]> git.ipfire.org Git - people/ms/ipfire-3.x.git/blame - pkgs/core/kernel/patches/grsecurity-2.2.0-2.6.35.4-201009172030.patch
projects / people / ms / ipfire-3.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ccache: Update to 3.1.1.
[people/ms/ipfire-3.x.git] / pkgs / core / kernel / patches / grsecurity-2.2.0-2.6.35.4-201009172030.patch
CommitLineData
57199397
MT		 1diff -urNp linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h
2--- linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3+++ linux-2.6.35.4/arch/alpha/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 4@@ -3,9 +3,9 @@
5
6 #include <linux/dma-attrs.h>
7
8-extern struct dma_map_ops *dma_ops;
9+extern const struct dma_map_ops *dma_ops;
10
11-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
13 {
14 return dma_ops;
15 }
57199397
MT		 16diff -urNp linux-2.6.35.4/arch/alpha/include/asm/elf.h linux-2.6.35.4/arch/alpha/include/asm/elf.h
17--- linux-2.6.35.4/arch/alpha/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
18+++ linux-2.6.35.4/arch/alpha/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 19@@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
58c5fc13
MT		 20
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
22
23+#ifdef CONFIG_PAX_ASLR
24+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25+
26+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28+#endif
29+
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
57199397
MT		 33diff -urNp linux-2.6.35.4/arch/alpha/include/asm/pgtable.h linux-2.6.35.4/arch/alpha/include/asm/pgtable.h
34--- linux-2.6.35.4/arch/alpha/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
35+++ linux-2.6.35.4/arch/alpha/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 36@@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40+
41+#ifdef CONFIG_PAX_PAGEEXEC
42+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45+#else
46+# define PAGE_SHARED_NOEXEC PAGE_SHARED
47+# define PAGE_COPY_NOEXEC PAGE_COPY
48+# define PAGE_READONLY_NOEXEC PAGE_READONLY
49+#endif
50+
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
57199397
MT		 54diff -urNp linux-2.6.35.4/arch/alpha/kernel/module.c linux-2.6.35.4/arch/alpha/kernel/module.c
55--- linux-2.6.35.4/arch/alpha/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
56+++ linux-2.6.35.4/arch/alpha/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 57@@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
58
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61- gp = (u64)me->module_core + me->core_size - 0x8000;
62+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
64
65 for (i = 0; i < n; i++) {
57199397
MT		 66diff -urNp linux-2.6.35.4/arch/alpha/kernel/osf_sys.c linux-2.6.35.4/arch/alpha/kernel/osf_sys.c
67--- linux-2.6.35.4/arch/alpha/kernel/osf_sys.c 2010-08-26 19:47:12.000000000 -0400
68+++ linux-2.6.35.4/arch/alpha/kernel/osf_sys.c 2010-09-17 20:12:09.000000000 -0400
69@@ -1170,7 +1170,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
72 return -ENOMEM;
73- if (!vma || addr + len <= vma->vm_start)
74+ if (check_heap_stack_gap(vma, addr, len))
75 return addr;
76 addr = vma->vm_end;
77 vma = vma->vm_next;
df50ba0c 78@@ -1206,6 +1206,10 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT		 79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
81
82+#ifdef CONFIG_PAX_RANDMMAP
83+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
84+#endif
85+
86 if (addr) {
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
df50ba0c 89@@ -1213,8 +1217,8 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT		 90 }
91
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
94- len, limit);
95+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
96+
97 if (addr != (unsigned long) -ENOMEM)
98 return addr;
99
57199397
MT		 100diff -urNp linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c
101--- linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c 2010-08-26 19:47:12.000000000 -0400
102+++ linux-2.6.35.4/arch/alpha/kernel/pci_iommu.c 2010-09-17 20:12:09.000000000 -0400
103@@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
104 return 0;
105 }
106
107-struct dma_map_ops alpha_pci_ops = {
108+const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112@@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
114 };
115
116-struct dma_map_ops *dma_ops = &alpha_pci_ops;
117+const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119diff -urNp linux-2.6.35.4/arch/alpha/kernel/pci-noop.c linux-2.6.35.4/arch/alpha/kernel/pci-noop.c
120--- linux-2.6.35.4/arch/alpha/kernel/pci-noop.c 2010-08-26 19:47:12.000000000 -0400
121+++ linux-2.6.35.4/arch/alpha/kernel/pci-noop.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 122@@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
123 return 0;
124 }
125
126-struct dma_map_ops alpha_noop_ops = {
127+const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131@@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
133 };
134
135-struct dma_map_ops *dma_ops = &alpha_noop_ops;
136+const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
138
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
57199397
MT		 140diff -urNp linux-2.6.35.4/arch/alpha/mm/fault.c linux-2.6.35.4/arch/alpha/mm/fault.c
141--- linux-2.6.35.4/arch/alpha/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
142+++ linux-2.6.35.4/arch/alpha/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 143@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
145 }
146
147+#ifdef CONFIG_PAX_PAGEEXEC
148+/*
149+ * PaX: decide what to do with offenders (regs->pc = fault address)
150+ *
151+ * returns 1 when task should be killed
152+ * 2 when patched PLT trampoline was detected
153+ * 3 when unpatched PLT trampoline was detected
154+ */
155+static int pax_handle_fetch_fault(struct pt_regs *regs)
156+{
157+
158+#ifdef CONFIG_PAX_EMUPLT
159+ int err;
160+
161+ do { /* PaX: patched PLT emulation #1 */
162+ unsigned int ldah, ldq, jmp;
163+
164+ err = get_user(ldah, (unsigned int *)regs->pc);
165+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
167+
168+ if (err)
169+ break;
170+
171+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173+ jmp == 0x6BFB0000U)
174+ {
175+ unsigned long r27, addr;
176+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
178+
179+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180+ err = get_user(r27, (unsigned long *)addr);
181+ if (err)
182+ break;
183+
184+ regs->r27 = r27;
185+ regs->pc = r27;
186+ return 2;
187+ }
188+ } while (0);
189+
190+ do { /* PaX: patched PLT emulation #2 */
191+ unsigned int ldah, lda, br;
192+
193+ err = get_user(ldah, (unsigned int *)regs->pc);
194+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
195+ err |= get_user(br, (unsigned int *)(regs->pc+8));
196+
197+ if (err)
198+ break;
199+
200+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
202+ (br & 0xFFE00000U) == 0xC3E00000U)
203+ {
204+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
207+
208+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
210+ return 2;
211+ }
212+ } while (0);
213+
214+ do { /* PaX: unpatched PLT emulation */
215+ unsigned int br;
216+
217+ err = get_user(br, (unsigned int *)regs->pc);
218+
219+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220+ unsigned int br2, ldq, nop, jmp;
221+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
222+
223+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224+ err = get_user(br2, (unsigned int *)addr);
225+ err |= get_user(ldq, (unsigned int *)(addr+4));
226+ err |= get_user(nop, (unsigned int *)(addr+8));
227+ err |= get_user(jmp, (unsigned int *)(addr+12));
228+ err |= get_user(resolver, (unsigned long *)(addr+16));
229+
230+ if (err)
231+ break;
232+
233+ if (br2 == 0xC3600000U &&
234+ ldq == 0xA77B000CU &&
235+ nop == 0x47FF041FU &&
236+ jmp == 0x6B7B0000U)
237+ {
238+ regs->r28 = regs->pc+4;
239+ regs->r27 = addr+16;
240+ regs->pc = resolver;
241+ return 3;
242+ }
243+ }
244+ } while (0);
245+#endif
246+
247+ return 1;
248+}
249+
250+void pax_report_insns(void *pc, void *sp)
251+{
252+ unsigned long i;
253+
254+ printk(KERN_ERR "PAX: bytes at PC: ");
255+ for (i = 0; i < 5; i++) {
256+ unsigned int c;
257+ if (get_user(c, (unsigned int *)pc+i))
258+ printk(KERN_CONT "???????? ");
259+ else
260+ printk(KERN_CONT "%08x ", c);
261+ }
262+ printk("\n");
263+}
264+#endif
265
266 /*
267 * This routine handles page faults. It determines the address,
268@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
269 good_area:
270 si_code = SEGV_ACCERR;
271 if (cause < 0) {
272- if (!(vma->vm_flags & VM_EXEC))
273+ if (!(vma->vm_flags & VM_EXEC)) {
274+
275+#ifdef CONFIG_PAX_PAGEEXEC
276+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
277+ goto bad_area;
278+
279+ up_read(&mm->mmap_sem);
280+ switch (pax_handle_fetch_fault(regs)) {
281+
282+#ifdef CONFIG_PAX_EMUPLT
283+ case 2:
284+ case 3:
285+ return;
286+#endif
287+
288+ }
289+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290+ do_group_exit(SIGKILL);
291+#else
292 goto bad_area;
293+#endif
294+
295+ }
296 } else if (!cause) {
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
57199397
MT		 299diff -urNp linux-2.6.35.4/arch/arm/include/asm/elf.h linux-2.6.35.4/arch/arm/include/asm/elf.h
300--- linux-2.6.35.4/arch/arm/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
301+++ linux-2.6.35.4/arch/arm/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 302@@ -111,7 +111,14 @@ int dump_task_regs(struct task_struct *t
58c5fc13
MT		 303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
305
306-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
308+
309+#ifdef CONFIG_PAX_ASLR
310+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
311+
312+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
314+#endif
315
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
57199397
MT		 318diff -urNp linux-2.6.35.4/arch/arm/include/asm/kmap_types.h linux-2.6.35.4/arch/arm/include/asm/kmap_types.h
319--- linux-2.6.35.4/arch/arm/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
320+++ linux-2.6.35.4/arch/arm/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
321@@ -21,6 +21,7 @@ enum km_type {
df50ba0c 322 KM_L1_CACHE,
58c5fc13 323 KM_L2_CACHE,
57199397 324 KM_KDB,
58c5fc13
MT		 325+ KM_CLEARPAGE,
326 KM_TYPE_NR
327 };
328
57199397
MT		 329diff -urNp linux-2.6.35.4/arch/arm/include/asm/uaccess.h linux-2.6.35.4/arch/arm/include/asm/uaccess.h
330--- linux-2.6.35.4/arch/arm/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
331+++ linux-2.6.35.4/arch/arm/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 332@@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
58c5fc13
MT		 333
334 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
335 {
336+ if ((long)n < 0)
337+ return n;
338+
339 if (access_ok(VERIFY_READ, from, n))
340 n = __copy_from_user(to, from, n);
341 else /* security hole - plug it */
ae4e228f 342@@ -412,6 +415,9 @@ static inline unsigned long __must_check
58c5fc13
MT		 343
344 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
345 {
346+ if ((long)n < 0)
347+ return n;
348+
349 if (access_ok(VERIFY_WRITE, to, n))
350 n = __copy_to_user(to, from, n);
351 return n;
57199397
MT		 352diff -urNp linux-2.6.35.4/arch/arm/kernel/kgdb.c linux-2.6.35.4/arch/arm/kernel/kgdb.c
353--- linux-2.6.35.4/arch/arm/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
354+++ linux-2.6.35.4/arch/arm/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
355@@ -208,7 +208,7 @@ void kgdb_arch_exit(void)
ae4e228f
MT		 356 * and we handle the normal undef case within the do_undefinstr
357 * handler.
358 */
359-struct kgdb_arch arch_kgdb_ops = {
360+const struct kgdb_arch arch_kgdb_ops = {
361 #ifndef __ARMEB__
362 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
363 #else /* ! __ARMEB__ */
57199397
MT		 364diff -urNp linux-2.6.35.4/arch/arm/mach-at91/pm.c linux-2.6.35.4/arch/arm/mach-at91/pm.c
365--- linux-2.6.35.4/arch/arm/mach-at91/pm.c 2010-08-26 19:47:12.000000000 -0400
366+++ linux-2.6.35.4/arch/arm/mach-at91/pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 367@@ -294,7 +294,7 @@ static void at91_pm_end(void)
368 }
369
370
371-static struct platform_suspend_ops at91_pm_ops ={
372+static const struct platform_suspend_ops at91_pm_ops ={
373 .valid = at91_pm_valid_state,
374 .begin = at91_pm_begin,
375 .enter = at91_pm_enter,
57199397
MT		 376diff -urNp linux-2.6.35.4/arch/arm/mach-davinci/pm.c linux-2.6.35.4/arch/arm/mach-davinci/pm.c
377--- linux-2.6.35.4/arch/arm/mach-davinci/pm.c 2010-08-26 19:47:12.000000000 -0400
378+++ linux-2.6.35.4/arch/arm/mach-davinci/pm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 379@@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
380 return ret;
381 }
382
383-static struct platform_suspend_ops davinci_pm_ops = {
384+static const struct platform_suspend_ops davinci_pm_ops = {
385 .enter = davinci_pm_enter,
386 .valid = suspend_valid_only_mem,
387 };
57199397
MT		 388diff -urNp linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c
389--- linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c 2010-08-26 19:47:12.000000000 -0400
390+++ linux-2.6.35.4/arch/arm/mach-msm/last_radio_log.c 2010-09-17 20:12:09.000000000 -0400
391@@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
392 return count;
393 }
394
395+/* cannot be const, see msm_init_last_radio_log */
396 static struct file_operations last_radio_log_fops = {
397 .read = last_radio_log_read
398 };
399diff -urNp linux-2.6.35.4/arch/arm/mach-omap1/pm.c linux-2.6.35.4/arch/arm/mach-omap1/pm.c
400--- linux-2.6.35.4/arch/arm/mach-omap1/pm.c 2010-08-26 19:47:12.000000000 -0400
401+++ linux-2.6.35.4/arch/arm/mach-omap1/pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 402@@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
403
404
405
406-static struct platform_suspend_ops omap_pm_ops ={
407+static const struct platform_suspend_ops omap_pm_ops ={
408 .prepare = omap_pm_prepare,
409 .enter = omap_pm_enter,
410 .finish = omap_pm_finish,
57199397
MT		 411diff -urNp linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c
412--- linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c 2010-08-26 19:47:12.000000000 -0400
413+++ linux-2.6.35.4/arch/arm/mach-omap2/pm24xx.c 2010-09-17 20:12:09.000000000 -0400
414@@ -325,7 +325,7 @@ static void omap2_pm_finish(void)
ae4e228f
MT		 415 enable_hlt();
416 }
417
418-static struct platform_suspend_ops omap_pm_ops = {
419+static const struct platform_suspend_ops omap_pm_ops = {
420 .prepare = omap2_pm_prepare,
421 .enter = omap2_pm_enter,
422 .finish = omap2_pm_finish,
57199397
MT		 423diff -urNp linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c
424--- linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c 2010-08-26 19:47:12.000000000 -0400
425+++ linux-2.6.35.4/arch/arm/mach-omap2/pm34xx.c 2010-09-17 20:12:09.000000000 -0400
426@@ -669,7 +669,7 @@ static void omap3_pm_end(void)
ae4e228f
MT		 427 return;
428 }
429
430-static struct platform_suspend_ops omap_pm_ops = {
431+static const struct platform_suspend_ops omap_pm_ops = {
432 .begin = omap3_pm_begin,
433 .end = omap3_pm_end,
434 .prepare = omap3_pm_prepare,
57199397
MT		 435diff -urNp linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c
436--- linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c 2010-08-26 19:47:12.000000000 -0400
437+++ linux-2.6.35.4/arch/arm/mach-pnx4008/pm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 438@@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
ae4e228f
MT		 439 (state == PM_SUSPEND_MEM);
440 }
441
442-static struct platform_suspend_ops pnx4008_pm_ops = {
443+static const struct platform_suspend_ops pnx4008_pm_ops = {
444 .enter = pnx4008_pm_enter,
445 .valid = pnx4008_pm_valid,
446 };
57199397
MT		 447diff -urNp linux-2.6.35.4/arch/arm/mach-pxa/pm.c linux-2.6.35.4/arch/arm/mach-pxa/pm.c
448--- linux-2.6.35.4/arch/arm/mach-pxa/pm.c 2010-08-26 19:47:12.000000000 -0400
449+++ linux-2.6.35.4/arch/arm/mach-pxa/pm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 450@@ -96,7 +96,7 @@ void pxa_pm_finish(void)
ae4e228f
MT		 451 pxa_cpu_pm_fns->finish();
452 }
453
454-static struct platform_suspend_ops pxa_pm_ops = {
455+static const struct platform_suspend_ops pxa_pm_ops = {
456 .valid = pxa_pm_valid,
457 .enter = pxa_pm_enter,
458 .prepare = pxa_pm_prepare,
57199397
MT		 459diff -urNp linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c
460--- linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c 2010-08-26 19:47:12.000000000 -0400
461+++ linux-2.6.35.4/arch/arm/mach-pxa/sharpsl_pm.c 2010-09-17 20:12:09.000000000 -0400
462@@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
ae4e228f
MT		 463 }
464
465 #ifdef CONFIG_PM
466-static struct platform_suspend_ops sharpsl_pm_ops = {
467+static const struct platform_suspend_ops sharpsl_pm_ops = {
468 .prepare = pxa_pm_prepare,
469 .finish = pxa_pm_finish,
470 .enter = corgi_pxa_pm_enter,
57199397
MT		 471diff -urNp linux-2.6.35.4/arch/arm/mach-sa1100/pm.c linux-2.6.35.4/arch/arm/mach-sa1100/pm.c
472--- linux-2.6.35.4/arch/arm/mach-sa1100/pm.c 2010-08-26 19:47:12.000000000 -0400
473+++ linux-2.6.35.4/arch/arm/mach-sa1100/pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 474@@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
475 return virt_to_phys(sp);
476 }
477
478-static struct platform_suspend_ops sa11x0_pm_ops = {
479+static const struct platform_suspend_ops sa11x0_pm_ops = {
480 .enter = sa11x0_pm_enter,
481 .valid = suspend_valid_only_mem,
482 };
57199397
MT		 483diff -urNp linux-2.6.35.4/arch/arm/mm/fault.c linux-2.6.35.4/arch/arm/mm/fault.c
484--- linux-2.6.35.4/arch/arm/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
485+++ linux-2.6.35.4/arch/arm/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 486@@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
ae4e228f
MT		 487 }
488 #endif
489
490+#ifdef CONFIG_PAX_PAGEEXEC
491+ if (fsr & FSR_LNX_PF) {
492+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
493+ do_group_exit(SIGKILL);
494+ }
495+#endif
496+
497 tsk->thread.address = addr;
498 tsk->thread.error_code = fsr;
499 tsk->thread.trap_no = 14;
df50ba0c 500@@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
ae4e228f
MT		 501 }
502 #endif /* CONFIG_MMU */
503
504+#ifdef CONFIG_PAX_PAGEEXEC
505+void pax_report_insns(void *pc, void *sp)
506+{
507+ long i;
508+
509+ printk(KERN_ERR "PAX: bytes at PC: ");
510+ for (i = 0; i < 20; i++) {
511+ unsigned char c;
512+ if (get_user(c, (__force unsigned char __user *)pc+i))
513+ printk(KERN_CONT "?? ");
514+ else
515+ printk(KERN_CONT "%02x ", c);
516+ }
517+ printk("\n");
518+
519+ printk(KERN_ERR "PAX: bytes at SP-4: ");
520+ for (i = -1; i < 20; i++) {
521+ unsigned long c;
522+ if (get_user(c, (__force unsigned long __user *)sp+i))
523+ printk(KERN_CONT "???????? ");
524+ else
525+ printk(KERN_CONT "%08lx ", c);
526+ }
527+ printk("\n");
528+}
529+#endif
530+
531 /*
532 * First Level Translation Fault Handler
533 *
57199397
MT		 534diff -urNp linux-2.6.35.4/arch/arm/mm/mmap.c linux-2.6.35.4/arch/arm/mm/mmap.c
535--- linux-2.6.35.4/arch/arm/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
536+++ linux-2.6.35.4/arch/arm/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 537@@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT		 538 if (len > TASK_SIZE)
539 return -ENOMEM;
540
541+#ifdef CONFIG_PAX_RANDMMAP
542+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
543+#endif
544+
545 if (addr) {
546 if (do_align)
547 addr = COLOUR_ALIGN(addr, pgoff);
57199397
MT		 548@@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
549 addr = PAGE_ALIGN(addr);
550
551 vma = find_vma(mm, addr);
552- if (TASK_SIZE - len >= addr &&
553- (!vma || addr + len <= vma->vm_start))
554+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
58c5fc13
MT		 555 return addr;
556 }
557 if (len > mm->cached_hole_size) {
558- start_addr = addr = mm->free_area_cache;
559+ start_addr = addr = mm->free_area_cache;
560 } else {
561- start_addr = addr = TASK_UNMAPPED_BASE;
562- mm->cached_hole_size = 0;
563+ start_addr = addr = mm->mmap_base;
564+ mm->cached_hole_size = 0;
565 }
566
567 full_search:
57199397 568@@ -94,14 +97,14 @@ full_search:
58c5fc13
MT		 569 * Start a new search - just in case we missed
570 * some holes.
571 */
572- if (start_addr != TASK_UNMAPPED_BASE) {
573- start_addr = addr = TASK_UNMAPPED_BASE;
574+ if (start_addr != mm->mmap_base) {
575+ start_addr = addr = mm->mmap_base;
576 mm->cached_hole_size = 0;
577 goto full_search;
578 }
57199397
MT		 579 return -ENOMEM;
580 }
581- if (!vma || addr + len <= vma->vm_start) {
582+ if (check_heap_stack_gap(vma, addr, len)) {
583 /*
584 * Remember the place where we stopped the search:
585 */
586diff -urNp linux-2.6.35.4/arch/arm/plat-samsung/pm.c linux-2.6.35.4/arch/arm/plat-samsung/pm.c
587--- linux-2.6.35.4/arch/arm/plat-samsung/pm.c 2010-08-26 19:47:12.000000000 -0400
588+++ linux-2.6.35.4/arch/arm/plat-samsung/pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 589@@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
590 s3c_pm_check_cleanup();
591 }
592
593-static struct platform_suspend_ops s3c_pm_ops = {
594+static const struct platform_suspend_ops s3c_pm_ops = {
595 .enter = s3c_pm_enter,
596 .prepare = s3c_pm_prepare,
597 .finish = s3c_pm_finish,
57199397
MT		 598diff -urNp linux-2.6.35.4/arch/avr32/include/asm/elf.h linux-2.6.35.4/arch/avr32/include/asm/elf.h
599--- linux-2.6.35.4/arch/avr32/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
600+++ linux-2.6.35.4/arch/avr32/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 601@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
58c5fc13
MT		 602 the loader. We need to make sure that it is out of the way of the program
603 that it will "exec", and that there is sufficient room for the brk. */
604
605-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
606+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
607
608+#ifdef CONFIG_PAX_ASLR
609+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
610+
611+#define PAX_DELTA_MMAP_LEN 15
612+#define PAX_DELTA_STACK_LEN 15
613+#endif
614
615 /* This yields a mask that user programs can use to figure out what
616 instruction set this CPU supports. This could be done in user space,
57199397
MT		 617diff -urNp linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h
618--- linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
619+++ linux-2.6.35.4/arch/avr32/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 620@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
621 D(11) KM_IRQ1,
622 D(12) KM_SOFTIRQ0,
623 D(13) KM_SOFTIRQ1,
624-D(14) KM_TYPE_NR
625+D(14) KM_CLEARPAGE,
626+D(15) KM_TYPE_NR
627 };
628
629 #undef D
57199397
MT		 630diff -urNp linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c
631--- linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c 2010-08-26 19:47:12.000000000 -0400
632+++ linux-2.6.35.4/arch/avr32/mach-at32ap/pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 633@@ -176,7 +176,7 @@ out:
634 return 0;
635 }
636
637-static struct platform_suspend_ops avr32_pm_ops = {
638+static const struct platform_suspend_ops avr32_pm_ops = {
639 .valid = avr32_pm_valid_state,
640 .enter = avr32_pm_enter,
641 };
57199397
MT		 642diff -urNp linux-2.6.35.4/arch/avr32/mm/fault.c linux-2.6.35.4/arch/avr32/mm/fault.c
643--- linux-2.6.35.4/arch/avr32/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
644+++ linux-2.6.35.4/arch/avr32/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 645@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
646
647 int exception_trace = 1;
648
649+#ifdef CONFIG_PAX_PAGEEXEC
650+void pax_report_insns(void *pc, void *sp)
651+{
652+ unsigned long i;
653+
654+ printk(KERN_ERR "PAX: bytes at PC: ");
655+ for (i = 0; i < 20; i++) {
656+ unsigned char c;
657+ if (get_user(c, (unsigned char *)pc+i))
658+ printk(KERN_CONT "???????? ");
659+ else
660+ printk(KERN_CONT "%02x ", c);
661+ }
662+ printk("\n");
663+}
664+#endif
665+
666 /*
667 * This routine handles page faults. It determines the address and the
668 * problem, and then passes it off to one of the appropriate routines.
669@@ -157,6 +174,16 @@ bad_area:
670 up_read(&mm->mmap_sem);
671
672 if (user_mode(regs)) {
673+
674+#ifdef CONFIG_PAX_PAGEEXEC
675+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
676+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
677+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
678+ do_group_exit(SIGKILL);
679+ }
680+ }
681+#endif
682+
683 if (exception_trace && printk_ratelimit())
684 printk("%s%s[%d]: segfault at %08lx pc %08lx "
685 "sp %08lx ecr %lu\n",
57199397
MT		 686diff -urNp linux-2.6.35.4/arch/blackfin/kernel/kgdb.c linux-2.6.35.4/arch/blackfin/kernel/kgdb.c
687--- linux-2.6.35.4/arch/blackfin/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
688+++ linux-2.6.35.4/arch/blackfin/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 689@@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
690 return -1; /* this means that we do not want to exit from the handler */
58c5fc13
MT		 691 }
692
ae4e228f
MT		 693-struct kgdb_arch arch_kgdb_ops = {
694+const struct kgdb_arch arch_kgdb_ops = {
695 .gdb_bpt_instr = {0xa1},
696 #ifdef CONFIG_SMP
697 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
57199397
MT		 698diff -urNp linux-2.6.35.4/arch/blackfin/mach-common/pm.c linux-2.6.35.4/arch/blackfin/mach-common/pm.c
699--- linux-2.6.35.4/arch/blackfin/mach-common/pm.c 2010-08-26 19:47:12.000000000 -0400
700+++ linux-2.6.35.4/arch/blackfin/mach-common/pm.c 2010-09-17 20:12:09.000000000 -0400
701@@ -232,7 +232,7 @@ static int bfin_pm_enter(suspend_state_t
58c5fc13
MT		 702 return 0;
703 }
704
ae4e228f
MT		 705-struct platform_suspend_ops bfin_pm_ops = {
706+const struct platform_suspend_ops bfin_pm_ops = {
707 .enter = bfin_pm_enter,
708 .valid = bfin_pm_valid,
709 };
57199397
MT		 710diff -urNp linux-2.6.35.4/arch/blackfin/mm/maccess.c linux-2.6.35.4/arch/blackfin/mm/maccess.c
711--- linux-2.6.35.4/arch/blackfin/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
712+++ linux-2.6.35.4/arch/blackfin/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 713@@ -16,7 +16,7 @@ static int validate_memory_access_addres
714 return bfin_mem_access_type(addr, size);
58c5fc13
MT		 715 }
716
ae4e228f
MT		 717-long probe_kernel_read(void *dst, void *src, size_t size)
718+long probe_kernel_read(void *dst, const void *src, size_t size)
58c5fc13 719 {
ae4e228f
MT		 720 unsigned long lsrc = (unsigned long)src;
721 int mem_type;
722@@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
723 return -EFAULT;
58c5fc13
MT		 724 }
725
ae4e228f
MT		 726-long probe_kernel_write(void *dst, void *src, size_t size)
727+long probe_kernel_write(void *dst, const void *src, size_t size)
58c5fc13 728 {
ae4e228f
MT		 729 unsigned long ldst = (unsigned long)dst;
730 int mem_type;
57199397
MT		 731diff -urNp linux-2.6.35.4/arch/frv/include/asm/kmap_types.h linux-2.6.35.4/arch/frv/include/asm/kmap_types.h
732--- linux-2.6.35.4/arch/frv/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
733+++ linux-2.6.35.4/arch/frv/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 734@@ -23,6 +23,7 @@ enum km_type {
735 KM_IRQ1,
736 KM_SOFTIRQ0,
737 KM_SOFTIRQ1,
738+ KM_CLEARPAGE,
739 KM_TYPE_NR
740 };
741
57199397
MT		 742diff -urNp linux-2.6.35.4/arch/frv/mm/elf-fdpic.c linux-2.6.35.4/arch/frv/mm/elf-fdpic.c
743--- linux-2.6.35.4/arch/frv/mm/elf-fdpic.c 2010-08-26 19:47:12.000000000 -0400
744+++ linux-2.6.35.4/arch/frv/mm/elf-fdpic.c 2010-09-17 20:12:09.000000000 -0400
745@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
746 if (addr) {
747 addr = PAGE_ALIGN(addr);
748 vma = find_vma(current->mm, addr);
749- if (TASK_SIZE - len >= addr &&
750- (!vma || addr + len <= vma->vm_start))
751+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
752 goto success;
753 }
754
755@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
756 for (; vma; vma = vma->vm_next) {
757 if (addr > limit)
758 break;
759- if (addr + len <= vma->vm_start)
760+ if (check_heap_stack_gap(vma, addr, len))
761 goto success;
762 addr = vma->vm_end;
763 }
764@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
765 for (; vma; vma = vma->vm_next) {
766 if (addr > limit)
767 break;
768- if (addr + len <= vma->vm_start)
769+ if (check_heap_stack_gap(vma, addr, len))
770 goto success;
771 addr = vma->vm_end;
772 }
773diff -urNp linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c
774--- linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c 2010-08-26 19:47:12.000000000 -0400
775+++ linux-2.6.35.4/arch/ia64/hp/common/hwsw_iommu.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 776@@ -17,7 +17,7 @@
777 #include <linux/swiotlb.h>
778 #include <asm/machvec.h>
58c5fc13 779
ae4e228f
MT		 780-extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
781+extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
58c5fc13 782
ae4e228f
MT		 783 /* swiotlb declarations & definitions: */
784 extern int swiotlb_late_init_with_default_size (size_t size);
785@@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
786 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
58c5fc13
MT		 787 }
788
ae4e228f
MT		 789-struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
790+const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
791 {
792 if (use_swiotlb(dev))
793 return &swiotlb_dma_ops;
57199397
MT		 794diff -urNp linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c
795--- linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c 2010-08-26 19:47:12.000000000 -0400
796+++ linux-2.6.35.4/arch/ia64/hp/common/sba_iommu.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 797@@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
798 },
799 };
58c5fc13 800
ae4e228f
MT		 801-extern struct dma_map_ops swiotlb_dma_ops;
802+extern const struct dma_map_ops swiotlb_dma_ops;
58c5fc13 803
ae4e228f
MT		 804 static int __init
805 sba_init(void)
806@@ -2211,7 +2211,7 @@ sba_page_override(char *str)
58c5fc13 807
ae4e228f 808 __setup("sbapagesize=",sba_page_override);
58c5fc13 809
ae4e228f
MT		 810-struct dma_map_ops sba_dma_ops = {
811+const struct dma_map_ops sba_dma_ops = {
812 .alloc_coherent = sba_alloc_coherent,
813 .free_coherent = sba_free_coherent,
814 .map_page = sba_map_page,
57199397
MT		 815diff -urNp linux-2.6.35.4/arch/ia64/include/asm/compat.h linux-2.6.35.4/arch/ia64/include/asm/compat.h
816--- linux-2.6.35.4/arch/ia64/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
817+++ linux-2.6.35.4/arch/ia64/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
818@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr)
819 }
820
821 static __inline__ void __user *
822-compat_alloc_user_space (long len)
823+arch_compat_alloc_user_space (long len)
824 {
825 struct pt_regs *regs = task_pt_regs(current);
826 return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
827diff -urNp linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h
828--- linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
829+++ linux-2.6.35.4/arch/ia64/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 830@@ -12,7 +12,7 @@
58c5fc13 831
ae4e228f
MT		 832 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
833
834-extern struct dma_map_ops *dma_ops;
835+extern const struct dma_map_ops *dma_ops;
836 extern struct ia64_machine_vector ia64_mv;
837 extern void set_iommu_machvec(void);
58c5fc13 838
ae4e228f
MT		 839@@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
840 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
841 dma_addr_t *daddr, gfp_t gfp)
842 {
843- struct dma_map_ops *ops = platform_dma_get_ops(dev);
844+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
845 void *caddr;
846
847 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
848@@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
849 static inline void dma_free_coherent(struct device *dev, size_t size,
850 void *caddr, dma_addr_t daddr)
851 {
852- struct dma_map_ops *ops = platform_dma_get_ops(dev);
853+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
854 debug_dma_free_coherent(dev, size, caddr, daddr);
855 ops->free_coherent(dev, size, caddr, daddr);
856 }
857@@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
858
859 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
860 {
861- struct dma_map_ops *ops = platform_dma_get_ops(dev);
862+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
863 return ops->mapping_error(dev, daddr);
864 }
865
866 static inline int dma_supported(struct device *dev, u64 mask)
867 {
868- struct dma_map_ops *ops = platform_dma_get_ops(dev);
869+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
870 return ops->dma_supported(dev, mask);
871 }
872
57199397
MT		 873diff -urNp linux-2.6.35.4/arch/ia64/include/asm/elf.h linux-2.6.35.4/arch/ia64/include/asm/elf.h
874--- linux-2.6.35.4/arch/ia64/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
875+++ linux-2.6.35.4/arch/ia64/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 876@@ -42,6 +42,13 @@
58c5fc13
MT		 877 */
878 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
879
880+#ifdef CONFIG_PAX_ASLR
881+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
882+
883+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
884+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
885+#endif
886+
887 #define PT_IA_64_UNWIND 0x70000001
888
889 /* IA-64 relocations: */
57199397
MT		 890diff -urNp linux-2.6.35.4/arch/ia64/include/asm/machvec.h linux-2.6.35.4/arch/ia64/include/asm/machvec.h
891--- linux-2.6.35.4/arch/ia64/include/asm/machvec.h 2010-08-26 19:47:12.000000000 -0400
892+++ linux-2.6.35.4/arch/ia64/include/asm/machvec.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 893@@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
894 /* DMA-mapping interface: */
895 typedef void ia64_mv_dma_init (void);
896 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
897-typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
898+typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
899
900 /*
901 * WARNING: The legacy I/O space is _architected_. Platforms are
902@@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
903 # endif /* CONFIG_IA64_GENERIC */
904
905 extern void swiotlb_dma_init(void);
906-extern struct dma_map_ops *dma_get_ops(struct device *);
907+extern const struct dma_map_ops *dma_get_ops(struct device *);
908
909 /*
910 * Define default versions so we can extend machvec for new platforms without having
57199397
MT		 911diff -urNp linux-2.6.35.4/arch/ia64/include/asm/pgtable.h linux-2.6.35.4/arch/ia64/include/asm/pgtable.h
912--- linux-2.6.35.4/arch/ia64/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
913+++ linux-2.6.35.4/arch/ia64/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
914@@ -12,7 +12,7 @@
915 * David Mosberger-Tang <davidm@hpl.hp.com>
916 */
917
918-
919+#include <linux/const.h>
920 #include <asm/mman.h>
921 #include <asm/page.h>
922 #include <asm/processor.h>
58c5fc13
MT		 923@@ -143,6 +143,17 @@
924 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
925 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
926 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
927+
928+#ifdef CONFIG_PAX_PAGEEXEC
929+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
930+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
931+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
932+#else
933+# define PAGE_SHARED_NOEXEC PAGE_SHARED
934+# define PAGE_READONLY_NOEXEC PAGE_READONLY
935+# define PAGE_COPY_NOEXEC PAGE_COPY
936+#endif
937+
938 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
939 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
940 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
57199397
MT		 941diff -urNp linux-2.6.35.4/arch/ia64/include/asm/uaccess.h linux-2.6.35.4/arch/ia64/include/asm/uaccess.h
942--- linux-2.6.35.4/arch/ia64/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
943+++ linux-2.6.35.4/arch/ia64/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 944@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
945 const void *__cu_from = (from); \
946 long __cu_len = (n); \
947 \
948- if (__access_ok(__cu_to, __cu_len, get_fs())) \
ae4e228f 949+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
58c5fc13
MT		 950 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
951 __cu_len; \
952 })
953@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
954 long __cu_len = (n); \
955 \
956 __chk_user_ptr(__cu_from); \
957- if (__access_ok(__cu_from, __cu_len, get_fs())) \
ae4e228f 958+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
58c5fc13
MT		 959 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
960 __cu_len; \
961 })
57199397
MT		 962diff -urNp linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c
963--- linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c 2010-08-26 19:47:12.000000000 -0400
964+++ linux-2.6.35.4/arch/ia64/kernel/dma-mapping.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 965@@ -3,7 +3,7 @@
966 /* Set this to 1 if there is a HW IOMMU in the system */
967 int iommu_detected __read_mostly;
968
969-struct dma_map_ops *dma_ops;
970+const struct dma_map_ops *dma_ops;
971 EXPORT_SYMBOL(dma_ops);
972
973 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
974@@ -16,7 +16,7 @@ static int __init dma_init(void)
975 }
976 fs_initcall(dma_init);
977
978-struct dma_map_ops *dma_get_ops(struct device *dev)
979+const struct dma_map_ops *dma_get_ops(struct device *dev)
980 {
981 return dma_ops;
982 }
57199397
MT		 983diff -urNp linux-2.6.35.4/arch/ia64/kernel/module.c linux-2.6.35.4/arch/ia64/kernel/module.c
984--- linux-2.6.35.4/arch/ia64/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
985+++ linux-2.6.35.4/arch/ia64/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 986@@ -315,8 +315,7 @@ module_alloc (unsigned long size)
987 void
988 module_free (struct module *mod, void *module_region)
989 {
990- if (mod && mod->arch.init_unw_table &&
991- module_region == mod->module_init) {
992+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
993 unw_remove_unwind_table(mod->arch.init_unw_table);
994 mod->arch.init_unw_table = NULL;
995 }
996@@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
997 }
998
999 static inline int
1000+in_init_rx (const struct module *mod, uint64_t addr)
1001+{
1002+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1003+}
1004+
1005+static inline int
1006+in_init_rw (const struct module *mod, uint64_t addr)
1007+{
1008+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1009+}
1010+
1011+static inline int
1012 in_init (const struct module *mod, uint64_t addr)
1013 {
1014- return addr - (uint64_t) mod->module_init < mod->init_size;
1015+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1016+}
1017+
1018+static inline int
1019+in_core_rx (const struct module *mod, uint64_t addr)
1020+{
1021+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1022+}
1023+
1024+static inline int
1025+in_core_rw (const struct module *mod, uint64_t addr)
1026+{
1027+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1028 }
1029
1030 static inline int
1031 in_core (const struct module *mod, uint64_t addr)
1032 {
1033- return addr - (uint64_t) mod->module_core < mod->core_size;
1034+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1035 }
1036
1037 static inline int
1038@@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1039 break;
1040
1041 case RV_BDREL:
1042- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1043+ if (in_init_rx(mod, val))
1044+ val -= (uint64_t) mod->module_init_rx;
1045+ else if (in_init_rw(mod, val))
1046+ val -= (uint64_t) mod->module_init_rw;
1047+ else if (in_core_rx(mod, val))
1048+ val -= (uint64_t) mod->module_core_rx;
1049+ else if (in_core_rw(mod, val))
1050+ val -= (uint64_t) mod->module_core_rw;
1051 break;
1052
1053 case RV_LTV:
1054@@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1055 * addresses have been selected...
1056 */
1057 uint64_t gp;
1058- if (mod->core_size > MAX_LTOFF)
1059+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1060 /*
1061 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1062 * at the end of the module.
1063 */
1064- gp = mod->core_size - MAX_LTOFF / 2;
1065+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1066 else
1067- gp = mod->core_size / 2;
1068- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1069+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1070+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1071 mod->arch.gp = gp;
1072 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1073 }
57199397
MT		 1074diff -urNp linux-2.6.35.4/arch/ia64/kernel/pci-dma.c linux-2.6.35.4/arch/ia64/kernel/pci-dma.c
1075--- linux-2.6.35.4/arch/ia64/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
1076+++ linux-2.6.35.4/arch/ia64/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 1077@@ -43,7 +43,7 @@ struct device fallback_dev = {
1078 .dma_mask = &fallback_dev.coherent_dma_mask,
1079 };
1080
1081-extern struct dma_map_ops intel_dma_ops;
1082+extern const struct dma_map_ops intel_dma_ops;
1083
1084 static int __init pci_iommu_init(void)
1085 {
57199397
MT		 1086diff -urNp linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c
1087--- linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
1088+++ linux-2.6.35.4/arch/ia64/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 1089@@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
ae4e228f
MT		 1090 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1091 }
1092
1093-struct dma_map_ops swiotlb_dma_ops = {
1094+const struct dma_map_ops swiotlb_dma_ops = {
1095 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1096 .free_coherent = swiotlb_free_coherent,
1097 .map_page = swiotlb_map_page,
57199397
MT		 1098diff -urNp linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c
1099--- linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c 2010-08-26 19:47:12.000000000 -0400
1100+++ linux-2.6.35.4/arch/ia64/kernel/sys_ia64.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1101@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1102 if (REGION_NUMBER(addr) == RGN_HPAGE)
1103 addr = 0;
1104 #endif
1105+
1106+#ifdef CONFIG_PAX_RANDMMAP
1107+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1108+ addr = mm->free_area_cache;
1109+ else
1110+#endif
1111+
1112 if (!addr)
1113 addr = mm->free_area_cache;
1114
57199397 1115@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
58c5fc13
MT		 1116 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1117 /* At this point: (!vma || addr < vma->vm_end). */
1118 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1119- if (start_addr != TASK_UNMAPPED_BASE) {
1120+ if (start_addr != mm->mmap_base) {
1121 /* Start a new search --- just in case we missed some holes. */
1122- addr = TASK_UNMAPPED_BASE;
1123+ addr = mm->mmap_base;
1124 goto full_search;
1125 }
1126 return -ENOMEM;
57199397
MT		 1127 }
1128- if (!vma || addr + len <= vma->vm_start) {
1129+ if (check_heap_stack_gap(vma, addr, len)) {
1130 /* Remember the address where we stopped this search: */
1131 mm->free_area_cache = addr + len;
1132 return addr;
1133diff -urNp linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S
1134--- linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
1135+++ linux-2.6.35.4/arch/ia64/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 1136@@ -196,7 +196,7 @@ SECTIONS
1137 /* Per-cpu data: */
1138 . = ALIGN(PERCPU_PAGE_SIZE);
1139 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1140- __phys_per_cpu_start = __per_cpu_load;
1141+ __phys_per_cpu_start = per_cpu_load;
1142 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1143 * into percpu page size
1144 */
57199397
MT		 1145diff -urNp linux-2.6.35.4/arch/ia64/mm/fault.c linux-2.6.35.4/arch/ia64/mm/fault.c
1146--- linux-2.6.35.4/arch/ia64/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1147+++ linux-2.6.35.4/arch/ia64/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1148@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1149 return pte_present(pte);
1150 }
1151
1152+#ifdef CONFIG_PAX_PAGEEXEC
1153+void pax_report_insns(void *pc, void *sp)
1154+{
1155+ unsigned long i;
1156+
1157+ printk(KERN_ERR "PAX: bytes at PC: ");
1158+ for (i = 0; i < 8; i++) {
1159+ unsigned int c;
1160+ if (get_user(c, (unsigned int *)pc+i))
1161+ printk(KERN_CONT "???????? ");
1162+ else
1163+ printk(KERN_CONT "%08x ", c);
1164+ }
1165+ printk("\n");
1166+}
1167+#endif
1168+
1169 void __kprobes
1170 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1171 {
1172@@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1173 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1174 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1175
1176- if ((vma->vm_flags & mask) != mask)
1177+ if ((vma->vm_flags & mask) != mask) {
1178+
1179+#ifdef CONFIG_PAX_PAGEEXEC
1180+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1181+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1182+ goto bad_area;
1183+
1184+ up_read(&mm->mmap_sem);
1185+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1186+ do_group_exit(SIGKILL);
1187+ }
1188+#endif
1189+
1190 goto bad_area;
1191
1192+ }
1193+
58c5fc13
MT		 1194 /*
1195 * If for any reason at all we couldn't handle the fault, make
57199397
MT		 1196 * sure we exit gracefully rather than endlessly redo the
1197diff -urNp linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c
1198--- linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
1199+++ linux-2.6.35.4/arch/ia64/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
1200@@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1201 /* At this point: (!vmm || addr < vmm->vm_end). */
1202 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1203 return -ENOMEM;
1204- if (!vmm || (addr + len) <= vmm->vm_start)
1205+ if (check_heap_stack_gap(vmm, addr, len))
1206 return addr;
1207 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1208 }
1209diff -urNp linux-2.6.35.4/arch/ia64/mm/init.c linux-2.6.35.4/arch/ia64/mm/init.c
1210--- linux-2.6.35.4/arch/ia64/mm/init.c 2010-08-26 19:47:12.000000000 -0400
1211+++ linux-2.6.35.4/arch/ia64/mm/init.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1212@@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1213 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1214 vma->vm_end = vma->vm_start + PAGE_SIZE;
1215 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1216+
1217+#ifdef CONFIG_PAX_PAGEEXEC
1218+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1219+ vma->vm_flags &= ~VM_EXEC;
1220+
1221+#ifdef CONFIG_PAX_MPROTECT
1222+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
1223+ vma->vm_flags &= ~VM_MAYEXEC;
1224+#endif
1225+
1226+ }
1227+#endif
1228+
1229 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1230 down_write(&current->mm->mmap_sem);
1231 if (insert_vm_struct(current->mm, vma)) {
57199397
MT		 1232diff -urNp linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c
1233--- linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c 2010-08-26 19:47:12.000000000 -0400
1234+++ linux-2.6.35.4/arch/ia64/sn/pci/pci_dma.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 1235@@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
ae4e228f 1236 return ret;
58c5fc13
MT		 1237 }
1238
ae4e228f
MT		 1239-static struct dma_map_ops sn_dma_ops = {
1240+static const struct dma_map_ops sn_dma_ops = {
1241 .alloc_coherent = sn_dma_alloc_coherent,
1242 .free_coherent = sn_dma_free_coherent,
1243 .map_page = sn_dma_map_page,
57199397
MT		 1244diff -urNp linux-2.6.35.4/arch/m32r/lib/usercopy.c linux-2.6.35.4/arch/m32r/lib/usercopy.c
1245--- linux-2.6.35.4/arch/m32r/lib/usercopy.c 2010-08-26 19:47:12.000000000 -0400
1246+++ linux-2.6.35.4/arch/m32r/lib/usercopy.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1247@@ -14,6 +14,9 @@
1248 unsigned long
1249 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1250 {
1251+ if ((long)n < 0)
1252+ return n;
1253+
1254 prefetch(from);
1255 if (access_ok(VERIFY_WRITE, to, n))
1256 __copy_user(to,from,n);
1257@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1258 unsigned long
1259 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1260 {
1261+ if ((long)n < 0)
1262+ return n;
1263+
1264 prefetchw(to);
1265 if (access_ok(VERIFY_READ, from, n))
1266 __copy_user_zeroing(to,from,n);
57199397
MT		 1267diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/device.h linux-2.6.35.4/arch/microblaze/include/asm/device.h
1268--- linux-2.6.35.4/arch/microblaze/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1269+++ linux-2.6.35.4/arch/microblaze/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1270@@ -13,7 +13,7 @@ struct device_node;
df50ba0c 1271
57199397 1272 struct dev_archdata {
df50ba0c
MT		 1273 /* DMA operations on that device */
1274- struct dma_map_ops *dma_ops;
1275+ const struct dma_map_ops *dma_ops;
1276 void *dma_data;
1277 };
1278
57199397
MT		 1279diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h
1280--- linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1281+++ linux-2.6.35.4/arch/microblaze/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 1282@@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1283 return 0xfffffffful;
1284 }
1285
1286-extern struct dma_map_ops *dma_ops;
1287+extern const struct dma_map_ops *dma_ops;
1288
1289 /*
1290 * Available generic sets of operations
1291 */
1292-extern struct dma_map_ops dma_direct_ops;
1293+extern const struct dma_map_ops dma_direct_ops;
1294
1295-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1296+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1297 {
1298 /* We don't handle the NULL dev case for ISA for now. We could
1299 * do it via an out of line call but it is not needed for now. The
1300@@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1301 return dev->archdata.dma_ops;
1302 }
1303
1304-static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1305+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1306 {
1307 dev->archdata.dma_ops = ops;
1308 }
1309
1310 static inline int dma_supported(struct device *dev, u64 mask)
1311 {
1312- struct dma_map_ops *ops = get_dma_ops(dev);
1313+ const struct dma_map_ops *ops = get_dma_ops(dev);
1314
1315 if (unlikely(!ops))
1316 return 0;
1317@@ -87,7 +87,7 @@ static inline int dma_supported(struct d
1318
1319 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1320 {
1321- struct dma_map_ops *ops = get_dma_ops(dev);
1322+ const struct dma_map_ops *ops = get_dma_ops(dev);
1323
1324 if (unlikely(ops == NULL))
1325 return -EIO;
1326@@ -103,7 +103,7 @@ static inline int dma_set_mask(struct de
1327
1328 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1329 {
1330- struct dma_map_ops *ops = get_dma_ops(dev);
1331+ const struct dma_map_ops *ops = get_dma_ops(dev);
1332 if (ops->mapping_error)
1333 return ops->mapping_error(dev, dma_addr);
1334
1335@@ -117,7 +117,7 @@ static inline int dma_mapping_error(stru
1336 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1337 dma_addr_t *dma_handle, gfp_t flag)
1338 {
1339- struct dma_map_ops *ops = get_dma_ops(dev);
1340+ const struct dma_map_ops *ops = get_dma_ops(dev);
1341 void *memory;
1342
1343 BUG_ON(!ops);
1344@@ -131,7 +131,7 @@ static inline void *dma_alloc_coherent(s
1345 static inline void dma_free_coherent(struct device *dev, size_t size,
1346 void *cpu_addr, dma_addr_t dma_handle)
1347 {
1348- struct dma_map_ops *ops = get_dma_ops(dev);
1349+ const struct dma_map_ops *ops = get_dma_ops(dev);
1350
1351 BUG_ON(!ops);
1352 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
57199397
MT		 1353diff -urNp linux-2.6.35.4/arch/microblaze/include/asm/pci.h linux-2.6.35.4/arch/microblaze/include/asm/pci.h
1354--- linux-2.6.35.4/arch/microblaze/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
1355+++ linux-2.6.35.4/arch/microblaze/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 1356@@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1357 }
1358
1359 #ifdef CONFIG_PCI
1360-extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1361-extern struct dma_map_ops *get_pci_dma_ops(void);
1362+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1363+extern const struct dma_map_ops *get_pci_dma_ops(void);
1364 #else /* CONFIG_PCI */
1365 #define set_pci_dma_ops(d)
1366 #define get_pci_dma_ops() NULL
57199397
MT		 1367diff -urNp linux-2.6.35.4/arch/microblaze/kernel/dma.c linux-2.6.35.4/arch/microblaze/kernel/dma.c
1368--- linux-2.6.35.4/arch/microblaze/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
1369+++ linux-2.6.35.4/arch/microblaze/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
1370@@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
df50ba0c
MT		 1371 __dma_sync_page(dma_address, 0 , size, direction);
1372 }
1373
1374-struct dma_map_ops dma_direct_ops = {
1375+const struct dma_map_ops dma_direct_ops = {
1376 .alloc_coherent = dma_direct_alloc_coherent,
1377 .free_coherent = dma_direct_free_coherent,
1378 .map_sg = dma_direct_map_sg,
57199397
MT		 1379diff -urNp linux-2.6.35.4/arch/microblaze/pci/pci-common.c linux-2.6.35.4/arch/microblaze/pci/pci-common.c
1380--- linux-2.6.35.4/arch/microblaze/pci/pci-common.c 2010-08-26 19:47:12.000000000 -0400
1381+++ linux-2.6.35.4/arch/microblaze/pci/pci-common.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 1382@@ -46,14 +46,14 @@ resource_size_t isa_mem_base;
1383 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1384 unsigned int pci_flags;
1385
1386-static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1387+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1388
1389-void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1390+void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1391 {
1392 pci_dma_ops = dma_ops;
1393 }
1394
1395-struct dma_map_ops *get_pci_dma_ops(void)
1396+const struct dma_map_ops *get_pci_dma_ops(void)
1397 {
1398 return pci_dma_ops;
1399 }
57199397
MT		 1400diff -urNp linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c
1401--- linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c 2010-08-26 19:47:12.000000000 -0400
1402+++ linux-2.6.35.4/arch/mips/alchemy/devboards/pm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 1403@@ -110,7 +110,7 @@ static void db1x_pm_end(void)
ae4e228f
MT		 1404
1405 }
1406
1407-static struct platform_suspend_ops db1x_pm_ops = {
1408+static const struct platform_suspend_ops db1x_pm_ops = {
1409 .valid = suspend_valid_only_mem,
1410 .begin = db1x_pm_begin,
1411 .enter = db1x_pm_enter,
57199397
MT		 1412diff -urNp linux-2.6.35.4/arch/mips/include/asm/compat.h linux-2.6.35.4/arch/mips/include/asm/compat.h
1413--- linux-2.6.35.4/arch/mips/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
1414+++ linux-2.6.35.4/arch/mips/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
1415@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compa
1416 return (u32)(unsigned long)uptr;
1417 }
1418
1419-static inline void __user *compat_alloc_user_space(long len)
1420+static inline void __user *arch_compat_alloc_user_space(long len)
1421 {
1422 struct pt_regs *regs = (struct pt_regs *)
1423 ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
1424diff -urNp linux-2.6.35.4/arch/mips/include/asm/elf.h linux-2.6.35.4/arch/mips/include/asm/elf.h
1425--- linux-2.6.35.4/arch/mips/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1426+++ linux-2.6.35.4/arch/mips/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 1427@@ -368,6 +368,13 @@ extern const char *__elf_platform;
58c5fc13
MT		 1428 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1429 #endif
1430
1431+#ifdef CONFIG_PAX_ASLR
1432+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1433+
1434+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1435+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1436+#endif
1437+
df50ba0c
MT		 1438 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1439 struct linux_binprm;
1440 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
57199397
MT		 1441diff -urNp linux-2.6.35.4/arch/mips/include/asm/page.h linux-2.6.35.4/arch/mips/include/asm/page.h
1442--- linux-2.6.35.4/arch/mips/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
1443+++ linux-2.6.35.4/arch/mips/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 1444@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
58c5fc13
MT		 1445 #ifdef CONFIG_CPU_MIPS32
1446 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1447 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1448- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1449+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1450 #else
1451 typedef struct { unsigned long long pte; } pte_t;
1452 #define pte_val(x) ((x).pte)
57199397
MT		 1453diff -urNp linux-2.6.35.4/arch/mips/include/asm/system.h linux-2.6.35.4/arch/mips/include/asm/system.h
1454--- linux-2.6.35.4/arch/mips/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
1455+++ linux-2.6.35.4/arch/mips/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 1456@@ -234,6 +234,6 @@ extern void per_cpu_trap_init(void);
58c5fc13
MT		 1457 */
1458 #define __ARCH_WANT_UNLOCKED_CTXSW
1459
1460-extern unsigned long arch_align_stack(unsigned long sp);
1461+#define arch_align_stack(x) ((x) & ALMASK)
1462
1463 #endif /* _ASM_SYSTEM_H */
57199397
MT		 1464diff -urNp linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c
1465--- linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c 2010-08-26 19:47:12.000000000 -0400
1466+++ linux-2.6.35.4/arch/mips/kernel/binfmt_elfn32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1467@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1468 #undef ELF_ET_DYN_BASE
1469 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1470
1471+#ifdef CONFIG_PAX_ASLR
1472+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1473+
1474+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1475+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1476+#endif
1477+
1478 #include <asm/processor.h>
1479 #include <linux/module.h>
1480 #include <linux/elfcore.h>
57199397
MT		 1481diff -urNp linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c
1482--- linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c 2010-08-26 19:47:12.000000000 -0400
1483+++ linux-2.6.35.4/arch/mips/kernel/binfmt_elfo32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1484@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1485 #undef ELF_ET_DYN_BASE
1486 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1487
1488+#ifdef CONFIG_PAX_ASLR
1489+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1490+
1491+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1492+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1493+#endif
1494+
1495 #include <asm/processor.h>
1496
1497 /*
57199397
MT		 1498diff -urNp linux-2.6.35.4/arch/mips/kernel/kgdb.c linux-2.6.35.4/arch/mips/kernel/kgdb.c
1499--- linux-2.6.35.4/arch/mips/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
1500+++ linux-2.6.35.4/arch/mips/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
1501@@ -270,6 +270,7 @@ int kgdb_arch_handle_exception(int vecto
ae4e228f
MT		 1502 return -1;
1503 }
1504
df50ba0c 1505+/* cannot be const, see kgdb_arch_init */
ae4e228f
MT		 1506 struct kgdb_arch arch_kgdb_ops;
1507
1508 /*
57199397
MT		 1509diff -urNp linux-2.6.35.4/arch/mips/kernel/process.c linux-2.6.35.4/arch/mips/kernel/process.c
1510--- linux-2.6.35.4/arch/mips/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
1511+++ linux-2.6.35.4/arch/mips/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 1512@@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
58c5fc13
MT		 1513 out:
1514 return pc;
1515 }
1516-
1517-/*
1518- * Don't forget that the stack pointer must be aligned on a 8 bytes
1519- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1520- */
1521-unsigned long arch_align_stack(unsigned long sp)
1522-{
1523- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1524- sp -= get_random_int() & ~PAGE_MASK;
1525-
1526- return sp & ALMASK;
1527-}
57199397
MT		 1528diff -urNp linux-2.6.35.4/arch/mips/kernel/syscall.c linux-2.6.35.4/arch/mips/kernel/syscall.c
1529--- linux-2.6.35.4/arch/mips/kernel/syscall.c 2010-08-26 19:47:12.000000000 -0400
1530+++ linux-2.6.35.4/arch/mips/kernel/syscall.c 2010-09-17 20:12:09.000000000 -0400
1531@@ -106,17 +106,21 @@ unsigned long arch_get_unmapped_area(str
58c5fc13
MT		 1532 do_color_align = 0;
1533 if (filp || (flags & MAP_SHARED))
1534 do_color_align = 1;
1535+
1536+#ifdef CONFIG_PAX_RANDMMAP
1537+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1538+#endif
1539+
1540 if (addr) {
1541 if (do_color_align)
1542 addr = COLOUR_ALIGN(addr, pgoff);
57199397
MT		 1543 else
1544 addr = PAGE_ALIGN(addr);
1545 vmm = find_vma(current->mm, addr);
1546- if (task_size - len >= addr &&
1547- (!vmm || addr + len <= vmm->vm_start))
1548+ if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
58c5fc13
MT		 1549 return addr;
1550 }
1551- addr = TASK_UNMAPPED_BASE;
1552+ addr = current->mm->mmap_base;
1553 if (do_color_align)
1554 addr = COLOUR_ALIGN(addr, pgoff);
1555 else
57199397
MT		 1556@@ -126,7 +130,7 @@ unsigned long arch_get_unmapped_area(str
1557 /* At this point: (!vmm || addr < vmm->vm_end). */
1558 if (task_size - len < addr)
1559 return -ENOMEM;
1560- if (!vmm || addr + len <= vmm->vm_start)
1561+ if (check_heap_stack_gap(vmm, addr, len))
1562 return addr;
1563 addr = vmm->vm_end;
1564 if (do_color_align)
1565diff -urNp linux-2.6.35.4/arch/mips/loongson/common/pm.c linux-2.6.35.4/arch/mips/loongson/common/pm.c
1566--- linux-2.6.35.4/arch/mips/loongson/common/pm.c 2010-08-26 19:47:12.000000000 -0400
1567+++ linux-2.6.35.4/arch/mips/loongson/common/pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 1568@@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1569 }
1570 }
1571
1572-static struct platform_suspend_ops loongson_pm_ops = {
1573+static const struct platform_suspend_ops loongson_pm_ops = {
1574 .valid = loongson_pm_valid_state,
1575 .enter = loongson_pm_enter,
1576 };
57199397
MT		 1577diff -urNp linux-2.6.35.4/arch/mips/mm/fault.c linux-2.6.35.4/arch/mips/mm/fault.c
1578--- linux-2.6.35.4/arch/mips/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1579+++ linux-2.6.35.4/arch/mips/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1580@@ -26,6 +26,23 @@
1581 #include <asm/ptrace.h>
1582 #include <asm/highmem.h> /* For VMALLOC_END */
1583
1584+#ifdef CONFIG_PAX_PAGEEXEC
1585+void pax_report_insns(void *pc)
1586+{
1587+ unsigned long i;
1588+
1589+ printk(KERN_ERR "PAX: bytes at PC: ");
1590+ for (i = 0; i < 5; i++) {
1591+ unsigned int c;
1592+ if (get_user(c, (unsigned int *)pc+i))
1593+ printk(KERN_CONT "???????? ");
1594+ else
1595+ printk(KERN_CONT "%08x ", c);
1596+ }
1597+ printk("\n");
1598+}
1599+#endif
1600+
1601 /*
1602 * This routine handles page faults. It determines the address,
1603 * and the problem, and then passes it off to one of the appropriate
57199397
MT		 1604diff -urNp linux-2.6.35.4/arch/parisc/include/asm/compat.h linux-2.6.35.4/arch/parisc/include/asm/compat.h
1605--- linux-2.6.35.4/arch/parisc/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
1606+++ linux-2.6.35.4/arch/parisc/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
1607@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compa
1608 return (u32)(unsigned long)uptr;
1609 }
1610
1611-static __inline__ void __user *compat_alloc_user_space(long len)
1612+static __inline__ void __user *arch_compat_alloc_user_space(long len)
1613 {
1614 struct pt_regs *regs = &current->thread.regs;
1615 return (void __user *)regs->gr[30];
1616diff -urNp linux-2.6.35.4/arch/parisc/include/asm/elf.h linux-2.6.35.4/arch/parisc/include/asm/elf.h
1617--- linux-2.6.35.4/arch/parisc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
1618+++ linux-2.6.35.4/arch/parisc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 1619@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
58c5fc13
MT		 1620
1621 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1622
1623+#ifdef CONFIG_PAX_ASLR
1624+#define PAX_ELF_ET_DYN_BASE 0x10000UL
1625+
1626+#define PAX_DELTA_MMAP_LEN 16
1627+#define PAX_DELTA_STACK_LEN 16
1628+#endif
1629+
1630 /* This yields a mask that user programs can use to figure out what
1631 instruction set this CPU supports. This could be done in user space,
1632 but it's not easy, and we've already done it here. */
57199397
MT		 1633diff -urNp linux-2.6.35.4/arch/parisc/include/asm/pgtable.h linux-2.6.35.4/arch/parisc/include/asm/pgtable.h
1634--- linux-2.6.35.4/arch/parisc/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
1635+++ linux-2.6.35.4/arch/parisc/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1636@@ -207,6 +207,17 @@
1637 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1638 #define PAGE_COPY PAGE_EXECREAD
1639 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1640+
1641+#ifdef CONFIG_PAX_PAGEEXEC
1642+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1643+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1644+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1645+#else
1646+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1647+# define PAGE_COPY_NOEXEC PAGE_COPY
1648+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1649+#endif
1650+
1651 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1652 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1653 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
57199397
MT		 1654diff -urNp linux-2.6.35.4/arch/parisc/kernel/module.c linux-2.6.35.4/arch/parisc/kernel/module.c
1655--- linux-2.6.35.4/arch/parisc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
1656+++ linux-2.6.35.4/arch/parisc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 1657@@ -96,16 +96,38 @@
58c5fc13
MT		 1658
1659 /* three functions to determine where in the module core
1660 * or init pieces the location is */
1661+static inline int in_init_rx(struct module *me, void *loc)
1662+{
1663+ return (loc >= me->module_init_rx &&
1664+ loc < (me->module_init_rx + me->init_size_rx));
1665+}
1666+
1667+static inline int in_init_rw(struct module *me, void *loc)
1668+{
1669+ return (loc >= me->module_init_rw &&
1670+ loc < (me->module_init_rw + me->init_size_rw));
1671+}
1672+
1673 static inline int in_init(struct module *me, void *loc)
1674 {
1675- return (loc >= me->module_init &&
1676- loc <= (me->module_init + me->init_size));
1677+ return in_init_rx(me, loc) || in_init_rw(me, loc);
1678+}
1679+
1680+static inline int in_core_rx(struct module *me, void *loc)
1681+{
1682+ return (loc >= me->module_core_rx &&
1683+ loc < (me->module_core_rx + me->core_size_rx));
1684+}
1685+
1686+static inline int in_core_rw(struct module *me, void *loc)
1687+{
1688+ return (loc >= me->module_core_rw &&
1689+ loc < (me->module_core_rw + me->core_size_rw));
1690 }
1691
1692 static inline int in_core(struct module *me, void *loc)
1693 {
1694- return (loc >= me->module_core &&
1695- loc <= (me->module_core + me->core_size));
1696+ return in_core_rx(me, loc) || in_core_rw(me, loc);
1697 }
1698
1699 static inline int in_local(struct module *me, void *loc)
df50ba0c 1700@@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
58c5fc13
MT		 1701 }
1702
1703 /* align things a bit */
1704- me->core_size = ALIGN(me->core_size, 16);
1705- me->arch.got_offset = me->core_size;
1706- me->core_size += gots * sizeof(struct got_entry);
1707-
1708- me->core_size = ALIGN(me->core_size, 16);
1709- me->arch.fdesc_offset = me->core_size;
1710- me->core_size += fdescs * sizeof(Elf_Fdesc);
1711+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1712+ me->arch.got_offset = me->core_size_rw;
1713+ me->core_size_rw += gots * sizeof(struct got_entry);
1714+
1715+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1716+ me->arch.fdesc_offset = me->core_size_rw;
1717+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1718
1719 me->arch.got_max = gots;
1720 me->arch.fdesc_max = fdescs;
df50ba0c 1721@@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
58c5fc13
MT		 1722
1723 BUG_ON(value == 0);
1724
1725- got = me->module_core + me->arch.got_offset;
1726+ got = me->module_core_rw + me->arch.got_offset;
1727 for (i = 0; got[i].addr; i++)
1728 if (got[i].addr == value)
1729 goto out;
df50ba0c 1730@@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
58c5fc13
MT		 1731 #ifdef CONFIG_64BIT
1732 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1733 {
1734- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1735+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1736
1737 if (!value) {
1738 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
df50ba0c 1739@@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
58c5fc13
MT		 1740
1741 /* Create new one */
1742 fdesc->addr = value;
1743- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1744+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1745 return (Elf_Addr)fdesc;
1746 }
1747 #endif /* CONFIG_64BIT */
df50ba0c 1748@@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
58c5fc13
MT		 1749
1750 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1751 end = table + sechdrs[me->arch.unwind_section].sh_size;
1752- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1753+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1754
1755 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1756 me->arch.unwind_section, table, end, gp);
57199397
MT		 1757diff -urNp linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c
1758--- linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c 2010-08-26 19:47:12.000000000 -0400
1759+++ linux-2.6.35.4/arch/parisc/kernel/sys_parisc.c 2010-09-17 20:12:09.000000000 -0400
1760@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1761 /* At this point: (!vma || addr < vma->vm_end). */
1762 if (TASK_SIZE - len < addr)
1763 return -ENOMEM;
1764- if (!vma || addr + len <= vma->vm_start)
1765+ if (check_heap_stack_gap(vma, addr, len))
1766 return addr;
1767 addr = vma->vm_end;
1768 }
1769@@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1770 /* At this point: (!vma || addr < vma->vm_end). */
1771 if (TASK_SIZE - len < addr)
1772 return -ENOMEM;
1773- if (!vma || addr + len <= vma->vm_start)
1774+ if (check_heap_stack_gap(vma, addr, len))
1775 return addr;
1776 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1777 if (addr < vma->vm_end) /* handle wraparound */
58c5fc13
MT		 1778@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1779 if (flags & MAP_FIXED)
1780 return addr;
1781 if (!addr)
1782- addr = TASK_UNMAPPED_BASE;
1783+ addr = current->mm->mmap_base;
1784
1785 if (filp) {
1786 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
57199397
MT		 1787diff -urNp linux-2.6.35.4/arch/parisc/kernel/traps.c linux-2.6.35.4/arch/parisc/kernel/traps.c
1788--- linux-2.6.35.4/arch/parisc/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
1789+++ linux-2.6.35.4/arch/parisc/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1790@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1791
1792 down_read(&current->mm->mmap_sem);
1793 vma = find_vma(current->mm,regs->iaoq[0]);
1794- if (vma && (regs->iaoq[0] >= vma->vm_start)
1795- && (vma->vm_flags & VM_EXEC)) {
1796-
1797+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1798 fault_address = regs->iaoq[0];
1799 fault_space = regs->iasq[0];
1800
57199397
MT		 1801diff -urNp linux-2.6.35.4/arch/parisc/mm/fault.c linux-2.6.35.4/arch/parisc/mm/fault.c
1802--- linux-2.6.35.4/arch/parisc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1803+++ linux-2.6.35.4/arch/parisc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 1804@@ -15,6 +15,7 @@
1805 #include <linux/sched.h>
1806 #include <linux/interrupt.h>
1807 #include <linux/module.h>
1808+#include <linux/unistd.h>
1809
1810 #include <asm/uaccess.h>
1811 #include <asm/traps.h>
1812@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1813 static unsigned long
1814 parisc_acctyp(unsigned long code, unsigned int inst)
1815 {
1816- if (code == 6 || code == 16)
1817+ if (code == 6 || code == 7 || code == 16)
1818 return VM_EXEC;
1819
1820 switch (inst & 0xf0000000) {
1821@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1822 }
1823 #endif
1824
1825+#ifdef CONFIG_PAX_PAGEEXEC
1826+/*
1827+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1828+ *
1829+ * returns 1 when task should be killed
1830+ * 2 when rt_sigreturn trampoline was detected
1831+ * 3 when unpatched PLT trampoline was detected
1832+ */
1833+static int pax_handle_fetch_fault(struct pt_regs *regs)
1834+{
1835+
1836+#ifdef CONFIG_PAX_EMUPLT
1837+ int err;
1838+
1839+ do { /* PaX: unpatched PLT emulation */
1840+ unsigned int bl, depwi;
1841+
1842+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1843+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1844+
1845+ if (err)
1846+ break;
1847+
1848+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1849+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1850+
1851+ err = get_user(ldw, (unsigned int *)addr);
1852+ err |= get_user(bv, (unsigned int *)(addr+4));
1853+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1854+
1855+ if (err)
1856+ break;
1857+
1858+ if (ldw == 0x0E801096U &&
1859+ bv == 0xEAC0C000U &&
1860+ ldw2 == 0x0E881095U)
1861+ {
1862+ unsigned int resolver, map;
1863+
1864+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1865+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1866+ if (err)
1867+ break;
1868+
1869+ regs->gr[20] = instruction_pointer(regs)+8;
1870+ regs->gr[21] = map;
1871+ regs->gr[22] = resolver;
1872+ regs->iaoq[0] = resolver | 3UL;
1873+ regs->iaoq[1] = regs->iaoq[0] + 4;
1874+ return 3;
1875+ }
1876+ }
1877+ } while (0);
1878+#endif
1879+
1880+#ifdef CONFIG_PAX_EMUTRAMP
1881+
1882+#ifndef CONFIG_PAX_EMUSIGRT
1883+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1884+ return 1;
1885+#endif
1886+
1887+ do { /* PaX: rt_sigreturn emulation */
1888+ unsigned int ldi1, ldi2, bel, nop;
1889+
1890+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1891+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1892+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1893+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1894+
1895+ if (err)
1896+ break;
1897+
1898+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1899+ ldi2 == 0x3414015AU &&
1900+ bel == 0xE4008200U &&
1901+ nop == 0x08000240U)
1902+ {
1903+ regs->gr[25] = (ldi1 & 2) >> 1;
1904+ regs->gr[20] = __NR_rt_sigreturn;
1905+ regs->gr[31] = regs->iaoq[1] + 16;
1906+ regs->sr[0] = regs->iasq[1];
1907+ regs->iaoq[0] = 0x100UL;
1908+ regs->iaoq[1] = regs->iaoq[0] + 4;
1909+ regs->iasq[0] = regs->sr[2];
1910+ regs->iasq[1] = regs->sr[2];
1911+ return 2;
1912+ }
1913+ } while (0);
1914+#endif
1915+
1916+ return 1;
1917+}
1918+
1919+void pax_report_insns(void *pc, void *sp)
1920+{
1921+ unsigned long i;
1922+
1923+ printk(KERN_ERR "PAX: bytes at PC: ");
1924+ for (i = 0; i < 5; i++) {
1925+ unsigned int c;
1926+ if (get_user(c, (unsigned int *)pc+i))
1927+ printk(KERN_CONT "???????? ");
1928+ else
1929+ printk(KERN_CONT "%08x ", c);
1930+ }
1931+ printk("\n");
1932+}
1933+#endif
1934+
1935 int fixup_exception(struct pt_regs *regs)
1936 {
1937 const struct exception_table_entry *fix;
1938@@ -192,8 +303,33 @@ good_area:
1939
1940 acc_type = parisc_acctyp(code,regs->iir);
1941
1942- if ((vma->vm_flags & acc_type) != acc_type)
1943+ if ((vma->vm_flags & acc_type) != acc_type) {
1944+
1945+#ifdef CONFIG_PAX_PAGEEXEC
1946+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1947+ (address & ~3UL) == instruction_pointer(regs))
1948+ {
1949+ up_read(&mm->mmap_sem);
1950+ switch (pax_handle_fetch_fault(regs)) {
1951+
1952+#ifdef CONFIG_PAX_EMUPLT
1953+ case 3:
1954+ return;
1955+#endif
1956+
1957+#ifdef CONFIG_PAX_EMUTRAMP
1958+ case 2:
1959+ return;
1960+#endif
1961+
1962+ }
1963+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1964+ do_group_exit(SIGKILL);
1965+ }
1966+#endif
1967+
1968 goto bad_area;
1969+ }
1970
1971 /*
1972 * If for any reason at all we couldn't handle the fault, make
57199397
MT		 1973diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/compat.h linux-2.6.35.4/arch/powerpc/include/asm/compat.h
1974--- linux-2.6.35.4/arch/powerpc/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
1975+++ linux-2.6.35.4/arch/powerpc/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
1976@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compa
1977 return (u32)(unsigned long)uptr;
1978 }
1979
1980-static inline void __user *compat_alloc_user_space(long len)
1981+static inline void __user *arch_compat_alloc_user_space(long len)
1982 {
1983 struct pt_regs *regs = current->thread.regs;
1984 unsigned long usp = regs->gpr[1];
1985diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/device.h linux-2.6.35.4/arch/powerpc/include/asm/device.h
1986--- linux-2.6.35.4/arch/powerpc/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1987+++ linux-2.6.35.4/arch/powerpc/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1988@@ -11,7 +11,7 @@ struct device_node;
58c5fc13 1989
57199397 1990 struct dev_archdata {
ae4e228f
MT		 1991 /* DMA operations on that device */
1992- struct dma_map_ops *dma_ops;
1993+ const struct dma_map_ops *dma_ops;
1994
1995 /*
1996 * When an iommu is in use, dma_data is used as a ptr to the base of the
57199397
MT		 1997diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h
1998--- linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
1999+++ linux-2.6.35.4/arch/powerpc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
2000@@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2001 /*
df50ba0c
MT		 2002 * Available generic sets of operations
2003 */
57199397 2004+/* cannot be const */
ae4e228f 2005 #ifdef CONFIG_PPC64
57199397 2006 extern struct dma_map_ops dma_iommu_ops;
ae4e228f
MT		 2007 #endif
2008-extern struct dma_map_ops dma_direct_ops;
2009+extern const struct dma_map_ops dma_direct_ops;
2010
2011-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2012+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
58c5fc13 2013 {
ae4e228f
MT		 2014 /* We don't handle the NULL dev case for ISA for now. We could
2015 * do it via an out of line call but it is not needed for now. The
57199397 2016@@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
ae4e228f 2017 return dev->archdata.dma_ops;
58c5fc13
MT		 2018 }
2019
ae4e228f
MT		 2020-static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2021+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
58c5fc13 2022 {
ae4e228f 2023 dev->archdata.dma_ops = ops;
58c5fc13 2024 }
57199397 2025@@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
58c5fc13 2026
ae4e228f 2027 static inline int dma_supported(struct device *dev, u64 mask)
58c5fc13 2028 {
ae4e228f
MT		 2029- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2030+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
58c5fc13 2031
ae4e228f
MT		 2032 if (unlikely(dma_ops == NULL))
2033 return 0;
57199397 2034@@ -129,7 +130,7 @@ static inline int dma_supported(struct d
ae4e228f
MT		 2035
2036 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
58c5fc13 2037 {
ae4e228f
MT		 2038- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2039+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
58c5fc13 2040
ae4e228f
MT		 2041 if (unlikely(dma_ops == NULL))
2042 return -EIO;
57199397 2043@@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
ae4e228f
MT		 2044 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2045 dma_addr_t *dma_handle, gfp_t flag)
2046 {
2047- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2048+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2049 void *cpu_addr;
2050
2051 BUG_ON(!dma_ops);
57199397 2052@@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
ae4e228f
MT		 2053 static inline void dma_free_coherent(struct device *dev, size_t size,
2054 void *cpu_addr, dma_addr_t dma_handle)
58c5fc13 2055 {
ae4e228f
MT		 2056- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2057+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2058
2059 BUG_ON(!dma_ops);
2060
57199397 2061@@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
ae4e228f
MT		 2062
2063 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2064 {
2065- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2066+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2067
2068 if (dma_ops->mapping_error)
2069 return dma_ops->mapping_error(dev, dma_addr);
57199397
MT		 2070diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/elf.h linux-2.6.35.4/arch/powerpc/include/asm/elf.h
2071--- linux-2.6.35.4/arch/powerpc/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
2072+++ linux-2.6.35.4/arch/powerpc/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 2073@@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
58c5fc13
MT		 2074 the loader. We need to make sure that it is out of the way of the program
2075 that it will "exec", and that there is sufficient room for the brk. */
2076
2077-extern unsigned long randomize_et_dyn(unsigned long base);
2078-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2079+#define ELF_ET_DYN_BASE (0x20000000)
2080+
2081+#ifdef CONFIG_PAX_ASLR
2082+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2083+
2084+#ifdef __powerpc64__
2085+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2086+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2087+#else
2088+#define PAX_DELTA_MMAP_LEN 15
2089+#define PAX_DELTA_STACK_LEN 15
2090+#endif
2091+#endif
2092
2093 /*
2094 * Our registers are always unsigned longs, whether we're a 32 bit
ae4e228f 2095@@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
58c5fc13
MT		 2096 (0x7ff >> (PAGE_SHIFT - 12)) : \
2097 (0x3ffff >> (PAGE_SHIFT - 12)))
2098
2099-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2100-#define arch_randomize_brk arch_randomize_brk
2101-
2102 #endif /* __KERNEL__ */
2103
2104 /*
57199397
MT		 2105diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/iommu.h linux-2.6.35.4/arch/powerpc/include/asm/iommu.h
2106--- linux-2.6.35.4/arch/powerpc/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
2107+++ linux-2.6.35.4/arch/powerpc/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2108@@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2109 extern void iommu_init_early_dart(void);
2110 extern void iommu_init_early_pasemi(void);
2111
2112+/* dma-iommu.c */
2113+extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2114+
2115 #ifdef CONFIG_PCI
2116 extern void pci_iommu_init(void);
2117 extern void pci_direct_iommu_init(void);
57199397
MT		 2118diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h
2119--- linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
2120+++ linux-2.6.35.4/arch/powerpc/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
2121@@ -27,6 +27,7 @@ enum km_type {
58c5fc13
MT		 2122 KM_PPC_SYNC_PAGE,
2123 KM_PPC_SYNC_ICACHE,
57199397 2124 KM_KDB,
58c5fc13
MT		 2125+ KM_CLEARPAGE,
2126 KM_TYPE_NR
2127 };
2128
57199397
MT		 2129diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/page_64.h linux-2.6.35.4/arch/powerpc/include/asm/page_64.h
2130--- linux-2.6.35.4/arch/powerpc/include/asm/page_64.h 2010-08-26 19:47:12.000000000 -0400
2131+++ linux-2.6.35.4/arch/powerpc/include/asm/page_64.h 2010-09-17 20:12:09.000000000 -0400
2132@@ -172,15 +172,18 @@ do { \
efbe55a5
MT		 2133 * stack by default, so in the absense of a PT_GNU_STACK program header
2134 * we turn execute permission off.
2135 */
2136-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2137- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2138+#define VM_STACK_DEFAULT_FLAGS32 \
2139+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2140+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2141
2142 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2143 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2144
2145+#ifndef CONFIG_PAX_PAGEEXEC
2146 #define VM_STACK_DEFAULT_FLAGS \
2147 (test_thread_flag(TIF_32BIT) ? \
2148 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2149+#endif
2150
2151 #include <asm-generic/getorder.h>
2152
57199397
MT		 2153diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/page.h linux-2.6.35.4/arch/powerpc/include/asm/page.h
2154--- linux-2.6.35.4/arch/powerpc/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
2155+++ linux-2.6.35.4/arch/powerpc/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
2156@@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2157 * and needs to be executable. This means the whole heap ends
2158 * up being executable.
2159 */
2160-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2161- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2162+#define VM_DATA_DEFAULT_FLAGS32 \
2163+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2164+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2165
2166 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2167 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2168@@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2169 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2170 #endif
2171
2172+#define ktla_ktva(addr) (addr)
2173+#define ktva_ktla(addr) (addr)
2174+
2175 #ifndef __ASSEMBLY__
2176
2177 #undef STRICT_MM_TYPECHECKS
2178diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/pci.h linux-2.6.35.4/arch/powerpc/include/asm/pci.h
2179--- linux-2.6.35.4/arch/powerpc/include/asm/pci.h 2010-08-26 19:47:12.000000000 -0400
2180+++ linux-2.6.35.4/arch/powerpc/include/asm/pci.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2181@@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2182 }
2183
2184 #ifdef CONFIG_PCI
2185-extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2186-extern struct dma_map_ops *get_pci_dma_ops(void);
2187+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2188+extern const struct dma_map_ops *get_pci_dma_ops(void);
2189 #else /* CONFIG_PCI */
2190 #define set_pci_dma_ops(d)
2191 #define get_pci_dma_ops() NULL
57199397
MT		 2192diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h
2193--- linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h 2010-08-26 19:47:12.000000000 -0400
2194+++ linux-2.6.35.4/arch/powerpc/include/asm/pte-hash32.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 2195@@ -21,6 +21,7 @@
2196 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2197 #define _PAGE_USER 0x004 /* usermode access allowed */
2198 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
ae4e228f 2199+#define _PAGE_EXEC _PAGE_GUARDED
58c5fc13
MT		 2200 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2201 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2202 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
57199397
MT		 2203diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/reg.h linux-2.6.35.4/arch/powerpc/include/asm/reg.h
2204--- linux-2.6.35.4/arch/powerpc/include/asm/reg.h 2010-08-26 19:47:12.000000000 -0400
2205+++ linux-2.6.35.4/arch/powerpc/include/asm/reg.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 2206@@ -191,6 +191,7 @@
58c5fc13
MT		 2207 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2208 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2209 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2210+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2211 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2212 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2213 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
57199397
MT		 2214diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h
2215--- linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h 2010-08-26 19:47:12.000000000 -0400
2216+++ linux-2.6.35.4/arch/powerpc/include/asm/swiotlb.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2217@@ -13,7 +13,7 @@
2218
2219 #include <linux/swiotlb.h>
2220
2221-extern struct dma_map_ops swiotlb_dma_ops;
2222+extern const struct dma_map_ops swiotlb_dma_ops;
2223
2224 static inline void dma_mark_clean(void *addr, size_t size) {}
2225
57199397
MT		 2226diff -urNp linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h
2227--- linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
2228+++ linux-2.6.35.4/arch/powerpc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
efbe55a5
MT		 2229@@ -13,6 +13,8 @@
2230 #define VERIFY_READ 0
2231 #define VERIFY_WRITE 1
2232
2233+extern void check_object_size(const void *ptr, unsigned long n, bool to);
2234+
2235 /*
2236 * The fs value determines whether argument validity checking should be
2237 * performed or not. If get_fs() == USER_DS, checking is performed, with
2238@@ -327,52 +329,6 @@ do { \
58c5fc13
MT		 2239 extern unsigned long __copy_tofrom_user(void __user *to,
2240 const void __user *from, unsigned long size);
2241
2242-#ifndef __powerpc64__
2243-
2244-static inline unsigned long copy_from_user(void *to,
2245- const void __user *from, unsigned long n)
2246-{
2247- unsigned long over;
2248-
2249- if (access_ok(VERIFY_READ, from, n))
2250- return __copy_tofrom_user((__force void __user *)to, from, n);
2251- if ((unsigned long)from < TASK_SIZE) {
2252- over = (unsigned long)from + n - TASK_SIZE;
2253- return __copy_tofrom_user((__force void __user *)to, from,
2254- n - over) + over;
2255- }
2256- return n;
2257-}
2258-
2259-static inline unsigned long copy_to_user(void __user *to,
2260- const void *from, unsigned long n)
2261-{
2262- unsigned long over;
2263-
2264- if (access_ok(VERIFY_WRITE, to, n))
2265- return __copy_tofrom_user(to, (__force void __user *)from, n);
2266- if ((unsigned long)to < TASK_SIZE) {
2267- over = (unsigned long)to + n - TASK_SIZE;
2268- return __copy_tofrom_user(to, (__force void __user *)from,
2269- n - over) + over;
2270- }
2271- return n;
2272-}
2273-
2274-#else /* __powerpc64__ */
2275-
2276-#define __copy_in_user(to, from, size) \
2277- __copy_tofrom_user((to), (from), (size))
2278-
2279-extern unsigned long copy_from_user(void *to, const void __user *from,
2280- unsigned long n);
2281-extern unsigned long copy_to_user(void __user *to, const void *from,
2282- unsigned long n);
2283-extern unsigned long copy_in_user(void __user *to, const void __user *from,
2284- unsigned long n);
2285-
2286-#endif /* __powerpc64__ */
2287-
2288 static inline unsigned long __copy_from_user_inatomic(void *to,
2289 const void __user *from, unsigned long n)
2290 {
efbe55a5 2291@@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
58c5fc13
MT		 2292 if (ret == 0)
2293 return 0;
2294 }
ae4e228f 2295+
58c5fc13
MT		 2296+ if (!__builtin_constant_p(n))
2297+ check_object_size(to, n, false);
2298+
2299 return __copy_tofrom_user((__force void __user *)to, from, n);
2300 }
2301
efbe55a5 2302@@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
58c5fc13
MT		 2303 if (ret == 0)
2304 return 0;
2305 }
ae4e228f 2306+
58c5fc13
MT		 2307+ if (!__builtin_constant_p(n))
2308+ check_object_size(from, n, true);
2309+
2310 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2311 }
2312
efbe55a5 2313@@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
58c5fc13
MT		 2314 return __copy_to_user_inatomic(to, from, size);
2315 }
2316
2317+#ifndef __powerpc64__
2318+
2319+static inline unsigned long __must_check copy_from_user(void *to,
2320+ const void __user *from, unsigned long n)
2321+{
2322+ unsigned long over;
2323+
ae4e228f 2324+ if ((long)n < 0)
58c5fc13
MT		 2325+ return n;
2326+
2327+ if (access_ok(VERIFY_READ, from, n)) {
2328+ if (!__builtin_constant_p(n))
2329+ check_object_size(to, n, false);
58c5fc13
MT		 2330+ return __copy_tofrom_user((__force void __user *)to, from, n);
2331+ }
2332+ if ((unsigned long)from < TASK_SIZE) {
2333+ over = (unsigned long)from + n - TASK_SIZE;
2334+ if (!__builtin_constant_p(n - over))
2335+ check_object_size(to, n - over, false);
2336+ return __copy_tofrom_user((__force void __user *)to, from,
2337+ n - over) + over;
2338+ }
2339+ return n;
2340+}
2341+
2342+static inline unsigned long __must_check copy_to_user(void __user *to,
2343+ const void *from, unsigned long n)
2344+{
2345+ unsigned long over;
2346+
ae4e228f 2347+ if ((long)n < 0)
58c5fc13
MT		 2348+ return n;
2349+
2350+ if (access_ok(VERIFY_WRITE, to, n)) {
2351+ if (!__builtin_constant_p(n))
2352+ check_object_size(from, n, true);
2353+ return __copy_tofrom_user(to, (__force void __user *)from, n);
2354+ }
2355+ if ((unsigned long)to < TASK_SIZE) {
2356+ over = (unsigned long)to + n - TASK_SIZE;
2357+ if (!__builtin_constant_p(n))
2358+ check_object_size(from, n - over, true);
2359+ return __copy_tofrom_user(to, (__force void __user *)from,
2360+ n - over) + over;
2361+ }
2362+ return n;
2363+}
2364+
2365+#else /* __powerpc64__ */
2366+
2367+#define __copy_in_user(to, from, size) \
2368+ __copy_tofrom_user((to), (from), (size))
2369+
ae4e228f 2370+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
58c5fc13 2371+{
ae4e228f 2372+ if ((long)n < 0 || n > INT_MAX)
58c5fc13
MT		 2373+ return n;
2374+
2375+ if (!__builtin_constant_p(n))
2376+ check_object_size(to, n, false);
2377+
2378+ if (likely(access_ok(VERIFY_READ, from, n)))
2379+ n = __copy_from_user(to, from, n);
2380+ else
2381+ memset(to, 0, n);
58c5fc13
MT		 2382+ return n;
2383+}
2384+
ae4e228f 2385+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
58c5fc13 2386+{
ae4e228f 2387+ if ((long)n < 0 || n > INT_MAX)
58c5fc13
MT		 2388+ return n;
2389+
2390+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
2391+ if (!__builtin_constant_p(n))
2392+ check_object_size(from, n, true);
2393+ n = __copy_to_user(to, from, n);
2394+ }
58c5fc13
MT		 2395+ return n;
2396+}
2397+
2398+extern unsigned long copy_in_user(void __user *to, const void __user *from,
2399+ unsigned long n);
2400+
2401+#endif /* __powerpc64__ */
2402+
2403 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2404
2405 static inline unsigned long clear_user(void __user *addr, unsigned long size)
57199397
MT		 2406diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma.c linux-2.6.35.4/arch/powerpc/kernel/dma.c
2407--- linux-2.6.35.4/arch/powerpc/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
2408+++ linux-2.6.35.4/arch/powerpc/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
2409@@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2410 }
2411 #endif
2412
2413-struct dma_map_ops dma_direct_ops = {
2414+const struct dma_map_ops dma_direct_ops = {
2415 .alloc_coherent = dma_direct_alloc_coherent,
2416 .free_coherent = dma_direct_free_coherent,
2417 .map_sg = dma_direct_map_sg,
2418diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c
2419--- linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c 2010-08-26 19:47:12.000000000 -0400
2420+++ linux-2.6.35.4/arch/powerpc/kernel/dma-iommu.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2421@@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2422 }
2423
2424 /* We support DMA to/from any memory page via the iommu */
2425-static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2426+int dma_iommu_dma_supported(struct device *dev, u64 mask)
2427 {
2428 struct iommu_table *tbl = get_iommu_table_base(dev);
2429
57199397
MT		 2430diff -urNp linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c
2431--- linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
2432+++ linux-2.6.35.4/arch/powerpc/kernel/dma-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 2433@@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
ae4e228f
MT		 2434 * map_page, and unmap_page on highmem, use normal dma_ops
2435 * for everything else.
2436 */
2437-struct dma_map_ops swiotlb_dma_ops = {
2438+const struct dma_map_ops swiotlb_dma_ops = {
2439 .alloc_coherent = dma_direct_alloc_coherent,
2440 .free_coherent = dma_direct_free_coherent,
2441 .map_sg = swiotlb_map_sg_attrs,
57199397
MT		 2442diff -urNp linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S
2443--- linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S 2010-08-26 19:47:12.000000000 -0400
2444+++ linux-2.6.35.4/arch/powerpc/kernel/exceptions-64e.S 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2445@@ -455,6 +455,7 @@ storage_fault_common:
2446 std r14,_DAR(r1)
2447 std r15,_DSISR(r1)
2448 addi r3,r1,STACK_FRAME_OVERHEAD
2449+ bl .save_nvgprs
2450 mr r4,r14
2451 mr r5,r15
2452 ld r14,PACA_EXGEN+EX_R14(r13)
2453@@ -464,8 +465,7 @@ storage_fault_common:
2454 cmpdi r3,0
2455 bne- 1f
2456 b .ret_from_except_lite
2457-1: bl .save_nvgprs
2458- mr r5,r3
2459+1: mr r5,r3
2460 addi r3,r1,STACK_FRAME_OVERHEAD
2461 ld r4,_DAR(r1)
2462 bl .bad_page_fault
57199397
MT		 2463diff -urNp linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S
2464--- linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S 2010-08-26 19:47:12.000000000 -0400
2465+++ linux-2.6.35.4/arch/powerpc/kernel/exceptions-64s.S 2010-09-17 20:12:09.000000000 -0400
2466@@ -840,10 +840,10 @@ handle_page_fault:
ae4e228f
MT		 2467 11: ld r4,_DAR(r1)
2468 ld r5,_DSISR(r1)
2469 addi r3,r1,STACK_FRAME_OVERHEAD
2470+ bl .save_nvgprs
2471 bl .do_page_fault
2472 cmpdi r3,0
2473 beq+ 13f
2474- bl .save_nvgprs
2475 mr r5,r3
2476 addi r3,r1,STACK_FRAME_OVERHEAD
2477 lwz r4,_DAR(r1)
57199397
MT		 2478diff -urNp linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c
2479--- linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c 2010-08-26 19:47:12.000000000 -0400
2480+++ linux-2.6.35.4/arch/powerpc/kernel/ibmebus.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 2481@@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
ae4e228f
MT		 2482 return 1;
2483 }
2484
2485-static struct dma_map_ops ibmebus_dma_ops = {
2486+static const struct dma_map_ops ibmebus_dma_ops = {
2487 .alloc_coherent = ibmebus_alloc_coherent,
2488 .free_coherent = ibmebus_free_coherent,
2489 .map_sg = ibmebus_map_sg,
57199397
MT		 2490diff -urNp linux-2.6.35.4/arch/powerpc/kernel/kgdb.c linux-2.6.35.4/arch/powerpc/kernel/kgdb.c
2491--- linux-2.6.35.4/arch/powerpc/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
2492+++ linux-2.6.35.4/arch/powerpc/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
2493@@ -128,7 +128,7 @@ static int kgdb_handle_breakpoint(struct
2494 if (kgdb_handle_exception(1, SIGTRAP, 0, regs) != 0)
ae4e228f
MT		 2495 return 0;
2496
2497- if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2498+ if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2499 regs->nip += 4;
2500
2501 return 1;
57199397 2502@@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
ae4e228f
MT		 2503 /*
2504 * Global data
2505 */
2506-struct kgdb_arch arch_kgdb_ops = {
2507+const struct kgdb_arch arch_kgdb_ops = {
2508 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2509 };
2510
57199397
MT		 2511diff -urNp linux-2.6.35.4/arch/powerpc/kernel/module_32.c linux-2.6.35.4/arch/powerpc/kernel/module_32.c
2512--- linux-2.6.35.4/arch/powerpc/kernel/module_32.c 2010-08-26 19:47:12.000000000 -0400
2513+++ linux-2.6.35.4/arch/powerpc/kernel/module_32.c 2010-09-17 20:12:09.000000000 -0400
2514@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2515 me->arch.core_plt_section = i;
2516 }
2517 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2518- printk("Module doesn't contain .plt or .init.plt sections.\n");
2519+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2520 return -ENOEXEC;
2521 }
2522
2523@@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2524
2525 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2526 /* Init, or core PLT? */
2527- if (location >= mod->module_core
2528- && location < mod->module_core + mod->core_size)
2529+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2530+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2531 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2532- else
2533+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2534+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2535 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2536+ else {
2537+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2538+ return ~0UL;
2539+ }
2540
2541 /* Find this entry, or if that fails, the next avail. entry */
2542 while (entry->jump[0]) {
2543diff -urNp linux-2.6.35.4/arch/powerpc/kernel/module.c linux-2.6.35.4/arch/powerpc/kernel/module.c
2544--- linux-2.6.35.4/arch/powerpc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
2545+++ linux-2.6.35.4/arch/powerpc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2546@@ -31,11 +31,24 @@
2547
2548 LIST_HEAD(module_bug_list);
2549
2550+#ifdef CONFIG_PAX_KERNEXEC
2551 void *module_alloc(unsigned long size)
2552 {
2553 if (size == 0)
2554 return NULL;
2555
2556+ return vmalloc(size);
2557+}
2558+
2559+void *module_alloc_exec(unsigned long size)
2560+#else
2561+void *module_alloc(unsigned long size)
2562+#endif
2563+
2564+{
2565+ if (size == 0)
2566+ return NULL;
2567+
2568 return vmalloc_exec(size);
2569 }
2570
2571@@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2572 vfree(module_region);
2573 }
2574
2575+#ifdef CONFIG_PAX_KERNEXEC
2576+void module_free_exec(struct module *mod, void *module_region)
2577+{
2578+ module_free(mod, module_region);
2579+}
2580+#endif
2581+
2582 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2583 const Elf_Shdr *sechdrs,
2584 const char *name)
57199397
MT		 2585diff -urNp linux-2.6.35.4/arch/powerpc/kernel/pci-common.c linux-2.6.35.4/arch/powerpc/kernel/pci-common.c
2586--- linux-2.6.35.4/arch/powerpc/kernel/pci-common.c 2010-08-26 19:47:12.000000000 -0400
2587+++ linux-2.6.35.4/arch/powerpc/kernel/pci-common.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 2588@@ -51,14 +51,14 @@ resource_size_t isa_mem_base;
ae4e228f
MT		 2589 unsigned int ppc_pci_flags = 0;
2590
2591
2592-static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2593+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2594
2595-void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2596+void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2597 {
2598 pci_dma_ops = dma_ops;
2599 }
2600
2601-struct dma_map_ops *get_pci_dma_ops(void)
2602+const struct dma_map_ops *get_pci_dma_ops(void)
2603 {
2604 return pci_dma_ops;
2605 }
57199397
MT		 2606diff -urNp linux-2.6.35.4/arch/powerpc/kernel/process.c linux-2.6.35.4/arch/powerpc/kernel/process.c
2607--- linux-2.6.35.4/arch/powerpc/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
2608+++ linux-2.6.35.4/arch/powerpc/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
2609@@ -1215,51 +1215,3 @@ unsigned long arch_align_stack(unsigned
58c5fc13
MT		 2610 sp -= get_random_int() & ~PAGE_MASK;
2611 return sp & ~0xf;
2612 }
2613-
2614-static inline unsigned long brk_rnd(void)
2615-{
2616- unsigned long rnd = 0;
2617-
2618- /* 8MB for 32bit, 1GB for 64bit */
2619- if (is_32bit_task())
2620- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2621- else
2622- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2623-
2624- return rnd << PAGE_SHIFT;
2625-}
2626-
2627-unsigned long arch_randomize_brk(struct mm_struct *mm)
2628-{
ae4e228f
MT		 2629- unsigned long base = mm->brk;
2630- unsigned long ret;
2631-
2632-#ifdef CONFIG_PPC_STD_MMU_64
2633- /*
2634- * If we are using 1TB segments and we are allowed to randomise
2635- * the heap, we can put it above 1TB so it is backed by a 1TB
2636- * segment. Otherwise the heap will be in the bottom 1TB
2637- * which always uses 256MB segments and this may result in a
2638- * performance penalty.
2639- */
2640- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2641- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2642-#endif
2643-
2644- ret = PAGE_ALIGN(base + brk_rnd());
58c5fc13
MT		 2645-
2646- if (ret < mm->brk)
2647- return mm->brk;
2648-
2649- return ret;
2650-}
2651-
2652-unsigned long randomize_et_dyn(unsigned long base)
2653-{
2654- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2655-
2656- if (ret < base)
2657- return base;
2658-
2659- return ret;
2660-}
57199397
MT		 2661diff -urNp linux-2.6.35.4/arch/powerpc/kernel/signal_32.c linux-2.6.35.4/arch/powerpc/kernel/signal_32.c
2662--- linux-2.6.35.4/arch/powerpc/kernel/signal_32.c 2010-08-26 19:47:12.000000000 -0400
2663+++ linux-2.6.35.4/arch/powerpc/kernel/signal_32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 2664@@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2665 /* Save user registers on the stack */
2666 frame = &rt_sf->uc.uc_mcontext;
2667 addr = frame;
2668- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2669+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2670 if (save_user_regs(regs, frame, 0, 1))
2671 goto badframe;
2672 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
57199397
MT		 2673diff -urNp linux-2.6.35.4/arch/powerpc/kernel/signal_64.c linux-2.6.35.4/arch/powerpc/kernel/signal_64.c
2674--- linux-2.6.35.4/arch/powerpc/kernel/signal_64.c 2010-08-26 19:47:12.000000000 -0400
2675+++ linux-2.6.35.4/arch/powerpc/kernel/signal_64.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 2676@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2677 current->thread.fpscr.val = 0;
2678
2679 /* Set up to return from userspace. */
2680- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2681+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2682 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2683 } else {
2684 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
57199397
MT		 2685diff -urNp linux-2.6.35.4/arch/powerpc/kernel/vdso.c linux-2.6.35.4/arch/powerpc/kernel/vdso.c
2686--- linux-2.6.35.4/arch/powerpc/kernel/vdso.c 2010-08-26 19:47:12.000000000 -0400
2687+++ linux-2.6.35.4/arch/powerpc/kernel/vdso.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 2688@@ -36,6 +36,7 @@
58c5fc13
MT		 2689 #include <asm/firmware.h>
2690 #include <asm/vdso.h>
2691 #include <asm/vdso_datapage.h>
2692+#include <asm/mman.h>
2693
2694 #include "setup.h"
2695
ae4e228f 2696@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
58c5fc13
MT		 2697 vdso_base = VDSO32_MBASE;
2698 #endif
2699
2700- current->mm->context.vdso_base = 0;
2701+ current->mm->context.vdso_base = ~0UL;
2702
2703 /* vDSO has a problem and was disabled, just don't "enable" it for the
2704 * process
ae4e228f 2705@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
58c5fc13 2706 vdso_base = get_unmapped_area(NULL, vdso_base,
ae4e228f
MT		 2707 (vdso_pages << PAGE_SHIFT) +
2708 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2709- 0, 0);
2710+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
58c5fc13
MT		 2711 if (IS_ERR_VALUE(vdso_base)) {
2712 rc = vdso_base;
2713 goto fail_mmapsem;
57199397
MT		 2714diff -urNp linux-2.6.35.4/arch/powerpc/kernel/vio.c linux-2.6.35.4/arch/powerpc/kernel/vio.c
2715--- linux-2.6.35.4/arch/powerpc/kernel/vio.c 2010-08-26 19:47:12.000000000 -0400
2716+++ linux-2.6.35.4/arch/powerpc/kernel/vio.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 2717@@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
ae4e228f
MT		 2718 vio_cmo_dealloc(viodev, alloc_size);
2719 }
2720
2721-struct dma_map_ops vio_dma_mapping_ops = {
2722+static const struct dma_map_ops vio_dma_mapping_ops = {
2723 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2724 .free_coherent = vio_dma_iommu_free_coherent,
2725 .map_sg = vio_dma_iommu_map_sg,
2726 .unmap_sg = vio_dma_iommu_unmap_sg,
2727+ .dma_supported = dma_iommu_dma_supported,
2728 .map_page = vio_dma_iommu_map_page,
2729 .unmap_page = vio_dma_iommu_unmap_page,
2730
57199397 2731@@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
ae4e228f
MT		 2732
2733 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2734 {
2735- vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2736 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2737 }
2738
57199397
MT		 2739diff -urNp linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c
2740--- linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
2741+++ linux-2.6.35.4/arch/powerpc/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 2742@@ -9,22 +9,6 @@
2743 #include <linux/module.h>
2744 #include <asm/uaccess.h>
2745
2746-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2747-{
2748- if (likely(access_ok(VERIFY_READ, from, n)))
2749- n = __copy_from_user(to, from, n);
2750- else
2751- memset(to, 0, n);
2752- return n;
2753-}
2754-
2755-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2756-{
2757- if (likely(access_ok(VERIFY_WRITE, to, n)))
2758- n = __copy_to_user(to, from, n);
2759- return n;
2760-}
2761-
2762 unsigned long copy_in_user(void __user *to, const void __user *from,
2763 unsigned long n)
2764 {
2765@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2766 return n;
2767 }
2768
2769-EXPORT_SYMBOL(copy_from_user);
2770-EXPORT_SYMBOL(copy_to_user);
2771 EXPORT_SYMBOL(copy_in_user);
2772
57199397
MT		 2773diff -urNp linux-2.6.35.4/arch/powerpc/mm/fault.c linux-2.6.35.4/arch/powerpc/mm/fault.c
2774--- linux-2.6.35.4/arch/powerpc/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
2775+++ linux-2.6.35.4/arch/powerpc/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 2776@@ -30,6 +30,10 @@
2777 #include <linux/kprobes.h>
2778 #include <linux/kdebug.h>
ae4e228f 2779 #include <linux/perf_event.h>
58c5fc13
MT		 2780+#include <linux/slab.h>
2781+#include <linux/pagemap.h>
2782+#include <linux/compiler.h>
2783+#include <linux/unistd.h>
2784
2785 #include <asm/firmware.h>
2786 #include <asm/page.h>
ae4e228f 2787@@ -41,6 +45,7 @@
58c5fc13
MT		 2788 #include <asm/tlbflush.h>
2789 #include <asm/siginfo.h>
ae4e228f 2790 #include <mm/mmu_decl.h>
58c5fc13
MT		 2791+#include <asm/ptrace.h>
2792
58c5fc13 2793 #ifdef CONFIG_KPROBES
ae4e228f 2794 static inline int notify_page_fault(struct pt_regs *regs)
58c5fc13
MT		 2795@@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2796 }
2797 #endif
2798
2799+#ifdef CONFIG_PAX_PAGEEXEC
2800+/*
2801+ * PaX: decide what to do with offenders (regs->nip = fault address)
2802+ *
2803+ * returns 1 when task should be killed
2804+ */
2805+static int pax_handle_fetch_fault(struct pt_regs *regs)
2806+{
2807+ return 1;
2808+}
2809+
2810+void pax_report_insns(void *pc, void *sp)
2811+{
2812+ unsigned long i;
2813+
2814+ printk(KERN_ERR "PAX: bytes at PC: ");
2815+ for (i = 0; i < 5; i++) {
2816+ unsigned int c;
ae4e228f 2817+ if (get_user(c, (unsigned int __user *)pc+i))
58c5fc13
MT		 2818+ printk(KERN_CONT "???????? ");
2819+ else
2820+ printk(KERN_CONT "%08x ", c);
2821+ }
2822+ printk("\n");
2823+}
2824+#endif
2825+
2826 /*
2827 * Check whether the instruction at regs->nip is a store using
2828 * an update addressing form which will update r1.
2829@@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2830 * indicate errors in DSISR but can validly be set in SRR1.
2831 */
2832 if (trap == 0x400)
2833- error_code &= 0x48200000;
2834+ error_code &= 0x58200000;
2835 else
2836 is_write = error_code & DSISR_ISSTORE;
2837 #else
57199397 2838@@ -257,7 +289,7 @@ good_area:
58c5fc13
MT		 2839 * "undefined". Of those that can be set, this is the only
2840 * one which seems bad.
2841 */
2842- if (error_code & 0x10000000)
2843+ if (error_code & DSISR_GUARDED)
2844 /* Guarded storage error. */
2845 goto bad_area;
2846 #endif /* CONFIG_8xx */
57199397 2847@@ -272,7 +304,7 @@ good_area:
58c5fc13
MT		 2848 * processors use the same I/D cache coherency mechanism
2849 * as embedded.
