836+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
34837+ const struct vfsmount *mnt)
34838+{
34839+ struct acl_subject_label *subj;
34840+ struct acl_role_label *role;
ae4e228f
MT
34841+ unsigned int x;
34842+
34843+ FOR_EACH_ROLE_START(role)
58c5fc13
MT
34844+ update_acl_subj_label(matchn->inode, matchn->device,
34845+ dentry->d_inode->i_ino,
34846+ dentry->d_inode->i_sb->s_dev, role);
34847+
34848+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
34849+ if ((subj->inode == dentry->d_inode->i_ino) &&
34850+ (subj->device == dentry->d_inode->i_sb->s_dev)) {
34851+ subj->inode = dentry->d_inode->i_ino;
34852+ subj->device = dentry->d_inode->i_sb->s_dev;
34853+ }
34854+ FOR_EACH_NESTED_SUBJECT_END(subj)
34855+ FOR_EACH_SUBJECT_START(role, subj, x)
34856+ update_acl_obj_label(matchn->inode, matchn->device,
34857+ dentry->d_inode->i_ino,
34858+ dentry->d_inode->i_sb->s_dev, subj);
34859+ FOR_EACH_SUBJECT_END(subj,x)
ae4e228f 34860+ FOR_EACH_ROLE_END(role)
58c5fc13
MT
34861+
34862+ update_inodev_entry(matchn->inode, matchn->device,
34863+ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
34864+
34865+ return;
34866+}
34867+
34868+void
34869+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
34870+{
34871+ struct name_entry *matchn;
34872+
34873+ if (unlikely(!(gr_status & GR_READY)))
34874+ return;
34875+
34876+ preempt_disable();
34877+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
34878+
34879+ if (unlikely((unsigned long)matchn)) {
34880+ write_lock(&gr_inode_lock);
34881+ do_handle_create(matchn, dentry, mnt);
34882+ write_unlock(&gr_inode_lock);
34883+ }
34884+ preempt_enable();
34885+
34886+ return;
34887+}
34888+
34889+void
34890+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
34891+ struct dentry *old_dentry,
34892+ struct dentry *new_dentry,
34893+ struct vfsmount *mnt, const __u8 replace)
34894+{
34895+ struct name_entry *matchn;
34896+ struct inodev_entry *inodev;
34897+
34898+ /* vfs_rename swaps the name and parent link for old_dentry and
34899+ new_dentry
34900+ at this point, old_dentry has the new name, parent link, and inode
34901+ for the renamed file
34902+ if a file is being replaced by a rename, new_dentry has the inode
34903+ and name for the replaced file
34904+ */
34905+
34906+ if (unlikely(!(gr_status & GR_READY)))
34907+ return;
34908+
34909+ preempt_disable();
34910+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
34911+
34912+ /* we wouldn't have to check d_inode if it weren't for
34913+ NFS silly-renaming
34914+ */
34915+
34916+ write_lock(&gr_inode_lock);
34917+ if (unlikely(replace && new_dentry->d_inode)) {
34918+ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
34919+ new_dentry->d_inode->i_sb->s_dev);
34920+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
34921+ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
34922+ new_dentry->d_inode->i_sb->s_dev);
34923+ }
34924+
34925+ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
34926+ old_dentry->d_inode->i_sb->s_dev);
34927+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
34928+ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
34929+ old_dentry->d_inode->i_sb->s_dev);
34930+
34931+ if (unlikely((unsigned long)matchn))
34932+ do_handle_create(matchn, old_dentry, mnt);
34933+
34934+ write_unlock(&gr_inode_lock);
34935+ preempt_enable();
34936+
34937+ return;
34938+}
34939+
34940+static int
34941+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
34942+ unsigned char **sum)
34943+{
34944+ struct acl_role_label *r;
34945+ struct role_allowed_ip *ipp;
34946+ struct role_transition *trans;
34947+ unsigned int i;
34948+ int found = 0;
34949+
34950+ /* check transition table */
34951+
34952+ for (trans = current->role->transitions; trans; trans = trans->next) {
34953+ if (!strcmp(rolename, trans->rolename)) {
34954+ found = 1;
34955+ break;
34956+ }
34957+ }
34958+
34959+ if (!found)
34960+ return 0;
34961+
34962+ /* handle special roles that do not require authentication
34963+ and check ip */
34964+
ae4e228f 34965+ FOR_EACH_ROLE_START(r)
58c5fc13
MT
34966+ if (!strcmp(rolename, r->rolename) &&
34967+ (r->roletype & GR_ROLE_SPECIAL)) {
34968+ found = 0;
34969+ if (r->allowed_ips != NULL) {
34970+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
34971+ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
34972+ (ntohl(ipp->addr) & ipp->netmask))
34973+ found = 1;
34974+ }
34975+ } else
34976+ found = 2;
34977+ if (!found)
34978+ return 0;
34979+
34980+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
34981+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
34982+ *salt = NULL;
34983+ *sum = NULL;
34984+ return 1;
34985+ }
34986+ }
ae4e228f 34987+ FOR_EACH_ROLE_END(r)
58c5fc13
MT
34988+
34989+ for (i = 0; i < num_sprole_pws; i++) {
34990+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
34991+ *salt = acl_special_roles[i]->salt;
34992+ *sum = acl_special_roles[i]->sum;
34993+ return 1;
34994+ }
34995+ }
34996+
34997+ return 0;
34998+}
34999+
35000+static void
35001+assign_special_role(char *rolename)
35002+{
35003+ struct acl_object_label *obj;
35004+ struct acl_role_label *r;
35005+ struct acl_role_label *assigned = NULL;
35006+ struct task_struct *tsk;
35007+ struct file *filp;
58c5fc13 35008+
ae4e228f 35009+ FOR_EACH_ROLE_START(r)
58c5fc13 35010+ if (!strcmp(rolename, r->rolename) &&
ae4e228f 35011+ (r->roletype & GR_ROLE_SPECIAL)) {
58c5fc13 35012+ assigned = r;
ae4e228f
MT
35013+ break;
35014+ }
35015+ FOR_EACH_ROLE_END(r)
58c5fc13
MT
35016+
35017+ if (!assigned)
35018+ return;
35019+
35020+ read_lock(&tasklist_lock);
35021+ read_lock(&grsec_exec_file_lock);
35022+
35023+ tsk = current->parent;
35024+ if (tsk == NULL)
35025+ goto out_unlock;
35026+
35027+ filp = tsk->exec_file;
35028+ if (filp == NULL)
35029+ goto out_unlock;
35030+
35031+ tsk->is_writable = 0;
35032+
35033+ tsk->acl_sp_role = 1;
35034+ tsk->acl_role_id = ++acl_sp_role_value;
35035+ tsk->role = assigned;
35036+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
35037+
35038+ /* ignore additional mmap checks for processes that are writable
35039+ by the default ACL */
35040+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35041+ if (unlikely(obj->mode & GR_WRITE))
35042+ tsk->is_writable = 1;
35043+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
35044+ if (unlikely(obj->mode & GR_WRITE))
35045+ tsk->is_writable = 1;
35046+
35047+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35048+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
35049+#endif
35050+
35051+out_unlock:
35052+ read_unlock(&grsec_exec_file_lock);
35053+ read_unlock(&tasklist_lock);
35054+ return;
35055+}
35056+
35057+int gr_check_secure_terminal(struct task_struct *task)
35058+{
35059+ struct task_struct *p, *p2, *p3;
35060+ struct files_struct *files;
35061+ struct fdtable *fdt;
35062+ struct file *our_file = NULL, *file;
35063+ int i;
35064+
35065+ if (task->signal->tty == NULL)
35066+ return 1;
35067+
35068+ files = get_files_struct(task);
35069+ if (files != NULL) {
35070+ rcu_read_lock();
35071+ fdt = files_fdtable(files);
35072+ for (i=0; i < fdt->max_fds; i++) {
35073+ file = fcheck_files(files, i);
35074+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
35075+ get_file(file);
35076+ our_file = file;
35077+ }
35078+ }
35079+ rcu_read_unlock();
35080+ put_files_struct(files);
35081+ }
35082+
35083+ if (our_file == NULL)
35084+ return 1;
35085+
35086+ read_lock(&tasklist_lock);
35087+ do_each_thread(p2, p) {
35088+ files = get_files_struct(p);
35089+ if (files == NULL ||
35090+ (p->signal && p->signal->tty == task->signal->tty)) {
35091+ if (files != NULL)
35092+ put_files_struct(files);
35093+ continue;
35094+ }
35095+ rcu_read_lock();
35096+ fdt = files_fdtable(files);
35097+ for (i=0; i < fdt->max_fds; i++) {
35098+ file = fcheck_files(files, i);
35099+ if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
35100+ file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
35101+ p3 = task;
35102+ while (p3->pid > 0) {
35103+ if (p3 == p)
35104+ break;
35105+ p3 = p3->parent;
35106+ }
35107+ if (p3 == p)
35108+ break;
35109+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
35110+ gr_handle_alertkill(p);
35111+ rcu_read_unlock();
35112+ put_files_struct(files);
35113+ read_unlock(&tasklist_lock);
35114+ fput(our_file);
35115+ return 0;
35116+ }
35117+ }
35118+ rcu_read_unlock();
35119+ put_files_struct(files);
35120+ } while_each_thread(p2, p);
35121+ read_unlock(&tasklist_lock);
35122+
35123+ fput(our_file);
35124+ return 1;
35125+}
35126+
35127+ssize_t
35128+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
35129+{
35130+ struct gr_arg_wrapper uwrap;
ae4e228f
MT
35131+ unsigned char *sprole_salt = NULL;
35132+ unsigned char *sprole_sum = NULL;
58c5fc13
MT
35133+ int error = sizeof (struct gr_arg_wrapper);
35134+ int error2 = 0;
35135+
35136+ down(&gr_dev_sem);
35137+
35138+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
35139+ error = -EPERM;
35140+ goto out;
35141+ }
35142+
35143+ if (count != sizeof (struct gr_arg_wrapper)) {
35144+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
35145+ error = -EINVAL;
35146+ goto out;
35147+ }
35148+
35149+
35150+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
35151+ gr_auth_expires = 0;
35152+ gr_auth_attempts = 0;
35153+ }
35154+
35155+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
35156+ error = -EFAULT;
35157+ goto out;
35158+ }
35159+
35160+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
35161+ error = -EINVAL;
35162+ goto out;
35163+ }
35164+
35165+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
35166+ error = -EFAULT;
35167+ goto out;
35168+ }
35169+
35170+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35171+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35172+ time_after(gr_auth_expires, get_seconds())) {
35173+ error = -EBUSY;
35174+ goto out;
35175+ }
35176+
35177+ /* if non-root trying to do anything other than use a special role,
35178+ do not attempt authentication, do not count towards authentication
35179+ locking
35180+ */
35181+
35182+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
35183+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
35184+ current_uid()) {
35185+ error = -EPERM;
35186+ goto out;
35187+ }
35188+
35189+ /* ensure pw and special role name are null terminated */
35190+
35191+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
35192+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
35193+
35194+ /* Okay.
35195+ * We have our enough of the argument structure..(we have yet
35196+ * to copy_from_user the tables themselves) . Copy the tables
35197+ * only if we need them, i.e. for loading operations. */
35198+
35199+ switch (gr_usermode->mode) {
35200+ case GR_STATUS:
35201+ if (gr_status & GR_READY) {
35202+ error = 1;
35203+ if (!gr_check_secure_terminal(current))
35204+ error = 3;
35205+ } else
35206+ error = 2;
35207+ goto out;
35208+ case GR_SHUTDOWN:
35209+ if ((gr_status & GR_READY)
35210+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
ae4e228f 35211+ pax_open_kernel();
58c5fc13 35212+ gr_status &= ~GR_READY;
ae4e228f
MT
35213+ pax_close_kernel();
35214+
58c5fc13
MT
35215+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
35216+ free_variables();
35217+ memset(gr_usermode, 0, sizeof (struct gr_arg));
35218+ memset(gr_system_salt, 0, GR_SALT_LEN);
35219+ memset(gr_system_sum, 0, GR_SHA_LEN);
35220+ } else if (gr_status & GR_READY) {
35221+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
35222+ error = -EPERM;
35223+ } else {
35224+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
35225+ error = -EAGAIN;
35226+ }
35227+ break;
35228+ case GR_ENABLE:
35229+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
35230+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
35231+ else {
35232+ if (gr_status & GR_READY)
35233+ error = -EAGAIN;
35234+ else
35235+ error = error2;
35236+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
35237+ }
35238+ break;
35239+ case GR_RELOAD:
35240+ if (!(gr_status & GR_READY)) {
35241+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
35242+ error = -EAGAIN;
35243+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35244+ lock_kernel();
58c5fc13 35245+
ae4e228f 35246+ pax_open_kernel();
58c5fc13 35247+ gr_status &= ~GR_READY;
ae4e228f
MT
35248+ pax_close_kernel();
35249+
58c5fc13
MT
35250+ free_variables();
35251+ if (!(error2 = gracl_init(gr_usermode))) {
35252+ unlock_kernel();
35253+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
35254+ } else {
35255+ unlock_kernel();
35256+ error = error2;
35257+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35258+ }
35259+ } else {
35260+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
35261+ error = -EPERM;
35262+ }
35263+ break;
35264+ case GR_SEGVMOD:
35265+ if (unlikely(!(gr_status & GR_READY))) {
35266+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
35267+ error = -EAGAIN;
35268+ break;
35269+ }
35270+
35271+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
35272+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
35273+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
35274+ struct acl_subject_label *segvacl;
35275+ segvacl =
35276+ lookup_acl_subj_label(gr_usermode->segv_inode,
35277+ gr_usermode->segv_device,
35278+ current->role);
35279+ if (segvacl) {
35280+ segvacl->crashes = 0;
35281+ segvacl->expires = 0;
35282+ }
35283+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
35284+ gr_remove_uid(gr_usermode->segv_uid);
35285+ }
35286+ } else {
35287+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
35288+ error = -EPERM;
35289+ }
35290+ break;
35291+ case GR_SPROLE:
35292+ case GR_SPROLEPAM:
35293+ if (unlikely(!(gr_status & GR_READY))) {
35294+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
35295+ error = -EAGAIN;
35296+ break;
35297+ }
35298+
35299+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
35300+ current->role->expires = 0;
35301+ current->role->auth_attempts = 0;
35302+ }
35303+
35304+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
35305+ time_after(current->role->expires, get_seconds())) {
35306+ error = -EBUSY;
35307+ goto out;
35308+ }
35309+
35310+ if (lookup_special_role_auth
35311+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
35312+ && ((!sprole_salt && !sprole_sum)
35313+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
35314+ char *p = "";
35315+ assign_special_role(gr_usermode->sp_role);
35316+ read_lock(&tasklist_lock);
35317+ if (current->parent)
35318+ p = current->parent->role->rolename;
35319+ read_unlock(&tasklist_lock);
35320+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
35321+ p, acl_sp_role_value);
35322+ } else {
35323+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
35324+ error = -EPERM;
35325+ if(!(current->role->auth_attempts++))
35326+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35327+
35328+ goto out;
35329+ }
35330+ break;
35331+ case GR_UNSPROLE:
35332+ if (unlikely(!(gr_status & GR_READY))) {
35333+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
35334+ error = -EAGAIN;
35335+ break;
35336+ }
35337+
35338+ if (current->role->roletype & GR_ROLE_SPECIAL) {
35339+ char *p = "";
35340+ int i = 0;
35341+
35342+ read_lock(&tasklist_lock);
35343+ if (current->parent) {
35344+ p = current->parent->role->rolename;
35345+ i = current->parent->acl_role_id;
35346+ }
35347+ read_unlock(&tasklist_lock);
35348+
35349+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
35350+ gr_set_acls(1);
35351+ } else {
58c5fc13
MT
35352+ error = -EPERM;
35353+ goto out;
35354+ }
35355+ break;
35356+ default:
35357+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
35358+ error = -EINVAL;
35359+ break;
35360+ }
35361+
35362+ if (error != -EPERM)
35363+ goto out;
35364+
35365+ if(!(gr_auth_attempts++))
35366+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
35367+
35368+ out:
35369+ up(&gr_dev_sem);
35370+ return error;
35371+}
35372+
35373+int
35374+gr_set_acls(const int type)
35375+{
35376+ struct acl_object_label *obj;
35377+ struct task_struct *task, *task2;
35378+ struct file *filp;
35379+ struct acl_role_label *role = current->role;
35380+ __u16 acl_role_id = current->acl_role_id;
35381+ const struct cred *cred;
35382+ char *tmpname;
35383+ struct name_entry *nmatch;
35384+ struct acl_subject_label *tmpsubj;
35385+
ae4e228f 35386+ rcu_read_lock();
58c5fc13
MT
35387+ read_lock(&tasklist_lock);
35388+ read_lock(&grsec_exec_file_lock);
35389+ do_each_thread(task2, task) {
35390+ /* check to see if we're called from the exit handler,
35391+ if so, only replace ACLs that have inherited the admin
35392+ ACL */
35393+
35394+ if (type && (task->role != role ||
35395+ task->acl_role_id != acl_role_id))
35396+ continue;
35397+
35398+ task->acl_role_id = 0;
35399+ task->acl_sp_role = 0;
35400+
35401+ if ((filp = task->exec_file)) {
35402+ cred = __task_cred(task);
35403+ task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
35404+
35405+ /* the following is to apply the correct subject
35406+ on binaries running when the RBAC system
35407+ is enabled, when the binaries have been
35408+ replaced or deleted since their execution
35409+ -----
35410+ when the RBAC system starts, the inode/dev
35411+ from exec_file will be one the RBAC system
35412+ is unaware of. It only knows the inode/dev
35413+ of the present file on disk, or the absence
35414+ of it.
35415+ */
35416+ preempt_disable();
35417+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
35418+
35419+ nmatch = lookup_name_entry(tmpname);
35420+ preempt_enable();
35421+ tmpsubj = NULL;
35422+ if (nmatch) {
35423+ if (nmatch->deleted)
35424+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
35425+ else
35426+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
35427+ if (tmpsubj != NULL)
35428+ task->acl = tmpsubj;
35429+ }
35430+ if (tmpsubj == NULL)
35431+ task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
35432+ task->role);
35433+ if (task->acl) {
35434+ struct acl_subject_label *curr;
35435+ curr = task->acl;
35436+
35437+ task->is_writable = 0;
35438+ /* ignore additional mmap checks for processes that are writable
35439+ by the default ACL */
35440+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35441+ if (unlikely(obj->mode & GR_WRITE))
35442+ task->is_writable = 1;
35443+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
35444+ if (unlikely(obj->mode & GR_WRITE))
35445+ task->is_writable = 1;
35446+
35447+ gr_set_proc_res(task);
35448+
35449+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35450+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
35451+#endif
35452+ } else {
35453+ read_unlock(&grsec_exec_file_lock);
35454+ read_unlock(&tasklist_lock);
ae4e228f 35455+ rcu_read_unlock();
58c5fc13
MT
35456+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
35457+ return 1;
35458+ }
35459+ } else {
35460+ // it's a kernel process
35461+ task->role = kernel_role;
35462+ task->acl = kernel_role->root_label;
35463+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
35464+ task->acl->mode &= ~GR_PROCFIND;
35465+#endif
35466+ }
35467+ } while_each_thread(task2, task);
35468+ read_unlock(&grsec_exec_file_lock);
35469+ read_unlock(&tasklist_lock);
ae4e228f
MT
35470+ rcu_read_unlock();
35471+
58c5fc13
MT
35472+ return 0;
35473+}
35474+
35475+void
35476+gr_learn_resource(const struct task_struct *task,
35477+ const int res, const unsigned long wanted, const int gt)
35478+{
35479+ struct acl_subject_label *acl;
35480+ const struct cred *cred;
35481+
35482+ if (unlikely((gr_status & GR_READY) &&
35483+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
35484+ goto skip_reslog;
35485+
35486+#ifdef CONFIG_GRKERNSEC_RESLOG
35487+ gr_log_resource(task, res, wanted, gt);
35488+#endif
35489+ skip_reslog:
35490+
35491+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
35492+ return;
35493+
35494+ acl = task->acl;
35495+
35496+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
35497+ !(acl->resmask & (1 << (unsigned short) res))))
35498+ return;
35499+
35500+ if (wanted >= acl->res[res].rlim_cur) {
35501+ unsigned long res_add;
35502+
35503+ res_add = wanted;
35504+ switch (res) {
35505+ case RLIMIT_CPU:
35506+ res_add += GR_RLIM_CPU_BUMP;
35507+ break;
35508+ case RLIMIT_FSIZE:
35509+ res_add += GR_RLIM_FSIZE_BUMP;
35510+ break;
35511+ case RLIMIT_DATA:
35512+ res_add += GR_RLIM_DATA_BUMP;
35513+ break;
35514+ case RLIMIT_STACK:
35515+ res_add += GR_RLIM_STACK_BUMP;
35516+ break;
35517+ case RLIMIT_CORE:
35518+ res_add += GR_RLIM_CORE_BUMP;
35519+ break;
35520+ case RLIMIT_RSS:
35521+ res_add += GR_RLIM_RSS_BUMP;
35522+ break;
35523+ case RLIMIT_NPROC:
35524+ res_add += GR_RLIM_NPROC_BUMP;
35525+ break;
35526+ case RLIMIT_NOFILE:
35527+ res_add += GR_RLIM_NOFILE_BUMP;
35528+ break;
35529+ case RLIMIT_MEMLOCK:
35530+ res_add += GR_RLIM_MEMLOCK_BUMP;
35531+ break;
35532+ case RLIMIT_AS:
35533+ res_add += GR_RLIM_AS_BUMP;
35534+ break;
35535+ case RLIMIT_LOCKS:
35536+ res_add += GR_RLIM_LOCKS_BUMP;
35537+ break;
35538+ case RLIMIT_SIGPENDING:
35539+ res_add += GR_RLIM_SIGPENDING_BUMP;
35540+ break;
35541+ case RLIMIT_MSGQUEUE:
35542+ res_add += GR_RLIM_MSGQUEUE_BUMP;
35543+ break;
35544+ case RLIMIT_NICE:
35545+ res_add += GR_RLIM_NICE_BUMP;
35546+ break;
35547+ case RLIMIT_RTPRIO:
35548+ res_add += GR_RLIM_RTPRIO_BUMP;
35549+ break;
35550+ case RLIMIT_RTTIME:
35551+ res_add += GR_RLIM_RTTIME_BUMP;
35552+ break;
35553+ }
35554+
35555+ acl->res[res].rlim_cur = res_add;
35556+
35557+ if (wanted > acl->res[res].rlim_max)
35558+ acl->res[res].rlim_max = res_add;
35559+
35560+ /* only log the subject filename, since resource logging is supported for
35561+ single-subject learning only */
ae4e228f 35562+ rcu_read_lock();
58c5fc13
MT
35563+ cred = __task_cred(task);
35564+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
35565+ task->role->roletype, cred->uid, cred->gid, acl->filename,
35566+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
ae4e228f
MT
35567+ "", (unsigned long) res, &task->signal->curr_ip);
35568+ rcu_read_unlock();
58c5fc13
MT
35569+ }
35570+
35571+ return;
35572+}
35573+
35574+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
35575+void
35576+pax_set_initial_flags(struct linux_binprm *bprm)
35577+{
35578+ struct task_struct *task = current;
35579+ struct acl_subject_label *proc;
35580+ unsigned long flags;
35581+
35582+ if (unlikely(!(gr_status & GR_READY)))
35583+ return;
35584+
35585+ flags = pax_get_flags(task);
35586+
35587+ proc = task->acl;
35588+
35589+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
35590+ flags &= ~MF_PAX_PAGEEXEC;
35591+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
35592+ flags &= ~MF_PAX_SEGMEXEC;
35593+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
35594+ flags &= ~MF_PAX_RANDMMAP;
35595+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
35596+ flags &= ~MF_PAX_EMUTRAMP;
35597+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
35598+ flags &= ~MF_PAX_MPROTECT;
35599+
35600+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
35601+ flags |= MF_PAX_PAGEEXEC;
35602+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
35603+ flags |= MF_PAX_SEGMEXEC;
35604+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
35605+ flags |= MF_PAX_RANDMMAP;
35606+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
35607+ flags |= MF_PAX_EMUTRAMP;
35608+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
35609+ flags |= MF_PAX_MPROTECT;
35610+
35611+ pax_set_flags(task, flags);
35612+
35613+ return;
35614+}
35615+#endif
35616+
35617+#ifdef CONFIG_SYSCTL
35618+/* Eric Biederman likes breaking userland ABI and every inode-based security
35619+ system to save 35kb of memory */
35620+
35621+/* we modify the passed in filename, but adjust it back before returning */
35622+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
35623+{
35624+ struct name_entry *nmatch;
35625+ char *p, *lastp = NULL;
35626+ struct acl_object_label *obj = NULL, *tmp;
35627+ struct acl_subject_label *tmpsubj;
35628+ char c = '\0';
35629+
35630+ read_lock(&gr_inode_lock);
35631+
35632+ p = name + len - 1;
35633+ do {
35634+ nmatch = lookup_name_entry(name);
35635+ if (lastp != NULL)
35636+ *lastp = c;
35637+
35638+ if (nmatch == NULL)
35639+ goto next_component;
35640+ tmpsubj = current->acl;
35641+ do {
35642+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
35643+ if (obj != NULL) {
35644+ tmp = obj->globbed;
35645+ while (tmp) {
35646+ if (!glob_match(tmp->filename, name)) {
35647+ obj = tmp;
35648+ goto found_obj;
35649+ }
35650+ tmp = tmp->next;
35651+ }
35652+ goto found_obj;
35653+ }
35654+ } while ((tmpsubj = tmpsubj->parent_subject));
35655+next_component:
35656+ /* end case */
35657+ if (p == name)
35658+ break;
35659+
35660+ while (*p != '/')
35661+ p--;
35662+ if (p == name)
35663+ lastp = p + 1;
35664+ else {
35665+ lastp = p;
35666+ p--;
35667+ }
35668+ c = *lastp;
35669+ *lastp = '\0';
35670+ } while (1);
35671+found_obj:
35672+ read_unlock(&gr_inode_lock);
35673+ /* obj returned will always be non-null */
35674+ return obj;
35675+}
35676+
35677+/* returns 0 when allowing, non-zero on error
35678+ op of 0 is used for readdir, so we don't log the names of hidden files
35679+*/
35680+__u32
35681+gr_handle_sysctl(const struct ctl_table *table, const int op)
35682+{
35683+ ctl_table *tmp;
35684+ const char *proc_sys = "/proc/sys";
35685+ char *path;
35686+ struct acl_object_label *obj;
35687+ unsigned short len = 0, pos = 0, depth = 0, i;
35688+ __u32 err = 0;
35689+ __u32 mode = 0;
35690+
35691+ if (unlikely(!(gr_status & GR_READY)))
35692+ return 0;
35693+
35694+ /* for now, ignore operations on non-sysctl entries if it's not a
35695+ readdir*/
35696+ if (table->child != NULL && op != 0)
35697+ return 0;
35698+
35699+ mode |= GR_FIND;
35700+ /* it's only a read if it's an entry, read on dirs is for readdir */
35701+ if (op & MAY_READ)
35702+ mode |= GR_READ;
35703+ if (op & MAY_WRITE)
35704+ mode |= GR_WRITE;
35705+
35706+ preempt_disable();
35707+
35708+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
35709+
35710+ /* it's only a read/write if it's an actual entry, not a dir
35711+ (which are opened for readdir)
35712+ */
35713+
35714+ /* convert the requested sysctl entry into a pathname */
35715+
35716+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35717+ len += strlen(tmp->procname);
35718+ len++;
35719+ depth++;
35720+ }
35721+
35722+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
35723+ /* deny */
35724+ goto out;
35725+ }
35726+
35727+ memset(path, 0, PAGE_SIZE);
35728+
35729+ memcpy(path, proc_sys, strlen(proc_sys));
35730+
35731+ pos += strlen(proc_sys);
35732+
35733+ for (; depth > 0; depth--) {
35734+ path[pos] = '/';
35735+ pos++;
35736+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
35737+ if (depth == i) {
35738+ memcpy(path + pos, tmp->procname,
35739+ strlen(tmp->procname));
35740+ pos += strlen(tmp->procname);
35741+ }
35742+ i++;
35743+ }
35744+ }
35745+
35746+ obj = gr_lookup_by_name(path, pos);
35747+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
35748+
35749+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
35750+ ((err & mode) != mode))) {
35751+ __u32 new_mode = mode;
35752+
35753+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
35754+
35755+ err = 0;
35756+ gr_log_learn_sysctl(path, new_mode);
35757+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
35758+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
35759+ err = -ENOENT;
35760+ } else if (!(err & GR_FIND)) {
35761+ err = -ENOENT;
35762+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
35763+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
35764+ path, (mode & GR_READ) ? " reading" : "",
35765+ (mode & GR_WRITE) ? " writing" : "");
35766+ err = -EACCES;
35767+ } else if ((err & mode) != mode) {
35768+ err = -EACCES;
35769+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
35770+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
35771+ path, (mode & GR_READ) ? " reading" : "",
35772+ (mode & GR_WRITE) ? " writing" : "");
35773+ err = 0;
35774+ } else
35775+ err = 0;
35776+
35777+ out:
35778+ preempt_enable();
35779+
35780+ return err;
35781+}
35782+#endif
35783+
35784+int
35785+gr_handle_proc_ptrace(struct task_struct *task)
35786+{
35787+ struct file *filp;
35788+ struct task_struct *tmp = task;
35789+ struct task_struct *curtemp = current;
35790+ __u32 retmode;
35791+
35792+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35793+ if (unlikely(!(gr_status & GR_READY)))
35794+ return 0;
35795+#endif
35796+
35797+ read_lock(&tasklist_lock);
35798+ read_lock(&grsec_exec_file_lock);
35799+ filp = task->exec_file;
35800+
35801+ while (tmp->pid > 0) {
35802+ if (tmp == curtemp)
35803+ break;
35804+ tmp = tmp->parent;
35805+ }
35806+
35807+ if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35808+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
35809+ read_unlock(&grsec_exec_file_lock);
35810+ read_unlock(&tasklist_lock);
35811+ return 1;
35812+ }
35813+
35814+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35815+ if (!(gr_status & GR_READY)) {
35816+ read_unlock(&grsec_exec_file_lock);
35817+ read_unlock(&tasklist_lock);
35818+ return 0;
35819+ }
35820+#endif
35821+
35822+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
35823+ read_unlock(&grsec_exec_file_lock);
35824+ read_unlock(&tasklist_lock);
35825+
35826+ if (retmode & GR_NOPTRACE)
35827+ return 1;
35828+
35829+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
35830+ && (current->acl != task->acl || (current->acl != current->role->root_label
35831+ && current->pid != task->pid)))
35832+ return 1;
35833+
35834+ return 0;
35835+}
35836+
35837+int
35838+gr_handle_ptrace(struct task_struct *task, const long request)
35839+{
35840+ struct task_struct *tmp = task;
35841+ struct task_struct *curtemp = current;
35842+ __u32 retmode;
35843+
35844+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
35845+ if (unlikely(!(gr_status & GR_READY)))
35846+ return 0;
35847+#endif
35848+
35849+ read_lock(&tasklist_lock);
35850+ while (tmp->pid > 0) {
35851+ if (tmp == curtemp)
35852+ break;
35853+ tmp = tmp->parent;
35854+ }
35855+
35856+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
35857+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
35858+ read_unlock(&tasklist_lock);
35859+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35860+ return 1;
35861+ }
35862+ read_unlock(&tasklist_lock);
35863+
35864+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
35865+ if (!(gr_status & GR_READY))
35866+ return 0;
35867+#endif
35868+
35869+ read_lock(&grsec_exec_file_lock);
35870+ if (unlikely(!task->exec_file)) {
35871+ read_unlock(&grsec_exec_file_lock);
35872+ return 0;
35873+ }
35874+
35875+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
35876+ read_unlock(&grsec_exec_file_lock);
35877+
35878+ if (retmode & GR_NOPTRACE) {
35879+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35880+ return 1;
35881+ }
35882+
35883+ if (retmode & GR_PTRACERD) {
35884+ switch (request) {
35885+ case PTRACE_POKETEXT:
35886+ case PTRACE_POKEDATA:
35887+ case PTRACE_POKEUSR:
35888+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
35889+ case PTRACE_SETREGS:
35890+ case PTRACE_SETFPREGS:
35891+#endif
35892+#ifdef CONFIG_X86
35893+ case PTRACE_SETFPXREGS:
35894+#endif
35895+#ifdef CONFIG_ALTIVEC
35896+ case PTRACE_SETVRREGS:
35897+#endif
35898+ return 1;
35899+ default:
35900+ return 0;
35901+ }
35902+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
35903+ !(current->role->roletype & GR_ROLE_GOD) &&
35904+ (current->acl != task->acl)) {
35905+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
35906+ return 1;
35907+ }
35908+
35909+ return 0;
35910+}
35911+
35912+static int is_writable_mmap(const struct file *filp)
35913+{
35914+ struct task_struct *task = current;
35915+ struct acl_object_label *obj, *obj2;
35916+
35917+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
35918+ !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode)) {
35919+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
35920+ obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
35921+ task->role->root_label);
35922+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
35923+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
35924+ return 1;
35925+ }
35926+ }
35927+ return 0;
35928+}
35929+
35930+int
35931+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
35932+{
35933+ __u32 mode;
35934+
35935+ if (unlikely(!file || !(prot & PROT_EXEC)))
35936+ return 1;
35937+
35938+ if (is_writable_mmap(file))
35939+ return 0;
35940+
35941+ mode =
35942+ gr_search_file(file->f_path.dentry,
35943+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35944+ file->f_path.mnt);
35945+
35946+ if (!gr_tpe_allow(file))
35947+ return 0;
35948+
35949+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35950+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35951+ return 0;
35952+ } else if (unlikely(!(mode & GR_EXEC))) {
35953+ return 0;
35954+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35955+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35956+ return 1;
35957+ }
35958+
35959+ return 1;
35960+}
35961+
35962+int
35963+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
35964+{
35965+ __u32 mode;
35966+
35967+ if (unlikely(!file || !(prot & PROT_EXEC)))
35968+ return 1;
35969+
35970+ if (is_writable_mmap(file))
35971+ return 0;
35972+
35973+ mode =
35974+ gr_search_file(file->f_path.dentry,
35975+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
35976+ file->f_path.mnt);
35977+
35978+ if (!gr_tpe_allow(file))
35979+ return 0;
35980+
35981+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
35982+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35983+ return 0;
35984+ } else if (unlikely(!(mode & GR_EXEC))) {
35985+ return 0;
35986+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
35987+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
35988+ return 1;
35989+ }
35990+
35991+ return 1;
35992+}
35993+
35994+void
35995+gr_acl_handle_psacct(struct task_struct *task, const long code)
35996+{
35997+ unsigned long runtime;
35998+ unsigned long cputime;
35999+ unsigned int wday, cday;
36000+ __u8 whr, chr;
36001+ __u8 wmin, cmin;
36002+ __u8 wsec, csec;
36003+ struct timespec timeval;
36004+
36005+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
36006+ !(task->acl->mode & GR_PROCACCT)))
36007+ return;
36008+
36009+ do_posix_clock_monotonic_gettime(&timeval);
36010+ runtime = timeval.tv_sec - task->start_time.tv_sec;
36011+ wday = runtime / (3600 * 24);
36012+ runtime -= wday * (3600 * 24);
36013+ whr = runtime / 3600;
36014+ runtime -= whr * 3600;
36015+ wmin = runtime / 60;
36016+ runtime -= wmin * 60;
36017+ wsec = runtime;
36018+
36019+ cputime = (task->utime + task->stime) / HZ;
36020+ cday = cputime / (3600 * 24);
36021+ cputime -= cday * (3600 * 24);
36022+ chr = cputime / 3600;
36023+ cputime -= chr * 3600;
36024+ cmin = cputime / 60;
36025+ cputime -= cmin * 60;
36026+ csec = cputime;
36027+
36028+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
36029+
36030+ return;
36031+}
36032+
36033+void gr_set_kernel_label(struct task_struct *task)
36034+{
36035+ if (gr_status & GR_READY) {
36036+ task->role = kernel_role;
36037+ task->acl = kernel_role->root_label;
36038+ }
36039+ return;
36040+}
36041+
36042+#ifdef CONFIG_TASKSTATS
36043+int gr_is_taskstats_denied(int pid)
36044+{
36045+ struct task_struct *task;
36046+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36047+ const struct cred *cred;
36048+#endif
36049+ int ret = 0;
36050+
36051+ /* restrict taskstats viewing to un-chrooted root users
36052+ who have the 'view' subject flag if the RBAC system is enabled
36053+ */
36054+
36055+ read_lock(&tasklist_lock);
36056+ task = find_task_by_vpid(pid);
36057+ if (task) {
ae4e228f 36058+ gr_fs_read_lock(task);
58c5fc13
MT
36059+#ifdef CONFIG_GRKERNSEC_CHROOT
36060+ if (proc_is_chrooted(task))
36061+ ret = -EACCES;
36062+#endif
36063+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36064+ cred = __task_cred(task);
36065+#ifdef CONFIG_GRKERNSEC_PROC_USER
36066+ if (cred->uid != 0)
36067+ ret = -EACCES;
36068+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
36069+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
36070+ ret = -EACCES;
36071+#endif
36072+#endif
36073+ if (gr_status & GR_READY) {
36074+ if (!(task->acl->mode & GR_VIEW))
36075+ ret = -EACCES;
36076+ }
36077+
ae4e228f 36078+ gr_fs_read_unlock(task);
58c5fc13
MT
36079+ } else
36080+ ret = -ENOENT;
36081+
36082+ read_unlock(&tasklist_lock);
36083+
36084+ return ret;
36085+}
36086+#endif
36087+
36088+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
36089+{
36090+ struct task_struct *task = current;
36091+ struct dentry *dentry = file->f_path.dentry;
36092+ struct vfsmount *mnt = file->f_path.mnt;
36093+ struct acl_object_label *obj, *tmp;
36094+ struct acl_subject_label *subj;
36095+ unsigned int bufsize;
36096+ int is_not_root;
36097+ char *path;
36098+
36099+ if (unlikely(!(gr_status & GR_READY)))
36100+ return 1;
36101+
36102+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36103+ return 1;
36104+
36105+ /* ignore Eric Biederman */
36106+ if (IS_PRIVATE(dentry->d_inode))
36107+ return 1;
36108+
36109+ subj = task->acl;
36110+ do {
36111+ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
36112+ if (obj != NULL)
36113+ return (obj->mode & GR_FIND) ? 1 : 0;
36114+ } while ((subj = subj->parent_subject));
36115+
36116+ /* this is purely an optimization since we're looking for an object
36117+ for the directory we're doing a readdir on
36118+ if it's possible for any globbed object to match the entry we're
36119+ filling into the directory, then the object we find here will be
36120+ an anchor point with attached globbed objects
36121+ */
36122+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
36123+ if (obj->globbed == NULL)
36124+ return (obj->mode & GR_FIND) ? 1 : 0;
36125+
36126+ is_not_root = ((obj->filename[0] == '/') &&
36127+ (obj->filename[1] == '\0')) ? 0 : 1;
36128+ bufsize = PAGE_SIZE - namelen - is_not_root;
36129+
36130+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
36131+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
36132+ return 1;
36133+
36134+ preempt_disable();
36135+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
36136+ bufsize);
36137+
36138+ bufsize = strlen(path);
36139+
36140+ /* if base is "/", don't append an additional slash */
36141+ if (is_not_root)
36142+ *(path + bufsize) = '/';
36143+ memcpy(path + bufsize + is_not_root, name, namelen);
36144+ *(path + bufsize + namelen + is_not_root) = '\0';
36145+
36146+ tmp = obj->globbed;
36147+ while (tmp) {
36148+ if (!glob_match(tmp->filename, path)) {
36149+ preempt_enable();
36150+ return (tmp->mode & GR_FIND) ? 1 : 0;
36151+ }
36152+ tmp = tmp->next;
36153+ }
36154+ preempt_enable();
36155+ return (obj->mode & GR_FIND) ? 1 : 0;
36156+}
36157+
36158+EXPORT_SYMBOL(gr_learn_resource);
36159+EXPORT_SYMBOL(gr_set_kernel_label);
36160+#ifdef CONFIG_SECURITY
36161+EXPORT_SYMBOL(gr_check_user_change);
36162+EXPORT_SYMBOL(gr_check_group_change);
36163+#endif
36164+
ae4e228f
MT
36165diff -urNp linux-2.6.33.1/grsecurity/gracl_cap.c linux-2.6.33.1/grsecurity/gracl_cap.c
36166--- linux-2.6.33.1/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
36167+++ linux-2.6.33.1/grsecurity/gracl_cap.c 2010-03-20 16:58:41.888938450 -0400
58c5fc13
MT
36168@@ -0,0 +1,131 @@
36169+#include <linux/kernel.h>
36170+#include <linux/module.h>
36171+#include <linux/sched.h>
36172+#include <linux/gracl.h>
36173+#include <linux/grsecurity.h>
36174+#include <linux/grinternal.h>
36175+
36176+static const char *captab_log[] = {
36177+ "CAP_CHOWN",
36178+ "CAP_DAC_OVERRIDE",
36179+ "CAP_DAC_READ_SEARCH",
36180+ "CAP_FOWNER",
36181+ "CAP_FSETID",
36182+ "CAP_KILL",
36183+ "CAP_SETGID",
36184+ "CAP_SETUID",
36185+ "CAP_SETPCAP",
36186+ "CAP_LINUX_IMMUTABLE",
36187+ "CAP_NET_BIND_SERVICE",
36188+ "CAP_NET_BROADCAST",
36189+ "CAP_NET_ADMIN",
36190+ "CAP_NET_RAW",
36191+ "CAP_IPC_LOCK",
36192+ "CAP_IPC_OWNER",
36193+ "CAP_SYS_MODULE",
36194+ "CAP_SYS_RAWIO",
36195+ "CAP_SYS_CHROOT",
36196+ "CAP_SYS_PTRACE",
36197+ "CAP_SYS_PACCT",
36198+ "CAP_SYS_ADMIN",
36199+ "CAP_SYS_BOOT",
36200+ "CAP_SYS_NICE",
36201+ "CAP_SYS_RESOURCE",
36202+ "CAP_SYS_TIME",
36203+ "CAP_SYS_TTY_CONFIG",
36204+ "CAP_MKNOD",
36205+ "CAP_LEASE",
36206+ "CAP_AUDIT_WRITE",
36207+ "CAP_AUDIT_CONTROL",
36208+ "CAP_SETFCAP",
36209+ "CAP_MAC_OVERRIDE",
36210+ "CAP_MAC_ADMIN"
36211+};
36212+
36213+EXPORT_SYMBOL(gr_is_capable);
36214+EXPORT_SYMBOL(gr_is_capable_nolog);
36215+
36216+int
36217+gr_is_capable(const int cap)
36218+{
36219+ struct task_struct *task = current;
36220+ const struct cred *cred = current_cred();
36221+ struct acl_subject_label *curracl;
36222+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36223+
36224+ if (!gr_acl_is_enabled())
36225+ return 1;
36226+
36227+ curracl = task->acl;
36228+
36229+ cap_drop = curracl->cap_lower;
36230+ cap_mask = curracl->cap_mask;
36231+
36232+ while ((curracl = curracl->parent_subject)) {
36233+ /* if the cap isn't specified in the current computed mask but is specified in the
36234+ current level subject, and is lowered in the current level subject, then add
36235+ it to the set of dropped capabilities
36236+ otherwise, add the current level subject's mask to the current computed mask
36237+ */
36238+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36239+ cap_raise(cap_mask, cap);
36240+ if (cap_raised(curracl->cap_lower, cap))
36241+ cap_raise(cap_drop, cap);
36242+ }
36243+ }
36244+
36245+ if (!cap_raised(cap_drop, cap))
36246+ return 1;
36247+
36248+ curracl = task->acl;
36249+
36250+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
36251+ && cap_raised(cred->cap_effective, cap)) {
36252+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
36253+ task->role->roletype, cred->uid,
36254+ cred->gid, task->exec_file ?
36255+ gr_to_filename(task->exec_file->f_path.dentry,
36256+ task->exec_file->f_path.mnt) : curracl->filename,
36257+ curracl->filename, 0UL,
ae4e228f 36258+ 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
58c5fc13
MT
36259+ return 1;
36260+ }
36261+
36262+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap))
36263+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
36264+ return 0;
36265+}
36266+
36267+int
36268+gr_is_capable_nolog(const int cap)
36269+{
36270+ struct acl_subject_label *curracl;
36271+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
36272+
36273+ if (!gr_acl_is_enabled())
36274+ return 1;
36275+
36276+ curracl = current->acl;
36277+
36278+ cap_drop = curracl->cap_lower;
36279+ cap_mask = curracl->cap_mask;
36280+
36281+ while ((curracl = curracl->parent_subject)) {
36282+ /* if the cap isn't specified in the current computed mask but is specified in the
36283+ current level subject, and is lowered in the current level subject, then add
36284+ it to the set of dropped capabilities
36285+ otherwise, add the current level subject's mask to the current computed mask
36286+ */
36287+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
36288+ cap_raise(cap_mask, cap);
36289+ if (cap_raised(curracl->cap_lower, cap))
36290+ cap_raise(cap_drop, cap);
36291+ }
36292+ }
36293+
36294+ if (!cap_raised(cap_drop, cap))
36295+ return 1;
36296+
36297+ return 0;
36298+}
36299+
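Review bot: The range test at the end of gr_is_capable() (`(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`) guards only the captab_log lookup. By that point `cap` has already been passed to cap_raised()/cap_raise() on cap_mask, cap_drop and cred->cap_effective, and gr_is_capable_nolog() has no range test at all. Both functions are exported, so if any caller can reach them without the validation that capable() performs (not visible in this hunk), those macros would index outside the kernel_cap_t words. I would fail closed up front in both functions, right after the gr_acl_is_enabled() test: `if (unlikely(!cap_valid(cap))) return 0;`. Separately, a dropped capability numbered beyond captab_log is denied with no log line at all, which becomes a detection gap once the kernel grows new capabilities; logging the numeric value as a fallback would keep that denial visible.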
ae4e228f
MT
36300diff -urNp linux-2.6.33.1/grsecurity/gracl_fs.c linux-2.6.33.1/grsecurity/gracl_fs.c
36301--- linux-2.6.33.1/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
36302+++ linux-2.6.33.1/grsecurity/gracl_fs.c 2010-03-20 16:58:41.888938450 -0400
58c5fc13
MT
36303@@ -0,0 +1,424 @@
36304+#include <linux/kernel.h>
36305+#include <linux/sched.h>
36306+#include <linux/types.h>
36307+#include <linux/fs.h>
36308+#include <linux/file.h>
36309+#include <linux/stat.h>
36310+#include <linux/grsecurity.h>
36311+#include <linux/grinternal.h>
36312+#include <linux/gracl.h>
36313+
36314+__u32
36315+gr_acl_handle_hidden_file(const struct dentry * dentry,
36316+ const struct vfsmount * mnt)
36317+{
36318+ __u32 mode;
36319+
36320+ if (unlikely(!dentry->d_inode))
36321+ return GR_FIND;
36322+
36323+ mode =
36324+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
36325+
36326+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
36327+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36328+ return mode;
36329+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
36330+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
36331+ return 0;
36332+ } else if (unlikely(!(mode & GR_FIND)))
36333+ return 0;
36334+
36335+ return GR_FIND;
36336+}
36337+
36338+__u32
36339+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
36340+ const int fmode)
36341+{
36342+ __u32 reqmode = GR_FIND;
36343+ __u32 mode;
36344+
36345+ if (unlikely(!dentry->d_inode))
36346+ return reqmode;
36347+
36348+ if (unlikely(fmode & O_APPEND))
36349+ reqmode |= GR_APPEND;
36350+ else if (unlikely(fmode & FMODE_WRITE))
36351+ reqmode |= GR_WRITE;
36352+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36353+ reqmode |= GR_READ;
36354+ if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
36355+ reqmode &= ~GR_READ;
36356+ mode =
36357+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36358+ mnt);
36359+
36360+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36361+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36362+ reqmode & GR_READ ? " reading" : "",
36363+ reqmode & GR_WRITE ? " writing" : reqmode &
36364+ GR_APPEND ? " appending" : "");
36365+ return reqmode;
36366+ } else
36367+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36368+ {
36369+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
36370+ reqmode & GR_READ ? " reading" : "",
36371+ reqmode & GR_WRITE ? " writing" : reqmode &
36372+ GR_APPEND ? " appending" : "");
36373+ return 0;
36374+ } else if (unlikely((mode & reqmode) != reqmode))
36375+ return 0;
36376+
36377+ return reqmode;
36378+}
36379+
36380+__u32
36381+gr_acl_handle_creat(const struct dentry * dentry,
36382+ const struct dentry * p_dentry,
36383+ const struct vfsmount * p_mnt, const int fmode,
36384+ const int imode)
36385+{
36386+ __u32 reqmode = GR_WRITE | GR_CREATE;
36387+ __u32 mode;
36388+
36389+ if (unlikely(fmode & O_APPEND))
36390+ reqmode |= GR_APPEND;
36391+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
36392+ reqmode |= GR_READ;
36393+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
36394+ reqmode |= GR_SETID;
36395+
36396+ mode =
36397+ gr_check_create(dentry, p_dentry, p_mnt,
36398+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36399+
36400+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36401+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36402+ reqmode & GR_READ ? " reading" : "",
36403+ reqmode & GR_WRITE ? " writing" : reqmode &
36404+ GR_APPEND ? " appending" : "");
36405+ return reqmode;
36406+ } else
36407+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36408+ {
36409+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
36410+ reqmode & GR_READ ? " reading" : "",
36411+ reqmode & GR_WRITE ? " writing" : reqmode &
36412+ GR_APPEND ? " appending" : "");
36413+ return 0;
36414+ } else if (unlikely((mode & reqmode) != reqmode))
36415+ return 0;
36416+
36417+ return reqmode;
36418+}
36419+
36420+__u32
36421+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
36422+ const int fmode)
36423+{
36424+ __u32 mode, reqmode = GR_FIND;
36425+
36426+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
36427+ reqmode |= GR_EXEC;
36428+ if (fmode & S_IWOTH)
36429+ reqmode |= GR_WRITE;
36430+ if (fmode & S_IROTH)
36431+ reqmode |= GR_READ;
36432+
36433+ mode =
36434+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
36435+ mnt);
36436+
36437+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
36438+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36439+ reqmode & GR_READ ? " reading" : "",
36440+ reqmode & GR_WRITE ? " writing" : "",
36441+ reqmode & GR_EXEC ? " executing" : "");
36442+ return reqmode;
36443+ } else
36444+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
36445+ {
36446+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
36447+ reqmode & GR_READ ? " reading" : "",
36448+ reqmode & GR_WRITE ? " writing" : "",
36449+ reqmode & GR_EXEC ? " executing" : "");
36450+ return 0;
36451+ } else if (unlikely((mode & reqmode) != reqmode))
36452+ return 0;
36453+
36454+ return reqmode;
36455+}
36456+
36457+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
36458+{
36459+ __u32 mode;
36460+
36461+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
36462+
36463+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36464+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
36465+ return mode;
36466+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36467+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
36468+ return 0;
36469+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
36470+ return 0;
36471+
36472+ return (reqmode);
36473+}
36474+
36475+__u32
36476+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
36477+{
36478+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
36479+}
36480+
36481+__u32
36482+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
36483+{
36484+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
36485+}
36486+
36487+__u32
36488+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
36489+{
36490+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
36491+}
36492+
36493+__u32
36494+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
36495+{
36496+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
36497+}
36498+
36499+__u32
36500+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
36501+ mode_t mode)
36502+{
36503+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
36504+ return 1;
36505+
36506+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36507+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36508+ GR_FCHMOD_ACL_MSG);
36509+ } else {
36510+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
36511+ }
36512+}
36513+
36514+__u32
36515+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
36516+ mode_t mode)
36517+{
36518+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
36519+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
36520+ GR_CHMOD_ACL_MSG);
36521+ } else {
36522+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
36523+ }
36524+}
36525+
36526+__u32
36527+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
36528+{
36529+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
36530+}
36531+
36532+__u32
36533+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
36534+{
36535+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
36536+}
36537+
36538+__u32
36539+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
36540+{
36541+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
36542+ GR_UNIXCONNECT_ACL_MSG);
36543+}
36544+
36545+/* hardlinks require at minimum create permission,
36546+ any additional privilege required is based on the
36547+ privilege of the file being linked to
36548+*/
36549+__u32
36550+gr_acl_handle_link(const struct dentry * new_dentry,
36551+ const struct dentry * parent_dentry,
36552+ const struct vfsmount * parent_mnt,
36553+ const struct dentry * old_dentry,
36554+ const struct vfsmount * old_mnt, const char *to)
36555+{
36556+ __u32 mode;
36557+ __u32 needmode = GR_CREATE | GR_LINK;
36558+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
36559+
36560+ mode =
36561+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
36562+ old_mnt);
36563+
36564+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
36565+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36566+ return mode;
36567+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36568+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
36569+ return 0;
36570+ } else if (unlikely((mode & needmode) != needmode))
36571+ return 0;
36572+
36573+ return 1;
36574+}
36575+
36576+__u32
36577+gr_acl_handle_symlink(const struct dentry * new_dentry,
36578+ const struct dentry * parent_dentry,
36579+ const struct vfsmount * parent_mnt, const char *from)
36580+{
36581+ __u32 needmode = GR_WRITE | GR_CREATE;
36582+ __u32 mode;
36583+
36584+ mode =
36585+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
36586+ GR_CREATE | GR_AUDIT_CREATE |
36587+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
36588+
36589+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
36590+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36591+ return mode;
36592+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
36593+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
36594+ return 0;
36595+ } else if (unlikely((mode & needmode) != needmode))
36596+ return 0;
36597+
36598+ return (GR_WRITE | GR_CREATE);
36599+}
36600+
36601+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
36602+{
36603+ __u32 mode;
36604+
36605+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
36606+
36607+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
36608+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
36609+ return mode;
36610+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
36611+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
36612+ return 0;
36613+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
36614+ return 0;
36615+
36616+ return (reqmode);
36617+}
36618+
36619+__u32
36620+gr_acl_handle_mknod(const struct dentry * new_dentry,
36621+ const struct dentry * parent_dentry,
36622+ const struct vfsmount * parent_mnt,
36623+ const int mode)
36624+{
36625+ __u32 reqmode = GR_WRITE | GR_CREATE;
36626+ if (unlikely(mode & (S_ISUID | S_ISGID)))
36627+ reqmode |= GR_SETID;
36628+
36629+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36630+ reqmode, GR_MKNOD_ACL_MSG);
36631+}
36632+
36633+__u32
36634+gr_acl_handle_mkdir(const struct dentry *new_dentry,
36635+ const struct dentry *parent_dentry,
36636+ const struct vfsmount *parent_mnt)
36637+{
36638+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
36639+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
36640+}
36641+
36642+#define RENAME_CHECK_SUCCESS(old, new) \
36643+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
36644+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
36645+
36646+int
36647+gr_acl_handle_rename(struct dentry *new_dentry,
36648+ struct dentry *parent_dentry,
36649+ const struct vfsmount *parent_mnt,
36650+ struct dentry *old_dentry,
36651+ struct inode *old_parent_inode,
36652+ struct vfsmount *old_mnt, const char *newname)
36653+{
36654+ __u32 comp1, comp2;
36655+ int error = 0;
36656+
36657+ if (unlikely(!gr_acl_is_enabled()))
36658+ return 0;
36659+
36660+ if (!new_dentry->d_inode) {
36661+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
36662+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
36663+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
36664+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
36665+ GR_DELETE | GR_AUDIT_DELETE |
36666+ GR_AUDIT_READ | GR_AUDIT_WRITE |
36667+ GR_SUPPRESS, old_mnt);
36668+ } else {
36669+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
36670+ GR_CREATE | GR_DELETE |
36671+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
36672+ GR_AUDIT_READ | GR_AUDIT_WRITE |
36673+ GR_SUPPRESS, parent_mnt);
36674+ comp2 =
36675+ gr_search_file(old_dentry,
36676+ GR_READ | GR_WRITE | GR_AUDIT_READ |
36677+ GR_DELETE | GR_AUDIT_DELETE |
36678+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
36679+ }
36680+
36681+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
36682+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
36683+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36684+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
36685+ && !(comp2 & GR_SUPPRESS)) {
36686+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
36687+ error = -EACCES;
36688+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
36689+ error = -EACCES;
36690+
36691+ return error;
36692+}
36693+
36694+void
36695+gr_acl_handle_exit(void)
36696+{
36697+ u16 id;
36698+ char *rolename;
36699+ struct file *exec_file;
36700+
36701+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
36702+ id = current->acl_role_id;
36703+ rolename = current->role->rolename;
36704+ gr_set_acls(1);
36705+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
36706+ }
36707+
36708+ write_lock(&grsec_exec_file_lock);
36709+ exec_file = current->exec_file;
36710+ current->exec_file = NULL;
36711+ write_unlock(&grsec_exec_file_lock);
36712+
36713+ if (exec_file)
36714+ fput(exec_file);
36715+}
36716+
36717+int
36718+gr_acl_handle_procpidmem(const struct task_struct *task)
36719+{
36720+ if (unlikely(!gr_acl_is_enabled()))
36721+ return 0;
36722+
36723+ if (task != current && task->acl->mode & GR_PROTPROCFD)
36724+ return -EACCES;
36725+
36726+ return 0;
36727+}
ae4e228f
MT
36728diff -urNp linux-2.6.33.1/grsecurity/gracl_ip.c linux-2.6.33.1/grsecurity/gracl_ip.c
36729--- linux-2.6.33.1/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
36730+++ linux-2.6.33.1/grsecurity/gracl_ip.c 2010-03-20 16:58:41.892922620 -0400
36731@@ -0,0 +1,339 @@
58c5fc13
MT
36732+#include <linux/kernel.h>
36733+#include <asm/uaccess.h>
36734+#include <asm/errno.h>
36735+#include <net/sock.h>
36736+#include <linux/file.h>
36737+#include <linux/fs.h>
36738+#include <linux/net.h>
36739+#include <linux/in.h>
36740+#include <linux/skbuff.h>
36741+#include <linux/ip.h>
36742+#include <linux/udp.h>
36743+#include <linux/smp_lock.h>
36744+#include <linux/types.h>
36745+#include <linux/sched.h>
36746+#include <linux/netdevice.h>
36747+#include <linux/inetdevice.h>
36748+#include <linux/gracl.h>
36749+#include <linux/grsecurity.h>
36750+#include <linux/grinternal.h>
36751+
36752+#define GR_BIND 0x01
36753+#define GR_CONNECT 0x02
36754+#define GR_INVERT 0x04
36755+#define GR_BINDOVERRIDE 0x08
36756+#define GR_CONNECTOVERRIDE 0x10
36757+
36758+static const char * gr_protocols[256] = {
36759+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
36760+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
36761+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
36762+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
36763+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
36764+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
36765+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
36766+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
36767+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
36768+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
36769+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
36770+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
36771+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
36772+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
36773+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
36774+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
36775+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
36776+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
36777+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
36778+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
36779+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
36780+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
36781+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
36782+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
36783+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
36784+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
36785+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
36786+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
36787+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
36788+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
36789+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
36790+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
36791+ };
36792+
36793+static const char * gr_socktypes[11] = {
36794+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
36795+ "unknown:7", "unknown:8", "unknown:9", "packet"
36796+ };
36797+
36798+const char *
36799+gr_proto_to_name(unsigned char proto)
36800+{
36801+ return gr_protocols[proto];
36802+}
36803+
36804+const char *
36805+gr_socktype_to_name(unsigned char type)
36806+{
36807+ return gr_socktypes[type];
36808+}
36809+
36810+int
36811+gr_search_socket(const int domain, const int type, const int protocol)
36812+{
36813+ struct acl_subject_label *curr;
36814+ const struct cred *cred = current_cred();
36815+
36816+ if (unlikely(!gr_acl_is_enabled()))
36817+ goto exit;
36818+
36819+ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
36820+ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
36821+ goto exit; // let the kernel handle it
36822+
36823+ curr = current->acl;
36824+
36825+ if (!curr->ips)
36826+ goto exit;
36827+
36828+ if ((curr->ip_type & (1 << type)) &&
36829+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
36830+ goto exit;
36831+
36832+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36833+ /* we don't place acls on raw sockets , and sometimes
36834+ dgram/ip sockets are opened for ioctl and not
36835+ bind/connect, so we'll fake a bind learn log */
36836+ if (type == SOCK_RAW || type == SOCK_PACKET) {
36837+ __u32 fakeip = 0;
36838+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36839+ current->role->roletype, cred->uid,
36840+ cred->gid, current->exec_file ?
36841+ gr_to_filename(current->exec_file->f_path.dentry,
36842+ current->exec_file->f_path.mnt) :
36843+ curr->filename, curr->filename,
ae4e228f
MT
36844+ &fakeip, 0, type,
36845+ protocol, GR_CONNECT, &current->signal->curr_ip);
58c5fc13
MT
36846+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
36847+ __u32 fakeip = 0;
36848+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36849+ current->role->roletype, cred->uid,
36850+ cred->gid, current->exec_file ?
36851+ gr_to_filename(current->exec_file->f_path.dentry,
36852+ current->exec_file->f_path.mnt) :
36853+ curr->filename, curr->filename,
ae4e228f
MT
36854+ &fakeip, 0, type,
36855+ protocol, GR_BIND, &current->signal->curr_ip);
58c5fc13
MT
36856+ }
36857+ /* we'll log when they use connect or bind */
36858+ goto exit;
36859+ }
36860+
36861+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
36862+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
36863+
36864+ return 0;
36865+ exit:
36866+ return 1;
36867+}
36868+
36869+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
36870+{
36871+ if ((ip->mode & mode) &&
36872+ (ip_port >= ip->low) &&
36873+ (ip_port <= ip->high) &&
36874+ ((ntohl(ip_addr) & our_netmask) ==
36875+ (ntohl(our_addr) & our_netmask))
36876+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
36877+ && (ip->type & (1 << type))) {
36878+ if (ip->mode & GR_INVERT)
36879+ return 2; // specifically denied
36880+ else
36881+ return 1; // allowed
36882+ }
36883+
36884+ return 0; // not specifically allowed, may continue parsing
36885+}
36886+
36887+static int
36888+gr_search_connectbind(const int full_mode, struct sock *sk,
36889+ struct sockaddr_in *addr, const int type)
36890+{
36891+ char iface[IFNAMSIZ] = {0};
36892+ struct acl_subject_label *curr;
36893+ struct acl_ip_label *ip;
36894+ struct inet_sock *isk;
36895+ struct net_device *dev;
36896+ struct in_device *idev;
36897+ unsigned long i;
36898+ int ret;
36899+ int mode = full_mode & (GR_BIND | GR_CONNECT);
36900+ __u32 ip_addr = 0;
36901+ __u32 our_addr;
36902+ __u32 our_netmask;
36903+ char *p;
36904+ __u16 ip_port = 0;
36905+ const struct cred *cred = current_cred();
36906+
36907+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
36908+ return 0;
36909+
36910+ curr = current->acl;
36911+ isk = inet_sk(sk);
36912+
36913+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
36914+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
36915+ addr->sin_addr.s_addr = curr->inaddr_any_override;
ae4e228f 36916+ if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
58c5fc13
MT
36917+ struct sockaddr_in saddr;
36918+ int err;
36919+
36920+ saddr.sin_family = AF_INET;
36921+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
ae4e228f 36922+ saddr.sin_port = isk->inet_sport;
58c5fc13
MT
36923+
36924+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36925+ if (err)
36926+ return err;
36927+
36928+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
36929+ if (err)
36930+ return err;
36931+ }
36932+
36933+ if (!curr->ips)
36934+ return 0;
36935+
36936+ ip_addr = addr->sin_addr.s_addr;
36937+ ip_port = ntohs(addr->sin_port);
36938+
36939+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
36940+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
36941+ current->role->roletype, cred->uid,
36942+ cred->gid, current->exec_file ?
36943+ gr_to_filename(current->exec_file->f_path.dentry,
36944+ current->exec_file->f_path.mnt) :
36945+ curr->filename, curr->filename,
ae4e228f
MT
36946+ &ip_addr, ip_port, type,
36947+ sk->sk_protocol, mode, &current->signal->curr_ip);
58c5fc13
MT
36948+ return 0;
36949+ }
36950+
36951+ for (i = 0; i < curr->ip_num; i++) {
36952+ ip = *(curr->ips + i);
36953+ if (ip->iface != NULL) {
36954+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
36955+ p = strchr(iface, ':');
36956+ if (p != NULL)
36957+ *p = '\0';
36958+ dev = dev_get_by_name(sock_net(sk), iface);
36959+ if (dev == NULL)
36960+ continue;
36961+ idev = in_dev_get(dev);
36962+ if (idev == NULL) {
36963+ dev_put(dev);
36964+ continue;
36965+ }
36966+ rcu_read_lock();
36967+ for_ifa(idev) {
36968+ if (!strcmp(ip->iface, ifa->ifa_label)) {
36969+ our_addr = ifa->ifa_address;
36970+ our_netmask = 0xffffffff;
36971+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36972+ if (ret == 1) {
36973+ rcu_read_unlock();
36974+ in_dev_put(idev);
36975+ dev_put(dev);
36976+ return 0;
36977+ } else if (ret == 2) {
36978+ rcu_read_unlock();
36979+ in_dev_put(idev);
36980+ dev_put(dev);
36981+ goto denied;
36982+ }
36983+ }
36984+ } endfor_ifa(idev);
36985+ rcu_read_unlock();
36986+ in_dev_put(idev);
36987+ dev_put(dev);
36988+ } else {
36989+ our_addr = ip->addr;
36990+ our_netmask = ip->netmask;
36991+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
36992+ if (ret == 1)
36993+ return 0;
36994+ else if (ret == 2)
36995+ goto denied;
36996+ }
36997+ }
36998+
36999+denied:
37000+ if (mode == GR_BIND)
ae4e228f 37001+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58c5fc13 37002+ else if (mode == GR_CONNECT)
ae4e228f 37003+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58c5fc13
MT
37004+
37005+ return -EACCES;
37006+}
37007+
37008+int
37009+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
37010+{
37011+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
37012+}
37013+
37014+int
37015+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
37016+{
37017+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
37018+}
37019+
37020+int gr_search_listen(struct socket *sock)
37021+{
37022+ struct sock *sk = sock->sk;
37023+ struct sockaddr_in addr;
37024+
ae4e228f
MT
37025+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
37026+ addr.sin_port = inet_sk(sk)->inet_sport;
58c5fc13
MT
37027+
37028+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
37029+}
37030+
37031+int gr_search_accept(struct socket *sock)
37032+{
37033+ struct sock *sk = sock->sk;
37034+ struct sockaddr_in addr;
37035+
ae4e228f
MT
37036+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
37037+ addr.sin_port = inet_sk(sk)->inet_sport;
58c5fc13
MT
37038+
37039+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
37040+}
37041+
37042+int
37043+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
37044+{
37045+ if (addr)
37046+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
37047+ else {
37048+ struct sockaddr_in sin;
37049+ const struct inet_sock *inet = inet_sk(sk);
37050+
ae4e228f
MT
37051+ sin.sin_addr.s_addr = inet->inet_daddr;
37052+ sin.sin_port = inet->inet_dport;
58c5fc13
MT
37053+
37054+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
37055+ }
37056+}
37057+
37058+int
37059+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
37060+{
37061+ struct sockaddr_in sin;
37062+
37063+ if (unlikely(skb->len < sizeof (struct udphdr)))
37064+ return 0; // skip this packet
37065+
37066+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
37067+ sin.sin_port = udp_hdr(skb)->source;
37068+
37069+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
37070+}
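Review bot: GR_CONNECTOVERRIDE is defined and passed by gr_search_connect, gr_search_listen, gr_search_accept and both UDP helpers, but gr_search_connectbind never reads it: the implicit-bind branch for inaddr_any_override is gated on `full_mode & GR_CONNECT` alone. As written, the explicit-address path of gr_search_udp_sendmsg, which passes plain GR_CONNECT, still takes that branch, so the flag distinguishes nothing. If the flag is meant to select the override, the condition would read `if ((full_mode & GR_CONNECT) && (full_mode & GR_CONNECTOVERRIDE) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {`; otherwise drop the flag and add a comment saying every connect-mode check rebinds. Separately, gr_socktype_to_name indexes the 11-entry gr_socktypes with an unsigned char and no bound, so the deny-path logging relies on every caller passing a value below 11; a guard such as `if (type >= ARRAY_SIZE(gr_socktypes)) return "unknown";` would make the helper safe on its own.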
ae4e228f
MT
37071diff -urNp linux-2.6.33.1/grsecurity/gracl_learn.c linux-2.6.33.1/grsecurity/gracl_learn.c
37072--- linux-2.6.33.1/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
37073+++ linux-2.6.33.1/grsecurity/gracl_learn.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
37074@@ -0,0 +1,211 @@
37075+#include <linux/kernel.h>
37076+#include <linux/mm.h>
37077+#include <linux/sched.h>
37078+#include <linux/poll.h>
37079+#include <linux/smp_lock.h>
37080+#include <linux/string.h>
37081+#include <linux/file.h>
37082+#include <linux/types.h>
37083+#include <linux/vmalloc.h>
37084+#include <linux/grinternal.h>
37085+
37086+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
37087+ size_t count, loff_t *ppos);
37088+extern int gr_acl_is_enabled(void);
37089+
37090+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
37091+static int gr_learn_attached;
37092+
37093+/* use a 512k buffer */
37094+#define LEARN_BUFFER_SIZE (512 * 1024)
37095+
37096+static DEFINE_SPINLOCK(gr_learn_lock);
37097+static DECLARE_MUTEX(gr_learn_user_sem);
37098+
37099+/* we need to maintain two buffers, so that the kernel context of grlearn
37100+ uses a semaphore around the userspace copying, and the other kernel contexts
37101+ use a spinlock when copying into the buffer, since they cannot sleep
37102+*/
37103+static char *learn_buffer;
37104+static char *learn_buffer_user;
37105+static int learn_buffer_len;
37106+static int learn_buffer_user_len;
37107+
37108+static ssize_t
37109+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
37110+{
37111+ DECLARE_WAITQUEUE(wait, current);
37112+ ssize_t retval = 0;
37113+
37114+ add_wait_queue(&learn_wait, &wait);
37115+ set_current_state(TASK_INTERRUPTIBLE);
37116+ do {
37117+ down(&gr_learn_user_sem);
37118+ spin_lock(&gr_learn_lock);
37119+ if (learn_buffer_len)
37120+ break;
37121+ spin_unlock(&gr_learn_lock);
37122+ up(&gr_learn_user_sem);
37123+ if (file->f_flags & O_NONBLOCK) {
37124+ retval = -EAGAIN;
37125+ goto out;
37126+ }
37127+ if (signal_pending(current)) {
37128+ retval = -ERESTARTSYS;
37129+ goto out;
37130+ }
37131+
37132+ schedule();
37133+ } while (1);
37134+
37135+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
37136+ learn_buffer_user_len = learn_buffer_len;
37137+ retval = learn_buffer_len;
37138+ learn_buffer_len = 0;
37139+
37140+ spin_unlock(&gr_learn_lock);
37141+
37142+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
37143+ retval = -EFAULT;
37144+
37145+ up(&gr_learn_user_sem);
37146+out:
37147+ set_current_state(TASK_RUNNING);
37148+ remove_wait_queue(&learn_wait, &wait);
37149+ return retval;
37150+}
37151+
37152+static unsigned int
37153+poll_learn(struct file * file, poll_table * wait)
37154+{
37155+ poll_wait(file, &learn_wait, wait);
37156+
37157+ if (learn_buffer_len)
37158+ return (POLLIN | POLLRDNORM);
37159+
37160+ return 0;
37161+}
37162+
37163+void
37164+gr_clear_learn_entries(void)
37165+{
37166+ char *tmp;
37167+
37168+ down(&gr_learn_user_sem);
37169+ if (learn_buffer != NULL) {
37170+ spin_lock(&gr_learn_lock);
37171+ tmp = learn_buffer;
37172+ learn_buffer = NULL;
37173+ spin_unlock(&gr_learn_lock);
37174+ vfree(learn_buffer);
37175+ }
37176+ if (learn_buffer_user != NULL) {
37177+ vfree(learn_buffer_user);
37178+ learn_buffer_user = NULL;
37179+ }
37180+ learn_buffer_len = 0;
37181+ up(&gr_learn_user_sem);
37182+
37183+ return;
37184+}
37185+
37186+void
37187+gr_add_learn_entry(const char *fmt, ...)
37188+{
37189+ va_list args;
37190+ unsigned int len;
37191+
37192+ if (!gr_learn_attached)
37193+ return;
37194+
37195+ spin_lock(&gr_learn_lock);
37196+
37197+ /* leave a gap at the end so we know when it's "full" but don't have to
37198+ compute the exact length of the string we're trying to append
37199+ */
37200+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
37201+ spin_unlock(&gr_learn_lock);
37202+ wake_up_interruptible(&learn_wait);
37203+ return;
37204+ }
37205+ if (learn_buffer == NULL) {
37206+ spin_unlock(&gr_learn_lock);
37207+ return;
37208+ }
37209+
37210+ va_start(args, fmt);
37211+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
37212+ va_end(args);
37213+
37214+ learn_buffer_len += len + 1;
37215+
37216+ spin_unlock(&gr_learn_lock);
37217+ wake_up_interruptible(&learn_wait);
37218+
37219+ return;
37220+}
37221+
37222+static int
37223+open_learn(struct inode *inode, struct file *file)
37224+{
37225+ if (file->f_mode & FMODE_READ && gr_learn_attached)
37226+ return -EBUSY;
37227+ if (file->f_mode & FMODE_READ) {
37228+ int retval = 0;
37229+ down(&gr_learn_user_sem);
37230+ if (learn_buffer == NULL)
37231+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
37232+ if (learn_buffer_user == NULL)
37233+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
37234+ if (learn_buffer == NULL) {
37235+ retval = -ENOMEM;
37236+ goto out_error;
37237+ }
37238+ if (learn_buffer_user == NULL) {
37239+ retval = -ENOMEM;
37240+ goto out_error;
37241+ }
37242+ learn_buffer_len = 0;
37243+ learn_buffer_user_len = 0;
37244+ gr_learn_attached = 1;
37245+out_error:
37246+ up(&gr_learn_user_sem);
37247+ return retval;
37248+ }
37249+ return 0;
37250+}
37251+
37252+static int
37253+close_learn(struct inode *inode, struct file *file)
37254+{
37255+ char *tmp;
37256+
37257+ if (file->f_mode & FMODE_READ) {
37258+ down(&gr_learn_user_sem);
37259+ if (learn_buffer != NULL) {
37260+ spin_lock(&gr_learn_lock);
37261+ tmp = learn_buffer;
37262+ learn_buffer = NULL;
37263+ spin_unlock(&gr_learn_lock);
37264+ vfree(tmp);
37265+ }
37266+ if (learn_buffer_user != NULL) {
37267+ vfree(learn_buffer_user);
37268+ learn_buffer_user = NULL;
37269+ }
37270+ learn_buffer_len = 0;
37271+ learn_buffer_user_len = 0;
37272+ gr_learn_attached = 0;
37273+ up(&gr_learn_user_sem);
37274+ }
37275+
37276+ return 0;
37277+}
37278+
37279+const struct file_operations grsec_fops = {
37280+ .read = read_learn,
37281+ .write = write_grsec_handler,
37282+ .open = open_learn,
37283+ .release = close_learn,
37284+ .poll = poll_learn,
37285+};
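Review bot: gr_clear_learn_entries saves the buffer in `tmp`, sets `learn_buffer = NULL`, and then calls `vfree(learn_buffer)`, which frees NULL and leaks the 512k allocation; it should be `vfree(tmp);`, as close_learn already does. read_learn also ignores its `count` argument and copies `learn_buffer_user_len` bytes to `buf`, so a reader passing a buffer smaller than the pending data is written past the size it asked for. At minimum the copy should be bounded, e.g. `if (learn_buffer_user_len > count) retval = -EINVAL; else if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len)) retval = -EFAULT;`, or the remainder kept for the next read. In gr_add_learn_entry, vsnprintf returns the untruncated length, so `learn_buffer_len += len + 1` stays in bounds only while no single entry exceeds the 16384-byte gap; the existing comment should state that assumption.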
ae4e228f
MT
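--- a/grsecurity/gracl_res.c
+++ b/grsecurity/gracl_res.c
@@ -0,0 +1,65 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grinternal.h>
+
+static const char *restab_log[] = {
+ [RLIMIT_CPU] = "RLIMIT_CPU",
+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
+ [RLIMIT_DATA] = "RLIMIT_DATA",
+ [RLIMIT_STACK] = "RLIMIT_STACK",
+ [RLIMIT_CORE] = "RLIMIT_CORE",
+ [RLIMIT_RSS] = "RLIMIT_RSS",
+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
+ [RLIMIT_AS] = "RLIMIT_AS",
+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
+ [RLIMIT_NICE] = "RLIMIT_NICE",
+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
+ [GR_CRASH_RES] = "RLIMIT_CRASH"
+};
+
+void
+gr_log_resource(const struct task_struct *task,
+ const int res, const unsigned long wanted, const int gt)
+{
+ const struct cred *cred;
+
+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
+ return;
+
+ // not yet supported resource
+ if (!restab_log[res])
+ return;
+
+ rcu_read_lock();
+ cred = __task_cred(task);
+
+ if (res == RLIMIT_NPROC &&
+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
+ goto out_rcu_unlock;
+ else if (res == RLIMIT_MEMLOCK &&
+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
+ goto out_rcu_unlock;
+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
+ goto out_rcu_unlock;
+ rcu_read_unlock();
+
+ preempt_disable();
+
+ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
+ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
+ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
+ preempt_enable_no_resched();
+
+ return;
+out_rcu_unlock:
+ rcu_read_unlock();
+ return;
+}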
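Review bot: gr_log_resource uses `res` as an index into restab_log and into task->signal->rlim without a range check, so a negative or too-large value would read outside both arrays; the callers are not part of this hunk, so whether that can happen is not visible here. The `// not yet supported resource` test should bound the index first, e.g. `if (res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res]) return;`. restab_log also carries a GR_CRASH_RES entry, and the later `task->signal->rlim[res]` reads assume that index is valid for rlim as well, which deserves a comment or an explicit exclusion if it is not.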
ae4e228f
MT
37355diff -urNp linux-2.6.33.1/grsecurity/gracl_segv.c linux-2.6.33.1/grsecurity/gracl_segv.c
37356--- linux-2.6.33.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
37357+++ linux-2.6.33.1/grsecurity/gracl_segv.c 2010-03-20 16:58:41.892922620 -0400
37358@@ -0,0 +1,310 @@
58c5fc13
MT
37359+#include <linux/kernel.h>
37360+#include <linux/mm.h>
37361+#include <asm/uaccess.h>
37362+#include <asm/errno.h>
37363+#include <asm/mman.h>
37364+#include <net/sock.h>
37365+#include <linux/file.h>
37366+#include <linux/fs.h>
37367+#include <linux/net.h>
37368+#include <linux/in.h>
37369+#include <linux/smp_lock.h>
37370+#include <linux/slab.h>
37371+#include <linux/types.h>
37372+#include <linux/sched.h>
37373+#include <linux/timer.h>
37374+#include <linux/gracl.h>
37375+#include <linux/grsecurity.h>
37376+#include <linux/grinternal.h>
37377+
37378+static struct crash_uid *uid_set;
37379+static unsigned short uid_used;
37380+static DEFINE_SPINLOCK(gr_uid_lock);
37381+extern rwlock_t gr_inode_lock;
37382+extern struct acl_subject_label *
37383+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
37384+ struct acl_role_label *role);
37385+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
37386+
37387+int
37388+gr_init_uidset(void)
37389+{
37390+ uid_set =
37391+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
37392+ uid_used = 0;
37393+
37394+ return uid_set ? 1 : 0;
37395+}
37396+
37397+void
37398+gr_free_uidset(void)
37399+{
37400+ if (uid_set)
37401+ kfree(uid_set);
37402+
37403+ return;
37404+}
37405+
37406+int
37407+gr_find_uid(const uid_t uid)
37408+{
37409+ struct crash_uid *tmp = uid_set;
37410+ uid_t buid;
37411+ int low = 0, high = uid_used - 1, mid;
37412+
37413+ while (high >= low) {
37414+ mid = (low + high) >> 1;
37415+ buid = tmp[mid].uid;
37416+ if (buid == uid)
37417+ return mid;
37418+ if (buid > uid)
37419+ high = mid - 1;
37420+ if (buid < uid)
37421+ low = mid + 1;
37422+ }
37423+
37424+ return -1;
37425+}
37426+
37427+static __inline__ void
37428+gr_insertsort(void)
37429+{
37430+ unsigned short i, j;
37431+ struct crash_uid index;
37432+
37433+ for (i = 1; i < uid_used; i++) {
37434+ index = uid_set[i];
37435+ j = i;
37436+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
37437+ uid_set[j] = uid_set[j - 1];
37438+ j--;
37439+ }
37440+ uid_set[j] = index;
37441+ }
37442+
37443+ return;
37444+}
37445+
37446+static __inline__ void
37447+gr_insert_uid(const uid_t uid, const unsigned long expires)
37448+{
37449+ int loc;
37450+
37451+ if (uid_used == GR_UIDTABLE_MAX)
37452+ return;
37453+
37454+ loc = gr_find_uid(uid);
37455+
37456+ if (loc >= 0) {
37457+ uid_set[loc].expires = expires;
37458+ return;
37459+ }
37460+
37461+ uid_set[uid_used].uid = uid;
37462+ uid_set[uid_used].expires = expires;
37463+ uid_used++;
37464+
37465+ gr_insertsort();
37466+
37467+ return;
37468+}
37469+
37470+void
37471+gr_remove_uid(const unsigned short loc)
37472+{
37473+ unsigned short i;
37474+
37475+ for (i = loc + 1; i < uid_used; i++)
37476+ uid_set[i - 1] = uid_set[i];
37477+
37478+ uid_used--;
37479+
37480+ return;
37481+}
37482+
37483+int
37484+gr_check_crash_uid(const uid_t uid)
37485+{
37486+ int loc;
37487+ int ret = 0;
37488+
37489+ if (unlikely(!gr_acl_is_enabled()))
37490+ return 0;
37491+
37492+ spin_lock(&gr_uid_lock);
37493+ loc = gr_find_uid(uid);
37494+
37495+ if (loc < 0)
37496+ goto out_unlock;
37497+
37498+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
37499+ gr_remove_uid(loc);
37500+ else
37501+ ret = 1;
37502+
37503+out_unlock:
37504+ spin_unlock(&gr_uid_lock);
37505+ return ret;
37506+}
37507+
37508+static __inline__ int
37509+proc_is_setxid(const struct cred *cred)
37510+{
37511+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
37512+ cred->uid != cred->fsuid)
37513+ return 1;
37514+ if (cred->gid != cred->egid || cred->gid != cred->sgid ||
37515+ cred->gid != cred->fsgid)
37516+ return 1;
37517+
37518+ return 0;
37519+}
37520+static __inline__ int
37521+gr_fake_force_sig(int sig, struct task_struct *t)
37522+{
37523+ unsigned long int flags;
37524+ int ret, blocked, ignored;
37525+ struct k_sigaction *action;
37526+
37527+ spin_lock_irqsave(&t->sighand->siglock, flags);
37528+ action = &t->sighand->action[sig-1];
37529+ ignored = action->sa.sa_handler == SIG_IGN;
37530+ blocked = sigismember(&t->blocked, sig);
37531+ if (blocked || ignored) {
37532+ action->sa.sa_handler = SIG_DFL;
37533+ if (blocked) {
37534+ sigdelset(&t->blocked, sig);
37535+ recalc_sigpending_and_wake(t);
37536+ }
37537+ }
37538+ if (action->sa.sa_handler == SIG_DFL)
37539+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
37540+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
37541+
37542+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
37543+
37544+ return ret;
37545+}
37546+
37547+void
37548+gr_handle_crash(struct task_struct *task, const int sig)
37549+{
37550+ struct acl_subject_label *curr;
37551+ struct acl_subject_label *curr2;
37552+ struct task_struct *tsk, *tsk2;
ae4e228f 37553+ const struct cred *cred;
58c5fc13
MT
37554+ const struct cred *cred2;
37555+
37556+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
37557+ return;
37558+
37559+ if (unlikely(!gr_acl_is_enabled()))
37560+ return;
37561+
37562+ curr = task->acl;
37563+
37564+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
37565+ return;
37566+
37567+ if (time_before_eq(curr->expires, get_seconds())) {
37568+ curr->expires = 0;
37569+ curr->crashes = 0;
37570+ }
37571+
37572+ curr->crashes++;
37573+
37574+ if (!curr->expires)
37575+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
37576+
37577+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37578+ time_after(curr->expires, get_seconds())) {
ae4e228f
MT
37579+ rcu_read_lock();
37580+ cred = __task_cred(task);
58c5fc13
MT
37581+ if (cred->uid && proc_is_setxid(cred)) {
37582+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37583+ spin_lock(&gr_uid_lock);
37584+ gr_insert_uid(cred->uid, curr->expires);
37585+ spin_unlock(&gr_uid_lock);
37586+ curr->expires = 0;
37587+ curr->crashes = 0;
37588+ read_lock(&tasklist_lock);
37589+ do_each_thread(tsk2, tsk) {
37590+ cred2 = __task_cred(tsk);
37591+ if (tsk != task && cred2->uid == cred->uid)
37592+ gr_fake_force_sig(SIGKILL, tsk);
37593+ } while_each_thread(tsk2, tsk);
37594+ read_unlock(&tasklist_lock);
37595+ } else {
37596+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
37597+ read_lock(&tasklist_lock);
37598+ do_each_thread(tsk2, tsk) {
37599+ if (likely(tsk != task)) {
37600+ curr2 = tsk->acl;
37601+
37602+ if (curr2->device == curr->device &&
37603+ curr2->inode == curr->inode)
37604+ gr_fake_force_sig(SIGKILL, tsk);
37605+ }
37606+ } while_each_thread(tsk2, tsk);
37607+ read_unlock(&tasklist_lock);
37608+ }
ae4e228f 37609+ rcu_read_unlock();
58c5fc13
MT
37610+ }
37611+
37612+ return;
37613+}
37614+
37615+int
37616+gr_check_crash_exec(const struct file *filp)
37617+{
37618+ struct acl_subject_label *curr;
37619+
37620+ if (unlikely(!gr_acl_is_enabled()))
37621+ return 0;
37622+
37623+ read_lock(&gr_inode_lock);
37624+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
37625+ filp->f_path.dentry->d_inode->i_sb->s_dev,
37626+ current->role);
37627+ read_unlock(&gr_inode_lock);
37628+
37629+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
37630+ (!curr->crashes && !curr->expires))
37631+ return 0;
37632+
37633+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
37634+ time_after(curr->expires, get_seconds()))
37635+ return 1;
37636+ else if (time_before_eq(curr->expires, get_seconds())) {
37637+ curr->crashes = 0;
37638+ curr->expires = 0;
37639+ }
37640+
37641+ return 0;
37642+}
37643+
37644+void
37645+gr_handle_alertkill(struct task_struct *task)
37646+{
37647+ struct acl_subject_label *curracl;
37648+ __u32 curr_ip;
37649+ struct task_struct *p, *p2;
37650+
37651+ if (unlikely(!gr_acl_is_enabled()))
37652+ return;
37653+
37654+ curracl = task->acl;
37655+ curr_ip = task->signal->curr_ip;
37656+
37657+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
37658+ read_lock(&tasklist_lock);
37659+ do_each_thread(p2, p) {
37660+ if (p->signal->curr_ip == curr_ip)
37661+ gr_fake_force_sig(SIGKILL, p);
37662+ } while_each_thread(p2, p);
37663+ read_unlock(&tasklist_lock);
37664+ } else if (curracl->mode & GR_KILLPROC)
37665+ gr_fake_force_sig(SIGKILL, task);
37666+
37667+ return;
37668+}
ae4e228f
MT
37669diff -urNp linux-2.6.33.1/grsecurity/gracl_shm.c linux-2.6.33.1/grsecurity/gracl_shm.c
37670--- linux-2.6.33.1/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
37671+++ linux-2.6.33.1/grsecurity/gracl_shm.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
37672@@ -0,0 +1,37 @@
37673+#include <linux/kernel.h>
37674+#include <linux/mm.h>
37675+#include <linux/sched.h>
37676+#include <linux/file.h>
37677+#include <linux/ipc.h>
37678+#include <linux/gracl.h>
37679+#include <linux/grsecurity.h>
37680+#include <linux/grinternal.h>
37681+
37682+int
37683+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37684+ const time_t shm_createtime, const uid_t cuid, const int shmid)
37685+{
37686+ struct task_struct *task;
37687+
37688+ if (!gr_acl_is_enabled())
37689+ return 1;
37690+
37691+ read_lock(&tasklist_lock);
37692+
37693+ task = find_task_by_vpid(shm_cprid);
37694+
37695+ if (unlikely(!task))
37696+ task = find_task_by_vpid(shm_lapid);
37697+
37698+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
37699+ (task->pid == shm_lapid)) &&
37700+ (task->acl->mode & GR_PROTSHM) &&
37701+ (task->acl != current->acl))) {
37702+ read_unlock(&tasklist_lock);
37703+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
37704+ return 0;
37705+ }
37706+ read_unlock(&tasklist_lock);
37707+
37708+ return 1;
37709+}
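Review bot: In gr_handle_shmat the fallback test `task->pid == shm_lapid` compares a global pid with a value that the lookup two statements earlier treats as namespace-relative (`find_task_by_vpid(shm_lapid)`), so the two only agree in the initial pid namespace. For a caller in another pid namespace the comparison would presumably be false, and the GR_PROTSHM denial then depends on the start-time test alone. Comparing like with like, `task_pid_vnr(task) == shm_lapid`, keeps the check consistent with the lookup. A comment should also record that 1 means "allow the attach" and 0 means "deny", and that `start_time.tv_sec` and `shm_createtime` must come from the same clock for `time_before_eq` to be meaningful; neither source is visible in this hunk.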
ae4e228f
MT
37710diff -urNp linux-2.6.33.1/grsecurity/grsec_chdir.c linux-2.6.33.1/grsecurity/grsec_chdir.c
37711--- linux-2.6.33.1/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
37712+++ linux-2.6.33.1/grsecurity/grsec_chdir.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
37713@@ -0,0 +1,19 @@
37714+#include <linux/kernel.h>
37715+#include <linux/sched.h>
37716+#include <linux/fs.h>
37717+#include <linux/file.h>
37718+#include <linux/grsecurity.h>
37719+#include <linux/grinternal.h>
37720+
37721+void
37722+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
37723+{
37724+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
37725+ if ((grsec_enable_chdir && grsec_enable_group &&
37726+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
37727+ !grsec_enable_group)) {
37728+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
37729+ }
37730+#endif
37731+ return;
37732+}
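Review bot: The audit predicate in gr_log_chdir tests `grsec_enable_chdir` twice; `grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))` is equivalent and states the rule in one pass: log every chdir, or only those made by members of the audit group when group auditing is on. A one-line comment to that effect above the `if` would help, since the same predicate shape recurs in gr_handle_exec_args in grsec_exec.c.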
ae4e228f
MT
37733diff -urNp linux-2.6.33.1/grsecurity/grsec_chroot.c linux-2.6.33.1/grsecurity/grsec_chroot.c
37734--- linux-2.6.33.1/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
37735+++ linux-2.6.33.1/grsecurity/grsec_chroot.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
37736@@ -0,0 +1,348 @@
37737+#include <linux/kernel.h>
37738+#include <linux/module.h>
37739+#include <linux/sched.h>
37740+#include <linux/file.h>
37741+#include <linux/fs.h>
37742+#include <linux/mount.h>
37743+#include <linux/types.h>
37744+#include <linux/pid_namespace.h>
37745+#include <linux/grsecurity.h>
37746+#include <linux/grinternal.h>
37747+
37748+int
37749+gr_handle_chroot_unix(const pid_t pid)
37750+{
37751+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
37752+ struct pid *spid = NULL;
37753+
37754+ if (unlikely(!grsec_enable_chroot_unix))
37755+ return 1;
37756+
37757+ if (likely(!proc_is_chrooted(current)))
37758+ return 1;
37759+
37760+ read_lock(&tasklist_lock);
37761+
37762+ spid = find_vpid(pid);
37763+ if (spid) {
37764+ struct task_struct *p;
37765+ p = pid_task(spid, PIDTYPE_PID);
ae4e228f 37766+ gr_fs_read_lock(p);
58c5fc13 37767+ if (unlikely(!have_same_root(current, p))) {
ae4e228f 37768+ gr_fs_read_unlock(p);
58c5fc13
MT
37769+ read_unlock(&tasklist_lock);
37770+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
37771+ return 0;
37772+ }
ae4e228f 37773+ gr_fs_read_unlock(p);
58c5fc13
MT
37774+ }
37775+ read_unlock(&tasklist_lock);
37776+#endif
37777+ return 1;
37778+}
37779+
37780+int
37781+gr_handle_chroot_nice(void)
37782+{
37783+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37784+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
37785+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
37786+ return -EPERM;
37787+ }
37788+#endif
37789+ return 0;
37790+}
37791+
37792+int
37793+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
37794+{
37795+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
37796+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
37797+ && proc_is_chrooted(current)) {
37798+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
37799+ return -EACCES;
37800+ }
37801+#endif
37802+ return 0;
37803+}
37804+
37805+int
37806+gr_handle_chroot_rawio(const struct inode *inode)
37807+{
37808+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
37809+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
37810+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
37811+ return 1;
37812+#endif
37813+ return 0;
37814+}
37815+
37816+int
37817+gr_pid_is_chrooted(struct task_struct *p)
37818+{
37819+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
37820+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
37821+ return 0;
37822+
ae4e228f 37823+ gr_fs_read_lock(p);
58c5fc13
MT
37824+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
37825+ !have_same_root(current, p)) {
ae4e228f 37826+ gr_fs_read_unlock(p);
58c5fc13
MT
37827+ return 1;
37828+ }
ae4e228f 37829+ gr_fs_read_unlock(p);
58c5fc13
MT
37830+#endif
37831+ return 0;
37832+}
37833+
37834+EXPORT_SYMBOL(gr_pid_is_chrooted);
37835+
37836+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
37837+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
37838+{
37839+ struct dentry *dentry = (struct dentry *)u_dentry;
37840+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
37841+ struct dentry *realroot;
37842+ struct vfsmount *realrootmnt;
37843+ struct dentry *currentroot;
37844+ struct vfsmount *currentmnt;
37845+ struct task_struct *reaper = &init_task;
37846+ int ret = 1;
37847+
37848+ read_lock(&reaper->fs->lock);
37849+ realrootmnt = mntget(reaper->fs->root.mnt);
37850+ realroot = dget(reaper->fs->root.dentry);
37851+ read_unlock(&reaper->fs->lock);
37852+
37853+ read_lock(&current->fs->lock);
37854+ currentmnt = mntget(current->fs->root.mnt);
37855+ currentroot = dget(current->fs->root.dentry);
37856+ read_unlock(&current->fs->lock);
37857+
37858+ spin_lock(&dcache_lock);
37859+ for (;;) {
37860+ if (unlikely((dentry == realroot && mnt == realrootmnt)
37861+ || (dentry == currentroot && mnt == currentmnt)))
37862+ break;
37863+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
37864+ if (mnt->mnt_parent == mnt)
37865+ break;
37866+ dentry = mnt->mnt_mountpoint;
37867+ mnt = mnt->mnt_parent;
37868+ continue;
37869+ }
37870+ dentry = dentry->d_parent;
37871+ }
37872+ spin_unlock(&dcache_lock);
37873+
37874+ dput(currentroot);
37875+ mntput(currentmnt);
37876+
37877+ /* access is outside of chroot */
37878+ if (dentry == realroot && mnt == realrootmnt)
37879+ ret = 0;
37880+
37881+ dput(realroot);
37882+ mntput(realrootmnt);
37883+ return ret;
37884+}
37885+#endif
37886+
37887+int
37888+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
37889+{
37890+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
37891+ if (!grsec_enable_chroot_fchdir)
37892+ return 1;
37893+
37894+ if (!proc_is_chrooted(current))
37895+ return 1;
37896+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
37897+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
37898+ return 0;
37899+ }
37900+#endif
37901+ return 1;
37902+}
37903+
37904+int
37905+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
37906+ const time_t shm_createtime)
37907+{
37908+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
37909+ struct pid *pid = NULL;
37910+ time_t starttime;
37911+
37912+ if (unlikely(!grsec_enable_chroot_shmat))
37913+ return 1;
37914+
37915+ if (likely(!proc_is_chrooted(current)))
37916+ return 1;
37917+
37918+ read_lock(&tasklist_lock);
37919+
37920+ pid = find_vpid(shm_cprid);
37921+ if (pid) {
37922+ struct task_struct *p;
37923+ p = pid_task(pid, PIDTYPE_PID);
ae4e228f 37924+ gr_fs_read_lock(p);
58c5fc13
MT
37925+ starttime = p->start_time.tv_sec;
37926+ if (unlikely(!have_same_root(current, p) &&
37927+ time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
ae4e228f 37928+ gr_fs_read_unlock(p);
58c5fc13
MT
37929+ read_unlock(&tasklist_lock);
37930+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37931+ return 0;
37932+ }
ae4e228f 37933+ gr_fs_read_unlock(p);
58c5fc13
MT
37934+ } else {
37935+ pid = find_vpid(shm_lapid);
37936+ if (pid) {
37937+ struct task_struct *p;
37938+ p = pid_task(pid, PIDTYPE_PID);
ae4e228f 37939+ gr_fs_read_lock(p);
58c5fc13 37940+ if (unlikely(!have_same_root(current, p))) {
ae4e228f 37941+ gr_fs_read_unlock(p);
58c5fc13
MT
37942+ read_unlock(&tasklist_lock);
37943+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
37944+ return 0;
37945+ }
ae4e228f 37946+ gr_fs_read_unlock(p);
58c5fc13
MT
37947+ }
37948+ }
37949+
37950+ read_unlock(&tasklist_lock);
37951+#endif
37952+ return 1;
37953+}
37954+
37955+void
37956+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
37957+{
37958+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
37959+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
37960+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
37961+#endif
37962+ return;
37963+}
37964+
37965+int
37966+gr_handle_chroot_mknod(const struct dentry *dentry,
37967+ const struct vfsmount *mnt, const int mode)
37968+{
37969+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
37970+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
37971+ proc_is_chrooted(current)) {
37972+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
37973+ return -EPERM;
37974+ }
37975+#endif
37976+ return 0;
37977+}
37978+
37979+int
37980+gr_handle_chroot_mount(const struct dentry *dentry,
37981+ const struct vfsmount *mnt, const char *dev_name)
37982+{
37983+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
37984+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
37985+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
37986+ return -EPERM;
37987+ }
37988+#endif
37989+ return 0;
37990+}
37991+
37992+int
37993+gr_handle_chroot_pivot(void)
37994+{
37995+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
37996+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
37997+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
37998+ return -EPERM;
37999+ }
38000+#endif
38001+ return 0;
38002+}
38003+
38004+int
38005+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
38006+{
38007+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
38008+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
38009+ !gr_is_outside_chroot(dentry, mnt)) {
38010+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
38011+ return -EPERM;
38012+ }
38013+#endif
38014+ return 0;
38015+}
38016+
38017+int
38018+gr_handle_chroot_caps(struct path *path)
38019+{
38020+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
38021+ if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
38022+ (init_task.fs->root.dentry != path->dentry) &&
38023+ (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
38024+
38025+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
38026+ const struct cred *old = current_cred();
38027+ struct cred *new = prepare_creds();
38028+ if (new == NULL)
38029+ return 1;
38030+
38031+ new->cap_permitted = cap_drop(old->cap_permitted,
38032+ chroot_caps);
38033+ new->cap_inheritable = cap_drop(old->cap_inheritable,
38034+ chroot_caps);
38035+ new->cap_effective = cap_drop(old->cap_effective,
38036+ chroot_caps);
38037+
38038+ commit_creds(new);
38039+
38040+ return 0;
38041+ }
38042+#endif
38043+ return 0;
38044+}
38045+
38046+int
38047+gr_handle_chroot_sysctl(const int op)
38048+{
38049+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
ae4e228f
MT
38050+ if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
38051+ proc_is_chrooted(current))
58c5fc13
MT
38052+ return -EACCES;
38053+#endif
38054+ return 0;
38055+}
38056+
38057+void
38058+gr_handle_chroot_chdir(struct path *path)
38059+{
38060+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
38061+ if (grsec_enable_chroot_chdir)
38062+ set_fs_pwd(current->fs, path);
38063+#endif
38064+ return;
38065+}
38066+
38067+int
38068+gr_handle_chroot_chmod(const struct dentry *dentry,
38069+ const struct vfsmount *mnt, const int mode)
38070+{
38071+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
38072+ if (grsec_enable_chroot_chmod &&
38073+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
38074+ proc_is_chrooted(current)) {
38075+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
38076+ return -EPERM;
38077+ }
38078+#endif
38079+ return 0;
38080+}
38081+
38082+#ifdef CONFIG_SECURITY
38083+EXPORT_SYMBOL(gr_handle_chroot_caps);
38084+#endif
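Review bot: gr_handle_chroot_unix passes the result of `pid_task(spid, PIDTYPE_PID)` straight to `gr_fs_read_lock(p)` and `have_same_root(current, p)` without testing it, and gr_chroot_shmat does the same for both its shm_cprid and shm_lapid lookups. A struct pid returned by find_vpid() can have no task attached for PIDTYPE_PID (for example when the number survives only as a process-group or session id), in which case pid_task() returns NULL. Both helpers are defined outside this hunk, but they presumably dereference p, so each site should wrap the lock/compare/unlock sequence in `if (p) { ... }` and fall through to the existing `read_unlock(&tasklist_lock)`. An exiting task whose `p->fs` is already NULL deserves the same consideration if the helpers do not handle it themselves.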
ae4e228f
MT
38085diff -urNp linux-2.6.33.1/grsecurity/grsec_disabled.c linux-2.6.33.1/grsecurity/grsec_disabled.c
38086--- linux-2.6.33.1/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
38087+++ linux-2.6.33.1/grsecurity/grsec_disabled.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
38088@@ -0,0 +1,426 @@
38089+#include <linux/kernel.h>
38090+#include <linux/module.h>
38091+#include <linux/sched.h>
38092+#include <linux/file.h>
38093+#include <linux/fs.h>
38094+#include <linux/kdev_t.h>
38095+#include <linux/net.h>
38096+#include <linux/in.h>
38097+#include <linux/ip.h>
38098+#include <linux/skbuff.h>
38099+#include <linux/sysctl.h>
38100+
38101+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
38102+void
38103+pax_set_initial_flags(struct linux_binprm *bprm)
38104+{
38105+ return;
38106+}
38107+#endif
38108+
38109+#ifdef CONFIG_SYSCTL
38110+__u32
38111+gr_handle_sysctl(const struct ctl_table * table, const int op)
38112+{
38113+ return 0;
38114+}
38115+#endif
38116+
38117+#ifdef CONFIG_TASKSTATS
38118+int gr_is_taskstats_denied(int pid)
38119+{
38120+ return 0;
38121+}
38122+#endif
38123+
38124+int
38125+gr_acl_is_enabled(void)
38126+{
38127+ return 0;
38128+}
38129+
38130+int
38131+gr_handle_rawio(const struct inode *inode)
38132+{
38133+ return 0;
38134+}
38135+
38136+void
38137+gr_acl_handle_psacct(struct task_struct *task, const long code)
38138+{
38139+ return;
38140+}
38141+
38142+int
38143+gr_handle_ptrace(struct task_struct *task, const long request)
38144+{
38145+ return 0;
38146+}
38147+
38148+int
38149+gr_handle_proc_ptrace(struct task_struct *task)
38150+{
38151+ return 0;
38152+}
38153+
38154+void
38155+gr_learn_resource(const struct task_struct *task,
38156+ const int res, const unsigned long wanted, const int gt)
38157+{
38158+ return;
38159+}
38160+
38161+int
38162+gr_set_acls(const int type)
38163+{
38164+ return 0;
38165+}
38166+
38167+int
38168+gr_check_hidden_task(const struct task_struct *tsk)
38169+{
38170+ return 0;
38171+}
38172+
38173+int
38174+gr_check_protected_task(const struct task_struct *task)
38175+{
38176+ return 0;
38177+}
38178+
38179+void
38180+gr_copy_label(struct task_struct *tsk)
38181+{
38182+ return;
38183+}
38184+
38185+void
38186+gr_set_pax_flags(struct task_struct *task)
38187+{
38188+ return;
38189+}
38190+
38191+int
38192+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
38193+ const int unsafe_share)
38194+{
38195+ return 0;
38196+}
38197+
38198+void
38199+gr_handle_delete(const ino_t ino, const dev_t dev)
38200+{
38201+ return;
38202+}
38203+
38204+void
38205+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
38206+{
38207+ return;
38208+}
38209+
38210+void
38211+gr_handle_crash(struct task_struct *task, const int sig)
38212+{
38213+ return;
38214+}
38215+
38216+int
38217+gr_check_crash_exec(const struct file *filp)
38218+{
38219+ return 0;
38220+}
38221+
38222+int
38223+gr_check_crash_uid(const uid_t uid)
38224+{
38225+ return 0;
38226+}
38227+
38228+void
38229+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
38230+ struct dentry *old_dentry,
38231+ struct dentry *new_dentry,
38232+ struct vfsmount *mnt, const __u8 replace)
38233+{
38234+ return;
38235+}
38236+
38237+int
38238+gr_search_socket(const int family, const int type, const int protocol)
38239+{
38240+ return 1;
38241+}
38242+
38243+int
38244+gr_search_connectbind(const int mode, const struct socket *sock,
38245+ const struct sockaddr_in *addr)
38246+{
38247+ return 0;
38248+}
38249+
38250+int
38251+gr_is_capable(const int cap)
38252+{
38253+ return 1;
38254+}
38255+
38256+int
38257+gr_is_capable_nolog(const int cap)
38258+{
38259+ return 1;
38260+}
38261+
38262+void
38263+gr_handle_alertkill(struct task_struct *task)
38264+{
38265+ return;
38266+}
38267+
38268+__u32
38269+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
38270+{
38271+ return 1;
38272+}
38273+
38274+__u32
38275+gr_acl_handle_hidden_file(const struct dentry * dentry,
38276+ const struct vfsmount * mnt)
38277+{
38278+ return 1;
38279+}
38280+
38281+__u32
38282+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38283+ const int fmode)
38284+{
38285+ return 1;
38286+}
38287+
38288+__u32
38289+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38290+{
38291+ return 1;
38292+}
38293+
38294+__u32
38295+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
38296+{
38297+ return 1;
38298+}
38299+
38300+int
38301+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
38302+ unsigned int *vm_flags)
38303+{
38304+ return 1;
38305+}
38306+
38307+__u32
38308+gr_acl_handle_truncate(const struct dentry * dentry,
38309+ const struct vfsmount * mnt)
38310+{
38311+ return 1;
38312+}
38313+
38314+__u32
38315+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
38316+{
38317+ return 1;
38318+}
38319+
38320+__u32
38321+gr_acl_handle_access(const struct dentry * dentry,
38322+ const struct vfsmount * mnt, const int fmode)
38323+{
38324+ return 1;
38325+}
38326+
38327+__u32
38328+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
38329+ mode_t mode)
38330+{
38331+ return 1;
38332+}
38333+
38334+__u32
38335+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
38336+ mode_t mode)
38337+{
38338+ return 1;
38339+}
38340+
38341+__u32
38342+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
38343+{
38344+ return 1;
38345+}
38346+
38347+void
38348+grsecurity_init(void)
38349+{
38350+ return;
38351+}
38352+
38353+__u32
38354+gr_acl_handle_mknod(const struct dentry * new_dentry,
38355+ const struct dentry * parent_dentry,
38356+ const struct vfsmount * parent_mnt,
38357+ const int mode)
38358+{
38359+ return 1;
38360+}
38361+
38362+__u32
38363+gr_acl_handle_mkdir(const struct dentry * new_dentry,
38364+ const struct dentry * parent_dentry,
38365+ const struct vfsmount * parent_mnt)
38366+{
38367+ return 1;
38368+}
38369+
38370+__u32
38371+gr_acl_handle_symlink(const struct dentry * new_dentry,
38372+ const struct dentry * parent_dentry,
38373+ const struct vfsmount * parent_mnt, const char *from)
38374+{
38375+ return 1;
38376+}
38377+
38378+__u32
38379+gr_acl_handle_link(const struct dentry * new_dentry,
38380+ const struct dentry * parent_dentry,
38381+ const struct vfsmount * parent_mnt,
38382+ const struct dentry * old_dentry,
38383+ const struct vfsmount * old_mnt, const char *to)
38384+{
38385+ return 1;
38386+}
38387+
38388+int
38389+gr_acl_handle_rename(const struct dentry *new_dentry,
38390+ const struct dentry *parent_dentry,
38391+ const struct vfsmount *parent_mnt,
38392+ const struct dentry *old_dentry,
38393+ const struct inode *old_parent_inode,
38394+ const struct vfsmount *old_mnt, const char *newname)
38395+{
38396+ return 0;
38397+}
38398+
38399+int
38400+gr_acl_handle_filldir(const struct file *file, const char *name,
38401+ const int namelen, const ino_t ino)
38402+{
38403+ return 1;
38404+}
38405+
38406+int
38407+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
38408+ const time_t shm_createtime, const uid_t cuid, const int shmid)
38409+{
38410+ return 1;
38411+}
38412+
38413+int
38414+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
38415+{
38416+ return 0;
38417+}
38418+
38419+int
38420+gr_search_accept(const struct socket *sock)
38421+{
38422+ return 0;
38423+}
38424+
38425+int
38426+gr_search_listen(const struct socket *sock)
38427+{
38428+ return 0;
38429+}
38430+
38431+int
38432+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
38433+{
38434+ return 0;
38435+}
38436+
38437+__u32
38438+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
38439+{
38440+ return 1;
38441+}
38442+
38443+__u32
38444+gr_acl_handle_creat(const struct dentry * dentry,
38445+ const struct dentry * p_dentry,
38446+ const struct vfsmount * p_mnt, const int fmode,
38447+ const int imode)
38448+{
38449+ return 1;
38450+}
38451+
38452+void
38453+gr_acl_handle_exit(void)
38454+{
38455+ return;
38456+}
38457+
38458+int
38459+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38460+{
38461+ return 1;
38462+}
38463+
38464+void
38465+gr_set_role_label(const uid_t uid, const gid_t gid)
38466+{
38467+ return;
38468+}
38469+
38470+int
38471+gr_acl_handle_procpidmem(const struct task_struct *task)
38472+{
38473+ return 0;
38474+}
38475+
38476+int
38477+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
38478+{
38479+ return 0;
38480+}
38481+
38482+int
38483+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
38484+{
38485+ return 0;
38486+}
38487+
38488+void
38489+gr_set_kernel_label(struct task_struct *task)
38490+{
38491+ return;
38492+}
38493+
38494+int
38495+gr_check_user_change(int real, int effective, int fs)
38496+{
38497+ return 0;
38498+}
38499+
38500+int
38501+gr_check_group_change(int real, int effective, int fs)
38502+{
38503+ return 0;
38504+}
38505+
38506+
38507+EXPORT_SYMBOL(gr_is_capable);
38508+EXPORT_SYMBOL(gr_is_capable_nolog);
38509+EXPORT_SYMBOL(gr_learn_resource);
38510+EXPORT_SYMBOL(gr_set_kernel_label);
38511+#ifdef CONFIG_SECURITY
38512+EXPORT_SYMBOL(gr_check_user_change);
38513+EXPORT_SYMBOL(gr_check_group_change);
38514+#endif
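Review bot: This file of stubs has no comment saying what each return value means, and the values are not uniform: most gr_acl_handle_* stubs, gr_search_socket and gr_is_capable* return 1, while gr_acl_handle_rename, gr_acl_handle_procpidmem, the other gr_search_* socket hooks and the gr_check_* hooks return 0. Presumably each stub returns whatever its real counterpart uses for "permitted", but that cannot be confirmed from this hunk, and a wrong constant would silently turn a hook into deny-all or allow-all. A header comment such as `/* RBAC disabled: each stub returns the value its call site treats as "permitted" (1 for mask-style hooks, 0 for errno-style hooks) */` would record the contract, once each stub has been checked against its caller.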
ae4e228f
MT
38515diff -urNp linux-2.6.33.1/grsecurity/grsec_exec.c linux-2.6.33.1/grsecurity/grsec_exec.c
38516--- linux-2.6.33.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
38517+++ linux-2.6.33.1/grsecurity/grsec_exec.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
38518@@ -0,0 +1,89 @@
38519+#include <linux/kernel.h>
38520+#include <linux/sched.h>
38521+#include <linux/file.h>
38522+#include <linux/binfmts.h>
38523+#include <linux/smp_lock.h>
38524+#include <linux/fs.h>
38525+#include <linux/types.h>
38526+#include <linux/grdefs.h>
38527+#include <linux/grinternal.h>
38528+#include <linux/capability.h>
38529+
38530+#include <asm/uaccess.h>
38531+
38532+#ifdef CONFIG_GRKERNSEC_EXECLOG
38533+static char gr_exec_arg_buf[132];
38534+static DECLARE_MUTEX(gr_exec_arg_sem);
38535+#endif
38536+
38537+int
38538+gr_handle_nproc(void)
38539+{
38540+#ifdef CONFIG_GRKERNSEC_EXECVE
38541+ const struct cred *cred = current_cred();
38542+ if (grsec_enable_execve && cred->user &&
38543+ (atomic_read(&cred->user->processes) >
38544+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
38545+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
38546+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
38547+ return -EAGAIN;
38548+ }
38549+#endif
38550+ return 0;
38551+}
38552+
38553+void
38554+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
38555+{
38556+#ifdef CONFIG_GRKERNSEC_EXECLOG
38557+ char *grarg = gr_exec_arg_buf;
38558+ unsigned int i, x, execlen = 0;
38559+ char c;
38560+
38561+ if (!((grsec_enable_execlog && grsec_enable_group &&
38562+ in_group_p(grsec_audit_gid))
38563+ || (grsec_enable_execlog && !grsec_enable_group)))
38564+ return;
38565+
38566+ down(&gr_exec_arg_sem);
38567+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
38568+
38569+ if (unlikely(argv == NULL))
38570+ goto log;
38571+
38572+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
38573+ const char __user *p;
38574+ unsigned int len;
38575+
38576+ if (copy_from_user(&p, argv + i, sizeof(p)))
38577+ goto log;
38578+ if (!p)
38579+ goto log;
38580+ len = strnlen_user(p, 128 - execlen);
38581+ if (len > 128 - execlen)
38582+ len = 128 - execlen;
38583+ else if (len > 0)
38584+ len--;
38585+ if (copy_from_user(grarg + execlen, p, len))
38586+ goto log;
38587+
38588+ /* rewrite unprintable characters */
38589+ for (x = 0; x < len; x++) {
38590+ c = *(grarg + execlen + x);
38591+ if (c < 32 || c > 126)
38592+ *(grarg + execlen + x) = ' ';
38593+ }
38594+
38595+ execlen += len;
38596+ *(grarg + execlen) = ' ';
38597+ *(grarg + execlen + 1) = '\0';
38598+ execlen++;
38599+ }
38600+
38601+ log:
38602+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
38603+ bprm->file->f_path.mnt, grarg);
38604+ up(&gr_exec_arg_sem);
38605+#endif
38606+ return;
38607+}
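Review bot: gr_handle_exec_args builds the audit string by fetching argv and each argument from user memory itself (`copy_from_user(&p, argv + i, sizeof(p))`, `strnlen_user`, `copy_from_user(grarg + execlen, p, len)`), which is presumably a separate read from the copy the exec path makes for the new image; the caller is outside this hunk. If so, another thread sharing the address space can change the strings between the two reads, so the logged command line is advisory rather than a record of what actually ran; a comment such as `/* args are re-read from userspace for logging and may differ from the executed argv */` would set expectations for anyone relying on the log. The limit 128 is also repeated several times and is tied to the 132-byte `gr_exec_arg_buf` only by arithmetic (the trailing `' '` and `'\0'` land at indexes 128 and 129 at most); a named constant defined next to the buffer would make that bound checkable.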
ae4e228f
MT
38608diff -urNp linux-2.6.33.1/grsecurity/grsec_fifo.c linux-2.6.33.1/grsecurity/grsec_fifo.c
38609--- linux-2.6.33.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
38610+++ linux-2.6.33.1/grsecurity/grsec_fifo.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
38611@@ -0,0 +1,24 @@
38612+#include <linux/kernel.h>
38613+#include <linux/sched.h>
38614+#include <linux/fs.h>
38615+#include <linux/file.h>
38616+#include <linux/grinternal.h>
38617+
38618+int
38619+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
38620+ const struct dentry *dir, const int flag, const int acc_mode)
38621+{
38622+#ifdef CONFIG_GRKERNSEC_FIFO
38623+ const struct cred *cred = current_cred();
38624+
38625+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
38626+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
38627+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
38628+ (cred->fsuid != dentry->d_inode->i_uid)) {
38629+ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
38630+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
38631+ return -EACCES;
38632+ }
38633+#endif
38634+ return 0;
38635+}
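Review bot: In gr_handle_fifo the inner `if (!generic_permission(...))` guards only the gr_log_fs_int2() call; the `return -EACCES` after it runs for every open that matches the outer condition. With no braces and no comment this reads like a possible "goto fail"-style slip, so a comment such as `/* log only when the ordinary permission check would have allowed the open; it is denied either way */` above the inner `if` would make the intent explicit. The outer condition (a FIFO in a sticky directory that belongs neither to the directory's owner nor to the caller's fsuid, opened without O_EXCL) also deserves a one-line description.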
ae4e228f
MT
38636diff -urNp linux-2.6.33.1/grsecurity/grsec_fork.c linux-2.6.33.1/grsecurity/grsec_fork.c
38637--- linux-2.6.33.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
38638+++ linux-2.6.33.1/grsecurity/grsec_fork.c 2010-03-20 16:58:41.892922620 -0400
58c5fc13
MT
38639@@ -0,0 +1,15 @@
38640+#include <linux/kernel.h>
38641+#include <linux/sched.h>
38642+#include <linux/grsecurity.h>
38643+#include <linux/grinternal.h>
38644+#include <linux/errno.h>
38645+
38646+void
38647+gr_log_forkfail(const int retval)
38648+{
38649+#ifdef CONFIG_GRKERNSEC_FORKFAIL
38650+ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
38651+ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
38652+#endif
38653+ return;
38654+}
ae4e228f
MT
38655diff -urNp linux-2.6.33.1/grsecurity/grsec_init.c linux-2.6.33.1/grsecurity/grsec_init.c
38656--- linux-2.6.33.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
38657+++ linux-2.6.33.1/grsecurity/grsec_init.c 2010-03-20 17:00:48.140865901 -0400
38658@@ -0,0 +1,241 @@
58c5fc13
MT
38659+#include <linux/kernel.h>
38660+#include <linux/sched.h>
38661+#include <linux/mm.h>
38662+#include <linux/smp_lock.h>
38663+#include <linux/gracl.h>
38664+#include <linux/slab.h>
38665+#include <linux/vmalloc.h>
38666+#include <linux/percpu.h>
38667+
38668+int grsec_enable_link;
38669+int grsec_enable_dmesg;
38670+int grsec_enable_harden_ptrace;
38671+int grsec_enable_fifo;
38672+int grsec_enable_execve;
38673+int grsec_enable_execlog;
38674+int grsec_enable_signal;
38675+int grsec_enable_forkfail;
ae4e228f 38676+int grsec_enable_audit_ptrace;
58c5fc13
MT
38677+int grsec_enable_time;
38678+int grsec_enable_audit_textrel;
38679+int grsec_enable_group;
38680+int grsec_audit_gid;
38681+int grsec_enable_chdir;
38682+int grsec_enable_mount;
ae4e228f 38683+int grsec_enable_rofs;
58c5fc13
MT
38684+int grsec_enable_chroot_findtask;
38685+int grsec_enable_chroot_mount;
38686+int grsec_enable_chroot_shmat;
38687+int grsec_enable_chroot_fchdir;
38688+int grsec_enable_chroot_double;
38689+int grsec_enable_chroot_pivot;
38690+int grsec_enable_chroot_chdir;
38691+int grsec_enable_chroot_chmod;
38692+int grsec_enable_chroot_mknod;
38693+int grsec_enable_chroot_nice;
38694+int grsec_enable_chroot_execlog;
38695+int grsec_enable_chroot_caps;
38696+int grsec_enable_chroot_sysctl;
38697+int grsec_enable_chroot_unix;
38698+int grsec_enable_tpe;
38699+int grsec_tpe_gid;
ae4e228f
MT
38700+int grsec_enable_blackhole;
38701+int grsec_lastack_retries;
58c5fc13
MT
38702+int grsec_enable_tpe_all;
38703+int grsec_enable_socket_all;
38704+int grsec_socket_all_gid;
38705+int grsec_enable_socket_client;
38706+int grsec_socket_client_gid;
38707+int grsec_enable_socket_server;
38708+int grsec_socket_server_gid;
38709+int grsec_resource_logging;
38710+int grsec_lock;
38711+
38712+DEFINE_SPINLOCK(grsec_alert_lock);
38713+unsigned long grsec_alert_wtime = 0;
38714+unsigned long grsec_alert_fyet = 0;
38715+
38716+DEFINE_SPINLOCK(grsec_audit_lock);
38717+
38718+DEFINE_RWLOCK(grsec_exec_file_lock);
38719+
38720+char *gr_shared_page[4];
38721+
38722+char *gr_alert_log_fmt;
38723+char *gr_audit_log_fmt;
38724+char *gr_alert_log_buf;
38725+char *gr_audit_log_buf;
38726+
38727+extern struct gr_arg *gr_usermode;
38728+extern unsigned char *gr_system_salt;
38729+extern unsigned char *gr_system_sum;
38730+
38731+void __init
38732+grsecurity_init(void)
38733+{
38734+ int j;
38735+ /* create the per-cpu shared pages */
38736+
38737+#ifdef CONFIG_X86
38738+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
38739+#endif
38740+
38741+ for (j = 0; j < 4; j++) {
38742+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
38743+ if (gr_shared_page[j] == NULL) {
38744+ panic("Unable to allocate grsecurity shared page");
38745+ return;
38746+ }
38747+ }
38748+
38749+ /* allocate log buffers */
38750+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
38751+ if (!gr_alert_log_fmt) {
38752+ panic("Unable to allocate grsecurity alert log format buffer");
38753+ return;
38754+ }
38755+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
38756+ if (!gr_audit_log_fmt) {
38757+ panic("Unable to allocate grsecurity audit log format buffer");
38758+ return;
38759+ }
38760+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38761+ if (!gr_alert_log_buf) {
38762+ panic("Unable to allocate grsecurity alert log buffer");
38763+ return;
38764+ }
38765+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
38766+ if (!gr_audit_log_buf) {
38767+ panic("Unable to allocate grsecurity audit log buffer");
38768+ return;
38769+ }
38770+
38771+ /* allocate memory for authentication structure */
38772+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
38773+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
38774+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
38775+
38776+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
38777+ panic("Unable to allocate grsecurity authentication structure");
38778+ return;
38779+ }
38780+
38781+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
38782+#ifndef CONFIG_GRKERNSEC_SYSCTL
38783+ grsec_lock = 1;
38784+#endif
38785+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
38786+ grsec_enable_audit_textrel = 1;
38787+#endif
38788+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
38789+ grsec_enable_group = 1;
38790+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
38791+#endif
38792+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
38793+ grsec_enable_chdir = 1;
38794+#endif
38795+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38796+ grsec_enable_harden_ptrace = 1;
38797+#endif
38798+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
38799+ grsec_enable_mount = 1;
38800+#endif
38801+#ifdef CONFIG_GRKERNSEC_LINK
38802+ grsec_enable_link = 1;
38803+#endif
38804+#ifdef CONFIG_GRKERNSEC_DMESG
38805+ grsec_enable_dmesg = 1;
38806+#endif
ae4e228f
MT
38807+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
38808+ grsec_enable_blackhole = 1;
38809+ grsec_lastack_retries = 4;
38810+#endif
58c5fc13
MT
38811+#ifdef CONFIG_GRKERNSEC_FIFO
38812+ grsec_enable_fifo = 1;
38813+#endif
38814+#ifdef CONFIG_GRKERNSEC_EXECVE
38815+ grsec_enable_execve = 1;
38816+#endif
38817+#ifdef CONFIG_GRKERNSEC_EXECLOG
38818+ grsec_enable_execlog = 1;
38819+#endif
38820+#ifdef CONFIG_GRKERNSEC_SIGNAL
38821+ grsec_enable_signal = 1;
38822+#endif
38823+#ifdef CONFIG_GRKERNSEC_FORKFAIL
38824+ grsec_enable_forkfail = 1;
38825+#endif
38826+#ifdef CONFIG_GRKERNSEC_TIME
38827+ grsec_enable_time = 1;
38828+#endif
38829+#ifdef CONFIG_GRKERNSEC_RESLOG
38830+ grsec_resource_logging = 1;
38831+#endif
38832+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
38833+ grsec_enable_chroot_findtask = 1;
38834+#endif
38835+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
38836+ grsec_enable_chroot_unix = 1;
38837+#endif
38838+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
38839+ grsec_enable_chroot_mount = 1;
38840+#endif
38841+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
38842+ grsec_enable_chroot_fchdir = 1;
38843+#endif
38844+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
38845+ grsec_enable_chroot_shmat = 1;
38846+#endif
ae4e228f
MT
38847+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
38848+ grsec_enable_audit_ptrace = 1;
38849+#endif
58c5fc13
MT
38850+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
38851+ grsec_enable_chroot_double = 1;
38852+#endif
38853+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
38854+ grsec_enable_chroot_pivot = 1;
38855+#endif
38856+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
38857+ grsec_enable_chroot_chdir = 1;
38858+#endif
38859+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
38860+ grsec_enable_chroot_chmod = 1;
38861+#endif
38862+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
38863+ grsec_enable_chroot_mknod = 1;
38864+#endif
38865+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
38866+ grsec_enable_chroot_nice = 1;
38867+#endif
38868+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
38869+ grsec_enable_chroot_execlog = 1;
38870+#endif
38871+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
38872+ grsec_enable_chroot_caps = 1;
38873+#endif
38874+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
38875+ grsec_enable_chroot_sysctl = 1;
38876+#endif
38877+#ifdef CONFIG_GRKERNSEC_TPE
38878+ grsec_enable_tpe = 1;
38879+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
38880+#ifdef CONFIG_GRKERNSEC_TPE_ALL
38881+ grsec_enable_tpe_all = 1;
38882+#endif
38883+#endif
38884+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
38885+ grsec_enable_socket_all = 1;
38886+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
38887+#endif
38888+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
38889+ grsec_enable_socket_client = 1;
38890+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
38891+#endif
38892+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
38893+ grsec_enable_socket_server = 1;
38894+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
38895+#endif
38896+#endif
38897+
38898+ return;
38899+}
ae4e228f
MT
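--- a/grsecurity/grsec_link.c
+++ b/grsecurity/grsec_link.c
@@ -0,0 +1,43 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_follow_link(const struct inode *parent,
+ const struct inode *inode,
+ const struct dentry *dentry, const struct vfsmount *mnt)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+ const struct cred *cred = current_cred();
+
+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
+ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
+ return -EACCES;
+ }
+#endif
+ return 0;
+}
+
+int
+gr_handle_hardlink(const struct dentry *dentry,
+ const struct vfsmount *mnt,
+ struct inode *inode, const int mode, const char *to)
+{
+#ifdef CONFIG_GRKERNSEC_LINK
+ const struct cred *cred = current_cred();
+
+ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
+ (!S_ISREG(mode) || (mode & S_ISUID) ||
+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
+ !capable(CAP_FOWNER) && cred->uid) {
+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
+ return -EPERM;
+ }
+#endif
+ return 0;
+}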
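Review bot: The last clause of the gr_handle_hardlink condition, `!capable(CAP_FOWNER) && cred->uid`, exempts any task whose real uid is 0 even after it has dropped CAP_FOWNER, while the ownership test at the start of the same condition compares `cred->fsuid`. If the exemption is meant to follow privilege rather than identity, `!capable(CAP_FOWNER)` alone expresses it; if the uid 0 bypass is deliberate, a comment should say so. The `generic_permission(inode, MAY_READ | MAY_WRITE, NULL)` term is non-zero when access is refused, which reads backwards at first glance; a comment such as `/* deny unless the caller could already read and write the target */` above the condition would help. Neither function has a header comment stating its policy (symlinks in sticky world-writable directories, hard links to files the caller does not own).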
ae4e228f
MT
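--- a/grsecurity/grsec_log.c
+++ b/grsecurity/grsec_log.c
@@ -0,0 +1,296 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/tty.h>
+#include <linux/fs.h>
+#include <linux/grinternal.h>
+
+#define BEGIN_LOCKS(x) \
+ rcu_read_lock(); \
+ read_lock(&tasklist_lock); \
+ read_lock(&grsec_exec_file_lock); \
+ if (x != GR_DO_AUDIT) \
+ spin_lock(&grsec_alert_lock); \
+ else \
+ spin_lock(&grsec_audit_lock)
+
+#define END_LOCKS(x) \
+ if (x != GR_DO_AUDIT) \
+ spin_unlock(&grsec_alert_lock); \
+ else \
+ spin_unlock(&grsec_audit_lock); \
+ read_unlock(&grsec_exec_file_lock); \
+ read_unlock(&tasklist_lock); \
+ rcu_read_unlock(); \
+ if (x == GR_DONT_AUDIT) \
+ gr_handle_alertkill(current)
+
+enum {
+ FLOODING,
+ NO_FLOODING
+};
+
+extern char *gr_alert_log_fmt;
+extern char *gr_audit_log_fmt;
+extern char *gr_alert_log_buf;
+extern char *gr_audit_log_buf;
+
+static int gr_log_start(int audit)
+{
+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
+
+ if (audit == GR_DO_AUDIT)
+ goto set_fmt;
+
+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
+ grsec_alert_wtime = jiffies;
+ grsec_alert_fyet = 0;
+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
+ grsec_alert_fyet++;
+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
+ grsec_alert_wtime = jiffies;
+ grsec_alert_fyet++;
+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
+ return FLOODING;
+ } else return FLOODING;
+
+set_fmt:
+ memset(buf, 0, PAGE_SIZE);
+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
+ } else if (current->signal->curr_ip) {
+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
+ } else if (gr_acl_is_enabled()) {
+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
+ } else {
+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
+ strcpy(buf, fmt);
+ }
+
+ return NO_FLOODING;
+}
+
+static void gr_log_middle(int audit, const char *msg, va_list ap)
+ __attribute__ ((format (printf, 2, 0)));
+
+static void gr_log_middle(int audit, const char *msg, va_list ap)
+{
+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
+ unsigned int len = strlen(buf);
+
+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
+
+ return;
+}
+
+static void gr_log_middle_varargs(int audit, const char *msg, ...)
+ __attribute__ ((format (printf, 2, 3)));
+
+static void gr_log_middle_varargs(int audit, const char *msg, ...)
+{
+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
+ unsigned int len = strlen(buf);
+ va_list ap;
+
+ va_start(ap, msg);
+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
+ va_end(ap);
+
+ return;
+}
+
+static void gr_log_end(int audit)
+{
+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
+ unsigned int len = strlen(buf);
+
+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
+ printk("%s\n", buf);
+
+ return;
+}
+
+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
+{
+ int logtype;
+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
+ char *str1, *str2, *str3;
+ void *voidptr;
+ int num1, num2;
+ unsigned long ulong1, ulong2;
+ struct dentry *dentry;
+ struct vfsmount *mnt;
+ struct file *file;
+ struct task_struct *task;
+ const struct cred *cred, *pcred;
+ va_list ap;
+
+ BEGIN_LOCKS(audit);
+ logtype = gr_log_start(audit);
+ if (logtype == FLOODING) {
+ END_LOCKS(audit);
+ return;
+ }
+ va_start(ap, argtypes);
+ switch (argtypes) {
+ case GR_TTYSNIFF:
+ task = va_arg(ap, struct task_struct *);
+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
+ break;
+ case GR_SYSCTL_HIDDEN:
+ str1 = va_arg(ap, char *);
+ gr_log_middle_varargs(audit, msg, result, str1);
+ break;
+ case GR_RBAC:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
+ break;
+ case GR_RBAC_STR:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ str1 = va_arg(ap, char *);
+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
+ break;
+ case GR_STR_RBAC:
+ str1 = va_arg(ap, char *);
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
+ break;
+ case GR_RBAC_MODE2:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ str1 = va_arg(ap, char *);
+ str2 = va_arg(ap, char *);
+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
+ break;
+ case GR_RBAC_MODE3:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ str1 = va_arg(ap, char *);
+ str2 = va_arg(ap, char *);
+ str3 = va_arg(ap, char *);
+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
+ break;
+ case GR_FILENAME:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
+ break;
+ case GR_STR_FILENAME:
+ str1 = va_arg(ap, char *);
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
+ break;
+ case GR_FILENAME_STR:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ str1 = va_arg(ap, char *);
+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
+ break;
+ case GR_FILENAME_TWO_INT:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ num1 = va_arg(ap, int);
+ num2 = va_arg(ap, int);
+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
+ break;
+ case GR_FILENAME_TWO_INT_STR:
+ dentry = va_arg(ap, struct dentry *);
+ mnt = va_arg(ap, struct vfsmount *);
+ num1 = va_arg(ap, int);
+ num2 = va_arg(ap, int);
+ str1 = va_arg(ap, char *);
+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
+ break;
+ case GR_TEXTREL:
+ file = va_arg(ap, struct file *);
+ ulong1 = va_arg(ap, unsigned long);
+ ulong2 = va_arg(ap, unsigned long);
+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
+ break;
+ case GR_PTRACE:
+ task = va_arg(ap, struct task_struct *);
+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
+ break;
+ case GR_RESOURCE:
+ task = va_arg(ap, struct task_struct *);
+ cred = __task_cred(task);
+ pcred = __task_cred(task->parent);
+ ulong1 = va_arg(ap, unsigned long);
+ str1 = va_arg(ap, char *);
+ ulong2 = va_arg(ap, unsigned long);
+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
+ break;
+ case GR_CAP:
+ task = va_arg(ap, struct task_struct *);
+ cred = __task_cred(task);
+ pcred = __task_cred(task->parent);
+ str1 = va_arg(ap, char *);
+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
+ break;
+ case GR_SIG:
+ str1 = va_arg(ap, char *);
+ voidptr = va_arg(ap, void *);
+ gr_log_middle_varargs(audit, msg, str1, voidptr);
+ break;
+ case GR_SIG2:
+ task = va_arg(ap, struct task_struct *);
+ cred = __task_cred(task);
+ pcred = __task_cred(task->parent);
+ num1 = va_arg(ap, int);
+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
+ break;
+ case GR_CRASH1:
+ task = va_arg(ap, struct task_struct *);
+ cred = __task_cred(task);
+ pcred = __task_cred(task->parent);
+ ulong1 = va_arg(ap, unsigned long);
+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
+ break;
+ case GR_CRASH2:
+ task = va_arg(ap, struct task_struct *);
+ cred = __task_cred(task);
+ pcred = __task_cred(task->parent);
+ ulong1 = va_arg(ap, unsigned long);
+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
+ break;
+ case GR_PSACCT:
+ {
+ unsigned int wday, cday;
+ __u8 whr, chr;
+ __u8 wmin, cmin;
+ __u8 wsec, csec;
+ char cur_tty[64] = { 0 };
+ char parent_tty[64] = { 0 };
+
+ task = va_arg(ap, struct task_struct *);
+ wday = va_arg(ap, unsigned int);
+ cday = va_arg(ap, unsigned int);
+ whr = va_arg(ap, int);
+ chr = va_arg(ap, int);
+ wmin = va_arg(ap, int);
+ cmin = va_arg(ap, int);
+ wsec = va_arg(ap, int);
+ csec = va_arg(ap, int);
+ ulong1 = va_arg(ap, unsigned long);
+ cred = __task_cred(task);
+ pcred = __task_cred(task->parent);
+
+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
+ }
+ break;
+ default:
+ gr_log_middle(audit, msg, ap);
+ }
+ va_end(ap);
+ gr_log_end(audit);
+ END_LOCKS(audit);
+}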
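Review bot: The alert rate limiter in gr_log_start keeps a single global window (`grsec_alert_wtime`, `grsec_alert_fyet`), so once CONFIG_GRKERNSEC_FLOODBURST alerts have been logged, every further alert from any task is dropped until the window expires, and nothing records how many were dropped. For incident response that leaves a gap of unknown size in the alert stream; counting suppressed alerts and printing the count when the window reopens would make the gap visible. The counter needs no extra locking because gr_log_varargs calls gr_log_start with grsec_alert_lock held on the alert path. Separately, BEGIN_LOCKS and END_LOCKS expand to several statements ending in an unbraced if/else with an unparenthesised `x`; wrapping each body in `do { ... } while (0)` would make them safe in unbraced callers.

```c
static unsigned long grsec_alert_dropped;	/* alerts suppressed in the current window */

/* … unchanged: loglevel/fmt/buf selection and the GR_DO_AUDIT shortcut … */
	if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
		if (grsec_alert_dropped)
			printk(KERN_ALERT "grsec: %lu alerts were suppressed\n", grsec_alert_dropped);
		grsec_alert_dropped = 0;
		grsec_alert_wtime = jiffies;
		grsec_alert_fyet = 0;
	/* … unchanged: burst-counting branch … */
	} else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
		/* … unchanged: restart the window and print the "logging disabled" notice … */
		grsec_alert_dropped++;
		return FLOODING;
	} else {
		grsec_alert_dropped++;
		return FLOODING;
	}
```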
ae4e228f
MT
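--- a/grsecurity/grsec_mem.c
+++ b/grsecurity/grsec_mem.c
@@ -0,0 +1,85 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/mman.h>
+#include <linux/grinternal.h>
+
+void
+gr_handle_ioperm(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
+ return;
+}
+
+void
+gr_handle_iopl(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
+ return;
+}
+
+void
+gr_handle_mem_write(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
+ return;
+}
+
+void
+gr_handle_kmem_write(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
+ return;
+}
+
+void
+gr_handle_open_port(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
+ return;
+}
+
+int
+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
+{
+ unsigned long start, end;
+
+ start = offset;
+ end = start + vma->vm_end - vma->vm_start;
+
+ if (start > end) {
+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
+ return -EPERM;
+ }
+
+ /* allowed ranges : ISA I/O BIOS */
+ if ((start >= __pa(high_memory))
+#if defined(CONFIG_X86) || defined(CONFIG_PPC)
+ || (start >= 0x000a0000 && end <= 0x00100000)
+ || (start >= 0x00000000 && end <= 0x00001000)
+#endif
+ )
+ return 0;
+
+ if (vma->vm_flags & VM_WRITE) {
+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
+ return -EPERM;
+ } else
+ vma->vm_flags &= ~VM_MAYWRITE;
+
+ return 0;
+}
+
+void
+gr_log_nonroot_mod_load(const char *modname)
+{
+ gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
+ return;
+}
+
+void
+gr_handle_vm86(void)
+{
+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
+ return;
+}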
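Review bot: In gr_handle_mem_mmap the clause `start >= 0x00000000` is always true for an `unsigned long`, so the second low range is decided by `end <= 0x00001000` alone; writing just that avoids a tautological-compare warning and states the intent. The function also has no comment describing its policy, which the existing `/* allowed ranges : ISA I/O BIOS */` only hints at: mappings at or above `__pa(high_memory)` and, on x86/PPC, the two low ranges are allowed as requested, while anything else is refused when writable and otherwise has VM_MAYWRITE cleared. A header comment saying that, noting that `start > end` is the wrap-around check, and recording that `offset` is presumably a physical byte address (the caller is outside this section) would make the check reviewable.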
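--- a/grsecurity/grsec_mount.c
+++ b/grsecurity/grsec_mount.c
@@ -0,0 +1,62 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mount.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_remount(const char *devname, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+ if (grsec_enable_mount && (retval >= 0))
+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
+#endif
+ return;
+}
+
+void
+gr_log_unmount(const char *devname, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+ if (grsec_enable_mount && (retval >= 0))
+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
+#endif
+ return;
+}
+
+void
+gr_log_mount(const char *from, const char *to, const int retval)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+ if (grsec_enable_mount && (retval >= 0))
+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
+#endif
+ return;
+}
+
+int
+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
+{
+#ifdef CONFIG_GRKERNSEC_ROFS
+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
+ return -EPERM;
+ } else
+ return 0;
+#endif
+ return 0;
+}
+
+int
+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
+{
+#ifdef CONFIG_GRKERNSEC_ROFS
+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
+ return -EPERM;
+ } else
+ return 0;
+#endif
+ return 0;
+}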
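Review bot: gr_handle_rofs_mount and gr_handle_rofs_blockwrite return -EPERM but log through GR_DO_AUDIT, whereas the denials in grsec_link.c and grsec_mem.c in this patch use GR_DONT_AUDIT. In gr_log_start the GR_DO_AUDIT path selects KERN_INFO and the audit buffer and skips the alert rate limiter, so these refusals would not show up at alert level. If that is intended, a comment such as `/* refusals are logged on the audit path (KERN_INFO) on purpose */` should record it; otherwise GR_DONT_AUDIT would match the other denials. The `else return 0;` before `#endif` in both functions duplicates the final `return 0;`, and gr_log_mount passes `from` straight to the logger while gr_log_remount and gr_log_unmount substitute "none" for a NULL devname.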
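--- a/grsecurity/grsec_ptrace.c
+++ b/grsecurity/grsec_ptrace.c
@@ -0,0 +1,14 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grinternal.h>
+#include <linux/grsecurity.h>
+
+void
+gr_audit_ptrace(struct task_struct *task)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+ if (grsec_enable_audit_ptrace)
+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
+#endif
+ return;
+}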
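--- a/grsecurity/grsec_sig.c
+++ b/grsecurity/grsec_sig.c
@@ -0,0 +1,65 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/delay.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+char *signames[] = {
+ [SIGSEGV] = "Segmentation fault",
+ [SIGILL] = "Illegal instruction",
+ [SIGABRT] = "Abort",
+ [SIGBUS] = "Invalid alignment/Bus error"
+};
+
+void
+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
+{
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
+ (sig == SIGABRT) || (sig == SIGBUS))) {
+ if (t->pid == current->pid) {
+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
+ } else {
+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
+ }
+ }
+#endif
+ return;
+}
+
+int
+gr_handle_signal(const struct task_struct *p, const int sig)
+{
+#ifdef CONFIG_GRKERNSEC
+ if (current->pid > 1 && gr_check_protected_task(p)) {
+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
+ return -EPERM;
+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
+ return -EPERM;
+ }
+#endif
+ return 0;
+}
+
+void gr_handle_brute_attach(struct task_struct *p)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
+ read_lock(&tasklist_lock);
+ read_lock(&grsec_exec_file_lock);
+ if (p->parent && p->parent->exec_file == p->exec_file)
+ p->parent->brute = 1;
+ read_unlock(&grsec_exec_file_lock);
+ read_unlock(&tasklist_lock);
+#endif
+ return;
+}
+
+void gr_handle_brute_check(void)
+{
+#ifdef CONFIG_GRKERNSEC_BRUTE
+ if (current->brute)
+ msleep(30 * 1000);
+#endif
+ return;
+}
+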
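Review bot: The second branch of gr_handle_signal, `else if (gr_pid_is_chrooted((struct task_struct *)p)) return -EPERM;`, refuses the signal without a log call, while the branch above it logs GR_SIG_ACL_MSG. Unless gr_pid_is_chrooted() reports the event itself (it is defined outside this section), that denial leaves no trace for whoever reads the logs; a comment stating where it is logged, or a log call here, would settle it. The cast in the same line drops the `const` from `p`, which suggests gr_pid_is_chrooted's prototype should take a const pointer. In gr_handle_brute_check the delay `30 * 1000` would read better as a named constant with its unit, e.g. `#define GR_BRUTE_DELAY_MS (30 * 1000)`, and no line in this section clears `brute` once gr_handle_brute_attach has set it, which deserves a comment if it is intended.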
ae4e228f
MT
39489diff -urNp linux-2.6.33.1/grsecurity/grsec_sock.c linux-2.6.33.1/grsecurity/grsec_sock.c
39490--- linux-2.6.33.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
39491+++ linux-2.6.33.1/grsecurity/grsec_sock.c 2010-03-20 16:58:41.892922620 -0400
39492@@ -0,0 +1,271 @@
58c5fc13
MT
39493+#include <linux/kernel.h>
39494+#include <linux/module.h>
39495+#include <linux/sched.h>
39496+#include <linux/file.h>
39497+#include <linux/net.h>
39498+#include <linux/in.h>
39499+#include <linux/ip.h>
39500+#include <net/sock.h>
39501+#include <net/inet_sock.h>
39502+#include <linux/grsecurity.h>
39503+#include <linux/grinternal.h>
39504+#include <linux/gracl.h>
39505+
39506+kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
39507+EXPORT_SYMBOL(gr_cap_rtnetlink);
39508+
39509+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
39510+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
39511+
39512+EXPORT_SYMBOL(gr_search_udp_recvmsg);
39513+EXPORT_SYMBOL(gr_search_udp_sendmsg);
39514+
39515+#ifdef CONFIG_UNIX_MODULE
39516+EXPORT_SYMBOL(gr_acl_handle_unix);
39517+EXPORT_SYMBOL(gr_acl_handle_mknod);
39518+EXPORT_SYMBOL(gr_handle_chroot_unix);
39519+EXPORT_SYMBOL(gr_handle_create);
39520+#endif
39521+
39522+#ifdef CONFIG_GRKERNSEC
39523+#define gr_conn_table_size 32749
39524+struct conn_table_entry {
39525+ struct conn_table_entry *next;
39526+ struct signal_struct *sig;
39527+};
39528+
39529+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
39530+DEFINE_SPINLOCK(gr_conn_table_lock);
39531+
39532+extern const char * gr_socktype_to_name(unsigned char type);
39533+extern const char * gr_proto_to_name(unsigned char proto);
39534+
39535+static __inline__ int
39536+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
39537+{
39538+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
39539+}
39540+
39541+static __inline__ int
39542+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
39543+ __u16 sport, __u16 dport)
39544+{
39545+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
39546+ sig->gr_sport == sport && sig->gr_dport == dport))
39547+ return 1;
39548+ else
39549+ return 0;
39550+}
39551+
39552+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
39553+{
39554+ struct conn_table_entry **match;
39555+ unsigned int index;
39556+
39557+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39558+ sig->gr_sport, sig->gr_dport,
39559+ gr_conn_table_size);
39560+
39561+ newent->sig = sig;
39562+
39563+ match = &gr_conn_table[index];
39564+ newent->next = *match;
39565+ *match = newent;
39566+
39567+ return;
39568+}
39569+
39570+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
39571+{
39572+ struct conn_table_entry *match, *last = NULL;
39573+ unsigned int index;
39574+
39575+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
39576+ sig->gr_sport, sig->gr_dport,
39577+ gr_conn_table_size);
39578+
39579+ match = gr_conn_table[index];
39580+ while (match && !conn_match(match->sig,
39581+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
39582+ sig->gr_dport)) {
39583+ last = match;
39584+ match = match->next;
39585+ }
39586+
39587+ if (match) {
39588+ if (last)
39589+ last->next = match->next;
39590+ else
39591+ gr_conn_table[index] = NULL;
39592+ kfree(match);
39593+ }
39594+
39595+ return;
39596+}
39597+
39598+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
39599+ __u16 sport, __u16 dport)
39600+{
39601+ struct conn_table_entry *match;
39602+ unsigned int index;
39603+
39604+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
39605+
39606+ match = gr_conn_table[index];
39607+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
39608+ match = match->next;
39609+
39610+ if (match)
39611+ return match->sig;
39612+ else
39613+ return NULL;
39614+}
39615+
39616+#endif
39617+
39618+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
39619+{
39620+#ifdef CONFIG_GRKERNSEC
39621+ struct signal_struct *sig = task->signal;
39622+ struct conn_table_entry *newent;
39623+
39624+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
39625+ if (newent == NULL)
39626+ return;
39627+ /* no bh lock needed since we are called with bh disabled */
39628+ spin_lock(&gr_conn_table_lock);
39629+ gr_del_task_from_ip_table_nolock(sig);
ae4e228f
MT
39630+ sig->gr_saddr = inet->inet_rcv_saddr;
39631+ sig->gr_daddr = inet->inet_daddr;
39632+ sig->gr_sport = inet->inet_sport;
39633+ sig->gr_dport = inet->inet_dport;
58c5fc13
MT
39634+ gr_add_to_task_ip_table_nolock(sig, newent);
39635+ spin_unlock(&gr_conn_table_lock);
39636+#endif
39637+ return;
39638+}
39639+
39640+void gr_del_task_from_ip_table(struct task_struct *task)
39641+{
39642+#ifdef CONFIG_GRKERNSEC
39643+ spin_lock_bh(&gr_conn_table_lock);
39644+ gr_del_task_from_ip_table_nolock(task->signal);
39645+ spin_unlock_bh(&gr_conn_table_lock);
39646+#endif
39647+ return;
39648+}
39649+
39650+void
39651+gr_attach_curr_ip(const struct sock *sk)
39652+{
39653+#ifdef CONFIG_GRKERNSEC
39654+ struct signal_struct *p, *set;
39655+ const struct inet_sock *inet = inet_sk(sk);
39656+
39657+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
39658+ return;
39659+
39660+ set = current->signal;
39661+
39662+ spin_lock_bh(&gr_conn_table_lock);
ae4e228f
MT
39663+ p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
39664+ inet->inet_dport, inet->inet_sport);
58c5fc13
MT
39665+ if (unlikely(p != NULL)) {
39666+ set->curr_ip = p->curr_ip;
39667+ set->used_accept = 1;
39668+ gr_del_task_from_ip_table_nolock(p);
39669+ spin_unlock_bh(&gr_conn_table_lock);
39670+ return;
39671+ }
39672+ spin_unlock_bh(&gr_conn_table_lock);
39673+
ae4e228f 39674+ set->curr_ip = inet->inet_daddr;
58c5fc13
MT
39675+ set->used_accept = 1;
39676+#endif
39677+ return;
39678+}
39679+
39680+int
39681+gr_handle_sock_all(const int family, const int type, const int protocol)
39682+{
39683+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
39684+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
39685+ (family != AF_UNIX) && (family != AF_LOCAL)) {
39686+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
39687+ return -EACCES;
39688+ }
39689+#endif
39690+ return 0;
39691+}
39692+
39693+int
39694+gr_handle_sock_server(const struct sockaddr *sck)
39695+{
39696+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39697+ if (grsec_enable_socket_server &&
39698+ in_group_p(grsec_socket_server_gid) &&
39699+ sck && (sck->sa_family != AF_UNIX) &&
39700+ (sck->sa_family != AF_LOCAL)) {
39701+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39702+ return -EACCES;
39703+ }
39704+#endif
39705+ return 0;
39706+}
39707+
39708+int
39709+gr_handle_sock_server_other(const struct sock *sck)
39710+{
39711+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
39712+ if (grsec_enable_socket_server &&
39713+ in_group_p(grsec_socket_server_gid) &&
39714+ sck && (sck->sk_family != AF_UNIX) &&
39715+ (sck->sk_family != AF_LOCAL)) {
39716+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
39717+ return -EACCES;
39718+ }
39719+#endif
39720+ return 0;
39721+}
39722+
39723+int
39724+gr_handle_sock_client(const struct sockaddr *sck)
39725+{
39726+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
39727+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
39728+ sck && (sck->sa_family != AF_UNIX) &&
39729+ (sck->sa_family != AF_LOCAL)) {
39730+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
39731+ return -EACCES;
39732+ }
39733+#endif
39734+ return 0;
39735+}
39736+
39737+kernel_cap_t
39738+gr_cap_rtnetlink(struct sock *sock)
39739+{
39740+#ifdef CONFIG_GRKERNSEC
39741+ if (!gr_acl_is_enabled())
39742+ return current_cap();
39743+ else if (sock->sk_protocol == NETLINK_ISCSI &&
39744+ cap_raised(current_cap(), CAP_SYS_ADMIN) &&
39745+ gr_is_capable(CAP_SYS_ADMIN))
39746+ return current_cap();
39747+ else if (sock->sk_protocol == NETLINK_AUDIT &&
39748+ cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
39749+ gr_is_capable(CAP_AUDIT_WRITE) &&
39750+ cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
39751+ gr_is_capable(CAP_AUDIT_CONTROL))
39752+ return current_cap();
39753+ else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
ae4e228f
MT
39754+ ((sock->sk_protocol == NETLINK_ROUTE) ?
39755+ gr_is_capable_nolog(CAP_NET_ADMIN) :
39756+ gr_is_capable(CAP_NET_ADMIN)))
58c5fc13
MT
39757+ return current_cap();
39758+ else
39759+ return __cap_empty_set;
39760+#else
39761+ return current_cap();
39762+#endif
39763+}
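--- a/grsecurity/grsec_sysctl.c
+++ b/grsecurity/grsec_sysctl.c
@@ -0,0 +1,404 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+int
+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
+{
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
+ return -EACCES;
+ }
+#endif
+ return 0;
+}
+
+#ifdef CONFIG_GRKERNSEC_ROFS
+static int __maybe_unused one = 1;
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
+ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_LINK
+ {
+ .procname = "linking_restrictions",
+ .data = &grsec_enable_link,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+ {
+ .procname = "fifo_restrictions",
+ .data = &grsec_enable_fifo,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+ {
+ .procname = "execve_limiting",
+ .data = &grsec_enable_execve,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
+ {
+ .procname = "ip_blackhole",
+ .data = &grsec_enable_blackhole,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+ {
+ .procname = "lastack_retries",
+ .data = &grsec_lastack_retries,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+ {
+ .procname = "exec_logging",
+ .data = &grsec_enable_execlog,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+ {
+ .procname = "signal_logging",
+ .data = &grsec_enable_signal,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+ {
+ .procname = "forkfail_logging",
+ .data = &grsec_enable_forkfail,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+ {
+ .procname = "timechange_logging",
+ .data = &grsec_enable_time,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
+ {
+ .procname = "chroot_deny_shmat",
+ .data = &grsec_enable_chroot_shmat,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
+ {
+ .procname = "chroot_deny_unix",
+ .data = &grsec_enable_chroot_unix,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+ {
+ .procname = "chroot_deny_mount",
+ .data = &grsec_enable_chroot_mount,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
+ {
+ .procname = "chroot_deny_fchdir",
+ .data = &grsec_enable_chroot_fchdir,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+ {
+ .procname = "chroot_deny_chroot",
+ .data = &grsec_enable_chroot_double,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
+ {
+ .procname = "chroot_deny_pivot",
+ .data = &grsec_enable_chroot_pivot,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+ {
+ .procname = "chroot_enforce_chdir",
+ .data = &grsec_enable_chroot_chdir,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+ {
+ .procname = "chroot_deny_chmod",
+ .data = &grsec_enable_chroot_chmod,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+ {
+ .procname = "chroot_deny_mknod",
+ .data = &grsec_enable_chroot_mknod,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+ {
+ .procname = "chroot_restrict_nice",
+ .data = &grsec_enable_chroot_nice,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+ {
+ .procname = "chroot_execlog",
+ .data = &grsec_enable_chroot_execlog,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+ {
+ .procname = "chroot_caps",
+ .data = &grsec_enable_chroot_caps,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
+ {
+ .procname = "chroot_deny_sysctl",
+ .data = &grsec_enable_chroot_sysctl,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+ {
+ .procname = "tpe",
+ .data = &grsec_enable_tpe,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+ {
+ .procname = "tpe_gid",
+ .data = &grsec_tpe_gid,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+ {
+ .procname = "tpe_restrict_all",
+ .data = &grsec_enable_tpe_all,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+ {
+ .procname = "socket_all",
+ .data = &grsec_enable_socket_all,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+ {
+ .procname = "socket_all_gid",
+ .data = &grsec_socket_all_gid,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+ {
+ .procname = "socket_client",
+ .data = &grsec_enable_socket_client,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+ {
+ .procname = "socket_client_gid",
+ .data = &grsec_socket_client_gid,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+ {
+ .procname = "socket_server",
+ .data = &grsec_enable_socket_server,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+ {
+ .procname = "socket_server_gid",
+ .data = &grsec_socket_server_gid,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+ {
+ .procname = "audit_group",
+ .data = &grsec_enable_group,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+ {
+ .procname = "audit_gid",
+ .data = &grsec_audit_gid,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+ {
+ .procname = "audit_chdir",
+ .data = &grsec_enable_chdir,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+ {
+ .procname = "audit_mount",
+ .data = &grsec_enable_mount,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
+ {
+ .procname = "audit_textrel",
+ .data = &grsec_enable_audit_textrel,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_DMESG
+ {
+ .procname = "dmesg",
+ .data = &grsec_enable_dmesg,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
+ {
+ .procname = "chroot_findtask",
+ .data = &grsec_enable_chroot_findtask,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_RESLOG
+ {
+ .procname = "resource_logging",
+ .data = &grsec_resource_logging,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+ {
+ .procname = "audit_ptrace",
+ .data = &grsec_enable_audit_ptrace,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
+ {
+ .procname = "harden_ptrace",
+ .data = &grsec_enable_harden_ptrace,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+ {
+ .procname = "grsec_lock",
+ .data = &grsec_lock,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
+#ifdef CONFIG_GRKERNSEC_ROFS
+ {
+ .procname = "romount_protect",
+ .data = &grsec_enable_rofs,
+ .maxlen = sizeof(int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec_minmax,
+ .extra1 = &one,
+ .extra2 = &one,
+ },
+#endif
+ { }
+};
+#endif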
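Review bot: Every entry in grsecurity_table except `romount_protect` uses `proc_dointvec` with no bounds, so a write can store any int, including negative values, into on/off flags such as `grsec_lock` and into the `*_gid` entries. Bounding the on/off entries the way `romount_protect` already is, e.g. `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one,` with a `static int zero;` declared next to `one`, would keep them to 0/1; whether the readers of these flags only test for non-zero is not visible here. A short comment on the `grsec_lock` entry noting that gr_handle_sysctl_mod refuses any further write under "grsecurity" once it is set would document that the lock is one-way.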
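--- a/grsecurity/grsec_textrel.c
+++ b/grsecurity/grsec_textrel.c
@@ -0,0 +1,16 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+#include <linux/grsecurity.h>
+
+void
+gr_log_textrel(struct vm_area_struct * vma)
+{
+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
+ if (grsec_enable_audit_textrel)
+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
+#endif
+ return;
+}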
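--- a/grsecurity/grsec_time.c
+++ b/grsecurity/grsec_time.c
@@ -0,0 +1,13 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/grinternal.h>
+
+void
+gr_log_timechange(void)
+{
+#ifdef CONFIG_GRKERNSEC_TIME
+ if (grsec_enable_time)
+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
+#endif
+ return;
+}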
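--- a/grsecurity/grsec_tpe.c
+++ b/grsecurity/grsec_tpe.c
@@ -0,0 +1,38 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/grinternal.h>
+
+extern int gr_acl_tpe_check(void);
+
+int
+gr_tpe_allow(const struct file *file)
+{
+#ifdef CONFIG_GRKERNSEC
+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
+ const struct cred *cred = current_cred();
+
+ if (cred->uid && ((grsec_enable_tpe &&
+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
+ !in_group_p(grsec_tpe_gid)
+#else
+ in_group_p(grsec_tpe_gid)
+#endif
+ ) || gr_acl_tpe_check()) &&
+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
+ (inode->i_mode & S_IWOTH))))) {
+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
+ return 0;
+ }
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
+ return 0;
+ }
+#endif
+#endif
+ return 1;
+}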
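Review bot: In gr_tpe_allow the parent directory is reached through `file->f_path.dentry->d_parent->d_inode` with no lock or reference visible in the function, so a concurrent rename could change `d_parent` while the owner and mode bits are being tested. Pinning it with `struct dentry *parent = dget_parent(file->f_path.dentry);`, reading `parent->d_inode`, and calling `dput(parent);` before each return would make both checks operate on one consistent directory. The function also lacks a comment stating its contract; `/* returns 1 if execution of file is permitted by TPE, 0 if it is denied (and logged) */` above the definition would make the inverted-looking return values explicit. The `!inode->i_uid &&` term in the first condition is redundant after `inode->i_uid ||` and can be dropped for readability.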
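--- a/grsecurity/grsum.c
+++ b/grsecurity/grsum.c
@@ -0,0 +1,59 @@
+#include <linux/err.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/scatterlist.h>
+#include <linux/crypto.h>
+#include <linux/gracl.h>
+
+
+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
+#error "crypto and sha256 must be built into the kernel"
+#endif
+
+int
+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
+{
+ char *p;
+ struct crypto_hash *tfm;
+ struct hash_desc desc;
+ struct scatterlist sg;
+ unsigned char temp_sum[GR_SHA_LEN];
+ volatile int retval = 0;
+ volatile int dummy = 0;
+ unsigned int i;
+
+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(tfm)) {
+ /* should never happen, since sha256 should be built in */
+ return 1;
+ }
+
+ desc.tfm = tfm;
+ desc.flags = 0;
+
+ crypto_hash_init(&desc);
+
+ p = salt;
+ sg_set_buf(&sg, p, GR_SALT_LEN);
+ crypto_hash_update(&desc, &sg, sg.length);
+
+ p = entry->pw;
+ sg_set_buf(&sg, p, strlen(p));
+
+ crypto_hash_update(&desc, &sg, sg.length);
+
+ crypto_hash_final(&desc, temp_sum);
+
+ memset(entry->pw, 0, GR_PW_LEN);
+
+ for (i = 0; i < GR_SHA_LEN; i++)
+ if (sum[i] != temp_sum[i])
+ retval = 1;
+ else
+ dummy = 1; // waste a cycle
+
+ crypto_free_hash(tfm);
+
+ return retval;
+}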
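Review bot: chkpw ignores the return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final`, so if any of them fails the loop compares `sum` against an uninitialised `temp_sum`; each failure should be treated as a mismatch. The early `return 1` on `IS_ERR(tfm)` skips `memset(entry->pw, 0, GR_PW_LEN)`, leaving the submitted password in the buffer on that path. `sg` is filled with `sg_set_buf` without a prior `sg_init_one` or `sg_init_table`, so its chain and end-marker bits are whatever was on the stack. The comparison depends on a `volatile dummy` store to balance its two branches; OR-ing the byte differences into one accumulator is easier to reason about for timing. The fence shows the body restructured around a single cleanup path.

```c
int
chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
{
	/* … unchanged: tfm, desc, sg, temp_sum, i declarations … */
	unsigned char diff = 0;
	int retval = 1;		/* fail closed unless the digest was computed and matched */

	tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm))
		goto out_pw;

	/* … unchanged: desc.tfm / desc.flags setup … */

	if (crypto_hash_init(&desc))
		goto out_free;

	sg_init_one(&sg, salt, GR_SALT_LEN);
	if (crypto_hash_update(&desc, &sg, sg.length))
		goto out_free;

	sg_init_one(&sg, entry->pw, strlen(entry->pw));
	if (crypto_hash_update(&desc, &sg, sg.length) ||
	    crypto_hash_final(&desc, temp_sum))
		goto out_free;

	/* no data-dependent branch: fold every byte difference into diff */
	for (i = 0; i < GR_SHA_LEN; i++)
		diff |= sum[i] ^ temp_sum[i];
	retval = (diff != 0);

out_free:
	crypto_free_hash(tfm);
out_pw:
	/* clear the cleartext password on every path, including errors */
	memset(entry->pw, 0, GR_PW_LEN);
	return retval;
}
```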
40314diff -urNp linux-2.6.33.1/grsecurity/Kconfig linux-2.6.33.1/grsecurity/Kconfig
40315--- linux-2.6.33.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
40316+++ linux-2.6.33.1/grsecurity/Kconfig 2010-03-20 17:00:48.140865901 -0400
40317@@ -0,0 +1,965 @@
58c5fc13
MT
40318+#
40319+# grecurity configuration
40320+#
40321+
40322+menu "Grsecurity"
40323+
40324+config GRKERNSEC
40325+ bool "Grsecurity"
40326+ select CRYPTO
40327+ select CRYPTO_SHA256
40328+ help
40329+ If you say Y here, you will be able to configure many features
40330+ that will enhance the security of your system. It is highly
40331+ recommended that you say Y here and read through the help
40332+ for each option so that you fully understand the features and
40333+ can evaluate their usefulness for your machine.
40334+
40335+choice
40336+ prompt "Security Level"
40337+ depends on GRKERNSEC
40338+ default GRKERNSEC_CUSTOM
40339+
40340+config GRKERNSEC_LOW
40341+ bool "Low"
40342+ select GRKERNSEC_LINK
40343+ select GRKERNSEC_FIFO
40344+ select GRKERNSEC_EXECVE
40345+ select GRKERNSEC_RANDNET
40346+ select GRKERNSEC_DMESG
40347+ select GRKERNSEC_CHROOT
40348+ select GRKERNSEC_CHROOT_CHDIR
40349+
40350+ help
40351+ If you choose this option, several of the grsecurity options will
40352+ be enabled that will give you greater protection against a number
40353+ of attacks, while assuring that none of your software will have any
40354+ conflicts with the additional security measures. If you run a lot
40355+ of unusual software, or you are having problems with the higher
40356+ security levels, you should say Y here. With this option, the
40357+ following features are enabled:
40358+
40359+ - Linking restrictions
40360+ - FIFO restrictions
40361+ - Enforcing RLIMIT_NPROC on execve
40362+ - Restricted dmesg
40363+ - Enforced chdir("/") on chroot
40364+ - Runtime module disabling
40365+
40366+config GRKERNSEC_MEDIUM
40367+ bool "Medium"
40368+ select PAX
40369+ select PAX_EI_PAX
40370+ select PAX_PT_PAX_FLAGS
40371+ select PAX_HAVE_ACL_FLAGS
40372+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40373+ select GRKERNSEC_CHROOT
40374+ select GRKERNSEC_CHROOT_SYSCTL
40375+ select GRKERNSEC_LINK
40376+ select GRKERNSEC_FIFO
40377+ select GRKERNSEC_EXECVE
40378+ select GRKERNSEC_DMESG
40379+ select GRKERNSEC_RANDNET
40380+ select GRKERNSEC_FORKFAIL
40381+ select GRKERNSEC_TIME
40382+ select GRKERNSEC_SIGNAL
40383+ select GRKERNSEC_CHROOT
40384+ select GRKERNSEC_CHROOT_UNIX
40385+ select GRKERNSEC_CHROOT_MOUNT
40386+ select GRKERNSEC_CHROOT_PIVOT
40387+ select GRKERNSEC_CHROOT_DOUBLE
40388+ select GRKERNSEC_CHROOT_CHDIR
40389+ select GRKERNSEC_CHROOT_MKNOD
40390+ select GRKERNSEC_PROC
40391+ select GRKERNSEC_PROC_USERGROUP
40392+ select PAX_RANDUSTACK
40393+ select PAX_ASLR
40394+ select PAX_RANDMMAP
40395+ select PAX_REFCOUNT if (X86 || SPARC64)
40396+ select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC32 || PPC64) && (SLAB || SLUB || SLOB))
40397+
40398+ help
40399+ If you say Y here, several features in addition to those included
40400+ in the low additional security level will be enabled. These
40401+ features provide even more security to your system, though in rare
40402+ cases they may be incompatible with very old or poorly written
40403+ software. If you enable this option, make sure that your auth
40404+ service (identd) is running as gid 1001. With this option,
40405+ the following features (in addition to those provided in the
40406+ low additional security level) will be enabled:
40407+
40408+ - Failed fork logging
40409+ - Time change logging
40410+ - Signal logging
40411+ - Deny mounts in chroot
40412+ - Deny double chrooting
40413+ - Deny sysctl writes in chroot
40414+ - Deny mknod in chroot
40415+ - Deny access to abstract AF_UNIX sockets out of chroot
40416+ - Deny pivot_root in chroot
40417+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
40418+ - /proc restrictions with special GID set to 10 (usually wheel)
40419+ - Address Space Layout Randomization (ASLR)
40420+ - Prevent exploitation of most refcount overflows
40421+ - Bounds checking of copying between the kernel and userland
40422+
40423+config GRKERNSEC_HIGH
40424+ bool "High"
40425+ select GRKERNSEC_LINK
40426+ select GRKERNSEC_FIFO
40427+ select GRKERNSEC_EXECVE
40428+ select GRKERNSEC_DMESG
40429+ select GRKERNSEC_FORKFAIL
40430+ select GRKERNSEC_TIME
40431+ select GRKERNSEC_SIGNAL
40432+ select GRKERNSEC_CHROOT
40433+ select GRKERNSEC_CHROOT_SHMAT
40434+ select GRKERNSEC_CHROOT_UNIX
40435+ select GRKERNSEC_CHROOT_MOUNT
40436+ select GRKERNSEC_CHROOT_FCHDIR
40437+ select GRKERNSEC_CHROOT_PIVOT
40438+ select GRKERNSEC_CHROOT_DOUBLE
40439+ select GRKERNSEC_CHROOT_CHDIR
40440+ select GRKERNSEC_CHROOT_MKNOD
40441+ select GRKERNSEC_CHROOT_CAPS
40442+ select GRKERNSEC_CHROOT_SYSCTL
40443+ select GRKERNSEC_CHROOT_FINDTASK
40444+ select GRKERNSEC_PROC
40445+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
40446+ select GRKERNSEC_HIDESYM
40447+ select GRKERNSEC_BRUTE
40448+ select GRKERNSEC_PROC_USERGROUP
40449+ select GRKERNSEC_KMEM
40450+ select GRKERNSEC_RESLOG
40451+ select GRKERNSEC_RANDNET
40452+ select GRKERNSEC_PROC_ADD
40453+ select GRKERNSEC_CHROOT_CHMOD
40454+ select GRKERNSEC_CHROOT_NICE
40455+ select GRKERNSEC_AUDIT_MOUNT
40456+ select GRKERNSEC_MODHARDEN if (MODULES)
40457+ select GRKERNSEC_HARDEN_PTRACE
ae4e228f 40458+ select GRKERNSEC_VM86 if (X86_32)
58c5fc13
MT
40459+ select PAX
40460+ select PAX_RANDUSTACK
40461+ select PAX_ASLR
40462+ select PAX_RANDMMAP
40463+ select PAX_NOEXEC
40464+ select PAX_MPROTECT
40465+ select PAX_EI_PAX
40466+ select PAX_PT_PAX_FLAGS
40467+ select PAX_HAVE_ACL_FLAGS
ae4e228f
MT
40468+ select PAX_KERNEXEC if ((PPC32 || PPC64 || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
40469+ select PAX_MEMORY_UDEREF if (X86_32 && !XEN)
58c5fc13
MT
40470+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
40471+ select PAX_SEGMEXEC if (X86_32)
40472+ select PAX_PAGEEXEC
40473+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
40474+ select PAX_EMUTRAMP if (PARISC)
40475+ select PAX_EMUSIGRT if (PARISC)
40476+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
40477+ select PAX_REFCOUNT if (X86 || SPARC64)
40478+ select PAX_USERCOPY if ((X86 || PPC32 || PPC64 || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
40479+ help
40480+ If you say Y here, many of the features of grsecurity will be
40481+ enabled, which will protect you against many kinds of attacks
40482+ against your system. The heightened security comes at a cost
40483+ of an increased chance of incompatibilities with rare software
40484+ on your machine. Since this security level enables PaX, you should
40485+ view <http://pax.grsecurity.net> and read about the PaX
40486+ project. While you are there, download chpax and run it on
40487+ binaries that cause problems with PaX. Also remember that
40488+ since the /proc restrictions are enabled, you must run your
40489+ identd as gid 1001. This security level enables the following
40490+ features in addition to those listed in the low and medium
40491+ security levels:
40492+
40493+ - Additional /proc restrictions
40494+ - Chmod restrictions in chroot
40495+ - No signals, ptrace, or viewing of processes outside of chroot
40496+ - Capability restrictions in chroot
40497+ - Deny fchdir out of chroot
40498+ - Priority restrictions in chroot
40499+ - Segmentation-based implementation of PaX
40500+ - Mprotect restrictions
40501+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
40502+ - Kernel stack randomization
40503+ - Mount/unmount/remount logging
40504+ - Kernel symbol hiding
40505+ - Prevention of memory exhaustion-based exploits
40506+ - Hardening of module auto-loading
40507+ - Ptrace restrictions
ae4e228f 40508+ - Restricted vm86 mode
58c5fc13
MT
40509+
40510+config GRKERNSEC_CUSTOM
40511+ bool "Custom"
40512+ help
40513+ If you say Y here, you will be able to configure every grsecurity
40514+ option, which allows you to enable many more features that aren't
40515+ covered in the basic security levels. These additional features
40516+ include TPE, socket restrictions, and the sysctl system for
40517+ grsecurity. It is advised that you read through the help for
40518+ each option to determine its usefulness in your situation.
40519+
40520+endchoice
40521+
40522+menu "Address Space Protection"
40523+depends on GRKERNSEC
40524+
40525+config GRKERNSEC_KMEM
40526+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
40527+ help
40528+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
40529+ be written to via mmap or otherwise to modify the running kernel.
40530+ /dev/port will also not be allowed to be opened. If you have module
40531+ support disabled, enabling this will close up four ways that are
40532+ currently used to insert malicious code into the running kernel.
40533+ Even with all these features enabled, we still highly recommend that
40534+ you use the RBAC system, as it is still possible for an attacker to
40535+ modify the running kernel through privileged I/O granted by ioperm/iopl.
40536+ If you are not using XFree86, you may be able to stop this additional
40537+ case by enabling the 'Disable privileged I/O' option. Though nothing
40538+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
40539+ but only to video memory, which is the only writing we allow in this
40540+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
40541+ not be allowed to mprotect it with PROT_WRITE later.
40542+ It is highly recommended that you say Y here if you meet all the
40543+ conditions above.
40544+
ae4e228f
MT
40545+config GRKERNSEC_VM86
40546+ bool "Restrict VM86 mode"
40547+ depends on X86_32
40548+
40549+ help
40550+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
40551+ make use of a special execution mode on 32bit x86 processors called
40552+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
40553+ video cards and will still work with this option enabled. The purpose
40554+ of the option is to prevent exploitation of emulation errors in
40555+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
40556+ Nearly all users should be able to enable this option.
40557+
58c5fc13
MT
40558+config GRKERNSEC_IO
40559+ bool "Disable privileged I/O"
40560+ depends on X86
40561+ select RTC_CLASS
40562+ select RTC_INTF_DEV
40563+ select RTC_DRV_CMOS
40564+
40565+ help
40566+ If you say Y here, all ioperm and iopl calls will return an error.
40567+ Ioperm and iopl can be used to modify the running kernel.
40568+ Unfortunately, some programs need this access to operate properly,
40569+ the most notable of which are XFree86 and hwclock. hwclock can be
40570+ remedied by having RTC support in the kernel, so real-time
40571+ clock support is enabled if this option is enabled, to ensure
40572+ that hwclock operates correctly. XFree86 still will not
40573+ operate correctly with this option enabled, so DO NOT CHOOSE Y
40574+ IF YOU USE XFree86. If you use XFree86 and you still want to
40575+ protect your kernel against modification, use the RBAC system.
40576+
40577+config GRKERNSEC_PROC_MEMMAP
40578+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
40579+ default y if (PAX_NOEXEC || PAX_ASLR)
40580+ depends on PAX_NOEXEC || PAX_ASLR
40581+ help
40582+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
40583+ give no information about the addresses of its mappings if
40584+ PaX features that rely on random addresses are enabled on the task.
40585+ If you use PaX it is greatly recommended that you say Y here as it
40586+ closes up a hole that makes the full ASLR useless for suid
40587+ binaries.
40588+
40589+config GRKERNSEC_BRUTE
40590+ bool "Deter exploit bruteforcing"
40591+ help
40592+ If you say Y here, attempts to bruteforce exploits against forking
40593+ daemons such as apache or sshd will be deterred. When a child of a
40594+ forking daemon is killed by PaX or crashes due to an illegal
40595+ instruction, the parent process will be delayed 30 seconds upon every
40596+ subsequent fork until the administrator is able to assess the
40597+ situation and restart the daemon. It is recommended that you also
40598+ enable signal logging in the auditing section so that logs are
40599+ generated when a process performs an illegal instruction.
40600+
40601+config GRKERNSEC_MODHARDEN
40602+ bool "Harden module auto-loading"
40603+ depends on MODULES
40604+ help
40605+ If you say Y here, module auto-loading in response to use of some
40606+ feature implemented by an unloaded module will be restricted to
40607+ root users. Enabling this option helps defend against attacks
40608+ by unprivileged users who abuse the auto-loading behavior to
40609+ cause a vulnerable module to load that is then exploited.
40610+
40611+ If this option prevents a legitimate use of auto-loading for a
40612+ non-root user, the administrator can execute modprobe manually
40613+ with the exact name of the module mentioned in the alert log.
40614+ Alternatively, the administrator can add the module to the list
40615+ of modules loaded at boot by modifying init scripts.
40616+
40617+ Modification of init scripts will most likely be needed on
40618+ Ubuntu servers with encrypted home directory support enabled,
40619+ as the first non-root user logging in will cause the ecb(aes),
40620+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
40621+
40622+config GRKERNSEC_HIDESYM
40623+ bool "Hide kernel symbols"
40624+ help
40625+ If you say Y here, getting information on loaded modules, and
40626+ displaying all kernel symbols through a syscall will be restricted
40627+ to users with CAP_SYS_MODULE. For software compatibility reasons,
40628+ /proc/kallsyms will be restricted to the root user. The RBAC
40629+ system can hide that entry even from root. Note that this option
40630+ is only effective provided the following conditions are met:
40631+ 1) The kernel using grsecurity is not precompiled by some distribution
40632+ 2) You are using the RBAC system and hiding other files such as your
40633+ kernel image and System.map. Alternatively, enabling this option
40634+ causes the permissions on /boot, /lib/modules, and the kernel
40635+ source directory to change at compile time to prevent
40636+ reading by non-root users.
40637+ If the above conditions are met, this option will aid in providing a
40638+ useful protection against local kernel exploitation of overflows
40639+ and arbitrary read/write vulnerabilities.
40640+
40641+endmenu
40642+menu "Role Based Access Control Options"
40643+depends on GRKERNSEC
40644+
40645+config GRKERNSEC_NO_RBAC
40646+ bool "Disable RBAC system"
40647+ help
40648+ If you say Y here, the /dev/grsec device will be removed from the kernel,
40649+ preventing the RBAC system from being enabled. You should only say Y
40650+ here if you have no intention of using the RBAC system, so as to prevent
40651+ an attacker with root access from misusing the RBAC system to hide files
40652+ and processes when loadable module support and /dev/[k]mem have been
40653+ locked down.
40654+
40655+config GRKERNSEC_ACL_HIDEKERN
40656+ bool "Hide kernel processes"
40657+ help
40658+ If you say Y here, all kernel threads will be hidden to all
40659+ processes but those whose subject has the "view hidden processes"
40660+ flag.
40661+
40662+config GRKERNSEC_ACL_MAXTRIES
40663+ int "Maximum tries before password lockout"
40664+ default 3
40665+ help
40666+ This option enforces the maximum number of times a user can attempt
40667+ to authorize themselves with the grsecurity RBAC system before being
40668+ denied the ability to attempt authorization again for a specified time.
40669+ The lower the number, the harder it will be to brute-force a password.
40670+
40671+config GRKERNSEC_ACL_TIMEOUT
40672+ int "Time to wait after max password tries, in seconds"
40673+ default 30
40674+ help
40675+ This option specifies the time the user must wait after attempting to
40676+ authorize to the RBAC system with the maximum number of invalid
40677+ passwords. The higher the number, the harder it will be to brute-force
40678+ a password.
40679+
40680+endmenu
40681+menu "Filesystem Protections"
40682+depends on GRKERNSEC
40683+
40684+config GRKERNSEC_PROC
40685+ bool "Proc restrictions"
40686+ help
40687+ If you say Y here, the permissions of the /proc filesystem
40688+ will be altered to enhance system security and privacy. You MUST
40689+ choose either a user only restriction or a user and group restriction.
40690+ Depending upon the option you choose, you can either restrict users to
40691+ see only the processes they themselves run, or choose a group that can
40692+ view all processes and files normally restricted to root if you choose
40693+ the "restrict to user only" option. NOTE: If you're running identd as
40694+ a non-root user, you will have to run it as the group you specify here.
40695+
40696+config GRKERNSEC_PROC_USER
40697+ bool "Restrict /proc to user only"
40698+ depends on GRKERNSEC_PROC
40699+ help
40700+ If you say Y here, non-root users will only be able to view their own
40701+ processes, and restricts them from viewing network-related information,
40702+ and viewing kernel symbol and module information.
40703+
40704+config GRKERNSEC_PROC_USERGROUP
40705+ bool "Allow special group"
40706+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
40707+ help
40708+ If you say Y here, you will be able to select a group that will be
40709+ able to view all processes, network-related information, and
40710+ kernel and symbol information. This option is useful if you want
40711+ to run identd as a non-root user.
40712+
40713+config GRKERNSEC_PROC_GID
40714+ int "GID for special group"
40715+ depends on GRKERNSEC_PROC_USERGROUP
40716+ default 1001
40717+
40718+config GRKERNSEC_PROC_ADD
40719+ bool "Additional restrictions"
40720+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
40721+ help
40722+ If you say Y here, additional restrictions will be placed on
40723+ /proc that keep normal users from viewing device information and
40724+ slabinfo information that could be useful for exploits.
40725+
40726+config GRKERNSEC_LINK
40727+ bool "Linking restrictions"
40728+ help
40729+ If you say Y here, /tmp race exploits will be prevented, since users
40730+ will no longer be able to follow symlinks owned by other users in
40731+ world-writable +t directories (i.e. /tmp), unless the owner of the
40732+ symlink is the owner of the directory. users will also not be
40733+ able to hardlink to files they do not own. If the sysctl option is
40734+ enabled, a sysctl option with name "linking_restrictions" is created.
40735+
40736+config GRKERNSEC_FIFO
40737+ bool "FIFO restrictions"
40738+ help
40739+ If you say Y here, users will not be able to write to FIFOs they don't
40740+ own in world-writable +t directories (i.e. /tmp), unless the owner of
40741+ the FIFO is the same owner of the directory it's held in. If the sysctl
40742+ option is enabled, a sysctl option with name "fifo_restrictions" is
40743+ created.
40744+
ae4e228f
MT
40745+config GRKERNSEC_ROFS
40746+ bool "Runtime read-only mount protection"
40747+ help
40748+ If you say Y here, a sysctl option with name "romount_protect" will
40749+ be created. By setting this option to 1 at runtime, filesystems
40750+ will be protected in the following ways:
40751+ * No new writable mounts will be allowed
40752+ * Existing read-only mounts won't be able to be remounted read/write
40753+ * Write operations will be denied on all block devices
40754+ This option acts independently of grsec_lock: once it is set to 1,
40755+ it cannot be turned off. Therefore, please be mindful of the resulting
40756+ behavior if this option is enabled in an init script on a read-only
40757+ filesystem. This feature is mainly intended for secure embedded systems.
40758+
58c5fc13
MT
40759+config GRKERNSEC_CHROOT
40760+ bool "Chroot jail restrictions"
40761+ help
40762+ If you say Y here, you will be able to choose several options that will
40763+ make breaking out of a chrooted jail much more difficult. If you
40764+ encounter no software incompatibilities with the following options, it
40765+ is recommended that you enable each one.
40766+
40767+config GRKERNSEC_CHROOT_MOUNT
40768+ bool "Deny mounts"
40769+ depends on GRKERNSEC_CHROOT
40770+ help
40771+ If you say Y here, processes inside a chroot will not be able to
40772+ mount or remount filesystems. If the sysctl option is enabled, a
40773+ sysctl option with name "chroot_deny_mount" is created.
40774+
40775+config GRKERNSEC_CHROOT_DOUBLE
40776+ bool "Deny double-chroots"
40777+ depends on GRKERNSEC_CHROOT
40778+ help
40779+ If you say Y here, processes inside a chroot will not be able to chroot
40780+ again outside the chroot. This is a widely used method of breaking
40781+ out of a chroot jail and should not be allowed. If the sysctl
40782+ option is enabled, a sysctl option with name
40783+ "chroot_deny_chroot" is created.
40784+
40785+config GRKERNSEC_CHROOT_PIVOT
40786+ bool "Deny pivot_root in chroot"
40787+ depends on GRKERNSEC_CHROOT
40788+ help
40789+ If you say Y here, processes inside a chroot will not be able to use
40790+ a function called pivot_root() that was introduced in Linux 2.3.41. It
40791+ works similar to chroot in that it changes the root filesystem. This
40792+ function could be misused in a chrooted process to attempt to break out
40793+ of the chroot, and therefore should not be allowed. If the sysctl
40794+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
40795+ created.
40796+
40797+config GRKERNSEC_CHROOT_CHDIR
40798+ bool "Enforce chdir(\"/\") on all chroots"
40799+ depends on GRKERNSEC_CHROOT
40800+ help
40801+ If you say Y here, the current working directory of all newly-chrooted
40802+ applications will be set to the the root directory of the chroot.
40803+ The man page on chroot(2) states:
40804+ Note that this call does not change the current working
40805+ directory, so that `.' can be outside the tree rooted at
40806+ `/'. In particular, the super-user can escape from a
40807+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
40808+
40809+ It is recommended that you say Y here, since it's not known to break
40810+ any software. If the sysctl option is enabled, a sysctl option with
40811+ name "chroot_enforce_chdir" is created.
40812+
40813+config GRKERNSEC_CHROOT_CHMOD
40814+ bool "Deny (f)chmod +s"
40815+ depends on GRKERNSEC_CHROOT
40816+ help
40817+ If you say Y here, processes inside a chroot will not be able to chmod
40818+ or fchmod files to make them have suid or sgid bits. This protects
40819+ against another published method of breaking a chroot. If the sysctl
40820+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
40821+ created.
40822+
40823+config GRKERNSEC_CHROOT_FCHDIR
40824+ bool "Deny fchdir out of chroot"
40825+ depends on GRKERNSEC_CHROOT
40826+ help
40827+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
40828+ to a file descriptor of the chrooting process that points to a directory
40829+ outside the filesystem will be stopped. If the sysctl option
40830+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
40831+
40832+config GRKERNSEC_CHROOT_MKNOD
40833+ bool "Deny mknod"
40834+ depends on GRKERNSEC_CHROOT
40835+ help
40836+ If you say Y here, processes inside a chroot will not be allowed to
40837+ mknod. The problem with using mknod inside a chroot is that it
40838+ would allow an attacker to create a device entry that is the same
40839+ as one on the physical root of your system, which could range from
40840+ anything from the console device to a device for your harddrive (which
40841+ they could then use to wipe the drive or steal data). It is recommended
40842+ that you say Y here, unless you run into software incompatibilities.
40843+ If the sysctl option is enabled, a sysctl option with name
40844+ "chroot_deny_mknod" is created.
40845+
40846+config GRKERNSEC_CHROOT_SHMAT
40847+ bool "Deny shmat() out of chroot"
40848+ depends on GRKERNSEC_CHROOT
40849+ help
40850+ If you say Y here, processes inside a chroot will not be able to attach
40851+ to shared memory segments that were created outside of the chroot jail.
40852+ It is recommended that you say Y here. If the sysctl option is enabled,
40853+ a sysctl option with name "chroot_deny_shmat" is created.
40854+
40855+config GRKERNSEC_CHROOT_UNIX
40856+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
40857+ depends on GRKERNSEC_CHROOT
40858+ help
40859+ If you say Y here, processes inside a chroot will not be able to
40860+ connect to abstract (meaning not belonging to a filesystem) Unix
40861+ domain sockets that were bound outside of a chroot. It is recommended
40862+ that you say Y here. If the sysctl option is enabled, a sysctl option
40863+ with name "chroot_deny_unix" is created.
40864+
40865+config GRKERNSEC_CHROOT_FINDTASK
40866+ bool "Protect outside processes"
40867+ depends on GRKERNSEC_CHROOT
40868+ help
40869+ If you say Y here, processes inside a chroot will not be able to
40870+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
40871+ getsid, or view any process outside of the chroot. If the sysctl
40872+ option is enabled, a sysctl option with name "chroot_findtask" is
40873+ created.
40874+
40875+config GRKERNSEC_CHROOT_NICE
40876+ bool "Restrict priority changes"
40877+ depends on GRKERNSEC_CHROOT
40878+ help
40879+ If you say Y here, processes inside a chroot will not be able to raise
40880+ the priority of processes in the chroot, or alter the priority of
40881+ processes outside the chroot. This provides more security than simply
40882+ removing CAP_SYS_NICE from the process' capability set. If the
40883+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
40884+ is created.
40885+
40886+config GRKERNSEC_CHROOT_SYSCTL
40887+ bool "Deny sysctl writes"
40888+ depends on GRKERNSEC_CHROOT
40889+ help
40890+ If you say Y here, an attacker in a chroot will not be able to
40891+ write to sysctl entries, either by sysctl(2) or through a /proc
40892+ interface. It is strongly recommended that you say Y here. If the
40893+ sysctl option is enabled, a sysctl option with name
40894+ "chroot_deny_sysctl" is created.
40895+
40896+config GRKERNSEC_CHROOT_CAPS
40897+ bool "Capability restrictions"
40898+ depends on GRKERNSEC_CHROOT
40899+ help
40900+ If you say Y here, the capabilities on all root processes within a
40901+ chroot jail will be lowered to stop module insertion, raw i/o,
40902+ system and net admin tasks, rebooting the system, modifying immutable
40903+ files, modifying IPC owned by another, and changing the system time.
40904+ This is left an option because it can break some apps. Disable this
40905+ if your chrooted apps are having problems performing those kinds of
40906+ tasks. If the sysctl option is enabled, a sysctl option with
40907+ name "chroot_caps" is created.
40908+
40909+endmenu
40910+menu "Kernel Auditing"
40911+depends on GRKERNSEC
40912+
40913+config GRKERNSEC_AUDIT_GROUP
40914+ bool "Single group for auditing"
40915+ help
40916+ If you say Y here, the exec, chdir, and (un)mount logging features
40917+ will only operate on a group you specify. This option is recommended
40918+ if you only want to watch certain users instead of having a large
40919+ amount of logs from the entire system. If the sysctl option is enabled,
40920+ a sysctl option with name "audit_group" is created.
40921+
40922+config GRKERNSEC_AUDIT_GID
40923+ int "GID for auditing"
40924+ depends on GRKERNSEC_AUDIT_GROUP
40925+ default 1007
40926+
40927+config GRKERNSEC_EXECLOG
40928+ bool "Exec logging"
40929+ help
40930+ If you say Y here, all execve() calls will be logged (since the
40931+ other exec*() calls are frontends to execve(), all execution
40932+ will be logged). Useful for shell-servers that like to keep track
40933+ of their users. If the sysctl option is enabled, a sysctl option with
40934+ name "exec_logging" is created.
40935+ WARNING: This option when enabled will produce a LOT of logs, especially
40936+ on an active system.
40937+
40938+config GRKERNSEC_RESLOG
40939+ bool "Resource logging"
40940+ help
40941+ If you say Y here, all attempts to overstep resource limits will
40942+ be logged with the resource name, the requested size, and the current
40943+ limit. It is highly recommended that you say Y here. If the sysctl
40944+ option is enabled, a sysctl option with name "resource_logging" is
40945+ created. If the RBAC system is enabled, the sysctl value is ignored.
40946+
40947+config GRKERNSEC_CHROOT_EXECLOG
40948+ bool "Log execs within chroot"
40949+ help
40950+ If you say Y here, all executions inside a chroot jail will be logged
40951+ to syslog. This can cause a large amount of logs if certain
40952+ applications (eg. djb's daemontools) are installed on the system, and
40953+ is therefore left as an option. If the sysctl option is enabled, a
40954+ sysctl option with name "chroot_execlog" is created.
40955+
ae4e228f
MT
40956+config GRKERNSEC_AUDIT_PTRACE
40957+ bool "Ptrace logging"
40958+ help
40959+ If you say Y here, all attempts to attach to a process via ptrace
40960+ will be logged. If the sysctl option is enabled, a sysctl option
40961+ with name "audit_ptrace" is created.
40962+
58c5fc13
MT
40963+config GRKERNSEC_AUDIT_CHDIR
40964+ bool "Chdir logging"
40965+ help
40966+ If you say Y here, all chdir() calls will be logged. If the sysctl
40967+ option is enabled, a sysctl option with name "audit_chdir" is created.
40968+
40969+config GRKERNSEC_AUDIT_MOUNT
40970+ bool "(Un)Mount logging"
40971+ help
40972+ If you say Y here, all mounts and unmounts will be logged. If the
40973+ sysctl option is enabled, a sysctl option with name "audit_mount" is
40974+ created.
40975+
40976+config GRKERNSEC_SIGNAL
40977+ bool "Signal logging"
40978+ help
40979+ If you say Y here, certain important signals will be logged, such as
40980+ SIGSEGV, which will as a result inform you of when a error in a program
40981+ occurred, which in some cases could mean a possible exploit attempt.
40982+ If the sysctl option is enabled, a sysctl option with name
40983+ "signal_logging" is created.
40984+
40985+config GRKERNSEC_FORKFAIL
40986+ bool "Fork failure logging"
40987+ help
40988+ If you say Y here, all failed fork() attempts will be logged.
40989+ This could suggest a fork bomb, or someone attempting to overstep
40990+ their process limit. If the sysctl option is enabled, a sysctl option
40991+ with name "forkfail_logging" is created.
40992+
40993+config GRKERNSEC_TIME
40994+ bool "Time change logging"
40995+ help
40996+ If you say Y here, any changes of the system clock will be logged.
40997+ If the sysctl option is enabled, a sysctl option with name
40998+ "timechange_logging" is created.
40999+
41000+config GRKERNSEC_PROC_IPADDR
41001+ bool "/proc/<pid>/ipaddr support"
41002+ help
41003+ If you say Y here, a new entry will be added to each /proc/<pid>
41004+ directory that contains the IP address of the person using the task.
41005+ The IP is carried across local TCP and AF_UNIX stream sockets.
41006+ This information can be useful for IDS/IPSes to perform remote response
41007+ to a local attack. The entry is readable by only the owner of the
41008+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
41009+ the RBAC system), and thus does not create privacy concerns.
41010+
41011+config GRKERNSEC_AUDIT_TEXTREL
41012+ bool 'ELF text relocations logging (READ HELP)'
41013+ depends on PAX_MPROTECT
41014+ help
41015+ If you say Y here, text relocations will be logged with the filename
41016+ of the offending library or binary. The purpose of the feature is
41017+ to help Linux distribution developers get rid of libraries and
41018+ binaries that need text relocations which hinder the future progress
41019+ of PaX. Only Linux distribution developers should say Y here, and
41020+ never on a production machine, as this option creates an information
41021+ leak that could aid an attacker in defeating the randomization of
41022+ a single memory region. If the sysctl option is enabled, a sysctl
41023+ option with name "audit_textrel" is created.
41024+
41025+endmenu
41026+
41027+menu "Executable Protections"
41028+depends on GRKERNSEC
41029+
41030+config GRKERNSEC_EXECVE
41031+ bool "Enforce RLIMIT_NPROC on execs"
41032+ help
41033+ If you say Y here, users with a resource limit on processes will
41034+ have the value checked during execve() calls. The current system
41035+ only checks the system limit during fork() calls. If the sysctl option
41036+ is enabled, a sysctl option with name "execve_limiting" is created.
41037+
41038+config GRKERNSEC_DMESG
41039+ bool "Dmesg(8) restriction"
41040+ help
41041+ If you say Y here, non-root users will not be able to use dmesg(8)
41042+ to view up to the last 4kb of messages in the kernel's log buffer.
41043+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
41044+ created.
41045+
41046+config GRKERNSEC_HARDEN_PTRACE
41047+ bool "Deter ptrace-based process snooping"
41048+ help
41049+ If you say Y here, TTY sniffers and other malicious monitoring
41050+ programs implemented through ptrace will be defeated. If you
41051+ have been using the RBAC system, this option has already been
41052+ enabled for several years for all users, with the ability to make
41053+ fine-grained exceptions.
41054+
41055+ This option only affects the ability of non-root users to ptrace
41056+ processes that are not a descendent of the ptracing process.
41057+ This means that strace ./binary and gdb ./binary will still work,
41058+ but attaching to arbitrary processes will not. If the sysctl
41059+ option is enabled, a sysctl option with name "harden_ptrace" is
41060+ created.
41061+
41062+config GRKERNSEC_TPE
41063+ bool "Trusted Path Execution (TPE)"
41064+ help
41065+ If you say Y here, you will be able to choose a gid to add to the
41066+ supplementary groups of users you want to mark as "untrusted."
41067+ These users will not be able to execute any files that are not in
41068+ root-owned directories writable only by root. If the sysctl option
41069+ is enabled, a sysctl option with name "tpe" is created.
41070+
41071+config GRKERNSEC_TPE_ALL
41072+ bool "Partially restrict non-root users"
41073+ depends on GRKERNSEC_TPE
41074+ help
41075+ If you say Y here, All non-root users other than the ones in the
41076+ group specified in the main TPE option will only be allowed to
41077+ execute files in directories they own that are not group or
41078+ world-writable, or in directories owned by root and writable only by
41079+ root. If the sysctl option is enabled, a sysctl option with name
41080+ "tpe_restrict_all" is created.
41081+
41082+config GRKERNSEC_TPE_INVERT
41083+ bool "Invert GID option"
41084+ depends on GRKERNSEC_TPE
41085+ help
41086+ If you say Y here, the group you specify in the TPE configuration will
41087+ decide what group TPE restrictions will be *disabled* for. This
41088+ option is useful if you want TPE restrictions to be applied to most
41089+ users on the system.
41090+
41091+config GRKERNSEC_TPE_GID
41092+ int "GID for untrusted users"
41093+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
41094+ default 1005
41095+ help
41096+ If you have selected the "Invert GID option" above, setting this
41097+ GID determines what group TPE restrictions will be *disabled* for.
41098+ If you have not selected the "Invert GID option" above, setting this
41099+ GID determines what group TPE restrictions will be *enabled* for.
41100+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
41101+ is created.
41102+
41103+config GRKERNSEC_TPE_GID
41104+ int "GID for trusted users"
41105+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
41106+ default 1005
41107+ help
41108+ If you have selected the "Invert GID option" above, setting this
41109+ GID determines what group TPE restrictions will be *disabled* for.
41110+ If you have not selected the "Invert GID option" above, setting this
41111+ GID determines what group TPE restrictions will be *enabled* for.
41112+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
41113+ is created.
41114+
41115+endmenu
41116+menu "Network Protections"
41117+depends on GRKERNSEC
41118+
41119+config GRKERNSEC_RANDNET
41120+ bool "Larger entropy pools"
41121+ help
41122+ If you say Y here, the entropy pools used for many features of Linux
41123+ and grsecurity will be doubled in size. Since several grsecurity
41124+ features use additional randomness, it is recommended that you say Y
41125+ here. Saying Y here has a similar effect as modifying
41126+ /proc/sys/kernel/random/poolsize.
41127+
41128+config GRKERNSEC_BLACKHOLE
ae4e228f 41129+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
58c5fc13
MT
41130+ help
41131+ If you say Y here, neither TCP resets nor ICMP
41132+ destination-unreachable packets will be sent in response to packets
41133+ send to ports for which no associated listening process exists.
41134+ This feature supports both IPV4 and IPV6 and exempts the
41135+ loopback interface from blackholing. Enabling this feature
41136+ makes a host more resilient to DoS attacks and reduces network
41137+ visibility against scanners.
41138+
ae4e228f
MT
41139+ The blackhole feature as-implemented is equivalent to the FreeBSD
41140+ blackhole feature, as prevents RST responses to all packets, not
41141+ just SYNs. Under most application behavior this causes no
41142+ problems, but applications (like haproxy) may not close certain
41143+ connections in a way that cleanly terminates them on the remote
41144+ end, leaving the remote host in LAST_ACK state. Because of this
41145+ side-effect and to prevent intentional LAST_ACK DoSes, this
41146+ feature also adds automatic mitigation against such attacks.
41147+ The mitigation drastically reduces the amount of time a socket
41148+ can spend in LAST_ACK state. If you're using haproxy and not
41149+ all servers it connects to have this option enabled, consider
41150+ disabling this feature on the haproxy host.
41151+
41152+ If this option is enabled, two sysctl options with names
41153+ "ip_blackhole" and "lastack_retries" will be created.
41154+ While "ip_blackhole" takes the standard zero/non-zero on/off
41155+ toggle, "lastack_retries" uses the same kinds of values as
41156+ "tcp_retries1" and "tcp_retries2". The default value of 4
41157+ prevents a socket from lasting more than 45 seconds in LAST_ACK
41158+ state.
41159+
58c5fc13
MT
41160+config GRKERNSEC_SOCKET
41161+ bool "Socket restrictions"
41162+ help
41163+ If you say Y here, you will be able to choose from several options.
41164+ If you assign a GID on your system and add it to the supplementary
41165+ groups of users you want to restrict socket access to, this patch
41166+ will perform up to three things, based on the option(s) you choose.
41167+
41168+config GRKERNSEC_SOCKET_ALL
41169+ bool "Deny any sockets to group"
41170+ depends on GRKERNSEC_SOCKET
41171+ help
41172+ If you say Y here, you will be able to choose a GID of whose users will
41173+ be unable to connect to other hosts from your machine or run server
41174+ applications from your machine. If the sysctl option is enabled, a
41175+ sysctl option with name "socket_all" is created.
41176+
41177+config GRKERNSEC_SOCKET_ALL_GID
41178+ int "GID to deny all sockets for"
41179+ depends on GRKERNSEC_SOCKET_ALL
41180+ default 1004
41181+ help
41182+ Here you can choose the GID to disable socket access for. Remember to
41183+ add the users you want socket access disabled for to the GID
41184+ specified here. If the sysctl option is enabled, a sysctl option
41185+ with name "socket_all_gid" is created.
41186+
41187+config GRKERNSEC_SOCKET_CLIENT
41188+ bool "Deny client sockets to group"
41189+ depends on GRKERNSEC_SOCKET
41190+ help
41191+ If you say Y here, you will be able to choose a GID of whose users will
41192+ be unable to connect to other hosts from your machine, but will be
41193+ able to run servers. If this option is enabled, all users in the group
41194+ you specify will have to use passive mode when initiating ftp transfers
41195+ from the shell on your machine. If the sysctl option is enabled, a
41196+ sysctl option with name "socket_client" is created.
41197+
41198+config GRKERNSEC_SOCKET_CLIENT_GID
41199+ int "GID to deny client sockets for"
41200+ depends on GRKERNSEC_SOCKET_CLIENT
41201+ default 1003
41202+ help
41203+ Here you can choose the GID to disable client socket access for.
41204+ Remember to add the users you want client socket access disabled for to
41205+ the GID specified here. If the sysctl option is enabled, a sysctl
41206+ option with name "socket_client_gid" is created.
41207+
41208+config GRKERNSEC_SOCKET_SERVER
41209+ bool "Deny server sockets to group"
41210+ depends on GRKERNSEC_SOCKET
41211+ help
41212+ If you say Y here, you will be able to choose a GID of whose users will
41213+ be unable to run server applications from your machine. If the sysctl
41214+ option is enabled, a sysctl option with name "socket_server" is created.
41215+
41216+config GRKERNSEC_SOCKET_SERVER_GID
41217+ int "GID to deny server sockets for"
41218+ depends on GRKERNSEC_SOCKET_SERVER
41219+ default 1002
41220+ help
41221+ Here you can choose the GID to disable server socket access for.
41222+ Remember to add the users you want server socket access disabled for to
41223+ the GID specified here. If the sysctl option is enabled, a sysctl
41224+ option with name "socket_server_gid" is created.
41225+
41226+endmenu
41227+menu "Sysctl support"
41228+depends on GRKERNSEC && SYSCTL
41229+
41230+config GRKERNSEC_SYSCTL
41231+ bool "Sysctl support"
41232+ help
41233+ If you say Y here, you will be able to change the options that
41234+ grsecurity runs with at bootup, without having to recompile your
41235+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
41236+ to enable (1) or disable (0) various features. All the sysctl entries
41237+ are mutable until the "grsec_lock" entry is set to a non-zero value.
41238+ All features enabled in the kernel configuration are disabled at boot
41239+ if you do not say Y to the "Turn on features by default" option.
41240+ All options should be set at startup, and the grsec_lock entry should
41241+ be set to a non-zero value after all the options are set.
41242+ *THIS IS EXTREMELY IMPORTANT*
41243+
41244+config GRKERNSEC_SYSCTL_ON
41245+ bool "Turn on features by default"
41246+ depends on GRKERNSEC_SYSCTL
41247+ help
41248+ If you say Y here, instead of having all features enabled in the
41249+ kernel configuration disabled at boot time, the features will be
41250+ enabled at boot time. It is recommended you say Y here unless
41251+ there is some reason you would want all sysctl-tunable features to
41252+ be disabled by default. As mentioned elsewhere, it is important
41253+ to enable the grsec_lock entry once you have finished modifying
41254+ the sysctl entries.
41255+
41256+endmenu
41257+menu "Logging Options"
41258+depends on GRKERNSEC
41259+
41260+config GRKERNSEC_FLOODTIME
41261+ int "Seconds in between log messages (minimum)"
41262+ default 10
41263+ help
41264+ This option allows you to enforce the number of seconds between
41265+ grsecurity log messages. The default should be suitable for most
41266+ people, however, if you choose to change it, choose a value small enough
41267+ to allow informative logs to be produced, but large enough to
41268+ prevent flooding.
41269+
41270+config GRKERNSEC_FLOODBURST
41271+ int "Number of messages in a burst (maximum)"
41272+ default 4
41273+ help
41274+ This option allows you to choose the maximum number of messages allowed
41275+ within the flood time interval you chose in a separate option. The
41276+ default should be suitable for most people, however if you find that
41277+ many of your logs are being interpreted as flooding, you may want to
41278+ raise this value.
41279+
41280+endmenu
41281+
41282+endmenu
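--- a/grsecurity/Makefile
+++ b/grsecurity/Makefile
@@ -0,0 +1,29 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001-2009 it has been completely redesigned by Brad Spengler
+# into an RBAC system
+#
+# All code in this directory and various hooks inserted throughout the kernel
+# are copyright Brad Spengler - Open Source Security, Inc., and released
+# under the GPL v2 or higher
+
+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
+ grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
+
+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
+ gracl_learn.o grsec_log.o
+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
+
+ifndef CONFIG_GRKERNSEC
+obj-y += grsec_disabled.o
+endif
+
+ifdef CONFIG_GRKERNSEC_HIDESYM
+extra-y := grsec_hidesym.o
+$(obj)/grsec_hidesym.o:
+ @-chmod -f 500 /boot
+ @-chmod -f 500 /lib/modules
+ @-chmod -f 700 .
+ @echo ' grsec: protected kernel image paths'
+endif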
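Review bot: The `$(obj)/grsec_hidesym.o` recipe changes the modes of `/boot`, `/lib/modules` and the current directory on the machine that runs the build, not on the system the kernel is installed on, so a package build host or cross-build leaves the target unprotected. Each `chmod` is prefixed with `@-` and passed `-f`, so a failure (for example a non-root build) is silent, yet the recipe still prints `grsec: protected kernel image paths`. I would move the permission change to the install or packaging step and print the message only when it succeeded, or at minimum add `# NOTE: affects the build host only; packagers must set these modes on the target image` above the rule.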
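--- a/include/acpi/acpi_drivers.h
+++ b/include/acpi/acpi_drivers.h
@@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
 Dock Station
 -------------------------------------------------------------------------- */
 struct acpi_dock_ops {
- acpi_notify_handler handler;
- acpi_notify_handler uevent;
+ const acpi_notify_handler handler;
+ const acpi_notify_handler uevent;
 };
 
 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
@@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
 extern int register_dock_notifier(struct notifier_block *nb);
 extern void unregister_dock_notifier(struct notifier_block *nb);
 extern int register_hotplug_dock_device(acpi_handle handle,
- struct acpi_dock_ops *ops,
+ const struct acpi_dock_ops *ops,
 void *context);
 extern void unregister_hotplug_dock_device(acpi_handle handle);
 #else
@@ -144,7 +144,7 @@ static inline void unregister_dock_notif
 {
 }
 static inline int register_hotplug_dock_device(acpi_handle handle,
- struct acpi_dock_ops *ops,
+ const struct acpi_dock_ops *ops,
 void *context)
 {
 return -ENODEV;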
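--- a/include/asm-generic/atomic-long.h
+++ b/include/asm-generic/atomic-long.h
@@ -22,6 +22,12 @@
 
 typedef atomic64_t atomic_long_t;
 
+#ifdef CONFIG_PAX_REFCOUNT
+typedef atomic64_unchecked_t atomic_long_unchecked_t;
+#else
+typedef atomic64_t atomic_long_unchecked_t;
+#endif
+
 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
 
 static inline long atomic_long_read(atomic_long_t *l)
@@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
 return (long)atomic64_read(v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
+{
+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
+
+ return (long)atomic64_read_unchecked(v);
+}
+#endif
+
 static inline void atomic_long_set(atomic_long_t *l, long i)
 {
 atomic64_t *v = (atomic64_t *)l;
@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
 atomic64_set(v, i);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
+{
+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
+
+ atomic64_set_unchecked(v, i);
+}
+#endif
+
 static inline void atomic_long_inc(atomic_long_t *l)
 {
 atomic64_t *v = (atomic64_t *)l;
@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
 atomic64_inc(v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
+{
+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
+
+ atomic64_inc_unchecked(v);
+}
+#endif
+
 static inline void atomic_long_dec(atomic_long_t *l)
 {
 atomic64_t *v = (atomic64_t *)l;
@@ -59,6 +92,15 @@ static inline void atomic_long_add(long
 atomic64_add(i, v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
+{
+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
+
+ atomic64_add_unchecked(i, v);
+}
+#endif
+
 static inline void atomic_long_sub(long i, atomic_long_t *l)
 {
 atomic64_t *v = (atomic64_t *)l;
@@ -115,6 +157,15 @@ static inline long atomic_long_inc_retur
 return (long)atomic64_inc_return(v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
+{
+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
+
+ return (long)atomic64_inc_return_unchecked(v);
+}
+#endif
+
 static inline long atomic_long_dec_return(atomic_long_t *l)
 {
 atomic64_t *v = (atomic64_t *)l;
@@ -140,6 +191,12 @@ static inline long atomic_long_add_unles
 
 typedef atomic_t atomic_long_t;
 
+#ifdef CONFIG_PAX_REFCOUNT
+typedef atomic_unchecked_t atomic_long_unchecked_t;
+#else
+typedef atomic_t atomic_long_unchecked_t;
+#endif
+
 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
 static inline long atomic_long_read(atomic_long_t *l)
 {
@@ -148,6 +205,15 @@ static inline long atomic_long_read(atom
 return (long)atomic_read(v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
+{
+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
+
+ return (long)atomic_read_unchecked(v);
+}
+#endif
+
 static inline void atomic_long_set(atomic_long_t *l, long i)
 {
 atomic_t *v = (atomic_t *)l;
@@ -155,6 +221,15 @@ static inline void atomic_long_set(atomi
 atomic_set(v, i);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
+{
+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
+
+ atomic_set_unchecked(v, i);
+}
+#endif
+
 static inline void atomic_long_inc(atomic_long_t *l)
 {
 atomic_t *v = (atomic_t *)l;
@@ -162,6 +237,15 @@ static inline void atomic_long_inc(atomi
 atomic_inc(v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
+{
+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
+
+ atomic_inc_unchecked(v);
+}
+#endif
+
 static inline void atomic_long_dec(atomic_long_t *l)
 {
 atomic_t *v = (atomic_t *)l;
@@ -176,6 +260,15 @@ static inline void atomic_long_add(long
 atomic_add(i, v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
+{
+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
+
+ atomic_add_unchecked(i, v);
+}
+#endif
+
 static inline void atomic_long_sub(long i, atomic_long_t *l)
 {
 atomic_t *v = (atomic_t *)l;
@@ -232,6 +325,15 @@ static inline long atomic_long_inc_retur
 return (long)atomic_inc_return(v);
 }
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
+{
+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
+
+ return (long)atomic_inc_return_unchecked(v);
+}
+#endif
+
 static inline long atomic_long_dec_return(atomic_long_t *l)
 {
 atomic_t *v = (atomic_t *)l;
@@ -255,4 +357,33 @@ static inline long atomic_long_add_unles
 
 #endif /* BITS_PER_LONG == 64 */
 
+#ifdef CONFIG_PAX_REFCOUNT
+static inline void pax_refcount_needs_these_functions(void)
+{
+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
+
+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
+}
+#else
+#define atomic_read_unchecked(v) atomic_read(v)
+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
+#define atomic_inc_unchecked(v) atomic_inc(v)
+
+#define atomic_long_read_unchecked(v) atomic_long_read(v)
+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
+#endif
+
 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */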
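Review bot: `pax_refcount_needs_these_functions()` in the last hunk passes `NULL` to every `_unchecked` accessor and has no comment; it looks like a compile-time reference check only, and should say so, e.g. `/* never called: only makes the build fail if an *_unchecked helper is missing */`. The new `atomic_long_*_unchecked` helpers also need a short header comment stating that, judging by the names and the CONFIG_PAX_REFCOUNT guard, they bypass the overflow detection applied to the ordinary atomics and are meant for counters where wrapping is harmless, never for reference counts. The same comment should mention that without CONFIG_PAX_REFCOUNT the names fall back to the plain atomics through the macros at the end of the file.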
41571diff -urNp linux-2.6.33.1/include/asm-generic/dma-mapping-common.h linux-2.6.33.1/include/asm-generic/dma-mapping-common.h
41572--- linux-2.6.33.1/include/asm-generic/dma-mapping-common.h 2010-03-15 12:09:39.000000000 -0400
41573+++ linux-2.6.33.1/include/asm-generic/dma-mapping-common.h 2010-03-20 16:58:41.904583344 -0400
41574@@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
41575 enum dma_data_direction dir,
41576 struct dma_attrs *attrs)
41577 {
41578- struct dma_map_ops *ops = get_dma_ops(dev);
41579+ const struct dma_map_ops *ops = get_dma_ops(dev);
41580 dma_addr_t addr;
41581
41582 kmemcheck_mark_initialized(ptr, size);
41583@@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
41584 enum dma_data_direction dir,
41585 struct dma_attrs *attrs)
41586 {
41587- struct dma_map_ops *ops = get_dma_ops(dev);
41588+ const struct dma_map_ops *ops = get_dma_ops(dev);
41589
41590 BUG_ON(!valid_dma_direction(dir));
41591 if (ops->unmap_page)
41592@@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
41593 int nents, enum dma_data_direction dir,
41594 struct dma_attrs *attrs)
41595 {
41596- struct dma_map_ops *ops = get_dma_ops(dev);
41597+ const struct dma_map_ops *ops = get_dma_ops(dev);
41598 int i, ents;
41599 struct scatterlist *s;
41600
41601@@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
41602 int nents, enum dma_data_direction dir,
41603 struct dma_attrs *attrs)
41604 {
41605- struct dma_map_ops *ops = get_dma_ops(dev);
41606+ const struct dma_map_ops *ops = get_dma_ops(dev);
41607
41608 BUG_ON(!valid_dma_direction(dir));
41609 debug_dma_unmap_sg(dev, sg, nents, dir);
41610@@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
41611 size_t offset, size_t size,
41612 enum dma_data_direction dir)
41613 {
41614- struct dma_map_ops *ops = get_dma_ops(dev);
41615+ const struct dma_map_ops *ops = get_dma_ops(dev);
41616 dma_addr_t addr;
41617
41618 kmemcheck_mark_initialized(page_address(page) + offset, size);
41619@@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
41620 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
41621 size_t size, enum dma_data_direction dir)
41622 {
41623- struct dma_map_ops *ops = get_dma_ops(dev);
41624+ const struct dma_map_ops *ops = get_dma_ops(dev);
41625
41626 BUG_ON(!valid_dma_direction(dir));
41627 if (ops->unmap_page)
41628@@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
41629 size_t size,
41630 enum dma_data_direction dir)
41631 {
41632- struct dma_map_ops *ops = get_dma_ops(dev);
41633+ const struct dma_map_ops *ops = get_dma_ops(dev);
41634
41635 BUG_ON(!valid_dma_direction(dir));
41636 if (ops->sync_single_for_cpu)
41637@@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
41638 dma_addr_t addr, size_t size,
41639 enum dma_data_direction dir)
41640 {
41641- struct dma_map_ops *ops = get_dma_ops(dev);
41642+ const struct dma_map_ops *ops = get_dma_ops(dev);
41643
41644 BUG_ON(!valid_dma_direction(dir));
41645 if (ops->sync_single_for_device)
41646@@ -123,7 +123,7 @@ static inline void dma_sync_single_range
41647 size_t size,
41648 enum dma_data_direction dir)
41649 {
41650- struct dma_map_ops *ops = get_dma_ops(dev);
41651+ const struct dma_map_ops *ops = get_dma_ops(dev);
41652
41653 BUG_ON(!valid_dma_direction(dir));
41654 if (ops->sync_single_range_for_cpu) {
41655@@ -140,7 +140,7 @@ static inline void dma_sync_single_range
41656 size_t size,
41657 enum dma_data_direction dir)
41658 {
41659- struct dma_map_ops *ops = get_dma_ops(dev);
41660+ const struct dma_map_ops *ops = get_dma_ops(dev);
41661
41662 BUG_ON(!valid_dma_direction(dir));
41663 if (ops->sync_single_range_for_device) {
41664@@ -155,7 +155,7 @@ static inline void
41665 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
41666 int nelems, enum dma_data_direction dir)
41667 {
41668- struct dma_map_ops *ops = get_dma_ops(dev);
41669+ const struct dma_map_ops *ops = get_dma_ops(dev);
41670
41671 BUG_ON(!valid_dma_direction(dir));
41672 if (ops->sync_sg_for_cpu)
41673@@ -167,7 +167,7 @@ static inline void
41674 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
41675 int nelems, enum dma_data_direction dir)
41676 {
41677- struct dma_map_ops *ops = get_dma_ops(dev);
41678+ const struct dma_map_ops *ops = get_dma_ops(dev);
41679
41680 BUG_ON(!valid_dma_direction(dir));
41681 if (ops->sync_sg_for_device)
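--- a/include/asm-generic/futex.h
+++ b/include/asm-generic/futex.h
@@ -6,7 +6,7 @@
 #include <asm/errno.h>
 
 static inline int
-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
 {
 int op = (encoded_op >> 28) & 7;
 int cmp = (encoded_op >> 24) & 15;
@@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
 }
 
 static inline int
-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
 {
 return -ENOSYS;
 }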
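--- a/include/asm-generic/int-l64.h
+++ b/include/asm-generic/int-l64.h
@@ -46,6 +46,8 @@ typedef unsigned int u32;
 typedef signed long s64;
 typedef unsigned long u64;
 
+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
+
 #define S8_C(x) x
 #define U8_C(x) x ## U
 #define S16_C(x) x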
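Review bot: `intoverflow_t` is introduced here (and as `unsigned long long` in int-ll64.h) with no comment saying what it is for. From the `mode(TI)` attribute it appears to be an integer wider than `unsigned long`, presumably so that size arithmetic can be carried out without wrapping and then range-checked; a line such as `/* wider than unsigned long: lets size calculations be checked for overflow before use */` would make that contract visible. It is also worth noting next to the typedef that `mode(TI)` depends on the compiler supporting 128-bit integers for the target.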
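--- a/include/asm-generic/int-ll64.h
+++ b/include/asm-generic/int-ll64.h
@@ -51,6 +51,8 @@ typedef unsigned int u32;
 typedef signed long long s64;
 typedef unsigned long long u64;
 
+typedef unsigned long long intoverflow_t;
+
 #define S8_C(x) x
 #define U8_C(x) x ## U
 #define S16_C(x) x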
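--- a/include/asm-generic/kmap_types.h
+++ b/include/asm-generic/kmap_types.h
@@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
 KMAP_D(16) KM_IRQ_PTE,
 KMAP_D(17) KM_NMI,
 KMAP_D(18) KM_NMI_PTE,
-KMAP_D(19) KM_TYPE_NR
+KMAP_D(19) KM_CLEARPAGE,
+KMAP_D(20) KM_TYPE_NR
 };
 
 #undef KMAP_D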
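--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
 unsigned long size);
 #endif
 
+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
+static inline unsigned long pax_open_kernel(void) { return 0; }
+#endif
+
+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
+static inline unsigned long pax_close_kernel(void) { return 0; }
+#endif
+
 #endif /* !__ASSEMBLY__ */
 
 #endif /* _ASM_GENERIC_PGTABLE_H */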
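Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` stubs are added without a comment, so a reader cannot tell what the pair is supposed to do or what the returned `unsigned long` means. Since both stubs just return 0, any architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL` / `__HAVE_ARCH_PAX_CLOSE_KERNEL` gets a no-op, and code bracketed by the pair presumably runs with whatever protection state was already in effect. I would document that above the stubs, e.g. `/* generic no-op: architectures that can toggle kernel write protection provide their own pair; calls must be balanced */`, and state the meaning of the return value.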
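--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -203,6 +203,7 @@
 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
 VMLINUX_SYMBOL(__start_rodata) = .; \
 *(.rodata) *(.rodata.*) \
+ *(.data.read_only) \
 *(__vermagic) /* Kernel version magic */ \
 *(__markers_strings) /* Markers: strings */ \
 *(__tracepoints_strings)/* Tracepoints: strings */ \
@@ -660,22 +661,24 @@
 * section in the linker script will go there too. @phdr should have
 * a leading colon.
 *
- * Note that this macros defines __per_cpu_load as an absolute symbol.
+ * Note that this macros defines per_cpu_load as an absolute symbol.
 * If there is no need to put the percpu section at a predetermined
 * address, use PERCPU().
 */
 #define PERCPU_VADDR(vaddr, phdr) \
- VMLINUX_SYMBOL(__per_cpu_load) = .; \
- .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
+ per_cpu_load = .; \
+ .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
 - LOAD_OFFSET) { \
+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
 VMLINUX_SYMBOL(__per_cpu_start) = .; \
 *(.data.percpu.first) \
- *(.data.percpu.page_aligned) \
 *(.data.percpu) \
+ . = ALIGN(PAGE_SIZE); \
+ *(.data.percpu.page_aligned) \
 *(.data.percpu.shared_aligned) \
 VMLINUX_SYMBOL(__per_cpu_end) = .; \
 } phdr \
- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
 
 /**
 * PERCPU - define output section for percpu area, simple version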
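Review bot: In `PERCPU_VADDR` the new symbol is assigned as a bare `per_cpu_load = .;` and used bare in `. + per_cpu_load`, but read through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the closing `. =` line. If `VMLINUX_SYMBOL` adds a prefix on some architecture (its definition is outside this hunk), the two spellings name different symbols and the link fails or picks up the wrong value; use one spelling throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .; \`. The comment above the macro now mentions only `per_cpu_load`, although `__per_cpu_load` is still defined inside the section, so it should name both and say how they differ.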
41799diff -urNp linux-2.6.33.1/include/drm/drm_pciids.h linux-2.6.33.1/include/drm/drm_pciids.h
41800--- linux-2.6.33.1/include/drm/drm_pciids.h 2010-03-15 12:09:39.000000000 -0400
41801+++ linux-2.6.33.1/include/drm/drm_pciids.h 2010-03-20 16:58:41.904583344 -0400
41802@@ -375,7 +375,7 @@
41803 {0x1002, 0x9712, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41804 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41805 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
41806- {0, 0, 0}
41807+ {0, 0, 0, 0, 0, 0}
41808
41809 #define r128_PCI_IDS \
41810 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41811@@ -415,14 +415,14 @@
41812 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41813 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41814 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41815- {0, 0, 0}
41816+ {0, 0, 0, 0, 0, 0}
41817
41818 #define mga_PCI_IDS \
41819 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41820 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
41821 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
41822 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
41823- {0, 0, 0}
41824+ {0, 0, 0, 0, 0, 0}
41825
41826 #define mach64_PCI_IDS \
41827 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41828@@ -445,7 +445,7 @@
41829 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41830 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41831 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41832- {0, 0, 0}
41833+ {0, 0, 0, 0, 0, 0}
41834
41835 #define sisdrv_PCI_IDS \
41836 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41837@@ -456,7 +456,7 @@
41838 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41839 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41840 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
41841- {0, 0, 0}
41842+ {0, 0, 0, 0, 0, 0}
41843
41844 #define tdfx_PCI_IDS \
41845 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41846@@ -465,7 +465,7 @@
41847 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41848 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41849 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41850- {0, 0, 0}
41851+ {0, 0, 0, 0, 0, 0}
41852
41853 #define viadrv_PCI_IDS \
41854 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41855@@ -477,14 +477,14 @@
41856 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41857 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
41858 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
41859- {0, 0, 0}
41860+ {0, 0, 0, 0, 0, 0}
41861
41862 #define i810_PCI_IDS \
41863 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41864 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41865 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41866 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41867- {0, 0, 0}
41868+ {0, 0, 0, 0, 0, 0}
41869
41870 #define i830_PCI_IDS \
41871 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41872@@ -492,11 +492,11 @@
41873 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41874 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41875 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41876- {0, 0, 0}
41877+ {0, 0, 0, 0, 0, 0}
41878
41879 #define gamma_PCI_IDS \
41880 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
41881- {0, 0, 0}
41882+ {0, 0, 0, 0, 0, 0}
41883
41884 #define savage_PCI_IDS \
41885 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
41886@@ -522,10 +522,10 @@
41887 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
41888 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41889 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
41890- {0, 0, 0}
41891+ {0, 0, 0, 0, 0, 0}
41892
41893 #define ffb_PCI_IDS \
41894- {0, 0, 0}
41895+ {0, 0, 0, 0, 0, 0}
41896
41897 #define i915_PCI_IDS \
41898 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
ae4e228f 41899@@ -558,4 +558,4 @@
41900 {0x8086, 0x35e8, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41901 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41902 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
41903- {0, 0, 0}
41904+ {0, 0, 0, 0, 0, 0}
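Review bot: The table terminators are widened from `{0, 0, 0}` to `{0, 0, 0, 0, 0, 0}`, but every real entry in these macros carries seven initialisers, so the last member is still left implicit. If the aim is to spell out every field (for instance to keep missing-initialiser warnings quiet), the terminator needs a seventh zero, `{0, 0, 0, 0, 0, 0, 0}`; this applies to every hunk in this file. Behaviour is the same either way, because omitted members are zero-initialised.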
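--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -806,7 +806,7 @@ struct drm_driver {
 void (*vgaarb_irq)(struct drm_device *dev, bool state);
 
 /* Driver private ops for this object */
- struct vm_operations_struct *gem_vm_ops;
+ const struct vm_operations_struct *gem_vm_ops;
 
 int major;
 int minor;
@@ -915,7 +915,7 @@ struct drm_device {
 
 /** \name Usage Counters */
 /*@{ */
- int open_count; /**< Outstanding files open */
+ atomic_t open_count; /**< Outstanding files open */
 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
 atomic_t vma_count; /**< Outstanding vma areas open */
 int buf_use; /**< Buffers in use -- cannot alloc */
@@ -926,7 +926,7 @@ struct drm_device {
 /*@{ */
 unsigned long counters;
 enum drm_stat_type types[15];
- atomic_t counts[15];
+ atomic_unchecked_t counts[15];
 /*@} */
 
 struct list_head filelist;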
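--- a/include/linux/a.out.h
+++ b/include/linux/a.out.h
@@ -39,6 +39,14 @@ enum machine_type {
 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
 };
 
+/* Constants for the N_FLAGS field */
+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
+
 #if !defined (N_MAGIC)
 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
 #endif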
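--- a/include/linux/atmdev.h
+++ b/include/linux/atmdev.h
@@ -237,7 +237,7 @@ struct compat_atm_iobuf {
 #endif
 
 struct k_atm_aal_stats {
-#define __HANDLE_ITEM(i) atomic_t i
+#define __HANDLE_ITEM(i) atomic_unchecked_t i
 __AAL_STAT_ITEMS
 #undef __HANDLE_ITEM
 };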
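--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -86,6 +86,7 @@ struct linux_binfmt {
 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
 int (*load_shlib)(struct file *);
 int (*core_dump)(struct coredump_params *cprm);
+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
 unsigned long min_coredump; /* minimal dump size */
 int hasvdso;
 };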
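--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -1287,19 +1287,19 @@ static inline int blk_integrity_rq(struc
 #endif /* CONFIG_BLK_DEV_INTEGRITY */
 
 struct block_device_operations {
- int (*open) (struct block_device *, fmode_t);
- int (*release) (struct gendisk *, fmode_t);
- int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
- int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
- int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
- int (*direct_access) (struct block_device *, sector_t,
+ int (* const open) (struct block_device *, fmode_t);
+ int (* const release) (struct gendisk *, fmode_t);
+ int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
+ int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
+ int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
+ int (* const direct_access) (struct block_device *, sector_t,
 void **, unsigned long *);
- int (*media_changed) (struct gendisk *);
- unsigned long long (*set_capacity) (struct gendisk *,
+ int (* const media_changed) (struct gendisk *);
+ unsigned long long (* const set_capacity) (struct gendisk *,
 unsigned long long);
- int (*revalidate_disk) (struct gendisk *);
- int (*getgeo)(struct block_device *, struct hd_geometry *);
- struct module *owner;
+ int (* const revalidate_disk) (struct gendisk *);
+ int (* const getgeo)(struct block_device *, struct hd_geometry *);
+ struct module * const owner;
 };
 
 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,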
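--- a/include/linux/cache.h
+++ b/include/linux/cache.h
@@ -16,6 +16,10 @@
 #define __read_mostly
 #endif
 
+#ifndef __read_only
+#define __read_only __read_mostly
+#endif
+
 #ifndef ____cacheline_aligned
 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
 #endif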
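Review bot: The fallback `#define __read_only __read_mostly` means that on any architecture which does not supply its own `__read_only`, data carrying the annotation is placed like ordinary read-mostly data and, as far as this header shows, stays writable. That is a silent downgrade of a hardening annotation, so the fallback should carry a comment, e.g. `/* no arch support: __read_only is only a placement hint here, the data is not write-protected */`. Reviewers of code that relies on `__read_only` for integrity of function-pointer tables or policy flags need that caveat at the definition.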
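--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
 (security_real_capable_noaudit((t), (cap)) == 0)
 
 extern int capable(int cap);
+int capable_nolog(int cap);
 
 /* audit system wants to get cap info from files as well */
 struct dentry;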
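Review bot: `capable_nolog()` is declared with no comment and without the `extern` that `capable()` on the line above carries. The name suggests a capability check that skips the denial log (its definition is not in this hunk), and that matters to callers: a check moved to the non-logging variant would stop showing up in audit output. I would write `extern int capable_nolog(int cap); /* as capable(), but a denial is not logged */` once the behaviour is confirmed against the definition.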
ae4e228f
MT
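--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
@@ -50,6 +50,10 @@
 #define unreachable() __builtin_unreachable()
 #endif
 
+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
+#define __bos0(ptr) __bos((ptr), 0)
+#define __bos1(ptr) __bos((ptr), 1)
 #endif
 
 #if __GNUC_MINOR__ > 0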
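Review bot: `__alloc_size` is written with the unreserved spellings `__attribute` and `alloc_size`, so a macro named `alloc_size` anywhere in a translation unit would rewrite the attribute. The reserved form is immune to that: `#define __alloc_size(...) __attribute__((__alloc_size__(__VA_ARGS__)))`. The four macros also sit inside a conditional block whose opening `#if` is outside the hunk, so which compiler versions get them cannot be read from here; a one-line comment naming the minimum GCC version would help.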
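--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
 #define __cold
 #endif
 
+#ifndef __alloc_size
+#define __alloc_size
+#endif
+
+#ifndef __bos
+#define __bos
+#endif
+
+#ifndef __bos0
+#define __bos0
+#endif
+
+#ifndef __bos1
+#define __bos1
+#endif
+
 /* Simple shorthand for a section definition */
 #ifndef __section
 # define __section(S) __attribute__ ((__section__(#S)))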
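Review bot: The fallbacks for `__bos`, `__bos0` and `__bos1` are object-like and empty, so on a compiler that does not get the function-like definitions `__bos0(p)` expands to `(p)` and `__bos(p, 0)` to the comma expression `(p, 0)`. A size check written against them would then compare a length with a pointer or with 0 instead of with "size unknown". Function-like fallbacks that return what `__builtin_object_size` reports for an unknown object with types 0 and 1 avoid that: `#define __bos(ptr, arg) ((size_t)-1)`, with `__bos0(ptr)` and `__bos1(ptr)` defined the same way, and `#define __alloc_size(...)` for the attribute. The users of these macros are outside this hunk, so whether any of them is reached on such a compiler is not visible here.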
ae4e228f
MT
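--- a/include/linux/decompress/mm.h
+++ b/include/linux/decompress/mm.h
@@ -68,7 +68,7 @@ static void free(void *where)
 * warnings when not needed (indeed large_malloc / large_free are not
 * needed by inflate */
 
-#define malloc(a) kmalloc(a, GFP_KERNEL)
+#define malloc(a) kmalloc((a), GFP_KERNEL)
 #define free(a) kfree(a)
 
 #define large_malloc(a) vmalloc(a)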
ae4e228f
MT
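--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -16,50 +16,50 @@ enum dma_data_direction {
 };
 
 struct dma_map_ops {
- void* (*alloc_coherent)(struct device *dev, size_t size,
+ void* (* const alloc_coherent)(struct device *dev, size_t size,
 dma_addr_t *dma_handle, gfp_t gfp);
- void (*free_coherent)(struct device *dev, size_t size,
+ void (* const free_coherent)(struct device *dev, size_t size,
 void *vaddr, dma_addr_t dma_handle);
- dma_addr_t (*map_page)(struct device *dev, struct page *page,
+ dma_addr_t (* const map_page)(struct device *dev, struct page *page,
 unsigned long offset, size_t size,
 enum dma_data_direction dir,
 struct dma_attrs *attrs);
- void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
+ void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
 size_t size, enum dma_data_direction dir,
 struct dma_attrs *attrs);
- int (*map_sg)(struct device *dev, struct scatterlist *sg,
+ int (* const map_sg)(struct device *dev, struct scatterlist *sg,
 int nents, enum dma_data_direction dir,
 struct dma_attrs *attrs);
- void (*unmap_sg)(struct device *dev,
+ void (* const unmap_sg)(struct device *dev,
 struct scatterlist *sg, int nents,
 enum dma_data_direction dir,
 struct dma_attrs *attrs);
- void (*sync_single_for_cpu)(struct device *dev,
+ void (* const sync_single_for_cpu)(struct device *dev,
 dma_addr_t dma_handle, size_t size,
 enum dma_data_direction dir);
- void (*sync_single_for_device)(struct device *dev,
+ void (* const sync_single_for_device)(struct device *dev,
 dma_addr_t dma_handle, size_t size,
 enum dma_data_direction dir);
- void (*sync_single_range_for_cpu)(struct device *dev,
+ void (* const sync_single_range_for_cpu)(struct device *dev,
 dma_addr_t dma_handle,
 unsigned long offset,
 size_t size,
 enum dma_data_direction dir);
- void (*sync_single_range_for_device)(struct device *dev,
+ void (* const sync_single_range_for_device)(struct device *dev,
 dma_addr_t dma_handle,
 unsigned long offset,
 size_t size,
 enum dma_data_direction dir);
- void (*sync_sg_for_cpu)(struct device *dev,
+ void (* const sync_sg_for_cpu)(struct device *dev,
 struct scatterlist *sg, int nents,
 enum dma_data_direction dir);
- void (*sync_sg_for_device)(struct device *dev,
+ void (* const sync_sg_for_device)(struct device *dev,
 struct scatterlist *sg, int nents,
 enum dma_data_direction dir);
- int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
- int (*dma_supported)(struct device *dev, u64 mask);
- int (*set_dma_mask)(struct device *dev, u64 mask);
- int is_phys;
+ int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
+ int (* const dma_supported)(struct device *dev, u64 mask);
+ int (* set_dma_mask)(struct device *dev, u64 mask);
+ const int is_phys;
 };
 
 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))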
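Review bot: `set_dma_mask` is the one function pointer in `struct dma_map_ops` left without `const` (`int (* set_dma_mask)`), and nothing says why. Presumably some code assigns it after the table is defined, but a reader cannot tell an intentional exception from an oversight, and it is the one entry of an otherwise write-once table that can still be overwritten at run time. I would normalise the spacing and record the reason at the member: `int (*set_dma_mask)(struct device *dev, u64 mask); /* not const: assigned at run time by PLATFORM_CODE_PLACEHOLDER */`.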
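--- a/include/linux/elf.h
+++ b/include/linux/elf.h
@@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
 #define PT_GNU_EH_FRAME 0x6474e550
 
 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
+
+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
+
+/* Constants for the e_flags field */
+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
 
 /* These constants define the different elf file types */
 #define ET_NONE 0
@@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
 #define DT_DEBUG 21
 #define DT_TEXTREL 22
 #define DT_JMPREL 23
+#define DT_FLAGS 30
+ #define DF_TEXTREL 0x00000004
 #define DT_ENCODING 32
 #define OLD_DT_LOOS 0x60000000
 #define DT_LOOS 0x6000000d
@@ -230,6 +243,19 @@ typedef struct elf64_hdr {
 #define PF_W 0x2
 #define PF_X 0x1
 
+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
+
 typedef struct elf32_phdr{
 Elf32_Word p_type;
 Elf32_Off p_offset;
@@ -322,6 +348,8 @@ typedef struct elf64_shdr {
 #define EI_OSABI 7
 #define EI_PAD 8
 
+#define EI_PAX 14
+
 #define ELFMAG0 0x7f /* EI_MAG */
 #define ELFMAG1 'E'
 #define ELFMAG2 'L'
@@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
 #define elf_phdr elf32_phdr
 #define elf_note elf32_note
 #define elf_addr_t Elf32_Off
+#define elf_dyn Elf32_Dyn
 
 #else
 
@@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
 #define elf_phdr elf64_phdr
 #define elf_note elf64_note
 #define elf_addr_t Elf64_Off
+#define elf_dyn Elf64_Dyn
 
 #endif
 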
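Review bot: In the hunk at `@@ -230,6 +243,19 @@` each PaX feature gets a separate enable bit and disable bit (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), but nothing states what a program header with both bits of a pair set, or with neither, means. These values are read from the binary being loaded, so the contract belongs next to the definitions rather than only in the parser, which is outside this file section. A comment above the block would do, for example `/* per feature set at most one of PF_x / PF_NOx; both set: RESULT_PLACEHOLDER; neither set: RESULT_PLACEHOLDER */`, with the two cases filled in from the loader code.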
ae4e228f
MT
42232diff -urNp linux-2.6.33.1/include/linux/fs.h linux-2.6.33.1/include/linux/fs.h
42233--- linux-2.6.33.1/include/linux/fs.h 2010-03-15 12:09:39.000000000 -0400
42234+++ linux-2.6.33.1/include/linux/fs.h 2010-03-20 16:59:37.096727099 -0400
42235@@ -90,6 +90,11 @@ struct inodes_stat_t {
42236 /* Expect random access pattern */
42237 #define FMODE_RANDOM ((__force fmode_t)4096)
58c5fc13
MT
42238
42239+/* Hack for grsec so as not to require read permission simply to execute
ae4e228f
MT
42240+ * a binary
42241+ */
58c5fc13
MT
42242+#define FMODE_GREXEC ((__force fmode_t)8192)
42243+
42244 /*
42245 * The below are the various read and write types that we support. Some of
42246 * them include behavioral modifiers that send information down to the
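Review bot: `FMODE_GREXEC` is described only as a hack that avoids requiring read permission to execute a binary; the comment does not say who may set the bit or where it is honoured. Because it relaxes a permission check, the definition should state that it is kernel-internal and must never be derived from flags a caller supplies, assuming that is how it is used (the code that sets and tests it is outside this hunk). The value 8192 is simply the next bit after `FMODE_RANDOM`, so a note to re-check it against upstream `FMODE_*` additions on every rebase would also help.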
ae4e228f
MT
42247@@ -570,41 +575,41 @@ typedef int (*read_actor_t)(read_descrip
42248 unsigned long, unsigned long);
42249
42250 struct address_space_operations {
42251- int (*writepage)(struct page *page, struct writeback_control *wbc);
42252- int (*readpage)(struct file *, struct page *);
42253- void (*sync_page)(struct page *);
42254+ int (* const writepage)(struct page *page, struct writeback_control *wbc);
42255+ int (* const readpage)(struct file *, struct page *);
42256+ void (* const sync_page)(struct page *);
42257
42258 /* Write back some dirty pages from this mapping. */
42259- int (*writepages)(struct address_space *, struct writeback_control *);
42260+ int (* const writepages)(struct address_space *, struct writeback_control *);
42261
42262 /* Set a page dirty. Return true if this dirtied it */
42263- int (*set_page_dirty)(struct page *page);
42264+ int (* const set_page_dirty)(struct page *page);
42265
42266- int (*readpages)(struct file *filp, struct address_space *mapping,
42267+ int (* const readpages)(struct file *filp, struct address_space *mapping,
42268 struct list_head *pages, unsigned nr_pages);
42269
42270- int (*write_begin)(struct file *, struct address_space *mapping,
42271+ int (* const write_begin)(struct file *, struct address_space *mapping,
42272 loff_t pos, unsigned len, unsigned flags,
42273 struct page **pagep, void **fsdata);
42274- int (*write_end)(struct file *, struct address_space *mapping,
42275+ int (* const write_end)(struct file *, struct address_space *mapping,
42276 loff_t pos, unsigned len, unsigned copied,
42277 struct page *page, void *fsdata);
42278
42279 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
42280- sector_t (*bmap)(struct address_space *, sector_t);
42281- void (*invalidatepage) (struct page *, unsigned long);
42282- int (*releasepage) (struct page *, gfp_t);
42283- ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
42284+ sector_t (* const bmap)(struct address_space *, sector_t);
42285+ void (* const invalidatepage) (struct page *, unsigned long);
42286+ int (* const releasepage) (struct page *, gfp_t);
42287+ ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
42288 loff_t offset, unsigned long nr_segs);
42289- int (*get_xip_mem)(struct address_space *, pgoff_t, int,
42290+ int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
42291 void **, unsigned long *);
42292 /* migrate the contents of a page to the specified target */
42293- int (*migratepage) (struct address_space *,
42294+ int (* const migratepage) (struct address_space *,
42295 struct page *, struct page *);
42296- int (*launder_page) (struct page *);
42297- int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
42298+ int (* const launder_page) (struct page *);
42299+ int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
42300 unsigned long);
42301- int (*error_remove_page)(struct address_space *, struct page *);
42302+ int (* const error_remove_page)(struct address_space *, struct page *);
42303 };
42304
42305 /*
42306@@ -1032,19 +1037,19 @@ static inline int file_check_writeable(s
42307 typedef struct files_struct *fl_owner_t;
42308
42309 struct file_lock_operations {
42310- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42311- void (*fl_release_private)(struct file_lock *);
42312+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42313+ void (* const fl_release_private)(struct file_lock *);
42314 };
42315
42316 struct lock_manager_operations {
42317- int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
42318- void (*fl_notify)(struct file_lock *); /* unblock callback */
42319- int (*fl_grant)(struct file_lock *, struct file_lock *, int);
42320- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
42321- void (*fl_release_private)(struct file_lock *);
42322- void (*fl_break)(struct file_lock *);
42323- int (*fl_mylease)(struct file_lock *, struct file_lock *);
42324- int (*fl_change)(struct file_lock **, int);
42325+ int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
42326+ void (* const fl_notify)(struct file_lock *); /* unblock callback */
42327+ int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
42328+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
42329+ void (* const fl_release_private)(struct file_lock *);
42330+ void (* const fl_break)(struct file_lock *);
42331+ int (* const fl_mylease)(struct file_lock *, struct file_lock *);
42332+ int (* const fl_change)(struct file_lock **, int);
42333 };
42334
42335 struct lock_manager {
42336@@ -1437,7 +1442,7 @@ struct fiemap_extent_info {
42337 unsigned int fi_flags; /* Flags as passed from user */
42338 unsigned int fi_extents_mapped; /* Number of mapped extents */
42339 unsigned int fi_extents_max; /* Size of fiemap_extent array */
42340- struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
42341+ struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
42342 * array */
42343 };
42344 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
42345@@ -1554,30 +1559,30 @@ extern ssize_t vfs_writev(struct file *,
42346 unsigned long, loff_t *);
42347
42348 struct super_operations {
42349- struct inode *(*alloc_inode)(struct super_block *sb);
42350- void (*destroy_inode)(struct inode *);
42351+ struct inode *(* const alloc_inode)(struct super_block *sb);
42352+ void (* const destroy_inode)(struct inode *);
42353
42354- void (*dirty_inode) (struct inode *);
42355- int (*write_inode) (struct inode *, int);
42356- void (*drop_inode) (struct inode *);
42357- void (*delete_inode) (struct inode *);
42358- void (*put_super) (struct super_block *);
42359- void (*write_super) (struct super_block *);
42360- int (*sync_fs)(struct super_block *sb, int wait);
42361- int (*freeze_fs) (struct super_block *);
42362- int (*unfreeze_fs) (struct super_block *);
42363- int (*statfs) (struct dentry *, struct kstatfs *);
42364- int (*remount_fs) (struct super_block *, int *, char *);
42365- void (*clear_inode) (struct inode *);
42366- void (*umount_begin) (struct super_block *);
42367+ void (* const dirty_inode) (struct inode *);
42368+ int (* const write_inode) (struct inode *, int);
42369+ void (* const drop_inode) (struct inode *);
42370+ void (* const delete_inode) (struct inode *);
42371+ void (* const put_super) (struct super_block *);
42372+ void (* const write_super) (struct super_block *);
42373+ int (* const sync_fs)(struct super_block *sb, int wait);
42374+ int (* const freeze_fs) (struct super_block *);
42375+ int (* const unfreeze_fs) (struct super_block *);
42376+ int (* const statfs) (struct dentry *, struct kstatfs *);
42377+ int (* const remount_fs) (struct super_block *, int *, char *);
42378+ void (* const clear_inode) (struct inode *);
42379+ void (* const umount_begin) (struct super_block *);
42380
42381- int (*show_options)(struct seq_file *, struct vfsmount *);
42382- int (*show_stats)(struct seq_file *, struct vfsmount *);
42383+ int (* const show_options)(struct seq_file *, struct vfsmount *);
42384+ int (* const show_stats)(struct seq_file *, struct vfsmount *);
42385 #ifdef CONFIG_QUOTA
42386- ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
42387- ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42388+ ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
42389+ ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
42390 #endif
42391- int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42392+ int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
42393 };
42394
42395 /*
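--- a/include/linux/fs_struct.h
+++ b/include/linux/fs_struct.h
@@ -4,7 +4,7 @@
 #include <linux/path.h>
 
 struct fs_struct {
- int users;
+ atomic_t users;
 rwlock_t lock;
 int umask;
 int in_exec;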
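Review bot: Changing `users` to `atomic_t` makes each single read or update atomic, but `struct fs_struct` keeps `rwlock_t lock` right below it and nothing now says which of the two protects the count. Any sequence that tests `users` and then acts on the result still needs the lock or a single atomic operation such as `atomic_dec_and_test()`; the call sites are outside this hunk. I would document that at the member, e.g. `atomic_t users; /* check-and-act sequences must use one atomic op or hold lock */`.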
ae4e228f
MT
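--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -162,7 +162,7 @@ struct gendisk {
 
 struct timer_rand_state *random;
 
- atomic_t sync_io; /* RAID */
+ atomic_unchecked_t sync_io; /* RAID */
 struct work_struct async_notify;
 #ifdef CONFIG_BLK_DEV_INTEGRITY
 struct blk_integrity *integrity;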
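Review bot: `sync_io` is switched to `atomic_unchecked_t` with no reason given. If, as the type name suggests, that opts the counter out of overflow checking, the member should say why wrapping is harmless here, for instance `atomic_unchecked_t sync_io; /* RAID; I/O statistic, not a reference count, may wrap */` once that is confirmed against its users. Without it a later reader cannot tell a deliberate exemption from a convenience.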
ae4e228f
MT
42420diff -urNp linux-2.6.33.1/include/linux/gracl.h linux-2.6.33.1/include/linux/gracl.h
42421--- linux-2.6.33.1/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
42422+++ linux-2.6.33.1/include/linux/gracl.h 2010-03-20 16:58:41.912517036 -0400
42423@@ -0,0 +1,309 @@
58c5fc13
MT
42424+#ifndef GR_ACL_H
42425+#define GR_ACL_H
42426+
42427+#include <linux/grdefs.h>
42428+#include <linux/resource.h>
42429+#include <linux/capability.h>
42430+#include <linux/dcache.h>
42431+#include <asm/resource.h>
42432+
42433+/* Major status information */
42434+
42435+#define GR_VERSION "grsecurity 2.1.14"
42436+#define GRSECURITY_VERSION 0x2114
42437+
42438+enum {
42439+ GR_SHUTDOWN = 0,
42440+ GR_ENABLE = 1,
42441+ GR_SPROLE = 2,
42442+ GR_RELOAD = 3,
42443+ GR_SEGVMOD = 4,
42444+ GR_STATUS = 5,
42445+ GR_UNSPROLE = 6,
42446+ GR_PASSSET = 7,
42447+ GR_SPROLEPAM = 8,
42448+};
42449+
42450+/* Password setup definitions
42451+ * kernel/grhash.c */
42452+enum {
42453+ GR_PW_LEN = 128,
42454+ GR_SALT_LEN = 16,
42455+ GR_SHA_LEN = 32,
42456+};
42457+
42458+enum {
42459+ GR_SPROLE_LEN = 64,
42460+};
42461+
42462+#define GR_NLIMITS 32
42463+
42464+/* Begin Data Structures */
42465+
42466+struct sprole_pw {
42467+ unsigned char *rolename;
42468+ unsigned char salt[GR_SALT_LEN];
42469+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
42470+};
42471+
42472+struct name_entry {
42473+ __u32 key;
42474+ ino_t inode;
42475+ dev_t device;
42476+ char *name;
42477+ __u16 len;
42478+ __u8 deleted;
42479+ struct name_entry *prev;
42480+ struct name_entry *next;
42481+};
42482+
42483+struct inodev_entry {
42484+ struct name_entry *nentry;
42485+ struct inodev_entry *prev;
42486+ struct inodev_entry *next;
42487+};
42488+
42489+struct acl_role_db {
42490+ struct acl_role_label **r_hash;
42491+ __u32 r_size;
42492+};
42493+
42494+struct inodev_db {
42495+ struct inodev_entry **i_hash;
42496+ __u32 i_size;
42497+};
42498+
42499+struct name_db {
42500+ struct name_entry **n_hash;
42501+ __u32 n_size;
42502+};
42503+
42504+struct crash_uid {
42505+ uid_t uid;
42506+ unsigned long expires;
42507+};
42508+
42509+struct gr_hash_struct {
42510+ void **table;
42511+ void **nametable;
42512+ void *first;
42513+ __u32 table_size;
42514+ __u32 used_size;
42515+ int type;
42516+};
42517+
42518+/* Userspace Grsecurity ACL data structures */
42519+
42520+struct acl_subject_label {
42521+ char *filename;
42522+ ino_t inode;
42523+ dev_t device;
42524+ __u32 mode;
42525+ kernel_cap_t cap_mask;
42526+ kernel_cap_t cap_lower;
42527+
42528+ struct rlimit res[GR_NLIMITS];
42529+ __u32 resmask;
42530+
42531+ __u8 user_trans_type;
42532+ __u8 group_trans_type;
42533+ uid_t *user_transitions;
42534+ gid_t *group_transitions;
42535+ __u16 user_trans_num;
42536+ __u16 group_trans_num;
42537+
42538+ __u32 ip_proto[8];
42539+ __u32 ip_type;
42540+ struct acl_ip_label **ips;
42541+ __u32 ip_num;
42542+ __u32 inaddr_any_override;
42543+
42544+ __u32 crashes;
42545+ unsigned long expires;
42546+
42547+ struct acl_subject_label *parent_subject;
42548+ struct gr_hash_struct *hash;
42549+ struct acl_subject_label *prev;
42550+ struct acl_subject_label *next;
42551+
42552+ struct acl_object_label **obj_hash;
42553+ __u32 obj_hash_size;
42554+ __u16 pax_flags;
42555+};
42556+
42557+struct role_allowed_ip {
42558+ __u32 addr;
42559+ __u32 netmask;
42560+
42561+ struct role_allowed_ip *prev;
42562+ struct role_allowed_ip *next;
42563+};
42564+
42565+struct role_transition {
42566+ char *rolename;
42567+
42568+ struct role_transition *prev;
42569+ struct role_transition *next;
42570+};
42571+
42572+struct acl_role_label {
42573+ char *rolename;
42574+ uid_t uidgid;
42575+ __u16 roletype;
42576+
42577+ __u16 auth_attempts;
42578+ unsigned long expires;
42579+
42580+ struct acl_subject_label *root_label;
42581+ struct gr_hash_struct *hash;
42582+
42583+ struct acl_role_label *prev;
42584+ struct acl_role_label *next;
42585+
42586+ struct role_transition *transitions;
42587+ struct role_allowed_ip *allowed_ips;
42588+ uid_t *domain_children;
42589+ __u16 domain_child_num;
42590+
42591+ struct acl_subject_label **subj_hash;
42592+ __u32 subj_hash_size;
42593+};
42594+
42595+struct user_acl_role_db {
42596+ struct acl_role_label **r_table;
42597+ __u32 num_pointers; /* Number of allocations to track */
42598+ __u32 num_roles; /* Number of roles */
42599+ __u32 num_domain_children; /* Number of domain children */
42600+ __u32 num_subjects; /* Number of subjects */
42601+ __u32 num_objects; /* Number of objects */
42602+};
42603+
42604+struct acl_object_label {
42605+ char *filename;
42606+ ino_t inode;
42607+ dev_t device;
42608+ __u32 mode;
42609+
42610+ struct acl_subject_label *nested;
42611+ struct acl_object_label *globbed;
42612+
42613+ /* next two structures not used */
42614+
42615+ struct acl_object_label *prev;
42616+ struct acl_object_label *next;
42617+};
42618+
42619+struct acl_ip_label {
42620+ char *iface;
42621+ __u32 addr;
42622+ __u32 netmask;
42623+ __u16 low, high;
42624+ __u8 mode;
42625+ __u32 type;
42626+ __u32 proto[8];
42627+
42628+ /* next two structures not used */
42629+
42630+ struct acl_ip_label *prev;
42631+ struct acl_ip_label *next;
42632+};
42633+
42634+struct gr_arg {
42635+ struct user_acl_role_db role_db;
42636+ unsigned char pw[GR_PW_LEN];
42637+ unsigned char salt[GR_SALT_LEN];
42638+ unsigned char sum[GR_SHA_LEN];
42639+ unsigned char sp_role[GR_SPROLE_LEN];
42640+ struct sprole_pw *sprole_pws;
42641+ dev_t segv_device;
42642+ ino_t segv_inode;
42643+ uid_t segv_uid;
42644+ __u16 num_sprole_pws;
42645+ __u16 mode;
42646+};
42647+
42648+struct gr_arg_wrapper {
42649+ struct gr_arg *arg;
42650+ __u32 version;
42651+ __u32 size;
42652+};
42653+
42654+struct subject_map {
42655+ struct acl_subject_label *user;
42656+ struct acl_subject_label *kernel;
42657+ struct subject_map *prev;
42658+ struct subject_map *next;
42659+};
42660+
42661+struct acl_subj_map_db {
42662+ struct subject_map **s_hash;
42663+ __u32 s_size;
42664+};
42665+
42666+/* End Data Structures Section */
42667+
42668+/* Hash functions generated by empirical testing by Brad Spengler
42669+ Makes good use of the low bits of the inode. Generally 0-1 times
42670+ in loop for successful match. 0-3 for unsuccessful match.
42671+ Shift/add algorithm with modulus of table size and an XOR*/
42672+
42673+static __inline__ unsigned int
42674+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
42675+{
ae4e228f 42676+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
58c5fc13
MT
42677+}
42678+
42679+ static __inline__ unsigned int
42680+shash(const struct acl_subject_label *userp, const unsigned int sz)
42681+{
42682+ return ((const unsigned long)userp % sz);
42683+}
42684+
42685+static __inline__ unsigned int
42686+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
42687+{
42688+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
42689+}
42690+
42691+static __inline__ unsigned int
42692+nhash(const char *name, const __u16 len, const unsigned int sz)
42693+{
42694+ return full_name_hash((const unsigned char *)name, len) % sz;
42695+}
42696+
ae4e228f
MT
42697+#define FOR_EACH_ROLE_START(role) \
42698+ role = role_list; \
42699+ while (role) {
58c5fc13 42700+
ae4e228f
MT
42701+#define FOR_EACH_ROLE_END(role) \
42702+ role = role->prev; \
58c5fc13
MT
42703+ }
42704+
42705+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
42706+ subj = NULL; \
42707+ iter = 0; \
42708+ while (iter < role->subj_hash_size) { \
42709+ if (subj == NULL) \
42710+ subj = role->subj_hash[iter]; \
42711+ if (subj == NULL) { \
42712+ iter++; \
42713+ continue; \
42714+ }
42715+
42716+#define FOR_EACH_SUBJECT_END(subj,iter) \
42717+ subj = subj->next; \
42718+ if (subj == NULL) \
42719+ iter++; \
42720+ }
42721+
42722+
42723+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
42724+ subj = role->hash->first; \
42725+ while (subj != NULL) {
42726+
42727+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
42728+ subj = subj->next; \
42729+ }
42730+
42731+#endif
42732+
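Review bot: In `rhash()` the shift count is `16 + type`, and `type` is a `__u16` that the signature does not bound, so any value of 16 or more shifts the operand by its full width or more, which is undefined behaviour; `% sz` likewise divides by zero when `sz` is 0. The callers are not part of this header, so they may well pass only small role-type values and a non-zero table size, but the function should state that. I would add above it `/* type must be GR_ROLE_USER or GR_ROLE_GROUP (shift stays below 32); sz must be non-zero */`, adjusted to what the callers really pass. The same `sz` precondition applies to `shash()`, `fhash()` and `nhash()`.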
ae4e228f
MT
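--- a/include/linux/gralloc.h
+++ b/include/linux/gralloc.h
@@ -0,0 +1,9 @@
+#ifndef __GRALLOC_H
+#define __GRALLOC_H
+
+void acl_free_all(void);
+int acl_alloc_stack_init(unsigned long size);
+void *acl_alloc(unsigned long len);
+void *acl_alloc_num(unsigned long num, unsigned long len);
+
+#endif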
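Review bot: The prototypes carry no contract, and for `acl_alloc_num(unsigned long num, unsigned long len)` the missing part is security-relevant: a caller needs to know that `num * len` is checked for overflow before anything is allocated. The implementation is not in this file, so this may already be the case; the header should say so. Suggested comment on that prototype: `/* returns NULL if num * len overflows or memory is exhausted */`, plus a line on `acl_free_all()` stating that it releases everything obtained from `acl_alloc()` and `acl_alloc_num()`, if that holds.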
ae4e228f
MT
42746diff -urNp linux-2.6.33.1/include/linux/grdefs.h linux-2.6.33.1/include/linux/grdefs.h
42747--- linux-2.6.33.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
42748+++ linux-2.6.33.1/include/linux/grdefs.h 2010-03-20 16:58:41.912517036 -0400
58c5fc13
MT
42749@@ -0,0 +1,136 @@
42750+#ifndef GRDEFS_H
42751+#define GRDEFS_H
42752+
42753+/* Begin grsecurity status declarations */
42754+
42755+enum {
42756+ GR_READY = 0x01,
42757+ GR_STATUS_INIT = 0x00 // disabled state
42758+};
42759+
42760+/* Begin ACL declarations */
42761+
42762+/* Role flags */
42763+
42764+enum {
42765+ GR_ROLE_USER = 0x0001,
42766+ GR_ROLE_GROUP = 0x0002,
42767+ GR_ROLE_DEFAULT = 0x0004,
42768+ GR_ROLE_SPECIAL = 0x0008,
42769+ GR_ROLE_AUTH = 0x0010,
42770+ GR_ROLE_NOPW = 0x0020,
42771+ GR_ROLE_GOD = 0x0040,
42772+ GR_ROLE_LEARN = 0x0080,
42773+ GR_ROLE_TPE = 0x0100,
42774+ GR_ROLE_DOMAIN = 0x0200,
42775+ GR_ROLE_PAM = 0x0400
42776+};
42777+
42778+/* ACL Subject and Object mode flags */
42779+enum {
42780+ GR_DELETED = 0x80000000
42781+};
42782+
42783+/* ACL Object-only mode flags */
42784+enum {
42785+ GR_READ = 0x00000001,
42786+ GR_APPEND = 0x00000002,
42787+ GR_WRITE = 0x00000004,
42788+ GR_EXEC = 0x00000008,
42789+ GR_FIND = 0x00000010,
42790+ GR_INHERIT = 0x00000020,
42791+ GR_SETID = 0x00000040,
42792+ GR_CREATE = 0x00000080,
42793+ GR_DELETE = 0x00000100,
42794+ GR_LINK = 0x00000200,
42795+ GR_AUDIT_READ = 0x00000400,
42796+ GR_AUDIT_APPEND = 0x00000800,
42797+ GR_AUDIT_WRITE = 0x00001000,
42798+ GR_AUDIT_EXEC = 0x00002000,
42799+ GR_AUDIT_FIND = 0x00004000,
42800+ GR_AUDIT_INHERIT= 0x00008000,
42801+ GR_AUDIT_SETID = 0x00010000,
42802+ GR_AUDIT_CREATE = 0x00020000,
42803+ GR_AUDIT_DELETE = 0x00040000,
42804+ GR_AUDIT_LINK = 0x00080000,
42805+ GR_PTRACERD = 0x00100000,
42806+ GR_NOPTRACE = 0x00200000,
42807+ GR_SUPPRESS = 0x00400000,
42808+ GR_NOLEARN = 0x00800000
42809+};
42810+
42811+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
42812+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
42813+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
42814+
42815+/* ACL subject-only mode flags */
42816+enum {
42817+ GR_KILL = 0x00000001,
42818+ GR_VIEW = 0x00000002,
42819+ GR_PROTECTED = 0x00000004,
42820+ GR_LEARN = 0x00000008,
42821+ GR_OVERRIDE = 0x00000010,
42822+ /* just a placeholder, this mode is only used in userspace */
42823+ GR_DUMMY = 0x00000020,
42824+ GR_PROTSHM = 0x00000040,
42825+ GR_KILLPROC = 0x00000080,
42826+ GR_KILLIPPROC = 0x00000100,
42827+ /* just a placeholder, this mode is only used in userspace */
42828+ GR_NOTROJAN = 0x00000200,
42829+ GR_PROTPROCFD = 0x00000400,
42830+ GR_PROCACCT = 0x00000800,
42831+ GR_RELAXPTRACE = 0x00001000,
42832+ GR_NESTED = 0x00002000,
42833+ GR_INHERITLEARN = 0x00004000,
42834+ GR_PROCFIND = 0x00008000,
42835+ GR_POVERRIDE = 0x00010000,
42836+ GR_KERNELAUTH = 0x00020000,
42837+};
42838+
42839+enum {
42840+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
42841+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
42842+ GR_PAX_ENABLE_MPROTECT = 0x0004,
42843+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
42844+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
42845+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
42846+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
42847+ GR_PAX_DISABLE_MPROTECT = 0x0400,
42848+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
42849+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
42850+};
42851+
42852+enum {
42853+ GR_ID_USER = 0x01,
42854+ GR_ID_GROUP = 0x02,
42855+};
42856+
42857+enum {
42858+ GR_ID_ALLOW = 0x01,
42859+ GR_ID_DENY = 0x02,
42860+};
42861+
42862+#define GR_CRASH_RES 31
42863+#define GR_UIDTABLE_MAX 500
42864+
42865+/* begin resource learning section */
42866+enum {
42867+ GR_RLIM_CPU_BUMP = 60,
42868+ GR_RLIM_FSIZE_BUMP = 50000,
42869+ GR_RLIM_DATA_BUMP = 10000,
42870+ GR_RLIM_STACK_BUMP = 1000,
42871+ GR_RLIM_CORE_BUMP = 10000,
42872+ GR_RLIM_RSS_BUMP = 500000,
42873+ GR_RLIM_NPROC_BUMP = 1,
42874+ GR_RLIM_NOFILE_BUMP = 5,
42875+ GR_RLIM_MEMLOCK_BUMP = 50000,
42876+ GR_RLIM_AS_BUMP = 500000,
42877+ GR_RLIM_LOCKS_BUMP = 2,
42878+ GR_RLIM_SIGPENDING_BUMP = 5,
42879+ GR_RLIM_MSGQUEUE_BUMP = 10000,
42880+ GR_RLIM_NICE_BUMP = 1,
42881+ GR_RLIM_RTPRIO_BUMP = 1,
42882+ GR_RLIM_RTTIME_BUMP = 1000000
42883+};
42884+
42885+#endif
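Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, which is the type ISO C gives an enumeration constant; it compiles only through a compiler extension, and the resulting type differs from that of the other mode flags. The mode fields it is meant for are `__u32` in gracl.h, so an explicitly unsigned constant is clearer: `#define GR_DELETED 0x80000000U`. Separately, `GR_STATUS_INIT` carries the only `//` comment in a file that otherwise uses `/* */`.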
ae4e228f
MT
42886diff -urNp linux-2.6.33.1/include/linux/grinternal.h linux-2.6.33.1/include/linux/grinternal.h
42887--- linux-2.6.33.1/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
42888+++ linux-2.6.33.1/include/linux/grinternal.h 2010-03-20 17:34:52.485855710 -0400
42889@@ -0,0 +1,215 @@
58c5fc13
MT
42890+#ifndef __GRINTERNAL_H
42891+#define __GRINTERNAL_H
42892+
42893+#ifdef CONFIG_GRKERNSEC
42894+
42895+#include <linux/fs.h>
42896+#include <linux/mnt_namespace.h>
42897+#include <linux/nsproxy.h>
42898+#include <linux/gracl.h>
42899+#include <linux/grdefs.h>
42900+#include <linux/grmsg.h>
42901+
42902+void gr_add_learn_entry(const char *fmt, ...)
42903+ __attribute__ ((format (printf, 1, 2)));
42904+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
42905+ const struct vfsmount *mnt);
42906+__u32 gr_check_create(const struct dentry *new_dentry,
42907+ const struct dentry *parent,
42908+ const struct vfsmount *mnt, const __u32 mode);
42909+int gr_check_protected_task(const struct task_struct *task);
42910+__u32 to_gr_audit(const __u32 reqmode);
42911+int gr_set_acls(const int type);
42912+
42913+int gr_acl_is_enabled(void);
42914+char gr_roletype_to_char(void);
42915+
42916+void gr_handle_alertkill(struct task_struct *task);
42917+char *gr_to_filename(const struct dentry *dentry,
42918+ const struct vfsmount *mnt);
42919+char *gr_to_filename1(const struct dentry *dentry,
42920+ const struct vfsmount *mnt);
42921+char *gr_to_filename2(const struct dentry *dentry,
42922+ const struct vfsmount *mnt);
42923+char *gr_to_filename3(const struct dentry *dentry,
42924+ const struct vfsmount *mnt);
42925+
42926+extern int grsec_enable_harden_ptrace;
42927+extern int grsec_enable_link;
42928+extern int grsec_enable_fifo;
42929+extern int grsec_enable_execve;
42930+extern int grsec_enable_shm;
42931+extern int grsec_enable_execlog;
42932+extern int grsec_enable_signal;
ae4e228f 42933+extern int grsec_enable_audit_ptrace;
58c5fc13
MT
42934+extern int grsec_enable_forkfail;
42935+extern int grsec_enable_time;
ae4e228f 42936+extern int grsec_enable_rofs;
58c5fc13
MT
42937+extern int grsec_enable_chroot_shmat;
42938+extern int grsec_enable_chroot_findtask;
42939+extern int grsec_enable_chroot_mount;
42940+extern int grsec_enable_chroot_double;
42941+extern int grsec_enable_chroot_pivot;
42942+extern int grsec_enable_chroot_chdir;
42943+extern int grsec_enable_chroot_chmod;
42944+extern int grsec_enable_chroot_mknod;
42945+extern int grsec_enable_chroot_fchdir;
42946+extern int grsec_enable_chroot_nice;
42947+extern int grsec_enable_chroot_execlog;
42948+extern int grsec_enable_chroot_caps;
42949+extern int grsec_enable_chroot_sysctl;
42950+extern int grsec_enable_chroot_unix;
42951+extern int grsec_enable_tpe;
42952+extern int grsec_tpe_gid;
42953+extern int grsec_enable_tpe_all;
42954+extern int grsec_enable_sidcaps;
42955+extern int grsec_enable_socket_all;
42956+extern int grsec_socket_all_gid;
42957+extern int grsec_enable_socket_client;
42958+extern int grsec_socket_client_gid;
42959+extern int grsec_enable_socket_server;
42960+extern int grsec_socket_server_gid;
42961+extern int grsec_audit_gid;
42962+extern int grsec_enable_group;
42963+extern int grsec_enable_audit_textrel;
42964+extern int grsec_enable_mount;
42965+extern int grsec_enable_chdir;
42966+extern int grsec_resource_logging;
ae4e228f
MT
42967+extern int grsec_enable_blackhole;
42968+extern int grsec_lastack_retries;
58c5fc13
MT
42969+extern int grsec_lock;
42970+
42971+extern spinlock_t grsec_alert_lock;
42972+extern unsigned long grsec_alert_wtime;
42973+extern unsigned long grsec_alert_fyet;
42974+
42975+extern spinlock_t grsec_audit_lock;
42976+
42977+extern rwlock_t grsec_exec_file_lock;
42978+
42979+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
42980+ gr_to_filename2(tsk->exec_file->f_path.dentry, \
42981+ tsk->exec_file->f_vfsmnt) : "/")
42982+
42983+#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
42984+ gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
42985+ tsk->parent->exec_file->f_vfsmnt) : "/")
42986+
42987+#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
42988+ gr_to_filename(tsk->exec_file->f_path.dentry, \
42989+ tsk->exec_file->f_vfsmnt) : "/")
42990+
42991+#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
42992+ gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
42993+ tsk->parent->exec_file->f_vfsmnt) : "/")
42994+
42995+#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
42996+ ((init_task.fs->root.dentry != tsk_a->fs->root.dentry) && \
42997+ (tsk_a->nsproxy->mnt_ns->root->mnt_root != \
42998+ tsk_a->fs->root.dentry)))
42999+
43000+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
43001+ (tsk_a->fs->root.dentry == tsk_b->fs->root.dentry))
43002+
43003+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
43004+ task->pid, cred->uid, \
43005+ cred->euid, cred->gid, cred->egid, \
43006+ gr_parent_task_fullpath(task), \
43007+ task->parent->comm, task->parent->pid, \
43008+ pcred->uid, pcred->euid, \
43009+ pcred->gid, pcred->egid
43010+
43011+#define GR_CHROOT_CAPS {{ \
43012+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
43013+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
43014+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
43015+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
43016+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
43017+ CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
43018+
43019+#define security_learn(normal_msg,args...) \
43020+({ \
43021+ read_lock(&grsec_exec_file_lock); \
43022+ gr_add_learn_entry(normal_msg "\n", ## args); \
43023+ read_unlock(&grsec_exec_file_lock); \
43024+})
43025+
43026+enum {
43027+ GR_DO_AUDIT,
43028+ GR_DONT_AUDIT,
43029+ GR_DONT_AUDIT_GOOD
43030+};
43031+
43032+enum {
43033+ GR_TTYSNIFF,
43034+ GR_RBAC,
43035+ GR_RBAC_STR,
43036+ GR_STR_RBAC,
43037+ GR_RBAC_MODE2,
43038+ GR_RBAC_MODE3,
43039+ GR_FILENAME,
43040+ GR_SYSCTL_HIDDEN,
43041+ GR_NOARGS,
43042+ GR_ONE_INT,
43043+ GR_ONE_INT_TWO_STR,
43044+ GR_ONE_STR,
43045+ GR_STR_INT,
43046+ GR_TWO_INT,
43047+ GR_THREE_INT,
43048+ GR_FIVE_INT_TWO_STR,
43049+ GR_TWO_STR,
43050+ GR_THREE_STR,
43051+ GR_FOUR_STR,
43052+ GR_STR_FILENAME,
43053+ GR_FILENAME_STR,
43054+ GR_FILENAME_TWO_INT,
43055+ GR_FILENAME_TWO_INT_STR,
43056+ GR_TEXTREL,
43057+ GR_PTRACE,
43058+ GR_RESOURCE,
43059+ GR_CAP,
43060+ GR_SIG,
43061+ GR_SIG2,
43062+ GR_CRASH1,
43063+ GR_CRASH2,
43064+ GR_PSACCT
43065+};
43066+
43067+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
43068+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
43069+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
43070+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
43071+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
43072+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
43073+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
43074+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
43075+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
43076+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
43077+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
43078+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
43079+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
43080+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
43081+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
43082+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
43083+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
43084+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
43085+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
43086+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
43087+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
43088+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
43089+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
43090+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
43091+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
43092+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
43093+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
43094+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
43095+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
43096+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
43097+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
43098+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
43099+
43100+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
43101+
43102+#endif
43103+
43104+#endif
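Review bot: `proc_is_chrooted(tsk_a)` checks `tsk_a->fs != NULL` but then dereferences `tsk_a->nsproxy->mnt_ns->root` unchecked, and a task's `nsproxy` is cleared while it exits, so evaluating the macro on an exiting task would be a NULL dereference in kernel context. Unless every caller already excludes exiting tasks (the callers are outside this hunk), the guard should cover it too, by adding `(tsk_a->nsproxy != NULL) &&` ahead of the `mnt_ns` comparison. The path macros (`gr_task_fullpath` and its siblings) also expand their argument unparenthesized and more than once, and read `tsk->parent->exec_file`, so they are only safe with a plain variable and with the relevant lock held. A comment naming the lock that keeps `parent` and `exec_file` stable would make that contract explicit.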
ae4e228f
MT
43105diff -urNp linux-2.6.33.1/include/linux/grmsg.h linux-2.6.33.1/include/linux/grmsg.h
43106--- linux-2.6.33.1/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
43107+++ linux-2.6.33.1/include/linux/grmsg.h 2010-03-20 17:00:48.140865901 -0400
43108@@ -0,0 +1,107 @@
58c5fc13 43109+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
ae4e228f 43110+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
58c5fc13
MT
43111+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
43112+#define GR_STOPMOD_MSG "denied modification of module state by "
ae4e228f
MT
43113+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
43114+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
58c5fc13
MT
43115+#define GR_IOPERM_MSG "denied use of ioperm() by "
43116+#define GR_IOPL_MSG "denied use of iopl() by "
43117+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
43118+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
43119+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
43120+#define GR_KMEM_MSG "denied write of /dev/kmem by "
43121+#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
43122+#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
43123+#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
43124+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
ae4e228f
MT
43125+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
43126+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
58c5fc13
MT
43127+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
43128+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
43129+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
43130+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
43131+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
43132+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
43133+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
ae4e228f 43134+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
58c5fc13
MT
43135+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
43136+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
43137+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
43138+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
43139+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
43140+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
43141+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
43142+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
ae4e228f 43143+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
58c5fc13
MT
43144+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
43145+#define GR_NPROC_MSG "denied overstep of process limit by "
43146+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
43147+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
43148+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
43149+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
43150+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
43151+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
43152+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
43153+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
43154+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
43155+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
43156+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
43157+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
43158+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
43159+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
43160+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
43161+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
43162+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
43163+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
43164+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
43165+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
43166+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
43167+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
43168+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
43169+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
43170+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
43171+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
43172+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
43173+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
43174+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
43175+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
43176+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
43177+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
43178+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
43179+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
43180+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
43181+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
58c5fc13
MT
43182+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
43183+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
43184+#define GR_FAILFORK_MSG "failed fork with errno %d by "
43185+#define GR_NICE_CHROOT_MSG "denied priority change by "
43186+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
43187+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
43188+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
43189+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
43190+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
43191+#define GR_TIME_MSG "time set by "
43192+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
43193+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
43194+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
43195+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
43196+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
43197+#define GR_BIND_MSG "denied bind() by "
43198+#define GR_CONNECT_MSG "denied connect() by "
ae4e228f
MT
43199+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
43200+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
43201+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
58c5fc13
MT
43202+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
43203+#define GR_CAP_ACL_MSG "use of %s denied for "
43204+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
43205+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
43206+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
43207+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
43208+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
43209+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
43210+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
43211+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
43212+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
43213+#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
ae4e228f
MT
43214+#define GR_VM86_MSG "denied use of vm86 by "
43215+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
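Review bot: The path, command-name and device-name fields in these formats are length-bounded (`%.950s`, `%.16s`, `%.4095s`) but nothing here shows them being escaped, and the learning formats (`GR_LEARN_AUDIT_MSG`, `GR_ID_LEARN_MSG`, `GR_IP_LEARN_MSG`) use a tab as the field separator. File names and `comm` can contain tabs and newlines, so unless the callers or `gr_to_filename()` filter them (not visible in this hunk), an audit line can be split or a learning record mis-parsed. I would state the contract in a header comment, e.g. `/* string arguments must have control characters escaped before being passed to these formats */`. Separately, `GR_DEV_ACL_MSG` reads "being fed garbaged by", where "garbage" was presumably meant.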
43216diff -urNp linux-2.6.33.1/include/linux/grsecurity.h linux-2.6.33.1/include/linux/grsecurity.h
43217--- linux-2.6.33.1/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
43218+++ linux-2.6.33.1/include/linux/grsecurity.h 2010-03-20 17:00:48.140865901 -0400
43219@@ -0,0 +1,199 @@
58c5fc13
MT
43220+#ifndef GR_SECURITY_H
43221+#define GR_SECURITY_H
43222+#include <linux/fs.h>
43223+#include <linux/fs_struct.h>
43224+#include <linux/binfmts.h>
43225+#include <linux/gracl.h>
43226+
43227+/* notify of brain-dead configs */
43228+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
43229+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
43230+#endif
43231+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43232+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43233+#endif
43234+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
43235+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
43236+#endif
43237+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
43238+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
43239+#endif
43240+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
43241+#error "CONFIG_PAX enabled, but no PaX options are enabled."
43242+#endif
43243+
43244+void gr_handle_brute_attach(struct task_struct *p);
43245+void gr_handle_brute_check(void);
43246+
43247+char gr_roletype_to_char(void);
43248+
43249+int gr_check_user_change(int real, int effective, int fs);
43250+int gr_check_group_change(int real, int effective, int fs);
43251+
43252+void gr_del_task_from_ip_table(struct task_struct *p);
43253+
43254+int gr_pid_is_chrooted(struct task_struct *p);
43255+int gr_handle_chroot_nice(void);
43256+int gr_handle_chroot_sysctl(const int op);
43257+int gr_handle_chroot_setpriority(struct task_struct *p,
43258+ const int niceval);
43259+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
43260+int gr_handle_chroot_chroot(const struct dentry *dentry,
43261+ const struct vfsmount *mnt);
43262+int gr_handle_chroot_caps(struct path *path);
43263+void gr_handle_chroot_chdir(struct path *path);
43264+int gr_handle_chroot_chmod(const struct dentry *dentry,
43265+ const struct vfsmount *mnt, const int mode);
43266+int gr_handle_chroot_mknod(const struct dentry *dentry,
43267+ const struct vfsmount *mnt, const int mode);
43268+int gr_handle_chroot_mount(const struct dentry *dentry,
43269+ const struct vfsmount *mnt,
43270+ const char *dev_name);
43271+int gr_handle_chroot_pivot(void);
43272+int gr_handle_chroot_unix(const pid_t pid);
43273+
43274+int gr_handle_rawio(const struct inode *inode);
43275+int gr_handle_nproc(void);
43276+
43277+void gr_handle_ioperm(void);
43278+void gr_handle_iopl(void);
43279+
43280+int gr_tpe_allow(const struct file *file);
43281+
43282+int gr_random_pid(void);
43283+
43284+void gr_log_forkfail(const int retval);
43285+void gr_log_timechange(void);
43286+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
43287+void gr_log_chdir(const struct dentry *dentry,
43288+ const struct vfsmount *mnt);
43289+void gr_log_chroot_exec(const struct dentry *dentry,
43290+ const struct vfsmount *mnt);
43291+void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
43292+void gr_log_remount(const char *devname, const int retval);
43293+void gr_log_unmount(const char *devname, const int retval);
43294+void gr_log_mount(const char *from, const char *to, const int retval);
43295+void gr_log_textrel(struct vm_area_struct *vma);
43296+
43297+int gr_handle_follow_link(const struct inode *parent,
43298+ const struct inode *inode,
43299+ const struct dentry *dentry,
43300+ const struct vfsmount *mnt);
43301+int gr_handle_fifo(const struct dentry *dentry,
43302+ const struct vfsmount *mnt,
43303+ const struct dentry *dir, const int flag,
43304+ const int acc_mode);
43305+int gr_handle_hardlink(const struct dentry *dentry,
43306+ const struct vfsmount *mnt,
43307+ struct inode *inode,
43308+ const int mode, const char *to);
43309+
43310+int gr_is_capable(const int cap);
43311+int gr_is_capable_nolog(const int cap);
43312+void gr_learn_resource(const struct task_struct *task, const int limit,
43313+ const unsigned long wanted, const int gt);
43314+void gr_copy_label(struct task_struct *tsk);
43315+void gr_handle_crash(struct task_struct *task, const int sig);
43316+int gr_handle_signal(const struct task_struct *p, const int sig);
43317+int gr_check_crash_uid(const uid_t uid);
43318+int gr_check_protected_task(const struct task_struct *task);
43319+int gr_acl_handle_mmap(const struct file *file,
43320+ const unsigned long prot);
43321+int gr_acl_handle_mprotect(const struct file *file,
43322+ const unsigned long prot);
43323+int gr_check_hidden_task(const struct task_struct *tsk);
43324+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
43325+ const struct vfsmount *mnt);
43326+__u32 gr_acl_handle_utime(const struct dentry *dentry,
43327+ const struct vfsmount *mnt);
43328+__u32 gr_acl_handle_access(const struct dentry *dentry,
43329+ const struct vfsmount *mnt, const int fmode);
43330+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
43331+ const struct vfsmount *mnt, mode_t mode);
43332+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
43333+ const struct vfsmount *mnt, mode_t mode);
43334+__u32 gr_acl_handle_chown(const struct dentry *dentry,
43335+ const struct vfsmount *mnt);
43336+int gr_handle_ptrace(struct task_struct *task, const long request);
43337+int gr_handle_proc_ptrace(struct task_struct *task);
43338+__u32 gr_acl_handle_execve(const struct dentry *dentry,
43339+ const struct vfsmount *mnt);
43340+int gr_check_crash_exec(const struct file *filp);
43341+int gr_acl_is_enabled(void);
43342+void gr_set_kernel_label(struct task_struct *task);
43343+void gr_set_role_label(struct task_struct *task, const uid_t uid,
43344+ const gid_t gid);
43345+int gr_set_proc_label(const struct dentry *dentry,
43346+ const struct vfsmount *mnt,
43347+ const int unsafe_share);
43348+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
43349+ const struct vfsmount *mnt);
43350+__u32 gr_acl_handle_open(const struct dentry *dentry,
43351+ const struct vfsmount *mnt, const int fmode);
43352+__u32 gr_acl_handle_creat(const struct dentry *dentry,
43353+ const struct dentry *p_dentry,
43354+ const struct vfsmount *p_mnt, const int fmode,
43355+ const int imode);
43356+void gr_handle_create(const struct dentry *dentry,
43357+ const struct vfsmount *mnt);
43358+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
43359+ const struct dentry *parent_dentry,
43360+ const struct vfsmount *parent_mnt,
43361+ const int mode);
43362+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
43363+ const struct dentry *parent_dentry,
43364+ const struct vfsmount *parent_mnt);
43365+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
43366+ const struct vfsmount *mnt);
43367+void gr_handle_delete(const ino_t ino, const dev_t dev);
43368+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
43369+ const struct vfsmount *mnt);
43370+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
43371+ const struct dentry *parent_dentry,
43372+ const struct vfsmount *parent_mnt,
43373+ const char *from);
43374+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
43375+ const struct dentry *parent_dentry,
43376+ const struct vfsmount *parent_mnt,
43377+ const struct dentry *old_dentry,
43378+ const struct vfsmount *old_mnt, const char *to);
43379+int gr_acl_handle_rename(struct dentry *new_dentry,
43380+ struct dentry *parent_dentry,
43381+ const struct vfsmount *parent_mnt,
43382+ struct dentry *old_dentry,
43383+ struct inode *old_parent_inode,
43384+ struct vfsmount *old_mnt, const char *newname);
43385+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
43386+ struct dentry *old_dentry,
43387+ struct dentry *new_dentry,
43388+ struct vfsmount *mnt, const __u8 replace);
43389+__u32 gr_check_link(const struct dentry *new_dentry,
43390+ const struct dentry *parent_dentry,
43391+ const struct vfsmount *parent_mnt,
43392+ const struct dentry *old_dentry,
43393+ const struct vfsmount *old_mnt);
43394+int gr_acl_handle_filldir(const struct file *file, const char *name,
43395+ const unsigned int namelen, const ino_t ino);
43396+
43397+__u32 gr_acl_handle_unix(const struct dentry *dentry,
43398+ const struct vfsmount *mnt);
43399+void gr_acl_handle_exit(void);
43400+void gr_acl_handle_psacct(struct task_struct *task, const long code);
43401+int gr_acl_handle_procpidmem(const struct task_struct *task);
ae4e228f
MT
43402+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
43403+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
43404+void gr_audit_ptrace(struct task_struct *task);
58c5fc13
MT
43405+
43406+#ifdef CONFIG_GRKERNSEC
43407+void gr_log_nonroot_mod_load(const char *modname);
ae4e228f 43408+void gr_handle_vm86(void);
58c5fc13
MT
43409+void gr_handle_mem_write(void);
43410+void gr_handle_kmem_write(void);
43411+void gr_handle_open_port(void);
43412+int gr_handle_mem_mmap(const unsigned long offset,
43413+ struct vm_area_struct *vma);
43414+
43415+extern int grsec_enable_dmesg;
58c5fc13
MT
43416+#endif
43417+
43418+#endif
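Review bot: Nothing in this header says which return value means "deny": the `gr_handle_*` and `gr_check_*` hooks return `int` while the `gr_acl_handle_*` hooks return `__u32`, and a call site that tests the wrong sense fails open. Each group should carry a one-line contract comment of the form `/* returns nonzero if the operation must be refused */`, with the actual sense taken from the definitions, which are outside this hunk. `gr_roletype_to_char()`, `gr_acl_is_enabled()` and `gr_check_protected_task()` are also declared in grinternal.h in this same patch; keeping a single declaration would stop the two copies drifting apart.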
ae4e228f
MT
43419diff -urNp linux-2.6.33.1/include/linux/grsock.h linux-2.6.33.1/include/linux/grsock.h
43420--- linux-2.6.33.1/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
43421+++ linux-2.6.33.1/include/linux/grsock.h 2010-03-20 16:58:41.912517036 -0400
43422@@ -0,0 +1,19 @@
43423+#ifndef __GRSOCK_H
43424+#define __GRSOCK_H
43425+
43426+extern void gr_attach_curr_ip(const struct sock *sk);
43427+extern int gr_handle_sock_all(const int family, const int type,
43428+ const int protocol);
43429+extern int gr_handle_sock_server(const struct sockaddr *sck);
43430+extern int gr_handle_sock_server_other(const struct socket *sck);
43431+extern int gr_handle_sock_client(const struct sockaddr *sck);
43432+extern int gr_search_connect(struct socket * sock,
43433+ struct sockaddr_in * addr);
43434+extern int gr_search_bind(struct socket * sock,
43435+ struct sockaddr_in * addr);
43436+extern int gr_search_listen(struct socket * sock);
43437+extern int gr_search_accept(struct socket * sock);
43438+extern int gr_search_socket(const int domain, const int type,
43439+ const int protocol);
43440+
43441+#endif
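Review bot: This header names `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in` without including or forward-declaring them, so it only compiles cleanly when the includer has already pulled in the socket headers. Otherwise each struct gets prototype scope and the declarations no longer match the definitions. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` after the include guard makes it self-contained. Note also that `gr_search_connect()` and `gr_search_bind()` are typed on `struct sockaddr_in *`; if sockets of other address families reach these hooks, a comment should say how they are treated, since the implementation is outside this hunk.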
43442diff -urNp linux-2.6.33.1/include/linux/hdpu_features.h linux-2.6.33.1/include/linux/hdpu_features.h
43443--- linux-2.6.33.1/include/linux/hdpu_features.h 2010-03-15 12:09:39.000000000 -0400
43444+++ linux-2.6.33.1/include/linux/hdpu_features.h 2010-03-20 16:58:41.912517036 -0400
58c5fc13
MT
43445@@ -3,7 +3,7 @@
43446 struct cpustate_t {
43447 spinlock_t lock;
43448 int excl;
43449- int open_count;
43450+ atomic_t open_count;
43451 unsigned char cached_val;
43452 int inited;
43453 unsigned long *set_addr;
ae4e228f
MT
43454diff -urNp linux-2.6.33.1/include/linux/highmem.h linux-2.6.33.1/include/linux/highmem.h
43455--- linux-2.6.33.1/include/linux/highmem.h 2010-03-15 12:09:39.000000000 -0400
43456+++ linux-2.6.33.1/include/linux/highmem.h 2010-03-20 16:58:41.912517036 -0400
58c5fc13
MT
43457@@ -137,6 +137,18 @@ static inline void clear_highpage(struct
43458 kunmap_atomic(kaddr, KM_USER0);
43459 }
43460
43461+static inline void sanitize_highpage(struct page *page)
43462+{
43463+ void *kaddr;
43464+ unsigned long flags;
43465+
43466+ local_irq_save(flags);
43467+ kaddr = kmap_atomic(page, KM_CLEARPAGE);
43468+ clear_page(kaddr);
43469+ kunmap_atomic(kaddr, KM_CLEARPAGE);
43470+ local_irq_restore(flags);
43471+}
43472+
43473 static inline void zero_user_segments(struct page *page,
43474 unsigned start1, unsigned end1,
43475 unsigned start2, unsigned end2)
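Review bot: `sanitize_highpage()` has no comment explaining why it differs from `clear_highpage()` above it, whose visible tail unmaps with `KM_USER0`. The new function maps with `KM_CLEARPAGE` and wraps the whole operation in `local_irq_save()`/`local_irq_restore()`, which suggests the slot can also be used from interrupt context, but that is an inference from this hunk alone. I would record the reasoning above the function, e.g. `/* zero a page being released; IRQs are disabled because the KM_CLEARPAGE kmap slot must not be re-entered */`, with the wording confirmed against the callers. The function is also defined unconditionally rather than under the config option that uses it, which deserves a word in the same comment.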
ae4e228f
MT
43476diff -urNp linux-2.6.33.1/include/linux/init_task.h linux-2.6.33.1/include/linux/init_task.h
43477--- linux-2.6.33.1/include/linux/init_task.h 2010-03-15 12:09:39.000000000 -0400
43478+++ linux-2.6.33.1/include/linux/init_task.h 2010-03-20 16:58:41.912517036 -0400
43479@@ -111,6 +111,13 @@ extern struct cred init_cred;
43480 # define INIT_PERF_EVENTS(tsk)
43481 #endif
43482
43483+#ifdef CONFIG_GRKERNSEC
43484+# define INIT_GR_FS_LOCK \
43485+ .gr_fs_lock = __RW_LOCK_UNLOCKED(gr_fs_lock),
43486+#else
43487+# define INIT_GR_FS_LOCK
43488+#endif
43489+
43490 /*
43491 * INIT_TASK is used to set up the first task table, touch at
43492 * your own risk!. Base=0, limit=0x1fffff (=2MB)
43493@@ -180,6 +187,7 @@ extern struct cred init_cred;
43494 INIT_FTRACE_GRAPH \
43495 INIT_TRACE_RECURSION \
43496 INIT_TASK_RCU_PREEMPT(tsk) \
43497+ INIT_GR_FS_LOCK \
43498 }
43499
43500
43501diff -urNp linux-2.6.33.1/include/linux/interrupt.h linux-2.6.33.1/include/linux/interrupt.h
43502--- linux-2.6.33.1/include/linux/interrupt.h 2010-03-15 12:09:39.000000000 -0400
43503+++ linux-2.6.33.1/include/linux/interrupt.h 2010-03-20 16:58:41.912517036 -0400
43504@@ -357,7 +357,7 @@ enum
43505 /* map softirq index to softirq name. update 'softirq_to_name' in
43506 * kernel/softirq.c when adding a new softirq.
43507 */
43508-extern char *softirq_to_name[NR_SOFTIRQS];
43509+extern const char * const softirq_to_name[NR_SOFTIRQS];
43510
43511 /* softirq mask and active fields moved to irq_cpustat_t in
43512 * asm/hardirq.h to get better cache usage. KAO
43513@@ -365,12 +365,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
43514
43515 struct softirq_action
43516 {
43517- void (*action)(struct softirq_action *);
43518+ void (*action)(void);
43519 };
43520
43521 asmlinkage void do_softirq(void);
43522 asmlinkage void __do_softirq(void);
43523-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
43524+extern void open_softirq(int nr, void (*action)(void));
43525 extern void softirq_init(void);
43526 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
43527 extern void raise_softirq_irqoff(unsigned int nr);
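Review bot: The new `void (*action)(void)` prototype in `struct softirq_action` and `open_softirq()` is undocumented, although it changes the contract for every softirq handler. Each handler registered through `open_softirq()` has to drop its `struct softirq_action *` parameter in the same patch; one that is merely cast to the new type would be called through a mismatched prototype. A comment on the member such as `/* handlers take no argument; the softirq_action pointer is no longer passed */` would record this. Whether all handlers were converted cannot be seen from this header.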
43528diff -urNp linux-2.6.33.1/include/linux/jbd2.h linux-2.6.33.1/include/linux/jbd2.h
43529--- linux-2.6.33.1/include/linux/jbd2.h 2010-03-15 12:09:39.000000000 -0400
43530+++ linux-2.6.33.1/include/linux/jbd2.h 2010-03-20 16:58:41.912517036 -0400
58c5fc13
MT
43531@@ -66,7 +66,7 @@ extern u8 jbd2_journal_enable_debug;
43532 } \
43533 } while (0)
43534 #else
43535-#define jbd_debug(f, a...) /**/
43536+#define jbd_debug(f, a...) do {} while (0)
43537 #endif
43538
43539 static inline void *jbd2_alloc(size_t size, gfp_t flags)
ae4e228f
MT
43540diff -urNp linux-2.6.33.1/include/linux/jbd.h linux-2.6.33.1/include/linux/jbd.h
43541--- linux-2.6.33.1/include/linux/jbd.h 2010-03-15 12:09:39.000000000 -0400
43542+++ linux-2.6.33.1/include/linux/jbd.h 2010-03-20 16:58:41.916544293 -0400
58c5fc13
MT
43543@@ -66,7 +66,7 @@ extern u8 journal_enable_debug;
43544 } \
43545 } while (0)
43546 #else
43547-#define jbd_debug(f, a...) /**/
43548+#define jbd_debug(f, a...) do {} while (0)
43549 #endif
43550
43551 static inline void *jbd_alloc(size_t size, gfp_t flags)
ae4e228f
MT
43552diff -urNp linux-2.6.33.1/include/linux/kallsyms.h linux-2.6.33.1/include/linux/kallsyms.h
43553--- linux-2.6.33.1/include/linux/kallsyms.h 2010-03-15 12:09:39.000000000 -0400
43554+++ linux-2.6.33.1/include/linux/kallsyms.h 2010-03-20 16:58:41.916544293 -0400
58c5fc13
MT
43555@@ -15,7 +15,8 @@
43556
43557 struct module;
43558
43559-#ifdef CONFIG_KALLSYMS
43560+#ifndef __INCLUDED_BY_HIDESYM
43561+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
43562 /* Lookup the address for a symbol. Returns 0 if not found. */
43563 unsigned long kallsyms_lookup_name(const char *name);
43564
43565@@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
43566 /* Stupid that this does nothing, but I didn't create this mess. */
43567 #define __print_symbol(fmt, addr)
43568 #endif /*CONFIG_KALLSYMS*/
43569+#else /* when included by kallsyms.c, with HIDESYM enabled */
43570+extern void __print_symbol(const char *fmt, unsigned long address);
43571+#endif
43572
43573 /* This macro allows us to keep printk typechecking */
43574 static void __check_printsym_format(const char *fmt, ...)
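Review bot: The `#endif /*CONFIG_KALLSYMS*/` comment kept as context no longer matches its opening condition, which is now `defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`, and the added `#endif` closes `__INCLUDED_BY_HIDESYM` without naming it. With nested conditions in this header they should be labelled: `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* __INCLUDED_BY_HIDESYM */`. A comment at the first `#ifndef` should also state that with HIDESYM enabled every includer other than kallsyms.c appears to get the stub branch, so symbol lookups resolve nothing there. The stub definitions themselves lie between the two hunks and are not visible.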
ae4e228f
MT
43575diff -urNp linux-2.6.33.1/include/linux/kgdb.h linux-2.6.33.1/include/linux/kgdb.h
43576--- linux-2.6.33.1/include/linux/kgdb.h 2010-03-15 12:09:39.000000000 -0400
43577+++ linux-2.6.33.1/include/linux/kgdb.h 2010-03-20 16:58:41.916544293 -0400
43578@@ -250,20 +250,20 @@ struct kgdb_arch {
43579 */
43580 struct kgdb_io {
43581 const char *name;
43582- int (*read_char) (void);
43583- void (*write_char) (u8);
43584- void (*flush) (void);
43585- int (*init) (void);
43586- void (*pre_exception) (void);
43587- void (*post_exception) (void);
43588+ int (* const read_char) (void);
43589+ void (* const write_char) (u8);
43590+ void (* const flush) (void);
43591+ int (* const init) (void);
43592+ void (* const pre_exception) (void);
43593+ void (* const post_exception) (void);
43594 };
43595
43596-extern struct kgdb_arch arch_kgdb_ops;
43597+extern const struct kgdb_arch arch_kgdb_ops;
43598
43599 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
43600
43601-extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
43602-extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
43603+extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
43604+extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
43605
43606 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
43607 extern int kgdb_mem2hex(char *mem, char *buf, int count);
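Review bot: Qualifying the members of `struct kgdb_io` as `* const` stops later assignment to them but does not by itself place any instance in read-only memory. That needs the objects to be defined `const` as well, which the `const struct kgdb_io *` parameters of `kgdb_register_io_module()` and `kgdb_unregister_io_module()` now permit. A comment on the struct, e.g. `/* instances must be defined const and fully initialized at definition */`, would state the rule for driver authors, because a non-const instance still compiles. The same applies to `kset_uevent_ops` in include/linux/kobject.h, `nlmsvc_binding` in include/linux/lockd/bind.h and `item_operations` in include/linux/reiserfs_fs.h; whether the in-tree definitions were made const is not visible from these headers.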
43608diff -urNp linux-2.6.33.1/include/linux/kobject.h linux-2.6.33.1/include/linux/kobject.h
43609--- linux-2.6.33.1/include/linux/kobject.h 2010-03-15 12:09:39.000000000 -0400
43610+++ linux-2.6.33.1/include/linux/kobject.h 2010-03-20 16:58:41.916544293 -0400
43611@@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
43612
43613 struct kobj_type {
43614 void (*release)(struct kobject *kobj);
43615- struct sysfs_ops *sysfs_ops;
43616+ const struct sysfs_ops *sysfs_ops;
43617 struct attribute **default_attrs;
43618 };
43619
43620@@ -118,9 +118,9 @@ struct kobj_uevent_env {
43621 };
43622
43623 struct kset_uevent_ops {
43624- int (*filter)(struct kset *kset, struct kobject *kobj);
43625- const char *(*name)(struct kset *kset, struct kobject *kobj);
43626- int (*uevent)(struct kset *kset, struct kobject *kobj,
43627+ int (* const filter)(struct kset *kset, struct kobject *kobj);
43628+ const char *(* const name)(struct kset *kset, struct kobject *kobj);
43629+ int (* const uevent)(struct kset *kset, struct kobject *kobj,
43630 struct kobj_uevent_env *env);
43631 };
43632
43633@@ -132,7 +132,7 @@ struct kobj_attribute {
43634 const char *buf, size_t count);
43635 };
43636
43637-extern struct sysfs_ops kobj_sysfs_ops;
43638+extern const struct sysfs_ops kobj_sysfs_ops;
43639
43640 /**
43641 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
43642@@ -155,14 +155,14 @@ struct kset {
43643 struct list_head list;
43644 spinlock_t list_lock;
43645 struct kobject kobj;
43646- struct kset_uevent_ops *uevent_ops;
43647+ const struct kset_uevent_ops *uevent_ops;
43648 };
43649
43650 extern void kset_init(struct kset *kset);
43651 extern int __must_check kset_register(struct kset *kset);
43652 extern void kset_unregister(struct kset *kset);
43653 extern struct kset * __must_check kset_create_and_add(const char *name,
43654- struct kset_uevent_ops *u,
43655+ const struct kset_uevent_ops *u,
43656 struct kobject *parent_kobj);
43657
43658 static inline struct kset *to_kset(struct kobject *kobj)
43659diff -urNp linux-2.6.33.1/include/linux/kvm_host.h linux-2.6.33.1/include/linux/kvm_host.h
43660--- linux-2.6.33.1/include/linux/kvm_host.h 2010-03-15 12:09:39.000000000 -0400
43661+++ linux-2.6.33.1/include/linux/kvm_host.h 2010-03-20 16:58:41.916544293 -0400
43662@@ -225,7 +225,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
58c5fc13
MT
43663 void vcpu_load(struct kvm_vcpu *vcpu);
43664 void vcpu_put(struct kvm_vcpu *vcpu);
43665
43666-int kvm_init(void *opaque, unsigned int vcpu_size,
43667+int kvm_init(const void *opaque, unsigned int vcpu_size,
43668 struct module *module);
43669 void kvm_exit(void);
43670
ae4e228f 43671@@ -332,7 +332,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
58c5fc13
MT
43672 struct kvm_guest_debug *dbg);
43673 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
43674
43675-int kvm_arch_init(void *opaque);
43676+int kvm_arch_init(const void *opaque);
43677 void kvm_arch_exit(void);
43678
43679 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
ae4e228f
MT
43680diff -urNp linux-2.6.33.1/include/linux/libata.h linux-2.6.33.1/include/linux/libata.h
43681--- linux-2.6.33.1/include/linux/libata.h 2010-03-15 12:09:39.000000000 -0400
43682+++ linux-2.6.33.1/include/linux/libata.h 2010-03-20 16:58:41.916544293 -0400
58c5fc13
MT
43683@@ -64,11 +64,11 @@
43684 #ifdef ATA_VERBOSE_DEBUG
43685 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
43686 #else
43687-#define VPRINTK(fmt, args...)
43688+#define VPRINTK(fmt, args...) do {} while (0)
43689 #endif /* ATA_VERBOSE_DEBUG */
43690 #else
43691-#define DPRINTK(fmt, args...)
43692-#define VPRINTK(fmt, args...)
43693+#define DPRINTK(fmt, args...) do {} while (0)
43694+#define VPRINTK(fmt, args...) do {} while (0)
43695 #endif /* ATA_DEBUG */
43696
43697 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
ae4e228f
MT
43698@@ -524,11 +524,11 @@ struct ata_ioports {
43699
43700 struct ata_host {
43701 spinlock_t lock;
43702- struct device *dev;
43703+ struct device *dev;
43704 void __iomem * const *iomap;
43705 unsigned int n_ports;
43706 void *private_data;
43707- struct ata_port_operations *ops;
43708+ const struct ata_port_operations *ops;
43709 unsigned long flags;
43710 #ifdef CONFIG_ATA_ACPI
43711 acpi_handle acpi_handle;
43712@@ -710,7 +710,7 @@ struct ata_link {
43713
43714 struct ata_port {
43715 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
43716- struct ata_port_operations *ops;
43717+ const struct ata_port_operations *ops;
43718 spinlock_t *lock;
43719 /* Flags owned by the EH context. Only EH should touch these once the
43720 port is active */
43721@@ -892,7 +892,7 @@ struct ata_port_info {
43722 unsigned long pio_mask;
43723 unsigned long mwdma_mask;
43724 unsigned long udma_mask;
43725- struct ata_port_operations *port_ops;
43726+ const struct ata_port_operations *port_ops;
43727 void *private_data;
43728 };
43729
43730@@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
43731 extern const unsigned long sata_deb_timing_hotplug[];
43732 extern const unsigned long sata_deb_timing_long[];
43733
43734-extern struct ata_port_operations ata_dummy_port_ops;
43735+extern const struct ata_port_operations ata_dummy_port_ops;
43736 extern const struct ata_port_info ata_dummy_port_info;
43737
43738 static inline const unsigned long *
43739@@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
43740 struct scsi_host_template *sht);
43741 extern void ata_host_detach(struct ata_host *host);
43742 extern void ata_host_init(struct ata_host *, struct device *,
43743- unsigned long, struct ata_port_operations *);
43744+ unsigned long, const struct ata_port_operations *);
43745 extern int ata_scsi_detect(struct scsi_host_template *sht);
43746 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
43747 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
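Review bot: The disabled `DPRINTK`/`VPRINTK` now expand to `do {} while (0)`, which still throws the format string and arguments away uncompiled, so a mismatched format or a renamed variable in a debug call is only found when ATA_DEBUG is switched on. `#define VPRINTK(fmt, args...) do { if (0) printk(KERN_ERR "%s: " fmt, __func__, ## args); } while (0)` (and the same for `DPRINTK`) keeps the statement form, emits no code and lets the compiler check the call. In the `struct ata_host` hunk the `struct device *dev;` line is removed and re-added with no visible difference, which looks like a whitespace-only edit that could be dropped from the patch.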
43748diff -urNp linux-2.6.33.1/include/linux/lockd/bind.h linux-2.6.33.1/include/linux/lockd/bind.h
43749--- linux-2.6.33.1/include/linux/lockd/bind.h 2010-03-15 12:09:39.000000000 -0400
43750+++ linux-2.6.33.1/include/linux/lockd/bind.h 2010-03-20 16:58:41.916544293 -0400
43751@@ -23,13 +23,13 @@ struct svc_rqst;
43752 * This is the set of functions for lockd->nfsd communication
43753 */
43754 struct nlmsvc_binding {
43755- __be32 (*fopen)(struct svc_rqst *,
43756+ __be32 (* const fopen)(struct svc_rqst *,
43757 struct nfs_fh *,
43758 struct file **);
43759- void (*fclose)(struct file *);
43760+ void (* const fclose)(struct file *);
43761 };
43762
43763-extern struct nlmsvc_binding * nlmsvc_ops;
43764+extern const struct nlmsvc_binding * nlmsvc_ops;
43765
43766 /*
43767 * Similar to nfs_client_initdata, but without the NFS-specific
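Review bot: `extern const struct nlmsvc_binding * nlmsvc_ops;` makes the table read-only but leaves the global pointer `nlmsvc_ops` itself writable, so the indirection this hunk hardens still starts from writable data. If the pointer has to be assigned at run time (presumably when nfsd registers, which is not visible here), say so in a comment such as `/* set by nfsd at registration; the table it points to is const */`. If it is fixed at build time, declare it `extern const struct nlmsvc_binding * const nlmsvc_ops;`.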
43768diff -urNp linux-2.6.33.1/include/linux/mm.h linux-2.6.33.1/include/linux/mm.h
43769--- linux-2.6.33.1/include/linux/mm.h 2010-03-15 12:09:39.000000000 -0400
43770+++ linux-2.6.33.1/include/linux/mm.h 2010-03-20 16:58:41.916544293 -0400
43771@@ -106,6 +106,10 @@ extern unsigned int kobjsize(const void
58c5fc13 43772 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
ae4e228f 43773 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
58c5fc13
MT
43774
43775+#ifdef CONFIG_PAX_PAGEEXEC
43776+#define VM_PAGEEXEC 0x80000000 /* vma->vm_page_prot needs special handling */
43777+#endif
43778+
43779 #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
43780 #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
43781 #endif
ae4e228f 43782@@ -895,6 +899,8 @@ struct shrinker {
58c5fc13
MT
43783 extern void register_shrinker(struct shrinker *);
43784 extern void unregister_shrinker(struct shrinker *);
43785
43786+pgprot_t vm_get_page_prot(unsigned long vm_flags);
43787+
43788 int vma_wants_writenotify(struct vm_area_struct *vma);
43789
43790 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
ae4e228f 43791@@ -1171,6 +1177,7 @@ out:
58c5fc13
MT
43792 }
43793
43794 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
43795+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
43796
43797 extern unsigned long do_brk(unsigned long, unsigned long);
43798
ae4e228f 43799@@ -1225,6 +1232,10 @@ extern struct vm_area_struct * find_vma(
58c5fc13
MT
43800 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
43801 struct vm_area_struct **pprev);
43802
43803+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
43804+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
43805+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
43806+
43807 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
43808 NULL if none. Assume start_addr < end_addr. */
43809 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
ae4e228f 43810@@ -1241,7 +1252,6 @@ static inline unsigned long vma_pages(st
58c5fc13
MT
43811 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
43812 }
43813
43814-pgprot_t vm_get_page_prot(unsigned long vm_flags);
43815 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
43816 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
43817 unsigned long pfn, unsigned long size, pgprot_t);
ae4e228f
MT
43818@@ -1344,8 +1354,14 @@ extern int unpoison_memory(unsigned long
43819 extern int sysctl_memory_failure_early_kill;
43820 extern int sysctl_memory_failure_recovery;
43821 extern void shake_page(struct page *p, int access);
43822-extern atomic_long_t mce_bad_pages;
43823+extern atomic_long_unchecked_t mce_bad_pages;
43824 extern int soft_offline_page(struct page *page, int flags);
43825
58c5fc13
MT
43826+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
43827+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
43828+#else
43829+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
43830+#endif
43831+
43832 #endif /* __KERNEL__ */
43833 #endif /* _LINUX_MM_H */
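Review bot: `VM_PAGEEXEC` is defined as 0x80000000, the same bit as `VM_MERGEABLE` a few lines above it in the first hunk. With CONFIG_PAX_PAGEEXEC set, a vma marked for KSM merging therefore cannot be told apart from one whose `vm_page_prot` "needs special handling". Unless Kconfig makes the two options mutually exclusive (not visible here), the header should refuse the combination, e.g. `#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_KSM)` / `#error "VM_PAGEEXEC and VM_MERGEABLE share bit 31"` / `#endif`. At the least it should carry a comment naming the shared bit.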
ae4e228f
MT
43834diff -urNp linux-2.6.33.1/include/linux/mm_types.h linux-2.6.33.1/include/linux/mm_types.h
43835--- linux-2.6.33.1/include/linux/mm_types.h 2010-03-15 12:09:39.000000000 -0400
43836+++ linux-2.6.33.1/include/linux/mm_types.h 2010-03-20 16:58:41.916544293 -0400
43837@@ -188,6 +188,8 @@ struct vm_area_struct {
58c5fc13
MT
43838 #ifdef CONFIG_NUMA
43839 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
43840 #endif
43841+
43842+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
43843 };
43844
43845 struct core_thread {
ae4e228f 43846@@ -291,6 +293,24 @@ struct mm_struct {
58c5fc13
MT
43847 #ifdef CONFIG_MMU_NOTIFIER
43848 struct mmu_notifier_mm *mmu_notifier_mm;
43849 #endif
43850+
43851+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
43852+ unsigned long pax_flags;
43853+#endif
43854+
43855+#ifdef CONFIG_PAX_DLRESOLVE
43856+ unsigned long call_dl_resolve;
43857+#endif
43858+
43859+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
43860+ unsigned long call_syscall;
43861+#endif
43862+
43863+#ifdef CONFIG_PAX_ASLR
43864+ unsigned long delta_mmap; /* randomized offset */
43865+ unsigned long delta_stack; /* randomized offset */
43866+#endif
43867+
43868 };
43869
43870 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
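Review bot: `vm_mirror` is added to `struct vm_area_struct` unconditionally, while every field this section adds to `struct mm_struct` sits under a `CONFIG_PAX_*` guard. That grows each vma by a pointer even in kernels built without the feature that uses it. Either wrap the field in the matching option or add a comment explaining why it must always be present. Which option consumes `vm_mirror` is not visible in this header, so the guard name has to come from the code behind `pax_mirror_vma()`.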
ae4e228f
MT
43871diff -urNp linux-2.6.33.1/include/linux/mmu_notifier.h linux-2.6.33.1/include/linux/mmu_notifier.h
43872--- linux-2.6.33.1/include/linux/mmu_notifier.h 2010-03-15 12:09:39.000000000 -0400
43873+++ linux-2.6.33.1/include/linux/mmu_notifier.h 2010-03-20 16:58:41.916544293 -0400
43874@@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
43875 */
43876 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
43877 ({ \
43878- pte_t __pte; \
43879+ pte_t ___pte; \
43880 struct vm_area_struct *___vma = __vma; \
43881 unsigned long ___address = __address; \
43882- __pte = ptep_clear_flush(___vma, ___address, __ptep); \
43883+ ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
43884 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
43885- __pte; \
43886+ ___pte; \
43887 })
43888
43889 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
43890diff -urNp linux-2.6.33.1/include/linux/mod_devicetable.h linux-2.6.33.1/include/linux/mod_devicetable.h
43891--- linux-2.6.33.1/include/linux/mod_devicetable.h 2010-03-15 12:09:39.000000000 -0400
43892+++ linux-2.6.33.1/include/linux/mod_devicetable.h 2010-03-20 16:58:41.916544293 -0400
58c5fc13
MT
43893@@ -12,7 +12,7 @@
43894 typedef unsigned long kernel_ulong_t;
43895 #endif
43896
43897-#define PCI_ANY_ID (~0)
43898+#define PCI_ANY_ID ((__u16)~0)
43899
43900 struct pci_device_id {
43901 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
43902@@ -131,7 +131,7 @@ struct usb_device_id {
43903 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
43904 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
43905
43906-#define HID_ANY_ID (~0)
43907+#define HID_ANY_ID (~0U)
43908
43909 struct hid_device_id {
43910 __u16 bus;
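Review bot: `PCI_ANY_ID` becomes `((__u16)~0)`, i.e. 0xFFFF, but the `struct pci_device_id` fields it is stored in and compared against are `__u32 vendor, device` (the context line right below the change), so the wildcard changes value from 0xFFFFFFFF to 0x0000FFFF. Comparisons that use the macro on both sides stay consistent, but anything with the old 32-bit value built in, such as tools that read the device tables or modules built against the unpatched header, would no longer recognise a wildcard. 0xFFFF also lies inside the 16-bit range a device ID can take. If the aim is only to avoid a signed constant, `#define PCI_ANY_ID (~0U)` matches what the second hunk does for `HID_ANY_ID` and keeps the stored value.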
ae4e228f
MT
43911diff -urNp linux-2.6.33.1/include/linux/module.h linux-2.6.33.1/include/linux/module.h
43912--- linux-2.6.33.1/include/linux/module.h 2010-03-15 12:09:39.000000000 -0400
43913+++ linux-2.6.33.1/include/linux/module.h 2010-03-20 16:58:41.916544293 -0400
43914@@ -289,16 +289,16 @@ struct module
58c5fc13
MT
43915 int (*init)(void);
43916
43917 /* If this is non-NULL, vfree after init() returns */
43918- void *module_init;
43919+ void *module_init_rx, *module_init_rw;
43920
43921 /* Here is the actual code + data, vfree'd on unload. */
43922- void *module_core;
43923+ void *module_core_rx, *module_core_rw;
43924
43925 /* Here are the sizes of the init and core sections */
43926- unsigned int init_size, core_size;
43927+ unsigned int init_size_rw, core_size_rw;
43928
43929 /* The size of the executable code in each section. */
43930- unsigned int init_text_size, core_text_size;
43931+ unsigned int init_size_rx, core_size_rx;
43932
43933 /* Arch-specific module values */
43934 struct mod_arch_specific arch;
ae4e228f 43935@@ -395,16 +395,46 @@ struct module *__module_address(unsigned
58c5fc13
MT
43936 bool is_module_address(unsigned long addr);
43937 bool is_module_text_address(unsigned long addr);
43938
43939+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
43940+{
43941+
43942+#ifdef CONFIG_PAX_KERNEXEC
43943+ if (ktla_ktva(addr) >= (unsigned long)start &&
43944+ ktla_ktva(addr) < (unsigned long)start + size)
43945+ return 1;
43946+#endif
43947+
43948+ return ((void *)addr >= start && (void *)addr < start + size);
43949+}
43950+
43951+static inline int within_module_core_rx(unsigned long addr, struct module *mod)
43952+{
43953+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
43954+}
43955+
43956+static inline int within_module_core_rw(unsigned long addr, struct module *mod)
43957+{
43958+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
43959+}
43960+
43961+static inline int within_module_init_rx(unsigned long addr, struct module *mod)
43962+{
43963+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
43964+}
43965+
43966+static inline int within_module_init_rw(unsigned long addr, struct module *mod)
43967+{
43968+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
43969+}
43970+
43971 static inline int within_module_core(unsigned long addr, struct module *mod)
43972 {
43973- return (unsigned long)mod->module_core <= addr &&
43974- addr < (unsigned long)mod->module_core + mod->core_size;
43975+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
43976 }
43977
43978 static inline int within_module_init(unsigned long addr, struct module *mod)
43979 {
43980- return (unsigned long)mod->module_init <= addr &&
43981- addr < (unsigned long)mod->module_init + mod->init_size;
43982+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
43983 }
43984
43985 /* Search for module by name: must hold module_mutex. */
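Review bot: `within_module_range()` compares in two different ways: the CONFIG_PAX_KERNEXEC branch casts `start` to `unsigned long`, while the fallback casts `addr` to `void *` and relies on arithmetic on a `void *` (`start + size`), a GNU extension. Using the integer form in both, `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`, matches the style of the code the hunk removes from `within_module_core()`. The comments kept as context in `struct module` ("Here are the sizes of the init and core sections", "The size of the executable code in each section") no longer describe the renamed `*_size_rw`/`*_size_rx` fields and should be reworded to say which region each size covers.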
ae4e228f
MT
43986diff -urNp linux-2.6.33.1/include/linux/moduleloader.h linux-2.6.33.1/include/linux/moduleloader.h
43987--- linux-2.6.33.1/include/linux/moduleloader.h 2010-03-15 12:09:39.000000000 -0400
43988+++ linux-2.6.33.1/include/linux/moduleloader.h 2010-03-20 16:58:41.916544293 -0400
58c5fc13
MT
43989@@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
43990 sections. Returns NULL on failure. */
43991 void *module_alloc(unsigned long size);
43992
43993+#ifdef CONFIG_PAX_KERNEXEC
43994+void *module_alloc_exec(unsigned long size);
43995+#else
43996+#define module_alloc_exec(x) module_alloc(x)
43997+#endif
43998+
43999 /* Free memory returned from module_alloc. */
44000 void module_free(struct module *mod, void *module_region);
44001
44002+#ifdef CONFIG_PAX_KERNEXEC
44003+void module_free_exec(struct module *mod, void *module_region);
44004+#else
ae4e228f 44005+#define module_free_exec(x, y) module_free((x), (y))
58c5fc13
MT
44006+#endif
44007+
44008 /* Apply the given relocation to the (simplified) ELF. Return -error
44009 or 0. */
44010 int apply_relocate(Elf_Shdr *sechdrs,
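Review bot: `module_alloc_exec()` and `module_free_exec()` are declared without the one-line comments their neighbours `module_alloc()` and `module_free()` have, and nothing says which free routine pairs with which allocator. Presumably memory from `module_alloc_exec()` must be released with `module_free_exec()`; if so, add `/* Allocate memory for module code; free with module_free_exec(). */` above the first block. The two fallback macros are also written differently, `module_alloc(x)` versus `module_free((x), (y))`; parenthesize both the same way.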
ae4e228f
MT
44011diff -urNp linux-2.6.33.1/include/linux/namei.h linux-2.6.33.1/include/linux/namei.h
44012--- linux-2.6.33.1/include/linux/namei.h 2010-03-15 12:09:39.000000000 -0400
44013+++ linux-2.6.33.1/include/linux/namei.h 2010-03-20 16:58:41.916544293 -0400
58c5fc13
MT
44014@@ -22,7 +22,7 @@ struct nameidata {
44015 unsigned int flags;
44016 int last_type;
44017 unsigned depth;
44018- char *saved_names[MAX_NESTED_LINKS + 1];
44019+ const char *saved_names[MAX_NESTED_LINKS + 1];
44020
44021 /* Intent data */
44022 union {
ae4e228f 44023@@ -81,12 +81,12 @@ extern int follow_up(struct path *);
58c5fc13
MT
44024 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
44025 extern void unlock_rename(struct dentry *, struct dentry *);
44026
44027-static inline void nd_set_link(struct nameidata *nd, char *path)
44028+static inline void nd_set_link(struct nameidata *nd, const char *path)
44029 {
44030 nd->saved_names[nd->depth] = path;
44031 }
44032
44033-static inline char *nd_get_link(struct nameidata *nd)
ae4e228f 44034+static inline const char *nd_get_link(const struct nameidata *nd)
58c5fc13
MT
44035 {
44036 return nd->saved_names[nd->depth];
44037 }
ae4e228f
MT
44038diff -urNp linux-2.6.33.1/include/linux/nodemask.h linux-2.6.33.1/include/linux/nodemask.h
44039--- linux-2.6.33.1/include/linux/nodemask.h 2010-03-15 12:09:39.000000000 -0400
44040+++ linux-2.6.33.1/include/linux/nodemask.h 2010-03-20 16:58:41.916544293 -0400
44041@@ -469,11 +469,11 @@ static inline int num_node_state(enum no
58c5fc13
MT
44042
44043 #define any_online_node(mask) \
44044 ({ \
44045- int node; \
44046- for_each_node_mask(node, (mask)) \
44047- if (node_online(node)) \
44048+ int __node; \
44049+ for_each_node_mask(__node, (mask)) \
44050+ if (node_online(__node)) \
44051 break; \
44052- node; \
44053+ __node; \
44054 })
44055
44056 #define num_online_nodes() num_node_state(N_ONLINE)
ae4e228f
MT
44057diff -urNp linux-2.6.33.1/include/linux/oprofile.h linux-2.6.33.1/include/linux/oprofile.h
44058--- linux-2.6.33.1/include/linux/oprofile.h 2010-03-15 12:09:39.000000000 -0400
44059+++ linux-2.6.33.1/include/linux/oprofile.h 2010-03-20 16:58:41.920592896 -0400
44060@@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
44061 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
44062 char const * name, ulong * val);
58c5fc13 44063
ae4e228f
MT
44064-/** Create a file for read-only access to an atomic_t. */
44065+/** Create a file for read-only access to an atomic_unchecked_t. */
58c5fc13
MT
44066 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
44067- char const * name, atomic_t * val);
44068+ char const * name, atomic_unchecked_t * val);
44069
44070 /** create a directory */
44071 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
ae4e228f
MT
44072diff -urNp linux-2.6.33.1/include/linux/pipe_fs_i.h linux-2.6.33.1/include/linux/pipe_fs_i.h
44073--- linux-2.6.33.1/include/linux/pipe_fs_i.h 2010-03-15 12:09:39.000000000 -0400
44074+++ linux-2.6.33.1/include/linux/pipe_fs_i.h 2010-03-20 16:58:41.920592896 -0400
44075@@ -46,9 +46,9 @@ struct pipe_inode_info {
44076 wait_queue_head_t wait;
44077 unsigned int nrbufs, curbuf;
44078 struct page *tmp_page;
44079- unsigned int readers;
44080- unsigned int writers;
44081- unsigned int waiting_writers;
44082+ atomic_t readers;
44083+ atomic_t writers;
44084+ atomic_t waiting_writers;
44085 unsigned int r_counter;
44086 unsigned int w_counter;
44087 struct fasync_struct *fasync_readers;
44088diff -urNp linux-2.6.33.1/include/linux/poison.h linux-2.6.33.1/include/linux/poison.h
44089--- linux-2.6.33.1/include/linux/poison.h 2010-03-15 12:09:39.000000000 -0400
44090+++ linux-2.6.33.1/include/linux/poison.h 2010-03-20 16:58:41.920592896 -0400
44091@@ -19,8 +19,8 @@
58c5fc13
MT
44092 * under normal circumstances, used to verify that nobody uses
44093 * non-initialized list entries.
44094 */
ae4e228f
MT
44095-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
44096-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
44097+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
44098+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
58c5fc13
MT
44099
44100 /********** include/linux/timer.h **********/
44101 /*
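Review bot: On a 64-bit build `(long)0xFFFFFF01` does not sign-extend, because the literal has type `unsigned int`, so `LIST_POISON1` and `LIST_POISON2` become 0x00000000FFFFFF01 and 0x00000000FFFFFF02. The hunk also removes the `POISON_POINTER_DELTA` term, which exists to move poison values to an address that cannot be mapped. On 32-bit the result is a value at the top of the address space. If a high address is wanted on every word size, `((void *) (long)(int)0xFFFFFF01)` sign-extends; otherwise a comment should state what guarantees that a dereference of the low-4-GiB value faults on 64-bit.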
ae4e228f
MT
44102diff -urNp linux-2.6.33.1/include/linux/proc_fs.h linux-2.6.33.1/include/linux/proc_fs.h
44103--- linux-2.6.33.1/include/linux/proc_fs.h 2010-03-15 12:09:39.000000000 -0400
44104+++ linux-2.6.33.1/include/linux/proc_fs.h 2010-03-20 16:58:41.920592896 -0400
44105@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
58c5fc13
MT
44106 return proc_create_data(name, mode, parent, proc_fops, NULL);
44107 }
44108
44109+static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
44110+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
44111+{
44112+#ifdef CONFIG_GRKERNSEC_PROC_USER
44113+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
44114+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
44115+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
44116+#else
44117+ return proc_create_data(name, mode, parent, proc_fops, NULL);
44118+#endif
44119+}
44120+
44121+
44122 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
44123 mode_t mode, struct proc_dir_entry *base,
44124 read_proc_t *read_proc, void * data)
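Review bot: `proc_create_grsec()` discards the caller's `mode` entirely when CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is set, substituting `S_IRUSR` or `S_IRUSR | S_IRGRP`, so an entry requested with write bits silently becomes read-only. That is presumably intended for the entries it is used on, but the helper has no comment and its signature suggests `mode` is honoured. Document it, e.g. `/* like proc_create(), but GRKERNSEC_PROC_USER[GROUP] forces the mode to owner (and group) read-only; @mode applies only otherwise */`. The hunk also leaves two blank lines after the function where the file uses one.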
ae4e228f
MT
44125diff -urNp linux-2.6.33.1/include/linux/random.h linux-2.6.33.1/include/linux/random.h
44126--- linux-2.6.33.1/include/linux/random.h 2010-03-15 12:09:39.000000000 -0400
44127+++ linux-2.6.33.1/include/linux/random.h 2010-03-20 16:58:41.920592896 -0400
58c5fc13
MT
44128@@ -74,6 +74,11 @@ unsigned long randomize_range(unsigned l
44129 u32 random32(void);
44130 void srandom32(u32 seed);
44131
44132+static inline unsigned long pax_get_random_long(void)
44133+{
44134+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
44135+}
44136+
44137 #endif /* __KERNEL___ */
44138
44139 #endif /* _LINUX_RANDOM_H */
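Review bot: `pax_get_random_long()` builds its value from `random32()`, a general-purpose pseudo-random generator that is seeded through `srandom32()` declared just above it, rather than from the kernel's entropy pool. If the result feeds address-space randomization (the `delta_mmap`/`delta_stack` fields added in mm_types.h suggest so, though no caller is visible here), the body should be `unsigned long r;` `get_random_bytes(&r, sizeof(r));` `return r;`. Separately, on a 32-bit build the untaken arm still contains `(unsigned long)random32() << 32`, a shift by the full width of the type that compilers warn about.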
ae4e228f
MT
44140diff -urNp linux-2.6.33.1/include/linux/reiserfs_fs.h linux-2.6.33.1/include/linux/reiserfs_fs.h
44141--- linux-2.6.33.1/include/linux/reiserfs_fs.h 2010-03-15 12:09:39.000000000 -0400
44142+++ linux-2.6.33.1/include/linux/reiserfs_fs.h 2010-03-20 16:58:41.920592896 -0400
44143@@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
58c5fc13
MT
44144 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
44145
44146 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
44147-#define get_generation(s) atomic_read (&fs_generation(s))
44148+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
44149 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
44150 #define __fs_changed(gen,s) (gen != get_generation (s))
ae4e228f
MT
44151 #define fs_changed(gen,s) \
44152@@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
44153 */
44154
44155 struct item_operations {
44156- int (*bytes_number) (struct item_head * ih, int block_size);
44157- void (*decrement_key) (struct cpu_key *);
44158- int (*is_left_mergeable) (struct reiserfs_key * ih,
44159+ int (* const bytes_number) (struct item_head * ih, int block_size);
44160+ void (* const decrement_key) (struct cpu_key *);
44161+ int (* const is_left_mergeable) (struct reiserfs_key * ih,
44162 unsigned long bsize);
44163- void (*print_item) (struct item_head *, char *item);
44164- void (*check_item) (struct item_head *, char *item);
44165+ void (* const print_item) (struct item_head *, char *item);
44166+ void (* const check_item) (struct item_head *, char *item);
44167
44168- int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44169+ int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
44170 int is_affected, int insert_size);
44171- int (*check_left) (struct virtual_item * vi, int free,
44172+ int (* const check_left) (struct virtual_item * vi, int free,
44173 int start_skip, int end_skip);
44174- int (*check_right) (struct virtual_item * vi, int free);
44175- int (*part_size) (struct virtual_item * vi, int from, int to);
44176- int (*unit_num) (struct virtual_item * vi);
44177- void (*print_vi) (struct virtual_item * vi);
44178+ int (* const check_right) (struct virtual_item * vi, int free);
44179+ int (* const part_size) (struct virtual_item * vi, int from, int to);
44180+ int (* const unit_num) (struct virtual_item * vi);
44181+ void (* const print_vi) (struct virtual_item * vi);
44182 };
44183
44184-extern struct item_operations *item_ops[TYPE_ANY + 1];
44185+extern const struct item_operations * const item_ops[TYPE_ANY + 1];
44186
44187 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
44188 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
44189diff -urNp linux-2.6.33.1/include/linux/reiserfs_fs_sb.h linux-2.6.33.1/include/linux/reiserfs_fs_sb.h
44190--- linux-2.6.33.1/include/linux/reiserfs_fs_sb.h 2010-03-15 12:09:39.000000000 -0400
44191+++ linux-2.6.33.1/include/linux/reiserfs_fs_sb.h 2010-03-20 16:58:41.920592896 -0400
44192@@ -386,7 +386,7 @@ struct reiserfs_sb_info {
58c5fc13
MT
44193 /* Comment? -Hans */
44194 wait_queue_head_t s_wait;
44195 /* To be obsoleted soon by per buffer seals.. -Hans */
44196- atomic_t s_generation_counter; // increased by one every time the
44197+ atomic_unchecked_t s_generation_counter; // increased by one every time the
44198 // tree gets re-balanced
44199 unsigned long s_properties; /* File system properties. Currently holds
44200 on-disk FS format */
ae4e228f
MT
44201diff -urNp linux-2.6.33.1/include/linux/sched.h linux-2.6.33.1/include/linux/sched.h
44202--- linux-2.6.33.1/include/linux/sched.h 2010-03-15 12:09:39.000000000 -0400
44203+++ linux-2.6.33.1/include/linux/sched.h 2010-03-20 16:58:41.920592896 -0400
44204@@ -101,6 +101,7 @@ struct bio;
58c5fc13
MT
44205 struct fs_struct;
44206 struct bts_context;
ae4e228f 44207 struct perf_event_context;
58c5fc13
MT
44208+struct linux_binprm;
44209
44210 /*
44211 * List of flags we want to share for kernel threads,
ae4e228f 44212@@ -678,6 +679,15 @@ struct signal_struct {
58c5fc13
MT
44213 struct tty_audit_buf *tty_audit_buf;
44214 #endif
ae4e228f 44215
58c5fc13
MT
44216+#ifdef CONFIG_GRKERNSEC
44217+ u32 curr_ip;
44218+ u32 gr_saddr;
44219+ u32 gr_daddr;
44220+ u16 gr_sport;
44221+ u16 gr_dport;
44222+ u8 used_accept:1;
44223+#endif
ae4e228f
MT
44224+
44225 int oom_adj; /* OOM kill score adjustment (bit shift) */
58c5fc13
MT
44226 };
44227
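Review bot: The new `curr_ip`, `gr_saddr` and `gr_daddr` members in `struct signal_struct` are plain `u32` with no comment on address family or byte order. Judging by the names alone they hold IPv4 addresses, in which case an IPv6 peer cannot be recorded and any log line built from these fields would be empty or misleading for such connections. I would at least document that limit next to the fields, e.g. `/* IPv4 only, network byte order; left 0 for other families */`, after confirming it against the code that fills them, which is outside this hunk. The `used_accept:1` bit likewise needs a one-line comment saying what sets and clears it.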
ae4e228f 44228@@ -1234,7 +1244,7 @@ struct rcu_node;
58c5fc13
MT
44229
44230 struct task_struct {
44231 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
44232- void *stack;
44233+ struct thread_info *stack;
44234 atomic_t usage;
44235 unsigned int flags; /* per process flags, defined below */
44236 unsigned int ptrace;
ae4e228f 44237@@ -1346,8 +1356,8 @@ struct task_struct {
58c5fc13
MT
44238 struct list_head thread_group;
44239
44240 struct completion *vfork_done; /* for vfork() */
44241- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
44242- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44243+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
44244+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
44245
44246 cputime_t utime, stime, utimescaled, stimescaled;
44247 cputime_t gtime;
ae4e228f 44248@@ -1363,16 +1373,6 @@ struct task_struct {
58c5fc13
MT
44249 struct task_cputime cputime_expires;
44250 struct list_head cpu_timers[3];
44251
44252-/* process credentials */
44253- const struct cred *real_cred; /* objective and real subjective task
44254- * credentials (COW) */
44255- const struct cred *cred; /* effective (overridable) subjective task
44256- * credentials (COW) */
44257- struct mutex cred_guard_mutex; /* guard against foreign influences on
44258- * credential calculations
44259- * (notably. ptrace) */
ae4e228f 44260- struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
58c5fc13
MT
44261-
44262 char comm[TASK_COMM_LEN]; /* executable name excluding path
44263 - access with [gs]et_task_comm (which lock
44264 it with task_lock())
ae4e228f
MT
44265@@ -1456,6 +1456,15 @@ struct task_struct {
44266 int softirqs_enabled;
44267 int softirq_context;
58c5fc13
MT
44268 #endif
44269+
44270+/* process credentials */
44271+ const struct cred *real_cred; /* objective and real subjective task
44272+ * credentials (COW) */
58c5fc13
MT
44273+ struct mutex cred_guard_mutex; /* guard against foreign influences on
44274+ * credential calculations
44275+ * (notably. ptrace) */
ae4e228f 44276+ struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
58c5fc13 44277+
ae4e228f
MT
44278 #ifdef CONFIG_LOCKDEP
44279 # define MAX_LOCK_DEPTH 48UL
44280 u64 curr_chain_key;
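Review bot: The credential pointers are relocated inside `struct task_struct` without a word on why, and `cred` ends up in a different place from `real_cred` (it is re-added by the following hunk, after `backing_dev_info`). If the separation is deliberate hardening, a later cleanup that regroups the members would silently undo it. A comment above the moved block would protect it, e.g. `/* kept apart from ->cred on purpose, do not regroup */`, with the mirror comment on `cred` in the next hunk. The copied comment text also carries the typo `(notably. ptrace)`, which could be fixed to `(notably ptrace)` while the lines are being touched.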
44281@@ -1476,6 +1485,9 @@ struct task_struct {
44282
44283 struct backing_dev_info *backing_dev_info;
44284
44285+ const struct cred *cred; /* effective (overridable) subjective task
44286+ * credentials (COW) */
44287+
44288 struct io_context *io_context;
44289
44290 unsigned long ptrace_message;
44291@@ -1539,6 +1551,19 @@ struct task_struct {
44292 unsigned long default_timer_slack_ns;
44293
44294 struct list_head *scm_work_list;
58c5fc13
MT
44295+
44296+#ifdef CONFIG_GRKERNSEC
44297+ /* grsecurity */
ae4e228f 44298+ rwlock_t gr_fs_lock;
58c5fc13
MT
44299+ struct acl_subject_label *acl;
44300+ struct acl_role_label *role;
44301+ struct file *exec_file;
44302+ u16 acl_role_id;
44303+ u8 acl_sp_role;
44304+ u8 is_writable;
44305+ u8 brute;
44306+#endif
44307+
ae4e228f
MT
44308 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
44309 /* Index of current stored adress in ret_stack */
44310 int curr_ret_stack;
44311@@ -1571,6 +1596,52 @@ struct task_struct {
44312 #endif
58c5fc13
MT
44313 };
44314
44315+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
44316+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
44317+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
44318+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
44319+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
44320+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
44321+
44322+#ifdef CONFIG_PAX_SOFTMODE
44323+extern unsigned int pax_softmode;
44324+#endif
44325+
44326+extern int pax_check_flags(unsigned long *);
44327+
44328+/* if tsk != current then task_lock must be held on it */
44329+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44330+static inline unsigned long pax_get_flags(struct task_struct *tsk)
44331+{
44332+ if (likely(tsk->mm))
44333+ return tsk->mm->pax_flags;
44334+ else
44335+ return 0UL;
44336+}
44337+
44338+/* if tsk != current then task_lock must be held on it */
44339+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
44340+{
44341+ if (likely(tsk->mm)) {
44342+ tsk->mm->pax_flags = flags;
44343+ return 0;
44344+ }
44345+ return -EINVAL;
44346+}
44347+#endif
44348+
44349+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44350+extern void pax_set_initial_flags(struct linux_binprm *bprm);
44351+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44352+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
44353+#endif
44354+
44355+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
44356+void pax_report_insns(void *pc, void *sp);
44357+void pax_report_refcount_overflow(struct pt_regs *regs);
44358+void pax_report_leak_to_user(const void *ptr, unsigned long len);
44359+void pax_report_overflow_from_user(const void *ptr, unsigned long len);
44360+
44361 /* Future-safe accessor for struct task_struct's cpus_allowed. */
ae4e228f 44362 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
58c5fc13 44363
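Review bot: `pax_set_flags()` stores its `flags` argument into `tsk->mm->pax_flags` unchanged, so nothing in this helper restricts the value to the `MF_PAX_*` bits defined just above or rejects contradictory combinations. `pax_check_flags()` is declared in the same hunk and presumably does that validation, but its body is not visible here and nothing states that it must run first. I would put the contract in the comment, e.g. `/* flags must already have passed pax_check_flags(); if tsk != current then task_lock must be held on it */`. The locking rule is also enforced only by that comment, and the two helpers return different types (`unsigned long` versus `long`), which is worth a line explaining that the setter returns 0 or `-EINVAL`.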
ae4e228f 44364@@ -2172,7 +2243,7 @@ extern void __cleanup_sighand(struct sig
58c5fc13
MT
44365 extern void exit_itimers(struct signal_struct *);
44366 extern void flush_itimer_signals(void);
44367
44368-extern NORET_TYPE void do_group_exit(int);
44369+extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
44370
44371 extern void daemonize(const char *, ...);
44372 extern int allow_signal(int);
ae4e228f
MT
44373@@ -2274,6 +2345,33 @@ static inline void task_unlock(struct ta
44374 spin_unlock(&p->alloc_lock);
44375 }
44376
44377+/* grsec: protects only ->fs as task_lock is overkill and we can't
44378+ be using a spin_lock in interrupt context
44379+*/
44380+#ifdef CONFIG_GRKERNSEC
44381+#define gr_fs_write_lock_irqsave(x, y) \
44382+ write_lock_irqsave(&x->gr_fs_lock, y)
44383+#define gr_fs_write_unlock_irqrestore(x, y) \
44384+ write_unlock_irqrestore(&x->gr_fs_lock, y)
44385+#else
44386+#define gr_fs_write_lock_irqsave(x, y)
44387+#define gr_fs_write_unlock_irqrestore(x, y)
44388+#endif
44389+
44390+static inline void gr_fs_read_lock(struct task_struct *p)
44391+{
44392+#ifdef CONFIG_GRKERNSEC
44393+ read_lock(&p->gr_fs_lock);
44394+#endif
44395+}
44396+
44397+static inline void gr_fs_read_unlock(struct task_struct *p)
44398+{
44399+#ifdef CONFIG_GRKERNSEC
44400+ read_unlock(&p->gr_fs_lock);
44401+#endif
44402+}
44403+
44404 extern struct sighand_struct *lock_task_sighand(struct task_struct *tsk,
44405 unsigned long *flags);
44406
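Review bot: The `gr_fs_write_lock_irqsave()`/`gr_fs_write_unlock_irqrestore()` macros use their argument unparenthesised (`&x->gr_fs_lock`) and expand to nothing when `CONFIG_GRKERNSEC` is off. An argument such as `*pp` would bind wrongly in the first form, and the empty form leaves a bare `;` and an unused flags variable at every call site. The same patch already converts `SCTP_DEBUG_PRINTK` to `do {} while (0)` for this reason, so I would write `write_lock_irqsave(&(x)->gr_fs_lock, y)` in the enabled branch and `do { (void)(x); } while (0)` in the disabled one. The read-side helpers below are inline functions and do not have the problem; making the write side inline as well is not straightforward because `write_lock_irqsave()` assigns to its flags argument.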
44407@@ -2285,8 +2383,8 @@ static inline void unlock_task_sighand(s
58c5fc13
MT
44408
44409 #ifndef __HAVE_THREAD_FUNCTIONS
44410
44411-#define task_thread_info(task) ((struct thread_info *)(task)->stack)
44412-#define task_stack_page(task) ((task)->stack)
44413+#define task_thread_info(task) ((task)->stack)
44414+#define task_stack_page(task) ((void *)(task)->stack)
44415
44416 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
44417 {
ae4e228f 44418@@ -2301,13 +2399,31 @@ static inline unsigned long *end_of_stac
58c5fc13
MT
44419
44420 #endif
44421
44422-static inline int object_is_on_stack(void *obj)
ae4e228f 44423+static inline int object_starts_on_stack(void *obj)
58c5fc13 44424 {
ae4e228f
MT
44425- void *stack = task_stack_page(current);
44426+ const void *stack = task_stack_page(current);
58c5fc13 44427
ae4e228f
MT
44428 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
44429 }
44430
44431+/* 0: not at all, 1: fully, -1: partially (implies an error) */
44432+static inline int object_is_on_stack(const void *obj, unsigned long len)
44433+{
44434+ const void *stack = task_stack_page(current);
44435+ const void *stackend = stack + THREAD_SIZE;
44436+
44437+ if (obj + len < obj)
44438+ return -1;
44439+
44440+ if (stack <= obj && obj + len <= stackend)
44441+ return 1;
44442+
44443+ if (obj + len <= stack || stackend <= obj)
44444+ return 0;
44445+
44446+ return -1;
44447+}
44448+
44449 extern void thread_info_cache_init(void);
44450
44451 #ifdef CONFIG_DEBUG_STACK_USAGE
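Review bot: The wrap-around guard `if (obj + len < obj)` in the new `object_is_on_stack()` is done in pointer arithmetic on `const void *`, where overflow is undefined. A compiler is then entitled to fold the test to false unless the build disables that optimisation, and the build flags are not visible from this hunk. Doing the range maths on integers keeps the check reliable: `unsigned long start = (unsigned long)obj, end = start + len;` followed by `if (end < start) return -1;`, with the two comparisons below rewritten against `start`/`end`. Separately, `object_starts_on_stack()` still takes `void *obj` while the new function takes `const void *`; making both const would let callers pass read-only objects without a cast.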
44452diff -urNp linux-2.6.33.1/include/linux/screen_info.h linux-2.6.33.1/include/linux/screen_info.h
44453--- linux-2.6.33.1/include/linux/screen_info.h 2010-03-15 12:09:39.000000000 -0400
44454+++ linux-2.6.33.1/include/linux/screen_info.h 2010-03-20 16:58:41.920592896 -0400
44455@@ -43,7 +43,8 @@ struct screen_info {
58c5fc13
MT
44456 __u16 pages; /* 0x32 */
44457 __u16 vesa_attributes; /* 0x34 */
44458 __u32 capabilities; /* 0x36 */
44459- __u8 _reserved[6]; /* 0x3a */
44460+ __u16 vesapm_size; /* 0x3a */
44461+ __u8 _reserved[4]; /* 0x3c */
44462 } __attribute__((packed));
44463
44464 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
ae4e228f
MT
44465diff -urNp linux-2.6.33.1/include/linux/security.h linux-2.6.33.1/include/linux/security.h
44466--- linux-2.6.33.1/include/linux/security.h 2010-03-15 12:09:39.000000000 -0400
44467+++ linux-2.6.33.1/include/linux/security.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44468@@ -34,6 +34,7 @@
44469 #include <linux/key.h>
44470 #include <linux/xfrm.h>
44471 #include <linux/gfp.h>
44472+#include <linux/grsecurity.h>
44473 #include <net/flow.h>
44474
44475 /* Maximum number of letters for an LSM name string */
ae4e228f
MT
44476diff -urNp linux-2.6.33.1/include/linux/shm.h linux-2.6.33.1/include/linux/shm.h
44477--- linux-2.6.33.1/include/linux/shm.h 2010-03-15 12:09:39.000000000 -0400
44478+++ linux-2.6.33.1/include/linux/shm.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44479@@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
44480 pid_t shm_cprid;
44481 pid_t shm_lprid;
44482 struct user_struct *mlock_user;
44483+#ifdef CONFIG_GRKERNSEC
44484+ time_t shm_createtime;
44485+ pid_t shm_lapid;
44486+#endif
44487 };
44488
44489 /* shm_mode upper byte flags */
ae4e228f
MT
44490diff -urNp linux-2.6.33.1/include/linux/slab.h linux-2.6.33.1/include/linux/slab.h
44491--- linux-2.6.33.1/include/linux/slab.h 2010-03-15 12:09:39.000000000 -0400
44492+++ linux-2.6.33.1/include/linux/slab.h 2010-03-20 16:58:41.924637706 -0400
44493@@ -11,6 +11,7 @@
44494
44495 #include <linux/gfp.h>
44496 #include <linux/types.h>
44497+#include <linux/err.h>
44498
44499 /*
44500 * Flags to pass to kmem_cache_create().
44501@@ -82,10 +83,13 @@
58c5fc13
MT
44502 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
44503 * Both make kfree a no-op.
44504 */
44505-#define ZERO_SIZE_PTR ((void *)16)
ae4e228f
MT
44506+#define ZERO_SIZE_PTR \
44507+({ \
44508+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
44509+ (void *)(-MAX_ERRNO-1L); \
44510+})
58c5fc13
MT
44511
44512-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
44513- (unsigned long)ZERO_SIZE_PTR)
44514+#define ZERO_OR_NULL_PTR(x) (!(x) || (x) == ZERO_SIZE_PTR)
44515
44516 /*
44517 * struct kmem_cache related prototypes
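Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` evaluates `x` twice, and because `ZERO_SIZE_PTR` is now a statement expression each use also re-runs the `BUILD_BUG_ON` and can no longer appear in a static initialiser or other constant-expression context. A single-evaluation form avoids the first problem: `#define ZERO_OR_NULL_PTR(x) ({ const void *__p = (x); !__p || __p == ZERO_SIZE_PTR; })`. The semantics also narrow: the old `<=` comparison treated every value from 0 to 16 as "zero or null", while the new test accepts only the two exact values. A small non-NULL garbage pointer is therefore now passed on to the allocator paths instead of being ignored, which deserves a sentence in the comment above the macro. It would also help to state what the `BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK))` condition is meant to guarantee, since as written it only checks that `MAX_ERRNO` has some bit set inside the page offset.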
ae4e228f 44518@@ -138,6 +142,7 @@ void * __must_check krealloc(const void
58c5fc13
MT
44519 void kfree(const void *);
44520 void kzfree(const void *);
44521 size_t ksize(const void *);
44522+void check_object_size(const void *ptr, unsigned long n, bool to);
44523
44524 /*
44525 * Allocator specific definitions. These are mainly used to establish optimized
ae4e228f 44526@@ -328,4 +333,37 @@ static inline void *kzalloc_node(size_t
58c5fc13
MT
44527
44528 void __init kmem_cache_init_late(void);
44529
44530+#define kmalloc(x, y) \
44531+({ \
44532+ void *___retval; \
44533+ intoverflow_t ___x = (intoverflow_t)x; \
44534+ if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
44535+ ___retval = NULL; \
44536+ else \
44537+ ___retval = kmalloc((size_t)___x, (y)); \
44538+ ___retval; \
44539+})
44540+
44541+#define kmalloc_node(x, y, z) \
44542+({ \
44543+ void *___retval; \
44544+ intoverflow_t ___x = (intoverflow_t)x; \
44545+ if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
44546+ ___retval = NULL; \
44547+ else \
44548+ ___retval = kmalloc_node((size_t)___x, (y), (z));\
44549+ ___retval; \
44550+})
44551+
44552+#define kzalloc(x, y) \
44553+({ \
44554+ void *___retval; \
44555+ intoverflow_t ___x = (intoverflow_t)x; \
44556+ if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
44557+ ___retval = NULL; \
44558+ else \
44559+ ___retval = kzalloc((size_t)___x, (y)); \
44560+ ___retval; \
44561+})
44562+
44563 #endif /* _LINUX_SLAB_H */
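Review bot: The size check in the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers depends on `x` being left unparenthesised in `(intoverflow_t)x`, and no comment says so. That makes the cast bind to the first operand of an expression like `n * size`, and the hunk reads as though the product is meant to be computed in the wider type, but the next person to "fix" the missing parentheses would disable the check entirely. Please add a comment such as `/* x is deliberately not parenthesised: the cast must widen the first operand so the size expression is evaluated in intoverflow_t */`. It should also note the limits: only the leftmost operand is widened, so `hdr + n * size` still wraps before the comparison. Where `intoverflow_t` is no wider than `unsigned long` the test can never fire, and its definition is outside this hunk. The same applies to the `vmalloc*` wrappers added in include/linux/vmalloc.h.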
ae4e228f
MT
44564diff -urNp linux-2.6.33.1/include/linux/slub_def.h linux-2.6.33.1/include/linux/slub_def.h
44565--- linux-2.6.33.1/include/linux/slub_def.h 2010-03-15 12:09:39.000000000 -0400
44566+++ linux-2.6.33.1/include/linux/slub_def.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44567@@ -86,7 +86,7 @@ struct kmem_cache {
44568 struct kmem_cache_order_objects max;
44569 struct kmem_cache_order_objects min;
44570 gfp_t allocflags; /* gfp flags to use on each alloc */
44571- int refcount; /* Refcount for slab cache destroy */
44572+ atomic_t refcount; /* Refcount for slab cache destroy */
44573 void (*ctor)(void *);
44574 int inuse; /* Offset to metadata */
44575 int align; /* Alignment */
ae4e228f
MT
44576diff -urNp linux-2.6.33.1/include/linux/sonet.h linux-2.6.33.1/include/linux/sonet.h
44577--- linux-2.6.33.1/include/linux/sonet.h 2010-03-15 12:09:39.000000000 -0400
44578+++ linux-2.6.33.1/include/linux/sonet.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44579@@ -61,7 +61,7 @@ struct sonet_stats {
44580 #include <asm/atomic.h>
44581
44582 struct k_sonet_stats {
44583-#define __HANDLE_ITEM(i) atomic_t i
44584+#define __HANDLE_ITEM(i) atomic_unchecked_t i
44585 __SONET_ITEMS
44586 #undef __HANDLE_ITEM
44587 };
ae4e228f
MT
44588diff -urNp linux-2.6.33.1/include/linux/suspend.h linux-2.6.33.1/include/linux/suspend.h
44589--- linux-2.6.33.1/include/linux/suspend.h 2010-03-15 12:09:39.000000000 -0400
44590+++ linux-2.6.33.1/include/linux/suspend.h 2010-03-20 16:58:41.924637706 -0400
44591@@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
44592 * which require special recovery actions in that situation.
44593 */
44594 struct platform_suspend_ops {
44595- int (*valid)(suspend_state_t state);
44596- int (*begin)(suspend_state_t state);
44597- int (*prepare)(void);
44598- int (*prepare_late)(void);
44599- int (*enter)(suspend_state_t state);
44600- void (*wake)(void);
44601- void (*finish)(void);
44602- void (*end)(void);
44603- void (*recover)(void);
44604+ int (* const valid)(suspend_state_t state);
44605+ int (* const begin)(suspend_state_t state);
44606+ int (* const prepare)(void);
44607+ int (* const prepare_late)(void);
44608+ int (* const enter)(suspend_state_t state);
44609+ void (* const wake)(void);
44610+ void (* const finish)(void);
44611+ void (* const end)(void);
44612+ void (* const recover)(void);
44613 };
44614
44615 #ifdef CONFIG_SUSPEND
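Review bot: Declaring every member of `struct platform_suspend_ops` as `(* const fn)` makes it impossible to fill an instance field by field, so any platform code that builds its ops table at runtime or patches one callback stops compiling. Whether such users exist cannot be seen from this hunk. Per-member `const` also does not by itself say where an instance is stored; the write protection comes from defining the instances as `static const struct platform_suspend_ops`, which the `suspend_set_ops(const struct platform_suspend_ops *ops)` prototype in the next hunk already allows. I would document the intent on the struct, e.g. `/* callbacks are fixed at definition time; instances must be static const */`. The same pattern and the same comment apply to `platform_hibernation_ops`, `sysfs_ops`, `neigh_ops` and `snd_ac97_build_ops` later in this patch.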
44616@@ -120,7 +120,7 @@ struct platform_suspend_ops {
44617 * suspend_set_ops - set platform dependent suspend operations
44618 * @ops: The new suspend operations to set.
44619 */
44620-extern void suspend_set_ops(struct platform_suspend_ops *ops);
44621+extern void suspend_set_ops(const struct platform_suspend_ops *ops);
44622 extern int suspend_valid_only_mem(suspend_state_t state);
44623
44624 /**
44625@@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
44626 #else /* !CONFIG_SUSPEND */
44627 #define suspend_valid_only_mem NULL
44628
44629-static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
44630+static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
44631 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
44632 #endif /* !CONFIG_SUSPEND */
44633
44634@@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
44635 * platforms which require special recovery actions in that situation.
44636 */
44637 struct platform_hibernation_ops {
44638- int (*begin)(void);
44639- void (*end)(void);
44640- int (*pre_snapshot)(void);
44641- void (*finish)(void);
44642- int (*prepare)(void);
44643- int (*enter)(void);
44644- void (*leave)(void);
44645- int (*pre_restore)(void);
44646- void (*restore_cleanup)(void);
44647- void (*recover)(void);
44648+ int (* const begin)(void);
44649+ void (* const end)(void);
44650+ int (* const pre_snapshot)(void);
44651+ void (* const finish)(void);
44652+ int (* const prepare)(void);
44653+ int (* const enter)(void);
44654+ void (* const leave)(void);
44655+ int (* const pre_restore)(void);
44656+ void (* const restore_cleanup)(void);
44657+ void (* const recover)(void);
44658 };
44659
44660 #ifdef CONFIG_HIBERNATION
44661@@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
44662 extern void swsusp_unset_page_free(struct page *);
44663 extern unsigned long get_safe_page(gfp_t gfp_mask);
44664
44665-extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
44666+extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
44667 extern int hibernate(void);
44668 extern bool system_entering_hibernation(void);
44669 #else /* CONFIG_HIBERNATION */
44670@@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
44671 static inline void swsusp_set_page_free(struct page *p) {}
44672 static inline void swsusp_unset_page_free(struct page *p) {}
44673
44674-static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
44675+static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
44676 static inline int hibernate(void) { return -ENOSYS; }
44677 static inline bool system_entering_hibernation(void) { return false; }
44678 #endif /* CONFIG_HIBERNATION */
44679diff -urNp linux-2.6.33.1/include/linux/sysctl.h linux-2.6.33.1/include/linux/sysctl.h
44680--- linux-2.6.33.1/include/linux/sysctl.h 2010-03-15 12:09:39.000000000 -0400
44681+++ linux-2.6.33.1/include/linux/sysctl.h 2010-03-20 16:58:41.924637706 -0400
44682@@ -155,7 +155,11 @@ enum
58c5fc13
MT
44683 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
44684 };
44685
44686-
44687+#ifdef CONFIG_PAX_SOFTMODE
44688+enum {
44689+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
44690+};
44691+#endif
44692
44693 /* CTL_VM names: */
44694 enum
ae4e228f
MT
44695diff -urNp linux-2.6.33.1/include/linux/sysfs.h linux-2.6.33.1/include/linux/sysfs.h
44696--- linux-2.6.33.1/include/linux/sysfs.h 2010-03-15 12:09:39.000000000 -0400
44697+++ linux-2.6.33.1/include/linux/sysfs.h 2010-03-20 16:58:41.924637706 -0400
44698@@ -75,8 +75,8 @@ struct bin_attribute {
44699 };
44700
44701 struct sysfs_ops {
44702- ssize_t (*show)(struct kobject *, struct attribute *,char *);
44703- ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
44704+ ssize_t (* const show)(struct kobject *, struct attribute *,char *);
44705+ ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
44706 };
44707
44708 struct sysfs_dirent;
44709diff -urNp linux-2.6.33.1/include/linux/thread_info.h linux-2.6.33.1/include/linux/thread_info.h
44710--- linux-2.6.33.1/include/linux/thread_info.h 2010-03-15 12:09:39.000000000 -0400
44711+++ linux-2.6.33.1/include/linux/thread_info.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44712@@ -23,7 +23,7 @@ struct restart_block {
44713 };
44714 /* For futex_wait and futex_wait_requeue_pi */
44715 struct {
44716- u32 *uaddr;
44717+ u32 __user *uaddr;
44718 u32 val;
44719 u32 flags;
44720 u32 bitset;
ae4e228f
MT
44721diff -urNp linux-2.6.33.1/include/linux/tty.h linux-2.6.33.1/include/linux/tty.h
44722--- linux-2.6.33.1/include/linux/tty.h 2010-03-15 12:09:39.000000000 -0400
44723+++ linux-2.6.33.1/include/linux/tty.h 2010-03-20 16:58:41.924637706 -0400
44724@@ -13,6 +13,7 @@
44725 #include <linux/tty_driver.h>
44726 #include <linux/tty_ldisc.h>
44727 #include <linux/mutex.h>
44728+#include <linux/poll.h>
44729
44730 #include <asm/system.h>
44731
44732@@ -440,7 +441,6 @@ extern int tty_perform_flush(struct tty_
44733 extern dev_t tty_devnum(struct tty_struct *tty);
44734 extern void proc_clear_tty(struct task_struct *p);
44735 extern struct tty_struct *get_current_tty(void);
44736-extern void tty_default_fops(struct file_operations *fops);
44737 extern struct tty_struct *alloc_tty_struct(void);
44738 extern void free_tty_struct(struct tty_struct *tty);
44739 extern void initialize_tty_struct(struct tty_struct *tty,
44740@@ -501,6 +501,18 @@ extern void tty_ldisc_begin(void);
44741 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
44742 extern void tty_ldisc_enable(struct tty_struct *tty);
44743
44744+/* tty_io.c */
44745+extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
44746+extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
44747+extern unsigned int tty_poll(struct file *, poll_table *);
44748+#ifdef CONFIG_COMPAT
44749+extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
44750+ unsigned long arg);
44751+#else
44752+#define tty_compat_ioctl NULL
44753+#endif
44754+extern int tty_release(struct inode *, struct file *);
44755+extern int tty_fasync(int fd, struct file *filp, int on);
44756
44757 /* n_tty.c */
44758 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
44759diff -urNp linux-2.6.33.1/include/linux/tty_ldisc.h linux-2.6.33.1/include/linux/tty_ldisc.h
44760--- linux-2.6.33.1/include/linux/tty_ldisc.h 2010-03-15 12:09:39.000000000 -0400
44761+++ linux-2.6.33.1/include/linux/tty_ldisc.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44762@@ -139,7 +139,7 @@ struct tty_ldisc_ops {
44763
44764 struct module *owner;
44765
44766- int refcount;
44767+ atomic_t refcount;
44768 };
44769
44770 struct tty_ldisc {
ae4e228f
MT
44771diff -urNp linux-2.6.33.1/include/linux/types.h linux-2.6.33.1/include/linux/types.h
44772--- linux-2.6.33.1/include/linux/types.h 2010-03-15 12:09:39.000000000 -0400
44773+++ linux-2.6.33.1/include/linux/types.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44774@@ -191,10 +191,26 @@ typedef struct {
44775 volatile int counter;
44776 } atomic_t;
44777
44778+#ifdef CONFIG_PAX_REFCOUNT
44779+typedef struct {
44780+ volatile int counter;
44781+} atomic_unchecked_t;
44782+#else
44783+typedef atomic_t atomic_unchecked_t;
44784+#endif
44785+
44786 #ifdef CONFIG_64BIT
44787 typedef struct {
44788 volatile long counter;
44789 } atomic64_t;
44790+
44791+#ifdef CONFIG_PAX_REFCOUNT
44792+typedef struct {
44793+ volatile long counter;
44794+} atomic64_unchecked_t;
44795+#else
44796+typedef atomic64_t atomic64_unchecked_t;
44797+#endif
44798 #endif
44799
44800 struct ustat {
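Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without any comment on when they may be used, although choosing them is a security decision. Under `CONFIG_PAX_REFCOUNT` they are distinct types, which by the name opt a counter out of overflow detection, so a reference count declared with them loses the protection the option exists to give. A header comment would make later conversions reviewable, e.g. `/* for statistics and sequence counters that may wrap harmlessly; never for reference counts */`. The wording is inferred from the type names and from uses such as `s_generation_counter` elsewhere in this patch, so it should be confirmed against the accessor definitions, which are not part of this hunk.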
ae4e228f
MT
44801diff -urNp linux-2.6.33.1/include/linux/uaccess.h linux-2.6.33.1/include/linux/uaccess.h
44802--- linux-2.6.33.1/include/linux/uaccess.h 2010-03-15 12:09:39.000000000 -0400
44803+++ linux-2.6.33.1/include/linux/uaccess.h 2010-03-20 16:58:41.924637706 -0400
58c5fc13
MT
44804@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
44805 long ret; \
44806 mm_segment_t old_fs = get_fs(); \
44807 \
44808- set_fs(KERNEL_DS); \
44809 pagefault_disable(); \
44810+ set_fs(KERNEL_DS); \
44811 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
44812- pagefault_enable(); \
44813 set_fs(old_fs); \
44814+ pagefault_enable(); \
44815 ret; \
44816 })
44817
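Review bot: The statements are reordered so that `set_fs(KERNEL_DS)` and `set_fs(old_fs)` sit strictly inside the `pagefault_disable()`/`pagefault_enable()` pair, but nothing in the macro says the nesting matters. Without a comment a later tidy-up can swap the lines back and widen the window in which the address limit is lifted. I would add `/* raise the address limit only while page faults are disabled, and drop it before re-enabling them */` above the `pagefault_disable()` line. The macro's `#define` line is outside this hunk, so the note covers only the body shown here.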
ae4e228f
MT
44818@@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
44819 * Safely read from address @src to the buffer at @dst. If a kernel fault
44820 * happens, handle that and return -EFAULT.
44821 */
44822-extern long probe_kernel_read(void *dst, void *src, size_t size);
44823-extern long __probe_kernel_read(void *dst, void *src, size_t size);
44824+extern long probe_kernel_read(void *dst, const void *src, size_t size);
44825+extern long __probe_kernel_read(void *dst, const void *src, size_t size);
44826
44827 /*
44828 * probe_kernel_write(): safely attempt to write to a location
44829@@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
44830 * Safely write to address @dst from the buffer at @src. If a kernel fault
44831 * happens, handle that and return -EFAULT.
44832 */
44833-extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
44834-extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
44835+extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
44836+extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
44837
44838 #endif /* __LINUX_UACCESS_H__ */
44839diff -urNp linux-2.6.33.1/include/linux/vmalloc.h linux-2.6.33.1/include/linux/vmalloc.h
44840--- linux-2.6.33.1/include/linux/vmalloc.h 2010-03-15 12:09:39.000000000 -0400
44841+++ linux-2.6.33.1/include/linux/vmalloc.h 2010-03-20 16:58:41.928524770 -0400
58c5fc13
MT
44842@@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
44843 #define VM_MAP 0x00000004 /* vmap()ed pages */
44844 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
44845 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
44846+
44847+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
44848+#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
44849+#endif
44850+
44851 /* bits [20..32] reserved for arch specific ioremap internals */
44852
44853 /*
ae4e228f
MT
44854@@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
44855
44856 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
58c5fc13
MT
44857
44858+#define vmalloc(x) \
44859+({ \
44860+ void *___retval; \
44861+ intoverflow_t ___x = (intoverflow_t)x; \
44862+ if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
44863+ ___retval = NULL; \
44864+ else \
44865+ ___retval = vmalloc((unsigned long)___x); \
44866+ ___retval; \
44867+})
44868+
44869+#define __vmalloc(x, y, z) \
44870+({ \
44871+ void *___retval; \
44872+ intoverflow_t ___x = (intoverflow_t)x; \
44873+ if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
44874+ ___retval = NULL; \
44875+ else \
44876+ ___retval = __vmalloc((unsigned long)___x, (y), (z));\
44877+ ___retval; \
44878+})
44879+
44880+#define vmalloc_user(x) \
44881+({ \
44882+ void *___retval; \
44883+ intoverflow_t ___x = (intoverflow_t)x; \
44884+ if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
44885+ ___retval = NULL; \
44886+ else \
44887+ ___retval = vmalloc_user((unsigned long)___x); \
44888+ ___retval; \
44889+})
44890+
44891+#define vmalloc_exec(x) \
44892+({ \
44893+ void *___retval; \
44894+ intoverflow_t ___x = (intoverflow_t)x; \
44895+ if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
44896+ ___retval = NULL; \
44897+ else \
44898+ ___retval = vmalloc_exec((unsigned long)___x); \
44899+ ___retval; \
44900+})
44901+
44902+#define vmalloc_node(x, y) \
44903+({ \
44904+ void *___retval; \
44905+ intoverflow_t ___x = (intoverflow_t)x; \
44906+ if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
44907+ ___retval = NULL; \
44908+ else \
44909+ ___retval = vmalloc_node((unsigned long)___x, (y));\
44910+ ___retval; \
44911+})
44912+
44913+#define vmalloc_32(x) \
44914+({ \
44915+ void *___retval; \
44916+ intoverflow_t ___x = (intoverflow_t)x; \
44917+ if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
44918+ ___retval = NULL; \
44919+ else \
44920+ ___retval = vmalloc_32((unsigned long)___x); \
44921+ ___retval; \
44922+})
44923+
44924+#define vmalloc_32_user(x) \
44925+({ \
44926+ void *___retval; \
44927+ intoverflow_t ___x = (intoverflow_t)x; \
44928+ if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
44929+ ___retval = NULL; \
44930+ else \
44931+ ___retval = vmalloc_32_user((unsigned long)___x);\
44932+ ___retval; \
44933+})
44934+
44935 #endif /* _LINUX_VMALLOC_H */
ae4e228f
MT
44936diff -urNp linux-2.6.33.1/include/net/irda/ircomm_tty.h linux-2.6.33.1/include/net/irda/ircomm_tty.h
44937--- linux-2.6.33.1/include/net/irda/ircomm_tty.h 2010-03-15 12:09:39.000000000 -0400
44938+++ linux-2.6.33.1/include/net/irda/ircomm_tty.h 2010-03-20 16:58:41.928524770 -0400
58c5fc13
MT
44939@@ -105,8 +105,8 @@ struct ircomm_tty_cb {
44940 unsigned short close_delay;
44941 unsigned short closing_wait; /* time to wait before closing */
44942
44943- int open_count;
44944- int blocked_open; /* # of blocked opens */
44945+ atomic_t open_count;
44946+ atomic_t blocked_open; /* # of blocked opens */
44947
44948 /* Protect concurent access to :
44949 * o self->open_count
ae4e228f
MT
44950diff -urNp linux-2.6.33.1/include/net/neighbour.h linux-2.6.33.1/include/net/neighbour.h
44951--- linux-2.6.33.1/include/net/neighbour.h 2010-03-15 12:09:39.000000000 -0400
44952+++ linux-2.6.33.1/include/net/neighbour.h 2010-03-20 16:58:41.928524770 -0400
44953@@ -116,12 +116,12 @@ struct neighbour {
44954
44955 struct neigh_ops {
44956 int family;
44957- void (*solicit)(struct neighbour *, struct sk_buff*);
44958- void (*error_report)(struct neighbour *, struct sk_buff*);
44959- int (*output)(struct sk_buff*);
44960- int (*connected_output)(struct sk_buff*);
44961- int (*hh_output)(struct sk_buff*);
44962- int (*queue_xmit)(struct sk_buff*);
44963+ void (* const solicit)(struct neighbour *, struct sk_buff*);
44964+ void (* const error_report)(struct neighbour *, struct sk_buff*);
44965+ int (* const output)(struct sk_buff*);
44966+ int (* const connected_output)(struct sk_buff*);
44967+ int (* const hh_output)(struct sk_buff*);
44968+ int (* const queue_xmit)(struct sk_buff*);
44969 };
44970
44971 struct pneigh_entry {
44972diff -urNp linux-2.6.33.1/include/net/sctp/sctp.h linux-2.6.33.1/include/net/sctp/sctp.h
44973--- linux-2.6.33.1/include/net/sctp/sctp.h 2010-03-15 12:09:39.000000000 -0400
44974+++ linux-2.6.33.1/include/net/sctp/sctp.h 2010-03-20 16:58:41.928524770 -0400
44975@@ -304,8 +304,8 @@ extern int sctp_debug_flag;
58c5fc13
MT
44976
44977 #else /* SCTP_DEBUG */
44978
44979-#define SCTP_DEBUG_PRINTK(whatever...)
44980-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
44981+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
44982+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
44983 #define SCTP_ENABLE_DEBUG
44984 #define SCTP_DISABLE_DEBUG
44985 #define SCTP_ASSERT(expr, str, func)
ae4e228f
MT
44986diff -urNp linux-2.6.33.1/include/net/tcp.h linux-2.6.33.1/include/net/tcp.h
44987--- linux-2.6.33.1/include/net/tcp.h 2010-03-15 12:09:39.000000000 -0400
44988+++ linux-2.6.33.1/include/net/tcp.h 2010-03-20 16:58:41.928524770 -0400
44989@@ -1392,6 +1392,7 @@ enum tcp_seq_states {
44990 struct tcp_seq_afinfo {
44991 char *name;
44992 sa_family_t family;
44993+ /* cannot be const */
44994 struct file_operations seq_fops;
44995 struct seq_operations seq_ops;
44996 };
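Review bot: The added comment `/* cannot be const */` in `struct tcp_seq_afinfo` states a restriction without the reason, which is the part a maintainer needs when deciding whether the restriction still holds. If, as it appears, `seq_fops` and `seq_ops` are filled in when the afinfo is registered, say so: `/* cannot be const: members are assigned at registration time */`. The registration code is not in this hunk, so the wording should be checked against it. The identical comment added to `struct udp_seq_afinfo` in include/net/udp.h needs the same expansion.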
44997diff -urNp linux-2.6.33.1/include/net/udp.h linux-2.6.33.1/include/net/udp.h
44998--- linux-2.6.33.1/include/net/udp.h 2010-03-15 12:09:39.000000000 -0400
44999+++ linux-2.6.33.1/include/net/udp.h 2010-03-20 16:58:41.928524770 -0400
45000@@ -221,6 +221,7 @@ struct udp_seq_afinfo {
45001 char *name;
45002 sa_family_t family;
45003 struct udp_table *udp_table;
45004+ /* cannot be const */
45005 struct file_operations seq_fops;
45006 struct seq_operations seq_ops;
45007 };
45008diff -urNp linux-2.6.33.1/include/sound/ac97_codec.h linux-2.6.33.1/include/sound/ac97_codec.h
45009--- linux-2.6.33.1/include/sound/ac97_codec.h 2010-03-15 12:09:39.000000000 -0400
45010+++ linux-2.6.33.1/include/sound/ac97_codec.h 2010-03-20 16:58:41.928524770 -0400
45011@@ -419,15 +419,15 @@
45012 struct snd_ac97;
45013
45014 struct snd_ac97_build_ops {
45015- int (*build_3d) (struct snd_ac97 *ac97);
45016- int (*build_specific) (struct snd_ac97 *ac97);
45017- int (*build_spdif) (struct snd_ac97 *ac97);
45018- int (*build_post_spdif) (struct snd_ac97 *ac97);
45019+ int (* const build_3d) (struct snd_ac97 *ac97);
45020+ int (* const build_specific) (struct snd_ac97 *ac97);
45021+ int (* const build_spdif) (struct snd_ac97 *ac97);
45022+ int (* const build_post_spdif) (struct snd_ac97 *ac97);
45023 #ifdef CONFIG_PM
45024- void (*suspend) (struct snd_ac97 *ac97);
45025- void (*resume) (struct snd_ac97 *ac97);
45026+ void (* const suspend) (struct snd_ac97 *ac97);
45027+ void (* const resume) (struct snd_ac97 *ac97);
58c5fc13 45028 #endif
ae4e228f
MT
45029- void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
45030+ void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
45031 };
45032
45033 struct snd_ac97_bus_ops {
45034@@ -477,7 +477,7 @@ struct snd_ac97_template {
45035
45036 struct snd_ac97 {
45037 /* -- lowlevel (hardware) driver specific -- */
45038- struct snd_ac97_build_ops * build_ops;
45039+ const struct snd_ac97_build_ops * build_ops;
45040 void *private_data;
45041 void (*private_free) (struct snd_ac97 *ac97);
45042 /* --- */
45043diff -urNp linux-2.6.33.1/include/trace/events/irq.h linux-2.6.33.1/include/trace/events/irq.h
45044--- linux-2.6.33.1/include/trace/events/irq.h 2010-03-15 12:09:39.000000000 -0400
45045+++ linux-2.6.33.1/include/trace/events/irq.h 2010-03-20 16:58:41.928524770 -0400
45046@@ -34,7 +34,7 @@
45047 */
45048 TRACE_EVENT(irq_handler_entry,
45049
45050- TP_PROTO(int irq, struct irqaction *action),
45051+ TP_PROTO(int irq, const struct irqaction *action),
45052
45053 TP_ARGS(irq, action),
45054
45055@@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
45056 */
45057 TRACE_EVENT(irq_handler_exit,
45058
45059- TP_PROTO(int irq, struct irqaction *action, int ret),
45060+ TP_PROTO(int irq, const struct irqaction *action, int ret),
45061
45062 TP_ARGS(irq, action, ret),
45063
45064@@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
58c5fc13 45065
ae4e228f 45066 DECLARE_EVENT_CLASS(softirq,
58c5fc13 45067
ae4e228f
MT
45068- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
45069+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
45070
45071 TP_ARGS(h, vec),
45072
45073@@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
45074 */
45075 DEFINE_EVENT(softirq, softirq_entry,
45076
45077- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
45078+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
45079
45080 TP_ARGS(h, vec)
45081 );
45082@@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
45083 */
45084 DEFINE_EVENT(softirq, softirq_exit,
45085
45086- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
45087+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
45088
45089 TP_ARGS(h, vec)
45090 );
45091diff -urNp linux-2.6.33.1/include/video/uvesafb.h linux-2.6.33.1/include/video/uvesafb.h
45092--- linux-2.6.33.1/include/video/uvesafb.h 2010-03-15 12:09:39.000000000 -0400
45093+++ linux-2.6.33.1/include/video/uvesafb.h 2010-03-20 16:58:41.928524770 -0400
58c5fc13
MT
45094@@ -177,6 +177,7 @@ struct uvesafb_par {
45095 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
45096 u8 pmi_setpal; /* PMI for palette changes */
45097 u16 *pmi_base; /* protected mode interface location */
45098+ u8 *pmi_code; /* protected mode code location */
45099 void *pmi_start;
45100 void *pmi_pal;
45101 u8 *vbe_state_orig; /*
ae4e228f
MT
45102diff -urNp linux-2.6.33.1/init/do_mounts.c linux-2.6.33.1/init/do_mounts.c
45103--- linux-2.6.33.1/init/do_mounts.c 2010-03-15 12:09:39.000000000 -0400
45104+++ linux-2.6.33.1/init/do_mounts.c 2010-03-20 16:58:41.936928392 -0400
58c5fc13
MT
45105@@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
45106
45107 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
45108 {
45109- int err = sys_mount(name, "/root", fs, flags, data);
ae4e228f 45110+ int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
58c5fc13
MT
45111 if (err)
45112 return err;
45113
45114- sys_chdir("/root");
ae4e228f 45115+ sys_chdir((__force char __user *)"/root");
58c5fc13
MT
45116 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
45117 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
45118 current->fs->pwd.mnt->mnt_sb->s_type->name,
45119@@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
45120 va_start(args, fmt);
45121 vsprintf(buf, fmt, args);
45122 va_end(args);
45123- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
45124+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
45125 if (fd >= 0) {
45126 sys_ioctl(fd, FDEJECT, 0);
45127 sys_close(fd);
45128 }
45129 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
45130- fd = sys_open("/dev/console", O_RDWR, 0);
45131+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
45132 if (fd >= 0) {
45133 sys_ioctl(fd, TCGETS, (long)&termios);
45134 termios.c_lflag &= ~ICANON;
45135 sys_ioctl(fd, TCSETSF, (long)&termios);
45136- sys_read(fd, &c, 1);
45137+ sys_read(fd, (char __user *)&c, 1);
45138 termios.c_lflag |= ICANON;
45139 sys_ioctl(fd, TCSETSF, (long)&termios);
45140 sys_close(fd);
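Review bot: The casts added in `change_floppy()` are written `(char __user *)` without `__force`, unlike the `(__force char __user *)` casts in the `do_mount_root()` hunk just above and in the other init/ files this patch touches. A plain cast that moves a kernel pointer into the `__user` address space may still be reported by sparse, and it also drops `const` from the string literals. Use `sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. The two `sys_mkdir((const char __user *)...)` calls in the init/noinitramfs.c hunks have the same omission. `change_floppy()` starts and ends outside the hunk.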
ae4e228f 45141@@ -416,6 +416,6 @@ void __init prepare_namespace(void)
58c5fc13
MT
45142 mount_root();
45143 out:
ae4e228f 45144 devtmpfs_mount("dev");
58c5fc13
MT
45145- sys_mount(".", "/", NULL, MS_MOVE, NULL);
45146- sys_chroot(".");
ae4e228f
MT
45147+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45148+ sys_chroot((__force char __user *)".");
58c5fc13 45149 }
ae4e228f
MT
45150diff -urNp linux-2.6.33.1/init/do_mounts.h linux-2.6.33.1/init/do_mounts.h
45151--- linux-2.6.33.1/init/do_mounts.h 2010-03-15 12:09:39.000000000 -0400
45152+++ linux-2.6.33.1/init/do_mounts.h 2010-03-20 16:58:41.973158089 -0400
58c5fc13
MT
45153@@ -15,15 +15,15 @@ extern int root_mountflags;
45154
45155 static inline int create_dev(char *name, dev_t dev)
45156 {
45157- sys_unlink(name);
45158- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
ae4e228f
MT
45159+ sys_unlink((__force char __user *)name);
45160+ return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
58c5fc13
MT
45161 }
45162
45163 #if BITS_PER_LONG == 32
45164 static inline u32 bstat(char *name)
45165 {
45166 struct stat64 stat;
45167- if (sys_stat64(name, &stat) != 0)
ae4e228f 45168+ if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
58c5fc13
MT
45169 return 0;
45170 if (!S_ISBLK(stat.st_mode))
45171 return 0;
ae4e228f
MT
45172diff -urNp linux-2.6.33.1/init/do_mounts_initrd.c linux-2.6.33.1/init/do_mounts_initrd.c
45173--- linux-2.6.33.1/init/do_mounts_initrd.c 2010-03-15 12:09:39.000000000 -0400
45174+++ linux-2.6.33.1/init/do_mounts_initrd.c 2010-03-20 16:58:41.973158089 -0400
58c5fc13
MT
45175@@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
45176 sys_close(old_fd);sys_close(root_fd);
45177 sys_close(0);sys_close(1);sys_close(2);
45178 sys_setsid();
45179- (void) sys_open("/dev/console",O_RDWR,0);
ae4e228f 45180+ (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
58c5fc13
MT
45181 (void) sys_dup(0);
45182 (void) sys_dup(0);
45183 return kernel_execve(shell, argv, envp_init);
45184@@ -47,13 +47,13 @@ static void __init handle_initrd(void)
45185 create_dev("/dev/root.old", Root_RAM0);
45186 /* mount initrd on rootfs' /root */
45187 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
45188- sys_mkdir("/old", 0700);
45189- root_fd = sys_open("/", 0, 0);
45190- old_fd = sys_open("/old", 0, 0);
ae4e228f
MT
45191+ sys_mkdir((__force const char __user *)"/old", 0700);
45192+ root_fd = sys_open((__force const char __user *)"/", 0, 0);
45193+ old_fd = sys_open((__force const char __user *)"/old", 0, 0);
58c5fc13
MT
45194 /* move initrd over / and chdir/chroot in initrd root */
45195- sys_chdir("/root");
45196- sys_mount(".", "/", NULL, MS_MOVE, NULL);
45197- sys_chroot(".");
ae4e228f
MT
45198+ sys_chdir((__force const char __user *)"/root");
45199+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
45200+ sys_chroot((__force const char __user *)".");
58c5fc13
MT
45201
45202 /*
45203 * In case that a resume from disk is carried out by linuxrc or one of
45204@@ -70,15 +70,15 @@ static void __init handle_initrd(void)
45205
45206 /* move initrd to rootfs' /old */
45207 sys_fchdir(old_fd);
45208- sys_mount("/", ".", NULL, MS_MOVE, NULL);
ae4e228f 45209+ sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
58c5fc13
MT
45210 /* switch root and cwd back to / of rootfs */
45211 sys_fchdir(root_fd);
45212- sys_chroot(".");
ae4e228f 45213+ sys_chroot((__force const char __user *)".");
58c5fc13
MT
45214 sys_close(old_fd);
45215 sys_close(root_fd);
45216
45217 if (new_decode_dev(real_root_dev) == Root_RAM0) {
45218- sys_chdir("/old");
ae4e228f 45219+ sys_chdir((__force const char __user *)"/old");
58c5fc13
MT
45220 return;
45221 }
45222
45223@@ -86,17 +86,17 @@ static void __init handle_initrd(void)
45224 mount_root();
45225
45226 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
45227- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
ae4e228f 45228+ error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
58c5fc13
MT
45229 if (!error)
45230 printk("okay\n");
45231 else {
45232- int fd = sys_open("/dev/root.old", O_RDWR, 0);
ae4e228f 45233+ int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
58c5fc13
MT
45234 if (error == -ENOENT)
45235 printk("/initrd does not exist. Ignored.\n");
45236 else
45237 printk("failed\n");
45238 printk(KERN_NOTICE "Unmounting old root\n");
45239- sys_umount("/old", MNT_DETACH);
ae4e228f 45240+ sys_umount((__force char __user *)"/old", MNT_DETACH);
58c5fc13
MT
45241 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
45242 if (fd < 0) {
45243 error = fd;
45244@@ -119,11 +119,11 @@ int __init initrd_load(void)
45245 * mounted in the normal path.
45246 */
45247 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
45248- sys_unlink("/initrd.image");
ae4e228f 45249+ sys_unlink((__force const char __user *)"/initrd.image");
58c5fc13
MT
45250 handle_initrd();
45251 return 1;
45252 }
45253 }
45254- sys_unlink("/initrd.image");
ae4e228f 45255+ sys_unlink((__force const char __user *)"/initrd.image");
58c5fc13
MT
45256 return 0;
45257 }
ae4e228f
MT
45258diff -urNp linux-2.6.33.1/init/do_mounts_md.c linux-2.6.33.1/init/do_mounts_md.c
45259--- linux-2.6.33.1/init/do_mounts_md.c 2010-03-15 12:09:39.000000000 -0400
45260+++ linux-2.6.33.1/init/do_mounts_md.c 2010-03-20 16:58:41.973158089 -0400
58c5fc13
MT
45261@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
45262 partitioned ? "_d" : "", minor,
45263 md_setup_args[ent].device_names);
45264
45265- fd = sys_open(name, 0, 0);
ae4e228f 45266+ fd = sys_open((__force char __user *)name, 0, 0);
58c5fc13
MT
45267 if (fd < 0) {
45268 printk(KERN_ERR "md: open failed - cannot start "
45269 "array %s\n", name);
45270@@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
45271 * array without it
45272 */
45273 sys_close(fd);
45274- fd = sys_open(name, 0, 0);
ae4e228f 45275+ fd = sys_open((__force char __user *)name, 0, 0);
58c5fc13
MT
45276 sys_ioctl(fd, BLKRRPART, 0);
45277 }
45278 sys_close(fd);
45279@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
45280
45281 wait_for_device_probe();
45282
45283- fd = sys_open("/dev/md0", 0, 0);
ae4e228f 45284+ fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
58c5fc13
MT
45285 if (fd >= 0) {
45286 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
45287 sys_close(fd);
ae4e228f
MT
45288diff -urNp linux-2.6.33.1/init/initramfs.c linux-2.6.33.1/init/initramfs.c
45289--- linux-2.6.33.1/init/initramfs.c 2010-03-15 12:09:39.000000000 -0400
45290+++ linux-2.6.33.1/init/initramfs.c 2010-03-20 16:58:41.973158089 -0400
45291@@ -74,7 +74,7 @@ static void __init free_hash(void)
45292 }
45293 }
45294
45295-static long __init do_utime(char __user *filename, time_t mtime)
45296+static long __init do_utime(__force char __user *filename, time_t mtime)
45297 {
45298 struct timespec t[2];
45299
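Review bot: `__force` is placed on the parameter declaration of `do_utime()`, where it is not a cast and has no defined effect. Every call site changed in this file already casts explicitly with `(__force char __user *)`. The signature can stay `static long __init do_utime(char __user *filename, time_t mtime)`, which keeps the address-space conversion visible at the callers, where a reviewer expects it. The body of `do_utime()` continues outside the hunk.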
45300@@ -109,7 +109,7 @@ static void __init dir_utime(void)
45301 struct dir_entry *de, *tmp;
45302 list_for_each_entry_safe(de, tmp, &dir_list, list) {
45303 list_del(&de->list);
45304- do_utime(de->name, de->mtime);
45305+ do_utime((__force char __user *)de->name, de->mtime);
45306 kfree(de->name);
45307 kfree(de);
45308 }
58c5fc13
MT
45309@@ -271,7 +271,7 @@ static int __init maybe_link(void)
45310 if (nlink >= 2) {
45311 char *old = find_link(major, minor, ino, mode, collected);
45312 if (old)
45313- return (sys_link(old, collected) < 0) ? -1 : 1;
ae4e228f 45314+ return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
58c5fc13
MT
45315 }
45316 return 0;
45317 }
45318@@ -280,11 +280,11 @@ static void __init clean_path(char *path
45319 {
45320 struct stat st;
45321
45322- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
ae4e228f 45323+ if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
58c5fc13
MT
45324 if (S_ISDIR(st.st_mode))
45325- sys_rmdir(path);
ae4e228f 45326+ sys_rmdir((__force char __user *)path);
58c5fc13
MT
45327 else
45328- sys_unlink(path);
ae4e228f 45329+ sys_unlink((__force char __user *)path);
58c5fc13
MT
45330 }
45331 }
45332
45333@@ -305,7 +305,7 @@ static int __init do_name(void)
45334 int openflags = O_WRONLY|O_CREAT;
45335 if (ml != 1)
45336 openflags |= O_TRUNC;
45337- wfd = sys_open(collected, openflags, mode);
ae4e228f 45338+ wfd = sys_open((__force char __user *)collected, openflags, mode);
58c5fc13
MT
45339
45340 if (wfd >= 0) {
45341 sys_fchown(wfd, uid, gid);
ae4e228f 45342@@ -317,17 +317,17 @@ static int __init do_name(void)
58c5fc13
MT
45343 }
45344 }
45345 } else if (S_ISDIR(mode)) {
45346- sys_mkdir(collected, mode);
45347- sys_chown(collected, uid, gid);
45348- sys_chmod(collected, mode);
ae4e228f
MT
45349+ sys_mkdir((__force char __user *)collected, mode);
45350+ sys_chown((__force char __user *)collected, uid, gid);
45351+ sys_chmod((__force char __user *)collected, mode);
58c5fc13
MT
45352 dir_add(collected, mtime);
45353 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
45354 S_ISFIFO(mode) || S_ISSOCK(mode)) {
45355 if (maybe_link() == 0) {
45356- sys_mknod(collected, mode, rdev);
45357- sys_chown(collected, uid, gid);
45358- sys_chmod(collected, mode);
ae4e228f
MT
45359- do_utime(collected, mtime);
45360+ sys_mknod((__force char __user *)collected, mode, rdev);
45361+ sys_chown((__force char __user *)collected, uid, gid);
45362+ sys_chmod((__force char __user *)collected, mode);
45363+ do_utime((__force char __user *)collected, mtime);
58c5fc13
MT
45364 }
45365 }
ae4e228f
MT
45366 return 0;
45367@@ -336,15 +336,15 @@ static int __init do_name(void)
58c5fc13
MT
45368 static int __init do_copy(void)
45369 {
45370 if (count >= body_len) {
45371- sys_write(wfd, victim, body_len);
ae4e228f 45372+ sys_write(wfd, (__force char __user *)victim, body_len);
58c5fc13 45373 sys_close(wfd);
ae4e228f
MT
45374- do_utime(vcollected, mtime);
45375+ do_utime((__force char __user *)vcollected, mtime);
58c5fc13 45376 kfree(vcollected);
ae4e228f 45377 eat(body_len);
58c5fc13
MT
45378 state = SkipIt;
45379 return 0;
45380 } else {
45381- sys_write(wfd, victim, count);
ae4e228f 45382+ sys_write(wfd, (__force char __user *)victim, count);
58c5fc13
MT
45383 body_len -= count;
45384 eat(count);
45385 return 1;
ae4e228f 45386@@ -355,9 +355,9 @@ static int __init do_symlink(void)
58c5fc13
MT
45387 {
45388 collected[N_ALIGN(name_len) + body_len] = '\0';
45389 clean_path(collected, 0);
45390- sys_symlink(collected + N_ALIGN(name_len), collected);
45391- sys_lchown(collected, uid, gid);
ae4e228f
MT
45392- do_utime(collected, mtime);
45393+ sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
45394+ sys_lchown((__force char __user *)collected, uid, gid);
45395+ do_utime((__force char __user *)collected, mtime);
58c5fc13
MT
45396 state = SkipIt;
45397 next_state = Reset;
ae4e228f
MT
45398 return 0;
45399diff -urNp linux-2.6.33.1/init/Kconfig linux-2.6.33.1/init/Kconfig
45400--- linux-2.6.33.1/init/Kconfig 2010-03-15 12:09:39.000000000 -0400
45401+++ linux-2.6.33.1/init/Kconfig 2010-03-20 16:58:41.973158089 -0400
45402@@ -1046,7 +1046,7 @@ config SLUB_DEBUG
58c5fc13
MT
45403
45404 config COMPAT_BRK
45405 bool "Disable heap randomization"
45406- default y
45407+ default n
45408 help
45409 Randomizing heap placement makes heap exploits harder, but it
45410 also breaks ancient binaries (including anything libc5 based).
ae4e228f 45411@@ -1158,9 +1158,9 @@ config HAVE_GENERIC_DMA_COHERENT
58c5fc13
MT
45412
45413 config SLABINFO
45414 bool
45415- depends on PROC_FS
45416+ depends on PROC_FS && !GRKERNSEC_PROC_ADD
45417 depends on SLAB || SLUB_DEBUG
45418- default y
45419+ default n
45420
45421 config RT_MUTEXES
45422 boolean
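Review bot: `SLABINFO` has no prompt string, so with `default n` nothing visible here can turn it on, whatever `GRKERNSEC_PROC_ADD` is set to. Unless another symbol selects it (not visible in this hunk), /proc/slabinfo is removed for every configuration and the new `!GRKERNSEC_PROC_ADD` dependency is dead. If the intent is to hide slab statistics only when the extra /proc restrictions are enabled, keep `default y` and rely on the dependency line. If the unconditional removal is deliberate, say so above the symbol, e.g. `# intentionally off: slab statistics are not exposed through /proc`.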
ae4e228f
MT
45423diff -urNp linux-2.6.33.1/init/main.c linux-2.6.33.1/init/main.c
45424--- linux-2.6.33.1/init/main.c 2010-03-15 12:09:39.000000000 -0400
45425+++ linux-2.6.33.1/init/main.c 2010-03-20 16:58:41.976562026 -0400
45426@@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
58c5fc13
MT
45427 #ifdef CONFIG_TC
45428 extern void tc_init(void);
45429 #endif
45430+extern void grsecurity_init(void);
45431
45432 enum system_states system_state __read_mostly;
45433 EXPORT_SYMBOL(system_state);
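Review bot: `grsecurity_init()` is declared with a bare `extern` inside init/main.c instead of through a header shared with its definition, so the compiler cannot check that the two prototypes agree. The declaration and the call added in the `kernel_init()` hunk are both unconditional, while other additions in this patch are wrapped in `#ifdef CONFIG_GRKERNSEC`. Whether a stub exists for kernels built without it is not visible here. Move the prototype into a header included by the defining file, and add a one-line comment at the call site stating what must already be initialised when it runs.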
ae4e228f 45434@@ -183,6 +184,35 @@ static int __init set_reset_devices(char
58c5fc13
MT
45435
45436 __setup("reset_devices", set_reset_devices);
45437
45438+#if defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32)
45439+static int __init setup_pax_nouderef(char *str)
45440+{
45441+ unsigned int cpu;
45442+
45443+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
45444+ get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
45445+ get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
45446+ }
45447+ asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
45448+ asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
45449+ asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
45450+
45451+ return 0;
45452+}
45453+early_param("pax_nouderef", setup_pax_nouderef);
45454+#endif
45455+
45456+#ifdef CONFIG_PAX_SOFTMODE
45457+unsigned int pax_softmode;
45458+
45459+static int __init setup_pax_softmode(char *str)
45460+{
45461+ get_option(&str, &pax_softmode);
45462+ return 1;
45463+}
45464+__setup("pax_softmode=", setup_pax_softmode);
45465+#endif
45466+
45467 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
45468 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
45469 static const char *panic_later, *panic_param;
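Review bot: `setup_pax_nouderef()` turns a memory-protection feature off from the kernel command line without writing anything to the log, and the values it stores (`type = 3`, `limit = 0xf`) are unexplained magic numbers. Add a comment saying what the descriptor means after the change, and emit a message such as `printk(KERN_WARNING "PAX: UDEREF disabled by pax_nouderef\n");` so that the weakened state shows up when the boot log is audited. In `setup_pax_softmode()`, `get_option()` takes an `int *` but is handed `&pax_softmode`, an `unsigned int *`, and its return value is ignored, so `pax_softmode=` with no number is accepted silently. Parsing into a local `int` and checking the result would fix both.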
ae4e228f
MT
45470@@ -697,52 +727,53 @@ int initcall_debug;
45471 core_param(initcall_debug, initcall_debug, bool, 0644);
58c5fc13 45472
ae4e228f
MT
45473 static char msgbuf[64];
45474-static struct boot_trace_call call;
45475-static struct boot_trace_ret ret;
45476+static struct boot_trace_call trace_call;
45477+static struct boot_trace_ret trace_ret;
58c5fc13 45478
ae4e228f 45479 int do_one_initcall(initcall_t fn)
58c5fc13
MT
45480 {
45481 int count = preempt_count();
45482 ktime_t calltime, delta, rettime;
45483+ const char *msg1 = "", *msg2 = "";
45484
45485 if (initcall_debug) {
ae4e228f
MT
45486- call.caller = task_pid_nr(current);
45487- printk("calling %pF @ %i\n", fn, call.caller);
45488+ trace_call.caller = task_pid_nr(current);
45489+ printk("calling %pF @ %i\n", fn, trace_call.caller);
45490 calltime = ktime_get();
45491- trace_boot_call(&call, fn);
45492+ trace_boot_call(&trace_call, fn);
45493 enable_boot_trace();
45494 }
45495
45496- ret.result = fn();
45497+ trace_ret.result = fn();
45498
45499 if (initcall_debug) {
45500 disable_boot_trace();
45501 rettime = ktime_get();
45502 delta = ktime_sub(rettime, calltime);
45503- ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45504- trace_boot_ret(&ret, fn);
45505+ trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
45506+ trace_boot_ret(&trace_ret, fn);
45507 printk("initcall %pF returned %d after %Ld usecs\n", fn,
45508- ret.result, ret.duration);
45509+ trace_ret.result, trace_ret.duration);
45510 }
45511
45512 msgbuf[0] = 0;
45513
45514- if (ret.result && ret.result != -ENODEV && initcall_debug)
45515- sprintf(msgbuf, "error code %d ", ret.result);
45516+ if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
45517+ sprintf(msgbuf, "error code %d ", trace_ret.result);
58c5fc13
MT
45518
45519 if (preempt_count() != count) {
45520- strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
45521+ msg1 = " preemption imbalance";
45522 preempt_count() = count;
45523 }
45524 if (irqs_disabled()) {
45525- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
45526+ msg2 = " disabled interrupts";
45527 local_irq_enable();
45528 }
45529- if (msgbuf[0]) {
45530- printk("initcall %pF returned with %s\n", fn, msgbuf);
45531+ if (msgbuf[0] || *msg1 || *msg2) {
45532+ printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
45533 }
45534
ae4e228f
MT
45535- return ret.result;
45536+ return trace_ret.result;
45537 }
45538
45539
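Review bot: The changed line in `do_one_initcall()` still formats into `msgbuf` with unbounded `sprintf`; `snprintf(msgbuf, sizeof(msgbuf), "error code %d ", trace_ret.result);` keeps the write tied to the buffer size now that the line is being touched anyway. The new format also prints doubled spaces: `"error code %d "` ends in a space while `msg1` and `msg2` begin with one, and with an empty `msgbuf` the output is `returned with  preemption imbalance`. Dropping the trailing space from the error-code string and the space before `%s%s%s` would make the three fragments compose cleanly. The hunk gives no reason for replacing `strlcat` with the two string pointers, so a one-line comment would help.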
45540@@ -881,11 +912,13 @@ static int __init kernel_init(void * unu
45541 if (!ramdisk_execute_command)
45542 ramdisk_execute_command = "/init";
45543
45544- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
45545+ if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
45546 ramdisk_execute_command = NULL;
58c5fc13
MT
45547 prepare_namespace();
45548 }
45549
45550+ grsecurity_init();
45551+
45552 /*
45553 * Ok, we have completed the initial bootup, and
45554 * we're essentially up and running. Get rid of the
ae4e228f
MT
45555diff -urNp linux-2.6.33.1/init/noinitramfs.c linux-2.6.33.1/init/noinitramfs.c
45556--- linux-2.6.33.1/init/noinitramfs.c 2010-03-15 12:09:39.000000000 -0400
45557+++ linux-2.6.33.1/init/noinitramfs.c 2010-03-20 16:58:41.976562026 -0400
58c5fc13
MT
45558@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
45559 {
45560 int err;
45561
45562- err = sys_mkdir("/dev", 0755);
45563+ err = sys_mkdir((const char __user *)"/dev", 0755);
45564 if (err < 0)
45565 goto out;
45566
45567@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
45568 if (err < 0)
45569 goto out;
45570
45571- err = sys_mkdir("/root", 0700);
45572+ err = sys_mkdir((const char __user *)"/root", 0700);
45573 if (err < 0)
45574 goto out;
45575
ae4e228f
MT
45576diff -urNp linux-2.6.33.1/ipc/mqueue.c linux-2.6.33.1/ipc/mqueue.c
45577--- linux-2.6.33.1/ipc/mqueue.c 2010-03-15 12:09:39.000000000 -0400
45578+++ linux-2.6.33.1/ipc/mqueue.c 2010-03-20 16:58:41.976562026 -0400
45579@@ -149,6 +149,7 @@ static struct inode *mqueue_get_inode(st
58c5fc13
MT
45580 mq_bytes = (mq_msg_tblsz +
45581 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
45582
45583+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
45584 spin_lock(&mq_lock);
45585 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
45586 u->mq_bytes + mq_bytes >
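Review bot: `gr_learn_resource()` is called before `spin_lock(&mq_lock)`, so `u->mq_bytes` is read without the lock that the check on the following lines takes. The sum `u->mq_bytes + mq_bytes` is also passed on before the wrap-around test `u->mq_bytes + mq_bytes < u->mq_bytes` has run, so the value handed over can be stale or wrapped. If the call must stay outside the spinlock (its definition is not visible here), document that with `/* unlocked read of u->mq_bytes: value is advisory only */`; otherwise move it after the overflow check inside the locked region. `mqueue_get_inode()` starts and ends outside the hunk.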
ae4e228f
MT
45587diff -urNp linux-2.6.33.1/ipc/shm.c linux-2.6.33.1/ipc/shm.c
45588--- linux-2.6.33.1/ipc/shm.c 2010-03-15 12:09:39.000000000 -0400
45589+++ linux-2.6.33.1/ipc/shm.c 2010-03-20 16:58:41.997340945 -0400
45590@@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
58c5fc13
MT
45591 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
45592 #endif
45593
45594+#ifdef CONFIG_GRKERNSEC
45595+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45596+ const time_t shm_createtime, const uid_t cuid,
45597+ const int shmid);
45598+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
45599+ const time_t shm_createtime);
45600+#endif
45601+
45602 void shm_init_ns(struct ipc_namespace *ns)
45603 {
45604 ns->shm_ctlmax = SHMMAX;
ae4e228f 45605@@ -398,6 +406,14 @@ static int newseg(struct ipc_namespace *
58c5fc13
MT
45606 shp->shm_lprid = 0;
45607 shp->shm_atim = shp->shm_dtim = 0;
45608 shp->shm_ctim = get_seconds();
45609+#ifdef CONFIG_GRKERNSEC
45610+ {
45611+ struct timespec timeval;
45612+ do_posix_clock_monotonic_gettime(&timeval);
45613+
45614+ shp->shm_createtime = timeval.tv_sec;
45615+ }
45616+#endif
45617 shp->shm_segsz = size;
45618 shp->shm_nattch = 0;
45619 shp->shm_file = file;
ae4e228f 45620@@ -881,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
58c5fc13
MT
45621 if (err)
45622 goto out_unlock;
45623
45624+#ifdef CONFIG_GRKERNSEC
45625+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
45626+ shp->shm_perm.cuid, shmid) ||
45627+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
45628+ err = -EACCES;
45629+ goto out_unlock;
45630+ }
45631+#endif
45632+
ae4e228f
MT
45633 path = shp->shm_file->f_path;
45634 path_get(&path);
58c5fc13
MT
45635 shp->shm_nattch++;
45636+#ifdef CONFIG_GRKERNSEC
45637+ shp->shm_lapid = current->pid;
45638+#endif
45639 size = i_size_read(path.dentry->d_inode);
45640 shm_unlock(shp);
45641
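Review bot: `shp->shm_lapid = current->pid;` stores the calling thread's id, and that field is then passed to `gr_handle_shmat()` and `gr_chroot_shmat()` next to `shp->shm_cprid`, which is assigned outside this hunk. If `shm_cprid` holds a thread-group id, the two fields describe different kinds of id for a multithreaded process, and a check that relates them would behave differently depending on which thread attached last. Confirm which id the helpers expect and, if it is the thread-group id, use `shp->shm_lapid = task_tgid_vnr(current);`. The new `-EACCES` path also deserves a one-line comment naming the policy it enforces. `do_shmat()` starts and ends outside the hunk.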
ae4e228f
MT
45642diff -urNp linux-2.6.33.1/kernel/acct.c linux-2.6.33.1/kernel/acct.c
45643--- linux-2.6.33.1/kernel/acct.c 2010-03-15 12:09:39.000000000 -0400
45644+++ linux-2.6.33.1/kernel/acct.c 2010-03-20 16:58:42.008931878 -0400
45645@@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
58c5fc13
MT
45646 */
45647 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
45648 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
45649- file->f_op->write(file, (char *)&ac,
ae4e228f 45650+ file->f_op->write(file, (__force char __user *)&ac,
58c5fc13
MT
45651 sizeof(acct_t), &file->f_pos);
45652 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
45653 set_fs(fs);
ae4e228f
MT
45654diff -urNp linux-2.6.33.1/kernel/capability.c linux-2.6.33.1/kernel/capability.c
45655--- linux-2.6.33.1/kernel/capability.c 2010-03-15 12:09:39.000000000 -0400
45656+++ linux-2.6.33.1/kernel/capability.c 2010-03-20 16:58:42.008931878 -0400
45657@@ -206,6 +206,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
45658 * before modification is attempted and the application
45659 * fails.
45660 */
45661+ if (tocopy > ARRAY_SIZE(kdata))
45662+ return -EFAULT;
45663+
45664 if (copy_to_user(dataptr, kdata, tocopy
45665 * sizeof(struct __user_cap_data_struct))) {
45666 return -EFAULT;
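Review bot: The new bounds check is inserted between the existing block comment, which describes the `copy_to_user()` failure case, and the `copy_to_user()` call it belongs to, so the comment now reads as if it explained the `ARRAY_SIZE` test. Put the check above that comment and give it its own line, e.g. `/* defensive: never copy more elements than kdata[] holds */`. `-EFAULT` tells the caller that its pointer was bad, while this condition concerns the element count, so `-EINVAL` would describe it better, provided no caller depends on the code. The syscall body starts and ends outside the hunk.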
45667@@ -307,10 +310,21 @@ int capable(int cap)
58c5fc13
MT
45668 BUG();
45669 }
45670
45671- if (security_capable(cap) == 0) {
45672+ if (security_capable(cap) == 0 && gr_is_capable(cap)) {
58c5fc13
MT
45673+ current->flags |= PF_SUPERPRIV;
45674+ return 1;
45675+ }
45676+ return 0;
45677+}
ae4e228f
MT
45678+
45679+int capable_nolog(int cap)
45680+{
45681+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
45682 current->flags |= PF_SUPERPRIV;
45683 return 1;
45684 }
45685 return 0;
45686 }
58c5fc13
MT
45687+
45688 EXPORT_SYMBOL(capable);
45689+EXPORT_SYMBOL(capable_nolog);
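Review bot: `capable_nolog()` copies the body of `capable()` but not the validity check that ends in `BUG()` at the top of the hunk, so an out-of-range `cap` reaches `security_capable()` and `gr_is_capable_nolog()` unchecked. The start of `capable()` is outside the hunk, so the exact condition is not visible. The new function should repeat it, or both should call one static helper that takes the grsecurity predicate as a parameter. The new exported function also has no kernel-doc comment saying when the non-logging variant is the right one to call.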
ae4e228f
MT
45690diff -urNp linux-2.6.33.1/kernel/configs.c linux-2.6.33.1/kernel/configs.c
45691--- linux-2.6.33.1/kernel/configs.c 2010-03-15 12:09:39.000000000 -0400
45692+++ linux-2.6.33.1/kernel/configs.c 2010-03-20 16:58:42.020953047 -0400
58c5fc13
MT
45693@@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
45694 struct proc_dir_entry *entry;
45695
45696 /* create the current config file */
45697+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
45698+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
45699+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
45700+ &ikconfig_file_ops);
45701+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45702+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
45703+ &ikconfig_file_ops);
45704+#endif
45705+#else
45706 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
45707 &ikconfig_file_ops);
45708+#endif
45709+
45710 if (!entry)
45711 return -ENOMEM;
45712
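Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` and `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#if`/`#elif` chain compiles to nothing and `entry` is tested in `if (!entry)` without ever being assigned. Kconfig may make that combination impossible (not visible here), but the code should not depend on it. Add an inner `#else` that falls back to the most restrictive mode, `entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL, &ikconfig_file_ops);`, or an `#error` naming the unsupported combination. `ikconfig_init()` continues past the hunk.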
ae4e228f
MT
45713diff -urNp linux-2.6.33.1/kernel/cpu.c linux-2.6.33.1/kernel/cpu.c
45714--- linux-2.6.33.1/kernel/cpu.c 2010-03-15 12:09:39.000000000 -0400
45715+++ linux-2.6.33.1/kernel/cpu.c 2010-03-20 16:58:42.028929112 -0400
58c5fc13
MT
45716@@ -19,7 +19,7 @@
45717 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
45718 static DEFINE_MUTEX(cpu_add_remove_lock);
45719
45720-static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
45721+static RAW_NOTIFIER_HEAD(cpu_chain);
45722
45723 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
45724 * Should always be manipulated under cpu_add_remove_lock
ae4e228f
MT
45725diff -urNp linux-2.6.33.1/kernel/cred.c linux-2.6.33.1/kernel/cred.c
45726--- linux-2.6.33.1/kernel/cred.c 2010-03-15 12:09:39.000000000 -0400
45727+++ linux-2.6.33.1/kernel/cred.c 2010-03-20 16:58:42.028929112 -0400
45728@@ -520,6 +520,8 @@ int commit_creds(struct cred *new)
58c5fc13
MT
45729
45730 get_cred(new); /* we will require a ref for the subj creds too */
45731
45732+ gr_set_role_label(task, new->uid, new->gid);
45733+
45734 /* dumpability changes */
45735 if (old->euid != new->euid ||
45736 old->egid != new->egid ||
ae4e228f
MT
45737diff -urNp linux-2.6.33.1/kernel/exit.c linux-2.6.33.1/kernel/exit.c
45738--- linux-2.6.33.1/kernel/exit.c 2010-03-15 12:09:39.000000000 -0400
45739+++ linux-2.6.33.1/kernel/exit.c 2010-03-20 16:58:42.032663961 -0400
45740@@ -57,6 +57,10 @@
58c5fc13
MT
45741 #include <asm/mmu_context.h>
45742 #include "cred-internals.h"
45743
45744+#ifdef CONFIG_GRKERNSEC
45745+extern rwlock_t grsec_exec_file_lock;
45746+#endif
45747+
45748 static void exit_mm(struct task_struct * tsk);
45749
45750 static void __unhash_process(struct task_struct *p)
ae4e228f 45751@@ -168,6 +172,8 @@ void release_task(struct task_struct * p
58c5fc13
MT
45752 struct task_struct *leader;
45753 int zap_leader;
45754 repeat:
45755+ gr_del_task_from_ip_table(p);
45756+
45757 tracehook_prepare_release_task(p);
45758 /* don't need to get the RCU readlock here - the process is dead and
45759 * can't be modifying its own credentials */
ae4e228f 45760@@ -335,11 +341,22 @@ static void reparent_to_kthreadd(void)
58c5fc13
MT
45761 {
45762 write_lock_irq(&tasklist_lock);
45763
45764+#ifdef CONFIG_GRKERNSEC
45765+ write_lock(&grsec_exec_file_lock);
45766+ if (current->exec_file) {
45767+ fput(current->exec_file);
45768+ current->exec_file = NULL;
45769+ }
45770+ write_unlock(&grsec_exec_file_lock);
45771+#endif
45772+
45773 ptrace_unlink(current);
45774 /* Reparent to init */
45775 current->real_parent = current->parent = kthreadd_task;
45776 list_move_tail(&current->sibling, &current->real_parent->children);
45777
45778+ gr_set_kernel_label(current);
45779+
45780 /* Set the exit signal to SIGCHLD so we signal init on exit */
45781 current->exit_signal = SIGCHLD;
45782
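Review bot: In `reparent_to_kthreadd()` the added block calls `fput()` while `tasklist_lock` is write-held with interrupts off and `grsec_exec_file_lock` is write-held as well. If that call drops the last reference, the file release path runs in that atomic context. Detach the pointer under the lock and call `fput()` only after the locks are released, as sketched below. Whether `grsec_exec_file_lock` may be taken with interrupts enabled has to be checked against its other users, which are not visible here. The identical block is added to `daemonize()` in a later hunk of this file, still calling `fput()` under the rwlock, so one static helper would serve both; the function ends outside the hunk.

```c
static void reparent_to_kthreadd(void)
{
#ifdef CONFIG_GRKERNSEC
	struct file *exec_file;

	/* detach under the lock, drop the reference outside any spinlock */
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	if (exec_file)
		fput(exec_file);
#endif

	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink, reparenting, gr_set_kernel_label, exit signal … */
```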
ae4e228f
MT
45783@@ -391,7 +408,7 @@ int allow_signal(int sig)
45784 * know it'll be handled, so that they don't get converted to
45785 * SIGKILL or just silently dropped.
45786 */
45787- current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
45788+ current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
45789 recalc_sigpending();
45790 spin_unlock_irq(&current->sighand->siglock);
45791 return 0;
45792@@ -427,6 +444,17 @@ void daemonize(const char *name, ...)
58c5fc13
MT
45793 vsnprintf(current->comm, sizeof(current->comm), name, args);
45794 va_end(args);
45795
45796+#ifdef CONFIG_GRKERNSEC
45797+ write_lock(&grsec_exec_file_lock);
45798+ if (current->exec_file) {
45799+ fput(current->exec_file);
45800+ current->exec_file = NULL;
45801+ }
45802+ write_unlock(&grsec_exec_file_lock);
45803+#endif
45804+
45805+ gr_set_kernel_label(current);
45806+
45807 /*
45808 * If we were started as result of loading a module, close all of the
45809 * user space pages. We don't need them, and if we didn't close them
ae4e228f 45810@@ -961,6 +989,9 @@ NORET_TYPE void do_exit(long code)
58c5fc13
MT
45811 tsk->exit_code = code;
45812 taskstats_exit(tsk, group_dead);
45813
45814+ gr_acl_handle_psacct(tsk, code);
45815+ gr_acl_handle_exit();
45816+
45817 exit_mm(tsk);
45818
45819 if (group_dead)
ae4e228f 45820@@ -1180,7 +1211,7 @@ static int wait_task_zombie(struct wait_
58c5fc13
MT
45821
45822 if (unlikely(wo->wo_flags & WNOWAIT)) {
45823 int exit_code = p->exit_code;
45824- int why, status;
45825+ int why;
45826
45827 get_task_struct(p);
45828 read_unlock(&tasklist_lock);
ae4e228f
MT
45829diff -urNp linux-2.6.33.1/kernel/fork.c linux-2.6.33.1/kernel/fork.c
45830--- linux-2.6.33.1/kernel/fork.c 2010-03-15 12:09:39.000000000 -0400
45831+++ linux-2.6.33.1/kernel/fork.c 2010-03-20 16:58:42.032663961 -0400
45832@@ -255,7 +255,7 @@ static struct task_struct *dup_task_stru
58c5fc13
MT
45833 *stackend = STACK_END_MAGIC; /* for overflow detection */
45834
45835 #ifdef CONFIG_CC_STACKPROTECTOR
45836- tsk->stack_canary = get_random_int();
45837+ tsk->stack_canary = pax_get_random_long();
45838 #endif
45839
45840 /* One for us, one for whoever does the "release_task()" (usually parent) */
ae4e228f 45841@@ -295,8 +295,8 @@ static int dup_mmap(struct mm_struct *mm
58c5fc13
MT
45842 mm->locked_vm = 0;
45843 mm->mmap = NULL;
45844 mm->mmap_cache = NULL;
45845- mm->free_area_cache = oldmm->mmap_base;
45846- mm->cached_hole_size = ~0UL;
45847+ mm->free_area_cache = oldmm->free_area_cache;
45848+ mm->cached_hole_size = oldmm->cached_hole_size;
45849 mm->map_count = 0;
45850 cpumask_clear(mm_cpumask(mm));
45851 mm->mm_rb = RB_ROOT;
ae4e228f 45852@@ -336,6 +336,7 @@ static int dup_mmap(struct mm_struct *mm
58c5fc13
MT
45853 tmp->vm_flags &= ~VM_LOCKED;
45854 tmp->vm_mm = mm;
45855 tmp->vm_next = NULL;
45856+ tmp->vm_mirror = NULL;
45857 anon_vma_link(tmp);
45858 file = tmp->vm_file;
45859 if (file) {
ae4e228f 45860@@ -383,6 +384,31 @@ static int dup_mmap(struct mm_struct *mm
58c5fc13
MT
45861 if (retval)
45862 goto out;
45863 }
45864+
45865+#ifdef CONFIG_PAX_SEGMEXEC
45866+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
45867+ struct vm_area_struct *mpnt_m;
45868+
45869+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
45870+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
45871+
45872+ if (!mpnt->vm_mirror)
45873+ continue;
45874+
45875+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
45876+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
45877+ mpnt->vm_mirror = mpnt_m;
45878+ } else {
45879+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
45880+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
45881+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
45882+ mpnt->vm_mirror->vm_mirror = mpnt;
45883+ }
45884+ }
45885+ BUG_ON(mpnt_m);
45886+ }
45887+#endif
45888+
45889 /* a new mm has just been created */
45890 arch_dup_mmap(oldmm, mm);
45891 retval = 0;
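Review bot: The lockstep walk over `oldmm->mmap` and `mm->mmap` in the CONFIG_PAX_SEGMEXEC block assumes the child list holds exactly one vma per parent vma, in the same order, and enforces that only with BUG_ON. If the copy loop earlier in dup_mmap() (outside this hunk) can skip a parent vma, the lists fall out of step and fork panics instead of failing cleanly. The block also repoints the parent's `vm_mirror` at the child copy for lower-half vmas and restores it when the matching upper-half vma is reached, which is not obvious from the code. I would add a comment stating both, for example `/* mm->mmap mirrors oldmm->mmap 1:1 here; the parent's vm_mirror is borrowed to find the child's copy and restored below */`, and confirm the 1:1 assumption against the copy loop.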
ae4e228f 45892@@ -733,7 +759,7 @@ static int copy_fs(unsigned long clone_f
58c5fc13
MT
45893 write_unlock(&fs->lock);
45894 return -EAGAIN;
45895 }
45896- fs->users++;
45897+ atomic_inc(&fs->users);
45898 write_unlock(&fs->lock);
45899 return 0;
45900 }
ae4e228f 45901@@ -1032,10 +1058,13 @@ static struct task_struct *copy_process(
58c5fc13
MT
45902 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
45903 #endif
45904 retval = -EAGAIN;
45905+
45906+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
45907+
45908 if (atomic_read(&p->real_cred->user->processes) >=
45909 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
ae4e228f
MT
45910- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
45911- p->real_cred->user != INIT_USER)
45912+ if (p->real_cred->user != INIT_USER &&
45913+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
45914 goto bad_fork_free;
45915 }
45916
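Review bot: The reordered RLIMIT_NPROC condition has no comment saying why `p->real_cred->user != INIT_USER` now comes before the two `capable()` calls. Presumably the point is that `capable()` has side effects (it sets PF_SUPERPRIV and may be audited or logged), so it should only run when its result matters. A one-line comment would keep a later cleanup from swapping it back, for example `/* test INIT_USER first: capable() has side effects and should run only when needed */`. Note also that `gr_learn_resource()` reads the process count separately from the comparison below it, so the learned value and the enforced value can differ under concurrent forks.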
45917@@ -1064,6 +1093,10 @@ static struct task_struct *copy_process(
45918 p->vfork_done = NULL;
45919 spin_lock_init(&p->alloc_lock);
45920
45921+#ifdef CONFIG_GRKERNSEC
45922+ rwlock_init(&p->gr_fs_lock);
45923+#endif
45924+
45925 init_sigpending(&p->pending);
45926
45927 p->utime = cputime_zero;
45928@@ -1190,6 +1223,8 @@ static struct task_struct *copy_process(
58c5fc13
MT
45929 goto bad_fork_free_pid;
45930 }
45931
45932+ gr_copy_label(p);
45933+
45934 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
45935 /*
45936 * Clear TID on mm_release()?
ae4e228f 45937@@ -1342,6 +1377,8 @@ bad_fork_cleanup_count:
58c5fc13
MT
45938 bad_fork_free:
45939 free_task(p);
45940 fork_out:
45941+ gr_log_forkfail(retval);
45942+
45943 return ERR_PTR(retval);
45944 }
45945
ae4e228f 45946@@ -1435,6 +1472,8 @@ long do_fork(unsigned long clone_flags,
58c5fc13
MT
45947 if (clone_flags & CLONE_PARENT_SETTID)
45948 put_user(nr, parent_tidptr);
45949
45950+ gr_handle_brute_check();
45951+
45952 if (clone_flags & CLONE_VFORK) {
45953 p->vfork_done = &vfork;
45954 init_completion(&vfork);
ae4e228f 45955@@ -1567,7 +1606,7 @@ static int unshare_fs(unsigned long unsh
58c5fc13
MT
45956 return 0;
45957
45958 /* don't need lock here; in the worst case we'll do useless copy */
45959- if (fs->users == 1)
45960+ if (atomic_read(&fs->users) == 1)
45961 return 0;
45962
45963 *new_fsp = copy_fs_struct(fs);
ae4e228f
MT
45964@@ -1687,14 +1726,18 @@ SYSCALL_DEFINE1(unshare, unsigned long,
45965 task_lock(current);
45966
45967 if (new_fs) {
45968+ unsigned long flags;
45969+
45970+ gr_fs_write_lock_irqsave(current, flags);
58c5fc13
MT
45971 fs = current->fs;
45972 write_lock(&fs->lock);
45973 current->fs = new_fs;
45974- if (--fs->users)
45975+ if (atomic_dec_return(&fs->users))
45976 new_fs = NULL;
45977 else
45978 new_fs = fs;
ae4e228f
MT
45979 write_unlock(&fs->lock);
45980+ gr_fs_write_unlock_irqrestore(current, flags);
45981 }
45982
45983 if (new_mm) {
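Review bot: The new `gr_fs_write_lock_irqsave(current, flags)` is taken inside `task_lock(current)` and outside `write_lock(&fs->lock)`, which fixes a three-level lock order that is not written down anywhere in the hunk. Add a comment at the acquisition, e.g. `/* lock order: task_lock -> gr_fs_lock -> fs->lock */`, so other users of `gr_fs_lock` can be checked against it. `unsigned long flags` is declared unconditionally; if the gr_fs_* macros compile away without CONFIG_GRKERNSEC (their definition is not visible here), that leaves an unused variable.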
45984diff -urNp linux-2.6.33.1/kernel/futex.c linux-2.6.33.1/kernel/futex.c
45985--- linux-2.6.33.1/kernel/futex.c 2010-03-15 12:09:39.000000000 -0400
45986+++ linux-2.6.33.1/kernel/futex.c 2010-03-20 16:58:42.048537218 -0400
45987@@ -54,6 +54,7 @@
45988 #include <linux/mount.h>
45989 #include <linux/pagemap.h>
45990 #include <linux/syscalls.h>
45991+#include <linux/ptrace.h>
45992 #include <linux/signal.h>
45993 #include <linux/module.h>
45994 #include <linux/magic.h>
45995@@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
58c5fc13
MT
45996 struct page *page;
45997 int err;
45998
45999+#ifdef CONFIG_PAX_SEGMEXEC
46000+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
46001+ return -EFAULT;
46002+#endif
46003+
46004 /*
46005 * The futex address must be "naturally" aligned.
46006 */
ae4e228f 46007@@ -1852,7 +1858,7 @@ retry:
58c5fc13
MT
46008
46009 restart = &current_thread_info()->restart_block;
46010 restart->fn = futex_wait_restart;
46011- restart->futex.uaddr = (u32 *)uaddr;
46012+ restart->futex.uaddr = uaddr;
46013 restart->futex.val = val;
46014 restart->futex.time = abs_time->tv64;
46015 restart->futex.bitset = bitset;
ae4e228f
MT
46016@@ -2385,7 +2391,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
46017 {
46018 struct robust_list_head __user *head;
46019 unsigned long ret;
46020- const struct cred *cred = current_cred(), *pcred;
46021+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
46022+ const struct cred *cred = current_cred();
46023+ const struct cred *pcred;
46024+#endif
46025
46026 if (!futex_cmpxchg_enabled)
46027 return -ENOSYS;
46028@@ -2401,11 +2410,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
46029 if (!p)
46030 goto err_unlock;
46031 ret = -EPERM;
46032+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46033+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
46034+ goto err_unlock;
46035+#else
46036 pcred = __task_cred(p);
46037 if (cred->euid != pcred->euid &&
46038 cred->euid != pcred->uid &&
46039 !capable(CAP_SYS_PTRACE))
46040 goto err_unlock;
46041+#endif
46042 head = p->robust_list;
46043 rcu_read_unlock();
46044 }
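Review bot: The permission test for reading another task's robust-list head now exists in two forms selected by CONFIG_GRKERNSEC_PROC_MEMMAP, and the same split is copied into compat_sys_get_robust_list() in kernel/futex_compat.c. The value returned is a user-space address inside the target process, so every build without that option keeps the weaker euid/uid comparison. Unless the old check is needed for compatibility, consider dropping the `#else` branch and using `if (!ptrace_may_access(p, PTRACE_MODE_READ)) goto err_unlock;` unconditionally in both files. The function body continues outside the hunk.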
46045@@ -2467,7 +2481,7 @@ retry:
58c5fc13
MT
46046 */
46047 static inline int fetch_robust_entry(struct robust_list __user **entry,
46048 struct robust_list __user * __user *head,
46049- int *pi)
46050+ unsigned int *pi)
46051 {
46052 unsigned long uentry;
46053
ae4e228f
MT
46054diff -urNp linux-2.6.33.1/kernel/futex_compat.c linux-2.6.33.1/kernel/futex_compat.c
46055--- linux-2.6.33.1/kernel/futex_compat.c 2010-03-15 12:09:39.000000000 -0400
46056+++ linux-2.6.33.1/kernel/futex_compat.c 2010-03-20 16:58:42.048537218 -0400
46057@@ -10,6 +10,7 @@
46058 #include <linux/compat.h>
46059 #include <linux/nsproxy.h>
46060 #include <linux/futex.h>
46061+#include <linux/ptrace.h>
46062
46063 #include <asm/uaccess.h>
46064
46065@@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
46066 {
46067 struct compat_robust_list_head __user *head;
46068 unsigned long ret;
46069- const struct cred *cred = current_cred(), *pcred;
46070+ const struct cred *cred = current_cred();
46071+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
46072+ const struct cred *pcred;
46073+#endif
46074
46075 if (!futex_cmpxchg_enabled)
46076 return -ENOSYS;
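Review bot: `cred` is still declared unconditionally in this hunk (`const struct cred *cred = current_cred();`), although its only visible use is in the `#else` branch of the permission check in the next hunk. A CONFIG_GRKERNSEC_PROC_MEMMAP build therefore gets an unused variable. kernel/futex.c puts both declarations inside the `#ifndef`; do the same here by moving the `#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP` line above the `cred` declaration. Any use of `cred` outside the two hunks is not visible from here.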
46077@@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
46078 if (!p)
46079 goto err_unlock;
46080 ret = -EPERM;
46081+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46082+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
46083+ goto err_unlock;
46084+#else
46085 pcred = __task_cred(p);
46086 if (cred->euid != pcred->euid &&
46087 cred->euid != pcred->uid &&
46088 !capable(CAP_SYS_PTRACE))
46089 goto err_unlock;
46090+#endif
46091 head = p->compat_robust_list;
46092 read_unlock(&tasklist_lock);
46093 }
46094diff -urNp linux-2.6.33.1/kernel/gcov/base.c linux-2.6.33.1/kernel/gcov/base.c
46095--- linux-2.6.33.1/kernel/gcov/base.c 2010-03-15 12:09:39.000000000 -0400
46096+++ linux-2.6.33.1/kernel/gcov/base.c 2010-03-20 16:58:42.048537218 -0400
58c5fc13
MT
46097@@ -102,11 +102,6 @@ void gcov_enable_events(void)
46098 }
46099
46100 #ifdef CONFIG_MODULES
46101-static inline int within(void *addr, void *start, unsigned long size)
46102-{
46103- return ((addr >= start) && (addr < start + size));
46104-}
46105-
46106 /* Update list and generate events when modules are unloaded. */
46107 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
46108 void *data)
46109@@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
46110 prev = NULL;
46111 /* Remove entries located in module from linked list. */
46112 for (info = gcov_info_head; info; info = info->next) {
46113- if (within(info, mod->module_core, mod->core_size)) {
46114+ if (within_module_core_rw((unsigned long)info, mod)) {
46115 if (prev)
46116 prev->next = info->next;
46117 else
ae4e228f
MT
46118diff -urNp linux-2.6.33.1/kernel/hrtimer.c linux-2.6.33.1/kernel/hrtimer.c
46119--- linux-2.6.33.1/kernel/hrtimer.c 2010-03-15 12:09:39.000000000 -0400
46120+++ linux-2.6.33.1/kernel/hrtimer.c 2010-03-20 16:58:42.048537218 -0400
46121@@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
46122 local_irq_restore(flags);
46123 }
46124
46125-static void run_hrtimer_softirq(struct softirq_action *h)
46126+static void run_hrtimer_softirq(void)
46127 {
46128 hrtimer_peek_ahead_timers();
46129 }
46130diff -urNp linux-2.6.33.1/kernel/kallsyms.c linux-2.6.33.1/kernel/kallsyms.c
46131--- linux-2.6.33.1/kernel/kallsyms.c 2010-03-15 12:09:39.000000000 -0400
46132+++ linux-2.6.33.1/kernel/kallsyms.c 2010-03-20 16:58:42.064920323 -0400
58c5fc13
MT
46133@@ -11,6 +11,9 @@
46134 * Changed the compression method from stem compression to "table lookup"
46135 * compression (see scripts/kallsyms.c for a more complete description)
46136 */
46137+#ifdef CONFIG_GRKERNSEC_HIDESYM
46138+#define __INCLUDED_BY_HIDESYM 1
46139+#endif
46140 #include <linux/kallsyms.h>
46141 #include <linux/module.h>
46142 #include <linux/init.h>
46143@@ -51,6 +54,9 @@ extern const unsigned long kallsyms_mark
46144
46145 static inline int is_kernel_inittext(unsigned long addr)
46146 {
46147+ if (system_state != SYSTEM_BOOTING)
46148+ return 0;
46149+
46150 if (addr >= (unsigned long)_sinittext
46151 && addr <= (unsigned long)_einittext)
46152 return 1;
ae4e228f 46153@@ -67,6 +73,24 @@ static inline int is_kernel_text(unsigne
58c5fc13
MT
46154
46155 static inline int is_kernel(unsigned long addr)
46156 {
ae4e228f
MT
46157+ if (is_kernel_inittext(addr))
46158+ return 1;
58c5fc13 46159+
ae4e228f
MT
46160+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
46161+ if ((unsigned long)MODULES_EXEC_VADDR <= ktla_ktva(addr) && ktla_ktva(addr) <= (unsigned long)MODULES_EXEC_END)
58c5fc13 46162+ return 0;
58c5fc13 46163+
ae4e228f
MT
46164+ if (is_kernel_text(addr))
46165+ return 1;
46166+
46167+ if (ktla_ktva((unsigned long)_stext) <= addr && addr < ktla_ktva((unsigned long)_etext))
58c5fc13 46168+ return 1;
ae4e228f
MT
46169+
46170+ if ((addr >= (unsigned long)_sdata && addr <= (unsigned long)_end))
46171+ return 1;
46172+ return in_gate_area_no_task(addr);
46173+#endif
58c5fc13
MT
46174+
46175 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
46176 return 1;
46177 return in_gate_area_no_task(addr);
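Review bot: In the `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC` block the final `return in_gate_area_no_task(addr);` is unconditional, so the generic `_stext`..`_end` test after `#endif` becomes unreachable code in that configuration. Put `#else` before the generic test and move `#endif` after its closing `return`, so each configuration compiles exactly one tail. The early `return 0` for the MODULES_EXEC_VADDR..MODULES_EXEC_END range also deserves a one-line comment saying why those addresses must not be reported as core kernel addresses.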
ae4e228f 46178@@ -414,7 +438,6 @@ static unsigned long get_ksymbol_core(st
58c5fc13
MT
46179
46180 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
46181 {
46182- iter->name[0] = '\0';
46183 iter->nameoff = get_symbol_offset(new_pos);
46184 iter->pos = new_pos;
46185 }
ae4e228f
MT
46186@@ -462,6 +485,11 @@ static int s_show(struct seq_file *m, vo
46187 {
46188 struct kallsym_iter *iter = m->private;
46189
46190+#ifdef CONFIG_GRKERNSEC_HIDESYM
46191+ if (current_uid())
46192+ return 0;
46193+#endif
46194+
46195 /* Some debugging symbols have no name. Ignore them. */
46196 if (!iter->name[0])
46197 return 0;
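Review bot: The HIDESYM check in s_show() tests `current_uid()` on every record at read time, so the result depends on who calls read() rather than on who opened the file, and it tests the real uid rather than a capability. Returning 0 also makes the file look empty instead of refusing access, which is easy to misread as "no symbols". Consider checking once in kallsyms_open() under the same `#ifdef`, for example `if (current_uid()) return -EPERM;`. Whether userspace relies on being able to open the file is not visible here. At minimum, add a comment stating that the check is deliberately per-read and uid-based.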
46198@@ -502,7 +530,7 @@ static int kallsyms_open(struct inode *i
58c5fc13
MT
46199 struct kallsym_iter *iter;
46200 int ret;
46201
46202- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
46203+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
46204 if (!iter)
46205 return -ENOMEM;
46206 reset_iter(iter, 0);
ae4e228f
MT
46207diff -urNp linux-2.6.33.1/kernel/kgdb.c linux-2.6.33.1/kernel/kgdb.c
46208--- linux-2.6.33.1/kernel/kgdb.c 2010-03-15 12:09:39.000000000 -0400
46209+++ linux-2.6.33.1/kernel/kgdb.c 2010-03-20 16:58:42.068659558 -0400
46210@@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
46211 /* Guard for recursive entry */
46212 static int exception_level;
46213
46214-static struct kgdb_io *kgdb_io_ops;
46215+static const struct kgdb_io *kgdb_io_ops;
46216 static DEFINE_SPINLOCK(kgdb_registration_lock);
46217
46218 /* kgdb console driver is loaded */
46219@@ -1664,7 +1664,7 @@ static void kgdb_initial_breakpoint(void
46220 *
46221 * Register it with the KGDB core.
46222 */
46223-int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
46224+int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
46225 {
46226 int err;
58c5fc13 46227
ae4e228f
MT
46228@@ -1709,7 +1709,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
46229 *
46230 * Unregister it with the KGDB core.
46231 */
46232-void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
46233+void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
58c5fc13 46234 {
ae4e228f
MT
46235 BUG_ON(kgdb_connected);
46236
46237diff -urNp linux-2.6.33.1/kernel/kmod.c linux-2.6.33.1/kernel/kmod.c
46238--- linux-2.6.33.1/kernel/kmod.c 2010-03-15 12:09:39.000000000 -0400
46239+++ linux-2.6.33.1/kernel/kmod.c 2010-03-20 16:58:42.068659558 -0400
46240@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
46241 if (ret)
46242 return ret;
58c5fc13
MT
46243
46244+#ifdef CONFIG_GRKERNSEC_MODHARDEN
46245+ /* we could do a tighter check here, but some distros
46246+ are taking it upon themselves to remove CAP_SYS_MODULE
ae4e228f 46247+ from even root-running apps which cause modules to be
58c5fc13
MT
46248+ auto-loaded
46249+ */
46250+ if (current_uid()) {
46251+ gr_log_nonroot_mod_load(module_name);
46252+ return -EPERM;
46253+ }
46254+#endif
46255+
46256 /* If modprobe needs a service that is in a module, we get a recursive
46257 * loop. Limit the number of running kmod threads to max_threads/2 or
46258 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
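Review bot: The MODHARDEN check keys on `current_uid()` rather than on CAP_SYS_MODULE, so a uid-0 task that has dropped its capabilities can still trigger autoloading; the comment concedes this but does not say what the intended boundary is. I would extend the comment to state it, e.g. `/* policy: only uid 0 may trigger autoload; capabilities are intentionally not consulted */`. `module_name` is formatted from the caller's arguments earlier in __request_module() (outside the hunk), so confirm that gr_log_nonroot_mod_load() bounds and escapes it before it reaches the log. The `-EPERM` return is also a new failure mode for callers; whether they all handle it is not visible from this hunk.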
ae4e228f
MT
46259diff -urNp linux-2.6.33.1/kernel/kprobes.c linux-2.6.33.1/kernel/kprobes.c
46260--- linux-2.6.33.1/kernel/kprobes.c 2010-03-15 12:09:39.000000000 -0400
46261+++ linux-2.6.33.1/kernel/kprobes.c 2010-03-20 16:58:42.068659558 -0400
46262@@ -186,7 +186,7 @@ static kprobe_opcode_t __kprobes *__get_
58c5fc13
MT
46263 * kernel image and loaded module images reside. This is required
46264 * so x86_64 can correctly handle the %rip-relative fixups.
46265 */
46266- kip->insns = module_alloc(PAGE_SIZE);
46267+ kip->insns = module_alloc_exec(PAGE_SIZE);
46268 if (!kip->insns) {
46269 kfree(kip);
46270 return NULL;
ae4e228f
MT
46271@@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
46272 */
46273 if (!list_is_singular(&kprobe_insn_pages)) {
46274 list_del(&kip->list);
58c5fc13
MT
46275- module_free(NULL, kip->insns);
46276+ module_free_exec(NULL, kip->insns);
46277 kfree(kip);
46278 }
46279 return 1;
ae4e228f
MT
46280diff -urNp linux-2.6.33.1/kernel/lockdep.c linux-2.6.33.1/kernel/lockdep.c
46281--- linux-2.6.33.1/kernel/lockdep.c 2010-03-15 12:09:39.000000000 -0400
46282+++ linux-2.6.33.1/kernel/lockdep.c 2010-03-20 16:58:42.072946288 -0400
46283@@ -586,6 +586,10 @@ static int static_obj(void *obj)
58c5fc13
MT
46284 int i;
46285 #endif
46286
46287+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f 46288+ start = ktla_ktva(start);
58c5fc13
MT
46289+#endif
46290+
46291 /*
46292 * static variable?
46293 */
ae4e228f 46294@@ -601,8 +605,7 @@ static int static_obj(void *obj)
58c5fc13
MT
46295 */
46296 for_each_possible_cpu(i) {
58c5fc13
MT
46297 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
46298- end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
46299- + per_cpu_offset(i);
58c5fc13
MT
46300+ end = start + PERCPU_ENOUGH_ROOM;
46301
46302 if ((addr >= start) && (addr < end))
46303 return 1;
ae4e228f
MT
46304@@ -719,6 +722,7 @@ register_lock_class(struct lockdep_map *
46305 if (!static_obj(lock->key)) {
46306 debug_locks_off();
46307 printk("INFO: trying to register non-static key.\n");
46308+ printk("lock:%pS key:%pS.\n", lock, lock->key);
46309 printk("the code is fine but needs lockdep annotation.\n");
46310 printk("turning off the locking correctness validator.\n");
46311 dump_stack();
46312diff -urNp linux-2.6.33.1/kernel/module.c linux-2.6.33.1/kernel/module.c
46313--- linux-2.6.33.1/kernel/module.c 2010-03-15 12:09:39.000000000 -0400
46314+++ linux-2.6.33.1/kernel/module.c 2010-03-20 16:58:42.072946288 -0400
46315@@ -89,7 +89,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
58c5fc13
MT
46316 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
46317
46318 /* Bounds of module allocation, for speeding __module_address */
46319-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
46320+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
46321+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
46322
46323 int register_module_notifier(struct notifier_block * nb)
46324 {
ae4e228f 46325@@ -245,7 +246,7 @@ bool each_symbol(bool (*fn)(const struct
58c5fc13
MT
46326 return true;
46327
46328 list_for_each_entry_rcu(mod, &modules, list) {
46329- struct symsearch arr[] = {
46330+ struct symsearch modarr[] = {
46331 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
46332 NOT_GPL_ONLY, false },
46333 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
ae4e228f 46334@@ -267,7 +268,7 @@ bool each_symbol(bool (*fn)(const struct
58c5fc13
MT
46335 #endif
46336 };
46337
46338- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
46339+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
46340 return true;
46341 }
46342 return false;
ae4e228f
MT
46343@@ -375,7 +376,7 @@ static void *percpu_modalloc(unsigned lo
46344 {
58c5fc13 46345 void *ptr;
58c5fc13
MT
46346
46347- if (align > PAGE_SIZE) {
46348+ if (align-1 >= PAGE_SIZE) {
46349 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
46350 name, align, PAGE_SIZE);
46351 align = PAGE_SIZE;
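Review bot: `if (align-1 >= PAGE_SIZE)` relies on unsigned wrap-around to also catch `align == 0` (assuming `align` is `unsigned long`, as the truncated hunk header suggests), and that intent is invisible to the next reader. The warning below it would then print "alignment 0 > PAGE_SIZE", which is misleading. Spell the condition out as `if (align == 0 || align > PAGE_SIZE) {` or keep the compact form with a comment such as `/* align-1 wraps for align == 0, so zero is rejected too */`.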
ae4e228f 46352@@ -1393,7 +1394,8 @@ static void free_module(struct module *m
58c5fc13
MT
46353 destroy_params(mod->kp, mod->num_kp);
46354
46355 /* This may be NULL, but that's OK */
46356- module_free(mod, mod->module_init);
46357+ module_free(mod, mod->module_init_rw);
46358+ module_free_exec(mod, mod->module_init_rx);
46359 kfree(mod->args);
46360 if (mod->percpu)
46361 percpu_modfree(mod->percpu);
ae4e228f 46362@@ -1402,10 +1404,12 @@ static void free_module(struct module *m
58c5fc13
MT
46363 percpu_modfree(mod->refptr);
46364 #endif
46365 /* Free lock-classes: */
46366- lockdep_free_key_range(mod->module_core, mod->core_size);
46367+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
46368+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
46369
46370 /* Finally, free the core (containing the module structure) */
46371- module_free(mod, mod->module_core);
46372+ module_free_exec(mod, mod->module_core_rx);
46373+ module_free(mod, mod->module_core_rw);
58c5fc13 46374
ae4e228f
MT
46375 #ifdef CONFIG_MPU
46376 update_protections(current->mm);
46377@@ -1499,7 +1503,9 @@ static int simplify_symbols(Elf_Shdr *se
58c5fc13
MT
46378 strtab + sym[i].st_name, mod);
46379 /* Ok if resolved. */
46380 if (ksym) {
ae4e228f 46381+ pax_open_kernel();
58c5fc13 46382 sym[i].st_value = ksym->value;
ae4e228f 46383+ pax_close_kernel();
58c5fc13
MT
46384 break;
46385 }
46386
ae4e228f 46387@@ -1518,7 +1524,9 @@ static int simplify_symbols(Elf_Shdr *se
58c5fc13
MT
46388 secbase = (unsigned long)mod->percpu;
46389 else
46390 secbase = sechdrs[sym[i].st_shndx].sh_addr;
ae4e228f 46391+ pax_open_kernel();
58c5fc13 46392 sym[i].st_value += secbase;
ae4e228f 46393+ pax_close_kernel();
58c5fc13
MT
46394 break;
46395 }
46396 }
ae4e228f 46397@@ -1579,11 +1587,12 @@ static void layout_sections(struct modul
58c5fc13
MT
46398 || s->sh_entsize != ~0UL
46399 || strstarts(secstrings + s->sh_name, ".init"))
46400 continue;
46401- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
46402+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46403+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
46404+ else
46405+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
46406 DEBUGP("\t%s\n", secstrings + s->sh_name);
46407 }
46408- if (m == 0)
46409- mod->core_text_size = mod->core_size;
46410 }
46411
46412 DEBUGP("Init section allocation order:\n");
ae4e228f 46413@@ -1596,12 +1605,13 @@ static void layout_sections(struct modul
58c5fc13
MT
46414 || s->sh_entsize != ~0UL
46415 || !strstarts(secstrings + s->sh_name, ".init"))
46416 continue;
46417- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
46418- | INIT_OFFSET_MASK);
46419+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
46420+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
46421+ else
46422+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
46423+ s->sh_entsize |= INIT_OFFSET_MASK;
46424 DEBUGP("\t%s\n", secstrings + s->sh_name);
46425 }
46426- if (m == 0)
46427- mod->init_text_size = mod->init_size;
46428 }
46429 }
46430
ae4e228f
MT
46431@@ -1705,9 +1715,8 @@ static int is_exported(const char *name,
46432
46433 /* As per nm */
46434 static char elf_type(const Elf_Sym *sym,
46435- Elf_Shdr *sechdrs,
46436- const char *secstrings,
46437- struct module *mod)
46438+ const Elf_Shdr *sechdrs,
46439+ const char *secstrings)
58c5fc13 46440 {
ae4e228f
MT
46441 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
46442 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
46443@@ -1782,7 +1791,7 @@ static unsigned long layout_symtab(struc
58c5fc13 46444
ae4e228f
MT
46445 /* Put symbol section at end of init part of module. */
46446 symsect->sh_flags |= SHF_ALLOC;
46447- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
46448+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
46449 symindex) | INIT_OFFSET_MASK;
46450 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
46451
46452@@ -1799,19 +1808,19 @@ static unsigned long layout_symtab(struc
46453 }
46454
46455 /* Append room for core symbols at end of core part. */
46456- symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
46457- mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
46458+ symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
46459+ mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
46460
46461 /* Put string table section at end of init part of module. */
46462 strsect->sh_flags |= SHF_ALLOC;
46463- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
46464+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
46465 strindex) | INIT_OFFSET_MASK;
46466 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
46467
46468 /* Append room for core symbols' strings at end of core part. */
46469- *pstroffs = mod->core_size;
46470+ *pstroffs = mod->core_size_rx;
46471 __set_bit(0, strmap);
46472- mod->core_size += bitmap_weight(strmap, strsect->sh_size);
46473+ mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
46474
46475 return symoffs;
46476 }
46477@@ -1835,12 +1844,14 @@ static void add_kallsyms(struct module *
58c5fc13
MT
46478 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
46479 mod->strtab = (void *)sechdrs[strindex].sh_addr;
46480
ae4e228f
MT
46481+ pax_open_kernel();
46482+
58c5fc13 46483 /* Set types up while we still have access to sections. */
ae4e228f
MT
46484 for (i = 0; i < mod->num_symtab; i++)
46485 mod->symtab[i].st_info
58c5fc13 46486- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
ae4e228f
MT
46487+ = elf_type(&mod->symtab[i], sechdrs, secstrings);
46488
46489- mod->core_symtab = dst = mod->module_core + symoffs;
46490+ mod->core_symtab = dst = mod->module_core_rx + symoffs;
46491 src = mod->symtab;
46492 *dst = *src;
46493 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
46494@@ -1852,10 +1863,12 @@ static void add_kallsyms(struct module *
46495 }
46496 mod->core_num_syms = ndst;
46497
46498- mod->core_strtab = s = mod->module_core + stroffs;
46499+ mod->core_strtab = s = mod->module_core_rx + stroffs;
46500 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
46501 if (test_bit(i, strmap))
46502 *++s = mod->strtab[i];
58c5fc13 46503+
ae4e228f 46504+ pax_close_kernel();
58c5fc13
MT
46505 }
46506 #else
ae4e228f
MT
46507 static inline unsigned long layout_symtab(struct module *mod,
46508@@ -1892,16 +1905,30 @@ static void dynamic_debug_setup(struct _
58c5fc13
MT
46509 #endif
46510 }
46511
46512-static void *module_alloc_update_bounds(unsigned long size)
46513+static void *module_alloc_update_bounds_rw(unsigned long size)
46514 {
46515 void *ret = module_alloc(size);
46516
46517 if (ret) {
46518 /* Update module bounds. */
46519- if ((unsigned long)ret < module_addr_min)
46520- module_addr_min = (unsigned long)ret;
46521- if ((unsigned long)ret + size > module_addr_max)
46522- module_addr_max = (unsigned long)ret + size;
46523+ if ((unsigned long)ret < module_addr_min_rw)
46524+ module_addr_min_rw = (unsigned long)ret;
46525+ if ((unsigned long)ret + size > module_addr_max_rw)
46526+ module_addr_max_rw = (unsigned long)ret + size;
46527+ }
46528+ return ret;
46529+}
46530+
46531+static void *module_alloc_update_bounds_rx(unsigned long size)
46532+{
46533+ void *ret = module_alloc_exec(size);
46534+
46535+ if (ret) {
46536+ /* Update module bounds. */
46537+ if ((unsigned long)ret < module_addr_min_rx)
46538+ module_addr_min_rx = (unsigned long)ret;
46539+ if ((unsigned long)ret + size > module_addr_max_rx)
46540+ module_addr_max_rx = (unsigned long)ret + size;
46541 }
46542 return ret;
46543 }
ae4e228f
MT
46544@@ -2108,7 +2135,7 @@ static noinline struct module *load_modu
46545 secstrings, &stroffs, strmap);
58c5fc13
MT
46546
46547 /* Do the allocs. */
46548- ptr = module_alloc_update_bounds(mod->core_size);
46549+ ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
46550 /*
46551 * The pointer to this block is stored in the module structure
46552 * which is inside the block. Just mark it as not being a
ae4e228f 46553@@ -2119,23 +2146,47 @@ static noinline struct module *load_modu
58c5fc13
MT
46554 err = -ENOMEM;
46555 goto free_percpu;
46556 }
46557- memset(ptr, 0, mod->core_size);
46558- mod->module_core = ptr;
46559+ memset(ptr, 0, mod->core_size_rw);
46560+ mod->module_core_rw = ptr;
46561
46562- ptr = module_alloc_update_bounds(mod->init_size);
46563+ ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
46564 /*
46565 * The pointer to this block is stored in the module structure
46566 * which is inside the block. This block doesn't need to be
46567 * scanned as it contains data and code that will be freed
46568 * after the module is initialized.
46569 */
46570- kmemleak_ignore(ptr);
46571- if (!ptr && mod->init_size) {
46572+ kmemleak_not_leak(ptr);
46573+ if (!ptr && mod->init_size_rw) {
ae4e228f 46574+ err = -ENOMEM;
58c5fc13 46575+ goto free_core_rw;
ae4e228f 46576+ }
58c5fc13
MT
46577+ memset(ptr, 0, mod->init_size_rw);
46578+ mod->module_init_rw = ptr;
46579+
46580+ ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
46581+ kmemleak_not_leak(ptr);
46582+ if (!ptr) {
ae4e228f
MT
46583 err = -ENOMEM;
46584- goto free_core;
58c5fc13 46585+ goto free_init_rw;
ae4e228f
MT
46586 }
46587- memset(ptr, 0, mod->init_size);
46588- mod->module_init = ptr;
58c5fc13 46589+
ae4e228f 46590+ pax_open_kernel();
58c5fc13 46591+ memset(ptr, 0, mod->core_size_rx);
ae4e228f 46592+ pax_close_kernel();
58c5fc13
MT
46593+ mod->module_core_rx = ptr;
46594+
46595+ ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
46596+ kmemleak_not_leak(ptr);
46597+ if (!ptr && mod->init_size_rx) {
46598+ err = -ENOMEM;
46599+ goto free_core_rx;
46600+ }
46601+
ae4e228f 46602+ pax_open_kernel();
58c5fc13 46603+ memset(ptr, 0, mod->init_size_rx);
ae4e228f 46604+ pax_close_kernel();
58c5fc13
MT
46605+ mod->module_init_rx = ptr;
46606
46607 /* Transfer each section which specifies SHF_ALLOC */
46608 DEBUGP("final section addresses:\n");
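Review bot: The init_rw allocation now calls `kmemleak_not_leak(ptr)` where the old code called `kmemleak_ignore(ptr)`, but the retained comment above it still says the block does not need to be scanned, which describes kmemleak_ignore. Either keep `kmemleak_ignore(ptr)` for the init regions or update the comment to match. Separately, the core_rx allocation fails on `if (!ptr)` alone while the init allocations test `!ptr && size`. If a module can have an empty rx core, that is a spurious -ENOMEM, and `if (!ptr && mod->core_size_rx) {` would match its neighbours. load_module() continues outside the hunk.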
ae4e228f 46609@@ -2145,17 +2196,41 @@ static noinline struct module *load_modu
58c5fc13
MT
46610 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
46611 continue;
46612
46613- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
46614- dest = mod->module_init
46615- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46616- else
46617- dest = mod->module_core + sechdrs[i].sh_entsize;
46618+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
46619+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46620+ dest = mod->module_init_rw
46621+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46622+ else
46623+ dest = mod->module_init_rx
46624+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
46625+ } else {
46626+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
46627+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
46628+ else
46629+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
46630+ }
46631+
46632+ if (sechdrs[i].sh_type != SHT_NOBITS) {
ae4e228f 46633+
58c5fc13
MT
46634+#ifdef CONFIG_PAX_KERNEXEC
46635+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
ae4e228f 46636+ pax_open_kernel();
58c5fc13 46637+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
ae4e228f 46638+ pax_close_kernel();
58c5fc13
MT
46639+ } else
46640+#endif
ae4e228f
MT
46641
46642- if (sechdrs[i].sh_type != SHT_NOBITS)
46643- memcpy(dest, (void *)sechdrs[i].sh_addr,
46644- sechdrs[i].sh_size);
58c5fc13
MT
46645+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
46646+ }
46647 /* Update sh_addr to point to copy in image. */
46648- sechdrs[i].sh_addr = (unsigned long)dest;
46649+
46650+#ifdef CONFIG_PAX_KERNEXEC
46651+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
46652+ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
46653+ else
46654+#endif
46655+
46656+ sechdrs[i].sh_addr = (unsigned long)dest;
46657 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
46658 }
46659 /* Module has been moved. */
ae4e228f 46660@@ -2167,7 +2242,7 @@ static noinline struct module *load_modu
58c5fc13
MT
46661 mod->name);
46662 if (!mod->refptr) {
46663 err = -ENOMEM;
46664- goto free_init;
46665+ goto free_init_rx;
46666 }
46667 #endif
46668 /* Now we've moved module, initialize linked lists, etc. */
ae4e228f 46669@@ -2282,8 +2357,8 @@ static noinline struct module *load_modu
58c5fc13
MT
46670
46671 /* Now do relocations. */
46672 for (i = 1; i < hdr->e_shnum; i++) {
46673- const char *strtab = (char *)sechdrs[strindex].sh_addr;
46674 unsigned int info = sechdrs[i].sh_info;
46675+ strtab = (char *)sechdrs[strindex].sh_addr;
46676
46677 /* Not a valid relocation section? */
46678 if (info >= hdr->e_shnum)
ae4e228f 46679@@ -2344,12 +2419,12 @@ static noinline struct module *load_modu
58c5fc13
MT
46680 * Do it before processing of module parameters, so the module
46681 * can provide parameter accessor functions of its own.
46682 */
46683- if (mod->module_init)
46684- flush_icache_range((unsigned long)mod->module_init,
46685- (unsigned long)mod->module_init
46686- + mod->init_size);
46687- flush_icache_range((unsigned long)mod->module_core,
46688- (unsigned long)mod->module_core + mod->core_size);
46689+ if (mod->module_init_rx)
46690+ flush_icache_range((unsigned long)mod->module_init_rx,
46691+ (unsigned long)mod->module_init_rx
46692+ + mod->init_size_rx);
46693+ flush_icache_range((unsigned long)mod->module_core_rx,
46694+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
46695
46696 set_fs(old_fs);
46697
ae4e228f 46698@@ -2397,12 +2472,16 @@ static noinline struct module *load_modu
58c5fc13
MT
46699 free_unload:
46700 module_unload_free(mod);
46701 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
58c5fc13
MT
46702+ free_init_rx:
46703 percpu_modfree(mod->refptr);
ae4e228f 46704- free_init:
58c5fc13
MT
46705 #endif
46706- module_free(mod, mod->module_init);
46707- free_core:
46708- module_free(mod, mod->module_core);
46709+ module_free_exec(mod, mod->module_init_rx);
46710+ free_core_rx:
46711+ module_free_exec(mod, mod->module_core_rx);
46712+ free_init_rw:
46713+ module_free(mod, mod->module_init_rw);
46714+ free_core_rw:
46715+ module_free(mod, mod->module_core_rw);
46716 /* mod will be freed with core. Don't access it beyond this line! */
46717 free_percpu:
46718 if (percpu)
ae4e228f
MT
46719@@ -2504,10 +2583,12 @@ SYSCALL_DEFINE3(init_module, void __user
46720 mod->symtab = mod->core_symtab;
46721 mod->strtab = mod->core_strtab;
46722 #endif
58c5fc13
MT
46723- module_free(mod, mod->module_init);
46724- mod->module_init = NULL;
46725- mod->init_size = 0;
46726- mod->init_text_size = 0;
46727+ module_free(mod, mod->module_init_rw);
46728+ module_free_exec(mod, mod->module_init_rx);
46729+ mod->module_init_rw = NULL;
46730+ mod->module_init_rx = NULL;
46731+ mod->init_size_rw = 0;
46732+ mod->init_size_rx = 0;
46733 mutex_unlock(&module_mutex);
46734
46735 return 0;
ae4e228f 46736@@ -2538,10 +2619,16 @@ static const char *get_ksymbol(struct mo
58c5fc13
MT
46737 unsigned long nextval;
46738
46739 /* At worse, next value is at end of module */
46740- if (within_module_init(addr, mod))
46741- nextval = (unsigned long)mod->module_init+mod->init_text_size;
46742+ if (within_module_init_rx(addr, mod))
46743+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
46744+ else if (within_module_init_rw(addr, mod))
46745+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
46746+ else if (within_module_core_rx(addr, mod))
46747+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
46748+ else if (within_module_core_rw(addr, mod))
46749+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
46750 else
46751- nextval = (unsigned long)mod->module_core+mod->core_text_size;
46752+ return NULL;
46753
46754 /* Scan for closest preceeding symbol, and next symbol. (ELF
46755 starts real symbols at 1). */
ae4e228f 46756@@ -2787,7 +2874,7 @@ static int m_show(struct seq_file *m, vo
58c5fc13
MT
46757 char buf[8];
46758
46759 seq_printf(m, "%s %u",
46760- mod->name, mod->init_size + mod->core_size);
46761+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
46762 print_unload_info(m, mod);
46763
46764 /* Informative for users. */
ae4e228f 46765@@ -2796,7 +2883,7 @@ static int m_show(struct seq_file *m, vo
58c5fc13
MT
46766 mod->state == MODULE_STATE_COMING ? "Loading":
46767 "Live");
46768 /* Used by oprofile and other similar tools. */
46769- seq_printf(m, " 0x%p", mod->module_core);
46770+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
46771
46772 /* Taints info */
46773 if (mod->taints)
ae4e228f 46774@@ -2832,7 +2919,17 @@ static const struct file_operations proc
58c5fc13
MT
46775
46776 static int __init proc_modules_init(void)
46777 {
46778+#ifndef CONFIG_GRKERNSEC_HIDESYM
46779+#ifdef CONFIG_GRKERNSEC_PROC_USER
46780+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46781+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46782+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
46783+#else
46784 proc_create("modules", 0, NULL, &proc_modules_operations);
46785+#endif
46786+#else
46787+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
46788+#endif
46789 return 0;
46790 }
46791 module_init(proc_modules_init);
ae4e228f 46792@@ -2891,12 +2988,12 @@ struct module *__module_address(unsigned
58c5fc13
MT
46793 {
46794 struct module *mod;
46795
46796- if (addr < module_addr_min || addr > module_addr_max)
46797+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
46798+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
46799 return NULL;
46800
46801 list_for_each_entry_rcu(mod, &modules, list)
46802- if (within_module_core(addr, mod)
46803- || within_module_init(addr, mod))
46804+ if (within_module_init(addr, mod) || within_module_core(addr, mod))
46805 return mod;
46806 return NULL;
46807 }
ae4e228f 46808@@ -2930,11 +3027,20 @@ bool is_module_text_address(unsigned lon
58c5fc13
MT
46809 */
46810 struct module *__module_text_address(unsigned long addr)
46811 {
46812- struct module *mod = __module_address(addr);
46813+ struct module *mod;
46814+
46815+#ifdef CONFIG_X86_32
46816+ addr = ktla_ktva(addr);
46817+#endif
46818+
46819+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
46820+ return NULL;
46821+
46822+ mod = __module_address(addr);
46823+
46824 if (mod) {
46825 /* Make sure it's within the text section. */
46826- if (!within(addr, mod->module_init, mod->init_text_size)
46827- && !within(addr, mod->module_core, mod->core_text_size))
46828+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
46829 mod = NULL;
46830 }
46831 return mod;
ae4e228f
MT
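--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -396,7 +396,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
 */
 void __stack_chk_fail(void)
 {
- panic("stack-protector: Kernel stack is corrupted in: %p\n",
+ dump_stack();
+ panic("stack-protector: Kernel stack is corrupted in: %pS\n",
 __builtin_return_address(0));
 }
 EXPORT_SYMBOL(__stack_chk_fail);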
ae4e228f
MT
46845diff -urNp linux-2.6.33.1/kernel/params.c linux-2.6.33.1/kernel/params.c
46846--- linux-2.6.33.1/kernel/params.c 2010-03-15 12:09:39.000000000 -0400
46847+++ linux-2.6.33.1/kernel/params.c 2010-03-20 16:58:42.088938657 -0400
46848@@ -723,7 +723,7 @@ static ssize_t module_attr_store(struct
46849 return ret;
58c5fc13
MT
46850 }
46851
ae4e228f
MT
46852-static struct sysfs_ops module_sysfs_ops = {
46853+static const struct sysfs_ops module_sysfs_ops = {
46854 .show = module_attr_show,
46855 .store = module_attr_store,
46856 };
46857@@ -737,7 +737,7 @@ static int uevent_filter(struct kset *ks
46858 return 0;
58c5fc13
MT
46859 }
46860
ae4e228f
MT
46861-static struct kset_uevent_ops module_uevent_ops = {
46862+static const struct kset_uevent_ops module_uevent_ops = {
46863 .filter = uevent_filter,
46864 };
58c5fc13 46865
ae4e228f
MT
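--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -33,6 +33,7 @@
 #include <linux/rculist.h>
 #include <linux/bootmem.h>
 #include <linux/hash.h>
+#include <linux/security.h>
 #include <linux/pid_namespace.h>
 #include <linux/init_task.h>
 #include <linux/syscalls.h>
@@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
 
 int pid_max = PID_MAX_DEFAULT;
 
-#define RESERVED_PIDS 300
+#define RESERVED_PIDS 500
 
 int pid_max_min = RESERVED_PIDS + 1;
 int pid_max_max = PID_MAX_LIMIT;
@@ -380,7 +381,14 @@ EXPORT_SYMBOL(pid_task);
 */
 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
 {
- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+ struct task_struct *task;
+
+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
+
+ if (gr_pid_is_chrooted(task))
+ return NULL;
+
+ return task;
 }
 
 struct task_struct *find_task_by_vpid(pid_t vnr)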
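Review bot: In the `find_task_by_pid_ns` hunk, `gr_pid_is_chrooted(task)` receives whatever `pid_task()` returned, and nothing in the new lines rules out a NULL task when the pid is not in use. The helper is defined outside this section, so whether it tolerates NULL cannot be confirmed from here; either guard at the call site, `if (task && gr_pid_is_chrooted(task))`, or state the NULL contract on the helper. Because this lookup now filters its result, a one-line comment above the check saying that tasks outside the caller's chroot are reported as not found would help callers that treat NULL as "no such pid". The `RESERVED_PIDS` change from 300 to 500 in the second hunk has no stated rationale and deserves a comment as well.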
ae4e228f
MT
46902diff -urNp linux-2.6.33.1/kernel/posix-cpu-timers.c linux-2.6.33.1/kernel/posix-cpu-timers.c
46903--- linux-2.6.33.1/kernel/posix-cpu-timers.c 2010-03-15 12:09:39.000000000 -0400
46904+++ linux-2.6.33.1/kernel/posix-cpu-timers.c 2010-03-20 16:58:42.092540045 -0400
58c5fc13
MT
46905@@ -6,6 +6,7 @@
46906 #include <linux/posix-timers.h>
46907 #include <linux/errno.h>
46908 #include <linux/math64.h>
46909+#include <linux/security.h>
46910 #include <asm/uaccess.h>
46911 #include <linux/kernel_stat.h>
ae4e228f
MT
46912 #include <trace/events/timer.h>
46913@@ -1043,6 +1044,7 @@ static void check_thread_timers(struct t
58c5fc13
MT
46914 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46915 return;
46916 }
46917+ gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout, 1);
46918 if (tsk->rt.timeout > DIV_ROUND_UP(*soft, USEC_PER_SEC/HZ)) {
46919 /*
46920 * At the soft limit, send a SIGXCPU every second.
ae4e228f 46921@@ -1205,6 +1207,7 @@ static void check_process_timers(struct
58c5fc13
MT
46922 __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
46923 return;
46924 }
46925+ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
46926 if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
46927 /*
46928 * At the soft limit, send a SIGXCPU every second.
ae4e228f
MT
46929diff -urNp linux-2.6.33.1/kernel/power/hibernate.c linux-2.6.33.1/kernel/power/hibernate.c
46930--- linux-2.6.33.1/kernel/power/hibernate.c 2010-03-15 12:09:39.000000000 -0400
46931+++ linux-2.6.33.1/kernel/power/hibernate.c 2010-03-20 16:58:42.092540045 -0400
46932@@ -49,14 +49,14 @@ enum {
46933
46934 static int hibernation_mode = HIBERNATION_SHUTDOWN;
46935
46936-static struct platform_hibernation_ops *hibernation_ops;
46937+static const struct platform_hibernation_ops *hibernation_ops;
46938
46939 /**
46940 * hibernation_set_ops - set the global hibernate operations
46941 * @ops: the hibernation operations to use in subsequent hibernation transitions
46942 */
46943
46944-void hibernation_set_ops(struct platform_hibernation_ops *ops)
46945+void hibernation_set_ops(const struct platform_hibernation_ops *ops)
46946 {
46947 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
46948 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
46949diff -urNp linux-2.6.33.1/kernel/power/poweroff.c linux-2.6.33.1/kernel/power/poweroff.c
46950--- linux-2.6.33.1/kernel/power/poweroff.c 2010-03-15 12:09:39.000000000 -0400
46951+++ linux-2.6.33.1/kernel/power/poweroff.c 2010-03-20 16:58:42.096640751 -0400
58c5fc13
MT
46952@@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
46953 .enable_mask = SYSRQ_ENABLE_BOOT,
46954 };
46955
46956-static int pm_sysrq_init(void)
46957+static int __init pm_sysrq_init(void)
46958 {
46959 register_sysrq_key('o', &sysrq_poweroff_op);
46960 return 0;
ae4e228f
MT
46961diff -urNp linux-2.6.33.1/kernel/power/process.c linux-2.6.33.1/kernel/power/process.c
46962--- linux-2.6.33.1/kernel/power/process.c 2010-03-15 12:09:39.000000000 -0400
46963+++ linux-2.6.33.1/kernel/power/process.c 2010-03-20 16:58:42.096640751 -0400
46964@@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
58c5fc13
MT
46965 struct timeval start, end;
46966 u64 elapsed_csecs64;
46967 unsigned int elapsed_csecs;
46968+ bool timedout = false;
46969
46970 do_gettimeofday(&start);
46971
46972 end_time = jiffies + TIMEOUT;
ae4e228f 46973 while (true) {
58c5fc13
MT
46974 todo = 0;
46975+ if (time_after(jiffies, end_time))
46976+ timedout = true;
46977 read_lock(&tasklist_lock);
46978 do_each_thread(g, p) {
46979 if (frozen(p) || !freezeable(p))
ae4e228f 46980@@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
58c5fc13
MT
46981 * It is "frozen enough". If the task does wake
46982 * up, it will immediately call try_to_freeze.
46983 */
46984- if (!task_is_stopped_or_traced(p) &&
46985- !freezer_should_skip(p))
46986+ if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
46987 todo++;
46988+ if (timedout) {
46989+ printk(KERN_ERR "Task refusing to freeze:\n");
46990+ sched_show_task(p);
46991+ }
46992+ }
46993 } while_each_thread(g, p);
46994 read_unlock(&tasklist_lock);
ae4e228f
MT
46995- if (!todo || time_after(jiffies, end_time))
46996+ if (!todo || timedout)
46997 break;
46998
46999 /*
47000diff -urNp linux-2.6.33.1/kernel/power/suspend.c linux-2.6.33.1/kernel/power/suspend.c
47001--- linux-2.6.33.1/kernel/power/suspend.c 2010-03-15 12:09:39.000000000 -0400
47002+++ linux-2.6.33.1/kernel/power/suspend.c 2010-03-20 16:58:42.096640751 -0400
47003@@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
47004 [PM_SUSPEND_MEM] = "mem",
47005 };
47006
47007-static struct platform_suspend_ops *suspend_ops;
47008+static const struct platform_suspend_ops *suspend_ops;
47009
47010 /**
47011 * suspend_set_ops - Set the global suspend method table.
47012 * @ops: Pointer to ops structure.
47013 */
47014-void suspend_set_ops(struct platform_suspend_ops *ops)
47015+void suspend_set_ops(const struct platform_suspend_ops *ops)
47016 {
47017 mutex_lock(&pm_mutex);
47018 suspend_ops = ops;
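--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -280,6 +280,11 @@ int do_syslog(int type, char __user *buf
 char c;
 int error = 0;
 
+#ifdef CONFIG_GRKERNSEC_DMESG
+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+#endif
+
 error = security_syslog(type);
 if (error)
 return error;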
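Review bot: The new `CONFIG_GRKERNSEC_DMESG` check in `do_syslog` returns `-EPERM` before `security_syslog(type)` runs and without looking at `type`, so every syslog action is refused to a task without `CAP_SYS_ADMIN`, not only the ones that read the buffer, and the LSM hook never sees the refused request. If that is intended, say so above the check, for example `/* dmesg restriction: all syslog actions require CAP_SYS_ADMIN; checked before the LSM hook */`. `grsec_enable_dmesg` is declared outside this section, so its default and who may change it cannot be judged from here. The body of `do_syslog` continues outside the hunk.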
ae4e228f
MT
47034diff -urNp linux-2.6.33.1/kernel/ptrace.c linux-2.6.33.1/kernel/ptrace.c
47035--- linux-2.6.33.1/kernel/ptrace.c 2010-03-15 12:09:39.000000000 -0400
47036+++ linux-2.6.33.1/kernel/ptrace.c 2010-03-20 16:58:42.104944311 -0400
58c5fc13
MT
47037@@ -141,7 +141,7 @@ int __ptrace_may_access(struct task_stru
47038 cred->gid != tcred->egid ||
47039 cred->gid != tcred->sgid ||
47040 cred->gid != tcred->gid) &&
47041- !capable(CAP_SYS_PTRACE)) {
47042+ !capable_nolog(CAP_SYS_PTRACE)) {
47043 rcu_read_unlock();
47044 return -EPERM;
47045 }
47046@@ -149,7 +149,7 @@ int __ptrace_may_access(struct task_stru
47047 smp_rmb();
47048 if (task->mm)
47049 dumpable = get_dumpable(task->mm);
47050- if (!dumpable && !capable(CAP_SYS_PTRACE))
47051+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
47052 return -EPERM;
47053
ae4e228f 47054 return security_ptrace_access_check(task, mode);
58c5fc13
MT
47055@@ -199,7 +199,7 @@ int ptrace_attach(struct task_struct *ta
47056 goto unlock_tasklist;
47057
47058 task->ptrace = PT_PTRACED;
47059- if (capable(CAP_SYS_PTRACE))
47060+ if (capable_nolog(CAP_SYS_PTRACE))
47061 task->ptrace |= PT_PTRACE_CAP;
47062
47063 __ptrace_link(task, current);
ae4e228f
MT
47064@@ -362,7 +362,7 @@ int ptrace_readdata(struct task_struct *
47065 break;
47066 return -EIO;
47067 }
47068- if (copy_to_user(dst, buf, retval))
47069+ if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
47070 return -EFAULT;
47071 copied += retval;
47072 src += retval;
47073@@ -532,18 +532,18 @@ int ptrace_request(struct task_struct *c
47074 ret = ptrace_setoptions(child, data);
47075 break;
47076 case PTRACE_GETEVENTMSG:
47077- ret = put_user(child->ptrace_message, (unsigned long __user *) data);
47078+ ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
47079 break;
47080
47081 case PTRACE_GETSIGINFO:
47082 ret = ptrace_getsiginfo(child, &siginfo);
47083 if (!ret)
47084- ret = copy_siginfo_to_user((siginfo_t __user *) data,
47085+ ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
47086 &siginfo);
47087 break;
47088
47089 case PTRACE_SETSIGINFO:
47090- if (copy_from_user(&siginfo, (siginfo_t __user *) data,
47091+ if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
47092 sizeof siginfo))
47093 ret = -EFAULT;
47094 else
47095@@ -621,14 +621,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
47096 goto out;
47097 }
58c5fc13
MT
47098
47099+ if (gr_handle_ptrace(child, request)) {
47100+ ret = -EPERM;
47101+ goto out_put_task_struct;
47102+ }
47103+
ae4e228f
MT
47104 if (request == PTRACE_ATTACH) {
47105 ret = ptrace_attach(child);
47106 /*
47107 * Some architectures need to do book-keeping after
47108 * a ptrace attach.
47109 */
47110- if (!ret)
47111+ if (!ret) {
47112 arch_ptrace_attach(child);
47113+ gr_audit_ptrace(child);
47114+ }
47115 goto out_put_task_struct;
47116 }
58c5fc13 47117
ae4e228f
MT
47118@@ -653,7 +660,7 @@ int generic_ptrace_peekdata(struct task_
47119 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
47120 if (copied != sizeof(tmp))
47121 return -EIO;
47122- return put_user(tmp, (unsigned long __user *)data);
47123+ return put_user(tmp, (__force unsigned long __user *)data);
58c5fc13
MT
47124 }
47125
ae4e228f
MT
47126 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
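Review bot: In the `ptrace_readdata` hunk, the added bound `retval > sizeof(buf)` compares what appears to be a signed length with a `size_t`, so a negative `retval` is rejected only through implicit conversion to unsigned; the declarations of `retval` and `buf` are outside the hunk, so this is inferred. Spelling the intent out keeps the check correct if the types change: `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`. Returning `-EFAULT` for an over-long length also deserves a short comment, since that path means the kernel-side read returned more than the buffer holds rather than that the user pointer was bad.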
47127diff -urNp linux-2.6.33.1/kernel/rcutree.c linux-2.6.33.1/kernel/rcutree.c
47128--- linux-2.6.33.1/kernel/rcutree.c 2010-03-15 12:09:39.000000000 -0400
47129+++ linux-2.6.33.1/kernel/rcutree.c 2010-03-20 16:58:42.108722969 -0400
47130@@ -1315,7 +1315,7 @@ __rcu_process_callbacks(struct rcu_state
58c5fc13 47131 /*
ae4e228f 47132 * Do softirq processing for the current CPU.
58c5fc13 47133 */
ae4e228f
MT
47134-static void rcu_process_callbacks(struct softirq_action *unused)
47135+static void rcu_process_callbacks(void)
47136 {
47137 /*
47138 * Memory references from any prior RCU read-side critical sections
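--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -1292,7 +1292,7 @@ static int subbuf_splice_actor(struct fi
 return 0;
 
 ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
- if (ret < 0 || ret < total_len)
+ if ((int)ret < 0 || ret < total_len)
 return ret;
 
 if (read_start + ret == nonpad_end)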
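Review bot: The `(int)ret < 0` cast in `subbuf_splice_actor` implies that `ret` is declared unsigned outside the hunk, in which case the old `ret < 0` test could never fire and a negative return from `splice_to_pipe()` would have been carried on as a very large byte count. The cast fixes the test but leaves the reason invisible; a comment on the line, `/* ret is unsigned: cast so a negative errno from splice_to_pipe() is caught */`, or a signed local for the return value, would keep a later cleanup from undoing it. The declaration is not visible here, so the type is inferred from the cast.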
ae4e228f
MT
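--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -132,8 +132,18 @@ static const struct file_operations proc
 
 static int __init ioresources_init(void)
 {
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
+#endif
+#else
 proc_create("ioports", 0, NULL, &proc_ioports_operations);
 proc_create("iomem", 0, NULL, &proc_iomem_operations);
+#endif
 return 0;
 }
 __initcall(ioresources_init);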
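Review bot: In `ioresources_init`, when `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#ifdef`/`#elif` has no `#else`, so neither `ioports` nor `iomem` is created and the function still returns 0. The `proc_modules_init` change in kernel/module.c handles the same pair of options with an explicit `#else` fallback. Unless Kconfig (not shown here) makes that combination impossible, add a fallback before the inner `#endif`: an `#else` followed by the two `proc_create()` calls with `S_IRUSR`, or an `#error` naming the missing option.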
ae4e228f
MT
47173diff -urNp linux-2.6.33.1/kernel/sched.c linux-2.6.33.1/kernel/sched.c
47174--- linux-2.6.33.1/kernel/sched.c 2010-03-15 12:09:39.000000000 -0400
47175+++ linux-2.6.33.1/kernel/sched.c 2010-03-20 16:58:42.116976245 -0400
47176@@ -4855,7 +4855,7 @@ out:
47177 * In CONFIG_NO_HZ case, the idle load balance owner will do the
47178 * rebalancing for all the cpus for whom scheduler ticks are stopped.
47179 */
47180-static void run_rebalance_domains(struct softirq_action *h)
47181+static void run_rebalance_domains(void)
47182 {
47183 int this_cpu = smp_processor_id();
47184 struct rq *this_rq = cpu_rq(this_cpu);
47185@@ -6158,6 +6158,8 @@ int can_nice(const struct task_struct *p
58c5fc13
MT
47186 /* convert nice value [19,-20] to rlimit style value [1,40] */
47187 int nice_rlim = 20 - nice;
47188
47189+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
47190+
47191 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
47192 capable(CAP_SYS_NICE));
47193 }
ae4e228f 47194@@ -6191,7 +6193,8 @@ SYSCALL_DEFINE1(nice, int, increment)
58c5fc13
MT
47195 if (nice > 19)
47196 nice = 19;
47197
47198- if (increment < 0 && !can_nice(current, nice))
47199+ if (increment < 0 && (!can_nice(current, nice) ||
47200+ gr_handle_chroot_nice()))
47201 return -EPERM;
47202
47203 retval = security_task_setnice(current, nice);
ae4e228f 47204@@ -6333,6 +6336,8 @@ recheck:
58c5fc13
MT
47205 if (rt_policy(policy)) {
47206 unsigned long rlim_rtprio;
47207
47208+ gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
47209+
47210 if (!lock_task_sighand(p, &flags))
47211 return -ESRCH;
47212 rlim_rtprio = p->signal->rlim[RLIMIT_RTPRIO].rlim_cur;
ae4e228f
MT
47213diff -urNp linux-2.6.33.1/kernel/signal.c linux-2.6.33.1/kernel/signal.c
47214--- linux-2.6.33.1/kernel/signal.c 2010-03-15 12:09:39.000000000 -0400
47215+++ linux-2.6.33.1/kernel/signal.c 2010-03-20 16:58:42.116976245 -0400
47216@@ -226,6 +226,9 @@ __sigqueue_alloc(int sig, struct task_st
58c5fc13 47217 atomic_inc(&user->sigpending);
ae4e228f
MT
47218 rcu_read_unlock();
47219
58c5fc13
MT
47220+ if (!override_rlimit)
47221+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
ae4e228f 47222+
58c5fc13
MT
47223 if (override_rlimit ||
47224 atomic_read(&user->sigpending) <=
ae4e228f
MT
47225 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) {
47226@@ -659,6 +662,9 @@ static int check_kill_permission(int sig
58c5fc13
MT
47227 }
47228 }
47229
47230+ if (gr_handle_signal(t, sig))
47231+ return -EPERM;
47232+
47233 return security_task_kill(t, info, sig, 0);
47234 }
47235
ae4e228f 47236@@ -1006,7 +1012,7 @@ __group_send_sig_info(int sig, struct si
58c5fc13
MT
47237 return send_signal(sig, info, p, 1);
47238 }
47239
47240-static int
47241+int
47242 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
47243 {
47244 return send_signal(sig, info, t, 0);
ae4e228f 47245@@ -1060,6 +1066,9 @@ force_sig_info(int sig, struct siginfo *
58c5fc13
MT
47246 ret = specific_send_sig_info(sig, info, t);
47247 spin_unlock_irqrestore(&t->sighand->siglock, flags);
47248
47249+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
47250+ gr_handle_crash(t, sig);
47251+
47252 return ret;
47253 }
47254
ae4e228f
MT
47255@@ -1113,8 +1122,11 @@ int group_send_sig_info(int sig, struct
47256 {
47257 int ret = check_kill_permission(sig, info, p);
47258
47259- if (!ret && sig)
47260+ if (!ret && sig) {
47261 ret = do_send_sig_info(sig, info, p, true);
58c5fc13
MT
47262+ if (!ret)
47263+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
ae4e228f 47264+ }
58c5fc13
MT
47265
47266 return ret;
ae4e228f
MT
47267 }
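Review bot: Both new `gr_log_signal()` calls, in `force_sig_info` and in `group_send_sig_info`, pass `info->si_addr` for any non-special `info`, but `si_addr` is only meaningful for fault signals; `siginfo` is a union, and for a signal sent with `kill()` the same bytes hold the sender's pid and uid. Unless `gr_log_signal` (defined outside this section) filters on `sig` before using the address, the log records a meaningless pointer. Passing the address only for fault signals, or documenting on the helper that it ignores the address for other signals, would remove the ambiguity. In `force_sig_info`, `gr_handle_crash(t, sig)` also runs after the siglock is dropped and regardless of `ret`; a comment stating that this is intended would help.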
47268diff -urNp linux-2.6.33.1/kernel/smp.c linux-2.6.33.1/kernel/smp.c
47269--- linux-2.6.33.1/kernel/smp.c 2010-03-15 12:09:39.000000000 -0400
47270+++ linux-2.6.33.1/kernel/smp.c 2010-03-20 16:58:42.120938497 -0400
47271@@ -498,22 +498,22 @@ int smp_call_function(void (*func)(void
47272 }
47273 EXPORT_SYMBOL(smp_call_function);
47274
47275-void ipi_call_lock(void)
47276+void ipi_call_lock(void) __acquires(call_function.lock)
47277 {
47278 raw_spin_lock(&call_function.lock);
47279 }
47280
47281-void ipi_call_unlock(void)
47282+void ipi_call_unlock(void) __releases(call_function.lock)
47283 {
47284 raw_spin_unlock(&call_function.lock);
47285 }
47286
47287-void ipi_call_lock_irq(void)
47288+void ipi_call_lock_irq(void) __acquires(call_function.lock)
47289 {
47290 raw_spin_lock_irq(&call_function.lock);
47291 }
47292
47293-void ipi_call_unlock_irq(void)
47294+void ipi_call_unlock_irq(void) __releases(call_function.lock)
47295 {
47296 raw_spin_unlock_irq(&call_function.lock);
47297 }
47298diff -urNp linux-2.6.33.1/kernel/softirq.c linux-2.6.33.1/kernel/softirq.c
47299--- linux-2.6.33.1/kernel/softirq.c 2010-03-15 12:09:39.000000000 -0400
47300+++ linux-2.6.33.1/kernel/softirq.c 2010-03-20 16:58:42.120938497 -0400
47301@@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
47302
47303 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
47304
47305-char *softirq_to_name[NR_SOFTIRQS] = {
47306+const char * const softirq_to_name[NR_SOFTIRQS] = {
47307 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
47308 "TASKLET", "SCHED", "HRTIMER", "RCU"
47309 };
47310@@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
47311
47312 asmlinkage void __do_softirq(void)
47313 {
47314- struct softirq_action *h;
47315+ const struct softirq_action *h;
47316 __u32 pending;
47317 int max_restart = MAX_SOFTIRQ_RESTART;
47318 int cpu;
47319@@ -216,7 +216,7 @@ restart:
47320 kstat_incr_softirqs_this_cpu(h - softirq_vec);
47321
47322 trace_softirq_entry(h, softirq_vec);
47323- h->action(h);
47324+ h->action();
47325 trace_softirq_exit(h, softirq_vec);
47326 if (unlikely(prev_count != preempt_count())) {
47327 printk(KERN_ERR "huh, entered softirq %td %s %p"
47328@@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
47329 local_irq_restore(flags);
47330 }
47331
47332-void open_softirq(int nr, void (*action)(struct softirq_action *))
47333+void open_softirq(int nr, void (*action)(void))
47334 {
47335 softirq_vec[nr].action = action;
47336 }
47337@@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
47338
47339 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
47340
47341-static void tasklet_action(struct softirq_action *a)
47342+static void tasklet_action(void)
47343 {
47344 struct tasklet_struct *list;
47345
47346@@ -431,7 +431,7 @@ static void tasklet_action(struct softir
47347 }
47348 }
47349
47350-static void tasklet_hi_action(struct softirq_action *a)
47351+static void tasklet_hi_action(void)
47352 {
47353 struct tasklet_struct *list;
47354
47355diff -urNp linux-2.6.33.1/kernel/sys.c linux-2.6.33.1/kernel/sys.c
47356--- linux-2.6.33.1/kernel/sys.c 2010-03-15 12:09:39.000000000 -0400
47357+++ linux-2.6.33.1/kernel/sys.c 2010-03-20 16:58:42.128666983 -0400
47358@@ -132,6 +132,12 @@ static int set_one_prio(struct task_stru
58c5fc13
MT
47359 error = -EACCES;
47360 goto out;
47361 }
47362+
47363+ if (gr_handle_chroot_setpriority(p, niceval)) {
47364+ error = -EACCES;
47365+ goto out;
47366+ }
47367+
47368 no_nice = security_task_setnice(p, niceval);
47369 if (no_nice) {
47370 error = no_nice;
ae4e228f 47371@@ -513,6 +519,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
58c5fc13
MT
47372 goto error;
47373 }
47374
47375+ if (gr_check_group_change(new->gid, new->egid, -1))
47376+ goto error;
47377+
47378 if (rgid != (gid_t) -1 ||
47379 (egid != (gid_t) -1 && egid != old->gid))
47380 new->sgid = new->egid;
ae4e228f 47381@@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
58c5fc13
MT
47382 goto error;
47383
47384 retval = -EPERM;
47385+
47386+ if (gr_check_group_change(gid, gid, gid))
47387+ goto error;
47388+
47389 if (capable(CAP_SETGID))
47390 new->gid = new->egid = new->sgid = new->fsgid = gid;
47391 else if (gid == old->gid || gid == old->sgid)
ae4e228f 47392@@ -636,6 +649,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
58c5fc13
MT
47393 goto error;
47394 }
47395
47396+ if (gr_check_user_change(new->uid, new->euid, -1))
47397+ goto error;
47398+
47399 if (new->uid != old->uid) {
47400 retval = set_user(new);
47401 if (retval < 0)
ae4e228f 47402@@ -684,6 +700,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
58c5fc13
MT
47403 goto error;
47404
47405 retval = -EPERM;
47406+
47407+ if (gr_check_crash_uid(uid))
47408+ goto error;
47409+ if (gr_check_user_change(uid, uid, uid))
47410+ goto error;
47411+
47412 if (capable(CAP_SETUID)) {
47413 new->suid = new->uid = uid;
47414 if (uid != old->uid) {
ae4e228f 47415@@ -741,6 +763,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
58c5fc13
MT
47416 goto error;
47417 }
47418
47419+ if (gr_check_user_change(ruid, euid, -1))
47420+ goto error;
47421+
47422 if (ruid != (uid_t) -1) {
47423 new->uid = ruid;
47424 if (ruid != old->uid) {
ae4e228f 47425@@ -809,6 +834,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
58c5fc13
MT
47426 goto error;
47427 }
47428
47429+ if (gr_check_group_change(rgid, egid, -1))
47430+ goto error;
47431+
47432 if (rgid != (gid_t) -1)
47433 new->gid = rgid;
47434 if (egid != (gid_t) -1)
ae4e228f 47435@@ -858,6 +886,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
58c5fc13
MT
47436 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
47437 goto error;
47438
47439+ if (gr_check_user_change(-1, -1, uid))
47440+ goto error;
47441+
47442 if (uid == old->uid || uid == old->euid ||
47443 uid == old->suid || uid == old->fsuid ||
47444 capable(CAP_SETUID)) {
ae4e228f 47445@@ -898,6 +929,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
58c5fc13
MT
47446 if (gid == old->gid || gid == old->egid ||
47447 gid == old->sgid || gid == old->fsgid ||
47448 capable(CAP_SETGID)) {
47449+ if (gr_check_group_change(-1, -1, gid))
47450+ goto error;
47451+
47452 if (gid != old_fsgid) {
47453 new->fsgid = gid;
47454 goto change_okay;
ae4e228f 47455@@ -1460,7 +1494,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
58c5fc13
MT
47456 error = get_dumpable(me->mm);
47457 break;
47458 case PR_SET_DUMPABLE:
47459- if (arg2 < 0 || arg2 > 1) {
47460+ if (arg2 > 1) {
47461 error = -EINVAL;
47462 break;
47463 }
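Review bot: The `gr_check_*_change()` checks added to `setregid`, `setreuid`, `setresuid` and `setresgid` jump to `error` without assigning `retval`, and the assignment they rely on is outside those hunks; only the `setgid` and `setuid` hunks show `retval = -EPERM;` directly above the new check. If any of those paths reaches the check with `retval` still 0, a refused id change would be reported to the caller as success. Setting the code at the check makes the denial self-contained: `if (gr_check_user_change(ruid, euid, -1)) { retval = -EPERM; goto error; }`, and likewise for the group variants.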
ae4e228f
MT
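--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -62,6 +62,13 @@
 
 
 #if defined(CONFIG_SYSCTL)
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
+ const int op);
+extern int gr_handle_chroot_sysctl(const int op);
 
 /* External variables not in a header file. */
 extern int C_A_D;
@@ -169,6 +176,7 @@ static int proc_do_cad_pid(struct ctl_ta
 static int proc_taint(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
+extern ctl_table grsecurity_table[];
 
 static struct ctl_table root_table[];
 static struct ctl_table_root sysctl_table_root;
@@ -201,6 +209,20 @@ extern struct ctl_table epoll_table[];
 int sysctl_legacy_va_layout;
 #endif
 
+#ifdef CONFIG_PAX_SOFTMODE
+static ctl_table pax_table[] = {
+ {
+ .procname = "softmode",
+ .data = &pax_softmode,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0600,
+ .proc_handler = &proc_dointvec,
+ },
+
+ { }
+};
+#endif
+
 extern int prove_locking;
 extern int lock_stat;
 
@@ -251,6 +273,22 @@ static int max_sched_shares_ratelimit =
 #endif
 
 static struct ctl_table kern_table[] = {
+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
+ {
+ .procname = "grsecurity",
+ .mode = 0500,
+ .child = grsecurity_table,
+ },
+#endif
+
+#ifdef CONFIG_PAX_SOFTMODE
+ {
+ .procname = "pax",
+ .mode = 0500,
+ .child = pax_table,
+ },
+#endif
+
 {
 .procname = "sched_child_runs_first",
 .data = &sysctl_sched_child_runs_first,
@@ -1629,6 +1667,16 @@ int sysctl_perm(struct ctl_table_root *r
 int error;
 int mode;
 
+ if (table->parent != NULL && table->parent->procname != NULL &&
+ table->procname != NULL &&
+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
+ return -EACCES;
+ if (gr_handle_chroot_sysctl(op))
+ return -EACCES;
+ error = gr_handle_sysctl(table, op);
+ if (error)
+ return error;
+
 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
 if (error)
 return error;
@@ -2137,6 +2185,8 @@ static int __do_proc_dointvec(void *tbl_
 len = strlen(buf);
 if (len > left)
 len = left;
+ if (len > sizeof(buf))
+ len = sizeof(buf);
 if(copy_to_user(s, buf, len))
 return -EFAULT;
 left -= len;
@@ -2362,6 +2412,8 @@ static int __do_proc_doulongvec_minmax(v
 len = strlen(buf);
 if (len > left)
 len = left;
+ if (len > sizeof(buf))
+ len = sizeof(buf);
 if(copy_to_user(s, buf, len))
 return -EFAULT;
 left -= len;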
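Review bot: The added clamp `if (len > sizeof(buf))` in __do_proc_dointvec runs after `len = strlen(buf)`, so it cannot bound the scan itself: with a terminated buffer the condition is never true, and with an unterminated one strlen() has already read past the array before the clamp is reached. Bounding the measurement instead, `len = strnlen(buf, sizeof(buf));`, would limit both the read and the later copy_to_user(); the same applies to the identical hunk in __do_proc_doulongvec_minmax. This assumes buf is a local array declared earlier in each function, which lies outside the hunks; if it were a pointer, sizeof(buf) would be the pointer size and the clamp would truncate output.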
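--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -26,9 +26,12 @@
 #include <linux/cgroup.h>
 #include <linux/fs.h>
 #include <linux/file.h>
+#include <linux/grsecurity.h>
 #include <net/genetlink.h>
 #include <asm/atomic.h>
 
+extern int gr_is_taskstats_denied(int pid);
+
 /*
 * Maximum length of a cpumask that can be specified in
 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
@@ -433,6 +436,9 @@ static int taskstats_user_cmd(struct sk_
 size_t size;
 cpumask_var_t mask;
 
+ if (gr_is_taskstats_denied(current->pid))
+ return -EACCES;
+
 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
 return -ENOMEM;
 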
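Review bot: `extern int gr_is_taskstats_denied(int pid);` is declared in this .c file directly below the new `#include <linux/grsecurity.h>`, so no shared header checks the prototype against the definition. Moving the declaration into that header (its contents are not visible here) would keep caller and definition on one prototype. The check in taskstats_user_cmd would also benefit from a short comment such as `/* deny based on the requesting task, not the pid named in the request */`, since `current->pid` is what is passed; the rest of the function is outside the hunk.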
ae4e228f
MT
47594diff -urNp linux-2.6.33.1/kernel/time/tick-broadcast.c linux-2.6.33.1/kernel/time/tick-broadcast.c
47595--- linux-2.6.33.1/kernel/time/tick-broadcast.c 2010-03-15 12:09:39.000000000 -0400
47596+++ linux-2.6.33.1/kernel/time/tick-broadcast.c 2010-03-20 16:58:42.200972419 -0400
58c5fc13
MT
47597@@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
47598 * then clear the broadcast bit.
47599 */
47600 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
47601- int cpu = smp_processor_id();
47602+ cpu = smp_processor_id();
47603
47604 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
47605 tick_broadcast_clear_oneshot(cpu);
ae4e228f
MT
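--- a/kernel/time.c
+++ b/kernel/time.c
@@ -94,6 +94,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
 return err;
 
 do_settimeofday(&tv);
+
+ gr_log_timechange();
+
 return 0;
 }
 
@@ -202,6 +205,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
 return -EFAULT;
 }
 
+ gr_log_timechange();
+
 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
 }
 
@@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
 * Avoid unnecessary multiplications/divisions in the
 * two most common HZ cases:
 */
-unsigned int inline jiffies_to_msecs(const unsigned long j)
+inline unsigned int jiffies_to_msecs(const unsigned long j)
 {
 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
 return (MSEC_PER_SEC / HZ) * j;
@@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
 }
 EXPORT_SYMBOL(jiffies_to_msecs);
 
-unsigned int inline jiffies_to_usecs(const unsigned long j)
+inline unsigned int jiffies_to_usecs(const unsigned long j)
 {
 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
 return (USEC_PER_SEC / HZ) * j;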
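Review bot: In the settimeofday hunk `gr_log_timechange()` is called before `do_sys_settimeofday()`, whose return value is passed straight back to the caller, so a request that is later rejected would still be logged as a time change. The stime hunk logs only after `do_settimeofday(&tv)` has run, and the two paths should agree if the log is to serve as an audit record. Logging on success would look like `error = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);` followed by `if (!error) gr_log_timechange();` and `return error;`, using a local declared with the others at the top of the syscall body, which is outside the hunk. As written the call also fires when only `tz` is supplied, which may or may not be intended.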
ae4e228f
MT
47646diff -urNp linux-2.6.33.1/kernel/timer.c linux-2.6.33.1/kernel/timer.c
47647--- linux-2.6.33.1/kernel/timer.c 2010-03-15 12:09:39.000000000 -0400
47648+++ linux-2.6.33.1/kernel/timer.c 2010-03-20 16:58:42.212949807 -0400
47649@@ -1206,7 +1206,7 @@ void update_process_times(int user_tick)
47650 /*
47651 * This function runs timers and the timer-tq in bottom half context.
47652 */
47653-static void run_timer_softirq(struct softirq_action *h)
47654+static void run_timer_softirq(void)
47655 {
47656 struct tvec_base *base = __get_cpu_var(tvec_bases);
58c5fc13 47657
ae4e228f
MT
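--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1102,13 +1102,18 @@ ftrace_code_disable(struct module *mod,
 
 ip = rec->ip;
 
+ ret = ftrace_arch_code_modify_prepare();
+ FTRACE_WARN_ON(ret);
+ if (ret)
+ return 0;
+
 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
 if (ret) {
 ftrace_bug(ret, ip);
 rec->flags |= FTRACE_FL_FAILED;
- return 0;
 }
- return 1;
+ return ret ? 0 : 1;
 }
 
 /*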
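Review bot: When `ftrace_arch_code_modify_prepare()` fails, the new early `return 0` leaves with only a FTRACE_WARN_ON, whereas a failure of `ftrace_make_nop()` a few lines below also reports through `ftrace_bug(ret, ip)` and sets `FTRACE_FL_FAILED` on the record. If both failures mean the call site was not patched, the early exit should probably mark the record the same way, `if (ret) { rec->flags |= FTRACE_FL_FAILED; return 0; }`; if the difference is deliberate, a one-line comment saying so would help. The start of ftrace_code_disable, including the declaration of `ret`, is outside the hunk.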
47682diff -urNp linux-2.6.33.1/kernel/trace/Kconfig linux-2.6.33.1/kernel/trace/Kconfig
47683--- linux-2.6.33.1/kernel/trace/Kconfig 2010-03-15 12:09:39.000000000 -0400
47684+++ linux-2.6.33.1/kernel/trace/Kconfig 2010-03-20 16:58:42.212949807 -0400
47685@@ -124,6 +124,7 @@ if FTRACE
58c5fc13
MT
47686 config FUNCTION_TRACER
47687 bool "Kernel Function Tracer"
47688 depends on HAVE_FUNCTION_TRACER
47689+ depends on !PAX_KERNEXEC
47690 select FRAME_POINTER
47691 select KALLSYMS
47692 select GENERIC_TRACER
ae4e228f 47693@@ -362,6 +363,7 @@ config PROFILE_KSYM_TRACER
58c5fc13
MT
47694 config STACK_TRACER
47695 bool "Trace max stack"
47696 depends on HAVE_FUNCTION_TRACER
47697+ depends on !PAX_KERNEXEC
47698 select FUNCTION_TRACER
47699 select STACKTRACE
47700 select KALLSYMS
ae4e228f
MT
47701diff -urNp linux-2.6.33.1/kernel/trace/trace.c linux-2.6.33.1/kernel/trace/trace.c
47702--- linux-2.6.33.1/kernel/trace/trace.c 2010-03-15 12:09:39.000000000 -0400
47703+++ linux-2.6.33.1/kernel/trace/trace.c 2010-03-20 16:58:42.217937104 -0400
47704@@ -3820,10 +3820,9 @@ static const struct file_operations trac
47705 };
47706 #endif
58c5fc13 47707
ae4e228f
MT
47708-static struct dentry *d_tracer;
47709-
47710 struct dentry *tracing_init_dentry(void)
47711 {
47712+ static struct dentry *d_tracer;
47713 static int once;
47714
47715 if (d_tracer)
47716@@ -3843,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
47717 return d_tracer;
58c5fc13
MT
47718 }
47719
ae4e228f
MT
47720-static struct dentry *d_percpu;
47721-
47722 struct dentry *tracing_dentry_percpu(void)
47723 {
47724+ static struct dentry *d_percpu;
47725 static int once;
47726 struct dentry *d_tracer;
47727
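--- a/kernel/trace/trace_output.c
+++ b/kernel/trace/trace_output.c
@@ -280,7 +280,7 @@ int trace_seq_path(struct trace_seq *s,
 
 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
 if (!IS_ERR(p)) {
- p = mangle_path(s->buffer + s->len, p, "\n");
+ p = mangle_path(s->buffer + s->len, p, "\n\\");
 if (p) {
 s->len = p - s->buffer;
 return 1;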
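Review bot: The reason the backslash joins the escape set in the `mangle_path()` call is not recorded anywhere in the hunk, and the string `"\n\\"` is easy to misread as a typo. Assuming mangle_path() (defined elsewhere) rewrites the listed characters as backslash escapes, leaving a literal backslash unescaped lets a crafted path name produce output that is indistinguishable from an escaped newline. A comment above the call would capture that: `/* escape '\\' as well, so escaped output cannot be forged by a path containing a literal backslash sequence */`.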
ae4e228f
MT
47740diff -urNp linux-2.6.33.1/kernel/trace/trace_stack.c linux-2.6.33.1/kernel/trace/trace_stack.c
47741--- linux-2.6.33.1/kernel/trace/trace_stack.c 2010-03-15 12:09:39.000000000 -0400
47742+++ linux-2.6.33.1/kernel/trace/trace_stack.c 2010-03-20 16:58:42.220764190 -0400
47743@@ -50,7 +50,7 @@ static inline void check_stack(void)
47744 return;
58c5fc13 47745
ae4e228f
MT
47746 /* we do not handle interrupt stacks yet */
47747- if (!object_is_on_stack(&this_size))
47748+ if (!object_starts_on_stack(&this_size))
47749 return;
47750
47751 local_irq_save(flags);
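--- a/lib/bug.c
+++ b/lib/bug.c
@@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
 return BUG_TRAP_TYPE_NONE;
 
 bug = find_bug(bugaddr);
+ if (!bug)
+ return BUG_TRAP_TYPE_NONE;
 
 printk(KERN_EMERG "------------[ cut here ]------------\n");
 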
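Review bot: The new `if (!bug) return BUG_TRAP_TYPE_NONE;` exits silently before the "cut here" printk, so a trap address with no bug-table entry is now reported to the caller as not being a BUG/WARN site at all, and nothing is logged. That is a behaviour change as well as a NULL guard, and it deserves a comment, for example `/* no bug table entry for this address: let the caller treat it as an ordinary trap */`. Whether the code after the printk already tolerated a NULL `bug` cannot be told from this hunk, since the rest of report_bug is outside it.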
47764diff -urNp linux-2.6.33.1/lib/debugobjects.c linux-2.6.33.1/lib/debugobjects.c
47765--- linux-2.6.33.1/lib/debugobjects.c 2010-03-15 12:09:39.000000000 -0400
47766+++ linux-2.6.33.1/lib/debugobjects.c 2010-03-20 16:58:42.225948146 -0400
47767@@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
47768 if (limit > 4)
47769 return;
47770
47771- is_on_stack = object_is_on_stack(addr);
47772+ is_on_stack = object_starts_on_stack(addr);
47773 if (is_on_stack == onstack)
47774 return;
47775
47776diff -urNp linux-2.6.33.1/lib/dma-debug.c linux-2.6.33.1/lib/dma-debug.c
47777--- linux-2.6.33.1/lib/dma-debug.c 2010-03-15 12:09:39.000000000 -0400
47778+++ linux-2.6.33.1/lib/dma-debug.c 2010-03-20 16:58:42.240954646 -0400
47779@@ -861,7 +861,7 @@ out:
58c5fc13 47780
ae4e228f
MT
47781 static void check_for_stack(struct device *dev, void *addr)
47782 {
47783- if (object_is_on_stack(addr))
47784+ if (object_starts_on_stack(addr))
47785 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
47786 "stack [addr=%p]\n", addr);
47787 }
47788diff -urNp linux-2.6.33.1/lib/inflate.c linux-2.6.33.1/lib/inflate.c
47789--- linux-2.6.33.1/lib/inflate.c 2010-03-15 12:09:39.000000000 -0400
47790+++ linux-2.6.33.1/lib/inflate.c 2010-03-20 16:58:42.240954646 -0400
58c5fc13
MT
47791@@ -266,7 +266,7 @@ static void free(void *where)
47792 malloc_ptr = free_mem_ptr;
47793 }
47794 #else
47795-#define malloc(a) kmalloc(a, GFP_KERNEL)
47796+#define malloc(a) kmalloc((a), GFP_KERNEL)
47797 #define free(a) kfree(a)
47798 #endif
47799
ae4e228f
MT
47800diff -urNp linux-2.6.33.1/lib/Kconfig.debug linux-2.6.33.1/lib/Kconfig.debug
47801--- linux-2.6.33.1/lib/Kconfig.debug 2010-03-15 12:09:39.000000000 -0400
47802+++ linux-2.6.33.1/lib/Kconfig.debug 2010-03-20 16:58:42.244515655 -0400
47803@@ -914,7 +914,7 @@ config LATENCYTOP
58c5fc13
MT
47804 select STACKTRACE
47805 select SCHEDSTATS
47806 select SCHED_DEBUG
47807- depends on HAVE_LATENCYTOP_SUPPORT
47808+ depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
47809 help
47810 Enable this option if you want to use the LatencyTOP tool
47811 to find out which userspace is blocking on what kernel operations.
ae4e228f
MT
47812diff -urNp linux-2.6.33.1/lib/kobject.c linux-2.6.33.1/lib/kobject.c
47813--- linux-2.6.33.1/lib/kobject.c 2010-03-15 12:09:39.000000000 -0400
47814+++ linux-2.6.33.1/lib/kobject.c 2010-03-20 16:58:42.244515655 -0400
47815@@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
47816 return ret;
47817 }
47818
47819-struct sysfs_ops kobj_sysfs_ops = {
47820+const struct sysfs_ops kobj_sysfs_ops = {
47821 .show = kobj_attr_show,
47822 .store = kobj_attr_store,
47823 };
47824@@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
47825 * If the kset was not able to be created, NULL will be returned.
47826 */
47827 static struct kset *kset_create(const char *name,
47828- struct kset_uevent_ops *uevent_ops,
47829+ const struct kset_uevent_ops *uevent_ops,
47830 struct kobject *parent_kobj)
47831 {
47832 struct kset *kset;
47833@@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
47834 * If the kset was not able to be created, NULL will be returned.
47835 */
47836 struct kset *kset_create_and_add(const char *name,
47837- struct kset_uevent_ops *uevent_ops,
47838+ const struct kset_uevent_ops *uevent_ops,
47839 struct kobject *parent_kobj)
47840 {
47841 struct kset *kset;
47842diff -urNp linux-2.6.33.1/lib/kobject_uevent.c linux-2.6.33.1/lib/kobject_uevent.c
47843--- linux-2.6.33.1/lib/kobject_uevent.c 2010-03-15 12:09:39.000000000 -0400
47844+++ linux-2.6.33.1/lib/kobject_uevent.c 2010-03-20 16:58:42.244515655 -0400
47845@@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
47846 const char *subsystem;
47847 struct kobject *top_kobj;
47848 struct kset *kset;
47849- struct kset_uevent_ops *uevent_ops;
47850+ const struct kset_uevent_ops *uevent_ops;
47851 u64 seq;
47852 int i = 0;
47853 int retval = 0;
47854diff -urNp linux-2.6.33.1/lib/parser.c linux-2.6.33.1/lib/parser.c
47855--- linux-2.6.33.1/lib/parser.c 2010-03-15 12:09:39.000000000 -0400
47856+++ linux-2.6.33.1/lib/parser.c 2010-03-20 16:58:42.244515655 -0400
47857@@ -129,7 +129,7 @@ static int match_number(substring_t *s,
58c5fc13
MT
47858 char *buf;
47859 int ret;
47860
47861- buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
47862+ buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
47863 if (!buf)
47864 return -ENOMEM;
47865 memcpy(buf, s->from, s->to - s->from);
ae4e228f
MT
47866diff -urNp linux-2.6.33.1/lib/radix-tree.c linux-2.6.33.1/lib/radix-tree.c
47867--- linux-2.6.33.1/lib/radix-tree.c 2010-03-15 12:09:39.000000000 -0400
47868+++ linux-2.6.33.1/lib/radix-tree.c 2010-03-20 16:58:42.253002352 -0400
58c5fc13
MT
47869@@ -81,7 +81,7 @@ struct radix_tree_preload {
47870 int nr;
47871 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
47872 };
47873-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
47874+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
47875
47876 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
47877 {
ae4e228f
MT
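--- a/lib/random32.c
+++ b/lib/random32.c
@@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
 */
 static inline u32 __seed(u32 x, u32 m)
 {
- return (x < m) ? x + m : x;
+ return (x <= m) ? x + m + 1 : x;
 }
 
 /**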
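Review bot: The contract of `__seed` changes from "result is at least m" to "result is strictly greater than m", but the comment above it, which begins outside the hunk, is not updated. The old expression returned m itself for x == 0 and x == m, which matters if the generator state must exceed the minimum rather than equal it. Stating the invariant in the comment, for example `/* returns a value strictly greater than m for every x */`, would keep a later cleanup from reverting it. `x + m + 1` cannot wrap for the small minimums such a helper is normally given, but the callers are not visible here.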
ae4e228f
MT
47890diff -urNp linux-2.6.33.1/localversion-grsec linux-2.6.33.1/localversion-grsec
47891--- linux-2.6.33.1/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
47892+++ linux-2.6.33.1/localversion-grsec 2010-03-20 16:58:42.256945498 -0400
58c5fc13
MT
47893@@ -0,0 +1 @@
47894+-grsec
ae4e228f
MT
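--- a/Makefile
+++ b/Makefile
@@ -227,8 +227,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
 
 HOSTCC = gcc
 HOSTCXX = g++
-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
-HOSTCXXFLAGS = -O2
+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
+HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
 
 # Decide whether to build built-in, modular, or both.
 # Normally, just do built-in.
@@ -650,7 +650,7 @@ export mod_strip_cmd
 
 
 ifeq ($(KBUILD_EXTMOD),)
-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
 
 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \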
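Review bot: `-fno-delete-null-pointer-checks` is added to `HOSTCFLAGS` and `HOSTCXXFLAGS`, which control the build-host helper programs rather than the kernel objects. If the aim is to stop the compiler from removing NULL checks in kernel code, the flag has to be present in the kernel's own compiler flags, which are set outside this hunk and cannot be confirmed from here. A comment next to the two lines, such as `# host tools only; kernel objects get this flag from their own CFLAGS`, would make the intent clear. The extra `-W` on HOSTCFLAGS also enables more host-tool warnings and is worth a mention in the description.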
ae4e228f
MT
47918diff -urNp linux-2.6.33.1/mm/filemap.c linux-2.6.33.1/mm/filemap.c
47919--- linux-2.6.33.1/mm/filemap.c 2010-03-15 12:09:39.000000000 -0400
47920+++ linux-2.6.33.1/mm/filemap.c 2010-03-20 16:58:42.256945498 -0400
47921@@ -1601,7 +1601,7 @@ int generic_file_mmap(struct file * file
58c5fc13
MT
47922 struct address_space *mapping = file->f_mapping;
47923
47924 if (!mapping->a_ops->readpage)
47925- return -ENOEXEC;
47926+ return -ENODEV;
47927 file_accessed(file);
47928 vma->vm_ops = &generic_file_vm_ops;
47929 vma->vm_flags |= VM_CAN_NONLINEAR;
ae4e228f 47930@@ -1997,6 +1997,7 @@ inline int generic_write_checks(struct f
58c5fc13
MT
47931 *pos = i_size_read(inode);
47932
47933 if (limit != RLIM_INFINITY) {
47934+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
47935 if (*pos >= limit) {
47936 send_sig(SIGXFSZ, current, 0);
47937 return -EFBIG;
ae4e228f
MT
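--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
 retry:
 vma = find_vma(mm, start);
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
+ goto out;
+#endif
+
 /*
 * Make sure the vma is shared, that it supports prefaulting,
 * and that the remapped range is valid and fully within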
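Review bot: The new SEGMEXEC branch leaves through `out` without assigning an error code, so the value userspace receives is whatever the error variable holds at `retry:`, and that assignment is outside the hunk. Because `retry:` can be reached more than once, the refusal should not depend on that state; setting the code explicitly before the `goto out;` (presumably -EINVAL, matching the other range checks, to be confirmed against the full function) would make it self-contained. The branch also lacks a comment saying why it exists, for example `/* PaX: a possibly-executable vma under SEGMEXEC has a mirror and must not be remapped nonlinearly */`.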
ae4e228f
MT
47953diff -urNp linux-2.6.33.1/mm/highmem.c linux-2.6.33.1/mm/highmem.c
47954--- linux-2.6.33.1/mm/highmem.c 2010-03-15 12:09:39.000000000 -0400
47955+++ linux-2.6.33.1/mm/highmem.c 2010-03-20 16:58:42.256945498 -0400
47956@@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
58c5fc13
MT
47957 * So no dangers, even with speculative execution.
47958 */
47959 page = pte_page(pkmap_page_table[i]);
ae4e228f 47960+ pax_open_kernel();
58c5fc13
MT
47961 pte_clear(&init_mm, (unsigned long)page_address(page),
47962 &pkmap_page_table[i]);
ae4e228f
MT
47963-
47964+ pax_close_kernel();
58c5fc13
MT
47965 set_page_address(page, NULL);
47966 need_flush = 1;
47967 }
ae4e228f 47968@@ -177,9 +178,11 @@ start:
58c5fc13
MT
47969 }
47970 }
47971 vaddr = PKMAP_ADDR(last_pkmap_nr);
ae4e228f
MT
47972+
47973+ pax_open_kernel();
58c5fc13
MT
47974 set_pte_at(&init_mm, vaddr,
47975 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
ae4e228f
MT
47976-
47977+ pax_close_kernel();
58c5fc13
MT
47978 pkmap_count[last_pkmap_nr] = 1;
47979 set_page_address(page, (void *)vaddr);
58c5fc13 47980
ae4e228f
MT
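--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2267,6 +2267,26 @@ static int unmap_ref_private(struct mm_s
 return 1;
 }
 
+#ifdef CONFIG_PAX_SEGMEXEC
+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
+{
+ struct mm_struct *mm = vma->vm_mm;
+ struct vm_area_struct *vma_m;
+ unsigned long address_m;
+ pte_t *ptep_m;
+
+ vma_m = pax_find_mirror_vma(vma);
+ if (!vma_m)
+ return;
+
+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
+ address_m = address + SEGMEXEC_TASK_SIZE;
+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
+ get_page(page_m);
+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
+}
+#endif
+
 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
 unsigned long address, pte_t *ptep, pte_t pte,
 struct page *pagecache_page)
@@ -2347,6 +2367,11 @@ retry_avoidcopy:
 huge_ptep_clear_flush(vma, address, ptep);
 set_huge_pte_at(mm, address, ptep,
 make_huge_pte(vma, new_page, 1));
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ pax_mirror_huge_pte(vma, address, new_page);
+#endif
+
 /* Make the old page be freed below */
 new_page = old_page;
 }
@@ -2476,6 +2501,10 @@ retry:
 && (vma->vm_flags & VM_SHARED)));
 set_huge_pte_at(mm, address, ptep, new_pte);
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ pax_mirror_huge_pte(vma, address, page);
+#endif
+
 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
 /* Optimization, do the COW without a second fault */
 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
@@ -2504,6 +2533,28 @@ int hugetlb_fault(struct mm_struct *mm,
 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
 struct hstate *h = hstate_vma(vma);
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ struct vm_area_struct *vma_m;
+
+ vma_m = pax_find_mirror_vma(vma);
+ if (vma_m) {
+ unsigned long address_m;
+
+ if (vma->vm_start > vma_m->vm_start) {
+ address_m = address;
+ address -= SEGMEXEC_TASK_SIZE;
+ vma = vma_m;
+ h = hstate_vma(vma);
+ } else
+ address_m = address + SEGMEXEC_TASK_SIZE;
+
+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
+ return VM_FAULT_OOM;
+ address_m &= HPAGE_MASK;
+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
+ }
+#endif
+
 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
 if (!ptep)
 return VM_FAULT_OOM;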
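Review bot: In `pax_mirror_huge_pte` the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` is handed to `set_huge_pte_at()` without a check, so the helper silently depends on the mirror entry having been allocated by the `huge_pte_alloc(mm, address_m, ...)` call that the last hunk adds to hugetlb_fault. Making that assumption explicit, in the style the helper already uses for the address check, would turn a stray caller into a clear failure rather than a NULL page-table write: `BUG_ON(!ptep_m);` right after the lookup. The lookup also masks the address with HPAGE_MASK while `set_huge_pte_at()` receives the unmasked `address_m`; using one aligned value for both would be more consistent. A header comment on the helper stating that it takes its own reference on `page_m` via `get_page()` would help as well.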
ae4e228f
MT
48063diff -urNp linux-2.6.33.1/mm/Kconfig linux-2.6.33.1/mm/Kconfig
48064--- linux-2.6.33.1/mm/Kconfig 2010-03-15 12:09:39.000000000 -0400
48065+++ linux-2.6.33.1/mm/Kconfig 2010-03-20 16:58:42.256945498 -0400
48066@@ -222,7 +222,7 @@ config KSM
58c5fc13
MT
48067 config DEFAULT_MMAP_MIN_ADDR
48068 int "Low address space to protect from user allocation"
ae4e228f 48069 depends on MMU
58c5fc13
MT
48070- default 4096
48071+ default 65536
48072 help
48073 This is the portion of low virtual memory which should be protected
48074 from userspace allocation. Keeping a user from writing to low pages
ae4e228f
MT
48075diff -urNp linux-2.6.33.1/mm/maccess.c linux-2.6.33.1/mm/maccess.c
48076--- linux-2.6.33.1/mm/maccess.c 2010-03-15 12:09:39.000000000 -0400
48077+++ linux-2.6.33.1/mm/maccess.c 2010-03-20 16:58:42.256945498 -0400
48078@@ -15,10 +15,10 @@
48079 * happens, handle that and return -EFAULT.
48080 */
48081
48082-long __weak probe_kernel_read(void *dst, void *src, size_t size)
48083+long __weak probe_kernel_read(void *dst, const void *src, size_t size)
48084 __attribute__((alias("__probe_kernel_read")));
48085
48086-long __probe_kernel_read(void *dst, void *src, size_t size)
48087+long __probe_kernel_read(void *dst, const void *src, size_t size)
48088 {
48089 long ret;
48090 mm_segment_t old_fs = get_fs();
48091@@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
48092 * Safely write to address @dst from the buffer at @src. If a kernel fault
48093 * happens, handle that and return -EFAULT.
48094 */
48095-long __weak probe_kernel_write(void *dst, void *src, size_t size)
48096+long __weak probe_kernel_write(void *dst, const void *src, size_t size)
48097 __attribute__((alias("__probe_kernel_write")));
48098
48099-long __probe_kernel_write(void *dst, void *src, size_t size)
48100+long __probe_kernel_write(void *dst, const void *src, size_t size)
48101 {
48102 long ret;
48103 mm_segment_t old_fs = get_fs();
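--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
 pgoff_t pgoff;
 unsigned long new_flags = vma->vm_flags;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ struct vm_area_struct *vma_m;
+#endif
+
 switch (behavior) {
 case MADV_NORMAL:
 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
@@ -104,6 +108,13 @@ success:
 /*
 * vm_flags is protected by the mmap_sem held in write mode.
 */
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ vma_m = pax_find_mirror_vma(vma);
+ if (vma_m)
+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
+#endif
+
 vma->vm_flags = new_flags;
 
 out:
@@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
 struct vm_area_struct ** prev,
 unsigned long start, unsigned long end)
 {
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ struct vm_area_struct *vma_m;
+#endif
+
 *prev = vma;
 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
 return -EINVAL;
@@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
 zap_page_range(vma, start, end - start, &details);
 } else
 zap_page_range(vma, start, end - start, NULL);
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ vma_m = pax_find_mirror_vma(vma);
+ if (vma_m) {
+ if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
+ struct zap_details details = {
+ .nonlinear_vma = vma_m,
+ .last_index = ULONG_MAX,
+ };
+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
+ } else
+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
+ }
+#endif
+
 return 0;
 }
 
@@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
 if (end < start)
 goto out;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
+ if (end > SEGMEXEC_TASK_SIZE)
+ goto out;
+ } else
+#endif
+
+ if (end > TASK_SIZE)
+ goto out;
+
 error = 0;
 if (end == start)
 goto out;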
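Review bot: The upper-bound check added to the madvise syscall is written as an `else` that dangles across `#endif` and a blank line before `if (end > TASK_SIZE)`, so the binding of the two range checks depends on nothing ever being inserted between them. This is the check that keeps the advised range inside the address space the task may use, and it is clearer and harder to break when the limit is chosen first and tested once, as sketched below. The new local belongs with the other declarations at the top of the syscall body, which is outside the hunk. Separately, the mirror calls in madvise_dontneed pass `vma` rather than `vma_m` to `zap_page_range()` for the mirrored range; if that is intentional a comment should say so.

```c
	/* with the other locals at the top of the syscall body */
	unsigned long task_limit = TASK_SIZE;

	/* … unchanged: alignment, length and wrap-around checks … */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		task_limit = SEGMEXEC_TASK_SIZE;
#endif

	if (end > task_limit)
		goto out;
```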
ae4e228f
MT
48183diff -urNp linux-2.6.33.1/mm/memory.c linux-2.6.33.1/mm/memory.c
48184--- linux-2.6.33.1/mm/memory.c 2010-03-15 12:09:39.000000000 -0400
48185+++ linux-2.6.33.1/mm/memory.c 2010-03-20 16:58:42.260726041 -0400
48186@@ -48,6 +48,7 @@
48187 #include <linux/ksm.h>
58c5fc13
MT
48188 #include <linux/rmap.h>
48189 #include <linux/module.h>
48190+#include <linux/security.h>
48191 #include <linux/delayacct.h>
48192 #include <linux/init.h>
48193 #include <linux/writeback.h>
ae4e228f
MT
48194@@ -1266,10 +1267,10 @@ int __get_user_pages(struct task_struct
48195 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
58c5fc13
MT
48196 i = 0;
48197
48198- do {
48199+ while (nr_pages) {
48200 struct vm_area_struct *vma;
58c5fc13
MT
48201
48202- vma = find_extend_vma(mm, start);
48203+ vma = find_vma(mm, start);
48204 if (!vma && in_gate_area(tsk, start)) {
48205 unsigned long pg = start & PAGE_MASK;
48206 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
ae4e228f 48207@@ -1311,7 +1312,7 @@ int __get_user_pages(struct task_struct
58c5fc13
MT
48208 continue;
48209 }
48210
48211- if (!vma ||
48212+ if (!vma || start < vma->vm_start ||
48213 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
ae4e228f 48214 !(vm_flags & vma->vm_flags))
58c5fc13 48215 return i ? : -EFAULT;
ae4e228f 48216@@ -1386,7 +1387,7 @@ int __get_user_pages(struct task_struct
58c5fc13
MT
48217 start += PAGE_SIZE;
48218 nr_pages--;
48219 } while (nr_pages && start < vma->vm_end);
48220- } while (nr_pages);
48221+ }
48222 return i;
48223 }
48224
ae4e228f 48225@@ -1982,6 +1983,186 @@ static inline void cow_user_page(struct
58c5fc13
MT
48226 copy_user_highpage(dst, src, va, vma);
48227 }
48228
48229+#ifdef CONFIG_PAX_SEGMEXEC
48230+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
48231+{
48232+ struct mm_struct *mm = vma->vm_mm;
48233+ spinlock_t *ptl;
48234+ pte_t *pte, entry;
48235+
48236+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
48237+ entry = *pte;
48238+ if (!pte_present(entry)) {
48239+ if (!pte_none(entry)) {
48240+ BUG_ON(pte_file(entry));
48241+ free_swap_and_cache(pte_to_swp_entry(entry));
48242+ pte_clear_not_present_full(mm, address, pte, 0);
48243+ }
48244+ } else {
48245+ struct page *page;
48246+
48247+ flush_cache_page(vma, address, pte_pfn(entry));
48248+ entry = ptep_clear_flush(vma, address, pte);
48249+ BUG_ON(pte_dirty(entry));
48250+ page = vm_normal_page(vma, address, entry);
48251+ if (page) {
48252+ update_hiwater_rss(mm);
48253+ if (PageAnon(page))
48254+ dec_mm_counter(mm, anon_rss);
48255+ else
48256+ dec_mm_counter(mm, file_rss);
48257+ page_remove_rmap(page);
48258+ page_cache_release(page);
48259+ }
48260+ }
48261+ pte_unmap_unlock(pte, ptl);
48262+}
48263+
48264+/* PaX: if vma is mirrored, synchronize the mirror's PTE
48265+ *
48266+ * the ptl of the lower mapped page is held on entry and is not released on exit
48267+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
48268+ */
48269+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48270+{
48271+ struct mm_struct *mm = vma->vm_mm;
48272+ unsigned long address_m;
48273+ spinlock_t *ptl_m;
48274+ struct vm_area_struct *vma_m;
48275+ pmd_t *pmd_m;
48276+ pte_t *pte_m, entry_m;
48277+
48278+ BUG_ON(!page_m || !PageAnon(page_m));
48279+
48280+ vma_m = pax_find_mirror_vma(vma);
48281+ if (!vma_m)
48282+ return;
48283+
48284+ BUG_ON(!PageLocked(page_m));
48285+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48286+ address_m = address + SEGMEXEC_TASK_SIZE;
48287+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48288+ pte_m = pte_offset_map_nested(pmd_m, address_m);
48289+ ptl_m = pte_lockptr(mm, pmd_m);
48290+ if (ptl != ptl_m) {
48291+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48292+ if (!pte_none(*pte_m))
48293+ goto out;
48294+ }
48295+
48296+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48297+ page_cache_get(page_m);
48298+ page_add_anon_rmap(page_m, vma_m, address_m);
48299+ inc_mm_counter(mm, anon_rss);
48300+ set_pte_at(mm, address_m, pte_m, entry_m);
48301+ update_mmu_cache(vma_m, address_m, entry_m);
48302+out:
48303+ if (ptl != ptl_m)
48304+ spin_unlock(ptl_m);
48305+ pte_unmap_nested(pte_m);
48306+ unlock_page(page_m);
48307+}
48308+
48309+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
48310+{
48311+ struct mm_struct *mm = vma->vm_mm;
48312+ unsigned long address_m;
48313+ spinlock_t *ptl_m;
48314+ struct vm_area_struct *vma_m;
48315+ pmd_t *pmd_m;
48316+ pte_t *pte_m, entry_m;
48317+
48318+ BUG_ON(!page_m || PageAnon(page_m));
48319+
48320+ vma_m = pax_find_mirror_vma(vma);
48321+ if (!vma_m)
48322+ return;
48323+
48324+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48325+ address_m = address + SEGMEXEC_TASK_SIZE;
48326+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48327+ pte_m = pte_offset_map_nested(pmd_m, address_m);
48328+ ptl_m = pte_lockptr(mm, pmd_m);
48329+ if (ptl != ptl_m) {
48330+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48331+ if (!pte_none(*pte_m))
48332+ goto out;
48333+ }
48334+
48335+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
48336+ page_cache_get(page_m);
48337+ page_add_file_rmap(page_m);
48338+ inc_mm_counter(mm, file_rss);
48339+ set_pte_at(mm, address_m, pte_m, entry_m);
48340+ update_mmu_cache(vma_m, address_m, entry_m);
48341+out:
48342+ if (ptl != ptl_m)
48343+ spin_unlock(ptl_m);
48344+ pte_unmap_nested(pte_m);
48345+}
48346+
48347+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
48348+{
48349+ struct mm_struct *mm = vma->vm_mm;
48350+ unsigned long address_m;
48351+ spinlock_t *ptl_m;
48352+ struct vm_area_struct *vma_m;
48353+ pmd_t *pmd_m;
48354+ pte_t *pte_m, entry_m;
48355+
48356+ vma_m = pax_find_mirror_vma(vma);
48357+ if (!vma_m)
48358+ return;
48359+
48360+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
48361+ address_m = address + SEGMEXEC_TASK_SIZE;
48362+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
48363+ pte_m = pte_offset_map_nested(pmd_m, address_m);
48364+ ptl_m = pte_lockptr(mm, pmd_m);
48365+ if (ptl != ptl_m) {
48366+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
48367+ if (!pte_none(*pte_m))
48368+ goto out;
48369+ }
48370+
48371+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
48372+ set_pte_at(mm, address_m, pte_m, entry_m);
48373+out:
48374+ if (ptl != ptl_m)
48375+ spin_unlock(ptl_m);
48376+ pte_unmap_nested(pte_m);
48377+}
48378+
48379+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
48380+{
48381+ struct page *page_m;
48382+ pte_t entry;
48383+
48384+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
48385+ goto out;
48386+
48387+ entry = *pte;
48388+ page_m = vm_normal_page(vma, address, entry);
48389+ if (!page_m)
48390+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
48391+ else if (PageAnon(page_m)) {
48392+ if (pax_find_mirror_vma(vma)) {
48393+ pte_unmap_unlock(pte, ptl);
48394+ lock_page(page_m);
48395+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
48396+ if (pte_same(entry, *pte))
48397+ pax_mirror_anon_pte(vma, address, page_m, ptl);
48398+ else
48399+ unlock_page(page_m);
48400+ }
48401+ } else
48402+ pax_mirror_file_pte(vma, address, page_m, ptl);
48403+
48404+out:
48405+ pte_unmap_unlock(pte, ptl);
48406+}
48407+#endif
48408+
48409 /*
48410 * This routine handles present pages, when users try to write
48411 * to a shared page. It is done by copying the page to a new address
ae4e228f 48412@@ -2161,6 +2342,12 @@ gotten:
58c5fc13
MT
48413 */
48414 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
48415 if (likely(pte_same(*page_table, orig_pte))) {
48416+
48417+#ifdef CONFIG_PAX_SEGMEXEC
48418+ if (pax_find_mirror_vma(vma))
48419+ BUG_ON(!trylock_page(new_page));
48420+#endif
48421+
48422 if (old_page) {
48423 if (!PageAnon(old_page)) {
48424 dec_mm_counter(mm, file_rss);
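Review bot: The page lock is acquired inside an assertion here, `BUG_ON(!trylock_page(new_page))`, so the only statement that takes the lock reads like a pure sanity check. Write the acquisition as its own statement, `if (pax_find_mirror_vma(vma) && !trylock_page(new_page)) BUG();`, and add a comment such as `/* lock is dropped by pax_mirror_anon_pte() once the mirror PTE is set */`, because the matching unlock_page() lives in a different function. The same construct is repeated in the do_anonymous_page and __do_fault hunks further down. The enclosing function starts and ends outside this hunk.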
ae4e228f 48425@@ -2212,6 +2399,10 @@ gotten:
58c5fc13
MT
48426 page_remove_rmap(old_page);
48427 }
48428
48429+#ifdef CONFIG_PAX_SEGMEXEC
48430+ pax_mirror_anon_pte(vma, address, new_page, ptl);
48431+#endif
48432+
48433 /* Free the old page.. */
48434 new_page = old_page;
48435 ret |= VM_FAULT_WRITE;
ae4e228f 48436@@ -2619,6 +2810,11 @@ static int do_swap_page(struct mm_struct
58c5fc13
MT
48437 swap_free(entry);
48438 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
48439 try_to_free_swap(page);
48440+
48441+#ifdef CONFIG_PAX_SEGMEXEC
48442+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
48443+#endif
48444+
48445 unlock_page(page);
48446
48447 if (flags & FAULT_FLAG_WRITE) {
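Review bot: The `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` guard sits inside the `#ifdef`, while the statement it controls, `unlock_page(page);`, sits after the `#endif` and a blank line at the same indentation. Anyone inserting a statement between them silently changes what the guard controls. Drop the blank line, indent `unlock_page(page);` one level, and add `/* mirrored read fault: keep the page locked for pax_mirror_anon_pte() */`. The same dangling `if`/`else` across `#endif` appears in the do_mbind, do_mlock, arch_get_unmapped_area and arch_get_unmapped_area_topdown hunks. do_swap_page continues outside this hunk.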
ae4e228f 48448@@ -2630,6 +2826,11 @@ static int do_swap_page(struct mm_struct
58c5fc13
MT
48449
48450 /* No need to invalidate - it was non-present before */
48451 update_mmu_cache(vma, address, pte);
48452+
48453+#ifdef CONFIG_PAX_SEGMEXEC
48454+ pax_mirror_anon_pte(vma, address, page, ptl);
48455+#endif
48456+
48457 unlock:
48458 pte_unmap_unlock(page_table, ptl);
48459 out:
ae4e228f
MT
48460@@ -2653,7 +2854,7 @@ static int do_anonymous_page(struct mm_s
48461 unsigned long address, pte_t *page_table, pmd_t *pmd,
48462 unsigned int flags)
48463 {
48464- struct page *page;
48465+ struct page *page = NULL;
48466 spinlock_t *ptl;
48467 pte_t entry;
48468
48469@@ -2688,6 +2889,11 @@ static int do_anonymous_page(struct mm_s
58c5fc13
MT
48470 if (!pte_none(*page_table))
48471 goto release;
ae4e228f 48472
58c5fc13
MT
48473+#ifdef CONFIG_PAX_SEGMEXEC
48474+ if (pax_find_mirror_vma(vma))
48475+ BUG_ON(!trylock_page(page));
48476+#endif
48477+
48478 inc_mm_counter(mm, anon_rss);
48479 page_add_new_anon_rmap(page, vma, address);
ae4e228f
MT
48480 setpte:
48481@@ -2695,6 +2901,12 @@ setpte:
58c5fc13
MT
48482
48483 /* No need to invalidate - it was non-present before */
48484 update_mmu_cache(vma, address, entry);
48485+
48486+#ifdef CONFIG_PAX_SEGMEXEC
ae4e228f
MT
48487+ if (page)
48488+ pax_mirror_anon_pte(vma, address, page, ptl);
58c5fc13
MT
48489+#endif
48490+
48491 unlock:
48492 pte_unmap_unlock(page_table, ptl);
48493 return 0;
ae4e228f 48494@@ -2837,6 +3049,12 @@ static int __do_fault(struct mm_struct *
58c5fc13
MT
48495 */
48496 /* Only go through if we didn't race with anybody else... */
48497 if (likely(pte_same(*page_table, orig_pte))) {
48498+
48499+#ifdef CONFIG_PAX_SEGMEXEC
48500+ if (anon && pax_find_mirror_vma(vma))
48501+ BUG_ON(!trylock_page(page));
48502+#endif
48503+
48504 flush_icache_page(vma, page);
48505 entry = mk_pte(page, vma->vm_page_prot);
48506 if (flags & FAULT_FLAG_WRITE)
ae4e228f 48507@@ -2856,6 +3074,14 @@ static int __do_fault(struct mm_struct *
58c5fc13
MT
48508
48509 /* no need to invalidate: a not-present page won't be cached */
48510 update_mmu_cache(vma, address, entry);
48511+
48512+#ifdef CONFIG_PAX_SEGMEXEC
48513+ if (anon)
48514+ pax_mirror_anon_pte(vma, address, page, ptl);
48515+ else
48516+ pax_mirror_file_pte(vma, address, page, ptl);
48517+#endif
48518+
48519 } else {
48520 if (charged)
48521 mem_cgroup_uncharge_page(page);
ae4e228f 48522@@ -3003,6 +3229,12 @@ static inline int handle_pte_fault(struc
58c5fc13
MT
48523 if (flags & FAULT_FLAG_WRITE)
48524 flush_tlb_page(vma, address);
48525 }
48526+
48527+#ifdef CONFIG_PAX_SEGMEXEC
48528+ pax_mirror_pte(vma, address, pte, pmd, ptl);
48529+ return 0;
48530+#endif
48531+
48532 unlock:
48533 pte_unmap_unlock(pte, ptl);
48534 return 0;
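Review bot: The added `return 0;` skips the `unlock:` label without saying who now releases the PTE lock. pax_mirror_pte() does end every path with `pte_unmap_unlock(pte, ptl)`, and on the anonymous path it drops and re-takes the lock, so the `pte` and `ptl` held by this function may be stale afterwards. A comment at the call would record that: `/* pax_mirror_pte() unmaps pte and releases ptl on all paths; do not touch either afterwards */`. handle_pte_fault begins outside this hunk.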
ae4e228f 48535@@ -3019,6 +3251,10 @@ int handle_mm_fault(struct mm_struct *mm
58c5fc13
MT
48536 pmd_t *pmd;
48537 pte_t *pte;
48538
48539+#ifdef CONFIG_PAX_SEGMEXEC
48540+ struct vm_area_struct *vma_m;
48541+#endif
48542+
48543 __set_current_state(TASK_RUNNING);
48544
48545 count_vm_event(PGFAULT);
ae4e228f 48546@@ -3026,6 +3262,34 @@ int handle_mm_fault(struct mm_struct *mm
58c5fc13
MT
48547 if (unlikely(is_vm_hugetlb_page(vma)))
48548 return hugetlb_fault(mm, vma, address, flags);
48549
48550+#ifdef CONFIG_PAX_SEGMEXEC
48551+ vma_m = pax_find_mirror_vma(vma);
48552+ if (vma_m) {
48553+ unsigned long address_m;
48554+ pgd_t *pgd_m;
48555+ pud_t *pud_m;
48556+ pmd_t *pmd_m;
48557+
48558+ if (vma->vm_start > vma_m->vm_start) {
48559+ address_m = address;
48560+ address -= SEGMEXEC_TASK_SIZE;
48561+ vma = vma_m;
48562+ } else
48563+ address_m = address + SEGMEXEC_TASK_SIZE;
48564+
48565+ pgd_m = pgd_offset(mm, address_m);
48566+ pud_m = pud_alloc(mm, pgd_m, address_m);
48567+ if (!pud_m)
48568+ return VM_FAULT_OOM;
48569+ pmd_m = pmd_alloc(mm, pud_m, address_m);
48570+ if (!pmd_m)
48571+ return VM_FAULT_OOM;
48572+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
48573+ return VM_FAULT_OOM;
48574+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
48575+ }
48576+#endif
48577+
48578 pgd = pgd_offset(mm, address);
48579 pud = pud_alloc(mm, pgd, address);
48580 if (!pud)
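Review bot: In the branch taken when `vma->vm_start > vma_m->vm_start`, `vma` is reassigned to `vma_m` but `vma_m` itself is left unchanged. The later call `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` therefore pairs the lower vma with the upper address `address_m`, while the `else` branch passes the upper vma with the upper address. Whether this matters depends on how pax_unmap_mirror_pte() uses its vma argument, which is defined outside this hunk. If it expects the vma that covers `address_m`, save the original before the reassignment and pass that, or add a comment stating that either half of the pair is acceptable. handle_mm_fault starts and ends outside this hunk.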
ae4e228f 48581@@ -3123,7 +3387,7 @@ static int __init gate_vma_init(void)
58c5fc13
MT
48582 gate_vma.vm_start = FIXADDR_USER_START;
48583 gate_vma.vm_end = FIXADDR_USER_END;
48584 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
48585- gate_vma.vm_page_prot = __P101;
48586+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
48587 /*
48588 * Make sure the vDSO gets into every core dump.
48589 * Dumping its contents makes post-mortem fully interpretable later
ae4e228f
MT
48590diff -urNp linux-2.6.33.1/mm/memory-failure.c linux-2.6.33.1/mm/memory-failure.c
48591--- linux-2.6.33.1/mm/memory-failure.c 2010-03-15 12:09:39.000000000 -0400
48592+++ linux-2.6.33.1/mm/memory-failure.c 2010-03-20 16:58:42.260726041 -0400
48593@@ -50,7 +50,7 @@ int sysctl_memory_failure_early_kill __r
48594
48595 int sysctl_memory_failure_recovery __read_mostly = 1;
48596
48597-atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48598+atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
48599
48600 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
48601
48602@@ -935,7 +935,7 @@ int __memory_failure(unsigned long pfn,
48603 return 0;
48604 }
48605
48606- atomic_long_add(1, &mce_bad_pages);
48607+ atomic_long_add_unchecked(1, &mce_bad_pages);
48608
48609 /*
48610 * We need/can do nothing about count=0 pages.
48611diff -urNp linux-2.6.33.1/mm/mempolicy.c linux-2.6.33.1/mm/mempolicy.c
48612--- linux-2.6.33.1/mm/mempolicy.c 2010-03-15 12:09:39.000000000 -0400
48613+++ linux-2.6.33.1/mm/mempolicy.c 2010-03-20 16:58:42.260726041 -0400
48614@@ -569,6 +569,10 @@ static int mbind_range(struct vm_area_st
58c5fc13
MT
48615 struct vm_area_struct *next;
48616 int err;
48617
48618+#ifdef CONFIG_PAX_SEGMEXEC
48619+ struct vm_area_struct *vma_m;
48620+#endif
48621+
48622 err = 0;
48623 for (; vma && vma->vm_start < end; vma = next) {
48624 next = vma->vm_next;
ae4e228f 48625@@ -580,6 +584,16 @@ static int mbind_range(struct vm_area_st
58c5fc13
MT
48626 err = policy_vma(vma, new);
48627 if (err)
48628 break;
48629+
48630+#ifdef CONFIG_PAX_SEGMEXEC
48631+ vma_m = pax_find_mirror_vma(vma);
48632+ if (vma_m) {
48633+ err = policy_vma(vma_m, new);
48634+ if (err)
48635+ break;
48636+ }
48637+#endif
48638+
48639 }
48640 return err;
48641 }
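Review bot: If `policy_vma(vma_m, new)` fails after `policy_vma(vma, new)` has already succeeded, the loop breaks with the primary vma on the new policy and its mirror still on the old one. The original loop could already stop part-way through a range, but a vma and its mirror disagreeing is a new state that other mirror-aware code may not expect. Either apply the policy to the mirror first and to the primary only if that succeeds, or add a comment saying that divergent policies on a mirrored pair are harmless.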
ae4e228f 48642@@ -1000,6 +1014,17 @@ static long do_mbind(unsigned long start
58c5fc13
MT
48643
48644 if (end < start)
48645 return -EINVAL;
48646+
48647+#ifdef CONFIG_PAX_SEGMEXEC
48648+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
48649+ if (end > SEGMEXEC_TASK_SIZE)
48650+ return -EINVAL;
48651+ } else
48652+#endif
48653+
48654+ if (end > TASK_SIZE)
48655+ return -EINVAL;
48656+
48657 if (end == start)
48658 return 0;
48659
ae4e228f 48660@@ -1205,6 +1230,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
58c5fc13
MT
48661 if (!mm)
48662 return -EINVAL;
48663
48664+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48665+ if (mm != current->mm &&
48666+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48667+ err = -EPERM;
48668+ goto out;
48669+ }
48670+#endif
48671+
48672 /*
48673 * Check if this process has the right to modify the specified
48674 * process. The right exists if the process has administrative
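Review bot: The new `-EPERM` check runs before the credential test that follows, so it also refuses callers holding CAP_SYS_NICE, and nothing in the code says that this is deliberate. A short comment would help, for example `/* never let another process probe or move pages of a task with a randomized or mirrored layout, regardless of capabilities */`, worded to match the actual intent. The flag test can also be written as one mask, `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`, which avoids relying on `&` binding tighter than `||`. The move_pages hunk in mm/migrate.c carries the same block.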
ae4e228f 48675@@ -1214,8 +1247,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
58c5fc13
MT
48676 rcu_read_lock();
48677 tcred = __task_cred(task);
48678 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48679- cred->uid != tcred->suid && cred->uid != tcred->uid &&
48680- !capable(CAP_SYS_NICE)) {
48681+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
48682 rcu_read_unlock();
48683 err = -EPERM;
48684 goto out;
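Review bot: Dropping `cred->uid != tcred->uid` tightens who may migrate another task's pages: a caller that matches the target only on real uid is now refused unless it has CAP_SYS_NICE. The block comment that introduces this check opens in the preceding hunk and continues outside the visible lines; if it still describes the right as "same userid as the target", it no longer matches the code and should be updated in this patch. The identical change in the move_pages hunk of mm/migrate.c needs the same comment update.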
ae4e228f 48685@@ -2431,7 +2463,7 @@ int show_numa_map(struct seq_file *m, vo
58c5fc13
MT
48686
48687 if (file) {
48688 seq_printf(m, " file=");
48689- seq_path(m, &file->f_path, "\n\t= ");
48690+ seq_path(m, &file->f_path, "\n\t\\= ");
48691 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
48692 seq_printf(m, " heap");
48693 } else if (vma->vm_start <= mm->start_stack &&
ae4e228f
MT
48694diff -urNp linux-2.6.33.1/mm/migrate.c linux-2.6.33.1/mm/migrate.c
48695--- linux-2.6.33.1/mm/migrate.c 2010-03-15 12:09:39.000000000 -0400
48696+++ linux-2.6.33.1/mm/migrate.c 2010-03-20 16:58:42.260726041 -0400
48697@@ -1059,6 +1059,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
58c5fc13
MT
48698 if (!mm)
48699 return -EINVAL;
48700
48701+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48702+ if (mm != current->mm &&
48703+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
48704+ err = -EPERM;
48705+ goto out;
48706+ }
48707+#endif
48708+
48709 /*
48710 * Check if this process has the right to modify the specified
48711 * process. The right exists if the process has administrative
ae4e228f 48712@@ -1068,8 +1076,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
58c5fc13
MT
48713 rcu_read_lock();
48714 tcred = __task_cred(task);
48715 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
48716- cred->uid != tcred->suid && cred->uid != tcred->uid &&
48717- !capable(CAP_SYS_NICE)) {
48718+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
48719 rcu_read_unlock();
48720 err = -EPERM;
48721 goto out;
ae4e228f
MT
48722diff -urNp linux-2.6.33.1/mm/mlock.c linux-2.6.33.1/mm/mlock.c
48723--- linux-2.6.33.1/mm/mlock.c 2010-03-15 12:09:39.000000000 -0400
48724+++ linux-2.6.33.1/mm/mlock.c 2010-03-20 16:58:42.264564412 -0400
58c5fc13
MT
48725@@ -13,6 +13,7 @@
48726 #include <linux/pagemap.h>
48727 #include <linux/mempolicy.h>
48728 #include <linux/syscalls.h>
48729+#include <linux/security.h>
48730 #include <linux/sched.h>
48731 #include <linux/module.h>
48732 #include <linux/rmap.h>
ae4e228f 48733@@ -432,6 +433,17 @@ static int do_mlock(unsigned long start,
58c5fc13
MT
48734 return -EINVAL;
48735 if (end == start)
48736 return 0;
48737+
48738+#ifdef CONFIG_PAX_SEGMEXEC
48739+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
48740+ if (end > SEGMEXEC_TASK_SIZE)
48741+ return -EINVAL;
48742+ } else
48743+#endif
48744+
48745+ if (end > TASK_SIZE)
48746+ return -EINVAL;
48747+
48748 vma = find_vma_prev(current->mm, start, &prev);
48749 if (!vma || vma->vm_start > start)
48750 return -ENOMEM;
ae4e228f 48751@@ -491,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
58c5fc13
MT
48752 lock_limit >>= PAGE_SHIFT;
48753
48754 /* check against resource limits */
48755+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
48756 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
48757 error = do_mlock(start, len, 1);
48758 up_write(&current->mm->mmap_sem);
ae4e228f 48759@@ -512,10 +525,10 @@ SYSCALL_DEFINE2(munlock, unsigned long,
58c5fc13
MT
48760 static int do_mlockall(int flags)
48761 {
48762 struct vm_area_struct * vma, * prev = NULL;
48763- unsigned int def_flags = 0;
48764+ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
48765
48766 if (flags & MCL_FUTURE)
48767- def_flags = VM_LOCKED;
48768+ def_flags |= VM_LOCKED;
48769 current->mm->def_flags = def_flags;
48770 if (flags == MCL_FUTURE)
48771 goto out;
ae4e228f 48772@@ -523,6 +536,12 @@ static int do_mlockall(int flags)
58c5fc13
MT
48773 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
48774 unsigned int newflags;
48775
48776+#ifdef CONFIG_PAX_SEGMEXEC
48777+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
48778+ break;
48779+#endif
48780+
48781+ BUG_ON(vma->vm_end > TASK_SIZE);
48782 newflags = vma->vm_flags | VM_LOCKED;
48783 if (!(flags & MCL_CURRENT))
48784 newflags &= ~VM_LOCKED;
ae4e228f 48785@@ -554,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
58c5fc13
MT
48786 lock_limit >>= PAGE_SHIFT;
48787
48788 ret = -ENOMEM;
48789+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
48790 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
48791 capable(CAP_IPC_LOCK))
48792 ret = do_mlockall(flags);
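Review bot: The value handed to `gr_learn_resource()` here is `current->mm->total_vm`, a page count, whereas the other RLIMIT_MEMLOCK call sites in this patch pass bytes: `(current->mm->locked_vm << PAGE_SHIFT) + len` in mlock and `locked << PAGE_SHIFT` in do_mmap_pgoff. Assuming gr_learn_resource() expects the rlimit's own unit (its definition is not in this hunk), the learned limit for mlockall would be too small by a factor of the page size. The call should probably read `gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);`.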
ae4e228f
MT
48793diff -urNp linux-2.6.33.1/mm/mmap.c linux-2.6.33.1/mm/mmap.c
48794--- linux-2.6.33.1/mm/mmap.c 2010-03-15 12:09:39.000000000 -0400
48795+++ linux-2.6.33.1/mm/mmap.c 2010-03-20 16:58:42.264564412 -0400
48796@@ -44,6 +44,16 @@
58c5fc13
MT
48797 #define arch_rebalance_pgtables(addr, len) (addr)
48798 #endif
48799
48800+static inline void verify_mm_writelocked(struct mm_struct *mm)
48801+{
48802+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
48803+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
48804+ up_read(&mm->mmap_sem);
48805+ BUG();
48806+ }
48807+#endif
48808+}
48809+
48810 static void unmap_region(struct mm_struct *mm,
48811 struct vm_area_struct *vma, struct vm_area_struct *prev,
48812 unsigned long start, unsigned long end);
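Review bot: verify_mm_writelocked() proves less than its name suggests, and it has no comment saying so. A failed `down_read_trylock()` shows only that a reader could not get `mmap_sem` at that instant; it does not show that the current task is the one holding it for write. The helper is also empty unless CONFIG_DEBUG_VM or CONFIG_PAX is set. Add a header comment along the lines of `/* best-effort check: BUGs if mmap_sem can be read-acquired, i.e. nobody holds it for write; cannot confirm that current is the holder */` so callers do not treat it as a full lock-ownership assertion.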
ae4e228f 48813@@ -69,16 +79,25 @@ static void unmap_region(struct mm_struc
58c5fc13
MT
48814 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
48815 *
48816 */
48817-pgprot_t protection_map[16] = {
48818+pgprot_t protection_map[16] __read_only = {
48819 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
48820 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
48821 };
48822
48823 pgprot_t vm_get_page_prot(unsigned long vm_flags)
48824 {
48825- return __pgprot(pgprot_val(protection_map[vm_flags &
48826+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
48827 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
48828 pgprot_val(arch_vm_get_page_prot(vm_flags)));
48829+
48830+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
ae4e228f 48831+ if (!(__supported_pte_mask & _PAGE_NX) &&
58c5fc13
MT
48832+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
48833+ (vm_flags & (VM_READ | VM_WRITE)))
48834+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
48835+#endif
48836+
48837+ return prot;
48838 }
48839 EXPORT_SYMBOL(vm_get_page_prot);
48840
ae4e228f 48841@@ -230,6 +249,7 @@ static struct vm_area_struct *remove_vma
58c5fc13
MT
48842 struct vm_area_struct *next = vma->vm_next;
48843
48844 might_sleep();
48845+ BUG_ON(vma->vm_mirror);
48846 if (vma->vm_ops && vma->vm_ops->close)
48847 vma->vm_ops->close(vma);
48848 if (vma->vm_file) {
ae4e228f 48849@@ -266,6 +286,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
58c5fc13
MT
48850 * not page aligned -Ram Gupta
48851 */
48852 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
48853+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
48854 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
48855 (mm->end_data - mm->start_data) > rlim)
48856 goto out;
ae4e228f 48857@@ -693,6 +714,12 @@ static int
58c5fc13
MT
48858 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
48859 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48860 {
48861+
48862+#ifdef CONFIG_PAX_SEGMEXEC
48863+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
48864+ return 0;
48865+#endif
48866+
48867 if (is_mergeable_vma(vma, file, vm_flags) &&
48868 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48869 if (vma->vm_pgoff == vm_pgoff)
ae4e228f 48870@@ -712,6 +739,12 @@ static int
58c5fc13
MT
48871 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
48872 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
48873 {
48874+
48875+#ifdef CONFIG_PAX_SEGMEXEC
48876+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
48877+ return 0;
48878+#endif
48879+
48880 if (is_mergeable_vma(vma, file, vm_flags) &&
48881 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
48882 pgoff_t vm_pglen;
ae4e228f 48883@@ -754,12 +787,19 @@ can_vma_merge_after(struct vm_area_struc
58c5fc13
MT
48884 struct vm_area_struct *vma_merge(struct mm_struct *mm,
48885 struct vm_area_struct *prev, unsigned long addr,
48886 unsigned long end, unsigned long vm_flags,
48887- struct anon_vma *anon_vma, struct file *file,
48888+ struct anon_vma *anon_vma, struct file *file,
48889 pgoff_t pgoff, struct mempolicy *policy)
48890 {
48891 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
48892 struct vm_area_struct *area, *next;
48893
48894+#ifdef CONFIG_PAX_SEGMEXEC
48895+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
48896+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
48897+
48898+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
48899+#endif
48900+
48901 /*
48902 * We later require that vma->vm_flags == vm_flags,
48903 * so this tests vma->vm_flags & VM_SPECIAL, too.
ae4e228f 48904@@ -775,6 +815,15 @@ struct vm_area_struct *vma_merge(struct
58c5fc13
MT
48905 if (next && next->vm_end == end) /* cases 6, 7, 8 */
48906 next = next->vm_next;
48907
48908+#ifdef CONFIG_PAX_SEGMEXEC
48909+ if (prev)
48910+ prev_m = pax_find_mirror_vma(prev);
48911+ if (area)
48912+ area_m = pax_find_mirror_vma(area);
48913+ if (next)
48914+ next_m = pax_find_mirror_vma(next);
48915+#endif
48916+
48917 /*
48918 * Can it merge with the predecessor?
48919 */
ae4e228f 48920@@ -794,9 +843,24 @@ struct vm_area_struct *vma_merge(struct
58c5fc13
MT
48921 /* cases 1, 6 */
48922 vma_adjust(prev, prev->vm_start,
48923 next->vm_end, prev->vm_pgoff, NULL);
48924- } else /* cases 2, 5, 7 */
48925+
48926+#ifdef CONFIG_PAX_SEGMEXEC
48927+ if (prev_m)
48928+ vma_adjust(prev_m, prev_m->vm_start,
48929+ next_m->vm_end, prev_m->vm_pgoff, NULL);
48930+#endif
48931+
48932+ } else { /* cases 2, 5, 7 */
48933 vma_adjust(prev, prev->vm_start,
48934 end, prev->vm_pgoff, NULL);
48935+
48936+#ifdef CONFIG_PAX_SEGMEXEC
48937+ if (prev_m)
48938+ vma_adjust(prev_m, prev_m->vm_start,
48939+ end_m, prev_m->vm_pgoff, NULL);
48940+#endif
48941+
48942+ }
48943 return prev;
48944 }
48945
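Review bot: In the cases 1, 6 branch, `next_m->vm_end` is dereferenced under `if (prev_m)` alone, although `next_m` comes from a separate `pax_find_mirror_vma(next)` lookup that can presumably return NULL. The code relies on the unstated invariant that mergeable neighbours are either all mirrored or all unmirrored. Make that explicit with `BUG_ON(prev_m && !next_m);` before the call, or test `if (prev_m && next_m)`. The following hunk has the same pattern for cases 3, 8, where `next_m->vm_end` and `next_m->vm_pgoff` are used under `if (area_m)`.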
ae4e228f 48946@@ -807,12 +871,27 @@ struct vm_area_struct *vma_merge(struct
58c5fc13
MT
48947 mpol_equal(policy, vma_policy(next)) &&
48948 can_vma_merge_before(next, vm_flags,
48949 anon_vma, file, pgoff+pglen)) {
48950- if (prev && addr < prev->vm_end) /* case 4 */
48951+ if (prev && addr < prev->vm_end) { /* case 4 */
48952 vma_adjust(prev, prev->vm_start,
48953 addr, prev->vm_pgoff, NULL);
48954- else /* cases 3, 8 */
48955+
48956+#ifdef CONFIG_PAX_SEGMEXEC
48957+ if (prev_m)
48958+ vma_adjust(prev_m, prev_m->vm_start,
48959+ addr_m, prev_m->vm_pgoff, NULL);
48960+#endif
48961+
48962+ } else { /* cases 3, 8 */
48963 vma_adjust(area, addr, next->vm_end,
48964 next->vm_pgoff - pglen, NULL);
48965+
48966+#ifdef CONFIG_PAX_SEGMEXEC
48967+ if (area_m)
48968+ vma_adjust(area_m, addr_m, next_m->vm_end,
48969+ next_m->vm_pgoff - pglen, NULL);
48970+#endif
48971+
48972+ }
48973 return area;
48974 }
48975
ae4e228f 48976@@ -887,14 +966,11 @@ none:
58c5fc13
MT
48977 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
48978 struct file *file, long pages)
48979 {
48980- const unsigned long stack_flags
48981- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
48982-
48983 if (file) {
48984 mm->shared_vm += pages;
48985 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
48986 mm->exec_vm += pages;
48987- } else if (flags & stack_flags)
48988+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
48989 mm->stack_vm += pages;
48990 if (flags & (VM_RESERVED|VM_IO))
48991 mm->reserved_vm += pages;
ae4e228f 48992@@ -921,7 +997,7 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT
48993 * (the exception is when the underlying filesystem is noexec
48994 * mounted, in which case we dont add PROT_EXEC.)
48995 */
48996- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
48997+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
48998 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
48999 prot |= PROT_EXEC;
49000
ae4e228f 49001@@ -947,7 +1023,7 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT
49002 /* Obtain the address to map to. we verify (or select) it and ensure
49003 * that it represents a valid section of the address space.
49004 */
49005- addr = get_unmapped_area(file, addr, len, pgoff, flags);
49006+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
49007 if (addr & ~PAGE_MASK)
49008 return addr;
49009
ae4e228f 49010@@ -958,6 +1034,26 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT
49011 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
49012 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
49013
49014+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49015+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49016+
49017+#ifdef CONFIG_PAX_MPROTECT
49018+ if (mm->pax_flags & MF_PAX_MPROTECT) {
49019+ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
49020+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
49021+ else
49022+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
49023+ }
49024+#endif
49025+
49026+ }
49027+#endif
49028+
49029+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
49030+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
49031+ vm_flags &= ~VM_PAGEEXEC;
49032+#endif
49033+
ae4e228f 49034 if (flags & MAP_LOCKED)
58c5fc13
MT
49035 if (!can_do_mlock())
49036 return -EPERM;
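Review bot: Under MF_PAX_MPROTECT the test `(prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC` also covers a PROT_WRITE|PROT_EXEC request, so such an mmap succeeds but silently comes back without VM_EXEC and VM_MAYEXEC instead of failing. That policy is worth a comment at the test, e.g. `/* W^X: only a non-writable PROT_EXEC request keeps exec (and loses write/maywrite); anything else is made permanently non-executable */`, so the silent downgrade is not mistaken for an oversight. The outer `if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))` block is also empty when CONFIG_PAX_MPROTECT is off; moving the `#ifdef CONFIG_PAX_MPROTECT` outside it would avoid that. do_mmap_pgoff starts and ends outside this hunk.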
ae4e228f 49037@@ -969,6 +1065,7 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT
49038 locked += mm->locked_vm;
49039 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
49040 lock_limit >>= PAGE_SHIFT;
49041+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
49042 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
49043 return -EAGAIN;
49044 }
ae4e228f 49045@@ -1039,6 +1136,9 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT
49046 if (error)
49047 return error;
49048
49049+ if (!gr_acl_handle_mmap(file, prot))
49050+ return -EACCES;
49051+
49052 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
49053 }
49054 EXPORT_SYMBOL(do_mmap_pgoff);
ae4e228f 49055@@ -1091,10 +1191,10 @@ out:
58c5fc13
MT
49056 */
49057 int vma_wants_writenotify(struct vm_area_struct *vma)
49058 {
49059- unsigned int vm_flags = vma->vm_flags;
49060+ unsigned long vm_flags = vma->vm_flags;
49061
49062 /* If it was private or non-writable, the write bit is already clear */
49063- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
49064+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
49065 return 0;
49066
49067 /* The backer wishes to know when pages are first written to? */
ae4e228f 49068@@ -1143,14 +1243,24 @@ unsigned long mmap_region(struct file *f
58c5fc13
MT
49069 unsigned long charged = 0;
49070 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
49071
49072+#ifdef CONFIG_PAX_SEGMEXEC
49073+ struct vm_area_struct *vma_m = NULL;
49074+#endif
49075+
49076+ /*
49077+ * mm->mmap_sem is required to protect against another thread
49078+ * changing the mappings in case we sleep.
49079+ */
49080+ verify_mm_writelocked(mm);
49081+
49082 /* Clear old maps */
49083 error = -ENOMEM;
49084-munmap_back:
49085 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49086 if (vma && vma->vm_start < addr + len) {
49087 if (do_munmap(mm, addr, len))
49088 return -ENOMEM;
49089- goto munmap_back;
49090+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49091+ BUG_ON(vma && vma->vm_start < addr + len);
49092 }
49093
49094 /* Check against address space limit. */
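Review bot: Replacing the `munmap_back` retry loop with a single re-lookup and `BUG_ON(vma && vma->vm_start < addr + len)` turns a previously retried condition into a kernel crash. It is safe only if every caller holds `mmap_sem` for write, and verify_mm_writelocked() checks that only on a best-effort basis. If a fatal stop is not required here, `if (WARN_ON(vma && vma->vm_start < addr + len)) return -ENOMEM;` keeps the diagnostic while failing just the one mmap call. If the BUG is intentional, extend the comment above `verify_mm_writelocked(mm)` to say that the assertion below depends on it. mmap_region continues outside this hunk.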
ae4e228f 49095@@ -1199,6 +1309,16 @@ munmap_back:
58c5fc13
MT
49096 goto unacct_error;
49097 }
49098
49099+#ifdef CONFIG_PAX_SEGMEXEC
49100+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
49101+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49102+ if (!vma_m) {
49103+ error = -ENOMEM;
49104+ goto free_vma;
49105+ }
49106+ }
49107+#endif
49108+
49109 vma->vm_mm = mm;
49110 vma->vm_start = addr;
49111 vma->vm_end = addr + len;
ae4e228f 49112@@ -1221,6 +1341,19 @@ munmap_back:
58c5fc13
MT
49113 error = file->f_op->mmap(file, vma);
49114 if (error)
49115 goto unmap_and_free_vma;
49116+
49117+#ifdef CONFIG_PAX_SEGMEXEC
49118+ if (vma_m && (vm_flags & VM_EXECUTABLE))
49119+ added_exe_file_vma(mm);
49120+#endif
49121+
49122+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
49123+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
49124+ vma->vm_flags |= VM_PAGEEXEC;
49125+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
49126+ }
49127+#endif
49128+
49129 if (vm_flags & VM_EXECUTABLE)
49130 added_exe_file_vma(mm);
ae4e228f
MT
49131
49132@@ -1256,6 +1389,11 @@ munmap_back:
58c5fc13
MT
49133 vma_link(mm, vma, prev, rb_link, rb_parent);
49134 file = vma->vm_file;
49135
49136+#ifdef CONFIG_PAX_SEGMEXEC
49137+ if (vma_m)
49138+ pax_mirror_vma(vma_m, vma);
49139+#endif
49140+
49141 /* Once vma denies write, undo our temporary denial count */
49142 if (correct_wcount)
49143 atomic_inc(&inode->i_writecount);
ae4e228f 49144@@ -1264,6 +1402,7 @@ out:
58c5fc13
MT
49145
49146 mm->total_vm += len >> PAGE_SHIFT;
49147 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
49148+ track_exec_limit(mm, addr, addr + len, vm_flags);
49149 if (vm_flags & VM_LOCKED) {
49150 /*
49151 * makes pages present; downgrades, drops, reacquires mmap_sem
ae4e228f 49152@@ -1286,6 +1425,12 @@ unmap_and_free_vma:
58c5fc13
MT
49153 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
49154 charged = 0;
49155 free_vma:
49156+
49157+#ifdef CONFIG_PAX_SEGMEXEC
49158+ if (vma_m)
49159+ kmem_cache_free(vm_area_cachep, vma_m);
49160+#endif
49161+
49162 kmem_cache_free(vm_area_cachep, vma);
49163 unacct_error:
49164 if (charged)
ae4e228f 49165@@ -1319,6 +1464,10 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT
49166 if (flags & MAP_FIXED)
49167 return addr;
49168
49169+#ifdef CONFIG_PAX_RANDMMAP
49170+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49171+#endif
49172+
49173 if (addr) {
49174 addr = PAGE_ALIGN(addr);
49175 vma = find_vma(mm, addr);
ae4e228f 49176@@ -1327,10 +1476,10 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT
49177 return addr;
49178 }
49179 if (len > mm->cached_hole_size) {
49180- start_addr = addr = mm->free_area_cache;
49181+ start_addr = addr = mm->free_area_cache;
49182 } else {
49183- start_addr = addr = TASK_UNMAPPED_BASE;
49184- mm->cached_hole_size = 0;
49185+ start_addr = addr = mm->mmap_base;
49186+ mm->cached_hole_size = 0;
49187 }
49188
49189 full_search:
ae4e228f 49190@@ -1341,9 +1490,8 @@ full_search:
58c5fc13
MT
49191 * Start a new search - just in case we missed
49192 * some holes.
49193 */
49194- if (start_addr != TASK_UNMAPPED_BASE) {
49195- addr = TASK_UNMAPPED_BASE;
49196- start_addr = addr;
49197+ if (start_addr != mm->mmap_base) {
49198+ start_addr = addr = mm->mmap_base;
49199 mm->cached_hole_size = 0;
49200 goto full_search;
49201 }
ae4e228f 49202@@ -1365,10 +1513,16 @@ full_search:
58c5fc13
MT
49203
49204 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
49205 {
49206+
49207+#ifdef CONFIG_PAX_SEGMEXEC
49208+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49209+ return;
49210+#endif
49211+
49212 /*
49213 * Is this a new hole at the lowest possible address?
49214 */
49215- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
49216+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
49217 mm->free_area_cache = addr;
49218 mm->cached_hole_size = ~0UL;
49219 }
ae4e228f 49220@@ -1386,7 +1540,7 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT
49221 {
49222 struct vm_area_struct *vma;
49223 struct mm_struct *mm = current->mm;
49224- unsigned long addr = addr0;
49225+ unsigned long base = mm->mmap_base, addr = addr0;
49226
49227 /* requested length too big for entire address space */
49228 if (len > TASK_SIZE)
ae4e228f 49229@@ -1395,6 +1549,10 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT
49230 if (flags & MAP_FIXED)
49231 return addr;
49232
49233+#ifdef CONFIG_PAX_RANDMMAP
49234+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
49235+#endif
49236+
49237 /* requesting a specific address */
49238 if (addr) {
49239 addr = PAGE_ALIGN(addr);
ae4e228f 49240@@ -1452,13 +1610,21 @@ bottomup:
58c5fc13
MT
49241 * can happen with large stack limits and large mmap()
49242 * allocations.
49243 */
49244+ mm->mmap_base = TASK_UNMAPPED_BASE;
49245+
49246+#ifdef CONFIG_PAX_RANDMMAP
49247+ if (mm->pax_flags & MF_PAX_RANDMMAP)
49248+ mm->mmap_base += mm->delta_mmap;
49249+#endif
49250+
49251+ mm->free_area_cache = mm->mmap_base;
49252 mm->cached_hole_size = ~0UL;
49253- mm->free_area_cache = TASK_UNMAPPED_BASE;
49254 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
49255 /*
49256 * Restore the topdown base:
49257 */
49258- mm->free_area_cache = mm->mmap_base;
49259+ mm->mmap_base = base;
49260+ mm->free_area_cache = base;
49261 mm->cached_hole_size = ~0UL;
49262
49263 return addr;
ae4e228f 49264@@ -1467,6 +1633,12 @@ bottomup:
58c5fc13
MT
49265
49266 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
49267 {
49268+
49269+#ifdef CONFIG_PAX_SEGMEXEC
49270+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
49271+ return;
49272+#endif
49273+
49274 /*
49275 * Is this a new hole at the highest possible address?
49276 */
ae4e228f 49277@@ -1474,8 +1646,10 @@ void arch_unmap_area_topdown(struct mm_s
58c5fc13
MT
49278 mm->free_area_cache = addr;
49279
49280 /* dont allow allocations above current base */
49281- if (mm->free_area_cache > mm->mmap_base)
49282+ if (mm->free_area_cache > mm->mmap_base) {
49283 mm->free_area_cache = mm->mmap_base;
49284+ mm->cached_hole_size = ~0UL;
49285+ }
49286 }
49287
49288 unsigned long
ae4e228f 49289@@ -1583,6 +1757,27 @@ out:
58c5fc13
MT
49290 return prev ? prev->vm_next : vma;
49291 }
49292
49293+#ifdef CONFIG_PAX_SEGMEXEC
49294+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
49295+{
49296+ struct vm_area_struct *vma_m;
49297+
49298+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
49299+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
49300+ BUG_ON(vma->vm_mirror);
49301+ return NULL;
49302+ }
49303+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
49304+ vma_m = vma->vm_mirror;
49305+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
49306+ BUG_ON(vma->vm_file != vma_m->vm_file);
49307+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
49308+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
49309+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
49310+ return vma_m;
49311+}
49312+#endif
49313+
49314 /*
49315 * Verify that the stack growth is acceptable and
49316 * update accounting. This is shared with both the
ae4e228f 49317@@ -1599,6 +1794,7 @@ static int acct_stack_growth(struct vm_a
58c5fc13
MT
49318 return -ENOMEM;
49319
49320 /* Stack limit test */
49321+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
49322 if (size > rlim[RLIMIT_STACK].rlim_cur)
49323 return -ENOMEM;
49324
ae4e228f 49325@@ -1608,6 +1804,7 @@ static int acct_stack_growth(struct vm_a
58c5fc13
MT
49326 unsigned long limit;
49327 locked = mm->locked_vm + grow;
49328 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
49329+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
49330 if (locked > limit && !capable(CAP_IPC_LOCK))
49331 return -ENOMEM;
49332 }
ae4e228f 49333@@ -1643,35 +1840,40 @@ static
58c5fc13
MT
49334 #endif
49335 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
49336 {
49337- int error;
49338+ int error, locknext;
49339
49340 if (!(vma->vm_flags & VM_GROWSUP))
49341 return -EFAULT;
49342
49343+ /* Also guard against wrapping around to address 0. */
49344+ if (address < PAGE_ALIGN(address+1))
49345+ address = PAGE_ALIGN(address+1);
49346+ else
49347+ return -ENOMEM;
49348+
49349 /*
49350 * We must make sure the anon_vma is allocated
49351 * so that the anon_vma locking is not a noop.
49352 */
49353 if (unlikely(anon_vma_prepare(vma)))
49354 return -ENOMEM;
49355+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
49356+ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
49357+ return -ENOMEM;
49358 anon_vma_lock(vma);
49359+ if (locknext)
49360+ anon_vma_lock(vma->vm_next);
49361
49362 /*
49363 * vma->vm_start/vm_end cannot change under us because the caller
49364 * is required to hold the mmap_sem in read mode. We need the
49365- * anon_vma lock to serialize against concurrent expand_stacks.
49366- * Also guard against wrapping around to address 0.
49367+ * anon_vma locks to serialize against concurrent expand_stacks
49368+ * and expand_upwards.
49369 */
49370- if (address < PAGE_ALIGN(address+4))
49371- address = PAGE_ALIGN(address+4);
49372- else {
49373- anon_vma_unlock(vma);
49374- return -ENOMEM;
49375- }
49376 error = 0;
49377
49378 /* Somebody else might have raced and expanded it already */
49379- if (address > vma->vm_end) {
49380+ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
49381 unsigned long size, grow;
49382
49383 size = address - vma->vm_start;
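Review bot: expand_upwards now holds two anon_vma locks at once (`anon_vma_lock(vma)` then `anon_vma_lock(vma->vm_next)`), but the rewritten block comment does not record the ordering rule or what happens if both VMAs point to the same anon_vma. expand_downwards in a later hunk takes `prev` before `vma`, so both paths appear to lock the lower-addressed VMA first; that convention deserves a line in the comment, e.g. `/* lock order: lower-addressed vma first, see expand_downwards */`. Whether the two VMAs can ever share an anon_vma cannot be determined from this hunk; if they can, the second acquisition would have to be skipped. The function continues in the next hunk.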
ae4e228f 49384@@ -1681,6 +1883,8 @@ int expand_upwards(struct vm_area_struct
58c5fc13
MT
49385 if (!error)
49386 vma->vm_end = address;
49387 }
49388+ if (locknext)
49389+ anon_vma_unlock(vma->vm_next);
49390 anon_vma_unlock(vma);
49391 return error;
49392 }
ae4e228f 49393@@ -1692,7 +1896,8 @@ int expand_upwards(struct vm_area_struct
58c5fc13
MT
49394 static int expand_downwards(struct vm_area_struct *vma,
49395 unsigned long address)
49396 {
49397- int error;
49398+ int error, lockprev = 0;
49399+ struct vm_area_struct *prev = NULL;
49400
49401 /*
49402 * We must make sure the anon_vma is allocated
ae4e228f 49403@@ -1706,6 +1911,15 @@ static int expand_downwards(struct vm_ar
58c5fc13
MT
49404 if (error)
49405 return error;
49406
49407+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
49408+ find_vma_prev(vma->vm_mm, address, &prev);
49409+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
49410+#endif
49411+ if (lockprev && unlikely(anon_vma_prepare(prev)))
49412+ return -ENOMEM;
49413+ if (lockprev)
49414+ anon_vma_lock(prev);
49415+
49416 anon_vma_lock(vma);
49417
49418 /*
ae4e228f 49419@@ -1715,9 +1929,15 @@ static int expand_downwards(struct vm_ar
58c5fc13
MT
49420 */
49421
49422 /* Somebody else might have raced and expanded it already */
49423- if (address < vma->vm_start) {
49424+ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
49425 unsigned long size, grow;
49426
49427+#ifdef CONFIG_PAX_SEGMEXEC
49428+ struct vm_area_struct *vma_m;
49429+
49430+ vma_m = pax_find_mirror_vma(vma);
49431+#endif
49432+
49433 size = vma->vm_end - address;
49434 grow = (vma->vm_start - address) >> PAGE_SHIFT;
49435
ae4e228f 49436@@ -1725,9 +1945,20 @@ static int expand_downwards(struct vm_ar
58c5fc13
MT
49437 if (!error) {
49438 vma->vm_start = address;
49439 vma->vm_pgoff -= grow;
49440+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
49441+
49442+#ifdef CONFIG_PAX_SEGMEXEC
49443+ if (vma_m) {
49444+ vma_m->vm_start -= grow << PAGE_SHIFT;
49445+ vma_m->vm_pgoff -= grow;
49446+ }
49447+#endif
49448+
49449 }
49450 }
49451 anon_vma_unlock(vma);
49452+ if (lockprev)
49453+ anon_vma_unlock(prev);
49454 return error;
49455 }
49456
ae4e228f 49457@@ -1803,6 +2034,13 @@ static void remove_vma_list(struct mm_st
58c5fc13
MT
49458 do {
49459 long nrpages = vma_pages(vma);
49460
49461+#ifdef CONFIG_PAX_SEGMEXEC
49462+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
49463+ vma = remove_vma(vma);
49464+ continue;
49465+ }
49466+#endif
49467+
49468 mm->total_vm -= nrpages;
49469 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
49470 vma = remove_vma(vma);
ae4e228f 49471@@ -1847,6 +2085,16 @@ detach_vmas_to_be_unmapped(struct mm_str
58c5fc13
MT
49472
49473 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
49474 do {
49475+
49476+#ifdef CONFIG_PAX_SEGMEXEC
49477+ if (vma->vm_mirror) {
49478+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
49479+ vma->vm_mirror->vm_mirror = NULL;
49480+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
49481+ vma->vm_mirror = NULL;
49482+ }
49483+#endif
49484+
49485 rb_erase(&vma->vm_rb, &mm->mm_rb);
49486 mm->map_count--;
49487 tail_vma = vma;
ae4e228f
MT
49488@@ -1872,14 +2120,33 @@ static int __split_vma(struct mm_struct
49489 struct mempolicy *pol;
49490 struct vm_area_struct *new;
49491
58c5fc13 49492+#ifdef CONFIG_PAX_SEGMEXEC
ae4e228f 49493+ struct vm_area_struct *vma_m, *new_m = NULL;
58c5fc13 49494+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
ae4e228f 49495+#endif
58c5fc13 49496+
ae4e228f
MT
49497 if (is_vm_hugetlb_page(vma) && (addr &
49498 ~(huge_page_mask(hstate_vma(vma)))))
49499 return -EINVAL;
49500
49501+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13 49502+ vma_m = pax_find_mirror_vma(vma);
ae4e228f 49503+#endif
58c5fc13 49504+
ae4e228f
MT
49505 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49506 if (!new)
49507 return -ENOMEM;
49508
49509+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13
MT
49510+ if (vma_m) {
49511+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49512+ if (!new_m) {
49513+ kmem_cache_free(vm_area_cachep, new);
49514+ return -ENOMEM;
49515+ }
49516+ }
ae4e228f 49517+#endif
58c5fc13 49518+
ae4e228f
MT
49519 /* most fields are the same, copy all, and then fixup */
49520 *new = *vma;
49521
49522@@ -1890,8 +2157,29 @@ static int __split_vma(struct mm_struct
49523 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
49524 }
49525
49526+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13
MT
49527+ if (vma_m) {
49528+ *new_m = *vma_m;
49529+ new_m->vm_mirror = new;
49530+ new->vm_mirror = new_m;
49531+
49532+ if (new_below)
49533+ new_m->vm_end = addr_m;
49534+ else {
49535+ new_m->vm_start = addr_m;
49536+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
49537+ }
49538+ }
ae4e228f
MT
49539+#endif
49540+
49541 pol = mpol_dup(vma_policy(vma));
49542 if (IS_ERR(pol)) {
58c5fc13 49543+
ae4e228f 49544+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13
MT
49545+ if (new_m)
49546+ kmem_cache_free(vm_area_cachep, new_m);
ae4e228f 49547+#endif
58c5fc13 49548+
ae4e228f
MT
49549 kmem_cache_free(vm_area_cachep, new);
49550 return PTR_ERR(pol);
49551 }
49552@@ -1912,6 +2200,28 @@ static int __split_vma(struct mm_struct
49553 else
49554 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
49555
49556+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13
MT
49557+ if (vma_m) {
49558+ mpol_get(pol);
49559+ vma_set_policy(new_m, pol);
49560+
49561+ if (new_m->vm_file) {
49562+ get_file(new_m->vm_file);
49563+ if (vma_m->vm_flags & VM_EXECUTABLE)
49564+ added_exe_file_vma(mm);
49565+ }
49566+
49567+ if (new_m->vm_ops && new_m->vm_ops->open)
49568+ new_m->vm_ops->open(new_m);
49569+
49570+ if (new_below)
49571+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
49572+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
49573+ else
49574+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
49575+ }
ae4e228f 49576+#endif
58c5fc13 49577+
58c5fc13
MT
49578 return 0;
49579 }
ae4e228f
MT
49580
49581@@ -1922,6 +2232,15 @@ static int __split_vma(struct mm_struct
49582 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
49583 unsigned long addr, int new_below)
49584 {
49585+
49586+#ifdef CONFIG_PAX_SEGMEXEC
49587+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
49588+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
49589+ if (mm->map_count >= sysctl_max_map_count-1)
49590+ return -ENOMEM;
49591+ } else
58c5fc13 49592+#endif
ae4e228f
MT
49593+
49594 if (mm->map_count >= sysctl_max_map_count)
49595 return -ENOMEM;
58c5fc13 49596
ae4e228f 49597@@ -1933,11 +2252,30 @@ int split_vma(struct mm_struct *mm, stru
58c5fc13
MT
49598 * work. This now handles partial unmappings.
49599 * Jeremy Fitzhardinge <jeremy@goop.org>
49600 */
49601+#ifdef CONFIG_PAX_SEGMEXEC
49602 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49603 {
49604+ int ret = __do_munmap(mm, start, len);
49605+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
49606+ return ret;
49607+
49608+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
49609+}
49610+
49611+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49612+#else
49613+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
49614+#endif
49615+{
49616 unsigned long end;
49617 struct vm_area_struct *vma, *prev, *last;
49618
49619+ /*
49620+ * mm->mmap_sem is required to protect against another thread
49621+ * changing the mappings in case we sleep.
49622+ */
49623+ verify_mm_writelocked(mm);
49624+
49625 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
49626 return -EINVAL;
49627
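Review bot: The SEGMEXEC `do_munmap` wrapper is not atomic: if the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` fails, the lower range has already been unmapped and the caller sees only the error. It also relies on every caller keeping `start + len` below `SEGMEXEC_TASK_SIZE`; the munmap syscall hunk adds that check, but other callers of `do_munmap` are outside this view. I would state both points in a comment above the wrapper, e.g. `/* callers must bound the range by SEGMEXEC_TASK_SIZE; a failure on the mirror range leaves the primary range unmapped */`. The body of `__do_munmap` continues outside the hunk.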
ae4e228f 49628@@ -2011,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
58c5fc13
MT
49629 /* Fix up all other VM information */
49630 remove_vma_list(mm, vma);
49631
49632+ track_exec_limit(mm, start, end, 0UL);
49633+
49634 return 0;
49635 }
49636
ae4e228f 49637@@ -2023,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
58c5fc13
MT
49638
49639 profile_munmap(addr);
49640
49641+#ifdef CONFIG_PAX_SEGMEXEC
49642+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
49643+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
49644+ return -EINVAL;
49645+#endif
49646+
49647 down_write(&mm->mmap_sem);
49648 ret = do_munmap(mm, addr, len);
49649 up_write(&mm->mmap_sem);
49650 return ret;
49651 }
49652
49653-static inline void verify_mm_writelocked(struct mm_struct *mm)
49654-{
49655-#ifdef CONFIG_DEBUG_VM
49656- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
49657- WARN_ON(1);
49658- up_read(&mm->mmap_sem);
49659- }
49660-#endif
49661-}
49662-
49663 /*
49664 * this is really a simplified "do_mmap". it only handles
49665 * anonymous maps. eventually we may be able to do some
ae4e228f 49666@@ -2052,6 +2388,11 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT
49667 struct rb_node ** rb_link, * rb_parent;
49668 pgoff_t pgoff = addr >> PAGE_SHIFT;
49669 int error;
49670+ unsigned long charged;
49671+
49672+#ifdef CONFIG_PAX_SEGMEXEC
49673+ struct vm_area_struct *vma_m = NULL;
49674+#endif
49675
49676 len = PAGE_ALIGN(len);
49677 if (!len)
ae4e228f 49678@@ -2063,16 +2404,30 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT
49679
49680 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
49681
49682+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49683+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49684+ flags &= ~VM_EXEC;
49685+
49686+#ifdef CONFIG_PAX_MPROTECT
49687+ if (mm->pax_flags & MF_PAX_MPROTECT)
49688+ flags &= ~VM_MAYEXEC;
49689+#endif
49690+
49691+ }
49692+#endif
49693+
ae4e228f
MT
49694 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
49695 if (error & ~PAGE_MASK)
58c5fc13
MT
49696 return error;
49697
49698+ charged = len >> PAGE_SHIFT;
49699+
49700 /*
49701 * mlock MCL_FUTURE?
49702 */
49703 if (mm->def_flags & VM_LOCKED) {
49704 unsigned long locked, lock_limit;
49705- locked = len >> PAGE_SHIFT;
49706+ locked = charged;
49707 locked += mm->locked_vm;
49708 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
49709 lock_limit >>= PAGE_SHIFT;
ae4e228f 49710@@ -2089,22 +2444,22 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT
49711 /*
49712 * Clear old maps. this also does some error checking for us
49713 */
49714- munmap_back:
49715 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49716 if (vma && vma->vm_start < addr + len) {
49717 if (do_munmap(mm, addr, len))
49718 return -ENOMEM;
49719- goto munmap_back;
49720+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
49721+ BUG_ON(vma && vma->vm_start < addr + len);
49722 }
49723
49724 /* Check against address space limits *after* clearing old maps... */
49725- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
49726+ if (!may_expand_vm(mm, charged))
49727 return -ENOMEM;
49728
49729 if (mm->map_count > sysctl_max_map_count)
49730 return -ENOMEM;
49731
49732- if (security_vm_enough_memory(len >> PAGE_SHIFT))
49733+ if (security_vm_enough_memory(charged))
49734 return -ENOMEM;
49735
49736 /* Can we just expand an old private anonymous mapping? */
ae4e228f 49737@@ -2118,10 +2473,21 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT
49738 */
49739 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49740 if (!vma) {
49741- vm_unacct_memory(len >> PAGE_SHIFT);
49742+ vm_unacct_memory(charged);
49743 return -ENOMEM;
49744 }
49745
49746+#ifdef CONFIG_PAX_SEGMEXEC
49747+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
49748+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49749+ if (!vma_m) {
49750+ kmem_cache_free(vm_area_cachep, vma);
49751+ vm_unacct_memory(charged);
49752+ return -ENOMEM;
49753+ }
49754+ }
49755+#endif
49756+
49757 vma->vm_mm = mm;
49758 vma->vm_start = addr;
49759 vma->vm_end = addr + len;
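Review bot: `vma_m` is allocated here, but none of the do_brk hunks on this page pass it to `pax_mirror_vma()` or free it, so it would leak if this branch were ever taken. An earlier do_brk hunk clears `VM_EXEC` from `flags` whenever `mm->pax_flags` has `MF_PAX_PAGEEXEC` or `MF_PAX_SEGMEXEC` set, which appears to make `(mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)` always false. Either drop the allocation together with the `vma_m` declaration, or complete the path the way insert_vm_struct does, with `if (vma_m) pax_mirror_vma(vma_m, vma);` after `vma_link()`. The lines between this hunk and the next do_brk hunk are unchanged context that is not shown, so this should be confirmed against the full function.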
ae4e228f 49760@@ -2130,11 +2496,12 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT
49761 vma->vm_page_prot = vm_get_page_prot(flags);
49762 vma_link(mm, vma, prev, rb_link, rb_parent);
49763 out:
49764- mm->total_vm += len >> PAGE_SHIFT;
49765+ mm->total_vm += charged;
49766 if (flags & VM_LOCKED) {
49767 if (!mlock_vma_pages_range(vma, addr, addr + len))
49768- mm->locked_vm += (len >> PAGE_SHIFT);
49769+ mm->locked_vm += charged;
49770 }
49771+ track_exec_limit(mm, addr, addr + len, flags);
49772 return addr;
49773 }
49774
ae4e228f 49775@@ -2181,8 +2548,10 @@ void exit_mmap(struct mm_struct *mm)
58c5fc13
MT
49776 * Walk the list again, actually closing and freeing it,
49777 * with preemption enabled, without holding any MM locks.
49778 */
49779- while (vma)
49780+ while (vma) {
49781+ vma->vm_mirror = NULL;
49782 vma = remove_vma(vma);
49783+ }
49784
49785 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
49786 }
ae4e228f 49787@@ -2196,6 +2565,10 @@ int insert_vm_struct(struct mm_struct *
58c5fc13
MT
49788 struct vm_area_struct * __vma, * prev;
49789 struct rb_node ** rb_link, * rb_parent;
49790
49791+#ifdef CONFIG_PAX_SEGMEXEC
49792+ struct vm_area_struct *vma_m = NULL;
49793+#endif
49794+
49795 /*
49796 * The vm_pgoff of a purely anonymous vma should be irrelevant
49797 * until its first write fault, when page's anon_vma and index
ae4e228f 49798@@ -2218,7 +2591,22 @@ int insert_vm_struct(struct mm_struct *
58c5fc13
MT
49799 if ((vma->vm_flags & VM_ACCOUNT) &&
49800 security_vm_enough_memory_mm(mm, vma_pages(vma)))
49801 return -ENOMEM;
49802+
49803+#ifdef CONFIG_PAX_SEGMEXEC
49804+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
49805+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
49806+ if (!vma_m)
49807+ return -ENOMEM;
49808+ }
49809+#endif
49810+
49811 vma_link(mm, vma, prev, rb_link, rb_parent);
49812+
49813+#ifdef CONFIG_PAX_SEGMEXEC
49814+ if (vma_m)
49815+ pax_mirror_vma(vma_m, vma);
49816+#endif
49817+
49818 return 0;
49819 }
49820
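Review bot: The new `return -ENOMEM` for a failed `vma_m` allocation comes after `security_vm_enough_memory_mm()` has already succeeded for a `VM_ACCOUNT` mapping, and nothing on this path gives that charge back. The equivalent failure path this patch adds to do_brk calls `vm_unacct_memory(charged)`. Here the branch should do the same before returning, `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));`, or the allocation should move ahead of the accounting check. The start of insert_vm_struct is outside the hunk.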
ae4e228f 49821@@ -2236,6 +2624,8 @@ struct vm_area_struct *copy_vma(struct v
58c5fc13
MT
49822 struct rb_node **rb_link, *rb_parent;
49823 struct mempolicy *pol;
49824
49825+ BUG_ON(vma->vm_mirror);
49826+
49827 /*
49828 * If anonymous vma has not yet been faulted, update new pgoff
49829 * to match new location, to increase its chance of merging.
ae4e228f 49830@@ -2279,6 +2669,35 @@ struct vm_area_struct *copy_vma(struct v
58c5fc13
MT
49831 return new_vma;
49832 }
49833
49834+#ifdef CONFIG_PAX_SEGMEXEC
49835+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
49836+{
49837+ struct vm_area_struct *prev_m;
49838+ struct rb_node **rb_link_m, *rb_parent_m;
49839+ struct mempolicy *pol_m;
49840+
49841+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
49842+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
49843+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
49844+ *vma_m = *vma;
49845+ pol_m = vma_policy(vma_m);
49846+ mpol_get(pol_m);
49847+ vma_set_policy(vma_m, pol_m);
49848+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
49849+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
49850+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
49851+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
49852+ if (vma_m->vm_file)
49853+ get_file(vma_m->vm_file);
49854+ if (vma_m->vm_ops && vma_m->vm_ops->open)
49855+ vma_m->vm_ops->open(vma_m);
49856+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
49857+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
49858+ vma_m->vm_mirror = vma;
49859+ vma->vm_mirror = vma_m;
49860+}
49861+#endif
49862+
49863 /*
49864 * Return true if the calling process may expand its vm space by the passed
49865 * number of pages
ae4e228f 49866@@ -2289,7 +2708,7 @@ int may_expand_vm(struct mm_struct *mm,
58c5fc13
MT
49867 unsigned long lim;
49868
49869 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
49870-
49871+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
49872 if (cur + npages > lim)
49873 return 0;
49874 return 1;
ae4e228f 49875@@ -2358,6 +2777,15 @@ int install_special_mapping(struct mm_st
58c5fc13
MT
49876 vma->vm_start = addr;
49877 vma->vm_end = addr + len;
49878
49879+#ifdef CONFIG_PAX_MPROTECT
49880+ if (mm->pax_flags & MF_PAX_MPROTECT) {
49881+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
49882+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
49883+ else
49884+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
49885+ }
49886+#endif
49887+
49888 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
49889 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
49890
ae4e228f
MT
49891diff -urNp linux-2.6.33.1/mm/mprotect.c linux-2.6.33.1/mm/mprotect.c
49892--- linux-2.6.33.1/mm/mprotect.c 2010-03-15 12:09:39.000000000 -0400
49893+++ linux-2.6.33.1/mm/mprotect.c 2010-03-20 16:58:42.264564412 -0400
58c5fc13
MT
49894@@ -24,10 +24,16 @@
49895 #include <linux/mmu_notifier.h>
49896 #include <linux/migrate.h>
ae4e228f 49897 #include <linux/perf_event.h>
58c5fc13
MT
49898+
49899+#ifdef CONFIG_PAX_MPROTECT
49900+#include <linux/elf.h>
49901+#endif
49902+
49903 #include <asm/uaccess.h>
49904 #include <asm/pgtable.h>
49905 #include <asm/cacheflush.h>
49906 #include <asm/tlbflush.h>
49907+#include <asm/mmu_context.h>
49908
49909 #ifndef pgprot_modify
49910 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
49911@@ -132,6 +138,48 @@ static void change_protection(struct vm_
49912 flush_tlb_range(vma, start, end);
49913 }
49914
49915+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49916+/* called while holding the mmap semaphor for writing except stack expansion */
49917+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
49918+{
49919+ unsigned long oldlimit, newlimit = 0UL;
49920+
ae4e228f 49921+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
58c5fc13
MT
49922+ return;
49923+
49924+ spin_lock(&mm->page_table_lock);
49925+ oldlimit = mm->context.user_cs_limit;
49926+ if ((prot & VM_EXEC) && oldlimit < end)
49927+ /* USER_CS limit moved up */
49928+ newlimit = end;
49929+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
49930+ /* USER_CS limit moved down */
49931+ newlimit = start;
49932+
49933+ if (newlimit) {
49934+ mm->context.user_cs_limit = newlimit;
49935+
49936+#ifdef CONFIG_SMP
49937+ wmb();
49938+ cpus_clear(mm->context.cpu_user_cs_mask);
49939+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
49940+#endif
49941+
49942+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
49943+ }
49944+ spin_unlock(&mm->page_table_lock);
49945+ if (newlimit == end) {
49946+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
49947+
49948+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
49949+ if (is_vm_hugetlb_page(vma))
49950+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
49951+ else
49952+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
49953+ }
49954+}
49955+#endif
49956+
49957 int
49958 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
49959 unsigned long start, unsigned long end, unsigned long newflags)
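Review bot: track_exec_limit's header comment says it runs with the mmap semaphore held for writing "except stack expansion", but it does not say what protects the `find_vma()` walk and the `change_protection()` calls after `spin_unlock(&mm->page_table_lock)` in that exceptional case. expand_downwards calls this function while holding anon_vma locks, so the locking expectation should be spelled out in the comment (and "semaphor" corrected). The multi-line `for` body with its unbraced `if`/`else` would read more safely with braces. The use of `newlimit == 0` to mean "no change" also deserves a short comment.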
49960@@ -144,6 +192,14 @@ mprotect_fixup(struct vm_area_struct *vm
49961 int error;
49962 int dirty_accountable = 0;
49963
49964+#ifdef CONFIG_PAX_SEGMEXEC
49965+ struct vm_area_struct *vma_m = NULL;
49966+ unsigned long start_m, end_m;
49967+
49968+ start_m = start + SEGMEXEC_TASK_SIZE;
49969+ end_m = end + SEGMEXEC_TASK_SIZE;
49970+#endif
49971+
49972 if (newflags == oldflags) {
49973 *pprev = vma;
49974 return 0;
49975@@ -165,6 +221,38 @@ mprotect_fixup(struct vm_area_struct *vm
49976 }
49977 }
49978
49979+#ifdef CONFIG_PAX_SEGMEXEC
49980+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
49981+ if (start != vma->vm_start) {
49982+ error = split_vma(mm, vma, start, 1);
49983+ if (error)
49984+ goto fail;
49985+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
49986+ *pprev = (*pprev)->vm_next;
49987+ }
49988+
49989+ if (end != vma->vm_end) {
49990+ error = split_vma(mm, vma, end, 0);
49991+ if (error)
49992+ goto fail;
49993+ }
49994+
49995+ if (pax_find_mirror_vma(vma)) {
49996+ error = __do_munmap(mm, start_m, end_m - start_m);
49997+ if (error)
49998+ goto fail;
49999+ } else {
50000+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
50001+ if (!vma_m) {
50002+ error = -ENOMEM;
50003+ goto fail;
50004+ }
50005+ vma->vm_flags = newflags;
50006+ pax_mirror_vma(vma_m, vma);
50007+ }
50008+ }
50009+#endif
50010+
50011 /*
50012 * First try to merge with previous and/or next vma.
50013 */
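Review bot: The early `vma->vm_flags = newflags;` just before `pax_mirror_vma(vma_m, vma)` looks redundant with the assignment at `success:` and has no comment explaining it. Judging from the pax_mirror_vma hunk in mm/mmap.c, it is needed because that function has a `BUG_ON` on `!(vma->vm_flags & VM_EXEC)` and copies `*vma` into the mirror, so the new flags must already be in place. I would add `/* pax_mirror_vma() copies vma and requires VM_EXEC to be set already */` above the assignment. The rest of mprotect_fixup is outside this hunk.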
50014@@ -196,8 +284,14 @@ success:
50015 * held in write mode.
50016 */
50017 vma->vm_flags = newflags;
50018+
50019+#ifdef CONFIG_PAX_MPROTECT
ae4e228f
MT
50020+ if (mm->binfmt && mm->binfmt->handle_mprotect)
50021+ mm->binfmt->handle_mprotect(vma, newflags);
58c5fc13
MT
50022+#endif
50023+
50024 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
50025- vm_get_page_prot(newflags));
50026+ vm_get_page_prot(vma->vm_flags));
50027
50028 if (vma_wants_writenotify(vma)) {
50029 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
50030@@ -238,6 +332,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50031 end = start + len;
50032 if (end <= start)
50033 return -ENOMEM;
50034+
50035+#ifdef CONFIG_PAX_SEGMEXEC
50036+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50037+ if (end > SEGMEXEC_TASK_SIZE)
50038+ return -EINVAL;
50039+ } else
50040+#endif
50041+
50042+ if (end > TASK_SIZE)
50043+ return -EINVAL;
50044+
50045 if (!arch_validate_prot(prot))
50046 return -EINVAL;
50047
50048@@ -245,7 +350,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50049 /*
50050 * Does the application expect PROT_READ to imply PROT_EXEC:
50051 */
50052- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
50053+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
50054 prot |= PROT_EXEC;
50055
50056 vm_flags = calc_vm_prot_bits(prot);
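Review bot: The comment kept above the changed condition still says that `PROT_READ` implies `PROT_EXEC`, but the new test `prot & (PROT_READ | PROT_WRITE)` also adds `PROT_EXEC` for write-only requests under `READ_IMPLIES_EXEC`. The comment should be updated to match, e.g. `/* READ_IMPLIES_EXEC: PROT_READ or PROT_WRITE implies PROT_EXEC */`, ideally with a word on why write-only requests are included.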
50057@@ -277,6 +382,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50058 if (start > vma->vm_start)
50059 prev = vma;
50060
50061+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
50062+ error = -EACCES;
50063+ goto out;
50064+ }
50065+
50066+#ifdef CONFIG_PAX_MPROTECT
ae4e228f
MT
50067+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
50068+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
58c5fc13
MT
50069+#endif
50070+
50071 for (nstart = start ; ; ) {
50072 unsigned long newflags;
50073
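Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` is called once, on the VMA found for `start`, before the `for (nstart = start ; ; )` loop, so when the requested range covers several VMAs only the first one's backing file is checked. The `handle_mprotect(vma, vm_flags)` call added beside it has the same placement. If the check is meant to apply per mapping (its implementation is not on this page), both calls belong inside the loop, ahead of `mprotect_fixup()`. The loop body continues outside the hunk.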
50074@@ -301,6 +416,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
50075 if (error)
50076 goto out;
ae4e228f 50077 perf_event_mmap(vma);
58c5fc13
MT
50078+
50079+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
50080+
50081 nstart = tmp;
50082
50083 if (nstart < prev->vm_end)
ae4e228f
MT
50084diff -urNp linux-2.6.33.1/mm/mremap.c linux-2.6.33.1/mm/mremap.c
50085--- linux-2.6.33.1/mm/mremap.c 2010-03-15 12:09:39.000000000 -0400
50086+++ linux-2.6.33.1/mm/mremap.c 2010-03-20 16:58:42.264564412 -0400
50087@@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
58c5fc13
MT
50088 continue;
50089 pte = ptep_clear_flush(vma, old_addr, old_pte);
50090 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
50091+
50092+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
ae4e228f 50093+ if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
58c5fc13
MT
50094+ pte = pte_exprotect(pte);
50095+#endif
50096+
50097 set_pte_at(mm, new_addr, new_pte, pte);
50098 }
50099
ae4e228f
MT
50100@@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
50101 if (is_vm_hugetlb_page(vma))
50102 goto Einval;
50103
50104+#ifdef CONFIG_PAX_SEGMEXEC
50105+ if (pax_find_mirror_vma(vma))
50106+ goto Einval;
50107+#endif
50108+
50109 /* We can't remap across vm area boundaries */
50110 if (old_len > vma->vm_end - addr)
50111 goto Efault;
50112@@ -322,20 +333,23 @@ static unsigned long mremap_to(unsigned
50113 unsigned long ret = -EINVAL;
50114 unsigned long charged = 0;
50115 unsigned long map_flags;
50116+ unsigned long pax_task_size = TASK_SIZE;
50117
50118 if (new_addr & ~PAGE_MASK)
50119 goto out;
50120
50121- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
50122+#ifdef CONFIG_PAX_SEGMEXEC
50123+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
50124+ pax_task_size = SEGMEXEC_TASK_SIZE;
50125+#endif
50126+
50127+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
50128 goto out;
50129
50130 /* Check if the location we're moving into overlaps the
50131 * old location at all, and fail if it does.
50132 */
50133- if ((new_addr <= addr) && (new_addr+new_len) > addr)
50134- goto out;
50135-
50136- if ((addr <= new_addr) && (addr+old_len) > new_addr)
50137+ if (addr + old_len > new_addr && new_addr + new_len > addr)
50138 goto out;
50139
50140 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
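Review bot: `new_len` is still compared against `TASK_SIZE` while `new_addr` is compared against `pax_task_size - new_len`. With SEGMEXEC active, a `new_len` between `SEGMEXEC_TASK_SIZE` and `TASK_SIZE` makes the unsigned subtraction wrap, and the bound on `new_addr` then rejects nothing. The check added to do_mremap in a later hunk rejects `new_len > pax_task_size` first, so this is safe only as long as mremap_to has no other caller. Using the same limit on both sides, `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`, removes that dependency. The body of mremap_to continues outside the hunk.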
50141@@ -407,6 +421,7 @@ unsigned long do_mremap(unsigned long ad
58c5fc13
MT
50142 struct vm_area_struct *vma;
50143 unsigned long ret = -EINVAL;
50144 unsigned long charged = 0;
50145+ unsigned long pax_task_size = TASK_SIZE;
50146
50147 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
50148 goto out;
ae4e228f 50149@@ -425,6 +440,15 @@ unsigned long do_mremap(unsigned long ad
58c5fc13
MT
50150 if (!new_len)
50151 goto out;
50152
50153+#ifdef CONFIG_PAX_SEGMEXEC
ae4e228f 50154+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
58c5fc13
MT
50155+ pax_task_size = SEGMEXEC_TASK_SIZE;
50156+#endif
50157+
50158+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
50159+ old_len > pax_task_size || addr > pax_task_size-old_len)
50160+ goto out;
50161+
58c5fc13 50162 if (flags & MREMAP_FIXED) {
ae4e228f
MT
50163 if (flags & MREMAP_MAYMOVE)
50164 ret = mremap_to(addr, old_len, new_addr, new_len);
50165@@ -471,6 +495,7 @@ unsigned long do_mremap(unsigned long ad
58c5fc13
MT
50166 addr + new_len);
50167 }
50168 ret = addr;
50169+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
50170 goto out;
50171 }
50172 }
ae4e228f
MT
50173@@ -497,7 +522,13 @@ unsigned long do_mremap(unsigned long ad
50174 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
50175 if (ret)
50176 goto out;
50177+
58c5fc13
MT
50178+ map_flags = vma->vm_flags;
50179 ret = move_vma(vma, addr, old_len, new_len, new_addr);
50180+ if (!(ret & ~PAGE_MASK)) {
50181+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
50182+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
50183+ }
50184 }
50185 out:
50186 if (ret & ~PAGE_MASK)
ae4e228f
MT
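--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -759,15 +759,6 @@ struct vm_area_struct *find_vma(struct m
 EXPORT_SYMBOL(find_vma);
 
 /*
- * find a VMA
- * - we don't extend stack VMAs under NOMMU conditions
- */
-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
-{
- return find_vma(mm, addr);
-}
-
-/*
 * expand a stack to a given address
 * - not supported under NOMMU conditions
 */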
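--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -583,6 +583,10 @@ static void __free_pages_ok(struct page
 int bad = 0;
 int wasMlocked = __TestClearPageMlocked(page);
 
+#ifdef CONFIG_PAX_MEMORY_SANITIZE
+ unsigned long index = 1UL << order;
+#endif
+
 kmemcheck_free_shadow(page, order);
 
 for (i = 0 ; i < (1 << order) ; ++i)
@@ -595,6 +599,12 @@ static void __free_pages_ok(struct page
 debug_check_no_obj_freed(page_address(page),
 PAGE_SIZE << order);
 }
+
+#ifdef CONFIG_PAX_MEMORY_SANITIZE
+ for (; index; --index)
+ sanitize_highpage(page + index - 1);
+#endif
+
 arch_free_page(page, order);
 kernel_map_pages(page, 1 << order, 0);
 
@@ -698,8 +708,10 @@ static int prep_new_page(struct page *pa
 arch_alloc_page(page, order);
 kernel_map_pages(page, 1 << order, 1);
 
+#ifndef CONFIG_PAX_MEMORY_SANITIZE
 if (gfp_flags & __GFP_ZERO)
 prep_zero_page(page, order, gfp_flags);
+#endif
 
 if (order && (gfp_flags & __GFP_COMP))
 prep_compound_page(page, order);
@@ -1093,6 +1105,11 @@ static void free_hot_cold_page(struct pa
 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
 }
+
+#ifdef CONFIG_PAX_MEMORY_SANITIZE
+ sanitize_highpage(page);
+#endif
+
 arch_free_page(page, 0);
 kernel_map_pages(page, 1, 0);
 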
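Review bot: In `prep_new_page()` the `__GFP_ZERO` clearing is compiled out under `CONFIG_PAX_MEMORY_SANITIZE`, which is only correct if every page that reaches the free lists has passed through one of the two `sanitize_highpage()` calls added in `__free_pages_ok()` and `free_hot_cold_page()`. That invariant is not written down in any of these hunks. I would add a comment above the `#ifndef`, such as `/* pages are cleared on free by sanitize_highpage(), so __GFP_ZERO needs no second clear; any new free path must sanitize too */`. What `sanitize_highpage()` writes is not visible here, so this assumes it leaves the page zero-filled.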
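--- a/mm/percpu.c
+++ b/mm/percpu.c
@@ -114,7 +114,7 @@ static unsigned int pcpu_first_unit_cpu
 static unsigned int pcpu_last_unit_cpu __read_mostly;
 
 /* the address of the first chunk which starts with the kernel static area */
-void *pcpu_base_addr __read_mostly;
+void *pcpu_base_addr __read_only;
 EXPORT_SYMBOL_GPL(pcpu_base_addr);
 
 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */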
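--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -109,6 +109,10 @@ int anon_vma_prepare(struct vm_area_stru
 struct mm_struct *mm = vma->vm_mm;
 struct anon_vma *allocated;
 
+#ifdef CONFIG_PAX_SEGMEXEC
+ struct vm_area_struct *vma_m;
+#endif
+
 anon_vma = find_mergeable_anon_vma(vma);
 allocated = NULL;
 if (!anon_vma) {
@@ -122,6 +126,15 @@ int anon_vma_prepare(struct vm_area_stru
 /* page_table_lock to protect against threads */
 spin_lock(&mm->page_table_lock);
 if (likely(!vma->anon_vma)) {
+
+#ifdef CONFIG_PAX_SEGMEXEC
+ vma_m = pax_find_mirror_vma(vma);
+ if (vma_m) {
+ vma_m->anon_vma = anon_vma;
+ __anon_vma_link(vma_m);
+ }
+#endif
+
 vma->anon_vma = anon_vma;
 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
 allocated = NULL;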
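Review bot: The SEGMEXEC block in `anon_vma_prepare()` assigns `vma_m->anon_vma = anon_vma;` without looking at the mirror's previous value, whereas the primary vma is only touched under `likely(!vma->anon_vma)`. If the mirror is always expected to be unlinked at this point, a `BUG_ON(vma_m->anon_vma);` before the assignment would state that. A comment such as `/* the mirror shares the primary's anon_vma and is linked under the same page_table_lock */` would explain the block. Whether `__anon_vma_link()` tolerates a vma that is already linked is not visible in this hunk, and the function body continues outside it.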
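--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -30,7 +30,7 @@
 #include <linux/module.h>
 #include <linux/swap.h>
 
-static struct vfsmount *shm_mnt;
+struct vfsmount *shm_mnt;
 
 #ifdef CONFIG_SHMEM
 /*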
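Review bot: Dropping `static` from `shm_mnt` turns the tmpfs mount pointer into a kernel-wide symbol, and nothing in this hunk says who needs it or where it is declared. I would add a comment at the definition, e.g. `/* non-static: referenced from outside mm/shmem.c, see the extern declaration */`. A single header should carry `extern struct vfsmount *shm_mnt;` so users do not declare it ad hoc. The consumer is outside this section.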
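--- a/mm/slab.c
+++ b/mm/slab.c
@@ -308,7 +308,7 @@ struct kmem_list3 {
 * Need this for bootstrapping a per node allocator.
 */
 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
 #define CACHE_CACHE 0
 #define SIZE_AC MAX_NUMNODES
 #define SIZE_L3 (2 * MAX_NUMNODES)
@@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
 */
 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
- const struct slab *slab, void *obj)
+ const struct slab *slab, const void *obj)
 {
 u32 offset = (obj - slab->s_mem);
 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
@@ -584,14 +584,14 @@ struct cache_names {
 static struct cache_names __initdata cache_names[] = {
 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
 #include <linux/kmalloc_sizes.h>
- {NULL,}
+ {NULL, NULL}
 #undef CACHE
 };
 
 static struct arraycache_init initarray_cache __initdata =
- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
 static struct arraycache_init initarray_generic =
- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
 
 /* internal cache of cache description objs */
 static struct kmem_cache cache_cache = {
@@ -4104,7 +4104,7 @@ out:
 schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_CPUC));
 }
 
-#ifdef CONFIG_SLABINFO
+#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
 
 static void print_slabinfo_header(struct seq_file *m)
 {
@@ -4502,6 +4502,51 @@ static int __init slab_proc_init(void)
 module_init(slab_proc_init);
 #endif
 
+void check_object_size(const void *ptr, unsigned long n, bool to)
+{
+
+#ifdef CONFIG_PAX_USERCOPY
+ struct kmem_cache *cachep;
+ struct slab *slabp;
+ struct page *page;
+ unsigned int objnr;
+ unsigned long offset;
+
+ if (!n)
+ return;
+
+ if (ZERO_OR_NULL_PTR(ptr))
+ goto report;
+
+ if (!virt_addr_valid(ptr))
+ return;
+
+ page = virt_to_head_page(ptr);
+
+ if (!PageSlab(page)) {
+ if (object_is_on_stack(ptr, n) == -1)
+ goto report;
+ return;
+ }
+
+ cachep = page_get_cache(page);
+ slabp = page_get_slab(page);
+ objnr = obj_to_index(cachep, slabp, ptr);
+ BUG_ON(objnr >= cachep->num);
+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
+ return;
+
+report:
+ if (to)
+ pax_report_leak_to_user(ptr, n);
+ else
+ pax_report_overflow_from_user(ptr, n);
+#endif
+
+}
+EXPORT_SYMBOL(check_object_size);
+
 /**
 * ksize - get the actual amount of memory allocated for a given object
 * @objp: Pointer to the object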
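Review bot: The new `check_object_size()` returns without validating on two paths that the code does not explain: `if (!virt_addr_valid(ptr)) return;`, and the non-slab branch whenever `object_is_on_stack(ptr, n)` is not -1. A reader cannot tell from the function that copies touching addresses which fail `virt_addr_valid()`, or memory that is neither slab nor stack, are deliberately left unchecked. I would add a header comment such as `/* Bounds a usercopy of n bytes at ptr to one slab object; addresses that are neither slab nor stack are not checked here. */`. It should also note that the limit is `obj_size(cachep)`, the cache's object size, not the length the allocating caller asked for. The same applies to the variants of this function added in mm/slob.c and mm/slub.c.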
50410diff -urNp linux-2.6.33.1/mm/slob.c linux-2.6.33.1/mm/slob.c
50411--- linux-2.6.33.1/mm/slob.c 2010-03-15 12:09:39.000000000 -0400
50412+++ linux-2.6.33.1/mm/slob.c 2010-03-20 16:58:42.276578221 -0400
58c5fc13
MT
50413@@ -29,7 +29,7 @@
50414 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
50415 * alloc_pages() directly, allocating compound pages so the page order
50416 * does not have to be separately tracked, and also stores the exact
50417- * allocation size in page->private so that it can be used to accurately
50418+ * allocation size in slob_page->size so that it can be used to accurately
50419 * provide ksize(). These objects are detected in kfree() because slob_page()
50420 * is false for them.
50421 *
50422@@ -58,6 +58,7 @@
50423 */
50424
50425 #include <linux/kernel.h>
50426+#include <linux/sched.h>
50427 #include <linux/slab.h>
50428 #include <linux/mm.h>
50429 #include <linux/swap.h> /* struct reclaim_state */
50430@@ -100,7 +101,8 @@ struct slob_page {
50431 unsigned long flags; /* mandatory */
50432 atomic_t _count; /* mandatory */
50433 slobidx_t units; /* free units left in page */
50434- unsigned long pad[2];
50435+ unsigned long pad[1];
50436+ unsigned long size; /* size when >=PAGE_SIZE */
50437 slob_t *free; /* first free slob_t in page */
50438 struct list_head list; /* linked list of free pages */
50439 };
50440@@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
50441 */
50442 static inline int is_slob_page(struct slob_page *sp)
50443 {
50444- return PageSlab((struct page *)sp);
50445+ return PageSlab((struct page *)sp) && !sp->size;
50446 }
50447
50448 static inline void set_slob_page(struct slob_page *sp)
50449@@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
50450
50451 static inline struct slob_page *slob_page(const void *addr)
50452 {
50453- return (struct slob_page *)virt_to_page(addr);
50454+ return (struct slob_page *)virt_to_head_page(addr);
50455 }
50456
50457 /*
50458@@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
50459 /*
50460 * Return the size of a slob block.
50461 */
50462-static slobidx_t slob_units(slob_t *s)
50463+static slobidx_t slob_units(const slob_t *s)
50464 {
50465 if (s->units > 0)
50466 return s->units;
50467@@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
50468 /*
50469 * Return the next free slob block pointer after this one.
50470 */
50471-static slob_t *slob_next(slob_t *s)
50472+static slob_t *slob_next(const slob_t *s)
50473 {
50474 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
50475 slobidx_t next;
50476@@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
50477 /*
50478 * Returns true if s is the last free block in its page.
50479 */
50480-static int slob_last(slob_t *s)
50481+static int slob_last(const slob_t *s)
50482 {
50483 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
50484 }
50485@@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
50486 if (!page)
50487 return NULL;
50488
50489+ set_slob_page(page);
50490 return page_address(page);
50491 }
50492
50493@@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
50494 if (!b)
50495 return NULL;
50496 sp = slob_page(b);
50497- set_slob_page(sp);
50498
50499 spin_lock_irqsave(&slob_lock, flags);
50500 sp->units = SLOB_UNITS(PAGE_SIZE);
50501 sp->free = b;
50502+ sp->size = 0;
50503 INIT_LIST_HEAD(&sp->list);
50504 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
50505 set_slob_page_free(sp, slob_list);
50506@@ -475,10 +478,9 @@ out:
50507 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
50508 #endif
50509
50510-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50511+static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
50512 {
50513- unsigned int *m;
50514- int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50515+ slob_t *m;
50516 void *ret;
50517
50518 lockdep_trace_alloc(gfp);
50519@@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
50520
50521 if (!m)
50522 return NULL;
50523- *m = size;
50524+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
50525+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
50526+ m[0].units = size;
50527+ m[1].units = align;
50528 ret = (void *)m + align;
50529
50530 trace_kmalloc_node(_RET_IP_, ret,
50531@@ -501,9 +506,9 @@ void *__kmalloc_node(size_t size, gfp_t
50532
50533 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
50534 if (ret) {
50535- struct page *page;
50536- page = virt_to_page(ret);
50537- page->private = size;
50538+ struct slob_page *sp;
50539+ sp = slob_page(ret);
50540+ sp->size = size;
50541 }
50542
50543 trace_kmalloc_node(_RET_IP_, ret,
50544@@ -513,6 +518,13 @@ void *__kmalloc_node(size_t size, gfp_t
50545 kmemleak_alloc(ret, size, 1, gfp);
50546 return ret;
50547 }
50548+
50549+void *__kmalloc_node(size_t size, gfp_t gfp, int node)
50550+{
50551+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50552+
50553+ return __kmalloc_node_align(size, gfp, node, align);
50554+}
50555 EXPORT_SYMBOL(__kmalloc_node);
50556
50557 void kfree(const void *block)
ae4e228f 50558@@ -528,13 +540,84 @@ void kfree(const void *block)
58c5fc13
MT
50559 sp = slob_page(block);
50560 if (is_slob_page(sp)) {
50561 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50562- unsigned int *m = (unsigned int *)(block - align);
50563- slob_free(m, *m + align);
50564- } else
50565+ slob_t *m = (slob_t *)(block - align);
50566+ slob_free(m, m[0].units + align);
50567+ } else {
50568+ clear_slob_page(sp);
50569+ free_slob_page(sp);
50570+ sp->size = 0;
50571 put_page(&sp->page);
50572+ }
50573 }
50574 EXPORT_SYMBOL(kfree);
50575
50576+void check_object_size(const void *ptr, unsigned long n, bool to)
50577+{
50578+
50579+#ifdef CONFIG_PAX_USERCOPY
50580+ struct slob_page *sp;
50581+ const slob_t *free;
50582+ const void *base;
50583+
50584+ if (!n)
50585+ return;
50586+
50587+ if (ZERO_OR_NULL_PTR(ptr))
50588+ goto report;
50589+
50590+ if (!virt_addr_valid(ptr))
50591+ return;
50592+
50593+ sp = slob_page(ptr);
ae4e228f
MT
50594+ if (!PageSlab((struct page*)sp)) {
50595+ if (object_is_on_stack(ptr, n) == -1)
50596+ goto report;
58c5fc13 50597+ return;
ae4e228f 50598+ }
58c5fc13
MT
50599+
50600+ if (sp->size) {
50601+ base = page_address(&sp->page);
50602+ if (base <= ptr && n <= sp->size - (ptr - base))
50603+ return;
50604+ goto report;
50605+ }
50606+
50607+ /* some tricky double walking to find the chunk */
50608+ base = (void *)((unsigned long)ptr & PAGE_MASK);
50609+ free = sp->free;
50610+
50611+ while (!slob_last(free) && (void *)free <= ptr) {
50612+ base = free + slob_units(free);
50613+ free = slob_next(free);
50614+ }
50615+
50616+ while (base < (void *)free) {
50617+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
50618+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
50619+ int offset;
50620+
50621+ if (ptr < base + align)
50622+ goto report;
50623+
50624+ offset = ptr - base - align;
50625+ if (offset < m) {
50626+ if (n <= m - offset)
50627+ return;
50628+ goto report;
50629+ }
50630+ base += size;
50631+ }
50632+
50633+report:
50634+ if (to)
50635+ pax_report_leak_to_user(ptr, n);
50636+ else
50637+ pax_report_overflow_from_user(ptr, n);
50638+#endif
50639+
50640+}
50641+EXPORT_SYMBOL(check_object_size);
50642+
50643 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
50644 size_t ksize(const void *block)
50645 {
ae4e228f 50646@@ -547,10 +630,10 @@ size_t ksize(const void *block)
58c5fc13
MT
50647 sp = slob_page(block);
50648 if (is_slob_page(sp)) {
50649 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
50650- unsigned int *m = (unsigned int *)(block - align);
50651- return SLOB_UNITS(*m) * SLOB_UNIT;
50652+ slob_t *m = (slob_t *)(block - align);
50653+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
50654 } else
50655- return sp->page.private;
50656+ return sp->size;
50657 }
50658 EXPORT_SYMBOL(ksize);
50659
ae4e228f 50660@@ -605,17 +688,25 @@ void *kmem_cache_alloc_node(struct kmem_
58c5fc13
MT
50661 {
50662 void *b;
50663
50664+#ifdef CONFIG_PAX_USERCOPY
50665+ b = __kmalloc_node_align(c->size, flags, node, c->align);
50666+#else
50667 if (c->size < PAGE_SIZE) {
50668 b = slob_alloc(c->size, flags, c->align, node);
50669 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50670 SLOB_UNITS(c->size) * SLOB_UNIT,
50671 flags, node);
50672 } else {
50673+ struct slob_page *sp;
50674+
50675 b = slob_new_pages(flags, get_order(c->size), node);
50676+ sp = slob_page(b);
50677+ sp->size = c->size;
50678 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
50679 PAGE_SIZE << get_order(c->size),
50680 flags, node);
50681 }
50682+#endif
50683
50684 if (c->ctor)
50685 c->ctor(b);
ae4e228f 50686@@ -627,10 +718,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
58c5fc13
MT
50687
50688 static void __kmem_cache_free(void *b, int size)
50689 {
50690- if (size < PAGE_SIZE)
50691+ struct slob_page *sp = slob_page(b);
50692+
50693+ if (is_slob_page(sp))
50694 slob_free(b, size);
50695- else
50696+ else {
50697+ clear_slob_page(sp);
50698+ free_slob_page(sp);
50699+ sp->size = 0;
50700 slob_free_pages(b, get_order(size));
50701+ }
50702 }
50703
50704 static void kmem_rcu_free(struct rcu_head *head)
ae4e228f 50705@@ -643,15 +740,24 @@ static void kmem_rcu_free(struct rcu_hea
58c5fc13
MT
50706
50707 void kmem_cache_free(struct kmem_cache *c, void *b)
50708 {
50709+ int size = c->size;
50710+
50711+#ifdef CONFIG_PAX_USERCOPY
50712+ if (size + c->align < PAGE_SIZE) {
50713+ size += c->align;
50714+ b -= c->align;
50715+ }
50716+#endif
50717+
50718 kmemleak_free_recursive(b, c->flags);
50719 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
50720 struct slob_rcu *slob_rcu;
50721- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
50722+ slob_rcu = b + (size - sizeof(struct slob_rcu));
50723 INIT_RCU_HEAD(&slob_rcu->head);
50724- slob_rcu->size = c->size;
50725+ slob_rcu->size = size;
50726 call_rcu(&slob_rcu->head, kmem_rcu_free);
50727 } else {
50728- __kmem_cache_free(b, c->size);
50729+ __kmem_cache_free(b, size);
50730 }
50731
50732 trace_kmem_cache_free(_RET_IP_, b);
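Review bot: In the non-USERCOPY branch of `kmem_cache_alloc_node()`, the added `sp = slob_page(b); sp->size = c->size;` runs even when `slob_new_pages()` has failed, and that helper visibly returns NULL on `!page`. `__kmalloc_node_align()` guards the same store with `if (ret)`, so the two allocation paths disagree. The added lines should be `if (b) { sp = slob_page(b); sp->size = c->size; }`. The function body continues outside the hunk, so any earlier guarantee that `b` is non-NULL is not visible here.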
ae4e228f
MT
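--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
 
 page = virt_to_head_page(x);
 
+ BUG_ON(!PageSlab(page));
+
 slab_free(s, page, x, _RET_IP_);
 
 trace_kmem_cache_free(_RET_IP_, x);
@@ -1937,7 +1939,7 @@ static int slub_min_objects;
 * Merge control. If this is set then no merging of slab caches will occur.
 * (Could be removed. This was introduced to pacify the merge skeptics.)
 */
-static int slub_nomerge;
+static int slub_nomerge = 1;
 
 /*
 * Calculate the order of allocation given an slab object size.
@@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
 * list to avoid pounding the page allocator excessively.
 */
 set_min_partial(s, ilog2(s->size));
- s->refcount = 1;
+ atomic_set(&s->refcount, 1);
 #ifdef CONFIG_NUMA
 s->remote_node_defrag_ratio = 1000;
 #endif
@@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
 void kmem_cache_destroy(struct kmem_cache *s)
 {
 down_write(&slub_lock);
- s->refcount--;
- if (!s->refcount) {
+ if (atomic_dec_and_test(&s->refcount)) {
 list_del(&s->list);
 up_write(&slub_lock);
 if (kmem_cache_close(s)) {
@@ -2915,6 +2916,46 @@ void *__kmalloc_node(size_t size, gfp_t
 EXPORT_SYMBOL(__kmalloc_node);
 #endif
 
+void check_object_size(const void *ptr, unsigned long n, bool to)
+{
+
+#ifdef CONFIG_PAX_USERCOPY
+ struct page *page;
+ struct kmem_cache *s;
+ unsigned long offset;
+
+ if (!n)
+ return;
+
+ if (ZERO_OR_NULL_PTR(ptr))
+ goto report;
+
+ if (!virt_addr_valid(ptr))
+ return;
+
+ page = get_object_page(ptr);
+
+ if (!page) {
+ if (object_is_on_stack(ptr, n) == -1)
+ goto report;
+ return;
+ }
+
+ s = page->slab;
+ offset = (ptr - page_address(page)) % s->size;
+ if (offset <= s->objsize && n <= s->objsize - offset)
+ return;
+
+report:
+ if (to)
+ pax_report_leak_to_user(ptr, n);
+ else
+ pax_report_overflow_from_user(ptr, n);
+#endif
+
+}
+EXPORT_SYMBOL(check_object_size);
+
 size_t ksize(const void *object)
 {
 struct page *page;
@@ -3186,7 +3227,7 @@ void __init kmem_cache_init(void)
 */
 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
 sizeof(struct kmem_cache_node), GFP_NOWAIT);
- kmalloc_caches[0].refcount = -1;
+ atomic_set(&kmalloc_caches[0].refcount, -1);
 caches++;
 
 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
@@ -3293,7 +3334,7 @@ static int slab_unmergeable(struct kmem_
 /*
 * We may have set a slab to be unmergeable during bootstrap.
 */
- if (s->refcount < 0)
+ if (atomic_read(&s->refcount) < 0)
 return 1;
 
 return 0;
@@ -3353,7 +3394,7 @@ struct kmem_cache *kmem_cache_create(con
 if (s) {
 int cpu;
 
- s->refcount++;
+ atomic_inc(&s->refcount);
 /*
 * Adjust the object sizes so that we clear
 * the complete object on kzalloc.
@@ -3372,7 +3413,7 @@ struct kmem_cache *kmem_cache_create(con
 
 if (sysfs_slab_alias(s, name)) {
 down_write(&slub_lock);
- s->refcount--;
+ atomic_dec(&s->refcount);
 up_write(&slub_lock);
 goto err;
 }
@@ -4101,7 +4142,7 @@ SLAB_ATTR_RO(ctor);
 
 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
 {
- return sprintf(buf, "%d\n", s->refcount - 1);
+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
 }
 SLAB_ATTR_RO(aliases);
 
@@ -4519,7 +4560,7 @@ static void kmem_cache_release(struct ko
 kfree(s);
 }
 
-static struct sysfs_ops slab_sysfs_ops = {
+static const struct sysfs_ops slab_sysfs_ops = {
 .show = slab_attr_show,
 .store = slab_attr_store,
 };
@@ -4538,7 +4579,7 @@ static int uevent_filter(struct kset *ks
 return 0;
 }
 
-static struct kset_uevent_ops slab_uevent_ops = {
+static const struct kset_uevent_ops slab_uevent_ops = {
 .filter = uevent_filter,
 };
 
@@ -4712,7 +4753,7 @@ __initcall(slab_sysfs_init);
 /*
 * The /proc/slabinfo ABI
 */
-#ifdef CONFIG_SLABINFO
+#if defined(CONFIG_SLABINFO) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
 static void print_slabinfo_header(struct seq_file *m)
 {
 seq_puts(m, "slabinfo - version: 2.1\n");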
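Review bot: `static int slub_nomerge = 1;` flips the default, but the comment kept above it still describes an optional switch ("If this is set then no merging of slab caches will occur") and gives no reason for the new value. A one-line addition such as `/* Defaults to 1: caches are kept separate so objects of unrelated types do not share a slab. */` would record the intent. No hunk in this section adds a way to turn merging back on, so if that is deliberate it belongs in the same comment.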
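--- a/mm/util.c
+++ b/mm/util.c
@@ -224,6 +224,12 @@ EXPORT_SYMBOL(strndup_user);
 void arch_pick_mmap_layout(struct mm_struct *mm)
 {
 mm->mmap_base = TASK_UNMAPPED_BASE;
+
+#ifdef CONFIG_PAX_RANDMMAP
+ if (mm->pax_flags & MF_PAX_RANDMMAP)
+ mm->mmap_base += mm->delta_mmap;
+#endif
+
 mm->get_unmapped_area = arch_get_unmapped_area;
 mm->unmap_area = arch_unmap_area;
 }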
50908diff -urNp linux-2.6.33.1/mm/vmalloc.c linux-2.6.33.1/mm/vmalloc.c
50909--- linux-2.6.33.1/mm/vmalloc.c 2010-03-15 12:09:39.000000000 -0400
50910+++ linux-2.6.33.1/mm/vmalloc.c 2010-03-20 16:58:42.280534479 -0400
50911@@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
50912
50913 pte = pte_offset_kernel(pmd, addr);
50914 do {
50915- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50916- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50917+
50918+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50919+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
50920+ BUG_ON(!pte_exec(*pte));
50921+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
50922+ continue;
50923+ }
50924+#endif
50925+
50926+ {
50927+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
50928+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
50929+ }
50930 } while (pte++, addr += PAGE_SIZE, addr != end);
50931 }
50932
50933@@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
58c5fc13
MT
50934 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
50935 {
50936 pte_t *pte;
50937+ int ret = -ENOMEM;
58c5fc13
MT
50938
50939 /*
50940 * nr is a running index into the array which helps higher level
ae4e228f 50941@@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
58c5fc13
MT
50942 pte = pte_alloc_kernel(pmd, addr);
50943 if (!pte)
50944 return -ENOMEM;
50945+
ae4e228f 50946+ pax_open_kernel();
58c5fc13
MT
50947 do {
50948 struct page *page = pages[*nr];
50949
50950- if (WARN_ON(!pte_none(*pte)))
50951- return -EBUSY;
50952- if (WARN_ON(!page))
50953- return -ENOMEM;
ae4e228f
MT
50954+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50955+ if (pgprot_val(prot) & _PAGE_NX)
50956+#endif
50957+
58c5fc13
MT
50958+ if (WARN_ON(!pte_none(*pte))) {
50959+ ret = -EBUSY;
50960+ goto out;
50961+ }
50962+ if (WARN_ON(!page)) {
50963+ ret = -ENOMEM;
50964+ goto out;
50965+ }
50966 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
50967 (*nr)++;
50968 } while (pte++, addr += PAGE_SIZE, addr != end);
50969- return 0;
50970+ ret = 0;
50971+out:
ae4e228f
MT
50972+ pax_close_kernel();
50973+ return ret;
50974 }
50975
50976 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
50977@@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
50978 * and fall back on vmalloc() if that fails. Others
50979 * just put it in the vmalloc space.
50980 */
50981-#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
50982+#ifdef CONFIG_MODULES
50983+#ifdef MODULES_VADDR
50984 unsigned long addr = (unsigned long)x;
50985 if (addr >= MODULES_VADDR && addr < MODULES_END)
50986 return 1;
50987 #endif
58c5fc13 50988+
ae4e228f
MT
50989+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50990+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
50991+ return 1;
58c5fc13
MT
50992+#endif
50993+
ae4e228f
MT
50994+#endif
50995+
50996 return is_vmalloc_addr(x);
58c5fc13
MT
50997 }
50998
ae4e228f
MT
50999@@ -292,13 +326,13 @@ static void __insert_vmap_area(struct vm
51000 struct rb_node *tmp;
51001
51002 while (*p) {
51003- struct vmap_area *tmp;
51004+ struct vmap_area *varea;
51005
51006 parent = *p;
51007- tmp = rb_entry(parent, struct vmap_area, rb_node);
51008- if (va->va_start < tmp->va_end)
51009+ varea = rb_entry(parent, struct vmap_area, rb_node);
51010+ if (va->va_start < varea->va_end)
51011 p = &(*p)->rb_left;
51012- else if (va->va_end > tmp->va_start)
51013+ else if (va->va_end > varea->va_start)
51014 p = &(*p)->rb_right;
51015 else
51016 BUG();
51017@@ -1224,6 +1258,16 @@ static struct vm_struct *__get_vm_area_n
51018 struct vm_struct *area;
58c5fc13
MT
51019
51020 BUG_ON(in_interrupt());
51021+
51022+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51023+ if (flags & VM_KERNEXEC) {
51024+ if (start != VMALLOC_START || end != VMALLOC_END)
51025+ return NULL;
51026+ start = (unsigned long)&MODULES_EXEC_VADDR;
51027+ end = (unsigned long)&MODULES_EXEC_END;
51028+ }
51029+#endif
51030+
51031 if (flags & VM_IOREMAP) {
51032 int bit = fls(size);
51033
ae4e228f
MT
51034@@ -1449,6 +1493,11 @@ void *vmap(struct page **pages, unsigned
51035 if (count > totalram_pages)
58c5fc13
MT
51036 return NULL;
51037
51038+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51039+ if (!(pgprot_val(prot) & _PAGE_NX))
51040+ flags |= VM_KERNEXEC;
51041+#endif
51042+
51043 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
51044 __builtin_return_address(0));
51045 if (!area)
ae4e228f
MT
51046@@ -1558,6 +1607,13 @@ static void *__vmalloc_node(unsigned lon
51047 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
58c5fc13
MT
51048 return NULL;
51049
51050+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
51051+ if (!(pgprot_val(prot) & _PAGE_NX))
ae4e228f 51052+ area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
58c5fc13
MT
51053+ node, gfp_mask, caller);
51054+ else
51055+#endif
51056+
ae4e228f
MT
51057 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
51058 VMALLOC_END, node, gfp_mask, caller);
58c5fc13 51059
ae4e228f 51060@@ -1576,6 +1632,7 @@ static void *__vmalloc_node(unsigned lon
58c5fc13
MT
51061 return addr;
51062 }
51063
51064+#undef __vmalloc
51065 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
51066 {
ae4e228f
MT
51067 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
51068@@ -1592,6 +1649,7 @@ EXPORT_SYMBOL(__vmalloc);
58c5fc13
MT
51069 * For tight control over page level allocator and protection flags
51070 * use __vmalloc() instead.
51071 */
51072+#undef vmalloc
51073 void *vmalloc(unsigned long size)
51074 {
ae4e228f
MT
51075 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51076@@ -1606,6 +1664,7 @@ EXPORT_SYMBOL(vmalloc);
58c5fc13
MT
51077 * The resulting memory area is zeroed so it can be mapped to userspace
51078 * without leaking data.
51079 */
51080+#undef vmalloc_user
51081 void *vmalloc_user(unsigned long size)
51082 {
51083 struct vm_struct *area;
ae4e228f 51084@@ -1633,6 +1692,7 @@ EXPORT_SYMBOL(vmalloc_user);
58c5fc13
MT
51085 * For tight control over page level allocator and protection flags
51086 * use __vmalloc() instead.
51087 */
51088+#undef vmalloc_node
51089 void *vmalloc_node(unsigned long size, int node)
51090 {
ae4e228f
MT
51091 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
51092@@ -1655,10 +1715,10 @@ EXPORT_SYMBOL(vmalloc_node);
58c5fc13
MT
51093 * For tight control over page level allocator and protection flags
51094 * use __vmalloc() instead.
51095 */
51096-
51097+#undef vmalloc_exec
51098 void *vmalloc_exec(unsigned long size)
51099 {
ae4e228f
MT
51100- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
51101+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
58c5fc13
MT
51102 -1, __builtin_return_address(0));
51103 }
51104
ae4e228f 51105@@ -1677,6 +1737,7 @@ void *vmalloc_exec(unsigned long size)
58c5fc13
MT
51106 * Allocate enough 32bit PA addressable pages to cover @size from the
51107 * page level allocator and map them into contiguous kernel virtual space.
51108 */
51109+#undef vmalloc_32
51110 void *vmalloc_32(unsigned long size)
51111 {
ae4e228f
MT
51112 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
51113@@ -1691,6 +1752,7 @@ EXPORT_SYMBOL(vmalloc_32);
58c5fc13
MT
51114 * The resulting memory area is 32bit addressable and zeroed so it can be
51115 * mapped to userspace without leaking data.
51116 */
51117+#undef vmalloc_32_user
51118 void *vmalloc_32_user(unsigned long size)
51119 {
51120 struct vm_struct *area;
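Review bot: In `vmap_pte_range()` the added `if (pgprot_val(prot) & _PAGE_NX)` stands alone inside `#if ... #endif` and governs only the following `if (WARN_ON(!pte_none(*pte)))`, so the control flow depends on which configuration was compiled and on no statement ever being inserted between the two. A local set under the `#if`, e.g. `bool must_be_empty = true;` assigned `pgprot_val(prot) & _PAGE_NX`, followed by `if (must_be_empty && WARN_ON(!pte_none(*pte)))`, keeps one code shape for both builds. A comment should say why executable mappings skip the check; from `vunmap_pte_range()` it looks as if PTEs in the MODULES_EXEC range are rewritten rather than cleared, so they would never be `pte_none`. Separately, `__get_vm_area_node()` takes `&MODULES_EXEC_VADDR` while the other hunks use `MODULES_EXEC_VADDR` without `&`; the declaration is not visible here, so confirm both forms yield the same address.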
ae4e228f
MT
51121diff -urNp linux-2.6.33.1/net/atm/atm_misc.c linux-2.6.33.1/net/atm/atm_misc.c
51122--- linux-2.6.33.1/net/atm/atm_misc.c 2010-03-15 12:09:39.000000000 -0400
51123+++ linux-2.6.33.1/net/atm/atm_misc.c 2010-03-20 16:58:42.280534479 -0400
58c5fc13
MT
51124@@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
51125 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
51126 return 1;
51127 atm_return(vcc,truesize);
51128- atomic_inc(&vcc->stats->rx_drop);
51129+ atomic_inc_unchecked(&vcc->stats->rx_drop);
51130 return 0;
51131 }
51132
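Review bot: Nothing in the hunk says why `rx_drop` moves to `atomic_inc_unchecked`. The `_unchecked` accessors are presumably this patch's opt-out from overflow-checked atomics, which suits statistics that may wrap harmlessly, and they need the field itself to carry the matching unchecked type in a header not shown here. A comment at the counter's declaration along the lines of `/* statistics only, may wrap; not a reference count */` would keep a later reader from converting a real reference count the same way. The same conversion is repeated in the other atm_misc.c hunks and in net/atm/proc.c and net/atm/resources.c.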
51133@@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
51134 }
51135 }
51136 atm_return(vcc,guess);
51137- atomic_inc(&vcc->stats->rx_drop);
51138+ atomic_inc_unchecked(&vcc->stats->rx_drop);
51139 return NULL;
51140 }
51141
51142@@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
51143
51144 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51145 {
51146-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51147+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51148 __SONET_ITEMS
51149 #undef __HANDLE_ITEM
51150 }
51151@@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
51152
51153 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
51154 {
51155-#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
51156+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
51157 __SONET_ITEMS
51158 #undef __HANDLE_ITEM
51159 }
ae4e228f
MT
51160diff -urNp linux-2.6.33.1/net/atm/proc.c linux-2.6.33.1/net/atm/proc.c
51161--- linux-2.6.33.1/net/atm/proc.c 2010-03-15 12:09:39.000000000 -0400
51162+++ linux-2.6.33.1/net/atm/proc.c 2010-03-20 16:58:42.280534479 -0400
58c5fc13
MT
51163@@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
51164 const struct k_atm_aal_stats *stats)
51165 {
51166 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
51167- atomic_read(&stats->tx),atomic_read(&stats->tx_err),
51168- atomic_read(&stats->rx),atomic_read(&stats->rx_err),
51169- atomic_read(&stats->rx_drop));
51170+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
51171+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
51172+ atomic_read_unchecked(&stats->rx_drop));
51173 }
51174
51175 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
ae4e228f
MT
51176diff -urNp linux-2.6.33.1/net/atm/resources.c linux-2.6.33.1/net/atm/resources.c
51177--- linux-2.6.33.1/net/atm/resources.c 2010-03-15 12:09:39.000000000 -0400
51178+++ linux-2.6.33.1/net/atm/resources.c 2010-03-20 16:58:42.280534479 -0400
58c5fc13
MT
51179@@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
51180 static void copy_aal_stats(struct k_atm_aal_stats *from,
51181 struct atm_aal_stats *to)
51182 {
51183-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
51184+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
51185 __AAL_STAT_ITEMS
51186 #undef __HANDLE_ITEM
51187 }
51188@@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
51189 static void subtract_aal_stats(struct k_atm_aal_stats *from,
51190 struct atm_aal_stats *to)
51191 {
51192-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
51193+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
51194 __AAL_STAT_ITEMS
51195 #undef __HANDLE_ITEM
51196 }
ae4e228f
MT
51197diff -urNp linux-2.6.33.1/net/bridge/br_private.h linux-2.6.33.1/net/bridge/br_private.h
51198--- linux-2.6.33.1/net/bridge/br_private.h 2010-03-15 12:09:39.000000000 -0400
51199+++ linux-2.6.33.1/net/bridge/br_private.h 2010-03-20 16:58:42.280534479 -0400
51200@@ -254,7 +254,7 @@ extern void br_ifinfo_notify(int event,
51201
51202 #ifdef CONFIG_SYSFS
51203 /* br_sysfs_if.c */
51204-extern struct sysfs_ops brport_sysfs_ops;
51205+extern const struct sysfs_ops brport_sysfs_ops;
51206 extern int br_sysfs_addif(struct net_bridge_port *p);
51207
51208 /* br_sysfs_br.c */
51209diff -urNp linux-2.6.33.1/net/bridge/br_stp_if.c linux-2.6.33.1/net/bridge/br_stp_if.c
51210--- linux-2.6.33.1/net/bridge/br_stp_if.c 2010-03-15 12:09:39.000000000 -0400
51211+++ linux-2.6.33.1/net/bridge/br_stp_if.c 2010-03-20 16:58:42.280534479 -0400
58c5fc13
MT
51212@@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
51213 char *envp[] = { NULL };
51214
51215 if (br->stp_enabled == BR_USER_STP) {
51216- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
51217+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
51218 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
51219 br->dev->name, r);
51220
ae4e228f
MT
51221diff -urNp linux-2.6.33.1/net/bridge/br_sysfs_if.c linux-2.6.33.1/net/bridge/br_sysfs_if.c
51222--- linux-2.6.33.1/net/bridge/br_sysfs_if.c 2010-03-15 12:09:39.000000000 -0400
51223+++ linux-2.6.33.1/net/bridge/br_sysfs_if.c 2010-03-20 16:58:42.280534479 -0400
51224@@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
51225 return ret;
51226 }
51227
51228-struct sysfs_ops brport_sysfs_ops = {
51229+const struct sysfs_ops brport_sysfs_ops = {
51230 .show = brport_show,
51231 .store = brport_store,
51232 };
51233diff -urNp linux-2.6.33.1/net/bridge/netfilter/ebtables.c linux-2.6.33.1/net/bridge/netfilter/ebtables.c
51234--- linux-2.6.33.1/net/bridge/netfilter/ebtables.c 2010-03-15 12:09:39.000000000 -0400
51235+++ linux-2.6.33.1/net/bridge/netfilter/ebtables.c 2010-03-20 16:58:42.284535154 -0400
51236@@ -1456,7 +1456,7 @@ static int do_ebt_get_ctl(struct sock *s
51237 tmp.valid_hooks = t->table->valid_hooks;
51238 }
51239 mutex_unlock(&ebt_mutex);
51240- if (copy_to_user(user, &tmp, *len) != 0){
51241+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
51242 BUGPRINT("c2u Didn't work\n");
51243 ret = -EFAULT;
51244 break;
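Review bot: An oversized `*len` now falls into the same branch as a failed copy, so the caller gets `-EFAULT` and the debug text "c2u Didn't work" for what is really a bad length argument. Testing the length on its own and returning `-EINVAL` would separate the two cases, e.g. `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` ahead of the `copy_to_user` call. The bound is worth keeping either way because it stops the copy from reading past `tmp` into adjacent kernel memory; whether an earlier test already pins `*len` cannot be seen from this hunk. The same `len > sizeof(x) || copy_to_user(...)` form is added in net/core/sock.c, net/decnet/sysctl_net_decnet.c, net/ipv4/tcp_probe.c and net/mac80211/rc80211_pid_debugfs.c, where it additionally relies on `x` being an array rather than a pointer, which those hunks do not show.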
51245diff -urNp linux-2.6.33.1/net/core/dev.c linux-2.6.33.1/net/core/dev.c
51246--- linux-2.6.33.1/net/core/dev.c 2010-03-15 12:09:39.000000000 -0400
51247+++ linux-2.6.33.1/net/core/dev.c 2010-03-20 16:58:42.284535154 -0400
51248@@ -2183,7 +2183,7 @@ int netif_rx_ni(struct sk_buff *skb)
51249 }
51250 EXPORT_SYMBOL(netif_rx_ni);
51251
51252-static void net_tx_action(struct softirq_action *h)
51253+static void net_tx_action(void)
51254 {
51255 struct softnet_data *sd = &__get_cpu_var(softnet_data);
51256
51257@@ -2939,7 +2939,7 @@ void netif_napi_del(struct napi_struct *
51258 EXPORT_SYMBOL(netif_napi_del);
51259
51260
51261-static void net_rx_action(struct softirq_action *h)
51262+static void net_rx_action(void)
51263 {
51264 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
51265 unsigned long time_limit = jiffies + 2;
51266diff -urNp linux-2.6.33.1/net/core/flow.c linux-2.6.33.1/net/core/flow.c
51267--- linux-2.6.33.1/net/core/flow.c 2010-03-15 12:09:39.000000000 -0400
51268+++ linux-2.6.33.1/net/core/flow.c 2010-03-20 16:58:42.284535154 -0400
58c5fc13
MT
51269@@ -39,7 +39,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
51270
51271 static u32 flow_hash_shift;
51272 #define flow_hash_size (1 << flow_hash_shift)
51273-static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
51274+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
51275
51276 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
51277
51278@@ -52,7 +52,7 @@ struct flow_percpu_info {
51279 u32 hash_rnd;
51280 int count;
51281 };
51282-static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
51283+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
51284
51285 #define flow_hash_rnd_recalc(cpu) \
51286 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
51287@@ -69,7 +69,7 @@ struct flow_flush_info {
51288 atomic_t cpuleft;
51289 struct completion completion;
51290 };
51291-static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
51292+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
51293
51294 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
51295
ae4e228f
MT
51296diff -urNp linux-2.6.33.1/net/core/sock.c linux-2.6.33.1/net/core/sock.c
51297--- linux-2.6.33.1/net/core/sock.c 2010-03-15 12:09:39.000000000 -0400
51298+++ linux-2.6.33.1/net/core/sock.c 2010-03-20 16:58:42.284535154 -0400
51299@@ -896,7 +896,7 @@ int sock_getsockopt(struct socket *sock,
51300 return -ENOTCONN;
51301 if (lv < len)
51302 return -EINVAL;
51303- if (copy_to_user(optval, address, len))
51304+ if (len > sizeof(address) || copy_to_user(optval, address, len))
51305 return -EFAULT;
51306 goto lenout;
51307 }
51308@@ -929,7 +929,7 @@ int sock_getsockopt(struct socket *sock,
51309
51310 if (len > lv)
51311 len = lv;
51312- if (copy_to_user(optval, &v, len))
51313+ if (len > sizeof(v) || copy_to_user(optval, &v, len))
51314 return -EFAULT;
51315 lenout:
51316 if (put_user(len, optlen))
51317diff -urNp linux-2.6.33.1/net/dccp/ccids/ccid3.c linux-2.6.33.1/net/dccp/ccids/ccid3.c
51318--- linux-2.6.33.1/net/dccp/ccids/ccid3.c 2010-03-15 12:09:39.000000000 -0400
51319+++ linux-2.6.33.1/net/dccp/ccids/ccid3.c 2010-03-20 16:58:42.284535154 -0400
51320@@ -41,7 +41,7 @@
58c5fc13
MT
51321 static int ccid3_debug;
51322 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
51323 #else
51324-#define ccid3_pr_debug(format, a...)
51325+#define ccid3_pr_debug(format, a...) do {} while (0)
51326 #endif
51327
51328 /*
ae4e228f
MT
51329diff -urNp linux-2.6.33.1/net/dccp/dccp.h linux-2.6.33.1/net/dccp/dccp.h
51330--- linux-2.6.33.1/net/dccp/dccp.h 2010-03-15 12:09:39.000000000 -0400
51331+++ linux-2.6.33.1/net/dccp/dccp.h 2010-03-20 16:58:42.284535154 -0400
58c5fc13
MT
51332@@ -44,9 +44,9 @@ extern int dccp_debug;
51333 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
51334 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
51335 #else
51336-#define dccp_pr_debug(format, a...)
51337-#define dccp_pr_debug_cat(format, a...)
51338-#define dccp_debug(format, a...)
51339+#define dccp_pr_debug(format, a...) do {} while (0)
51340+#define dccp_pr_debug_cat(format, a...) do {} while (0)
51341+#define dccp_debug(format, a...) do {} while (0)
51342 #endif
51343
51344 extern struct inet_hashinfo dccp_hashinfo;
ae4e228f
MT
51345diff -urNp linux-2.6.33.1/net/decnet/sysctl_net_decnet.c linux-2.6.33.1/net/decnet/sysctl_net_decnet.c
51346--- linux-2.6.33.1/net/decnet/sysctl_net_decnet.c 2010-03-15 12:09:39.000000000 -0400
51347+++ linux-2.6.33.1/net/decnet/sysctl_net_decnet.c 2010-03-20 16:58:42.284535154 -0400
51348@@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
51349
51350 if (len > *lenp) len = *lenp;
51351
51352- if (copy_to_user(buffer, addr, len))
51353+ if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
51354 return -EFAULT;
51355
51356 *lenp = len;
51357@@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
51358
51359 if (len > *lenp) len = *lenp;
51360
51361- if (copy_to_user(buffer, devname, len))
51362+ if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
51363 return -EFAULT;
51364
51365 *lenp = len;
51366diff -urNp linux-2.6.33.1/net/ipv4/inet_hashtables.c linux-2.6.33.1/net/ipv4/inet_hashtables.c
51367--- linux-2.6.33.1/net/ipv4/inet_hashtables.c 2010-03-15 12:09:39.000000000 -0400
51368+++ linux-2.6.33.1/net/ipv4/inet_hashtables.c 2010-03-20 16:58:42.311008973 -0400
58c5fc13
MT
51369@@ -18,11 +18,14 @@
51370 #include <linux/sched.h>
51371 #include <linux/slab.h>
51372 #include <linux/wait.h>
51373+#include <linux/security.h>
51374
51375 #include <net/inet_connection_sock.h>
51376 #include <net/inet_hashtables.h>
51377 #include <net/ip.h>
51378
51379+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
51380+
51381 /*
51382 * Allocate and initialize a new local port bind bucket.
51383 * The bindhash mutex for snum's hash chain must be held here.
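Review bot: `gr_update_task_in_ip_table` is declared with a bare `extern` prototype inside this .c file, so the compiler cannot check it against the definition and a later signature change would go unnoticed. Moving the prototype into a shared header would give caller and definition a single declaration; the hunk already adds `<linux/security.h>`, which may be the intended place. The same pattern appears for `grsec_enable_blackhole` in tcp_ipv4.c, tcp_minisocks.c and net/ipv4/udp.c, for `grsec_lastack_retries` in tcp_timer.c, and for the `gr_search_udp_*` prototypes in net/ipv4/udp.c.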
ae4e228f
MT
51384@@ -506,6 +509,8 @@ ok:
51385 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
58c5fc13
MT
51386 spin_unlock(&head->lock);
51387
51388+ gr_update_task_in_ip_table(current, inet_sk(sk));
51389+
51390 if (tw) {
51391 inet_twsk_deschedule(tw, death_row);
ae4e228f
MT
51392 while (twrefcnt) {
51393diff -urNp linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c
51394--- linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-03-15 12:09:39.000000000 -0400
51395+++ linux-2.6.33.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-03-20 16:58:42.311008973 -0400
58c5fc13
MT
51396@@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
51397
51398 *len = 0;
51399
51400- *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
51401+ *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
51402 if (*octets == NULL) {
51403 if (net_ratelimit())
51404 printk("OOM in bsalg (%d)\n", __LINE__);
ae4e228f
MT
51405diff -urNp linux-2.6.33.1/net/ipv4/tcp_ipv4.c linux-2.6.33.1/net/ipv4/tcp_ipv4.c
51406--- linux-2.6.33.1/net/ipv4/tcp_ipv4.c 2010-03-15 12:09:39.000000000 -0400
51407+++ linux-2.6.33.1/net/ipv4/tcp_ipv4.c 2010-03-20 17:00:48.140865901 -0400
51408@@ -84,6 +84,9 @@
51409 int sysctl_tcp_tw_reuse __read_mostly;
51410 int sysctl_tcp_low_latency __read_mostly;
58c5fc13 51411
58c5fc13 51412+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
ae4e228f 51413+extern int grsec_enable_blackhole;
58c5fc13 51414+#endif
ae4e228f
MT
51415
51416 #ifdef CONFIG_TCP_MD5SIG
51417 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
51418@@ -1646,12 +1649,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
51419 TCP_SKB_CB(skb)->sacked = 0;
51420
51421 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
51422- if (!sk)
51423+ if (!sk) {
51424+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51425+ ret = 1;
51426+#endif
51427 goto no_tcp_socket;
51428+ }
51429
51430 process:
51431- if (sk->sk_state == TCP_TIME_WAIT)
51432+ if (sk->sk_state == TCP_TIME_WAIT) {
51433+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51434+ ret = 2;
51435+#endif
51436 goto do_time_wait;
51437+ }
51438
51439 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
51440 goto discard_and_relse;
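Review bot: The function's `ret` variable is reused as a marker with the bare values 1 and 2, which hides what they mean and ties the blackhole decision to a variable that, going by its name, also carries the return code. Only `ret == 1` is tested in the hunks shown (at `no_tcp_socket`); if `ret = 2` is read anywhere, it is outside this view, otherwise it is dead. A dedicated local with named constants would be clearer, for instance `enum { BH_NONE, BH_NO_SOCKET, BH_TIME_WAIT };` and `bh_reason = BH_NO_SOCKET;` (names constructed for illustration). tcp_v4_rcv starts and ends outside the hunk, so how `ret` is initialised and returned on these paths has to be checked there.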
51441@@ -1693,6 +1704,10 @@ no_tcp_socket:
58c5fc13
MT
51442 bad_packet:
51443 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51444 } else {
51445+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
ae4e228f
MT
51446+ if (!grsec_enable_blackhole || (ret == 1 &&
51447+ (skb->dev->flags & IFF_LOOPBACK)))
58c5fc13
MT
51448+#endif
51449 tcp_v4_send_reset(NULL, skb);
51450 }
51451
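Review bot: The added `if` lives inside `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` while the statement it guards, `tcp_v4_send_reset(NULL, skb);`, sits after the `#endif`, so control flow depends on the preprocessor and any statement later inserted between them silently becomes the guarded one. The condition also dereferences `skb->dev` without a test, whereas the tcp_v6_do_rcv hunk in tcp_ipv6.c checks `!skb->dev` first; whether the device can be unset on this path is not visible here. Moving the decision into a small static helper that contains the `#ifdef` and returns whether a reply may be sent would leave the call site as an ordinary `if` with its body. The same dangling-`if` form is used in the net/ipv4/udp.c, tcp_ipv6.c and net/ipv6/udp.c hunks.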
ae4e228f
MT
51452diff -urNp linux-2.6.33.1/net/ipv4/tcp_minisocks.c linux-2.6.33.1/net/ipv4/tcp_minisocks.c
51453--- linux-2.6.33.1/net/ipv4/tcp_minisocks.c 2010-03-15 12:09:39.000000000 -0400
51454+++ linux-2.6.33.1/net/ipv4/tcp_minisocks.c 2010-03-20 17:06:01.445852790 -0400
51455@@ -26,6 +26,10 @@
51456 #include <net/inet_common.h>
51457 #include <net/xfrm.h>
51458
51459+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51460+extern int grsec_enable_blackhole;
51461+#endif
51462+
51463 int sysctl_tcp_syncookies __read_mostly = 1;
51464 EXPORT_SYMBOL(sysctl_tcp_syncookies);
51465
51466@@ -698,8 +702,11 @@ listen_overflow:
58c5fc13
MT
51467
51468 embryonic_reset:
51469 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
ae4e228f 51470- if (!(flg & TCP_FLAG_RST))
58c5fc13
MT
51471+
51472+#ifndef CONFIG_GRKERNSEC_BLACKHOLE
ae4e228f 51473+ if (!grsec_enable_blackhole || !(flg & TCP_FLAG_RST))
58c5fc13
MT
51474 req->rsk_ops->send_reset(sk, skb);
51475+#endif
51476
51477 inet_csk_reqsk_queue_drop(sk, req, prev);
51478 return NULL;
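Review bot: The guard at `embryonic_reset` is inverted: `#ifndef CONFIG_GRKERNSEC_BLACKHOLE` compiles the reset only when the option is off, which is exactly when the `extern int grsec_enable_blackhole;` added at the top of this file (under `#ifdef`) is not declared, so that configuration would presumably fail to build. With the option on, the reset is compiled out entirely and the runtime switch has no effect. The `||` also widens the original test, since with the switch off a reset would be sent even in reply to a segment that itself carries RST. The version below keeps the original RST test and adds the switch only when the option is built in; the enclosing function starts outside the hunk.

```c
	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);

#ifdef CONFIG_GRKERNSEC_BLACKHOLE
	if (!grsec_enable_blackhole && !(flg & TCP_FLAG_RST))
#else
	if (!(flg & TCP_FLAG_RST))
#endif
		req->rsk_ops->send_reset(sk, skb);
	/* … unchanged: inet_csk_reqsk_queue_drop() and return NULL … */
```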
ae4e228f
MT
51479diff -urNp linux-2.6.33.1/net/ipv4/tcp_probe.c linux-2.6.33.1/net/ipv4/tcp_probe.c
51480--- linux-2.6.33.1/net/ipv4/tcp_probe.c 2010-03-15 12:09:39.000000000 -0400
51481+++ linux-2.6.33.1/net/ipv4/tcp_probe.c 2010-03-20 16:58:42.312547376 -0400
51482@@ -201,7 +201,7 @@ static ssize_t tcpprobe_read(struct file
51483 if (cnt + width >= len)
51484 break;
51485
51486- if (copy_to_user(buf + cnt, tbuf, width))
51487+ if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
51488 return -EFAULT;
51489 cnt += width;
51490 }
51491diff -urNp linux-2.6.33.1/net/ipv4/tcp_timer.c linux-2.6.33.1/net/ipv4/tcp_timer.c
51492--- linux-2.6.33.1/net/ipv4/tcp_timer.c 2010-03-15 12:09:39.000000000 -0400
51493+++ linux-2.6.33.1/net/ipv4/tcp_timer.c 2010-03-20 17:00:48.145360815 -0400
51494@@ -21,6 +21,10 @@
51495 #include <linux/module.h>
51496 #include <net/tcp.h>
51497
51498+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51499+extern int grsec_lastack_retries;
51500+#endif
51501+
51502 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
51503 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
51504 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
51505@@ -193,6 +197,13 @@ static int tcp_write_timeout(struct sock
51506 }
51507 }
51508
51509+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51510+ if ((sk->sk_state == TCP_LAST_ACK) &&
51511+ (grsec_lastack_retries > 0) &&
51512+ (grsec_lastack_retries < retry_until))
51513+ retry_until = grsec_lastack_retries;
51514+#endif
51515+
51516 if (retransmits_timed_out(sk, retry_until)) {
51517 /* Has it gone just too far? */
51518 tcp_write_err(sk);
51519diff -urNp linux-2.6.33.1/net/ipv4/udp.c linux-2.6.33.1/net/ipv4/udp.c
51520--- linux-2.6.33.1/net/ipv4/udp.c 2010-03-15 12:09:39.000000000 -0400
51521+++ linux-2.6.33.1/net/ipv4/udp.c 2010-03-20 17:06:32.628937453 -0400
58c5fc13
MT
51522@@ -86,6 +86,7 @@
51523 #include <linux/types.h>
51524 #include <linux/fcntl.h>
51525 #include <linux/module.h>
51526+#include <linux/security.h>
51527 #include <linux/socket.h>
51528 #include <linux/sockios.h>
51529 #include <linux/igmp.h>
ae4e228f
MT
51530@@ -106,6 +107,10 @@
51531 #include <net/xfrm.h>
51532 #include "udp_impl.h"
51533
51534+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51535+extern int grsec_enable_blackhole;
51536+#endif
51537+
51538 struct udp_table udp_table __read_mostly;
51539 EXPORT_SYMBOL(udp_table);
51540
51541@@ -562,6 +567,9 @@ found:
58c5fc13
MT
51542 return s;
51543 }
51544
51545+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
51546+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
51547+
51548 /*
51549 * This routine is called by the ICMP module when it gets some
51550 * sort of error condition. If err < 0 then the socket should
ae4e228f 51551@@ -830,9 +838,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
58c5fc13
MT
51552 dport = usin->sin_port;
51553 if (dport == 0)
51554 return -EINVAL;
51555+
51556+ err = gr_search_udp_sendmsg(sk, usin);
51557+ if (err)
51558+ return err;
51559 } else {
51560 if (sk->sk_state != TCP_ESTABLISHED)
51561 return -EDESTADDRREQ;
51562+
51563+ err = gr_search_udp_sendmsg(sk, NULL);
51564+ if (err)
51565+ return err;
51566+
ae4e228f
MT
51567 daddr = inet->inet_daddr;
51568 dport = inet->inet_dport;
58c5fc13 51569 /* Open fast path for connected socket.
ae4e228f 51570@@ -1137,6 +1154,10 @@ try_again:
58c5fc13
MT
51571 if (!skb)
51572 goto out;
51573
51574+ err = gr_search_udp_recvmsg(sk, skb);
51575+ if (err)
51576+ goto out_free;
51577+
51578 ulen = skb->len - sizeof(struct udphdr);
51579 copied = len;
51580 if (copied > ulen)
ae4e228f 51581@@ -1568,6 +1589,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
58c5fc13
MT
51582 goto csum_error;
51583
51584 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
51585+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
ae4e228f 51586+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
58c5fc13
MT
51587+#endif
51588 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
51589
51590 /*
ae4e228f
MT
51591diff -urNp linux-2.6.33.1/net/ipv6/exthdrs.c linux-2.6.33.1/net/ipv6/exthdrs.c
51592--- linux-2.6.33.1/net/ipv6/exthdrs.c 2010-03-15 12:09:39.000000000 -0400
51593+++ linux-2.6.33.1/net/ipv6/exthdrs.c 2010-03-20 16:58:42.312547376 -0400
51594@@ -635,7 +635,7 @@ static struct tlvtype_proc tlvprochopopt
58c5fc13
MT
51595 .type = IPV6_TLV_JUMBO,
51596 .func = ipv6_hop_jumbo,
51597 },
51598- { -1, }
51599+ { -1, NULL }
51600 };
51601
51602 int ipv6_parse_hopopts(struct sk_buff *skb)
ae4e228f
MT
51603diff -urNp linux-2.6.33.1/net/ipv6/raw.c linux-2.6.33.1/net/ipv6/raw.c
51604--- linux-2.6.33.1/net/ipv6/raw.c 2010-03-15 12:09:39.000000000 -0400
51605+++ linux-2.6.33.1/net/ipv6/raw.c 2010-03-20 16:58:42.312547376 -0400
51606@@ -597,7 +597,7 @@ out:
58c5fc13
MT
51607 return err;
51608 }
51609
51610-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
51611+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
51612 struct flowi *fl, struct rt6_info *rt,
51613 unsigned int flags)
51614 {
ae4e228f
MT
51615diff -urNp linux-2.6.33.1/net/ipv6/tcp_ipv6.c linux-2.6.33.1/net/ipv6/tcp_ipv6.c
51616--- linux-2.6.33.1/net/ipv6/tcp_ipv6.c 2010-03-15 12:09:39.000000000 -0400
51617+++ linux-2.6.33.1/net/ipv6/tcp_ipv6.c 2010-03-20 16:58:42.316527391 -0400
51618@@ -1625,6 +1625,9 @@ static int tcp_v6_do_rcv(struct sock *sk
58c5fc13
MT
51619 return 0;
51620
51621 reset:
51622+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51623+ if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
51624+#endif
51625 tcp_v6_send_reset(sk, skb);
51626 discard:
51627 if (opt_skb)
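Review bot: Unlike the IPv4 hunks, the condition added at `reset:` never consults `grsec_enable_blackhole`, so on a kernel built with CONFIG_GRKERNSEC_BLACKHOLE the IPv6 reset is suppressed for every non-loopback device regardless of the runtime setting. If the switch is meant to cover IPv6 as well, the test should read `if (!grsec_enable_blackhole || !skb->dev || (skb->dev->flags & IFF_LOOPBACK))`, with the matching declaration made available to this file. The `no_tcp_socket` hunk below and the `__udp6_lib_rcv` hunk in net/ipv6/udp.c have the same gap, and both dereference `skb->dev` without the NULL test used here. tcp_v6_do_rcv starts outside the hunk, so which paths reach `reset:` cannot be confirmed from this view.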
ae4e228f 51628@@ -1747,6 +1750,9 @@ no_tcp_socket:
58c5fc13
MT
51629 bad_packet:
51630 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
51631 } else {
51632+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51633+ if (skb->dev->flags & IFF_LOOPBACK)
51634+#endif
51635 tcp_v6_send_reset(NULL, skb);
51636 }
51637
ae4e228f
MT
51638diff -urNp linux-2.6.33.1/net/ipv6/udp.c linux-2.6.33.1/net/ipv6/udp.c
51639--- linux-2.6.33.1/net/ipv6/udp.c 2010-03-15 12:09:39.000000000 -0400
51640+++ linux-2.6.33.1/net/ipv6/udp.c 2010-03-20 16:58:42.316527391 -0400
51641@@ -745,6 +745,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
58c5fc13
MT
51642 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
51643 proto == IPPROTO_UDPLITE);
51644
51645+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51646+ if (skb->dev->flags & IFF_LOOPBACK)
51647+#endif
51648 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
51649
51650 kfree_skb(skb);
ae4e228f
MT
51651diff -urNp linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c
51652--- linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c 2010-03-15 12:09:39.000000000 -0400
51653+++ linux-2.6.33.1/net/irda/ircomm/ircomm_tty.c 2010-03-20 16:58:42.316527391 -0400
58c5fc13
MT
51654@@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
51655 add_wait_queue(&self->open_wait, &wait);
51656
51657 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
51658- __FILE__,__LINE__, tty->driver->name, self->open_count );
51659+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51660
51661 /* As far as I can see, we protect open_count - Jean II */
51662 spin_lock_irqsave(&self->spinlock, flags);
51663 if (!tty_hung_up_p(filp)) {
51664 extra_count = 1;
51665- self->open_count--;
51666+ atomic_dec(&self->open_count);
51667 }
51668 spin_unlock_irqrestore(&self->spinlock, flags);
51669- self->blocked_open++;
51670+ atomic_inc(&self->blocked_open);
51671
51672 while (1) {
51673 if (tty->termios->c_cflag & CBAUD) {
51674@@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
51675 }
51676
51677 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
51678- __FILE__,__LINE__, tty->driver->name, self->open_count );
51679+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
51680
51681 schedule();
51682 }
51683@@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
51684 if (extra_count) {
51685 /* ++ is not atomic, so this should be protected - Jean II */
51686 spin_lock_irqsave(&self->spinlock, flags);
51687- self->open_count++;
51688+ atomic_inc(&self->open_count);
51689 spin_unlock_irqrestore(&self->spinlock, flags);
51690 }
51691- self->blocked_open--;
51692+ atomic_dec(&self->blocked_open);
51693
51694 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
51695- __FILE__,__LINE__, tty->driver->name, self->open_count);
51696+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
51697
51698 if (!retval)
51699 self->flags |= ASYNC_NORMAL_ACTIVE;
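Review bot: The context comment `/* ++ is not atomic, so this should be protected - Jean II */` is left above `atomic_inc(&self->open_count);`, where it no longer describes the code. Either the comment should be reworded to say what the spinlock still protects, or, if the lock was only there for the increment, the change should say why it is kept. The same stale comment precedes the `atomic_inc` in the ircomm_tty_open hunk. Both functions extend beyond their hunks, so other users of the lock are not visible here.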
51700@@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
51701 }
51702 /* ++ is not atomic, so this should be protected - Jean II */
51703 spin_lock_irqsave(&self->spinlock, flags);
51704- self->open_count++;
51705+ atomic_inc(&self->open_count);
51706
51707 tty->driver_data = self;
51708 self->tty = tty;
51709 spin_unlock_irqrestore(&self->spinlock, flags);
51710
51711 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
51712- self->line, self->open_count);
51713+ self->line, atomic_read(&self->open_count));
51714
51715 /* Not really used by us, but lets do it anyway */
51716 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
51717@@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
51718 return;
51719 }
51720
51721- if ((tty->count == 1) && (self->open_count != 1)) {
51722+ if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
51723 /*
51724 * Uh, oh. tty->count is 1, which means that the tty
51725 * structure will be freed. state->count should always
51726@@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
51727 */
51728 IRDA_DEBUG(0, "%s(), bad serial port count; "
51729 "tty->count is 1, state->count is %d\n", __func__ ,
51730- self->open_count);
51731- self->open_count = 1;
51732+ atomic_read(&self->open_count));
51733+ atomic_set(&self->open_count, 1);
51734 }
51735
51736- if (--self->open_count < 0) {
51737+ if (atomic_dec_return(&self->open_count) < 0) {
51738 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
51739- __func__, self->line, self->open_count);
51740- self->open_count = 0;
51741+ __func__, self->line, atomic_read(&self->open_count));
51742+ atomic_set(&self->open_count, 0);
51743 }
51744- if (self->open_count) {
51745+ if (atomic_read(&self->open_count)) {
51746 spin_unlock_irqrestore(&self->spinlock, flags);
51747
51748 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
51749@@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
51750 tty->closing = 0;
51751 self->tty = NULL;
51752
51753- if (self->blocked_open) {
51754+ if (atomic_read(&self->blocked_open)) {
51755 if (self->close_delay)
51756 schedule_timeout_interruptible(self->close_delay);
51757 wake_up_interruptible(&self->open_wait);
51758@@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
51759 spin_lock_irqsave(&self->spinlock, flags);
51760 self->flags &= ~ASYNC_NORMAL_ACTIVE;
51761 self->tty = NULL;
51762- self->open_count = 0;
51763+ atomic_set(&self->open_count, 0);
51764 spin_unlock_irqrestore(&self->spinlock, flags);
51765
51766 wake_up_interruptible(&self->open_wait);
51767@@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
51768 seq_putc(m, '\n');
51769
51770 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
51771- seq_printf(m, "Open count: %d\n", self->open_count);
51772+ seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
51773 seq_printf(m, "Max data size: %d\n", self->max_data_size);
51774 seq_printf(m, "Max header size: %d\n", self->max_header_size);
51775
ae4e228f
MT
51776diff -urNp linux-2.6.33.1/net/mac80211/ieee80211_i.h linux-2.6.33.1/net/mac80211/ieee80211_i.h
51777--- linux-2.6.33.1/net/mac80211/ieee80211_i.h 2010-03-15 12:09:39.000000000 -0400
51778+++ linux-2.6.33.1/net/mac80211/ieee80211_i.h 2010-03-20 16:58:42.316527391 -0400
51779@@ -574,7 +574,7 @@ struct ieee80211_local {
51780 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
58c5fc13
MT
51781 spinlock_t queue_stop_reason_lock;
51782
58c5fc13
MT
51783- int open_count;
51784+ atomic_t open_count;
51785 int monitors, cooked_mntrs;
51786 /* number of interfaces with corresponding FIF_ flags */
ae4e228f
MT
51787 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
51788diff -urNp linux-2.6.33.1/net/mac80211/iface.c linux-2.6.33.1/net/mac80211/iface.c
51789--- linux-2.6.33.1/net/mac80211/iface.c 2010-03-15 12:09:39.000000000 -0400
51790+++ linux-2.6.33.1/net/mac80211/iface.c 2010-03-20 16:58:42.316527391 -0400
51791@@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
58c5fc13
MT
51792 break;
51793 }
51794
51795- if (local->open_count == 0) {
51796+ if (atomic_read(&local->open_count) == 0) {
51797 res = drv_start(local);
51798 if (res)
51799 goto err_del_bss;
51800@@ -198,7 +198,7 @@ static int ieee80211_open(struct net_dev
51801 * Validate the MAC address for this device.
51802 */
51803 if (!is_valid_ether_addr(dev->dev_addr)) {
51804- if (!local->open_count)
51805+ if (!atomic_read(&local->open_count))
51806 drv_stop(local);
51807 return -EADDRNOTAVAIL;
51808 }
ae4e228f 51809@@ -294,7 +294,7 @@ static int ieee80211_open(struct net_dev
58c5fc13
MT
51810
51811 hw_reconf_flags |= __ieee80211_recalc_idle(local);
51812
51813- local->open_count++;
51814+ atomic_inc(&local->open_count);
51815 if (hw_reconf_flags) {
51816 ieee80211_hw_config(local, hw_reconf_flags);
51817 /*
ae4e228f 51818@@ -322,7 +322,7 @@ static int ieee80211_open(struct net_dev
58c5fc13
MT
51819 err_del_interface:
51820 drv_remove_interface(local, &conf);
51821 err_stop:
51822- if (!local->open_count)
51823+ if (!atomic_read(&local->open_count))
51824 drv_stop(local);
51825 err_del_bss:
51826 sdata->bss = NULL;
ae4e228f 51827@@ -422,7 +422,7 @@ static int ieee80211_stop(struct net_dev
58c5fc13
MT
51828 WARN_ON(!list_empty(&sdata->u.ap.vlans));
51829 }
51830
51831- local->open_count--;
51832+ atomic_dec(&local->open_count);
51833
51834 switch (sdata->vif.type) {
51835 case NL80211_IFTYPE_AP_VLAN:
ae4e228f 51836@@ -528,7 +528,7 @@ static int ieee80211_stop(struct net_dev
58c5fc13
MT
51837
51838 ieee80211_recalc_ps(local, -1);
51839
51840- if (local->open_count == 0) {
51841+ if (atomic_read(&local->open_count) == 0) {
ae4e228f
MT
51842 ieee80211_clear_tx_pending(local);
51843 ieee80211_stop_device(local);
58c5fc13 51844
ae4e228f
MT
51845diff -urNp linux-2.6.33.1/net/mac80211/main.c linux-2.6.33.1/net/mac80211/main.c
51846--- linux-2.6.33.1/net/mac80211/main.c 2010-03-15 12:09:39.000000000 -0400
51847+++ linux-2.6.33.1/net/mac80211/main.c 2010-03-20 16:58:42.316527391 -0400
51848@@ -129,7 +129,7 @@ int ieee80211_hw_config(struct ieee80211
58c5fc13
MT
51849 local->hw.conf.power_level = power;
51850 }
51851
51852- if (changed && local->open_count) {
51853+ if (changed && atomic_read(&local->open_count)) {
51854 ret = drv_config(local, changed);
51855 /*
51856 * Goal:
ae4e228f
MT
51857diff -urNp linux-2.6.33.1/net/mac80211/pm.c linux-2.6.33.1/net/mac80211/pm.c
51858--- linux-2.6.33.1/net/mac80211/pm.c 2010-03-15 12:09:39.000000000 -0400
51859+++ linux-2.6.33.1/net/mac80211/pm.c 2010-03-20 16:58:42.316527391 -0400
51860@@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
58c5fc13
MT
51861 }
51862
51863 /* stop hardware - this must stop RX */
ae4e228f
MT
51864- if (local->open_count)
51865+ if (atomic_read(&local->open_count))
51866 ieee80211_stop_device(local);
51867
51868 local->suspended = true;
51869diff -urNp linux-2.6.33.1/net/mac80211/rate.c linux-2.6.33.1/net/mac80211/rate.c
51870--- linux-2.6.33.1/net/mac80211/rate.c 2010-03-15 12:09:39.000000000 -0400
51871+++ linux-2.6.33.1/net/mac80211/rate.c 2010-03-20 16:58:42.316527391 -0400
51872@@ -288,7 +288,7 @@ int ieee80211_init_rate_ctrl_alg(struct
58c5fc13
MT
51873
51874 ASSERT_RTNL();
ae4e228f
MT
51875
51876- if (local->open_count)
51877+ if (atomic_read(&local->open_count))
58c5fc13
MT
51878 return -EBUSY;
51879
ae4e228f
MT
51880 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
51881diff -urNp linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c
51882--- linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c 2010-03-15 12:09:39.000000000 -0400
51883+++ linux-2.6.33.1/net/mac80211/rc80211_pid_debugfs.c 2010-03-20 16:58:42.323982192 -0400
51884@@ -191,7 +191,7 @@ static ssize_t rate_control_pid_events_r
58c5fc13 51885
ae4e228f 51886 spin_unlock_irqrestore(&events->lock, status);
58c5fc13 51887
ae4e228f
MT
51888- if (copy_to_user(buf, pb, p))
51889+ if (p > sizeof(pb) || copy_to_user(buf, pb, p))
51890 return -EFAULT;
58c5fc13 51891
ae4e228f
MT
51892 return p;
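Review bot: The added `p > sizeof(pb)` guard bounds the copy only if `pb` is an array; its declaration is outside this hunk, and for a pointer `sizeof(pb)` would be the pointer size. The guard also reports a kernel-side length overrun as `-EFAULT`, the errno used for a bad user buffer, so the two conditions cannot be told apart afterwards. A comment such as `/* p must never exceed sizeof(pb); a larger value is a kernel bug, not a user fault */` and a separate check like `if (WARN_ON_ONCE(p > sizeof(pb))) return -EINVAL;` would make the invariant explicit. The same applies to the `sizeof` guards added in net/packet/af_packet.c, net/sctp/socket.c (`addrlen > sizeof(temp)`) and net/sunrpc/xprtrdma/svc_rdma.c (`len > sizeof(str_buf)`). The enclosing function starts outside the hunk.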
51893diff -urNp linux-2.6.33.1/net/mac80211/util.c linux-2.6.33.1/net/mac80211/util.c
51894--- linux-2.6.33.1/net/mac80211/util.c 2010-03-15 12:09:39.000000000 -0400
51895+++ linux-2.6.33.1/net/mac80211/util.c 2010-03-20 16:58:42.329957671 -0400
51896@@ -1050,14 +1050,14 @@ int ieee80211_reconfig(struct ieee80211_
51897 local->resuming = true;
58c5fc13
MT
51898
51899 /* restart hardware */
51900- if (local->open_count) {
51901+ if (atomic_read(&local->open_count)) {
ae4e228f
MT
51902 /*
51903 * Upon resume hardware can sometimes be goofy due to
51904 * various platform / driver / bus issues, so restarting
51905 * the device may at times not work immediately. Propagate
51906 * the error.
51907 */
51908- res = drv_start(local);
51909+ res = drv_start(local);
51910 if (res) {
51911 WARN(local->suspended, "Harware became unavailable "
51912 "upon resume. This is could be a software issue"
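Review bot: The `res = drv_start(local);` line is removed and re-added with no visible difference, so this hunk appears to carry a whitespace-only change next to the real one (`atomic_read(&local->open_count)`). Dropping that pair would keep the diff to the `open_count` conversion and reduce conflicts when the patch is rebased onto newer mac80211 code. ieee80211_reconfig continues outside the hunk.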
51913diff -urNp linux-2.6.33.1/net/packet/af_packet.c linux-2.6.33.1/net/packet/af_packet.c
51914--- linux-2.6.33.1/net/packet/af_packet.c 2010-03-15 12:09:39.000000000 -0400
51915+++ linux-2.6.33.1/net/packet/af_packet.c 2010-03-20 16:58:42.329957671 -0400
51916@@ -1886,7 +1886,7 @@ static int packet_getsockopt(struct sock
51917 case PACKET_HDRLEN:
51918 if (len > sizeof(int))
51919 len = sizeof(int);
51920- if (copy_from_user(&val, optval, len))
51921+ if (len > sizeof(val) || copy_from_user(&val, optval, len))
51922 return -EFAULT;
51923 switch (val) {
51924 case TPACKET_V1:
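Review bot: The added `len > sizeof(val)` test cannot fire if `val` is an `int` (its declaration is outside the hunk), because `len` is clamped to `sizeof(int)` by the two lines directly above it. If the check is kept as defence in depth, a comment saying so, e.g. `/* redundant with the clamp above; kept so the bound sits next to the copy */`, would stop a later reader from treating one of the two as removable.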
51925@@ -1919,7 +1919,7 @@ static int packet_getsockopt(struct sock
58c5fc13 51926
ae4e228f
MT
51927 if (put_user(len, optlen))
51928 return -EFAULT;
51929- if (copy_to_user(optval, data, len))
51930+ if (len > sizeof(st) || copy_to_user(optval, data, len))
51931 return -EFAULT;
51932 return 0;
58c5fc13 51933 }
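Review bot: The guard compares `len` with `sizeof(st)`, but the copy reads from `data`, so it bounds the read only when `data` points at `st`. If `data` can also point at a smaller object (the assignments are outside the hunk), a `len` between that object's size and `sizeof(st)` still passes the check. Carrying the source size next to the pointer, for example a `data_len` variable set wherever `data` is assigned and tested as `len > data_len`, would tie the bound to the object actually copied.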
ae4e228f
MT
51934diff -urNp linux-2.6.33.1/net/sctp/socket.c linux-2.6.33.1/net/sctp/socket.c
51935--- linux-2.6.33.1/net/sctp/socket.c 2010-03-15 12:09:39.000000000 -0400
51936+++ linux-2.6.33.1/net/sctp/socket.c 2010-03-20 16:58:42.332512321 -0400
51937@@ -1482,7 +1482,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
58c5fc13
MT
51938 struct sctp_sndrcvinfo *sinfo;
51939 struct sctp_initmsg *sinit;
51940 sctp_assoc_t associd = 0;
51941- sctp_cmsgs_t cmsgs = { NULL };
51942+ sctp_cmsgs_t cmsgs = { NULL, NULL };
51943 int err;
51944 sctp_scope_t scope;
51945 long timeo;
ae4e228f
MT
51946@@ -4386,7 +4386,7 @@ static int sctp_getsockopt_peer_addrs(st
51947 addrlen = sctp_get_af_specific(sk->sk_family)->sockaddr_len;
51948 if (space_left < addrlen)
51949 return -ENOMEM;
51950- if (copy_to_user(to, &temp, addrlen))
51951+ if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
51952 return -EFAULT;
51953 to += addrlen;
51954 cnt++;
51955@@ -5478,7 +5478,6 @@ pp_found:
58c5fc13
MT
51956 */
51957 int reuse = sk->sk_reuse;
51958 struct sock *sk2;
51959- struct hlist_node *node;
51960
51961 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
51962 if (pp->fastreuse && sk->sk_reuse &&
ae4e228f
MT
51963diff -urNp linux-2.6.33.1/net/socket.c linux-2.6.33.1/net/socket.c
51964--- linux-2.6.33.1/net/socket.c 2010-03-15 12:09:39.000000000 -0400
51965+++ linux-2.6.33.1/net/socket.c 2010-03-20 16:58:42.332512321 -0400
51966@@ -87,6 +87,7 @@
58c5fc13
MT
51967 #include <linux/wireless.h>
51968 #include <linux/nsproxy.h>
ae4e228f 51969 #include <linux/magic.h>
58c5fc13
MT
51970+#include <linux/in.h>
51971
51972 #include <asm/uaccess.h>
51973 #include <asm/unistd.h>
ae4e228f
MT
51974@@ -103,6 +104,8 @@
51975 #include <linux/sockios.h>
51976 #include <linux/atalk.h>
58c5fc13 51977
ae4e228f 51978+#include <linux/grsock.h>
58c5fc13
MT
51979+
51980 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
51981 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
51982 unsigned long nr_segs, loff_t pos);
ae4e228f 51983@@ -304,7 +307,7 @@ static int sockfs_get_sb(struct file_sys
58c5fc13
MT
51984 mnt);
51985 }
51986
51987-static struct vfsmount *sock_mnt __read_mostly;
51988+struct vfsmount *sock_mnt __read_mostly;
51989
51990 static struct file_system_type sock_fs_type = {
51991 .name = "sockfs",
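Review bot: Dropping `static` from `sock_mnt` turns a file-local mount pointer into a kernel-wide symbol, and nothing in this hunk declares it for other files or says who needs it. A matching `extern struct vfsmount *sock_mnt;` in a header included by both net/socket.c and the user would let the compiler check the type. A comment such as `/* non-static: referenced outside net/socket.c by the grsecurity socket code */` (wording to be confirmed against the actual user) would document the wider linkage.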
ae4e228f 51992@@ -1310,6 +1313,16 @@ SYSCALL_DEFINE3(socket, int, family, int
58c5fc13
MT
51993 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
51994 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
51995
51996+ if(!gr_search_socket(family, type, protocol)) {
51997+ retval = -EACCES;
51998+ goto out;
51999+ }
52000+
52001+ if (gr_handle_sock_all(family, type, protocol)) {
52002+ retval = -EACCES;
52003+ goto out;
52004+ }
52005+
52006 retval = sock_create(family, type, protocol, &sock);
52007 if (retval < 0)
52008 goto out;
ae4e228f 52009@@ -1422,6 +1435,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
58c5fc13
MT
52010 if (sock) {
52011 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
52012 if (err >= 0) {
52013+ if (gr_handle_sock_server((struct sockaddr *)&address)) {
52014+ err = -EACCES;
52015+ goto error;
52016+ }
52017+ err = gr_search_bind(sock, (struct sockaddr_in *)&address);
52018+ if (err)
52019+ goto error;
52020+
52021 err = security_socket_bind(sock,
52022 (struct sockaddr *)&address,
52023 addrlen);
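Review bot: `gr_search_bind()` is handed `(struct sockaddr_in *)&address` for every address family and for any `addrlen` that `move_addr_to_kernel()` accepted. For a non-IPv4 or short address the callee is therefore given fields the caller never supplied, backed by whatever the on-stack `address` happened to hold. Whether `gr_search_bind()` checks the family and length before reading is not visible here; passing `addrlen` to the hook so it can validate both itself would make the cast safe on its face. The connect hunk further down does the same with `gr_search_connect(sock, (struct sockaddr_in *)sck)`.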
ae4e228f 52024@@ -1430,6 +1451,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
58c5fc13
MT
52025 (struct sockaddr *)
52026 &address, addrlen);
52027 }
52028+error:
52029 fput_light(sock->file, fput_needed);
52030 }
52031 return err;
ae4e228f 52032@@ -1453,10 +1475,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
58c5fc13
MT
52033 if ((unsigned)backlog > somaxconn)
52034 backlog = somaxconn;
52035
52036+ if (gr_handle_sock_server_other(sock)) {
52037+ err = -EPERM;
52038+ goto error;
52039+ }
52040+
52041+ err = gr_search_listen(sock);
52042+ if (err)
52043+ goto error;
52044+
52045 err = security_socket_listen(sock, backlog);
52046 if (!err)
52047 err = sock->ops->listen(sock, backlog);
52048
52049+error:
52050 fput_light(sock->file, fput_needed);
52051 }
52052 return err;
ae4e228f 52053@@ -1499,6 +1531,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
58c5fc13
MT
52054 newsock->type = sock->type;
52055 newsock->ops = sock->ops;
52056
52057+ if (gr_handle_sock_server_other(sock)) {
52058+ err = -EPERM;
52059+ sock_release(newsock);
52060+ goto out_put;
52061+ }
52062+
52063+ err = gr_search_accept(sock);
52064+ if (err) {
52065+ sock_release(newsock);
52066+ goto out_put;
52067+ }
52068+
52069 /*
52070 * We don't need try_module_get here, as the listening socket (sock)
52071 * has the protocol module (sock->ops->owner) held.
ae4e228f 52072@@ -1537,6 +1581,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
58c5fc13
MT
52073 fd_install(newfd, newfile);
52074 err = newfd;
52075
52076+ gr_attach_curr_ip(newsock->sk);
52077+
52078 out_put:
52079 fput_light(sock->file, fput_needed);
52080 out:
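Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, at which point the descriptor is already visible to other threads sharing the file table. A concurrent `close()` on `newfd` can release the socket before this line dereferences `newsock`. Moving the call above `fd_install(newfd, newfile);` keeps the access inside the window where this function still holds the only reference. The rest of accept4 is outside the hunk, so the exact placement should be checked against the error paths there.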
ae4e228f 52081@@ -1569,6 +1615,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
58c5fc13
MT
52082 int, addrlen)
52083 {
52084 struct socket *sock;
52085+ struct sockaddr *sck;
52086 struct sockaddr_storage address;
52087 int err, fput_needed;
52088
ae4e228f 52089@@ -1579,6 +1626,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
58c5fc13
MT
52090 if (err < 0)
52091 goto out_put;
52092
52093+ sck = (struct sockaddr *)&address;
52094+
52095+ if (gr_handle_sock_client(sck)) {
52096+ err = -EACCES;
52097+ goto out_put;
52098+ }
52099+
52100+ err = gr_search_connect(sock, (struct sockaddr_in *)sck);
52101+ if (err)
52102+ goto out_put;
52103+
52104 err =
52105 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
52106 if (err)
ae4e228f
MT
52107diff -urNp linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c
52108--- linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c 2010-03-15 12:09:39.000000000 -0400
52109+++ linux-2.6.33.1/net/sunrpc/xprtrdma/svc_rdma.c 2010-03-20 16:58:42.332512321 -0400
52110@@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
52111 len -= *ppos;
52112 if (len > *lenp)
52113 len = *lenp;
52114- if (len && copy_to_user(buffer, str_buf, len))
52115+ if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
52116 return -EFAULT;
52117 *lenp = len;
52118 *ppos += len;
52119diff -urNp linux-2.6.33.1/net/sysctl_net.c linux-2.6.33.1/net/sysctl_net.c
52120--- linux-2.6.33.1/net/sysctl_net.c 2010-03-15 12:09:39.000000000 -0400
52121+++ linux-2.6.33.1/net/sysctl_net.c 2010-03-20 16:58:42.332512321 -0400
52122@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
52123 struct ctl_table *table)
52124 {
52125 /* Allow network administrator to have same access as root. */
52126- if (capable(CAP_NET_ADMIN)) {
52127+ if (capable_nolog(CAP_NET_ADMIN)) {
52128 int mode = (table->mode >> 6) & 7;
52129 return (mode << 6) | (mode << 3) | mode;
52130 }
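Review bot: The switch from `capable()` to `capable_nolog()` is not explained; the existing comment only covers why CAP_NET_ADMIN is honoured. A line such as `/* permission probe, not a privileged action: use the non-logging check */` would record the intent, assuming that is the reason. `capable_nolog()` is not defined in this hunk, so it is also worth confirming that no audit consumer relied on the log entry from this path.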
52131diff -urNp linux-2.6.33.1/net/unix/af_unix.c linux-2.6.33.1/net/unix/af_unix.c
52132--- linux-2.6.33.1/net/unix/af_unix.c 2010-03-15 12:09:39.000000000 -0400
52133+++ linux-2.6.33.1/net/unix/af_unix.c 2010-03-20 16:58:42.332512321 -0400
52134@@ -735,6 +735,12 @@ static struct sock *unix_find_other(stru
58c5fc13
MT
52135 err = -ECONNREFUSED;
52136 if (!S_ISSOCK(inode->i_mode))
52137 goto put_fail;
52138+
52139+ if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
52140+ err = -EACCES;
52141+ goto put_fail;
52142+ }
52143+
52144 u = unix_find_socket_byinode(net, inode);
52145 if (!u)
52146 goto put_fail;
ae4e228f 52147@@ -755,6 +761,13 @@ static struct sock *unix_find_other(stru
58c5fc13
MT
52148 if (u) {
52149 struct dentry *dentry;
52150 dentry = unix_sk(u)->dentry;
52151+
52152+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
52153+ err = -EPERM;
52154+ sock_put(u);
52155+ goto fail;
52156+ }
52157+
52158 if (dentry)
52159 touch_atime(unix_sk(u)->mnt, dentry);
52160 } else
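Review bot: The chroot check keys on `u->sk_peercred.pid`, a bare pid number that the unix_bind hunk further down stores from `current->pid` at bind time. A number recorded then can refer to a different task by the time another socket looks this one up, once the binder has exited and the pid has been reused, and `current->pid` is the thread id rather than the process id. How `gr_handle_chroot_unix()` resolves the number is not visible here. Holding a counted `struct pid *` taken at bind time, or at least documenting the reuse window next to the `#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX` assignment, would tie the decision to the task that actually bound the socket. Writing `sk_peercred.pid` on an unconnected socket may also change what `SO_PEERCRED` reports for it.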
ae4e228f 52161@@ -840,11 +853,18 @@ static int unix_bind(struct socket *sock
58c5fc13
MT
52162 err = security_path_mknod(&nd.path, dentry, mode, 0);
52163 if (err)
52164 goto out_mknod_drop_write;
52165+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
52166+ err = -EACCES;
52167+ goto out_mknod_drop_write;
52168+ }
52169 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
52170 out_mknod_drop_write:
52171 mnt_drop_write(nd.path.mnt);
52172 if (err)
52173 goto out_mknod_dput;
52174+
52175+ gr_handle_create(dentry, nd.path.mnt);
52176+
52177 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
52178 dput(nd.path.dentry);
52179 nd.path.dentry = dentry;
ae4e228f 52180@@ -862,6 +882,10 @@ out_mknod_drop_write:
58c5fc13
MT
52181 goto out_unlock;
52182 }
52183
52184+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
52185+ sk->sk_peercred.pid = current->pid;
52186+#endif
52187+
52188 list = &unix_socket_table[addr->hash];
52189 } else {
52190 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
ae4e228f
MT
52191diff -urNp linux-2.6.33.1/samples/kobject/kset-example.c linux-2.6.33.1/samples/kobject/kset-example.c
52192--- linux-2.6.33.1/samples/kobject/kset-example.c 2010-03-15 12:09:39.000000000 -0400
52193+++ linux-2.6.33.1/samples/kobject/kset-example.c 2010-03-20 16:58:42.344967210 -0400
52194@@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
58c5fc13
MT
52195 }
52196
ae4e228f
MT
52197 /* Our custom sysfs_ops that we will associate with our ktype later on */
52198-static struct sysfs_ops foo_sysfs_ops = {
52199+static const struct sysfs_ops foo_sysfs_ops = {
52200 .show = foo_attr_show,
52201 .store = foo_attr_store,
58c5fc13 52202 };
ae4e228f
MT
52203diff -urNp linux-2.6.33.1/scripts/basic/fixdep.c linux-2.6.33.1/scripts/basic/fixdep.c
52204--- linux-2.6.33.1/scripts/basic/fixdep.c 2010-03-15 12:09:39.000000000 -0400
52205+++ linux-2.6.33.1/scripts/basic/fixdep.c 2010-03-20 16:58:42.344967210 -0400
52206@@ -222,9 +222,9 @@ static void use_config(char *m, int slen
58c5fc13 52207
ae4e228f 52208 static void parse_config_file(char *map, size_t len)
58c5fc13
MT
52209 {
52210- int *end = (int *) (map + len);
52211+ unsigned int *end = (unsigned int *) (map + len);
52212 /* start at +1, so that p can never be < map */
52213- int *m = (int *) map + 1;
52214+ unsigned int *m = (unsigned int *) map + 1;
52215 char *p, *q;
52216
52217 for (; m < end; m++) {
ae4e228f
MT
52218@@ -371,7 +371,7 @@ static void print_deps(void)
52219 static void traps(void)
58c5fc13
MT
52220 {
52221 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
52222- int *p = (int *)test;
52223+ unsigned int *p = (unsigned int *)test;
52224
52225 if (*p != INT_CONF) {
52226 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
ae4e228f
MT
52227diff -urNp linux-2.6.33.1/scripts/kallsyms.c linux-2.6.33.1/scripts/kallsyms.c
52228--- linux-2.6.33.1/scripts/kallsyms.c 2010-03-15 12:09:39.000000000 -0400
52229+++ linux-2.6.33.1/scripts/kallsyms.c 2010-03-20 16:58:42.344967210 -0400
58c5fc13
MT
52230@@ -43,10 +43,10 @@ struct text_range {
52231
52232 static unsigned long long _text;
52233 static struct text_range text_ranges[] = {
52234- { "_stext", "_etext" },
52235- { "_sinittext", "_einittext" },
52236- { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
52237- { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
52238+ { "_stext", "_etext", 0, 0 },
52239+ { "_sinittext", "_einittext", 0, 0 },
52240+ { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
52241+ { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
52242 };
52243 #define text_range_text (&text_ranges[0])
52244 #define text_range_inittext (&text_ranges[1])
ae4e228f
MT
52245diff -urNp linux-2.6.33.1/scripts/mod/file2alias.c linux-2.6.33.1/scripts/mod/file2alias.c
52246--- linux-2.6.33.1/scripts/mod/file2alias.c 2010-03-15 12:09:39.000000000 -0400
52247+++ linux-2.6.33.1/scripts/mod/file2alias.c 2010-03-20 16:58:42.348544513 -0400
58c5fc13
MT
52248@@ -72,7 +72,7 @@ static void device_id_check(const char *
52249 unsigned long size, unsigned long id_size,
52250 void *symval)
52251 {
52252- int i;
52253+ unsigned int i;
52254
52255 if (size % id_size || size < id_size) {
52256 if (cross_build != 0)
52257@@ -102,7 +102,7 @@ static void device_id_check(const char *
52258 /* USB is special because the bcdDevice can be matched against a numeric range */
52259 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
52260 static void do_usb_entry(struct usb_device_id *id,
52261- unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
52262+ unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
52263 unsigned char range_lo, unsigned char range_hi,
ae4e228f 52264 unsigned char max, struct module *mod)
58c5fc13 52265 {
ae4e228f 52266@@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
58c5fc13
MT
52267 for (i = 0; i < count; i++) {
52268 const char *id = (char *)devs[i].id;
52269 char acpi_id[sizeof(devs[0].id)];
52270- int j;
52271+ unsigned int j;
52272
52273 buf_printf(&mod->dev_table_buf,
52274 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
ae4e228f 52275@@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
58c5fc13
MT
52276
52277 for (j = 0; j < PNP_MAX_DEVICES; j++) {
52278 const char *id = (char *)card->devs[j].id;
52279- int i2, j2;
52280+ unsigned int i2, j2;
52281 int dup = 0;
52282
52283 if (!id[0])
ae4e228f 52284@@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
58c5fc13
MT
52285 /* add an individual alias for every device entry */
52286 if (!dup) {
52287 char acpi_id[sizeof(card->devs[0].id)];
52288- int k;
52289+ unsigned int k;
52290
52291 buf_printf(&mod->dev_table_buf,
52292 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
ae4e228f 52293@@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
58c5fc13
MT
52294 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
52295 char *alias)
52296 {
52297- int i, j;
52298+ unsigned int i, j;
52299
52300 sprintf(alias, "dmi*");
52301
ae4e228f
MT
52302diff -urNp linux-2.6.33.1/scripts/mod/modpost.c linux-2.6.33.1/scripts/mod/modpost.c
52303--- linux-2.6.33.1/scripts/mod/modpost.c 2010-03-15 12:09:39.000000000 -0400
52304+++ linux-2.6.33.1/scripts/mod/modpost.c 2010-03-20 16:58:42.348544513 -0400
52305@@ -842,6 +842,7 @@ enum mismatch {
58c5fc13
MT
52306 INIT_TO_EXIT,
52307 EXIT_TO_INIT,
52308 EXPORT_TO_INIT_EXIT,
52309+ DATA_TO_TEXT
52310 };
52311
52312 struct sectioncheck {
ae4e228f 52313@@ -927,6 +928,12 @@ const struct sectioncheck sectioncheck[]
58c5fc13
MT
52314 .fromsec = { "__ksymtab*", NULL },
52315 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
52316 .mismatch = EXPORT_TO_INIT_EXIT
52317+},
52318+/* Do not reference code from writable data */
52319+{
52320+ .fromsec = { DATA_SECTIONS, NULL },
52321+ .tosec = { TEXT_SECTIONS, NULL },
52322+ .mismatch = DATA_TO_TEXT
52323 }
52324 };
52325
ae4e228f 52326@@ -1031,10 +1038,10 @@ static Elf_Sym *find_elf_symbol(struct e
58c5fc13
MT
52327 continue;
52328 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
52329 continue;
52330- if (sym->st_value == addr)
52331- return sym;
52332 /* Find a symbol nearby - addr are maybe negative */
52333 d = sym->st_value - addr;
52334+ if (d == 0)
52335+ return sym;
52336 if (d < 0)
52337 d = addr - sym->st_value;
52338 if (d < distance) {
ae4e228f 52339@@ -1275,6 +1282,14 @@ static void report_sec_mismatch(const ch
58c5fc13
MT
52340 "Fix this by removing the %sannotation of %s "
52341 "or drop the export.\n",
52342 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
52343+ case DATA_TO_TEXT:
52344+/*
52345+ fprintf(stderr,
52346+ "The variable %s references\n"
52347+ "the %s %s%s%s\n",
52348+ fromsym, to, sec2annotation(tosec), tosym, to_p);
52349+*/
52350+ break;
52351 case NO_MISMATCH:
52352 /* To get warnings on missing members */
52353 break;
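Review bot: `case DATA_TO_TEXT:` is inserted directly after the `fprintf()` arguments of the preceding case, which has no `break;` in the visible context, so that case now falls through the new label. This is harmless while the DATA_TO_TEXT body is commented out, but re-enabling the `fprintf` would print the data-to-text message for the preceding mismatch as well. Adding `break;` before `case DATA_TO_TEXT:` fixes this. The commented-out block would be clearer as `#if 0` with a one-line reason, or removed.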
ae4e228f 52354@@ -1600,7 +1615,7 @@ void __attribute__((format(printf, 2, 3)
58c5fc13
MT
52355 va_end(ap);
52356 }
52357
52358-void buf_write(struct buffer *buf, const char *s, int len)
52359+void buf_write(struct buffer *buf, const char *s, unsigned int len)
52360 {
52361 if (buf->size - buf->pos < len) {
52362 buf->size += len + SZ;
ae4e228f 52363@@ -1812,7 +1827,7 @@ static void write_if_changed(struct buff
58c5fc13
MT
52364 if (fstat(fileno(file), &st) < 0)
52365 goto close_write;
52366
52367- if (st.st_size != b->pos)
52368+ if (st.st_size != (off_t)b->pos)
52369 goto close_write;
52370
52371 tmp = NOFAIL(malloc(b->pos));
ae4e228f
MT
52372diff -urNp linux-2.6.33.1/scripts/mod/modpost.h linux-2.6.33.1/scripts/mod/modpost.h
52373--- linux-2.6.33.1/scripts/mod/modpost.h 2010-03-15 12:09:39.000000000 -0400
52374+++ linux-2.6.33.1/scripts/mod/modpost.h 2010-03-20 16:58:42.348544513 -0400
58c5fc13
MT
52375@@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
52376
52377 struct buffer {
52378 char *p;
52379- int pos;
52380- int size;
52381+ unsigned int pos;
52382+ unsigned int size;
52383 };
52384
52385 void __attribute__((format(printf, 2, 3)))
52386 buf_printf(struct buffer *buf, const char *fmt, ...);
52387
52388 void
52389-buf_write(struct buffer *buf, const char *s, int len);
52390+buf_write(struct buffer *buf, const char *s, unsigned int len);
52391
52392 struct module {
52393 struct module *next;
ae4e228f
MT
52394diff -urNp linux-2.6.33.1/scripts/mod/sumversion.c linux-2.6.33.1/scripts/mod/sumversion.c
52395--- linux-2.6.33.1/scripts/mod/sumversion.c 2010-03-15 12:09:39.000000000 -0400
52396+++ linux-2.6.33.1/scripts/mod/sumversion.c 2010-03-20 16:58:42.348544513 -0400
52397@@ -455,7 +455,7 @@ static void write_version(const char *fi
58c5fc13
MT
52398 goto out;
52399 }
52400
52401- if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
52402+ if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
52403 warn("writing sum in %s failed: %s\n",
52404 filename, strerror(errno));
52405 goto out;
ae4e228f
MT
52406diff -urNp linux-2.6.33.1/scripts/pnmtologo.c linux-2.6.33.1/scripts/pnmtologo.c
52407--- linux-2.6.33.1/scripts/pnmtologo.c 2010-03-15 12:09:39.000000000 -0400
52408+++ linux-2.6.33.1/scripts/pnmtologo.c 2010-03-20 16:58:42.348544513 -0400
58c5fc13
MT
52409@@ -237,14 +237,14 @@ static void write_header(void)
52410 fprintf(out, " * Linux logo %s\n", logoname);
52411 fputs(" */\n\n", out);
52412 fputs("#include <linux/linux_logo.h>\n\n", out);
52413- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
52414+ fprintf(out, "static unsigned char %s_data[] = {\n",
52415 logoname);
52416 }
52417
52418 static void write_footer(void)
52419 {
52420 fputs("\n};\n\n", out);
52421- fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
52422+ fprintf(out, "const struct linux_logo %s = {\n", logoname);
52423 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
52424 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
52425 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
52426@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
52427 fputs("\n};\n\n", out);
52428
52429 /* write logo clut */
52430- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
52431+ fprintf(out, "static unsigned char %s_clut[] = {\n",
52432 logoname);
52433 write_hex_cnt = 0;
52434 for (i = 0; i < logo_clutsize; i++) {
ae4e228f
MT
52435diff -urNp linux-2.6.33.1/security/commoncap.c linux-2.6.33.1/security/commoncap.c
52436--- linux-2.6.33.1/security/commoncap.c 2010-03-15 12:09:39.000000000 -0400
52437+++ linux-2.6.33.1/security/commoncap.c 2010-03-20 16:58:42.348544513 -0400
58c5fc13
MT
52438@@ -27,7 +27,7 @@
52439 #include <linux/sched.h>
52440 #include <linux/prctl.h>
52441 #include <linux/securebits.h>
52442-
52443+#include <net/sock.h>
52444 /*
52445 * If a non-root user executes a setuid-root binary in
52446 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
52447@@ -50,9 +50,11 @@ static void warn_setuid_and_fcaps_mixed(
52448 }
52449 }
52450
52451+extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
52452+
52453 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
52454 {
52455- NETLINK_CB(skb).eff_cap = current_cap();
52456+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
52457 return 0;
52458 }
52459
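Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared inside security/commoncap.c instead of coming from a header, so the compiler cannot check it against the definition and a signature change would go unnoticed. Moving the prototype to a shared header and including it here keeps the two in step. A comment on `cap_netlink_send()` stating how the returned set relates to `current_cap()` would also help, since `eff_cap` is the value stored for the message's receiver to evaluate; the definition of `gr_cap_rtnetlink()` is not visible in this hunk.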
ae4e228f
MT
52460diff -urNp linux-2.6.33.1/security/integrity/ima/ima_api.c linux-2.6.33.1/security/integrity/ima/ima_api.c
52461--- linux-2.6.33.1/security/integrity/ima/ima_api.c 2010-03-15 12:09:39.000000000 -0400
52462+++ linux-2.6.33.1/security/integrity/ima/ima_api.c 2010-03-20 16:58:42.348544513 -0400
52463@@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
52464 int result;
58c5fc13 52465
ae4e228f
MT
52466 /* can overflow, only indicator */
52467- atomic_long_inc(&ima_htable.violations);
52468+ atomic_long_inc_unchecked(&ima_htable.violations);
52469
52470 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
52471 if (!entry) {
52472diff -urNp linux-2.6.33.1/security/integrity/ima/ima_fs.c linux-2.6.33.1/security/integrity/ima/ima_fs.c
52473--- linux-2.6.33.1/security/integrity/ima/ima_fs.c 2010-03-15 12:09:39.000000000 -0400
52474+++ linux-2.6.33.1/security/integrity/ima/ima_fs.c 2010-03-20 16:58:42.348544513 -0400
52475@@ -27,12 +27,12 @@
52476 static int valid_policy = 1;
52477 #define TMPBUFLEN 12
52478 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
52479- loff_t *ppos, atomic_long_t *val)
52480+ loff_t *ppos, atomic_long_unchecked_t *val)
52481 {
52482 char tmpbuf[TMPBUFLEN];
52483 ssize_t len;
52484
52485- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
52486+ len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
52487 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
52488 }
52489
52490diff -urNp linux-2.6.33.1/security/integrity/ima/ima.h linux-2.6.33.1/security/integrity/ima/ima.h
52491--- linux-2.6.33.1/security/integrity/ima/ima.h 2010-03-15 12:09:39.000000000 -0400
52492+++ linux-2.6.33.1/security/integrity/ima/ima.h 2010-03-20 16:58:42.348544513 -0400
52493@@ -83,8 +83,8 @@ void ima_add_violation(struct inode *ino
52494 extern spinlock_t ima_queue_lock;
52495
52496 struct ima_h_table {
52497- atomic_long_t len; /* number of stored measurements in the list */
52498- atomic_long_t violations;
52499+ atomic_long_unchecked_t len; /* number of stored measurements in the list */
52500+ atomic_long_unchecked_t violations;
52501 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
58c5fc13 52502 };
ae4e228f
MT
52503 extern struct ima_h_table ima_htable;
52504diff -urNp linux-2.6.33.1/security/integrity/ima/ima_queue.c linux-2.6.33.1/security/integrity/ima/ima_queue.c
52505--- linux-2.6.33.1/security/integrity/ima/ima_queue.c 2010-03-15 12:09:39.000000000 -0400
52506+++ linux-2.6.33.1/security/integrity/ima/ima_queue.c 2010-03-20 16:58:42.348544513 -0400
52507@@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
52508 INIT_LIST_HEAD(&qe->later);
52509 list_add_tail_rcu(&qe->later, &ima_measurements);
52510
52511- atomic_long_inc(&ima_htable.len);
52512+ atomic_long_inc_unchecked(&ima_htable.len);
52513 key = ima_hash_key(entry->digest);
52514 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
58c5fc13 52515 return 0;
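Review bot: `ima_htable.len` is switched to `atomic_long_inc_unchecked()` without the kind of justification that `violations` has in ima_api.c (`/* can overflow, only indicator */`). If wrap-around of the measurement count is equally harmless, a comment such as `/* statistics only; wrap-around is harmless */` next to this call or on the `len` field in ima.h would say so. If anything sizes or indexes by `len`, the checked variant should stay.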
ae4e228f
MT
52516diff -urNp linux-2.6.33.1/security/Kconfig linux-2.6.33.1/security/Kconfig
52517--- linux-2.6.33.1/security/Kconfig 2010-03-15 12:09:39.000000000 -0400
52518+++ linux-2.6.33.1/security/Kconfig 2010-03-20 17:07:22.208972401 -0400
52519@@ -4,6 +4,488 @@
58c5fc13
MT
52520
52521 menu "Security options"
52522
52523+source grsecurity/Kconfig
52524+
52525+menu "PaX"
52526+
52527+config PAX
52528+ bool "Enable various PaX features"
ae4e228f 52529+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC || SPARC || X86)
58c5fc13
MT
52530+ help
52531+ This allows you to enable various PaX features. PaX adds
52532+ intrusion prevention mechanisms to the kernel that reduce
52533+ the risks posed by exploitable memory corruption bugs.
52534+
52535+menu "PaX Control"
52536+ depends on PAX
52537+
52538+config PAX_SOFTMODE
52539+ bool 'Support soft mode'
ae4e228f 52540+ select PAX_PT_PAX_FLAGS
58c5fc13
MT
52541+ help
52542+ Enabling this option will allow you to run PaX in soft mode, that
52543+ is, PaX features will not be enforced by default, only on executables
52544+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
52545+ is the only way to mark executables for soft mode use.
52546+
52547+ Soft mode can be activated by using the "pax_softmode=1" kernel command
52548+ line option on boot. Furthermore you can control various PaX features
52549+ at runtime via the entries in /proc/sys/kernel/pax.
52550+
52551+config PAX_EI_PAX
52552+ bool 'Use legacy ELF header marking'
52553+ help
52554+ Enabling this option will allow you to control PaX features on
52555+ a per executable basis via the 'chpax' utility available at
52556+ http://pax.grsecurity.net/. The control flags will be read from
52557+ an otherwise reserved part of the ELF header. This marking has
52558+ numerous drawbacks (no support for soft-mode, toolchain does not
52559+ know about the non-standard use of the ELF header) therefore it
52560+ has been deprecated in favour of PT_PAX_FLAGS support.
52561+
52562+ If you have applications not marked by the PT_PAX_FLAGS ELF
52563+ program header then you MUST enable this option otherwise they
52564+ will not get any protection.
52565+
52566+ Note that if you enable PT_PAX_FLAGS marking support as well,
52567+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
52568+
52569+config PAX_PT_PAX_FLAGS
52570+ bool 'Use ELF program header marking'
52571+ help
52572+ Enabling this option will allow you to control PaX features on
52573+ a per executable basis via the 'paxctl' utility available at
52574+ http://pax.grsecurity.net/. The control flags will be read from
52575+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
52576+ has the benefits of supporting both soft mode and being fully
52577+ integrated into the toolchain (the binutils patch is available
52578+ from http://pax.grsecurity.net).
52579+
52580+ If you have applications not marked by the PT_PAX_FLAGS ELF
52581+ program header then you MUST enable the EI_PAX marking support
52582+ otherwise they will not get any protection.
52583+
52584+ Note that if you enable the legacy EI_PAX marking support as well,
52585+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
52586+
52587+choice
52588+ prompt 'MAC system integration'
52589+ default PAX_HAVE_ACL_FLAGS
52590+ help
52591+ Mandatory Access Control systems have the option of controlling
52592+ PaX flags on a per executable basis, choose the method supported
52593+ by your particular system.
52594+
52595+ - "none": if your MAC system does not interact with PaX,
52596+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
52597+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
52598+
52599+ NOTE: this option is for developers/integrators only.
52600+
52601+ config PAX_NO_ACL_FLAGS
52602+ bool 'none'
52603+
52604+ config PAX_HAVE_ACL_FLAGS
52605+ bool 'direct'
52606+
52607+ config PAX_HOOK_ACL_FLAGS
52608+ bool 'hook'
52609+endchoice
52610+
52611+endmenu
52612+
52613+menu "Non-executable pages"
52614+ depends on PAX
52615+
52616+config PAX_NOEXEC
52617+ bool "Enforce non-executable pages"
ae4e228f 52618+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
58c5fc13
MT
52619+ help
52620+ By design some architectures do not allow for protecting memory
52621+ pages against execution or even if they do, Linux does not make
52622+ use of this feature. In practice this means that if a page is
52623+ readable (such as the stack or heap) it is also executable.
52624+
52625+ There is a well known exploit technique that makes use of this
52626+ fact and a common programming mistake where an attacker can
52627+ introduce code of his choice somewhere in the attacked program's
52628+ memory (typically the stack or the heap) and then execute it.
52629+
52630+ If the attacked program was running with different (typically
52631+ higher) privileges than that of the attacker, then he can elevate
52632+ his own privilege level (e.g. get a root shell, write to files for
52633+ which he does not have write access to, etc).
52634+
52635+ Enabling this option will let you choose from various features
52636+ that prevent the injection and execution of 'foreign' code in
52637+ a program.
52638+
52639+ This will also break programs that rely on the old behaviour and
52640+ expect that dynamically allocated memory via the malloc() family
52641+ of functions is executable (which it is not). Notable examples
52642+ are the XFree86 4.x server, the java runtime and wine.
52643+
52644+config PAX_PAGEEXEC
52645+ bool "Paging based non-executable pages"
52646+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
ae4e228f
MT
52647+ select S390_SWITCH_AMODE if S390
52648+ select S390_EXEC_PROTECT if S390
58c5fc13
MT
52649+ help
52650+ This implementation is based on the paging feature of the CPU.
52651+ On i386 without hardware non-executable bit support there is a
52652+ variable but usually low performance impact, however on Intel's
52653+ P4 core based CPUs it is very high so you should not enable this
52654+ for kernels meant to be used on such CPUs.
52655+
52656+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
52657+ with hardware non-executable bit support there is no performance
52658+ impact, on ppc the impact is negligible.
52659+
52660+ Note that several architectures require various emulations due to
52661+ badly designed userland ABIs, this will cause a performance impact
52662+ but will disappear as soon as userland is fixed. For example, ppc
52663+ userland MUST have been built with secure-plt by a recent toolchain.
52664+
52665+config PAX_SEGMEXEC
52666+ bool "Segmentation based non-executable pages"
52667+ depends on PAX_NOEXEC && X86_32
52668+ help
52669+ This implementation is based on the segmentation feature of the
52670+ CPU and has a very small performance impact, however applications
52671+ will be limited to a 1.5 GB address space instead of the normal
52672+ 3 GB.
52673+
52674+config PAX_EMUTRAMP
52675+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
52676+ default y if PARISC
52677+ help
52678+ There are some programs and libraries that for one reason or
52679+ another attempt to execute special small code snippets from
52680+ non-executable memory pages. Most notable examples are the
52681+ signal handler return code generated by the kernel itself and
52682+ the GCC trampolines.
52683+
52684+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
52685+ such programs will no longer work under your kernel.
52686+
52687+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
52688+ utilities to enable trampoline emulation for the affected programs
52689+ yet still have the protection provided by the non-executable pages.
52690+
52691+ On parisc you MUST enable this option and EMUSIGRT as well, otherwise
52692+ your system will not even boot.
52693+
52694+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
52695+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
52696+ for the affected files.
52697+
52698+ NOTE: enabling this feature *may* open up a loophole in the
52699+ protection provided by non-executable pages that an attacker
52700+ could abuse. Therefore the best solution is to not have any
52701+ files on your system that would require this option. This can
52702+ be achieved by not using libc5 (which relies on the kernel
52703+ signal handler return code) and not using or rewriting programs
52704+ that make use of the nested function implementation of GCC.
52705+ Skilled users can just fix GCC itself so that it implements
52706+ nested function calls in a way that does not interfere with PaX.
52707+
52708+config PAX_EMUSIGRT
52709+ bool "Automatically emulate sigreturn trampolines"
52710+ depends on PAX_EMUTRAMP && PARISC
52711+ default y
52712+ help
52713+ Enabling this option will have the kernel automatically detect
52714+ and emulate signal return trampolines executing on the stack
52715+ that would otherwise lead to task termination.
52716+
52717+ This solution is intended as a temporary one for users with
52718+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
52719+ Modula-3 runtime, etc) or executables linked to such, basically
52720+ everything that does not specify its own SA_RESTORER function in
52721+ normal executable memory like glibc 2.1+ does.
52722+
52723+ On parisc you MUST enable this option, otherwise your system will
52724+ not even boot.
52725+
52726+ NOTE: this feature cannot be disabled on a per executable basis
52727+ and since it *does* open up a loophole in the protection provided
52728+ by non-executable pages, the best solution is to not have any
52729+ files on your system that would require this option.
52730+
52731+config PAX_MPROTECT
52732+ bool "Restrict mprotect()"
52733+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
52734+ help
52735+ Enabling this option will prevent programs from
52736+ - changing the executable status of memory pages that were
52737+ not originally created as executable,
52738+ - making read-only executable pages writable again,
52739+ - creating executable pages from anonymous memory.
52740+
52741+ You should say Y here to complete the protection provided by
52742+ the enforcement of non-executable pages.
52743+
52744+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52745+ this feature on a per file basis.
52746+
52747+config PAX_NOELFRELOCS
52748+ bool "Disallow ELF text relocations"
52749+ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || PPC || X86)
52750+ help
52751+ Non-executable pages and mprotect() restrictions are effective
52752+ in preventing the introduction of new executable code into an
52753+ attacked task's address space. There remain only two venues
52754+ for this kind of attack: if the attacker can execute already
52755+ existing code in the attacked task then he can either have it
52756+ create and mmap() a file containing his code or have it mmap()
52757+ an already existing ELF library that does not have position
52758+ independent code in it and use mprotect() on it to make it
52759+ writable and copy his code there. While protecting against
52760+ the former approach is beyond PaX, the latter can be prevented
52761+ by having only PIC ELF libraries on one's system (which do not
52762+ need to relocate their code). If you are sure this is your case,
52763+ then enable this option otherwise be careful as you may not even
52764+ be able to boot or log on your system (for example, some PAM
52765+ modules are erroneously compiled as non-PIC by default).
52766+
52767+ NOTE: if you are using dynamic ELF executables (as suggested
52768+ when using ASLR) then you must have made sure that you linked
52769+ your files using the PIC version of crt1 (the et_dyn.tar.gz package
52770+ referenced there has already been updated to support this).
52771+
52772+config PAX_ETEXECRELOCS
52773+ bool "Allow ELF ET_EXEC text relocations"
52774+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
52775+ default y
52776+ help
52777+ On some architectures there are incorrectly created applications
52778+ that require text relocations and would not work without enabling
52779+ this option. If you are an alpha, ia64 or parisc user, you should
52780+ enable this option and disable it once you have made sure that
52781+ none of your applications need it.
52782+
52783+config PAX_EMUPLT
52784+ bool "Automatically emulate ELF PLT"
ae4e228f 52785+ depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
58c5fc13
MT
52786+ default y
52787+ help
52788+ Enabling this option will have the kernel automatically detect
52789+ and emulate the Procedure Linkage Table entries in ELF files.
52790+ On some architectures such entries are in writable memory, and
52791+ become non-executable leading to task termination. Therefore
52792+ it is mandatory that you enable this option on alpha, parisc,
52793+ sparc and sparc64, otherwise your system would not even boot.
52794+
52795+ NOTE: this feature *does* open up a loophole in the protection
52796+ provided by the non-executable pages, therefore the proper
52797+ solution is to modify the toolchain to produce a PLT that does
52798+ not need to be writable.
52799+
52800+config PAX_DLRESOLVE
52801+ bool 'Emulate old glibc resolver stub'
ae4e228f 52802+ depends on PAX_EMUPLT && SPARC
58c5fc13
MT
52803+ default n
52804+ help
52805+ This option is needed if userland has an old glibc (before 2.4)
52806+ that puts a 'save' instruction into the runtime generated resolver
52807+ stub that needs special emulation.
52808+
52809+config PAX_KERNEXEC
52810+ bool "Enforce non-executable kernel pages"
ae4e228f 52811+ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
58c5fc13
MT
52812+ help
52813+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
52814+ that is, enabling this option will make it harder to inject
52815+ and execute 'foreign' code in kernel memory itself.
52816+
ae4e228f
MT
52817+config PAX_KERNEXEC_MODULE_TEXT
52818+ int "Minimum amount of memory reserved for module code"
52819+ default "4"
52820+ depends on PAX_KERNEXEC && X86_32 && MODULES
52821+ help
52822+ Due to implementation details the kernel must reserve a fixed
52823+ amount of memory for module code at compile time that cannot be
52824+ changed at runtime. Here you can specify the minimum amount
52825+ in MB that will be reserved. Due to the same implementation
52826+ details this size will always be rounded up to the next 2/4 MB
52827+ boundary (depends on PAE) so the actually available memory for
52828+ module code will usually be more than this minimum.
52829+
52830+ The default 4 MB should be enough for most users but if you have
52831+ an excessive number of modules (e.g., most distribution configs
52832+ compile many drivers as modules) or use huge modules such as
52833+ nvidia's kernel driver, you will need to adjust this amount.
52834+ A good rule of thumb is to look at your currently loaded kernel
52835+ modules and add up their sizes.
52836+
58c5fc13
MT
52837+endmenu
52838+
52839+menu "Address Space Layout Randomization"
52840+ depends on PAX
52841+
52842+config PAX_ASLR
52843+ bool "Address Space Layout Randomization"
52844+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
52845+ help
52846+ Many if not most exploit techniques rely on the knowledge of
52847+ certain addresses in the attacked program. The following options
52848+ will allow the kernel to apply a certain amount of randomization
52849+ to specific parts of the program thereby forcing an attacker to
52850+ guess them in most cases. Any failed guess will most likely crash
52851+ the attacked program which allows the kernel to detect such attempts
52852+ and react on them. PaX itself provides no reaction mechanisms,
52853+ instead it is strongly encouraged that you make use of Nergal's
52854+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
52855+ (http://www.grsecurity.net/) built-in crash detection features or
52856+ develop one yourself.
52857+
52858+ By saying Y here you can choose to randomize the following areas:
52859+ - top of the task's kernel stack
52860+ - top of the task's userland stack
52861+ - base address for mmap() requests that do not specify one
52862+ (this includes all libraries)
52863+ - base address of the main executable
52864+
52865+ It is strongly recommended to say Y here as address space layout
52866+ randomization has negligible impact on performance yet it provides
52867+ a very effective protection.
52868+
52869+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
52870+ this feature on a per file basis.
52871+
52872+config PAX_RANDKSTACK
52873+ bool "Randomize kernel stack base"
52874+ depends on PAX_ASLR && X86_TSC && X86_32
52875+ help
52876+ By saying Y here the kernel will randomize every task's kernel
52877+ stack on every system call. This will not only force an attacker
52878+ to guess it but also prevent him from making use of possible
52879+ leaked information about it.
52880+
52881+ Since the kernel stack is a rather scarce resource, randomization
52882+ may cause unexpected stack overflows, therefore you should very
52883+ carefully test your system. Note that once enabled in the kernel
52884+ configuration, this feature cannot be disabled on a per file basis.
52885+
52886+config PAX_RANDUSTACK
52887+ bool "Randomize user stack base"
52888+ depends on PAX_ASLR
52889+ help
52890+ By saying Y here the kernel will randomize every task's userland
52891+ stack. The randomization is done in two steps where the second
52892+ one may apply a big amount of shift to the top of the stack and
52893+ cause problems for programs that want to use lots of memory (more
52894+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
52895+ For this reason the second step can be controlled by 'chpax' or
52896+ 'paxctl' on a per file basis.
52897+
52898+config PAX_RANDMMAP
52899+ bool "Randomize mmap() base"
52900+ depends on PAX_ASLR
52901+ help
52902+ By saying Y here the kernel will use a randomized base address for
52903+ mmap() requests that do not specify one themselves. As a result
52904+ all dynamically loaded libraries will appear at random addresses
52905+ and therefore be harder to exploit by a technique where an attacker
52906+ attempts to execute library code for his purposes (e.g. spawn a
52907+ shell from an exploited program that is running at an elevated
52908+ privilege level).
52909+
52910+ Furthermore, if a program is relinked as a dynamic ELF file, its
52911+ base address will be randomized as well, completing the full
52912+ randomization of the address space layout. Attacking such programs
52913+ becomes a guess game. You can find an example of doing this at
52914+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
52915+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
52916+
52917+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
52918+ feature on a per file basis.
52919+
52920+endmenu
52921+
52922+menu "Miscellaneous hardening features"
52923+
52924+config PAX_MEMORY_SANITIZE
52925+ bool "Sanitize all freed memory"
52926+ help
52927+ By saying Y here the kernel will erase memory pages as soon as they
52928+ are freed. This in turn reduces the lifetime of data stored in the
52929+ pages, making it less likely that sensitive information such as
52930+ passwords, cryptographic secrets, etc stay in memory for too long.
52931+
52932+ This is especially useful for programs whose runtime is short, long
52933+ lived processes and the kernel itself benefit from this as long as
52934+ they operate on whole memory pages and ensure timely freeing of pages
52935+ that may hold sensitive information.
52936+
52937+ The tradeoff is performance impact, on a single CPU system kernel
52938+ compilation sees a 3% slowdown, other systems and workloads may vary
52939+ and you are advised to test this feature on your expected workload
52940+ before deploying it.
52941+
52942+ Note that this feature does not protect data stored in live pages,
52943+ e.g., process memory swapped to disk may stay there for a long time.
52944+
52945+config PAX_MEMORY_UDEREF
52946+ bool "Prevent invalid userland pointer dereference"
ae4e228f 52947+ depends on X86_32 && !UML_X86 && !XEN
58c5fc13
MT
52948+ help
52949+ By saying Y here the kernel will be prevented from dereferencing
52950+ userland pointers in contexts where the kernel expects only kernel
52951+ pointers. This is both a useful runtime debugging feature and a
52952+ security measure that prevents exploiting a class of kernel bugs.
52953+
52954+ The tradeoff is that some virtualization solutions may experience
52955+ a huge slowdown and therefore you should not enable this feature
52956+ for kernels meant to run in such environments. Whether a given VM
52957+ solution is affected or not is best determined by simply trying it
52958+ out, the performance impact will be obvious right on boot as this
52959+ mechanism engages from very early on. A good rule of thumb is that
52960+ VMs running on CPUs without hardware virtualization support (i.e.,
52961+ the majority of IA-32 CPUs) will likely experience the slowdown.
52962+
52963+config PAX_REFCOUNT
52964+ bool "Prevent various kernel object reference counter overflows"
52965+ depends on GRKERNSEC && (X86 || SPARC64)
52966+ help
52967+ By saying Y here the kernel will detect and prevent overflowing
52968+ various (but not all) kinds of object reference counters. Such
52969+ overflows can normally occur due to bugs only and are often, if
52970+ not always, exploitable.
52971+
52972+ The tradeoff is that data structures protected by an overflowed
52973+ refcount will never be freed and therefore will leak memory. Note
52974+ that this leak also happens even without this protection but in
52975+ that case the overflow can eventually trigger the freeing of the
52976+ data structure while it is still being used elsewhere, resulting
52977+ in the exploitable situation that this feature prevents.
52978+
52979+ Since this has a negligible performance impact, you should enable
52980+ this feature.
52981+
52982+config PAX_USERCOPY
52983+ bool "Bounds check heap object copies between kernel and userland"
ae4e228f 52984+ depends on X86 || PPC || SPARC
58c5fc13
MT
52985+ depends on GRKERNSEC && (SLAB || SLUB || SLOB)
52986+ help
52987+ By saying Y here the kernel will enforce the size of heap objects
52988+ when they are copied in either direction between the kernel and
52989+ userland, even if only a part of the heap object is copied.
52990+
52991+ Specifically, this checking prevents information leaking from the
52992+ kernel heap during kernel to userland copies (if the kernel heap
52993+ object is otherwise fully initialized) and prevents kernel heap
52994+ overflows during userland to kernel copies.
52995+
52996+ Note that the current implementation provides the strictest checks
52997+ for the SLUB allocator.
52998+
52999+ Since this has a negligible performance impact, you should enable
53000+ this feature.
53001+endmenu
53002+
53003+endmenu
53004+
53005 config KEYS
53006 bool "Enable access key retention support"
53007 help
ae4e228f
MT
53008@@ -124,7 +606,7 @@ config INTEL_TXT
53009 config LSM_MMAP_MIN_ADDR
53010 int "Low address space for LSM to protect from user allocation"
53011 depends on SECURITY && SECURITY_SELINUX
53012- default 65536
53013+ default 32768
53014 help
53015 This is the portion of low virtual memory which should be protected
53016 from userspace allocation. Keeping a user from writing to low pages
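Review bot: The new `default 32768` halves the low-address range that is kept away from userspace allocations, and nothing in the hunk says why the smaller value was chosen. Since this range is a mitigation against kernel NULL-pointer dereference bugs, a reduced default should carry its rationale, for example a line `# lowered from 65536: <reason>` above the `default`. The help text continues past the end of the hunk; if it still recommends the old value, it should be updated to match.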
53017diff -urNp linux-2.6.33.1/security/min_addr.c linux-2.6.33.1/security/min_addr.c
53018--- linux-2.6.33.1/security/min_addr.c 2010-03-15 12:09:39.000000000 -0400
53019+++ linux-2.6.33.1/security/min_addr.c 2010-03-20 16:58:42.348544513 -0400
58c5fc13
MT
53020@@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
53021 */
53022 static void update_mmap_min_addr(void)
53023 {
53024+#ifndef SPARC
53025 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
53026 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
53027 mmap_min_addr = dac_mmap_min_addr;
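Review bot: `#ifndef SPARC` tests a macro that nothing visible here defines. Kconfig symbols reach C code with a `CONFIG_` prefix and the compiler's own architecture macro is `__sparc__`, so as written the guard is probably always true and the intended exclusion never takes effect. If the exclusion is wanted, the guard should be `#ifndef CONFIG_SPARC`, with the closing line in the following hunk written as `#endif /* !CONFIG_SPARC */`. With the guard active, update_mmap_min_addr() has an empty body on that architecture and mmap_min_addr is never updated from dac_mmap_min_addr; a comment saying that this is intended would help the next reader. The function body spans this hunk and the next.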
53028@@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
53029 #else
53030 mmap_min_addr = dac_mmap_min_addr;
53031 #endif
53032+#endif
53033 }
53034
53035 /*
ae4e228f
MT
53036diff -urNp linux-2.6.33.1/sound/aoa/codecs/onyx.c linux-2.6.33.1/sound/aoa/codecs/onyx.c
53037--- linux-2.6.33.1/sound/aoa/codecs/onyx.c 2010-03-15 12:09:39.000000000 -0400
53038+++ linux-2.6.33.1/sound/aoa/codecs/onyx.c 2010-03-20 16:58:42.365465627 -0400
58c5fc13
MT
53039@@ -53,7 +53,7 @@ struct onyx {
53040 spdif_locked:1,
53041 analog_locked:1,
53042 original_mute:2;
53043- int open_count;
53044+ atomic_t open_count;
53045 struct codec_info *codec_info;
53046
53047 /* mutex serializes concurrent access to the device
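Review bot: Nothing on the `atomic_t open_count;` line explains why the counter becomes atomic, although the accesses changed in onyx_open and onyx_close (the next two hunks) still run under `onyx->mutex`. If the aim is to bring the counter under the reference-counter overflow checking that this patch set adds (an inference; the hunk does not say), a field comment such as `/* atomic_t for overflow checking; still updated under mutex */` would keep a later cleanup from reverting the type. The struct definition starts and ends outside the hunk.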
53048@@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
53049 struct onyx *onyx = cii->codec_data;
53050
53051 mutex_lock(&onyx->mutex);
53052- onyx->open_count++;
53053+ atomic_inc(&onyx->open_count);
53054 mutex_unlock(&onyx->mutex);
53055
53056 return 0;
53057@@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
53058 struct onyx *onyx = cii->codec_data;
53059
53060 mutex_lock(&onyx->mutex);
53061- onyx->open_count--;
53062- if (!onyx->open_count)
53063+ if (atomic_dec_and_test(&onyx->open_count))
53064 onyx->spdif_locked = onyx->analog_locked = 0;
53065 mutex_unlock(&onyx->mutex);
53066
ae4e228f
MT
53067diff -urNp linux-2.6.33.1/sound/core/oss/pcm_oss.c linux-2.6.33.1/sound/core/oss/pcm_oss.c
53068--- linux-2.6.33.1/sound/core/oss/pcm_oss.c 2010-03-15 12:09:39.000000000 -0400
53069+++ linux-2.6.33.1/sound/core/oss/pcm_oss.c 2010-03-20 16:58:42.372956563 -0400
53070@@ -2949,8 +2949,8 @@ static void snd_pcm_oss_proc_done(struct
58c5fc13
MT
53071 }
53072 }
53073 #else /* !CONFIG_SND_VERBOSE_PROCFS */
53074-#define snd_pcm_oss_proc_init(pcm)
53075-#define snd_pcm_oss_proc_done(pcm)
53076+#define snd_pcm_oss_proc_init(pcm) do {} while (0)
53077+#define snd_pcm_oss_proc_done(pcm) do {} while (0)
53078 #endif /* CONFIG_SND_VERBOSE_PROCFS */
53079
53080 /*
ae4e228f
MT
53081diff -urNp linux-2.6.33.1/sound/core/seq/seq_lock.h linux-2.6.33.1/sound/core/seq/seq_lock.h
53082--- linux-2.6.33.1/sound/core/seq/seq_lock.h 2010-03-15 12:09:39.000000000 -0400
53083+++ linux-2.6.33.1/sound/core/seq/seq_lock.h 2010-03-20 16:58:42.376941145 -0400
58c5fc13
MT
53084@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
53085 #else /* SMP || CONFIG_SND_DEBUG */
53086
53087 typedef spinlock_t snd_use_lock_t; /* dummy */
53088-#define snd_use_lock_init(lockp) /**/
53089-#define snd_use_lock_use(lockp) /**/
53090-#define snd_use_lock_free(lockp) /**/
53091-#define snd_use_lock_sync(lockp) /**/
53092+#define snd_use_lock_init(lockp) do {} while (0)
53093+#define snd_use_lock_use(lockp) do {} while (0)
53094+#define snd_use_lock_free(lockp) do {} while (0)
53095+#define snd_use_lock_sync(lockp) do {} while (0)
53096
53097 #endif /* SMP || CONFIG_SND_DEBUG */
53098
ae4e228f
MT
53099diff -urNp linux-2.6.33.1/sound/drivers/mts64.c linux-2.6.33.1/sound/drivers/mts64.c
53100--- linux-2.6.33.1/sound/drivers/mts64.c 2010-03-15 12:09:39.000000000 -0400
53101+++ linux-2.6.33.1/sound/drivers/mts64.c 2010-03-20 16:58:42.380965540 -0400
58c5fc13
MT
53102@@ -65,7 +65,7 @@ struct mts64 {
53103 struct pardevice *pardev;
53104 int pardev_claimed;
53105
53106- int open_count;
53107+ atomic_t open_count;
53108 int current_midi_output_port;
53109 int current_midi_input_port;
53110 u8 mode[MTS64_NUM_INPUT_PORTS];
53111@@ -695,7 +695,7 @@ static int snd_mts64_rawmidi_open(struct
53112 {
53113 struct mts64 *mts = substream->rmidi->private_data;
53114
53115- if (mts->open_count == 0) {
53116+ if (atomic_read(&mts->open_count) == 0) {
53117 /* We don't need a spinlock here, because this is just called
53118 if the device has not been opened before.
53119 So there aren't any IRQs from the device */
53120@@ -703,7 +703,7 @@ static int snd_mts64_rawmidi_open(struct
53121
53122 msleep(50);
53123 }
53124- ++(mts->open_count);
53125+ atomic_inc(&mts->open_count);
53126
53127 return 0;
53128 }
53129@@ -713,8 +713,7 @@ static int snd_mts64_rawmidi_close(struc
53130 struct mts64 *mts = substream->rmidi->private_data;
53131 unsigned long flags;
53132
53133- --(mts->open_count);
53134- if (mts->open_count == 0) {
53135+ if (atomic_dec_return(&mts->open_count) == 0) {
53136 /* We need the spinlock_irqsave here because we can still
53137 have IRQs at this point */
53138 spin_lock_irqsave(&mts->lock, flags);
53139@@ -723,8 +722,8 @@ static int snd_mts64_rawmidi_close(struc
53140
53141 msleep(500);
53142
53143- } else if (mts->open_count < 0)
53144- mts->open_count = 0;
53145+ } else if (atomic_read(&mts->open_count) < 0)
53146+ atomic_set(&mts->open_count, 0);
53147
53148 return 0;
53149 }
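Review bot: The underflow clamp in `else if (atomic_read(&mts->open_count) < 0)` reads the counter a second time instead of using the value that `atomic_dec_return()` produced in the previous hunk. If close can run concurrently (not determinable from these hunks), the test and the `atomic_set()` may act on a value that has changed in between. Keeping the result in a local, `int n = atomic_dec_return(&mts->open_count);` followed by `if (n == 0) {` and `} else if (n < 0)`, makes both branches decide on one consistent value. The same read-then-update shape is in snd_mts64_rawmidi_open (`atomic_read(...) == 0` followed later by `atomic_inc`), where the existing comment relies on the device not having been opened before. Both functions begin outside their hunks.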
ae4e228f
MT
53150diff -urNp linux-2.6.33.1/sound/drivers/portman2x4.c linux-2.6.33.1/sound/drivers/portman2x4.c
53151--- linux-2.6.33.1/sound/drivers/portman2x4.c 2010-03-15 12:09:39.000000000 -0400
53152+++ linux-2.6.33.1/sound/drivers/portman2x4.c 2010-03-20 16:58:42.396942474 -0400
58c5fc13
MT
53153@@ -83,7 +83,7 @@ struct portman {
53154 struct pardevice *pardev;
53155 int pardev_claimed;
53156
53157- int open_count;
53158+ atomic_t open_count;
53159 int mode[PORTMAN_NUM_INPUT_PORTS];
53160 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
53161 };
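Review bot: `open_count` changes type here, but this file section has no hunk that touches a user of the field. If the driver reads or writes it anywhere, those sites need `atomic_read()`/`atomic_inc()`-style accessors to keep compiling. If it is unused, which the absence of other hunks suggests, removing the field would be cleaner than retyping it. The struct starts outside the hunk.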
ae4e228f
MT
53162diff -urNp linux-2.6.33.1/sound/oss/sb_audio.c linux-2.6.33.1/sound/oss/sb_audio.c
53163--- linux-2.6.33.1/sound/oss/sb_audio.c 2010-03-15 12:09:39.000000000 -0400
53164+++ linux-2.6.33.1/sound/oss/sb_audio.c 2010-03-20 16:58:42.404957454 -0400
53165@@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
53166 buf16 = (signed short *)(localbuf + localoffs);
53167 while (c)
53168 {
53169- locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
53170+ locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
53171 if (copy_from_user(lbuf8,
53172 userbuf+useroffs + p,
53173 locallen))
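Review bot: The `(unsigned)c` cast is what stops a negative `c` from being selected as `locallen` and reaching `copy_from_user()` as the length, but the line has no comment saying so, and a later cleanup could drop the cast as redundant. A comment such as `/* unsigned compare: a negative c must not bypass the LBUFCOPYSIZE bound */` above the assignment would record the intent. The cast bounds each pass only. Whether `c` can be negative on entry, and how the `while (c)` loop then terminates, depends on code outside the hunk, so an explicit range check on `c` before the loop is worth considering.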
53174diff -urNp linux-2.6.33.1/sound/pci/ac97/ac97_codec.c linux-2.6.33.1/sound/pci/ac97/ac97_codec.c
53175--- linux-2.6.33.1/sound/pci/ac97/ac97_codec.c 2010-03-15 12:09:39.000000000 -0400
53176+++ linux-2.6.33.1/sound/pci/ac97/ac97_codec.c 2010-03-20 16:58:42.416962707 -0400
53177@@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
53178 }
53179
53180 /* build_ops to do nothing */
53181-static struct snd_ac97_build_ops null_build_ops;
53182+static const struct snd_ac97_build_ops null_build_ops;
53183
53184 #ifdef CONFIG_SND_AC97_POWER_SAVE
53185 static void do_update_power(struct work_struct *work)
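Review bot: Making `null_build_ops` const, like the ops tables in ac97_patch.c in the hunks that follow, only compiles cleanly if the pointer these tables are assigned to is declared `const struct snd_ac97_build_ops *`. That pointer is presumably the `build_ops` member of `struct snd_ac97`; the header change is not among the visible hunks and should be confirmed as part of the same patch. A short comment on the declaration, e.g. `/* const: ops tables hold function pointers and should be read-only */`, would record why the qualifier was added.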
53186diff -urNp linux-2.6.33.1/sound/pci/ac97/ac97_patch.c linux-2.6.33.1/sound/pci/ac97/ac97_patch.c
53187--- linux-2.6.33.1/sound/pci/ac97/ac97_patch.c 2010-03-15 12:09:39.000000000 -0400
53188+++ linux-2.6.33.1/sound/pci/ac97/ac97_patch.c 2010-03-20 16:58:42.440672764 -0400
53189@@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
53190 return 0;
53191 }
53192
53193-static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
53194+static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
53195 .build_spdif = patch_yamaha_ymf743_build_spdif,
53196 .build_3d = patch_yamaha_ymf7x3_3d,
53197 };
53198@@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
53199 return 0;
53200 }
53201
53202-static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
53203+static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
53204 .build_3d = patch_yamaha_ymf7x3_3d,
53205 .build_post_spdif = patch_yamaha_ymf753_post_spdif
53206 };
53207@@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
53208 return 0;
53209 }
53210
53211-static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53212+static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
53213 .build_specific = patch_wolfson_wm9703_specific,
53214 };
53215
53216@@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
53217 return 0;
53218 }
53219
53220-static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53221+static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
53222 .build_specific = patch_wolfson_wm9704_specific,
53223 };
53224
53225@@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
53226 return 0;
53227 }
53228
53229-static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53230+static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
53231 .build_specific = patch_wolfson_wm9705_specific,
53232 };
53233
53234@@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
53235 return 0;
53236 }
53237
53238-static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53239+static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
53240 .build_specific = patch_wolfson_wm9711_specific,
53241 };
53242
53243@@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
53244 }
53245 #endif
53246
53247-static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53248+static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
53249 .build_specific = patch_wolfson_wm9713_specific,
53250 .build_3d = patch_wolfson_wm9713_3d,
53251 #ifdef CONFIG_PM
53252@@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
53253 return 0;
53254 }
53255
53256-static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53257+static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
53258 .build_3d = patch_sigmatel_stac9700_3d,
53259 .build_specific = patch_sigmatel_stac97xx_specific
53260 };
53261@@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
53262 return patch_sigmatel_stac97xx_specific(ac97);
53263 }
53264
53265-static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53266+static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
53267 .build_3d = patch_sigmatel_stac9708_3d,
53268 .build_specific = patch_sigmatel_stac9708_specific
53269 };
53270@@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
53271 return 0;
53272 }
53273
53274-static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53275+static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
53276 .build_3d = patch_sigmatel_stac9700_3d,
53277 .build_specific = patch_sigmatel_stac9758_specific
53278 };
53279@@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
53280 return 0;
53281 }
53282
53283-static struct snd_ac97_build_ops patch_cirrus_ops = {
53284+static const struct snd_ac97_build_ops patch_cirrus_ops = {
53285 .build_spdif = patch_cirrus_build_spdif
53286 };
53287
53288@@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
53289 return 0;
53290 }
53291
53292-static struct snd_ac97_build_ops patch_conexant_ops = {
53293+static const struct snd_ac97_build_ops patch_conexant_ops = {
53294 .build_spdif = patch_conexant_build_spdif
53295 };
53296
58c5fc13
MT
53297@@ -1501,7 +1501,7 @@ static const struct snd_ac97_res_table a
53298 { AC97_VIDEO, 0x9f1f },
53299 { AC97_AUX, 0x9f1f },
53300 { AC97_PCM, 0x9f1f },
53301- { } /* terminator */
53302+ { 0, 0 } /* terminator */
53303 };
53304
53305 static int patch_ad1819(struct snd_ac97 * ac97)
ae4e228f
MT
53306@@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
53307 }
53308 }
53309
53310-static struct snd_ac97_build_ops patch_ad1881_build_ops = {
53311+static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
53312 #ifdef CONFIG_PM
53313 .resume = ad18xx_resume
53314 #endif
53315@@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
53316 return 0;
53317 }
53318
53319-static struct snd_ac97_build_ops patch_ad1885_build_ops = {
53320+static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
53321 .build_specific = &patch_ad1885_specific,
53322 #ifdef CONFIG_PM
53323 .resume = ad18xx_resume
53324@@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
53325 return 0;
53326 }
53327
53328-static struct snd_ac97_build_ops patch_ad1886_build_ops = {
53329+static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
53330 .build_specific = &patch_ad1886_specific,
53331 #ifdef CONFIG_PM
53332 .resume = ad18xx_resume
53333@@ -1894,7 +1894,7 @@ static int patch_ad1981a_specific(struct
53334 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53335 }
53336
53337-static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53338+static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
53339 .build_post_spdif = patch_ad198x_post_spdif,
53340 .build_specific = patch_ad1981a_specific,
53341 #ifdef CONFIG_PM
53342@@ -1949,7 +1949,7 @@ static int patch_ad1981b_specific(struct
53343 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
53344 }
53345
53346-static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53347+static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
53348 .build_post_spdif = patch_ad198x_post_spdif,
53349 .build_specific = patch_ad1981b_specific,
53350 #ifdef CONFIG_PM
53351@@ -2088,7 +2088,7 @@ static int patch_ad1888_specific(struct
53352 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
53353 }
53354
53355-static struct snd_ac97_build_ops patch_ad1888_build_ops = {
53356+static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
53357 .build_post_spdif = patch_ad198x_post_spdif,
53358 .build_specific = patch_ad1888_specific,
53359 #ifdef CONFIG_PM
53360@@ -2137,7 +2137,7 @@ static int patch_ad1980_specific(struct
53361 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
53362 }
53363
53364-static struct snd_ac97_build_ops patch_ad1980_build_ops = {
53365+static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
53366 .build_post_spdif = patch_ad198x_post_spdif,
53367 .build_specific = patch_ad1980_specific,
53368 #ifdef CONFIG_PM
53369@@ -2252,7 +2252,7 @@ static int patch_ad1985_specific(struct
53370 ARRAY_SIZE(snd_ac97_ad1985_controls));
53371 }
53372
53373-static struct snd_ac97_build_ops patch_ad1985_build_ops = {
53374+static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
53375 .build_post_spdif = patch_ad198x_post_spdif,
53376 .build_specific = patch_ad1985_specific,
53377 #ifdef CONFIG_PM
53378@@ -2544,7 +2544,7 @@ static int patch_ad1986_specific(struct
53379 ARRAY_SIZE(snd_ac97_ad1985_controls));
53380 }
53381
53382-static struct snd_ac97_build_ops patch_ad1986_build_ops = {
53383+static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
53384 .build_post_spdif = patch_ad198x_post_spdif,
53385 .build_specific = patch_ad1986_specific,
53386 #ifdef CONFIG_PM
53387@@ -2649,7 +2649,7 @@ static int patch_alc650_specific(struct
53388 return 0;
53389 }
53390
53391-static struct snd_ac97_build_ops patch_alc650_ops = {
53392+static const struct snd_ac97_build_ops patch_alc650_ops = {
53393 .build_specific = patch_alc650_specific,
53394 .update_jacks = alc650_update_jacks
53395 };
53396@@ -2801,7 +2801,7 @@ static int patch_alc655_specific(struct
53397 return 0;
53398 }
53399
53400-static struct snd_ac97_build_ops patch_alc655_ops = {
53401+static const struct snd_ac97_build_ops patch_alc655_ops = {
53402 .build_specific = patch_alc655_specific,
53403 .update_jacks = alc655_update_jacks
53404 };
53405@@ -2913,7 +2913,7 @@ static int patch_alc850_specific(struct
53406 return 0;
53407 }
53408
53409-static struct snd_ac97_build_ops patch_alc850_ops = {
53410+static const struct snd_ac97_build_ops patch_alc850_ops = {
53411 .build_specific = patch_alc850_specific,
53412 .update_jacks = alc850_update_jacks
53413 };
53414@@ -2975,7 +2975,7 @@ static int patch_cm9738_specific(struct
53415 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
53416 }
53417
53418-static struct snd_ac97_build_ops patch_cm9738_ops = {
53419+static const struct snd_ac97_build_ops patch_cm9738_ops = {
53420 .build_specific = patch_cm9738_specific,
53421 .update_jacks = cm9738_update_jacks
53422 };
53423@@ -3066,7 +3066,7 @@ static int patch_cm9739_post_spdif(struc
53424 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
53425 }
53426
53427-static struct snd_ac97_build_ops patch_cm9739_ops = {
53428+static const struct snd_ac97_build_ops patch_cm9739_ops = {
53429 .build_specific = patch_cm9739_specific,
53430 .build_post_spdif = patch_cm9739_post_spdif,
53431 .update_jacks = cm9739_update_jacks
53432@@ -3240,7 +3240,7 @@ static int patch_cm9761_specific(struct
53433 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
53434 }
53435
53436-static struct snd_ac97_build_ops patch_cm9761_ops = {
53437+static const struct snd_ac97_build_ops patch_cm9761_ops = {
53438 .build_specific = patch_cm9761_specific,
53439 .build_post_spdif = patch_cm9761_post_spdif,
53440 .update_jacks = cm9761_update_jacks
53441@@ -3336,7 +3336,7 @@ static int patch_cm9780_specific(struct
53442 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
53443 }
53444
53445-static struct snd_ac97_build_ops patch_cm9780_ops = {
53446+static const struct snd_ac97_build_ops patch_cm9780_ops = {
53447 .build_specific = patch_cm9780_specific,
53448 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
53449 };
53450@@ -3456,7 +3456,7 @@ static int patch_vt1616_specific(struct
53451 return 0;
53452 }
53453
53454-static struct snd_ac97_build_ops patch_vt1616_ops = {
53455+static const struct snd_ac97_build_ops patch_vt1616_ops = {
53456 .build_specific = patch_vt1616_specific
53457 };
53458
53459@@ -3810,7 +3810,7 @@ static int patch_it2646_specific(struct
53460 return 0;
53461 }
53462
53463-static struct snd_ac97_build_ops patch_it2646_ops = {
53464+static const struct snd_ac97_build_ops patch_it2646_ops = {
53465 .build_specific = patch_it2646_specific,
53466 .update_jacks = it2646_update_jacks
53467 };
53468@@ -3844,7 +3844,7 @@ static int patch_si3036_specific(struct
53469 return 0;
53470 }
53471
53472-static struct snd_ac97_build_ops patch_si3036_ops = {
53473+static const struct snd_ac97_build_ops patch_si3036_ops = {
53474 .build_specific = patch_si3036_specific,
53475 };
53476
53477@@ -3877,7 +3877,7 @@ static struct snd_ac97_res_table lm4550_
53478 { AC97_AUX, 0x1f1f },
53479 { AC97_PCM, 0x1f1f },
53480 { AC97_REC_GAIN, 0x0f0f },
53481- { } /* terminator */
53482+ { 0, 0 } /* terminator */
53483 };
53484
53485 static int patch_lm4550(struct snd_ac97 *ac97)
53486@@ -3911,7 +3911,7 @@ static int patch_ucb1400_specific(struct
53487 return 0;
53488 }
53489
53490-static struct snd_ac97_build_ops patch_ucb1400_ops = {
53491+static const struct snd_ac97_build_ops patch_ucb1400_ops = {
53492 .build_specific = patch_ucb1400_specific,
53493 };
53494
53495diff -urNp linux-2.6.33.1/sound/pci/ens1370.c linux-2.6.33.1/sound/pci/ens1370.c
53496--- linux-2.6.33.1/sound/pci/ens1370.c 2010-03-15 12:09:39.000000000 -0400
53497+++ linux-2.6.33.1/sound/pci/ens1370.c 2010-03-20 16:58:42.452959690 -0400
53498@@ -452,7 +452,7 @@ static struct pci_device_id snd_audiopci
53499 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
53500 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
53501 #endif
53502- { 0, }
53503+ { 0, 0, 0, 0, 0, 0, 0 }
53504 };
53505
53506 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
53507diff -urNp linux-2.6.33.1/sound/pci/intel8x0.c linux-2.6.33.1/sound/pci/intel8x0.c
53508--- linux-2.6.33.1/sound/pci/intel8x0.c 2010-03-15 12:09:39.000000000 -0400
53509+++ linux-2.6.33.1/sound/pci/intel8x0.c 2010-03-20 16:58:42.464956802 -0400
53510@@ -444,7 +444,7 @@ static struct pci_device_id snd_intel8x0
53511 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53512 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
53513 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53514- { 0, }
53515+ { 0, 0, 0, 0, 0, 0, 0 }
53516 };
53517
53518 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
ae4e228f 53519@@ -2129,7 +2129,7 @@ static struct ac97_quirk ac97_quirks[] _
53520 .type = AC97_TUNE_HP_ONLY
53521 },
53522 #endif
53523- { } /* terminator */
53524+ { 0, 0, 0, 0, NULL, 0 } /* terminator */
53525 };
53526
53527 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
53528diff -urNp linux-2.6.33.1/sound/pci/intel8x0m.c linux-2.6.33.1/sound/pci/intel8x0m.c
53529--- linux-2.6.33.1/sound/pci/intel8x0m.c 2010-03-15 12:09:39.000000000 -0400
53530+++ linux-2.6.33.1/sound/pci/intel8x0m.c 2010-03-20 16:58:42.469451186 -0400
53531@@ -239,7 +239,7 @@ static struct pci_device_id snd_intel8x0
53532 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
53533 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
53534 #endif
53535- { 0, }
53536+ { 0, 0, 0, 0, 0, 0, 0 }
53537 };
53538
53539 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
53540@@ -1264,7 +1264,7 @@ static struct shortname_table {
53541 { 0x5455, "ALi M5455" },
53542 { 0x746d, "AMD AMD8111" },
53543 #endif
53544- { 0 },
53545+ { 0, NULL },
53546 };
53547
53548 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
53549diff -urNp linux-2.6.33.1/usr/gen_init_cpio.c linux-2.6.33.1/usr/gen_init_cpio.c
53550--- linux-2.6.33.1/usr/gen_init_cpio.c 2010-03-15 12:09:39.000000000 -0400
53551+++ linux-2.6.33.1/usr/gen_init_cpio.c 2010-03-20 16:58:42.469451186 -0400
53552@@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
53553 int retval;
53554 int rc = -1;
53555 int namesize;
53556- int i;
53557+ unsigned int i;
53558
53559 mode |= S_IFREG;
53560
ae4e228f 53561@@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
53562 *env_var = *expanded = '\0';
53563 strncat(env_var, start + 2, end - start - 2);
53564 strncat(expanded, new_location, start - new_location);
53565- strncat(expanded, getenv(env_var), PATH_MAX);
53566- strncat(expanded, end + 1, PATH_MAX);
53567+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
53568+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
53569 strncpy(new_location, expanded, PATH_MAX);
53570+ new_location[PATH_MAX] = 0;
53571 } else
53572 break;
53573 }
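Review bot: `getenv(env_var)` is still passed straight to `strncat()` in the rewritten line, so a `${NAME}` reference to an unset variable hands strncat a NULL source, which is undefined behaviour; the added length bound does not cover that. Fetch the value first and skip or reject the expansion when it is missing: `const char *val = getenv(env_var);` then `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The new bounds and the added `new_location[PATH_MAX] = 0;` are only in range if `expanded` and the caller's buffer hold PATH_MAX + 1 bytes; those declarations are outside the hunk and should be checked. cpio_replace_env starts and ends outside the hunk.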
53574diff -urNp linux-2.6.33.1/virt/kvm/kvm_main.c linux-2.6.33.1/virt/kvm/kvm_main.c
53575--- linux-2.6.33.1/virt/kvm/kvm_main.c 2010-03-15 12:09:39.000000000 -0400
53576+++ linux-2.6.33.1/virt/kvm/kvm_main.c 2010-03-20 16:58:42.489458390 -0400
53577@@ -1168,6 +1168,7 @@ static int kvm_vcpu_release(struct inode
53578 return 0;
53579 }
53580
53581+/* cannot be const */
53582 static struct file_operations kvm_vcpu_fops = {
53583 .release = kvm_vcpu_release,
53584 .unlocked_ioctl = kvm_vcpu_ioctl,
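Review bot: The added comment `/* cannot be const */` above kvm_vcpu_fops does not say why, so a later constification pass has nothing to check it against and the table of function pointers stays writable without a stated reason. If the reason is that a member is assigned at runtime (presumably `.owner`, set outside this hunk), name it: `/* cannot be const: .owner is assigned at module init */`. The same bare comment is added above kvm_vm_fops and kvm_chardev_ops in the next two hunks. The initializers continue outside the hunks.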
53585@@ -1624,6 +1625,7 @@ static int kvm_vm_mmap(struct file *file
53586 return 0;
53587 }
53588
53589+/* cannot be const */
53590 static struct file_operations kvm_vm_fops = {
53591 .release = kvm_vm_release,
53592 .unlocked_ioctl = kvm_vm_ioctl,
53593@@ -1714,6 +1716,7 @@ out:
53594 return r;
53595 }
53596
53597+/* cannot be const */
53598 static struct file_operations kvm_chardev_ops = {
53599 .unlocked_ioctl = kvm_dev_ioctl,
53600 .compat_ioctl = kvm_dev_ioctl,
53601@@ -1723,6 +1726,9 @@ static struct miscdevice kvm_dev = {
53602 KVM_MINOR,
53603 "kvm",
53604 &kvm_chardev_ops,
53605+ {NULL, NULL},
53606+ NULL,
53607+ NULL
53608 };
53609
53610 static void hardware_enable(void *junk)
ae4e228f 53611@@ -2050,7 +2056,7 @@ static void kvm_sched_out(struct preempt
53612 kvm_arch_vcpu_put(vcpu);
53613 }
53614
53615-int kvm_init(void *opaque, unsigned int vcpu_size,
53616+int kvm_init(const void *opaque, unsigned int vcpu_size,
53617 struct module *module)
53618 {
53619 int r;