2850 */
2851- if (error_code & DSISR_PROTFAULT)
2852+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2853 goto bad_area;
2854 #endif /* CONFIG_PPC_STD_MMU */
2855
ae4e228f 2856@@ -341,6 +373,23 @@ bad_area:
58c5fc13
MT		 2857 bad_area_nosemaphore:
2858 /* User mode accesses cause a SIGSEGV */
2859 if (user_mode(regs)) {
2860+
2861+#ifdef CONFIG_PAX_PAGEEXEC
2862+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2863+#ifdef CONFIG_PPC_STD_MMU
2864+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2865+#else
2866+ if (is_exec && regs->nip == address) {
2867+#endif
2868+ switch (pax_handle_fetch_fault(regs)) {
2869+ }
2870+
2871+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2872+ do_group_exit(SIGKILL);
2873+ }
2874+ }
2875+#endif
2876+
2877 _exception(SIGSEGV, regs, code, address);
2878 return 0;
2879 }
57199397
MT		 2880diff -urNp linux-2.6.35.4/arch/powerpc/mm/mmap_64.c linux-2.6.35.4/arch/powerpc/mm/mmap_64.c
2881--- linux-2.6.35.4/arch/powerpc/mm/mmap_64.c 2010-08-26 19:47:12.000000000 -0400
2882+++ linux-2.6.35.4/arch/powerpc/mm/mmap_64.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 2883@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2884 */
2885 if (mmap_is_legacy()) {
2886 mm->mmap_base = TASK_UNMAPPED_BASE;
2887+
2888+#ifdef CONFIG_PAX_RANDMMAP
2889+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2890+ mm->mmap_base += mm->delta_mmap;
2891+#endif
2892+
2893 mm->get_unmapped_area = arch_get_unmapped_area;
2894 mm->unmap_area = arch_unmap_area;
2895 } else {
2896 mm->mmap_base = mmap_base();
2897+
2898+#ifdef CONFIG_PAX_RANDMMAP
2899+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2900+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2901+#endif
2902+
2903 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2904 mm->unmap_area = arch_unmap_area_topdown;
2905 }
57199397
MT		 2906diff -urNp linux-2.6.35.4/arch/powerpc/mm/slice.c linux-2.6.35.4/arch/powerpc/mm/slice.c
2907--- linux-2.6.35.4/arch/powerpc/mm/slice.c 2010-08-26 19:47:12.000000000 -0400
2908+++ linux-2.6.35.4/arch/powerpc/mm/slice.c 2010-09-17 20:12:09.000000000 -0400
2909@@ -98,10 +98,9 @@ static int slice_area_is_free(struct mm_
2910 if ((mm->task_size - len) < addr)
2911 return 0;
2912 vma = find_vma(mm, addr);
2913- return (!vma || (addr + len) <= vma->vm_start);
2914+ return check_heap_stack_gap(vma, addr, len);
2915 }
2916
2917-static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2918 {
2919 return !slice_area_is_free(mm, slice << SLICE_LOW_SHIFT,
2920 1ul << SLICE_LOW_SHIFT);
2921@@ -256,7 +255,7 @@ full_search:
2922 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2923 continue;
2924 }
2925- if (!vma || addr + len <= vma->vm_start) {
2926+ if (check_heap_stack_gap(vma, addr, len)) {
2927 /*
2928 * Remember the place where we stopped the search:
2929 */
2930@@ -336,7 +335,7 @@ static unsigned long slice_find_area_top
2931 * return with success:
2932 */
2933 vma = find_vma(mm, addr);
2934- if (!vma || (addr + len) <= vma->vm_start) {
2935+ if (check_heap_stack_gap(vma, addr, len)) {
2936 /* remember the address as a hint for next time */
2937 if (use_cache)
2938 mm->free_area_cache = addr;
2939@@ -426,6 +425,11 @@ unsigned long slice_get_unmapped_area(un
58c5fc13
MT		 2940 if (fixed && addr > (mm->task_size - len))
2941 return -EINVAL;
2942
2943+#ifdef CONFIG_PAX_RANDMMAP
2944+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2945+ addr = 0;
2946+#endif
2947+
2948 /* If hint, make sure it matches our alignment restrictions */
2949 if (!fixed && addr) {
2950 addr = _ALIGN_UP(addr, 1ul << pshift);
57199397
MT		 2951diff -urNp linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c
2952--- linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-08-26 19:47:12.000000000 -0400
2953+++ linux-2.6.35.4/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2954@@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2955 lite5200_pm_target_state = PM_SUSPEND_ON;
2956 }
2957
2958-static struct platform_suspend_ops lite5200_pm_ops = {
2959+static const struct platform_suspend_ops lite5200_pm_ops = {
2960 .valid = lite5200_pm_valid,
2961 .begin = lite5200_pm_begin,
2962 .prepare = lite5200_pm_prepare,
57199397
MT		 2963diff -urNp linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2964--- linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-08-26 19:47:12.000000000 -0400
2965+++ linux-2.6.35.4/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-09-17 20:12:09.000000000 -0400
2966@@ -189,7 +189,7 @@ void mpc52xx_pm_finish(void)
ae4e228f
MT		 2967 iounmap(mbar);
2968 }
2969
2970-static struct platform_suspend_ops mpc52xx_pm_ops = {
2971+static const struct platform_suspend_ops mpc52xx_pm_ops = {
2972 .valid = mpc52xx_pm_valid,
2973 .prepare = mpc52xx_pm_prepare,
2974 .enter = mpc52xx_pm_enter,
57199397
MT		 2975diff -urNp linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c
2976--- linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c 2010-08-26 19:47:12.000000000 -0400
2977+++ linux-2.6.35.4/arch/powerpc/platforms/83xx/suspend.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 2978@@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2979 return ret;
58c5fc13
MT		 2980 }
2981
ae4e228f
MT		 2982-static struct platform_suspend_ops mpc83xx_suspend_ops = {
2983+static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2984 .valid = mpc83xx_suspend_valid,
2985 .begin = mpc83xx_suspend_begin,
2986 .enter = mpc83xx_suspend_enter,
57199397
MT		 2987diff -urNp linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c
2988--- linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c 2010-08-26 19:47:12.000000000 -0400
2989+++ linux-2.6.35.4/arch/powerpc/platforms/cell/iommu.c 2010-09-17 20:12:09.000000000 -0400
2990@@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
ae4e228f
MT		 2991
2992 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2993
2994-struct dma_map_ops dma_iommu_fixed_ops = {
2995+const struct dma_map_ops dma_iommu_fixed_ops = {
2996 .alloc_coherent = dma_fixed_alloc_coherent,
2997 .free_coherent = dma_fixed_free_coherent,
2998 .map_sg = dma_fixed_map_sg,
57199397
MT		 2999diff -urNp linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c
3000--- linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c 2010-08-26 19:47:12.000000000 -0400
3001+++ linux-2.6.35.4/arch/powerpc/platforms/ps3/system-bus.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 3002@@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
ae4e228f
MT		 3003 return mask >= DMA_BIT_MASK(32);
3004 }
3005
3006-static struct dma_map_ops ps3_sb_dma_ops = {
3007+static const struct dma_map_ops ps3_sb_dma_ops = {
3008 .alloc_coherent = ps3_alloc_coherent,
3009 .free_coherent = ps3_free_coherent,
3010 .map_sg = ps3_sb_map_sg,
df50ba0c 3011@@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
ae4e228f 3012 .unmap_page = ps3_unmap_page,
58c5fc13
MT		 3013 };
3014
ae4e228f
MT		 3015-static struct dma_map_ops ps3_ioc0_dma_ops = {
3016+static const struct dma_map_ops ps3_ioc0_dma_ops = {
3017 .alloc_coherent = ps3_alloc_coherent,
3018 .free_coherent = ps3_free_coherent,
3019 .map_sg = ps3_ioc0_map_sg,
57199397
MT		 3020diff -urNp linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c
3021--- linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c 2010-08-26 19:47:12.000000000 -0400
3022+++ linux-2.6.35.4/arch/powerpc/sysdev/fsl_pmc.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3023@@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
3024 return 1;
58c5fc13
MT		 3025 }
3026
ae4e228f
MT		 3027-static struct platform_suspend_ops pmc_suspend_ops = {
3028+static const struct platform_suspend_ops pmc_suspend_ops = {
3029 .valid = pmc_suspend_valid,
3030 .enter = pmc_suspend_enter,
58c5fc13 3031 };
57199397
MT		 3032diff -urNp linux-2.6.35.4/arch/s390/include/asm/compat.h linux-2.6.35.4/arch/s390/include/asm/compat.h
3033--- linux-2.6.35.4/arch/s390/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
3034+++ linux-2.6.35.4/arch/s390/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
3035@@ -181,7 +181,7 @@ static inline int is_compat_task(void)
efbe55a5 3036
57199397 3037 #endif
efbe55a5 3038
57199397
MT		 3039-static inline void __user *compat_alloc_user_space(long len)
3040+static inline void __user *arch_compat_alloc_user_space(long len)
3041 {
3042 unsigned long stack;
efbe55a5 3043
57199397
MT		 3044diff -urNp linux-2.6.35.4/arch/s390/include/asm/elf.h linux-2.6.35.4/arch/s390/include/asm/elf.h
3045--- linux-2.6.35.4/arch/s390/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
3046+++ linux-2.6.35.4/arch/s390/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3047@@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
3048 that it will "exec", and that there is sufficient room for the brk. */
3049 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
58c5fc13 3050
ae4e228f
MT		 3051+#ifdef CONFIG_PAX_ASLR
3052+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
58c5fc13 3053+
ae4e228f
MT		 3054+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3055+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3056+#endif
58c5fc13 3057+
ae4e228f
MT		 3058 /* This yields a mask that user programs can use to figure out what
3059 instruction set this CPU supports. */
58c5fc13 3060
57199397
MT		 3061diff -urNp linux-2.6.35.4/arch/s390/include/asm/uaccess.h linux-2.6.35.4/arch/s390/include/asm/uaccess.h
3062--- linux-2.6.35.4/arch/s390/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3063+++ linux-2.6.35.4/arch/s390/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 3064@@ -234,6 +234,10 @@ static inline unsigned long __must_check
58c5fc13
MT		 3065 copy_to_user(void __user *to, const void *from, unsigned long n)
3066 {
3067 might_fault();
3068+
3069+ if ((long)n < 0)
3070+ return n;
3071+
3072 if (access_ok(VERIFY_WRITE, to, n))
3073 n = __copy_to_user(to, from, n);
3074 return n;
ae4e228f 3075@@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
58c5fc13
MT		 3076 static inline unsigned long __must_check
3077 __copy_from_user(void *to, const void __user *from, unsigned long n)
3078 {
3079+ if ((long)n < 0)
3080+ return n;
3081+
3082 if (__builtin_constant_p(n) && (n <= 256))
3083 return uaccess.copy_from_user_small(n, from, to);
3084 else
df50ba0c
MT		 3085@@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3086 unsigned int sz = __compiletime_object_size(to);
3087
58c5fc13
MT		 3088 might_fault();
3089+
3090+ if ((long)n < 0)
3091+ return n;
3092+
df50ba0c
MT		 3093 if (unlikely(sz != -1 && sz < n)) {
3094 copy_from_user_overflow();
3095 return n;
57199397
MT		 3096diff -urNp linux-2.6.35.4/arch/s390/Kconfig linux-2.6.35.4/arch/s390/Kconfig
3097--- linux-2.6.35.4/arch/s390/Kconfig 2010-08-26 19:47:12.000000000 -0400
3098+++ linux-2.6.35.4/arch/s390/Kconfig 2010-09-17 20:12:09.000000000 -0400
3099@@ -230,13 +230,12 @@ config AUDIT_ARCH
3100
3101 config S390_EXEC_PROTECT
3102 bool "Data execute protection"
3103+ default y
3104 help
3105 This option allows to enable a buffer overflow protection for user
3106- space programs and it also selects the addressing mode option above.
3107- The kernel parameter noexec=on will enable this feature and also
3108- switch the addressing modes, default is disabled. Enabling this (via
3109- kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3110- will reduce system performance.
3111+ space programs.
3112+ Enabling this on machines earlier than IBM System z9-109 EC/BC will
3113+ reduce system performance.
3114
3115 comment "Code generation options"
3116
3117diff -urNp linux-2.6.35.4/arch/s390/kernel/module.c linux-2.6.35.4/arch/s390/kernel/module.c
3118--- linux-2.6.35.4/arch/s390/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
3119+++ linux-2.6.35.4/arch/s390/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
3120@@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
58c5fc13
MT		 3121
3122 /* Increase core size by size of got & plt and set start
3123 offsets for got and plt. */
3124- me->core_size = ALIGN(me->core_size, 4);
3125- me->arch.got_offset = me->core_size;
3126- me->core_size += me->arch.got_size;
3127- me->arch.plt_offset = me->core_size;
3128- me->core_size += me->arch.plt_size;
3129+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
3130+ me->arch.got_offset = me->core_size_rw;
3131+ me->core_size_rw += me->arch.got_size;
3132+ me->arch.plt_offset = me->core_size_rx;
3133+ me->core_size_rx += me->arch.plt_size;
3134 return 0;
3135 }
3136
57199397 3137@@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
58c5fc13
MT		 3138 if (info->got_initialized == 0) {
3139 Elf_Addr *gotent;
3140
3141- gotent = me->module_core + me->arch.got_offset +
3142+ gotent = me->module_core_rw + me->arch.got_offset +
3143 info->got_offset;
3144 *gotent = val;
3145 info->got_initialized = 1;
57199397 3146@@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
58c5fc13
MT		 3147 else if (r_type == R_390_GOTENT ||
3148 r_type == R_390_GOTPLTENT)
3149 *(unsigned int *) loc =
3150- (val + (Elf_Addr) me->module_core - loc) >> 1;
3151+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3152 else if (r_type == R_390_GOT64 ||
3153 r_type == R_390_GOTPLT64)
3154 *(unsigned long *) loc = val;
57199397 3155@@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
58c5fc13
MT		 3156 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3157 if (info->plt_initialized == 0) {
3158 unsigned int *ip;
3159- ip = me->module_core + me->arch.plt_offset +
3160+ ip = me->module_core_rx + me->arch.plt_offset +
3161 info->plt_offset;
3162 #ifndef CONFIG_64BIT
3163 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
57199397 3164@@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
58c5fc13
MT		 3165 val - loc + 0xffffUL < 0x1ffffeUL) ||
3166 (r_type == R_390_PLT32DBL &&
3167 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3168- val = (Elf_Addr) me->module_core +
3169+ val = (Elf_Addr) me->module_core_rx +
3170 me->arch.plt_offset +
3171 info->plt_offset;
3172 val += rela->r_addend - loc;
57199397 3173@@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
58c5fc13
MT		 3174 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3175 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3176 val = val + rela->r_addend -
3177- ((Elf_Addr) me->module_core + me->arch.got_offset);
3178+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3179 if (r_type == R_390_GOTOFF16)
3180 *(unsigned short *) loc = val;
3181 else if (r_type == R_390_GOTOFF32)
57199397 3182@@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
58c5fc13
MT		 3183 break;
3184 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3185 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3186- val = (Elf_Addr) me->module_core + me->arch.got_offset +
3187+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3188 rela->r_addend - loc;
3189 if (r_type == R_390_GOTPC)
3190 *(unsigned int *) loc = val;
57199397
MT		 3191diff -urNp linux-2.6.35.4/arch/s390/kernel/setup.c linux-2.6.35.4/arch/s390/kernel/setup.c
3192--- linux-2.6.35.4/arch/s390/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
3193+++ linux-2.6.35.4/arch/s390/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
3194@@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
ae4e228f
MT		 3195 }
3196 early_param("mem", early_parse_mem);
58c5fc13 3197
ae4e228f
MT		 3198-unsigned int user_mode = HOME_SPACE_MODE;
3199+unsigned int user_mode = SECONDARY_SPACE_MODE;
3200 EXPORT_SYMBOL_GPL(user_mode);
3201
3202 static int set_amode_and_uaccess(unsigned long user_amode,
57199397 3203@@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
ae4e228f
MT		 3204 }
3205 }
3206
3207-/*
3208- * Switch kernel/user addressing modes?
3209- */
3210-static int __init early_parse_switch_amode(char *p)
3211-{
3212- if (user_mode != SECONDARY_SPACE_MODE)
3213- user_mode = PRIMARY_SPACE_MODE;
3214- return 0;
3215-}
3216-early_param("switch_amode", early_parse_switch_amode);
3217-
3218 static int __init early_parse_user_mode(char *p)
3219 {
3220 if (p && strcmp(p, "primary") == 0)
57199397 3221@@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
ae4e228f
MT		 3222 }
3223 early_param("user_mode", early_parse_user_mode);
3224
3225-#ifdef CONFIG_S390_EXEC_PROTECT
3226-/*
3227- * Enable execute protection?
3228- */
3229-static int __init early_parse_noexec(char *p)
3230-{
3231- if (!strncmp(p, "off", 3))
3232- return 0;
3233- user_mode = SECONDARY_SPACE_MODE;
3234- return 0;
3235-}
3236-early_param("noexec", early_parse_noexec);
3237-#endif /* CONFIG_S390_EXEC_PROTECT */
3238-
3239 static void setup_addressing_mode(void)
3240 {
3241 if (user_mode == SECONDARY_SPACE_MODE) {
57199397
MT		 3242diff -urNp linux-2.6.35.4/arch/s390/mm/maccess.c linux-2.6.35.4/arch/s390/mm/maccess.c
3243--- linux-2.6.35.4/arch/s390/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
3244+++ linux-2.6.35.4/arch/s390/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3245@@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3246 return rc ? rc : count;
3247 }
3248
3249-long probe_kernel_write(void *dst, void *src, size_t size)
3250+long probe_kernel_write(void *dst, const void *src, size_t size)
3251 {
3252 long copied = 0;
3253
57199397
MT		 3254diff -urNp linux-2.6.35.4/arch/s390/mm/mmap.c linux-2.6.35.4/arch/s390/mm/mmap.c
3255--- linux-2.6.35.4/arch/s390/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3256+++ linux-2.6.35.4/arch/s390/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3257@@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3258 */
3259 if (mmap_is_legacy()) {
3260 mm->mmap_base = TASK_UNMAPPED_BASE;
3261+
3262+#ifdef CONFIG_PAX_RANDMMAP
3263+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3264+ mm->mmap_base += mm->delta_mmap;
3265+#endif
3266+
3267 mm->get_unmapped_area = arch_get_unmapped_area;
3268 mm->unmap_area = arch_unmap_area;
3269 } else {
3270 mm->mmap_base = mmap_base();
3271+
3272+#ifdef CONFIG_PAX_RANDMMAP
3273+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3274+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3275+#endif
3276+
3277 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3278 mm->unmap_area = arch_unmap_area_topdown;
3279 }
3280@@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3281 */
3282 if (mmap_is_legacy()) {
3283 mm->mmap_base = TASK_UNMAPPED_BASE;
3284+
3285+#ifdef CONFIG_PAX_RANDMMAP
3286+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3287+ mm->mmap_base += mm->delta_mmap;
3288+#endif
3289+
3290 mm->get_unmapped_area = s390_get_unmapped_area;
3291 mm->unmap_area = arch_unmap_area;
3292 } else {
3293 mm->mmap_base = mmap_base();
3294+
3295+#ifdef CONFIG_PAX_RANDMMAP
3296+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3297+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3298+#endif
3299+
3300 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3301 mm->unmap_area = arch_unmap_area_topdown;
3302 }
57199397
MT		 3303diff -urNp linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c
3304--- linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c 2010-08-26 19:47:12.000000000 -0400
3305+++ linux-2.6.35.4/arch/sh/boards/mach-hp6xx/pm.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3306@@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3307 return 0;
3308 }
3309
3310-static struct platform_suspend_ops hp6x0_pm_ops = {
3311+static const struct platform_suspend_ops hp6x0_pm_ops = {
3312 .enter = hp6x0_pm_enter,
3313 .valid = suspend_valid_only_mem,
3314 };
57199397
MT		 3315diff -urNp linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h
3316--- linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3317+++ linux-2.6.35.4/arch/sh/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3318@@ -1,10 +1,10 @@
3319 #ifndef __ASM_SH_DMA_MAPPING_H
3320 #define __ASM_SH_DMA_MAPPING_H
3321
3322-extern struct dma_map_ops *dma_ops;
3323+extern const struct dma_map_ops *dma_ops;
3324 extern void no_iommu_init(void);
3325
3326-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3327+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3328 {
3329 return dma_ops;
3330 }
3331@@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3332
3333 static inline int dma_supported(struct device *dev, u64 mask)
3334 {
3335- struct dma_map_ops *ops = get_dma_ops(dev);
3336+ const struct dma_map_ops *ops = get_dma_ops(dev);
3337
3338 if (ops->dma_supported)
3339 return ops->dma_supported(dev, mask);
3340@@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3341
3342 static inline int dma_set_mask(struct device *dev, u64 mask)
3343 {
3344- struct dma_map_ops *ops = get_dma_ops(dev);
3345+ const struct dma_map_ops *ops = get_dma_ops(dev);
3346
3347 if (!dev->dma_mask || !dma_supported(dev, mask))
3348 return -EIO;
3349@@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
3350
3351 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3352 {
3353- struct dma_map_ops *ops = get_dma_ops(dev);
3354+ const struct dma_map_ops *ops = get_dma_ops(dev);
3355
3356 if (ops->mapping_error)
3357 return ops->mapping_error(dev, dma_addr);
3358@@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
3359 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3360 dma_addr_t *dma_handle, gfp_t gfp)
3361 {
3362- struct dma_map_ops *ops = get_dma_ops(dev);
3363+ const struct dma_map_ops *ops = get_dma_ops(dev);
3364 void *memory;
3365
3366 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3367@@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3368 static inline void dma_free_coherent(struct device *dev, size_t size,
3369 void *vaddr, dma_addr_t dma_handle)
3370 {
3371- struct dma_map_ops *ops = get_dma_ops(dev);
3372+ const struct dma_map_ops *ops = get_dma_ops(dev);
3373
df50ba0c
MT		 3374 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3375 return;
57199397
MT		 3376diff -urNp linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c
3377--- linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c 2010-08-26 19:47:12.000000000 -0400
3378+++ linux-2.6.35.4/arch/sh/kernel/cpu/shmobile/pm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 3379@@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
ae4e228f
MT		 3380 return 0;
3381 }
3382
3383-static struct platform_suspend_ops sh_pm_ops = {
3384+static const struct platform_suspend_ops sh_pm_ops = {
3385 .enter = sh_pm_enter,
3386 .valid = suspend_valid_only_mem,
3387 };
57199397
MT		 3388diff -urNp linux-2.6.35.4/arch/sh/kernel/dma-nommu.c linux-2.6.35.4/arch/sh/kernel/dma-nommu.c
3389--- linux-2.6.35.4/arch/sh/kernel/dma-nommu.c 2010-08-26 19:47:12.000000000 -0400
3390+++ linux-2.6.35.4/arch/sh/kernel/dma-nommu.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3391@@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3392 }
3393 #endif
3394
3395-struct dma_map_ops nommu_dma_ops = {
3396+const struct dma_map_ops nommu_dma_ops = {
3397 .alloc_coherent = dma_generic_alloc_coherent,
3398 .free_coherent = dma_generic_free_coherent,
3399 .map_page = nommu_map_page,
57199397
MT		 3400diff -urNp linux-2.6.35.4/arch/sh/kernel/kgdb.c linux-2.6.35.4/arch/sh/kernel/kgdb.c
3401--- linux-2.6.35.4/arch/sh/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
3402+++ linux-2.6.35.4/arch/sh/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
3403@@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
df50ba0c 3404 unregister_die_notifier(&kgdb_notifier);
ae4e228f
MT		 3405 }
3406
3407-struct kgdb_arch arch_kgdb_ops = {
3408+const struct kgdb_arch arch_kgdb_ops = {
3409 /* Breakpoint instruction: trapa #0x3c */
3410 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3411 .gdb_bpt_instr = { 0x3c, 0xc3 },
57199397
MT		 3412diff -urNp linux-2.6.35.4/arch/sh/mm/consistent.c linux-2.6.35.4/arch/sh/mm/consistent.c
3413--- linux-2.6.35.4/arch/sh/mm/consistent.c 2010-08-26 19:47:12.000000000 -0400
3414+++ linux-2.6.35.4/arch/sh/mm/consistent.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 3415@@ -22,7 +22,7 @@
ae4e228f
MT		 3416
3417 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3418
3419-struct dma_map_ops *dma_ops;
3420+const struct dma_map_ops *dma_ops;
3421 EXPORT_SYMBOL(dma_ops);
3422
3423 static int __init dma_init(void)
57199397
MT		 3424diff -urNp linux-2.6.35.4/arch/sh/mm/mmap.c linux-2.6.35.4/arch/sh/mm/mmap.c
3425--- linux-2.6.35.4/arch/sh/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
3426+++ linux-2.6.35.4/arch/sh/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
3427@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3428 addr = PAGE_ALIGN(addr);
3429
3430 vma = find_vma(mm, addr);
3431- if (TASK_SIZE - len >= addr &&
3432- (!vma || addr + len <= vma->vm_start))
3433+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3434 return addr;
3435 }
efbe55a5 3436
57199397
MT		 3437@@ -106,7 +105,7 @@ full_search:
3438 }
3439 return -ENOMEM;
3440 }
3441- if (likely(!vma || addr + len <= vma->vm_start)) {
3442+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3443 /*
3444 * Remember the place where we stopped the search:
3445 */
3446@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3447 addr = PAGE_ALIGN(addr);
3448
3449 vma = find_vma(mm, addr);
3450- if (TASK_SIZE - len >= addr &&
3451- (!vma || addr + len <= vma->vm_start))
3452+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3453 return addr;
3454 }
3455
3456@@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3457 /* make sure it can fit in the remaining address space */
3458 if (likely(addr > len)) {
3459 vma = find_vma(mm, addr-len);
3460- if (!vma || addr <= vma->vm_start) {
3461+ if (check_heap_stack_gap(vma, addr - len, len)) {
3462 /* remember the address as a hint for next time */
3463 return (mm->free_area_cache = addr-len);
3464 }
3465@@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3466 * return with success:
3467 */
3468 vma = find_vma(mm, addr);
3469- if (likely(!vma || addr+len <= vma->vm_start)) {
3470+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3471 /* remember the address as a hint for next time */
3472 return (mm->free_area_cache = addr);
3473 }
3474diff -urNp linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h
3475--- linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h 2010-08-26 19:47:12.000000000 -0400
3476+++ linux-2.6.35.4/arch/sparc/include/asm/atomic_64.h 2010-09-17 20:12:09.000000000 -0400
3477@@ -14,18 +14,40 @@
58c5fc13
MT		 3478 #define ATOMIC64_INIT(i) { (i) }
3479
57199397 3480 #define atomic_read(v) (*(volatile int *)&(v)->counter)
ae4e228f
MT		 3481+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3482+{
3483+ return v->counter;
3484+}
57199397 3485 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
ae4e228f
MT		 3486+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3487+{
3488+ return v->counter;
3489+}
58c5fc13
MT		 3490
3491 #define atomic_set(v, i) (((v)->counter) = i)
ae4e228f
MT		 3492+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3493+{
3494+ v->counter = i;
3495+}
58c5fc13 3496 #define atomic64_set(v, i) (((v)->counter) = i)
ae4e228f
MT		 3497+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3498+{
3499+ v->counter = i;
3500+}
58c5fc13
MT		 3501
3502 extern void atomic_add(int, atomic_t *);
3503+extern void atomic_add_unchecked(int, atomic_unchecked_t *);
57199397
MT		 3504 extern void atomic64_add(long, atomic64_t *);
3505+extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
58c5fc13
MT		 3506 extern void atomic_sub(int, atomic_t *);
3507+extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
57199397
MT		 3508 extern void atomic64_sub(long, atomic64_t *);
3509+extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
58c5fc13
MT		 3510
3511 extern int atomic_add_ret(int, atomic_t *);
57199397
MT		 3512+extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3513 extern long atomic64_add_ret(long, atomic64_t *);
3514+extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
ae4e228f 3515 extern int atomic_sub_ret(int, atomic_t *);
57199397 3516 extern long atomic64_sub_ret(long, atomic64_t *);
ae4e228f 3517
57199397
MT		 3518@@ -33,7 +55,15 @@ extern long atomic64_sub_ret(long, atomi
3519 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
ae4e228f
MT		 3520
3521 #define atomic_inc_return(v) atomic_add_ret(1, v)
57199397
MT		 3522+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3523+{
3524+ return atomic_add_ret_unchecked(1, v);
3525+}
ae4e228f 3526 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
57199397
MT		 3527+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3528+{
3529+ return atomic64_add_ret_unchecked(1, v);
3530+}
ae4e228f
MT		 3531
3532 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3533 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
57199397 3534@@ -59,10 +89,26 @@ extern long atomic64_sub_ret(long, atomi
58c5fc13
MT		 3535 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3536
3537 #define atomic_inc(v) atomic_add(1, v)
ae4e228f
MT		 3538+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3539+{
3540+ atomic_add_unchecked(1, v);
3541+}
58c5fc13 3542 #define atomic64_inc(v) atomic64_add(1, v)
ae4e228f
MT		 3543+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3544+{
3545+ atomic64_add_unchecked(1, v);
3546+}
58c5fc13
MT		 3547
3548 #define atomic_dec(v) atomic_sub(1, v)
df50ba0c
MT		 3549+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3550+{
3551+ atomic_sub_unchecked(1, v);
3552+}
ae4e228f 3553 #define atomic64_dec(v) atomic64_sub(1, v)
df50ba0c
MT		 3554+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3555+{
3556+ atomic64_sub_unchecked(1, v);
3557+}
3558
3559 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3560 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
57199397 3561@@ -72,17 +118,28 @@ extern long atomic64_sub_ret(long, atomi
58c5fc13
MT		 3562
3563 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3564 {
3565- int c, old;
3566+ int c, old, new;
3567 c = atomic_read(v);
3568 for (;;) {
3569- if (unlikely(c == (u)))
3570+ if (unlikely(c == u))
3571 break;
3572- old = atomic_cmpxchg((v), c, c + (a));
3573+
3574+ asm volatile("addcc %2, %0, %0\n"
3575+
3576+#ifdef CONFIG_PAX_REFCOUNT
3577+ "tvs %%icc, 6\n"
3578+#endif
3579+
3580+ : "=r" (new)
3581+ : "0" (c), "ir" (a)
3582+ : "cc");
3583+
3584+ old = atomic_cmpxchg(v, c, new);
3585 if (likely(old == c))
3586 break;
3587 c = old;
3588 }
3589- return c != (u);
3590+ return c != u;
3591 }
3592
3593 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
57199397 3594@@ -93,17 +150,28 @@ static inline int atomic_add_unless(atom
58c5fc13 3595
57199397 3596 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
58c5fc13
MT		 3597 {
3598- long c, old;
3599+ long c, old, new;
3600 c = atomic64_read(v);
3601 for (;;) {
3602- if (unlikely(c == (u)))
3603+ if (unlikely(c == u))
3604 break;
3605- old = atomic64_cmpxchg((v), c, c + (a));
3606+
3607+ asm volatile("addcc %2, %0, %0\n"
3608+
3609+#ifdef CONFIG_PAX_REFCOUNT
3610+ "tvs %%xcc, 6\n"
3611+#endif
3612+
3613+ : "=r" (new)
3614+ : "0" (c), "ir" (a)
3615+ : "cc");
3616+
3617+ old = atomic64_cmpxchg(v, c, new);
3618 if (likely(old == c))
3619 break;
3620 c = old;
3621 }
3622- return c != (u);
3623+ return c != u;
3624 }
3625
3626 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
57199397
MT		 3627diff -urNp linux-2.6.35.4/arch/sparc/include/asm/compat.h linux-2.6.35.4/arch/sparc/include/asm/compat.h
3628--- linux-2.6.35.4/arch/sparc/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
3629+++ linux-2.6.35.4/arch/sparc/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
3630@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compa
3631 return (u32)(unsigned long)uptr;
3632 }
3633
3634-static inline void __user *compat_alloc_user_space(long len)
3635+static inline void __user *arch_compat_alloc_user_space(long len)
3636 {
3637 struct pt_regs *regs = current_thread_info()->kregs;
3638 unsigned long usp = regs->u_regs[UREG_I6];
3639diff -urNp linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h
3640--- linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3641+++ linux-2.6.35.4/arch/sparc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 3642@@ -13,10 +13,10 @@ extern int dma_supported(struct device *
ae4e228f
MT		 3643 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3644 #define dma_is_consistent(d, h) (1)
3645
3646-extern struct dma_map_ops *dma_ops, pci32_dma_ops;
df50ba0c 3647+extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
ae4e228f
MT		 3648 extern struct bus_type pci_bus_type;
3649
3650-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3651+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3652 {
3653 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3654 if (dev->bus == &pci_bus_type)
df50ba0c 3655@@ -30,7 +30,7 @@ static inline struct dma_map_ops *get_dm
ae4e228f
MT		 3656 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3657 dma_addr_t *dma_handle, gfp_t flag)
3658 {
3659- struct dma_map_ops *ops = get_dma_ops(dev);
3660+ const struct dma_map_ops *ops = get_dma_ops(dev);
3661 void *cpu_addr;
3662
3663 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
df50ba0c 3664@@ -41,7 +41,7 @@ static inline void *dma_alloc_coherent(s
ae4e228f
MT		 3665 static inline void dma_free_coherent(struct device *dev, size_t size,
3666 void *cpu_addr, dma_addr_t dma_handle)
3667 {
3668- struct dma_map_ops *ops = get_dma_ops(dev);
3669+ const struct dma_map_ops *ops = get_dma_ops(dev);
3670
3671 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3672 ops->free_coherent(dev, size, cpu_addr, dma_handle);
57199397
MT		 3673diff -urNp linux-2.6.35.4/arch/sparc/include/asm/elf_32.h linux-2.6.35.4/arch/sparc/include/asm/elf_32.h
3674--- linux-2.6.35.4/arch/sparc/include/asm/elf_32.h 2010-08-26 19:47:12.000000000 -0400
3675+++ linux-2.6.35.4/arch/sparc/include/asm/elf_32.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 3676@@ -114,6 +114,13 @@ typedef struct {
58c5fc13
MT		 3677
3678 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3679
3680+#ifdef CONFIG_PAX_ASLR
3681+#define PAX_ELF_ET_DYN_BASE 0x10000UL
3682+
3683+#define PAX_DELTA_MMAP_LEN 16
3684+#define PAX_DELTA_STACK_LEN 16
3685+#endif
3686+
3687 /* This yields a mask that user programs can use to figure out what
3688 instruction set this cpu supports. This can NOT be done in userspace
3689 on Sparc. */
57199397
MT		 3690diff -urNp linux-2.6.35.4/arch/sparc/include/asm/elf_64.h linux-2.6.35.4/arch/sparc/include/asm/elf_64.h
3691--- linux-2.6.35.4/arch/sparc/include/asm/elf_64.h 2010-08-26 19:47:12.000000000 -0400
3692+++ linux-2.6.35.4/arch/sparc/include/asm/elf_64.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 3693@@ -162,6 +162,12 @@ typedef struct {
58c5fc13
MT		 3694 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3695 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3696
3697+#ifdef CONFIG_PAX_ASLR
3698+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3699+
ae4e228f
MT		 3700+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3701+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
58c5fc13
MT		 3702+#endif
3703
3704 /* This yields a mask that user programs can use to figure out what
3705 instruction set this cpu supports. */
57199397
MT		 3706diff -urNp linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h
3707--- linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
3708+++ linux-2.6.35.4/arch/sparc/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 3709@@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3710 BTFIXUPDEF_INT(page_none)
3711 BTFIXUPDEF_INT(page_copy)
3712 BTFIXUPDEF_INT(page_readonly)
3713+
3714+#ifdef CONFIG_PAX_PAGEEXEC
3715+BTFIXUPDEF_INT(page_shared_noexec)
3716+BTFIXUPDEF_INT(page_copy_noexec)
3717+BTFIXUPDEF_INT(page_readonly_noexec)
3718+#endif
3719+
3720 BTFIXUPDEF_INT(page_kernel)
3721
3722 #define PMD_SHIFT SUN4C_PMD_SHIFT
3723@@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3724 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3725 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3726
3727+#ifdef CONFIG_PAX_PAGEEXEC
3728+extern pgprot_t PAGE_SHARED_NOEXEC;
3729+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3730+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3731+#else
3732+# define PAGE_SHARED_NOEXEC PAGE_SHARED
3733+# define PAGE_COPY_NOEXEC PAGE_COPY
3734+# define PAGE_READONLY_NOEXEC PAGE_READONLY
3735+#endif
3736+
3737 extern unsigned long page_kernel;
3738
3739 #ifdef MODULE
57199397
MT		 3740diff -urNp linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h
3741--- linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h 2010-08-26 19:47:12.000000000 -0400
3742+++ linux-2.6.35.4/arch/sparc/include/asm/pgtsrmmu.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 3743@@ -115,6 +115,13 @@
3744 SRMMU_EXEC | SRMMU_REF)
3745 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3746 SRMMU_EXEC | SRMMU_REF)
3747+
3748+#ifdef CONFIG_PAX_PAGEEXEC
3749+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3750+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3751+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3752+#endif
3753+
3754 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3755 SRMMU_DIRTY | SRMMU_REF)
3756
57199397
MT		 3757diff -urNp linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h
3758--- linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h 2010-08-26 19:47:12.000000000 -0400
3759+++ linux-2.6.35.4/arch/sparc/include/asm/spinlock_64.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 3760@@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
58c5fc13
MT		 3761 __asm__ __volatile__ (
3762 "1: ldsw [%2], %0\n"
3763 " brlz,pn %0, 2f\n"
3764-"4: add %0, 1, %1\n"
3765+"4: addcc %0, 1, %1\n"
3766+
3767+#ifdef CONFIG_PAX_REFCOUNT
3768+" tvs %%icc, 6\n"
3769+#endif
3770+
3771 " cas [%2], %0, %1\n"
3772 " cmp %0, %1\n"
3773 " bne,pn %%icc, 1b\n"
ae4e228f 3774@@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
58c5fc13
MT		 3775 " .previous"
3776 : "=&r" (tmp1), "=&r" (tmp2)
3777 : "r" (lock)
3778- : "memory");
3779+ : "memory", "cc");
3780 }
3781
ae4e228f
MT		 3782 static int inline arch_read_trylock(arch_rwlock_t *lock)
3783@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
58c5fc13
MT		 3784 "1: ldsw [%2], %0\n"
3785 " brlz,a,pn %0, 2f\n"
3786 " mov 0, %0\n"
3787-" add %0, 1, %1\n"
3788+" addcc %0, 1, %1\n"
3789+
3790+#ifdef CONFIG_PAX_REFCOUNT
3791+" tvs %%icc, 6\n"
3792+#endif
3793+
3794 " cas [%2], %0, %1\n"
3795 " cmp %0, %1\n"
3796 " bne,pn %%icc, 1b\n"
ae4e228f 3797@@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
58c5fc13
MT		 3798
3799 __asm__ __volatile__(
3800 "1: lduw [%2], %0\n"
3801-" sub %0, 1, %1\n"
3802+" subcc %0, 1, %1\n"
3803+
3804+#ifdef CONFIG_PAX_REFCOUNT
ae4e228f 3805+" tvs %%icc, 6\n"
58c5fc13
MT		 3806+#endif
3807+
3808 " cas [%2], %0, %1\n"
3809 " cmp %0, %1\n"
3810 " bne,pn %%xcc, 1b\n"
57199397
MT		 3811diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h
3812--- linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
3813+++ linux-2.6.35.4/arch/sparc/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 3814@@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
58c5fc13
MT		 3815
3816 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3817 {
3818- if (n && __access_ok((unsigned long) to, n))
3819+ if ((long)n < 0)
3820+ return n;
3821+
3822+ if (n && __access_ok((unsigned long) to, n)) {
3823+ if (!__builtin_constant_p(n))
3824+ check_object_size(from, n, true);
3825 return __copy_user(to, (__force void __user *) from, n);
3826- else
3827+ } else
3828 return n;
3829 }
3830
3831 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3832 {
3833+ if ((long)n < 0)
3834+ return n;
3835+
3836+ if (!__builtin_constant_p(n))
3837+ check_object_size(from, n, true);
3838+
3839 return __copy_user(to, (__force void __user *) from, n);
3840 }
3841
ae4e228f 3842@@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
58c5fc13 3843 {
ae4e228f
MT		 3844 int sz = __compiletime_object_size(to);
3845
58c5fc13
MT		 3846+ if ((long)n < 0)
3847+ return n;
3848+
ae4e228f
MT		 3849 if (unlikely(sz != -1 && sz < n)) {
3850 copy_from_user_overflow();
3851 return n;
3852 }
3853
3854- if (n && __access_ok((unsigned long) from, n))
58c5fc13
MT		 3855+ if (n && __access_ok((unsigned long) from, n)) {
3856+ if (!__builtin_constant_p(n))
3857+ check_object_size(to, n, false);
3858 return __copy_user((__force void __user *) to, from, n);
3859- else
3860+ } else
3861 return n;
3862 }
3863
3864 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3865 {
3866+ if ((long)n < 0)
3867+ return n;
58c5fc13
MT		 3868+
3869 return __copy_user((__force void __user *) to, from, n);
3870 }
3871
57199397
MT		 3872diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h
3873--- linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
3874+++ linux-2.6.35.4/arch/sparc/include/asm/uaccess_64.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3875@@ -10,6 +10,7 @@
3876 #include <linux/compiler.h>
3877 #include <linux/string.h>
3878 #include <linux/thread_info.h>
3879+#include <linux/kernel.h>
3880 #include <asm/asi.h>
3881 #include <asm/system.h>
3882 #include <asm/spitfire.h>
efbe55a5 3883@@ -224,6 +225,12 @@ copy_from_user(void *to, const void __us
ae4e228f
MT		 3884 int sz = __compiletime_object_size(to);
3885 unsigned long ret = size;
3886
3887+ if ((long)size < 0 || size > INT_MAX)
58c5fc13
MT		 3888+ return size;
3889+
3890+ if (!__builtin_constant_p(size))
3891+ check_object_size(to, size, false);
3892+
ae4e228f
MT		 3893 if (likely(sz == -1 || sz >= size)) {
3894 ret = ___copy_from_user(to, from, size);
3895 if (unlikely(ret))
efbe55a5 3896@@ -243,8 +250,15 @@ extern unsigned long copy_to_user_fixup(
58c5fc13
MT		 3897 static inline unsigned long __must_check
3898 copy_to_user(void __user *to, const void *from, unsigned long size)
3899 {
3900- unsigned long ret = ___copy_to_user(to, from, size);
3901+ unsigned long ret;
3902+
ae4e228f 3903+ if ((long)size < 0 || size > INT_MAX)
58c5fc13
MT		 3904+ return size;
3905+
3906+ if (!__builtin_constant_p(size))
3907+ check_object_size(from, size, true);
58c5fc13 3908
ae4e228f 3909+ ret = ___copy_to_user(to, from, size);
58c5fc13
MT		 3910 if (unlikely(ret))
3911 ret = copy_to_user_fixup(to, from, size);
ae4e228f 3912 return ret;
57199397
MT		 3913diff -urNp linux-2.6.35.4/arch/sparc/include/asm/uaccess.h linux-2.6.35.4/arch/sparc/include/asm/uaccess.h
3914--- linux-2.6.35.4/arch/sparc/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
3915+++ linux-2.6.35.4/arch/sparc/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
3916@@ -1,5 +1,13 @@
3917 #ifndef ___ASM_SPARC_UACCESS_H
3918 #define ___ASM_SPARC_UACCESS_H
3919+
3920+#ifdef __KERNEL__
3921+#ifndef __ASSEMBLY__
3922+#include <linux/types.h>
3923+extern void check_object_size(const void *ptr, unsigned long n, bool to);
3924+#endif
3925+#endif
3926+
3927 #if defined(__sparc__) && defined(__arch64__)
3928 #include <asm/uaccess_64.h>
3929 #else
3930diff -urNp linux-2.6.35.4/arch/sparc/kernel/iommu.c linux-2.6.35.4/arch/sparc/kernel/iommu.c
3931--- linux-2.6.35.4/arch/sparc/kernel/iommu.c 2010-08-26 19:47:12.000000000 -0400
3932+++ linux-2.6.35.4/arch/sparc/kernel/iommu.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 3933@@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
ae4e228f
MT		 3934 spin_unlock_irqrestore(&iommu->lock, flags);
3935 }
3936
3937-static struct dma_map_ops sun4u_dma_ops = {
3938+static const struct dma_map_ops sun4u_dma_ops = {
3939 .alloc_coherent = dma_4u_alloc_coherent,
3940 .free_coherent = dma_4u_free_coherent,
3941 .map_page = dma_4u_map_page,
df50ba0c 3942@@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
ae4e228f
MT		 3943 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3944 };
3945
3946-struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3947+const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3948 EXPORT_SYMBOL(dma_ops);
3949
3950 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
57199397
MT		 3951diff -urNp linux-2.6.35.4/arch/sparc/kernel/ioport.c linux-2.6.35.4/arch/sparc/kernel/ioport.c
3952--- linux-2.6.35.4/arch/sparc/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
3953+++ linux-2.6.35.4/arch/sparc/kernel/ioport.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 3954@@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3955 BUG();
3956 }
3957
3958-struct dma_map_ops sbus_dma_ops = {
3959+const struct dma_map_ops sbus_dma_ops = {
3960 .alloc_coherent = sbus_alloc_coherent,
3961 .free_coherent = sbus_free_coherent,
3962 .map_page = sbus_map_page,
3963@@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3964 .sync_sg_for_device = sbus_sync_sg_for_device,
3965 };
3966
3967-struct dma_map_ops *dma_ops = &sbus_dma_ops;
3968+const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3969 EXPORT_SYMBOL(dma_ops);
3970
3971 static int __init sparc_register_ioport(void)
3972@@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3973 }
3974 }
3975
3976-struct dma_map_ops pci32_dma_ops = {
3977+const struct dma_map_ops pci32_dma_ops = {
3978 .alloc_coherent = pci32_alloc_coherent,
3979 .free_coherent = pci32_free_coherent,
3980 .map_page = pci32_map_page,
57199397
MT		 3981diff -urNp linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c
3982--- linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c 2010-08-26 19:47:12.000000000 -0400
3983+++ linux-2.6.35.4/arch/sparc/kernel/kgdb_32.c 2010-09-17 20:12:09.000000000 -0400
3984@@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3985 regs->npc = regs->pc + 4;
ae4e228f
MT		 3986 }
3987
3988-struct kgdb_arch arch_kgdb_ops = {
3989+const struct kgdb_arch arch_kgdb_ops = {
3990 /* Breakpoint instruction: ta 0x7d */
3991 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
3992 };
57199397
MT		 3993diff -urNp linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c
3994--- linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c 2010-08-26 19:47:12.000000000 -0400
3995+++ linux-2.6.35.4/arch/sparc/kernel/kgdb_64.c 2010-09-17 20:12:09.000000000 -0400
3996@@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3997 regs->tnpc = regs->tpc + 4;
ae4e228f
MT		 3998 }
3999
4000-struct kgdb_arch arch_kgdb_ops = {
4001+const struct kgdb_arch arch_kgdb_ops = {
4002 /* Breakpoint instruction: ta 0x72 */
4003 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4004 };
57199397
MT		 4005diff -urNp linux-2.6.35.4/arch/sparc/kernel/Makefile linux-2.6.35.4/arch/sparc/kernel/Makefile
4006--- linux-2.6.35.4/arch/sparc/kernel/Makefile 2010-08-26 19:47:12.000000000 -0400
4007+++ linux-2.6.35.4/arch/sparc/kernel/Makefile 2010-09-17 20:12:09.000000000 -0400
4008@@ -3,7 +3,7 @@
4009 #
4010
4011 asflags-y := -ansi
4012-ccflags-y := -Werror
4013+#ccflags-y := -Werror
4014
4015 extra-y := head_$(BITS).o
4016 extra-y += init_task.o
4017diff -urNp linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c
4018--- linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c 2010-08-26 19:47:12.000000000 -0400
4019+++ linux-2.6.35.4/arch/sparc/kernel/pci_sun4v.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 4020@@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4021 spin_unlock_irqrestore(&iommu->lock, flags);
4022 }
4023
4024-static struct dma_map_ops sun4v_dma_ops = {
4025+static const struct dma_map_ops sun4v_dma_ops = {
4026 .alloc_coherent = dma_4v_alloc_coherent,
4027 .free_coherent = dma_4v_free_coherent,
4028 .map_page = dma_4v_map_page,
57199397
MT		 4029diff -urNp linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c
4030--- linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c 2010-08-26 19:47:12.000000000 -0400
4031+++ linux-2.6.35.4/arch/sparc/kernel/sys_sparc_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 4032@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
58c5fc13
MT		 4033 if (ARCH_SUN4C && len > 0x20000000)
4034 return -ENOMEM;
4035 if (!addr)
4036- addr = TASK_UNMAPPED_BASE;
4037+ addr = current->mm->mmap_base;
4038
4039 if (flags & MAP_SHARED)
4040 addr = COLOUR_ALIGN(addr);
57199397
MT		 4041@@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4042 }
4043 if (TASK_SIZE - PAGE_SIZE - len < addr)
4044 return -ENOMEM;
4045- if (!vmm || addr + len <= vmm->vm_start)
4046+ if (check_heap_stack_gap(vmm, addr, len))
4047 return addr;
4048 addr = vmm->vm_end;
4049 if (flags & MAP_SHARED)
4050diff -urNp linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c
4051--- linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c 2010-08-26 19:47:12.000000000 -0400
4052+++ linux-2.6.35.4/arch/sparc/kernel/sys_sparc_64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 4053@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
58c5fc13
MT		 4054 /* We do not accept a shared mapping if it would violate
4055 * cache aliasing constraints.
4056 */
4057- if ((flags & MAP_SHARED) &&
4058+ if ((filp || (flags & MAP_SHARED)) &&
4059 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4060 return -EINVAL;
4061 return addr;
df50ba0c 4062@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
58c5fc13
MT		 4063 if (filp || (flags & MAP_SHARED))
4064 do_color_align = 1;
4065
4066+#ifdef CONFIG_PAX_RANDMMAP
4067+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4068+#endif
4069+
4070 if (addr) {
4071 if (do_color_align)
4072 addr = COLOUR_ALIGN(addr, pgoff);
57199397
MT		 4073@@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4074 addr = PAGE_ALIGN(addr);
4075
4076 vma = find_vma(mm, addr);
4077- if (task_size - len >= addr &&
4078- (!vma || addr + len <= vma->vm_start))
4079+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4080 return addr;
58c5fc13
MT		 4081 }
4082
4083 if (len > mm->cached_hole_size) {
4084- start_addr = addr = mm->free_area_cache;
4085+ start_addr = addr = mm->free_area_cache;
4086 } else {
4087- start_addr = addr = TASK_UNMAPPED_BASE;
4088+ start_addr = addr = mm->mmap_base;
4089 mm->cached_hole_size = 0;
4090 }
4091
57199397 4092@@ -174,14 +177,14 @@ full_search:
58c5fc13
MT		 4093 vma = find_vma(mm, VA_EXCLUDE_END);
4094 }
4095 if (unlikely(task_size < addr)) {
4096- if (start_addr != TASK_UNMAPPED_BASE) {
4097- start_addr = addr = TASK_UNMAPPED_BASE;
4098+ if (start_addr != mm->mmap_base) {
4099+ start_addr = addr = mm->mmap_base;
4100 mm->cached_hole_size = 0;
4101 goto full_search;
4102 }
57199397
MT		 4103 return -ENOMEM;
4104 }
4105- if (likely(!vma || addr + len <= vma->vm_start)) {
4106+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4107 /*
4108 * Remember the place where we stopped the search:
4109 */
4110@@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT		 4111 /* We do not accept a shared mapping if it would violate
4112 * cache aliasing constraints.
4113 */
4114- if ((flags & MAP_SHARED) &&
4115+ if ((filp || (flags & MAP_SHARED)) &&
4116 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4117 return -EINVAL;
4118 return addr;
57199397
MT		 4119@@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4120 addr = PAGE_ALIGN(addr);
4121
4122 vma = find_vma(mm, addr);
4123- if (task_size - len >= addr &&
4124- (!vma || addr + len <= vma->vm_start))
4125+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4126 return addr;
4127 }
4128
4129@@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4130 /* make sure it can fit in the remaining address space */
4131 if (likely(addr > len)) {
4132 vma = find_vma(mm, addr-len);
4133- if (!vma || addr <= vma->vm_start) {
4134+ if (check_heap_stack_gap(vma, addr - len, len)) {
4135 /* remember the address as a hint for next time */
4136 return (mm->free_area_cache = addr-len);
4137 }
4138@@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4139 * return with success:
4140 */
4141 vma = find_vma(mm, addr);
4142- if (likely(!vma || addr+len <= vma->vm_start)) {
4143+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4144 /* remember the address as a hint for next time */
4145 return (mm->free_area_cache = addr);
4146 }
4147@@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
ae4e228f 4148 gap == RLIM_INFINITY ||
58c5fc13
MT		 4149 sysctl_legacy_va_layout) {
4150 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4151+
4152+#ifdef CONFIG_PAX_RANDMMAP
4153+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4154+ mm->mmap_base += mm->delta_mmap;
4155+#endif
4156+
4157 mm->get_unmapped_area = arch_get_unmapped_area;
4158 mm->unmap_area = arch_unmap_area;
4159 } else {
57199397 4160@@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
58c5fc13
MT		 4161 gap = (task_size / 6 * 5);
4162
4163 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4164+
4165+#ifdef CONFIG_PAX_RANDMMAP
4166+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4167+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4168+#endif
4169+
4170 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4171 mm->unmap_area = arch_unmap_area_topdown;
4172 }
57199397
MT		 4173diff -urNp linux-2.6.35.4/arch/sparc/kernel/traps_64.c linux-2.6.35.4/arch/sparc/kernel/traps_64.c
4174--- linux-2.6.35.4/arch/sparc/kernel/traps_64.c 2010-08-26 19:47:12.000000000 -0400
4175+++ linux-2.6.35.4/arch/sparc/kernel/traps_64.c 2010-09-17 20:12:09.000000000 -0400
4176@@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
58c5fc13
MT		 4177
4178 lvl -= 0x100;
4179 if (regs->tstate & TSTATE_PRIV) {
4180+
4181+#ifdef CONFIG_PAX_REFCOUNT
4182+ if (lvl == 6)
4183+ pax_report_refcount_overflow(regs);
4184+#endif
4185+
4186 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4187 die_if_kernel(buffer, regs);
4188 }
57199397 4189@@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
58c5fc13
MT		 4190 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4191 {
4192 char buffer[32];
4193-
4194+
4195 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4196 0, lvl, SIGTRAP) == NOTIFY_STOP)
4197 return;
4198
4199+#ifdef CONFIG_PAX_REFCOUNT
4200+ if (lvl == 6)
4201+ pax_report_refcount_overflow(regs);
4202+#endif
4203+
4204 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4205
4206 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
57199397
MT		 4207diff -urNp linux-2.6.35.4/arch/sparc/lib/atomic_64.S linux-2.6.35.4/arch/sparc/lib/atomic_64.S
4208--- linux-2.6.35.4/arch/sparc/lib/atomic_64.S 2010-08-26 19:47:12.000000000 -0400
4209+++ linux-2.6.35.4/arch/sparc/lib/atomic_64.S 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 4210@@ -18,7 +18,12 @@
4211 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4212 BACKOFF_SETUP(%o2)
4213 1: lduw [%o1], %g1
4214- add %g1, %o0, %g7
4215+ addcc %g1, %o0, %g7
4216+
4217+#ifdef CONFIG_PAX_REFCOUNT
4218+ tvs %icc, 6
4219+#endif
4220+
4221 cas [%o1], %g1, %g7
4222 cmp %g1, %g7
4223 bne,pn %icc, 2f
4224@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4225 2: BACKOFF_SPIN(%o2, %o3, 1b)
4226 .size atomic_add, .-atomic_add
4227
4228+ .globl atomic_add_unchecked
4229+ .type atomic_add_unchecked,#function
4230+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4231+ BACKOFF_SETUP(%o2)
4232+1: lduw [%o1], %g1
4233+ add %g1, %o0, %g7
4234+ cas [%o1], %g1, %g7
4235+ cmp %g1, %g7
4236+ bne,pn %icc, 2f
4237+ nop
4238+ retl
4239+ nop
4240+2: BACKOFF_SPIN(%o2, %o3, 1b)
4241+ .size atomic_add_unchecked, .-atomic_add_unchecked
4242+
4243 .globl atomic_sub
4244 .type atomic_sub,#function
4245 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4246 BACKOFF_SETUP(%o2)
4247 1: lduw [%o1], %g1
4248- sub %g1, %o0, %g7
4249+ subcc %g1, %o0, %g7
4250+
4251+#ifdef CONFIG_PAX_REFCOUNT
4252+ tvs %icc, 6
4253+#endif
4254+
4255 cas [%o1], %g1, %g7
4256 cmp %g1, %g7
4257 bne,pn %icc, 2f
4258@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4259 2: BACKOFF_SPIN(%o2, %o3, 1b)
4260 .size atomic_sub, .-atomic_sub
4261
4262+ .globl atomic_sub_unchecked
4263+ .type atomic_sub_unchecked,#function
4264+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4265+ BACKOFF_SETUP(%o2)
4266+1: lduw [%o1], %g1
4267+ sub %g1, %o0, %g7
4268+ cas [%o1], %g1, %g7
4269+ cmp %g1, %g7
4270+ bne,pn %icc, 2f
4271+ nop
4272+ retl
4273+ nop
4274+2: BACKOFF_SPIN(%o2, %o3, 1b)
4275+ .size atomic_sub_unchecked, .-atomic_sub_unchecked
4276+
4277 .globl atomic_add_ret
4278 .type atomic_add_ret,#function
4279 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4280 BACKOFF_SETUP(%o2)
4281 1: lduw [%o1], %g1
4282- add %g1, %o0, %g7
4283+ addcc %g1, %o0, %g7
4284+
4285+#ifdef CONFIG_PAX_REFCOUNT
4286+ tvs %icc, 6
4287+#endif
4288+
4289 cas [%o1], %g1, %g7
4290 cmp %g1, %g7
4291 bne,pn %icc, 2f
57199397
MT		 4292@@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4293 2: BACKOFF_SPIN(%o2, %o3, 1b)
4294 .size atomic_add_ret, .-atomic_add_ret
4295
4296+ .globl atomic_add_ret_unchecked
4297+ .type atomic_add_ret_unchecked,#function
4298+atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4299+ BACKOFF_SETUP(%o2)
4300+1: lduw [%o1], %g1
4301+ addcc %g1, %o0, %g7
4302+ cas [%o1], %g1, %g7
4303+ cmp %g1, %g7
4304+ bne,pn %icc, 2f
4305+ add %g7, %o0, %g7
4306+ sra %g7, 0, %o0
4307+ retl
4308+ nop
4309+2: BACKOFF_SPIN(%o2, %o3, 1b)
4310+ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4311+
4312 .globl atomic_sub_ret
4313 .type atomic_sub_ret,#function
58c5fc13
MT		 4314 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4315 BACKOFF_SETUP(%o2)
4316 1: lduw [%o1], %g1
4317- sub %g1, %o0, %g7
4318+ subcc %g1, %o0, %g7
4319+
4320+#ifdef CONFIG_PAX_REFCOUNT
4321+ tvs %icc, 6
4322+#endif
4323+
4324 cas [%o1], %g1, %g7
4325 cmp %g1, %g7
4326 bne,pn %icc, 2f
57199397 4327@@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
58c5fc13
MT		 4328 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4329 BACKOFF_SETUP(%o2)
4330 1: ldx [%o1], %g1
4331- add %g1, %o0, %g7
4332+ addcc %g1, %o0, %g7
4333+
4334+#ifdef CONFIG_PAX_REFCOUNT
4335+ tvs %xcc, 6
4336+#endif
4337+
4338 casx [%o1], %g1, %g7
4339 cmp %g1, %g7
4340 bne,pn %xcc, 2f
57199397 4341@@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
ae4e228f
MT		 4342 2: BACKOFF_SPIN(%o2, %o3, 1b)
4343 .size atomic64_add, .-atomic64_add
4344
4345+ .globl atomic64_add_unchecked
4346+ .type atomic64_add_unchecked,#function
4347+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4348+ BACKOFF_SETUP(%o2)
4349+1: ldx [%o1], %g1
4350+ addcc %g1, %o0, %g7
4351+ casx [%o1], %g1, %g7
4352+ cmp %g1, %g7
4353+ bne,pn %xcc, 2f
4354+ nop
4355+ retl
4356+ nop
4357+2: BACKOFF_SPIN(%o2, %o3, 1b)
4358+ .size atomic64_add_unchecked, .-atomic64_add_unchecked
4359+
4360 .globl atomic64_sub
4361 .type atomic64_sub,#function
58c5fc13
MT		 4362 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4363 BACKOFF_SETUP(%o2)
4364 1: ldx [%o1], %g1
4365- sub %g1, %o0, %g7
4366+ subcc %g1, %o0, %g7
4367+
4368+#ifdef CONFIG_PAX_REFCOUNT
4369+ tvs %xcc, 6
4370+#endif
4371+
4372 casx [%o1], %g1, %g7
4373 cmp %g1, %g7
4374 bne,pn %xcc, 2f
57199397 4375@@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
df50ba0c
MT		 4376 2: BACKOFF_SPIN(%o2, %o3, 1b)
4377 .size atomic64_sub, .-atomic64_sub
4378
4379+ .globl atomic64_sub_unchecked
4380+ .type atomic64_sub_unchecked,#function
4381+atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4382+ BACKOFF_SETUP(%o2)
4383+1: ldx [%o1], %g1
4384+ subcc %g1, %o0, %g7
4385+ casx [%o1], %g1, %g7
4386+ cmp %g1, %g7
4387+ bne,pn %xcc, 2f
4388+ nop
4389+ retl
4390+ nop
4391+2: BACKOFF_SPIN(%o2, %o3, 1b)
4392+ .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4393+
4394 .globl atomic64_add_ret
4395 .type atomic64_add_ret,#function
58c5fc13
MT		 4396 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4397 BACKOFF_SETUP(%o2)
4398 1: ldx [%o1], %g1
4399- add %g1, %o0, %g7
4400+ addcc %g1, %o0, %g7
4401+
4402+#ifdef CONFIG_PAX_REFCOUNT
4403+ tvs %xcc, 6
4404+#endif
4405+
4406 casx [%o1], %g1, %g7
4407 cmp %g1, %g7
4408 bne,pn %xcc, 2f
57199397 4409@@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
ae4e228f
MT		 4410 2: BACKOFF_SPIN(%o2, %o3, 1b)
4411 .size atomic64_add_ret, .-atomic64_add_ret
4412
4413+ .globl atomic64_add_ret_unchecked
4414+ .type atomic64_add_ret_unchecked,#function
4415+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4416+ BACKOFF_SETUP(%o2)
4417+1: ldx [%o1], %g1
4418+ addcc %g1, %o0, %g7
4419+ casx [%o1], %g1, %g7
4420+ cmp %g1, %g7
4421+ bne,pn %xcc, 2f
4422+ add %g7, %o0, %g7
4423+ mov %g7, %o0
4424+ retl
4425+ nop
4426+2: BACKOFF_SPIN(%o2, %o3, 1b)
4427+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4428+
4429 .globl atomic64_sub_ret
4430 .type atomic64_sub_ret,#function
58c5fc13
MT		 4431 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4432 BACKOFF_SETUP(%o2)
4433 1: ldx [%o1], %g1
4434- sub %g1, %o0, %g7
4435+ subcc %g1, %o0, %g7
4436+
4437+#ifdef CONFIG_PAX_REFCOUNT
4438+ tvs %xcc, 6
4439+#endif
4440+
4441 casx [%o1], %g1, %g7
4442 cmp %g1, %g7
4443 bne,pn %xcc, 2f
57199397
MT		 4444diff -urNp linux-2.6.35.4/arch/sparc/lib/ksyms.c linux-2.6.35.4/arch/sparc/lib/ksyms.c
4445--- linux-2.6.35.4/arch/sparc/lib/ksyms.c 2010-08-26 19:47:12.000000000 -0400
4446+++ linux-2.6.35.4/arch/sparc/lib/ksyms.c 2010-09-17 20:12:09.000000000 -0400
4447@@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
58c5fc13
MT		 4448
4449 /* Atomic counter implementation. */
4450 EXPORT_SYMBOL(atomic_add);
4451+EXPORT_SYMBOL(atomic_add_unchecked);
4452 EXPORT_SYMBOL(atomic_add_ret);
4453 EXPORT_SYMBOL(atomic_sub);
4454+EXPORT_SYMBOL(atomic_sub_unchecked);
4455 EXPORT_SYMBOL(atomic_sub_ret);
4456 EXPORT_SYMBOL(atomic64_add);
57199397 4457+EXPORT_SYMBOL(atomic64_add_unchecked);
58c5fc13 4458 EXPORT_SYMBOL(atomic64_add_ret);
57199397 4459+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
df50ba0c
MT		 4460 EXPORT_SYMBOL(atomic64_sub);
4461+EXPORT_SYMBOL(atomic64_sub_unchecked);
4462 EXPORT_SYMBOL(atomic64_sub_ret);
4463
4464 /* Atomic bit operations. */
57199397
MT		 4465diff -urNp linux-2.6.35.4/arch/sparc/lib/rwsem_64.S linux-2.6.35.4/arch/sparc/lib/rwsem_64.S
4466--- linux-2.6.35.4/arch/sparc/lib/rwsem_64.S 2010-08-26 19:47:12.000000000 -0400
4467+++ linux-2.6.35.4/arch/sparc/lib/rwsem_64.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 4468@@ -11,7 +11,12 @@
4469 .globl __down_read
4470 __down_read:
4471 1: lduw [%o0], %g1
4472- add %g1, 1, %g7
4473+ addcc %g1, 1, %g7
4474+
4475+#ifdef CONFIG_PAX_REFCOUNT
4476+ tvs %icc, 6
4477+#endif
4478+
4479 cas [%o0], %g1, %g7
4480 cmp %g1, %g7
4481 bne,pn %icc, 1b
4482@@ -33,7 +38,12 @@ __down_read:
4483 .globl __down_read_trylock
4484 __down_read_trylock:
4485 1: lduw [%o0], %g1
4486- add %g1, 1, %g7
4487+ addcc %g1, 1, %g7
4488+
4489+#ifdef CONFIG_PAX_REFCOUNT
4490+ tvs %icc, 6
4491+#endif
4492+
4493 cmp %g7, 0
4494 bl,pn %icc, 2f
4495 mov 0, %o1
4496@@ -51,7 +61,12 @@ __down_write:
4497 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4498 1:
4499 lduw [%o0], %g3
4500- add %g3, %g1, %g7
4501+ addcc %g3, %g1, %g7
4502+
4503+#ifdef CONFIG_PAX_REFCOUNT
4504+ tvs %icc, 6
4505+#endif
4506+
4507 cas [%o0], %g3, %g7
4508 cmp %g3, %g7
4509 bne,pn %icc, 1b
4510@@ -77,7 +92,12 @@ __down_write_trylock:
4511 cmp %g3, 0
4512 bne,pn %icc, 2f
4513 mov 0, %o1
4514- add %g3, %g1, %g7
4515+ addcc %g3, %g1, %g7
4516+
4517+#ifdef CONFIG_PAX_REFCOUNT
4518+ tvs %icc, 6
4519+#endif
4520+
4521 cas [%o0], %g3, %g7
4522 cmp %g3, %g7
4523 bne,pn %icc, 1b
4524@@ -90,7 +110,12 @@ __down_write_trylock:
4525 __up_read:
4526 1:
4527 lduw [%o0], %g1
4528- sub %g1, 1, %g7
4529+ subcc %g1, 1, %g7
4530+
4531+#ifdef CONFIG_PAX_REFCOUNT
4532+ tvs %icc, 6
4533+#endif
4534+
4535 cas [%o0], %g1, %g7
4536 cmp %g1, %g7
4537 bne,pn %icc, 1b
4538@@ -118,7 +143,12 @@ __up_write:
4539 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4540 1:
4541 lduw [%o0], %g3
4542- sub %g3, %g1, %g7
4543+ subcc %g3, %g1, %g7
4544+
4545+#ifdef CONFIG_PAX_REFCOUNT
4546+ tvs %icc, 6
4547+#endif
4548+
4549 cas [%o0], %g3, %g7
4550 cmp %g3, %g7
4551 bne,pn %icc, 1b
4552@@ -143,7 +173,12 @@ __downgrade_write:
4553 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4554 1:
4555 lduw [%o0], %g3
4556- sub %g3, %g1, %g7
4557+ subcc %g3, %g1, %g7
4558+
4559+#ifdef CONFIG_PAX_REFCOUNT
4560+ tvs %icc, 6
4561+#endif
4562+
4563 cas [%o0], %g3, %g7
4564 cmp %g3, %g7
4565 bne,pn %icc, 1b
57199397
MT		 4566diff -urNp linux-2.6.35.4/arch/sparc/Makefile linux-2.6.35.4/arch/sparc/Makefile
4567--- linux-2.6.35.4/arch/sparc/Makefile 2010-08-26 19:47:12.000000000 -0400
4568+++ linux-2.6.35.4/arch/sparc/Makefile 2010-09-17 20:12:37.000000000 -0400
4569@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4570 # Export what is needed by arch/sparc/boot/Makefile
4571 export VMLINUX_INIT VMLINUX_MAIN
4572 VMLINUX_INIT := $(head-y) $(init-y)
4573-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4574+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4575 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4576 VMLINUX_MAIN += $(drivers-y) $(net-y)
efbe55a5 4577
57199397
MT		 4578diff -urNp linux-2.6.35.4/arch/sparc/mm/fault_32.c linux-2.6.35.4/arch/sparc/mm/fault_32.c
4579--- linux-2.6.35.4/arch/sparc/mm/fault_32.c 2010-08-26 19:47:12.000000000 -0400
4580+++ linux-2.6.35.4/arch/sparc/mm/fault_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 4581@@ -22,6 +22,9 @@
58c5fc13
MT		 4582 #include <linux/interrupt.h>
4583 #include <linux/module.h>
4584 #include <linux/kdebug.h>
4585+#include <linux/slab.h>
4586+#include <linux/pagemap.h>
4587+#include <linux/compiler.h>
4588
4589 #include <asm/system.h>
4590 #include <asm/page.h>
df50ba0c 4591@@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
58c5fc13
MT		 4592 return safe_compute_effective_address(regs, insn);
4593 }
4594
4595+#ifdef CONFIG_PAX_PAGEEXEC
4596+#ifdef CONFIG_PAX_DLRESOLVE
ae4e228f 4597+static void pax_emuplt_close(struct vm_area_struct *vma)
58c5fc13
MT		 4598+{
4599+ vma->vm_mm->call_dl_resolve = 0UL;
4600+}
4601+
4602+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4603+{
4604+ unsigned int *kaddr;
4605+
4606+ vmf->page = alloc_page(GFP_HIGHUSER);
4607+ if (!vmf->page)
4608+ return VM_FAULT_OOM;
4609+
4610+ kaddr = kmap(vmf->page);
4611+ memset(kaddr, 0, PAGE_SIZE);
4612+ kaddr[0] = 0x9DE3BFA8U; /* save */
4613+ flush_dcache_page(vmf->page);
4614+ kunmap(vmf->page);
4615+ return VM_FAULT_MAJOR;
4616+}
4617+
4618+static const struct vm_operations_struct pax_vm_ops = {
4619+ .close = pax_emuplt_close,
4620+ .fault = pax_emuplt_fault
4621+};
4622+
4623+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4624+{
4625+ int ret;
4626+
df50ba0c 4627+ INIT_LIST_HEAD(&vma->anon_vma_chain);
58c5fc13
MT		 4628+ vma->vm_mm = current->mm;
4629+ vma->vm_start = addr;
4630+ vma->vm_end = addr + PAGE_SIZE;
4631+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4632+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4633+ vma->vm_ops = &pax_vm_ops;
4634+
4635+ ret = insert_vm_struct(current->mm, vma);
4636+ if (ret)
4637+ return ret;
4638+
4639+ ++current->mm->total_vm;
4640+ return 0;
4641+}
4642+#endif
4643+
4644+/*
4645+ * PaX: decide what to do with offenders (regs->pc = fault address)
4646+ *
4647+ * returns 1 when task should be killed
4648+ * 2 when patched PLT trampoline was detected
4649+ * 3 when unpatched PLT trampoline was detected
4650+ */
4651+static int pax_handle_fetch_fault(struct pt_regs *regs)
4652+{
4653+
4654+#ifdef CONFIG_PAX_EMUPLT
4655+ int err;
4656+
4657+ do { /* PaX: patched PLT emulation #1 */
4658+ unsigned int sethi1, sethi2, jmpl;
4659+
4660+ err = get_user(sethi1, (unsigned int *)regs->pc);
4661+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4662+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4663+
4664+ if (err)
4665+ break;
4666+
4667+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4668+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4669+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4670+ {
4671+ unsigned int addr;
4672+
4673+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4674+ addr = regs->u_regs[UREG_G1];
4675+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4676+ regs->pc = addr;
4677+ regs->npc = addr+4;
4678+ return 2;
4679+ }
4680+ } while (0);
4681+
4682+ { /* PaX: patched PLT emulation #2 */
4683+ unsigned int ba;
4684+
4685+ err = get_user(ba, (unsigned int *)regs->pc);
4686+
4687+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4688+ unsigned int addr;
4689+
4690+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4691+ regs->pc = addr;
4692+ regs->npc = addr+4;
4693+ return 2;
4694+ }
4695+ }
4696+
4697+ do { /* PaX: patched PLT emulation #3 */
4698+ unsigned int sethi, jmpl, nop;
4699+
4700+ err = get_user(sethi, (unsigned int *)regs->pc);
4701+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4702+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4703+
4704+ if (err)
4705+ break;
4706+
4707+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4708+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4709+ nop == 0x01000000U)
4710+ {
4711+ unsigned int addr;
4712+
4713+ addr = (sethi & 0x003FFFFFU) << 10;
4714+ regs->u_regs[UREG_G1] = addr;
4715+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4716+ regs->pc = addr;
4717+ regs->npc = addr+4;
4718+ return 2;
4719+ }
4720+ } while (0);
4721+
4722+ do { /* PaX: unpatched PLT emulation step 1 */
4723+ unsigned int sethi, ba, nop;
4724+
4725+ err = get_user(sethi, (unsigned int *)regs->pc);
4726+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
4727+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4728+
4729+ if (err)
4730+ break;
4731+
4732+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4733+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4734+ nop == 0x01000000U)
4735+ {
4736+ unsigned int addr, save, call;
4737+
4738+ if ((ba & 0xFFC00000U) == 0x30800000U)
4739+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4740+ else
4741+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4742+
4743+ err = get_user(save, (unsigned int *)addr);
4744+ err |= get_user(call, (unsigned int *)(addr+4));
4745+ err |= get_user(nop, (unsigned int *)(addr+8));
4746+ if (err)
4747+ break;
4748+
4749+#ifdef CONFIG_PAX_DLRESOLVE
4750+ if (save == 0x9DE3BFA8U &&
4751+ (call & 0xC0000000U) == 0x40000000U &&
4752+ nop == 0x01000000U)
4753+ {
4754+ struct vm_area_struct *vma;
4755+ unsigned long call_dl_resolve;
4756+
4757+ down_read(&current->mm->mmap_sem);
4758+ call_dl_resolve = current->mm->call_dl_resolve;
4759+ up_read(&current->mm->mmap_sem);
4760+ if (likely(call_dl_resolve))
4761+ goto emulate;
4762+
4763+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4764+
4765+ down_write(&current->mm->mmap_sem);
4766+ if (current->mm->call_dl_resolve) {
4767+ call_dl_resolve = current->mm->call_dl_resolve;
4768+ up_write(&current->mm->mmap_sem);
4769+ if (vma)
4770+ kmem_cache_free(vm_area_cachep, vma);
4771+ goto emulate;
4772+ }
4773+
4774+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4775+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4776+ up_write(&current->mm->mmap_sem);
4777+ if (vma)
4778+ kmem_cache_free(vm_area_cachep, vma);
4779+ return 1;
4780+ }
4781+
4782+ if (pax_insert_vma(vma, call_dl_resolve)) {
4783+ up_write(&current->mm->mmap_sem);
4784+ kmem_cache_free(vm_area_cachep, vma);
4785+ return 1;
4786+ }
4787+
4788+ current->mm->call_dl_resolve = call_dl_resolve;
4789+ up_write(&current->mm->mmap_sem);
4790+
4791+emulate:
4792+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4793+ regs->pc = call_dl_resolve;
4794+ regs->npc = addr+4;
4795+ return 3;
4796+ }
4797+#endif
4798+
4799+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4800+ if ((save & 0xFFC00000U) == 0x05000000U &&
4801+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4802+ nop == 0x01000000U)
4803+ {
4804+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4805+ regs->u_regs[UREG_G2] = addr + 4;
4806+ addr = (save & 0x003FFFFFU) << 10;
4807+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4808+ regs->pc = addr;
4809+ regs->npc = addr+4;
4810+ return 3;
4811+ }
4812+ }
4813+ } while (0);
4814+
4815+ do { /* PaX: unpatched PLT emulation step 2 */
4816+ unsigned int save, call, nop;
4817+
4818+ err = get_user(save, (unsigned int *)(regs->pc-4));
4819+ err |= get_user(call, (unsigned int *)regs->pc);
4820+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
4821+ if (err)
4822+ break;
4823+
4824+ if (save == 0x9DE3BFA8U &&
4825+ (call & 0xC0000000U) == 0x40000000U &&
4826+ nop == 0x01000000U)
4827+ {
4828+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4829+
4830+ regs->u_regs[UREG_RETPC] = regs->pc;
4831+ regs->pc = dl_resolve;
4832+ regs->npc = dl_resolve+4;
4833+ return 3;
4834+ }
4835+ } while (0);
4836+#endif
4837+
4838+ return 1;
4839+}
4840+
4841+void pax_report_insns(void *pc, void *sp)
4842+{
4843+ unsigned long i;
4844+
4845+ printk(KERN_ERR "PAX: bytes at PC: ");
ae4e228f 4846+ for (i = 0; i < 8; i++) {
58c5fc13
MT		 4847+ unsigned int c;
4848+ if (get_user(c, (unsigned int *)pc+i))
4849+ printk(KERN_CONT "???????? ");
4850+ else
4851+ printk(KERN_CONT "%08x ", c);
4852+ }
4853+ printk("\n");
4854+}
4855+#endif
4856+
df50ba0c
MT		 4857 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4858 int text_fault)
58c5fc13 4859 {
df50ba0c 4860@@ -282,6 +547,24 @@ good_area:
58c5fc13
MT		 4861 if(!(vma->vm_flags & VM_WRITE))
4862 goto bad_area;
4863 } else {
4864+
4865+#ifdef CONFIG_PAX_PAGEEXEC
4866+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4867+ up_read(&mm->mmap_sem);
4868+ switch (pax_handle_fetch_fault(regs)) {
4869+
4870+#ifdef CONFIG_PAX_EMUPLT
4871+ case 2:
4872+ case 3:
4873+ return;
4874+#endif
4875+
4876+ }
4877+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4878+ do_group_exit(SIGKILL);
4879+ }
4880+#endif
4881+
4882 /* Allow reads even for write-only mappings */
4883 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4884 goto bad_area;
57199397
MT		 4885diff -urNp linux-2.6.35.4/arch/sparc/mm/fault_64.c linux-2.6.35.4/arch/sparc/mm/fault_64.c
4886--- linux-2.6.35.4/arch/sparc/mm/fault_64.c 2010-08-26 19:47:12.000000000 -0400
4887+++ linux-2.6.35.4/arch/sparc/mm/fault_64.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 4888@@ -21,6 +21,9 @@
58c5fc13
MT		 4889 #include <linux/kprobes.h>
4890 #include <linux/kdebug.h>
4891 #include <linux/percpu.h>
4892+#include <linux/slab.h>
4893+#include <linux/pagemap.h>
4894+#include <linux/compiler.h>
4895
4896 #include <asm/page.h>
4897 #include <asm/pgtable.h>
df50ba0c 4898@@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
58c5fc13
MT		 4899 show_regs(regs);
4900 }
4901
4902+#ifdef CONFIG_PAX_PAGEEXEC
4903+#ifdef CONFIG_PAX_DLRESOLVE
4904+static void pax_emuplt_close(struct vm_area_struct *vma)
4905+{
4906+ vma->vm_mm->call_dl_resolve = 0UL;
4907+}
4908+
4909+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4910+{
4911+ unsigned int *kaddr;
4912+
4913+ vmf->page = alloc_page(GFP_HIGHUSER);
4914+ if (!vmf->page)
4915+ return VM_FAULT_OOM;
4916+
4917+ kaddr = kmap(vmf->page);
4918+ memset(kaddr, 0, PAGE_SIZE);
4919+ kaddr[0] = 0x9DE3BFA8U; /* save */
4920+ flush_dcache_page(vmf->page);
4921+ kunmap(vmf->page);
4922+ return VM_FAULT_MAJOR;
4923+}
4924+
4925+static const struct vm_operations_struct pax_vm_ops = {
4926+ .close = pax_emuplt_close,
4927+ .fault = pax_emuplt_fault
4928+};
4929+
4930+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4931+{
4932+ int ret;
4933+
df50ba0c 4934+ INIT_LIST_HEAD(&vma->anon_vma_chain);
58c5fc13
MT		 4935+ vma->vm_mm = current->mm;
4936+ vma->vm_start = addr;
4937+ vma->vm_end = addr + PAGE_SIZE;
4938+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4939+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4940+ vma->vm_ops = &pax_vm_ops;
4941+
4942+ ret = insert_vm_struct(current->mm, vma);
4943+ if (ret)
4944+ return ret;
4945+
4946+ ++current->mm->total_vm;
4947+ return 0;
4948+}
4949+#endif
4950+
4951+/*
4952+ * PaX: decide what to do with offenders (regs->tpc = fault address)
4953+ *
4954+ * returns 1 when task should be killed
4955+ * 2 when patched PLT trampoline was detected
4956+ * 3 when unpatched PLT trampoline was detected
4957+ */
4958+static int pax_handle_fetch_fault(struct pt_regs *regs)
4959+{
4960+
4961+#ifdef CONFIG_PAX_EMUPLT
4962+ int err;
4963+
4964+ do { /* PaX: patched PLT emulation #1 */
4965+ unsigned int sethi1, sethi2, jmpl;
4966+
4967+ err = get_user(sethi1, (unsigned int *)regs->tpc);
4968+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4969+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4970+
4971+ if (err)
4972+ break;
4973+
4974+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4975+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4976+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4977+ {
4978+ unsigned long addr;
4979+
4980+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4981+ addr = regs->u_regs[UREG_G1];
4982+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4983+
4984+ if (test_thread_flag(TIF_32BIT))
4985+ addr &= 0xFFFFFFFFUL;
4986+
4987+ regs->tpc = addr;
4988+ regs->tnpc = addr+4;
4989+ return 2;
4990+ }
4991+ } while (0);
4992+
4993+ { /* PaX: patched PLT emulation #2 */
4994+ unsigned int ba;
4995+
4996+ err = get_user(ba, (unsigned int *)regs->tpc);
4997+
4998+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4999+ unsigned long addr;
5000+
5001+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5002+
5003+ if (test_thread_flag(TIF_32BIT))
5004+ addr &= 0xFFFFFFFFUL;
5005+
5006+ regs->tpc = addr;
5007+ regs->tnpc = addr+4;
5008+ return 2;
5009+ }
5010+ }
5011+
5012+ do { /* PaX: patched PLT emulation #3 */
5013+ unsigned int sethi, jmpl, nop;
5014+
5015+ err = get_user(sethi, (unsigned int *)regs->tpc);
5016+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5017+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5018+
5019+ if (err)
5020+ break;
5021+
5022+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5023+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5024+ nop == 0x01000000U)
5025+ {
5026+ unsigned long addr;
5027+
5028+ addr = (sethi & 0x003FFFFFU) << 10;
5029+ regs->u_regs[UREG_G1] = addr;
5030+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5031+
5032+ if (test_thread_flag(TIF_32BIT))
5033+ addr &= 0xFFFFFFFFUL;
5034+
5035+ regs->tpc = addr;
5036+ regs->tnpc = addr+4;
5037+ return 2;
5038+ }
5039+ } while (0);
5040+
5041+ do { /* PaX: patched PLT emulation #4 */
ae4e228f 5042+ unsigned int sethi, mov1, call, mov2;
58c5fc13 5043+
ae4e228f
MT		 5044+ err = get_user(sethi, (unsigned int *)regs->tpc);
5045+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5046+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
5047+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
58c5fc13
MT		 5048+
5049+ if (err)
5050+ break;
5051+
ae4e228f
MT		 5052+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5053+ mov1 == 0x8210000FU &&
58c5fc13
MT		 5054+ (call & 0xC0000000U) == 0x40000000U &&
5055+ mov2 == 0x9E100001U)
5056+ {
5057+ unsigned long addr;
5058+
5059+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5060+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5061+
5062+ if (test_thread_flag(TIF_32BIT))
5063+ addr &= 0xFFFFFFFFUL;
5064+
5065+ regs->tpc = addr;
5066+ regs->tnpc = addr+4;
5067+ return 2;
5068+ }
5069+ } while (0);
5070+
5071+ do { /* PaX: patched PLT emulation #5 */
ae4e228f 5072+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
58c5fc13 5073+
ae4e228f
MT		 5074+ err = get_user(sethi, (unsigned int *)regs->tpc);
5075+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5076+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5077+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5078+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5079+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5080+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5081+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
58c5fc13
MT		 5082+
5083+ if (err)
5084+ break;
5085+
ae4e228f
MT		 5086+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5087+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
58c5fc13
MT		 5088+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5089+ (or1 & 0xFFFFE000U) == 0x82106000U &&
5090+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
ae4e228f 5091+ sllx == 0x83287020U &&
58c5fc13
MT		 5092+ jmpl == 0x81C04005U &&
5093+ nop == 0x01000000U)
5094+ {
5095+ unsigned long addr;
5096+
5097+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5098+ regs->u_regs[UREG_G1] <<= 32;
5099+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5100+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5101+ regs->tpc = addr;
5102+ regs->tnpc = addr+4;
5103+ return 2;
5104+ }
5105+ } while (0);
5106+
5107+ do { /* PaX: patched PLT emulation #6 */
ae4e228f 5108+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
58c5fc13 5109+
ae4e228f
MT		 5110+ err = get_user(sethi, (unsigned int *)regs->tpc);
5111+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5112+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5113+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5114+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
5115+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5116+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
58c5fc13
MT		 5117+
5118+ if (err)
5119+ break;
5120+
ae4e228f
MT		 5121+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5122+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
58c5fc13 5123+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
ae4e228f 5124+ sllx == 0x83287020U &&
58c5fc13
MT		 5125+ (or & 0xFFFFE000U) == 0x8A116000U &&
5126+ jmpl == 0x81C04005U &&
5127+ nop == 0x01000000U)
5128+ {
5129+ unsigned long addr;
5130+
5131+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5132+ regs->u_regs[UREG_G1] <<= 32;
5133+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5134+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5135+ regs->tpc = addr;
5136+ regs->tnpc = addr+4;
5137+ return 2;
5138+ }
5139+ } while (0);
5140+
5141+ do { /* PaX: unpatched PLT emulation step 1 */
5142+ unsigned int sethi, ba, nop;
5143+
5144+ err = get_user(sethi, (unsigned int *)regs->tpc);
5145+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5146+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5147+
5148+ if (err)
5149+ break;
5150+
5151+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5152+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5153+ nop == 0x01000000U)
5154+ {
5155+ unsigned long addr;
5156+ unsigned int save, call;
ae4e228f 5157+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
58c5fc13
MT		 5158+
5159+ if ((ba & 0xFFC00000U) == 0x30800000U)
5160+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5161+ else
5162+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5163+
5164+ if (test_thread_flag(TIF_32BIT))
5165+ addr &= 0xFFFFFFFFUL;
5166+
5167+ err = get_user(save, (unsigned int *)addr);
5168+ err |= get_user(call, (unsigned int *)(addr+4));
5169+ err |= get_user(nop, (unsigned int *)(addr+8));
5170+ if (err)
5171+ break;
5172+
5173+#ifdef CONFIG_PAX_DLRESOLVE
5174+ if (save == 0x9DE3BFA8U &&
5175+ (call & 0xC0000000U) == 0x40000000U &&
5176+ nop == 0x01000000U)
5177+ {
5178+ struct vm_area_struct *vma;
5179+ unsigned long call_dl_resolve;
5180+
5181+ down_read(&current->mm->mmap_sem);
5182+ call_dl_resolve = current->mm->call_dl_resolve;
5183+ up_read(&current->mm->mmap_sem);
5184+ if (likely(call_dl_resolve))
5185+ goto emulate;
5186+
5187+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5188+
5189+ down_write(&current->mm->mmap_sem);
5190+ if (current->mm->call_dl_resolve) {
5191+ call_dl_resolve = current->mm->call_dl_resolve;
5192+ up_write(&current->mm->mmap_sem);
5193+ if (vma)
5194+ kmem_cache_free(vm_area_cachep, vma);
5195+ goto emulate;
5196+ }
5197+
5198+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5199+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5200+ up_write(&current->mm->mmap_sem);
5201+ if (vma)
5202+ kmem_cache_free(vm_area_cachep, vma);
5203+ return 1;
5204+ }
5205+
5206+ if (pax_insert_vma(vma, call_dl_resolve)) {
5207+ up_write(&current->mm->mmap_sem);
5208+ kmem_cache_free(vm_area_cachep, vma);
5209+ return 1;
5210+ }
5211+
5212+ current->mm->call_dl_resolve = call_dl_resolve;
5213+ up_write(&current->mm->mmap_sem);
5214+
5215+emulate:
5216+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5217+ regs->tpc = call_dl_resolve;
5218+ regs->tnpc = addr+4;
5219+ return 3;
5220+ }
5221+#endif
5222+
5223+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5224+ if ((save & 0xFFC00000U) == 0x05000000U &&
5225+ (call & 0xFFFFE000U) == 0x85C0A000U &&
5226+ nop == 0x01000000U)
5227+ {
5228+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5229+ regs->u_regs[UREG_G2] = addr + 4;
5230+ addr = (save & 0x003FFFFFU) << 10;
5231+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5232+
5233+ if (test_thread_flag(TIF_32BIT))
5234+ addr &= 0xFFFFFFFFUL;
5235+
5236+ regs->tpc = addr;
5237+ regs->tnpc = addr+4;
5238+ return 3;
5239+ }
ae4e228f
MT		 5240+
5241+ /* PaX: 64-bit PLT stub */
5242+ err = get_user(sethi1, (unsigned int *)addr);
5243+ err |= get_user(sethi2, (unsigned int *)(addr+4));
5244+ err |= get_user(or1, (unsigned int *)(addr+8));
5245+ err |= get_user(or2, (unsigned int *)(addr+12));
5246+ err |= get_user(sllx, (unsigned int *)(addr+16));
5247+ err |= get_user(add, (unsigned int *)(addr+20));
5248+ err |= get_user(jmpl, (unsigned int *)(addr+24));
5249+ err |= get_user(nop, (unsigned int *)(addr+28));
5250+ if (err)
5251+ break;
5252+
5253+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5254+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5255+ (or1 & 0xFFFFE000U) == 0x88112000U &&
5256+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
5257+ sllx == 0x89293020U &&
5258+ add == 0x8A010005U &&
5259+ jmpl == 0x89C14000U &&
5260+ nop == 0x01000000U)
5261+ {
5262+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5263+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5264+ regs->u_regs[UREG_G4] <<= 32;
5265+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5266+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5267+ regs->u_regs[UREG_G4] = addr + 24;
5268+ addr = regs->u_regs[UREG_G5];
5269+ regs->tpc = addr;
5270+ regs->tnpc = addr+4;
5271+ return 3;
5272+ }
58c5fc13
MT		 5273+ }
5274+ } while (0);
5275+
5276+#ifdef CONFIG_PAX_DLRESOLVE
5277+ do { /* PaX: unpatched PLT emulation step 2 */
5278+ unsigned int save, call, nop;
5279+
5280+ err = get_user(save, (unsigned int *)(regs->tpc-4));
5281+ err |= get_user(call, (unsigned int *)regs->tpc);
5282+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5283+ if (err)
5284+ break;
5285+
5286+ if (save == 0x9DE3BFA8U &&
5287+ (call & 0xC0000000U) == 0x40000000U &&
5288+ nop == 0x01000000U)
5289+ {
5290+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5291+
5292+ if (test_thread_flag(TIF_32BIT))
5293+ dl_resolve &= 0xFFFFFFFFUL;
5294+
5295+ regs->u_regs[UREG_RETPC] = regs->tpc;
5296+ regs->tpc = dl_resolve;
5297+ regs->tnpc = dl_resolve+4;
5298+ return 3;
5299+ }
5300+ } while (0);
5301+#endif
5302+
5303+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5304+ unsigned int sethi, ba, nop;
5305+
5306+ err = get_user(sethi, (unsigned int *)regs->tpc);
5307+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5308+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5309+
5310+ if (err)
5311+ break;
5312+
5313+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5314+ (ba & 0xFFF00000U) == 0x30600000U &&
5315+ nop == 0x01000000U)
5316+ {
5317+ unsigned long addr;
5318+
5319+ addr = (sethi & 0x003FFFFFU) << 10;
5320+ regs->u_regs[UREG_G1] = addr;
5321+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5322+
5323+ if (test_thread_flag(TIF_32BIT))
5324+ addr &= 0xFFFFFFFFUL;
5325+
5326+ regs->tpc = addr;
5327+ regs->tnpc = addr+4;
5328+ return 2;
5329+ }
5330+ } while (0);
5331+
5332+#endif
5333+
5334+ return 1;
5335+}
5336+
5337+void pax_report_insns(void *pc, void *sp)
5338+{
5339+ unsigned long i;
5340+
5341+ printk(KERN_ERR "PAX: bytes at PC: ");
ae4e228f 5342+ for (i = 0; i < 8; i++) {
58c5fc13
MT		 5343+ unsigned int c;
5344+ if (get_user(c, (unsigned int *)pc+i))
5345+ printk(KERN_CONT "???????? ");
5346+ else
5347+ printk(KERN_CONT "%08x ", c);
5348+ }
5349+ printk("\n");
5350+}
5351+#endif
5352+
5353 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5354 {
5355 struct mm_struct *mm = current->mm;
df50ba0c 5356@@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
58c5fc13
MT		 5357 if (!vma)
5358 goto bad_area;
5359
5360+#ifdef CONFIG_PAX_PAGEEXEC
5361+ /* PaX: detect ITLB misses on non-exec pages */
5362+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5363+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5364+ {
5365+ if (address != regs->tpc)
5366+ goto good_area;
5367+
5368+ up_read(&mm->mmap_sem);
5369+ switch (pax_handle_fetch_fault(regs)) {
5370+
5371+#ifdef CONFIG_PAX_EMUPLT
5372+ case 2:
5373+ case 3:
5374+ return;
5375+#endif
5376+
5377+ }
5378+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5379+ do_group_exit(SIGKILL);
5380+ }
5381+#endif
5382+
5383 /* Pure DTLB misses do not tell us whether the fault causing
5384 * load/store/atomic was a write or not, it only says that there
5385 * was no match. So in such a case we (carefully) read the
57199397
MT		 5386diff -urNp linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c
5387--- linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
5388+++ linux-2.6.35.4/arch/sparc/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
5389@@ -68,7 +68,7 @@ full_search:
5390 }
5391 return -ENOMEM;
5392 }
5393- if (likely(!vma || addr + len <= vma->vm_start)) {
5394+ if (likely(check_heap_stack_gap(vma, addr, len))) {
5395 /*
5396 * Remember the place where we stopped the search:
5397 */
5398@@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5399 /* make sure it can fit in the remaining address space */
5400 if (likely(addr > len)) {
5401 vma = find_vma(mm, addr-len);
5402- if (!vma || addr <= vma->vm_start) {
5403+ if (check_heap_stack_gap(vma, addr - len, len)) {
5404 /* remember the address as a hint for next time */
5405 return (mm->free_area_cache = addr-len);
5406 }
5407@@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5408 * return with success:
5409 */
5410 vma = find_vma(mm, addr);
5411- if (likely(!vma || addr+len <= vma->vm_start)) {
5412+ if (likely(check_heap_stack_gap(vma, addr, len))) {
5413 /* remember the address as a hint for next time */
5414 return (mm->free_area_cache = addr);
5415 }
5416@@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5417 if (addr) {
5418 addr = ALIGN(addr, HPAGE_SIZE);
5419 vma = find_vma(mm, addr);
5420- if (task_size - len >= addr &&
5421- (!vma || addr + len <= vma->vm_start))
5422+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5423 return addr;
5424 }
5425 if (mm->get_unmapped_area == arch_get_unmapped_area)
5426diff -urNp linux-2.6.35.4/arch/sparc/mm/init_32.c linux-2.6.35.4/arch/sparc/mm/init_32.c
5427--- linux-2.6.35.4/arch/sparc/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
5428+++ linux-2.6.35.4/arch/sparc/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 5429@@ -318,6 +318,9 @@ extern void device_scan(void);
58c5fc13
MT		 5430 pgprot_t PAGE_SHARED __read_mostly;
5431 EXPORT_SYMBOL(PAGE_SHARED);
5432
5433+pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5434+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5435+
5436 void __init paging_init(void)
5437 {
5438 switch(sparc_cpu_model) {
df50ba0c 5439@@ -346,17 +349,17 @@ void __init paging_init(void)
58c5fc13
MT		 5440
5441 /* Initialize the protection map with non-constant, MMU dependent values. */
5442 protection_map[0] = PAGE_NONE;
5443- protection_map[1] = PAGE_READONLY;
5444- protection_map[2] = PAGE_COPY;
5445- protection_map[3] = PAGE_COPY;
5446+ protection_map[1] = PAGE_READONLY_NOEXEC;
5447+ protection_map[2] = PAGE_COPY_NOEXEC;
5448+ protection_map[3] = PAGE_COPY_NOEXEC;
5449 protection_map[4] = PAGE_READONLY;
5450 protection_map[5] = PAGE_READONLY;
5451 protection_map[6] = PAGE_COPY;
5452 protection_map[7] = PAGE_COPY;
5453 protection_map[8] = PAGE_NONE;
5454- protection_map[9] = PAGE_READONLY;
5455- protection_map[10] = PAGE_SHARED;
5456- protection_map[11] = PAGE_SHARED;
5457+ protection_map[9] = PAGE_READONLY_NOEXEC;
5458+ protection_map[10] = PAGE_SHARED_NOEXEC;
5459+ protection_map[11] = PAGE_SHARED_NOEXEC;
5460 protection_map[12] = PAGE_READONLY;
5461 protection_map[13] = PAGE_READONLY;
5462 protection_map[14] = PAGE_SHARED;
57199397
MT		 5463diff -urNp linux-2.6.35.4/arch/sparc/mm/Makefile linux-2.6.35.4/arch/sparc/mm/Makefile
5464--- linux-2.6.35.4/arch/sparc/mm/Makefile 2010-08-26 19:47:12.000000000 -0400
5465+++ linux-2.6.35.4/arch/sparc/mm/Makefile 2010-09-17 20:12:09.000000000 -0400
5466@@ -2,7 +2,7 @@
5467 #
5468
5469 asflags-y := -ansi
5470-ccflags-y := -Werror
5471+#ccflags-y := -Werror
5472
5473 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5474 obj-y += fault_$(BITS).o
5475diff -urNp linux-2.6.35.4/arch/sparc/mm/srmmu.c linux-2.6.35.4/arch/sparc/mm/srmmu.c
5476--- linux-2.6.35.4/arch/sparc/mm/srmmu.c 2010-08-26 19:47:12.000000000 -0400
5477+++ linux-2.6.35.4/arch/sparc/mm/srmmu.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 5478@@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
58c5fc13
MT		 5479 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5480 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5481 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5482+
5483+#ifdef CONFIG_PAX_PAGEEXEC
5484+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5485+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5486+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5487+#endif
5488+
5489 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5490 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5491
57199397
MT		 5492diff -urNp linux-2.6.35.4/arch/um/include/asm/kmap_types.h linux-2.6.35.4/arch/um/include/asm/kmap_types.h
5493--- linux-2.6.35.4/arch/um/include/asm/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
5494+++ linux-2.6.35.4/arch/um/include/asm/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5495@@ -23,6 +23,7 @@ enum km_type {
5496 KM_IRQ1,
5497 KM_SOFTIRQ0,
5498 KM_SOFTIRQ1,
5499+ KM_CLEARPAGE,
5500 KM_TYPE_NR
5501 };
5502
57199397
MT		 5503diff -urNp linux-2.6.35.4/arch/um/include/asm/page.h linux-2.6.35.4/arch/um/include/asm/page.h
5504--- linux-2.6.35.4/arch/um/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
5505+++ linux-2.6.35.4/arch/um/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5506@@ -14,6 +14,9 @@
5507 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5508 #define PAGE_MASK (~(PAGE_SIZE-1))
5509
5510+#define ktla_ktva(addr) (addr)
5511+#define ktva_ktla(addr) (addr)
5512+
5513 #ifndef __ASSEMBLY__
5514
5515 struct page;
57199397
MT		 5516diff -urNp linux-2.6.35.4/arch/um/sys-i386/syscalls.c linux-2.6.35.4/arch/um/sys-i386/syscalls.c
5517--- linux-2.6.35.4/arch/um/sys-i386/syscalls.c 2010-08-26 19:47:12.000000000 -0400
5518+++ linux-2.6.35.4/arch/um/sys-i386/syscalls.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5519@@ -11,6 +11,21 @@
5520 #include "asm/uaccess.h"
5521 #include "asm/unistd.h"
5522
5523+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5524+{
5525+ unsigned long pax_task_size = TASK_SIZE;
5526+
5527+#ifdef CONFIG_PAX_SEGMEXEC
5528+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5529+ pax_task_size = SEGMEXEC_TASK_SIZE;
5530+#endif
5531+
5532+ if (len > pax_task_size || addr > pax_task_size - len)
5533+ return -EINVAL;
5534+
5535+ return 0;
5536+}
5537+
5538 /*
df50ba0c
MT		 5539 * The prototype on i386 is:
5540 *
57199397
MT		 5541diff -urNp linux-2.6.35.4/arch/x86/boot/bitops.h linux-2.6.35.4/arch/x86/boot/bitops.h
5542--- linux-2.6.35.4/arch/x86/boot/bitops.h 2010-08-26 19:47:12.000000000 -0400
5543+++ linux-2.6.35.4/arch/x86/boot/bitops.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5544@@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5545 u8 v;
5546 const u32 *p = (const u32 *)addr;
5547
5548- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5549+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5550 return v;
5551 }
5552
5553@@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5554
5555 static inline void set_bit(int nr, void *addr)
5556 {
5557- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5558+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5559 }
5560
5561 #endif /* BOOT_BITOPS_H */
57199397
MT		 5562diff -urNp linux-2.6.35.4/arch/x86/boot/boot.h linux-2.6.35.4/arch/x86/boot/boot.h
5563--- linux-2.6.35.4/arch/x86/boot/boot.h 2010-08-26 19:47:12.000000000 -0400
5564+++ linux-2.6.35.4/arch/x86/boot/boot.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5565@@ -82,7 +82,7 @@ static inline void io_delay(void)
5566 static inline u16 ds(void)
5567 {
5568 u16 seg;
5569- asm("movw %%ds,%0" : "=rm" (seg));
5570+ asm volatile("movw %%ds,%0" : "=rm" (seg));
5571 return seg;
5572 }
5573
5574@@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
5575 static inline int memcmp(const void *s1, const void *s2, size_t len)
5576 {
5577 u8 diff;
5578- asm("repe; cmpsb; setnz %0"
5579+ asm volatile("repe; cmpsb; setnz %0"
5580 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5581 return diff;
5582 }
57199397
MT		 5583diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/head_32.S linux-2.6.35.4/arch/x86/boot/compressed/head_32.S
5584--- linux-2.6.35.4/arch/x86/boot/compressed/head_32.S 2010-08-26 19:47:12.000000000 -0400
5585+++ linux-2.6.35.4/arch/x86/boot/compressed/head_32.S 2010-09-17 20:12:09.000000000 -0400
ae4e228f 5586@@ -76,7 +76,7 @@ ENTRY(startup_32)
58c5fc13
MT		 5587 notl %eax
5588 andl %eax, %ebx
5589 #else
5590- movl $LOAD_PHYSICAL_ADDR, %ebx
5591+ movl $____LOAD_PHYSICAL_ADDR, %ebx
5592 #endif
5593
5594 /* Target address to relocate to for decompression */
ae4e228f 5595@@ -149,7 +149,7 @@ relocated:
58c5fc13
MT		 5596 * and where it was actually loaded.
5597 */
5598 movl %ebp, %ebx
5599- subl $LOAD_PHYSICAL_ADDR, %ebx
5600+ subl $____LOAD_PHYSICAL_ADDR, %ebx
5601 jz 2f /* Nothing to be done if loaded at compiled addr. */
5602 /*
5603 * Process relocations.
ae4e228f 5604@@ -157,8 +157,7 @@ relocated:
58c5fc13
MT		 5605
5606 1: subl $4, %edi
5607 movl (%edi), %ecx
5608- testl %ecx, %ecx
5609- jz 2f
5610+ jecxz 2f
5611 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5612 jmp 1b
5613 2:
57199397
MT		 5614diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/head_64.S linux-2.6.35.4/arch/x86/boot/compressed/head_64.S
5615--- linux-2.6.35.4/arch/x86/boot/compressed/head_64.S 2010-08-26 19:47:12.000000000 -0400
5616+++ linux-2.6.35.4/arch/x86/boot/compressed/head_64.S 2010-09-17 20:12:09.000000000 -0400
ae4e228f 5617@@ -91,7 +91,7 @@ ENTRY(startup_32)
58c5fc13
MT		 5618 notl %eax
5619 andl %eax, %ebx
5620 #else
5621- movl $LOAD_PHYSICAL_ADDR, %ebx
5622+ movl $____LOAD_PHYSICAL_ADDR, %ebx
5623 #endif
5624
5625 /* Target address to relocate to for decompression */
5626@@ -233,7 +233,7 @@ ENTRY(startup_64)
5627 notq %rax
5628 andq %rax, %rbp
5629 #else
5630- movq $LOAD_PHYSICAL_ADDR, %rbp
5631+ movq $____LOAD_PHYSICAL_ADDR, %rbp
5632 #endif
5633
5634 /* Target address to relocate to for decompression */
57199397
MT		 5635diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/misc.c linux-2.6.35.4/arch/x86/boot/compressed/misc.c
5636--- linux-2.6.35.4/arch/x86/boot/compressed/misc.c 2010-08-26 19:47:12.000000000 -0400
5637+++ linux-2.6.35.4/arch/x86/boot/compressed/misc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 5638@@ -285,7 +285,7 @@ static void parse_elf(void *output)
58c5fc13
MT		 5639 case PT_LOAD:
5640 #ifdef CONFIG_RELOCATABLE
5641 dest = output;
5642- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5643+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5644 #else
5645 dest = (void *)(phdr->p_paddr);
5646 #endif
df50ba0c 5647@@ -332,7 +332,7 @@ asmlinkage void decompress_kernel(void *
58c5fc13
MT		 5648 error("Destination address too large");
5649 #endif
5650 #ifndef CONFIG_RELOCATABLE
5651- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5652+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5653 error("Wrong destination address");
5654 #endif
5655
57199397
MT		 5656diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c
5657--- linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c 2010-08-26 19:47:12.000000000 -0400
5658+++ linux-2.6.35.4/arch/x86/boot/compressed/mkpiggy.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5659@@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5660
5661 offs = (olen > ilen) ? olen - ilen : 0;
5662 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5663- offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5664+ offs += 64*1024; /* Add 64K bytes slack */
5665 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5666
57199397
MT		 5667 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
5668diff -urNp linux-2.6.35.4/arch/x86/boot/compressed/relocs.c linux-2.6.35.4/arch/x86/boot/compressed/relocs.c
5669--- linux-2.6.35.4/arch/x86/boot/compressed/relocs.c 2010-08-26 19:47:12.000000000 -0400
5670+++ linux-2.6.35.4/arch/x86/boot/compressed/relocs.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 5671@@ -13,8 +13,11 @@
58c5fc13 5672
ae4e228f
MT		 5673 static void die(char *fmt, ...);
5674
5675+#include "../../../../include/generated/autoconf.h"
58c5fc13
MT		 5676+
5677 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5678 static Elf32_Ehdr ehdr;
5679+static Elf32_Phdr *phdr;
5680 static unsigned long reloc_count, reloc_idx;
5681 static unsigned long *relocs;
5682
ae4e228f 5683@@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
58c5fc13
MT		 5684 }
5685 }
5686
5687+static void read_phdrs(FILE *fp)
5688+{
5689+ unsigned int i;
5690+
5691+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5692+ if (!phdr) {
5693+ die("Unable to allocate %d program headers\n",
5694+ ehdr.e_phnum);
5695+ }
5696+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5697+ die("Seek to %d failed: %s\n",
5698+ ehdr.e_phoff, strerror(errno));
5699+ }
5700+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5701+ die("Cannot read ELF program headers: %s\n",
5702+ strerror(errno));
5703+ }
5704+ for(i = 0; i < ehdr.e_phnum; i++) {
5705+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5706+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5707+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5708+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5709+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5710+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5711+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5712+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5713+ }
5714+
5715+}
5716+
5717 static void read_shdrs(FILE *fp)
5718 {
5719- int i;
5720+ unsigned int i;
5721 Elf32_Shdr shdr;
5722
5723 secs = calloc(ehdr.e_shnum, sizeof(struct section));
ae4e228f 5724@@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
58c5fc13
MT		 5725
5726 static void read_strtabs(FILE *fp)
5727 {
5728- int i;
5729+ unsigned int i;
5730 for (i = 0; i < ehdr.e_shnum; i++) {
5731 struct section *sec = &secs[i];
5732 if (sec->shdr.sh_type != SHT_STRTAB) {
ae4e228f 5733@@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
58c5fc13
MT		 5734
5735 static void read_symtabs(FILE *fp)
5736 {
5737- int i,j;
5738+ unsigned int i,j;
5739 for (i = 0; i < ehdr.e_shnum; i++) {
5740 struct section *sec = &secs[i];
5741 if (sec->shdr.sh_type != SHT_SYMTAB) {
ae4e228f 5742@@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
58c5fc13
MT		 5743
5744 static void read_relocs(FILE *fp)
5745 {
5746- int i,j;
5747+ unsigned int i,j;
5748+ uint32_t base;
5749+
5750 for (i = 0; i < ehdr.e_shnum; i++) {
5751 struct section *sec = &secs[i];
5752 if (sec->shdr.sh_type != SHT_REL) {
ae4e228f 5753@@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
58c5fc13
MT		 5754 die("Cannot read symbol table: %s\n",
5755 strerror(errno));
5756 }
5757+ base = 0;
5758+ for (j = 0; j < ehdr.e_phnum; j++) {
5759+ if (phdr[j].p_type != PT_LOAD )
5760+ continue;
5761+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5762+ continue;
5763+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5764+ break;
5765+ }
5766 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5767 Elf32_Rel *rel = &sec->reltab[j];
5768- rel->r_offset = elf32_to_cpu(rel->r_offset);
5769+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5770 rel->r_info = elf32_to_cpu(rel->r_info);
5771 }
5772 }
ae4e228f 5773@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
58c5fc13
MT		 5774
5775 static void print_absolute_symbols(void)
5776 {
5777- int i;
5778+ unsigned int i;
5779 printf("Absolute symbols\n");
5780 printf(" Num: Value Size Type Bind Visibility Name\n");
5781 for (i = 0; i < ehdr.e_shnum; i++) {
5782 struct section *sec = &secs[i];
5783 char *sym_strtab;
5784 Elf32_Sym *sh_symtab;
5785- int j;
5786+ unsigned int j;
5787
5788 if (sec->shdr.sh_type != SHT_SYMTAB) {
5789 continue;
ae4e228f 5790@@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
58c5fc13
MT		 5791
5792 static void print_absolute_relocs(void)
5793 {
5794- int i, printed = 0;
5795+ unsigned int i, printed = 0;
5796
5797 for (i = 0; i < ehdr.e_shnum; i++) {
5798 struct section *sec = &secs[i];
5799 struct section *sec_applies, *sec_symtab;
5800 char *sym_strtab;
5801 Elf32_Sym *sh_symtab;
5802- int j;
5803+ unsigned int j;
5804 if (sec->shdr.sh_type != SHT_REL) {
5805 continue;
5806 }
ae4e228f 5807@@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
58c5fc13
MT		 5808
5809 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5810 {
5811- int i;
5812+ unsigned int i;
5813 /* Walk through the relocations */
5814 for (i = 0; i < ehdr.e_shnum; i++) {
5815 char *sym_strtab;
5816 Elf32_Sym *sh_symtab;
5817 struct section *sec_applies, *sec_symtab;
5818- int j;
5819+ unsigned int j;
5820 struct section *sec = &secs[i];
5821
5822 if (sec->shdr.sh_type != SHT_REL) {
ae4e228f
MT		 5823@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5824 !is_rel_reloc(sym_name(sym_strtab, sym))) {
58c5fc13
MT		 5825 continue;
5826 }
5827+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
57199397 5828+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
58c5fc13
MT		 5829+ continue;
5830+
5831+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5832+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
57199397 5833+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
ae4e228f 5834+ continue;
58c5fc13
MT		 5835+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5836+ continue;
5837+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5838+ continue;
5839+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5840+ continue;
5841+#endif
ae4e228f
MT		 5842+
5843 switch (r_type) {
5844 case R_386_NONE:
5845 case R_386_PC32:
5846@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
58c5fc13
MT		 5847
5848 static void emit_relocs(int as_text)
5849 {
5850- int i;
5851+ unsigned int i;
5852 /* Count how many relocations I have and allocate space for them. */
5853 reloc_count = 0;
5854 walk_relocs(count_reloc);
ae4e228f 5855@@ -665,6 +725,7 @@ int main(int argc, char **argv)
58c5fc13
MT		 5856 fname, strerror(errno));
5857 }
5858 read_ehdr(fp);
5859+ read_phdrs(fp);
5860 read_shdrs(fp);
5861 read_strtabs(fp);
5862 read_symtabs(fp);
57199397
MT		 5863diff -urNp linux-2.6.35.4/arch/x86/boot/cpucheck.c linux-2.6.35.4/arch/x86/boot/cpucheck.c
5864--- linux-2.6.35.4/arch/x86/boot/cpucheck.c 2010-08-26 19:47:12.000000000 -0400
5865+++ linux-2.6.35.4/arch/x86/boot/cpucheck.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5866@@ -74,7 +74,7 @@ static int has_fpu(void)
5867 u16 fcw = -1, fsw = -1;
5868 u32 cr0;
5869
5870- asm("movl %%cr0,%0" : "=r" (cr0));
5871+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
5872 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5873 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5874 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5875@@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5876 {
5877 u32 f0, f1;
5878
5879- asm("pushfl ; "
5880+ asm volatile("pushfl ; "
5881 "pushfl ; "
5882 "popl %0 ; "
5883 "movl %0,%1 ; "
5884@@ -115,7 +115,7 @@ static void get_flags(void)
5885 set_bit(X86_FEATURE_FPU, cpu.flags);
5886
5887 if (has_eflag(X86_EFLAGS_ID)) {
5888- asm("cpuid"
5889+ asm volatile("cpuid"
5890 : "=a" (max_intel_level),
5891 "=b" (cpu_vendor[0]),
5892 "=d" (cpu_vendor[1]),
5893@@ -124,7 +124,7 @@ static void get_flags(void)
5894
5895 if (max_intel_level >= 0x00000001 &&
5896 max_intel_level <= 0x0000ffff) {
5897- asm("cpuid"
5898+ asm volatile("cpuid"
5899 : "=a" (tfms),
5900 "=c" (cpu.flags[4]),
5901 "=d" (cpu.flags[0])
5902@@ -136,7 +136,7 @@ static void get_flags(void)
5903 cpu.model += ((tfms >> 16) & 0xf) << 4;
5904 }
5905
5906- asm("cpuid"
5907+ asm volatile("cpuid"
5908 : "=a" (max_amd_level)
5909 : "a" (0x80000000)
5910 : "ebx", "ecx", "edx");
5911@@ -144,7 +144,7 @@ static void get_flags(void)
5912 if (max_amd_level >= 0x80000001 &&
5913 max_amd_level <= 0x8000ffff) {
5914 u32 eax = 0x80000001;
5915- asm("cpuid"
5916+ asm volatile("cpuid"
5917 : "+a" (eax),
5918 "=c" (cpu.flags[6]),
5919 "=d" (cpu.flags[1])
5920@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5921 u32 ecx = MSR_K7_HWCR;
5922 u32 eax, edx;
5923
5924- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5925+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5926 eax &= ~(1 << 15);
5927- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5928+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5929
5930 get_flags(); /* Make sure it really did something */
5931 err = check_flags();
5932@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5933 u32 ecx = MSR_VIA_FCR;
5934 u32 eax, edx;
5935
5936- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5937+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5938 eax |= (1<<1)|(1<<7);
5939- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5940+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5941
5942 set_bit(X86_FEATURE_CX8, cpu.flags);
5943 err = check_flags();
5944@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5945 u32 eax, edx;
5946 u32 level = 1;
5947
5948- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5949- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5950- asm("cpuid"
5951+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5952+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5953+ asm volatile("cpuid"
5954 : "+a" (level), "=d" (cpu.flags[0])
5955 : : "ecx", "ebx");
5956- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5957+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5958
5959 err = check_flags();
5960 }
57199397
MT		 5961diff -urNp linux-2.6.35.4/arch/x86/boot/header.S linux-2.6.35.4/arch/x86/boot/header.S
5962--- linux-2.6.35.4/arch/x86/boot/header.S 2010-08-26 19:47:12.000000000 -0400
5963+++ linux-2.6.35.4/arch/x86/boot/header.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 5964@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5965 # single linked list of
5966 # struct setup_data
5967
5968-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5969+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5970
5971 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5972 #define VO_INIT_SIZE (VO__end - VO__text)
57199397
MT		 5973diff -urNp linux-2.6.35.4/arch/x86/boot/memory.c linux-2.6.35.4/arch/x86/boot/memory.c
5974--- linux-2.6.35.4/arch/x86/boot/memory.c 2010-08-26 19:47:12.000000000 -0400
5975+++ linux-2.6.35.4/arch/x86/boot/memory.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 5976@@ -19,7 +19,7 @@
5977
5978 static int detect_memory_e820(void)
5979 {
5980- int count = 0;
5981+ unsigned int count = 0;
5982 struct biosregs ireg, oreg;
5983 struct e820entry *desc = boot_params.e820_map;
5984 static struct e820entry buf; /* static so it is zeroed */
57199397
MT		 5985diff -urNp linux-2.6.35.4/arch/x86/boot/video.c linux-2.6.35.4/arch/x86/boot/video.c
5986--- linux-2.6.35.4/arch/x86/boot/video.c 2010-08-26 19:47:12.000000000 -0400
5987+++ linux-2.6.35.4/arch/x86/boot/video.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 5988@@ -96,7 +96,7 @@ static void store_mode_params(void)
5989 static unsigned int get_entry(void)
5990 {
5991 char entry_buf[4];
5992- int i, len = 0;
5993+ unsigned int i, len = 0;
5994 int key;
5995 unsigned int v;
5996
57199397
MT		 5997diff -urNp linux-2.6.35.4/arch/x86/boot/video-vesa.c linux-2.6.35.4/arch/x86/boot/video-vesa.c
5998--- linux-2.6.35.4/arch/x86/boot/video-vesa.c 2010-08-26 19:47:12.000000000 -0400
5999+++ linux-2.6.35.4/arch/x86/boot/video-vesa.c 2010-09-17 20:12:09.000000000 -0400
6000@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
58c5fc13 6001
57199397
MT		 6002 boot_params.screen_info.vesapm_seg = oreg.es;
6003 boot_params.screen_info.vesapm_off = oreg.di;
6004+ boot_params.screen_info.vesapm_size = oreg.cx;
6005 }
efbe55a5 6006
57199397
MT		 6007 /*
6008diff -urNp linux-2.6.35.4/arch/x86/ia32/ia32entry.S linux-2.6.35.4/arch/x86/ia32/ia32entry.S
6009--- linux-2.6.35.4/arch/x86/ia32/ia32entry.S 2010-08-26 19:47:12.000000000 -0400
6010+++ linux-2.6.35.4/arch/x86/ia32/ia32entry.S 2010-09-17 20:12:37.000000000 -0400
df50ba0c
MT		 6011@@ -13,6 +13,7 @@
6012 #include <asm/thread_info.h>
6013 #include <asm/segment.h>
6014 #include <asm/irqflags.h>
6015+#include <asm/pgtable.h>
6016 #include <linux/linkage.h>
6017
6018 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
57199397
MT		 6019@@ -50,7 +51,12 @@
6020 /*
6021 * Reload arg registers from stack in case ptrace changed them.
6022 * We don't reload %eax because syscall_trace_enter() returned
6023- * the value it wants us to use in the table lookup.
6024+ * the %rax value we should see. Instead, we just truncate that
6025+ * value to 32 bits again as we did on entry from user mode.
6026+ * If it's a new value set by user_regset during entry tracing,
6027+ * this matches the normal truncation of the user-mode value.
6028+ * If it's -1 to make us punt the syscall, then (u32)-1 is still
6029+ * an appropriately invalid value.
6030 */
6031 .macro LOAD_ARGS32 offset, _r9=0
6032 .if \_r9
6033@@ -60,6 +66,7 @@
6034 movl \offset+48(%rsp),%edx
6035 movl \offset+56(%rsp),%esi
6036 movl \offset+64(%rsp),%edi
6037+ movl %eax,%eax /* zero extension */
6038 .endm
6039
6040 .macro CFI_STARTPROC32 simple
6041@@ -114,6 +121,11 @@ ENTRY(ia32_sysenter_target)
df50ba0c
MT		 6042 SWAPGS_UNSAFE_STACK
6043 movq PER_CPU_VAR(kernel_stack), %rsp
6044 addq $(KERNEL_STACK_OFFSET),%rsp
6045+
6046+#ifdef CONFIG_PAX_MEMORY_UDEREF
6047+ call pax_enter_kernel_user
6048+#endif
6049+
6050 /*
6051 * No need to follow this irqs on/off section: the syscall
6052 * disabled irqs, here we enable it straight after entry:
57199397 6053@@ -144,6 +156,12 @@ ENTRY(ia32_sysenter_target)
df50ba0c
MT		 6054 SAVE_ARGS 0,0,1
6055 /* no need to do an access_ok check here because rbp has been
6056 32bit zero extended */
6057+
6058+#ifdef CONFIG_PAX_MEMORY_UDEREF
6059+ mov $PAX_USER_SHADOW_BASE,%r10
6060+ add %r10,%rbp
6061+#endif
6062+
6063 1: movl (%rbp),%ebp
6064 .section __ex_table,"a"
6065 .quad 1b,ia32_badarg
57199397
MT		 6066@@ -153,7 +171,7 @@ ENTRY(ia32_sysenter_target)
6067 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
6068 CFI_REMEMBER_STATE
6069 jnz sysenter_tracesys
6070- cmpl $(IA32_NR_syscalls-1),%eax
6071+ cmpq $(IA32_NR_syscalls-1),%rax
6072 ja ia32_badsys
6073 sysenter_do_call:
6074 IA32_ARG_FIXUP
6075@@ -166,6 +184,11 @@ sysenter_dispatch:
df50ba0c
MT		 6076 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6077 jnz sysexit_audit
6078 sysexit_from_sys_call:
6079+
6080+#ifdef CONFIG_PAX_MEMORY_UDEREF
6081+ call pax_exit_kernel_user
6082+#endif
6083+
6084 andl $~TS_COMPAT,TI_status(%r10)
6085 /* clear IF, that popfq doesn't enable interrupts early */
6086 andl $~0x200,EFLAGS-R11(%rsp)
57199397
MT		 6087@@ -195,7 +218,7 @@ sysexit_from_sys_call:
6088 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6089 call audit_syscall_entry
6090 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6091- cmpl $(IA32_NR_syscalls-1),%eax
6092+ cmpq $(IA32_NR_syscalls-1),%rax
6093 ja ia32_badsys
6094 movl %ebx,%edi /* reload 1st syscall arg */
6095 movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */
6096@@ -248,7 +271,7 @@ sysenter_tracesys:
6097 call syscall_trace_enter
6098 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6099 RESTORE_REST
6100- cmpl $(IA32_NR_syscalls-1),%eax
6101+ cmpq $(IA32_NR_syscalls-1),%rax
6102 ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
6103 jmp sysenter_do_call
6104 CFI_ENDPROC
6105@@ -284,6 +307,11 @@ ENTRY(ia32_cstar_target)
df50ba0c
MT		 6106 movl %esp,%r8d
6107 CFI_REGISTER rsp,r8
6108 movq PER_CPU_VAR(kernel_stack),%rsp
6109+
6110+#ifdef CONFIG_PAX_MEMORY_UDEREF
6111+ call pax_enter_kernel_user
6112+#endif
6113+
6114 /*
6115 * No need to follow this irqs on/off section: the syscall
6116 * disabled irqs and here we enable it straight after entry:
57199397 6117@@ -305,6 +333,12 @@ ENTRY(ia32_cstar_target)
df50ba0c
MT		 6118 /* no need to do an access_ok check here because r8 has been
6119 32bit zero extended */
6120 /* hardware stack frame is complete now */
6121+
6122+#ifdef CONFIG_PAX_MEMORY_UDEREF
6123+ mov $PAX_USER_SHADOW_BASE,%r10
6124+ add %r10,%r8
6125+#endif
6126+
6127 1: movl (%r8),%r9d
6128 .section __ex_table,"a"
6129 .quad 1b,ia32_badarg
57199397
MT		 6130@@ -314,7 +348,7 @@ ENTRY(ia32_cstar_target)
6131 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
6132 CFI_REMEMBER_STATE
6133 jnz cstar_tracesys
6134- cmpl $IA32_NR_syscalls-1,%eax
6135+ cmpq $IA32_NR_syscalls-1,%rax
6136 ja ia32_badsys
6137 cstar_do_call:
6138 IA32_ARG_FIXUP 1
6139@@ -327,6 +361,11 @@ cstar_dispatch:
df50ba0c
MT		 6140 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6141 jnz sysretl_audit
6142 sysretl_from_sys_call:
6143+
6144+#ifdef CONFIG_PAX_MEMORY_UDEREF
6145+ call pax_exit_kernel_user
6146+#endif
6147+
6148 andl $~TS_COMPAT,TI_status(%r10)
6149 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6150 movl RIP-ARGOFFSET(%rsp),%ecx
57199397
MT		 6151@@ -367,7 +406,7 @@ cstar_tracesys:
6152 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
6153 RESTORE_REST
6154 xchgl %ebp,%r9d
6155- cmpl $(IA32_NR_syscalls-1),%eax
6156+ cmpq $(IA32_NR_syscalls-1),%rax
6157 ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
6158 jmp cstar_do_call
6159 END(ia32_cstar_target)
6160@@ -409,6 +448,11 @@ ENTRY(ia32_syscall)
df50ba0c
MT		 6161 CFI_REL_OFFSET rip,RIP-RIP
6162 PARAVIRT_ADJUST_EXCEPTION_FRAME
6163 SWAPGS
6164+
6165+#ifdef CONFIG_PAX_MEMORY_UDEREF
6166+ call pax_enter_kernel_user
6167+#endif
6168+
6169 /*
6170 * No need to follow this irqs on/off section: the syscall
6171 * disabled irqs and here we enable it straight after entry:
57199397
MT		 6172@@ -425,7 +469,7 @@ ENTRY(ia32_syscall)
6173 orl $TS_COMPAT,TI_status(%r10)
6174 testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10)
6175 jnz ia32_tracesys
6176- cmpl $(IA32_NR_syscalls-1),%eax
6177+ cmpq $(IA32_NR_syscalls-1),%rax
6178 ja ia32_badsys
6179 ia32_do_call:
6180 IA32_ARG_FIXUP
6181@@ -444,7 +488,7 @@ ia32_tracesys:
6182 call syscall_trace_enter
6183 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6184 RESTORE_REST
6185- cmpl $(IA32_NR_syscalls-1),%eax
6186+ cmpq $(IA32_NR_syscalls-1),%rax
6187 ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
6188 jmp ia32_do_call
6189 END(ia32_syscall)
6190diff -urNp linux-2.6.35.4/arch/x86/ia32/ia32_signal.c linux-2.6.35.4/arch/x86/ia32/ia32_signal.c
6191--- linux-2.6.35.4/arch/x86/ia32/ia32_signal.c 2010-08-26 19:47:12.000000000 -0400
6192+++ linux-2.6.35.4/arch/x86/ia32/ia32_signal.c 2010-09-17 20:12:09.000000000 -0400
6193@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6194 sp -= frame_size;
6195 /* Align the stack pointer according to the i386 ABI,
6196 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6197- sp = ((sp + 4) & -16ul) - 4;
6198+ sp = ((sp - 12) & -16ul) - 4;
6199 return (void __user *) sp;
6200 }
6201
6202@@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6203 0xb8,
6204 __NR_ia32_rt_sigreturn,
6205 0x80cd,
6206- 0,
6207+ 0
6208 };
6209
6210 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6211diff -urNp linux-2.6.35.4/arch/x86/include/asm/alternative.h linux-2.6.35.4/arch/x86/include/asm/alternative.h
6212--- linux-2.6.35.4/arch/x86/include/asm/alternative.h 2010-08-26 19:47:12.000000000 -0400
6213+++ linux-2.6.35.4/arch/x86/include/asm/alternative.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 6214@@ -91,7 +91,7 @@ static inline int alternatives_text_rese
58c5fc13 6215 " .byte 664f-663f\n" /* replacementlen */ \
ae4e228f 6216 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
58c5fc13
MT		 6217 ".previous\n" \
6218- ".section .altinstr_replacement, \"ax\"\n" \
6219+ ".section .altinstr_replacement, \"a\"\n" \
6220 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6221 ".previous"
6222
57199397
MT		 6223diff -urNp linux-2.6.35.4/arch/x86/include/asm/apm.h linux-2.6.35.4/arch/x86/include/asm/apm.h
6224--- linux-2.6.35.4/arch/x86/include/asm/apm.h 2010-08-26 19:47:12.000000000 -0400
6225+++ linux-2.6.35.4/arch/x86/include/asm/apm.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 6226@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6227 __asm__ __volatile__(APM_DO_ZERO_SEGS
6228 "pushl %%edi\n\t"
6229 "pushl %%ebp\n\t"
6230- "lcall *%%cs:apm_bios_entry\n\t"
6231+ "lcall *%%ss:apm_bios_entry\n\t"
6232 "setc %%al\n\t"
6233 "popl %%ebp\n\t"
6234 "popl %%edi\n\t"
6235@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6236 __asm__ __volatile__(APM_DO_ZERO_SEGS
6237 "pushl %%edi\n\t"
6238 "pushl %%ebp\n\t"
6239- "lcall *%%cs:apm_bios_entry\n\t"
6240+ "lcall *%%ss:apm_bios_entry\n\t"
6241 "setc %%bl\n\t"
6242 "popl %%ebp\n\t"
6243 "popl %%edi\n\t"
57199397
MT		 6244diff -urNp linux-2.6.35.4/arch/x86/include/asm/asm.h linux-2.6.35.4/arch/x86/include/asm/asm.h
6245--- linux-2.6.35.4/arch/x86/include/asm/asm.h 2010-08-26 19:47:12.000000000 -0400
6246+++ linux-2.6.35.4/arch/x86/include/asm/asm.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 6247@@ -37,6 +37,12 @@
6248 #define _ASM_SI __ASM_REG(si)
6249 #define _ASM_DI __ASM_REG(di)
58c5fc13 6250
df50ba0c
MT		 6251+#ifdef CONFIG_X86_32
6252+#define _ASM_INTO "into"
6253+#else
6254+#define _ASM_INTO "int $4"
58c5fc13
MT		 6255+#endif
6256+
df50ba0c
MT		 6257 /* Exception table entry */
6258 #ifdef __ASSEMBLY__
6259 # define _ASM_EXTABLE(from,to) \
57199397
MT		 6260diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h
6261--- linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h 2010-08-26 19:47:12.000000000 -0400
6262+++ linux-2.6.35.4/arch/x86/include/asm/atomic64_32.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 6263@@ -12,6 +12,14 @@ typedef struct {
ae4e228f
MT		 6264 u64 __aligned(8) counter;
6265 } atomic64_t;
6266
6267+#ifdef CONFIG_PAX_REFCOUNT
6268+typedef struct {
6269+ u64 __aligned(8) counter;
6270+} atomic64_unchecked_t;
6271+#else
6272+typedef atomic64_t atomic64_unchecked_t;
6273+#endif
6274+
6275 #define ATOMIC64_INIT(val) { (val) }
6276
57199397
MT		 6277 #ifdef CONFIG_X86_CMPXCHG64
6278diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h
6279--- linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h 2010-08-26 19:47:12.000000000 -0400
6280+++ linux-2.6.35.4/arch/x86/include/asm/atomic64_64.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 6281@@ -22,6 +22,18 @@ static inline long atomic64_read(const a
ae4e228f
MT		 6282 }
6283
6284 /**
6285+ * atomic64_read_unchecked - read atomic64 variable
6286+ * @v: pointer of type atomic64_unchecked_t
6287+ *
6288+ * Atomically reads the value of @v.
6289+ * Doesn't imply a read memory barrier.
6290+ */
6291+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6292+{
6293+ return v->counter;
6294+}
6295+
6296+/**
6297 * atomic64_set - set atomic64 variable
6298 * @v: pointer to type atomic64_t
6299 * @i: required value
df50ba0c 6300@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
ae4e228f
MT		 6301 }
6302
6303 /**
6304+ * atomic64_set_unchecked - set atomic64 variable
6305+ * @v: pointer to type atomic64_unchecked_t
6306+ * @i: required value
6307+ *
6308+ * Atomically sets the value of @v to @i.
6309+ */
6310+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6311+{
6312+ v->counter = i;
6313+}
6314+
6315+/**
6316 * atomic64_add - add integer to atomic64 variable
6317 * @i: integer value to add
6318 * @v: pointer to type atomic64_t
df50ba0c 6319@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
58c5fc13
MT		 6320 */
6321 static inline void atomic64_add(long i, atomic64_t *v)
6322 {
58c5fc13
MT		 6323+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
6324+
6325+#ifdef CONFIG_PAX_REFCOUNT
6326+ "jno 0f\n"
6327+ LOCK_PREFIX "subq %1,%0\n"
6328+ "int $4\n0:\n"
6329+ _ASM_EXTABLE(0b, 0b)
6330+#endif
6331+
ae4e228f
MT		 6332+ : "=m" (v->counter)
6333+ : "er" (i), "m" (v->counter));
6334+}
6335+
6336+/**
6337+ * atomic64_add_unchecked - add integer to atomic64 variable
6338+ * @i: integer value to add
6339+ * @v: pointer to type atomic64_unchecked_t
6340+ *
6341+ * Atomically adds @i to @v.
6342+ */
6343+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6344+{
6345 asm volatile(LOCK_PREFIX "addq %1,%0"
58c5fc13
MT		 6346 : "=m" (v->counter)
6347 : "er" (i), "m" (v->counter));
df50ba0c 6348@@ -56,7 +102,15 @@ static inline void atomic64_add(long i,
58c5fc13
MT		 6349 */
6350 static inline void atomic64_sub(long i, atomic64_t *v)
6351 {
6352- asm volatile(LOCK_PREFIX "subq %1,%0"
6353+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
6354+
6355+#ifdef CONFIG_PAX_REFCOUNT
6356+ "jno 0f\n"
6357+ LOCK_PREFIX "addq %1,%0\n"
6358+ "int $4\n0:\n"
6359+ _ASM_EXTABLE(0b, 0b)
6360+#endif
6361+
6362 : "=m" (v->counter)
6363 : "er" (i), "m" (v->counter));
6364 }
df50ba0c 6365@@ -74,7 +128,16 @@ static inline int atomic64_sub_and_test(
58c5fc13
MT		 6366 {
6367 unsigned char c;
6368
6369- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6370+ asm volatile(LOCK_PREFIX "subq %2,%0\n"
6371+
6372+#ifdef CONFIG_PAX_REFCOUNT
6373+ "jno 0f\n"
6374+ LOCK_PREFIX "addq %2,%0\n"
6375+ "int $4\n0:\n"
6376+ _ASM_EXTABLE(0b, 0b)
6377+#endif
6378+
6379+ "sete %1\n"
6380 : "=m" (v->counter), "=qm" (c)
6381 : "er" (i), "m" (v->counter) : "memory");
6382 return c;
df50ba0c 6383@@ -88,6 +151,31 @@ static inline int atomic64_sub_and_test(
58c5fc13
MT		 6384 */
6385 static inline void atomic64_inc(atomic64_t *v)
6386 {
58c5fc13
MT		 6387+ asm volatile(LOCK_PREFIX "incq %0\n"
6388+
6389+#ifdef CONFIG_PAX_REFCOUNT
6390+ "jno 0f\n"
6391+ "int $4\n0:\n"
6392+ ".pushsection .fixup,\"ax\"\n"
6393+ "1:\n"
6394+ LOCK_PREFIX "decq %0\n"
6395+ "jmp 0b\n"
6396+ ".popsection\n"
6397+ _ASM_EXTABLE(0b, 1b)
6398+#endif
6399+
ae4e228f
MT		 6400+ : "=m" (v->counter)
6401+ : "m" (v->counter));
6402+}
6403+
6404+/**
6405+ * atomic64_inc_unchecked - increment atomic64 variable
6406+ * @v: pointer to type atomic64_unchecked_t
6407+ *
6408+ * Atomically increments @v by 1.
6409+ */
6410+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6411+{
6412 asm volatile(LOCK_PREFIX "incq %0"
58c5fc13
MT		 6413 : "=m" (v->counter)
6414 : "m" (v->counter));
df50ba0c 6415@@ -101,7 +189,32 @@ static inline void atomic64_inc(atomic64
58c5fc13
MT		 6416 */
6417 static inline void atomic64_dec(atomic64_t *v)
6418 {
6419- asm volatile(LOCK_PREFIX "decq %0"
6420+ asm volatile(LOCK_PREFIX "decq %0\n"
6421+
6422+#ifdef CONFIG_PAX_REFCOUNT
6423+ "jno 0f\n"
6424+ "int $4\n0:\n"
6425+ ".pushsection .fixup,\"ax\"\n"
6426+ "1: \n"
6427+ LOCK_PREFIX "incq %0\n"
6428+ "jmp 0b\n"
6429+ ".popsection\n"
6430+ _ASM_EXTABLE(0b, 1b)
6431+#endif
6432+
df50ba0c
MT		 6433+ : "=m" (v->counter)
6434+ : "m" (v->counter));
6435+}
6436+
6437+/**
6438+ * atomic64_dec_unchecked - decrement atomic64 variable
6439+ * @v: pointer to type atomic64_t
6440+ *
6441+ * Atomically decrements @v by 1.
6442+ */
6443+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6444+{
6445+ asm volatile(LOCK_PREFIX "decq %0\n"
58c5fc13
MT		 6446 : "=m" (v->counter)
6447 : "m" (v->counter));
6448 }
df50ba0c 6449@@ -118,7 +231,20 @@ static inline int atomic64_dec_and_test(
58c5fc13
MT		 6450 {
6451 unsigned char c;
6452
6453- asm volatile(LOCK_PREFIX "decq %0; sete %1"
6454+ asm volatile(LOCK_PREFIX "decq %0\n"
6455+
6456+#ifdef CONFIG_PAX_REFCOUNT
6457+ "jno 0f\n"
6458+ "int $4\n0:\n"
6459+ ".pushsection .fixup,\"ax\"\n"
6460+ "1: \n"
6461+ LOCK_PREFIX "incq %0\n"
6462+ "jmp 0b\n"
6463+ ".popsection\n"
6464+ _ASM_EXTABLE(0b, 1b)
6465+#endif
6466+
6467+ "sete %1\n"
6468 : "=m" (v->counter), "=qm" (c)
6469 : "m" (v->counter) : "memory");
6470 return c != 0;
df50ba0c 6471@@ -136,7 +262,20 @@ static inline int atomic64_inc_and_test(
58c5fc13
MT		 6472 {
6473 unsigned char c;
6474
6475- asm volatile(LOCK_PREFIX "incq %0; sete %1"
6476+ asm volatile(LOCK_PREFIX "incq %0\n"
6477+
6478+#ifdef CONFIG_PAX_REFCOUNT
6479+ "jno 0f\n"
6480+ "int $4\n0:\n"
6481+ ".pushsection .fixup,\"ax\"\n"
6482+ "1: \n"
6483+ LOCK_PREFIX "decq %0\n"
6484+ "jmp 0b\n"
6485+ ".popsection\n"
6486+ _ASM_EXTABLE(0b, 1b)
6487+#endif
6488+
6489+ "sete %1\n"
6490 : "=m" (v->counter), "=qm" (c)
6491 : "m" (v->counter) : "memory");
6492 return c != 0;
df50ba0c 6493@@ -155,7 +294,16 @@ static inline int atomic64_add_negative(
58c5fc13
MT		 6494 {
6495 unsigned char c;
6496
6497- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6498+ asm volatile(LOCK_PREFIX "addq %2,%0\n"
6499+
6500+#ifdef CONFIG_PAX_REFCOUNT
6501+ "jno 0f\n"
6502+ LOCK_PREFIX "subq %2,%0\n"
6503+ "int $4\n0:\n"
6504+ _ASM_EXTABLE(0b, 0b)
6505+#endif
6506+
6507+ "sets %1\n"
6508 : "=m" (v->counter), "=qm" (c)
6509 : "er" (i), "m" (v->counter) : "memory");
6510 return c;
df50ba0c 6511@@ -171,7 +319,31 @@ static inline int atomic64_add_negative(
58c5fc13
MT		 6512 static inline long atomic64_add_return(long i, atomic64_t *v)
6513 {
6514 long __i = i;
6515- asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6516+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6517+
6518+#ifdef CONFIG_PAX_REFCOUNT
6519+ "jno 0f\n"
6520+ "movq %0, %1\n"
6521+ "int $4\n0:\n"
6522+ _ASM_EXTABLE(0b, 0b)
6523+#endif
6524+
ae4e228f
MT		 6525+ : "+r" (i), "+m" (v->counter)
6526+ : : "memory");
6527+ return i + __i;
6528+}
6529+
6530+/**
6531+ * atomic64_add_return_unchecked - add and return
6532+ * @i: integer value to add
6533+ * @v: pointer to type atomic64_unchecked_t
6534+ *
6535+ * Atomically adds @i to @v and returns @i + @v
6536+ */
6537+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6538+{
6539+ long __i = i;
6540+ asm volatile(LOCK_PREFIX "xaddq %0, %1"
58c5fc13
MT		 6541 : "+r" (i), "+m" (v->counter)
6542 : : "memory");
6543 return i + __i;
57199397 6544@@ -183,6 +355,10 @@ static inline long atomic64_sub_return(l
ae4e228f
MT		 6545 }
6546
6547 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
57199397
MT		 6548+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6549+{
6550+ return atomic64_add_return_unchecked(1, v);
6551+}
ae4e228f
MT		 6552 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6553
6554 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
57199397 6555@@ -206,17 +382,29 @@ static inline long atomic64_xchg(atomic6
58c5fc13 6556 */
df50ba0c 6557 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
58c5fc13 6558 {
df50ba0c
MT		 6559- long c, old;
6560+ long c, old, new;
6561 c = atomic64_read(v);
58c5fc13
MT		 6562 for (;;) {
6563- if (unlikely(c == (u)))
6564+ if (unlikely(c == u))
6565 break;
df50ba0c 6566- old = atomic64_cmpxchg((v), c, c + (a));
58c5fc13 6567+
df50ba0c 6568+ asm volatile("add %2,%0\n"
58c5fc13
MT		 6569+
6570+#ifdef CONFIG_PAX_REFCOUNT
6571+ "jno 0f\n"
6572+ "int $4\n0:\n"
6573+ _ASM_EXTABLE(0b, 0b)
6574+#endif
6575+
6576+ : "=r" (new)
6577+ : "0" (c), "ir" (a));
6578+
df50ba0c 6579+ old = atomic64_cmpxchg(v, c, new);
58c5fc13
MT		 6580 if (likely(old == c))
6581 break;
6582 c = old;
6583 }
6584- return c != (u);
6585+ return c != u;
6586 }
6587
df50ba0c 6588 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
57199397
MT		 6589diff -urNp linux-2.6.35.4/arch/x86/include/asm/atomic.h linux-2.6.35.4/arch/x86/include/asm/atomic.h
6590--- linux-2.6.35.4/arch/x86/include/asm/atomic.h 2010-08-26 19:47:12.000000000 -0400
6591+++ linux-2.6.35.4/arch/x86/include/asm/atomic.h 2010-09-17 20:12:09.000000000 -0400
6592@@ -26,6 +26,17 @@ static inline int atomic_read(const atom
6593 }
6594
6595 /**
6596+ * atomic_read_unchecked - read atomic variable
6597+ * @v: pointer of type atomic_unchecked_t
6598+ *
6599+ * Atomically reads the value of @v.
6600+ */
6601+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6602+{
6603+ return v->counter;
6604+}
6605+
6606+/**
6607 * atomic_set - set atomic variable
6608 * @v: pointer of type atomic_t
6609 * @i: required value
6610@@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6611 }
6612
6613 /**
6614+ * atomic_set_unchecked - set atomic variable
6615+ * @v: pointer of type atomic_unchecked_t
6616+ * @i: required value
6617+ *
6618+ * Atomically sets the value of @v to @i.
6619+ */
6620+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6621+{
6622+ v->counter = i;
6623+}
6624+
6625+/**
6626 * atomic_add - add integer to atomic variable
6627 * @i: integer value to add
6628 * @v: pointer of type atomic_t
6629@@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6630 */
6631 static inline void atomic_add(int i, atomic_t *v)
6632 {
6633- asm volatile(LOCK_PREFIX "addl %1,%0"
6634+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
6635+
6636+#ifdef CONFIG_PAX_REFCOUNT
6637+ "jno 0f\n"
6638+ LOCK_PREFIX "subl %1,%0\n"
6639+ _ASM_INTO "\n0:\n"
6640+ _ASM_EXTABLE(0b, 0b)
6641+#endif
6642+
6643+ : "+m" (v->counter)
6644+ : "ir" (i));
6645+}
6646+
6647+/**
6648+ * atomic_add_unchecked - add integer to atomic variable
6649+ * @i: integer value to add
6650+ * @v: pointer of type atomic_unchecked_t
6651+ *
6652+ * Atomically adds @i to @v.
6653+ */
6654+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6655+{
6656+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
6657 : "+m" (v->counter)
6658 : "ir" (i));
6659 }
6660@@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6661 */
6662 static inline void atomic_sub(int i, atomic_t *v)
6663 {
6664- asm volatile(LOCK_PREFIX "subl %1,%0"
6665+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
6666+
6667+#ifdef CONFIG_PAX_REFCOUNT
6668+ "jno 0f\n"
6669+ LOCK_PREFIX "addl %1,%0\n"
6670+ _ASM_INTO "\n0:\n"
6671+ _ASM_EXTABLE(0b, 0b)
6672+#endif
6673+
6674+ : "+m" (v->counter)
6675+ : "ir" (i));
6676+}
6677+
6678+/**
6679+ * atomic_sub_unchecked - subtract integer from atomic variable
6680+ * @i: integer value to subtract
6681+ * @v: pointer of type atomic_t
6682+ *
6683+ * Atomically subtracts @i from @v.
6684+ */
6685+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6686+{
6687+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
6688 : "+m" (v->counter)
6689 : "ir" (i));
6690 }
6691@@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6692 {
6693 unsigned char c;
6694
6695- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6696+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
6697+
6698+#ifdef CONFIG_PAX_REFCOUNT
6699+ "jno 0f\n"
6700+ LOCK_PREFIX "addl %2,%0\n"
6701+ _ASM_INTO "\n0:\n"
6702+ _ASM_EXTABLE(0b, 0b)
6703+#endif
6704+
6705+ "sete %1\n"
6706 : "+m" (v->counter), "=qm" (c)
6707 : "ir" (i) : "memory");
6708 return c;
6709@@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6710 */
6711 static inline void atomic_inc(atomic_t *v)
6712 {
6713- asm volatile(LOCK_PREFIX "incl %0"
6714+ asm volatile(LOCK_PREFIX "incl %0\n"
6715+
6716+#ifdef CONFIG_PAX_REFCOUNT
6717+ "jno 0f\n"
6718+ LOCK_PREFIX "decl %0\n"
6719+ _ASM_INTO "\n0:\n"
6720+ _ASM_EXTABLE(0b, 0b)
6721+#endif
6722+
6723+ : "+m" (v->counter));
6724+}
6725+
6726+/**
6727+ * atomic_inc_unchecked - increment atomic variable
6728+ * @v: pointer of type atomic_unchecked_t
6729+ *
6730+ * Atomically increments @v by 1.
6731+ */
6732+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6733+{
6734+ asm volatile(LOCK_PREFIX "incl %0\n"
6735 : "+m" (v->counter));
6736 }
6737
6738@@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6739 */
6740 static inline void atomic_dec(atomic_t *v)
6741 {
6742- asm volatile(LOCK_PREFIX "decl %0"
6743+ asm volatile(LOCK_PREFIX "decl %0\n"
6744+
6745+#ifdef CONFIG_PAX_REFCOUNT
6746+ "jno 0f\n"
6747+ LOCK_PREFIX "incl %0\n"
6748+ _ASM_INTO "\n0:\n"
6749+ _ASM_EXTABLE(0b, 0b)
6750+#endif
6751+
6752+ : "+m" (v->counter));
6753+}
6754+
6755+/**
6756+ * atomic_dec_unchecked - decrement atomic variable
6757+ * @v: pointer of type atomic_t
6758+ *
6759+ * Atomically decrements @v by 1.
6760+ */
6761+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6762+{
6763+ asm volatile(LOCK_PREFIX "decl %0\n"
6764 : "+m" (v->counter));
6765 }
6766
6767@@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6768 {
6769 unsigned char c;
6770
6771- asm volatile(LOCK_PREFIX "decl %0; sete %1"
6772+ asm volatile(LOCK_PREFIX "decl %0\n"
6773+
6774+#ifdef CONFIG_PAX_REFCOUNT
6775+ "jno 0f\n"
6776+ LOCK_PREFIX "incl %0\n"
6777+ _ASM_INTO "\n0:\n"
6778+ _ASM_EXTABLE(0b, 0b)
6779+#endif
6780+
6781+ "sete %1\n"
6782 : "+m" (v->counter), "=qm" (c)
6783 : : "memory");
6784 return c != 0;
6785@@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
6786 {
6787 unsigned char c;
6788
6789- asm volatile(LOCK_PREFIX "incl %0; sete %1"
6790+ asm volatile(LOCK_PREFIX "incl %0\n"
6791+
6792+#ifdef CONFIG_PAX_REFCOUNT
6793+ "jno 0f\n"
6794+ LOCK_PREFIX "decl %0\n"
6795+ _ASM_INTO "\n0:\n"
6796+ _ASM_EXTABLE(0b, 0b)
6797+#endif
6798+
6799+ "sete %1\n"
6800 : "+m" (v->counter), "=qm" (c)
6801 : : "memory");
6802 return c != 0;
6803@@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
6804 {
6805 unsigned char c;
6806
6807- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6808+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
6809+
6810+#ifdef CONFIG_PAX_REFCOUNT
6811+ "jno 0f\n"
6812+ LOCK_PREFIX "subl %2,%0\n"
6813+ _ASM_INTO "\n0:\n"
6814+ _ASM_EXTABLE(0b, 0b)
6815+#endif
6816+
6817+ "sets %1\n"
6818 : "+m" (v->counter), "=qm" (c)
6819 : "ir" (i) : "memory");
6820 return c;
6821@@ -180,6 +323,46 @@ static inline int atomic_add_return(int
6822 #endif
6823 /* Modern 486+ processor */
6824 __i = i;
6825+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6826+
6827+#ifdef CONFIG_PAX_REFCOUNT
6828+ "jno 0f\n"
6829+ "movl %0, %1\n"
6830+ _ASM_INTO "\n0:\n"
6831+ _ASM_EXTABLE(0b, 0b)
6832+#endif
6833+
6834+ : "+r" (i), "+m" (v->counter)
6835+ : : "memory");
6836+ return i + __i;
6837+
6838+#ifdef CONFIG_M386
6839+no_xadd: /* Legacy 386 processor */
6840+ local_irq_save(flags);
6841+ __i = atomic_read(v);
6842+ atomic_set(v, i + __i);
6843+ local_irq_restore(flags);
6844+ return i + __i;
6845+#endif
6846+}
6847+
6848+/**
6849+ * atomic_add_return_unchecked - add integer and return
6850+ * @v: pointer of type atomic_unchecked_t
6851+ * @i: integer value to add
6852+ *
6853+ * Atomically adds @i to @v and returns @i + @v
6854+ */
6855+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6856+{
6857+ int __i;
6858+#ifdef CONFIG_M386
6859+ unsigned long flags;
6860+ if (unlikely(boot_cpu_data.x86 <= 3))
6861+ goto no_xadd;
6862+#endif
6863+ /* Modern 486+ processor */
6864+ __i = i;
6865 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6866 : "+r" (i), "+m" (v->counter)
6867 : : "memory");
6868@@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
6869 }
6870
6871 #define atomic_inc_return(v) (atomic_add_return(1, v))
6872+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6873+{
6874+ return atomic_add_return_unchecked(1, v);
6875+}
6876 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6877
6878 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6879@@ -231,17 +418,29 @@ static inline int atomic_xchg(atomic_t *
6880 */
6881 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6882 {
6883- int c, old;
6884+ int c, old, new;
6885 c = atomic_read(v);
6886 for (;;) {
6887- if (unlikely(c == (u)))
6888+ if (unlikely(c == u))
6889 break;
6890- old = atomic_cmpxchg((v), c, c + (a));
6891+
6892+ asm volatile("addl %2,%0\n"
6893+
6894+#ifdef CONFIG_PAX_REFCOUNT
6895+ "jno 0f\n"
6896+ _ASM_INTO "\n0:\n"
6897+ _ASM_EXTABLE(0b, 0b)
6898+#endif
6899+
6900+ : "=r" (new)
6901+ : "0" (c), "ir" (a));
6902+
6903+ old = atomic_cmpxchg(v, c, new);
6904 if (likely(old == c))
6905 break;
6906 c = old;
6907 }
6908- return c != (u);
6909+ return c != u;
6910 }
6911
6912 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6913diff -urNp linux-2.6.35.4/arch/x86/include/asm/boot.h linux-2.6.35.4/arch/x86/include/asm/boot.h
6914--- linux-2.6.35.4/arch/x86/include/asm/boot.h 2010-08-26 19:47:12.000000000 -0400
6915+++ linux-2.6.35.4/arch/x86/include/asm/boot.h 2010-09-17 20:12:09.000000000 -0400
efbe55a5
MT		 6916@@ -11,10 +11,15 @@
6917 #include <asm/pgtable_types.h>
df50ba0c 6918
efbe55a5
MT		 6919 /* Physical address where kernel should be loaded. */
6920-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6921+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6922 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6923 & ~(CONFIG_PHYSICAL_ALIGN - 1))
df50ba0c 6924
efbe55a5
MT		 6925+#ifndef __ASSEMBLY__
6926+extern unsigned char __LOAD_PHYSICAL_ADDR[];
6927+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
df50ba0c
MT		 6928+#endif
6929+
efbe55a5
MT		 6930 /* Minimum kernel alignment, as a power of two */
6931 #ifdef CONFIG_X86_64
6932 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
57199397
MT		 6933diff -urNp linux-2.6.35.4/arch/x86/include/asm/cacheflush.h linux-2.6.35.4/arch/x86/include/asm/cacheflush.h
6934--- linux-2.6.35.4/arch/x86/include/asm/cacheflush.h 2010-08-26 19:47:12.000000000 -0400
6935+++ linux-2.6.35.4/arch/x86/include/asm/cacheflush.h 2010-09-17 20:12:09.000000000 -0400
6936@@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
6937 unsigned long pg_flags = pg->flags & _PGMT_MASK;
6938
6939 if (pg_flags == _PGMT_DEFAULT)
6940- return -1;
6941+ return ~0UL;
6942 else if (pg_flags == _PGMT_WC)
6943 return _PAGE_CACHE_WC;
6944 else if (pg_flags == _PGMT_UC_MINUS)
6945diff -urNp linux-2.6.35.4/arch/x86/include/asm/cache.h linux-2.6.35.4/arch/x86/include/asm/cache.h
6946--- linux-2.6.35.4/arch/x86/include/asm/cache.h 2010-08-26 19:47:12.000000000 -0400
6947+++ linux-2.6.35.4/arch/x86/include/asm/cache.h 2010-09-17 20:12:09.000000000 -0400
efbe55a5
MT		 6948@@ -8,6 +8,7 @@
6949 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6950
57199397
MT		 6951 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
6952+#define __read_only __attribute__((__section__(".data..read_only")))
efbe55a5
MT		 6953
6954 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6955 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
57199397
MT		 6956diff -urNp linux-2.6.35.4/arch/x86/include/asm/checksum_32.h linux-2.6.35.4/arch/x86/include/asm/checksum_32.h
6957--- linux-2.6.35.4/arch/x86/include/asm/checksum_32.h 2010-08-26 19:47:12.000000000 -0400
6958+++ linux-2.6.35.4/arch/x86/include/asm/checksum_32.h 2010-09-17 20:12:09.000000000 -0400
efbe55a5
MT		 6959@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6960 int len, __wsum sum,
6961 int *src_err_ptr, int *dst_err_ptr);
df50ba0c 6962
efbe55a5
MT		 6963+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6964+ int len, __wsum sum,
6965+ int *src_err_ptr, int *dst_err_ptr);
df50ba0c 6966+
efbe55a5
MT		 6967+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6968+ int len, __wsum sum,
6969+ int *src_err_ptr, int *dst_err_ptr);
df50ba0c 6970+
efbe55a5
MT		 6971 /*
6972 * Note: when you get a NULL pointer exception here this means someone
6973 * passed in an incorrect kernel address to one of these functions.
6974@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6975 int *err_ptr)
df50ba0c 6976 {
efbe55a5
MT		 6977 might_sleep();
6978- return csum_partial_copy_generic((__force void *)src, dst,
6979+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
6980 len, sum, err_ptr, NULL);
58c5fc13
MT		 6981 }
6982
ae4e228f 6983@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
58c5fc13
MT		 6984 {
6985 might_sleep();
6986 if (access_ok(VERIFY_WRITE, dst, len))
6987- return csum_partial_copy_generic(src, (__force void *)dst,
6988+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6989 len, sum, NULL, err_ptr);
6990
6991 if (len)
57199397
MT		 6992diff -urNp linux-2.6.35.4/arch/x86/include/asm/compat.h linux-2.6.35.4/arch/x86/include/asm/compat.h
6993--- linux-2.6.35.4/arch/x86/include/asm/compat.h 2010-08-26 19:47:12.000000000 -0400
6994+++ linux-2.6.35.4/arch/x86/include/asm/compat.h 2010-09-17 20:12:37.000000000 -0400
6995@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compa
6996 return (u32)(unsigned long)uptr;
6997 }
6998
6999-static inline void __user *compat_alloc_user_space(long len)
7000+static inline void __user *arch_compat_alloc_user_space(long len)
7001 {
7002 struct pt_regs *regs = task_pt_regs(current);
7003 return (void __user *)regs->sp - len;
7004diff -urNp linux-2.6.35.4/arch/x86/include/asm/cpufeature.h linux-2.6.35.4/arch/x86/include/asm/cpufeature.h
7005--- linux-2.6.35.4/arch/x86/include/asm/cpufeature.h 2010-08-26 19:47:12.000000000 -0400
7006+++ linux-2.6.35.4/arch/x86/include/asm/cpufeature.h 2010-09-17 20:12:09.000000000 -0400
7007@@ -323,7 +323,7 @@ static __always_inline __pure bool __sta
7008 " .byte 4f - 3f\n" /* replacement len */
7009 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* padding */
7010 ".previous\n"
7011- ".section .altinstr_replacement,\"ax\"\n"
7012+ ".section .altinstr_replacement,\"a\"\n"
7013 "3: movb $1,%0\n"
7014 "4:\n"
7015 ".previous\n"
7016diff -urNp linux-2.6.35.4/arch/x86/include/asm/desc.h linux-2.6.35.4/arch/x86/include/asm/desc.h
7017--- linux-2.6.35.4/arch/x86/include/asm/desc.h 2010-08-26 19:47:12.000000000 -0400
7018+++ linux-2.6.35.4/arch/x86/include/asm/desc.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 7019@@ -4,6 +4,7 @@
7020 #include <asm/desc_defs.h>
7021 #include <asm/ldt.h>
7022 #include <asm/mmu.h>
7023+#include <asm/pgtable.h>
7024 #include <linux/smp.h>
7025
7026 static inline void fill_ldt(struct desc_struct *desc,
7027@@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
58c5fc13
MT		 7028 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7029 desc->type = (info->read_exec_only ^ 1) << 1;
7030 desc->type |= info->contents << 2;
7031+ desc->type |= info->seg_not_present ^ 1;
7032 desc->s = 1;
7033 desc->dpl = 0x3;
7034 desc->p = info->seg_not_present ^ 1;
ae4e228f 7035@@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
58c5fc13
MT		 7036 }
7037
7038 extern struct desc_ptr idt_descr;
7039-extern gate_desc idt_table[];
7040-
7041-struct gdt_page {
7042- struct desc_struct gdt[GDT_ENTRIES];
7043-} __attribute__((aligned(PAGE_SIZE)));
7044-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7045+extern gate_desc idt_table[256];
7046
7047+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7048 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7049 {
7050- return per_cpu(gdt_page, cpu).gdt;
7051+ return cpu_gdt_table[cpu];
7052 }
7053
7054 #ifdef CONFIG_X86_64
ae4e228f 7055@@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
58c5fc13
MT		 7056 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7057 const gate_desc *gate)
7058 {
ae4e228f 7059+ pax_open_kernel();
58c5fc13 7060 memcpy(&idt[entry], gate, sizeof(*gate));
ae4e228f 7061+ pax_close_kernel();
58c5fc13
MT		 7062 }
7063
7064 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7065 const void *desc)
7066 {
ae4e228f 7067+ pax_open_kernel();
58c5fc13 7068 memcpy(&ldt[entry], desc, 8);
ae4e228f 7069+ pax_close_kernel();
58c5fc13
MT		 7070 }
7071
7072 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7073 const void *desc, int type)
7074 {
7075 unsigned int size;
58c5fc13
MT		 7076+
7077 switch (type) {
7078 case DESC_TSS:
7079 size = sizeof(tss_desc);
ae4e228f 7080@@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
58c5fc13
MT		 7081 size = sizeof(struct desc_struct);
7082 break;
7083 }
7084+
ae4e228f 7085+ pax_open_kernel();
58c5fc13 7086 memcpy(&gdt[entry], desc, size);
ae4e228f 7087+ pax_close_kernel();
58c5fc13
MT		 7088 }
7089
7090 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
ae4e228f 7091@@ -211,7 +217,9 @@ static inline void native_set_ldt(const
58c5fc13
MT		 7092
7093 static inline void native_load_tr_desc(void)
7094 {
ae4e228f 7095+ pax_open_kernel();
58c5fc13 7096 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
ae4e228f 7097+ pax_close_kernel();
58c5fc13
MT		 7098 }
7099
7100 static inline void native_load_gdt(const struct desc_ptr *dtr)
ae4e228f 7101@@ -246,8 +254,10 @@ static inline void native_load_tls(struc
58c5fc13
MT		 7102 unsigned int i;
7103 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7104
ae4e228f 7105+ pax_open_kernel();
58c5fc13
MT		 7106 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7107 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
ae4e228f 7108+ pax_close_kernel();
58c5fc13
MT		 7109 }
7110
7111 #define _LDT_empty(info) \
df50ba0c
MT		 7112@@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
7113 desc->limit = (limit >> 16) & 0xf;
7114 }
7115
7116-static inline void _set_gate(int gate, unsigned type, void *addr,
7117+static inline void _set_gate(int gate, unsigned type, const void *addr,
7118 unsigned dpl, unsigned ist, unsigned seg)
7119 {
7120 gate_desc s;
7121@@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
7122 * Pentium F0 0F bugfix can have resulted in the mapped
7123 * IDT being write-protected.
7124 */
7125-static inline void set_intr_gate(unsigned int n, void *addr)
7126+static inline void set_intr_gate(unsigned int n, const void *addr)
7127 {
7128 BUG_ON((unsigned)n > 0xFF);
7129 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7130@@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
7131 /*
7132 * This routine sets up an interrupt gate at directory privilege level 3.
7133 */
7134-static inline void set_system_intr_gate(unsigned int n, void *addr)
7135+static inline void set_system_intr_gate(unsigned int n, const void *addr)
7136 {
7137 BUG_ON((unsigned)n > 0xFF);
7138 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7139 }
7140
7141-static inline void set_system_trap_gate(unsigned int n, void *addr)
7142+static inline void set_system_trap_gate(unsigned int n, const void *addr)
7143 {
7144 BUG_ON((unsigned)n > 0xFF);
7145 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7146 }
7147
7148-static inline void set_trap_gate(unsigned int n, void *addr)
7149+static inline void set_trap_gate(unsigned int n, const void *addr)
7150 {
7151 BUG_ON((unsigned)n > 0xFF);
7152 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7153@@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7154 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7155 {
7156 BUG_ON((unsigned)n > 0xFF);
7157- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7158+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7159 }
7160
7161-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7162+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7163 {
7164 BUG_ON((unsigned)n > 0xFF);
7165 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7166 }
7167
7168-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7169+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7170 {
7171 BUG_ON((unsigned)n > 0xFF);
58c5fc13
MT		 7172 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7173 }
7174
7175+#ifdef CONFIG_X86_32
7176+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7177+{
7178+ struct desc_struct d;
7179+
7180+ if (likely(limit))
7181+ limit = (limit - 1UL) >> PAGE_SHIFT;
7182+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
7183+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7184+}
7185+#endif
7186+
7187 #endif /* _ASM_X86_DESC_H */
57199397
MT		 7188diff -urNp linux-2.6.35.4/arch/x86/include/asm/device.h linux-2.6.35.4/arch/x86/include/asm/device.h
7189--- linux-2.6.35.4/arch/x86/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
7190+++ linux-2.6.35.4/arch/x86/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 7191@@ -6,7 +6,7 @@ struct dev_archdata {
7192 void *acpi_handle;
7193 #endif
7194 #ifdef CONFIG_X86_64
7195-struct dma_map_ops *dma_ops;
7196+ const struct dma_map_ops *dma_ops;
7197 #endif
7198 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7199 void *iommu; /* hook for IOMMU specific extension */
57199397
MT		 7200diff -urNp linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h
7201--- linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
7202+++ linux-2.6.35.4/arch/x86/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 7203@@ -26,9 +26,9 @@ extern int iommu_merge;
7204 extern struct device x86_dma_fallback_dev;
7205 extern int panic_on_overflow;
7206
7207-extern struct dma_map_ops *dma_ops;
7208+extern const struct dma_map_ops *dma_ops;
7209
7210-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7211+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7212 {
7213 #ifdef CONFIG_X86_32
7214 return dma_ops;
7215@@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7216 /* Make sure we keep the same behaviour */
7217 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7218 {
7219- struct dma_map_ops *ops = get_dma_ops(dev);
7220+ const struct dma_map_ops *ops = get_dma_ops(dev);
7221 if (ops->mapping_error)
7222 return ops->mapping_error(dev, dma_addr);
7223
7224@@ -123,7 +123,7 @@ static inline void *
7225 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7226 gfp_t gfp)
7227 {
7228- struct dma_map_ops *ops = get_dma_ops(dev);
7229+ const struct dma_map_ops *ops = get_dma_ops(dev);
7230 void *memory;
7231
7232 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7233@@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
7234 static inline void dma_free_coherent(struct device *dev, size_t size,
7235 void *vaddr, dma_addr_t bus)
7236 {
7237- struct dma_map_ops *ops = get_dma_ops(dev);
7238+ const struct dma_map_ops *ops = get_dma_ops(dev);
7239
7240 WARN_ON(irqs_disabled()); /* for portability */
7241
57199397
MT		 7242diff -urNp linux-2.6.35.4/arch/x86/include/asm/e820.h linux-2.6.35.4/arch/x86/include/asm/e820.h
7243--- linux-2.6.35.4/arch/x86/include/asm/e820.h 2010-08-26 19:47:12.000000000 -0400
7244+++ linux-2.6.35.4/arch/x86/include/asm/e820.h 2010-09-17 20:12:09.000000000 -0400
7245@@ -69,7 +69,7 @@ struct e820map {
ae4e228f 7246 #define ISA_START_ADDRESS 0xa0000
58c5fc13 7247 #define ISA_END_ADDRESS 0x100000
58c5fc13
MT		 7248
7249-#define BIOS_BEGIN 0x000a0000
7250+#define BIOS_BEGIN 0x000c0000
7251 #define BIOS_END 0x00100000
7252
7253 #ifdef __KERNEL__
57199397
MT		 7254diff -urNp linux-2.6.35.4/arch/x86/include/asm/elf.h linux-2.6.35.4/arch/x86/include/asm/elf.h
7255--- linux-2.6.35.4/arch/x86/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
7256+++ linux-2.6.35.4/arch/x86/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 7257@@ -237,7 +237,25 @@ extern int force_personality32;
58c5fc13
MT		 7258 the loader. We need to make sure that it is out of the way of the program
7259 that it will "exec", and that there is sufficient room for the brk. */
7260
7261+#ifdef CONFIG_PAX_SEGMEXEC
7262+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7263+#else
7264 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7265+#endif
7266+
7267+#ifdef CONFIG_PAX_ASLR
7268+#ifdef CONFIG_X86_32
7269+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7270+
7271+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7272+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7273+#else
7274+#define PAX_ELF_ET_DYN_BASE 0x400000UL
7275+
df50ba0c
MT		 7276+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7277+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
58c5fc13
MT		 7278+#endif
7279+#endif
7280
7281 /* This yields a mask that user programs can use to figure out what
7282 instruction set this CPU supports. This could be done in user space,
ae4e228f 7283@@ -291,8 +309,7 @@ do { \
58c5fc13
MT		 7284 #define ARCH_DLINFO \
7285 do { \
7286 if (vdso_enabled) \
7287- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7288- (unsigned long)current->mm->context.vdso); \
7289+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7290 } while (0)
7291
7292 #define AT_SYSINFO 32
ae4e228f 7293@@ -303,7 +320,7 @@ do { \
58c5fc13
MT		 7294
7295 #endif /* !CONFIG_X86_32 */
7296
7297-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7298+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7299
7300 #define VDSO_ENTRY \
7301 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
ae4e228f 7302@@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
58c5fc13
MT		 7303 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7304 #define compat_arch_setup_additional_pages syscall32_setup_pages
7305
7306-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7307-#define arch_randomize_brk arch_randomize_brk
7308-
7309 #endif /* _ASM_X86_ELF_H */
57199397
MT		 7310diff -urNp linux-2.6.35.4/arch/x86/include/asm/futex.h linux-2.6.35.4/arch/x86/include/asm/futex.h
7311--- linux-2.6.35.4/arch/x86/include/asm/futex.h 2010-08-26 19:47:12.000000000 -0400
7312+++ linux-2.6.35.4/arch/x86/include/asm/futex.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 7313@@ -11,17 +11,54 @@
58c5fc13
MT		 7314 #include <asm/processor.h>
7315 #include <asm/system.h>
7316
7317+#ifdef CONFIG_X86_32
df50ba0c 7318 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
58c5fc13
MT		 7319+ asm volatile( \
7320+ "movw\t%w6, %%ds\n" \
7321+ "1:\t" insn "\n" \
7322+ "2:\tpushl\t%%ss\n" \
7323+ "\tpopl\t%%ds\n" \
7324+ "\t.section .fixup,\"ax\"\n" \
7325+ "3:\tmov\t%3, %1\n" \
7326+ "\tjmp\t2b\n" \
7327+ "\t.previous\n" \
7328+ _ASM_EXTABLE(1b, 3b) \
7329+ : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7330+ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7331+
7332+#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7333+ asm volatile("movw\t%w7, %%es\n" \
7334+ "1:\tmovl\t%%es:%2, %0\n" \
7335+ "\tmovl\t%0, %3\n" \
7336+ "\t" insn "\n" \
7337+ "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7338+ "\tjnz\t1b\n" \
7339+ "3:\tpushl\t%%ss\n" \
7340+ "\tpopl\t%%es\n" \
7341+ "\t.section .fixup,\"ax\"\n" \
7342+ "4:\tmov\t%5, %1\n" \
7343+ "\tjmp\t3b\n" \
7344+ "\t.previous\n" \
7345+ _ASM_EXTABLE(1b, 4b) \
7346+ _ASM_EXTABLE(2b, 4b) \
7347+ : "=&a" (oldval), "=&r" (ret), \
7348+ "+m" (*uaddr), "=&r" (tem) \
7349+ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7350+#else
df50ba0c
MT		 7351+#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7352+ typecheck(u32 *, uaddr); \
58c5fc13
MT		 7353 asm volatile("1:\t" insn "\n" \
7354 "2:\t.section .fixup,\"ax\"\n" \
df50ba0c
MT		 7355 "3:\tmov\t%3, %1\n" \
7356 "\tjmp\t2b\n" \
7357 "\t.previous\n" \
7358 _ASM_EXTABLE(1b, 3b) \
7359- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7360+ : "=r" (oldval), "=r" (ret), \
7361+ "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7362 : "i" (-EFAULT), "0" (oparg), "1" (0))
7363
7364 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7365+ typecheck(u32 *, uaddr); \
7366 asm volatile("1:\tmovl %2, %0\n" \
7367 "\tmovl\t%0, %3\n" \
7368 "\t" insn "\n" \
7369@@ -34,10 +71,12 @@
7370 _ASM_EXTABLE(1b, 4b) \
7371 _ASM_EXTABLE(2b, 4b) \
58c5fc13 7372 : "=&a" (oldval), "=&r" (ret), \
df50ba0c
MT		 7373- "+m" (*uaddr), "=&r" (tem) \
7374+ "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7375+ "=&r" (tem) \
58c5fc13
MT		 7376 : "r" (oparg), "i" (-EFAULT), "1" (0))
7377+#endif
7378
7379-static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7380+static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7381 {
7382 int op = (encoded_op >> 28) & 7;
7383 int cmp = (encoded_op >> 24) & 15;
df50ba0c 7384@@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
58c5fc13
MT		 7385
7386 switch (op) {
7387 case FUTEX_OP_SET:
7388+#ifdef CONFIG_X86_32
7389+ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7390+#else
7391 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7392+#endif
7393 break;
7394 case FUTEX_OP_ADD:
7395+#ifdef CONFIG_X86_32
7396+ __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7397+ uaddr, oparg);
7398+#else
7399 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7400 uaddr, oparg);
7401+#endif
7402 break;
7403 case FUTEX_OP_OR:
7404 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
df50ba0c 7405@@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
58c5fc13
MT		 7406 return ret;
7407 }
7408
7409-static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7410+static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7411 int newval)
7412 {
7413
df50ba0c
MT		 7414@@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7415 return -ENOSYS;
7416 #endif
7417
7418- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7419+ if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
58c5fc13
MT		 7420 return -EFAULT;
7421
7422- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
df50ba0c 7423- "2:\t.section .fixup, \"ax\"\n"
58c5fc13
MT		 7424+ asm volatile(
7425+#ifdef CONFIG_X86_32
7426+ "\tmovw %w5, %%ds\n"
df50ba0c 7427+ "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
58c5fc13
MT		 7428+ "2:\tpushl %%ss\n"
7429+ "\tpopl %%ds\n"
58c5fc13
MT		 7430+#else
7431+ "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
df50ba0c 7432+ "2:\n"
58c5fc13 7433+#endif
df50ba0c 7434+ "\t.section .fixup, \"ax\"\n"
58c5fc13
MT		 7435 "3:\tmov %2, %0\n"
7436 "\tjmp 2b\n"
7437 "\t.previous\n"
7438 _ASM_EXTABLE(1b, 3b)
58c5fc13 7439+#ifdef CONFIG_X86_32
df50ba0c 7440 : "=a" (oldval), "+m" (*uaddr)
58c5fc13
MT		 7441+ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7442+#else
df50ba0c 7443+ : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
58c5fc13
MT		 7444 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7445+#endif
7446 : "memory"
7447 );
7448
57199397
MT		 7449diff -urNp linux-2.6.35.4/arch/x86/include/asm/i387.h linux-2.6.35.4/arch/x86/include/asm/i387.h
7450--- linux-2.6.35.4/arch/x86/include/asm/i387.h 2010-08-26 19:47:12.000000000 -0400
7451+++ linux-2.6.35.4/arch/x86/include/asm/i387.h 2010-09-17 20:12:09.000000000 -0400
7452@@ -77,6 +77,11 @@ static inline int fxrstor_checking(struc
df50ba0c
MT		 7453 {
7454 int err;
7455
7456+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7457+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7458+ fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7459+#endif
7460+
7461 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7462 "2:\n"
7463 ".section .fixup,\"ax\"\n"
57199397 7464@@ -127,6 +132,11 @@ static inline int fxsave_user(struct i38
df50ba0c
MT		 7465 {
7466 int err;
7467
7468+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7469+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7470+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7471+#endif
7472+
7473 asm volatile("1: rex64/fxsave (%[fx])\n\t"
7474 "2:\n"
7475 ".section .fixup,\"ax\"\n"
57199397 7476@@ -220,13 +230,8 @@ static inline int fxrstor_checking(struc
58c5fc13
MT		 7477 }
7478
7479 /* We need a safe address that is cheap to find and that is already
7480- in L1 during context switch. The best choices are unfortunately
7481- different for UP and SMP */
7482-#ifdef CONFIG_SMP
7483-#define safe_address (__per_cpu_offset[0])
7484-#else
7485-#define safe_address (kstat_cpu(0).cpustat.user)
7486-#endif
7487+ in L1 during context switch. */
7488+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7489
7490 /*
7491 * These must be called with preempt disabled
57199397
MT		 7492diff -urNp linux-2.6.35.4/arch/x86/include/asm/io.h linux-2.6.35.4/arch/x86/include/asm/io.h
7493--- linux-2.6.35.4/arch/x86/include/asm/io.h 2010-08-26 19:47:12.000000000 -0400
7494+++ linux-2.6.35.4/arch/x86/include/asm/io.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 7495@@ -213,6 +213,17 @@ extern void iounmap(volatile void __iome
58c5fc13
MT		 7496
7497 #include <linux/vmalloc.h>
7498
7499+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
ae4e228f 7500+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
58c5fc13
MT		 7501+{
7502+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7503+}
7504+
ae4e228f 7505+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
58c5fc13
MT		 7506+{
7507+ return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7508+}
7509+
df50ba0c
MT		 7510 /*
7511 * Convert a virtual cached pointer to an uncached pointer
7512 */
57199397
MT		 7513diff -urNp linux-2.6.35.4/arch/x86/include/asm/iommu.h linux-2.6.35.4/arch/x86/include/asm/iommu.h
7514--- linux-2.6.35.4/arch/x86/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
7515+++ linux-2.6.35.4/arch/x86/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 7516@@ -1,7 +1,7 @@
7517 #ifndef _ASM_X86_IOMMU_H
7518 #define _ASM_X86_IOMMU_H
7519
7520-extern struct dma_map_ops nommu_dma_ops;
7521+extern const struct dma_map_ops nommu_dma_ops;
7522 extern int force_iommu, no_iommu;
7523 extern int iommu_detected;
7524 extern int iommu_pass_through;
57199397
MT		 7525diff -urNp linux-2.6.35.4/arch/x86/include/asm/irqflags.h linux-2.6.35.4/arch/x86/include/asm/irqflags.h
7526--- linux-2.6.35.4/arch/x86/include/asm/irqflags.h 2010-08-26 19:47:12.000000000 -0400
7527+++ linux-2.6.35.4/arch/x86/include/asm/irqflags.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 7528@@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
ae4e228f
MT		 7529 sti; \
7530 sysexit
7531
df50ba0c
MT		 7532+#define GET_CR0_INTO_RDI mov %cr0, %rdi
7533+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7534+#define GET_CR3_INTO_RDI mov %cr3, %rdi
7535+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
ae4e228f
MT		 7536+
7537 #else
58c5fc13
MT		 7538 #define INTERRUPT_RETURN iret
7539 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
57199397
MT		 7540diff -urNp linux-2.6.35.4/arch/x86/include/asm/kvm_host.h linux-2.6.35.4/arch/x86/include/asm/kvm_host.h
7541--- linux-2.6.35.4/arch/x86/include/asm/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
7542+++ linux-2.6.35.4/arch/x86/include/asm/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
7543@@ -536,7 +536,7 @@ struct kvm_x86_ops {
ae4e228f 7544 const struct trace_print_flags *exit_reasons_str;
58c5fc13
MT		 7545 };
7546
7547-extern struct kvm_x86_ops *kvm_x86_ops;
7548+extern const struct kvm_x86_ops *kvm_x86_ops;
7549
7550 int kvm_mmu_module_init(void);
7551 void kvm_mmu_module_exit(void);
57199397
MT		 7552diff -urNp linux-2.6.35.4/arch/x86/include/asm/local.h linux-2.6.35.4/arch/x86/include/asm/local.h
7553--- linux-2.6.35.4/arch/x86/include/asm/local.h 2010-08-26 19:47:12.000000000 -0400
7554+++ linux-2.6.35.4/arch/x86/include/asm/local.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 7555@@ -18,26 +18,90 @@ typedef struct {
7556
7557 static inline void local_inc(local_t *l)
7558 {
7559- asm volatile(_ASM_INC "%0"
7560+ asm volatile(_ASM_INC "%0\n"
7561+
7562+#ifdef CONFIG_PAX_REFCOUNT
7563+#ifdef CONFIG_X86_32
7564+ "into\n0:\n"
7565+#else
7566+ "jno 0f\n"
7567+ "int $4\n0:\n"
7568+#endif
7569+ ".pushsection .fixup,\"ax\"\n"
7570+ "1:\n"
7571+ _ASM_DEC "%0\n"
7572+ "jmp 0b\n"
7573+ ".popsection\n"
7574+ _ASM_EXTABLE(0b, 1b)
7575+#endif
7576+
7577 : "+m" (l->a.counter));
7578 }
7579
7580 static inline void local_dec(local_t *l)
7581 {
7582- asm volatile(_ASM_DEC "%0"
7583+ asm volatile(_ASM_DEC "%0\n"
7584+
7585+#ifdef CONFIG_PAX_REFCOUNT
7586+#ifdef CONFIG_X86_32
7587+ "into\n0:\n"
7588+#else
7589+ "jno 0f\n"
7590+ "int $4\n0:\n"
7591+#endif
7592+ ".pushsection .fixup,\"ax\"\n"
7593+ "1:\n"
7594+ _ASM_INC "%0\n"
7595+ "jmp 0b\n"
7596+ ".popsection\n"
7597+ _ASM_EXTABLE(0b, 1b)
7598+#endif
7599+
7600 : "+m" (l->a.counter));
7601 }
7602
7603 static inline void local_add(long i, local_t *l)
7604 {
7605- asm volatile(_ASM_ADD "%1,%0"
7606+ asm volatile(_ASM_ADD "%1,%0\n"
7607+
7608+#ifdef CONFIG_PAX_REFCOUNT
7609+#ifdef CONFIG_X86_32
7610+ "into\n0:\n"
7611+#else
7612+ "jno 0f\n"
7613+ "int $4\n0:\n"
7614+#endif
7615+ ".pushsection .fixup,\"ax\"\n"
7616+ "1:\n"
7617+ _ASM_SUB "%1,%0\n"
7618+ "jmp 0b\n"
7619+ ".popsection\n"
7620+ _ASM_EXTABLE(0b, 1b)
7621+#endif
7622+
7623 : "+m" (l->a.counter)
7624 : "ir" (i));
7625 }
7626
7627 static inline void local_sub(long i, local_t *l)
7628 {
7629- asm volatile(_ASM_SUB "%1,%0"
7630+ asm volatile(_ASM_SUB "%1,%0\n"
7631+
7632+#ifdef CONFIG_PAX_REFCOUNT
7633+#ifdef CONFIG_X86_32
7634+ "into\n0:\n"
7635+#else
7636+ "jno 0f\n"
7637+ "int $4\n0:\n"
7638+#endif
7639+ ".pushsection .fixup,\"ax\"\n"
7640+ "1:\n"
7641+ _ASM_ADD "%1,%0\n"
7642+ "jmp 0b\n"
7643+ ".popsection\n"
7644+ _ASM_EXTABLE(0b, 1b)
7645+#endif
7646+
7647 : "+m" (l->a.counter)
7648 : "ir" (i));
7649 }
7650@@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7651 {
7652 unsigned char c;
7653
7654- asm volatile(_ASM_SUB "%2,%0; sete %1"
7655+ asm volatile(_ASM_SUB "%2,%0\n"
7656+
7657+#ifdef CONFIG_PAX_REFCOUNT
7658+#ifdef CONFIG_X86_32
7659+ "into\n0:\n"
7660+#else
7661+ "jno 0f\n"
7662+ "int $4\n0:\n"
7663+#endif
7664+ ".pushsection .fixup,\"ax\"\n"
7665+ "1:\n"
7666+ _ASM_ADD "%2,%0\n"
7667+ "jmp 0b\n"
7668+ ".popsection\n"
7669+ _ASM_EXTABLE(0b, 1b)
7670+#endif
7671+
7672+ "sete %1\n"
7673 : "+m" (l->a.counter), "=qm" (c)
7674 : "ir" (i) : "memory");
7675 return c;
7676@@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7677 {
7678 unsigned char c;
7679
7680- asm volatile(_ASM_DEC "%0; sete %1"
7681+ asm volatile(_ASM_DEC "%0\n"
7682+
7683+#ifdef CONFIG_PAX_REFCOUNT
7684+#ifdef CONFIG_X86_32
7685+ "into\n0:\n"
7686+#else
7687+ "jno 0f\n"
7688+ "int $4\n0:\n"
7689+#endif
7690+ ".pushsection .fixup,\"ax\"\n"
7691+ "1:\n"
7692+ _ASM_INC "%0\n"
7693+ "jmp 0b\n"
7694+ ".popsection\n"
7695+ _ASM_EXTABLE(0b, 1b)
7696+#endif
7697+
7698+ "sete %1\n"
7699 : "+m" (l->a.counter), "=qm" (c)
7700 : : "memory");
7701 return c != 0;
7702@@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7703 {
7704 unsigned char c;
7705
7706- asm volatile(_ASM_INC "%0; sete %1"
7707+ asm volatile(_ASM_INC "%0\n"
7708+
7709+#ifdef CONFIG_PAX_REFCOUNT
7710+#ifdef CONFIG_X86_32
7711+ "into\n0:\n"
7712+#else
7713+ "jno 0f\n"
7714+ "int $4\n0:\n"
7715+#endif
7716+ ".pushsection .fixup,\"ax\"\n"
7717+ "1:\n"
7718+ _ASM_DEC "%0\n"
7719+ "jmp 0b\n"
7720+ ".popsection\n"
7721+ _ASM_EXTABLE(0b, 1b)
7722+#endif
7723+
7724+ "sete %1\n"
7725 : "+m" (l->a.counter), "=qm" (c)
7726 : : "memory");
7727 return c != 0;
7728@@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7729 {
7730 unsigned char c;
7731
7732- asm volatile(_ASM_ADD "%2,%0; sets %1"
7733+ asm volatile(_ASM_ADD "%2,%0\n"
7734+
7735+#ifdef CONFIG_PAX_REFCOUNT
7736+#ifdef CONFIG_X86_32
7737+ "into\n0:\n"
7738+#else
7739+ "jno 0f\n"
7740+ "int $4\n0:\n"
7741+#endif
7742+ ".pushsection .fixup,\"ax\"\n"
7743+ "1:\n"
7744+ _ASM_SUB "%2,%0\n"
7745+ "jmp 0b\n"
7746+ ".popsection\n"
7747+ _ASM_EXTABLE(0b, 1b)
7748+#endif
7749+
7750+ "sets %1\n"
7751 : "+m" (l->a.counter), "=qm" (c)
7752 : "ir" (i) : "memory");
7753 return c;
7754@@ -133,7 +265,23 @@ static inline long local_add_return(long
7755 #endif
7756 /* Modern 486+ processor */
7757 __i = i;
7758- asm volatile(_ASM_XADD "%0, %1;"
7759+ asm volatile(_ASM_XADD "%0, %1\n"
7760+
7761+#ifdef CONFIG_PAX_REFCOUNT
7762+#ifdef CONFIG_X86_32
7763+ "into\n0:\n"
7764+#else
7765+ "jno 0f\n"
7766+ "int $4\n0:\n"
7767+#endif
7768+ ".pushsection .fixup,\"ax\"\n"
7769+ "1:\n"
7770+ _ASM_MOV "%0,%1\n"
7771+ "jmp 0b\n"
7772+ ".popsection\n"
7773+ _ASM_EXTABLE(0b, 1b)
7774+#endif
7775+
7776 : "+r" (i), "+m" (l->a.counter)
7777 : : "memory");
7778 return i + __i;
57199397
MT		 7779diff -urNp linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h
7780--- linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h 2010-08-26 19:47:12.000000000 -0400
7781+++ linux-2.6.35.4/arch/x86/include/asm/mc146818rtc.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 7782@@ -81,8 +81,8 @@ static inline unsigned char current_lock
7783 #else
7784 #define lock_cmos_prefix(reg) do {} while (0)
7785 #define lock_cmos_suffix(reg) do {} while (0)
7786-#define lock_cmos(reg)
7787-#define unlock_cmos()
7788+#define lock_cmos(reg) do {} while (0)
7789+#define unlock_cmos() do {} while (0)
7790 #define do_i_have_lock_cmos() 0
7791 #define current_lock_cmos_reg() 0
7792 #endif
57199397
MT		 7793diff -urNp linux-2.6.35.4/arch/x86/include/asm/microcode.h linux-2.6.35.4/arch/x86/include/asm/microcode.h
7794--- linux-2.6.35.4/arch/x86/include/asm/microcode.h 2010-08-26 19:47:12.000000000 -0400
7795+++ linux-2.6.35.4/arch/x86/include/asm/microcode.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 7796@@ -12,13 +12,13 @@ struct device;
7797 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7798
7799 struct microcode_ops {
7800- enum ucode_state (*request_microcode_user) (int cpu,
7801+ enum ucode_state (* const request_microcode_user) (int cpu,
7802 const void __user *buf, size_t size);
7803
7804- enum ucode_state (*request_microcode_fw) (int cpu,
7805+ enum ucode_state (* const request_microcode_fw) (int cpu,
7806 struct device *device);
7807
7808- void (*microcode_fini_cpu) (int cpu);
7809+ void (* const microcode_fini_cpu) (int cpu);
7810
7811 /*
7812 * The generic 'microcode_core' part guarantees that
7813@@ -38,18 +38,18 @@ struct ucode_cpu_info {
7814 extern struct ucode_cpu_info ucode_cpu_info[];
7815
7816 #ifdef CONFIG_MICROCODE_INTEL
7817-extern struct microcode_ops * __init init_intel_microcode(void);
7818+extern const struct microcode_ops * __init init_intel_microcode(void);
7819 #else
7820-static inline struct microcode_ops * __init init_intel_microcode(void)
7821+static inline const struct microcode_ops * __init init_intel_microcode(void)
7822 {
7823 return NULL;
7824 }
7825 #endif /* CONFIG_MICROCODE_INTEL */
7826
7827 #ifdef CONFIG_MICROCODE_AMD
7828-extern struct microcode_ops * __init init_amd_microcode(void);
7829+extern const struct microcode_ops * __init init_amd_microcode(void);
7830 #else
7831-static inline struct microcode_ops * __init init_amd_microcode(void)
7832+static inline const struct microcode_ops * __init init_amd_microcode(void)
7833 {
7834 return NULL;
7835 }
57199397
MT		 7836diff -urNp linux-2.6.35.4/arch/x86/include/asm/mman.h linux-2.6.35.4/arch/x86/include/asm/mman.h
7837--- linux-2.6.35.4/arch/x86/include/asm/mman.h 2010-08-26 19:47:12.000000000 -0400
7838+++ linux-2.6.35.4/arch/x86/include/asm/mman.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 7839@@ -5,4 +5,14 @@
7840
7841 #include <asm-generic/mman.h>
58c5fc13
MT		 7842
7843+#ifdef __KERNEL__
7844+#ifndef __ASSEMBLY__
7845+#ifdef CONFIG_X86_32
7846+#define arch_mmap_check i386_mmap_check
7847+int i386_mmap_check(unsigned long addr, unsigned long len,
7848+ unsigned long flags);
7849+#endif
7850+#endif
7851+#endif
7852+
7853 #endif /* _ASM_X86_MMAN_H */
57199397
MT		 7854diff -urNp linux-2.6.35.4/arch/x86/include/asm/mmu_context.h linux-2.6.35.4/arch/x86/include/asm/mmu_context.h
7855--- linux-2.6.35.4/arch/x86/include/asm/mmu_context.h 2010-08-26 19:47:12.000000000 -0400
7856+++ linux-2.6.35.4/arch/x86/include/asm/mmu_context.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 7857@@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
7858
7859 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7860 {
7861+
7862+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7863+ unsigned int i;
7864+ pgd_t *pgd;
7865+
7866+ pax_open_kernel();
7867+ pgd = get_cpu_pgd(smp_processor_id());
7868+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7869+ if (paravirt_enabled())
7870+ set_pgd(pgd+i, native_make_pgd(0));
7871+ else
7872+ pgd[i] = native_make_pgd(0);
7873+ pax_close_kernel();
7874+#endif
7875+
7876 #ifdef CONFIG_SMP
7877 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7878 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
7879@@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
58c5fc13
MT		 7880 struct task_struct *tsk)
7881 {
7882 unsigned cpu = smp_processor_id();
7883+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7884+ int tlbstate = TLBSTATE_OK;
7885+#endif
7886
7887 if (likely(prev != next)) {
7888 /* stop flush ipis for the previous mm */
ae4e228f 7889 cpumask_clear_cpu(cpu, mm_cpumask(prev));
58c5fc13
MT		 7890 #ifdef CONFIG_SMP
7891+#ifdef CONFIG_X86_32
7892+ tlbstate = percpu_read(cpu_tlbstate.state);
7893+#endif
7894 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7895 percpu_write(cpu_tlbstate.active_mm, next);
7896 #endif
df50ba0c
MT		 7897 cpumask_set_cpu(cpu, mm_cpumask(next));
7898
7899 /* Re-load page tables */
7900+#ifdef CONFIG_PAX_PER_CPU_PGD
7901+ pax_open_kernel();
7902+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7903+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7904+ pax_close_kernel();
7905+ load_cr3(get_cpu_pgd(cpu));
7906+#else
7907 load_cr3(next->pgd);
7908+#endif
7909
7910 /*
7911 * load the LDT, if the LDT is different:
58c5fc13
MT		 7912 */
7913 if (unlikely(prev->context.ldt != next->context.ldt))
7914 load_LDT_nolock(&next->context);
df50ba0c 7915- }
58c5fc13
MT		 7916+
7917+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
ae4e228f 7918+ if (!(__supported_pte_mask & _PAGE_NX)) {
58c5fc13
MT		 7919+ smp_mb__before_clear_bit();
7920+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7921+ smp_mb__after_clear_bit();
7922+ cpu_set(cpu, next->context.cpu_user_cs_mask);
7923+ }
7924+#endif
7925+
7926+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7927+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
ae4e228f
MT		 7928+ prev->context.user_cs_limit != next->context.user_cs_limit))
7929+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
df50ba0c 7930 #ifdef CONFIG_SMP
ae4e228f 7931+ else if (unlikely(tlbstate != TLBSTATE_OK))
58c5fc13
MT		 7932+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7933+#endif
ae4e228f 7934+#endif
58c5fc13 7935+
df50ba0c 7936+ }
58c5fc13 7937 else {
df50ba0c
MT		 7938+
7939+#ifdef CONFIG_PAX_PER_CPU_PGD
7940+ pax_open_kernel();
7941+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7942+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7943+ pax_close_kernel();
7944+ load_cr3(get_cpu_pgd(cpu));
7945+#endif
7946+
7947+#ifdef CONFIG_SMP
7948 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7949 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
7950
7951@@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
7952 * tlb flush IPI delivery. We must reload CR3
7953 * to make sure to use no freed page tables.
58c5fc13 7954 */
df50ba0c
MT		 7955+
7956+#ifndef CONFIG_PAX_PER_CPU_PGD
58c5fc13 7957 load_cr3(next->pgd);
df50ba0c
MT		 7958+#endif
7959+
58c5fc13
MT		 7960 load_LDT_nolock(&next->context);
7961+
7962+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
ae4e228f 7963+ if (!(__supported_pte_mask & _PAGE_NX))
58c5fc13
MT		 7964+ cpu_set(cpu, next->context.cpu_user_cs_mask);
7965+#endif
7966+
7967+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7968+#ifdef CONFIG_PAX_PAGEEXEC
ae4e228f 7969+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
58c5fc13
MT		 7970+#endif
7971+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7972+#endif
7973+
7974 }
df50ba0c 7975- }
58c5fc13 7976 #endif
df50ba0c
MT		 7977+ }
7978 }
7979
7980 #define activate_mm(prev, next) \
57199397
MT		 7981diff -urNp linux-2.6.35.4/arch/x86/include/asm/mmu.h linux-2.6.35.4/arch/x86/include/asm/mmu.h
7982--- linux-2.6.35.4/arch/x86/include/asm/mmu.h 2010-08-26 19:47:12.000000000 -0400
7983+++ linux-2.6.35.4/arch/x86/include/asm/mmu.h 2010-09-17 20:12:09.000000000 -0400
7984@@ -9,10 +9,23 @@
7985 * we put the segment information here.
7986 */
7987 typedef struct {
7988- void *ldt;
7989+ struct desc_struct *ldt;
7990 int size;
7991 struct mutex lock;
7992- void *vdso;
7993+ unsigned long vdso;
7994+
7995+#ifdef CONFIG_X86_32
7996+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7997+ unsigned long user_cs_base;
7998+ unsigned long user_cs_limit;
7999+
8000+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8001+ cpumask_t cpu_user_cs_mask;
8002+#endif
8003+
8004+#endif
8005+#endif
8006+
8007 } mm_context_t;
8008
8009 #ifdef CONFIG_SMP
8010diff -urNp linux-2.6.35.4/arch/x86/include/asm/module.h linux-2.6.35.4/arch/x86/include/asm/module.h
8011--- linux-2.6.35.4/arch/x86/include/asm/module.h 2010-08-26 19:47:12.000000000 -0400
8012+++ linux-2.6.35.4/arch/x86/include/asm/module.h 2010-09-17 20:12:37.000000000 -0400
df50ba0c
MT		 8013@@ -59,13 +59,31 @@
8014 #error unknown processor family
8015 #endif
8016
8017+#ifdef CONFIG_PAX_MEMORY_UDEREF
8018+#define MODULE_PAX_UDEREF "UDEREF "
8019+#else
8020+#define MODULE_PAX_UDEREF ""
8021+#endif
8022+
8023 #ifdef CONFIG_X86_32
8024 # ifdef CONFIG_4KSTACKS
8025 # define MODULE_STACKSIZE "4KSTACKS "
58c5fc13
MT		 8026 # else
8027 # define MODULE_STACKSIZE ""
8028 # endif
8029-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
df50ba0c
MT		 8030+# ifdef CONFIG_PAX_KERNEXEC
8031+# define MODULE_PAX_KERNEXEC "KERNEXEC "
8032+# else
8033+# define MODULE_PAX_KERNEXEC ""
8034+# endif
58c5fc13
MT		 8035+# ifdef CONFIG_GRKERNSEC
8036+# define MODULE_GRSEC "GRSECURITY "
8037+# else
8038+# define MODULE_GRSEC ""
8039+# endif
df50ba0c
MT		 8040+# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8041+#else
8042+# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
58c5fc13
MT		 8043 #endif
8044
8045 #endif /* _ASM_X86_MODULE_H */
57199397
MT		 8046diff -urNp linux-2.6.35.4/arch/x86/include/asm/page_32_types.h linux-2.6.35.4/arch/x86/include/asm/page_32_types.h
8047--- linux-2.6.35.4/arch/x86/include/asm/page_32_types.h 2010-08-26 19:47:12.000000000 -0400
8048+++ linux-2.6.35.4/arch/x86/include/asm/page_32_types.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 8049@@ -15,6 +15,10 @@
8050 */
8051 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
8052
8053+#ifdef CONFIG_PAX_PAGEEXEC
8054+#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
8055+#endif
8056+
8057 #ifdef CONFIG_4KSTACKS
8058 #define THREAD_ORDER 0
8059 #else
57199397
MT		 8060diff -urNp linux-2.6.35.4/arch/x86/include/asm/paravirt.h linux-2.6.35.4/arch/x86/include/asm/paravirt.h
8061--- linux-2.6.35.4/arch/x86/include/asm/paravirt.h 2010-08-26 19:47:12.000000000 -0400
8062+++ linux-2.6.35.4/arch/x86/include/asm/paravirt.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 8063@@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
ae4e228f
MT		 8064 pv_mmu_ops.set_fixmap(idx, phys, flags);
8065 }
8066
8067+#ifdef CONFIG_PAX_KERNEXEC
8068+static inline unsigned long pax_open_kernel(void)
8069+{
efbe55a5 8070+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
ae4e228f
MT		 8071+}
8072+
8073+static inline unsigned long pax_close_kernel(void)
8074+{
efbe55a5 8075+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
ae4e228f
MT		 8076+}
8077+#else
8078+static inline unsigned long pax_open_kernel(void) { return 0; }
8079+static inline unsigned long pax_close_kernel(void) { return 0; }
8080+#endif
8081+
8082 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8083
8084 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
df50ba0c 8085@@ -936,7 +951,7 @@ extern void default_banner(void);
58c5fc13
MT		 8086
8087 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8088 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8089-#define PARA_INDIRECT(addr) *%cs:addr
8090+#define PARA_INDIRECT(addr) *%ss:addr
8091 #endif
8092
8093 #define INTERRUPT_RETURN \
df50ba0c
MT		 8094@@ -1013,6 +1028,21 @@ extern void default_banner(void);
8095 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
ae4e228f
MT		 8096 CLBR_NONE, \
8097 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
58c5fc13 8098+
df50ba0c 8099+#define GET_CR0_INTO_RDI \
ae4e228f 8100+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
df50ba0c 8101+ mov %rax,%rdi
ae4e228f 8102+
df50ba0c
MT		 8103+#define SET_RDI_INTO_CR0 \
8104+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
ae4e228f 8105+
df50ba0c
MT		 8106+#define GET_CR3_INTO_RDI \
8107+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8108+ mov %rax,%rdi
8109+
8110+#define SET_RDI_INTO_CR3 \
8111+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
ae4e228f
MT		 8112+
8113 #endif /* CONFIG_X86_32 */
8114
8115 #endif /* __ASSEMBLY__ */
57199397
MT		 8116diff -urNp linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h
8117--- linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h 2010-08-26 19:47:12.000000000 -0400
8118+++ linux-2.6.35.4/arch/x86/include/asm/paravirt_types.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 8119@@ -312,6 +312,12 @@ struct pv_mmu_ops {
ae4e228f
MT		 8120 an mfn. We can tell which is which from the index. */
8121 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8122 phys_addr_t phys, pgprot_t flags);
8123+
8124+#ifdef CONFIG_PAX_KERNEXEC
8125+ unsigned long (*pax_open_kernel)(void);
8126+ unsigned long (*pax_close_kernel)(void);
8127+#endif
8128+
8129 };
8130
8131 struct arch_spinlock;
57199397
MT		 8132diff -urNp linux-2.6.35.4/arch/x86/include/asm/pci_x86.h linux-2.6.35.4/arch/x86/include/asm/pci_x86.h
8133--- linux-2.6.35.4/arch/x86/include/asm/pci_x86.h 2010-08-26 19:47:12.000000000 -0400
8134+++ linux-2.6.35.4/arch/x86/include/asm/pci_x86.h 2010-09-17 20:12:09.000000000 -0400
8135@@ -91,16 +91,16 @@ extern int (*pcibios_enable_irq)(struct
ae4e228f
MT		 8136 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8137
8138 struct pci_raw_ops {
8139- int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8140+ int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8141 int reg, int len, u32 *val);
8142- int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8143+ int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8144 int reg, int len, u32 val);
8145 };
8146
8147-extern struct pci_raw_ops *raw_pci_ops;
8148-extern struct pci_raw_ops *raw_pci_ext_ops;
8149+extern const struct pci_raw_ops *raw_pci_ops;
8150+extern const struct pci_raw_ops *raw_pci_ext_ops;
8151
8152-extern struct pci_raw_ops pci_direct_conf1;
8153+extern const struct pci_raw_ops pci_direct_conf1;
8154 extern bool port_cf9_safe;
8155
8156 /* arch_initcall level */
57199397
MT		 8157diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgalloc.h linux-2.6.35.4/arch/x86/include/asm/pgalloc.h
8158--- linux-2.6.35.4/arch/x86/include/asm/pgalloc.h 2010-08-26 19:47:12.000000000 -0400
8159+++ linux-2.6.35.4/arch/x86/include/asm/pgalloc.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 8160@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
58c5fc13
MT		 8161 pmd_t *pmd, pte_t *pte)
8162 {
8163 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8164+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8165+}
8166+
8167+static inline void pmd_populate_user(struct mm_struct *mm,
8168+ pmd_t *pmd, pte_t *pte)
8169+{
8170+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8171 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8172 }
8173
57199397
MT		 8174diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h
8175--- linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h 2010-08-26 19:47:12.000000000 -0400
8176+++ linux-2.6.35.4/arch/x86/include/asm/pgtable-2level.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 8177@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
58c5fc13
MT		 8178
8179 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8180 {
ae4e228f 8181+ pax_open_kernel();
58c5fc13 8182 *pmdp = pmd;
ae4e228f 8183+ pax_close_kernel();
58c5fc13
MT		 8184 }
8185
8186 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
57199397
MT		 8187diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h
8188--- linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h 2010-08-26 19:47:12.000000000 -0400
8189+++ linux-2.6.35.4/arch/x86/include/asm/pgtable_32.h 2010-09-17 20:12:09.000000000 -0400
8190@@ -25,8 +25,6 @@
8191 struct mm_struct;
8192 struct vm_area_struct;
8193
8194-extern pgd_t swapper_pg_dir[1024];
8195-
8196 static inline void pgtable_cache_init(void) { }
8197 static inline void check_pgt_cache(void) { }
8198 void paging_init(void);
8199@@ -47,6 +45,11 @@ extern void set_pmd_pfn(unsigned long, u
8200 # include <asm/pgtable-2level.h>
8201 #endif
8202
8203+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8204+#ifdef CONFIG_X86_PAE
8205+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8206+#endif
8207+
8208 #if defined(CONFIG_HIGHPTE)
8209 #define __KM_PTE \
8210 (in_nmi() ? KM_NMI_PTE : \
8211@@ -71,7 +74,9 @@ extern void set_pmd_pfn(unsigned long, u
8212 /* Clear a kernel PTE and flush it from the TLB */
8213 #define kpte_clear_flush(ptep, vaddr) \
8214 do { \
8215+ pax_open_kernel(); \
8216 pte_clear(&init_mm, (vaddr), (ptep)); \
8217+ pax_close_kernel(); \
8218 __flush_tlb_one((vaddr)); \
8219 } while (0)
8220
8221@@ -83,6 +88,9 @@ do { \
8222
8223 #endif /* !__ASSEMBLY__ */
8224
8225+#define HAVE_ARCH_UNMAPPED_AREA
8226+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8227+
8228 /*
8229 * kern_addr_valid() is (1) for FLATMEM and (0) for
8230 * SPARSEMEM and DISCONTIGMEM
8231diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h
8232--- linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h 2010-08-26 19:47:12.000000000 -0400
8233+++ linux-2.6.35.4/arch/x86/include/asm/pgtable_32_types.h 2010-09-17 20:12:09.000000000 -0400
8234@@ -8,7 +8,7 @@
8235 */
8236 #ifdef CONFIG_X86_PAE
8237 # include <asm/pgtable-3level_types.h>
8238-# define PMD_SIZE (1UL << PMD_SHIFT)
8239+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8240 # define PMD_MASK (~(PMD_SIZE - 1))
8241 #else
8242 # include <asm/pgtable-2level_types.h>
8243@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8244 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8245 #endif
8246
8247+#ifdef CONFIG_PAX_KERNEXEC
8248+#ifndef __ASSEMBLY__
8249+extern unsigned char MODULES_EXEC_VADDR[];
8250+extern unsigned char MODULES_EXEC_END[];
8251+#endif
8252+#include <asm/boot.h>
8253+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8254+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8255+#else
8256+#define ktla_ktva(addr) (addr)
8257+#define ktva_ktla(addr) (addr)
8258+#endif
8259+
8260 #define MODULES_VADDR VMALLOC_START
8261 #define MODULES_END VMALLOC_END
8262 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
8263diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h
8264--- linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h 2010-08-26 19:47:12.000000000 -0400
8265+++ linux-2.6.35.4/arch/x86/include/asm/pgtable-3level.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 8266@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
58c5fc13
MT		 8267
8268 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8269 {
ae4e228f 8270+ pax_open_kernel();
58c5fc13 8271 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
ae4e228f 8272+ pax_close_kernel();
58c5fc13
MT		 8273 }
8274
8275 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8276 {
ae4e228f 8277+ pax_open_kernel();
58c5fc13 8278 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
ae4e228f 8279+ pax_close_kernel();
58c5fc13
MT		 8280 }
8281
8282 /*
57199397
MT		 8283diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h
8284--- linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h 2010-08-26 19:47:12.000000000 -0400
8285+++ linux-2.6.35.4/arch/x86/include/asm/pgtable_64.h 2010-09-17 20:12:09.000000000 -0400
8286@@ -16,10 +16,13 @@
8287
8288 extern pud_t level3_kernel_pgt[512];
8289 extern pud_t level3_ident_pgt[512];
8290+extern pud_t level3_vmalloc_pgt[512];
8291+extern pud_t level3_vmemmap_pgt[512];
8292+extern pud_t level2_vmemmap_pgt[512];
8293 extern pmd_t level2_kernel_pgt[512];
8294 extern pmd_t level2_fixmap_pgt[512];
8295-extern pmd_t level2_ident_pgt[512];
8296-extern pgd_t init_level4_pgt[];
8297+extern pmd_t level2_ident_pgt[512*2];
8298+extern pgd_t init_level4_pgt[512];
8299
8300 #define swapper_pg_dir init_level4_pgt
8301
8302@@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8303
8304 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8305 {
8306+ pax_open_kernel();
8307 *pmdp = pmd;
8308+ pax_close_kernel();
8309 }
8310
8311 static inline void native_pmd_clear(pmd_t *pmd)
8312@@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8313
8314 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8315 {
8316+ pax_open_kernel();
8317 *pgdp = pgd;
8318+ pax_close_kernel();
8319 }
8320
8321 static inline void native_pgd_clear(pgd_t *pgd)
8322diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h
8323--- linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h 2010-08-26 19:47:12.000000000 -0400
8324+++ linux-2.6.35.4/arch/x86/include/asm/pgtable_64_types.h 2010-09-17 20:12:09.000000000 -0400
8325@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8326 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8327 #define MODULES_END _AC(0xffffffffff000000, UL)
8328 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8329+#define MODULES_EXEC_VADDR MODULES_VADDR
8330+#define MODULES_EXEC_END MODULES_END
8331+
8332+#define ktla_ktva(addr) (addr)
8333+#define ktva_ktla(addr) (addr)
8334
8335 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8336diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable.h linux-2.6.35.4/arch/x86/include/asm/pgtable.h
8337--- linux-2.6.35.4/arch/x86/include/asm/pgtable.h 2010-08-26 19:47:12.000000000 -0400
8338+++ linux-2.6.35.4/arch/x86/include/asm/pgtable.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 8339@@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8340
8341 #define arch_end_context_switch(prev) do {} while(0)
8342
8343+#define pax_open_kernel() native_pax_open_kernel()
8344+#define pax_close_kernel() native_pax_close_kernel()
8345 #endif /* CONFIG_PARAVIRT */
8346
8347+#define __HAVE_ARCH_PAX_OPEN_KERNEL
8348+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
58c5fc13
MT		 8349+
8350+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f
MT		 8351+static inline unsigned long native_pax_open_kernel(void)
8352+{
58c5fc13
MT		 8353+ unsigned long cr0;
8354+
ae4e228f
MT		 8355+ preempt_disable();
8356+ barrier();
8357+ cr0 = read_cr0() ^ X86_CR0_WP;
8358+ BUG_ON(unlikely(cr0 & X86_CR0_WP));
8359+ write_cr0(cr0);
8360+ return cr0 ^ X86_CR0_WP;
8361+}
58c5fc13 8362+
ae4e228f
MT		 8363+static inline unsigned long native_pax_close_kernel(void)
8364+{
8365+ unsigned long cr0;
58c5fc13 8366+
ae4e228f
MT		 8367+ cr0 = read_cr0() ^ X86_CR0_WP;
8368+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8369+ write_cr0(cr0);
8370+ barrier();
8371+ preempt_enable_no_resched();
8372+ return cr0 ^ X86_CR0_WP;
8373+}
8374+#else
8375+static inline unsigned long native_pax_open_kernel(void) { return 0; }
8376+static inline unsigned long native_pax_close_kernel(void) { return 0; }
58c5fc13
MT		 8377+#endif
8378+
ae4e228f 8379 /*
58c5fc13
MT		 8380 * The following only work if pte_present() is true.
8381 * Undefined behaviour if not..
8382 */
8383+static inline int pte_user(pte_t pte)
8384+{
8385+ return pte_val(pte) & _PAGE_USER;
8386+}
8387+
8388 static inline int pte_dirty(pte_t pte)
8389 {
8390 return pte_flags(pte) & _PAGE_DIRTY;
ae4e228f 8391@@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
58c5fc13
MT		 8392 return pte_clear_flags(pte, _PAGE_RW);
8393 }
8394
8395+static inline pte_t pte_mkread(pte_t pte)
8396+{
8397+ return __pte(pte_val(pte) | _PAGE_USER);
8398+}
8399+
8400 static inline pte_t pte_mkexec(pte_t pte)
8401 {
8402- return pte_clear_flags(pte, _PAGE_NX);
8403+#ifdef CONFIG_X86_PAE
8404+ if (__supported_pte_mask & _PAGE_NX)
8405+ return pte_clear_flags(pte, _PAGE_NX);
8406+ else
8407+#endif
8408+ return pte_set_flags(pte, _PAGE_USER);
8409+}
8410+
8411+static inline pte_t pte_exprotect(pte_t pte)
8412+{
8413+#ifdef CONFIG_X86_PAE
8414+ if (__supported_pte_mask & _PAGE_NX)
8415+ return pte_set_flags(pte, _PAGE_NX);
8416+ else
8417+#endif
8418+ return pte_clear_flags(pte, _PAGE_USER);
8419 }
8420
8421 static inline pte_t pte_mkdirty(pte_t pte)
df50ba0c
MT		 8422@@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long
8423 #endif
8424
8425 #ifndef __ASSEMBLY__
8426+
8427+#ifdef CONFIG_PAX_PER_CPU_PGD
8428+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8429+static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8430+{
8431+ return cpu_pgd[cpu];
8432+}
8433+#endif
8434+
8435 #include <linux/mm_types.h>
8436
8437 static inline int pte_none(pte_t pte)
8438@@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
58c5fc13
MT		 8439
8440 static inline int pgd_bad(pgd_t pgd)
8441 {
8442- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8443+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8444 }
8445
8446 static inline int pgd_none(pgd_t pgd)
df50ba0c
MT		 8447@@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8448 * pgd_offset() returns a (pgd_t *)
8449 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8450 */
8451-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8452+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8453+
8454+#ifdef CONFIG_PAX_PER_CPU_PGD
8455+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8456+#endif
8457+
8458 /*
8459 * a shortcut which implies the use of the kernel's pgd, instead
8460 * of a process's
8461@@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8462 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8463 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8464
8465+#ifdef CONFIG_X86_32
8466+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8467+#else
8468+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8469+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8470+
8471+#ifdef CONFIG_PAX_MEMORY_UDEREF
8472+#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8473+#else
8474+#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8475+#endif
8476+
8477+#endif
8478+
8479 #ifndef __ASSEMBLY__
8480
8481 extern int direct_gbpages;
8482@@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
ae4e228f
MT		 8483 * dst and src can be on the same page, but the range must not overlap,
8484 * and must not cross a page boundary.
58c5fc13 8485 */
ae4e228f
MT		 8486-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8487+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
58c5fc13
MT		 8488 {
8489- memcpy(dst, src, count * sizeof(pgd_t));
ae4e228f
MT		 8490+ pax_open_kernel();
8491+ while (count--)
8492+ *dst++ = *src++;
8493+ pax_close_kernel();
58c5fc13
MT		 8494 }
8495
df50ba0c
MT		 8496+#ifdef CONFIG_PAX_PER_CPU_PGD
8497+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8498+#endif
8499+
8500+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8501+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8502+#else
8503+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8504+#endif
58c5fc13 8505
df50ba0c
MT		 8506 #include <asm-generic/pgtable.h>
8507 #endif /* __ASSEMBLY__ */
57199397
MT		 8508diff -urNp linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h
8509--- linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h 2010-08-26 19:47:12.000000000 -0400
8510+++ linux-2.6.35.4/arch/x86/include/asm/pgtable_types.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 8511@@ -16,12 +16,11 @@
8512 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8513 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8514 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8515-#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8516+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8517 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8518 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8519 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8520-#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8521-#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8522+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8523 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8524
8525 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8526@@ -39,7 +38,6 @@
8527 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8528 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8529 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8530-#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8531 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8532 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8533 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8534@@ -55,8 +53,10 @@
8535
8536 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8537 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8538-#else
8539+#elif defined(CONFIG_KMEMCHECK)
8540 #define _PAGE_NX (_AT(pteval_t, 0))
8541+#else
8542+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8543 #endif
8544
8545 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8546@@ -93,6 +93,9 @@
8547 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8548 _PAGE_ACCESSED)
8549
8550+#define PAGE_READONLY_NOEXEC PAGE_READONLY
8551+#define PAGE_SHARED_NOEXEC PAGE_SHARED
8552+
8553 #define __PAGE_KERNEL_EXEC \
8554 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8555 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8556@@ -103,8 +106,8 @@
8557 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8558 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8559 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8560-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8561-#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8562+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8563+#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8564 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8565 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8566 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8567@@ -163,8 +166,8 @@
8568 * bits are combined, this will alow user to access the high address mapped
8569 * VDSO in the presence of CONFIG_COMPAT_VDSO
8570 */
8571-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8572-#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8573+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8574+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8575 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8576 #endif
8577
57199397
MT		 8578@@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8579 {
8580 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8581 }
8582+#endif
8583
8584+#if PAGETABLE_LEVELS == 3
8585+#include <asm-generic/pgtable-nopud.h>
8586+#endif
8587+
8588+#if PAGETABLE_LEVELS == 2
8589+#include <asm-generic/pgtable-nopmd.h>
8590+#endif
8591+
8592+#ifndef __ASSEMBLY__
8593 #if PAGETABLE_LEVELS > 3
8594 typedef struct { pudval_t pud; } pud_t;
8595
8596@@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8597 return pud.pud;
8598 }
8599 #else
8600-#include <asm-generic/pgtable-nopud.h>
8601-
8602 static inline pudval_t native_pud_val(pud_t pud)
8603 {
8604 return native_pgd_val(pud.pgd);
8605@@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8606 return pmd.pmd;
8607 }
8608 #else
8609-#include <asm-generic/pgtable-nopmd.h>
8610-
8611 static inline pmdval_t native_pmd_val(pmd_t pmd)
8612 {
8613 return native_pgd_val(pmd.pud.pgd);
8614@@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
58c5fc13
MT		 8615
8616 extern pteval_t __supported_pte_mask;
ae4e228f
MT		 8617 extern void set_nx(void);
8618-extern int nx_enabled;
58c5fc13
MT		 8619
8620 #define pgprot_writecombine pgprot_writecombine
8621 extern pgprot_t pgprot_writecombine(pgprot_t prot);
57199397
MT		 8622diff -urNp linux-2.6.35.4/arch/x86/include/asm/processor.h linux-2.6.35.4/arch/x86/include/asm/processor.h
8623--- linux-2.6.35.4/arch/x86/include/asm/processor.h 2010-08-26 19:47:12.000000000 -0400
8624+++ linux-2.6.35.4/arch/x86/include/asm/processor.h 2010-09-17 20:12:09.000000000 -0400
8625@@ -269,7 +269,7 @@ struct tss_struct {
58c5fc13
MT		 8626
8627 } ____cacheline_aligned;
8628
8629-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8630+extern struct tss_struct init_tss[NR_CPUS];
8631
8632 /*
8633 * Save the original ist values for checking stack pointers during debugging
57199397 8634@@ -884,8 +884,15 @@ static inline void spin_lock_prefetch(co
58c5fc13
MT		 8635 */
8636 #define TASK_SIZE PAGE_OFFSET
8637 #define TASK_SIZE_MAX TASK_SIZE
8638+
8639+#ifdef CONFIG_PAX_SEGMEXEC
8640+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
58c5fc13
MT		 8641+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8642+#else
8643 #define STACK_TOP TASK_SIZE
8644-#define STACK_TOP_MAX STACK_TOP
8645+#endif
ae4e228f 8646+
58c5fc13
MT		 8647+#define STACK_TOP_MAX TASK_SIZE
8648
8649 #define INIT_THREAD { \
8650 .sp0 = sizeof(init_stack) + (long)&init_stack, \
57199397 8651@@ -902,7 +909,7 @@ static inline void spin_lock_prefetch(co
58c5fc13
MT		 8652 */
8653 #define INIT_TSS { \
8654 .x86_tss = { \
8655- .sp0 = sizeof(init_stack) + (long)&init_stack, \
8656+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8657 .ss0 = __KERNEL_DS, \
8658 .ss1 = __KERNEL_CS, \
8659 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
57199397 8660@@ -913,11 +920,7 @@ static inline void spin_lock_prefetch(co
58c5fc13
MT		 8661 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8662
8663 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8664-#define KSTK_TOP(info) \
8665-({ \
8666- unsigned long *__ptr = (unsigned long *)(info); \
8667- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8668-})
8669+#define KSTK_TOP(info) ((info)->task.thread.sp0)
8670
8671 /*
8672 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
57199397 8673@@ -932,7 +935,7 @@ extern unsigned long thread_saved_pc(str
58c5fc13
MT		 8674 #define task_pt_regs(task) \
8675 ({ \
8676 struct pt_regs *__regs__; \
8677- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8678+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8679 __regs__ - 1; \
8680 })
8681
57199397 8682@@ -942,13 +945,13 @@ extern unsigned long thread_saved_pc(str
df50ba0c
MT		 8683 /*
8684 * User space process size. 47bits minus one guard page.
8685 */
8686-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8687+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8688
8689 /* This decides where the kernel will search for a free chunk of vm
58c5fc13
MT		 8690 * space during mmap's.
8691 */
8692 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8693- 0xc0000000 : 0xFFFFe000)
8694+ 0xc0000000 : 0xFFFFf000)
8695
8696 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8697 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
57199397 8698@@ -985,6 +988,10 @@ extern void start_thread(struct pt_regs
58c5fc13
MT		 8699 */
8700 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8701
8702+#ifdef CONFIG_PAX_SEGMEXEC
8703+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8704+#endif
8705+
8706 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8707
8708 /* Get/set a process' ability to use the timestamp counter instruction */
57199397
MT		 8709diff -urNp linux-2.6.35.4/arch/x86/include/asm/ptrace.h linux-2.6.35.4/arch/x86/include/asm/ptrace.h
8710--- linux-2.6.35.4/arch/x86/include/asm/ptrace.h 2010-08-26 19:47:12.000000000 -0400
8711+++ linux-2.6.35.4/arch/x86/include/asm/ptrace.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 8712@@ -152,28 +152,29 @@ static inline unsigned long regs_return_
58c5fc13
MT		 8713 }
8714
8715 /*
8716- * user_mode_vm(regs) determines whether a register set came from user mode.
8717+ * user_mode(regs) determines whether a register set came from user mode.
8718 * This is true if V8086 mode was enabled OR if the register set was from
8719 * protected mode with RPL-3 CS value. This tricky test checks that with
8720 * one comparison. Many places in the kernel can bypass this full check
8721- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8722+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8723+ * be used.
8724 */
8725-static inline int user_mode(struct pt_regs *regs)
8726+static inline int user_mode_novm(struct pt_regs *regs)
8727 {
8728 #ifdef CONFIG_X86_32
8729 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8730 #else
8731- return !!(regs->cs & 3);
8732+ return !!(regs->cs & SEGMENT_RPL_MASK);
8733 #endif
8734 }
8735
8736-static inline int user_mode_vm(struct pt_regs *regs)
8737+static inline int user_mode(struct pt_regs *regs)
8738 {
8739 #ifdef CONFIG_X86_32
8740 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8741 USER_RPL;
8742 #else
8743- return user_mode(regs);
8744+ return user_mode_novm(regs);
8745 #endif
8746 }
8747
57199397
MT		 8748diff -urNp linux-2.6.35.4/arch/x86/include/asm/reboot.h linux-2.6.35.4/arch/x86/include/asm/reboot.h
8749--- linux-2.6.35.4/arch/x86/include/asm/reboot.h 2010-08-26 19:47:12.000000000 -0400
8750+++ linux-2.6.35.4/arch/x86/include/asm/reboot.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 8751@@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8752
8753 void native_machine_crash_shutdown(struct pt_regs *regs);
8754 void native_machine_shutdown(void);
8755-void machine_real_restart(const unsigned char *code, int length);
8756+void machine_real_restart(const unsigned char *code, unsigned int length);
8757
8758 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8759 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
57199397
MT		 8760diff -urNp linux-2.6.35.4/arch/x86/include/asm/rwsem.h linux-2.6.35.4/arch/x86/include/asm/rwsem.h
8761--- linux-2.6.35.4/arch/x86/include/asm/rwsem.h 2010-08-26 19:47:12.000000000 -0400
8762+++ linux-2.6.35.4/arch/x86/include/asm/rwsem.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 8763@@ -118,10 +118,26 @@ static inline void __down_read(struct rw
58c5fc13
MT		 8764 {
8765 asm volatile("# beginning down_read\n\t"
df50ba0c 8766 LOCK_PREFIX _ASM_INC "(%1)\n\t"
58c5fc13
MT		 8767+
8768+#ifdef CONFIG_PAX_REFCOUNT
8769+#ifdef CONFIG_X86_32
8770+ "into\n0:\n"
8771+#else
8772+ "jno 0f\n"
8773+ "int $4\n0:\n"
8774+#endif
8775+ ".pushsection .fixup,\"ax\"\n"
8776+ "1:\n"
df50ba0c 8777+ LOCK_PREFIX _ASM_DEC "(%1)\n"
58c5fc13
MT		 8778+ "jmp 0b\n"
8779+ ".popsection\n"
8780+ _ASM_EXTABLE(0b, 1b)
8781+#endif
8782+
8783 /* adds 0x00000001, returns the old value */
8784- " jns 1f\n"
8785+ " jns 2f\n"
8786 " call call_rwsem_down_read_failed\n"
8787- "1:\n\t"
8788+ "2:\n\t"
8789 "# ending down_read\n\t"
8790 : "+m" (sem->count)
8791 : "a" (sem)
df50ba0c
MT		 8792@@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
8793 rwsem_count_t result, tmp;
58c5fc13 8794 asm volatile("# beginning __down_read_trylock\n\t"
df50ba0c 8795 " mov %0,%1\n\t"
58c5fc13
MT		 8796- "1:\n\t"
8797+ "2:\n\t"
df50ba0c
MT		 8798 " mov %1,%2\n\t"
8799 " add %3,%2\n\t"
58c5fc13
MT		 8800- " jle 2f\n\t"
8801+
8802+#ifdef CONFIG_PAX_REFCOUNT
8803+#ifdef CONFIG_X86_32
8804+ "into\n0:\n"
8805+#else
8806+ "jno 0f\n"
8807+ "int $4\n0:\n"
8808+#endif
8809+ ".pushsection .fixup,\"ax\"\n"
8810+ "1:\n"
df50ba0c 8811+ "sub %3,%2\n"
58c5fc13
MT		 8812+ "jmp 0b\n"
8813+ ".popsection\n"
8814+ _ASM_EXTABLE(0b, 1b)
8815+#endif
8816+
8817+ " jle 3f\n\t"
df50ba0c 8818 LOCK_PREFIX " cmpxchg %2,%0\n\t"
58c5fc13
MT		 8819- " jnz 1b\n\t"
8820- "2:\n\t"
8821+ " jnz 2b\n\t"
8822+ "3:\n\t"
8823 "# ending __down_read_trylock\n\t"
8824 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8825 : "i" (RWSEM_ACTIVE_READ_BIAS)
df50ba0c 8826@@ -160,12 +192,28 @@ static inline void __down_write_nested(s
58c5fc13
MT		 8827 tmp = RWSEM_ACTIVE_WRITE_BIAS;
8828 asm volatile("# beginning down_write\n\t"
df50ba0c 8829 LOCK_PREFIX " xadd %1,(%2)\n\t"
58c5fc13
MT		 8830+
8831+#ifdef CONFIG_PAX_REFCOUNT
8832+#ifdef CONFIG_X86_32
8833+ "into\n0:\n"
8834+#else
8835+ "jno 0f\n"
8836+ "int $4\n0:\n"
8837+#endif
8838+ ".pushsection .fixup,\"ax\"\n"
8839+ "1:\n"
df50ba0c 8840+ "mov %1,(%2)\n"
58c5fc13
MT		 8841+ "jmp 0b\n"
8842+ ".popsection\n"
8843+ _ASM_EXTABLE(0b, 1b)
8844+#endif
8845+
8846 /* subtract 0x0000ffff, returns the old value */
df50ba0c 8847 " test %1,%1\n\t"
58c5fc13
MT		 8848 /* was the count 0 before? */
8849- " jz 1f\n"
8850+ " jz 2f\n"
8851 " call call_rwsem_down_write_failed\n"
8852- "1:\n"
8853+ "2:\n"
8854 "# ending down_write"
8855 : "+m" (sem->count), "=d" (tmp)
8856 : "a" (sem), "1" (tmp)
df50ba0c
MT		 8857@@ -198,10 +246,26 @@ static inline void __up_read(struct rw_s
8858 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
58c5fc13 8859 asm volatile("# beginning __up_read\n\t"
df50ba0c 8860 LOCK_PREFIX " xadd %1,(%2)\n\t"
58c5fc13
MT		 8861+
8862+#ifdef CONFIG_PAX_REFCOUNT
8863+#ifdef CONFIG_X86_32
8864+ "into\n0:\n"
8865+#else
8866+ "jno 0f\n"
8867+ "int $4\n0:\n"
8868+#endif
8869+ ".pushsection .fixup,\"ax\"\n"
8870+ "1:\n"
df50ba0c 8871+ "mov %1,(%2)\n"
58c5fc13
MT		 8872+ "jmp 0b\n"
8873+ ".popsection\n"
8874+ _ASM_EXTABLE(0b, 1b)
8875+#endif
8876+
8877 /* subtracts 1, returns the old value */
8878- " jns 1f\n\t"
8879+ " jns 2f\n\t"
8880 " call call_rwsem_wake\n"
8881- "1:\n"
8882+ "2:\n"
8883 "# ending __up_read\n"
8884 : "+m" (sem->count), "=d" (tmp)
8885 : "a" (sem), "1" (tmp)
df50ba0c
MT		 8886@@ -216,11 +280,27 @@ static inline void __up_write(struct rw_
8887 rwsem_count_t tmp;
58c5fc13 8888 asm volatile("# beginning __up_write\n\t"
df50ba0c 8889 LOCK_PREFIX " xadd %1,(%2)\n\t"
58c5fc13
MT		 8890+
8891+#ifdef CONFIG_PAX_REFCOUNT
8892+#ifdef CONFIG_X86_32
8893+ "into\n0:\n"
8894+#else
8895+ "jno 0f\n"
8896+ "int $4\n0:\n"
8897+#endif
8898+ ".pushsection .fixup,\"ax\"\n"
8899+ "1:\n"
df50ba0c 8900+ "mov %1,(%2)\n"
58c5fc13
MT		 8901+ "jmp 0b\n"
8902+ ".popsection\n"
8903+ _ASM_EXTABLE(0b, 1b)
8904+#endif
8905+
8906 /* tries to transition
8907 0xffff0001 -> 0x00000000 */
8908- " jz 1f\n"
8909+ " jz 2f\n"
8910 " call call_rwsem_wake\n"
8911- "1:\n\t"
8912+ "2:\n\t"
8913 "# ending __up_write\n"
df50ba0c
MT		 8914 : "+m" (sem->count), "=d" (tmp)
8915 : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
8916@@ -234,13 +314,29 @@ static inline void __downgrade_write(str
58c5fc13
MT		 8917 {
8918 asm volatile("# beginning __downgrade_write\n\t"
df50ba0c 8919 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
58c5fc13
MT		 8920+
8921+#ifdef CONFIG_PAX_REFCOUNT
8922+#ifdef CONFIG_X86_32
8923+ "into\n0:\n"
8924+#else
8925+ "jno 0f\n"
8926+ "int $4\n0:\n"
8927+#endif
8928+ ".pushsection .fixup,\"ax\"\n"
8929+ "1:\n"
df50ba0c 8930+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
58c5fc13
MT		 8931+ "jmp 0b\n"
8932+ ".popsection\n"
8933+ _ASM_EXTABLE(0b, 1b)
8934+#endif
8935+
df50ba0c
MT		 8936 /*
8937 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8938 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8939 */
58c5fc13
MT		 8940- " jns 1f\n\t"
8941+ " jns 2f\n\t"
8942 " call call_rwsem_downgrade_wake\n"
8943- "1:\n\t"
8944+ "2:\n\t"
8945 "# ending __downgrade_write\n"
8946 : "+m" (sem->count)
df50ba0c
MT		 8947 : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
8948@@ -253,7 +349,23 @@ static inline void __downgrade_write(str
8949 static inline void rwsem_atomic_add(rwsem_count_t delta,
8950 struct rw_semaphore *sem)
58c5fc13 8951 {
df50ba0c
MT		 8952- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8953+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
58c5fc13
MT		 8954+
8955+#ifdef CONFIG_PAX_REFCOUNT
8956+#ifdef CONFIG_X86_32
8957+ "into\n0:\n"
8958+#else
8959+ "jno 0f\n"
8960+ "int $4\n0:\n"
8961+#endif
8962+ ".pushsection .fixup,\"ax\"\n"
8963+ "1:\n"
df50ba0c 8964+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
58c5fc13
MT		 8965+ "jmp 0b\n"
8966+ ".popsection\n"
8967+ _ASM_EXTABLE(0b, 1b)
8968+#endif
8969+
8970 : "+m" (sem->count)
df50ba0c 8971 : "er" (delta));
58c5fc13 8972 }
df50ba0c 8973@@ -266,7 +378,23 @@ static inline rwsem_count_t rwsem_atomic
58c5fc13 8974 {
df50ba0c 8975 rwsem_count_t tmp = delta;
58c5fc13
MT		 8976
8977- asm volatile(LOCK_PREFIX "xadd %0,%1"
8978+ asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8979+
8980+#ifdef CONFIG_PAX_REFCOUNT
8981+#ifdef CONFIG_X86_32
8982+ "into\n0:\n"
8983+#else
8984+ "jno 0f\n"
8985+ "int $4\n0:\n"
8986+#endif
8987+ ".pushsection .fixup,\"ax\"\n"
8988+ "1:\n"
df50ba0c 8989+ "mov %0,%1\n"
58c5fc13
MT		 8990+ "jmp 0b\n"
8991+ ".popsection\n"
8992+ _ASM_EXTABLE(0b, 1b)
8993+#endif
8994+
8995 : "+r" (tmp), "+m" (sem->count)
8996 : : "memory");
8997
57199397
MT		 8998diff -urNp linux-2.6.35.4/arch/x86/include/asm/segment.h linux-2.6.35.4/arch/x86/include/asm/segment.h
8999--- linux-2.6.35.4/arch/x86/include/asm/segment.h 2010-08-26 19:47:12.000000000 -0400
9000+++ linux-2.6.35.4/arch/x86/include/asm/segment.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 9001@@ -62,8 +62,8 @@
9002 * 26 - ESPFIX small SS
9003 * 27 - per-cpu [ offset to per-cpu data area ]
9004 * 28 - stack_canary-20 [ for stack protector ]
9005- * 29 - unused
9006- * 30 - unused
9007+ * 29 - PCI BIOS CS
9008+ * 30 - PCI BIOS DS
9009 * 31 - TSS for double fault handler
9010 */
9011 #define GDT_ENTRY_TLS_MIN 6
9012@@ -77,6 +77,8 @@
9013
9014 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
9015
9016+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9017+
9018 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
9019
9020 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
9021@@ -88,7 +90,7 @@
58c5fc13
MT		 9022 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
9023 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
9024
9025-#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9026+#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9027 #ifdef CONFIG_SMP
9028 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
9029 #else
ae4e228f 9030@@ -102,6 +104,12 @@
58c5fc13
MT		 9031 #define __KERNEL_STACK_CANARY 0
9032 #endif
9033
9034+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
9035+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9036+
9037+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
9038+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9039+
9040 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9041
9042 /*
ae4e228f 9043@@ -139,7 +147,7 @@
58c5fc13
MT		 9044 */
9045
9046 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9047-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9048+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9049
9050
9051 #else
ae4e228f
MT		 9052@@ -163,6 +171,8 @@
9053 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9054 #define __USER32_DS __USER_DS
9055
9056+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9057+
9058 #define GDT_ENTRY_TSS 8 /* needs two entries */
9059 #define GDT_ENTRY_LDT 10 /* needs two entries */
9060 #define GDT_ENTRY_TLS_MIN 12
9061@@ -183,6 +193,7 @@
9062 #endif
9063
9064 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
9065+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
9066 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
9067 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
9068 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
57199397
MT		 9069diff -urNp linux-2.6.35.4/arch/x86/include/asm/spinlock.h linux-2.6.35.4/arch/x86/include/asm/spinlock.h
9070--- linux-2.6.35.4/arch/x86/include/asm/spinlock.h 2010-08-26 19:47:12.000000000 -0400
9071+++ linux-2.6.35.4/arch/x86/include/asm/spinlock.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 9072@@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
9073 static inline void arch_read_lock(arch_rwlock_t *rw)
58c5fc13
MT		 9074 {
9075 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9076- "jns 1f\n"
9077- "call __read_lock_failed\n\t"
9078+
9079+#ifdef CONFIG_PAX_REFCOUNT
9080+#ifdef CONFIG_X86_32
9081+ "into\n0:\n"
9082+#else
9083+ "jno 0f\n"
9084+ "int $4\n0:\n"
9085+#endif
9086+ ".pushsection .fixup,\"ax\"\n"
9087 "1:\n"
9088+ LOCK_PREFIX " addl $1,(%0)\n"
9089+ "jmp 0b\n"
9090+ ".popsection\n"
9091+ _ASM_EXTABLE(0b, 1b)
9092+#endif
9093+
9094+ "jns 2f\n"
9095+ "call __read_lock_failed\n\t"
9096+ "2:\n"
9097 ::LOCK_PTR_REG (rw) : "memory");
9098 }
9099
ae4e228f 9100 static inline void arch_write_lock(arch_rwlock_t *rw)
58c5fc13
MT		 9101 {
9102 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9103- "jz 1f\n"
9104- "call __write_lock_failed\n\t"
9105+
9106+#ifdef CONFIG_PAX_REFCOUNT
9107+#ifdef CONFIG_X86_32
9108+ "into\n0:\n"
9109+#else
9110+ "jno 0f\n"
9111+ "int $4\n0:\n"
9112+#endif
9113+ ".pushsection .fixup,\"ax\"\n"
9114 "1:\n"
9115+ LOCK_PREFIX " addl %1,(%0)\n"
9116+ "jmp 0b\n"
9117+ ".popsection\n"
9118+ _ASM_EXTABLE(0b, 1b)
9119+#endif
9120+
9121+ "jz 2f\n"
9122+ "call __write_lock_failed\n\t"
9123+ "2:\n"
9124 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
9125 }
9126
ae4e228f 9127@@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
58c5fc13 9128
ae4e228f 9129 static inline void arch_read_unlock(arch_rwlock_t *rw)
58c5fc13
MT		 9130 {
9131- asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9132+ asm volatile(LOCK_PREFIX "incl %0\n"
9133+
9134+#ifdef CONFIG_PAX_REFCOUNT
9135+#ifdef CONFIG_X86_32
9136+ "into\n0:\n"
9137+#else
9138+ "jno 0f\n"
9139+ "int $4\n0:\n"
9140+#endif
9141+ ".pushsection .fixup,\"ax\"\n"
9142+ "1:\n"
9143+ LOCK_PREFIX "decl %0\n"
9144+ "jmp 0b\n"
9145+ ".popsection\n"
9146+ _ASM_EXTABLE(0b, 1b)
9147+#endif
9148+
9149+ :"+m" (rw->lock) : : "memory");
9150 }
9151
ae4e228f 9152 static inline void arch_write_unlock(arch_rwlock_t *rw)
58c5fc13
MT		 9153 {
9154- asm volatile(LOCK_PREFIX "addl %1, %0"
9155+ asm volatile(LOCK_PREFIX "addl %1, %0\n"
9156+
9157+#ifdef CONFIG_PAX_REFCOUNT
9158+#ifdef CONFIG_X86_32
9159+ "into\n0:\n"
9160+#else
9161+ "jno 0f\n"
9162+ "int $4\n0:\n"
9163+#endif
9164+ ".pushsection .fixup,\"ax\"\n"
9165+ "1:\n"
9166+ LOCK_PREFIX "subl %1,%0\n"
9167+ "jmp 0b\n"
9168+ ".popsection\n"
9169+ _ASM_EXTABLE(0b, 1b)
9170+#endif
9171+
9172 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9173 }
9174
57199397
MT		 9175diff -urNp linux-2.6.35.4/arch/x86/include/asm/system.h linux-2.6.35.4/arch/x86/include/asm/system.h
9176--- linux-2.6.35.4/arch/x86/include/asm/system.h 2010-08-26 19:47:12.000000000 -0400
9177+++ linux-2.6.35.4/arch/x86/include/asm/system.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 9178@@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
58c5fc13
MT		 9179 {
9180 unsigned long __limit;
9181 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9182- return __limit + 1;
9183+ return __limit;
9184 }
9185
9186 static inline void native_clts(void)
ae4e228f 9187@@ -342,7 +342,7 @@ void enable_hlt(void);
58c5fc13
MT		 9188
9189 void cpu_idle_wait(void);
9190
9191-extern unsigned long arch_align_stack(unsigned long sp);
9192+#define arch_align_stack(x) ((x) & ~0xfUL)
9193 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9194
9195 void default_idle(void);
57199397
MT		 9196diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h
9197--- linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h 2010-08-26 19:47:12.000000000 -0400
9198+++ linux-2.6.35.4/arch/x86/include/asm/uaccess_32.h 2010-09-17 20:12:09.000000000 -0400
efbe55a5 9199@@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
58c5fc13
MT		 9200 static __always_inline unsigned long __must_check
9201 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9202 {
9203+ if ((long)n < 0)
9204+ return n;
9205+
9206 if (__builtin_constant_p(n)) {
9207 unsigned long ret;
9208
efbe55a5 9209@@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
58c5fc13
MT		 9210 return ret;
9211 }
9212 }
9213+ if (!__builtin_constant_p(n))
9214+ check_object_size(from, n, true);
9215 return __copy_to_user_ll(to, from, n);
9216 }
9217
efbe55a5 9218@@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
58c5fc13
MT		 9219 static __always_inline unsigned long
9220 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9221 {
9222+ if ((long)n < 0)
9223+ return n;
9224+
9225 /* Avoid zeroing the tail if the copy fails..
9226 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9227 * but as the zeroing behaviour is only significant when n is not
efbe55a5 9228@@ -138,6 +146,10 @@ static __always_inline unsigned long
58c5fc13
MT		 9229 __copy_from_user(void *to, const void __user *from, unsigned long n)
9230 {
9231 might_fault();
9232+
9233+ if ((long)n < 0)
9234+ return n;
9235+
9236 if (__builtin_constant_p(n)) {
9237 unsigned long ret;
9238
efbe55a5 9239@@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
58c5fc13
MT		 9240 return ret;
9241 }
9242 }
9243+ if (!__builtin_constant_p(n))
9244+ check_object_size(to, n, false);
9245 return __copy_from_user_ll(to, from, n);
9246 }
9247
efbe55a5 9248@@ -160,6 +174,10 @@ static __always_inline unsigned long __c
58c5fc13
MT		 9249 const void __user *from, unsigned long n)
9250 {
9251 might_fault();
9252+
9253+ if ((long)n < 0)
9254+ return n;
9255+
9256 if (__builtin_constant_p(n)) {
9257 unsigned long ret;
9258
efbe55a5 9259@@ -182,15 +200,19 @@ static __always_inline unsigned long
58c5fc13
MT		 9260 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9261 unsigned long n)
9262 {
9263- return __copy_from_user_ll_nocache_nozero(to, from, n);
ae4e228f 9264-}
58c5fc13
MT		 9265+ if ((long)n < 0)
9266+ return n;
ae4e228f
MT		 9267
9268-unsigned long __must_check copy_to_user(void __user *to,
9269- const void *from, unsigned long n);
9270-unsigned long __must_check _copy_from_user(void *to,
9271- const void __user *from,
9272- unsigned long n);
58c5fc13
MT		 9273+ return __copy_from_user_ll_nocache_nozero(to, from, n);
9274+}
ae4e228f
MT		 9275
9276+extern void copy_to_user_overflow(void)
9277+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9278+ __compiletime_error("copy_to_user() buffer size is not provably correct")
9279+#else
9280+ __compiletime_warning("copy_to_user() buffer size is not provably correct")
9281+#endif
9282+;
9283
9284 extern void copy_from_user_overflow(void)
9285 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
efbe55a5 9286@@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
ae4e228f
MT		 9287 #endif
9288 ;
9289
9290-static inline unsigned long __must_check copy_from_user(void *to,
9291- const void __user *from,
9292- unsigned long n)
58c5fc13
MT		 9293+/**
9294+ * copy_to_user: - Copy a block of data into user space.
9295+ * @to: Destination address, in user space.
9296+ * @from: Source address, in kernel space.
9297+ * @n: Number of bytes to copy.
9298+ *
9299+ * Context: User context only. This function may sleep.
9300+ *
9301+ * Copy data from kernel space to user space.
9302+ *
9303+ * Returns number of bytes that could not be copied.
9304+ * On success, this will be zero.
9305+ */
ae4e228f 9306+static inline unsigned long __must_check
58c5fc13
MT		 9307+copy_to_user(void __user *to, const void *from, unsigned long n)
9308+{
ae4e228f
MT		 9309+ int sz = __compiletime_object_size(from);
9310+
9311+ if (unlikely(sz != -1 && sz < n))
9312+ copy_to_user_overflow();
9313+ else if (access_ok(VERIFY_WRITE, to, n))
58c5fc13
MT		 9314+ n = __copy_to_user(to, from, n);
9315+ return n;
9316+}
9317+
9318+/**
9319+ * copy_from_user: - Copy a block of data from user space.
9320+ * @to: Destination address, in kernel space.
9321+ * @from: Source address, in user space.
9322+ * @n: Number of bytes to copy.
9323+ *
9324+ * Context: User context only. This function may sleep.
9325+ *
9326+ * Copy data from user space to kernel space.
9327+ *
9328+ * Returns number of bytes that could not be copied.
9329+ * On success, this will be zero.
9330+ *
9331+ * If some data could not be copied, this function will pad the copied
9332+ * data to the requested size using zero bytes.
9333+ */
ae4e228f 9334+static inline unsigned long __must_check
58c5fc13 9335+copy_from_user(void *to, const void __user *from, unsigned long n)
ae4e228f
MT		 9336 {
9337 int sz = __compiletime_object_size(to);
9338
9339- if (likely(sz == -1 || sz >= n))
9340- n = _copy_from_user(to, from, n);
9341- else
9342+ if (unlikely(sz != -1 && sz < n))
9343 copy_from_user_overflow();
9344-
9345+ else if (access_ok(VERIFY_READ, from, n))
58c5fc13
MT		 9346+ n = __copy_from_user(to, from, n);
9347+ else if ((long)n > 0) {
9348+ if (!__builtin_constant_p(n))
9349+ check_object_size(to, n, false);
9350+ memset(to, 0, n);
9351+ }
ae4e228f 9352 return n;
58c5fc13
MT		 9353 }
9354
57199397
MT		 9355diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h
9356--- linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h 2010-08-26 19:47:12.000000000 -0400
9357+++ linux-2.6.35.4/arch/x86/include/asm/uaccess_64.h 2010-09-17 20:12:37.000000000 -0400
df50ba0c
MT		 9358@@ -11,6 +11,11 @@
9359 #include <asm/alternative.h>
9360 #include <asm/cpufeature.h>
58c5fc13 9361 #include <asm/page.h>
df50ba0c
MT		 9362+#include <asm/pgtable.h>
9363+
58c5fc13
MT		 9364+#define set_fs(x) (current_thread_info()->addr_limit = (x))
9365+
df50ba0c
MT		 9366+extern void check_object_size(const void *ptr, unsigned long n, bool to);
9367
58c5fc13
MT		 9368 /*
9369 * Copy To/From Userspace
df50ba0c
MT		 9370@@ -37,26 +42,26 @@ copy_user_generic(void *to, const void *
9371 return ret;
9372 }
9373
58c5fc13 9374-__must_check unsigned long
ae4e228f 9375-_copy_to_user(void __user *to, const void *from, unsigned len);
58c5fc13 9376-__must_check unsigned long
ae4e228f
MT		 9377-_copy_from_user(void *to, const void __user *from, unsigned len);
9378+static __always_inline __must_check unsigned long
9379+__copy_to_user(void __user *to, const void *from, unsigned len);
9380+static __always_inline __must_check unsigned long
9381+__copy_from_user(void *to, const void __user *from, unsigned len);
9382 __must_check unsigned long
58c5fc13
MT		 9383 copy_in_user(void __user *to, const void __user *from, unsigned len);
9384
ae4e228f
MT		 9385 static inline unsigned long __must_check copy_from_user(void *to,
9386 const void __user *from,
9387- unsigned long n)
9388+ unsigned n)
9389 {
9390- int sz = __compiletime_object_size(to);
9391-
9392 might_fault();
9393- if (likely(sz == -1 || sz >= n))
9394- n = _copy_from_user(to, from, n);
9395-#ifdef CONFIG_DEBUG_VM
9396- else
9397- WARN(1, "Buffer overflow detected!\n");
9398-#endif
9399+
9400+ if (access_ok(VERIFY_READ, from, n))
9401+ n = __copy_from_user(to, from, n);
9402+ else if ((int)n > 0) {
9403+ if (!__builtin_constant_p(n))
9404+ check_object_size(to, n, false);
9405+ memset(to, 0, n);
9406+ }
9407 return n;
9408 }
9409
df50ba0c 9410@@ -65,17 +70,35 @@ int copy_to_user(void __user *dst, const
ae4e228f
MT		 9411 {
9412 might_fault();
9413
9414- return _copy_to_user(dst, src, size);
9415+ if (access_ok(VERIFY_WRITE, dst, size))
9416+ size = __copy_to_user(dst, src, size);
9417+ return size;
9418 }
9419
58c5fc13
MT		 9420 static __always_inline __must_check
9421-int __copy_from_user(void *dst, const void __user *src, unsigned size)
9422+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9423 {
9424- int ret = 0;
ae4e228f 9425+ int sz = __compiletime_object_size(dst);
58c5fc13
MT		 9426+ unsigned ret = 0;
9427
9428 might_fault();
9429- if (!__builtin_constant_p(size))
9430+
9431+ if ((int)size < 0)
9432+ return size;
9433+
ae4e228f
MT		 9434+ if (unlikely(sz != -1 && sz < size)) {
9435+#ifdef CONFIG_DEBUG_VM
9436+ WARN(1, "Buffer overflow detected!\n");
9437+#endif
9438+ return size;
9439+ }
9440+
58c5fc13
MT		 9441+ if (!__builtin_constant_p(size)) {
9442+ check_object_size(dst, size, false);
df50ba0c
MT		 9443+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9444+ src += PAX_USER_SHADOW_BASE;
58c5fc13
MT		 9445 return copy_user_generic(dst, (__force void *)src, size);
9446+ }
9447 switch (size) {
9448 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9449 ret, "b", "b", "=q", 1);
df50ba0c
MT		 9450@@ -108,18 +131,36 @@ int __copy_from_user(void *dst, const vo
9451 ret, "q", "", "=r", 8);
9452 return ret;
9453 default:
9454+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9455+ src += PAX_USER_SHADOW_BASE;
9456 return copy_user_generic(dst, (__force void *)src, size);
9457 }
58c5fc13
MT		 9458 }
9459
9460 static __always_inline __must_check
9461-int __copy_to_user(void __user *dst, const void *src, unsigned size)
9462+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9463 {
9464- int ret = 0;
ae4e228f 9465+ int sz = __compiletime_object_size(src);
58c5fc13
MT		 9466+ unsigned ret = 0;
9467
9468 might_fault();
9469- if (!__builtin_constant_p(size))
9470+
9471+ if ((int)size < 0)
9472+ return size;
9473+
ae4e228f
MT		 9474+ if (unlikely(sz != -1 && sz < size)) {
9475+#ifdef CONFIG_DEBUG_VM
9476+ WARN(1, "Buffer overflow detected!\n");
9477+#endif
9478+ return size;
9479+ }
9480+
58c5fc13
MT		 9481+ if (!__builtin_constant_p(size)) {
9482+ check_object_size(src, size, true);
df50ba0c
MT		 9483+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9484+ dst += PAX_USER_SHADOW_BASE;
58c5fc13
MT		 9485 return copy_user_generic((__force void *)dst, src, size);
9486+ }
9487 switch (size) {
9488 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9489 ret, "b", "b", "iq", 1);
df50ba0c
MT		 9490@@ -152,19 +193,30 @@ int __copy_to_user(void __user *dst, con
9491 ret, "q", "", "er", 8);
9492 return ret;
9493 default:
9494+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9495+ dst += PAX_USER_SHADOW_BASE;
9496 return copy_user_generic((__force void *)dst, src, size);
9497 }
58c5fc13
MT		 9498 }
9499
9500 static __always_inline __must_check
9501-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
ae4e228f 9502+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
58c5fc13
MT		 9503 {
9504- int ret = 0;
58c5fc13
MT		 9505+ unsigned ret = 0;
9506
9507 might_fault();
df50ba0c 9508- if (!__builtin_constant_p(size))
58c5fc13
MT		 9509+
9510+ if ((int)size < 0)
9511+ return size;
9512+
df50ba0c
MT		 9513+ if (!__builtin_constant_p(size)) {
9514+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9515+ src += PAX_USER_SHADOW_BASE;
9516+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9517+ dst += PAX_USER_SHADOW_BASE;
58c5fc13
MT		 9518 return copy_user_generic((__force void *)dst,
9519 (__force void *)src, size);
df50ba0c
MT		 9520+ }
9521 switch (size) {
9522 case 1: {
9523 u8 tmp;
9524@@ -204,6 +256,10 @@ int __copy_in_user(void __user *dst, con
9525 return ret;
9526 }
9527 default:
9528+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9529+ src += PAX_USER_SHADOW_BASE;
9530+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9531+ dst += PAX_USER_SHADOW_BASE;
9532 return copy_user_generic((__force void *)dst,
9533 (__force void *)src, size);
9534 }
9535@@ -222,33 +278,45 @@ __must_check unsigned long __clear_user(
9536 static __must_check __always_inline int
9537 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9538 {
9539+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9540+ src += PAX_USER_SHADOW_BASE;
ae4e228f
MT		 9541 return copy_user_generic(dst, (__force const void *)src, size);
9542 }
58c5fc13
MT		 9543
9544-static __must_check __always_inline int
9545+static __must_check __always_inline unsigned long
9546 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9547 {
9548+ if ((int)size < 0)
9549+ return size;
9550+
df50ba0c
MT		 9551+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9552+ dst += PAX_USER_SHADOW_BASE;
58c5fc13
MT		 9553 return copy_user_generic((__force void *)dst, src, size);
9554 }
9555
9556-extern long __copy_user_nocache(void *dst, const void __user *src,
9557+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9558 unsigned size, int zerorest);
9559
9560-static inline int
9561-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9562+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9563 {
9564 might_sleep();
9565+
9566+ if ((int)size < 0)
9567+ return size;
9568+
9569 return __copy_user_nocache(dst, src, size, 1);
9570 }
9571
9572-static inline int
9573-__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9574+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9575 unsigned size)
9576 {
9577+ if ((int)size < 0)
9578+ return size;
9579+
9580 return __copy_user_nocache(dst, src, size, 0);
9581 }
9582
9583-unsigned long
9584+extern unsigned long
9585 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9586
9587 #endif /* _ASM_X86_UACCESS_64_H */
57199397
MT		 9588diff -urNp linux-2.6.35.4/arch/x86/include/asm/uaccess.h linux-2.6.35.4/arch/x86/include/asm/uaccess.h
9589--- linux-2.6.35.4/arch/x86/include/asm/uaccess.h 2010-08-26 19:47:12.000000000 -0400
9590+++ linux-2.6.35.4/arch/x86/include/asm/uaccess.h 2010-09-17 20:12:09.000000000 -0400
9591@@ -8,12 +8,15 @@
9592 #include <linux/thread_info.h>
9593 #include <linux/prefetch.h>
9594 #include <linux/string.h>
9595+#include <linux/sched.h>
9596 #include <asm/asm.h>
9597 #include <asm/page.h>
9598
9599 #define VERIFY_READ 0
9600 #define VERIFY_WRITE 1
9601
9602+extern void check_object_size(const void *ptr, unsigned long n, bool to);
9603+
9604 /*
9605 * The fs value determines whether argument validity checking should be
9606 * performed or not. If get_fs() == USER_DS, checking is performed, with
9607@@ -29,7 +32,12 @@
9608
9609 #define get_ds() (KERNEL_DS)
9610 #define get_fs() (current_thread_info()->addr_limit)
9611+#ifdef CONFIG_X86_32
9612+void __set_fs(mm_segment_t x, int cpu);
9613+void set_fs(mm_segment_t x);
9614+#else
9615 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9616+#endif
9617
9618 #define segment_eq(a, b) ((a).seg == (b).seg)
9619
9620@@ -77,7 +85,33 @@
9621 * checks that the pointer is in the user space range - after calling
9622 * this function, memory access functions may still return -EFAULT.
9623 */
9624-#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9625+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9626+#define access_ok(type, addr, size) \
9627+({ \
9628+ long __size = size; \
9629+ unsigned long __addr = (unsigned long)addr; \
9630+ unsigned long __addr_ao = __addr & PAGE_MASK; \
9631+ unsigned long __end_ao = __addr + __size - 1; \
9632+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9633+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9634+ while(__addr_ao <= __end_ao) { \
9635+ char __c_ao; \
9636+ __addr_ao += PAGE_SIZE; \
9637+ if (__size > PAGE_SIZE) \
9638+ cond_resched(); \
9639+ if (__get_user(__c_ao, (char __user *)__addr)) \
9640+ break; \
9641+ if (type != VERIFY_WRITE) { \
9642+ __addr = __addr_ao; \
9643+ continue; \
9644+ } \
9645+ if (__put_user(__c_ao, (char __user *)__addr)) \
9646+ break; \
9647+ __addr = __addr_ao; \
9648+ } \
9649+ } \
9650+ __ret_ao; \
9651+})
9652
9653 /*
9654 * The exception table consists of pairs of addresses: the first is the
9655@@ -183,13 +217,21 @@ extern int __get_user_bad(void);
9656 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9657 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9658
9659-
9660+#ifdef CONFIG_X86_32
9661+#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
9662+#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
9663+#else
9664+#define _ASM_LOAD_USER_DS(ds)
9665+#define _ASM_LOAD_KERNEL_DS
9666+#endif
9667
9668 #ifdef CONFIG_X86_32
9669 #define __put_user_asm_u64(x, addr, err, errret) \
9670- asm volatile("1: movl %%eax,0(%2)\n" \
9671- "2: movl %%edx,4(%2)\n" \
9672+ asm volatile(_ASM_LOAD_USER_DS(5) \
9673+ "1: movl %%eax,%%ds:0(%2)\n" \
9674+ "2: movl %%edx,%%ds:4(%2)\n" \
9675 "3:\n" \
9676+ _ASM_LOAD_KERNEL_DS \
9677 ".section .fixup,\"ax\"\n" \
9678 "4: movl %3,%0\n" \
9679 " jmp 3b\n" \
9680@@ -197,15 +239,18 @@ extern int __get_user_bad(void);
9681 _ASM_EXTABLE(1b, 4b) \
9682 _ASM_EXTABLE(2b, 4b) \
9683 : "=r" (err) \
9684- : "A" (x), "r" (addr), "i" (errret), "0" (err))
9685+ : "A" (x), "r" (addr), "i" (errret), "0" (err), \
9686+ "r"(__USER_DS))
9687
9688 #define __put_user_asm_ex_u64(x, addr) \
9689- asm volatile("1: movl %%eax,0(%1)\n" \
9690- "2: movl %%edx,4(%1)\n" \
9691+ asm volatile(_ASM_LOAD_USER_DS(2) \
9692+ "1: movl %%eax,%%ds:0(%1)\n" \
9693+ "2: movl %%edx,%%ds:4(%1)\n" \
9694 "3:\n" \
9695+ _ASM_LOAD_KERNEL_DS \
9696 _ASM_EXTABLE(1b, 2b - 1b) \
9697 _ASM_EXTABLE(2b, 3b - 2b) \
9698- : : "A" (x), "r" (addr))
9699+ : : "A" (x), "r" (addr), "r"(__USER_DS))
9700
9701 #define __put_user_x8(x, ptr, __ret_pu) \
9702 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
9703@@ -374,16 +419,18 @@ do { \
9704 } while (0)
9705
9706 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9707- asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9708+ asm volatile(_ASM_LOAD_USER_DS(5) \
9709+ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
9710 "2:\n" \
9711+ _ASM_LOAD_KERNEL_DS \
9712 ".section .fixup,\"ax\"\n" \
9713 "3: mov %3,%0\n" \
9714 " xor"itype" %"rtype"1,%"rtype"1\n" \
9715 " jmp 2b\n" \
9716 ".previous\n" \
9717 _ASM_EXTABLE(1b, 3b) \
9718- : "=r" (err), ltype(x) \
9719- : "m" (__m(addr)), "i" (errret), "0" (err))
9720+ : "=r" (err), ltype (x) \
9721+ : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
9722
9723 #define __get_user_size_ex(x, ptr, size) \
9724 do { \
9725@@ -407,10 +454,12 @@ do { \
9726 } while (0)
9727
9728 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9729- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9730+ asm volatile(_ASM_LOAD_USER_DS(2) \
9731+ "1: mov"itype" %%ds:%1,%"rtype"0\n" \
9732 "2:\n" \
9733+ _ASM_LOAD_KERNEL_DS \
9734 _ASM_EXTABLE(1b, 2b - 1b) \
9735- : ltype(x) : "m" (__m(addr)))
9736+ : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
9737
9738 #define __put_user_nocheck(x, ptr, size) \
9739 ({ \
9740@@ -424,13 +473,24 @@ do { \
9741 int __gu_err; \
9742 unsigned long __gu_val; \
9743 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9744- (x) = (__force __typeof__(*(ptr)))__gu_val; \
9745+ (x) = (__typeof__(*(ptr)))__gu_val; \
9746 __gu_err; \
9747 })
9748
9749 /* FIXME: this hack is definitely wrong -AK */
9750 struct __large_struct { unsigned long buf[100]; };
9751-#define __m(x) (*(struct __large_struct __user *)(x))
9752+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9753+#define ____m(x) \
9754+({ \
9755+ unsigned long ____x = (unsigned long)(x); \
9756+ if (____x < PAX_USER_SHADOW_BASE) \
9757+ ____x += PAX_USER_SHADOW_BASE; \
9758+ (void __user *)____x; \
9759+})
9760+#else
9761+#define ____m(x) (x)
9762+#endif
9763+#define __m(x) (*(struct __large_struct __user *)____m(x))
9764
9765 /*
9766 * Tell gcc we read from memory instead of writing: this is because
9767@@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
9768 * aliasing issues.
9769 */
9770 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9771- asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9772+ asm volatile(_ASM_LOAD_USER_DS(5) \
9773+ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
9774 "2:\n" \
9775+ _ASM_LOAD_KERNEL_DS \
9776 ".section .fixup,\"ax\"\n" \
9777 "3: mov %3,%0\n" \
9778 " jmp 2b\n" \
9779 ".previous\n" \
9780 _ASM_EXTABLE(1b, 3b) \
9781 : "=r"(err) \
9782- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9783+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
9784+ "r"(__USER_DS))
9785
9786 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9787- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9788+ asm volatile(_ASM_LOAD_USER_DS(2) \
9789+ "1: mov"itype" %"rtype"0,%%ds:%1\n" \
9790 "2:\n" \
9791+ _ASM_LOAD_KERNEL_DS \
9792 _ASM_EXTABLE(1b, 2b - 1b) \
9793- : : ltype(x), "m" (__m(addr)))
9794+ : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
9795
9796 /*
9797 * uaccess_try and catch
9798@@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
9799 #define get_user_ex(x, ptr) do { \
9800 unsigned long __gue_val; \
9801 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9802- (x) = (__force __typeof__(*(ptr)))__gue_val; \
9803+ (x) = (__typeof__(*(ptr)))__gue_val; \
9804 } while (0)
9805
9806 #ifdef CONFIG_X86_WP_WORKS_OK
9807@@ -567,6 +632,7 @@ extern struct movsl_mask {
9808
9809 #define ARCH_HAS_NOCACHE_UACCESS 1
9810
9811+#define ARCH_HAS_SORT_EXTABLE
9812 #ifdef CONFIG_X86_32
9813 # include "uaccess_32.h"
9814 #else
9815diff -urNp linux-2.6.35.4/arch/x86/include/asm/vgtod.h linux-2.6.35.4/arch/x86/include/asm/vgtod.h
9816--- linux-2.6.35.4/arch/x86/include/asm/vgtod.h 2010-08-26 19:47:12.000000000 -0400
9817+++ linux-2.6.35.4/arch/x86/include/asm/vgtod.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 9818@@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
9819 int sysctl_enabled;
9820 struct timezone sys_tz;
9821 struct { /* extract of a clocksource struct */
9822+ char name[8];
9823 cycle_t (*vread)(void);
9824 cycle_t cycle_last;
9825 cycle_t mask;
57199397
MT		 9826diff -urNp linux-2.6.35.4/arch/x86/include/asm/vmi.h linux-2.6.35.4/arch/x86/include/asm/vmi.h
9827--- linux-2.6.35.4/arch/x86/include/asm/vmi.h 2010-08-26 19:47:12.000000000 -0400
9828+++ linux-2.6.35.4/arch/x86/include/asm/vmi.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 9829@@ -191,6 +191,7 @@ struct vrom_header {
9830 u8 reserved[96]; /* Reserved for headers */
9831 char vmi_init[8]; /* VMI_Init jump point */
9832 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
9833+ char rom_data[8048]; /* rest of the option ROM */
9834 } __attribute__((packed));
9835
9836 struct pnp_header {
57199397
MT		 9837diff -urNp linux-2.6.35.4/arch/x86/include/asm/vsyscall.h linux-2.6.35.4/arch/x86/include/asm/vsyscall.h
9838--- linux-2.6.35.4/arch/x86/include/asm/vsyscall.h 2010-08-26 19:47:12.000000000 -0400
9839+++ linux-2.6.35.4/arch/x86/include/asm/vsyscall.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 9840@@ -15,9 +15,10 @@ enum vsyscall_num {
9841
9842 #ifdef __KERNEL__
9843 #include <linux/seqlock.h>
9844+#include <linux/getcpu.h>
9845+#include <linux/time.h>
9846
9847 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9848-#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9849
9850 /* Definitions for CONFIG_GENERIC_TIME definitions */
9851 #define __section_vsyscall_gtod_data __attribute__ \
9852@@ -31,7 +32,6 @@ enum vsyscall_num {
9853 #define VGETCPU_LSL 2
9854
9855 extern int __vgetcpu_mode;
9856-extern volatile unsigned long __jiffies;
9857
9858 /* kernel space (writeable) */
9859 extern int vgetcpu_mode;
9860@@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9861
9862 extern void map_vsyscall(void);
9863
9864+extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9865+extern time_t vtime(time_t *t);
9866+extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9867 #endif /* __KERNEL__ */
9868
9869 #endif /* _ASM_X86_VSYSCALL_H */
57199397
MT		 9870diff -urNp linux-2.6.35.4/arch/x86/include/asm/xsave.h linux-2.6.35.4/arch/x86/include/asm/xsave.h
9871--- linux-2.6.35.4/arch/x86/include/asm/xsave.h 2010-08-26 19:47:12.000000000 -0400
9872+++ linux-2.6.35.4/arch/x86/include/asm/xsave.h 2010-09-17 20:12:09.000000000 -0400
9873@@ -59,6 +59,12 @@ static inline int fpu_xrstor_checking(st
df50ba0c
MT		 9874 static inline int xsave_user(struct xsave_struct __user *buf)
9875 {
9876 int err;
9877+
9878+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9879+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
9880+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
9881+#endif
9882+
9883 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
9884 "2:\n"
9885 ".section .fixup,\"ax\"\n"
57199397 9886@@ -85,6 +91,11 @@ static inline int xrestore_user(struct x
df50ba0c
MT		 9887 u32 lmask = mask;
9888 u32 hmask = mask >> 32;
9889
9890+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9891+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
9892+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
9893+#endif
9894+
9895 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
9896 "2:\n"
9897 ".section .fixup,\"ax\"\n"
57199397
MT		 9898diff -urNp linux-2.6.35.4/arch/x86/Kconfig linux-2.6.35.4/arch/x86/Kconfig
9899--- linux-2.6.35.4/arch/x86/Kconfig 2010-08-26 19:47:12.000000000 -0400
9900+++ linux-2.6.35.4/arch/x86/Kconfig 2010-09-17 20:12:37.000000000 -0400
9901@@ -1038,7 +1038,7 @@ choice
9902
9903 config NOHIGHMEM
9904 bool "off"
9905- depends on !X86_NUMAQ
9906+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9907 ---help---
9908 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
9909 However, the address space of 32-bit x86 processors is only 4
9910@@ -1075,7 +1075,7 @@ config NOHIGHMEM
9911
9912 config HIGHMEM4G
9913 bool "4GB"
9914- depends on !X86_NUMAQ
9915+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9916 ---help---
9917 Select this if you have a 32-bit processor and between 1 and 4
9918 gigabytes of physical RAM.
9919@@ -1129,7 +1129,7 @@ config PAGE_OFFSET
9920 hex
9921 default 0xB0000000 if VMSPLIT_3G_OPT
9922 default 0x80000000 if VMSPLIT_2G
9923- default 0x78000000 if VMSPLIT_2G_OPT
9924+ default 0x70000000 if VMSPLIT_2G_OPT
9925 default 0x40000000 if VMSPLIT_1G
9926 default 0xC0000000
9927 depends on X86_32
9928@@ -1461,7 +1461,7 @@ config ARCH_USES_PG_UNCACHED
9929
9930 config EFI
9931 bool "EFI runtime service support"
9932- depends on ACPI
9933+ depends on ACPI && !PAX_KERNEXEC
9934 ---help---
9935 This enables the kernel to use EFI runtime services that are
9936 available (such as the EFI variable services).
9937@@ -1548,6 +1548,7 @@ config KEXEC_JUMP
9938 config PHYSICAL_START
9939 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9940 default "0x1000000"
9941+ range 0x400000 0x40000000
9942 ---help---
9943 This gives the physical address where the kernel is loaded.
9944
9945@@ -1611,6 +1612,7 @@ config X86_NEED_RELOCS
9946 config PHYSICAL_ALIGN
9947 hex "Alignment value to which kernel should be aligned" if X86_32
9948 default "0x1000000"
9949+ range 0x400000 0x1000000 if PAX_KERNEXEC
9950 range 0x2000 0x1000000
9951 ---help---
9952 This value puts the alignment restrictions on physical address
9953@@ -1642,9 +1644,10 @@ config HOTPLUG_CPU
9954 Say N if you want to disable CPU hotplug.
9955
9956 config COMPAT_VDSO
9957- def_bool y
9958+ def_bool n
9959 prompt "Compat VDSO support"
9960 depends on X86_32 || IA32_EMULATION
9961+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9962 ---help---
9963 Map the 32-bit VDSO to the predictable old-style address too.
9964
9965diff -urNp linux-2.6.35.4/arch/x86/Kconfig.cpu linux-2.6.35.4/arch/x86/Kconfig.cpu
9966--- linux-2.6.35.4/arch/x86/Kconfig.cpu 2010-08-26 19:47:12.000000000 -0400
9967+++ linux-2.6.35.4/arch/x86/Kconfig.cpu 2010-09-17 20:12:09.000000000 -0400
9968@@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9969
9970 config X86_F00F_BUG
9971 def_bool y
9972- depends on M586MMX || M586TSC || M586 || M486 || M386
9973+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9974
9975 config X86_INVD_BUG
9976 def_bool y
9977@@ -360,7 +360,7 @@ config X86_POPAD_OK
9978
9979 config X86_ALIGNMENT_16
9980 def_bool y
9981- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9982+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9983
9984 config X86_INTEL_USERCOPY
9985 def_bool y
9986@@ -406,7 +406,7 @@ config X86_CMPXCHG64
9987 # generates cmov.
9988 config X86_CMOV
9989 def_bool y
9990- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9991+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9992
9993 config X86_MINIMUM_CPU_FAMILY
9994 int
9995diff -urNp linux-2.6.35.4/arch/x86/Kconfig.debug linux-2.6.35.4/arch/x86/Kconfig.debug
9996--- linux-2.6.35.4/arch/x86/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
9997+++ linux-2.6.35.4/arch/x86/Kconfig.debug 2010-09-17 20:12:09.000000000 -0400
9998@@ -97,7 +97,7 @@ config X86_PTDUMP
9999 config DEBUG_RODATA
10000 bool "Write protect kernel read-only data structures"
10001 default y
10002- depends on DEBUG_KERNEL
10003+ depends on DEBUG_KERNEL && BROKEN
10004 ---help---
10005 Mark the kernel read-only data as write-protected in the pagetables,
10006 in order to catch accidental (and incorrect) writes to such const
10007diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/boot.c linux-2.6.35.4/arch/x86/kernel/acpi/boot.c
10008--- linux-2.6.35.4/arch/x86/kernel/acpi/boot.c 2010-08-26 19:47:12.000000000 -0400
10009+++ linux-2.6.35.4/arch/x86/kernel/acpi/boot.c 2010-09-17 20:12:09.000000000 -0400
10010@@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
58c5fc13
MT		 10011 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10012 },
10013 },
10014- {}
10015+ { NULL, NULL, {{0, {0}}}, NULL}
10016 };
10017
10018 /*
57199397
MT		 10019diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S
10020--- linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S 2010-08-26 19:47:12.000000000 -0400
10021+++ linux-2.6.35.4/arch/x86/kernel/acpi/realmode/wakeup.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 10022@@ -104,7 +104,7 @@ _start:
10023 movl %eax, %ecx
10024 orl %edx, %ecx
10025 jz 1f
10026- movl $0xc0000080, %ecx
10027+ mov $MSR_EFER, %ecx
10028 wrmsr
10029 1:
10030
57199397
MT		 10031diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c
10032--- linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
10033+++ linux-2.6.35.4/arch/x86/kernel/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 10034@@ -11,11 +11,12 @@
10035 #include <linux/cpumask.h>
10036 #include <asm/segment.h>
10037 #include <asm/desc.h>
10038+#include <asm/e820.h>
10039
10040 #include "realmode/wakeup.h"
10041 #include "sleep.h"
10042
10043-unsigned long acpi_wakeup_address;
10044+unsigned long acpi_wakeup_address = 0x2000;
10045 unsigned long acpi_realmode_flags;
10046
10047 /* address in low memory of the wakeup routine. */
ae4e228f 10048@@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
58c5fc13
MT		 10049 header->trampoline_segment = setup_trampoline() >> 4;
10050 #ifdef CONFIG_SMP
10051 stack_start.sp = temp_stack + sizeof(temp_stack);
10052+
ae4e228f 10053+ pax_open_kernel();
58c5fc13
MT		 10054 early_gdt_descr.address =
10055 (unsigned long)get_cpu_gdt_table(smp_processor_id());
ae4e228f 10056+ pax_close_kernel();
58c5fc13
MT		 10057+
10058 initial_gs = per_cpu_offset(smp_processor_id());
10059 #endif
10060 initial_code = (unsigned long)wakeup_long64;
57199397
MT		 10061diff -urNp linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S
10062--- linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S 2010-08-26 19:47:12.000000000 -0400
10063+++ linux-2.6.35.4/arch/x86/kernel/acpi/wakeup_32.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 10064@@ -30,13 +30,11 @@ wakeup_pmode_return:
10065 # and restore the stack ... but you need gdt for this to work
10066 movl saved_context_esp, %esp
10067
10068- movl %cs:saved_magic, %eax
10069- cmpl $0x12345678, %eax
10070+ cmpl $0x12345678, saved_magic
10071 jne bogus_magic
10072
10073 # jump to place where we left off
10074- movl saved_eip, %eax
10075- jmp *%eax
10076+ jmp *(saved_eip)
10077
10078 bogus_magic:
10079 jmp bogus_magic
57199397
MT		 10080diff -urNp linux-2.6.35.4/arch/x86/kernel/alternative.c linux-2.6.35.4/arch/x86/kernel/alternative.c
10081--- linux-2.6.35.4/arch/x86/kernel/alternative.c 2010-08-26 19:47:12.000000000 -0400
10082+++ linux-2.6.35.4/arch/x86/kernel/alternative.c 2010-09-17 20:12:09.000000000 -0400
10083@@ -247,7 +247,7 @@ static void alternatives_smp_lock(const
10084 if (!*poff || ptr < text || ptr >= text_end)
10085 continue;
10086 /* turn DS segment override prefix into lock prefix */
10087- if (*ptr == 0x3e)
10088+ if (*ktla_ktva(ptr) == 0x3e)
10089 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10090 };
10091 mutex_unlock(&text_mutex);
10092@@ -268,7 +268,7 @@ static void alternatives_smp_unlock(cons
10093 if (!*poff || ptr < text || ptr >= text_end)
10094 continue;
10095 /* turn lock prefix into DS segment override prefix */
10096- if (*ptr == 0xf0)
10097+ if (*ktla_ktva(ptr) == 0xf0)
10098 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10099 };
10100 mutex_unlock(&text_mutex);
10101@@ -436,7 +436,7 @@ void __init_or_module apply_paravirt(str
58c5fc13
MT		 10102
10103 BUG_ON(p->len > MAX_PATCH_LEN);
10104 /* prep the buffer with the original instructions */
10105- memcpy(insnbuf, p->instr, p->len);
10106+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10107 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10108 (unsigned long)p->instr, p->len);
10109
57199397 10110@@ -504,7 +504,7 @@ void __init alternative_instructions(voi
df50ba0c
MT		 10111 if (smp_alt_once)
10112 free_init_pages("SMP alternatives",
10113 (unsigned long)__smp_locks,
10114- (unsigned long)__smp_locks_end);
10115+ PAGE_ALIGN((unsigned long)__smp_locks_end));
10116
10117 restart_nmi();
10118 }
57199397 10119@@ -521,13 +521,17 @@ void __init alternative_instructions(voi
58c5fc13
MT		 10120 * instructions. And on the local CPU you need to be protected again NMI or MCE
10121 * handlers seeing an inconsistent instruction while you patch.
10122 */
ae4e228f
MT		 10123-static void *__init_or_module text_poke_early(void *addr, const void *opcode,
10124+static void *__kprobes text_poke_early(void *addr, const void *opcode,
10125 size_t len)
58c5fc13
MT		 10126 {
10127 unsigned long flags;
58c5fc13
MT		 10128 local_irq_save(flags);
10129- memcpy(addr, opcode, len);
10130+
ae4e228f 10131+ pax_open_kernel();
58c5fc13 10132+ memcpy(ktla_ktva(addr), opcode, len);
57199397 10133 sync_core();
ae4e228f 10134+ pax_close_kernel();
58c5fc13 10135+
ae4e228f 10136 local_irq_restore(flags);
58c5fc13 10137 /* Could also do a CLFLUSH here to speed up CPU recovery; but
57199397
MT		 10138 that causes hangs on some VIA CPUs. */
10139@@ -549,36 +553,22 @@ static void *__init_or_module text_poke_
58c5fc13
MT		 10140 */
10141 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10142 {
10143- unsigned long flags;
10144- char *vaddr;
10145+ unsigned char *vaddr = ktla_ktva(addr);
10146 struct page *pages[2];
10147- int i;
10148+ size_t i;
58c5fc13 10149
ae4e228f 10150 if (!core_kernel_text((unsigned long)addr)) {
58c5fc13
MT		 10151- pages[0] = vmalloc_to_page(addr);
10152- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
58c5fc13
MT		 10153+ pages[0] = vmalloc_to_page(vaddr);
10154+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10155 } else {
10156- pages[0] = virt_to_page(addr);
10157+ pages[0] = virt_to_page(vaddr);
10158 WARN_ON(!PageReserved(pages[0]));
10159- pages[1] = virt_to_page(addr + PAGE_SIZE);
10160+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10161 }
10162 BUG_ON(!pages[0]);
10163- local_irq_save(flags);
10164- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10165- if (pages[1])
10166- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10167- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10168- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10169- clear_fixmap(FIX_TEXT_POKE0);
10170- if (pages[1])
10171- clear_fixmap(FIX_TEXT_POKE1);
10172- local_flush_tlb();
10173- sync_core();
10174- /* Could also do a CLFLUSH here to speed up CPU recovery; but
10175- that causes hangs on some VIA CPUs. */
10176+ text_poke_early(addr, opcode, len);
10177 for (i = 0; i < len; i++)
10178- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10179- local_irq_restore(flags);
10180+ BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
10181 return addr;
10182 }
df50ba0c 10183
57199397
MT		 10184diff -urNp linux-2.6.35.4/arch/x86/kernel/amd_iommu.c linux-2.6.35.4/arch/x86/kernel/amd_iommu.c
10185--- linux-2.6.35.4/arch/x86/kernel/amd_iommu.c 2010-08-26 19:47:12.000000000 -0400
10186+++ linux-2.6.35.4/arch/x86/kernel/amd_iommu.c 2010-09-17 20:12:09.000000000 -0400
10187@@ -2284,7 +2284,7 @@ static void prealloc_protection_domains(
ae4e228f
MT		 10188 }
10189 }
10190
10191-static struct dma_map_ops amd_iommu_dma_ops = {
10192+static const struct dma_map_ops amd_iommu_dma_ops = {
10193 .alloc_coherent = alloc_coherent,
10194 .free_coherent = free_coherent,
10195 .map_page = map_page,
57199397
MT		 10196diff -urNp linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c
10197--- linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c 2010-08-26 19:47:12.000000000 -0400
10198+++ linux-2.6.35.4/arch/x86/kernel/apic/io_apic.c 2010-09-17 20:12:09.000000000 -0400
10199@@ -691,7 +691,7 @@ struct IO_APIC_route_entry **alloc_ioapi
ae4e228f
MT		 10200 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10201 GFP_ATOMIC);
10202 if (!ioapic_entries)
10203- return 0;
10204+ return NULL;
58c5fc13 10205
ae4e228f
MT		 10206 for (apic = 0; apic < nr_ioapics; apic++) {
10207 ioapic_entries[apic] =
57199397 10208@@ -708,7 +708,7 @@ nomem:
ae4e228f
MT		 10209 kfree(ioapic_entries[apic]);
10210 kfree(ioapic_entries);
58c5fc13 10211
ae4e228f
MT		 10212- return 0;
10213+ return NULL;
10214 }
58c5fc13 10215
ae4e228f 10216 /*
57199397 10217@@ -1118,7 +1118,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
ae4e228f
MT		 10218 }
10219 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10220
10221-void lock_vector_lock(void)
10222+void lock_vector_lock(void) __acquires(vector_lock)
10223 {
10224 /* Used to the online set of cpus does not change
10225 * during assign_irq_vector.
57199397 10226@@ -1126,7 +1126,7 @@ void lock_vector_lock(void)
df50ba0c 10227 raw_spin_lock(&vector_lock);
ae4e228f
MT		 10228 }
10229
10230-void unlock_vector_lock(void)
10231+void unlock_vector_lock(void) __releases(vector_lock)
10232 {
df50ba0c 10233 raw_spin_unlock(&vector_lock);
ae4e228f 10234 }
57199397
MT		 10235diff -urNp linux-2.6.35.4/arch/x86/kernel/apm_32.c linux-2.6.35.4/arch/x86/kernel/apm_32.c
10236--- linux-2.6.35.4/arch/x86/kernel/apm_32.c 2010-08-26 19:47:12.000000000 -0400
10237+++ linux-2.6.35.4/arch/x86/kernel/apm_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 10238@@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10239 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10240 * even though they are called in protected mode.
10241 */
10242-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10243+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10244 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10245
10246 static const char driver_version[] = "1.16ac"; /* no spaces */
10247@@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
58c5fc13
MT		 10248 BUG_ON(cpu != 0);
10249 gdt = get_cpu_gdt_table(cpu);
10250 save_desc_40 = gdt[0x40 / 8];
10251+
ae4e228f 10252+ pax_open_kernel();
58c5fc13 10253 gdt[0x40 / 8] = bad_bios_desc;
ae4e228f 10254+ pax_close_kernel();
58c5fc13 10255
58c5fc13
MT		 10256 apm_irq_save(flags);
10257 APM_DO_SAVE_SEGS;
ae4e228f 10258@@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
58c5fc13
MT		 10259 &call->esi);
10260 APM_DO_RESTORE_SEGS;
10261 apm_irq_restore(flags);
10262+
ae4e228f 10263+ pax_open_kernel();
58c5fc13 10264 gdt[0x40 / 8] = save_desc_40;
ae4e228f 10265+ pax_close_kernel();
58c5fc13
MT		 10266+
10267 put_cpu();
10268
10269 return call->eax & 0xff;
ae4e228f 10270@@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
58c5fc13
MT		 10271 BUG_ON(cpu != 0);
10272 gdt = get_cpu_gdt_table(cpu);
10273 save_desc_40 = gdt[0x40 / 8];
10274+
ae4e228f 10275+ pax_open_kernel();
58c5fc13 10276 gdt[0x40 / 8] = bad_bios_desc;
ae4e228f 10277+ pax_close_kernel();
58c5fc13 10278
58c5fc13
MT		 10279 apm_irq_save(flags);
10280 APM_DO_SAVE_SEGS;
ae4e228f 10281@@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
58c5fc13
MT		 10282 &call->eax);
10283 APM_DO_RESTORE_SEGS;
10284 apm_irq_restore(flags);
10285+
ae4e228f 10286+ pax_open_kernel();
58c5fc13 10287 gdt[0x40 / 8] = save_desc_40;
ae4e228f 10288+ pax_close_kernel();
58c5fc13
MT		 10289+
10290 put_cpu();
10291 return error;
10292 }
ae4e228f 10293@@ -975,7 +989,7 @@ recalc:
58c5fc13
MT		 10294
10295 static void apm_power_off(void)
10296 {
10297- unsigned char po_bios_call[] = {
10298+ const unsigned char po_bios_call[] = {
10299 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10300 0x8e, 0xd0, /* movw ax,ss */
10301 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
ae4e228f 10302@@ -1931,7 +1945,10 @@ static const struct file_operations apm_
58c5fc13
MT		 10303 static struct miscdevice apm_device = {
10304 APM_MINOR_DEV,
10305 "apm_bios",
10306- &apm_bios_fops
10307+ &apm_bios_fops,
10308+ {NULL, NULL},
10309+ NULL,
10310+ NULL
10311 };
10312
10313
ae4e228f 10314@@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
58c5fc13
MT		 10315 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10316 },
10317
10318- { }
10319+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10320 };
10321
10322 /*
ae4e228f 10323@@ -2355,12 +2372,15 @@ static int __init apm_init(void)
58c5fc13
MT		 10324 * code to that CPU.
10325 */
10326 gdt = get_cpu_gdt_table(0);
10327+
ae4e228f
MT		 10328+ pax_open_kernel();
10329 set_desc_base(&gdt[APM_CS >> 3],
10330 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10331 set_desc_base(&gdt[APM_CS_16 >> 3],
10332 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10333 set_desc_base(&gdt[APM_DS >> 3],
10334 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10335+ pax_close_kernel();
58c5fc13 10336
58c5fc13
MT		 10337 proc_create("apm", 0, NULL, &apm_file_ops);
10338
57199397
MT		 10339diff -urNp linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c
10340--- linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c 2010-08-26 19:47:12.000000000 -0400
10341+++ linux-2.6.35.4/arch/x86/kernel/asm-offsets_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 10342@@ -115,6 +115,11 @@ void foo(void)
58c5fc13
MT		 10343 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10344 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10345 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
ae4e228f
MT		 10346+
10347+#ifdef CONFIG_PAX_KERNEXEC
58c5fc13 10348+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
ae4e228f
MT		 10349+#endif
10350+
58c5fc13
MT		 10351 #endif
10352
10353 #ifdef CONFIG_XEN
57199397
MT		 10354diff -urNp linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c
10355--- linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c 2010-08-26 19:47:12.000000000 -0400
10356+++ linux-2.6.35.4/arch/x86/kernel/asm-offsets_64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 10357@@ -63,6 +63,18 @@ int main(void)
ae4e228f
MT		 10358 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10359 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10360 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10361+
10362+#ifdef CONFIG_PAX_KERNEXEC
10363+ OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10364+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10365+#endif
df50ba0c
MT		 10366+
10367+#ifdef CONFIG_PAX_MEMORY_UDEREF
10368+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10369+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10370+ OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10371+#endif
ae4e228f
MT		 10372+
10373 #endif
10374
10375
df50ba0c 10376@@ -115,6 +127,7 @@ int main(void)
58c5fc13
MT		 10377 ENTRY(cr8);
10378 BLANK();
10379 #undef ENTRY
10380+ DEFINE(TSS_size, sizeof(struct tss_struct));
10381 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10382 BLANK();
10383 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
57199397
MT		 10384diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/common.c linux-2.6.35.4/arch/x86/kernel/cpu/common.c
10385--- linux-2.6.35.4/arch/x86/kernel/cpu/common.c 2010-08-26 19:47:12.000000000 -0400
10386+++ linux-2.6.35.4/arch/x86/kernel/cpu/common.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 10387@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
58c5fc13
MT		 10388
10389 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10390
10391-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10392-#ifdef CONFIG_X86_64
10393- /*
10394- * We need valid kernel segments for data and code in long mode too
10395- * IRET will check the segment types kkeil 2000/10/28
10396- * Also sysret mandates a special GDT layout
10397- *
10398- * TLS descriptors are currently at a different place compared to i386.
10399- * Hopefully nobody expects them at a fixed place (Wine?)
10400- */
ae4e228f
MT		 10401- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10402- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10403- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10404- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10405- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10406- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
58c5fc13 10407-#else
ae4e228f
MT		 10408- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10409- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10410- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10411- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
58c5fc13
MT		 10412- /*
10413- * Segments used for calling PnP BIOS have byte granularity.
10414- * They code segments and data segments have fixed 64k limits,
10415- * the transfer segment sizes are set at run time.
10416- */
10417- /* 32-bit code */
ae4e228f 10418- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
58c5fc13 10419- /* 16-bit code */
ae4e228f 10420- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
58c5fc13 10421- /* 16-bit data */
ae4e228f 10422- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
58c5fc13 10423- /* 16-bit data */
ae4e228f 10424- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
58c5fc13 10425- /* 16-bit data */
ae4e228f 10426- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
58c5fc13
MT		 10427- /*
10428- * The APM segments have byte granularity and their bases
10429- * are set at run time. All have 64k limits.
10430- */
10431- /* 32-bit code */
ae4e228f 10432- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
58c5fc13 10433- /* 16-bit code */
ae4e228f 10434- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
58c5fc13 10435- /* data */
ae4e228f 10436- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
58c5fc13 10437-
ae4e228f
MT		 10438- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10439- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
58c5fc13
MT		 10440- GDT_STACK_CANARY_INIT
10441-#endif
10442-} };
10443-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10444-
10445 static int __init x86_xsave_setup(char *s)
10446 {
10447 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
ae4e228f 10448@@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
58c5fc13
MT		 10449 {
10450 struct desc_ptr gdt_descr;
10451
10452- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10453+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10454 gdt_descr.size = GDT_SIZE - 1;
10455 load_gdt(&gdt_descr);
10456 /* Reload the per-cpu base */
ae4e228f 10457@@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
58c5fc13
MT		 10458 /* Filter out anything that depends on CPUID levels we don't have */
10459 filter_cpuid_features(c, true);
10460
ae4e228f 10461+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
58c5fc13
MT		 10462+ setup_clear_cpu_cap(X86_FEATURE_SEP);
10463+#endif
10464+
10465 /* If the model name is still unset, do table lookup. */
10466 if (!c->x86_model_id[0]) {
10467 const char *p;
57199397 10468@@ -1117,7 +1067,7 @@ void __cpuinit cpu_init(void)
58c5fc13
MT		 10469 int i;
10470
10471 cpu = stack_smp_processor_id();
10472- t = &per_cpu(init_tss, cpu);
10473+ t = init_tss + cpu;
ae4e228f 10474 oist = &per_cpu(orig_ist, cpu);
58c5fc13
MT		 10475
10476 #ifdef CONFIG_NUMA
57199397 10477@@ -1143,7 +1093,7 @@ void __cpuinit cpu_init(void)
df50ba0c
MT		 10478 switch_to_new_gdt(cpu);
10479 loadsegment(fs, 0);
10480
10481- load_idt((const struct desc_ptr *)&idt_descr);
10482+ load_idt(&idt_descr);
10483
10484 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10485 syscall_init();
57199397 10486@@ -1205,7 +1155,7 @@ void __cpuinit cpu_init(void)
58c5fc13
MT		 10487 {
10488 int cpu = smp_processor_id();
10489 struct task_struct *curr = current;
10490- struct tss_struct *t = &per_cpu(init_tss, cpu);
10491+ struct tss_struct *t = init_tss + cpu;
10492 struct thread_struct *thread = &curr->thread;
10493
10494 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
57199397
MT		 10495diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10496--- linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-08-26 19:47:12.000000000 -0400
10497+++ linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-09-17 20:12:09.000000000 -0400
10498@@ -484,7 +484,7 @@ static const struct dmi_system_id sw_any
58c5fc13
MT		 10499 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10500 },
10501 },
10502- { }
10503+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10504 };
58c5fc13 10505
ae4e228f 10506 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
57199397
MT		 10507diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10508--- linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-08-26 19:47:12.000000000 -0400
10509+++ linux-2.6.35.4/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 10510@@ -226,7 +226,7 @@ static struct cpu_model models[] =
58c5fc13
MT		 10511 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10512 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10513
10514- { NULL, }
10515+ { NULL, NULL, 0, NULL}
10516 };
10517 #undef _BANIAS
10518 #undef BANIAS
57199397
MT		 10519diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/intel.c linux-2.6.35.4/arch/x86/kernel/cpu/intel.c
10520--- linux-2.6.35.4/arch/x86/kernel/cpu/intel.c 2010-08-26 19:47:12.000000000 -0400
10521+++ linux-2.6.35.4/arch/x86/kernel/cpu/intel.c 2010-09-17 20:12:09.000000000 -0400
10522@@ -160,7 +160,7 @@ static void __cpuinit trap_init_f00f_bug
58c5fc13
MT		 10523 * Update the IDT descriptor and reload the IDT so that
10524 * it uses the read-only mapped virtual address.
10525 */
10526- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10527+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10528 load_idt(&idt_descr);
10529 }
10530 #endif
57199397
MT		 10531diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/Makefile linux-2.6.35.4/arch/x86/kernel/cpu/Makefile
10532--- linux-2.6.35.4/arch/x86/kernel/cpu/Makefile 2010-08-26 19:47:12.000000000 -0400
10533+++ linux-2.6.35.4/arch/x86/kernel/cpu/Makefile 2010-09-17 20:12:09.000000000 -0400
10534@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10535 CFLAGS_REMOVE_perf_event.o = -pg
10536 endif
10537
10538-# Make sure load_percpu_segment has no stackprotector
10539-nostackp := $(call cc-option, -fno-stack-protector)
10540-CFLAGS_common.o := $(nostackp)
10541-
10542 obj-y := intel_cacheinfo.o addon_cpuid_features.o
10543 obj-y += proc.o capflags.o powerflags.o common.o
10544 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
10545diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c
10546--- linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c 2010-08-26 19:47:12.000000000 -0400
10547+++ linux-2.6.35.4/arch/x86/kernel/cpu/mcheck/mce.c 2010-09-17 20:12:09.000000000 -0400
10548@@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
ae4e228f
MT		 10549 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10550 m->cs, m->ip);
10551
10552- if (m->cs == __KERNEL_CS)
10553+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10554 print_symbol("{%s}", m->ip);
10555 pr_cont("\n");
10556 }
57199397 10557@@ -1471,14 +1471,14 @@ void __cpuinit mcheck_cpu_init(struct cp
58c5fc13
MT		 10558 */
10559
10560 static DEFINE_SPINLOCK(mce_state_lock);
10561-static int open_count; /* #times opened */
10562+static atomic_t open_count; /* #times opened */
10563 static int open_exclu; /* already open exclusive? */
10564
10565 static int mce_open(struct inode *inode, struct file *file)
10566 {
10567 spin_lock(&mce_state_lock);
10568
10569- if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10570+ if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10571 spin_unlock(&mce_state_lock);
10572
10573 return -EBUSY;
57199397 10574@@ -1486,7 +1486,7 @@ static int mce_open(struct inode *inode,
58c5fc13
MT		 10575
10576 if (file->f_flags & O_EXCL)
10577 open_exclu = 1;
10578- open_count++;
10579+ atomic_inc(&open_count);
10580
10581 spin_unlock(&mce_state_lock);
10582
57199397 10583@@ -1497,7 +1497,7 @@ static int mce_release(struct inode *ino
58c5fc13
MT		 10584 {
10585 spin_lock(&mce_state_lock);
10586
10587- open_count--;
10588+ atomic_dec(&open_count);
10589 open_exclu = 0;
10590
10591 spin_unlock(&mce_state_lock);
57199397 10592@@ -1683,6 +1683,7 @@ static struct miscdevice mce_log_device
58c5fc13
MT		 10593 MISC_MCELOG_MINOR,
10594 "mcelog",
10595 &mce_chrdev_ops,
10596+ {NULL, NULL}, NULL, NULL
10597 };
10598
10599 /*
57199397
MT		 10600diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c
10601--- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c 2010-08-26 19:47:12.000000000 -0400
10602+++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/generic.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 10603@@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
ae4e228f
MT		 10604 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10605 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10606 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
58c5fc13
MT		 10607- {}
10608+ { 0, 0 }
10609 };
10610
10611 static unsigned long smp_changes_mask;
57199397
MT		 10612diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c
10613--- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c 2010-08-26 19:47:12.000000000 -0400
10614+++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/main.c 2010-09-17 20:12:09.000000000 -0400
10615@@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
ae4e228f
MT		 10616 u64 size_or_mask, size_and_mask;
10617 static bool mtrr_aps_delayed_init;
10618
df50ba0c 10619-static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
ae4e228f
MT		 10620+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10621
df50ba0c 10622 const struct mtrr_ops *mtrr_if;
ae4e228f 10623
57199397
MT		 10624diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h
10625--- linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-08-26 19:47:12.000000000 -0400
10626+++ linux-2.6.35.4/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 10627@@ -12,19 +12,19 @@
10628 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10629
10630 struct mtrr_ops {
10631- u32 vendor;
10632- u32 use_intel_if;
10633- void (*set)(unsigned int reg, unsigned long base,
10634+ const u32 vendor;
10635+ const u32 use_intel_if;
10636+ void (* const set)(unsigned int reg, unsigned long base,
10637 unsigned long size, mtrr_type type);
10638- void (*set_all)(void);
10639+ void (* const set_all)(void);
10640
10641- void (*get)(unsigned int reg, unsigned long *base,
10642+ void (* const get)(unsigned int reg, unsigned long *base,
10643 unsigned long *size, mtrr_type *type);
10644- int (*get_free_region)(unsigned long base, unsigned long size,
10645+ int (* const get_free_region)(unsigned long base, unsigned long size,
10646 int replace_reg);
10647- int (*validate_add_page)(unsigned long base, unsigned long size,
10648+ int (* const validate_add_page)(unsigned long base, unsigned long size,
10649 unsigned int type);
10650- int (*have_wrcomb)(void);
10651+ int (* const have_wrcomb)(void);
10652 };
10653
10654 extern int generic_get_free_region(unsigned long base, unsigned long size,
57199397
MT		 10655diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c
10656--- linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-08-26 19:47:12.000000000 -0400
10657+++ linux-2.6.35.4/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 10658@@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10659
10660 /* Interface defining a CPU specific perfctr watchdog */
10661 struct wd_ops {
10662- int (*reserve)(void);
10663- void (*unreserve)(void);
10664- int (*setup)(unsigned nmi_hz);
10665- void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10666- void (*stop)(void);
10667+ int (* const reserve)(void);
10668+ void (* const unreserve)(void);
10669+ int (* const setup)(unsigned nmi_hz);
10670+ void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10671+ void (* const stop)(void);
10672 unsigned perfctr;
10673 unsigned evntsel;
10674 u64 checkbit;
df50ba0c 10675@@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
ae4e228f
MT		 10676 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10677 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10678
df50ba0c 10679+/* cannot be const, see probe_nmi_watchdog */
ae4e228f
MT		 10680 static struct wd_ops intel_arch_wd_ops;
10681
10682 static int setup_intel_arch_watchdog(unsigned nmi_hz)
df50ba0c 10683@@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
ae4e228f
MT		 10684 return 1;
10685 }
58c5fc13 10686
ae4e228f
MT		 10687+/* cannot be const */
10688 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10689 .reserve = single_msr_reserve,
10690 .unreserve = single_msr_unreserve,
57199397
MT		 10691diff -urNp linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c
10692--- linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c 2010-08-26 19:47:12.000000000 -0400
10693+++ linux-2.6.35.4/arch/x86/kernel/cpu/perf_event.c 2010-09-17 20:12:09.000000000 -0400
10694@@ -1685,7 +1685,7 @@ perf_callchain_user(struct pt_regs *regs
10695 break;
10696
10697 callchain_store(entry, frame.return_address);
10698- fp = frame.next_frame;
10699+ fp = (__force const void __user *)frame.next_frame;
10700 }
10701 }
10702
10703diff -urNp linux-2.6.35.4/arch/x86/kernel/crash.c linux-2.6.35.4/arch/x86/kernel/crash.c
10704--- linux-2.6.35.4/arch/x86/kernel/crash.c 2010-08-26 19:47:12.000000000 -0400
10705+++ linux-2.6.35.4/arch/x86/kernel/crash.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 10706@@ -40,7 +40,7 @@ static void kdump_nmi_callback(int cpu,
58c5fc13
MT		 10707 regs = args->regs;
10708
10709 #ifdef CONFIG_X86_32
10710- if (!user_mode_vm(regs)) {
10711+ if (!user_mode(regs)) {
10712 crash_fixup_ss_esp(&fixed_regs, regs);
10713 regs = &fixed_regs;
10714 }
57199397
MT		 10715diff -urNp linux-2.6.35.4/arch/x86/kernel/doublefault_32.c linux-2.6.35.4/arch/x86/kernel/doublefault_32.c
10716--- linux-2.6.35.4/arch/x86/kernel/doublefault_32.c 2010-08-26 19:47:12.000000000 -0400
10717+++ linux-2.6.35.4/arch/x86/kernel/doublefault_32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 10718@@ -11,7 +11,7 @@
10719
10720 #define DOUBLEFAULT_STACKSIZE (1024)
10721 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10722-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10723+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10724
10725 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
10726
10727@@ -21,7 +21,7 @@ static void doublefault_fn(void)
10728 unsigned long gdt, tss;
10729
10730 store_gdt(&gdt_desc);
10731- gdt = gdt_desc.address;
10732+ gdt = (unsigned long)gdt_desc.address;
10733
10734 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10735
ae4e228f 10736@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
58c5fc13
MT		 10737 /* 0x2 bit is always set */
10738 .flags = X86_EFLAGS_SF | 0x2,
10739 .sp = STACK_START,
10740- .es = __USER_DS,
10741+ .es = __KERNEL_DS,
10742 .cs = __KERNEL_CS,
10743 .ss = __KERNEL_DS,
10744- .ds = __USER_DS,
10745+ .ds = __KERNEL_DS,
10746 .fs = __KERNEL_PERCPU,
10747
10748 .__cr3 = __pa_nodebug(swapper_pg_dir),
57199397
MT		 10749diff -urNp linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c
10750--- linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c 2010-08-26 19:47:12.000000000 -0400
10751+++ linux-2.6.35.4/arch/x86/kernel/dumpstack_32.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 10752@@ -107,11 +107,12 @@ void show_registers(struct pt_regs *regs
58c5fc13
MT		 10753 * When in-kernel, we also print out the stack and code at the
10754 * time of the fault..
10755 */
10756- if (!user_mode_vm(regs)) {
10757+ if (!user_mode(regs)) {
10758 unsigned int code_prologue = code_bytes * 43 / 64;
10759 unsigned int code_len = code_bytes;
10760 unsigned char c;
10761 u8 *ip;
10762+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10763
10764 printk(KERN_EMERG "Stack:\n");
10765 show_stack_log_lvl(NULL, regs, &regs->sp,
df50ba0c 10766@@ -119,10 +120,10 @@ void show_registers(struct pt_regs *regs
58c5fc13
MT		 10767
10768 printk(KERN_EMERG "Code: ");
10769
10770- ip = (u8 *)regs->ip - code_prologue;
10771+ ip = (u8 *)regs->ip - code_prologue + cs_base;
10772 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10773 /* try starting at IP */
10774- ip = (u8 *)regs->ip;
10775+ ip = (u8 *)regs->ip + cs_base;
10776 code_len = code_len - code_prologue + 1;
10777 }
10778 for (i = 0; i < code_len; i++, ip++) {
df50ba0c 10779@@ -131,7 +132,7 @@ void show_registers(struct pt_regs *regs
58c5fc13
MT		 10780 printk(" Bad EIP value.");
10781 break;
10782 }
10783- if (ip == (u8 *)regs->ip)
10784+ if (ip == (u8 *)regs->ip + cs_base)
10785 printk("<%02x> ", c);
10786 else
10787 printk("%02x ", c);
df50ba0c 10788@@ -144,6 +145,7 @@ int is_valid_bugaddr(unsigned long ip)
58c5fc13
MT		 10789 {
10790 unsigned short ud2;
10791
10792+ ip = ktla_ktva(ip);
10793 if (ip < PAGE_OFFSET)
10794 return 0;
10795 if (probe_kernel_address((unsigned short *)ip, ud2))
57199397
MT		 10796diff -urNp linux-2.6.35.4/arch/x86/kernel/dumpstack.c linux-2.6.35.4/arch/x86/kernel/dumpstack.c
10797--- linux-2.6.35.4/arch/x86/kernel/dumpstack.c 2010-08-26 19:47:12.000000000 -0400
10798+++ linux-2.6.35.4/arch/x86/kernel/dumpstack.c 2010-09-17 20:12:09.000000000 -0400
10799@@ -207,7 +207,7 @@ void dump_stack(void)
10800 #endif
10801
10802 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
10803- current->pid, current->comm, print_tainted(),
10804+ task_pid_nr(current), current->comm, print_tainted(),
10805 init_utsname()->release,
10806 (int)strcspn(init_utsname()->version, " "),
10807 init_utsname()->version);
10808@@ -263,7 +263,7 @@ void __kprobes oops_end(unsigned long fl
10809 panic("Fatal exception in interrupt");
10810 if (panic_on_oops)
10811 panic("Fatal exception");
10812- do_exit(signr);
10813+ do_group_exit(signr);
10814 }
10815
10816 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
10817@@ -290,7 +290,7 @@ int __kprobes __die(const char *str, str
10818
10819 show_registers(regs);
10820 #ifdef CONFIG_X86_32
10821- if (user_mode_vm(regs)) {
10822+ if (user_mode(regs)) {
10823 sp = regs->sp;
10824 ss = regs->ss & 0xffff;
10825 } else {
10826@@ -318,7 +318,7 @@ void die(const char *str, struct pt_regs
10827 unsigned long flags = oops_begin();
10828 int sig = SIGSEGV;
10829
10830- if (!user_mode_vm(regs))
10831+ if (!user_mode(regs))
10832 report_bug(regs->ip, regs);
10833
10834 if (__die(str, regs, err))
10835diff -urNp linux-2.6.35.4/arch/x86/kernel/efi_32.c linux-2.6.35.4/arch/x86/kernel/efi_32.c
10836--- linux-2.6.35.4/arch/x86/kernel/efi_32.c 2010-08-26 19:47:12.000000000 -0400
10837+++ linux-2.6.35.4/arch/x86/kernel/efi_32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 10838@@ -38,70 +38,38 @@
10839 */
10840
10841 static unsigned long efi_rt_eflags;
10842-static pgd_t efi_bak_pg_dir_pointer[2];
10843+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10844
10845-void efi_call_phys_prelog(void)
10846+void __init efi_call_phys_prelog(void)
10847 {
10848- unsigned long cr4;
10849- unsigned long temp;
10850 struct desc_ptr gdt_descr;
10851
10852 local_irq_save(efi_rt_eflags);
10853
10854- /*
10855- * If I don't have PAE, I should just duplicate two entries in page
10856- * directory. If I have PAE, I just need to duplicate one entry in
10857- * page directory.
10858- */
10859- cr4 = read_cr4_safe();
10860
10861- if (cr4 & X86_CR4_PAE) {
10862- efi_bak_pg_dir_pointer[0].pgd =
10863- swapper_pg_dir[pgd_index(0)].pgd;
10864- swapper_pg_dir[0].pgd =
10865- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10866- } else {
10867- efi_bak_pg_dir_pointer[0].pgd =
10868- swapper_pg_dir[pgd_index(0)].pgd;
10869- efi_bak_pg_dir_pointer[1].pgd =
10870- swapper_pg_dir[pgd_index(0x400000)].pgd;
10871- swapper_pg_dir[pgd_index(0)].pgd =
10872- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10873- temp = PAGE_OFFSET + 0x400000;
10874- swapper_pg_dir[pgd_index(0x400000)].pgd =
10875- swapper_pg_dir[pgd_index(temp)].pgd;
10876- }
10877+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10878+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10879+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10880
10881 /*
10882 * After the lock is released, the original page table is restored.
10883 */
10884 __flush_tlb_all();
10885
10886- gdt_descr.address = __pa(get_cpu_gdt_table(0));
10887+ gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10888 gdt_descr.size = GDT_SIZE - 1;
10889 load_gdt(&gdt_descr);
10890 }
10891
10892-void efi_call_phys_epilog(void)
10893+void __init efi_call_phys_epilog(void)
10894 {
10895- unsigned long cr4;
10896 struct desc_ptr gdt_descr;
10897
10898- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10899+ gdt_descr.address = get_cpu_gdt_table(0);
10900 gdt_descr.size = GDT_SIZE - 1;
10901 load_gdt(&gdt_descr);
10902
10903- cr4 = read_cr4_safe();
10904-
10905- if (cr4 & X86_CR4_PAE) {
10906- swapper_pg_dir[pgd_index(0)].pgd =
10907- efi_bak_pg_dir_pointer[0].pgd;
10908- } else {
10909- swapper_pg_dir[pgd_index(0)].pgd =
10910- efi_bak_pg_dir_pointer[0].pgd;
10911- swapper_pg_dir[pgd_index(0x400000)].pgd =
10912- efi_bak_pg_dir_pointer[1].pgd;
10913- }
10914+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10915
10916 /*
10917 * After the lock is released, the original page table is restored.
57199397
MT		 10918diff -urNp linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S
10919--- linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S 2010-08-26 19:47:12.000000000 -0400
10920+++ linux-2.6.35.4/arch/x86/kernel/efi_stub_32.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 10921@@ -6,6 +6,7 @@
10922 */
10923
10924 #include <linux/linkage.h>
10925+#include <linux/init.h>
10926 #include <asm/page_types.h>
10927
10928 /*
10929@@ -20,7 +21,7 @@
10930 * service functions will comply with gcc calling convention, too.
10931 */
10932
10933-.text
10934+__INIT
10935 ENTRY(efi_call_phys)
10936 /*
10937 * 0. The function can only be called in Linux kernel. So CS has been
10938@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10939 * The mapping of lower virtual memory has been created in prelog and
10940 * epilog.
10941 */
10942- movl $1f, %edx
10943- subl $__PAGE_OFFSET, %edx
10944- jmp *%edx
10945+ jmp 1f-__PAGE_OFFSET
10946 1:
10947
10948 /*
10949@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10950 * parameter 2, ..., param n. To make things easy, we save the return
10951 * address of efi_call_phys in a global variable.
10952 */
10953- popl %edx
10954- movl %edx, saved_return_addr
10955- /* get the function pointer into ECX*/
10956- popl %ecx
10957- movl %ecx, efi_rt_function_ptr
10958- movl $2f, %edx
10959- subl $__PAGE_OFFSET, %edx
10960- pushl %edx
10961+ popl (saved_return_addr)
10962+ popl (efi_rt_function_ptr)
10963
10964 /*
10965 * 3. Clear PG bit in %CR0.
10966@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10967 /*
10968 * 5. Call the physical function.
10969 */
10970- jmp *%ecx
10971+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
10972
10973-2:
10974 /*
10975 * 6. After EFI runtime service returns, control will return to
10976 * following instruction. We'd better readjust stack pointer first.
10977@@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10978 movl %cr0, %edx
10979 orl $0x80000000, %edx
10980 movl %edx, %cr0
10981- jmp 1f
10982-1:
10983+
10984 /*
10985 * 8. Now restore the virtual mode from flat mode by
10986 * adding EIP with PAGE_OFFSET.
10987 */
10988- movl $1f, %edx
10989- jmp *%edx
10990+ jmp 1f+__PAGE_OFFSET
10991 1:
10992
10993 /*
10994 * 9. Balance the stack. And because EAX contain the return value,
10995 * we'd better not clobber it.
10996 */
10997- leal efi_rt_function_ptr, %edx
10998- movl (%edx), %ecx
10999- pushl %ecx
11000+ pushl (efi_rt_function_ptr)
11001
11002 /*
11003- * 10. Push the saved return address onto the stack and return.
11004+ * 10. Return to the saved return address.
11005 */
11006- leal saved_return_addr, %edx
11007- movl (%edx), %ecx
11008- pushl %ecx
11009- ret
11010+ jmpl *(saved_return_addr)
11011 ENDPROC(efi_call_phys)
11012 .previous
11013
11014-.data
11015+__INITDATA
11016 saved_return_addr:
11017 .long 0
11018 efi_rt_function_ptr:
57199397
MT		 11019diff -urNp linux-2.6.35.4/arch/x86/kernel/entry_32.S linux-2.6.35.4/arch/x86/kernel/entry_32.S
11020--- linux-2.6.35.4/arch/x86/kernel/entry_32.S 2010-08-26 19:47:12.000000000 -0400
11021+++ linux-2.6.35.4/arch/x86/kernel/entry_32.S 2010-09-17 20:12:09.000000000 -0400
11022@@ -192,7 +192,67 @@
58c5fc13
MT		 11023
11024 #endif /* CONFIG_X86_32_LAZY_GS */
11025
11026-.macro SAVE_ALL
df50ba0c
MT		 11027+.macro PAX_EXIT_KERNEL
11028+#ifdef CONFIG_PAX_KERNEXEC
11029+#ifdef CONFIG_PARAVIRT
11030+ push %eax; push %ecx;
11031+#endif
11032+ mov %cs, %esi
11033+ cmp $__KERNEXEC_KERNEL_CS, %esi
11034+ jnz 2f
11035+#ifdef CONFIG_PARAVIRT
11036+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11037+ mov %eax, %esi
11038+#else
11039+ mov %cr0, %esi
11040+#endif
11041+ btr $16, %esi
11042+ ljmp $__KERNEL_CS, $1f
11043+1:
11044+#ifdef CONFIG_PARAVIRT
11045+ mov %esi, %eax
11046+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11047+#else
11048+ mov %esi, %cr0
11049+#endif
11050+2:
11051+#ifdef CONFIG_PARAVIRT
11052+ pop %ecx; pop %eax
11053+#endif
11054+#endif
11055+.endm
11056+
11057+.macro PAX_ENTER_KERNEL
11058+#ifdef CONFIG_PAX_KERNEXEC
11059+#ifdef CONFIG_PARAVIRT
11060+ push %eax; push %ecx;
11061+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11062+ mov %eax, %esi
11063+#else
11064+ mov %cr0, %esi
11065+#endif
11066+ bts $16, %esi
11067+ jnc 1f
11068+ mov %cs, %esi
11069+ cmp $__KERNEL_CS, %esi
11070+ jz 3f
11071+ ljmp $__KERNEL_CS, $3f
11072+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11073+2:
11074+#ifdef CONFIG_PARAVIRT
11075+ mov %esi, %eax
11076+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11077+#else
11078+ mov %esi, %cr0
11079+#endif
11080+3:
11081+#ifdef CONFIG_PARAVIRT
11082+ pop %ecx; pop %eax
11083+#endif
11084+#endif
11085+.endm
11086+
58c5fc13
MT		 11087+.macro __SAVE_ALL _DS
11088 cld
11089 PUSH_GS
11090 pushl %fs
57199397 11091@@ -225,7 +285,7 @@
58c5fc13
MT		 11092 pushl %ebx
11093 CFI_ADJUST_CFA_OFFSET 4
11094 CFI_REL_OFFSET ebx, 0
11095- movl $(__USER_DS), %edx
11096+ movl $\_DS, %edx
11097 movl %edx, %ds
11098 movl %edx, %es
11099 movl $(__KERNEL_PERCPU), %edx
57199397 11100@@ -233,6 +293,15 @@
58c5fc13
MT		 11101 SET_KERNEL_GS %edx
11102 .endm
11103
11104+.macro SAVE_ALL
ae4e228f 11105+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13 11106+ __SAVE_ALL __KERNEL_DS
ae4e228f 11107+ PAX_ENTER_KERNEL
58c5fc13
MT		 11108+#else
11109+ __SAVE_ALL __USER_DS
11110+#endif
11111+.endm
11112+
11113 .macro RESTORE_INT_REGS
11114 popl %ebx
11115 CFI_ADJUST_CFA_OFFSET -4
57199397 11116@@ -357,7 +426,15 @@ check_userspace:
58c5fc13
MT		 11117 movb PT_CS(%esp), %al
11118 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11119 cmpl $USER_RPL, %eax
11120+
11121+#ifdef CONFIG_PAX_KERNEXEC
11122+ jae resume_userspace
ae4e228f
MT		 11123+
11124+ PAX_EXIT_KERNEL
58c5fc13
MT		 11125+ jmp resume_kernel
11126+#else
11127 jb resume_kernel # not returning to v8086 or userspace
11128+#endif
11129
11130 ENTRY(resume_userspace)
11131 LOCKDEP_SYS_EXIT
57199397 11132@@ -423,10 +500,9 @@ sysenter_past_esp:
58c5fc13
MT		 11133 /*CFI_REL_OFFSET cs, 0*/
11134 /*
11135 * Push current_thread_info()->sysenter_return to the stack.
11136- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11137- * pushed above; +8 corresponds to copy_thread's esp0 setting.
11138 */
11139- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
11140+ GET_THREAD_INFO(%ebp)
11141+ pushl TI_sysenter_return(%ebp)
11142 CFI_ADJUST_CFA_OFFSET 4
11143 CFI_REL_OFFSET eip, 0
11144
57199397 11145@@ -439,9 +515,19 @@ sysenter_past_esp:
58c5fc13
MT		 11146 * Load the potential sixth argument from user stack.
11147 * Careful about security.
11148 */
11149+ movl PT_OLDESP(%esp),%ebp
11150+
11151+#ifdef CONFIG_PAX_MEMORY_UDEREF
11152+ mov PT_OLDSS(%esp),%ds
11153+1: movl %ds:(%ebp),%ebp
11154+ push %ss
11155+ pop %ds
11156+#else
11157 cmpl $__PAGE_OFFSET-3,%ebp
11158 jae syscall_fault
11159 1: movl (%ebp),%ebp
11160+#endif
11161+
11162 movl %ebp,PT_EBP(%esp)
11163 .section __ex_table,"a"
11164 .align 4
57199397 11165@@ -464,12 +550,23 @@ sysenter_do_call:
58c5fc13
MT		 11166 testl $_TIF_ALLWORK_MASK, %ecx
11167 jne sysexit_audit
11168 sysenter_exit:
11169+
11170+#ifdef CONFIG_PAX_RANDKSTACK
11171+ pushl %eax
11172+ CFI_ADJUST_CFA_OFFSET 4
11173+ call pax_randomize_kstack
11174+ popl %eax
11175+ CFI_ADJUST_CFA_OFFSET -4
11176+#endif
11177+
11178 /* if something modifies registers it must also disable sysexit */
11179 movl PT_EIP(%esp), %edx
11180 movl PT_OLDESP(%esp), %ecx
11181 xorl %ebp,%ebp
11182 TRACE_IRQS_ON
11183 1: mov PT_FS(%esp), %fs
11184+2: mov PT_DS(%esp), %ds
11185+3: mov PT_ES(%esp), %es
11186 PTGS_TO_GS
11187 ENABLE_INTERRUPTS_SYSEXIT
11188
57199397 11189@@ -513,11 +610,17 @@ sysexit_audit:
58c5fc13
MT		 11190
11191 CFI_ENDPROC
11192 .pushsection .fixup,"ax"
11193-2: movl $0,PT_FS(%esp)
11194+4: movl $0,PT_FS(%esp)
11195+ jmp 1b
11196+5: movl $0,PT_DS(%esp)
11197+ jmp 1b
11198+6: movl $0,PT_ES(%esp)
11199 jmp 1b
11200 .section __ex_table,"a"
11201 .align 4
11202- .long 1b,2b
11203+ .long 1b,4b
11204+ .long 2b,5b
11205+ .long 3b,6b
11206 .popsection
11207 PTGS_TO_GS_EX
11208 ENDPROC(ia32_sysenter_target)
57199397 11209@@ -551,6 +654,10 @@ syscall_exit:
58c5fc13
MT		 11210 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11211 jne syscall_exit_work
11212
11213+#ifdef CONFIG_PAX_RANDKSTACK
11214+ call pax_randomize_kstack
11215+#endif
11216+
11217 restore_all:
11218 TRACE_IRQS_IRET
11219 restore_all_notrace:
57199397 11220@@ -615,7 +722,13 @@ ldt_ss:
58c5fc13
MT		 11221 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11222 mov %dx, %ax /* eax: new kernel esp */
11223 sub %eax, %edx /* offset (low word is 0) */
11224- PER_CPU(gdt_page, %ebx)
11225+#ifdef CONFIG_SMP
11226+ movl PER_CPU_VAR(cpu_number), %ebx
11227+ shll $PAGE_SHIFT_asm, %ebx
11228+ addl $cpu_gdt_table, %ebx
11229+#else
11230+ movl $cpu_gdt_table, %ebx
11231+#endif
11232 shr $16, %edx
11233 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
11234 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
57199397 11235@@ -655,25 +768,19 @@ work_resched:
58c5fc13
MT		 11236
11237 work_notifysig: # deal with pending signals and
11238 # notify-resume requests
11239+ movl %esp, %eax
11240 #ifdef CONFIG_VM86
11241 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11242- movl %esp, %eax
11243- jne work_notifysig_v86 # returning to kernel-space or
11244+ jz 1f # returning to kernel-space or
11245 # vm86-space
11246- xorl %edx, %edx
11247- call do_notify_resume
11248- jmp resume_userspace_sig
11249
11250- ALIGN
11251-work_notifysig_v86:
11252 pushl %ecx # save ti_flags for do_notify_resume
11253 CFI_ADJUST_CFA_OFFSET 4
11254 call save_v86_state # %eax contains pt_regs pointer
11255 popl %ecx
11256 CFI_ADJUST_CFA_OFFSET -4
11257 movl %eax, %esp
11258-#else
11259- movl %esp, %eax
11260+1:
11261 #endif
11262 xorl %edx, %edx
11263 call do_notify_resume
57199397 11264@@ -708,6 +815,10 @@ END(syscall_exit_work)
58c5fc13
MT		 11265
11266 RING0_INT_FRAME # can't unwind into user space anyway
11267 syscall_fault:
11268+#ifdef CONFIG_PAX_MEMORY_UDEREF
11269+ push %ss
11270+ pop %ds
11271+#endif
11272 GET_THREAD_INFO(%ebp)
11273 movl $-EFAULT,PT_EAX(%esp)
11274 jmp resume_userspace
57199397 11275@@ -791,7 +902,13 @@ ptregs_clone:
58c5fc13
MT		 11276 * normal stack and adjusts ESP with the matching offset.
11277 */
11278 /* fixup the stack */
11279- PER_CPU(gdt_page, %ebx)
11280+#ifdef CONFIG_SMP
11281+ movl PER_CPU_VAR(cpu_number), %ebx
11282+ shll $PAGE_SHIFT_asm, %ebx
11283+ addl $cpu_gdt_table, %ebx
11284+#else
11285+ movl $cpu_gdt_table, %ebx
11286+#endif
11287 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
11288 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
11289 shl $16, %eax
57199397 11290@@ -1273,7 +1390,6 @@ return_to_handler:
ae4e228f 11291 jmp *%ecx
58c5fc13
MT		 11292 #endif
11293
11294-.section .rodata,"a"
11295 #include "syscall_table_32.S"
11296
11297 syscall_table_size=(.-sys_call_table)
57199397 11298@@ -1330,9 +1446,12 @@ error_code:
58c5fc13
MT		 11299 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11300 REG_TO_PTGS %ecx
11301 SET_KERNEL_GS %ecx
11302- movl $(__USER_DS), %ecx
11303+ movl $(__KERNEL_DS), %ecx
11304 movl %ecx, %ds
11305 movl %ecx, %es
df50ba0c
MT		 11306+
11307+ PAX_ENTER_KERNEL
11308+
58c5fc13 11309 TRACE_IRQS_OFF
df50ba0c
MT		 11310 movl %esp,%eax # pt_regs pointer
11311 call *%edi
57199397 11312@@ -1426,6 +1545,9 @@ nmi_stack_correct:
58c5fc13
MT		 11313 xorl %edx,%edx # zero error code
11314 movl %esp,%eax # pt_regs pointer
11315 call do_nmi
11316+
ae4e228f 11317+ PAX_EXIT_KERNEL
58c5fc13
MT		 11318+
11319 jmp restore_all_notrace
11320 CFI_ENDPROC
11321
57199397 11322@@ -1466,6 +1588,9 @@ nmi_espfix_stack:
58c5fc13
MT		 11323 FIXUP_ESPFIX_STACK # %eax == %esp
11324 xorl %edx,%edx # zero error code
11325 call do_nmi
11326+
ae4e228f 11327+ PAX_EXIT_KERNEL
58c5fc13
MT		 11328+
11329 RESTORE_REGS
11330 lss 12+4(%esp), %esp # back to espfix stack
11331 CFI_ADJUST_CFA_OFFSET -24
57199397
MT		 11332diff -urNp linux-2.6.35.4/arch/x86/kernel/entry_64.S linux-2.6.35.4/arch/x86/kernel/entry_64.S
11333--- linux-2.6.35.4/arch/x86/kernel/entry_64.S 2010-08-26 19:47:12.000000000 -0400
11334+++ linux-2.6.35.4/arch/x86/kernel/entry_64.S 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 11335@@ -53,6 +53,7 @@
11336 #include <asm/paravirt.h>
11337 #include <asm/ftrace.h>
11338 #include <asm/percpu.h>
11339+#include <asm/pgtable.h>
11340
11341 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11342 #include <linux/elf-em.h>
df50ba0c
MT		 11343@@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11344 ENDPROC(native_usergs_sysret64)
11345 #endif /* CONFIG_PARAVIRT */
11346
11347+ .macro ljmpq sel, off
11348+#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11349+ .byte 0x48; ljmp *1234f(%rip)
11350+ .pushsection .rodata
11351+ .align 16
11352+ 1234: .quad \off; .word \sel
11353+ .popsection
11354+#else
11355+ push $\sel
11356+ push $\off
11357+ lretq
11358+#endif
11359+ .endm
11360+
11361+ENTRY(pax_enter_kernel)
11362+
11363+#ifdef CONFIG_PAX_KERNEXEC
11364+ push %rdi
11365+
11366+#ifdef CONFIG_PARAVIRT
11367+ PV_SAVE_REGS(CLBR_RDI)
11368+#endif
11369+
11370+ GET_CR0_INTO_RDI
11371+ bts $16,%rdi
11372+ jnc 1f
11373+ mov %cs,%edi
11374+ cmp $__KERNEL_CS,%edi
11375+ jz 3f
11376+ ljmpq __KERNEL_CS,3f
11377+1: ljmpq __KERNEXEC_KERNEL_CS,2f
11378+2: SET_RDI_INTO_CR0
11379+3:
11380+
11381+#ifdef CONFIG_PARAVIRT
11382+ PV_RESTORE_REGS(CLBR_RDI)
11383+#endif
11384+
11385+ pop %rdi
11386+#endif
11387+
11388+ retq
11389+ENDPROC(pax_enter_kernel)
11390+
11391+ENTRY(pax_exit_kernel)
11392+
11393+#ifdef CONFIG_PAX_KERNEXEC
11394+ push %rdi
11395+
11396+#ifdef CONFIG_PARAVIRT
11397+ PV_SAVE_REGS(CLBR_RDI)
11398+#endif
11399+
11400+ mov %cs,%rdi
11401+ cmp $__KERNEXEC_KERNEL_CS,%edi
11402+ jnz 2f
11403+ GET_CR0_INTO_RDI
11404+ btr $16,%rdi
11405+ ljmpq __KERNEL_CS,1f
11406+1: SET_RDI_INTO_CR0
11407+2:
11408+
11409+#ifdef CONFIG_PARAVIRT
11410+ PV_RESTORE_REGS(CLBR_RDI);
11411+#endif
11412+
11413+ pop %rdi
11414+#endif
11415+
11416+ retq
11417+ENDPROC(pax_exit_kernel)
11418+
11419+ENTRY(pax_enter_kernel_user)
11420+
11421+#ifdef CONFIG_PAX_MEMORY_UDEREF
11422+ push %rdi
11423+ push %rbx
11424+
11425+#ifdef CONFIG_PARAVIRT
11426+ PV_SAVE_REGS(CLBR_RDI)
11427+#endif
11428+
11429+ GET_CR3_INTO_RDI
11430+ mov %rdi,%rbx
11431+ add $__START_KERNEL_map,%rbx
11432+ sub phys_base(%rip),%rbx
11433+
11434+#ifdef CONFIG_PARAVIRT
11435+ push %rdi
11436+ cmpl $0, pv_info+PARAVIRT_enabled
11437+ jz 1f
11438+ i = 0
11439+ .rept USER_PGD_PTRS
11440+ mov i*8(%rbx),%rsi
11441+ mov $0,%sil
11442+ lea i*8(%rbx),%rdi
11443+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11444+ i = i + 1
11445+ .endr
11446+ jmp 2f
11447+1:
11448+#endif
11449+
11450+ i = 0
11451+ .rept USER_PGD_PTRS
11452+ movb $0,i*8(%rbx)
11453+ i = i + 1
11454+ .endr
11455+
11456+#ifdef CONFIG_PARAVIRT
11457+2: pop %rdi
11458+#endif
11459+ SET_RDI_INTO_CR3
11460+
11461+#ifdef CONFIG_PAX_KERNEXEC
11462+ GET_CR0_INTO_RDI
11463+ bts $16,%rdi
11464+ SET_RDI_INTO_CR0
11465+#endif
11466+
11467+#ifdef CONFIG_PARAVIRT
11468+ PV_RESTORE_REGS(CLBR_RDI)
11469+#endif
11470+
11471+ pop %rbx
11472+ pop %rdi
11473+#endif
11474+
11475+ retq
11476+ENDPROC(pax_enter_kernel_user)
11477+
11478+ENTRY(pax_exit_kernel_user)
11479+
11480+#ifdef CONFIG_PAX_MEMORY_UDEREF
11481+ push %rdi
11482+
11483+#ifdef CONFIG_PARAVIRT
11484+ push %rbx
11485+ PV_SAVE_REGS(CLBR_RDI)
11486+#endif
11487+
11488+#ifdef CONFIG_PAX_KERNEXEC
11489+ GET_CR0_INTO_RDI
11490+ btr $16,%rdi
11491+ SET_RDI_INTO_CR0
11492+#endif
11493+
11494+ GET_CR3_INTO_RDI
11495+ add $__START_KERNEL_map,%rdi
11496+ sub phys_base(%rip),%rdi
11497+
11498+#ifdef CONFIG_PARAVIRT
11499+ cmpl $0, pv_info+PARAVIRT_enabled
11500+ jz 1f
11501+ mov %rdi,%rbx
11502+ i = 0
11503+ .rept USER_PGD_PTRS
11504+ mov i*8(%rbx),%rsi
11505+ mov $0x67,%sil
11506+ lea i*8(%rbx),%rdi
11507+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11508+ i = i + 1
11509+ .endr
11510+ jmp 2f
11511+1:
11512+#endif
11513+
11514+ i = 0
11515+ .rept USER_PGD_PTRS
11516+ movb $0x67,i*8(%rdi)
11517+ i = i + 1
11518+ .endr
11519+
11520+#ifdef CONFIG_PARAVIRT
11521+2: PV_RESTORE_REGS(CLBR_RDI)
11522+ pop %rbx
11523+#endif
11524+
11525+ pop %rdi
11526+#endif
11527+
11528+ retq
11529+ENDPROC(pax_exit_kernel_user)
11530
11531 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11532 #ifdef CONFIG_TRACE_IRQFLAGS
11533@@ -317,7 +501,7 @@ ENTRY(save_args)
11534 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11535 movq_cfi rbp, 8 /* push %rbp */
11536 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11537- testl $3, CS(%rdi)
11538+ testb $3, CS(%rdi)
11539 je 1f
11540 SWAPGS
11541 /*
11542@@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11543
11544 RESTORE_REST
11545
11546- testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11547+ testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11548 je int_ret_from_sys_call
11549
11550 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11551@@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11552
11553 movq %rsp,PER_CPU_VAR(old_rsp)
11554 movq PER_CPU_VAR(kernel_stack),%rsp
11555+
11556+#ifdef CONFIG_PAX_MEMORY_UDEREF
11557+ call pax_enter_kernel_user
11558+#endif
11559+
11560 /*
11561 * No need to follow this irqs off/on section - it's straight
11562 * and short:
11563@@ -502,6 +691,11 @@ sysret_check:
11564 andl %edi,%edx
11565 jnz sysret_careful
11566 CFI_REMEMBER_STATE
11567+
11568+#ifdef CONFIG_PAX_MEMORY_UDEREF
11569+ call pax_exit_kernel_user
11570+#endif
11571+
11572 /*
11573 * sysretq will re-enable interrupts:
11574 */
11575@@ -613,7 +807,7 @@ tracesys:
11576 GLOBAL(int_ret_from_sys_call)
11577 DISABLE_INTERRUPTS(CLBR_NONE)
11578 TRACE_IRQS_OFF
11579- testl $3,CS-ARGOFFSET(%rsp)
11580+ testb $3,CS-ARGOFFSET(%rsp)
11581 je retint_restore_args
11582 movl $_TIF_ALLWORK_MASK,%edi
11583 /* edi: mask to check */
11584@@ -800,6 +994,16 @@ END(interrupt)
ae4e228f
MT		 11585 CFI_ADJUST_CFA_OFFSET 10*8
11586 call save_args
11587 PARTIAL_FRAME 0
df50ba0c
MT		 11588+#ifdef CONFIG_PAX_MEMORY_UDEREF
11589+ testb $3, CS(%rdi)
11590+ jnz 1f
11591+ call pax_enter_kernel
11592+ jmp 2f
11593+1: call pax_enter_kernel_user
11594+2:
11595+#else
11596+ call pax_enter_kernel
11597+#endif
ae4e228f
MT		 11598 call \func
11599 .endm
11600
df50ba0c 11601@@ -826,7 +1030,7 @@ ret_from_intr:
ae4e228f
MT		 11602 CFI_ADJUST_CFA_OFFSET -8
11603 exit_intr:
ae4e228f 11604 GET_THREAD_INFO(%rcx)
df50ba0c
MT		 11605- testl $3,CS-ARGOFFSET(%rsp)
11606+ testb $3,CS-ARGOFFSET(%rsp)
ae4e228f 11607 je retint_kernel
df50ba0c
MT		 11608
11609 /* Interrupt came from user space */
11610@@ -848,12 +1052,18 @@ retint_swapgs: /* return to user-space
11611 * The iretq could re-enable interrupts:
11612 */
11613 DISABLE_INTERRUPTS(CLBR_ANY)
11614+
11615+#ifdef CONFIG_PAX_MEMORY_UDEREF
11616+ call pax_exit_kernel_user
11617+#endif
11618+
11619 TRACE_IRQS_IRETQ
11620 SWAPGS
11621 jmp restore_args
11622
11623 retint_restore_args: /* return to kernel space */
11624 DISABLE_INTERRUPTS(CLBR_ANY)
11625+ call pax_exit_kernel
11626 /*
11627 * The iretq could re-enable interrupts:
11628 */
11629@@ -1040,6 +1250,16 @@ ENTRY(\sym)
ae4e228f
MT		 11630 CFI_ADJUST_CFA_OFFSET 15*8
11631 call error_entry
11632 DEFAULT_FRAME 0
df50ba0c
MT		 11633+#ifdef CONFIG_PAX_MEMORY_UDEREF
11634+ testb $3, CS(%rsp)
11635+ jnz 1f
11636+ call pax_enter_kernel
11637+ jmp 2f
11638+1: call pax_enter_kernel_user
11639+2:
11640+#else
11641+ call pax_enter_kernel
11642+#endif
ae4e228f
MT		 11643 movq %rsp,%rdi /* pt_regs pointer */
11644 xorl %esi,%esi /* no error code */
11645 call \do_sym
df50ba0c 11646@@ -1057,6 +1277,16 @@ ENTRY(\sym)
ae4e228f
MT		 11647 subq $15*8, %rsp
11648 call save_paranoid
11649 TRACE_IRQS_OFF
df50ba0c
MT		 11650+#ifdef CONFIG_PAX_MEMORY_UDEREF
11651+ testb $3, CS(%rsp)
11652+ jnz 1f
11653+ call pax_enter_kernel
11654+ jmp 2f
11655+1: call pax_enter_kernel_user
11656+2:
11657+#else
11658+ call pax_enter_kernel
11659+#endif
ae4e228f
MT		 11660 movq %rsp,%rdi /* pt_regs pointer */
11661 xorl %esi,%esi /* no error code */
11662 call \do_sym
df50ba0c 11663@@ -1074,9 +1304,24 @@ ENTRY(\sym)
ae4e228f
MT		 11664 subq $15*8, %rsp
11665 call save_paranoid
58c5fc13 11666 TRACE_IRQS_OFF
df50ba0c
MT		 11667+#ifdef CONFIG_PAX_MEMORY_UDEREF
11668+ testb $3, CS(%rsp)
11669+ jnz 1f
11670+ call pax_enter_kernel
11671+ jmp 2f
11672+1: call pax_enter_kernel_user
11673+2:
11674+#else
11675+ call pax_enter_kernel
11676+#endif
58c5fc13
MT		 11677 movq %rsp,%rdi /* pt_regs pointer */
11678 xorl %esi,%esi /* no error code */
ae4e228f 11679- PER_CPU(init_tss, %r12)
58c5fc13 11680+#ifdef CONFIG_SMP
ae4e228f
MT		 11681+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11682+ lea init_tss(%r12), %r12
58c5fc13 11683+#else
ae4e228f 11684+ lea init_tss(%rip), %r12
58c5fc13 11685+#endif
ae4e228f 11686 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
58c5fc13 11687 call \do_sym
ae4e228f 11688 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
df50ba0c 11689@@ -1093,6 +1338,16 @@ ENTRY(\sym)
ae4e228f
MT		 11690 CFI_ADJUST_CFA_OFFSET 15*8
11691 call error_entry
11692 DEFAULT_FRAME 0
df50ba0c
MT		 11693+#ifdef CONFIG_PAX_MEMORY_UDEREF
11694+ testb $3, CS(%rsp)
11695+ jnz 1f
11696+ call pax_enter_kernel
11697+ jmp 2f
11698+1: call pax_enter_kernel_user
11699+2:
11700+#else
11701+ call pax_enter_kernel
11702+#endif
ae4e228f
MT		 11703 movq %rsp,%rdi /* pt_regs pointer */
11704 movq ORIG_RAX(%rsp),%rsi /* get error code */
11705 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
df50ba0c 11706@@ -1112,6 +1367,16 @@ ENTRY(\sym)
ae4e228f
MT		 11707 call save_paranoid
11708 DEFAULT_FRAME 0
11709 TRACE_IRQS_OFF
df50ba0c
MT		 11710+#ifdef CONFIG_PAX_MEMORY_UDEREF
11711+ testb $3, CS(%rsp)
11712+ jnz 1f
11713+ call pax_enter_kernel
11714+ jmp 2f
11715+1: call pax_enter_kernel_user
11716+2:
11717+#else
11718+ call pax_enter_kernel
11719+#endif
ae4e228f
MT		 11720 movq %rsp,%rdi /* pt_regs pointer */
11721 movq ORIG_RAX(%rsp),%rsi /* get error code */
11722 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
df50ba0c
MT		 11723@@ -1370,14 +1635,27 @@ ENTRY(paranoid_exit)
11724 TRACE_IRQS_OFF
11725 testl %ebx,%ebx /* swapgs needed? */
11726 jnz paranoid_restore
11727- testl $3,CS(%rsp)
11728+ testb $3,CS(%rsp)
ae4e228f 11729 jnz paranoid_userspace
df50ba0c
MT		 11730+#ifdef CONFIG_PAX_MEMORY_UDEREF
11731+ call pax_exit_kernel
11732+ TRACE_IRQS_IRETQ 0
11733+ SWAPGS_UNSAFE_STACK
11734+ RESTORE_ALL 8
11735+ jmp irq_return
11736+#endif
ae4e228f 11737 paranoid_swapgs:
df50ba0c
MT		 11738+#ifdef CONFIG_PAX_MEMORY_UDEREF
11739+ call pax_exit_kernel_user
11740+#else
11741+ call pax_exit_kernel
11742+#endif
ae4e228f
MT		 11743 TRACE_IRQS_IRETQ 0
11744 SWAPGS_UNSAFE_STACK
11745 RESTORE_ALL 8
11746 jmp irq_return
11747 paranoid_restore:
df50ba0c 11748+ call pax_exit_kernel
ae4e228f
MT		 11749 TRACE_IRQS_IRETQ 0
11750 RESTORE_ALL 8
11751 jmp irq_return
df50ba0c
MT		 11752@@ -1435,7 +1713,7 @@ ENTRY(error_entry)
11753 movq_cfi r14, R14+8
11754 movq_cfi r15, R15+8
11755 xorl %ebx,%ebx
11756- testl $3,CS+8(%rsp)
11757+ testb $3,CS+8(%rsp)
11758 je error_kernelspace
11759 error_swapgs:
11760 SWAPGS
11761@@ -1499,6 +1777,16 @@ ENTRY(nmi)
ae4e228f
MT		 11762 CFI_ADJUST_CFA_OFFSET 15*8
11763 call save_paranoid
11764 DEFAULT_FRAME 0
df50ba0c
MT		 11765+#ifdef CONFIG_PAX_MEMORY_UDEREF
11766+ testb $3, CS(%rsp)
11767+ jnz 1f
11768+ call pax_enter_kernel
11769+ jmp 2f
11770+1: call pax_enter_kernel_user
11771+2:
11772+#else
11773+ call pax_enter_kernel
11774+#endif
ae4e228f
MT		 11775 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11776 movq %rsp,%rdi
11777 movq $-1,%rsi
df50ba0c
MT		 11778@@ -1509,11 +1797,12 @@ ENTRY(nmi)
11779 DISABLE_INTERRUPTS(CLBR_NONE)
11780 testl %ebx,%ebx /* swapgs needed? */
11781 jnz nmi_restore
11782- testl $3,CS(%rsp)
11783+ testb $3,CS(%rsp)
11784 jnz nmi_userspace
ae4e228f
MT		 11785 nmi_swapgs:
11786 SWAPGS_UNSAFE_STACK
11787 nmi_restore:
df50ba0c 11788+ call pax_exit_kernel
ae4e228f
MT		 11789 RESTORE_ALL 8
11790 jmp irq_return
11791 nmi_userspace:
57199397
MT		 11792diff -urNp linux-2.6.35.4/arch/x86/kernel/ftrace.c linux-2.6.35.4/arch/x86/kernel/ftrace.c
11793--- linux-2.6.35.4/arch/x86/kernel/ftrace.c 2010-08-26 19:47:12.000000000 -0400
11794+++ linux-2.6.35.4/arch/x86/kernel/ftrace.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 11795@@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11796
ae4e228f
MT		 11797 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11798 smp_rmb();
11799+ pax_open_kernel();
11800 ftrace_mod_code();
11801+ pax_close_kernel();
11802 atomic_inc(&nmi_update_count);
11803 }
11804 /* Must have previous changes seen before executions */
df50ba0c 11805@@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
ae4e228f
MT		 11806
11807
11808
11809-static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
11810+static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
11811
11812 static unsigned char *ftrace_nop_replace(void)
11813 {
df50ba0c 11814@@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
ae4e228f
MT		 11815 {
11816 unsigned char replaced[MCOUNT_INSN_SIZE];
11817
11818+ ip = ktla_ktva(ip);
11819+
11820 /*
11821 * Note: Due to modules and __init, code can
11822 * disappear and change, we need to protect against faulting
df50ba0c 11823@@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
58c5fc13
MT		 11824 unsigned char old[MCOUNT_INSN_SIZE], *new;
11825 int ret;
11826
11827- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11828+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11829 new = ftrace_call_replace(ip, (unsigned long)func);
ae4e228f
MT		 11830 ret = ftrace_modify_code(ip, old, new);
11831
df50ba0c 11832@@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
ae4e228f
MT		 11833 switch (faulted) {
11834 case 0:
11835 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
11836- memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
11837+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
11838 break;
11839 case 1:
11840 pr_info("converting mcount calls to 66 66 66 66 90\n");
11841- memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
11842+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
11843 break;
11844 case 2:
11845 pr_info("converting mcount calls to jmp . + 5\n");
11846- memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
11847+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
11848 break;
11849 }
58c5fc13 11850
df50ba0c 11851@@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long
ae4e228f
MT		 11852 {
11853 unsigned char code[MCOUNT_INSN_SIZE];
11854
11855+ ip = ktla_ktva(ip);
11856+
11857 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11858 return -EFAULT;
11859
57199397
MT		 11860diff -urNp linux-2.6.35.4/arch/x86/kernel/head32.c linux-2.6.35.4/arch/x86/kernel/head32.c
11861--- linux-2.6.35.4/arch/x86/kernel/head32.c 2010-08-26 19:47:12.000000000 -0400
11862+++ linux-2.6.35.4/arch/x86/kernel/head32.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 11863@@ -17,6 +17,7 @@
ae4e228f
MT		 11864 #include <asm/apic.h>
11865 #include <asm/io_apic.h>
58c5fc13 11866 #include <asm/bios_ebda.h>
58c5fc13
MT		 11867+#include <asm/boot.h>
11868
ae4e228f 11869 static void __init i386_default_early_setup(void)
58c5fc13 11870 {
df50ba0c
MT		 11871@@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
11872 "EX TRAMPOLINE");
11873 #endif
58c5fc13
MT		 11874
11875- reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11876+ reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11877
11878 #ifdef CONFIG_BLK_DEV_INITRD
11879 /* Reserve INITRD */
57199397
MT		 11880diff -urNp linux-2.6.35.4/arch/x86/kernel/head_32.S linux-2.6.35.4/arch/x86/kernel/head_32.S
11881--- linux-2.6.35.4/arch/x86/kernel/head_32.S 2010-08-26 19:47:12.000000000 -0400
11882+++ linux-2.6.35.4/arch/x86/kernel/head_32.S 2010-09-17 20:12:09.000000000 -0400
df50ba0c 11883@@ -25,6 +25,12 @@
58c5fc13
MT		 11884 /* Physical address */
11885 #define pa(X) ((X) - __PAGE_OFFSET)
ae4e228f
MT		 11886
11887+#ifdef CONFIG_PAX_KERNEXEC
11888+#define ta(X) (X)
11889+#else
11890+#define ta(X) ((X) - __PAGE_OFFSET)
11891+#endif
11892+
11893 /*
11894 * References to members of the new_cpu_data structure.
11895 */
df50ba0c 11896@@ -54,11 +60,7 @@
58c5fc13
MT		 11897 * and small than max_low_pfn, otherwise will waste some page table entries
11898 */
11899
11900-#if PTRS_PER_PMD > 1
11901-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11902-#else
11903-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11904-#endif
11905+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11906
11907 /* Enough space to fit pagetables for the low memory linear map */
11908 MAPPING_BEYOND_END = \
df50ba0c 11909@@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
58c5fc13
MT		 11910 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11911
11912 /*
11913+ * Real beginning of normal "text" segment
11914+ */
11915+ENTRY(stext)
11916+ENTRY(_stext)
11917+
11918+/*
11919 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
11920 * %esi points to the real-mode code as a 32-bit pointer.
11921 * CS and DS must be 4 GB flat segments, but we don't depend on
df50ba0c 11922@@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
58c5fc13
MT		 11923 * can.
11924 */
ae4e228f 11925 __HEAD
58c5fc13
MT		 11926+
11927+#ifdef CONFIG_PAX_KERNEXEC
11928+ jmp startup_32
11929+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
11930+.fill PAGE_SIZE-5,1,0xcc
11931+#endif
11932+
11933 ENTRY(startup_32)
11934 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
11935 us to not reload segments */
df50ba0c 11936@@ -99,6 +114,55 @@ ENTRY(startup_32)
58c5fc13
MT		 11937 movl %eax,%gs
11938 2:
11939
11940+#ifdef CONFIG_SMP
11941+ movl $pa(cpu_gdt_table),%edi
11942+ movl $__per_cpu_load,%eax
11943+ movw %ax,__KERNEL_PERCPU + 2(%edi)
11944+ rorl $16,%eax
11945+ movb %al,__KERNEL_PERCPU + 4(%edi)
11946+ movb %ah,__KERNEL_PERCPU + 7(%edi)
11947+ movl $__per_cpu_end - 1,%eax
ae4e228f 11948+ subl $__per_cpu_start,%eax
58c5fc13
MT		 11949+ movw %ax,__KERNEL_PERCPU + 0(%edi)
11950+#endif
11951+
11952+#ifdef CONFIG_PAX_MEMORY_UDEREF
11953+ movl $NR_CPUS,%ecx
11954+ movl $pa(cpu_gdt_table),%edi
11955+1:
11956+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
11957+ addl $PAGE_SIZE_asm,%edi
11958+ loop 1b
11959+#endif
11960+
11961+#ifdef CONFIG_PAX_KERNEXEC
11962+ movl $pa(boot_gdt),%edi
ae4e228f 11963+ movl $__LOAD_PHYSICAL_ADDR,%eax
58c5fc13
MT		 11964+ movw %ax,__BOOT_CS + 2(%edi)
11965+ rorl $16,%eax
11966+ movb %al,__BOOT_CS + 4(%edi)
11967+ movb %ah,__BOOT_CS + 7(%edi)
11968+ rorl $16,%eax
11969+
ae4e228f
MT		 11970+ ljmp $(__BOOT_CS),$1f
11971+1:
11972+
58c5fc13
MT		 11973+ movl $NR_CPUS,%ecx
11974+ movl $pa(cpu_gdt_table),%edi
ae4e228f 11975+ addl $__PAGE_OFFSET,%eax
58c5fc13
MT		 11976+1:
11977+ movw %ax,__KERNEL_CS + 2(%edi)
ae4e228f 11978+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
58c5fc13
MT		 11979+ rorl $16,%eax
11980+ movb %al,__KERNEL_CS + 4(%edi)
ae4e228f 11981+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
58c5fc13 11982+ movb %ah,__KERNEL_CS + 7(%edi)
ae4e228f 11983+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
58c5fc13
MT		 11984+ rorl $16,%eax
11985+ addl $PAGE_SIZE_asm,%edi
11986+ loop 1b
11987+#endif
11988+
11989 /*
11990 * Clear BSS first so that there are no surprises...
11991 */
df50ba0c 11992@@ -142,9 +206,7 @@ ENTRY(startup_32)
58c5fc13
MT		 11993 cmpl $num_subarch_entries, %eax
11994 jae bad_subarch
11995
11996- movl pa(subarch_entries)(,%eax,4), %eax
11997- subl $__PAGE_OFFSET, %eax
11998- jmp *%eax
11999+ jmp *pa(subarch_entries)(,%eax,4)
12000
12001 bad_subarch:
12002 WEAK(lguest_entry)
df50ba0c 12003@@ -156,10 +218,10 @@ WEAK(xen_entry)
58c5fc13
MT		 12004 __INITDATA
12005
12006 subarch_entries:
12007- .long default_entry /* normal x86/PC */
12008- .long lguest_entry /* lguest hypervisor */
12009- .long xen_entry /* Xen hypervisor */
ae4e228f
MT		 12010- .long default_entry /* Moorestown MID */
12011+ .long ta(default_entry) /* normal x86/PC */
12012+ .long ta(lguest_entry) /* lguest hypervisor */
12013+ .long ta(xen_entry) /* Xen hypervisor */
12014+ .long ta(default_entry) /* Moorestown MID */
58c5fc13
MT		 12015 num_subarch_entries = (. - subarch_entries) / 4
12016 .previous
12017 #endif /* CONFIG_PARAVIRT */
df50ba0c 12018@@ -220,8 +282,11 @@ default_entry:
58c5fc13
MT		 12019 movl %eax, pa(max_pfn_mapped)
12020
12021 /* Do early initialization of the fixmap area */
12022- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12023- movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12024+#ifdef CONFIG_COMPAT_VDSO
12025+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12026+#else
12027+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12028+#endif
12029 #else /* Not PAE */
12030
12031 page_pde_offset = (__PAGE_OFFSET >> 20);
df50ba0c 12032@@ -251,8 +316,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
58c5fc13
MT		 12033 movl %eax, pa(max_pfn_mapped)
12034
12035 /* Do early initialization of the fixmap area */
12036- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12037- movl %eax,pa(swapper_pg_dir+0xffc)
12038+#ifdef CONFIG_COMPAT_VDSO
12039+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
12040+#else
12041+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
12042+#endif
12043 #endif
12044 jmp 3f
12045 /*
df50ba0c 12046@@ -299,6 +367,7 @@ ENTRY(startup_32_smp)
58c5fc13
MT		 12047 orl %edx,%eax
12048 movl %eax,%cr4
12049
12050+#ifdef CONFIG_X86_PAE
ae4e228f
MT		 12051 testb $X86_CR4_PAE, %al # check if PAE is enabled
12052 jz 6f
58c5fc13 12053
df50ba0c 12054@@ -323,6 +392,9 @@ ENTRY(startup_32_smp)
58c5fc13
MT		 12055 /* Make changes effective */
12056 wrmsr
12057
12058+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
58c5fc13 12059+#endif
ae4e228f 12060+
58c5fc13
MT		 12061 6:
12062
12063 /*
df50ba0c 12064@@ -348,9 +420,7 @@ ENTRY(startup_32_smp)
58c5fc13
MT		 12065
12066 #ifdef CONFIG_SMP
12067 cmpb $0, ready
12068- jz 1f /* Initial CPU cleans BSS */
12069- jmp checkCPUtype
12070-1:
12071+ jnz checkCPUtype /* Initial CPU cleans BSS */
12072 #endif /* CONFIG_SMP */
12073
12074 /*
df50ba0c 12075@@ -428,7 +498,7 @@ is386: movl $2,%ecx # set MP
58c5fc13
MT		 12076 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12077 movl %eax,%ss # after changing gdt.
12078
12079- movl $(__USER_DS),%eax # DS/ES contains default USER segment
12080+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
12081 movl %eax,%ds
12082 movl %eax,%es
12083
df50ba0c 12084@@ -442,8 +512,11 @@ is386: movl $2,%ecx # set MP
58c5fc13
MT		 12085 */
12086 cmpb $0,ready
12087 jne 1f
df50ba0c 12088- movl $gdt_page,%eax
58c5fc13 12089+ movl $cpu_gdt_table,%eax
df50ba0c 12090 movl $stack_canary,%ecx
58c5fc13
MT		 12091+#ifdef CONFIG_SMP
12092+ addl $__per_cpu_load,%ecx
12093+#endif
12094 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12095 shrl $16, %ecx
12096 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
df50ba0c 12097@@ -461,10 +534,6 @@ is386: movl $2,%ecx # set MP
58c5fc13
MT		 12098 #ifdef CONFIG_SMP
12099 movb ready, %cl
12100 movb $1, ready
12101- cmpb $0,%cl # the first CPU calls start_kernel
12102- je 1f
12103- movl (stack_start), %esp
12104-1:
12105 #endif /* CONFIG_SMP */
12106 jmp *(initial_code)
12107
df50ba0c 12108@@ -550,22 +619,22 @@ early_page_fault:
58c5fc13
MT		 12109 jmp early_fault
12110
12111 early_fault:
12112- cld
12113 #ifdef CONFIG_PRINTK
12114+ cmpl $1,%ss:early_recursion_flag
12115+ je hlt_loop
12116+ incl %ss:early_recursion_flag
12117+ cld
12118 pusha
12119 movl $(__KERNEL_DS),%eax
12120 movl %eax,%ds
12121 movl %eax,%es
12122- cmpl $2,early_recursion_flag
12123- je hlt_loop
12124- incl early_recursion_flag
12125 movl %cr2,%eax
12126 pushl %eax
12127 pushl %edx /* trapno */
12128 pushl $fault_msg
12129 call printk
12130+; call dump_stack
12131 #endif
12132- call dump_stack
12133 hlt_loop:
12134 hlt
12135 jmp hlt_loop
df50ba0c 12136@@ -573,8 +642,11 @@ hlt_loop:
58c5fc13
MT		 12137 /* This is the default interrupt "handler" :-) */
12138 ALIGN
12139 ignore_int:
12140- cld
12141 #ifdef CONFIG_PRINTK
12142+ cmpl $2,%ss:early_recursion_flag
12143+ je hlt_loop
12144+ incl %ss:early_recursion_flag
12145+ cld
12146 pushl %eax
12147 pushl %ecx
12148 pushl %edx
df50ba0c 12149@@ -583,9 +655,6 @@ ignore_int:
58c5fc13
MT		 12150 movl $(__KERNEL_DS),%eax
12151 movl %eax,%ds
12152 movl %eax,%es
12153- cmpl $2,early_recursion_flag
12154- je hlt_loop
12155- incl early_recursion_flag
12156 pushl 16(%esp)
12157 pushl 24(%esp)
12158 pushl 32(%esp)
df50ba0c 12159@@ -612,27 +681,38 @@ ENTRY(initial_code)
58c5fc13
MT		 12160 /*
12161 * BSS section
12162 */
ae4e228f 12163-__PAGE_ALIGNED_BSS
58c5fc13
MT		 12164- .align PAGE_SIZE_asm
12165 #ifdef CONFIG_X86_PAE
12166+.section .swapper_pg_pmd,"a",@progbits
12167 swapper_pg_pmd:
12168 .fill 1024*KPMDS,4,0
12169 #else
12170+.section .swapper_pg_dir,"a",@progbits
12171 ENTRY(swapper_pg_dir)
12172 .fill 1024,4,0
12173 #endif
12174+
12175 swapper_pg_fixmap:
12176 .fill 1024,4,0
12177+
12178+.section .empty_zero_page,"a",@progbits
12179 ENTRY(empty_zero_page)
12180 .fill 4096,1,0
12181
12182 /*
12183+ * The IDT has to be page-aligned to simplify the Pentium
12184+ * F0 0F bug workaround.. We have a special link segment
12185+ * for this.
12186+ */
12187+.section .idt,"a",@progbits
12188+ENTRY(idt_table)
12189+ .fill 256,8,0
12190+
12191+/*
12192 * This starts the data section.
12193 */
12194 #ifdef CONFIG_X86_PAE
ae4e228f 12195-__PAGE_ALIGNED_DATA
58c5fc13
MT		 12196- /* Page-aligned for the benefit of paravirt? */
12197- .align PAGE_SIZE_asm
12198+.section .swapper_pg_dir,"a",@progbits
df50ba0c 12199+
58c5fc13
MT		 12200 ENTRY(swapper_pg_dir)
12201 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12202 # if KPMDS == 3
df50ba0c
MT		 12203@@ -651,15 +731,24 @@ ENTRY(swapper_pg_dir)
12204 # error "Kernel PMDs should be 1, 2 or 3"
12205 # endif
12206 .align PAGE_SIZE_asm /* needs to be page-sized too */
12207+
12208+#ifdef CONFIG_PAX_PER_CPU_PGD
12209+ENTRY(cpu_pgd)
12210+ .rept NR_CPUS
12211+ .fill 4,8,0
12212+ .endr
12213+#endif
12214+
12215 #endif
58c5fc13
MT		 12216
12217 .data
12218 ENTRY(stack_start)
12219- .long init_thread_union+THREAD_SIZE
12220+ .long init_thread_union+THREAD_SIZE-8
12221 .long __BOOT_DS
12222
12223 ready: .byte 0
12224
12225+.section .rodata,"a",@progbits
12226 early_recursion_flag:
12227 .long 0
12228
df50ba0c 12229@@ -695,7 +784,7 @@ fault_msg:
58c5fc13
MT		 12230 .word 0 # 32 bit align gdt_desc.address
12231 boot_gdt_descr:
12232 .word __BOOT_DS+7
12233- .long boot_gdt - __PAGE_OFFSET
12234+ .long pa(boot_gdt)
12235
12236 .word 0 # 32-bit align idt_desc.address
12237 idt_descr:
df50ba0c 12238@@ -706,7 +795,7 @@ idt_descr:
58c5fc13
MT		 12239 .word 0 # 32 bit align gdt_desc.address
12240 ENTRY(early_gdt_descr)
12241 .word GDT_ENTRIES*8-1
df50ba0c 12242- .long gdt_page /* Overwritten for secondary CPUs */
58c5fc13
MT		 12243+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
12244
12245 /*
12246 * The boot_gdt must mirror the equivalent in setup.S and is
df50ba0c 12247@@ -715,5 +804,65 @@ ENTRY(early_gdt_descr)
58c5fc13
MT		 12248 .align L1_CACHE_BYTES
12249 ENTRY(boot_gdt)
12250 .fill GDT_ENTRY_BOOT_CS,8,0
12251- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12252- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12253+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12254+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12255+
12256+ .align PAGE_SIZE_asm
12257+ENTRY(cpu_gdt_table)
12258+ .rept NR_CPUS
12259+ .quad 0x0000000000000000 /* NULL descriptor */
12260+ .quad 0x0000000000000000 /* 0x0b reserved */
12261+ .quad 0x0000000000000000 /* 0x13 reserved */
12262+ .quad 0x0000000000000000 /* 0x1b reserved */
ae4e228f
MT		 12263+
12264+#ifdef CONFIG_PAX_KERNEXEC
12265+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12266+#else
58c5fc13 12267+ .quad 0x0000000000000000 /* 0x20 unused */
ae4e228f
MT		 12268+#endif
12269+
58c5fc13
MT		 12270+ .quad 0x0000000000000000 /* 0x28 unused */
12271+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12272+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12273+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12274+ .quad 0x0000000000000000 /* 0x4b reserved */
12275+ .quad 0x0000000000000000 /* 0x53 reserved */
12276+ .quad 0x0000000000000000 /* 0x5b reserved */
12277+
12278+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12279+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12280+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12281+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12282+
12283+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12284+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12285+
12286+ /*
12287+ * Segments used for calling PnP BIOS have byte granularity.
12288+ * The code segments and data segments have fixed 64k limits,
12289+ * the transfer segment sizes are set at run time.
12290+ */
12291+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
12292+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
12293+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
12294+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
12295+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
12296+
12297+ /*
12298+ * The APM segments have byte granularity and their bases
12299+ * are set at run time. All have 64k limits.
12300+ */
12301+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12302+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12303+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
12304+
12305+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12306+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
ae4e228f 12307+ .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
58c5fc13
MT		 12308+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12309+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12310+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12311+
12312+ /* Be sure this is zeroed to avoid false validations in Xen */
12313+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
12314+ .endr
57199397
MT		 12315diff -urNp linux-2.6.35.4/arch/x86/kernel/head_64.S linux-2.6.35.4/arch/x86/kernel/head_64.S
12316--- linux-2.6.35.4/arch/x86/kernel/head_64.S 2010-08-26 19:47:12.000000000 -0400
12317+++ linux-2.6.35.4/arch/x86/kernel/head_64.S 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 12318@@ -19,6 +19,7 @@
12319 #include <asm/cache.h>
12320 #include <asm/processor-flags.h>
12321 #include <asm/percpu.h>
12322+#include <asm/cpufeature.h>
12323
12324 #ifdef CONFIG_PARAVIRT
12325 #include <asm/asm-offsets.h>
12326@@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
58c5fc13
MT		 12327 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12328 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12329 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12330+L4_VMALLOC_START = pgd_index(VMALLOC_START)
12331+L3_VMALLOC_START = pud_index(VMALLOC_START)
12332+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12333+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12334
12335 .text
ae4e228f
MT		 12336 __HEAD
12337@@ -85,35 +90,22 @@ startup_64:
58c5fc13
MT		 12338 */
12339 addq %rbp, init_level4_pgt + 0(%rip)
12340 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12341+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12342+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12343 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12344
12345 addq %rbp, level3_ident_pgt + 0(%rip)
ae4e228f 12346+#ifndef CONFIG_XEN
58c5fc13 12347+ addq %rbp, level3_ident_pgt + 8(%rip)
ae4e228f 12348+#endif
58c5fc13
MT		 12349
12350- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12351- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12352+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12353
12354- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12355+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12356+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12357
12358- /* Add an Identity mapping if I am above 1G */
12359- leaq _text(%rip), %rdi
12360- andq $PMD_PAGE_MASK, %rdi
12361-
12362- movq %rdi, %rax
12363- shrq $PUD_SHIFT, %rax
12364- andq $(PTRS_PER_PUD - 1), %rax
12365- jz ident_complete
12366-
12367- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12368- leaq level3_ident_pgt(%rip), %rbx
12369- movq %rdx, 0(%rbx, %rax, 8)
12370-
12371- movq %rdi, %rax
12372- shrq $PMD_SHIFT, %rax
12373- andq $(PTRS_PER_PMD - 1), %rax
12374- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12375- leaq level2_spare_pgt(%rip), %rbx
12376- movq %rdx, 0(%rbx, %rax, 8)
12377-ident_complete:
12378+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12379+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12380
12381 /*
12382 * Fixup the kernel text+data virtual addresses. Note that
df50ba0c
MT		 12383@@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12384 * after the boot processor executes this code.
12385 */
12386
12387- /* Enable PAE mode and PGE */
12388- movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12389+ /* Enable PAE mode and PSE/PGE */
12390+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12391 movq %rax, %cr4
12392
12393 /* Setup early boot stage 4 level pagetables. */
ae4e228f
MT		 12394@@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12395 movl $MSR_EFER, %ecx
12396 rdmsr
12397 btsl $_EFER_SCE, %eax /* Enable System Call */
12398- btl $20,%edi /* No Execute supported? */
12399+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
58c5fc13
MT		 12400 jnc 1f
12401 btsl $_EFER_NX, %eax
12402+ leaq init_level4_pgt(%rip), %rdi
12403+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12404+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12405+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
ae4e228f 12406+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
58c5fc13
MT		 12407 1: wrmsr /* Make changes effective */
12408
12409 /* Setup cr0 */
ae4e228f 12410@@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
58c5fc13
MT		 12411 bad_address:
12412 jmp bad_address
12413
12414- .section ".init.text","ax"
12415+ __INIT
12416 #ifdef CONFIG_EARLY_PRINTK
12417 .globl early_idt_handlers
12418 early_idt_handlers:
ae4e228f 12419@@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
58c5fc13
MT		 12420 #endif /* EARLY_PRINTK */
12421 1: hlt
12422 jmp 1b
12423+ .previous
12424
12425 #ifdef CONFIG_EARLY_PRINTK
12426+ __INITDATA
12427 early_recursion_flag:
12428 .long 0
12429+ .previous
12430
12431+ .section .rodata,"a",@progbits
12432 early_idt_msg:
12433 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12434 early_idt_ripmsg:
12435 .asciz "RIP %s\n"
12436-#endif /* CONFIG_EARLY_PRINTK */
12437 .previous
12438+#endif /* CONFIG_EARLY_PRINTK */
12439
12440+ .section .rodata,"a",@progbits
12441 #define NEXT_PAGE(name) \
12442 .balign PAGE_SIZE; \
12443 ENTRY(name)
df50ba0c 12444@@ -351,13 +353,36 @@ NEXT_PAGE(init_level4_pgt)
58c5fc13
MT		 12445 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12446 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12447 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12448+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
12449+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12450+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12451+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12452 .org init_level4_pgt + L4_START_KERNEL*8, 0
12453 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12454 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12455
df50ba0c
MT		 12456+#ifdef CONFIG_PAX_PER_CPU_PGD
12457+NEXT_PAGE(cpu_pgd)
12458+ .rept NR_CPUS
12459+ .fill 512,8,0
12460+ .endr
12461+#endif
12462+
58c5fc13
MT		 12463 NEXT_PAGE(level3_ident_pgt)
12464 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12465+#ifdef CONFIG_XEN
12466 .fill 511,8,0
12467+#else
12468+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
ae4e228f 12469+ .fill 510,8,0
58c5fc13
MT		 12470+#endif
12471+
12472+NEXT_PAGE(level3_vmalloc_pgt)
12473+ .fill 512,8,0
12474+
12475+NEXT_PAGE(level3_vmemmap_pgt)
12476+ .fill L3_VMEMMAP_START,8,0
12477+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12478
12479 NEXT_PAGE(level3_kernel_pgt)
12480 .fill L3_START_KERNEL,8,0
df50ba0c 12481@@ -365,20 +390,23 @@ NEXT_PAGE(level3_kernel_pgt)
58c5fc13
MT		 12482 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12483 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12484
12485+NEXT_PAGE(level2_vmemmap_pgt)
12486+ .fill 512,8,0
12487+
12488 NEXT_PAGE(level2_fixmap_pgt)
12489- .fill 506,8,0
12490- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12491- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12492- .fill 5,8,0
12493+ .fill 507,8,0
12494+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12495+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12496+ .fill 4,8,0
12497
12498-NEXT_PAGE(level1_fixmap_pgt)
12499+NEXT_PAGE(level1_vsyscall_pgt)
12500 .fill 512,8,0
12501
12502-NEXT_PAGE(level2_ident_pgt)
12503- /* Since I easily can, map the first 1G.
ae4e228f 12504+ /* Since I easily can, map the first 2G.
58c5fc13
MT		 12505 * Don't set NX because code runs from these pages.
12506 */
12507- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12508+NEXT_PAGE(level2_ident_pgt)
ae4e228f 12509+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
58c5fc13
MT		 12510
12511 NEXT_PAGE(level2_kernel_pgt)
12512 /*
df50ba0c 12513@@ -391,33 +419,55 @@ NEXT_PAGE(level2_kernel_pgt)
58c5fc13
MT		 12514 * If you want to increase this then increase MODULES_VADDR
12515 * too.)
12516 */
12517- PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12518- KERNEL_IMAGE_SIZE/PMD_SIZE)
12519-
12520-NEXT_PAGE(level2_spare_pgt)
12521- .fill 512, 8, 0
12522+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12523
12524 #undef PMDS
12525 #undef NEXT_PAGE
12526
12527- .data
12528+ .align PAGE_SIZE
12529+ENTRY(cpu_gdt_table)
12530+ .rept NR_CPUS
12531+ .quad 0x0000000000000000 /* NULL descriptor */
12532+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12533+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
12534+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
12535+ .quad 0x00cffb000000ffff /* __USER32_CS */
12536+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12537+ .quad 0x00affb000000ffff /* __USER_CS */
ae4e228f
MT		 12538+
12539+#ifdef CONFIG_PAX_KERNEXEC
12540+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12541+#else
58c5fc13 12542+ .quad 0x0 /* unused */
ae4e228f
MT		 12543+#endif
12544+
58c5fc13
MT		 12545+ .quad 0,0 /* TSS */
12546+ .quad 0,0 /* LDT */
12547+ .quad 0,0,0 /* three TLS descriptors */
12548+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
12549+ /* asm/segment.h:GDT_ENTRIES must match this */
12550+
12551+ /* zero the remaining page */
12552+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12553+ .endr
12554+
12555 .align 16
12556 .globl early_gdt_descr
12557 early_gdt_descr:
12558 .word GDT_ENTRIES*8-1
12559 early_gdt_descr_base:
12560- .quad INIT_PER_CPU_VAR(gdt_page)
12561+ .quad cpu_gdt_table
12562
12563 ENTRY(phys_base)
12564 /* This must match the first entry in level2_kernel_pgt */
12565 .quad 0x0000000000000000
12566
12567 #include "../../x86/xen/xen-head.S"
12568-
12569- .section .bss, "aw", @nobits
12570+
12571+ .section .rodata,"a",@progbits
12572 .align L1_CACHE_BYTES
12573 ENTRY(idt_table)
12574- .skip IDT_ENTRIES * 16
12575+ .fill 512,8,0
12576
ae4e228f 12577 __PAGE_ALIGNED_BSS
58c5fc13 12578 .align PAGE_SIZE
57199397
MT		 12579diff -urNp linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c
12580--- linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c 2010-08-26 19:47:12.000000000 -0400
12581+++ linux-2.6.35.4/arch/x86/kernel/i386_ksyms_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 12582@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12583 EXPORT_SYMBOL(cmpxchg8b_emu);
58c5fc13
MT		 12584 #endif
12585
12586+EXPORT_SYMBOL_GPL(cpu_gdt_table);
12587+
12588 /* Networking helper routines. */
12589 EXPORT_SYMBOL(csum_partial_copy_generic);
12590+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12591+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12592
12593 EXPORT_SYMBOL(__get_user_1);
12594 EXPORT_SYMBOL(__get_user_2);
ae4e228f 12595@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
58c5fc13
MT		 12596
12597 EXPORT_SYMBOL(csum_partial);
12598 EXPORT_SYMBOL(empty_zero_page);
12599+
12600+#ifdef CONFIG_PAX_KERNEXEC
12601+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12602+#endif
57199397
MT		 12603diff -urNp linux-2.6.35.4/arch/x86/kernel/init_task.c linux-2.6.35.4/arch/x86/kernel/init_task.c
12604--- linux-2.6.35.4/arch/x86/kernel/init_task.c 2010-08-26 19:47:12.000000000 -0400
12605+++ linux-2.6.35.4/arch/x86/kernel/init_task.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 12606@@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
58c5fc13
MT		 12607 * section. Since TSS's are completely CPU-local, we want them
12608 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12609 */
12610-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12611-
12612+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12613+EXPORT_SYMBOL(init_tss);
57199397
MT		 12614diff -urNp linux-2.6.35.4/arch/x86/kernel/ioport.c linux-2.6.35.4/arch/x86/kernel/ioport.c
12615--- linux-2.6.35.4/arch/x86/kernel/ioport.c 2010-08-26 19:47:12.000000000 -0400
12616+++ linux-2.6.35.4/arch/x86/kernel/ioport.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 12617@@ -6,6 +6,7 @@
12618 #include <linux/sched.h>
12619 #include <linux/kernel.h>
12620 #include <linux/capability.h>
12621+#include <linux/security.h>
12622 #include <linux/errno.h>
12623 #include <linux/types.h>
12624 #include <linux/ioport.h>
12625@@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12626
12627 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12628 return -EINVAL;
12629+#ifdef CONFIG_GRKERNSEC_IO
df50ba0c 12630+ if (turn_on && grsec_disable_privio) {
58c5fc13
MT		 12631+ gr_handle_ioperm();
12632+ return -EPERM;
12633+ }
12634+#endif
12635 if (turn_on && !capable(CAP_SYS_RAWIO))
12636 return -EPERM;
12637
12638@@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12639 * because the ->io_bitmap_max value must match the bitmap
12640 * contents:
12641 */
12642- tss = &per_cpu(init_tss, get_cpu());
12643+ tss = init_tss + get_cpu();
12644
12645 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12646
df50ba0c 12647@@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
58c5fc13
MT		 12648 return -EINVAL;
12649 /* Trying to gain more privileges? */
12650 if (level > old) {
12651+#ifdef CONFIG_GRKERNSEC_IO
df50ba0c
MT		 12652+ if (grsec_disable_privio) {
12653+ gr_handle_iopl();
12654+ return -EPERM;
12655+ }
12656+#endif
58c5fc13
MT		 12657 if (!capable(CAP_SYS_RAWIO))
12658 return -EPERM;
58c5fc13 12659 }
57199397
MT		 12660diff -urNp linux-2.6.35.4/arch/x86/kernel/irq_32.c linux-2.6.35.4/arch/x86/kernel/irq_32.c
12661--- linux-2.6.35.4/arch/x86/kernel/irq_32.c 2010-08-26 19:47:12.000000000 -0400
12662+++ linux-2.6.35.4/arch/x86/kernel/irq_32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 12663@@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
12664 return 0;
12665
12666 /* build the stack frame on the IRQ stack */
12667- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12668+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12669 irqctx->tinfo.task = curctx->tinfo.task;
12670 irqctx->tinfo.previous_esp = current_stack_pointer;
12671
12672@@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
12673 irqctx->tinfo.previous_esp = current_stack_pointer;
12674
12675 /* build the stack frame on the softirq stack */
12676- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12677+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12678
12679 call_on_stack(__do_softirq, isp);
12680 /*
57199397
MT		 12681diff -urNp linux-2.6.35.4/arch/x86/kernel/kgdb.c linux-2.6.35.4/arch/x86/kernel/kgdb.c
12682--- linux-2.6.35.4/arch/x86/kernel/kgdb.c 2010-08-26 19:47:12.000000000 -0400
12683+++ linux-2.6.35.4/arch/x86/kernel/kgdb.c 2010-09-17 20:12:09.000000000 -0400
12684@@ -77,7 +77,7 @@ void pt_regs_to_gdb_regs(unsigned long *
ae4e228f
MT		 12685 gdb_regs[GDB_CS] = regs->cs;
12686 gdb_regs[GDB_FS] = 0xFFFF;
12687 gdb_regs[GDB_GS] = 0xFFFF;
12688- if (user_mode_vm(regs)) {
12689+ if (user_mode(regs)) {
12690 gdb_regs[GDB_SS] = regs->ss;
12691 gdb_regs[GDB_SP] = regs->sp;
12692 } else {
57199397
MT		 12693@@ -720,7 +720,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12694 regs->ip = ip;
ae4e228f
MT		 12695 }
12696
12697-struct kgdb_arch arch_kgdb_ops = {
12698+const struct kgdb_arch arch_kgdb_ops = {
12699 /* Breakpoint instruction: */
12700 .gdb_bpt_instr = { 0xcc },
12701 .flags = KGDB_HW_BREAKPOINT,
57199397
MT		 12702diff -urNp linux-2.6.35.4/arch/x86/kernel/kprobes.c linux-2.6.35.4/arch/x86/kernel/kprobes.c
12703--- linux-2.6.35.4/arch/x86/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
12704+++ linux-2.6.35.4/arch/x86/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 12705@@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
58c5fc13 12706 s32 raddr;
df50ba0c
MT		 12707 } __attribute__((packed)) *insn;
12708
12709- insn = (struct __arch_relative_insn *)from;
12710+ insn = (struct __arch_relative_insn *)(ktla_ktva(from));
58c5fc13 12711+
ae4e228f 12712+ pax_open_kernel();
df50ba0c
MT		 12713 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12714 insn->op = op;
ae4e228f 12715+ pax_close_kernel();
58c5fc13
MT		 12716 }
12717
df50ba0c
MT		 12718 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
12719@@ -315,7 +318,9 @@ static int __kprobes __copy_instruction(
12720 }
12721 }
12722 insn_get_length(&insn);
ae4e228f 12723+ pax_open_kernel();
df50ba0c 12724 memcpy(dest, insn.kaddr, insn.length);
ae4e228f 12725+ pax_close_kernel();
58c5fc13 12726
df50ba0c
MT		 12727 #ifdef CONFIG_X86_64
12728 if (insn_rip_relative(&insn)) {
12729@@ -339,7 +344,9 @@ static int __kprobes __copy_instruction(
12730 (u8 *) dest;
12731 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12732 disp = (u8 *) dest + insn_offset_displacement(&insn);
12733+ pax_open_kernel();
12734 *(s32 *) disp = (s32) newdisp;
12735+ pax_close_kernel();
12736 }
12737 #endif
12738 return insn.length;
12739@@ -353,12 +360,12 @@ static void __kprobes arch_copy_kprobe(s
12740 */
12741 __copy_instruction(p->ainsn.insn, p->addr, 0);
58c5fc13
MT		 12742
12743- if (can_boost(p->addr))
12744+ if (can_boost(ktla_ktva(p->addr)))
12745 p->ainsn.boostable = 0;
12746 else
12747 p->ainsn.boostable = -1;
12748
12749- p->opcode = *p->addr;
12750+ p->opcode = *(ktla_ktva(p->addr));
12751 }
12752
12753 int __kprobes arch_prepare_kprobe(struct kprobe *p)
57199397 12754@@ -475,7 +482,7 @@ static void __kprobes setup_singlestep(s
df50ba0c
MT		 12755 * nor set current_kprobe, because it doesn't use single
12756 * stepping.
12757 */
12758- regs->ip = (unsigned long)p->ainsn.insn;
12759+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12760 preempt_enable_no_resched();
12761 return;
12762 }
57199397 12763@@ -494,7 +501,7 @@ static void __kprobes setup_singlestep(s
58c5fc13
MT		 12764 if (p->opcode == BREAKPOINT_INSTRUCTION)
12765 regs->ip = (unsigned long)p->addr;
12766 else
12767- regs->ip = (unsigned long)p->ainsn.insn;
12768+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12769 }
12770
df50ba0c 12771 /*
57199397 12772@@ -573,7 +580,7 @@ static int __kprobes kprobe_handler(stru
df50ba0c
MT		 12773 setup_singlestep(p, regs, kcb, 0);
12774 return 1;
12775 }
12776- } else if (*addr != BREAKPOINT_INSTRUCTION) {
12777+ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
58c5fc13
MT		 12778 /*
12779 * The breakpoint instruction was removed right
12780 * after we hit it. Another cpu has removed
57199397 12781@@ -799,7 +806,7 @@ static void __kprobes resume_execution(s
58c5fc13
MT		 12782 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12783 {
12784 unsigned long *tos = stack_addr(regs);
12785- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12786+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12787 unsigned long orig_ip = (unsigned long)p->addr;
12788 kprobe_opcode_t *insn = p->ainsn.insn;
12789
57199397 12790@@ -982,7 +989,7 @@ int __kprobes kprobe_exceptions_notify(s
58c5fc13
MT		 12791 struct die_args *args = data;
12792 int ret = NOTIFY_DONE;
12793
12794- if (args->regs && user_mode_vm(args->regs))
12795+ if (args->regs && user_mode(args->regs))
12796 return ret;
12797
12798 switch (val) {
57199397
MT		 12799diff -urNp linux-2.6.35.4/arch/x86/kernel/ldt.c linux-2.6.35.4/arch/x86/kernel/ldt.c
12800--- linux-2.6.35.4/arch/x86/kernel/ldt.c 2010-08-26 19:47:12.000000000 -0400
12801+++ linux-2.6.35.4/arch/x86/kernel/ldt.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 12802@@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
58c5fc13
MT		 12803 if (reload) {
12804 #ifdef CONFIG_SMP
12805 preempt_disable();
12806- load_LDT(pc);
12807+ load_LDT_nolock(pc);
ae4e228f
MT		 12808 if (!cpumask_equal(mm_cpumask(current->mm),
12809 cpumask_of(smp_processor_id())))
58c5fc13
MT		 12810 smp_call_function(flush_ldt, current->mm, 1);
12811 preempt_enable();
12812 #else
12813- load_LDT(pc);
12814+ load_LDT_nolock(pc);
12815 #endif
12816 }
12817 if (oldsize) {
df50ba0c 12818@@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
58c5fc13
MT		 12819 return err;
12820
12821 for (i = 0; i < old->size; i++)
12822- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12823+ write_ldt_entry(new->ldt, i, old->ldt + i);
12824 return 0;
12825 }
12826
df50ba0c 12827@@ -116,6 +116,24 @@ int init_new_context(struct task_struct
58c5fc13
MT		 12828 retval = copy_ldt(&mm->context, &old_mm->context);
12829 mutex_unlock(&old_mm->context.lock);
12830 }
12831+
12832+ if (tsk == current) {
12833+ mm->context.vdso = ~0UL;
12834+
12835+#ifdef CONFIG_X86_32
12836+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
12837+ mm->context.user_cs_base = 0UL;
12838+ mm->context.user_cs_limit = ~0UL;
12839+
12840+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
12841+ cpus_clear(mm->context.cpu_user_cs_mask);
12842+#endif
12843+
12844+#endif
12845+#endif
12846+
12847+ }
12848+
12849 return retval;
12850 }
12851
df50ba0c 12852@@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
58c5fc13
MT		 12853 }
12854 }
12855
12856+#ifdef CONFIG_PAX_SEGMEXEC
12857+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
12858+ error = -EINVAL;
12859+ goto out_unlock;
12860+ }
12861+#endif
12862+
12863 fill_ldt(&ldt, &ldt_info);
12864 if (oldmode)
12865 ldt.avl = 0;
57199397
MT		 12866diff -urNp linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c
12867--- linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c 2010-08-26 19:47:12.000000000 -0400
12868+++ linux-2.6.35.4/arch/x86/kernel/machine_kexec_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 12869@@ -27,7 +27,7 @@
58c5fc13 12870 #include <asm/cacheflush.h>
ae4e228f 12871 #include <asm/debugreg.h>
58c5fc13
MT		 12872
12873-static void set_idt(void *newidt, __u16 limit)
12874+static void set_idt(struct desc_struct *newidt, __u16 limit)
12875 {
12876 struct desc_ptr curidt;
12877
ae4e228f 12878@@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
58c5fc13
MT		 12879 }
12880
12881
12882-static void set_gdt(void *newgdt, __u16 limit)
12883+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
12884 {
12885 struct desc_ptr curgdt;
12886
12887@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
12888 }
12889
12890 control_page = page_address(image->control_code_page);
12891- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
12892+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
12893
12894 relocate_kernel_ptr = control_page;
12895 page_list[PA_CONTROL_PAGE] = __pa(control_page);
57199397
MT		 12896diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_amd.c linux-2.6.35.4/arch/x86/kernel/microcode_amd.c
12897--- linux-2.6.35.4/arch/x86/kernel/microcode_amd.c 2010-08-26 19:47:12.000000000 -0400
12898+++ linux-2.6.35.4/arch/x86/kernel/microcode_amd.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 12899@@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
12900 uci->mc = NULL;
12901 }
12902
12903-static struct microcode_ops microcode_amd_ops = {
12904+static const struct microcode_ops microcode_amd_ops = {
12905 .request_microcode_user = request_microcode_user,
12906 .request_microcode_fw = request_microcode_fw,
12907 .collect_cpu_info = collect_cpu_info_amd,
12908@@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
12909 .microcode_fini_cpu = microcode_fini_cpu_amd,
12910 };
58c5fc13 12911
ae4e228f
MT		 12912-struct microcode_ops * __init init_amd_microcode(void)
12913+const struct microcode_ops * __init init_amd_microcode(void)
12914 {
12915 return &microcode_amd_ops;
12916 }
57199397
MT		 12917diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_core.c linux-2.6.35.4/arch/x86/kernel/microcode_core.c
12918--- linux-2.6.35.4/arch/x86/kernel/microcode_core.c 2010-08-26 19:47:12.000000000 -0400
12919+++ linux-2.6.35.4/arch/x86/kernel/microcode_core.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 12920@@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
12921
12922 #define MICROCODE_VERSION "2.00"
12923
12924-static struct microcode_ops *microcode_ops;
12925+static const struct microcode_ops *microcode_ops;
12926
12927 /*
12928 * Synchronization.
57199397
MT		 12929diff -urNp linux-2.6.35.4/arch/x86/kernel/microcode_intel.c linux-2.6.35.4/arch/x86/kernel/microcode_intel.c
12930--- linux-2.6.35.4/arch/x86/kernel/microcode_intel.c 2010-08-26 19:47:12.000000000 -0400
12931+++ linux-2.6.35.4/arch/x86/kernel/microcode_intel.c 2010-09-17 20:12:09.000000000 -0400
12932@@ -446,13 +446,13 @@ static enum ucode_state request_microcod
ae4e228f
MT		 12933
12934 static int get_ucode_user(void *to, const void *from, size_t n)
12935 {
12936- return copy_from_user(to, from, n);
12937+ return copy_from_user(to, (__force const void __user *)from, n);
12938 }
12939
12940 static enum ucode_state
12941 request_microcode_user(int cpu, const void __user *buf, size_t size)
12942 {
12943- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
12944+ return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
12945 }
12946
12947 static void microcode_fini_cpu(int cpu)
57199397 12948@@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
ae4e228f
MT		 12949 uci->mc = NULL;
12950 }
12951
12952-static struct microcode_ops microcode_intel_ops = {
12953+static const struct microcode_ops microcode_intel_ops = {
12954 .request_microcode_user = request_microcode_user,
12955 .request_microcode_fw = request_microcode_fw,
12956 .collect_cpu_info = collect_cpu_info,
57199397 12957@@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
ae4e228f
MT		 12958 .microcode_fini_cpu = microcode_fini_cpu,
12959 };
12960
12961-struct microcode_ops * __init init_intel_microcode(void)
12962+const struct microcode_ops * __init init_intel_microcode(void)
12963 {
12964 return &microcode_intel_ops;
12965 }
57199397
MT		 12966diff -urNp linux-2.6.35.4/arch/x86/kernel/module.c linux-2.6.35.4/arch/x86/kernel/module.c
12967--- linux-2.6.35.4/arch/x86/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
12968+++ linux-2.6.35.4/arch/x86/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 12969@@ -35,7 +35,7 @@
58c5fc13
MT		 12970 #define DEBUGP(fmt...)
12971 #endif
12972
12973-void *module_alloc(unsigned long size)
12974+static void *__module_alloc(unsigned long size, pgprot_t prot)
12975 {
12976 struct vm_struct *area;
12977
df50ba0c 12978@@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
58c5fc13
MT		 12979 if (!area)
12980 return NULL;
12981
12982- return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
12983- PAGE_KERNEL_EXEC);
12984+ return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
12985+}
12986+
58c5fc13
MT		 12987+void *module_alloc(unsigned long size)
12988+{
ae4e228f
MT		 12989+
12990+#ifdef CONFIG_PAX_KERNEXEC
58c5fc13 12991+ return __module_alloc(size, PAGE_KERNEL);
ae4e228f
MT		 12992+#else
12993+ return __module_alloc(size, PAGE_KERNEL_EXEC);
12994+#endif
12995+
12996 }
12997
12998 /* Free memory returned from module_alloc */
df50ba0c 12999@@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
ae4e228f
MT		 13000 vfree(module_region);
13001 }
13002
13003+#ifdef CONFIG_PAX_KERNEXEC
13004+#ifdef CONFIG_X86_32
58c5fc13
MT		 13005+void *module_alloc_exec(unsigned long size)
13006+{
13007+ struct vm_struct *area;
13008+
13009+ if (size == 0)
13010+ return NULL;
13011+
13012+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
ae4e228f 13013+ return area ? area->addr : NULL;
58c5fc13
MT		 13014+}
13015+EXPORT_SYMBOL(module_alloc_exec);
13016+
13017+void module_free_exec(struct module *mod, void *module_region)
13018+{
ae4e228f 13019+ vunmap(module_region);
58c5fc13
MT		 13020+}
13021+EXPORT_SYMBOL(module_free_exec);
13022+#else
58c5fc13
MT		 13023+void module_free_exec(struct module *mod, void *module_region)
13024+{
13025+ module_free(mod, module_region);
13026+}
13027+EXPORT_SYMBOL(module_free_exec);
13028+
13029+void *module_alloc_exec(unsigned long size)
13030+{
13031+ return __module_alloc(size, PAGE_KERNEL_RX);
13032+}
13033+EXPORT_SYMBOL(module_alloc_exec);
13034+#endif
58c5fc13 13035+#endif
ae4e228f
MT		 13036+
13037 /* We don't need anything special. */
13038 int module_frob_arch_sections(Elf_Ehdr *hdr,
13039 Elf_Shdr *sechdrs,
df50ba0c 13040@@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
58c5fc13
MT		 13041 unsigned int i;
13042 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13043 Elf32_Sym *sym;
13044- uint32_t *location;
13045+ uint32_t *plocation, location;
58c5fc13
MT		 13046
13047 DEBUGP("Applying relocate section %u to %u\n", relsec,
13048 sechdrs[relsec].sh_info);
13049 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13050 /* This is where to make the change */
13051- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13052- + rel[i].r_offset;
13053+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13054+ location = (uint32_t)plocation;
13055+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13056+ plocation = ktla_ktva((void *)plocation);
13057 /* This is the symbol it is referring to. Note that all
13058 undefined symbols have been resolved. */
13059 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
df50ba0c 13060@@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
58c5fc13
MT		 13061 switch (ELF32_R_TYPE(rel[i].r_info)) {
13062 case R_386_32:
13063 /* We add the value into the location given */
13064- *location += sym->st_value;
ae4e228f 13065+ pax_open_kernel();
58c5fc13 13066+ *plocation += sym->st_value;
ae4e228f 13067+ pax_close_kernel();
58c5fc13
MT		 13068 break;
13069 case R_386_PC32:
13070 /* Add the value, subtract its postition */
13071- *location += sym->st_value - (uint32_t)location;
ae4e228f 13072+ pax_open_kernel();
58c5fc13 13073+ *plocation += sym->st_value - location;
ae4e228f 13074+ pax_close_kernel();
58c5fc13
MT		 13075 break;
13076 default:
13077 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
df50ba0c 13078@@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
58c5fc13
MT		 13079 case R_X86_64_NONE:
13080 break;
13081 case R_X86_64_64:
ae4e228f 13082+ pax_open_kernel();
58c5fc13 13083 *(u64 *)loc = val;
ae4e228f 13084+ pax_close_kernel();
58c5fc13
MT		 13085 break;
13086 case R_X86_64_32:
ae4e228f 13087+ pax_open_kernel();
58c5fc13 13088 *(u32 *)loc = val;
ae4e228f 13089+ pax_close_kernel();
58c5fc13
MT		 13090 if (val != *(u32 *)loc)
13091 goto overflow;
13092 break;
13093 case R_X86_64_32S:
ae4e228f 13094+ pax_open_kernel();
58c5fc13 13095 *(s32 *)loc = val;
ae4e228f 13096+ pax_close_kernel();
58c5fc13
MT		 13097 if ((s64)val != *(s32 *)loc)
13098 goto overflow;
13099 break;
13100 case R_X86_64_PC32:
13101 val -= (u64)loc;
ae4e228f 13102+ pax_open_kernel();
58c5fc13 13103 *(u32 *)loc = val;
ae4e228f 13104+ pax_close_kernel();
58c5fc13
MT		 13105+
13106 #if 0
13107 if ((s64)val != *(s32 *)loc)
13108 goto overflow;
57199397
MT		 13109diff -urNp linux-2.6.35.4/arch/x86/kernel/paravirt.c linux-2.6.35.4/arch/x86/kernel/paravirt.c
13110--- linux-2.6.35.4/arch/x86/kernel/paravirt.c 2010-08-26 19:47:12.000000000 -0400
13111+++ linux-2.6.35.4/arch/x86/kernel/paravirt.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 13112@@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
58c5fc13 13113 * corresponding structure. */
df50ba0c 13114 static void *get_call_destination(u8 type)
58c5fc13
MT		 13115 {
13116- struct paravirt_patch_template tmpl = {
13117+ const struct paravirt_patch_template tmpl = {
13118 .pv_init_ops = pv_init_ops,
13119 .pv_time_ops = pv_time_ops,
13120 .pv_cpu_ops = pv_cpu_ops,
df50ba0c 13121@@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
58c5fc13 13122 if (opfunc == NULL)
df50ba0c
MT		 13123 /* If there's no function, patch it with a ud2a (BUG) */
13124 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13125- else if (opfunc == _paravirt_nop)
13126+ else if (opfunc == (void *)_paravirt_nop)
13127 /* If the operation is a nop, then nop the callsite */
13128 ret = paravirt_patch_nop();
13129
13130 /* identity functions just return their single argument */
13131- else if (opfunc == _paravirt_ident_32)
13132+ else if (opfunc == (void *)_paravirt_ident_32)
13133 ret = paravirt_patch_ident_32(insnbuf, len);
13134- else if (opfunc == _paravirt_ident_64)
13135+ else if (opfunc == (void *)_paravirt_ident_64)
13136 ret = paravirt_patch_ident_64(insnbuf, len);
13137
13138 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
ae4e228f 13139@@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
58c5fc13
MT		 13140 if (insn_len > len || start == NULL)
13141 insn_len = len;
13142 else
13143- memcpy(insnbuf, start, insn_len);
13144+ memcpy(insnbuf, ktla_ktva(start), insn_len);
13145
13146 return insn_len;
13147 }
ae4e228f 13148@@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
58c5fc13
MT		 13149 preempt_enable();
13150 }
13151
13152-struct pv_info pv_info = {
13153+struct pv_info pv_info __read_only = {
13154 .name = "bare hardware",
13155 .paravirt_enabled = 0,
13156 .kernel_rpl = 0,
13157 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13158 };
13159
13160-struct pv_init_ops pv_init_ops = {
13161+struct pv_init_ops pv_init_ops __read_only = {
13162 .patch = native_patch,
58c5fc13
MT		 13163 };
13164
13165-struct pv_time_ops pv_time_ops = {
13166+struct pv_time_ops pv_time_ops __read_only = {
ae4e228f 13167 .sched_clock = native_sched_clock,
58c5fc13
MT		 13168 };
13169
13170-struct pv_irq_ops pv_irq_ops = {
13171+struct pv_irq_ops pv_irq_ops __read_only = {
58c5fc13
MT		 13172 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13173 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
ae4e228f
MT		 13174 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
13175@@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
58c5fc13
MT		 13176 #endif
13177 };
13178
13179-struct pv_cpu_ops pv_cpu_ops = {
13180+struct pv_cpu_ops pv_cpu_ops __read_only = {
13181 .cpuid = native_cpuid,
13182 .get_debugreg = native_get_debugreg,
13183 .set_debugreg = native_set_debugreg,
ae4e228f 13184@@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
58c5fc13
MT		 13185 .end_context_switch = paravirt_nop,
13186 };
13187
13188-struct pv_apic_ops pv_apic_ops = {
13189+struct pv_apic_ops pv_apic_ops __read_only = {
13190 #ifdef CONFIG_X86_LOCAL_APIC
ae4e228f
MT		 13191 .startup_ipi_hook = paravirt_nop,
13192 #endif
13193@@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
58c5fc13
MT		 13194 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13195 #endif
13196
13197-struct pv_mmu_ops pv_mmu_ops = {
13198+struct pv_mmu_ops pv_mmu_ops __read_only = {
ae4e228f
MT		 13199
13200 .read_cr2 = native_read_cr2,
13201 .write_cr2 = native_write_cr2,
df50ba0c 13202@@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
ae4e228f
MT		 13203 },
13204
13205 .set_fixmap = native_set_fixmap,
13206+
13207+#ifdef CONFIG_PAX_KERNEXEC
13208+ .pax_open_kernel = native_pax_open_kernel,
13209+ .pax_close_kernel = native_pax_close_kernel,
13210+#endif
13211+
13212 };
13213
13214 EXPORT_SYMBOL_GPL(pv_time_ops);
57199397
MT		 13215diff -urNp linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c
13216--- linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c 2010-08-26 19:47:12.000000000 -0400
13217+++ linux-2.6.35.4/arch/x86/kernel/paravirt-spinlocks.c 2010-09-17 20:12:09.000000000 -0400
13218@@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13219 arch_spin_lock(lock);
13220 }
13221
13222-struct pv_lock_ops pv_lock_ops = {
13223+struct pv_lock_ops pv_lock_ops __read_only = {
13224 #ifdef CONFIG_SMP
13225 .spin_is_locked = __ticket_spin_is_locked,
13226 .spin_is_contended = __ticket_spin_is_contended,
13227diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c
13228--- linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c 2010-08-26 19:47:12.000000000 -0400
13229+++ linux-2.6.35.4/arch/x86/kernel/pci-calgary_64.c 2010-09-17 20:12:09.000000000 -0400
13230@@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
ae4e228f
MT		 13231 free_pages((unsigned long)vaddr, get_order(size));
13232 }
13233
13234-static struct dma_map_ops calgary_dma_ops = {
13235+static const struct dma_map_ops calgary_dma_ops = {
13236 .alloc_coherent = calgary_alloc_coherent,
13237 .free_coherent = calgary_free_coherent,
13238 .map_sg = calgary_map_sg,
57199397
MT		 13239diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-dma.c linux-2.6.35.4/arch/x86/kernel/pci-dma.c
13240--- linux-2.6.35.4/arch/x86/kernel/pci-dma.c 2010-08-26 19:47:12.000000000 -0400
13241+++ linux-2.6.35.4/arch/x86/kernel/pci-dma.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 13242@@ -16,7 +16,7 @@
ae4e228f
MT		 13243
13244 static int forbid_dac __read_mostly;
13245
13246-struct dma_map_ops *dma_ops = &nommu_dma_ops;
13247+const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13248 EXPORT_SYMBOL(dma_ops);
13249
13250 static int iommu_sac_force __read_mostly;
df50ba0c 13251@@ -248,7 +248,7 @@ early_param("iommu", iommu_setup);
ae4e228f
MT		 13252
13253 int dma_supported(struct device *dev, u64 mask)
13254 {
13255- struct dma_map_ops *ops = get_dma_ops(dev);
13256+ const struct dma_map_ops *ops = get_dma_ops(dev);
13257
13258 #ifdef CONFIG_PCI
13259 if (mask > 0xffffffff && forbid_dac > 0) {
57199397
MT		 13260diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c
13261--- linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c 2010-08-26 19:47:12.000000000 -0400
13262+++ linux-2.6.35.4/arch/x86/kernel/pci-gart_64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 13263@@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
ae4e228f
MT		 13264 return -1;
13265 }
13266
13267-static struct dma_map_ops gart_dma_ops = {
13268+static const struct dma_map_ops gart_dma_ops = {
13269 .map_sg = gart_map_sg,
13270 .unmap_sg = gart_unmap_sg,
13271 .map_page = gart_map_page,
57199397
MT		 13272diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-nommu.c linux-2.6.35.4/arch/x86/kernel/pci-nommu.c
13273--- linux-2.6.35.4/arch/x86/kernel/pci-nommu.c 2010-08-26 19:47:12.000000000 -0400
13274+++ linux-2.6.35.4/arch/x86/kernel/pci-nommu.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 13275@@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
ae4e228f
MT		 13276 flush_write_buffers();
13277 }
13278
13279-struct dma_map_ops nommu_dma_ops = {
13280+const struct dma_map_ops nommu_dma_ops = {
13281 .alloc_coherent = dma_generic_alloc_coherent,
13282 .free_coherent = nommu_free_coherent,
13283 .map_sg = nommu_map_sg,
57199397
MT		 13284diff -urNp linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c
13285--- linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c 2010-08-26 19:47:12.000000000 -0400
13286+++ linux-2.6.35.4/arch/x86/kernel/pci-swiotlb.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 13287@@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13288 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13289 }
13290
13291-static struct dma_map_ops swiotlb_dma_ops = {
13292+static const struct dma_map_ops swiotlb_dma_ops = {
13293 .mapping_error = swiotlb_dma_mapping_error,
13294 .alloc_coherent = x86_swiotlb_alloc_coherent,
13295 .free_coherent = swiotlb_free_coherent,
57199397
MT		 13296diff -urNp linux-2.6.35.4/arch/x86/kernel/process_32.c linux-2.6.35.4/arch/x86/kernel/process_32.c
13297--- linux-2.6.35.4/arch/x86/kernel/process_32.c 2010-08-26 19:47:12.000000000 -0400
13298+++ linux-2.6.35.4/arch/x86/kernel/process_32.c 2010-09-17 20:12:09.000000000 -0400
13299@@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13300 unsigned long thread_saved_pc(struct task_struct *tsk)
13301 {
13302 return ((unsigned long *)tsk->thread.sp)[3];
13303+//XXX return tsk->thread.eip;
13304 }
13305
13306 #ifndef CONFIG_SMP
13307@@ -126,7 +127,7 @@ void __show_regs(struct pt_regs *regs, i
13308 unsigned long sp;
13309 unsigned short ss, gs;
13310
13311- if (user_mode_vm(regs)) {
13312+ if (user_mode(regs)) {
13313 sp = regs->sp;
13314 ss = regs->ss & 0xffff;
13315 gs = get_user_gs(regs);
13316@@ -196,7 +197,7 @@ int copy_thread(unsigned long clone_flag
13317 struct task_struct *tsk;
13318 int err;
13319
13320- childregs = task_pt_regs(p);
13321+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13322 *childregs = *regs;
13323 childregs->ax = 0;
13324 childregs->sp = sp;
13325@@ -230,6 +231,7 @@ int copy_thread(unsigned long clone_flag
13326 * Set a new TLS for the child thread?
13327 */
13328 if (clone_flags & CLONE_SETTLS)
13329+//XXX needs set_fs()?
13330 err = do_set_thread_area(p, -1,
13331 (struct user_desc __user *)childregs->si, 0);
13332
13333@@ -293,7 +295,7 @@ __switch_to(struct task_struct *prev_p,
13334 struct thread_struct *prev = &prev_p->thread,
13335 *next = &next_p->thread;
13336 int cpu = smp_processor_id();
13337- struct tss_struct *tss = &per_cpu(init_tss, cpu);
13338+ struct tss_struct *tss = init_tss + cpu;
13339 bool preload_fpu;
13340
13341 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13342@@ -328,6 +330,11 @@ __switch_to(struct task_struct *prev_p,
13343 */
13344 lazy_save_gs(prev->gs);
13345
13346+#ifdef CONFIG_PAX_MEMORY_UDEREF
13347+ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13348+ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13349+#endif
13350+
13351 /*
13352 * Load the per-thread Thread-Local Storage descriptor.
13353 */
13354@@ -404,3 +411,27 @@ unsigned long get_wchan(struct task_stru
13355 return 0;
13356 }
13357
13358+#ifdef CONFIG_PAX_RANDKSTACK
13359+asmlinkage void pax_randomize_kstack(void)
13360+{
13361+ struct thread_struct *thread = &current->thread;
13362+ unsigned long time;
13363+
13364+ if (!randomize_va_space)
13365+ return;
13366+
13367+ rdtscl(time);
13368+
13369+ /* P4 seems to return a 0 LSB, ignore it */
13370+#ifdef CONFIG_MPENTIUM4
13371+ time &= 0x1EUL;
13372+ time <<= 2;
13373+#else
13374+ time &= 0xFUL;
13375+ time <<= 3;
13376+#endif
13377+
13378+ thread->sp0 ^= time;
13379+ load_sp0(init_tss + smp_processor_id(), thread);
13380+}
13381+#endif
13382diff -urNp linux-2.6.35.4/arch/x86/kernel/process_64.c linux-2.6.35.4/arch/x86/kernel/process_64.c
13383--- linux-2.6.35.4/arch/x86/kernel/process_64.c 2010-08-26 19:47:12.000000000 -0400
13384+++ linux-2.6.35.4/arch/x86/kernel/process_64.c 2010-09-17 20:12:09.000000000 -0400
13385@@ -87,7 +87,7 @@ static void __exit_idle(void)
13386 void exit_idle(void)
13387 {
13388 /* idle loop has pid 0 */
13389- if (current->pid)
13390+ if (task_pid_nr(current))
13391 return;
13392 __exit_idle();
13393 }
13394@@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
13395 struct thread_struct *prev = &prev_p->thread;
13396 struct thread_struct *next = &next_p->thread;
13397 int cpu = smp_processor_id();
13398- struct tss_struct *tss = &per_cpu(init_tss, cpu);
13399+ struct tss_struct *tss = init_tss + cpu;
13400 unsigned fsindex, gsindex;
13401 bool preload_fpu;
13402
13403@@ -528,12 +528,11 @@ unsigned long get_wchan(struct task_stru
13404 if (!p || p == current || p->state == TASK_RUNNING)
13405 return 0;
13406 stack = (unsigned long)task_stack_page(p);
13407- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13408+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13409 return 0;
13410 fp = *(u64 *)(p->thread.sp);
13411 do {
13412- if (fp < (unsigned long)stack ||
13413- fp >= (unsigned long)stack+THREAD_SIZE)
13414+ if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13415 return 0;
13416 ip = *(u64 *)(fp+8);
13417 if (!in_sched_functions(ip))
13418diff -urNp linux-2.6.35.4/arch/x86/kernel/process.c linux-2.6.35.4/arch/x86/kernel/process.c
13419--- linux-2.6.35.4/arch/x86/kernel/process.c 2010-08-26 19:47:12.000000000 -0400
13420+++ linux-2.6.35.4/arch/x86/kernel/process.c 2010-09-17 20:12:09.000000000 -0400
13421@@ -73,7 +73,7 @@ void exit_thread(void)
efbe55a5
MT		 13422 unsigned long *bp = t->io_bitmap_ptr;
13423
13424 if (bp) {
13425- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13426+ struct tss_struct *tss = init_tss + get_cpu();
13427
13428 t->io_bitmap_ptr = NULL;
13429 clear_thread_flag(TIF_IO_BITMAP);
57199397 13430@@ -107,7 +107,7 @@ void show_regs_common(void)
efbe55a5
MT		 13431
13432 printk(KERN_CONT "\n");
13433 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s %s/%s\n",
13434- current->pid, current->comm, print_tainted(),
13435+ task_pid_nr(current), current->comm, print_tainted(),
13436 init_utsname()->release,
13437 (int)strcspn(init_utsname()->version, " "),
13438 init_utsname()->version, board, product);
57199397 13439@@ -117,6 +117,9 @@ void flush_thread(void)
efbe55a5
MT		 13440 {
13441 struct task_struct *tsk = current;
13442
13443+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13444+ loadsegment(gs, 0);
13445+#endif
13446 flush_ptrace_hw_breakpoint(tsk);
13447 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13448 /*
13449@@ -279,8 +282,8 @@ int kernel_thread(int (*fn)(void *), voi
13450 regs.di = (unsigned long) arg;
13451
13452 #ifdef CONFIG_X86_32
13453- regs.ds = __USER_DS;
13454- regs.es = __USER_DS;
13455+ regs.ds = __KERNEL_DS;
13456+ regs.es = __KERNEL_DS;
13457 regs.fs = __KERNEL_PERCPU;
13458 regs.gs = __KERNEL_STACK_CANARY;
13459 #else
13460@@ -689,17 +692,3 @@ static int __init idle_setup(char *str)
13461 return 0;
13462 }
13463 early_param("idle", idle_setup);
13464-
13465-unsigned long arch_align_stack(unsigned long sp)
13466-{
13467- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13468- sp -= get_random_int() % 8192;
13469- return sp & ~0xf;
13470-}
13471-
13472-unsigned long arch_randomize_brk(struct mm_struct *mm)
13473-{
13474- unsigned long range_end = mm->brk + 0x02000000;
13475- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13476-}
13477-
57199397
MT		 13478diff -urNp linux-2.6.35.4/arch/x86/kernel/ptrace.c linux-2.6.35.4/arch/x86/kernel/ptrace.c
13479--- linux-2.6.35.4/arch/x86/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
13480+++ linux-2.6.35.4/arch/x86/kernel/ptrace.c 2010-09-17 20:12:09.000000000 -0400
13481@@ -804,7 +804,7 @@ static const struct user_regset_view use
ae4e228f
MT		 13482 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13483 {
13484 int ret;
13485- unsigned long __user *datap = (unsigned long __user *)data;
13486+ unsigned long __user *datap = (__force unsigned long __user *)data;
13487
13488 switch (request) {
13489 /* read the word at location addr in the USER area. */
57199397 13490@@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
ae4e228f
MT		 13491 if (addr < 0)
13492 return -EIO;
13493 ret = do_get_thread_area(child, addr,
13494- (struct user_desc __user *) data);
13495+ (__force struct user_desc __user *) data);
13496 break;
13497
13498 case PTRACE_SET_THREAD_AREA:
13499 if (addr < 0)
13500 return -EIO;
13501 ret = do_set_thread_area(child, addr,
13502- (struct user_desc __user *) data, 0);
13503+ (__force struct user_desc __user *) data, 0);
13504 break;
13505 #endif
13506
57199397 13507@@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
ae4e228f
MT		 13508 memset(info, 0, sizeof(*info));
13509 info->si_signo = SIGTRAP;
13510 info->si_code = si_code;
13511- info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13512+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13513 }
13514
13515 void user_single_step_siginfo(struct task_struct *tsk,
57199397
MT		 13516diff -urNp linux-2.6.35.4/arch/x86/kernel/reboot.c linux-2.6.35.4/arch/x86/kernel/reboot.c
13517--- linux-2.6.35.4/arch/x86/kernel/reboot.c 2010-08-26 19:47:12.000000000 -0400
13518+++ linux-2.6.35.4/arch/x86/kernel/reboot.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 13519@@ -33,7 +33,7 @@ void (*pm_power_off)(void);
58c5fc13
MT		 13520 EXPORT_SYMBOL(pm_power_off);
13521
13522 static const struct desc_ptr no_idt = {};
13523-static int reboot_mode;
13524+static unsigned short reboot_mode;
13525 enum reboot_type reboot_type = BOOT_KBD;
13526 int reboot_force;
13527
57199397 13528@@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
ae4e228f 13529 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
58c5fc13
MT		 13530 },
13531 },
13532- { }
13533+ { NULL, NULL, {{0, {0}}}, NULL}
13534 };
13535
13536 static int __init reboot_init(void)
57199397 13537@@ -300,12 +300,12 @@ core_initcall(reboot_init);
58c5fc13
MT		 13538 controller to pulse the CPU reset line, which is more thorough, but
13539 doesn't work with at least one type of 486 motherboard. It is easy
13540 to stop this code working; hence the copious comments. */
13541-static const unsigned long long
13542-real_mode_gdt_entries [3] =
13543+static struct desc_struct
13544+real_mode_gdt_entries [3] __read_only =
13545 {
13546- 0x0000000000000000ULL, /* Null descriptor */
13547- 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13548- 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
ae4e228f
MT		 13549+ GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13550+ GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13551+ GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
58c5fc13
MT		 13552 };
13553
13554 static const struct desc_ptr
57199397 13555@@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
58c5fc13
MT		 13556 * specified by the code and length parameters.
13557 * We assume that length will aways be less that 100!
13558 */
13559-void machine_real_restart(const unsigned char *code, int length)
13560+void machine_real_restart(const unsigned char *code, unsigned int length)
13561 {
13562 local_irq_disable();
13563
57199397 13564@@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
58c5fc13
MT		 13565 /* Remap the kernel at virtual address zero, as well as offset zero
13566 from the kernel segment. This assumes the kernel segment starts at
13567 virtual address PAGE_OFFSET. */
13568- memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13569- sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13570+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13571+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13572
13573 /*
13574 * Use `swapper_pg_dir' as our page directory.
57199397 13575@@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
58c5fc13
MT		 13576 boot)". This seems like a fairly standard thing that gets set by
13577 REBOOT.COM programs, and the previous reset routine did this
13578 too. */
13579- *((unsigned short *)0x472) = reboot_mode;
13580+ *(unsigned short *)(__va(0x472)) = reboot_mode;
13581
13582 /* For the switch to real mode, copy some code to low memory. It has
13583 to be in the first 64k because it is running in 16-bit mode, and it
13584 has to have the same physical and virtual address, because it turns
13585 off paging. Copy it near the end of the first page, out of the way
13586 of BIOS variables. */
13587- memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13588- real_mode_switch, sizeof (real_mode_switch));
13589- memcpy((void *)(0x1000 - 100), code, length);
13590+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13591+ memcpy(__va(0x1000 - 100), code, length);
13592
13593 /* Set up the IDT for real mode. */
13594 load_idt(&real_mode_idt);
57199397
MT		 13595diff -urNp linux-2.6.35.4/arch/x86/kernel/setup.c linux-2.6.35.4/arch/x86/kernel/setup.c
13596--- linux-2.6.35.4/arch/x86/kernel/setup.c 2010-08-26 19:47:12.000000000 -0400
13597+++ linux-2.6.35.4/arch/x86/kernel/setup.c 2010-09-17 20:12:09.000000000 -0400
efbe55a5
MT		 13598@@ -704,7 +704,7 @@ static void __init trim_bios_range(void)
13599 * area (640->1Mb) as ram even though it is not.
13600 * take them out.
13601 */
13602- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13603+ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13604 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13605 }
13606
57199397 13607@@ -791,14 +791,14 @@ void __init setup_arch(char **cmdline_p)
58c5fc13
MT		 13608
13609 if (!boot_params.hdr.root_flags)
13610 root_mountflags &= ~MS_RDONLY;
13611- init_mm.start_code = (unsigned long) _text;
13612- init_mm.end_code = (unsigned long) _etext;
13613+ init_mm.start_code = ktla_ktva((unsigned long) _text);
13614+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
13615 init_mm.end_data = (unsigned long) _edata;
13616 init_mm.brk = _brk_end;
13617
13618- code_resource.start = virt_to_phys(_text);
13619- code_resource.end = virt_to_phys(_etext)-1;
13620- data_resource.start = virt_to_phys(_etext);
13621+ code_resource.start = virt_to_phys(ktla_ktva(_text));
13622+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13623+ data_resource.start = virt_to_phys(_sdata);
13624 data_resource.end = virt_to_phys(_edata)-1;
13625 bss_resource.start = virt_to_phys(&__bss_start);
13626 bss_resource.end = virt_to_phys(&__bss_stop)-1;
57199397
MT		 13627diff -urNp linux-2.6.35.4/arch/x86/kernel/setup_percpu.c linux-2.6.35.4/arch/x86/kernel/setup_percpu.c
13628--- linux-2.6.35.4/arch/x86/kernel/setup_percpu.c 2010-08-26 19:47:12.000000000 -0400
13629+++ linux-2.6.35.4/arch/x86/kernel/setup_percpu.c 2010-09-17 20:12:09.000000000 -0400
13630@@ -21,19 +21,17 @@
13631 #include <asm/cpu.h>
13632 #include <asm/stackprotector.h>
58c5fc13
MT		 13633
13634+#ifdef CONFIG_SMP
13635 DEFINE_PER_CPU(int, cpu_number);
13636 EXPORT_PER_CPU_SYMBOL(cpu_number);
13637+#endif
13638
13639-#ifdef CONFIG_X86_64
13640 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13641-#else
13642-#define BOOT_PERCPU_OFFSET 0
13643-#endif
13644
13645 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13646 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13647
13648-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13649+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13650 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13651 };
13652 EXPORT_SYMBOL(__per_cpu_offset);
57199397 13653@@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
58c5fc13
MT		 13654 {
13655 #ifdef CONFIG_X86_32
ae4e228f
MT		 13656 struct desc_struct gdt;
13657+ unsigned long base = per_cpu_offset(cpu);
13658
58c5fc13
MT		 13659- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13660- 0x2 | DESCTYPE_S, 0x8);
13661- gdt.s = 1;
ae4e228f
MT		 13662+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13663+ 0x83 | DESCTYPE_S, 0xC);
13664 write_gdt_entry(get_cpu_gdt_table(cpu),
13665 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
58c5fc13 13666 #endif
57199397 13667@@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
58c5fc13
MT		 13668 /* alrighty, percpu areas up and running */
13669 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13670 for_each_possible_cpu(cpu) {
13671+#ifdef CONFIG_CC_STACKPROTECTOR
13672+#ifdef CONFIG_x86_32
13673+ unsigned long canary = per_cpu(stack_canary, cpu);
13674+#endif
13675+#endif
ae4e228f 13676 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
58c5fc13
MT		 13677 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13678 per_cpu(cpu_number, cpu) = cpu;
57199397
MT		 13679@@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
13680 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
58c5fc13
MT		 13681 #endif
13682 #endif
13683+#ifdef CONFIG_CC_STACKPROTECTOR
13684+#ifdef CONFIG_x86_32
13685+ if (cpu == boot_cpu_id)
13686+ per_cpu(stack_canary, cpu) = canary;
13687+#endif
13688+#endif
13689 /*
57199397 13690 * Up to this point, the boot CPU has been using .init.data
58c5fc13 13691 * area. Reload any changed state for the boot CPU.
57199397
MT		 13692diff -urNp linux-2.6.35.4/arch/x86/kernel/signal.c linux-2.6.35.4/arch/x86/kernel/signal.c
13693--- linux-2.6.35.4/arch/x86/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
13694+++ linux-2.6.35.4/arch/x86/kernel/signal.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 13695@@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
58c5fc13
MT		 13696 * Align the stack pointer according to the i386 ABI,
13697 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13698 */
13699- sp = ((sp + 4) & -16ul) - 4;
13700+ sp = ((sp - 12) & -16ul) - 4;
13701 #else /* !CONFIG_X86_32 */
13702 sp = round_down(sp, 16) - 8;
13703 #endif
ae4e228f
MT		 13704@@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13705 * Return an always-bogus address instead so we will die with SIGSEGV.
13706 */
13707 if (onsigstack && !likely(on_sig_stack(sp)))
13708- return (void __user *)-1L;
13709+ return (__force void __user *)-1L;
13710
13711 /* save i387 state */
13712 if (used_math() && save_i387_xstate(*fpstate) < 0)
13713- return (void __user *)-1L;
13714+ return (__force void __user *)-1L;
13715
13716 return (void __user *)sp;
13717 }
13718@@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
58c5fc13
MT		 13719 }
13720
13721 if (current->mm->context.vdso)
13722- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
ae4e228f 13723+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
58c5fc13
MT		 13724 else
13725- restorer = &frame->retcode;
13726+ restorer = (void __user *)&frame->retcode;
13727 if (ka->sa.sa_flags & SA_RESTORER)
13728 restorer = ka->sa.sa_restorer;
13729
ae4e228f
MT		 13730@@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13731 * reasons and because gdb uses it as a signature to notice
13732 * signal handler stack frames.
13733 */
13734- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13735+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13736
13737 if (err)
13738 return -EFAULT;
13739@@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
58c5fc13
MT		 13740 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13741
13742 /* Set up to return from userspace. */
13743- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
ae4e228f 13744+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
58c5fc13
MT		 13745 if (ka->sa.sa_flags & SA_RESTORER)
13746 restorer = ka->sa.sa_restorer;
13747 put_user_ex(restorer, &frame->pretcode);
ae4e228f
MT		 13748@@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
13749 * reasons and because gdb uses it as a signature to notice
13750 * signal handler stack frames.
13751 */
13752- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13753+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13754 } put_user_catch(err);
13755
13756 if (err)
13757@@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
58c5fc13
MT		 13758 * X86_32: vm86 regs switched out by assembly code before reaching
13759 * here, so testing against kernel CS suffices.
13760 */
13761- if (!user_mode(regs))
13762+ if (!user_mode_novm(regs))
13763 return;
13764
13765 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
57199397
MT		 13766diff -urNp linux-2.6.35.4/arch/x86/kernel/smpboot.c linux-2.6.35.4/arch/x86/kernel/smpboot.c
13767--- linux-2.6.35.4/arch/x86/kernel/smpboot.c 2010-08-26 19:47:12.000000000 -0400
13768+++ linux-2.6.35.4/arch/x86/kernel/smpboot.c 2010-09-17 20:12:09.000000000 -0400
13769@@ -780,7 +780,11 @@ do_rest:
58c5fc13
MT		 13770 (unsigned long)task_stack_page(c_idle.idle) -
13771 KERNEL_STACK_OFFSET + THREAD_SIZE;
13772 #endif
13773+
ae4e228f 13774+ pax_open_kernel();
58c5fc13 13775 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
ae4e228f 13776+ pax_close_kernel();
58c5fc13
MT		 13777+
13778 initial_code = (unsigned long)start_secondary;
13779 stack_start.sp = (void *) c_idle.idle->thread.sp;
13780
57199397 13781@@ -920,6 +924,12 @@ int __cpuinit native_cpu_up(unsigned int
df50ba0c
MT		 13782
13783 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13784
13785+#ifdef CONFIG_PAX_PER_CPU_PGD
13786+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13787+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13788+ KERNEL_PGD_PTRS);
13789+#endif
13790+
13791 #ifdef CONFIG_X86_32
13792 /* init low mem mapping */
13793 clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
57199397
MT		 13794diff -urNp linux-2.6.35.4/arch/x86/kernel/step.c linux-2.6.35.4/arch/x86/kernel/step.c
13795--- linux-2.6.35.4/arch/x86/kernel/step.c 2010-08-26 19:47:12.000000000 -0400
13796+++ linux-2.6.35.4/arch/x86/kernel/step.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 13797@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13798 struct desc_struct *desc;
58c5fc13
MT		 13799 unsigned long base;
13800
13801- seg &= ~7UL;
13802+ seg >>= 3;
13803
13804 mutex_lock(&child->mm->context.lock);
13805- if (unlikely((seg >> 3) >= child->mm->context.size))
58c5fc13 13806+ if (unlikely(seg >= child->mm->context.size))
ae4e228f 13807 addr = -1L; /* bogus selector, access would fault */
58c5fc13 13808 else {
ae4e228f
MT		 13809 desc = child->mm->context.ldt + seg;
13810@@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
58c5fc13
MT		 13811 unsigned char opcode[15];
13812 unsigned long addr = convert_ip_to_linear(child, regs);
13813
13814+ if (addr == -EINVAL)
13815+ return 0;
13816+
13817 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
13818 for (i = 0; i < copied; i++) {
13819 switch (opcode[i]) {
ae4e228f 13820@@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
58c5fc13
MT		 13821
13822 #ifdef CONFIG_X86_64
13823 case 0x40 ... 0x4f:
13824- if (regs->cs != __USER_CS)
13825+ if ((regs->cs & 0xffff) != __USER_CS)
13826 /* 32-bit mode: register increment */
13827 return 0;
13828 /* 64-bit mode: REX prefix */
57199397
MT		 13829diff -urNp linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S
13830--- linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S 2010-08-26 19:47:12.000000000 -0400
13831+++ linux-2.6.35.4/arch/x86/kernel/syscall_table_32.S 2010-09-17 20:12:09.000000000 -0400
13832@@ -1,3 +1,4 @@
13833+.section .rodata,"a",@progbits
13834 ENTRY(sys_call_table)
13835 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
13836 .long sys_exit
13837diff -urNp linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c
13838--- linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c 2010-08-26 19:47:12.000000000 -0400
13839+++ linux-2.6.35.4/arch/x86/kernel/sys_i386_32.c 2010-09-17 20:12:09.000000000 -0400
13840@@ -24,6 +24,224 @@
58c5fc13
MT		 13841
13842 #include <asm/syscalls.h>
13843
13844+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
13845+{
13846+ unsigned long pax_task_size = TASK_SIZE;
13847+
13848+#ifdef CONFIG_PAX_SEGMEXEC
13849+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13850+ pax_task_size = SEGMEXEC_TASK_SIZE;
13851+#endif
13852+
13853+ if (len > pax_task_size || addr > pax_task_size - len)
13854+ return -EINVAL;
13855+
13856+ return 0;
13857+}
13858+
58c5fc13
MT		 13859+unsigned long
13860+arch_get_unmapped_area(struct file *filp, unsigned long addr,
13861+ unsigned long len, unsigned long pgoff, unsigned long flags)
13862+{
13863+ struct mm_struct *mm = current->mm;
13864+ struct vm_area_struct *vma;
13865+ unsigned long start_addr, pax_task_size = TASK_SIZE;
13866+
13867+#ifdef CONFIG_PAX_SEGMEXEC
13868+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
13869+ pax_task_size = SEGMEXEC_TASK_SIZE;
13870+#endif
13871+
13872+ if (len > pax_task_size)
13873+ return -ENOMEM;
13874+
13875+ if (flags & MAP_FIXED)
13876+ return addr;
13877+
13878+#ifdef CONFIG_PAX_RANDMMAP
13879+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13880+#endif
13881+
13882+ if (addr) {
13883+ addr = PAGE_ALIGN(addr);
57199397
MT		 13884+ if (pax_task_size - len >= addr) {
13885+ vma = find_vma(mm, addr);
13886+ if (check_heap_stack_gap(vma, addr, len))
13887+ return addr;
13888+ }
58c5fc13
MT		 13889+ }
13890+ if (len > mm->cached_hole_size) {
13891+ start_addr = addr = mm->free_area_cache;
13892+ } else {
13893+ start_addr = addr = mm->mmap_base;
13894+ mm->cached_hole_size = 0;
13895+ }
13896+
13897+#ifdef CONFIG_PAX_PAGEEXEC
ae4e228f 13898+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
58c5fc13
MT		 13899+ start_addr = 0x00110000UL;
13900+
13901+#ifdef CONFIG_PAX_RANDMMAP
13902+ if (mm->pax_flags & MF_PAX_RANDMMAP)
13903+ start_addr += mm->delta_mmap & 0x03FFF000UL;
13904+#endif
13905+
13906+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
13907+ start_addr = addr = mm->mmap_base;
13908+ else
13909+ addr = start_addr;
13910+ }
13911+#endif
13912+
13913+full_search:
13914+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
13915+ /* At this point: (!vma || addr < vma->vm_end). */
13916+ if (pax_task_size - len < addr) {
13917+ /*
13918+ * Start a new search - just in case we missed
13919+ * some holes.
13920+ */
13921+ if (start_addr != mm->mmap_base) {
13922+ start_addr = addr = mm->mmap_base;
13923+ mm->cached_hole_size = 0;
13924+ goto full_search;
13925+ }
13926+ return -ENOMEM;
13927+ }
57199397
MT		 13928+ if (check_heap_stack_gap(vma, addr, len))
13929+ break;
58c5fc13
MT		 13930+ if (addr + mm->cached_hole_size < vma->vm_start)
13931+ mm->cached_hole_size = vma->vm_start - addr;
13932+ addr = vma->vm_end;
13933+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
13934+ start_addr = addr = mm->mmap_base;
13935+ mm->cached_hole_size = 0;
13936+ goto full_search;
13937+ }
13938+ }
57199397
MT		 13939+
13940+ /*
13941+ * Remember the place where we stopped the search:
13942+ */
13943+ mm->free_area_cache = addr + len;
13944+ return addr;
58c5fc13
MT		 13945+}
13946+
13947+unsigned long
13948+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
13949+ const unsigned long len, const unsigned long pgoff,
13950+ const unsigned long flags)
13951+{
13952+ struct vm_area_struct *vma;
13953+ struct mm_struct *mm = current->mm;
13954+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
13955+
13956+#ifdef CONFIG_PAX_SEGMEXEC
13957+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
13958+ pax_task_size = SEGMEXEC_TASK_SIZE;
13959+#endif
13960+
13961+ /* requested length too big for entire address space */
13962+ if (len > pax_task_size)
13963+ return -ENOMEM;
13964+
13965+ if (flags & MAP_FIXED)
13966+ return addr;
13967+
13968+#ifdef CONFIG_PAX_PAGEEXEC
ae4e228f 13969+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
58c5fc13
MT		 13970+ goto bottomup;
13971+#endif
13972+
13973+#ifdef CONFIG_PAX_RANDMMAP
13974+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13975+#endif
13976+
13977+ /* requesting a specific address */
13978+ if (addr) {
13979+ addr = PAGE_ALIGN(addr);
57199397
MT		 13980+ if (pax_task_size - len >= addr) {
13981+ vma = find_vma(mm, addr);
13982+ if (check_heap_stack_gap(vma, addr, len))
13983+ return addr;
13984+ }
58c5fc13
MT		 13985+ }
13986+
13987+ /* check if free_area_cache is useful for us */
13988+ if (len <= mm->cached_hole_size) {
13989+ mm->cached_hole_size = 0;
13990+ mm->free_area_cache = mm->mmap_base;
13991+ }
13992+
13993+ /* either no address requested or can't fit in requested address hole */
13994+ addr = mm->free_area_cache;
13995+
13996+ /* make sure it can fit in the remaining address space */
13997+ if (addr > len) {
13998+ vma = find_vma(mm, addr-len);
57199397 13999+ if (check_heap_stack_gap(vma, addr - len, len))
58c5fc13
MT		 14000+ /* remember the address as a hint for next time */
14001+ return (mm->free_area_cache = addr-len);
14002+ }
14003+
14004+ if (mm->mmap_base < len)
14005+ goto bottomup;
14006+
14007+ addr = mm->mmap_base-len;
14008+
14009+ do {
14010+ /*
14011+ * Lookup failure means no vma is above this address,
14012+ * else if new region fits below vma->vm_start,
14013+ * return with success:
14014+ */
14015+ vma = find_vma(mm, addr);
57199397 14016+ if (check_heap_stack_gap(vma, addr, len))
58c5fc13
MT		 14017+ /* remember the address as a hint for next time */
14018+ return (mm->free_area_cache = addr);
14019+
14020+ /* remember the largest hole we saw so far */
14021+ if (addr + mm->cached_hole_size < vma->vm_start)
14022+ mm->cached_hole_size = vma->vm_start - addr;
14023+
14024+ /* try just below the current vma->vm_start */
14025+ addr = vma->vm_start-len;
14026+ } while (len < vma->vm_start);
14027+
14028+bottomup:
14029+ /*
14030+ * A failed mmap() very likely causes application failure,
14031+ * so fall back to the bottom-up function here. This scenario
14032+ * can happen with large stack limits and large mmap()
14033+ * allocations.
14034+ */
14035+
14036+#ifdef CONFIG_PAX_SEGMEXEC
14037+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
14038+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14039+ else
14040+#endif
14041+
14042+ mm->mmap_base = TASK_UNMAPPED_BASE;
14043+
14044+#ifdef CONFIG_PAX_RANDMMAP
14045+ if (mm->pax_flags & MF_PAX_RANDMMAP)
14046+ mm->mmap_base += mm->delta_mmap;
14047+#endif
14048+
14049+ mm->free_area_cache = mm->mmap_base;
14050+ mm->cached_hole_size = ~0UL;
14051+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14052+ /*
14053+ * Restore the topdown base:
14054+ */
14055+ mm->mmap_base = base;
14056+ mm->free_area_cache = base;
14057+ mm->cached_hole_size = ~0UL;
14058+
14059+ return addr;
14060+}
df50ba0c
MT		 14061+
14062 /*
14063 * Do a system call from kernel instead of calling sys_execve so we
14064 * end up with proper pt_regs.
57199397
MT		 14065diff -urNp linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c
14066--- linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c 2010-08-26 19:47:12.000000000 -0400
14067+++ linux-2.6.35.4/arch/x86/kernel/sys_x86_64.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 14068@@ -32,8 +32,8 @@ out:
58c5fc13
MT		 14069 return error;
14070 }
14071
14072-static void find_start_end(unsigned long flags, unsigned long *begin,
14073- unsigned long *end)
14074+static void find_start_end(struct mm_struct *mm, unsigned long flags,
14075+ unsigned long *begin, unsigned long *end)
14076 {
14077 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14078 unsigned long new_begin;
ae4e228f 14079@@ -52,7 +52,7 @@ static void find_start_end(unsigned long
58c5fc13
MT		 14080 *begin = new_begin;
14081 }
14082 } else {
14083- *begin = TASK_UNMAPPED_BASE;
14084+ *begin = mm->mmap_base;
14085 *end = TASK_SIZE;
14086 }
14087 }
57199397 14088@@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT		 14089 if (flags & MAP_FIXED)
14090 return addr;
14091
14092- find_start_end(flags, &begin, &end);
14093+ find_start_end(mm, flags, &begin, &end);
14094
14095 if (len > end)
14096 return -ENOMEM;
14097
14098+#ifdef CONFIG_PAX_RANDMMAP
14099+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14100+#endif
14101+
14102 if (addr) {
14103 addr = PAGE_ALIGN(addr);
14104 vma = find_vma(mm, addr);
57199397
MT		 14105- if (end - len >= addr &&
14106- (!vma || addr + len <= vma->vm_start))
14107+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14108 return addr;
14109 }
14110 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14111@@ -106,7 +109,7 @@ full_search:
14112 }
14113 return -ENOMEM;
14114 }
14115- if (!vma || addr + len <= vma->vm_start) {
14116+ if (check_heap_stack_gap(vma, addr, len)) {
14117 /*
14118 * Remember the place where we stopped the search:
14119 */
14120@@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT		 14121 {
14122 struct vm_area_struct *vma;
14123 struct mm_struct *mm = current->mm;
14124- unsigned long addr = addr0;
14125+ unsigned long base = mm->mmap_base, addr = addr0;
14126
14127 /* requested length too big for entire address space */
14128 if (len > TASK_SIZE)
57199397 14129@@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT		 14130 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14131 goto bottomup;
14132
14133+#ifdef CONFIG_PAX_RANDMMAP
14134+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14135+#endif
14136+
14137 /* requesting a specific address */
14138 if (addr) {
14139 addr = PAGE_ALIGN(addr);
57199397
MT		 14140 vma = find_vma(mm, addr);
14141- if (TASK_SIZE - len >= addr &&
14142- (!vma || addr + len <= vma->vm_start))
14143+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
14144 return addr;
14145 }
14146
14147@@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
14148 /* make sure it can fit in the remaining address space */
14149 if (addr > len) {
14150 vma = find_vma(mm, addr-len);
14151- if (!vma || addr <= vma->vm_start)
14152+ if (check_heap_stack_gap(vma, addr - len, len))
14153 /* remember the address as a hint for next time */
14154 return mm->free_area_cache = addr-len;
14155 }
14156@@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14157 * return with success:
14158 */
14159 vma = find_vma(mm, addr);
14160- if (!vma || addr+len <= vma->vm_start)
14161+ if (check_heap_stack_gap(vma, addr, len))
14162 /* remember the address as a hint for next time */
14163 return mm->free_area_cache = addr;
14164
14165@@ -198,13 +204,21 @@ bottomup:
58c5fc13
MT		 14166 * can happen with large stack limits and large mmap()
14167 * allocations.
14168 */
14169+ mm->mmap_base = TASK_UNMAPPED_BASE;
14170+
14171+#ifdef CONFIG_PAX_RANDMMAP
14172+ if (mm->pax_flags & MF_PAX_RANDMMAP)
14173+ mm->mmap_base += mm->delta_mmap;
14174+#endif
14175+
14176+ mm->free_area_cache = mm->mmap_base;
14177 mm->cached_hole_size = ~0UL;
14178- mm->free_area_cache = TASK_UNMAPPED_BASE;
14179 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14180 /*
14181 * Restore the topdown base:
14182 */
14183- mm->free_area_cache = mm->mmap_base;
14184+ mm->mmap_base = base;
14185+ mm->free_area_cache = base;
14186 mm->cached_hole_size = ~0UL;
14187
14188 return addr;
57199397
MT		 14189diff -urNp linux-2.6.35.4/arch/x86/kernel/time.c linux-2.6.35.4/arch/x86/kernel/time.c
14190--- linux-2.6.35.4/arch/x86/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
14191+++ linux-2.6.35.4/arch/x86/kernel/time.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 14192@@ -26,17 +26,13 @@
14193 int timer_ack;
14194 #endif
14195
14196-#ifdef CONFIG_X86_64
14197-volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14198-#endif
14199-
14200 unsigned long profile_pc(struct pt_regs *regs)
14201 {
58c5fc13
MT		 14202 unsigned long pc = instruction_pointer(regs);
14203
58c5fc13
MT		 14204- if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14205+ if (!user_mode(regs) && in_lock_functions(pc)) {
14206 #ifdef CONFIG_FRAME_POINTER
14207- return *(unsigned long *)(regs->bp + sizeof(long));
14208+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14209 #else
ae4e228f
MT		 14210 unsigned long *sp =
14211 (unsigned long *)kernel_stack_pointer(regs);
14212@@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14213 * or above a saved flags. Eflags has bits 22-31 zero,
14214 * kernel addresses don't.
14215 */
58c5fc13
MT		 14216+
14217+#ifdef CONFIG_PAX_KERNEXEC
14218+ return ktla_ktva(sp[0]);
14219+#else
14220 if (sp[0] >> 22)
14221 return sp[0];
14222 if (sp[1] >> 22)
14223 return sp[1];
14224 #endif
14225+
14226+#endif
14227 }
58c5fc13
MT		 14228 return pc;
14229 }
57199397
MT		 14230diff -urNp linux-2.6.35.4/arch/x86/kernel/tls.c linux-2.6.35.4/arch/x86/kernel/tls.c
14231--- linux-2.6.35.4/arch/x86/kernel/tls.c 2010-08-26 19:47:12.000000000 -0400
14232+++ linux-2.6.35.4/arch/x86/kernel/tls.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 14233@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14234 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14235 return -EINVAL;
14236
14237+#ifdef CONFIG_PAX_SEGMEXEC
14238+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14239+ return -EINVAL;
14240+#endif
14241+
14242 set_tls_desc(p, idx, &info, 1);
14243
14244 return 0;
57199397
MT		 14245diff -urNp linux-2.6.35.4/arch/x86/kernel/trampoline_32.S linux-2.6.35.4/arch/x86/kernel/trampoline_32.S
14246--- linux-2.6.35.4/arch/x86/kernel/trampoline_32.S 2010-08-26 19:47:12.000000000 -0400
14247+++ linux-2.6.35.4/arch/x86/kernel/trampoline_32.S 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 14248@@ -32,6 +32,12 @@
14249 #include <asm/segment.h>
14250 #include <asm/page_types.h>
14251
14252+#ifdef CONFIG_PAX_KERNEXEC
14253+#define ta(X) (X)
14254+#else
14255+#define ta(X) ((X) - __PAGE_OFFSET)
14256+#endif
14257+
14258 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14259 __CPUINITRODATA
14260 .code16
14261@@ -60,7 +66,7 @@ r_base = .
14262 inc %ax # protected mode (PE) bit
14263 lmsw %ax # into protected mode
14264 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14265- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14266+ ljmpl $__BOOT_CS, $ta(startup_32_smp)
14267
14268 # These need to be in the same 64K segment as the above;
14269 # hence we don't use the boot_gdt_descr defined in head.S
57199397
MT		 14270diff -urNp linux-2.6.35.4/arch/x86/kernel/traps.c linux-2.6.35.4/arch/x86/kernel/traps.c
14271--- linux-2.6.35.4/arch/x86/kernel/traps.c 2010-08-26 19:47:12.000000000 -0400
14272+++ linux-2.6.35.4/arch/x86/kernel/traps.c 2010-09-17 20:12:09.000000000 -0400
14273@@ -70,12 +70,6 @@ asmlinkage int system_call(void);
58c5fc13
MT		 14274
14275 /* Do we ignore FPU interrupts ? */
14276 char ignore_fpu_irq;
14277-
14278-/*
14279- * The IDT has to be page-aligned to simplify the Pentium
ae4e228f 14280- * F0 0F bug workaround.
58c5fc13 14281- */
ae4e228f 14282-gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
58c5fc13
MT		 14283 #endif
14284
14285 DECLARE_BITMAP(used_vectors, NR_VECTORS);
57199397 14286@@ -110,13 +104,13 @@ static inline void preempt_conditional_c
58c5fc13 14287 }
ae4e228f
MT		 14288
14289 static void __kprobes
14290-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14291+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14292 long error_code, siginfo_t *info)
14293 {
58c5fc13
MT		 14294 struct task_struct *tsk = current;
14295
14296 #ifdef CONFIG_X86_32
14297- if (regs->flags & X86_VM_MASK) {
14298+ if (v8086_mode(regs)) {
14299 /*
14300 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14301 * On nmi (interrupt 2), do_trap should not be called.
57199397 14302@@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
58c5fc13
MT		 14303 }
14304 #endif
14305
14306- if (!user_mode(regs))
14307+ if (!user_mode_novm(regs))
14308 goto kernel_trap;
14309
14310 #ifdef CONFIG_X86_32
57199397 14311@@ -150,7 +144,7 @@ trap_signal:
58c5fc13
MT		 14312 printk_ratelimit()) {
14313 printk(KERN_INFO
14314 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14315- tsk->comm, tsk->pid, str,
14316+ tsk->comm, task_pid_nr(tsk), str,
14317 regs->ip, regs->sp, error_code);
14318 print_vma_addr(" in ", regs->ip);
14319 printk("\n");
57199397 14320@@ -167,8 +161,20 @@ kernel_trap:
ae4e228f
MT		 14321 if (!fixup_exception(regs)) {
14322 tsk->thread.error_code = error_code;
58c5fc13 14323 tsk->thread.trap_no = trapnr;
ae4e228f
MT		 14324+
14325+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14326+ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14327+ str = "PAX: suspicious stack segment fault";
14328+#endif
14329+
58c5fc13
MT		 14330 die(str, regs, error_code);
14331 }
14332+
14333+#ifdef CONFIG_PAX_REFCOUNT
14334+ if (trapnr == 4)
14335+ pax_report_refcount_overflow(regs);
14336+#endif
14337+
14338 return;
14339
14340 #ifdef CONFIG_X86_32
57199397 14341@@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
58c5fc13
MT		 14342 conditional_sti(regs);
14343
14344 #ifdef CONFIG_X86_32
14345- if (regs->flags & X86_VM_MASK)
14346+ if (v8086_mode(regs))
14347 goto gp_in_vm86;
14348 #endif
14349
14350 tsk = current;
14351- if (!user_mode(regs))
14352+ if (!user_mode_novm(regs))
14353 goto gp_in_kernel;
14354
14355+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
ae4e228f 14356+ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
58c5fc13
MT		 14357+ struct mm_struct *mm = tsk->mm;
14358+ unsigned long limit;
14359+
14360+ down_write(&mm->mmap_sem);
14361+ limit = mm->context.user_cs_limit;
14362+ if (limit < TASK_SIZE) {
14363+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14364+ up_write(&mm->mmap_sem);
14365+ return;
14366+ }
14367+ up_write(&mm->mmap_sem);
14368+ }
14369+#endif
14370+
14371 tsk->thread.error_code = error_code;
14372 tsk->thread.trap_no = 13;
14373
57199397 14374@@ -297,6 +319,13 @@ gp_in_kernel:
58c5fc13
MT		 14375 if (notify_die(DIE_GPF, "general protection fault", regs,
14376 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14377 return;
14378+
14379+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
ae4e228f 14380+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
58c5fc13
MT		 14381+ die("PAX: suspicious general protection fault", regs, error_code);
14382+ else
14383+#endif
14384+
14385 die("general protection fault", regs, error_code);
14386 }
14387
57199397 14388@@ -565,7 +594,7 @@ dotraplinkage void __kprobes do_debug(st
ae4e228f
MT		 14389 /* It's safe to allow irq's after DR6 has been saved */
14390 preempt_conditional_sti(regs);
58c5fc13 14391
ae4e228f
MT		 14392- if (regs->flags & X86_VM_MASK) {
14393+ if (v8086_mode(regs)) {
14394 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14395 error_code, 1);
14396 return;
57199397 14397@@ -578,7 +607,7 @@ dotraplinkage void __kprobes do_debug(st
ae4e228f
MT		 14398 * We already checked v86 mode above, so we can check for kernel mode
14399 * by just checking the CPL of CS.
58c5fc13 14400 */
ae4e228f
MT		 14401- if ((dr6 & DR_STEP) && !user_mode(regs)) {
14402+ if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14403 tsk->thread.debugreg6 &= ~DR_STEP;
14404 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14405 regs->flags &= ~X86_EFLAGS_TF;
57199397 14406@@ -607,7 +636,7 @@ void math_error(struct pt_regs *regs, in
58c5fc13 14407 return;
57199397
MT		 14408 conditional_sti(regs);
14409
14410- if (!user_mode_vm(regs))
14411+ if (!user_mode(regs))
14412 {
14413 if (!fixup_exception(regs)) {
14414 task->thread.error_code = error_code;
14415diff -urNp linux-2.6.35.4/arch/x86/kernel/tsc.c linux-2.6.35.4/arch/x86/kernel/tsc.c
14416--- linux-2.6.35.4/arch/x86/kernel/tsc.c 2010-08-26 19:47:12.000000000 -0400
14417+++ linux-2.6.35.4/arch/x86/kernel/tsc.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 14418@@ -795,7 +795,7 @@ static struct dmi_system_id __initdata b
58c5fc13
MT		 14419 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14420 },
14421 },
14422- {}
14423+ { NULL, NULL, {{0, {0}}}, NULL}
14424 };
14425
14426 static void __init check_system_tsc_reliable(void)
57199397
MT		 14427diff -urNp linux-2.6.35.4/arch/x86/kernel/vm86_32.c linux-2.6.35.4/arch/x86/kernel/vm86_32.c
14428--- linux-2.6.35.4/arch/x86/kernel/vm86_32.c 2010-08-26 19:47:12.000000000 -0400
14429+++ linux-2.6.35.4/arch/x86/kernel/vm86_32.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 14430@@ -41,6 +41,7 @@
14431 #include <linux/ptrace.h>
14432 #include <linux/audit.h>
14433 #include <linux/stddef.h>
14434+#include <linux/grsecurity.h>
14435
14436 #include <asm/uaccess.h>
14437 #include <asm/io.h>
14438@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
58c5fc13
MT		 14439 do_exit(SIGSEGV);
14440 }
14441
14442- tss = &per_cpu(init_tss, get_cpu());
14443+ tss = init_tss + get_cpu();
14444 current->thread.sp0 = current->thread.saved_sp0;
14445 current->thread.sysenter_cs = __KERNEL_CS;
14446 load_sp0(tss, &current->thread);
ae4e228f
MT		 14447@@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14448 struct task_struct *tsk;
14449 int tmp, ret = -EPERM;
14450
14451+#ifdef CONFIG_GRKERNSEC_VM86
14452+ if (!capable(CAP_SYS_RAWIO)) {
14453+ gr_handle_vm86();
14454+ goto out;
14455+ }
14456+#endif
14457+
14458 tsk = current;
14459 if (tsk->thread.saved_sp0)
14460 goto out;
14461@@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14462 int tmp, ret;
14463 struct vm86plus_struct __user *v86;
14464
14465+#ifdef CONFIG_GRKERNSEC_VM86
14466+ if (!capable(CAP_SYS_RAWIO)) {
14467+ gr_handle_vm86();
14468+ ret = -EPERM;
14469+ goto out;
14470+ }
14471+#endif
14472+
14473 tsk = current;
14474 switch (cmd) {
14475 case VM86_REQUEST_IRQ:
14476@@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
58c5fc13
MT		 14477 tsk->thread.saved_fs = info->regs32->fs;
14478 tsk->thread.saved_gs = get_user_gs(info->regs32);
14479
14480- tss = &per_cpu(init_tss, get_cpu());
14481+ tss = init_tss + get_cpu();
14482 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14483 if (cpu_has_sep)
14484 tsk->thread.sysenter_cs = 0;
ae4e228f
MT		 14485@@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14486 goto cannot_handle;
14487 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14488 goto cannot_handle;
14489- intr_ptr = (unsigned long __user *) (i << 2);
14490+ intr_ptr = (__force unsigned long __user *) (i << 2);
14491 if (get_user(segoffs, intr_ptr))
14492 goto cannot_handle;
14493 if ((segoffs >> 16) == BIOSSEG)
57199397
MT		 14494diff -urNp linux-2.6.35.4/arch/x86/kernel/vmi_32.c linux-2.6.35.4/arch/x86/kernel/vmi_32.c
14495--- linux-2.6.35.4/arch/x86/kernel/vmi_32.c 2010-08-26 19:47:12.000000000 -0400
14496+++ linux-2.6.35.4/arch/x86/kernel/vmi_32.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 14497@@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1)))
ae4e228f
MT		 14498 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14499
14500 #define call_vrom_func(rom,func) \
14501- (((VROMFUNC *)(rom->func))())
14502+ (((VROMFUNC *)(ktva_ktla(rom.func)))())
14503
14504 #define call_vrom_long_func(rom,func,arg) \
14505- (((VROMLONGFUNC *)(rom->func)) (arg))
14506+({\
14507+ u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14508+ struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14509+ __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14510+ __reloc;\
14511+})
14512
14513-static struct vrom_header *vmi_rom;
14514+static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14515 static int disable_pge;
14516 static int disable_pse;
14517 static int disable_sep;
df50ba0c 14518@@ -78,10 +83,10 @@ static struct {
ae4e228f
MT		 14519 void (*set_initial_ap_state)(int, int);
14520 void (*halt)(void);
14521 void (*set_lazy_mode)(int mode);
14522-} vmi_ops;
14523+} vmi_ops __read_only;
14524
14525 /* Cached VMI operations */
14526-struct vmi_timer_ops vmi_timer_ops;
14527+struct vmi_timer_ops vmi_timer_ops __read_only;
14528
14529 /*
14530 * VMI patching routines.
df50ba0c 14531@@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
ae4e228f
MT		 14532 static inline void patch_offset(void *insnbuf,
14533 unsigned long ip, unsigned long dest)
14534 {
14535- *(unsigned long *)(insnbuf+1) = dest-ip-5;
14536+ *(unsigned long *)(insnbuf+1) = dest-ip-5;
14537 }
14538
14539 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
df50ba0c 14540@@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
58c5fc13
MT		 14541 {
14542 u64 reloc;
14543 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
58c5fc13
MT		 14544+
14545 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14546 switch(rel->type) {
14547 case VMI_RELOCATION_CALL_REL:
df50ba0c 14548@@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
58c5fc13
MT		 14549
14550 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
14551 {
14552- const pte_t pte = { .pte = 0 };
14553+ const pte_t pte = __pte(0ULL);
14554 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
14555 }
14556
14557 static void vmi_pmd_clear(pmd_t *pmd)
14558 {
14559- const pte_t pte = { .pte = 0 };
14560+ const pte_t pte = __pte(0ULL);
14561 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
14562 }
14563 #endif
df50ba0c 14564@@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
58c5fc13
MT		 14565 ap.ss = __KERNEL_DS;
14566 ap.esp = (unsigned long) start_esp;
14567
14568- ap.ds = __USER_DS;
14569- ap.es = __USER_DS;
14570+ ap.ds = __KERNEL_DS;
14571+ ap.es = __KERNEL_DS;
14572 ap.fs = __KERNEL_PERCPU;
14573 ap.gs = __KERNEL_STACK_CANARY;
14574
df50ba0c 14575@@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
ae4e228f
MT		 14576 paravirt_leave_lazy_mmu();
14577 }
58c5fc13
MT		 14578
14579+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f
MT		 14580+static unsigned long vmi_pax_open_kernel(void)
14581+{
14582+ return 0;
14583+}
14584+
14585+static unsigned long vmi_pax_close_kernel(void)
14586+{
14587+ return 0;
14588+}
58c5fc13
MT		 14589+#endif
14590+
ae4e228f
MT		 14591 static inline int __init check_vmi_rom(struct vrom_header *rom)
14592 {
14593 struct pci_header *pci;
df50ba0c 14594@@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
ae4e228f
MT		 14595 return 0;
14596 if (rom->vrom_signature != VMI_SIGNATURE)
58c5fc13 14597 return 0;
ae4e228f
MT		 14598+ if (rom->rom_length * 512 > sizeof(*rom)) {
14599+ printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
14600+ return 0;
14601+ }
14602 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
14603 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
14604 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
df50ba0c 14605@@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
ae4e228f
MT		 14606 struct vrom_header *romstart;
14607 romstart = (struct vrom_header *)isa_bus_to_virt(base);
14608 if (check_vmi_rom(romstart)) {
14609- vmi_rom = romstart;
14610+ vmi_rom = *romstart;
14611 return 1;
14612 }
58c5fc13 14613 }
df50ba0c 14614@@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
58c5fc13
MT		 14615
14616 para_fill(pv_irq_ops.safe_halt, Halt);
14617
14618+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f
MT		 14619+ pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
14620+ pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
58c5fc13
MT		 14621+#endif
14622+
14623 /*
14624 * Alternative instruction rewriting doesn't happen soon enough
14625 * to convert VMI_IRET to a call instead of a jump; so we have
df50ba0c 14626@@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
ae4e228f
MT		 14627
14628 void __init vmi_init(void)
14629 {
14630- if (!vmi_rom)
14631+ if (!vmi_rom.rom_signature)
14632 probe_vmi_rom();
14633 else
14634- check_vmi_rom(vmi_rom);
14635+ check_vmi_rom(&vmi_rom);
14636
14637 /* In case probing for or validating the ROM failed, basil */
14638- if (!vmi_rom)
14639+ if (!vmi_rom.rom_signature)
14640 return;
14641
14642- reserve_top_address(-vmi_rom->virtual_top);
14643+ reserve_top_address(-vmi_rom.virtual_top);
14644
14645 #ifdef CONFIG_X86_IO_APIC
14646 /* This is virtual hardware; timer routing is wired correctly */
df50ba0c 14647@@ -854,7 +881,7 @@ void __init vmi_activate(void)
ae4e228f
MT		 14648 {
14649 unsigned long flags;
14650
14651- if (!vmi_rom)
14652+ if (!vmi_rom.rom_signature)
14653 return;
14654
14655 local_irq_save(flags);
57199397
MT		 14656diff -urNp linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S
14657--- linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S 2010-08-26 19:47:12.000000000 -0400
14658+++ linux-2.6.35.4/arch/x86/kernel/vmlinux.lds.S 2010-09-17 20:12:09.000000000 -0400
14659@@ -26,6 +26,13 @@
58c5fc13
MT		 14660 #include <asm/page_types.h>
14661 #include <asm/cache.h>
14662 #include <asm/boot.h>
14663+#include <asm/segment.h>
14664+
58c5fc13
MT		 14665+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14666+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14667+#else
14668+#define __KERNEL_TEXT_OFFSET 0
14669+#endif
14670
14671 #undef i386 /* in case the preprocessor is a 32bit one */
14672
57199397 14673@@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
58c5fc13
MT		 14674 #ifdef CONFIG_X86_32
14675 OUTPUT_ARCH(i386)
14676 ENTRY(phys_startup_32)
14677-jiffies = jiffies_64;
14678 #else
14679 OUTPUT_ARCH(i386:x86-64)
14680 ENTRY(phys_startup_64)
14681-jiffies_64 = jiffies;
14682 #endif
14683
14684+jiffies = jiffies_64;
14685+
ae4e228f
MT		 14686 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14687 /*
14688 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
57199397 14689@@ -69,31 +76,46 @@ jiffies_64 = jiffies;
ae4e228f 14690
58c5fc13
MT		 14691 PHDRS {
14692 text PT_LOAD FLAGS(5); /* R_E */
14693- data PT_LOAD FLAGS(7); /* RWE */
57199397
MT		 14694+#ifdef CONFIG_X86_32
14695+ module PT_LOAD FLAGS(5); /* R_E */
14696+#endif
ae4e228f
MT		 14697+#ifdef CONFIG_XEN
14698+ rodata PT_LOAD FLAGS(5); /* R_E */
14699+#else
58c5fc13 14700+ rodata PT_LOAD FLAGS(4); /* R__ */
ae4e228f 14701+#endif
58c5fc13
MT		 14702+ data PT_LOAD FLAGS(6); /* RW_ */
14703 #ifdef CONFIG_X86_64
ae4e228f 14704 user PT_LOAD FLAGS(5); /* R_E */
58c5fc13
MT		 14705+#endif
14706+ init.begin PT_LOAD FLAGS(6); /* RW_ */
14707 #ifdef CONFIG_SMP
ae4e228f 14708 percpu PT_LOAD FLAGS(6); /* RW_ */
58c5fc13
MT		 14709 #endif
14710+ text.init PT_LOAD FLAGS(5); /* R_E */
14711+ text.exit PT_LOAD FLAGS(5); /* R_E */
14712 init PT_LOAD FLAGS(7); /* RWE */
14713-#endif
14714 note PT_NOTE FLAGS(0); /* ___ */
14715 }
14716
14717 SECTIONS
14718 {
14719 #ifdef CONFIG_X86_32
14720- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14721- phys_startup_32 = startup_32 - LOAD_OFFSET;
14722+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14723 #else
14724- . = __START_KERNEL;
14725- phys_startup_64 = startup_64 - LOAD_OFFSET;
14726+ . = __START_KERNEL;
14727 #endif
14728
14729 /* Text and read-only data */
ae4e228f
MT		 14730- .text : AT(ADDR(.text) - LOAD_OFFSET) {
14731- _text = .;
58c5fc13 14732+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
ae4e228f 14733 /* bootstrapping code */
58c5fc13
MT		 14734+#ifdef CONFIG_X86_32
14735+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14736+#else
14737+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14738+#endif
14739+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
ae4e228f
MT		 14740+ _text = .;
14741 HEAD_TEXT
58c5fc13 14742 #ifdef CONFIG_X86_32
58c5fc13 14743 . = ALIGN(PAGE_SIZE);
57199397 14744@@ -108,13 +130,50 @@ SECTIONS
ae4e228f
MT		 14745 IRQENTRY_TEXT
14746 *(.fixup)
14747 *(.gnu.warning)
14748- /* End of text section */
14749- _etext = .;
58c5fc13
MT		 14750 } :text = 0x9090
14751
14752- NOTES :text :note
14753+ . += __KERNEL_TEXT_OFFSET;
df50ba0c 14754+
58c5fc13
MT		 14755+#ifdef CONFIG_X86_32
14756+ . = ALIGN(PAGE_SIZE);
ae4e228f
MT		 14757+ .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
14758+ *(.vmi.rom)
14759+ } :module
14760+
58c5fc13
MT		 14761+ . = ALIGN(PAGE_SIZE);
14762+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
ae4e228f
MT		 14763+
14764+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
58c5fc13
MT		 14765+ MODULES_EXEC_VADDR = .;
14766+ BYTE(0)
ae4e228f 14767+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
57199397 14768+ . = ALIGN(HPAGE_SIZE);
58c5fc13 14769+ MODULES_EXEC_END = . - 1;
58c5fc13 14770+#endif
ae4e228f
MT		 14771+
14772+ } :module
58c5fc13
MT		 14773+#endif
14774+
57199397 14775+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
ae4e228f
MT		 14776+ /* End of text section */
14777+ _etext = . - __KERNEL_TEXT_OFFSET;
57199397
MT		 14778+ }
14779+
14780+#ifdef CONFIG_X86_32
14781+ . = ALIGN(PAGE_SIZE);
14782+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14783+ *(.idt)
14784+ . = ALIGN(PAGE_SIZE);
14785+ *(.empty_zero_page)
14786+ *(.swapper_pg_pmd)
14787+ *(.swapper_pg_dir)
14788+ } :rodata
14789+#endif
14790+
14791+ . = ALIGN(PAGE_SIZE);
14792+ NOTES :rodata :note
14793
14794- EXCEPTION_TABLE(16) :text = 0x9090
14795+ EXCEPTION_TABLE(16) :rodata
14796
14797 X64_ALIGN_DEBUG_RODATA_BEGIN
14798 RO_DATA(PAGE_SIZE)
14799@@ -122,16 +181,20 @@ SECTIONS
14800
14801 /* Data */
14802 .data : AT(ADDR(.data) - LOAD_OFFSET) {
58c5fc13
MT		 14803+
14804+#ifdef CONFIG_PAX_KERNEXEC
57199397 14805+ . = ALIGN(HPAGE_SIZE);
58c5fc13
MT		 14806+#else
14807+ . = ALIGN(PAGE_SIZE);
14808+#endif
14809+
14810 /* Start of data section */
14811 _sdata = .;
14812
14813 /* init_task */
14814 INIT_TASK_DATA(THREAD_SIZE)
14815
14816-#ifdef CONFIG_X86_32
14817- /* 32 bit has nosave before _edata */
14818 NOSAVE_DATA
14819-#endif
14820
14821 PAGE_ALIGNED_DATA(PAGE_SIZE)
ae4e228f 14822
57199397 14823@@ -194,12 +257,6 @@ SECTIONS
58c5fc13
MT		 14824 }
14825 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14826
ae4e228f 14827- . = ALIGN(L1_CACHE_BYTES);
58c5fc13
MT		 14828- .jiffies : AT(VLOAD(.jiffies)) {
14829- *(.jiffies)
14830- }
14831- jiffies = VVIRT(.jiffies);
14832-
14833 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14834 *(.vsyscall_3)
14835 }
57199397 14836@@ -215,12 +272,19 @@ SECTIONS
58c5fc13
MT		 14837 #endif /* CONFIG_X86_64 */
14838
14839 /* Init code and data - will be freed after init */
14840- . = ALIGN(PAGE_SIZE);
14841 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14842+ BYTE(0)
14843+
14844+#ifdef CONFIG_PAX_KERNEXEC
57199397 14845+ . = ALIGN(HPAGE_SIZE);
58c5fc13
MT		 14846+#else
14847+ . = ALIGN(PAGE_SIZE);
14848+#endif
14849+
14850 __init_begin = .; /* paired with __init_end */
14851- }
14852+ } :init.begin
14853
14854-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14855+#ifdef CONFIG_SMP
14856 /*
14857 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14858 * output PHDR, so the next output section - .init.text - should
57199397 14859@@ -229,12 +293,27 @@ SECTIONS
58c5fc13
MT		 14860 PERCPU_VADDR(0, :percpu)
14861 #endif
14862
ae4e228f 14863- INIT_TEXT_SECTION(PAGE_SIZE)
58c5fc13
MT		 14864-#ifdef CONFIG_X86_64
14865- :init
14866-#endif
ae4e228f
MT		 14867+ . = ALIGN(PAGE_SIZE);
14868+ init_begin = .;
14869+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14870+ VMLINUX_SYMBOL(_sinittext) = .;
14871+ INIT_TEXT
14872+ VMLINUX_SYMBOL(_einittext) = .;
14873+ . = ALIGN(PAGE_SIZE);
58c5fc13 14874+ } :text.init
57199397 14875+
58c5fc13
MT		 14876+ /*
14877+ * .exit.text is discard at runtime, not link time, to deal with
14878+ * references from .altinstructions and .eh_frame
14879+ */
57199397 14880+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
58c5fc13
MT		 14881+ EXIT_TEXT
14882+ . = ALIGN(16);
14883+ } :text.exit
14884+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
57199397
MT		 14885
14886- INIT_DATA_SECTION(16)
ae4e228f
MT		 14887+ . = ALIGN(PAGE_SIZE);
14888+ INIT_DATA_SECTION(16) :init
58c5fc13 14889
ae4e228f
MT		 14890 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14891 __x86_cpu_dev_start = .;
57199397 14892@@ -260,19 +339,11 @@ SECTIONS
58c5fc13
MT		 14893 *(.altinstr_replacement)
14894 }
14895
14896- /*
14897- * .exit.text is discard at runtime, not link time, to deal with
14898- * references from .altinstructions and .eh_frame
14899- */
14900- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14901- EXIT_TEXT
14902- }
14903-
14904 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14905 EXIT_DATA
14906 }
58c5fc13
MT		 14907
14908-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14909+#ifndef CONFIG_SMP
14910 PERCPU(PAGE_SIZE)
14911 #endif
14912
57199397 14913@@ -291,16 +362,10 @@ SECTIONS
df50ba0c
MT		 14914 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
14915 __smp_locks = .;
14916 *(.smp_locks)
14917- . = ALIGN(PAGE_SIZE);
14918 __smp_locks_end = .;
14919+ . = ALIGN(PAGE_SIZE);
58c5fc13
MT		 14920 }
14921
14922-#ifdef CONFIG_X86_64
14923- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
14924- NOSAVE_DATA
14925- }
14926-#endif
14927-
14928 /* BSS */
14929 . = ALIGN(PAGE_SIZE);
14930 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
57199397 14931@@ -316,6 +381,7 @@ SECTIONS
58c5fc13
MT		 14932 __brk_base = .;
14933 . += 64 * 1024; /* 64k alignment slop space */
14934 *(.brk_reservation) /* areas brk users have reserved */
57199397 14935+ . = ALIGN(HPAGE_SIZE);
58c5fc13
MT		 14936 __brk_limit = .;
14937 }
14938
57199397 14939@@ -342,13 +408,12 @@ SECTIONS
58c5fc13
MT		 14940 * for the boot processor.
14941 */
df50ba0c 14942 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
58c5fc13
MT		 14943-INIT_PER_CPU(gdt_page);
14944 INIT_PER_CPU(irq_stack_union);
14945
14946 /*
14947 * Build-time check on the image size:
14948 */
14949-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
14950+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
14951 "kernel image bigger than KERNEL_IMAGE_SIZE");
14952
14953 #ifdef CONFIG_SMP
57199397
MT		 14954diff -urNp linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c
14955--- linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c 2010-08-26 19:47:12.000000000 -0400
14956+++ linux-2.6.35.4/arch/x86/kernel/vsyscall_64.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 14957@@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
58c5fc13
MT		 14958
14959 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
14960 /* copy vsyscall data */
14961+ strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
14962 vsyscall_gtod_data.clock.vread = clock->vread;
14963 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
14964 vsyscall_gtod_data.clock.mask = clock->mask;
ae4e228f 14965@@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
58c5fc13
MT		 14966 We do this here because otherwise user space would do it on
14967 its own in a likely inferior way (no access to jiffies).
14968 If you don't like it pass NULL. */
14969- if (tcache && tcache->blob[0] == (j = __jiffies)) {
14970+ if (tcache && tcache->blob[0] == (j = jiffies)) {
14971 p = tcache->blob[1];
14972 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
14973 /* Load per CPU data from RDTSCP */
57199397
MT		 14974diff -urNp linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c
14975--- linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c 2010-08-26 19:47:12.000000000 -0400
14976+++ linux-2.6.35.4/arch/x86/kernel/x8664_ksyms_64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 14977@@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
14978 EXPORT_SYMBOL(copy_user_generic_string);
14979 EXPORT_SYMBOL(copy_user_generic_unrolled);
58c5fc13 14980 EXPORT_SYMBOL(__copy_user_nocache);
ae4e228f
MT		 14981-EXPORT_SYMBOL(_copy_from_user);
14982-EXPORT_SYMBOL(_copy_to_user);
58c5fc13
MT		 14983
14984 EXPORT_SYMBOL(copy_page);
ae4e228f 14985 EXPORT_SYMBOL(clear_page);
57199397
MT		 14986diff -urNp linux-2.6.35.4/arch/x86/kernel/xsave.c linux-2.6.35.4/arch/x86/kernel/xsave.c
14987--- linux-2.6.35.4/arch/x86/kernel/xsave.c 2010-08-26 19:47:12.000000000 -0400
14988+++ linux-2.6.35.4/arch/x86/kernel/xsave.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 14989@@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
14990 fx_sw_user->xstate_size > fx_sw_user->extended_size)
14991 return -1;
14992
14993- err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
14994+ err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
14995 fx_sw_user->extended_size -
14996 FP_XSTATE_MAGIC2_SIZE));
14997 /*
14998@@ -196,7 +196,7 @@ fx_only:
14999 * the other extended state.
15000 */
15001 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15002- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15003+ return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15004 }
15005
15006 /*
15007@@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
57199397 15008 if (use_xsave())
ae4e228f
MT		 15009 err = restore_user_xstate(buf);
15010 else
15011- err = fxrstor_checking((__force struct i387_fxsave_struct *)
15012+ err = fxrstor_checking((struct i387_fxsave_struct __user *)
15013 buf);
15014 if (unlikely(err)) {
15015 /*
57199397
MT		 15016diff -urNp linux-2.6.35.4/arch/x86/kvm/emulate.c linux-2.6.35.4/arch/x86/kvm/emulate.c
15017--- linux-2.6.35.4/arch/x86/kvm/emulate.c 2010-08-26 19:47:12.000000000 -0400
15018+++ linux-2.6.35.4/arch/x86/kvm/emulate.c 2010-09-17 20:12:09.000000000 -0400
15019@@ -88,11 +88,11 @@
df50ba0c
MT		 15020 #define Src2CL (1<<29)
15021 #define Src2ImmByte (2<<29)
15022 #define Src2One (3<<29)
15023-#define Src2Imm16 (4<<29)
57199397 15024-#define Src2Mem16 (5<<29) /* Used for Ep encoding. First argument has to be
df50ba0c 15025+#define Src2Imm16 (4U<<29)
57199397
MT		 15026+#define Src2Mem16 (5U<<29) /* Used for Ep encoding. First argument has to be
15027 in memory and second argument is located
15028 immediately after the first one in memory. */
15029-#define Src2Mask (7<<29)
df50ba0c
MT		 15030+#define Src2Mask (7U<<29)
15031
15032 enum {
15033 Group1_80, Group1_81, Group1_82, Group1_83,
57199397 15034@@ -446,6 +446,7 @@ static u32 group2_table[] = {
ae4e228f
MT		 15035
15036 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
15037 do { \
15038+ unsigned long _tmp; \
15039 __asm__ __volatile__ ( \
15040 _PRE_EFLAGS("0", "4", "2") \
15041 _op _suffix " %"_x"3,%1; " \
57199397 15042@@ -459,8 +460,6 @@ static u32 group2_table[] = {
ae4e228f
MT		 15043 /* Raw emulation: instruction has two explicit operands. */
15044 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15045 do { \
15046- unsigned long _tmp; \
15047- \
15048 switch ((_dst).bytes) { \
15049 case 2: \
15050 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
57199397 15051@@ -476,7 +475,6 @@ static u32 group2_table[] = {
ae4e228f
MT		 15052
15053 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15054 do { \
15055- unsigned long _tmp; \
15056 switch ((_dst).bytes) { \
15057 case 1: \
15058 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
57199397
MT		 15059diff -urNp linux-2.6.35.4/arch/x86/kvm/lapic.c linux-2.6.35.4/arch/x86/kvm/lapic.c
15060--- linux-2.6.35.4/arch/x86/kvm/lapic.c 2010-08-26 19:47:12.000000000 -0400
15061+++ linux-2.6.35.4/arch/x86/kvm/lapic.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 15062@@ -52,7 +52,7 @@
15063 #define APIC_BUS_CYCLE_NS 1
15064
15065 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15066-#define apic_debug(fmt, arg...)
15067+#define apic_debug(fmt, arg...) do {} while (0)
15068
15069 #define APIC_LVT_NUM 6
15070 /* 14 is the version for Xeon and Pentium 8.4.8*/
57199397
MT		 15071diff -urNp linux-2.6.35.4/arch/x86/kvm/svm.c linux-2.6.35.4/arch/x86/kvm/svm.c
15072--- linux-2.6.35.4/arch/x86/kvm/svm.c 2010-08-26 19:47:12.000000000 -0400
15073+++ linux-2.6.35.4/arch/x86/kvm/svm.c 2010-09-17 20:12:09.000000000 -0400
15074@@ -2796,7 +2796,11 @@ static void reload_tss(struct kvm_vcpu *
58c5fc13
MT		 15075 int cpu = raw_smp_processor_id();
15076
ae4e228f 15077 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
58c5fc13 15078+
ae4e228f
MT		 15079+ pax_open_kernel();
15080 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15081+ pax_close_kernel();
58c5fc13
MT		 15082+
15083 load_TR_desc();
15084 }
15085
57199397
MT		 15086@@ -3337,7 +3341,7 @@ static void svm_fpu_deactivate(struct kv
15087 update_cr0_intercept(svm);
58c5fc13
MT		 15088 }
15089
15090-static struct kvm_x86_ops svm_x86_ops = {
15091+static const struct kvm_x86_ops svm_x86_ops = {
15092 .cpu_has_kvm_support = has_svm,
15093 .disabled_by_bios = is_disabled,
15094 .hardware_setup = svm_hardware_setup,
57199397
MT		 15095diff -urNp linux-2.6.35.4/arch/x86/kvm/vmx.c linux-2.6.35.4/arch/x86/kvm/vmx.c
15096--- linux-2.6.35.4/arch/x86/kvm/vmx.c 2010-08-26 19:47:12.000000000 -0400
15097+++ linux-2.6.35.4/arch/x86/kvm/vmx.c 2010-09-17 20:12:09.000000000 -0400
15098@@ -653,7 +653,11 @@ static void reload_tss(void)
58c5fc13 15099
57199397
MT		 15100 native_store_gdt(&gdt);
15101 descs = (void *)gdt.address;
58c5fc13 15102+
ae4e228f 15103+ pax_open_kernel();
58c5fc13 15104 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
ae4e228f 15105+ pax_close_kernel();
58c5fc13
MT		 15106+
15107 load_TR_desc();
15108 }
15109
57199397 15110@@ -1550,8 +1554,11 @@ static __init int hardware_setup(void)
58c5fc13
MT		 15111 if (!cpu_has_vmx_flexpriority())
15112 flexpriority_enabled = 0;
15113
15114- if (!cpu_has_vmx_tpr_shadow())
15115- kvm_x86_ops->update_cr8_intercept = NULL;
15116+ if (!cpu_has_vmx_tpr_shadow()) {
ae4e228f 15117+ pax_open_kernel();
58c5fc13 15118+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
ae4e228f 15119+ pax_close_kernel();
58c5fc13
MT		 15120+ }
15121
ae4e228f
MT		 15122 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15123 kvm_disable_largepages();
57199397
MT		 15124@@ -2533,7 +2540,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15125 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
58c5fc13
MT		 15126
15127 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15128- vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15129+ vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15130 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15131 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
57199397
MT		 15132 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15133@@ -3909,6 +3916,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
58c5fc13
MT		 15134 "jmp .Lkvm_vmx_return \n\t"
15135 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15136 ".Lkvm_vmx_return: "
15137+
15138+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15139+ "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15140+ ".Lkvm_vmx_return2: "
15141+#endif
15142+
15143 /* Save guest registers, load host registers, keep flags */
15144 "xchg %0, (%%"R"sp) \n\t"
15145 "mov %%"R"ax, %c[rax](%0) \n\t"
57199397 15146@@ -3955,8 +3968,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
58c5fc13
MT		 15147 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15148 #endif
15149 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15150+
15151+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15152+ ,[cs]"i"(__KERNEL_CS)
15153+#endif
15154+
15155 : "cc", "memory"
df50ba0c
MT		 15156- , R"bx", R"di", R"si"
15157+ , R"ax", R"bx", R"di", R"si"
58c5fc13 15158 #ifdef CONFIG_X86_64
df50ba0c
MT		 15159 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
15160 #endif
57199397 15161@@ -3970,7 +3988,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
58c5fc13
MT		 15162 if (vmx->rmode.irq.pending)
15163 fixup_rmode_irq(vmx);
15164
15165- asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15166+ asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
15167 vmx->launched = 1;
15168
15169 vmx_complete_interrupts(vmx);
57199397 15170@@ -4191,7 +4209,7 @@ static void vmx_set_supported_cpuid(u32
efbe55a5 15171 {
58c5fc13
MT		 15172 }
15173
15174-static struct kvm_x86_ops vmx_x86_ops = {
15175+static const struct kvm_x86_ops vmx_x86_ops = {
15176 .cpu_has_kvm_support = cpu_has_kvm_support,
15177 .disabled_by_bios = vmx_disabled_by_bios,
15178 .hardware_setup = hardware_setup,
57199397
MT		 15179diff -urNp linux-2.6.35.4/arch/x86/kvm/x86.c linux-2.6.35.4/arch/x86/kvm/x86.c
15180--- linux-2.6.35.4/arch/x86/kvm/x86.c 2010-08-26 19:47:12.000000000 -0400
15181+++ linux-2.6.35.4/arch/x86/kvm/x86.c 2010-09-17 20:12:09.000000000 -0400
15182@@ -86,7 +86,7 @@ static void update_cr8_intercept(struct
ae4e228f
MT		 15183 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15184 struct kvm_cpuid_entry2 __user *entries);
58c5fc13
MT		 15185
15186-struct kvm_x86_ops *kvm_x86_ops;
15187+const struct kvm_x86_ops *kvm_x86_ops;
15188 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15189
ae4e228f 15190 int ignore_msrs = 0;
57199397 15191@@ -112,38 +112,38 @@ static struct kvm_shared_msrs_global __r
ae4e228f
MT		 15192 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15193
58c5fc13
MT		 15194 struct kvm_stats_debugfs_item debugfs_entries[] = {
15195- { "pf_fixed", VCPU_STAT(pf_fixed) },
15196- { "pf_guest", VCPU_STAT(pf_guest) },
15197- { "tlb_flush", VCPU_STAT(tlb_flush) },
15198- { "invlpg", VCPU_STAT(invlpg) },
15199- { "exits", VCPU_STAT(exits) },
15200- { "io_exits", VCPU_STAT(io_exits) },
15201- { "mmio_exits", VCPU_STAT(mmio_exits) },
15202- { "signal_exits", VCPU_STAT(signal_exits) },
15203- { "irq_window", VCPU_STAT(irq_window_exits) },
15204- { "nmi_window", VCPU_STAT(nmi_window_exits) },
15205- { "halt_exits", VCPU_STAT(halt_exits) },
15206- { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15207- { "hypercalls", VCPU_STAT(hypercalls) },
15208- { "request_irq", VCPU_STAT(request_irq_exits) },
15209- { "irq_exits", VCPU_STAT(irq_exits) },
15210- { "host_state_reload", VCPU_STAT(host_state_reload) },
15211- { "efer_reload", VCPU_STAT(efer_reload) },
15212- { "fpu_reload", VCPU_STAT(fpu_reload) },
15213- { "insn_emulation", VCPU_STAT(insn_emulation) },
15214- { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15215- { "irq_injections", VCPU_STAT(irq_injections) },
15216- { "nmi_injections", VCPU_STAT(nmi_injections) },
15217- { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15218- { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15219- { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15220- { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15221- { "mmu_flooded", VM_STAT(mmu_flooded) },
15222- { "mmu_recycled", VM_STAT(mmu_recycled) },
15223- { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15224- { "mmu_unsync", VM_STAT(mmu_unsync) },
15225- { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15226- { "largepages", VM_STAT(lpages) },
15227+ { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15228+ { "pf_guest", VCPU_STAT(pf_guest), NULL },
15229+ { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15230+ { "invlpg", VCPU_STAT(invlpg), NULL },
15231+ { "exits", VCPU_STAT(exits), NULL },
15232+ { "io_exits", VCPU_STAT(io_exits), NULL },
15233+ { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15234+ { "signal_exits", VCPU_STAT(signal_exits), NULL },
15235+ { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15236+ { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15237+ { "halt_exits", VCPU_STAT(halt_exits), NULL },
15238+ { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15239+ { "hypercalls", VCPU_STAT(hypercalls), NULL },
15240+ { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15241+ { "irq_exits", VCPU_STAT(irq_exits), NULL },
15242+ { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15243+ { "efer_reload", VCPU_STAT(efer_reload), NULL },
15244+ { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15245+ { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15246+ { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15247+ { "irq_injections", VCPU_STAT(irq_injections), NULL },
15248+ { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15249+ { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15250+ { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15251+ { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15252+ { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15253+ { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15254+ { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15255+ { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15256+ { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15257+ { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15258+ { "largepages", VM_STAT(lpages), NULL },
15259 { NULL }
15260 };
15261
57199397 15262@@ -1672,6 +1672,8 @@ long kvm_arch_dev_ioctl(struct file *fil
ae4e228f
MT		 15263 if (n < msr_list.nmsrs)
15264 goto out;
15265 r = -EFAULT;
15266+ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15267+ goto out;
15268 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15269 num_msrs_to_save * sizeof(u32)))
15270 goto out;
57199397 15271@@ -2103,7 +2105,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
58c5fc13
MT		 15272 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15273 struct kvm_interrupt *irq)
15274 {
15275- if (irq->irq < 0 || irq->irq >= 256)
15276+ if (irq->irq >= 256)
15277 return -EINVAL;
15278 if (irqchip_in_kernel(vcpu->kvm))
15279 return -ENXIO;
57199397 15280@@ -4070,10 +4072,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
ae4e228f 15281 }
57199397 15282 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
58c5fc13
MT		 15283
15284-int kvm_arch_init(void *opaque)
15285+int kvm_arch_init(const void *opaque)
15286 {
ae4e228f 15287 int r;
58c5fc13
MT		 15288- struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15289+ const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15290
15291 if (kvm_x86_ops) {
15292 printk(KERN_ERR "kvm: already loaded the other module\n");
57199397
MT		 15293diff -urNp linux-2.6.35.4/arch/x86/lib/checksum_32.S linux-2.6.35.4/arch/x86/lib/checksum_32.S
15294--- linux-2.6.35.4/arch/x86/lib/checksum_32.S 2010-08-26 19:47:12.000000000 -0400
15295+++ linux-2.6.35.4/arch/x86/lib/checksum_32.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 15296@@ -28,7 +28,8 @@
15297 #include <linux/linkage.h>
15298 #include <asm/dwarf2.h>
15299 #include <asm/errno.h>
15300-
15301+#include <asm/segment.h>
15302+
15303 /*
15304 * computes a partial checksum, e.g. for TCP/UDP fragments
15305 */
15306@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15307
15308 #define ARGBASE 16
15309 #define FP 12
15310-
15311-ENTRY(csum_partial_copy_generic)
15312+
15313+ENTRY(csum_partial_copy_generic_to_user)
15314 CFI_STARTPROC
15315+ pushl $(__USER_DS)
15316+ CFI_ADJUST_CFA_OFFSET 4
15317+ popl %es
15318+ CFI_ADJUST_CFA_OFFSET -4
15319+ jmp csum_partial_copy_generic
15320+
15321+ENTRY(csum_partial_copy_generic_from_user)
15322+ pushl $(__USER_DS)
15323+ CFI_ADJUST_CFA_OFFSET 4
15324+ popl %ds
15325+ CFI_ADJUST_CFA_OFFSET -4
15326+
15327+ENTRY(csum_partial_copy_generic)
15328 subl $4,%esp
15329 CFI_ADJUST_CFA_OFFSET 4
15330 pushl %edi
15331@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15332 jmp 4f
15333 SRC(1: movw (%esi), %bx )
15334 addl $2, %esi
15335-DST( movw %bx, (%edi) )
15336+DST( movw %bx, %es:(%edi) )
15337 addl $2, %edi
15338 addw %bx, %ax
15339 adcl $0, %eax
15340@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
15341 SRC(1: movl (%esi), %ebx )
15342 SRC( movl 4(%esi), %edx )
15343 adcl %ebx, %eax
15344-DST( movl %ebx, (%edi) )
15345+DST( movl %ebx, %es:(%edi) )
15346 adcl %edx, %eax
15347-DST( movl %edx, 4(%edi) )
15348+DST( movl %edx, %es:4(%edi) )
15349
15350 SRC( movl 8(%esi), %ebx )
15351 SRC( movl 12(%esi), %edx )
15352 adcl %ebx, %eax
15353-DST( movl %ebx, 8(%edi) )
15354+DST( movl %ebx, %es:8(%edi) )
15355 adcl %edx, %eax
15356-DST( movl %edx, 12(%edi) )
15357+DST( movl %edx, %es:12(%edi) )
15358
15359 SRC( movl 16(%esi), %ebx )
15360 SRC( movl 20(%esi), %edx )
15361 adcl %ebx, %eax
15362-DST( movl %ebx, 16(%edi) )
15363+DST( movl %ebx, %es:16(%edi) )
15364 adcl %edx, %eax
15365-DST( movl %edx, 20(%edi) )
15366+DST( movl %edx, %es:20(%edi) )
15367
15368 SRC( movl 24(%esi), %ebx )
15369 SRC( movl 28(%esi), %edx )
15370 adcl %ebx, %eax
15371-DST( movl %ebx, 24(%edi) )
15372+DST( movl %ebx, %es:24(%edi) )
15373 adcl %edx, %eax
15374-DST( movl %edx, 28(%edi) )
15375+DST( movl %edx, %es:28(%edi) )
15376
15377 lea 32(%esi), %esi
15378 lea 32(%edi), %edi
15379@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
15380 shrl $2, %edx # This clears CF
15381 SRC(3: movl (%esi), %ebx )
15382 adcl %ebx, %eax
15383-DST( movl %ebx, (%edi) )
15384+DST( movl %ebx, %es:(%edi) )
15385 lea 4(%esi), %esi
15386 lea 4(%edi), %edi
15387 dec %edx
15388@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
15389 jb 5f
15390 SRC( movw (%esi), %cx )
15391 leal 2(%esi), %esi
15392-DST( movw %cx, (%edi) )
15393+DST( movw %cx, %es:(%edi) )
15394 leal 2(%edi), %edi
15395 je 6f
15396 shll $16,%ecx
15397 SRC(5: movb (%esi), %cl )
15398-DST( movb %cl, (%edi) )
15399+DST( movb %cl, %es:(%edi) )
15400 6: addl %ecx, %eax
15401 adcl $0, %eax
15402 7:
15403@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
15404
15405 6001:
15406 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15407- movl $-EFAULT, (%ebx)
15408+ movl $-EFAULT, %ss:(%ebx)
15409
15410 # zero the complete destination - computing the rest
15411 # is too much work
15412@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
15413
15414 6002:
15415 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15416- movl $-EFAULT,(%ebx)
15417+ movl $-EFAULT,%ss:(%ebx)
15418 jmp 5000b
15419
15420 .previous
15421
15422+ pushl %ss
15423+ CFI_ADJUST_CFA_OFFSET 4
15424+ popl %ds
15425+ CFI_ADJUST_CFA_OFFSET -4
15426+ pushl %ss
15427+ CFI_ADJUST_CFA_OFFSET 4
15428+ popl %es
15429+ CFI_ADJUST_CFA_OFFSET -4
15430 popl %ebx
15431 CFI_ADJUST_CFA_OFFSET -4
15432 CFI_RESTORE ebx
15433@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
15434 CFI_ADJUST_CFA_OFFSET -4
15435 ret
15436 CFI_ENDPROC
15437-ENDPROC(csum_partial_copy_generic)
15438+ENDPROC(csum_partial_copy_generic_to_user)
15439
15440 #else
15441
15442 /* Version for PentiumII/PPro */
15443
15444 #define ROUND1(x) \
15445+ nop; nop; nop; \
15446 SRC(movl x(%esi), %ebx ) ; \
15447 addl %ebx, %eax ; \
15448- DST(movl %ebx, x(%edi) ) ;
15449+ DST(movl %ebx, %es:x(%edi)) ;
15450
15451 #define ROUND(x) \
15452+ nop; nop; nop; \
15453 SRC(movl x(%esi), %ebx ) ; \
15454 adcl %ebx, %eax ; \
15455- DST(movl %ebx, x(%edi) ) ;
15456+ DST(movl %ebx, %es:x(%edi)) ;
15457
15458 #define ARGBASE 12
15459-
15460-ENTRY(csum_partial_copy_generic)
15461+
15462+ENTRY(csum_partial_copy_generic_to_user)
15463 CFI_STARTPROC
15464+ pushl $(__USER_DS)
15465+ CFI_ADJUST_CFA_OFFSET 4
15466+ popl %es
15467+ CFI_ADJUST_CFA_OFFSET -4
15468+ jmp csum_partial_copy_generic
15469+
15470+ENTRY(csum_partial_copy_generic_from_user)
15471+ pushl $(__USER_DS)
15472+ CFI_ADJUST_CFA_OFFSET 4
15473+ popl %ds
15474+ CFI_ADJUST_CFA_OFFSET -4
15475+
15476+ENTRY(csum_partial_copy_generic)
15477 pushl %ebx
15478 CFI_ADJUST_CFA_OFFSET 4
15479 CFI_REL_OFFSET ebx, 0
15480@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
15481 subl %ebx, %edi
15482 lea -1(%esi),%edx
15483 andl $-32,%edx
15484- lea 3f(%ebx,%ebx), %ebx
15485+ lea 3f(%ebx,%ebx,2), %ebx
15486 testl %esi, %esi
15487 jmp *%ebx
15488 1: addl $64,%esi
15489@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
15490 jb 5f
15491 SRC( movw (%esi), %dx )
15492 leal 2(%esi), %esi
15493-DST( movw %dx, (%edi) )
15494+DST( movw %dx, %es:(%edi) )
15495 leal 2(%edi), %edi
15496 je 6f
15497 shll $16,%edx
15498 5:
15499 SRC( movb (%esi), %dl )
15500-DST( movb %dl, (%edi) )
15501+DST( movb %dl, %es:(%edi) )
15502 6: addl %edx, %eax
15503 adcl $0, %eax
15504 7:
15505 .section .fixup, "ax"
15506 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15507- movl $-EFAULT, (%ebx)
15508+ movl $-EFAULT, %ss:(%ebx)
15509 # zero the complete destination (computing the rest is too much work)
15510 movl ARGBASE+8(%esp),%edi # dst
15511 movl ARGBASE+12(%esp),%ecx # len
15512@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
15513 rep; stosb
15514 jmp 7b
15515 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15516- movl $-EFAULT, (%ebx)
15517+ movl $-EFAULT, %ss:(%ebx)
15518 jmp 7b
15519 .previous
15520
15521+ pushl %ss
15522+ CFI_ADJUST_CFA_OFFSET 4
15523+ popl %ds
15524+ CFI_ADJUST_CFA_OFFSET -4
15525+ pushl %ss
15526+ CFI_ADJUST_CFA_OFFSET 4
15527+ popl %es
15528+ CFI_ADJUST_CFA_OFFSET -4
15529 popl %esi
15530 CFI_ADJUST_CFA_OFFSET -4
15531 CFI_RESTORE esi
15532@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
15533 CFI_RESTORE ebx
15534 ret
15535 CFI_ENDPROC
15536-ENDPROC(csum_partial_copy_generic)
15537+ENDPROC(csum_partial_copy_generic_to_user)
15538
15539 #undef ROUND
15540 #undef ROUND1
57199397
MT		 15541diff -urNp linux-2.6.35.4/arch/x86/lib/clear_page_64.S linux-2.6.35.4/arch/x86/lib/clear_page_64.S
15542--- linux-2.6.35.4/arch/x86/lib/clear_page_64.S 2010-08-26 19:47:12.000000000 -0400
15543+++ linux-2.6.35.4/arch/x86/lib/clear_page_64.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 15544@@ -43,7 +43,7 @@ ENDPROC(clear_page)
15545
15546 #include <asm/cpufeature.h>
15547
15548- .section .altinstr_replacement,"ax"
15549+ .section .altinstr_replacement,"a"
15550 1: .byte 0xeb /* jmp <disp8> */
15551 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
15552 2:
57199397
MT		 15553diff -urNp linux-2.6.35.4/arch/x86/lib/copy_page_64.S linux-2.6.35.4/arch/x86/lib/copy_page_64.S
15554--- linux-2.6.35.4/arch/x86/lib/copy_page_64.S 2010-08-26 19:47:12.000000000 -0400
15555+++ linux-2.6.35.4/arch/x86/lib/copy_page_64.S 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 15556@@ -104,7 +104,7 @@ ENDPROC(copy_page)
15557
15558 #include <asm/cpufeature.h>
15559
15560- .section .altinstr_replacement,"ax"
15561+ .section .altinstr_replacement,"a"
15562 1: .byte 0xeb /* jmp <disp8> */
15563 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15564 2:
57199397
MT		 15565diff -urNp linux-2.6.35.4/arch/x86/lib/copy_user_64.S linux-2.6.35.4/arch/x86/lib/copy_user_64.S
15566--- linux-2.6.35.4/arch/x86/lib/copy_user_64.S 2010-08-26 19:47:12.000000000 -0400
15567+++ linux-2.6.35.4/arch/x86/lib/copy_user_64.S 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 15568@@ -15,13 +15,14 @@
15569 #include <asm/asm-offsets.h>
15570 #include <asm/thread_info.h>
15571 #include <asm/cpufeature.h>
15572+#include <asm/pgtable.h>
15573
15574 .macro ALTERNATIVE_JUMP feature,orig,alt
15575 0:
58c5fc13
MT		 15576 .byte 0xe9 /* 32bit jump */
15577 .long \orig-1f /* by default jump to orig */
15578 1:
15579- .section .altinstr_replacement,"ax"
15580+ .section .altinstr_replacement,"a"
15581 2: .byte 0xe9 /* near jump with 32bit immediate */
15582 .long \alt-1b /* offset */ /* or alternatively to alt */
15583 .previous
df50ba0c 15584@@ -64,37 +65,13 @@
58c5fc13
MT		 15585 #endif
15586 .endm
15587
15588-/* Standard copy_to_user with segment limit checking */
ae4e228f 15589-ENTRY(_copy_to_user)
58c5fc13
MT		 15590- CFI_STARTPROC
15591- GET_THREAD_INFO(%rax)
15592- movq %rdi,%rcx
15593- addq %rdx,%rcx
15594- jc bad_to_user
15595- cmpq TI_addr_limit(%rax),%rcx
15596- jae bad_to_user
15597- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15598- CFI_ENDPROC
ae4e228f 15599-ENDPROC(_copy_to_user)
58c5fc13
MT		 15600-
15601-/* Standard copy_from_user with segment limit checking */
ae4e228f 15602-ENTRY(_copy_from_user)
58c5fc13
MT		 15603- CFI_STARTPROC
15604- GET_THREAD_INFO(%rax)
15605- movq %rsi,%rcx
15606- addq %rdx,%rcx
15607- jc bad_from_user
15608- cmpq TI_addr_limit(%rax),%rcx
15609- jae bad_from_user
15610- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15611- CFI_ENDPROC
ae4e228f 15612-ENDPROC(_copy_from_user)
58c5fc13 15613-
df50ba0c
MT		 15614 .section .fixup,"ax"
15615 /* must zero dest */
58c5fc13
MT		 15616 ENTRY(bad_from_user)
15617 bad_from_user:
15618 CFI_STARTPROC
15619+ testl %edx,%edx
15620+ js bad_to_user
15621 movl %edx,%ecx
15622 xorl %eax,%eax
15623 rep
57199397
MT		 15624diff -urNp linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S
15625--- linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S 2010-08-26 19:47:12.000000000 -0400
15626+++ linux-2.6.35.4/arch/x86/lib/copy_user_nocache_64.S 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 15627@@ -14,6 +14,7 @@
15628 #include <asm/current.h>
15629 #include <asm/asm-offsets.h>
15630 #include <asm/thread_info.h>
15631+#include <asm/pgtable.h>
15632
15633 .macro ALIGN_DESTINATION
15634 #ifdef FIX_ALIGNMENT
15635@@ -50,6 +51,15 @@
15636 */
15637 ENTRY(__copy_user_nocache)
15638 CFI_STARTPROC
15639+
15640+#ifdef CONFIG_PAX_MEMORY_UDEREF
15641+ mov $PAX_USER_SHADOW_BASE,%rcx
15642+ cmp %rcx,%rsi
15643+ jae 1f
15644+ add %rcx,%rsi
15645+1:
15646+#endif
15647+
15648 cmpl $8,%edx
15649 jb 20f /* less then 8 bytes, go to byte copy loop */
15650 ALIGN_DESTINATION
57199397
MT		 15651diff -urNp linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c
15652--- linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c 2010-08-26 19:47:12.000000000 -0400
15653+++ linux-2.6.35.4/arch/x86/lib/csum-wrappers_64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 15654@@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15655 len -= 2;
15656 }
15657 }
15658+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15659+ src += PAX_USER_SHADOW_BASE;
15660 isum = csum_partial_copy_generic((__force const void *)src,
15661 dst, len, isum, errp, NULL);
15662 if (unlikely(*errp))
15663@@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15664 }
15665
15666 *errp = 0;
15667+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15668+ dst += PAX_USER_SHADOW_BASE;
15669 return csum_partial_copy_generic(src, (void __force *)dst,
15670 len, isum, NULL, errp);
15671 }
57199397
MT		 15672diff -urNp linux-2.6.35.4/arch/x86/lib/getuser.S linux-2.6.35.4/arch/x86/lib/getuser.S
15673--- linux-2.6.35.4/arch/x86/lib/getuser.S 2010-08-26 19:47:12.000000000 -0400
15674+++ linux-2.6.35.4/arch/x86/lib/getuser.S 2010-09-17 20:12:09.000000000 -0400
df50ba0c 15675@@ -33,14 +33,38 @@
58c5fc13
MT		 15676 #include <asm/asm-offsets.h>
15677 #include <asm/thread_info.h>
15678 #include <asm/asm.h>
15679+#include <asm/segment.h>
df50ba0c 15680+#include <asm/pgtable.h>
58c5fc13
MT		 15681
15682 .text
15683 ENTRY(__get_user_1)
ae4e228f 15684 CFI_STARTPROC
58c5fc13 15685+
ae4e228f 15686+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 15687+ pushl $(__USER_DS)
15688+ popl %ds
ae4e228f
MT		 15689+#else
15690 GET_THREAD_INFO(%_ASM_DX)
15691 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15692 jae bad_get_user
df50ba0c
MT		 15693+
15694+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15695+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15696+ cmp %_ASM_DX,%_ASM_AX
15697+ jae 1234f
15698+ add %_ASM_DX,%_ASM_AX
15699+1234:
15700+#endif
15701+
58c5fc13
MT		 15702+#endif
15703+
15704 1: movzb (%_ASM_AX),%edx
15705+
ae4e228f 15706+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 15707+ pushl %ss
15708+ pop %ds
15709+#endif
15710+
15711 xor %eax,%eax
15712 ret
15713 CFI_ENDPROC
df50ba0c 15714@@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
ae4e228f
MT		 15715 ENTRY(__get_user_2)
15716 CFI_STARTPROC
15717 add $1,%_ASM_AX
58c5fc13 15718+
ae4e228f 15719+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 15720+ pushl $(__USER_DS)
15721+ popl %ds
ae4e228f
MT		 15722+#else
15723 jc bad_get_user
15724 GET_THREAD_INFO(%_ASM_DX)
15725 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15726 jae bad_get_user
df50ba0c
MT		 15727+
15728+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15729+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15730+ cmp %_ASM_DX,%_ASM_AX
15731+ jae 1234f
15732+ add %_ASM_DX,%_ASM_AX
15733+1234:
15734+#endif
15735+
58c5fc13
MT		 15736+#endif
15737+
15738 2: movzwl -1(%_ASM_AX),%edx
15739+
ae4e228f 15740+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 15741+ pushl %ss
15742+ pop %ds
15743+#endif
15744+
15745 xor %eax,%eax
15746 ret
15747 CFI_ENDPROC
df50ba0c 15748@@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
ae4e228f
MT		 15749 ENTRY(__get_user_4)
15750 CFI_STARTPROC
15751 add $3,%_ASM_AX
58c5fc13 15752+
ae4e228f 15753+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 15754+ pushl $(__USER_DS)
15755+ popl %ds
ae4e228f
MT		 15756+#else
15757 jc bad_get_user
15758 GET_THREAD_INFO(%_ASM_DX)
15759 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15760 jae bad_get_user
df50ba0c
MT		 15761+
15762+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15763+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15764+ cmp %_ASM_DX,%_ASM_AX
15765+ jae 1234f
15766+ add %_ASM_DX,%_ASM_AX
15767+1234:
15768+#endif
15769+
58c5fc13
MT		 15770+#endif
15771+
15772 3: mov -3(%_ASM_AX),%edx
15773+
ae4e228f 15774+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 15775+ pushl %ss
15776+ pop %ds
15777+#endif
15778+
15779 xor %eax,%eax
15780 ret
15781 CFI_ENDPROC
df50ba0c
MT		 15782@@ -80,6 +148,15 @@ ENTRY(__get_user_8)
15783 GET_THREAD_INFO(%_ASM_DX)
15784 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15785 jae bad_get_user
15786+
15787+#ifdef CONFIG_PAX_MEMORY_UDEREF
15788+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15789+ cmp %_ASM_DX,%_ASM_AX
15790+ jae 1234f
15791+ add %_ASM_DX,%_ASM_AX
15792+1234:
15793+#endif
15794+
15795 4: movq -7(%_ASM_AX),%_ASM_DX
15796 xor %eax,%eax
15797 ret
15798@@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
58c5fc13
MT		 15799
15800 bad_get_user:
15801 CFI_STARTPROC
15802+
ae4e228f 15803+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 15804+ pushl %ss
15805+ pop %ds
15806+#endif
15807+
15808 xor %edx,%edx
15809 mov $(-EFAULT),%_ASM_AX
15810 ret
57199397
MT		 15811diff -urNp linux-2.6.35.4/arch/x86/lib/insn.c linux-2.6.35.4/arch/x86/lib/insn.c
15812--- linux-2.6.35.4/arch/x86/lib/insn.c 2010-08-26 19:47:12.000000000 -0400
15813+++ linux-2.6.35.4/arch/x86/lib/insn.c 2010-09-17 20:12:09.000000000 -0400
15814@@ -21,6 +21,7 @@
15815 #include <linux/string.h>
15816 #include <asm/inat.h>
15817 #include <asm/insn.h>
15818+#include <asm/pgtable_types.h>
15819
15820 #define get_next(t, insn) \
15821 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15822@@ -40,8 +41,8 @@
15823 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15824 {
15825 memset(insn, 0, sizeof(*insn));
15826- insn->kaddr = kaddr;
15827- insn->next_byte = kaddr;
15828+ insn->kaddr = ktla_ktva(kaddr);
15829+ insn->next_byte = ktla_ktva(kaddr);
15830 insn->x86_64 = x86_64 ? 1 : 0;
15831 insn->opnd_bytes = 4;
15832 if (x86_64)
15833diff -urNp linux-2.6.35.4/arch/x86/lib/mmx_32.c linux-2.6.35.4/arch/x86/lib/mmx_32.c
15834--- linux-2.6.35.4/arch/x86/lib/mmx_32.c 2010-08-26 19:47:12.000000000 -0400
15835+++ linux-2.6.35.4/arch/x86/lib/mmx_32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 15836@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15837 {
15838 void *p;
15839 int i;
15840+ unsigned long cr0;
15841
15842 if (unlikely(in_interrupt()))
15843 return __memcpy(to, from, len);
15844@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15845 kernel_fpu_begin();
15846
15847 __asm__ __volatile__ (
15848- "1: prefetch (%0)\n" /* This set is 28 bytes */
15849- " prefetch 64(%0)\n"
15850- " prefetch 128(%0)\n"
15851- " prefetch 192(%0)\n"
15852- " prefetch 256(%0)\n"
15853+ "1: prefetch (%1)\n" /* This set is 28 bytes */
15854+ " prefetch 64(%1)\n"
15855+ " prefetch 128(%1)\n"
15856+ " prefetch 192(%1)\n"
15857+ " prefetch 256(%1)\n"
15858 "2: \n"
15859 ".section .fixup, \"ax\"\n"
15860- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15861+ "3: \n"
15862+
15863+#ifdef CONFIG_PAX_KERNEXEC
15864+ " movl %%cr0, %0\n"
15865+ " movl %0, %%eax\n"
15866+ " andl $0xFFFEFFFF, %%eax\n"
15867+ " movl %%eax, %%cr0\n"
15868+#endif
15869+
15870+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15871+
15872+#ifdef CONFIG_PAX_KERNEXEC
15873+ " movl %0, %%cr0\n"
15874+#endif
15875+
15876 " jmp 2b\n"
15877 ".previous\n"
15878 _ASM_EXTABLE(1b, 3b)
15879- : : "r" (from));
15880+ : "=&r" (cr0) : "r" (from) : "ax");
15881
15882 for ( ; i > 5; i--) {
15883 __asm__ __volatile__ (
15884- "1: prefetch 320(%0)\n"
15885- "2: movq (%0), %%mm0\n"
15886- " movq 8(%0), %%mm1\n"
15887- " movq 16(%0), %%mm2\n"
15888- " movq 24(%0), %%mm3\n"
15889- " movq %%mm0, (%1)\n"
15890- " movq %%mm1, 8(%1)\n"
15891- " movq %%mm2, 16(%1)\n"
15892- " movq %%mm3, 24(%1)\n"
15893- " movq 32(%0), %%mm0\n"
15894- " movq 40(%0), %%mm1\n"
15895- " movq 48(%0), %%mm2\n"
15896- " movq 56(%0), %%mm3\n"
15897- " movq %%mm0, 32(%1)\n"
15898- " movq %%mm1, 40(%1)\n"
15899- " movq %%mm2, 48(%1)\n"
15900- " movq %%mm3, 56(%1)\n"
15901+ "1: prefetch 320(%1)\n"
15902+ "2: movq (%1), %%mm0\n"
15903+ " movq 8(%1), %%mm1\n"
15904+ " movq 16(%1), %%mm2\n"
15905+ " movq 24(%1), %%mm3\n"
15906+ " movq %%mm0, (%2)\n"
15907+ " movq %%mm1, 8(%2)\n"
15908+ " movq %%mm2, 16(%2)\n"
15909+ " movq %%mm3, 24(%2)\n"
15910+ " movq 32(%1), %%mm0\n"
15911+ " movq 40(%1), %%mm1\n"
15912+ " movq 48(%1), %%mm2\n"
15913+ " movq 56(%1), %%mm3\n"
15914+ " movq %%mm0, 32(%2)\n"
15915+ " movq %%mm1, 40(%2)\n"
15916+ " movq %%mm2, 48(%2)\n"
15917+ " movq %%mm3, 56(%2)\n"
15918 ".section .fixup, \"ax\"\n"
15919- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15920+ "3:\n"
15921+
15922+#ifdef CONFIG_PAX_KERNEXEC
15923+ " movl %%cr0, %0\n"
15924+ " movl %0, %%eax\n"
15925+ " andl $0xFFFEFFFF, %%eax\n"
15926+ " movl %%eax, %%cr0\n"
15927+#endif
15928+
15929+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15930+
15931+#ifdef CONFIG_PAX_KERNEXEC
15932+ " movl %0, %%cr0\n"
15933+#endif
15934+
15935 " jmp 2b\n"
15936 ".previous\n"
15937 _ASM_EXTABLE(1b, 3b)
15938- : : "r" (from), "r" (to) : "memory");
15939+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15940
15941 from += 64;
15942 to += 64;
15943@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
15944 static void fast_copy_page(void *to, void *from)
15945 {
15946 int i;
15947+ unsigned long cr0;
15948
15949 kernel_fpu_begin();
15950
15951@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
15952 * but that is for later. -AV
15953 */
15954 __asm__ __volatile__(
15955- "1: prefetch (%0)\n"
15956- " prefetch 64(%0)\n"
15957- " prefetch 128(%0)\n"
15958- " prefetch 192(%0)\n"
15959- " prefetch 256(%0)\n"
15960+ "1: prefetch (%1)\n"
15961+ " prefetch 64(%1)\n"
15962+ " prefetch 128(%1)\n"
15963+ " prefetch 192(%1)\n"
15964+ " prefetch 256(%1)\n"
15965 "2: \n"
15966 ".section .fixup, \"ax\"\n"
15967- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15968+ "3: \n"
15969+
15970+#ifdef CONFIG_PAX_KERNEXEC
15971+ " movl %%cr0, %0\n"
15972+ " movl %0, %%eax\n"
15973+ " andl $0xFFFEFFFF, %%eax\n"
15974+ " movl %%eax, %%cr0\n"
15975+#endif
15976+
15977+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15978+
15979+#ifdef CONFIG_PAX_KERNEXEC
15980+ " movl %0, %%cr0\n"
15981+#endif
15982+
15983 " jmp 2b\n"
15984 ".previous\n"
15985- _ASM_EXTABLE(1b, 3b) : : "r" (from));
15986+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15987
15988 for (i = 0; i < (4096-320)/64; i++) {
15989 __asm__ __volatile__ (
15990- "1: prefetch 320(%0)\n"
15991- "2: movq (%0), %%mm0\n"
15992- " movntq %%mm0, (%1)\n"
15993- " movq 8(%0), %%mm1\n"
15994- " movntq %%mm1, 8(%1)\n"
15995- " movq 16(%0), %%mm2\n"
15996- " movntq %%mm2, 16(%1)\n"
15997- " movq 24(%0), %%mm3\n"
15998- " movntq %%mm3, 24(%1)\n"
15999- " movq 32(%0), %%mm4\n"
16000- " movntq %%mm4, 32(%1)\n"
16001- " movq 40(%0), %%mm5\n"
16002- " movntq %%mm5, 40(%1)\n"
16003- " movq 48(%0), %%mm6\n"
16004- " movntq %%mm6, 48(%1)\n"
16005- " movq 56(%0), %%mm7\n"
16006- " movntq %%mm7, 56(%1)\n"
16007+ "1: prefetch 320(%1)\n"
16008+ "2: movq (%1), %%mm0\n"
16009+ " movntq %%mm0, (%2)\n"
16010+ " movq 8(%1), %%mm1\n"
16011+ " movntq %%mm1, 8(%2)\n"
16012+ " movq 16(%1), %%mm2\n"
16013+ " movntq %%mm2, 16(%2)\n"
16014+ " movq 24(%1), %%mm3\n"
16015+ " movntq %%mm3, 24(%2)\n"
16016+ " movq 32(%1), %%mm4\n"
16017+ " movntq %%mm4, 32(%2)\n"
16018+ " movq 40(%1), %%mm5\n"
16019+ " movntq %%mm5, 40(%2)\n"
16020+ " movq 48(%1), %%mm6\n"
16021+ " movntq %%mm6, 48(%2)\n"
16022+ " movq 56(%1), %%mm7\n"
16023+ " movntq %%mm7, 56(%2)\n"
16024 ".section .fixup, \"ax\"\n"
16025- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16026+ "3:\n"
16027+
16028+#ifdef CONFIG_PAX_KERNEXEC
16029+ " movl %%cr0, %0\n"
16030+ " movl %0, %%eax\n"
16031+ " andl $0xFFFEFFFF, %%eax\n"
16032+ " movl %%eax, %%cr0\n"
16033+#endif
16034+
16035+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16036+
16037+#ifdef CONFIG_PAX_KERNEXEC
16038+ " movl %0, %%cr0\n"
16039+#endif
16040+
16041 " jmp 2b\n"
16042 ".previous\n"
16043- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16044+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16045
16046 from += 64;
16047 to += 64;
16048@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16049 static void fast_copy_page(void *to, void *from)
16050 {
16051 int i;
16052+ unsigned long cr0;
16053
16054 kernel_fpu_begin();
16055
16056 __asm__ __volatile__ (
16057- "1: prefetch (%0)\n"
16058- " prefetch 64(%0)\n"
16059- " prefetch 128(%0)\n"
16060- " prefetch 192(%0)\n"
16061- " prefetch 256(%0)\n"
16062+ "1: prefetch (%1)\n"
16063+ " prefetch 64(%1)\n"
16064+ " prefetch 128(%1)\n"
16065+ " prefetch 192(%1)\n"
16066+ " prefetch 256(%1)\n"
16067 "2: \n"
16068 ".section .fixup, \"ax\"\n"
16069- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16070+ "3: \n"
16071+
16072+#ifdef CONFIG_PAX_KERNEXEC
16073+ " movl %%cr0, %0\n"
16074+ " movl %0, %%eax\n"
16075+ " andl $0xFFFEFFFF, %%eax\n"
16076+ " movl %%eax, %%cr0\n"
16077+#endif
16078+
16079+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16080+
16081+#ifdef CONFIG_PAX_KERNEXEC
16082+ " movl %0, %%cr0\n"
16083+#endif
16084+
16085 " jmp 2b\n"
16086 ".previous\n"
16087- _ASM_EXTABLE(1b, 3b) : : "r" (from));
16088+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16089
16090 for (i = 0; i < 4096/64; i++) {
16091 __asm__ __volatile__ (
16092- "1: prefetch 320(%0)\n"
16093- "2: movq (%0), %%mm0\n"
16094- " movq 8(%0), %%mm1\n"
16095- " movq 16(%0), %%mm2\n"
16096- " movq 24(%0), %%mm3\n"
16097- " movq %%mm0, (%1)\n"
16098- " movq %%mm1, 8(%1)\n"
16099- " movq %%mm2, 16(%1)\n"
16100- " movq %%mm3, 24(%1)\n"
16101- " movq 32(%0), %%mm0\n"
16102- " movq 40(%0), %%mm1\n"
16103- " movq 48(%0), %%mm2\n"
16104- " movq 56(%0), %%mm3\n"
16105- " movq %%mm0, 32(%1)\n"
16106- " movq %%mm1, 40(%1)\n"
16107- " movq %%mm2, 48(%1)\n"
16108- " movq %%mm3, 56(%1)\n"
16109+ "1: prefetch 320(%1)\n"
16110+ "2: movq (%1), %%mm0\n"
16111+ " movq 8(%1), %%mm1\n"
16112+ " movq 16(%1), %%mm2\n"
16113+ " movq 24(%1), %%mm3\n"
16114+ " movq %%mm0, (%2)\n"
16115+ " movq %%mm1, 8(%2)\n"
16116+ " movq %%mm2, 16(%2)\n"
16117+ " movq %%mm3, 24(%2)\n"
16118+ " movq 32(%1), %%mm0\n"
16119+ " movq 40(%1), %%mm1\n"
16120+ " movq 48(%1), %%mm2\n"
16121+ " movq 56(%1), %%mm3\n"
16122+ " movq %%mm0, 32(%2)\n"
16123+ " movq %%mm1, 40(%2)\n"
16124+ " movq %%mm2, 48(%2)\n"
16125+ " movq %%mm3, 56(%2)\n"
16126 ".section .fixup, \"ax\"\n"
16127- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16128+ "3:\n"
16129+
16130+#ifdef CONFIG_PAX_KERNEXEC
16131+ " movl %%cr0, %0\n"
16132+ " movl %0, %%eax\n"
16133+ " andl $0xFFFEFFFF, %%eax\n"
16134+ " movl %%eax, %%cr0\n"
16135+#endif
16136+
16137+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16138+
16139+#ifdef CONFIG_PAX_KERNEXEC
16140+ " movl %0, %%cr0\n"
16141+#endif
16142+
16143 " jmp 2b\n"
16144 ".previous\n"
16145 _ASM_EXTABLE(1b, 3b)
16146- : : "r" (from), "r" (to) : "memory");
16147+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16148
16149 from += 64;
16150 to += 64;
57199397
MT		 16151diff -urNp linux-2.6.35.4/arch/x86/lib/putuser.S linux-2.6.35.4/arch/x86/lib/putuser.S
16152--- linux-2.6.35.4/arch/x86/lib/putuser.S 2010-08-26 19:47:12.000000000 -0400
16153+++ linux-2.6.35.4/arch/x86/lib/putuser.S 2010-09-17 20:12:09.000000000 -0400
df50ba0c 16154@@ -15,7 +15,8 @@
58c5fc13
MT		 16155 #include <asm/thread_info.h>
16156 #include <asm/errno.h>
16157 #include <asm/asm.h>
df50ba0c 16158-
58c5fc13 16159+#include <asm/segment.h>
df50ba0c 16160+#include <asm/pgtable.h>
58c5fc13
MT		 16161
16162 /*
df50ba0c 16163 * __put_user_X
57199397 16164@@ -29,59 +30,162 @@
ae4e228f
MT		 16165 * as they get called from within inline assembly.
16166 */
16167
16168-#define ENTER CFI_STARTPROC ; \
16169- GET_THREAD_INFO(%_ASM_BX)
16170+#define ENTER CFI_STARTPROC
16171 #define EXIT ret ; \
16172 CFI_ENDPROC
16173
57199397
MT		 16174+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16175+#define _DEST %_ASM_CX,%_ASM_BX
16176+#else
16177+#define _DEST %_ASM_CX
16178+#endif
16179+
ae4e228f
MT		 16180 .text
16181 ENTRY(__put_user_1)
58c5fc13 16182 ENTER
58c5fc13 16183+
ae4e228f 16184+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16185+ pushl $(__USER_DS)
16186+ popl %ds
ae4e228f
MT		 16187+#else
16188+ GET_THREAD_INFO(%_ASM_BX)
16189 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16190 jae bad_put_user
57199397 16191-1: movb %al,(%_ASM_CX)
df50ba0c
MT		 16192+
16193+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16194+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16195+ cmp %_ASM_BX,%_ASM_CX
57199397
MT		 16196+ jb 1234f
16197+ xor %ebx,%ebx
df50ba0c
MT		 16198+1234:
16199+#endif
16200+
58c5fc13
MT		 16201+#endif
16202+
57199397 16203+1: movb %al,(_DEST)
58c5fc13 16204+
ae4e228f 16205+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16206+ pushl %ss
16207+ popl %ds
16208+#endif
16209+
16210 xor %eax,%eax
16211 EXIT
16212 ENDPROC(__put_user_1)
ae4e228f
MT		 16213
16214 ENTRY(__put_user_2)
16215 ENTER
58c5fc13 16216+
ae4e228f 16217+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16218+ pushl $(__USER_DS)
16219+ popl %ds
ae4e228f
MT		 16220+#else
16221+ GET_THREAD_INFO(%_ASM_BX)
16222 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16223 sub $1,%_ASM_BX
16224 cmp %_ASM_BX,%_ASM_CX
16225 jae bad_put_user
57199397 16226-2: movw %ax,(%_ASM_CX)
df50ba0c
MT		 16227+
16228+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16229+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16230+ cmp %_ASM_BX,%_ASM_CX
57199397
MT		 16231+ jb 1234f
16232+ xor %ebx,%ebx
df50ba0c
MT		 16233+1234:
16234+#endif
16235+
58c5fc13
MT		 16236+#endif
16237+
57199397 16238+2: movw %ax,(_DEST)
58c5fc13 16239+
ae4e228f 16240+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16241+ pushl %ss
16242+ popl %ds
16243+#endif
16244+
16245 xor %eax,%eax
16246 EXIT
16247 ENDPROC(__put_user_2)
ae4e228f
MT		 16248
16249 ENTRY(__put_user_4)
16250 ENTER
58c5fc13 16251+
ae4e228f 16252+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16253+ pushl $(__USER_DS)
16254+ popl %ds
ae4e228f
MT		 16255+#else
16256+ GET_THREAD_INFO(%_ASM_BX)
16257 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16258 sub $3,%_ASM_BX
16259 cmp %_ASM_BX,%_ASM_CX
16260 jae bad_put_user
57199397 16261-3: movl %eax,(%_ASM_CX)
df50ba0c
MT		 16262+
16263+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16264+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16265+ cmp %_ASM_BX,%_ASM_CX
57199397
MT		 16266+ jb 1234f
16267+ xor %ebx,%ebx
df50ba0c
MT		 16268+1234:
16269+#endif
16270+
58c5fc13
MT		 16271+#endif
16272+
57199397 16273+3: movl %eax,(_DEST)
58c5fc13 16274+
ae4e228f 16275+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16276+ pushl %ss
16277+ popl %ds
16278+#endif
16279+
16280 xor %eax,%eax
16281 EXIT
16282 ENDPROC(__put_user_4)
ae4e228f
MT		 16283
16284 ENTRY(__put_user_8)
16285 ENTER
58c5fc13 16286+
ae4e228f 16287+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16288+ pushl $(__USER_DS)
16289+ popl %ds
ae4e228f
MT		 16290+#else
16291+ GET_THREAD_INFO(%_ASM_BX)
16292 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16293 sub $7,%_ASM_BX
16294 cmp %_ASM_BX,%_ASM_CX
16295 jae bad_put_user
57199397 16296-4: mov %_ASM_AX,(%_ASM_CX)
df50ba0c
MT		 16297+
16298+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16299+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16300+ cmp %_ASM_BX,%_ASM_CX
57199397
MT		 16301+ jb 1234f
16302+ xor %ebx,%ebx
df50ba0c
MT		 16303+1234:
16304+#endif
16305+
58c5fc13
MT		 16306+#endif
16307+
57199397 16308+4: mov %_ASM_AX,(_DEST)
58c5fc13 16309 #ifdef CONFIG_X86_32
57199397
MT		 16310-5: movl %edx,4(%_ASM_CX)
16311+5: movl %edx,4(_DEST)
58c5fc13
MT		 16312 #endif
16313+
ae4e228f 16314+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16315+ pushl %ss
16316+ popl %ds
16317+#endif
16318+
16319 xor %eax,%eax
16320 EXIT
16321 ENDPROC(__put_user_8)
16322
16323 bad_put_user:
16324 CFI_STARTPROC
16325+
ae4e228f 16326+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 16327+ pushl %ss
16328+ popl %ds
16329+#endif
16330+
16331 movl $-EFAULT,%eax
16332 EXIT
16333 END(bad_put_user)
57199397
MT		 16334diff -urNp linux-2.6.35.4/arch/x86/lib/usercopy_32.c linux-2.6.35.4/arch/x86/lib/usercopy_32.c
16335--- linux-2.6.35.4/arch/x86/lib/usercopy_32.c 2010-08-26 19:47:12.000000000 -0400
16336+++ linux-2.6.35.4/arch/x86/lib/usercopy_32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 16337@@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16338 * Copy a null terminated string from userspace.
16339 */
16340
16341-#define __do_strncpy_from_user(dst, src, count, res) \
16342-do { \
16343- int __d0, __d1, __d2; \
16344- might_fault(); \
16345- __asm__ __volatile__( \
16346- " testl %1,%1\n" \
16347- " jz 2f\n" \
16348- "0: lodsb\n" \
16349- " stosb\n" \
16350- " testb %%al,%%al\n" \
16351- " jz 1f\n" \
16352- " decl %1\n" \
16353- " jnz 0b\n" \
16354- "1: subl %1,%0\n" \
16355- "2:\n" \
16356- ".section .fixup,\"ax\"\n" \
16357- "3: movl %5,%0\n" \
16358- " jmp 2b\n" \
16359- ".previous\n" \
16360- _ASM_EXTABLE(0b,3b) \
16361- : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
16362- "=&D" (__d2) \
16363- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16364- : "memory"); \
16365-} while (0)
16366+static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16367+{
16368+ int __d0, __d1, __d2;
16369+ long res = -EFAULT;
16370+
16371+ might_fault();
16372+ __asm__ __volatile__(
16373+ " movw %w10,%%ds\n"
16374+ " testl %1,%1\n"
16375+ " jz 2f\n"
16376+ "0: lodsb\n"
16377+ " stosb\n"
16378+ " testb %%al,%%al\n"
16379+ " jz 1f\n"
16380+ " decl %1\n"
16381+ " jnz 0b\n"
16382+ "1: subl %1,%0\n"
16383+ "2:\n"
16384+ " pushl %%ss\n"
16385+ " popl %%ds\n"
16386+ ".section .fixup,\"ax\"\n"
16387+ "3: movl %5,%0\n"
16388+ " jmp 2b\n"
16389+ ".previous\n"
16390+ _ASM_EXTABLE(0b,3b)
16391+ : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16392+ "=&D" (__d2)
16393+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16394+ "r"(__USER_DS)
16395+ : "memory");
16396+ return res;
16397+}
16398
16399 /**
16400 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
16401@@ -85,9 +92,7 @@ do { \
16402 long
16403 __strncpy_from_user(char *dst, const char __user *src, long count)
16404 {
16405- long res;
16406- __do_strncpy_from_user(dst, src, count, res);
16407- return res;
16408+ return __do_strncpy_from_user(dst, src, count);
16409 }
16410 EXPORT_SYMBOL(__strncpy_from_user);
16411
16412@@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
16413 {
16414 long res = -EFAULT;
16415 if (access_ok(VERIFY_READ, src, 1))
16416- __do_strncpy_from_user(dst, src, count, res);
16417+ res = __do_strncpy_from_user(dst, src, count);
16418 return res;
16419 }
16420 EXPORT_SYMBOL(strncpy_from_user);
16421@@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16422 * Zero Userspace
16423 */
16424
16425-#define __do_clear_user(addr,size) \
16426-do { \
16427- int __d0; \
16428- might_fault(); \
16429- __asm__ __volatile__( \
16430- "0: rep; stosl\n" \
16431- " movl %2,%0\n" \
16432- "1: rep; stosb\n" \
16433- "2:\n" \
16434- ".section .fixup,\"ax\"\n" \
16435- "3: lea 0(%2,%0,4),%0\n" \
16436- " jmp 2b\n" \
16437- ".previous\n" \
16438- _ASM_EXTABLE(0b,3b) \
16439- _ASM_EXTABLE(1b,2b) \
16440- : "=&c"(size), "=&D" (__d0) \
16441- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
16442-} while (0)
16443+static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16444+{
16445+ int __d0;
16446+
16447+ might_fault();
16448+ __asm__ __volatile__(
16449+ " movw %w6,%%es\n"
16450+ "0: rep; stosl\n"
16451+ " movl %2,%0\n"
16452+ "1: rep; stosb\n"
16453+ "2:\n"
16454+ " pushl %%ss\n"
16455+ " popl %%es\n"
16456+ ".section .fixup,\"ax\"\n"
16457+ "3: lea 0(%2,%0,4),%0\n"
16458+ " jmp 2b\n"
16459+ ".previous\n"
16460+ _ASM_EXTABLE(0b,3b)
16461+ _ASM_EXTABLE(1b,2b)
16462+ : "=&c"(size), "=&D" (__d0)
16463+ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16464+ "r"(__USER_DS));
16465+ return size;
16466+}
16467
16468 /**
16469 * clear_user: - Zero a block of memory in user space.
16470@@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
16471 {
16472 might_fault();
16473 if (access_ok(VERIFY_WRITE, to, n))
16474- __do_clear_user(to, n);
16475+ n = __do_clear_user(to, n);
16476 return n;
16477 }
16478 EXPORT_SYMBOL(clear_user);
16479@@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
16480 unsigned long
16481 __clear_user(void __user *to, unsigned long n)
16482 {
16483- __do_clear_user(to, n);
16484- return n;
16485+ return __do_clear_user(to, n);
16486 }
16487 EXPORT_SYMBOL(__clear_user);
16488
16489@@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
16490 might_fault();
16491
16492 __asm__ __volatile__(
16493+ " movw %w8,%%es\n"
16494 " testl %0, %0\n"
16495 " jz 3f\n"
16496- " andl %0,%%ecx\n"
16497+ " movl %0,%%ecx\n"
16498 "0: repne; scasb\n"
16499 " setne %%al\n"
16500 " subl %%ecx,%0\n"
16501 " addl %0,%%eax\n"
16502 "1:\n"
16503+ " pushl %%ss\n"
16504+ " popl %%es\n"
16505 ".section .fixup,\"ax\"\n"
16506 "2: xorl %%eax,%%eax\n"
16507 " jmp 1b\n"
16508@@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
16509 " .long 0b,2b\n"
16510 ".previous"
16511 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
16512- :"0" (n), "1" (s), "2" (0), "3" (mask)
16513+ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
16514 :"cc");
16515 return res & mask;
16516 }
16517@@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
16518
16519 #ifdef CONFIG_X86_INTEL_USERCOPY
16520 static unsigned long
16521-__copy_user_intel(void __user *to, const void *from, unsigned long size)
16522+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16523+{
16524+ int d0, d1;
16525+ __asm__ __volatile__(
16526+ " movw %w6, %%es\n"
16527+ " .align 2,0x90\n"
16528+ "1: movl 32(%4), %%eax\n"
16529+ " cmpl $67, %0\n"
16530+ " jbe 3f\n"
16531+ "2: movl 64(%4), %%eax\n"
16532+ " .align 2,0x90\n"
16533+ "3: movl 0(%4), %%eax\n"
16534+ "4: movl 4(%4), %%edx\n"
16535+ "5: movl %%eax, %%es:0(%3)\n"
16536+ "6: movl %%edx, %%es:4(%3)\n"
16537+ "7: movl 8(%4), %%eax\n"
16538+ "8: movl 12(%4),%%edx\n"
16539+ "9: movl %%eax, %%es:8(%3)\n"
16540+ "10: movl %%edx, %%es:12(%3)\n"
16541+ "11: movl 16(%4), %%eax\n"
16542+ "12: movl 20(%4), %%edx\n"
16543+ "13: movl %%eax, %%es:16(%3)\n"
16544+ "14: movl %%edx, %%es:20(%3)\n"
16545+ "15: movl 24(%4), %%eax\n"
16546+ "16: movl 28(%4), %%edx\n"
16547+ "17: movl %%eax, %%es:24(%3)\n"
16548+ "18: movl %%edx, %%es:28(%3)\n"
16549+ "19: movl 32(%4), %%eax\n"
16550+ "20: movl 36(%4), %%edx\n"
16551+ "21: movl %%eax, %%es:32(%3)\n"
16552+ "22: movl %%edx, %%es:36(%3)\n"
16553+ "23: movl 40(%4), %%eax\n"
16554+ "24: movl 44(%4), %%edx\n"
16555+ "25: movl %%eax, %%es:40(%3)\n"
16556+ "26: movl %%edx, %%es:44(%3)\n"
16557+ "27: movl 48(%4), %%eax\n"
16558+ "28: movl 52(%4), %%edx\n"
16559+ "29: movl %%eax, %%es:48(%3)\n"
16560+ "30: movl %%edx, %%es:52(%3)\n"
16561+ "31: movl 56(%4), %%eax\n"
16562+ "32: movl 60(%4), %%edx\n"
16563+ "33: movl %%eax, %%es:56(%3)\n"
16564+ "34: movl %%edx, %%es:60(%3)\n"
16565+ " addl $-64, %0\n"
16566+ " addl $64, %4\n"
16567+ " addl $64, %3\n"
16568+ " cmpl $63, %0\n"
16569+ " ja 1b\n"
16570+ "35: movl %0, %%eax\n"
16571+ " shrl $2, %0\n"
16572+ " andl $3, %%eax\n"
16573+ " cld\n"
16574+ "99: rep; movsl\n"
16575+ "36: movl %%eax, %0\n"
16576+ "37: rep; movsb\n"
16577+ "100:\n"
16578+ " pushl %%ss\n"
16579+ " popl %%es\n"
16580+ ".section .fixup,\"ax\"\n"
16581+ "101: lea 0(%%eax,%0,4),%0\n"
16582+ " jmp 100b\n"
16583+ ".previous\n"
16584+ ".section __ex_table,\"a\"\n"
16585+ " .align 4\n"
16586+ " .long 1b,100b\n"
16587+ " .long 2b,100b\n"
16588+ " .long 3b,100b\n"
16589+ " .long 4b,100b\n"
16590+ " .long 5b,100b\n"
16591+ " .long 6b,100b\n"
16592+ " .long 7b,100b\n"
16593+ " .long 8b,100b\n"
16594+ " .long 9b,100b\n"
16595+ " .long 10b,100b\n"
16596+ " .long 11b,100b\n"
16597+ " .long 12b,100b\n"
16598+ " .long 13b,100b\n"
16599+ " .long 14b,100b\n"
16600+ " .long 15b,100b\n"
16601+ " .long 16b,100b\n"
16602+ " .long 17b,100b\n"
16603+ " .long 18b,100b\n"
16604+ " .long 19b,100b\n"
16605+ " .long 20b,100b\n"
16606+ " .long 21b,100b\n"
16607+ " .long 22b,100b\n"
16608+ " .long 23b,100b\n"
16609+ " .long 24b,100b\n"
16610+ " .long 25b,100b\n"
16611+ " .long 26b,100b\n"
16612+ " .long 27b,100b\n"
16613+ " .long 28b,100b\n"
16614+ " .long 29b,100b\n"
16615+ " .long 30b,100b\n"
16616+ " .long 31b,100b\n"
16617+ " .long 32b,100b\n"
16618+ " .long 33b,100b\n"
16619+ " .long 34b,100b\n"
16620+ " .long 35b,100b\n"
16621+ " .long 36b,100b\n"
16622+ " .long 37b,100b\n"
16623+ " .long 99b,101b\n"
16624+ ".previous"
16625+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
16626+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16627+ : "eax", "edx", "memory");
16628+ return size;
16629+}
16630+
16631+static unsigned long
16632+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16633 {
16634 int d0, d1;
16635 __asm__ __volatile__(
16636+ " movw %w6, %%ds\n"
16637 " .align 2,0x90\n"
16638 "1: movl 32(%4), %%eax\n"
16639 " cmpl $67, %0\n"
16640@@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
16641 " .align 2,0x90\n"
16642 "3: movl 0(%4), %%eax\n"
16643 "4: movl 4(%4), %%edx\n"
16644- "5: movl %%eax, 0(%3)\n"
16645- "6: movl %%edx, 4(%3)\n"
16646+ "5: movl %%eax, %%es:0(%3)\n"
16647+ "6: movl %%edx, %%es:4(%3)\n"
16648 "7: movl 8(%4), %%eax\n"
16649 "8: movl 12(%4),%%edx\n"
16650- "9: movl %%eax, 8(%3)\n"
16651- "10: movl %%edx, 12(%3)\n"
16652+ "9: movl %%eax, %%es:8(%3)\n"
16653+ "10: movl %%edx, %%es:12(%3)\n"
16654 "11: movl 16(%4), %%eax\n"
16655 "12: movl 20(%4), %%edx\n"
16656- "13: movl %%eax, 16(%3)\n"
16657- "14: movl %%edx, 20(%3)\n"
16658+ "13: movl %%eax, %%es:16(%3)\n"
16659+ "14: movl %%edx, %%es:20(%3)\n"
16660 "15: movl 24(%4), %%eax\n"
16661 "16: movl 28(%4), %%edx\n"
16662- "17: movl %%eax, 24(%3)\n"
16663- "18: movl %%edx, 28(%3)\n"
16664+ "17: movl %%eax, %%es:24(%3)\n"
16665+ "18: movl %%edx, %%es:28(%3)\n"
16666 "19: movl 32(%4), %%eax\n"
16667 "20: movl 36(%4), %%edx\n"
16668- "21: movl %%eax, 32(%3)\n"
16669- "22: movl %%edx, 36(%3)\n"
16670+ "21: movl %%eax, %%es:32(%3)\n"
16671+ "22: movl %%edx, %%es:36(%3)\n"
16672 "23: movl 40(%4), %%eax\n"
16673 "24: movl 44(%4), %%edx\n"
16674- "25: movl %%eax, 40(%3)\n"
16675- "26: movl %%edx, 44(%3)\n"
16676+ "25: movl %%eax, %%es:40(%3)\n"
16677+ "26: movl %%edx, %%es:44(%3)\n"
16678 "27: movl 48(%4), %%eax\n"
16679 "28: movl 52(%4), %%edx\n"
16680- "29: movl %%eax, 48(%3)\n"
16681- "30: movl %%edx, 52(%3)\n"
16682+ "29: movl %%eax, %%es:48(%3)\n"
16683+ "30: movl %%edx, %%es:52(%3)\n"
16684 "31: movl 56(%4), %%eax\n"
16685 "32: movl 60(%4), %%edx\n"
16686- "33: movl %%eax, 56(%3)\n"
16687- "34: movl %%edx, 60(%3)\n"
16688+ "33: movl %%eax, %%es:56(%3)\n"
16689+ "34: movl %%edx, %%es:60(%3)\n"
16690 " addl $-64, %0\n"
16691 " addl $64, %4\n"
16692 " addl $64, %3\n"
16693@@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
16694 "36: movl %%eax, %0\n"
16695 "37: rep; movsb\n"
16696 "100:\n"
16697+ " pushl %%ss\n"
16698+ " popl %%ds\n"
16699 ".section .fixup,\"ax\"\n"
16700 "101: lea 0(%%eax,%0,4),%0\n"
16701 " jmp 100b\n"
16702@@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
16703 " .long 99b,101b\n"
16704 ".previous"
16705 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16706- : "1"(to), "2"(from), "0"(size)
16707+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16708 : "eax", "edx", "memory");
16709 return size;
16710 }
16711@@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
16712 {
16713 int d0, d1;
16714 __asm__ __volatile__(
16715+ " movw %w6, %%ds\n"
16716 " .align 2,0x90\n"
16717 "0: movl 32(%4), %%eax\n"
16718 " cmpl $67, %0\n"
16719@@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
16720 " .align 2,0x90\n"
16721 "2: movl 0(%4), %%eax\n"
16722 "21: movl 4(%4), %%edx\n"
16723- " movl %%eax, 0(%3)\n"
16724- " movl %%edx, 4(%3)\n"
16725+ " movl %%eax, %%es:0(%3)\n"
16726+ " movl %%edx, %%es:4(%3)\n"
16727 "3: movl 8(%4), %%eax\n"
16728 "31: movl 12(%4),%%edx\n"
16729- " movl %%eax, 8(%3)\n"
16730- " movl %%edx, 12(%3)\n"
16731+ " movl %%eax, %%es:8(%3)\n"
16732+ " movl %%edx, %%es:12(%3)\n"
16733 "4: movl 16(%4), %%eax\n"
16734 "41: movl 20(%4), %%edx\n"
16735- " movl %%eax, 16(%3)\n"
16736- " movl %%edx, 20(%3)\n"
16737+ " movl %%eax, %%es:16(%3)\n"
16738+ " movl %%edx, %%es:20(%3)\n"
16739 "10: movl 24(%4), %%eax\n"
16740 "51: movl 28(%4), %%edx\n"
16741- " movl %%eax, 24(%3)\n"
16742- " movl %%edx, 28(%3)\n"
16743+ " movl %%eax, %%es:24(%3)\n"
16744+ " movl %%edx, %%es:28(%3)\n"
16745 "11: movl 32(%4), %%eax\n"
16746 "61: movl 36(%4), %%edx\n"
16747- " movl %%eax, 32(%3)\n"
16748- " movl %%edx, 36(%3)\n"
16749+ " movl %%eax, %%es:32(%3)\n"
16750+ " movl %%edx, %%es:36(%3)\n"
16751 "12: movl 40(%4), %%eax\n"
16752 "71: movl 44(%4), %%edx\n"
16753- " movl %%eax, 40(%3)\n"
16754- " movl %%edx, 44(%3)\n"
16755+ " movl %%eax, %%es:40(%3)\n"
16756+ " movl %%edx, %%es:44(%3)\n"
16757 "13: movl 48(%4), %%eax\n"
16758 "81: movl 52(%4), %%edx\n"
16759- " movl %%eax, 48(%3)\n"
16760- " movl %%edx, 52(%3)\n"
16761+ " movl %%eax, %%es:48(%3)\n"
16762+ " movl %%edx, %%es:52(%3)\n"
16763 "14: movl 56(%4), %%eax\n"
16764 "91: movl 60(%4), %%edx\n"
16765- " movl %%eax, 56(%3)\n"
16766- " movl %%edx, 60(%3)\n"
16767+ " movl %%eax, %%es:56(%3)\n"
16768+ " movl %%edx, %%es:60(%3)\n"
16769 " addl $-64, %0\n"
16770 " addl $64, %4\n"
16771 " addl $64, %3\n"
16772@@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
16773 " movl %%eax,%0\n"
16774 "7: rep; movsb\n"
16775 "8:\n"
16776+ " pushl %%ss\n"
16777+ " popl %%ds\n"
16778 ".section .fixup,\"ax\"\n"
16779 "9: lea 0(%%eax,%0,4),%0\n"
16780 "16: pushl %0\n"
16781@@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
16782 " .long 7b,16b\n"
16783 ".previous"
16784 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16785- : "1"(to), "2"(from), "0"(size)
16786+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16787 : "eax", "edx", "memory");
16788 return size;
16789 }
16790@@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
16791 int d0, d1;
16792
16793 __asm__ __volatile__(
16794+ " movw %w6, %%ds\n"
16795 " .align 2,0x90\n"
16796 "0: movl 32(%4), %%eax\n"
16797 " cmpl $67, %0\n"
16798@@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
16799 " .align 2,0x90\n"
16800 "2: movl 0(%4), %%eax\n"
16801 "21: movl 4(%4), %%edx\n"
16802- " movnti %%eax, 0(%3)\n"
16803- " movnti %%edx, 4(%3)\n"
16804+ " movnti %%eax, %%es:0(%3)\n"
16805+ " movnti %%edx, %%es:4(%3)\n"
16806 "3: movl 8(%4), %%eax\n"
16807 "31: movl 12(%4),%%edx\n"
16808- " movnti %%eax, 8(%3)\n"
16809- " movnti %%edx, 12(%3)\n"
16810+ " movnti %%eax, %%es:8(%3)\n"
16811+ " movnti %%edx, %%es:12(%3)\n"
16812 "4: movl 16(%4), %%eax\n"
16813 "41: movl 20(%4), %%edx\n"
16814- " movnti %%eax, 16(%3)\n"
16815- " movnti %%edx, 20(%3)\n"
16816+ " movnti %%eax, %%es:16(%3)\n"
16817+ " movnti %%edx, %%es:20(%3)\n"
16818 "10: movl 24(%4), %%eax\n"
16819 "51: movl 28(%4), %%edx\n"
16820- " movnti %%eax, 24(%3)\n"
16821- " movnti %%edx, 28(%3)\n"
16822+ " movnti %%eax, %%es:24(%3)\n"
16823+ " movnti %%edx, %%es:28(%3)\n"
16824 "11: movl 32(%4), %%eax\n"
16825 "61: movl 36(%4), %%edx\n"
16826- " movnti %%eax, 32(%3)\n"
16827- " movnti %%edx, 36(%3)\n"
16828+ " movnti %%eax, %%es:32(%3)\n"
16829+ " movnti %%edx, %%es:36(%3)\n"
16830 "12: movl 40(%4), %%eax\n"
16831 "71: movl 44(%4), %%edx\n"
16832- " movnti %%eax, 40(%3)\n"
16833- " movnti %%edx, 44(%3)\n"
16834+ " movnti %%eax, %%es:40(%3)\n"
16835+ " movnti %%edx, %%es:44(%3)\n"
16836 "13: movl 48(%4), %%eax\n"
16837 "81: movl 52(%4), %%edx\n"
16838- " movnti %%eax, 48(%3)\n"
16839- " movnti %%edx, 52(%3)\n"
16840+ " movnti %%eax, %%es:48(%3)\n"
16841+ " movnti %%edx, %%es:52(%3)\n"
16842 "14: movl 56(%4), %%eax\n"
16843 "91: movl 60(%4), %%edx\n"
16844- " movnti %%eax, 56(%3)\n"
16845- " movnti %%edx, 60(%3)\n"
16846+ " movnti %%eax, %%es:56(%3)\n"
16847+ " movnti %%edx, %%es:60(%3)\n"
16848 " addl $-64, %0\n"
16849 " addl $64, %4\n"
16850 " addl $64, %3\n"
16851@@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
16852 " movl %%eax,%0\n"
16853 "7: rep; movsb\n"
16854 "8:\n"
16855+ " pushl %%ss\n"
16856+ " popl %%ds\n"
16857 ".section .fixup,\"ax\"\n"
16858 "9: lea 0(%%eax,%0,4),%0\n"
16859 "16: pushl %0\n"
16860@@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
16861 " .long 7b,16b\n"
16862 ".previous"
16863 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16864- : "1"(to), "2"(from), "0"(size)
16865+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16866 : "eax", "edx", "memory");
16867 return size;
16868 }
16869@@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
16870 int d0, d1;
16871
16872 __asm__ __volatile__(
16873+ " movw %w6, %%ds\n"
16874 " .align 2,0x90\n"
16875 "0: movl 32(%4), %%eax\n"
16876 " cmpl $67, %0\n"
16877@@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
16878 " .align 2,0x90\n"
16879 "2: movl 0(%4), %%eax\n"
16880 "21: movl 4(%4), %%edx\n"
16881- " movnti %%eax, 0(%3)\n"
16882- " movnti %%edx, 4(%3)\n"
16883+ " movnti %%eax, %%es:0(%3)\n"
16884+ " movnti %%edx, %%es:4(%3)\n"
16885 "3: movl 8(%4), %%eax\n"
16886 "31: movl 12(%4),%%edx\n"
16887- " movnti %%eax, 8(%3)\n"
16888- " movnti %%edx, 12(%3)\n"
16889+ " movnti %%eax, %%es:8(%3)\n"
16890+ " movnti %%edx, %%es:12(%3)\n"
16891 "4: movl 16(%4), %%eax\n"
16892 "41: movl 20(%4), %%edx\n"
16893- " movnti %%eax, 16(%3)\n"
16894- " movnti %%edx, 20(%3)\n"
16895+ " movnti %%eax, %%es:16(%3)\n"
16896+ " movnti %%edx, %%es:20(%3)\n"
16897 "10: movl 24(%4), %%eax\n"
16898 "51: movl 28(%4), %%edx\n"
16899- " movnti %%eax, 24(%3)\n"
16900- " movnti %%edx, 28(%3)\n"
16901+ " movnti %%eax, %%es:24(%3)\n"
16902+ " movnti %%edx, %%es:28(%3)\n"
16903 "11: movl 32(%4), %%eax\n"
16904 "61: movl 36(%4), %%edx\n"
16905- " movnti %%eax, 32(%3)\n"
16906- " movnti %%edx, 36(%3)\n"
16907+ " movnti %%eax, %%es:32(%3)\n"
16908+ " movnti %%edx, %%es:36(%3)\n"
16909 "12: movl 40(%4), %%eax\n"
16910 "71: movl 44(%4), %%edx\n"
16911- " movnti %%eax, 40(%3)\n"
16912- " movnti %%edx, 44(%3)\n"
16913+ " movnti %%eax, %%es:40(%3)\n"
16914+ " movnti %%edx, %%es:44(%3)\n"
16915 "13: movl 48(%4), %%eax\n"
16916 "81: movl 52(%4), %%edx\n"
16917- " movnti %%eax, 48(%3)\n"
16918- " movnti %%edx, 52(%3)\n"
16919+ " movnti %%eax, %%es:48(%3)\n"
16920+ " movnti %%edx, %%es:52(%3)\n"
16921 "14: movl 56(%4), %%eax\n"
16922 "91: movl 60(%4), %%edx\n"
16923- " movnti %%eax, 56(%3)\n"
16924- " movnti %%edx, 60(%3)\n"
16925+ " movnti %%eax, %%es:56(%3)\n"
16926+ " movnti %%edx, %%es:60(%3)\n"
16927 " addl $-64, %0\n"
16928 " addl $64, %4\n"
16929 " addl $64, %3\n"
16930@@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
16931 " movl %%eax,%0\n"
16932 "7: rep; movsb\n"
16933 "8:\n"
16934+ " pushl %%ss\n"
16935+ " popl %%ds\n"
16936 ".section .fixup,\"ax\"\n"
16937 "9: lea 0(%%eax,%0,4),%0\n"
16938 "16: jmp 8b\n"
16939@@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
16940 " .long 7b,16b\n"
16941 ".previous"
16942 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16943- : "1"(to), "2"(from), "0"(size)
16944+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16945 : "eax", "edx", "memory");
16946 return size;
16947 }
16948@@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
16949 */
16950 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16951 unsigned long size);
16952-unsigned long __copy_user_intel(void __user *to, const void *from,
16953+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16954+ unsigned long size);
16955+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16956 unsigned long size);
16957 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16958 const void __user *from, unsigned long size);
16959 #endif /* CONFIG_X86_INTEL_USERCOPY */
16960
16961 /* Generic arbitrary sized copy. */
16962-#define __copy_user(to, from, size) \
16963-do { \
16964- int __d0, __d1, __d2; \
16965- __asm__ __volatile__( \
16966- " cmp $7,%0\n" \
16967- " jbe 1f\n" \
16968- " movl %1,%0\n" \
16969- " negl %0\n" \
16970- " andl $7,%0\n" \
16971- " subl %0,%3\n" \
16972- "4: rep; movsb\n" \
16973- " movl %3,%0\n" \
16974- " shrl $2,%0\n" \
16975- " andl $3,%3\n" \
16976- " .align 2,0x90\n" \
16977- "0: rep; movsl\n" \
16978- " movl %3,%0\n" \
16979- "1: rep; movsb\n" \
16980- "2:\n" \
16981- ".section .fixup,\"ax\"\n" \
16982- "5: addl %3,%0\n" \
16983- " jmp 2b\n" \
16984- "3: lea 0(%3,%0,4),%0\n" \
16985- " jmp 2b\n" \
16986- ".previous\n" \
16987- ".section __ex_table,\"a\"\n" \
16988- " .align 4\n" \
16989- " .long 4b,5b\n" \
16990- " .long 0b,3b\n" \
16991- " .long 1b,2b\n" \
16992- ".previous" \
16993- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
16994- : "3"(size), "0"(size), "1"(to), "2"(from) \
16995- : "memory"); \
16996-} while (0)
16997-
16998-#define __copy_user_zeroing(to, from, size) \
16999-do { \
17000- int __d0, __d1, __d2; \
17001- __asm__ __volatile__( \
17002- " cmp $7,%0\n" \
17003- " jbe 1f\n" \
17004- " movl %1,%0\n" \
17005- " negl %0\n" \
17006- " andl $7,%0\n" \
17007- " subl %0,%3\n" \
17008- "4: rep; movsb\n" \
17009- " movl %3,%0\n" \
17010- " shrl $2,%0\n" \
17011- " andl $3,%3\n" \
17012- " .align 2,0x90\n" \
17013- "0: rep; movsl\n" \
17014- " movl %3,%0\n" \
17015- "1: rep; movsb\n" \
17016- "2:\n" \
17017- ".section .fixup,\"ax\"\n" \
17018- "5: addl %3,%0\n" \
17019- " jmp 6f\n" \
17020- "3: lea 0(%3,%0,4),%0\n" \
17021- "6: pushl %0\n" \
17022- " pushl %%eax\n" \
17023- " xorl %%eax,%%eax\n" \
17024- " rep; stosb\n" \
17025- " popl %%eax\n" \
17026- " popl %0\n" \
17027- " jmp 2b\n" \
17028- ".previous\n" \
17029- ".section __ex_table,\"a\"\n" \
17030- " .align 4\n" \
17031- " .long 4b,5b\n" \
17032- " .long 0b,3b\n" \
17033- " .long 1b,6b\n" \
17034- ".previous" \
17035- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
17036- : "3"(size), "0"(size), "1"(to), "2"(from) \
17037- : "memory"); \
17038-} while (0)
17039+static unsigned long
17040+__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
17041+{
17042+ int __d0, __d1, __d2;
17043+
17044+ __asm__ __volatile__(
17045+ " movw %w8,%%es\n"
17046+ " cmp $7,%0\n"
17047+ " jbe 1f\n"
17048+ " movl %1,%0\n"
17049+ " negl %0\n"
17050+ " andl $7,%0\n"
17051+ " subl %0,%3\n"
17052+ "4: rep; movsb\n"
17053+ " movl %3,%0\n"
17054+ " shrl $2,%0\n"
17055+ " andl $3,%3\n"
17056+ " .align 2,0x90\n"
17057+ "0: rep; movsl\n"
17058+ " movl %3,%0\n"
17059+ "1: rep; movsb\n"
17060+ "2:\n"
17061+ " pushl %%ss\n"
17062+ " popl %%es\n"
17063+ ".section .fixup,\"ax\"\n"
17064+ "5: addl %3,%0\n"
17065+ " jmp 2b\n"
17066+ "3: lea 0(%3,%0,4),%0\n"
17067+ " jmp 2b\n"
17068+ ".previous\n"
17069+ ".section __ex_table,\"a\"\n"
17070+ " .align 4\n"
17071+ " .long 4b,5b\n"
17072+ " .long 0b,3b\n"
17073+ " .long 1b,2b\n"
17074+ ".previous"
17075+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17076+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17077+ : "memory");
17078+ return size;
17079+}
17080+
17081+static unsigned long
17082+__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
17083+{
17084+ int __d0, __d1, __d2;
17085+
17086+ __asm__ __volatile__(
17087+ " movw %w8,%%ds\n"
17088+ " cmp $7,%0\n"
17089+ " jbe 1f\n"
17090+ " movl %1,%0\n"
17091+ " negl %0\n"
17092+ " andl $7,%0\n"
17093+ " subl %0,%3\n"
17094+ "4: rep; movsb\n"
17095+ " movl %3,%0\n"
17096+ " shrl $2,%0\n"
17097+ " andl $3,%3\n"
17098+ " .align 2,0x90\n"
17099+ "0: rep; movsl\n"
17100+ " movl %3,%0\n"
17101+ "1: rep; movsb\n"
17102+ "2:\n"
17103+ " pushl %%ss\n"
17104+ " popl %%ds\n"
17105+ ".section .fixup,\"ax\"\n"
17106+ "5: addl %3,%0\n"
17107+ " jmp 2b\n"
17108+ "3: lea 0(%3,%0,4),%0\n"
17109+ " jmp 2b\n"
17110+ ".previous\n"
17111+ ".section __ex_table,\"a\"\n"
17112+ " .align 4\n"
17113+ " .long 4b,5b\n"
17114+ " .long 0b,3b\n"
17115+ " .long 1b,2b\n"
17116+ ".previous"
17117+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17118+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17119+ : "memory");
17120+ return size;
17121+}
17122+
17123+static unsigned long
17124+__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
17125+{
17126+ int __d0, __d1, __d2;
17127+
17128+ __asm__ __volatile__(
17129+ " movw %w8,%%ds\n"
17130+ " cmp $7,%0\n"
17131+ " jbe 1f\n"
17132+ " movl %1,%0\n"
17133+ " negl %0\n"
17134+ " andl $7,%0\n"
17135+ " subl %0,%3\n"
17136+ "4: rep; movsb\n"
17137+ " movl %3,%0\n"
17138+ " shrl $2,%0\n"
17139+ " andl $3,%3\n"
17140+ " .align 2,0x90\n"
17141+ "0: rep; movsl\n"
17142+ " movl %3,%0\n"
17143+ "1: rep; movsb\n"
17144+ "2:\n"
17145+ " pushl %%ss\n"
17146+ " popl %%ds\n"
17147+ ".section .fixup,\"ax\"\n"
17148+ "5: addl %3,%0\n"
17149+ " jmp 6f\n"
17150+ "3: lea 0(%3,%0,4),%0\n"
17151+ "6: pushl %0\n"
17152+ " pushl %%eax\n"
17153+ " xorl %%eax,%%eax\n"
17154+ " rep; stosb\n"
17155+ " popl %%eax\n"
17156+ " popl %0\n"
17157+ " jmp 2b\n"
17158+ ".previous\n"
17159+ ".section __ex_table,\"a\"\n"
17160+ " .align 4\n"
17161+ " .long 4b,5b\n"
17162+ " .long 0b,3b\n"
17163+ " .long 1b,6b\n"
17164+ ".previous"
17165+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17166+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17167+ : "memory");
17168+ return size;
17169+}
17170
17171 unsigned long __copy_to_user_ll(void __user *to, const void *from,
17172 unsigned long n)
17173@@ -775,9 +966,9 @@ survive:
17174 }
17175 #endif
17176 if (movsl_is_ok(to, from, n))
17177- __copy_user(to, from, n);
17178+ n = __generic_copy_to_user(to, from, n);
17179 else
17180- n = __copy_user_intel(to, from, n);
17181+ n = __generic_copy_to_user_intel(to, from, n);
17182 return n;
17183 }
17184 EXPORT_SYMBOL(__copy_to_user_ll);
17185@@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17186 unsigned long n)
17187 {
17188 if (movsl_is_ok(to, from, n))
17189- __copy_user_zeroing(to, from, n);
17190+ n = __copy_user_zeroing(to, from, n);
17191 else
17192 n = __copy_user_zeroing_intel(to, from, n);
17193 return n;
17194@@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17195 unsigned long n)
17196 {
17197 if (movsl_is_ok(to, from, n))
17198- __copy_user(to, from, n);
17199+ n = __generic_copy_from_user(to, from, n);
17200 else
17201- n = __copy_user_intel((void __user *)to,
17202- (const void *)from, n);
17203+ n = __generic_copy_from_user_intel(to, from, n);
17204 return n;
17205 }
17206 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17207@@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17208 if (n > 64 && cpu_has_xmm2)
17209 n = __copy_user_zeroing_intel_nocache(to, from, n);
17210 else
17211- __copy_user_zeroing(to, from, n);
17212+ n = __copy_user_zeroing(to, from, n);
17213 #else
17214- __copy_user_zeroing(to, from, n);
17215+ n = __copy_user_zeroing(to, from, n);
17216 #endif
17217 return n;
17218 }
ae4e228f 17219@@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
58c5fc13
MT		 17220 if (n > 64 && cpu_has_xmm2)
17221 n = __copy_user_intel_nocache(to, from, n);
17222 else
17223- __copy_user(to, from, n);
17224+ n = __generic_copy_from_user(to, from, n);
17225 #else
17226- __copy_user(to, from, n);
17227+ n = __generic_copy_from_user(to, from, n);
17228 #endif
17229 return n;
17230 }
17231 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17232
17233-/**
17234- * copy_to_user: - Copy a block of data into user space.
17235- * @to: Destination address, in user space.
17236- * @from: Source address, in kernel space.
17237- * @n: Number of bytes to copy.
17238- *
17239- * Context: User context only. This function may sleep.
17240- *
17241- * Copy data from kernel space to user space.
17242- *
17243- * Returns number of bytes that could not be copied.
17244- * On success, this will be zero.
17245- */
17246-unsigned long
17247-copy_to_user(void __user *to, const void *from, unsigned long n)
ae4e228f 17248+void copy_from_user_overflow(void)
58c5fc13
MT		 17249 {
17250- if (access_ok(VERIFY_WRITE, to, n))
17251- n = __copy_to_user(to, from, n);
17252- return n;
ae4e228f 17253+ WARN(1, "Buffer overflow detected!\n");
58c5fc13
MT		 17254 }
17255-EXPORT_SYMBOL(copy_to_user);
ae4e228f 17256+EXPORT_SYMBOL(copy_from_user_overflow);
58c5fc13
MT		 17257
17258-/**
17259- * copy_from_user: - Copy a block of data from user space.
17260- * @to: Destination address, in kernel space.
17261- * @from: Source address, in user space.
17262- * @n: Number of bytes to copy.
17263- *
17264- * Context: User context only. This function may sleep.
17265- *
17266- * Copy data from user space to kernel space.
17267- *
17268- * Returns number of bytes that could not be copied.
17269- * On success, this will be zero.
17270- *
17271- * If some data could not be copied, this function will pad the copied
17272- * data to the requested size using zero bytes.
17273- */
17274-unsigned long
ae4e228f
MT		 17275-_copy_from_user(void *to, const void __user *from, unsigned long n)
17276+void copy_to_user_overflow(void)
58c5fc13
MT		 17277 {
17278- if (access_ok(VERIFY_READ, from, n))
17279- n = __copy_from_user(to, from, n);
17280- else
17281- memset(to, 0, n);
17282- return n;
ae4e228f
MT		 17283+ WARN(1, "Buffer overflow detected!\n");
17284 }
17285-EXPORT_SYMBOL(_copy_from_user);
17286+EXPORT_SYMBOL(copy_to_user_overflow);
17287
17288-void copy_from_user_overflow(void)
17289+#ifdef CONFIG_PAX_MEMORY_UDEREF
17290+void __set_fs(mm_segment_t x, int cpu)
17291 {
17292- WARN(1, "Buffer overflow detected!\n");
17293+ unsigned long limit = x.seg;
17294+ struct desc_struct d;
17295+
17296+ current_thread_info()->addr_limit = x;
17297+ if (unlikely(paravirt_enabled()))
17298+ return;
17299+
17300+ if (likely(limit))
17301+ limit = (limit - 1UL) >> PAGE_SHIFT;
17302+ pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17303+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17304 }
17305-EXPORT_SYMBOL(copy_from_user_overflow);
17306+
17307+void set_fs(mm_segment_t x)
17308+{
58c5fc13
MT		 17309+ __set_fs(x, get_cpu());
17310+ put_cpu();
ae4e228f
MT		 17311+}
17312+EXPORT_SYMBOL(copy_from_user);
58c5fc13
MT		 17313+#else
17314+void set_fs(mm_segment_t x)
17315+{
17316+ current_thread_info()->addr_limit = x;
17317+}
17318+#endif
17319+
17320+EXPORT_SYMBOL(set_fs);
57199397
MT		 17321diff -urNp linux-2.6.35.4/arch/x86/lib/usercopy_64.c linux-2.6.35.4/arch/x86/lib/usercopy_64.c
17322--- linux-2.6.35.4/arch/x86/lib/usercopy_64.c 2010-08-26 19:47:12.000000000 -0400
17323+++ linux-2.6.35.4/arch/x86/lib/usercopy_64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 17324@@ -42,6 +42,8 @@ long
17325 __strncpy_from_user(char *dst, const char __user *src, long count)
17326 {
17327 long res;
17328+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17329+ src += PAX_USER_SHADOW_BASE;
17330 __do_strncpy_from_user(dst, src, count, res);
17331 return res;
17332 }
17333@@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17334 {
17335 long __d0;
17336 might_fault();
17337+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17338+ addr += PAX_USER_SHADOW_BASE;
17339 /* no memory constraint because it doesn't change any memory gcc knows
17340 about */
17341 asm volatile(
17342@@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17343
17344 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17345 {
17346- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17347+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17348+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17349+ to += PAX_USER_SHADOW_BASE;
17350+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17351+ from += PAX_USER_SHADOW_BASE;
17352 return copy_user_generic((__force void *)to, (__force void *)from, len);
17353- }
17354- return len;
17355+ }
17356+ return len;
17357 }
17358 EXPORT_SYMBOL(copy_in_user);
17359
57199397
MT		 17360diff -urNp linux-2.6.35.4/arch/x86/Makefile linux-2.6.35.4/arch/x86/Makefile
17361--- linux-2.6.35.4/arch/x86/Makefile 2010-08-26 19:47:12.000000000 -0400
17362+++ linux-2.6.35.4/arch/x86/Makefile 2010-09-17 20:12:09.000000000 -0400
17363@@ -191,3 +191,12 @@ define archhelp
17364 echo ' FDARGS="..." arguments for the booted kernel'
17365 echo ' FDINITRD=file initrd for the booted kernel'
17366 endef
17367+
17368+define OLD_LD
17369+
17370+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17371+*** Please upgrade your binutils to 2.18 or newer
17372+endef
17373+
17374+archprepare:
17375+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17376diff -urNp linux-2.6.35.4/arch/x86/mm/extable.c linux-2.6.35.4/arch/x86/mm/extable.c
17377--- linux-2.6.35.4/arch/x86/mm/extable.c 2010-08-26 19:47:12.000000000 -0400
17378+++ linux-2.6.35.4/arch/x86/mm/extable.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 17379@@ -1,14 +1,71 @@
58c5fc13
MT		 17380 #include <linux/module.h>
17381 #include <linux/spinlock.h>
17382+#include <linux/sort.h>
17383 #include <asm/uaccess.h>
ae4e228f 17384+#include <asm/pgtable.h>
58c5fc13
MT		 17385
17386+/*
17387+ * The exception table needs to be sorted so that the binary
17388+ * search that we use to find entries in it works properly.
17389+ * This is used both for the kernel exception table and for
17390+ * the exception tables of modules that get loaded.
17391+ */
17392+static int cmp_ex(const void *a, const void *b)
17393+{
17394+ const struct exception_table_entry *x = a, *y = b;
17395+
17396+ /* avoid overflow */
17397+ if (x->insn > y->insn)
17398+ return 1;
17399+ if (x->insn < y->insn)
17400+ return -1;
17401+ return 0;
17402+}
17403+
17404+static void swap_ex(void *a, void *b, int size)
17405+{
17406+ struct exception_table_entry t, *x = a, *y = b;
17407+
58c5fc13
MT		 17408+ t = *x;
17409+
ae4e228f 17410+ pax_open_kernel();
58c5fc13
MT		 17411+ *x = *y;
17412+ *y = t;
ae4e228f 17413+ pax_close_kernel();
58c5fc13
MT		 17414+}
17415+
17416+void sort_extable(struct exception_table_entry *start,
17417+ struct exception_table_entry *finish)
17418+{
17419+ sort(start, finish - start, sizeof(struct exception_table_entry),
17420+ cmp_ex, swap_ex);
17421+}
17422+
17423+#ifdef CONFIG_MODULES
17424+/*
17425+ * If the exception table is sorted, any referring to the module init
17426+ * will be at the beginning or the end.
17427+ */
17428+void trim_init_extable(struct module *m)
17429+{
17430+ /*trim the beginning*/
17431+ while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17432+ m->extable++;
17433+ m->num_exentries--;
17434+ }
17435+ /*trim the end*/
17436+ while (m->num_exentries &&
17437+ within_module_init(m->extable[m->num_exentries-1].insn, m))
17438+ m->num_exentries--;
17439+}
17440+#endif /* CONFIG_MODULES */
17441
17442 int fixup_exception(struct pt_regs *regs)
17443 {
17444 const struct exception_table_entry *fixup;
17445
17446 #ifdef CONFIG_PNPBIOS
17447- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17448+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17449 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17450 extern u32 pnp_bios_is_utter_crap;
17451 pnp_bios_is_utter_crap = 1;
57199397
MT		 17452diff -urNp linux-2.6.35.4/arch/x86/mm/fault.c linux-2.6.35.4/arch/x86/mm/fault.c
17453--- linux-2.6.35.4/arch/x86/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
17454+++ linux-2.6.35.4/arch/x86/mm/fault.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 17455@@ -11,10 +11,19 @@
58c5fc13
MT		 17456 #include <linux/kprobes.h> /* __kprobes, ... */
17457 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
ae4e228f 17458 #include <linux/perf_event.h> /* perf_sw_event */
58c5fc13
MT		 17459+#include <linux/unistd.h>
17460+#include <linux/compiler.h>
17461
17462 #include <asm/traps.h> /* dotraplinkage, ... */
17463 #include <asm/pgalloc.h> /* pgd_*(), ... */
17464 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17465+#include <asm/vsyscall.h>
17466+#include <asm/tlbflush.h>
df50ba0c
MT		 17467+
17468+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17469+#include <asm/stacktrace.h>
17470+#include "../kernel/dumpstack.h"
17471+#endif
58c5fc13
MT		 17472
17473 /*
17474 * Page fault error code bits:
df50ba0c 17475@@ -52,7 +61,7 @@ static inline int __kprobes notify_page_
58c5fc13
MT		 17476 int ret = 0;
17477
17478 /* kprobe_running() needs smp_processor_id() */
17479- if (kprobes_built_in() && !user_mode_vm(regs)) {
17480+ if (kprobes_built_in() && !user_mode(regs)) {
17481 preempt_disable();
17482 if (kprobe_running() && kprobe_fault_handler(regs, 14))
17483 ret = 1;
df50ba0c 17484@@ -173,6 +182,30 @@ force_sig_info_fault(int si_signo, int s
58c5fc13
MT		 17485 force_sig_info(si_signo, &info, tsk);
17486 }
17487
17488+#ifdef CONFIG_PAX_EMUTRAMP
17489+static int pax_handle_fetch_fault(struct pt_regs *regs);
17490+#endif
17491+
17492+#ifdef CONFIG_PAX_PAGEEXEC
17493+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17494+{
17495+ pgd_t *pgd;
17496+ pud_t *pud;
17497+ pmd_t *pmd;
17498+
17499+ pgd = pgd_offset(mm, address);
17500+ if (!pgd_present(*pgd))
17501+ return NULL;
17502+ pud = pud_offset(pgd, address);
17503+ if (!pud_present(*pud))
17504+ return NULL;
17505+ pmd = pmd_offset(pud, address);
17506+ if (!pmd_present(*pmd))
17507+ return NULL;
17508+ return pmd;
17509+}
17510+#endif
17511+
17512 DEFINE_SPINLOCK(pgd_lock);
17513 LIST_HEAD(pgd_list);
17514
df50ba0c
MT		 17515@@ -225,11 +258,24 @@ void vmalloc_sync_all(void)
17516 address += PMD_SIZE) {
17517
17518 unsigned long flags;
17519+
17520+#ifdef CONFIG_PAX_PER_CPU_PGD
17521+ unsigned long cpu;
17522+#else
17523 struct page *page;
17524+#endif
17525
17526 spin_lock_irqsave(&pgd_lock, flags);
17527+
17528+#ifdef CONFIG_PAX_PER_CPU_PGD
17529+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17530+ pgd_t *pgd = get_cpu_pgd(cpu);
17531+#else
17532 list_for_each_entry(page, &pgd_list, lru) {
17533- if (!vmalloc_sync_one(page_address(page), address))
17534+ pgd_t *pgd = page_address(page);
17535+#endif
17536+
17537+ if (!vmalloc_sync_one(pgd, address))
17538 break;
17539 }
17540 spin_unlock_irqrestore(&pgd_lock, flags);
17541@@ -259,6 +305,11 @@ static noinline __kprobes int vmalloc_fa
17542 * an interrupt in the middle of a task switch..
17543 */
17544 pgd_paddr = read_cr3();
17545+
17546+#ifdef CONFIG_PAX_PER_CPU_PGD
17547+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17548+#endif
17549+
17550 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17551 if (!pmd_k)
17552 return -1;
17553@@ -333,15 +384,27 @@ void vmalloc_sync_all(void)
17554
17555 const pgd_t *pgd_ref = pgd_offset_k(address);
17556 unsigned long flags;
17557+
17558+#ifdef CONFIG_PAX_PER_CPU_PGD
17559+ unsigned long cpu;
17560+#else
17561 struct page *page;
17562+#endif
17563
17564 if (pgd_none(*pgd_ref))
17565 continue;
17566
17567 spin_lock_irqsave(&pgd_lock, flags);
17568+
17569+#ifdef CONFIG_PAX_PER_CPU_PGD
17570+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17571+ pgd_t *pgd = pgd_offset_cpu(cpu, address);
17572+#else
17573 list_for_each_entry(page, &pgd_list, lru) {
17574 pgd_t *pgd;
17575 pgd = (pgd_t *)page_address(page) + pgd_index(address);
17576+#endif
17577+
17578 if (pgd_none(*pgd))
17579 set_pgd(pgd, *pgd_ref);
17580 else
17581@@ -374,7 +437,14 @@ static noinline __kprobes int vmalloc_fa
17582 * happen within a race in page table update. In the later
17583 * case just flush:
17584 */
17585+
17586+#ifdef CONFIG_PAX_PER_CPU_PGD
17587+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17588+ pgd = pgd_offset_cpu(smp_processor_id(), address);
17589+#else
17590 pgd = pgd_offset(current->active_mm, address);
17591+#endif
17592+
17593 pgd_ref = pgd_offset_k(address);
17594 if (pgd_none(*pgd_ref))
17595 return -1;
17596@@ -536,7 +606,7 @@ static int is_errata93(struct pt_regs *r
58c5fc13
MT		 17597 static int is_errata100(struct pt_regs *regs, unsigned long address)
17598 {
17599 #ifdef CONFIG_X86_64
17600- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17601+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17602 return 1;
17603 #endif
17604 return 0;
df50ba0c 17605@@ -563,7 +633,7 @@ static int is_f00f_bug(struct pt_regs *r
58c5fc13
MT		 17606 }
17607
17608 static const char nx_warning[] = KERN_CRIT
17609-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17610+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17611
17612 static void
17613 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
df50ba0c 17614@@ -572,15 +642,26 @@ show_fault_oops(struct pt_regs *regs, un
58c5fc13
MT		 17615 if (!oops_may_print())
17616 return;
17617
17618- if (error_code & PF_INSTR) {
ae4e228f 17619+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
58c5fc13
MT		 17620 unsigned int level;
17621
17622 pte_t *pte = lookup_address(address, &level);
17623
17624 if (pte && pte_present(*pte) && !pte_exec(*pte))
17625- printk(nx_warning, current_uid());
17626+ printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17627 }
17628
17629+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f 17630+ if (init_mm.start_code <= address && address < init_mm.end_code) {
58c5fc13 17631+ if (current->signal->curr_ip)
ae4e228f
MT		 17632+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17633+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
58c5fc13
MT		 17634+ else
17635+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17636+ current->comm, task_pid_nr(current), current_uid(), current_euid());
17637+ }
17638+#endif
17639+
17640 printk(KERN_ALERT "BUG: unable to handle kernel ");
17641 if (address < PAGE_SIZE)
17642 printk(KERN_CONT "NULL pointer dereference");
df50ba0c 17643@@ -705,6 +786,68 @@ __bad_area_nosemaphore(struct pt_regs *r
58c5fc13
MT		 17644 unsigned long address, int si_code)
17645 {
17646 struct task_struct *tsk = current;
17647+ struct mm_struct *mm = tsk->mm;
17648+
17649+#ifdef CONFIG_X86_64
17650+ if (mm && (error_code & PF_INSTR)) {
17651+ if (regs->ip == (unsigned long)vgettimeofday) {
17652+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17653+ return;
17654+ } else if (regs->ip == (unsigned long)vtime) {
17655+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17656+ return;
17657+ } else if (regs->ip == (unsigned long)vgetcpu) {
17658+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17659+ return;
17660+ }
17661+ }
17662+#endif
17663+
17664+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17665+ if (mm && (error_code & PF_USER)) {
17666+ unsigned long ip = regs->ip;
17667+
17668+ if (v8086_mode(regs))
17669+ ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
17670+
17671+ /*
17672+ * It's possible to have interrupts off here:
17673+ */
17674+ local_irq_enable();
17675+
17676+#ifdef CONFIG_PAX_PAGEEXEC
17677+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
ae4e228f 17678+ (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
58c5fc13
MT		 17679+
17680+#ifdef CONFIG_PAX_EMUTRAMP
17681+ switch (pax_handle_fetch_fault(regs)) {
17682+ case 2:
17683+ return;
17684+ }
17685+#endif
17686+
17687+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17688+ do_group_exit(SIGKILL);
17689+ }
17690+#endif
17691+
17692+#ifdef CONFIG_PAX_SEGMEXEC
17693+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
17694+
17695+#ifdef CONFIG_PAX_EMUTRAMP
17696+ switch (pax_handle_fetch_fault(regs)) {
17697+ case 2:
17698+ return;
17699+ }
17700+#endif
17701+
17702+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17703+ do_group_exit(SIGKILL);
17704+ }
17705+#endif
17706+
17707+ }
17708+#endif
17709
17710 /* User mode accesses just cause a SIGSEGV */
17711 if (error_code & PF_USER) {
57199397 17712@@ -851,6 +994,106 @@ static int spurious_fault_check(unsigned
58c5fc13
MT		 17713 return 1;
17714 }
17715
17716+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17717+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17718+{
17719+ pte_t *pte;
17720+ pmd_t *pmd;
17721+ spinlock_t *ptl;
17722+ unsigned char pte_mask;
17723+
ae4e228f 17724+ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
58c5fc13
MT		 17725+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
17726+ return 0;
17727+
17728+ /* PaX: it's our fault, let's handle it if we can */
17729+
17730+ /* PaX: take a look at read faults before acquiring any locks */
17731+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17732+ /* instruction fetch attempt from a protected page in user mode */
17733+ up_read(&mm->mmap_sem);
17734+
17735+#ifdef CONFIG_PAX_EMUTRAMP
17736+ switch (pax_handle_fetch_fault(regs)) {
17737+ case 2:
17738+ return 1;
17739+ }
17740+#endif
17741+
17742+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17743+ do_group_exit(SIGKILL);
17744+ }
17745+
17746+ pmd = pax_get_pmd(mm, address);
17747+ if (unlikely(!pmd))
17748+ return 0;
17749+
17750+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17751+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17752+ pte_unmap_unlock(pte, ptl);
17753+ return 0;
17754+ }
17755+
17756+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17757+ /* write attempt to a protected page in user mode */
17758+ pte_unmap_unlock(pte, ptl);
17759+ return 0;
17760+ }
17761+
17762+#ifdef CONFIG_SMP
17763+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17764+#else
17765+ if (likely(address > get_limit(regs->cs)))
17766+#endif
17767+ {
17768+ set_pte(pte, pte_mkread(*pte));
17769+ __flush_tlb_one(address);
17770+ pte_unmap_unlock(pte, ptl);
17771+ up_read(&mm->mmap_sem);
17772+ return 1;
17773+ }
17774+
17775+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17776+
17777+ /*
17778+ * PaX: fill DTLB with user rights and retry
17779+ */
17780+ __asm__ __volatile__ (
17781+#ifdef CONFIG_PAX_MEMORY_UDEREF
17782+ "movw %w4,%%es\n"
17783+#endif
17784+ "orb %2,(%1)\n"
17785+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17786+/*
17787+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17788+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17789+ * page fault when examined during a TLB load attempt. this is true not only
17790+ * for PTEs holding a non-present entry but also present entries that will
17791+ * raise a page fault (such as those set up by PaX, or the copy-on-write
17792+ * mechanism). in effect it means that we do *not* need to flush the TLBs
17793+ * for our target pages since their PTEs are simply not in the TLBs at all.
17794+
17795+ * the best thing in omitting it is that we gain around 15-20% speed in the
17796+ * fast path of the page fault handler and can get rid of tracing since we
17797+ * can no longer flush unintended entries.
17798+ */
17799+ "invlpg (%0)\n"
17800+#endif
17801+ "testb $0,%%es:(%0)\n"
17802+ "xorb %3,(%1)\n"
17803+#ifdef CONFIG_PAX_MEMORY_UDEREF
17804+ "pushl %%ss\n"
17805+ "popl %%es\n"
17806+#endif
17807+ :
17808+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
17809+ : "memory", "cc");
17810+ pte_unmap_unlock(pte, ptl);
17811+ up_read(&mm->mmap_sem);
17812+ return 1;
17813+}
17814+#endif
17815+
17816 /*
17817 * Handle a spurious fault caused by a stale TLB entry.
17818 *
57199397 17819@@ -917,6 +1160,9 @@ int show_unhandled_signals = 1;
58c5fc13
MT		 17820 static inline int
17821 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
17822 {
ae4e228f 17823+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
58c5fc13
MT		 17824+ return 1;
17825+
17826 if (write) {
17827 /* write, present and write, not present: */
17828 if (unlikely(!(vma->vm_flags & VM_WRITE)))
57199397 17829@@ -950,17 +1196,31 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT		 17830 {
17831 struct vm_area_struct *vma;
17832 struct task_struct *tsk;
17833- unsigned long address;
17834 struct mm_struct *mm;
17835 int write;
17836 int fault;
17837
17838+ /* Get the faulting address: */
df50ba0c
MT		 17839+ unsigned long address = read_cr2();
17840+
17841+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17842+ if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17843+ if (!search_exception_tables(regs->ip)) {
17844+ bad_area_nosemaphore(regs, error_code, address);
17845+ return;
17846+ }
17847+ if (address < PAX_USER_SHADOW_BASE) {
17848+ printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17849+ printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
17850+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17851+ } else
17852+ address -= PAX_USER_SHADOW_BASE;
17853+ }
17854+#endif
58c5fc13
MT		 17855+
17856 tsk = current;
17857 mm = tsk->mm;
17858
17859- /* Get the faulting address: */
17860- address = read_cr2();
17861-
17862 /*
17863 * Detect and handle instructions that would cause a page fault for
17864 * both a tracked kernel page and a userspace page.
57199397 17865@@ -1020,7 +1280,7 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT		 17866 * User-mode registers count as a user access even for any
17867 * potential system fault or CPU buglet:
17868 */
17869- if (user_mode_vm(regs)) {
17870+ if (user_mode(regs)) {
17871 local_irq_enable();
17872 error_code |= PF_USER;
17873 } else {
57199397 17874@@ -1074,6 +1334,11 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT		 17875 might_sleep();
17876 }
17877
17878+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17879+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17880+ return;
17881+#endif
17882+
17883 vma = find_vma(mm, address);
17884 if (unlikely(!vma)) {
17885 bad_area(regs, error_code, address);
57199397 17886@@ -1085,18 +1350,24 @@ do_page_fault(struct pt_regs *regs, unsi
58c5fc13
MT		 17887 bad_area(regs, error_code, address);
17888 return;
17889 }
17890- if (error_code & PF_USER) {
17891- /*
17892- * Accessing the stack below %sp is always a bug.
17893- * The large cushion allows instructions like enter
17894- * and pusha to work. ("enter $65535, $31" pushes
17895- * 32 pointers and then decrements %sp by 65535.)
17896- */
17897- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17898- bad_area(regs, error_code, address);
17899- return;
17900- }
17901+ /*
17902+ * Accessing the stack below %sp is always a bug.
17903+ * The large cushion allows instructions like enter
17904+ * and pusha to work. ("enter $65535, $31" pushes
17905+ * 32 pointers and then decrements %sp by 65535.)
17906+ */
17907+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17908+ bad_area(regs, error_code, address);
17909+ return;
df50ba0c 17910 }
58c5fc13
MT		 17911+
17912+#ifdef CONFIG_PAX_SEGMEXEC
17913+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17914+ bad_area(regs, error_code, address);
17915+ return;
df50ba0c 17916+ }
58c5fc13
MT		 17917+#endif
17918+
17919 if (unlikely(expand_stack(vma, address))) {
17920 bad_area(regs, error_code, address);
17921 return;
57199397 17922@@ -1140,3 +1411,199 @@ good_area:
58c5fc13
MT		 17923
17924 up_read(&mm->mmap_sem);
17925 }
17926+
17927+#ifdef CONFIG_PAX_EMUTRAMP
17928+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17929+{
17930+ int err;
17931+
17932+ do { /* PaX: gcc trampoline emulation #1 */
17933+ unsigned char mov1, mov2;
17934+ unsigned short jmp;
17935+ unsigned int addr1, addr2;
17936+
17937+#ifdef CONFIG_X86_64
17938+ if ((regs->ip + 11) >> 32)
17939+ break;
17940+#endif
17941+
17942+ err = get_user(mov1, (unsigned char __user *)regs->ip);
17943+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17944+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17945+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17946+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17947+
17948+ if (err)
17949+ break;
17950+
17951+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17952+ regs->cx = addr1;
17953+ regs->ax = addr2;
17954+ regs->ip = addr2;
17955+ return 2;
17956+ }
17957+ } while (0);
17958+
17959+ do { /* PaX: gcc trampoline emulation #2 */
17960+ unsigned char mov, jmp;
17961+ unsigned int addr1, addr2;
17962+
17963+#ifdef CONFIG_X86_64
17964+ if ((regs->ip + 9) >> 32)
17965+ break;
17966+#endif
17967+
17968+ err = get_user(mov, (unsigned char __user *)regs->ip);
17969+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17970+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17971+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17972+
17973+ if (err)
17974+ break;
17975+
17976+ if (mov == 0xB9 && jmp == 0xE9) {
17977+ regs->cx = addr1;
17978+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17979+ return 2;
17980+ }
17981+ } while (0);
17982+
17983+ return 1; /* PaX in action */
17984+}
17985+
17986+#ifdef CONFIG_X86_64
17987+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17988+{
17989+ int err;
17990+
17991+ do { /* PaX: gcc trampoline emulation #1 */
17992+ unsigned short mov1, mov2, jmp1;
17993+ unsigned char jmp2;
17994+ unsigned int addr1;
17995+ unsigned long addr2;
17996+
17997+ err = get_user(mov1, (unsigned short __user *)regs->ip);
17998+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17999+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
18000+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
18001+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
18002+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
18003+
18004+ if (err)
18005+ break;
18006+
18007+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18008+ regs->r11 = addr1;
18009+ regs->r10 = addr2;
18010+ regs->ip = addr1;
18011+ return 2;
18012+ }
18013+ } while (0);
18014+
18015+ do { /* PaX: gcc trampoline emulation #2 */
18016+ unsigned short mov1, mov2, jmp1;
18017+ unsigned char jmp2;
18018+ unsigned long addr1, addr2;
18019+
18020+ err = get_user(mov1, (unsigned short __user *)regs->ip);
18021+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
18022+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
18023+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
18024+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
18025+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
18026+
18027+ if (err)
18028+ break;
18029+
18030+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18031+ regs->r11 = addr1;
18032+ regs->r10 = addr2;
18033+ regs->ip = addr1;
18034+ return 2;
18035+ }
18036+ } while (0);
18037+
18038+ return 1; /* PaX in action */
18039+}
18040+#endif
18041+
18042+/*
18043+ * PaX: decide what to do with offenders (regs->ip = fault address)
18044+ *
18045+ * returns 1 when task should be killed
18046+ * 2 when gcc trampoline was detected
18047+ */
18048+static int pax_handle_fetch_fault(struct pt_regs *regs)
18049+{
18050+ if (v8086_mode(regs))
18051+ return 1;
18052+
18053+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
18054+ return 1;
18055+
18056+#ifdef CONFIG_X86_32
18057+ return pax_handle_fetch_fault_32(regs);
18058+#else
18059+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
18060+ return pax_handle_fetch_fault_32(regs);
18061+ else
18062+ return pax_handle_fetch_fault_64(regs);
18063+#endif
18064+}
18065+#endif
18066+
18067+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18068+void pax_report_insns(void *pc, void *sp)
18069+{
18070+ long i;
18071+
18072+ printk(KERN_ERR "PAX: bytes at PC: ");
18073+ for (i = 0; i < 20; i++) {
18074+ unsigned char c;
ae4e228f 18075+ if (get_user(c, (__force unsigned char __user *)pc+i))
58c5fc13
MT		 18076+ printk(KERN_CONT "?? ");
18077+ else
18078+ printk(KERN_CONT "%02x ", c);
18079+ }
18080+ printk("\n");
18081+
18082+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
ae4e228f 18083+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
58c5fc13 18084+ unsigned long c;
ae4e228f 18085+ if (get_user(c, (__force unsigned long __user *)sp+i))
58c5fc13
MT		 18086+#ifdef CONFIG_X86_32
18087+ printk(KERN_CONT "???????? ");
18088+#else
18089+ printk(KERN_CONT "???????????????? ");
18090+#endif
18091+ else
18092+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
18093+ }
18094+ printk("\n");
18095+}
18096+#endif
58c5fc13 18097+
ae4e228f
MT		 18098+/**
18099+ * probe_kernel_write(): safely attempt to write to a location
18100+ * @dst: address to write to
18101+ * @src: pointer to the data that shall be written
18102+ * @size: size of the data chunk
18103+ *
18104+ * Safely write to address @dst from the buffer at @src. If a kernel fault
18105+ * happens, handle that and return -EFAULT.
18106+ */
18107+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
18108+{
18109+ long ret;
18110+ mm_segment_t old_fs = get_fs();
18111+
18112+ set_fs(KERNEL_DS);
18113+ pagefault_disable();
18114+ pax_open_kernel();
18115+ ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
18116+ pax_close_kernel();
18117+ pagefault_enable();
18118+ set_fs(old_fs);
18119+
18120+ return ret ? -EFAULT : 0;
18121+}
57199397
MT		 18122diff -urNp linux-2.6.35.4/arch/x86/mm/gup.c linux-2.6.35.4/arch/x86/mm/gup.c
18123--- linux-2.6.35.4/arch/x86/mm/gup.c 2010-08-26 19:47:12.000000000 -0400
18124+++ linux-2.6.35.4/arch/x86/mm/gup.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 18125@@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
18126 addr = start;
18127 len = (unsigned long) nr_pages << PAGE_SHIFT;
18128 end = start + len;
18129- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18130+ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18131 (void __user *)start, len)))
18132 return 0;
58c5fc13 18133
57199397
MT		 18134diff -urNp linux-2.6.35.4/arch/x86/mm/highmem_32.c linux-2.6.35.4/arch/x86/mm/highmem_32.c
18135--- linux-2.6.35.4/arch/x86/mm/highmem_32.c 2010-08-26 19:47:12.000000000 -0400
18136+++ linux-2.6.35.4/arch/x86/mm/highmem_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 18137@@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
58c5fc13
MT		 18138 idx = type + KM_TYPE_NR*smp_processor_id();
18139 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18140 BUG_ON(!pte_none(*(kmap_pte-idx)));
18141+
ae4e228f 18142+ pax_open_kernel();
58c5fc13 18143 set_pte(kmap_pte-idx, mk_pte(page, prot));
ae4e228f 18144+ pax_close_kernel();
58c5fc13 18145
58c5fc13
MT		 18146 return (void *)vaddr;
18147 }
57199397
MT		 18148diff -urNp linux-2.6.35.4/arch/x86/mm/hugetlbpage.c linux-2.6.35.4/arch/x86/mm/hugetlbpage.c
18149--- linux-2.6.35.4/arch/x86/mm/hugetlbpage.c 2010-08-26 19:47:12.000000000 -0400
18150+++ linux-2.6.35.4/arch/x86/mm/hugetlbpage.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 18151@@ -266,13 +266,18 @@ static unsigned long hugetlb_get_unmappe
58c5fc13
MT		 18152 struct hstate *h = hstate_file(file);
18153 struct mm_struct *mm = current->mm;
18154 struct vm_area_struct *vma;
18155- unsigned long start_addr;
18156+ unsigned long start_addr, pax_task_size = TASK_SIZE;
18157+
18158+#ifdef CONFIG_PAX_SEGMEXEC
18159+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18160+ pax_task_size = SEGMEXEC_TASK_SIZE;
18161+#endif
18162
18163 if (len > mm->cached_hole_size) {
18164- start_addr = mm->free_area_cache;
18165+ start_addr = mm->free_area_cache;
18166 } else {
18167- start_addr = TASK_UNMAPPED_BASE;
18168- mm->cached_hole_size = 0;
18169+ start_addr = mm->mmap_base;
18170+ mm->cached_hole_size = 0;
18171 }
18172
18173 full_search:
57199397 18174@@ -280,26 +285,27 @@ full_search:
58c5fc13
MT		 18175
18176 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18177 /* At this point: (!vma || addr < vma->vm_end). */
18178- if (TASK_SIZE - len < addr) {
18179+ if (pax_task_size - len < addr) {
18180 /*
18181 * Start a new search - just in case we missed
18182 * some holes.
18183 */
18184- if (start_addr != TASK_UNMAPPED_BASE) {
18185- start_addr = TASK_UNMAPPED_BASE;
18186+ if (start_addr != mm->mmap_base) {
18187+ start_addr = mm->mmap_base;
18188 mm->cached_hole_size = 0;
18189 goto full_search;
18190 }
57199397
MT		 18191 return -ENOMEM;
18192 }
18193- if (!vma || addr + len <= vma->vm_start) {
18194- mm->free_area_cache = addr + len;
18195- return addr;
18196- }
18197+ if (check_heap_stack_gap(vma, addr, len))
18198+ break;
18199 if (addr + mm->cached_hole_size < vma->vm_start)
18200 mm->cached_hole_size = vma->vm_start - addr;
18201 addr = ALIGN(vma->vm_end, huge_page_size(h));
18202 }
18203+
18204+ mm->free_area_cache = addr + len;
18205+ return addr;
18206 }
18207
18208 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
18209@@ -308,10 +314,9 @@ static unsigned long hugetlb_get_unmappe
18210 {
58c5fc13
MT		 18211 struct hstate *h = hstate_file(file);
18212 struct mm_struct *mm = current->mm;
57199397 18213- struct vm_area_struct *vma, *prev_vma;
58c5fc13 18214- unsigned long base = mm->mmap_base, addr = addr0;
57199397 18215+ struct vm_area_struct *vma;
58c5fc13
MT		 18216+ unsigned long base = mm->mmap_base, addr;
18217 unsigned long largest_hole = mm->cached_hole_size;
18218- int first_time = 1;
18219
18220 /* don't allow allocations above current base */
18221 if (mm->free_area_cache > base)
57199397 18222@@ -321,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
58c5fc13
MT		 18223 largest_hole = 0;
18224 mm->free_area_cache = base;
18225 }
18226-try_again:
18227+
18228 /* make sure it can fit in the remaining address space */
18229 if (mm->free_area_cache < len)
18230 goto fail;
57199397
MT		 18231@@ -329,33 +334,27 @@ try_again:
18232 /* either no address requested or cant fit in requested address hole */
18233 addr = (mm->free_area_cache - len) & huge_page_mask(h);
18234 do {
18235+ vma = find_vma(mm, addr);
18236 /*
18237 * Lookup failure means no vma is above this address,
18238 * i.e. return with success:
18239- */
18240- if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18241- return addr;
18242-
18243- /*
18244 * new region fits between prev_vma->vm_end and
18245 * vma->vm_start, use it:
18246 */
18247- if (addr + len <= vma->vm_start &&
18248- (!prev_vma || (addr >= prev_vma->vm_end))) {
18249+ if (check_heap_stack_gap(vma, addr, len)) {
18250 /* remember the address as a hint for next time */
18251- mm->cached_hole_size = largest_hole;
18252- return (mm->free_area_cache = addr);
18253- } else {
18254- /* pull free_area_cache down to the first hole */
18255- if (mm->free_area_cache == vma->vm_end) {
18256- mm->free_area_cache = vma->vm_start;
18257- mm->cached_hole_size = largest_hole;
18258- }
18259+ mm->cached_hole_size = largest_hole;
18260+ return (mm->free_area_cache = addr);
18261+ }
18262+ /* pull free_area_cache down to the first hole */
18263+ if (mm->free_area_cache == vma->vm_end) {
18264+ mm->free_area_cache = vma->vm_start;
18265+ mm->cached_hole_size = largest_hole;
18266 }
18267
18268 /* remember the largest hole we saw so far */
18269 if (addr + largest_hole < vma->vm_start)
18270- largest_hole = vma->vm_start - addr;
18271+ largest_hole = vma->vm_start - addr;
18272
18273 /* try just below the current vma->vm_start */
18274 addr = (vma->vm_start - len) & huge_page_mask(h);
18275@@ -363,22 +362,26 @@ try_again:
58c5fc13
MT		 18276
18277 fail:
18278 /*
18279- * if hint left us with no space for the requested
18280- * mapping then try again:
18281- */
18282- if (first_time) {
18283- mm->free_area_cache = base;
18284- largest_hole = 0;
18285- first_time = 0;
18286- goto try_again;
18287- }
18288- /*
18289 * A failed mmap() very likely causes application failure,
18290 * so fall back to the bottom-up function here. This scenario
18291 * can happen with large stack limits and large mmap()
18292 * allocations.
18293 */
18294- mm->free_area_cache = TASK_UNMAPPED_BASE;
18295+
18296+#ifdef CONFIG_PAX_SEGMEXEC
18297+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18298+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18299+ else
18300+#endif
18301+
18302+ mm->mmap_base = TASK_UNMAPPED_BASE;
18303+
18304+#ifdef CONFIG_PAX_RANDMMAP
18305+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18306+ mm->mmap_base += mm->delta_mmap;
18307+#endif
18308+
18309+ mm->free_area_cache = mm->mmap_base;
18310 mm->cached_hole_size = ~0UL;
18311 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18312 len, pgoff, flags);
57199397 18313@@ -386,6 +389,7 @@ fail:
58c5fc13
MT		 18314 /*
18315 * Restore the topdown base:
18316 */
18317+ mm->mmap_base = base;
18318 mm->free_area_cache = base;
18319 mm->cached_hole_size = ~0UL;
18320
57199397 18321@@ -399,10 +403,17 @@ hugetlb_get_unmapped_area(struct file *f
58c5fc13
MT		 18322 struct hstate *h = hstate_file(file);
18323 struct mm_struct *mm = current->mm;
18324 struct vm_area_struct *vma;
18325+ unsigned long pax_task_size = TASK_SIZE;
18326
18327 if (len & ~huge_page_mask(h))
18328 return -EINVAL;
18329- if (len > TASK_SIZE)
18330+
18331+#ifdef CONFIG_PAX_SEGMEXEC
18332+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18333+ pax_task_size = SEGMEXEC_TASK_SIZE;
18334+#endif
18335+
18336+ if (len > pax_task_size)
18337 return -ENOMEM;
18338
18339 if (flags & MAP_FIXED) {
57199397 18340@@ -414,8 +425,7 @@ hugetlb_get_unmapped_area(struct file *f
58c5fc13
MT		 18341 if (addr) {
18342 addr = ALIGN(addr, huge_page_size(h));
18343 vma = find_vma(mm, addr);
18344- if (TASK_SIZE - len >= addr &&
57199397
MT		 18345- (!vma || addr + len <= vma->vm_start))
18346+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
58c5fc13
MT		 18347 return addr;
18348 }
57199397
MT		 18349 if (mm->get_unmapped_area == arch_get_unmapped_area)
18350diff -urNp linux-2.6.35.4/arch/x86/mm/init_32.c linux-2.6.35.4/arch/x86/mm/init_32.c
18351--- linux-2.6.35.4/arch/x86/mm/init_32.c 2010-08-26 19:47:12.000000000 -0400
18352+++ linux-2.6.35.4/arch/x86/mm/init_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 18353@@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
58c5fc13
MT		 18354 }
18355
18356 /*
18357- * Creates a middle page table and puts a pointer to it in the
18358- * given global directory entry. This only returns the gd entry
18359- * in non-PAE compilation mode, since the middle layer is folded.
18360- */
18361-static pmd_t * __init one_md_table_init(pgd_t *pgd)
18362-{
18363- pud_t *pud;
18364- pmd_t *pmd_table;
18365-
18366-#ifdef CONFIG_X86_PAE
18367- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18368- if (after_bootmem)
ae4e228f 18369- pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
58c5fc13
MT		 18370- else
18371- pmd_table = (pmd_t *)alloc_low_page();
18372- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18373- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18374- pud = pud_offset(pgd, 0);
18375- BUG_ON(pmd_table != pmd_offset(pud, 0));
18376-
18377- return pmd_table;
18378- }
18379-#endif
18380- pud = pud_offset(pgd, 0);
18381- pmd_table = pmd_offset(pud, 0);
18382-
18383- return pmd_table;
18384-}
18385-
18386-/*
18387 * Create a page table and place a pointer to it in a middle page
18388 * directory entry:
18389 */
ae4e228f 18390@@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
58c5fc13
MT		 18391 page_table = (pte_t *)alloc_low_page();
18392
18393 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18394+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18395+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18396+#else
18397 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18398+#endif
18399 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18400 }
18401
18402 return pte_offset_kernel(pmd, 0);
18403 }
18404
18405+static pmd_t * __init one_md_table_init(pgd_t *pgd)
18406+{
18407+ pud_t *pud;
18408+ pmd_t *pmd_table;
18409+
18410+ pud = pud_offset(pgd, 0);
18411+ pmd_table = pmd_offset(pud, 0);
18412+
18413+ return pmd_table;
18414+}
18415+
18416 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18417 {
18418 int pgd_idx = pgd_index(vaddr);
ae4e228f 18419@@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
58c5fc13
MT		 18420 int pgd_idx, pmd_idx;
18421 unsigned long vaddr;
18422 pgd_t *pgd;
18423+ pud_t *pud;
18424 pmd_t *pmd;
18425 pte_t *pte = NULL;
18426
ae4e228f 18427@@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
58c5fc13
MT		 18428 pgd = pgd_base + pgd_idx;
18429
18430 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18431- pmd = one_md_table_init(pgd);
18432- pmd = pmd + pmd_index(vaddr);
18433+ pud = pud_offset(pgd, vaddr);
18434+ pmd = pmd_offset(pud, vaddr);
18435+
18436+#ifdef CONFIG_X86_PAE
18437+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18438+#endif
18439+
18440 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18441 pmd++, pmd_idx++) {
18442 pte = page_table_kmap_check(one_page_table_init(pmd),
ae4e228f 18443@@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
58c5fc13
MT		 18444 }
18445 }
18446
18447-static inline int is_kernel_text(unsigned long addr)
18448+static inline int is_kernel_text(unsigned long start, unsigned long end)
18449 {
18450- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18451- return 1;
18452- return 0;
ae4e228f 18453+ if ((start > ktla_ktva((unsigned long)_etext) ||
58c5fc13
MT		 18454+ end <= ktla_ktva((unsigned long)_stext)) &&
18455+ (start > ktla_ktva((unsigned long)_einittext) ||
18456+ end <= ktla_ktva((unsigned long)_sinittext)) &&
ae4e228f
MT		 18457+
18458+#ifdef CONFIG_ACPI_SLEEP
18459+ (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18460+#endif
18461+
58c5fc13
MT		 18462+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
18463+ return 0;
18464+ return 1;
18465 }
18466
18467 /*
df50ba0c
MT		 18468@@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
18469 unsigned long last_map_addr = end;
58c5fc13
MT		 18470 unsigned long start_pfn, end_pfn;
18471 pgd_t *pgd_base = swapper_pg_dir;
18472- int pgd_idx, pmd_idx, pte_ofs;
18473+ unsigned int pgd_idx, pmd_idx, pte_ofs;
18474 unsigned long pfn;
18475 pgd_t *pgd;
18476+ pud_t *pud;
18477 pmd_t *pmd;
18478 pte_t *pte;
18479 unsigned pages_2m, pages_4k;
df50ba0c 18480@@ -279,8 +280,13 @@ repeat:
58c5fc13
MT		 18481 pfn = start_pfn;
18482 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18483 pgd = pgd_base + pgd_idx;
18484- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18485- pmd = one_md_table_init(pgd);
18486+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18487+ pud = pud_offset(pgd, 0);
18488+ pmd = pmd_offset(pud, 0);
18489+
18490+#ifdef CONFIG_X86_PAE
18491+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18492+#endif
18493
18494 if (pfn >= end_pfn)
18495 continue;
df50ba0c 18496@@ -292,14 +298,13 @@ repeat:
58c5fc13
MT		 18497 #endif
18498 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18499 pmd++, pmd_idx++) {
18500- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18501+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18502
18503 /*
18504 * Map with big pages if possible, otherwise
18505 * create normal page tables:
18506 */
18507 if (use_pse) {
18508- unsigned int addr2;
18509 pgprot_t prot = PAGE_KERNEL_LARGE;
18510 /*
18511 * first pass will use the same initial
df50ba0c 18512@@ -309,11 +314,7 @@ repeat:
58c5fc13
MT		 18513 __pgprot(PTE_IDENT_ATTR |
18514 _PAGE_PSE);
18515
18516- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18517- PAGE_OFFSET + PAGE_SIZE-1;
18518-
18519- if (is_kernel_text(addr) ||
18520- is_kernel_text(addr2))
18521+ if (is_kernel_text(address, address + PMD_SIZE))
18522 prot = PAGE_KERNEL_LARGE_EXEC;
18523
18524 pages_2m++;
df50ba0c 18525@@ -330,7 +331,7 @@ repeat:
58c5fc13
MT		 18526 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18527 pte += pte_ofs;
18528 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18529- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18530+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18531 pgprot_t prot = PAGE_KERNEL;
18532 /*
18533 * first pass will use the same initial
df50ba0c 18534@@ -338,7 +339,7 @@ repeat:
58c5fc13
MT		 18535 */
18536 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18537
18538- if (is_kernel_text(addr))
18539+ if (is_kernel_text(address, address + PAGE_SIZE))
18540 prot = PAGE_KERNEL_EXEC;
18541
18542 pages_4k++;
df50ba0c 18543@@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
58c5fc13
MT		 18544
18545 pud = pud_offset(pgd, va);
18546 pmd = pmd_offset(pud, va);
18547- if (!pmd_present(*pmd))
18548+ if (!pmd_present(*pmd) || pmd_huge(*pmd))
18549 break;
18550
18551 pte = pte_offset_kernel(pmd, va);
df50ba0c 18552@@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
58c5fc13
MT		 18553
18554 static void __init pagetable_init(void)
18555 {
18556- pgd_t *pgd_base = swapper_pg_dir;
18557-
18558- permanent_kmaps_init(pgd_base);
18559+ permanent_kmaps_init(swapper_pg_dir);
18560 }
18561
18562 #ifdef CONFIG_ACPI_SLEEP
df50ba0c 18563@@ -553,12 +552,12 @@ static void __init pagetable_init(void)
58c5fc13
MT		 18564 * ACPI suspend needs this for resume, because things like the intel-agp
18565 * driver might have split up a kernel 4MB mapping.
18566 */
18567-char swsusp_pg_dir[PAGE_SIZE]
18568+pgd_t swsusp_pg_dir[PTRS_PER_PGD]
18569 __attribute__ ((aligned(PAGE_SIZE)));
18570
18571 static inline void save_pg_dir(void)
18572 {
18573- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
18574+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
18575 }
18576 #else /* !CONFIG_ACPI_SLEEP */
18577 static inline void save_pg_dir(void)
df50ba0c 18578@@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
58c5fc13
MT		 18579 flush_tlb_all();
18580 }
18581
18582-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18583+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18584 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18585
18586 /* user-defined highmem size */
df50ba0c 18587@@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
ae4e228f
MT		 18588 * Initialize the boot-time allocator (with low memory only):
18589 */
18590 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
18591- bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18592+ bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18593 PAGE_SIZE);
18594 if (bootmap == -1L)
18595 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
df50ba0c
MT		 18596@@ -871,6 +870,12 @@ void __init mem_init(void)
18597
18598 pci_iommu_alloc();
18599
18600+#ifdef CONFIG_PAX_PER_CPU_PGD
18601+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18602+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18603+ KERNEL_PGD_PTRS);
18604+#endif
18605+
18606 #ifdef CONFIG_FLATMEM
18607 BUG_ON(!mem_map);
18608 #endif
18609@@ -888,7 +893,7 @@ void __init mem_init(void)
58c5fc13
MT		 18610 set_highmem_pages_init();
18611
18612 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18613- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18614+ datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18615 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18616
ae4e228f 18617 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
df50ba0c 18618@@ -929,10 +934,10 @@ void __init mem_init(void)
58c5fc13
MT		 18619 ((unsigned long)&__init_end -
18620 (unsigned long)&__init_begin) >> 10,
18621
18622- (unsigned long)&_etext, (unsigned long)&_edata,
18623- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18624+ (unsigned long)&_sdata, (unsigned long)&_edata,
18625+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18626
18627- (unsigned long)&_text, (unsigned long)&_etext,
18628+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18629 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18630
18631 /*
df50ba0c 18632@@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
ae4e228f
MT		 18633 if (!kernel_set_to_readonly)
18634 return;
58c5fc13 18635
ae4e228f
MT		 18636+ start = ktla_ktva(start);
18637 pr_debug("Set kernel text: %lx - %lx for read write\n",
18638 start, start+size);
18639
df50ba0c 18640@@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
ae4e228f
MT		 18641 if (!kernel_set_to_readonly)
18642 return;
18643
18644+ start = ktla_ktva(start);
18645 pr_debug("Set kernel text: %lx - %lx for read only\n",
18646 start, start+size);
18647
df50ba0c 18648@@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
ae4e228f
MT		 18649 unsigned long start = PFN_ALIGN(_text);
18650 unsigned long size = PFN_ALIGN(_etext) - start;
18651
18652+ start = ktla_ktva(start);
18653 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18654 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18655 size >> 10);
57199397
MT		 18656diff -urNp linux-2.6.35.4/arch/x86/mm/init_64.c linux-2.6.35.4/arch/x86/mm/init_64.c
18657--- linux-2.6.35.4/arch/x86/mm/init_64.c 2010-08-26 19:47:12.000000000 -0400
18658+++ linux-2.6.35.4/arch/x86/mm/init_64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 18659@@ -50,7 +50,6 @@
18660 #include <asm/numa.h>
18661 #include <asm/cacheflush.h>
18662 #include <asm/init.h>
18663-#include <linux/bootmem.h>
18664
18665 static unsigned long dma_reserve __initdata;
18666
18667@@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
ae4e228f
MT		 18668 * around without checking the pgd every time.
18669 */
18670
18671-pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18672+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18673 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18674
18675 int force_personality32;
df50ba0c 18676@@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
58c5fc13
MT		 18677 pmd = fill_pmd(pud, vaddr);
18678 pte = fill_pte(pmd, vaddr);
18679
ae4e228f 18680+ pax_open_kernel();
58c5fc13 18681 set_pte(pte, new_pte);
ae4e228f 18682+ pax_close_kernel();
58c5fc13 18683
58c5fc13
MT		 18684 /*
18685 * It's enough to flush this one mapping.
df50ba0c 18686@@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
58c5fc13
MT		 18687 pgd = pgd_offset_k((unsigned long)__va(phys));
18688 if (pgd_none(*pgd)) {
18689 pud = (pud_t *) spp_getpage();
18690- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18691- _PAGE_USER));
18692+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18693 }
18694 pud = pud_offset(pgd, (unsigned long)__va(phys));
18695 if (pud_none(*pud)) {
18696 pmd = (pmd_t *) spp_getpage();
18697- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18698- _PAGE_USER));
18699+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18700 }
18701 pmd = pmd_offset(pud, phys);
18702 BUG_ON(!pmd_none(*pmd));
df50ba0c
MT		 18703@@ -680,6 +679,12 @@ void __init mem_init(void)
18704
18705 pci_iommu_alloc();
18706
18707+#ifdef CONFIG_PAX_PER_CPU_PGD
18708+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18709+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18710+ KERNEL_PGD_PTRS);
18711+#endif
18712+
18713 /* clear_bss() already clear the empty_zero_page */
18714
18715 reservedpages = 0;
18716@@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
58c5fc13
MT		 18717 static struct vm_area_struct gate_vma = {
18718 .vm_start = VSYSCALL_START,
18719 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18720- .vm_page_prot = PAGE_READONLY_EXEC,
18721- .vm_flags = VM_READ | VM_EXEC
18722+ .vm_page_prot = PAGE_READONLY,
18723+ .vm_flags = VM_READ
18724 };
18725
18726 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
df50ba0c 18727@@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
58c5fc13
MT		 18728
18729 const char *arch_vma_name(struct vm_area_struct *vma)
18730 {
18731- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18732+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18733 return "[vdso]";
18734 if (vma == &gate_vma)
18735 return "[vsyscall]";
57199397
MT		 18736diff -urNp linux-2.6.35.4/arch/x86/mm/init.c linux-2.6.35.4/arch/x86/mm/init.c
18737--- linux-2.6.35.4/arch/x86/mm/init.c 2010-08-26 19:47:12.000000000 -0400
18738+++ linux-2.6.35.4/arch/x86/mm/init.c 2010-09-17 20:12:09.000000000 -0400
18739@@ -70,11 +70,7 @@ static void __init find_early_table_spac
18740 * cause a hotspot and fill up ZONE_DMA. The page tables
18741 * need roughly 0.5KB per GB.
18742 */
18743-#ifdef CONFIG_X86_32
18744- start = 0x7000;
18745-#else
18746- start = 0x8000;
18747-#endif
18748+ start = 0x100000;
18749 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
18750 tables, PAGE_SIZE);
18751 if (e820_table_start == -1UL)
18752@@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
18753 */
18754 int devmem_is_allowed(unsigned long pagenr)
18755 {
18756- if (pagenr <= 256)
18757+ if (!pagenr)
18758+ return 1;
18759+#ifdef CONFIG_VM86
18760+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18761+ return 1;
18762+#endif
18763+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18764 return 1;
18765 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
18766 return 0;
18767@@ -380,6 +382,88 @@ void free_init_pages(char *what, unsigne
18768
18769 void free_initmem(void)
18770 {
18771+
18772+#ifdef CONFIG_PAX_KERNEXEC
18773+#ifdef CONFIG_X86_32
18774+ /* PaX: limit KERNEL_CS to actual size */
18775+ unsigned long addr, limit;
18776+ struct desc_struct d;
18777+ int cpu;
18778+
18779+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18780+ limit = (limit - 1UL) >> PAGE_SHIFT;
18781+
18782+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18783+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
18784+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18785+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18786+ }
18787+
18788+ /* PaX: make KERNEL_CS read-only */
18789+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18790+ if (!paravirt_enabled())
18791+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18792+/*
18793+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18794+ pgd = pgd_offset_k(addr);
18795+ pud = pud_offset(pgd, addr);
18796+ pmd = pmd_offset(pud, addr);
18797+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18798+ }
18799+*/
18800+#ifdef CONFIG_X86_PAE
18801+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18802+/*
18803+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18804+ pgd = pgd_offset_k(addr);
18805+ pud = pud_offset(pgd, addr);
18806+ pmd = pmd_offset(pud, addr);
18807+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18808+ }
18809+*/
18810+#endif
18811+
18812+#ifdef CONFIG_MODULES
18813+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18814+#endif
18815+
18816+#else
18817+ pgd_t *pgd;
18818+ pud_t *pud;
18819+ pmd_t *pmd;
18820+ unsigned long addr, end;
18821+
18822+ /* PaX: make kernel code/rodata read-only, rest non-executable */
18823+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18824+ pgd = pgd_offset_k(addr);
18825+ pud = pud_offset(pgd, addr);
18826+ pmd = pmd_offset(pud, addr);
18827+ if (!pmd_present(*pmd))
18828+ continue;
18829+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18830+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18831+ else
18832+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18833+ }
18834+
18835+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18836+ end = addr + KERNEL_IMAGE_SIZE;
18837+ for (; addr < end; addr += PMD_SIZE) {
18838+ pgd = pgd_offset_k(addr);
18839+ pud = pud_offset(pgd, addr);
18840+ pmd = pmd_offset(pud, addr);
18841+ if (!pmd_present(*pmd))
18842+ continue;
18843+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18844+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18845+ else
18846+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18847+ }
18848+#endif
18849+
18850+ flush_tlb_all();
18851+#endif
18852+
18853 free_init_pages("unused kernel memory",
18854 (unsigned long)(&__init_begin),
18855 (unsigned long)(&__init_end));
18856diff -urNp linux-2.6.35.4/arch/x86/mm/iomap_32.c linux-2.6.35.4/arch/x86/mm/iomap_32.c
18857--- linux-2.6.35.4/arch/x86/mm/iomap_32.c 2010-08-26 19:47:12.000000000 -0400
18858+++ linux-2.6.35.4/arch/x86/mm/iomap_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 18859@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
58c5fc13
MT		 18860 debug_kmap_atomic(type);
18861 idx = type + KM_TYPE_NR * smp_processor_id();
18862 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18863+
ae4e228f 18864+ pax_open_kernel();
58c5fc13 18865 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
ae4e228f 18866+ pax_close_kernel();
58c5fc13
MT		 18867+
18868 arch_flush_lazy_mmu_mode();
18869
18870 return (void *)vaddr;
57199397
MT		 18871diff -urNp linux-2.6.35.4/arch/x86/mm/ioremap.c linux-2.6.35.4/arch/x86/mm/ioremap.c
18872--- linux-2.6.35.4/arch/x86/mm/ioremap.c 2010-08-26 19:47:12.000000000 -0400
18873+++ linux-2.6.35.4/arch/x86/mm/ioremap.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 18874@@ -100,13 +100,10 @@ static void __iomem *__ioremap_caller(re
58c5fc13
MT		 18875 /*
18876 * Don't allow anybody to remap normal RAM that we're using..
18877 */
18878- for (pfn = phys_addr >> PAGE_SHIFT;
18879- (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
18880- pfn++) {
18881-
18882+ for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
18883 int is_ram = page_is_ram(pfn);
18884
ae4e228f
MT		 18885- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18886+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18887 return NULL;
18888 WARN_ON_ONCE(is_ram);
58c5fc13 18889 }
df50ba0c 18890@@ -346,7 +343,7 @@ static int __init early_ioremap_debug_se
58c5fc13
MT		 18891 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18892
18893 static __initdata int after_paging_init;
18894-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18895+static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18896
18897 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18898 {
df50ba0c 18899@@ -378,8 +375,7 @@ void __init early_ioremap_init(void)
58c5fc13
MT		 18900 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18901
18902 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18903- memset(bm_pte, 0, sizeof(bm_pte));
18904- pmd_populate_kernel(&init_mm, pmd, bm_pte);
18905+ pmd_populate_user(&init_mm, pmd, bm_pte);
18906
18907 /*
18908 * The boot-ioremap range spans multiple pmds, for which
57199397
MT		 18909diff -urNp linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c
18910--- linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c 2010-08-26 19:47:12.000000000 -0400
18911+++ linux-2.6.35.4/arch/x86/mm/kmemcheck/kmemcheck.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 18912@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18913 * memory (e.g. tracked pages)? For now, we need this to avoid
18914 * invoking kmemcheck for PnP BIOS calls.
18915 */
18916- if (regs->flags & X86_VM_MASK)
18917+ if (v8086_mode(regs))
18918 return false;
18919- if (regs->cs != __KERNEL_CS)
18920+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18921 return false;
18922
18923 pte = kmemcheck_pte_lookup(address);
57199397
MT		 18924diff -urNp linux-2.6.35.4/arch/x86/mm/mmap.c linux-2.6.35.4/arch/x86/mm/mmap.c
18925--- linux-2.6.35.4/arch/x86/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
18926+++ linux-2.6.35.4/arch/x86/mm/mmap.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 18927@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18928 * Leave an at least ~128 MB hole with possible stack randomization.
58c5fc13 18929 */
ae4e228f 18930 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
58c5fc13
MT		 18931-#define MAX_GAP (TASK_SIZE/6*5)
18932+#define MAX_GAP (pax_task_size/6*5)
18933
18934 /*
18935 * True on X86_32 or when emulating IA32 on X86_64
ae4e228f 18936@@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
58c5fc13
MT		 18937 return rnd << PAGE_SHIFT;
18938 }
18939
18940-static unsigned long mmap_base(void)
18941+static unsigned long mmap_base(struct mm_struct *mm)
18942 {
df50ba0c 18943 unsigned long gap = rlimit(RLIMIT_STACK);
58c5fc13
MT		 18944+ unsigned long pax_task_size = TASK_SIZE;
18945+
18946+#ifdef CONFIG_PAX_SEGMEXEC
18947+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18948+ pax_task_size = SEGMEXEC_TASK_SIZE;
18949+#endif
18950
18951 if (gap < MIN_GAP)
18952 gap = MIN_GAP;
18953 else if (gap > MAX_GAP)
18954 gap = MAX_GAP;
18955
18956- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18957+ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18958 }
18959
18960 /*
18961 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18962 * does, but not when emulating X86_32
18963 */
18964-static unsigned long mmap_legacy_base(void)
18965+static unsigned long mmap_legacy_base(struct mm_struct *mm)
18966 {
18967- if (mmap_is_ia32())
18968+ if (mmap_is_ia32()) {
18969+
18970+#ifdef CONFIG_PAX_SEGMEXEC
18971+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18972+ return SEGMEXEC_TASK_UNMAPPED_BASE;
18973+ else
18974+#endif
18975+
18976 return TASK_UNMAPPED_BASE;
18977- else
18978+ } else
18979 return TASK_UNMAPPED_BASE + mmap_rnd();
18980 }
18981
ae4e228f 18982@@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
58c5fc13
MT		 18983 void arch_pick_mmap_layout(struct mm_struct *mm)
18984 {
18985 if (mmap_is_legacy()) {
18986- mm->mmap_base = mmap_legacy_base();
18987+ mm->mmap_base = mmap_legacy_base(mm);
18988+
18989+#ifdef CONFIG_PAX_RANDMMAP
18990+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18991+ mm->mmap_base += mm->delta_mmap;
18992+#endif
18993+
18994 mm->get_unmapped_area = arch_get_unmapped_area;
18995 mm->unmap_area = arch_unmap_area;
18996 } else {
18997- mm->mmap_base = mmap_base();
18998+ mm->mmap_base = mmap_base(mm);
18999+
19000+#ifdef CONFIG_PAX_RANDMMAP
19001+ if (mm->pax_flags & MF_PAX_RANDMMAP)
19002+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
19003+#endif
19004+
19005 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
19006 mm->unmap_area = arch_unmap_area_topdown;
19007 }
57199397
MT		 19008diff -urNp linux-2.6.35.4/arch/x86/mm/numa_32.c linux-2.6.35.4/arch/x86/mm/numa_32.c
19009--- linux-2.6.35.4/arch/x86/mm/numa_32.c 2010-08-26 19:47:12.000000000 -0400
19010+++ linux-2.6.35.4/arch/x86/mm/numa_32.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 19011@@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
19012 }
19013 #endif
19014
19015-extern unsigned long find_max_low_pfn(void);
19016 extern unsigned long highend_pfn, highstart_pfn;
19017
19018 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
57199397
MT		 19019diff -urNp linux-2.6.35.4/arch/x86/mm/pageattr.c linux-2.6.35.4/arch/x86/mm/pageattr.c
19020--- linux-2.6.35.4/arch/x86/mm/pageattr.c 2010-08-26 19:47:12.000000000 -0400
19021+++ linux-2.6.35.4/arch/x86/mm/pageattr.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 19022@@ -261,16 +261,17 @@ static inline pgprot_t static_protection
19023 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
19024 */
19025 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
19026- pgprot_val(forbidden) |= _PAGE_NX;
19027+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19028
19029 /*
19030 * The kernel text needs to be executable for obvious reasons
58c5fc13
MT		 19031 * Does not cover __inittext since that is gone later on. On
19032 * 64bit we do not enforce !NX on the low mapping
19033 */
19034- if (within(address, (unsigned long)_text, (unsigned long)_etext))
df50ba0c 19035- pgprot_val(forbidden) |= _PAGE_NX;
58c5fc13 19036+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
df50ba0c 19037+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
58c5fc13
MT		 19038
19039+#ifdef CONFIG_DEBUG_RODATA
19040 /*
19041 * The .rodata section needs to be read-only. Using the pfn
19042 * catches all aliases.
ae4e228f 19043@@ -278,6 +279,7 @@ static inline pgprot_t static_protection
58c5fc13
MT		 19044 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
19045 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
19046 pgprot_val(forbidden) |= _PAGE_RW;
19047+#endif
19048
ae4e228f
MT		 19049 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
19050 /*
df50ba0c
MT		 19051@@ -316,6 +318,13 @@ static inline pgprot_t static_protection
19052 }
19053 #endif
19054
19055+#ifdef CONFIG_PAX_KERNEXEC
19056+ if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
19057+ pgprot_val(forbidden) |= _PAGE_RW;
19058+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19059+ }
19060+#endif
19061+
19062 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
19063
19064 return prot;
19065@@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
58c5fc13
MT		 19066 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
19067 {
58c5fc13 19068 /* change init_mm */
ae4e228f 19069+ pax_open_kernel();
58c5fc13 19070 set_pte_atomic(kpte, pte);
58c5fc13
MT		 19071+
19072 #ifdef CONFIG_X86_32
19073 if (!SHARED_KERNEL_PMD) {
df50ba0c
MT		 19074+
19075+#ifdef CONFIG_PAX_PER_CPU_PGD
19076+ unsigned long cpu;
19077+#else
58c5fc13 19078 struct page *page;
df50ba0c
MT		 19079+#endif
19080
19081+#ifdef CONFIG_PAX_PER_CPU_PGD
19082+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19083+ pgd_t *pgd = get_cpu_pgd(cpu);
19084+#else
19085 list_for_each_entry(page, &pgd_list, lru) {
19086- pgd_t *pgd;
19087+ pgd_t *pgd = (pgd_t *)page_address(page);
19088+#endif
19089+
19090 pud_t *pud;
19091 pmd_t *pmd;
19092
19093- pgd = (pgd_t *)page_address(page) + pgd_index(address);
19094+ pgd += pgd_index(address);
19095 pud = pud_offset(pgd, address);
19096 pmd = pmd_offset(pud, address);
19097 set_pte_atomic((pte_t *)pmd, pte);
19098 }
19099 }
19100 #endif
19101+ pax_close_kernel();
19102 }
19103
19104 static int
57199397
MT		 19105diff -urNp linux-2.6.35.4/arch/x86/mm/pageattr-test.c linux-2.6.35.4/arch/x86/mm/pageattr-test.c
19106--- linux-2.6.35.4/arch/x86/mm/pageattr-test.c 2010-08-26 19:47:12.000000000 -0400
19107+++ linux-2.6.35.4/arch/x86/mm/pageattr-test.c 2010-09-17 20:12:09.000000000 -0400
19108@@ -36,7 +36,7 @@ enum {
58c5fc13 19109
57199397
MT		 19110 static int pte_testbit(pte_t pte)
19111 {
19112- return pte_flags(pte) & _PAGE_UNUSED1;
19113+ return pte_flags(pte) & _PAGE_CPA_TEST;
58c5fc13 19114 }
58c5fc13 19115
57199397
MT		 19116 struct split_state {
19117diff -urNp linux-2.6.35.4/arch/x86/mm/pat.c linux-2.6.35.4/arch/x86/mm/pat.c
19118--- linux-2.6.35.4/arch/x86/mm/pat.c 2010-08-26 19:47:12.000000000 -0400
19119+++ linux-2.6.35.4/arch/x86/mm/pat.c 2010-09-17 20:12:09.000000000 -0400
19120@@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
19121
19122 if (!entry) {
58c5fc13
MT		 19123 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
19124- current->comm, current->pid, start, end);
19125+ current->comm, task_pid_nr(current), start, end);
57199397 19126 return -EINVAL;
58c5fc13
MT		 19127 }
19128
57199397
MT		 19129@@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
19130 while (cursor < to) {
19131 if (!devmem_is_allowed(pfn)) {
19132 printk(KERN_INFO
19133- "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
19134- current->comm, from, to);
19135+ "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
19136+ current->comm, from, to, cursor);
19137 return 0;
19138 }
19139 cursor += PAGE_SIZE;
19140@@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
58c5fc13
MT		 19141 printk(KERN_INFO
19142 "%s:%d ioremap_change_attr failed %s "
19143 "for %Lx-%Lx\n",
19144- current->comm, current->pid,
19145+ current->comm, task_pid_nr(current),
19146 cattr_name(flags),
19147 base, (unsigned long long)(base + size));
19148 return -EINVAL;
57199397
MT		 19149@@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
19150 if (want_flags != flags) {
19151 printk(KERN_WARNING
19152 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19153- current->comm, current->pid,
19154+ current->comm, task_pid_nr(current),
19155 cattr_name(want_flags),
19156 (unsigned long long)paddr,
19157 (unsigned long long)(paddr + size),
19158@@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
58c5fc13
MT		 19159 free_memtype(paddr, paddr + size);
19160 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19161 " for %Lx-%Lx, got %s\n",
19162- current->comm, current->pid,
19163+ current->comm, task_pid_nr(current),
19164 cattr_name(want_flags),
19165 (unsigned long long)paddr,
19166 (unsigned long long)(paddr + size),
57199397
MT		 19167diff -urNp linux-2.6.35.4/arch/x86/mm/pgtable_32.c linux-2.6.35.4/arch/x86/mm/pgtable_32.c
19168--- linux-2.6.35.4/arch/x86/mm/pgtable_32.c 2010-08-26 19:47:12.000000000 -0400
19169+++ linux-2.6.35.4/arch/x86/mm/pgtable_32.c 2010-09-17 20:12:09.000000000 -0400
19170@@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19171 return;
19172 }
19173 pte = pte_offset_kernel(pmd, vaddr);
19174+
19175+ pax_open_kernel();
19176 if (pte_val(pteval))
19177 set_pte_at(&init_mm, vaddr, pte, pteval);
19178 else
19179 pte_clear(&init_mm, vaddr, pte);
19180+ pax_close_kernel();
19181
19182 /*
19183 * It's enough to flush this one mapping.
19184diff -urNp linux-2.6.35.4/arch/x86/mm/pgtable.c linux-2.6.35.4/arch/x86/mm/pgtable.c
19185--- linux-2.6.35.4/arch/x86/mm/pgtable.c 2010-08-26 19:47:12.000000000 -0400
19186+++ linux-2.6.35.4/arch/x86/mm/pgtable.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 19187@@ -84,8 +84,59 @@ static inline void pgd_list_del(pgd_t *p
19188 list_del(&page->lru);
19189 }
19190
19191-#define UNSHARED_PTRS_PER_PGD \
19192- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19193+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19194+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19195+
19196+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19197+{
19198+ while (count--)
19199+ *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
19200+
19201+}
19202+#endif
19203+
19204+#ifdef CONFIG_PAX_PER_CPU_PGD
19205+void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19206+{
19207+ while (count--)
19208+
19209+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19210+ *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19211+#else
19212+ *dst++ = *src++;
19213+#endif
19214+
19215+}
19216+#endif
19217+
19218+#ifdef CONFIG_PAX_PER_CPU_PGD
19219+static inline void pgd_ctor(pgd_t *pgd) {}
19220+static inline void pgd_dtor(pgd_t *pgd) {}
19221+#ifdef CONFIG_X86_64
19222+#define pxd_t pud_t
19223+#define pyd_t pgd_t
19224+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19225+#define pxd_free(mm, pud) pud_free((mm), (pud))
19226+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19227+#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19228+#define PYD_SIZE PGDIR_SIZE
19229+#else
19230+#define pxd_t pmd_t
19231+#define pyd_t pud_t
19232+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19233+#define pxd_free(mm, pud) pmd_free((mm), (pud))
19234+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19235+#define pyd_offset(mm ,address) pud_offset((mm), (address))
19236+#define PYD_SIZE PUD_SIZE
19237+#endif
19238+#else
19239+#define pxd_t pmd_t
19240+#define pyd_t pud_t
19241+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19242+#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19243+#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19244+#define pyd_offset(mm ,address) pud_offset((mm), (address))
19245+#define PYD_SIZE PUD_SIZE
19246
19247 static void pgd_ctor(pgd_t *pgd)
19248 {
19249@@ -120,6 +171,7 @@ static void pgd_dtor(pgd_t *pgd)
19250 pgd_list_del(pgd);
19251 spin_unlock_irqrestore(&pgd_lock, flags);
19252 }
19253+#endif
19254
19255 /*
19256 * List of all pgd's needed for non-PAE so it can invalidate entries
19257@@ -132,7 +184,7 @@ static void pgd_dtor(pgd_t *pgd)
19258 * -- wli
19259 */
19260
19261-#ifdef CONFIG_X86_PAE
19262+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19263 /*
19264 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19265 * updating the top-level pagetable entries to guarantee the
19266@@ -144,7 +196,7 @@ static void pgd_dtor(pgd_t *pgd)
19267 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19268 * and initialize the kernel pmds here.
19269 */
19270-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19271+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19272
19273 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19274 {
19275@@ -163,36 +215,38 @@ void pud_populate(struct mm_struct *mm,
19276 if (mm == current->active_mm)
19277 write_cr3(read_cr3());
19278 }
19279+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19280+#define PREALLOCATED_PXDS USER_PGD_PTRS
19281 #else /* !CONFIG_X86_PAE */
19282
19283 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19284-#define PREALLOCATED_PMDS 0
19285+#define PREALLOCATED_PXDS 0
19286
19287 #endif /* CONFIG_X86_PAE */
19288
19289-static void free_pmds(pmd_t *pmds[])
19290+static void free_pxds(pxd_t *pxds[])
19291 {
19292 int i;
19293
19294- for(i = 0; i < PREALLOCATED_PMDS; i++)
19295- if (pmds[i])
19296- free_page((unsigned long)pmds[i]);
19297+ for(i = 0; i < PREALLOCATED_PXDS; i++)
19298+ if (pxds[i])
19299+ free_page((unsigned long)pxds[i]);
19300 }
19301
19302-static int preallocate_pmds(pmd_t *pmds[])
19303+static int preallocate_pxds(pxd_t *pxds[])
19304 {
19305 int i;
19306 bool failed = false;
19307
19308- for(i = 0; i < PREALLOCATED_PMDS; i++) {
19309- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19310- if (pmd == NULL)
19311+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
19312+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19313+ if (pxd == NULL)
19314 failed = true;
19315- pmds[i] = pmd;
19316+ pxds[i] = pxd;
19317 }
19318
19319 if (failed) {
19320- free_pmds(pmds);
19321+ free_pxds(pxds);
19322 return -ENOMEM;
19323 }
19324
19325@@ -205,51 +259,56 @@ static int preallocate_pmds(pmd_t *pmds[
19326 * preallocate which never got a corresponding vma will need to be
19327 * freed manually.
19328 */
19329-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19330+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19331 {
19332 int i;
19333
19334- for(i = 0; i < PREALLOCATED_PMDS; i++) {
19335+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
19336 pgd_t pgd = pgdp[i];
19337
19338 if (pgd_val(pgd) != 0) {
19339- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19340+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19341
19342- pgdp[i] = native_make_pgd(0);
19343+ set_pgd(pgdp + i, native_make_pgd(0));
19344
19345- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19346- pmd_free(mm, pmd);
19347+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19348+ pxd_free(mm, pxd);
19349 }
19350 }
19351 }
19352
19353-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19354+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19355 {
19356- pud_t *pud;
19357+ pyd_t *pyd;
19358 unsigned long addr;
19359 int i;
19360
19361- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19362+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19363 return;
19364
19365- pud = pud_offset(pgd, 0);
19366+#ifdef CONFIG_X86_64
19367+ pyd = pyd_offset(mm, 0L);
19368+#else
19369+ pyd = pyd_offset(pgd, 0L);
19370+#endif
19371
19372- for (addr = i = 0; i < PREALLOCATED_PMDS;
19373- i++, pud++, addr += PUD_SIZE) {
19374- pmd_t *pmd = pmds[i];
19375+ for (addr = i = 0; i < PREALLOCATED_PXDS;
19376+ i++, pyd++, addr += PYD_SIZE) {
19377+ pxd_t *pxd = pxds[i];
19378
19379 if (i >= KERNEL_PGD_BOUNDARY)
19380- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19381- sizeof(pmd_t) * PTRS_PER_PMD);
19382+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19383+ sizeof(pxd_t) * PTRS_PER_PMD);
19384
19385- pud_populate(mm, pud, pmd);
19386+ pyd_populate(mm, pyd, pxd);
19387 }
19388 }
19389
19390 pgd_t *pgd_alloc(struct mm_struct *mm)
19391 {
19392 pgd_t *pgd;
19393- pmd_t *pmds[PREALLOCATED_PMDS];
19394+ pxd_t *pxds[PREALLOCATED_PXDS];
19395+
19396 unsigned long flags;
19397
19398 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
19399@@ -259,11 +318,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19400
19401 mm->pgd = pgd;
19402
19403- if (preallocate_pmds(pmds) != 0)
19404+ if (preallocate_pxds(pxds) != 0)
19405 goto out_free_pgd;
19406
19407 if (paravirt_pgd_alloc(mm) != 0)
19408- goto out_free_pmds;
19409+ goto out_free_pxds;
19410
19411 /*
19412 * Make sure that pre-populating the pmds is atomic with
19413@@ -273,14 +332,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19414 spin_lock_irqsave(&pgd_lock, flags);
19415
19416 pgd_ctor(pgd);
19417- pgd_prepopulate_pmd(mm, pgd, pmds);
19418+ pgd_prepopulate_pxd(mm, pgd, pxds);
19419
19420 spin_unlock_irqrestore(&pgd_lock, flags);
19421
19422 return pgd;
19423
19424-out_free_pmds:
19425- free_pmds(pmds);
19426+out_free_pxds:
19427+ free_pxds(pxds);
19428 out_free_pgd:
19429 free_page((unsigned long)pgd);
19430 out:
19431@@ -289,7 +348,7 @@ out:
19432
19433 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19434 {
19435- pgd_mop_up_pmds(mm, pgd);
19436+ pgd_mop_up_pxds(mm, pgd);
19437 pgd_dtor(pgd);
19438 paravirt_pgd_free(mm, pgd);
19439 free_page((unsigned long)pgd);
57199397
MT		 19440diff -urNp linux-2.6.35.4/arch/x86/mm/setup_nx.c linux-2.6.35.4/arch/x86/mm/setup_nx.c
19441--- linux-2.6.35.4/arch/x86/mm/setup_nx.c 2010-08-26 19:47:12.000000000 -0400
19442+++ linux-2.6.35.4/arch/x86/mm/setup_nx.c 2010-09-17 20:12:09.000000000 -0400
efbe55a5 19443@@ -5,8 +5,10 @@
df50ba0c
MT		 19444 #include <asm/pgtable.h>
19445 #include <asm/proto.h>
19446
19447+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19448 static int disable_nx __cpuinitdata;
df50ba0c 19449
efbe55a5 19450+#ifndef CONFIG_PAX_PAGEEXEC
df50ba0c
MT		 19451 /*
19452 * noexec = on|off
19453 *
efbe55a5 19454@@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
df50ba0c
MT		 19455 return 0;
19456 }
19457 early_param("noexec", noexec_setup);
efbe55a5
MT		 19458+#endif
19459+
df50ba0c
MT		 19460+#endif
19461
19462 void __cpuinit x86_configure_nx(void)
19463 {
19464+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19465 if (cpu_has_nx && !disable_nx)
19466 __supported_pte_mask |= _PAGE_NX;
19467 else
19468+#endif
19469 __supported_pte_mask &= ~_PAGE_NX;
19470 }
19471
57199397
MT		 19472diff -urNp linux-2.6.35.4/arch/x86/mm/tlb.c linux-2.6.35.4/arch/x86/mm/tlb.c
19473--- linux-2.6.35.4/arch/x86/mm/tlb.c 2010-08-26 19:47:12.000000000 -0400
19474+++ linux-2.6.35.4/arch/x86/mm/tlb.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 19475@@ -13,7 +13,7 @@
58c5fc13
MT		 19476 #include <asm/uv/uv.h>
19477
19478 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19479- = { &init_mm, 0, };
19480+ = { &init_mm, 0 };
19481
19482 /*
19483 * Smarter SMP flushing macros.
df50ba0c
MT		 19484@@ -62,7 +62,11 @@ void leave_mm(int cpu)
19485 BUG();
19486 cpumask_clear_cpu(cpu,
19487 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19488+
19489+#ifndef CONFIG_PAX_PER_CPU_PGD
19490 load_cr3(swapper_pg_dir);
19491+#endif
19492+
19493 }
19494 EXPORT_SYMBOL_GPL(leave_mm);
19495
57199397
MT		 19496diff -urNp linux-2.6.35.4/arch/x86/oprofile/backtrace.c linux-2.6.35.4/arch/x86/oprofile/backtrace.c
19497--- linux-2.6.35.4/arch/x86/oprofile/backtrace.c 2010-08-26 19:47:12.000000000 -0400
19498+++ linux-2.6.35.4/arch/x86/oprofile/backtrace.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 19499@@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
19500 struct frame_head bufhead[2];
19501
19502 /* Also check accessibility of one struct frame_head beyond */
19503- if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19504+ if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19505 return NULL;
19506 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19507 return NULL;
19508@@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
58c5fc13
MT		 19509 {
19510 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
19511
19512- if (!user_mode_vm(regs)) {
19513+ if (!user_mode(regs)) {
19514 unsigned long stack = kernel_stack_pointer(regs);
19515 if (depth)
19516 dump_trace(NULL, regs, (unsigned long *)stack, 0,
57199397
MT		 19517diff -urNp linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c
19518--- linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c 2010-08-26 19:47:12.000000000 -0400
19519+++ linux-2.6.35.4/arch/x86/oprofile/op_model_p4.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 19520@@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
58c5fc13
MT		 19521 #endif
19522 }
19523
19524-static int inline addr_increment(void)
19525+static inline int addr_increment(void)
19526 {
19527 #ifdef CONFIG_SMP
19528 return smp_num_siblings == 2 ? 2 : 1;
57199397
MT		 19529diff -urNp linux-2.6.35.4/arch/x86/pci/common.c linux-2.6.35.4/arch/x86/pci/common.c
19530--- linux-2.6.35.4/arch/x86/pci/common.c 2010-08-26 19:47:12.000000000 -0400
19531+++ linux-2.6.35.4/arch/x86/pci/common.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 19532@@ -32,8 +32,8 @@ int noioapicreroute = 1;
ae4e228f
MT		 19533 int pcibios_last_bus = -1;
19534 unsigned long pirq_table_addr;
19535 struct pci_bus *pci_root_bus;
19536-struct pci_raw_ops *raw_pci_ops;
19537-struct pci_raw_ops *raw_pci_ext_ops;
19538+const struct pci_raw_ops *raw_pci_ops;
19539+const struct pci_raw_ops *raw_pci_ext_ops;
19540
19541 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19542 int reg, int len, u32 *val)
df50ba0c 19543@@ -365,7 +365,7 @@ static const struct dmi_system_id __devi
58c5fc13
MT		 19544 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19545 },
19546 },
19547- {}
19548+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19549 };
19550
19551 void __init dmi_check_pciprobe(void)
57199397
MT		 19552diff -urNp linux-2.6.35.4/arch/x86/pci/direct.c linux-2.6.35.4/arch/x86/pci/direct.c
19553--- linux-2.6.35.4/arch/x86/pci/direct.c 2010-08-26 19:47:12.000000000 -0400
19554+++ linux-2.6.35.4/arch/x86/pci/direct.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 19555@@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19556
19557 #undef PCI_CONF1_ADDRESS
19558
19559-struct pci_raw_ops pci_direct_conf1 = {
19560+const struct pci_raw_ops pci_direct_conf1 = {
19561 .read = pci_conf1_read,
19562 .write = pci_conf1_write,
19563 };
19564@@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19565
19566 #undef PCI_CONF2_ADDRESS
19567
19568-struct pci_raw_ops pci_direct_conf2 = {
19569+const struct pci_raw_ops pci_direct_conf2 = {
19570 .read = pci_conf2_read,
19571 .write = pci_conf2_write,
19572 };
19573@@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19574 * This should be close to trivial, but it isn't, because there are buggy
19575 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19576 */
19577-static int __init pci_sanity_check(struct pci_raw_ops *o)
19578+static int __init pci_sanity_check(const struct pci_raw_ops *o)
19579 {
19580 u32 x = 0;
19581 int year, devfn;
57199397
MT		 19582diff -urNp linux-2.6.35.4/arch/x86/pci/fixup.c linux-2.6.35.4/arch/x86/pci/fixup.c
19583--- linux-2.6.35.4/arch/x86/pci/fixup.c 2010-08-26 19:47:12.000000000 -0400
19584+++ linux-2.6.35.4/arch/x86/pci/fixup.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 19585@@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19586 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19587 },
19588 },
19589- {}
19590+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19591 };
19592
19593 /*
19594@@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19595 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19596 },
19597 },
19598- { }
19599+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19600 };
19601
19602 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
57199397
MT		 19603diff -urNp linux-2.6.35.4/arch/x86/pci/irq.c linux-2.6.35.4/arch/x86/pci/irq.c
19604--- linux-2.6.35.4/arch/x86/pci/irq.c 2010-08-26 19:47:12.000000000 -0400
19605+++ linux-2.6.35.4/arch/x86/pci/irq.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 19606@@ -542,7 +542,7 @@ static __init int intel_router_probe(str
58c5fc13
MT		 19607 static struct pci_device_id __initdata pirq_440gx[] = {
19608 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19609 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19610- { },
19611+ { PCI_DEVICE(0, 0) }
19612 };
19613
19614 /* 440GX has a proprietary PIRQ router -- don't use it */
57199397 19615@@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
58c5fc13
MT		 19616 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19617 },
19618 },
19619- { }
19620+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19621 };
19622
df50ba0c 19623 void __init pcibios_irq_init(void)
57199397
MT		 19624diff -urNp linux-2.6.35.4/arch/x86/pci/mmconfig_32.c linux-2.6.35.4/arch/x86/pci/mmconfig_32.c
19625--- linux-2.6.35.4/arch/x86/pci/mmconfig_32.c 2010-08-26 19:47:12.000000000 -0400
19626+++ linux-2.6.35.4/arch/x86/pci/mmconfig_32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 19627@@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19628 return 0;
19629 }
19630
19631-static struct pci_raw_ops pci_mmcfg = {
19632+static const struct pci_raw_ops pci_mmcfg = {
19633 .read = pci_mmcfg_read,
19634 .write = pci_mmcfg_write,
19635 };
57199397
MT		 19636diff -urNp linux-2.6.35.4/arch/x86/pci/mmconfig_64.c linux-2.6.35.4/arch/x86/pci/mmconfig_64.c
19637--- linux-2.6.35.4/arch/x86/pci/mmconfig_64.c 2010-08-26 19:47:12.000000000 -0400
19638+++ linux-2.6.35.4/arch/x86/pci/mmconfig_64.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 19639@@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19640 return 0;
19641 }
19642
19643-static struct pci_raw_ops pci_mmcfg = {
19644+static const struct pci_raw_ops pci_mmcfg = {
19645 .read = pci_mmcfg_read,
19646 .write = pci_mmcfg_write,
19647 };
57199397
MT		 19648diff -urNp linux-2.6.35.4/arch/x86/pci/numaq_32.c linux-2.6.35.4/arch/x86/pci/numaq_32.c
19649--- linux-2.6.35.4/arch/x86/pci/numaq_32.c 2010-08-26 19:47:12.000000000 -0400
19650+++ linux-2.6.35.4/arch/x86/pci/numaq_32.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 19651@@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
ae4e228f
MT		 19652
19653 #undef PCI_CONF1_MQ_ADDRESS
19654
19655-static struct pci_raw_ops pci_direct_conf1_mq = {
19656+static const struct pci_raw_ops pci_direct_conf1_mq = {
19657 .read = pci_conf1_mq_read,
19658 .write = pci_conf1_mq_write
19659 };
57199397
MT		 19660diff -urNp linux-2.6.35.4/arch/x86/pci/olpc.c linux-2.6.35.4/arch/x86/pci/olpc.c
19661--- linux-2.6.35.4/arch/x86/pci/olpc.c 2010-08-26 19:47:12.000000000 -0400
19662+++ linux-2.6.35.4/arch/x86/pci/olpc.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 19663@@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19664 return 0;
19665 }
19666
19667-static struct pci_raw_ops pci_olpc_conf = {
19668+static const struct pci_raw_ops pci_olpc_conf = {
19669 .read = pci_olpc_read,
19670 .write = pci_olpc_write,
19671 };
57199397
MT		 19672diff -urNp linux-2.6.35.4/arch/x86/pci/pcbios.c linux-2.6.35.4/arch/x86/pci/pcbios.c
19673--- linux-2.6.35.4/arch/x86/pci/pcbios.c 2010-08-26 19:47:12.000000000 -0400
19674+++ linux-2.6.35.4/arch/x86/pci/pcbios.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 19675@@ -57,50 +57,93 @@ union bios32 {
58c5fc13
MT		 19676 static struct {
19677 unsigned long address;
19678 unsigned short segment;
19679-} bios32_indirect = { 0, __KERNEL_CS };
19680+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19681
19682 /*
19683 * Returns the entry point for the given service, NULL on error
19684 */
19685
19686-static unsigned long bios32_service(unsigned long service)
19687+static unsigned long __devinit bios32_service(unsigned long service)
19688 {
19689 unsigned char return_code; /* %al */
19690 unsigned long address; /* %ebx */
19691 unsigned long length; /* %ecx */
19692 unsigned long entry; /* %edx */
19693 unsigned long flags;
19694+ struct desc_struct d, *gdt;
58c5fc13
MT		 19695
19696 local_irq_save(flags);
19697- __asm__("lcall *(%%edi); cld"
19698+
19699+ gdt = get_cpu_gdt_table(smp_processor_id());
19700+
58c5fc13
MT		 19701+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19702+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19703+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19704+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19705+
58c5fc13
MT		 19706+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19707 : "=a" (return_code),
19708 "=b" (address),
19709 "=c" (length),
19710 "=d" (entry)
19711 : "0" (service),
19712 "1" (0),
19713- "D" (&bios32_indirect));
19714+ "D" (&bios32_indirect),
19715+ "r"(__PCIBIOS_DS)
19716+ : "memory");
19717+
ae4e228f 19718+ pax_open_kernel();
58c5fc13
MT		 19719+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19720+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19721+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19722+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
ae4e228f 19723+ pax_close_kernel();
58c5fc13
MT		 19724+
19725 local_irq_restore(flags);
19726
19727 switch (return_code) {
19728- case 0:
19729- return address + entry;
19730- case 0x80: /* Not present */
19731- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19732- return 0;
19733- default: /* Shouldn't happen */
19734- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19735- service, return_code);
19736+ case 0: {
19737+ int cpu;
19738+ unsigned char flags;
19739+
19740+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19741+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19742+ printk(KERN_WARNING "bios32_service: not valid\n");
19743 return 0;
19744+ }
19745+ address = address + PAGE_OFFSET;
19746+ length += 16UL; /* some BIOSs underreport this... */
19747+ flags = 4;
19748+ if (length >= 64*1024*1024) {
19749+ length >>= PAGE_SHIFT;
19750+ flags |= 8;
19751+ }
19752+
58c5fc13
MT		 19753+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
19754+ gdt = get_cpu_gdt_table(cpu);
19755+ pack_descriptor(&d, address, length, 0x9b, flags);
19756+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19757+ pack_descriptor(&d, address, length, 0x93, flags);
19758+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19759+ }
58c5fc13
MT		 19760+ return entry;
19761+ }
19762+ case 0x80: /* Not present */
19763+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19764+ return 0;
19765+ default: /* Shouldn't happen */
19766+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19767+ service, return_code);
19768+ return 0;
19769 }
19770 }
19771
19772 static struct {
19773 unsigned long address;
19774 unsigned short segment;
19775-} pci_indirect = { 0, __KERNEL_CS };
19776+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19777
19778-static int pci_bios_present;
19779+static int pci_bios_present __read_only;
19780
19781 static int __devinit check_pcibios(void)
19782 {
df50ba0c 19783@@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
58c5fc13
MT		 19784 unsigned long flags, pcibios_entry;
19785
19786 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19787- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19788+ pci_indirect.address = pcibios_entry;
19789
19790 local_irq_save(flags);
19791- __asm__(
19792- "lcall *(%%edi); cld\n\t"
19793+ __asm__("movw %w6, %%ds\n\t"
19794+ "lcall *%%ss:(%%edi); cld\n\t"
19795+ "push %%ss\n\t"
19796+ "pop %%ds\n\t"
19797 "jc 1f\n\t"
19798 "xor %%ah, %%ah\n"
19799 "1:"
df50ba0c 19800@@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
58c5fc13
MT		 19801 "=b" (ebx),
19802 "=c" (ecx)
19803 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19804- "D" (&pci_indirect)
19805+ "D" (&pci_indirect),
19806+ "r" (__PCIBIOS_DS)
19807 : "memory");
19808 local_irq_restore(flags);
19809
df50ba0c 19810@@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT		 19811
19812 switch (len) {
19813 case 1:
19814- __asm__("lcall *(%%esi); cld\n\t"
19815+ __asm__("movw %w6, %%ds\n\t"
19816+ "lcall *%%ss:(%%esi); cld\n\t"
19817+ "push %%ss\n\t"
19818+ "pop %%ds\n\t"
19819 "jc 1f\n\t"
19820 "xor %%ah, %%ah\n"
19821 "1:"
df50ba0c 19822@@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT		 19823 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19824 "b" (bx),
19825 "D" ((long)reg),
19826- "S" (&pci_indirect));
19827+ "S" (&pci_indirect),
19828+ "r" (__PCIBIOS_DS));
19829 /*
19830 * Zero-extend the result beyond 8 bits, do not trust the
19831 * BIOS having done it:
df50ba0c 19832@@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT		 19833 *value &= 0xff;
19834 break;
19835 case 2:
19836- __asm__("lcall *(%%esi); cld\n\t"
19837+ __asm__("movw %w6, %%ds\n\t"
19838+ "lcall *%%ss:(%%esi); cld\n\t"
19839+ "push %%ss\n\t"
19840+ "pop %%ds\n\t"
19841 "jc 1f\n\t"
19842 "xor %%ah, %%ah\n"
19843 "1:"
df50ba0c 19844@@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT		 19845 : "1" (PCIBIOS_READ_CONFIG_WORD),
19846 "b" (bx),
19847 "D" ((long)reg),
19848- "S" (&pci_indirect));
19849+ "S" (&pci_indirect),
19850+ "r" (__PCIBIOS_DS));
19851 /*
19852 * Zero-extend the result beyond 16 bits, do not trust the
19853 * BIOS having done it:
df50ba0c 19854@@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT		 19855 *value &= 0xffff;
19856 break;
19857 case 4:
19858- __asm__("lcall *(%%esi); cld\n\t"
19859+ __asm__("movw %w6, %%ds\n\t"
19860+ "lcall *%%ss:(%%esi); cld\n\t"
19861+ "push %%ss\n\t"
19862+ "pop %%ds\n\t"
19863 "jc 1f\n\t"
19864 "xor %%ah, %%ah\n"
19865 "1:"
df50ba0c 19866@@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
58c5fc13
MT		 19867 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19868 "b" (bx),
19869 "D" ((long)reg),
19870- "S" (&pci_indirect));
19871+ "S" (&pci_indirect),
19872+ "r" (__PCIBIOS_DS));
19873 break;
19874 }
19875
df50ba0c 19876@@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT		 19877
19878 switch (len) {
19879 case 1:
19880- __asm__("lcall *(%%esi); cld\n\t"
19881+ __asm__("movw %w6, %%ds\n\t"
19882+ "lcall *%%ss:(%%esi); cld\n\t"
19883+ "push %%ss\n\t"
19884+ "pop %%ds\n\t"
19885 "jc 1f\n\t"
19886 "xor %%ah, %%ah\n"
19887 "1:"
df50ba0c 19888@@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT		 19889 "c" (value),
19890 "b" (bx),
19891 "D" ((long)reg),
19892- "S" (&pci_indirect));
19893+ "S" (&pci_indirect),
19894+ "r" (__PCIBIOS_DS));
19895 break;
19896 case 2:
19897- __asm__("lcall *(%%esi); cld\n\t"
19898+ __asm__("movw %w6, %%ds\n\t"
19899+ "lcall *%%ss:(%%esi); cld\n\t"
19900+ "push %%ss\n\t"
19901+ "pop %%ds\n\t"
19902 "jc 1f\n\t"
19903 "xor %%ah, %%ah\n"
19904 "1:"
df50ba0c 19905@@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT		 19906 "c" (value),
19907 "b" (bx),
19908 "D" ((long)reg),
19909- "S" (&pci_indirect));
19910+ "S" (&pci_indirect),
19911+ "r" (__PCIBIOS_DS));
19912 break;
19913 case 4:
19914- __asm__("lcall *(%%esi); cld\n\t"
19915+ __asm__("movw %w6, %%ds\n\t"
19916+ "lcall *%%ss:(%%esi); cld\n\t"
19917+ "push %%ss\n\t"
19918+ "pop %%ds\n\t"
19919 "jc 1f\n\t"
19920 "xor %%ah, %%ah\n"
19921 "1:"
df50ba0c 19922@@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
58c5fc13
MT		 19923 "c" (value),
19924 "b" (bx),
19925 "D" ((long)reg),
19926- "S" (&pci_indirect));
19927+ "S" (&pci_indirect),
19928+ "r" (__PCIBIOS_DS));
19929 break;
19930 }
19931
df50ba0c 19932@@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
ae4e228f
MT		 19933 * Function table for BIOS32 access
19934 */
19935
19936-static struct pci_raw_ops pci_bios_access = {
19937+static const struct pci_raw_ops pci_bios_access = {
19938 .read = pci_bios_read,
19939 .write = pci_bios_write
19940 };
df50ba0c 19941@@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
ae4e228f
MT		 19942 * Try to find PCI BIOS.
19943 */
19944
19945-static struct pci_raw_ops * __devinit pci_find_bios(void)
19946+static const struct pci_raw_ops * __devinit pci_find_bios(void)
19947 {
19948 union bios32 *check;
19949 unsigned char sum;
df50ba0c 19950@@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
58c5fc13
MT		 19951
19952 DBG("PCI: Fetching IRQ routing table... ");
19953 __asm__("push %%es\n\t"
19954+ "movw %w8, %%ds\n\t"
19955 "push %%ds\n\t"
19956 "pop %%es\n\t"
19957- "lcall *(%%esi); cld\n\t"
19958+ "lcall *%%ss:(%%esi); cld\n\t"
19959 "pop %%es\n\t"
19960+ "push %%ss\n\t"
19961+ "pop %%ds\n"
19962 "jc 1f\n\t"
19963 "xor %%ah, %%ah\n"
19964 "1:"
df50ba0c 19965@@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
58c5fc13
MT		 19966 "1" (0),
19967 "D" ((long) &opt),
19968 "S" (&pci_indirect),
19969- "m" (opt)
19970+ "m" (opt),
19971+ "r" (__PCIBIOS_DS)
19972 : "memory");
19973 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19974 if (ret & 0xff00)
df50ba0c 19975@@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
58c5fc13
MT		 19976 {
19977 int ret;
19978
19979- __asm__("lcall *(%%esi); cld\n\t"
19980+ __asm__("movw %w5, %%ds\n\t"
19981+ "lcall *%%ss:(%%esi); cld\n\t"
19982+ "push %%ss\n\t"
19983+ "pop %%ds\n"
19984 "jc 1f\n\t"
19985 "xor %%ah, %%ah\n"
19986 "1:"
df50ba0c 19987@@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
58c5fc13
MT		 19988 : "0" (PCIBIOS_SET_PCI_HW_INT),
19989 "b" ((dev->bus->number << 8) | dev->devfn),
19990 "c" ((irq << 8) | (pin + 10)),
19991- "S" (&pci_indirect));
19992+ "S" (&pci_indirect),
19993+ "r" (__PCIBIOS_DS));
19994 return !(ret & 0xff00);
19995 }
19996 EXPORT_SYMBOL(pcibios_set_irq_routing);
57199397
MT		 19997diff -urNp linux-2.6.35.4/arch/x86/power/cpu.c linux-2.6.35.4/arch/x86/power/cpu.c
19998--- linux-2.6.35.4/arch/x86/power/cpu.c 2010-08-26 19:47:12.000000000 -0400
19999+++ linux-2.6.35.4/arch/x86/power/cpu.c 2010-09-17 20:12:09.000000000 -0400
20000@@ -129,7 +129,7 @@ static void do_fpu_end(void)
58c5fc13
MT		 20001 static void fix_processor_context(void)
20002 {
20003 int cpu = smp_processor_id();
20004- struct tss_struct *t = &per_cpu(init_tss, cpu);
20005+ struct tss_struct *t = init_tss + cpu;
58c5fc13
MT		 20006
20007 set_tss_desc(cpu, t); /*
20008 * This just modifies memory; should not be
57199397 20009@@ -139,7 +139,9 @@ static void fix_processor_context(void)
58c5fc13
MT		 20010 */
20011
20012 #ifdef CONFIG_X86_64
ae4e228f 20013+ pax_open_kernel();
58c5fc13 20014 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
ae4e228f 20015+ pax_close_kernel();
58c5fc13 20016
58c5fc13
MT		 20017 syscall_init(); /* This sets MSR_*STAR and related */
20018 #endif
57199397
MT		 20019diff -urNp linux-2.6.35.4/arch/x86/vdso/Makefile linux-2.6.35.4/arch/x86/vdso/Makefile
20020--- linux-2.6.35.4/arch/x86/vdso/Makefile 2010-08-26 19:47:12.000000000 -0400
20021+++ linux-2.6.35.4/arch/x86/vdso/Makefile 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 20022@@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
20023 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
20024 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
20025
ae4e228f
MT		 20026-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20027+VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
58c5fc13
MT		 20028 GCOV_PROFILE := n
20029
20030 #
57199397
MT		 20031diff -urNp linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c
20032--- linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c 2010-08-26 19:47:12.000000000 -0400
20033+++ linux-2.6.35.4/arch/x86/vdso/vclock_gettime.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 20034@@ -22,24 +22,48 @@
20035 #include <asm/hpet.h>
20036 #include <asm/unistd.h>
20037 #include <asm/io.h>
20038+#include <asm/fixmap.h>
20039 #include "vextern.h"
20040
20041 #define gtod vdso_vsyscall_gtod_data
20042
20043+notrace noinline long __vdso_fallback_time(long *t)
20044+{
20045+ long secs;
20046+ asm volatile("syscall"
20047+ : "=a" (secs)
20048+ : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20049+ return secs;
20050+}
20051+
20052 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20053 {
20054 long ret;
20055 asm("syscall" : "=a" (ret) :
20056- "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20057+ "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20058 return ret;
20059 }
20060
20061+notrace static inline cycle_t __vdso_vread_hpet(void)
20062+{
20063+ return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20064+}
20065+
20066+notrace static inline cycle_t __vdso_vread_tsc(void)
20067+{
20068+ cycle_t ret = (cycle_t)vget_cycles();
20069+
20070+ return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20071+}
20072+
20073 notrace static inline long vgetns(void)
20074 {
20075 long v;
20076- cycles_t (*vread)(void);
20077- vread = gtod->clock.vread;
20078- v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20079+ if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20080+ v = __vdso_vread_tsc();
20081+ else
20082+ v = __vdso_vread_hpet();
20083+ v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20084 return (v * gtod->clock.mult) >> gtod->clock.shift;
20085 }
20086
ae4e228f 20087@@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
58c5fc13
MT		 20088
20089 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20090 {
ae4e228f 20091- if (likely(gtod->sysctl_enabled))
58c5fc13
MT		 20092+ if (likely(gtod->sysctl_enabled &&
20093+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20094+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20095 switch (clock) {
20096 case CLOCK_REALTIME:
ae4e228f
MT		 20097 if (likely(gtod->clock.vread))
20098@@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
58c5fc13
MT		 20099 int clock_gettime(clockid_t, struct timespec *)
20100 __attribute__((weak, alias("__vdso_clock_gettime")));
20101
20102-notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20103+notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20104 {
20105 long ret;
20106- if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20107+ asm("syscall" : "=a" (ret) :
20108+ "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20109+ return ret;
20110+}
20111+
20112+notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20113+{
20114+ if (likely(gtod->sysctl_enabled &&
20115+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20116+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20117+ {
20118 if (likely(tv != NULL)) {
20119 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20120 offsetof(struct timespec, tv_nsec) ||
ae4e228f 20121@@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
58c5fc13
MT		 20122 }
20123 return 0;
20124 }
20125- asm("syscall" : "=a" (ret) :
20126- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20127- return ret;
20128+ return __vdso_fallback_gettimeofday(tv, tz);
20129 }
20130 int gettimeofday(struct timeval *, struct timezone *)
20131 __attribute__((weak, alias("__vdso_gettimeofday")));
57199397
MT		 20132diff -urNp linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c
20133--- linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c 2010-08-26 19:47:12.000000000 -0400
20134+++ linux-2.6.35.4/arch/x86/vdso/vdso32-setup.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 20135@@ -25,6 +25,7 @@
20136 #include <asm/tlbflush.h>
20137 #include <asm/vdso.h>
20138 #include <asm/proto.h>
20139+#include <asm/mman.h>
20140
20141 enum {
20142 VDSO_DISABLED = 0,
20143@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20144 void enable_sep_cpu(void)
20145 {
20146 int cpu = get_cpu();
20147- struct tss_struct *tss = &per_cpu(init_tss, cpu);
20148+ struct tss_struct *tss = init_tss + cpu;
20149
20150 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20151 put_cpu();
20152@@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20153 gate_vma.vm_start = FIXADDR_USER_START;
20154 gate_vma.vm_end = FIXADDR_USER_END;
20155 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20156- gate_vma.vm_page_prot = __P101;
20157+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20158 /*
20159 * Make sure the vDSO gets into every core dump.
20160 * Dumping its contents makes post-mortem fully interpretable later
20161@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20162 if (compat)
20163 addr = VDSO_HIGH_BASE;
20164 else {
20165- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20166+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20167 if (IS_ERR_VALUE(addr)) {
20168 ret = addr;
20169 goto up_fail;
20170 }
20171 }
20172
20173- current->mm->context.vdso = (void *)addr;
20174+ current->mm->context.vdso = addr;
20175
20176 if (compat_uses_vma || !compat) {
20177 /*
ae4e228f
MT		 20178@@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20179 }
20180
20181 current_thread_info()->sysenter_return =
20182- VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20183+ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
58c5fc13
MT		 20184
20185 up_fail:
20186 if (ret)
20187- current->mm->context.vdso = NULL;
20188+ current->mm->context.vdso = 0;
20189
20190 up_write(&mm->mmap_sem);
20191
ae4e228f 20192@@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
58c5fc13
MT		 20193
20194 const char *arch_vma_name(struct vm_area_struct *vma)
20195 {
20196- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20197+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20198 return "[vdso]";
20199+
20200+#ifdef CONFIG_PAX_SEGMEXEC
20201+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20202+ return "[vdso]";
20203+#endif
20204+
20205 return NULL;
20206 }
20207
ae4e228f 20208@@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
58c5fc13
MT		 20209 struct mm_struct *mm = tsk->mm;
20210
20211 /* Check to see if this task was created in compat vdso mode */
20212- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20213+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20214 return &gate_vma;
20215 return NULL;
20216 }
57199397
MT		 20217diff -urNp linux-2.6.35.4/arch/x86/vdso/vdso.lds.S linux-2.6.35.4/arch/x86/vdso/vdso.lds.S
20218--- linux-2.6.35.4/arch/x86/vdso/vdso.lds.S 2010-08-26 19:47:12.000000000 -0400
20219+++ linux-2.6.35.4/arch/x86/vdso/vdso.lds.S 2010-09-17 20:12:09.000000000 -0400
20220@@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20221 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20222 #include "vextern.h"
20223 #undef VEXTERN
20224+
20225+#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20226+VEXTERN(fallback_gettimeofday)
20227+VEXTERN(fallback_time)
20228+VEXTERN(getcpu)
20229+#undef VEXTERN
20230diff -urNp linux-2.6.35.4/arch/x86/vdso/vextern.h linux-2.6.35.4/arch/x86/vdso/vextern.h
20231--- linux-2.6.35.4/arch/x86/vdso/vextern.h 2010-08-26 19:47:12.000000000 -0400
20232+++ linux-2.6.35.4/arch/x86/vdso/vextern.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 20233@@ -11,6 +11,5 @@
20234 put into vextern.h and be referenced as a pointer with vdso prefix.
20235 The main kernel later fills in the values. */
20236
20237-VEXTERN(jiffies)
20238 VEXTERN(vgetcpu_mode)
20239 VEXTERN(vsyscall_gtod_data)
57199397
MT		 20240diff -urNp linux-2.6.35.4/arch/x86/vdso/vma.c linux-2.6.35.4/arch/x86/vdso/vma.c
20241--- linux-2.6.35.4/arch/x86/vdso/vma.c 2010-08-26 19:47:12.000000000 -0400
20242+++ linux-2.6.35.4/arch/x86/vdso/vma.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 20243@@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
58c5fc13
MT		 20244 if (!vbase)
20245 goto oom;
20246
20247- if (memcmp(vbase, "\177ELF", 4)) {
20248+ if (memcmp(vbase, ELFMAG, SELFMAG)) {
20249 printk("VDSO: I'm broken; not ELF\n");
20250 vdso_enabled = 0;
20251 }
df50ba0c 20252@@ -67,6 +67,7 @@ static int __init init_vdso_vars(void)
58c5fc13
MT		 20253 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
20254 #include "vextern.h"
20255 #undef VEXTERN
20256+ vunmap(vbase);
20257 return 0;
20258
20259 oom:
df50ba0c 20260@@ -117,7 +118,7 @@ int arch_setup_additional_pages(struct l
58c5fc13
MT		 20261 goto up_fail;
20262 }
20263
20264- current->mm->context.vdso = (void *)addr;
20265+ current->mm->context.vdso = addr;
20266
20267 ret = install_special_mapping(mm, addr, vdso_size,
20268 VM_READ|VM_EXEC|
df50ba0c 20269@@ -125,7 +126,7 @@ int arch_setup_additional_pages(struct l
58c5fc13
MT		 20270 VM_ALWAYSDUMP,
20271 vdso_pages);
20272 if (ret) {
20273- current->mm->context.vdso = NULL;
20274+ current->mm->context.vdso = 0;
20275 goto up_fail;
20276 }
20277
df50ba0c 20278@@ -133,10 +134,3 @@ up_fail:
58c5fc13
MT		 20279 up_write(&mm->mmap_sem);
20280 return ret;
20281 }
20282-
20283-static __init int vdso_setup(char *s)
20284-{
20285- vdso_enabled = simple_strtoul(s, NULL, 0);
20286- return 0;
20287-}
20288-__setup("vdso=", vdso_setup);
57199397
MT		 20289diff -urNp linux-2.6.35.4/arch/x86/xen/enlighten.c linux-2.6.35.4/arch/x86/xen/enlighten.c
20290--- linux-2.6.35.4/arch/x86/xen/enlighten.c 2010-08-26 19:47:12.000000000 -0400
20291+++ linux-2.6.35.4/arch/x86/xen/enlighten.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 20292@@ -74,8 +74,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
58c5fc13
MT		 20293
20294 struct shared_info xen_dummy_shared_info;
20295
20296-void *xen_initial_gdt;
20297-
20298 /*
20299 * Point at some empty memory to start with. We map the real shared_info
20300 * page as soon as fixmap is up and running.
df50ba0c 20301@@ -551,7 +549,7 @@ static void xen_write_idt_entry(gate_des
58c5fc13
MT		 20302
20303 preempt_disable();
20304
20305- start = __get_cpu_var(idt_desc).address;
20306+ start = (unsigned long)__get_cpu_var(idt_desc).address;
20307 end = start + __get_cpu_var(idt_desc).size + 1;
20308
20309 xen_mc_flush();
df50ba0c
MT		 20310@@ -1103,7 +1101,17 @@ asmlinkage void __init xen_start_kernel(
20311 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20312
20313 /* Work out if we support NX */
20314- x86_configure_nx();
20315+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20316+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
57199397 20317+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
df50ba0c
MT		 20318+ unsigned l, h;
20319+
20320+ __supported_pte_mask |= _PAGE_NX;
20321+ rdmsr(MSR_EFER, l, h);
20322+ l |= EFER_NX;
20323+ wrmsr(MSR_EFER, l, h);
20324+ }
20325+#endif
20326
20327 xen_setup_features();
20328
20329@@ -1134,13 +1142,6 @@ asmlinkage void __init xen_start_kernel(
58c5fc13
MT		 20330
20331 machine_ops = xen_machine_ops;
20332
20333- /*
20334- * The only reliable way to retain the initial address of the
20335- * percpu gdt_page is to remember it here, so we can go and
20336- * mark it RW later, when the initial percpu area is freed.
20337- */
20338- xen_initial_gdt = &per_cpu(gdt_page, 0);
20339-
20340 xen_smp_init();
20341
ae4e228f 20342 pgd = (pgd_t *)xen_start_info->pt_base;
57199397
MT		 20343diff -urNp linux-2.6.35.4/arch/x86/xen/mmu.c linux-2.6.35.4/arch/x86/xen/mmu.c
20344--- linux-2.6.35.4/arch/x86/xen/mmu.c 2010-08-26 19:47:12.000000000 -0400
20345+++ linux-2.6.35.4/arch/x86/xen/mmu.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 20346@@ -1694,6 +1694,8 @@ __init pgd_t *xen_setup_kernel_pagetable
58c5fc13
MT		 20347 convert_pfn_mfn(init_level4_pgt);
20348 convert_pfn_mfn(level3_ident_pgt);
20349 convert_pfn_mfn(level3_kernel_pgt);
20350+ convert_pfn_mfn(level3_vmalloc_pgt);
20351+ convert_pfn_mfn(level3_vmemmap_pgt);
20352
20353 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20354 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
df50ba0c 20355@@ -1712,7 +1714,10 @@ __init pgd_t *xen_setup_kernel_pagetable
58c5fc13
MT		 20356 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20357 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20358 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20359+ set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20360+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20361 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20362+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20363 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20364 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20365
57199397
MT		 20366diff -urNp linux-2.6.35.4/arch/x86/xen/smp.c linux-2.6.35.4/arch/x86/xen/smp.c
20367--- linux-2.6.35.4/arch/x86/xen/smp.c 2010-08-26 19:47:12.000000000 -0400
20368+++ linux-2.6.35.4/arch/x86/xen/smp.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 20369@@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
58c5fc13
MT		 20370 {
20371 BUG_ON(smp_processor_id() != 0);
20372 native_smp_prepare_boot_cpu();
20373-
20374- /* We've switched to the "real" per-cpu gdt, so make sure the
20375- old memory can be recycled */
20376- make_lowmem_page_readwrite(xen_initial_gdt);
20377-
20378 xen_setup_vcpu_info_placement();
20379 }
20380
df50ba0c 20381@@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
58c5fc13
MT		 20382 gdt = get_cpu_gdt_table(cpu);
20383
20384 ctxt->flags = VGCF_IN_KERNEL;
20385- ctxt->user_regs.ds = __USER_DS;
20386- ctxt->user_regs.es = __USER_DS;
20387+ ctxt->user_regs.ds = __KERNEL_DS;
20388+ ctxt->user_regs.es = __KERNEL_DS;
20389 ctxt->user_regs.ss = __KERNEL_DS;
20390 #ifdef CONFIG_X86_32
20391 ctxt->user_regs.fs = __KERNEL_PERCPU;
57199397
MT		 20392diff -urNp linux-2.6.35.4/arch/x86/xen/xen-head.S linux-2.6.35.4/arch/x86/xen/xen-head.S
20393--- linux-2.6.35.4/arch/x86/xen/xen-head.S 2010-08-26 19:47:12.000000000 -0400
20394+++ linux-2.6.35.4/arch/x86/xen/xen-head.S 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 20395@@ -19,6 +19,17 @@ ENTRY(startup_xen)
20396 #ifdef CONFIG_X86_32
20397 mov %esi,xen_start_info
20398 mov $init_thread_union+THREAD_SIZE,%esp
20399+#ifdef CONFIG_SMP
20400+ movl $cpu_gdt_table,%edi
20401+ movl $__per_cpu_load,%eax
20402+ movw %ax,__KERNEL_PERCPU + 2(%edi)
20403+ rorl $16,%eax
20404+ movb %al,__KERNEL_PERCPU + 4(%edi)
20405+ movb %ah,__KERNEL_PERCPU + 7(%edi)
20406+ movl $__per_cpu_end - 1,%eax
20407+ subl $__per_cpu_start,%eax
20408+ movw %ax,__KERNEL_PERCPU + 0(%edi)
20409+#endif
20410 #else
20411 mov %rsi,xen_start_info
20412 mov $init_thread_union+THREAD_SIZE,%rsp
57199397
MT		 20413diff -urNp linux-2.6.35.4/arch/x86/xen/xen-ops.h linux-2.6.35.4/arch/x86/xen/xen-ops.h
20414--- linux-2.6.35.4/arch/x86/xen/xen-ops.h 2010-08-26 19:47:12.000000000 -0400
20415+++ linux-2.6.35.4/arch/x86/xen/xen-ops.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 20416@@ -10,8 +10,6 @@
20417 extern const char xen_hypervisor_callback[];
20418 extern const char xen_failsafe_callback[];
20419
20420-extern void *xen_initial_gdt;
20421-
20422 struct trap_info;
20423 void xen_copy_trap_info(struct trap_info *traps);
20424
57199397
MT		 20425diff -urNp linux-2.6.35.4/block/blk-iopoll.c linux-2.6.35.4/block/blk-iopoll.c
20426--- linux-2.6.35.4/block/blk-iopoll.c 2010-08-26 19:47:12.000000000 -0400
20427+++ linux-2.6.35.4/block/blk-iopoll.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 20428@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20429 }
20430 EXPORT_SYMBOL(blk_iopoll_complete);
20431
20432-static void blk_iopoll_softirq(struct softirq_action *h)
20433+static void blk_iopoll_softirq(void)
20434 {
20435 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20436 int rearm = 0, budget = blk_iopoll_budget;
57199397
MT		 20437diff -urNp linux-2.6.35.4/block/blk-map.c linux-2.6.35.4/block/blk-map.c
20438--- linux-2.6.35.4/block/blk-map.c 2010-08-26 19:47:12.000000000 -0400
20439+++ linux-2.6.35.4/block/blk-map.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 20440@@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20441 * direct dma. else, set up kernel bounce buffers
20442 */
20443 uaddr = (unsigned long) ubuf;
20444- if (blk_rq_aligned(q, ubuf, len) && !map_data)
20445+ if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20446 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20447 else
20448 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
20449@@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
20450 if (!len || !kbuf)
20451 return -EINVAL;
58c5fc13 20452
ae4e228f
MT		 20453- do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20454+ do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20455 if (do_copy)
20456 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20457 else
57199397
MT		 20458diff -urNp linux-2.6.35.4/block/blk-softirq.c linux-2.6.35.4/block/blk-softirq.c
20459--- linux-2.6.35.4/block/blk-softirq.c 2010-08-26 19:47:12.000000000 -0400
20460+++ linux-2.6.35.4/block/blk-softirq.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 20461@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20462 * Softirq action handler - move entries to local list and loop over them
20463 * while passing them to the queue registered handler.
20464 */
20465-static void blk_done_softirq(struct softirq_action *h)
20466+static void blk_done_softirq(void)
20467 {
20468 struct list_head *cpu_list, local_list;
58c5fc13 20469
57199397
MT		 20470diff -urNp linux-2.6.35.4/crypto/lrw.c linux-2.6.35.4/crypto/lrw.c
20471--- linux-2.6.35.4/crypto/lrw.c 2010-08-26 19:47:12.000000000 -0400
20472+++ linux-2.6.35.4/crypto/lrw.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 20473@@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20474 struct priv *ctx = crypto_tfm_ctx(parent);
20475 struct crypto_cipher *child = ctx->child;
20476 int err, i;
20477- be128 tmp = { 0 };
20478+ be128 tmp = { 0, 0 };
20479 int bsize = crypto_cipher_blocksize(child);
20480
20481 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
57199397
MT		 20482diff -urNp linux-2.6.35.4/Documentation/dontdiff linux-2.6.35.4/Documentation/dontdiff
20483--- linux-2.6.35.4/Documentation/dontdiff 2010-08-26 19:47:12.000000000 -0400
20484+++ linux-2.6.35.4/Documentation/dontdiff 2010-09-17 20:12:09.000000000 -0400
20485@@ -3,6 +3,7 @@
20486 *.bin
20487 *.cpio
20488 *.csp
20489+*.dbg
20490 *.dsp
20491 *.dvi
20492 *.elf
20493@@ -38,8 +39,10 @@
20494 *.tab.h
20495 *.tex
20496 *.ver
20497+*.vim
20498 *.xml
20499 *_MODULES
20500+*_reg_safe.h
20501 *_vga16.c
20502 *~
20503 *.9
20504@@ -49,11 +52,16 @@
20505 53c700_d.h
20506 CVS
20507 ChangeSet
20508+GPATH
20509+GRTAGS
20510+GSYMS
20511+GTAGS
20512 Image
20513 Kerntypes
20514 Module.markers
20515 Module.symvers
20516 PENDING
20517+PERF*
20518 SCCS
20519 System.map*
20520 TAGS
20521@@ -76,7 +84,10 @@ btfixupprep
20522 build
20523 bvmlinux
20524 bzImage*
20525+capflags.c
20526 classlist.h*
20527+clut_vga16.c
20528+common-cmds.h
20529 comp*.log
20530 compile.h*
20531 conf
20532@@ -100,19 +111,22 @@ fore200e_mkfirm
20533 fore200e_pca_fw.c*
20534 gconf
20535 gen-devlist
20536+gen-kdb_cmds.c
20537 gen_crc32table
20538 gen_init_cpio
20539 generated
20540 genheaders
20541 genksyms
20542 *_gray256.c
20543+hash
20544 ihex2fw
20545 ikconfig.h*
20546+inat-tables.c
20547 initramfs_data.cpio
20548+initramfs_data.cpio.bz2
20549 initramfs_data.cpio.gz
20550 initramfs_list
20551 kallsyms
20552-kconfig
20553 keywords.c
20554 ksym.c*
20555 ksym.h*
20556@@ -136,10 +150,13 @@ mkboot
20557 mkbugboot
20558 mkcpustr
20559 mkdep
20560+mkpiggy
20561 mkprep
20562+mkregtable
20563 mktables
20564 mktree
20565 modpost
20566+modules.builtin
20567 modules.order
20568 modversions.h*
20569 ncscope.*
20570@@ -151,7 +168,9 @@ parse.h
20571 patches*
20572 pca200e.bin
20573 pca200e_ecd.bin2
20574+perf-archive
20575 piggy.gz
20576+piggy.S
20577 piggyback
20578 pnmtologo
20579 ppc_defs.h*
20580@@ -160,12 +179,14 @@ qconf
20581 raid6altivec*.c
20582 raid6int*.c
20583 raid6tables.c
20584+regdb.c
20585 relocs
20586 series
20587 setup
20588 setup.bin
20589 setup.elf
20590 sImage
20591+slabinfo
20592 sm_tbl*
20593 split-include
20594 syscalltab.h
20595@@ -189,14 +210,20 @@ version.h*
20596 vmlinux
20597 vmlinux-*
20598 vmlinux.aout
20599+vmlinux.bin.all
20600+vmlinux.bin.bz2
20601 vmlinux.lds
20602+vmlinux.relocs
20603+voffset.h
20604 vsyscall.lds
20605 vsyscall_32.lds
20606 wanxlfw.inc
20607 uImage
20608 unifdef
20609+utsrelease.h
20610 wakeup.bin
20611 wakeup.elf
20612 wakeup.lds
20613 zImage*
20614 zconf.hash.c
20615+zoffset.h
20616diff -urNp linux-2.6.35.4/Documentation/filesystems/sysfs.txt linux-2.6.35.4/Documentation/filesystems/sysfs.txt
20617--- linux-2.6.35.4/Documentation/filesystems/sysfs.txt 2010-08-26 19:47:12.000000000 -0400
20618+++ linux-2.6.35.4/Documentation/filesystems/sysfs.txt 2010-09-17 20:12:09.000000000 -0400
20619@@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20620 show and store methods of the attribute owners.
20621
20622 struct sysfs_ops {
20623- ssize_t (*show)(struct kobject *, struct attribute *, char *);
20624- ssize_t (*store)(struct kobject *, struct attribute *, const char *);
20625+ ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20626+ ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
20627 };
20628
20629 [ Subsystems should have already defined a struct kobj_type as a
20630diff -urNp linux-2.6.35.4/Documentation/kernel-parameters.txt linux-2.6.35.4/Documentation/kernel-parameters.txt
20631--- linux-2.6.35.4/Documentation/kernel-parameters.txt 2010-08-26 19:47:12.000000000 -0400
20632+++ linux-2.6.35.4/Documentation/kernel-parameters.txt 2010-09-17 20:12:09.000000000 -0400
20633@@ -1910,6 +1910,12 @@ and is between 256 and 4096 characters.
20634 the specified number of seconds. This is to be used if
20635 your oopses keep scrolling off the screen.
20636
20637+ pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
20638+ virtualization environments that don't cope well with the
20639+ expand down segment used by UDEREF on X86-32.
20640+
20641+ pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20642+
20643 pcbit= [HW,ISDN]
20644
20645 pcd. [PARIDE]
20646diff -urNp linux-2.6.35.4/drivers/acpi/battery.c linux-2.6.35.4/drivers/acpi/battery.c
20647--- linux-2.6.35.4/drivers/acpi/battery.c 2010-08-26 19:47:12.000000000 -0400
20648+++ linux-2.6.35.4/drivers/acpi/battery.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 20649@@ -810,7 +810,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
ae4e228f
MT		 20650 }
20651
20652 static struct battery_file {
20653- struct file_operations ops;
20654+ const struct file_operations ops;
20655 mode_t mode;
20656 const char *name;
20657 } acpi_battery_file[] = {
57199397
MT		 20658diff -urNp linux-2.6.35.4/drivers/acpi/blacklist.c linux-2.6.35.4/drivers/acpi/blacklist.c
20659--- linux-2.6.35.4/drivers/acpi/blacklist.c 2010-08-26 19:47:12.000000000 -0400
20660+++ linux-2.6.35.4/drivers/acpi/blacklist.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 20661@@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
58c5fc13
MT		 20662 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20663 "Incorrect _ADR", 1},
20664
20665- {""}
ae4e228f 20666+ {"", "", 0, NULL, all_versions, NULL, 0}
58c5fc13
MT		 20667 };
20668
20669 #if CONFIG_ACPI_BLACKLIST_YEAR
57199397
MT		 20670diff -urNp linux-2.6.35.4/drivers/acpi/dock.c linux-2.6.35.4/drivers/acpi/dock.c
20671--- linux-2.6.35.4/drivers/acpi/dock.c 2010-08-26 19:47:12.000000000 -0400
20672+++ linux-2.6.35.4/drivers/acpi/dock.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 20673@@ -77,7 +77,7 @@ struct dock_dependent_device {
ae4e228f
MT		 20674 struct list_head list;
20675 struct list_head hotplug_list;
20676 acpi_handle handle;
20677- struct acpi_dock_ops *ops;
20678+ const struct acpi_dock_ops *ops;
20679 void *context;
20680 };
20681
df50ba0c 20682@@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
ae4e228f
MT		 20683 * the dock driver after _DCK is executed.
20684 */
20685 int
20686-register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20687+register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20688 void *context)
20689 {
20690 struct dock_dependent_device *dd;
57199397
MT		 20691diff -urNp linux-2.6.35.4/drivers/acpi/osl.c linux-2.6.35.4/drivers/acpi/osl.c
20692--- linux-2.6.35.4/drivers/acpi/osl.c 2010-08-26 19:47:12.000000000 -0400
20693+++ linux-2.6.35.4/drivers/acpi/osl.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 20694@@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
58c5fc13
MT		 20695 void __iomem *virt_addr;
20696
20697 virt_addr = ioremap(phys_addr, width);
20698+ if (!virt_addr)
20699+ return AE_NO_MEMORY;
20700 if (!value)
20701 value = &dummy;
20702
ae4e228f 20703@@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
58c5fc13
MT		 20704 void __iomem *virt_addr;
20705
20706 virt_addr = ioremap(phys_addr, width);
20707+ if (!virt_addr)
20708+ return AE_NO_MEMORY;
20709
20710 switch (width) {
20711 case 8:
57199397
MT		 20712diff -urNp linux-2.6.35.4/drivers/acpi/power_meter.c linux-2.6.35.4/drivers/acpi/power_meter.c
20713--- linux-2.6.35.4/drivers/acpi/power_meter.c 2010-08-26 19:47:12.000000000 -0400
20714+++ linux-2.6.35.4/drivers/acpi/power_meter.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 20715@@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20716 return res;
20717
20718 temp /= 1000;
20719- if (temp < 0)
20720- return -EINVAL;
20721
20722 mutex_lock(&resource->lock);
20723 resource->trip[attr->index - 7] = temp;
57199397
MT		 20724diff -urNp linux-2.6.35.4/drivers/acpi/proc.c linux-2.6.35.4/drivers/acpi/proc.c
20725--- linux-2.6.35.4/drivers/acpi/proc.c 2010-08-26 19:47:12.000000000 -0400
20726+++ linux-2.6.35.4/drivers/acpi/proc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 20727@@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
20728 size_t count, loff_t * ppos)
20729 {
20730 struct list_head *node, *next;
20731- char strbuf[5];
20732- char str[5] = "";
20733- unsigned int len = count;
20734+ char strbuf[5] = {0};
20735 struct acpi_device *found_dev = NULL;
20736
20737- if (len > 4)
20738- len = 4;
20739- if (len < 0)
20740- return -EFAULT;
20741+ if (count > 4)
20742+ count = 4;
20743
20744- if (copy_from_user(strbuf, buffer, len))
20745+ if (copy_from_user(strbuf, buffer, count))
20746 return -EFAULT;
20747- strbuf[len] = '\0';
20748- sscanf(strbuf, "%s", str);
20749+ strbuf[count] = '\0';
20750
20751 mutex_lock(&acpi_device_lock);
20752 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
20753@@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
20754 if (!dev->wakeup.flags.valid)
20755 continue;
20756
20757- if (!strncmp(dev->pnp.bus_id, str, 4)) {
20758+ if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20759 dev->wakeup.state.enabled =
20760 dev->wakeup.state.enabled ? 0 : 1;
20761 found_dev = dev;
57199397
MT		 20762diff -urNp linux-2.6.35.4/drivers/acpi/processor_driver.c linux-2.6.35.4/drivers/acpi/processor_driver.c
20763--- linux-2.6.35.4/drivers/acpi/processor_driver.c 2010-08-26 19:47:12.000000000 -0400
20764+++ linux-2.6.35.4/drivers/acpi/processor_driver.c 2010-09-17 20:12:09.000000000 -0400
20765@@ -586,7 +586,7 @@ static int __cpuinit acpi_processor_add(
58c5fc13 20766 return 0;
57199397 20767 #endif
58c5fc13
MT		 20768
20769- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20770+ BUG_ON(pr->id >= nr_cpu_ids);
20771
20772 /*
20773 * Buggy BIOS check
57199397
MT		 20774diff -urNp linux-2.6.35.4/drivers/acpi/processor_idle.c linux-2.6.35.4/drivers/acpi/processor_idle.c
20775--- linux-2.6.35.4/drivers/acpi/processor_idle.c 2010-08-26 19:47:12.000000000 -0400
20776+++ linux-2.6.35.4/drivers/acpi/processor_idle.c 2010-09-17 20:12:09.000000000 -0400
20777@@ -124,7 +124,7 @@ static struct dmi_system_id __cpuinitdat
ae4e228f
MT		 20778 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20779 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20780 (void *)1},
58c5fc13
MT		 20781- {},
20782+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20783 };
20784
20785
57199397
MT		 20786diff -urNp linux-2.6.35.4/drivers/acpi/sleep.c linux-2.6.35.4/drivers/acpi/sleep.c
20787--- linux-2.6.35.4/drivers/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
20788+++ linux-2.6.35.4/drivers/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
20789@@ -318,7 +318,7 @@ static int acpi_suspend_state_valid(susp
ae4e228f
MT		 20790 }
20791 }
20792
20793-static struct platform_suspend_ops acpi_suspend_ops = {
20794+static const struct platform_suspend_ops acpi_suspend_ops = {
20795 .valid = acpi_suspend_state_valid,
20796 .begin = acpi_suspend_begin,
20797 .prepare_late = acpi_pm_prepare,
57199397 20798@@ -346,7 +346,7 @@ static int acpi_suspend_begin_old(suspen
ae4e228f
MT		 20799 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20800 * been requested.
20801 */
20802-static struct platform_suspend_ops acpi_suspend_ops_old = {
20803+static const struct platform_suspend_ops acpi_suspend_ops_old = {
20804 .valid = acpi_suspend_state_valid,
20805 .begin = acpi_suspend_begin_old,
57199397
MT		 20806 .prepare_late = acpi_pm_freeze,
20807@@ -478,7 +478,7 @@ static void acpi_pm_thaw(void)
ae4e228f
MT		 20808 acpi_enable_all_runtime_gpes();
20809 }
20810
20811-static struct platform_hibernation_ops acpi_hibernation_ops = {
20812+static const struct platform_hibernation_ops acpi_hibernation_ops = {
20813 .begin = acpi_hibernation_begin,
20814 .end = acpi_pm_end,
20815 .pre_snapshot = acpi_hibernation_pre_snapshot,
57199397 20816@@ -528,7 +528,7 @@ static int acpi_hibernation_pre_snapshot
ae4e228f
MT		 20817 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20818 * been requested.
20819 */
20820-static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20821+static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20822 .begin = acpi_hibernation_begin_old,
20823 .end = acpi_pm_end,
20824 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
57199397
MT		 20825diff -urNp linux-2.6.35.4/drivers/acpi/video.c linux-2.6.35.4/drivers/acpi/video.c
20826--- linux-2.6.35.4/drivers/acpi/video.c 2010-08-26 19:47:12.000000000 -0400
20827+++ linux-2.6.35.4/drivers/acpi/video.c 2010-09-17 20:12:09.000000000 -0400
20828@@ -363,7 +363,7 @@ static int acpi_video_set_brightness(str
ae4e228f
MT		 20829 vd->brightness->levels[request_level]);
20830 }
20831
20832-static struct backlight_ops acpi_backlight_ops = {
20833+static const struct backlight_ops acpi_backlight_ops = {
20834 .get_brightness = acpi_video_get_brightness,
20835 .update_status = acpi_video_set_brightness,
20836 };
57199397
MT		 20837diff -urNp linux-2.6.35.4/drivers/ata/ahci.c linux-2.6.35.4/drivers/ata/ahci.c
20838--- linux-2.6.35.4/drivers/ata/ahci.c 2010-08-26 19:47:12.000000000 -0400
20839+++ linux-2.6.35.4/drivers/ata/ahci.c 2010-09-17 20:12:09.000000000 -0400
20840@@ -89,17 +89,17 @@ static int ahci_pci_device_suspend(struc
20841 static int ahci_pci_device_resume(struct pci_dev *pdev);
20842 #endif
ae4e228f
MT		 20843
20844-static struct ata_port_operations ahci_vt8251_ops = {
20845+static const struct ata_port_operations ahci_vt8251_ops = {
20846 .inherits = &ahci_ops,
20847 .hardreset = ahci_vt8251_hardreset,
20848 };
20849
20850-static struct ata_port_operations ahci_p5wdh_ops = {
20851+static const struct ata_port_operations ahci_p5wdh_ops = {
20852 .inherits = &ahci_ops,
20853 .hardreset = ahci_p5wdh_hardreset,
20854 };
20855
20856-static struct ata_port_operations ahci_sb600_ops = {
20857+static const struct ata_port_operations ahci_sb600_ops = {
20858 .inherits = &ahci_ops,
20859 .softreset = ahci_sb600_softreset,
20860 .pmp_softreset = ahci_sb600_softreset,
57199397 20861@@ -370,7 +370,7 @@ static const struct pci_device_id ahci_p
58c5fc13
MT		 20862 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20863 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20864
20865- { } /* terminate list */
20866+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20867 };
20868
20869
57199397
MT		 20870diff -urNp linux-2.6.35.4/drivers/ata/ahci.h linux-2.6.35.4/drivers/ata/ahci.h
20871--- linux-2.6.35.4/drivers/ata/ahci.h 2010-08-26 19:47:12.000000000 -0400
20872+++ linux-2.6.35.4/drivers/ata/ahci.h 2010-09-17 20:12:09.000000000 -0400
20873@@ -298,7 +298,7 @@ struct ahci_host_priv {
20874 extern int ahci_ignore_sss;
20875
20876 extern struct scsi_host_template ahci_sht;
20877-extern struct ata_port_operations ahci_ops;
20878+extern const struct ata_port_operations ahci_ops;
20879
20880 void ahci_save_initial_config(struct device *dev,
20881 struct ahci_host_priv *hpriv,
20882diff -urNp linux-2.6.35.4/drivers/ata/ata_generic.c linux-2.6.35.4/drivers/ata/ata_generic.c
20883--- linux-2.6.35.4/drivers/ata/ata_generic.c 2010-08-26 19:47:12.000000000 -0400
20884+++ linux-2.6.35.4/drivers/ata/ata_generic.c 2010-09-17 20:12:09.000000000 -0400
20885@@ -104,7 +104,7 @@ static struct scsi_host_template generic
ae4e228f
MT		 20886 ATA_BMDMA_SHT(DRV_NAME),
20887 };
20888
20889-static struct ata_port_operations generic_port_ops = {
20890+static const struct ata_port_operations generic_port_ops = {
20891 .inherits = &ata_bmdma_port_ops,
20892 .cable_detect = ata_cable_unknown,
20893 .set_mode = generic_set_mode,
57199397
MT		 20894diff -urNp linux-2.6.35.4/drivers/ata/ata_piix.c linux-2.6.35.4/drivers/ata/ata_piix.c
20895--- linux-2.6.35.4/drivers/ata/ata_piix.c 2010-08-26 19:47:12.000000000 -0400
20896+++ linux-2.6.35.4/drivers/ata/ata_piix.c 2010-09-17 20:12:09.000000000 -0400
20897@@ -302,7 +302,7 @@ static const struct pci_device_id piix_p
df50ba0c
MT		 20898 { 0x8086, 0x1c08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20899 /* SATA Controller IDE (CPT) */
20900 { 0x8086, 0x1c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
58c5fc13
MT		 20901- { } /* terminate list */
20902+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20903 };
20904
20905 static struct pci_driver piix_pci_driver = {
57199397 20906@@ -320,12 +320,12 @@ static struct scsi_host_template piix_sh
ae4e228f
MT		 20907 ATA_BMDMA_SHT(DRV_NAME),
20908 };
20909
df50ba0c
MT		 20910-static struct ata_port_operations piix_sata_ops = {
20911+static const struct ata_port_operations piix_sata_ops = {
20912 .inherits = &ata_bmdma32_port_ops,
20913 .sff_irq_check = piix_irq_check,
20914 };
20915
ae4e228f
MT		 20916-static struct ata_port_operations piix_pata_ops = {
20917+static const struct ata_port_operations piix_pata_ops = {
df50ba0c 20918 .inherits = &piix_sata_ops,
ae4e228f
MT		 20919 .cable_detect = ata_cable_40wire,
20920 .set_piomode = piix_set_piomode,
57199397 20921@@ -333,18 +333,18 @@ static struct ata_port_operations piix_p
ae4e228f
MT		 20922 .prereset = piix_pata_prereset,
20923 };
20924
20925-static struct ata_port_operations piix_vmw_ops = {
20926+static const struct ata_port_operations piix_vmw_ops = {
20927 .inherits = &piix_pata_ops,
20928 .bmdma_status = piix_vmw_bmdma_status,
20929 };
20930
20931-static struct ata_port_operations ich_pata_ops = {
20932+static const struct ata_port_operations ich_pata_ops = {
20933 .inherits = &piix_pata_ops,
20934 .cable_detect = ich_pata_cable_detect,
20935 .set_dmamode = ich_set_dmamode,
20936 };
20937
ae4e228f
MT		 20938-static struct ata_port_operations piix_sidpr_sata_ops = {
20939+static const struct ata_port_operations piix_sidpr_sata_ops = {
20940 .inherits = &piix_sata_ops,
20941 .hardreset = sata_std_hardreset,
20942 .scr_read = piix_sidpr_scr_read,
57199397 20943@@ -620,7 +620,7 @@ static const struct ich_laptop ich_lapto
58c5fc13
MT		 20944 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20945 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20946 /* end marker */
20947- { 0, }
20948+ { 0, 0, 0 }
20949 };
20950
20951 /**
57199397 20952@@ -1112,7 +1112,7 @@ static int piix_broken_suspend(void)
58c5fc13
MT		 20953 },
20954 },
20955
20956- { } /* terminate list */
20957+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20958 };
20959 static const char *oemstrs[] = {
20960 "Tecra M3,",
57199397
MT		 20961diff -urNp linux-2.6.35.4/drivers/ata/libahci.c linux-2.6.35.4/drivers/ata/libahci.c
20962--- linux-2.6.35.4/drivers/ata/libahci.c 2010-08-26 19:47:12.000000000 -0400
20963+++ linux-2.6.35.4/drivers/ata/libahci.c 2010-09-17 20:12:09.000000000 -0400
20964@@ -149,7 +149,7 @@ struct scsi_host_template ahci_sht = {
20965 };
20966 EXPORT_SYMBOL_GPL(ahci_sht);
20967
20968-struct ata_port_operations ahci_ops = {
20969+const struct ata_port_operations ahci_ops = {
20970 .inherits = &sata_pmp_port_ops,
20971
20972 .qc_defer = ahci_pmp_qc_defer,
20973diff -urNp linux-2.6.35.4/drivers/ata/libata-acpi.c linux-2.6.35.4/drivers/ata/libata-acpi.c
20974--- linux-2.6.35.4/drivers/ata/libata-acpi.c 2010-08-26 19:47:12.000000000 -0400
20975+++ linux-2.6.35.4/drivers/ata/libata-acpi.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 20976@@ -224,12 +224,12 @@ static void ata_acpi_dev_uevent(acpi_han
ae4e228f
MT		 20977 ata_acpi_uevent(dev->link->ap, dev, event);
20978 }
20979
20980-static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20981+static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20982 .handler = ata_acpi_dev_notify_dock,
20983 .uevent = ata_acpi_dev_uevent,
20984 };
20985
20986-static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20987+static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20988 .handler = ata_acpi_ap_notify_dock,
20989 .uevent = ata_acpi_ap_uevent,
20990 };
57199397
MT		 20991diff -urNp linux-2.6.35.4/drivers/ata/libata-core.c linux-2.6.35.4/drivers/ata/libata-core.c
20992--- linux-2.6.35.4/drivers/ata/libata-core.c 2010-08-26 19:47:12.000000000 -0400
20993+++ linux-2.6.35.4/drivers/ata/libata-core.c 2010-09-17 20:12:09.000000000 -0400
efbe55a5 20994@@ -901,7 +901,7 @@ static const struct ata_xfer_ent {
58c5fc13
MT		 20995 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20996 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20997 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20998- { -1, },
20999+ { -1, 0, 0 }
21000 };
21001
21002 /**
57199397 21003@@ -3073,7 +3073,7 @@ static const struct ata_timing ata_timin
58c5fc13
MT		 21004 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
21005 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
21006
21007- { 0xFF }
21008+ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
21009 };
21010
21011 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
57199397 21012@@ -4323,7 +4323,7 @@ static const struct ata_blacklist_entry
58c5fc13
MT		 21013 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
21014
21015 /* End Marker */
21016- { }
21017+ { NULL, NULL, 0 }
21018 };
21019
21020 static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
57199397 21021@@ -5869,7 +5869,7 @@ static void ata_host_stop(struct device
ae4e228f
MT		 21022 * LOCKING:
21023 * None.
21024 */
21025-static void ata_finalize_port_ops(struct ata_port_operations *ops)
21026+static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21027 {
21028 static DEFINE_SPINLOCK(lock);
21029 const struct ata_port_operations *cur;
57199397 21030@@ -5881,6 +5881,7 @@ static void ata_finalize_port_ops(struct
ae4e228f
MT		 21031 return;
21032
21033 spin_lock(&lock);
21034+ pax_open_kernel();
21035
21036 for (cur = ops->inherits; cur; cur = cur->inherits) {
21037 void **inherit = (void **)cur;
57199397 21038@@ -5894,8 +5895,9 @@ static void ata_finalize_port_ops(struct
ae4e228f
MT		 21039 if (IS_ERR(*pp))
21040 *pp = NULL;
21041
21042- ops->inherits = NULL;
21043+ ((struct ata_port_operations *)ops)->inherits = NULL;
21044
21045+ pax_close_kernel();
21046 spin_unlock(&lock);
21047 }
21048
57199397 21049@@ -5992,7 +5994,7 @@ int ata_host_start(struct ata_host *host
ae4e228f
MT		 21050 */
21051 /* KILLME - the only user left is ipr */
21052 void ata_host_init(struct ata_host *host, struct device *dev,
21053- unsigned long flags, struct ata_port_operations *ops)
21054+ unsigned long flags, const struct ata_port_operations *ops)
21055 {
21056 spin_lock_init(&host->lock);
21057 host->dev = dev;
57199397 21058@@ -6642,7 +6644,7 @@ static void ata_dummy_error_handler(stru
ae4e228f
MT		 21059 /* truly dummy */
21060 }
21061
21062-struct ata_port_operations ata_dummy_port_ops = {
21063+const struct ata_port_operations ata_dummy_port_ops = {
21064 .qc_prep = ata_noop_qc_prep,
21065 .qc_issue = ata_dummy_qc_issue,
21066 .error_handler = ata_dummy_error_handler,
57199397
MT		 21067diff -urNp linux-2.6.35.4/drivers/ata/libata-eh.c linux-2.6.35.4/drivers/ata/libata-eh.c
21068--- linux-2.6.35.4/drivers/ata/libata-eh.c 2010-08-26 19:47:12.000000000 -0400
21069+++ linux-2.6.35.4/drivers/ata/libata-eh.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21070@@ -3680,7 +3680,7 @@ void ata_do_eh(struct ata_port *ap, ata_
ae4e228f
MT		 21071 */
21072 void ata_std_error_handler(struct ata_port *ap)
21073 {
21074- struct ata_port_operations *ops = ap->ops;
21075+ const struct ata_port_operations *ops = ap->ops;
21076 ata_reset_fn_t hardreset = ops->hardreset;
21077
21078 /* ignore built-in hardreset if SCR access is not available */
57199397
MT		 21079diff -urNp linux-2.6.35.4/drivers/ata/libata-pmp.c linux-2.6.35.4/drivers/ata/libata-pmp.c
21080--- linux-2.6.35.4/drivers/ata/libata-pmp.c 2010-08-26 19:47:12.000000000 -0400
21081+++ linux-2.6.35.4/drivers/ata/libata-pmp.c 2010-09-17 20:12:09.000000000 -0400
21082@@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
ae4e228f
MT		 21083 */
21084 static int sata_pmp_eh_recover(struct ata_port *ap)
21085 {
21086- struct ata_port_operations *ops = ap->ops;
21087+ const struct ata_port_operations *ops = ap->ops;
21088 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21089 struct ata_link *pmp_link = &ap->link;
21090 struct ata_device *pmp_dev = pmp_link->device;
57199397
MT		 21091diff -urNp linux-2.6.35.4/drivers/ata/pata_acpi.c linux-2.6.35.4/drivers/ata/pata_acpi.c
21092--- linux-2.6.35.4/drivers/ata/pata_acpi.c 2010-08-26 19:47:12.000000000 -0400
21093+++ linux-2.6.35.4/drivers/ata/pata_acpi.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21094@@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
ae4e228f
MT		 21095 ATA_BMDMA_SHT(DRV_NAME),
21096 };
21097
21098-static struct ata_port_operations pacpi_ops = {
21099+static const struct ata_port_operations pacpi_ops = {
21100 .inherits = &ata_bmdma_port_ops,
21101 .qc_issue = pacpi_qc_issue,
21102 .cable_detect = pacpi_cable_detect,
57199397
MT		 21103diff -urNp linux-2.6.35.4/drivers/ata/pata_ali.c linux-2.6.35.4/drivers/ata/pata_ali.c
21104--- linux-2.6.35.4/drivers/ata/pata_ali.c 2010-08-26 19:47:12.000000000 -0400
21105+++ linux-2.6.35.4/drivers/ata/pata_ali.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21106@@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
ae4e228f
MT		 21107 * Port operations for PIO only ALi
21108 */
21109
21110-static struct ata_port_operations ali_early_port_ops = {
21111+static const struct ata_port_operations ali_early_port_ops = {
21112 .inherits = &ata_sff_port_ops,
21113 .cable_detect = ata_cable_40wire,
21114 .set_piomode = ali_set_piomode,
df50ba0c 21115@@ -380,7 +380,7 @@ static const struct ata_port_operations
ae4e228f
MT		 21116 * Port operations for DMA capable ALi without cable
21117 * detect
21118 */
21119-static struct ata_port_operations ali_20_port_ops = {
21120+static const struct ata_port_operations ali_20_port_ops = {
21121 .inherits = &ali_dma_base_ops,
21122 .cable_detect = ata_cable_40wire,
21123 .mode_filter = ali_20_filter,
df50ba0c 21124@@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
ae4e228f
MT		 21125 /*
21126 * Port operations for DMA capable ALi with cable detect
21127 */
21128-static struct ata_port_operations ali_c2_port_ops = {
21129+static const struct ata_port_operations ali_c2_port_ops = {
21130 .inherits = &ali_dma_base_ops,
21131 .check_atapi_dma = ali_check_atapi_dma,
21132 .cable_detect = ali_c2_cable_detect,
df50ba0c 21133@@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
ae4e228f
MT		 21134 /*
21135 * Port operations for DMA capable ALi with cable detect
21136 */
21137-static struct ata_port_operations ali_c4_port_ops = {
21138+static const struct ata_port_operations ali_c4_port_ops = {
21139 .inherits = &ali_dma_base_ops,
21140 .check_atapi_dma = ali_check_atapi_dma,
21141 .cable_detect = ali_c2_cable_detect,
df50ba0c 21142@@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
ae4e228f
MT		 21143 /*
21144 * Port operations for DMA capable ALi with cable detect and LBA48
21145 */
21146-static struct ata_port_operations ali_c5_port_ops = {
21147+static const struct ata_port_operations ali_c5_port_ops = {
21148 .inherits = &ali_dma_base_ops,
21149 .check_atapi_dma = ali_check_atapi_dma,
21150 .dev_config = ali_warn_atapi_dma,
57199397
MT		 21151diff -urNp linux-2.6.35.4/drivers/ata/pata_amd.c linux-2.6.35.4/drivers/ata/pata_amd.c
21152--- linux-2.6.35.4/drivers/ata/pata_amd.c 2010-08-26 19:47:12.000000000 -0400
21153+++ linux-2.6.35.4/drivers/ata/pata_amd.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21154@@ -397,28 +397,28 @@ static const struct ata_port_operations
21155 .prereset = amd_pre_reset,
21156 };
21157
21158-static struct ata_port_operations amd33_port_ops = {
21159+static const struct ata_port_operations amd33_port_ops = {
21160 .inherits = &amd_base_port_ops,
21161 .cable_detect = ata_cable_40wire,
21162 .set_piomode = amd33_set_piomode,
21163 .set_dmamode = amd33_set_dmamode,
21164 };
21165
21166-static struct ata_port_operations amd66_port_ops = {
21167+static const struct ata_port_operations amd66_port_ops = {
21168 .inherits = &amd_base_port_ops,
21169 .cable_detect = ata_cable_unknown,
21170 .set_piomode = amd66_set_piomode,
21171 .set_dmamode = amd66_set_dmamode,
21172 };
21173
21174-static struct ata_port_operations amd100_port_ops = {
21175+static const struct ata_port_operations amd100_port_ops = {
21176 .inherits = &amd_base_port_ops,
21177 .cable_detect = ata_cable_unknown,
21178 .set_piomode = amd100_set_piomode,
21179 .set_dmamode = amd100_set_dmamode,
21180 };
21181
21182-static struct ata_port_operations amd133_port_ops = {
21183+static const struct ata_port_operations amd133_port_ops = {
21184 .inherits = &amd_base_port_ops,
21185 .cable_detect = amd_cable_detect,
21186 .set_piomode = amd133_set_piomode,
21187@@ -433,13 +433,13 @@ static const struct ata_port_operations
21188 .host_stop = nv_host_stop,
21189 };
21190
21191-static struct ata_port_operations nv100_port_ops = {
21192+static const struct ata_port_operations nv100_port_ops = {
21193 .inherits = &nv_base_port_ops,
21194 .set_piomode = nv100_set_piomode,
21195 .set_dmamode = nv100_set_dmamode,
21196 };
21197
21198-static struct ata_port_operations nv133_port_ops = {
21199+static const struct ata_port_operations nv133_port_ops = {
21200 .inherits = &nv_base_port_ops,
21201 .set_piomode = nv133_set_piomode,
21202 .set_dmamode = nv133_set_dmamode,
57199397
MT		 21203diff -urNp linux-2.6.35.4/drivers/ata/pata_artop.c linux-2.6.35.4/drivers/ata/pata_artop.c
21204--- linux-2.6.35.4/drivers/ata/pata_artop.c 2010-08-26 19:47:12.000000000 -0400
21205+++ linux-2.6.35.4/drivers/ata/pata_artop.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21206@@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
21207 ATA_BMDMA_SHT(DRV_NAME),
21208 };
21209
21210-static struct ata_port_operations artop6210_ops = {
21211+static const struct ata_port_operations artop6210_ops = {
21212 .inherits = &ata_bmdma_port_ops,
21213 .cable_detect = ata_cable_40wire,
21214 .set_piomode = artop6210_set_piomode,
21215@@ -320,7 +320,7 @@ static struct ata_port_operations artop6
21216 .qc_defer = artop6210_qc_defer,
21217 };
21218
21219-static struct ata_port_operations artop6260_ops = {
21220+static const struct ata_port_operations artop6260_ops = {
21221 .inherits = &ata_bmdma_port_ops,
21222 .cable_detect = artop6260_cable_detect,
21223 .set_piomode = artop6260_set_piomode,
57199397
MT		 21224diff -urNp linux-2.6.35.4/drivers/ata/pata_at32.c linux-2.6.35.4/drivers/ata/pata_at32.c
21225--- linux-2.6.35.4/drivers/ata/pata_at32.c 2010-08-26 19:47:12.000000000 -0400
21226+++ linux-2.6.35.4/drivers/ata/pata_at32.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21227@@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
ae4e228f
MT		 21228 ATA_PIO_SHT(DRV_NAME),
21229 };
21230
21231-static struct ata_port_operations at32_port_ops = {
21232+static const struct ata_port_operations at32_port_ops = {
21233 .inherits = &ata_sff_port_ops,
21234 .cable_detect = ata_cable_40wire,
21235 .set_piomode = pata_at32_set_piomode,
57199397
MT		 21236diff -urNp linux-2.6.35.4/drivers/ata/pata_at91.c linux-2.6.35.4/drivers/ata/pata_at91.c
21237--- linux-2.6.35.4/drivers/ata/pata_at91.c 2010-08-26 19:47:12.000000000 -0400
21238+++ linux-2.6.35.4/drivers/ata/pata_at91.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21239@@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
ae4e228f
MT		 21240 ATA_PIO_SHT(DRV_NAME),
21241 };
21242
21243-static struct ata_port_operations pata_at91_port_ops = {
21244+static const struct ata_port_operations pata_at91_port_ops = {
21245 .inherits = &ata_sff_port_ops,
21246
21247 .sff_data_xfer = pata_at91_data_xfer_noirq,
57199397
MT		 21248diff -urNp linux-2.6.35.4/drivers/ata/pata_atiixp.c linux-2.6.35.4/drivers/ata/pata_atiixp.c
21249--- linux-2.6.35.4/drivers/ata/pata_atiixp.c 2010-08-26 19:47:12.000000000 -0400
21250+++ linux-2.6.35.4/drivers/ata/pata_atiixp.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21251@@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
ae4e228f
MT		 21252 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21253 };
21254
21255-static struct ata_port_operations atiixp_port_ops = {
21256+static const struct ata_port_operations atiixp_port_ops = {
21257 .inherits = &ata_bmdma_port_ops,
21258
57199397
MT		 21259 .qc_prep = ata_bmdma_dumb_qc_prep,
21260diff -urNp linux-2.6.35.4/drivers/ata/pata_atp867x.c linux-2.6.35.4/drivers/ata/pata_atp867x.c
21261--- linux-2.6.35.4/drivers/ata/pata_atp867x.c 2010-08-26 19:47:12.000000000 -0400
21262+++ linux-2.6.35.4/drivers/ata/pata_atp867x.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21263@@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
ae4e228f
MT		 21264 ATA_BMDMA_SHT(DRV_NAME),
21265 };
21266
21267-static struct ata_port_operations atp867x_ops = {
21268+static const struct ata_port_operations atp867x_ops = {
21269 .inherits = &ata_bmdma_port_ops,
21270 .cable_detect = atp867x_cable_detect,
21271 .set_piomode = atp867x_set_piomode,
57199397
MT		 21272diff -urNp linux-2.6.35.4/drivers/ata/pata_bf54x.c linux-2.6.35.4/drivers/ata/pata_bf54x.c
21273--- linux-2.6.35.4/drivers/ata/pata_bf54x.c 2010-08-26 19:47:12.000000000 -0400
21274+++ linux-2.6.35.4/drivers/ata/pata_bf54x.c 2010-09-17 20:12:09.000000000 -0400
21275@@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
ae4e228f
MT		 21276 .dma_boundary = ATA_DMA_BOUNDARY,
21277 };
21278
21279-static struct ata_port_operations bfin_pata_ops = {
21280+static const struct ata_port_operations bfin_pata_ops = {
57199397 21281 .inherits = &ata_bmdma_port_ops,
ae4e228f
MT		 21282
21283 .set_piomode = bfin_set_piomode,
57199397
MT		 21284diff -urNp linux-2.6.35.4/drivers/ata/pata_cmd640.c linux-2.6.35.4/drivers/ata/pata_cmd640.c
21285--- linux-2.6.35.4/drivers/ata/pata_cmd640.c 2010-08-26 19:47:12.000000000 -0400
21286+++ linux-2.6.35.4/drivers/ata/pata_cmd640.c 2010-09-17 20:12:09.000000000 -0400
21287@@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21288 ATA_PIO_SHT(DRV_NAME),
ae4e228f
MT		 21289 };
21290
21291-static struct ata_port_operations cmd640_port_ops = {
21292+static const struct ata_port_operations cmd640_port_ops = {
57199397 21293 .inherits = &ata_sff_port_ops,
ae4e228f
MT		 21294 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21295 .sff_data_xfer = ata_sff_data_xfer_noirq,
57199397
MT		 21296diff -urNp linux-2.6.35.4/drivers/ata/pata_cmd64x.c linux-2.6.35.4/drivers/ata/pata_cmd64x.c
21297--- linux-2.6.35.4/drivers/ata/pata_cmd64x.c 2010-08-26 19:47:12.000000000 -0400
21298+++ linux-2.6.35.4/drivers/ata/pata_cmd64x.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21299@@ -274,18 +274,18 @@ static const struct ata_port_operations
ae4e228f
MT		 21300 .set_dmamode = cmd64x_set_dmamode,
21301 };
21302
21303-static struct ata_port_operations cmd64x_port_ops = {
21304+static const struct ata_port_operations cmd64x_port_ops = {
21305 .inherits = &cmd64x_base_ops,
21306 .cable_detect = ata_cable_40wire,
21307 };
21308
21309-static struct ata_port_operations cmd646r1_port_ops = {
21310+static const struct ata_port_operations cmd646r1_port_ops = {
21311 .inherits = &cmd64x_base_ops,
21312 .bmdma_stop = cmd646r1_bmdma_stop,
21313 .cable_detect = ata_cable_40wire,
21314 };
21315
21316-static struct ata_port_operations cmd648_port_ops = {
21317+static const struct ata_port_operations cmd648_port_ops = {
21318 .inherits = &cmd64x_base_ops,
21319 .bmdma_stop = cmd648_bmdma_stop,
21320 .cable_detect = cmd648_cable_detect,
57199397
MT		 21321diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5520.c linux-2.6.35.4/drivers/ata/pata_cs5520.c
21322--- linux-2.6.35.4/drivers/ata/pata_cs5520.c 2010-08-26 19:47:12.000000000 -0400
21323+++ linux-2.6.35.4/drivers/ata/pata_cs5520.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21324@@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21325 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21326 };
21327
21328-static struct ata_port_operations cs5520_port_ops = {
21329+static const struct ata_port_operations cs5520_port_ops = {
21330 .inherits = &ata_bmdma_port_ops,
57199397 21331 .qc_prep = ata_bmdma_dumb_qc_prep,
ae4e228f 21332 .cable_detect = ata_cable_40wire,
57199397
MT		 21333diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5530.c linux-2.6.35.4/drivers/ata/pata_cs5530.c
21334--- linux-2.6.35.4/drivers/ata/pata_cs5530.c 2010-08-26 19:47:12.000000000 -0400
21335+++ linux-2.6.35.4/drivers/ata/pata_cs5530.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21336@@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21337 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21338 };
21339
21340-static struct ata_port_operations cs5530_port_ops = {
21341+static const struct ata_port_operations cs5530_port_ops = {
21342 .inherits = &ata_bmdma_port_ops,
21343
57199397
MT		 21344 .qc_prep = ata_bmdma_dumb_qc_prep,
21345diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5535.c linux-2.6.35.4/drivers/ata/pata_cs5535.c
21346--- linux-2.6.35.4/drivers/ata/pata_cs5535.c 2010-08-26 19:47:12.000000000 -0400
21347+++ linux-2.6.35.4/drivers/ata/pata_cs5535.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21348@@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21349 ATA_BMDMA_SHT(DRV_NAME),
21350 };
21351
21352-static struct ata_port_operations cs5535_port_ops = {
21353+static const struct ata_port_operations cs5535_port_ops = {
21354 .inherits = &ata_bmdma_port_ops,
21355 .cable_detect = cs5535_cable_detect,
21356 .set_piomode = cs5535_set_piomode,
57199397
MT		 21357diff -urNp linux-2.6.35.4/drivers/ata/pata_cs5536.c linux-2.6.35.4/drivers/ata/pata_cs5536.c
21358--- linux-2.6.35.4/drivers/ata/pata_cs5536.c 2010-08-26 19:47:12.000000000 -0400
21359+++ linux-2.6.35.4/drivers/ata/pata_cs5536.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21360@@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21361 ATA_BMDMA_SHT(DRV_NAME),
21362 };
21363
21364-static struct ata_port_operations cs5536_port_ops = {
21365+static const struct ata_port_operations cs5536_port_ops = {
21366 .inherits = &ata_bmdma32_port_ops,
21367 .cable_detect = cs5536_cable_detect,
21368 .set_piomode = cs5536_set_piomode,
57199397
MT		 21369diff -urNp linux-2.6.35.4/drivers/ata/pata_cypress.c linux-2.6.35.4/drivers/ata/pata_cypress.c
21370--- linux-2.6.35.4/drivers/ata/pata_cypress.c 2010-08-26 19:47:12.000000000 -0400
21371+++ linux-2.6.35.4/drivers/ata/pata_cypress.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21372@@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
ae4e228f
MT		 21373 ATA_BMDMA_SHT(DRV_NAME),
21374 };
21375
21376-static struct ata_port_operations cy82c693_port_ops = {
21377+static const struct ata_port_operations cy82c693_port_ops = {
21378 .inherits = &ata_bmdma_port_ops,
21379 .cable_detect = ata_cable_40wire,
21380 .set_piomode = cy82c693_set_piomode,
57199397
MT		 21381diff -urNp linux-2.6.35.4/drivers/ata/pata_efar.c linux-2.6.35.4/drivers/ata/pata_efar.c
21382--- linux-2.6.35.4/drivers/ata/pata_efar.c 2010-08-26 19:47:12.000000000 -0400
21383+++ linux-2.6.35.4/drivers/ata/pata_efar.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21384@@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
ae4e228f
MT		 21385 ATA_BMDMA_SHT(DRV_NAME),
21386 };
21387
21388-static struct ata_port_operations efar_ops = {
21389+static const struct ata_port_operations efar_ops = {
21390 .inherits = &ata_bmdma_port_ops,
21391 .cable_detect = efar_cable_detect,
21392 .set_piomode = efar_set_piomode,
57199397
MT		 21393diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt366.c linux-2.6.35.4/drivers/ata/pata_hpt366.c
21394--- linux-2.6.35.4/drivers/ata/pata_hpt366.c 2010-08-26 19:47:12.000000000 -0400
21395+++ linux-2.6.35.4/drivers/ata/pata_hpt366.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21396@@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
ae4e228f
MT		 21397 * Configuration for HPT366/68
21398 */
21399
21400-static struct ata_port_operations hpt366_port_ops = {
21401+static const struct ata_port_operations hpt366_port_ops = {
21402 .inherits = &ata_bmdma_port_ops,
21403 .cable_detect = hpt36x_cable_detect,
21404 .mode_filter = hpt366_filter,
57199397
MT		 21405diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt37x.c linux-2.6.35.4/drivers/ata/pata_hpt37x.c
21406--- linux-2.6.35.4/drivers/ata/pata_hpt37x.c 2010-08-26 19:47:12.000000000 -0400
21407+++ linux-2.6.35.4/drivers/ata/pata_hpt37x.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21408@@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
ae4e228f
MT		 21409 * Configuration for HPT370
21410 */
21411
21412-static struct ata_port_operations hpt370_port_ops = {
21413+static const struct ata_port_operations hpt370_port_ops = {
21414 .inherits = &ata_bmdma_port_ops,
21415
21416 .bmdma_stop = hpt370_bmdma_stop,
df50ba0c 21417@@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
ae4e228f
MT		 21418 * Configuration for HPT370A. Close to 370 but less filters
21419 */
21420
21421-static struct ata_port_operations hpt370a_port_ops = {
21422+static const struct ata_port_operations hpt370a_port_ops = {
21423 .inherits = &hpt370_port_ops,
21424 .mode_filter = hpt370a_filter,
21425 };
df50ba0c 21426@@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
ae4e228f
MT		 21427 * and DMA mode setting functionality.
21428 */
21429
21430-static struct ata_port_operations hpt372_port_ops = {
21431+static const struct ata_port_operations hpt372_port_ops = {
21432 .inherits = &ata_bmdma_port_ops,
21433
21434 .bmdma_stop = hpt37x_bmdma_stop,
df50ba0c 21435@@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
ae4e228f
MT		 21436 * but we have a different cable detection procedure for function 1.
21437 */
21438
21439-static struct ata_port_operations hpt374_fn1_port_ops = {
21440+static const struct ata_port_operations hpt374_fn1_port_ops = {
21441 .inherits = &hpt372_port_ops,
21442 .cable_detect = hpt374_fn1_cable_detect,
21443 .prereset = hpt37x_pre_reset,
57199397
MT		 21444diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c
21445--- linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c 2010-08-26 19:47:12.000000000 -0400
21446+++ linux-2.6.35.4/drivers/ata/pata_hpt3x2n.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21447@@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
ae4e228f
MT		 21448 * Configuration for HPT3x2n.
21449 */
21450
21451-static struct ata_port_operations hpt3x2n_port_ops = {
21452+static const struct ata_port_operations hpt3x2n_port_ops = {
21453 .inherits = &ata_bmdma_port_ops,
21454
21455 .bmdma_stop = hpt3x2n_bmdma_stop,
57199397
MT		 21456diff -urNp linux-2.6.35.4/drivers/ata/pata_hpt3x3.c linux-2.6.35.4/drivers/ata/pata_hpt3x3.c
21457--- linux-2.6.35.4/drivers/ata/pata_hpt3x3.c 2010-08-26 19:47:12.000000000 -0400
21458+++ linux-2.6.35.4/drivers/ata/pata_hpt3x3.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21459@@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21460 ATA_BMDMA_SHT(DRV_NAME),
21461 };
21462
21463-static struct ata_port_operations hpt3x3_port_ops = {
21464+static const struct ata_port_operations hpt3x3_port_ops = {
21465 .inherits = &ata_bmdma_port_ops,
21466 .cable_detect = ata_cable_40wire,
21467 .set_piomode = hpt3x3_set_piomode,
57199397
MT		 21468diff -urNp linux-2.6.35.4/drivers/ata/pata_icside.c linux-2.6.35.4/drivers/ata/pata_icside.c
21469--- linux-2.6.35.4/drivers/ata/pata_icside.c 2010-08-26 19:47:12.000000000 -0400
21470+++ linux-2.6.35.4/drivers/ata/pata_icside.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21471@@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
ae4e228f
MT		 21472 }
21473 }
21474
21475-static struct ata_port_operations pata_icside_port_ops = {
21476+static const struct ata_port_operations pata_icside_port_ops = {
57199397 21477 .inherits = &ata_bmdma_port_ops,
ae4e228f
MT		 21478 /* no need to build any PRD tables for DMA */
21479 .qc_prep = ata_noop_qc_prep,
57199397
MT		 21480diff -urNp linux-2.6.35.4/drivers/ata/pata_isapnp.c linux-2.6.35.4/drivers/ata/pata_isapnp.c
21481--- linux-2.6.35.4/drivers/ata/pata_isapnp.c 2010-08-26 19:47:12.000000000 -0400
21482+++ linux-2.6.35.4/drivers/ata/pata_isapnp.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21483@@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21484 ATA_PIO_SHT(DRV_NAME),
21485 };
21486
21487-static struct ata_port_operations isapnp_port_ops = {
21488+static const struct ata_port_operations isapnp_port_ops = {
21489 .inherits = &ata_sff_port_ops,
21490 .cable_detect = ata_cable_40wire,
21491 };
21492
21493-static struct ata_port_operations isapnp_noalt_port_ops = {
21494+static const struct ata_port_operations isapnp_noalt_port_ops = {
21495 .inherits = &ata_sff_port_ops,
21496 .cable_detect = ata_cable_40wire,
21497 /* No altstatus so we don't want to use the lost interrupt poll */
57199397
MT		 21498diff -urNp linux-2.6.35.4/drivers/ata/pata_it8213.c linux-2.6.35.4/drivers/ata/pata_it8213.c
21499--- linux-2.6.35.4/drivers/ata/pata_it8213.c 2010-08-26 19:47:12.000000000 -0400
21500+++ linux-2.6.35.4/drivers/ata/pata_it8213.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21501@@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21502 };
21503
21504
21505-static struct ata_port_operations it8213_ops = {
21506+static const struct ata_port_operations it8213_ops = {
21507 .inherits = &ata_bmdma_port_ops,
21508 .cable_detect = it8213_cable_detect,
21509 .set_piomode = it8213_set_piomode,
57199397
MT		 21510diff -urNp linux-2.6.35.4/drivers/ata/pata_it821x.c linux-2.6.35.4/drivers/ata/pata_it821x.c
21511--- linux-2.6.35.4/drivers/ata/pata_it821x.c 2010-08-26 19:47:12.000000000 -0400
21512+++ linux-2.6.35.4/drivers/ata/pata_it821x.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21513@@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
ae4e228f
MT		 21514 ATA_BMDMA_SHT(DRV_NAME),
21515 };
21516
21517-static struct ata_port_operations it821x_smart_port_ops = {
21518+static const struct ata_port_operations it821x_smart_port_ops = {
21519 .inherits = &ata_bmdma_port_ops,
21520
21521 .check_atapi_dma= it821x_check_atapi_dma,
df50ba0c 21522@@ -815,7 +815,7 @@ static struct ata_port_operations it821x
ae4e228f
MT		 21523 .port_start = it821x_port_start,
21524 };
21525
21526-static struct ata_port_operations it821x_passthru_port_ops = {
21527+static const struct ata_port_operations it821x_passthru_port_ops = {
21528 .inherits = &ata_bmdma_port_ops,
21529
21530 .check_atapi_dma= it821x_check_atapi_dma,
df50ba0c 21531@@ -831,7 +831,7 @@ static struct ata_port_operations it821x
ae4e228f
MT		 21532 .port_start = it821x_port_start,
21533 };
21534
21535-static struct ata_port_operations it821x_rdc_port_ops = {
21536+static const struct ata_port_operations it821x_rdc_port_ops = {
21537 .inherits = &ata_bmdma_port_ops,
21538
21539 .check_atapi_dma= it821x_check_atapi_dma,
57199397
MT		 21540diff -urNp linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c
21541--- linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c 2010-08-26 19:47:12.000000000 -0400
21542+++ linux-2.6.35.4/drivers/ata/pata_ixp4xx_cf.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21543@@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21544 ATA_PIO_SHT(DRV_NAME),
21545 };
21546
21547-static struct ata_port_operations ixp4xx_port_ops = {
21548+static const struct ata_port_operations ixp4xx_port_ops = {
21549 .inherits = &ata_sff_port_ops,
21550 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21551 .cable_detect = ata_cable_40wire,
57199397
MT		 21552diff -urNp linux-2.6.35.4/drivers/ata/pata_jmicron.c linux-2.6.35.4/drivers/ata/pata_jmicron.c
21553--- linux-2.6.35.4/drivers/ata/pata_jmicron.c 2010-08-26 19:47:12.000000000 -0400
21554+++ linux-2.6.35.4/drivers/ata/pata_jmicron.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21555@@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21556 ATA_BMDMA_SHT(DRV_NAME),
21557 };
21558
21559-static struct ata_port_operations jmicron_ops = {
21560+static const struct ata_port_operations jmicron_ops = {
21561 .inherits = &ata_bmdma_port_ops,
21562 .prereset = jmicron_pre_reset,
21563 };
57199397
MT		 21564diff -urNp linux-2.6.35.4/drivers/ata/pata_legacy.c linux-2.6.35.4/drivers/ata/pata_legacy.c
21565--- linux-2.6.35.4/drivers/ata/pata_legacy.c 2010-08-26 19:47:12.000000000 -0400
21566+++ linux-2.6.35.4/drivers/ata/pata_legacy.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21567@@ -113,7 +113,7 @@ struct legacy_probe {
21568
21569 struct legacy_controller {
21570 const char *name;
21571- struct ata_port_operations *ops;
21572+ const struct ata_port_operations *ops;
21573 unsigned int pio_mask;
21574 unsigned int flags;
21575 unsigned int pflags;
21576@@ -230,12 +230,12 @@ static const struct ata_port_operations
21577 * pio_mask as well.
21578 */
21579
21580-static struct ata_port_operations simple_port_ops = {
21581+static const struct ata_port_operations simple_port_ops = {
21582 .inherits = &legacy_base_port_ops,
21583 .sff_data_xfer = ata_sff_data_xfer_noirq,
21584 };
21585
21586-static struct ata_port_operations legacy_port_ops = {
21587+static const struct ata_port_operations legacy_port_ops = {
21588 .inherits = &legacy_base_port_ops,
21589 .sff_data_xfer = ata_sff_data_xfer_noirq,
21590 .set_mode = legacy_set_mode,
21591@@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
21592 return buflen;
21593 }
21594
21595-static struct ata_port_operations pdc20230_port_ops = {
21596+static const struct ata_port_operations pdc20230_port_ops = {
21597 .inherits = &legacy_base_port_ops,
21598 .set_piomode = pdc20230_set_piomode,
21599 .sff_data_xfer = pdc_data_xfer_vlb,
21600@@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
21601 ioread8(ap->ioaddr.status_addr);
21602 }
21603
21604-static struct ata_port_operations ht6560a_port_ops = {
21605+static const struct ata_port_operations ht6560a_port_ops = {
21606 .inherits = &legacy_base_port_ops,
21607 .set_piomode = ht6560a_set_piomode,
21608 };
21609@@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
21610 ioread8(ap->ioaddr.status_addr);
21611 }
21612
21613-static struct ata_port_operations ht6560b_port_ops = {
21614+static const struct ata_port_operations ht6560b_port_ops = {
21615 .inherits = &legacy_base_port_ops,
21616 .set_piomode = ht6560b_set_piomode,
21617 };
21618@@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
21619 }
21620
21621
21622-static struct ata_port_operations opti82c611a_port_ops = {
21623+static const struct ata_port_operations opti82c611a_port_ops = {
21624 .inherits = &legacy_base_port_ops,
21625 .set_piomode = opti82c611a_set_piomode,
21626 };
21627@@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
21628 return ata_sff_qc_issue(qc);
21629 }
21630
21631-static struct ata_port_operations opti82c46x_port_ops = {
21632+static const struct ata_port_operations opti82c46x_port_ops = {
21633 .inherits = &legacy_base_port_ops,
21634 .set_piomode = opti82c46x_set_piomode,
21635 .qc_issue = opti82c46x_qc_issue,
21636@@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
21637 return 0;
21638 }
21639
21640-static struct ata_port_operations qdi6500_port_ops = {
21641+static const struct ata_port_operations qdi6500_port_ops = {
21642 .inherits = &legacy_base_port_ops,
21643 .set_piomode = qdi6500_set_piomode,
21644 .qc_issue = qdi_qc_issue,
21645 .sff_data_xfer = vlb32_data_xfer,
21646 };
21647
21648-static struct ata_port_operations qdi6580_port_ops = {
21649+static const struct ata_port_operations qdi6580_port_ops = {
21650 .inherits = &legacy_base_port_ops,
21651 .set_piomode = qdi6580_set_piomode,
21652 .sff_data_xfer = vlb32_data_xfer,
21653 };
21654
21655-static struct ata_port_operations qdi6580dp_port_ops = {
21656+static const struct ata_port_operations qdi6580dp_port_ops = {
21657 .inherits = &legacy_base_port_ops,
21658 .set_piomode = qdi6580dp_set_piomode,
21659 .qc_issue = qdi_qc_issue,
21660@@ -863,7 +863,7 @@ static int winbond_port(struct platform_
21661 return 0;
21662 }
21663
21664-static struct ata_port_operations winbond_port_ops = {
21665+static const struct ata_port_operations winbond_port_ops = {
21666 .inherits = &legacy_base_port_ops,
21667 .set_piomode = winbond_set_piomode,
21668 .sff_data_xfer = vlb32_data_xfer,
21669@@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
21670 int pio_modes = controller->pio_mask;
21671 unsigned long io = probe->port;
21672 u32 mask = (1 << probe->slot);
21673- struct ata_port_operations *ops = controller->ops;
21674+ const struct ata_port_operations *ops = controller->ops;
21675 struct legacy_data *ld = &legacy_data[probe->slot];
21676 struct ata_host *host = NULL;
21677 struct ata_port *ap;
57199397
MT		 21678diff -urNp linux-2.6.35.4/drivers/ata/pata_macio.c linux-2.6.35.4/drivers/ata/pata_macio.c
21679--- linux-2.6.35.4/drivers/ata/pata_macio.c 2010-08-26 19:47:12.000000000 -0400
21680+++ linux-2.6.35.4/drivers/ata/pata_macio.c 2010-09-17 20:12:09.000000000 -0400
21681@@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
ae4e228f
MT		 21682 .slave_configure = pata_macio_slave_config,
21683 };
21684
21685-static struct ata_port_operations pata_macio_ops = {
21686+static const struct ata_port_operations pata_macio_ops = {
57199397
MT		 21687 .inherits = &ata_bmdma_port_ops,
21688-
ae4e228f 21689 .freeze = pata_macio_freeze,
57199397
MT		 21690 .set_piomode = pata_macio_set_timings,
21691 .set_dmamode = pata_macio_set_timings,
21692diff -urNp linux-2.6.35.4/drivers/ata/pata_marvell.c linux-2.6.35.4/drivers/ata/pata_marvell.c
21693--- linux-2.6.35.4/drivers/ata/pata_marvell.c 2010-08-26 19:47:12.000000000 -0400
21694+++ linux-2.6.35.4/drivers/ata/pata_marvell.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21695@@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21696 ATA_BMDMA_SHT(DRV_NAME),
21697 };
21698
21699-static struct ata_port_operations marvell_ops = {
21700+static const struct ata_port_operations marvell_ops = {
21701 .inherits = &ata_bmdma_port_ops,
21702 .cable_detect = marvell_cable_detect,
21703 .prereset = marvell_pre_reset,
57199397
MT		 21704diff -urNp linux-2.6.35.4/drivers/ata/pata_mpc52xx.c linux-2.6.35.4/drivers/ata/pata_mpc52xx.c
21705--- linux-2.6.35.4/drivers/ata/pata_mpc52xx.c 2010-08-26 19:47:12.000000000 -0400
21706+++ linux-2.6.35.4/drivers/ata/pata_mpc52xx.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21707@@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21708 ATA_PIO_SHT(DRV_NAME),
21709 };
21710
21711-static struct ata_port_operations mpc52xx_ata_port_ops = {
21712+static const struct ata_port_operations mpc52xx_ata_port_ops = {
21713 .inherits = &ata_sff_port_ops,
21714 .sff_dev_select = mpc52xx_ata_dev_select,
21715 .set_piomode = mpc52xx_ata_set_piomode,
57199397
MT		 21716diff -urNp linux-2.6.35.4/drivers/ata/pata_mpiix.c linux-2.6.35.4/drivers/ata/pata_mpiix.c
21717--- linux-2.6.35.4/drivers/ata/pata_mpiix.c 2010-08-26 19:47:12.000000000 -0400
21718+++ linux-2.6.35.4/drivers/ata/pata_mpiix.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21719@@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21720 ATA_PIO_SHT(DRV_NAME),
21721 };
21722
21723-static struct ata_port_operations mpiix_port_ops = {
21724+static const struct ata_port_operations mpiix_port_ops = {
21725 .inherits = &ata_sff_port_ops,
21726 .qc_issue = mpiix_qc_issue,
21727 .cable_detect = ata_cable_40wire,
57199397
MT		 21728diff -urNp linux-2.6.35.4/drivers/ata/pata_netcell.c linux-2.6.35.4/drivers/ata/pata_netcell.c
21729--- linux-2.6.35.4/drivers/ata/pata_netcell.c 2010-08-26 19:47:12.000000000 -0400
21730+++ linux-2.6.35.4/drivers/ata/pata_netcell.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21731@@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21732 ATA_BMDMA_SHT(DRV_NAME),
21733 };
21734
21735-static struct ata_port_operations netcell_ops = {
21736+static const struct ata_port_operations netcell_ops = {
21737 .inherits = &ata_bmdma_port_ops,
21738 .cable_detect = ata_cable_80wire,
21739 .read_id = netcell_read_id,
57199397
MT		 21740diff -urNp linux-2.6.35.4/drivers/ata/pata_ninja32.c linux-2.6.35.4/drivers/ata/pata_ninja32.c
21741--- linux-2.6.35.4/drivers/ata/pata_ninja32.c 2010-08-26 19:47:12.000000000 -0400
21742+++ linux-2.6.35.4/drivers/ata/pata_ninja32.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21743@@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21744 ATA_BMDMA_SHT(DRV_NAME),
21745 };
21746
21747-static struct ata_port_operations ninja32_port_ops = {
21748+static const struct ata_port_operations ninja32_port_ops = {
21749 .inherits = &ata_bmdma_port_ops,
21750 .sff_dev_select = ninja32_dev_select,
21751 .cable_detect = ata_cable_40wire,
57199397
MT		 21752diff -urNp linux-2.6.35.4/drivers/ata/pata_ns87410.c linux-2.6.35.4/drivers/ata/pata_ns87410.c
21753--- linux-2.6.35.4/drivers/ata/pata_ns87410.c 2010-08-26 19:47:12.000000000 -0400
21754+++ linux-2.6.35.4/drivers/ata/pata_ns87410.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21755@@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21756 ATA_PIO_SHT(DRV_NAME),
21757 };
21758
21759-static struct ata_port_operations ns87410_port_ops = {
21760+static const struct ata_port_operations ns87410_port_ops = {
21761 .inherits = &ata_sff_port_ops,
21762 .qc_issue = ns87410_qc_issue,
21763 .cable_detect = ata_cable_40wire,
57199397
MT		 21764diff -urNp linux-2.6.35.4/drivers/ata/pata_ns87415.c linux-2.6.35.4/drivers/ata/pata_ns87415.c
21765--- linux-2.6.35.4/drivers/ata/pata_ns87415.c 2010-08-26 19:47:12.000000000 -0400
21766+++ linux-2.6.35.4/drivers/ata/pata_ns87415.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21767@@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21768 }
21769 #endif /* 87560 SuperIO Support */
21770
21771-static struct ata_port_operations ns87415_pata_ops = {
21772+static const struct ata_port_operations ns87415_pata_ops = {
21773 .inherits = &ata_bmdma_port_ops,
21774
21775 .check_atapi_dma = ns87415_check_atapi_dma,
21776@@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21777 };
21778
21779 #if defined(CONFIG_SUPERIO)
21780-static struct ata_port_operations ns87560_pata_ops = {
21781+static const struct ata_port_operations ns87560_pata_ops = {
21782 .inherits = &ns87415_pata_ops,
21783 .sff_tf_read = ns87560_tf_read,
21784 .sff_check_status = ns87560_check_status,
57199397
MT		 21785diff -urNp linux-2.6.35.4/drivers/ata/pata_octeon_cf.c linux-2.6.35.4/drivers/ata/pata_octeon_cf.c
21786--- linux-2.6.35.4/drivers/ata/pata_octeon_cf.c 2010-08-26 19:47:12.000000000 -0400
21787+++ linux-2.6.35.4/drivers/ata/pata_octeon_cf.c 2010-09-17 20:12:09.000000000 -0400
21788@@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
ae4e228f
MT		 21789 return 0;
21790 }
21791
21792+/* cannot be const */
21793 static struct ata_port_operations octeon_cf_ops = {
21794 .inherits = &ata_sff_port_ops,
21795 .check_atapi_dma = octeon_cf_check_atapi_dma,
57199397
MT		 21796diff -urNp linux-2.6.35.4/drivers/ata/pata_oldpiix.c linux-2.6.35.4/drivers/ata/pata_oldpiix.c
21797--- linux-2.6.35.4/drivers/ata/pata_oldpiix.c 2010-08-26 19:47:12.000000000 -0400
21798+++ linux-2.6.35.4/drivers/ata/pata_oldpiix.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21799@@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21800 ATA_BMDMA_SHT(DRV_NAME),
21801 };
21802
21803-static struct ata_port_operations oldpiix_pata_ops = {
21804+static const struct ata_port_operations oldpiix_pata_ops = {
21805 .inherits = &ata_bmdma_port_ops,
21806 .qc_issue = oldpiix_qc_issue,
21807 .cable_detect = ata_cable_40wire,
57199397
MT		 21808diff -urNp linux-2.6.35.4/drivers/ata/pata_opti.c linux-2.6.35.4/drivers/ata/pata_opti.c
21809--- linux-2.6.35.4/drivers/ata/pata_opti.c 2010-08-26 19:47:12.000000000 -0400
21810+++ linux-2.6.35.4/drivers/ata/pata_opti.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21811@@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21812 ATA_PIO_SHT(DRV_NAME),
21813 };
21814
21815-static struct ata_port_operations opti_port_ops = {
21816+static const struct ata_port_operations opti_port_ops = {
21817 .inherits = &ata_sff_port_ops,
21818 .cable_detect = ata_cable_40wire,
21819 .set_piomode = opti_set_piomode,
57199397
MT		 21820diff -urNp linux-2.6.35.4/drivers/ata/pata_optidma.c linux-2.6.35.4/drivers/ata/pata_optidma.c
21821--- linux-2.6.35.4/drivers/ata/pata_optidma.c 2010-08-26 19:47:12.000000000 -0400
21822+++ linux-2.6.35.4/drivers/ata/pata_optidma.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21823@@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21824 ATA_BMDMA_SHT(DRV_NAME),
21825 };
21826
21827-static struct ata_port_operations optidma_port_ops = {
21828+static const struct ata_port_operations optidma_port_ops = {
21829 .inherits = &ata_bmdma_port_ops,
21830 .cable_detect = ata_cable_40wire,
21831 .set_piomode = optidma_set_pio_mode,
21832@@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21833 .prereset = optidma_pre_reset,
21834 };
21835
21836-static struct ata_port_operations optiplus_port_ops = {
21837+static const struct ata_port_operations optiplus_port_ops = {
21838 .inherits = &optidma_port_ops,
21839 .set_piomode = optiplus_set_pio_mode,
21840 .set_dmamode = optiplus_set_dma_mode,
57199397
MT		 21841diff -urNp linux-2.6.35.4/drivers/ata/pata_palmld.c linux-2.6.35.4/drivers/ata/pata_palmld.c
21842--- linux-2.6.35.4/drivers/ata/pata_palmld.c 2010-08-26 19:47:12.000000000 -0400
21843+++ linux-2.6.35.4/drivers/ata/pata_palmld.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21844@@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21845 ATA_PIO_SHT(DRV_NAME),
21846 };
21847
21848-static struct ata_port_operations palmld_port_ops = {
21849+static const struct ata_port_operations palmld_port_ops = {
21850 .inherits = &ata_sff_port_ops,
21851 .sff_data_xfer = ata_sff_data_xfer_noirq,
21852 .cable_detect = ata_cable_40wire,
57199397
MT		 21853diff -urNp linux-2.6.35.4/drivers/ata/pata_pcmcia.c linux-2.6.35.4/drivers/ata/pata_pcmcia.c
21854--- linux-2.6.35.4/drivers/ata/pata_pcmcia.c 2010-08-26 19:47:12.000000000 -0400
21855+++ linux-2.6.35.4/drivers/ata/pata_pcmcia.c 2010-09-17 20:12:09.000000000 -0400
21856@@ -153,14 +153,14 @@ static struct scsi_host_template pcmcia_
ae4e228f
MT		 21857 ATA_PIO_SHT(DRV_NAME),
21858 };
21859
21860-static struct ata_port_operations pcmcia_port_ops = {
21861+static const struct ata_port_operations pcmcia_port_ops = {
21862 .inherits = &ata_sff_port_ops,
21863 .sff_data_xfer = ata_sff_data_xfer_noirq,
21864 .cable_detect = ata_cable_40wire,
21865 .set_mode = pcmcia_set_mode,
21866 };
21867
21868-static struct ata_port_operations pcmcia_8bit_port_ops = {
21869+static const struct ata_port_operations pcmcia_8bit_port_ops = {
21870 .inherits = &ata_sff_port_ops,
21871 .sff_data_xfer = ata_data_xfer_8bit,
21872 .cable_detect = ata_cable_40wire,
57199397 21873@@ -243,7 +243,7 @@ static int pcmcia_init_one(struct pcmcia
ae4e228f
MT		 21874 unsigned long io_base, ctl_base;
21875 void __iomem *io_addr, *ctl_addr;
21876 int n_ports = 1;
21877- struct ata_port_operations *ops = &pcmcia_port_ops;
21878+ const struct ata_port_operations *ops = &pcmcia_port_ops;
21879
57199397
MT		 21880 /* Set up attributes in order to probe card and get resources */
21881 pdev->io.Attributes1 = IO_DATA_PATH_WIDTH_AUTO;
21882diff -urNp linux-2.6.35.4/drivers/ata/pata_pdc2027x.c linux-2.6.35.4/drivers/ata/pata_pdc2027x.c
21883--- linux-2.6.35.4/drivers/ata/pata_pdc2027x.c 2010-08-26 19:47:12.000000000 -0400
21884+++ linux-2.6.35.4/drivers/ata/pata_pdc2027x.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21885@@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21886 ATA_BMDMA_SHT(DRV_NAME),
21887 };
21888
21889-static struct ata_port_operations pdc2027x_pata100_ops = {
21890+static const struct ata_port_operations pdc2027x_pata100_ops = {
21891 .inherits = &ata_bmdma_port_ops,
21892 .check_atapi_dma = pdc2027x_check_atapi_dma,
21893 .cable_detect = pdc2027x_cable_detect,
21894 .prereset = pdc2027x_prereset,
21895 };
21896
21897-static struct ata_port_operations pdc2027x_pata133_ops = {
21898+static const struct ata_port_operations pdc2027x_pata133_ops = {
21899 .inherits = &pdc2027x_pata100_ops,
21900 .mode_filter = pdc2027x_mode_filter,
21901 .set_piomode = pdc2027x_set_piomode,
57199397
MT		 21902diff -urNp linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c
21903--- linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c 2010-08-26 19:47:12.000000000 -0400
21904+++ linux-2.6.35.4/drivers/ata/pata_pdc202xx_old.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21905@@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
ae4e228f
MT		 21906 ATA_BMDMA_SHT(DRV_NAME),
21907 };
21908
21909-static struct ata_port_operations pdc2024x_port_ops = {
21910+static const struct ata_port_operations pdc2024x_port_ops = {
21911 .inherits = &ata_bmdma_port_ops,
21912
21913 .cable_detect = ata_cable_40wire,
df50ba0c
MT		 21914@@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
21915 .sff_exec_command = pdc202xx_exec_command,
ae4e228f
MT		 21916 };
21917
21918-static struct ata_port_operations pdc2026x_port_ops = {
21919+static const struct ata_port_operations pdc2026x_port_ops = {
21920 .inherits = &pdc2024x_port_ops,
21921
21922 .check_atapi_dma = pdc2026x_check_atapi_dma,
57199397
MT		 21923diff -urNp linux-2.6.35.4/drivers/ata/pata_piccolo.c linux-2.6.35.4/drivers/ata/pata_piccolo.c
21924--- linux-2.6.35.4/drivers/ata/pata_piccolo.c 2010-08-26 19:47:12.000000000 -0400
21925+++ linux-2.6.35.4/drivers/ata/pata_piccolo.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21926@@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21927 ATA_BMDMA_SHT(DRV_NAME),
21928 };
21929
21930-static struct ata_port_operations tosh_port_ops = {
21931+static const struct ata_port_operations tosh_port_ops = {
21932 .inherits = &ata_bmdma_port_ops,
21933 .cable_detect = ata_cable_unknown,
21934 .set_piomode = tosh_set_piomode,
57199397
MT		 21935diff -urNp linux-2.6.35.4/drivers/ata/pata_platform.c linux-2.6.35.4/drivers/ata/pata_platform.c
21936--- linux-2.6.35.4/drivers/ata/pata_platform.c 2010-08-26 19:47:12.000000000 -0400
21937+++ linux-2.6.35.4/drivers/ata/pata_platform.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21938@@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21939 ATA_PIO_SHT(DRV_NAME),
21940 };
21941
21942-static struct ata_port_operations pata_platform_port_ops = {
21943+static const struct ata_port_operations pata_platform_port_ops = {
21944 .inherits = &ata_sff_port_ops,
21945 .sff_data_xfer = ata_sff_data_xfer_noirq,
21946 .cable_detect = ata_cable_unknown,
57199397
MT		 21947diff -urNp linux-2.6.35.4/drivers/ata/pata_qdi.c linux-2.6.35.4/drivers/ata/pata_qdi.c
21948--- linux-2.6.35.4/drivers/ata/pata_qdi.c 2010-08-26 19:47:12.000000000 -0400
21949+++ linux-2.6.35.4/drivers/ata/pata_qdi.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21950@@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21951 ATA_PIO_SHT(DRV_NAME),
21952 };
21953
21954-static struct ata_port_operations qdi6500_port_ops = {
21955+static const struct ata_port_operations qdi6500_port_ops = {
21956 .inherits = &ata_sff_port_ops,
21957 .qc_issue = qdi_qc_issue,
21958 .sff_data_xfer = qdi_data_xfer,
21959@@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21960 .set_piomode = qdi6500_set_piomode,
21961 };
21962
21963-static struct ata_port_operations qdi6580_port_ops = {
21964+static const struct ata_port_operations qdi6580_port_ops = {
21965 .inherits = &qdi6500_port_ops,
21966 .set_piomode = qdi6580_set_piomode,
21967 };
57199397
MT		 21968diff -urNp linux-2.6.35.4/drivers/ata/pata_radisys.c linux-2.6.35.4/drivers/ata/pata_radisys.c
21969--- linux-2.6.35.4/drivers/ata/pata_radisys.c 2010-08-26 19:47:12.000000000 -0400
21970+++ linux-2.6.35.4/drivers/ata/pata_radisys.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 21971@@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21972 ATA_BMDMA_SHT(DRV_NAME),
21973 };
21974
21975-static struct ata_port_operations radisys_pata_ops = {
21976+static const struct ata_port_operations radisys_pata_ops = {
21977 .inherits = &ata_bmdma_port_ops,
21978 .qc_issue = radisys_qc_issue,
21979 .cable_detect = ata_cable_unknown,
57199397
MT		 21980diff -urNp linux-2.6.35.4/drivers/ata/pata_rb532_cf.c linux-2.6.35.4/drivers/ata/pata_rb532_cf.c
21981--- linux-2.6.35.4/drivers/ata/pata_rb532_cf.c 2010-08-26 19:47:12.000000000 -0400
21982+++ linux-2.6.35.4/drivers/ata/pata_rb532_cf.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21983@@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
ae4e228f
MT		 21984 return IRQ_HANDLED;
21985 }
21986
21987-static struct ata_port_operations rb532_pata_port_ops = {
21988+static const struct ata_port_operations rb532_pata_port_ops = {
21989 .inherits = &ata_sff_port_ops,
21990 .sff_data_xfer = ata_sff_data_xfer32,
21991 };
57199397
MT		 21992diff -urNp linux-2.6.35.4/drivers/ata/pata_rdc.c linux-2.6.35.4/drivers/ata/pata_rdc.c
21993--- linux-2.6.35.4/drivers/ata/pata_rdc.c 2010-08-26 19:47:12.000000000 -0400
21994+++ linux-2.6.35.4/drivers/ata/pata_rdc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 21995@@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
ae4e228f
MT		 21996 pci_write_config_byte(dev, 0x48, udma_enable);
21997 }
21998
21999-static struct ata_port_operations rdc_pata_ops = {
22000+static const struct ata_port_operations rdc_pata_ops = {
22001 .inherits = &ata_bmdma32_port_ops,
22002 .cable_detect = rdc_pata_cable_detect,
22003 .set_piomode = rdc_set_piomode,
57199397
MT		 22004diff -urNp linux-2.6.35.4/drivers/ata/pata_rz1000.c linux-2.6.35.4/drivers/ata/pata_rz1000.c
22005--- linux-2.6.35.4/drivers/ata/pata_rz1000.c 2010-08-26 19:47:12.000000000 -0400
22006+++ linux-2.6.35.4/drivers/ata/pata_rz1000.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22007@@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
22008 ATA_PIO_SHT(DRV_NAME),
22009 };
22010
22011-static struct ata_port_operations rz1000_port_ops = {
22012+static const struct ata_port_operations rz1000_port_ops = {
22013 .inherits = &ata_sff_port_ops,
22014 .cable_detect = ata_cable_40wire,
22015 .set_mode = rz1000_set_mode,
57199397
MT		 22016diff -urNp linux-2.6.35.4/drivers/ata/pata_sc1200.c linux-2.6.35.4/drivers/ata/pata_sc1200.c
22017--- linux-2.6.35.4/drivers/ata/pata_sc1200.c 2010-08-26 19:47:12.000000000 -0400
22018+++ linux-2.6.35.4/drivers/ata/pata_sc1200.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22019@@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22020 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22021 };
22022
22023-static struct ata_port_operations sc1200_port_ops = {
22024+static const struct ata_port_operations sc1200_port_ops = {
22025 .inherits = &ata_bmdma_port_ops,
57199397 22026 .qc_prep = ata_bmdma_dumb_qc_prep,
ae4e228f 22027 .qc_issue = sc1200_qc_issue,
57199397
MT		 22028diff -urNp linux-2.6.35.4/drivers/ata/pata_scc.c linux-2.6.35.4/drivers/ata/pata_scc.c
22029--- linux-2.6.35.4/drivers/ata/pata_scc.c 2010-08-26 19:47:12.000000000 -0400
22030+++ linux-2.6.35.4/drivers/ata/pata_scc.c 2010-09-17 20:12:09.000000000 -0400
22031@@ -927,7 +927,7 @@ static struct scsi_host_template scc_sht
ae4e228f
MT		 22032 ATA_BMDMA_SHT(DRV_NAME),
22033 };
22034
22035-static struct ata_port_operations scc_pata_ops = {
22036+static const struct ata_port_operations scc_pata_ops = {
22037 .inherits = &ata_bmdma_port_ops,
22038
22039 .set_piomode = scc_set_piomode,
57199397
MT		 22040diff -urNp linux-2.6.35.4/drivers/ata/pata_sch.c linux-2.6.35.4/drivers/ata/pata_sch.c
22041--- linux-2.6.35.4/drivers/ata/pata_sch.c 2010-08-26 19:47:12.000000000 -0400
22042+++ linux-2.6.35.4/drivers/ata/pata_sch.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22043@@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22044 ATA_BMDMA_SHT(DRV_NAME),
22045 };
22046
22047-static struct ata_port_operations sch_pata_ops = {
22048+static const struct ata_port_operations sch_pata_ops = {
22049 .inherits = &ata_bmdma_port_ops,
22050 .cable_detect = ata_cable_unknown,
22051 .set_piomode = sch_set_piomode,
57199397
MT		 22052diff -urNp linux-2.6.35.4/drivers/ata/pata_serverworks.c linux-2.6.35.4/drivers/ata/pata_serverworks.c
22053--- linux-2.6.35.4/drivers/ata/pata_serverworks.c 2010-08-26 19:47:12.000000000 -0400
22054+++ linux-2.6.35.4/drivers/ata/pata_serverworks.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22055@@ -300,7 +300,7 @@ static struct scsi_host_template serverw
ae4e228f
MT		 22056 ATA_BMDMA_SHT(DRV_NAME),
22057 };
22058
22059-static struct ata_port_operations serverworks_osb4_port_ops = {
22060+static const struct ata_port_operations serverworks_osb4_port_ops = {
22061 .inherits = &ata_bmdma_port_ops,
22062 .cable_detect = serverworks_cable_detect,
22063 .mode_filter = serverworks_osb4_filter,
df50ba0c 22064@@ -308,7 +308,7 @@ static struct ata_port_operations server
ae4e228f
MT		 22065 .set_dmamode = serverworks_set_dmamode,
22066 };
22067
22068-static struct ata_port_operations serverworks_csb_port_ops = {
22069+static const struct ata_port_operations serverworks_csb_port_ops = {
22070 .inherits = &serverworks_osb4_port_ops,
22071 .mode_filter = serverworks_csb_filter,
22072 };
57199397
MT		 22073diff -urNp linux-2.6.35.4/drivers/ata/pata_sil680.c linux-2.6.35.4/drivers/ata/pata_sil680.c
22074--- linux-2.6.35.4/drivers/ata/pata_sil680.c 2010-08-26 19:47:12.000000000 -0400
22075+++ linux-2.6.35.4/drivers/ata/pata_sil680.c 2010-09-17 20:12:09.000000000 -0400
22076@@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
ae4e228f
MT		 22077 ATA_BMDMA_SHT(DRV_NAME),
22078 };
22079
57199397 22080-
ae4e228f
MT		 22081-static struct ata_port_operations sil680_port_ops = {
22082+static const struct ata_port_operations sil680_port_ops = {
57199397
MT		 22083 .inherits = &ata_bmdma32_port_ops,
22084 .sff_exec_command = sil680_sff_exec_command,
22085 .cable_detect = sil680_cable_detect,
22086diff -urNp linux-2.6.35.4/drivers/ata/pata_sis.c linux-2.6.35.4/drivers/ata/pata_sis.c
22087--- linux-2.6.35.4/drivers/ata/pata_sis.c 2010-08-26 19:47:12.000000000 -0400
22088+++ linux-2.6.35.4/drivers/ata/pata_sis.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22089@@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22090 ATA_BMDMA_SHT(DRV_NAME),
22091 };
22092
22093-static struct ata_port_operations sis_133_for_sata_ops = {
22094+static const struct ata_port_operations sis_133_for_sata_ops = {
22095 .inherits = &ata_bmdma_port_ops,
22096 .set_piomode = sis_133_set_piomode,
22097 .set_dmamode = sis_133_set_dmamode,
22098 .cable_detect = sis_133_cable_detect,
22099 };
22100
22101-static struct ata_port_operations sis_base_ops = {
22102+static const struct ata_port_operations sis_base_ops = {
22103 .inherits = &ata_bmdma_port_ops,
22104 .prereset = sis_pre_reset,
22105 };
22106
22107-static struct ata_port_operations sis_133_ops = {
22108+static const struct ata_port_operations sis_133_ops = {
22109 .inherits = &sis_base_ops,
22110 .set_piomode = sis_133_set_piomode,
22111 .set_dmamode = sis_133_set_dmamode,
22112 .cable_detect = sis_133_cable_detect,
22113 };
22114
22115-static struct ata_port_operations sis_133_early_ops = {
22116+static const struct ata_port_operations sis_133_early_ops = {
22117 .inherits = &sis_base_ops,
22118 .set_piomode = sis_100_set_piomode,
22119 .set_dmamode = sis_133_early_set_dmamode,
22120 .cable_detect = sis_66_cable_detect,
22121 };
22122
22123-static struct ata_port_operations sis_100_ops = {
22124+static const struct ata_port_operations sis_100_ops = {
22125 .inherits = &sis_base_ops,
22126 .set_piomode = sis_100_set_piomode,
22127 .set_dmamode = sis_100_set_dmamode,
22128 .cable_detect = sis_66_cable_detect,
22129 };
22130
22131-static struct ata_port_operations sis_66_ops = {
22132+static const struct ata_port_operations sis_66_ops = {
22133 .inherits = &sis_base_ops,
22134 .set_piomode = sis_old_set_piomode,
22135 .set_dmamode = sis_66_set_dmamode,
22136 .cable_detect = sis_66_cable_detect,
22137 };
22138
22139-static struct ata_port_operations sis_old_ops = {
22140+static const struct ata_port_operations sis_old_ops = {
22141 .inherits = &sis_base_ops,
22142 .set_piomode = sis_old_set_piomode,
22143 .set_dmamode = sis_old_set_dmamode,
57199397
MT		 22144diff -urNp linux-2.6.35.4/drivers/ata/pata_sl82c105.c linux-2.6.35.4/drivers/ata/pata_sl82c105.c
22145--- linux-2.6.35.4/drivers/ata/pata_sl82c105.c 2010-08-26 19:47:12.000000000 -0400
22146+++ linux-2.6.35.4/drivers/ata/pata_sl82c105.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22147@@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
22148 ATA_BMDMA_SHT(DRV_NAME),
22149 };
22150
22151-static struct ata_port_operations sl82c105_port_ops = {
22152+static const struct ata_port_operations sl82c105_port_ops = {
22153 .inherits = &ata_bmdma_port_ops,
22154 .qc_defer = sl82c105_qc_defer,
22155 .bmdma_start = sl82c105_bmdma_start,
57199397
MT		 22156diff -urNp linux-2.6.35.4/drivers/ata/pata_triflex.c linux-2.6.35.4/drivers/ata/pata_triflex.c
22157--- linux-2.6.35.4/drivers/ata/pata_triflex.c 2010-08-26 19:47:12.000000000 -0400
22158+++ linux-2.6.35.4/drivers/ata/pata_triflex.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22159@@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22160 ATA_BMDMA_SHT(DRV_NAME),
22161 };
22162
22163-static struct ata_port_operations triflex_port_ops = {
22164+static const struct ata_port_operations triflex_port_ops = {
22165 .inherits = &ata_bmdma_port_ops,
22166 .bmdma_start = triflex_bmdma_start,
22167 .bmdma_stop = triflex_bmdma_stop,
57199397
MT		 22168diff -urNp linux-2.6.35.4/drivers/ata/pata_via.c linux-2.6.35.4/drivers/ata/pata_via.c
22169--- linux-2.6.35.4/drivers/ata/pata_via.c 2010-08-26 19:47:12.000000000 -0400
22170+++ linux-2.6.35.4/drivers/ata/pata_via.c 2010-09-17 20:12:09.000000000 -0400
22171@@ -439,7 +439,7 @@ static struct scsi_host_template via_sht
ae4e228f
MT		 22172 ATA_BMDMA_SHT(DRV_NAME),
22173 };
22174
22175-static struct ata_port_operations via_port_ops = {
22176+static const struct ata_port_operations via_port_ops = {
22177 .inherits = &ata_bmdma_port_ops,
22178 .cable_detect = via_cable_detect,
22179 .set_piomode = via_set_piomode,
57199397 22180@@ -450,7 +450,7 @@ static struct ata_port_operations via_po
ae4e228f
MT		 22181 .mode_filter = via_mode_filter,
22182 };
22183
22184-static struct ata_port_operations via_port_ops_noirq = {
22185+static const struct ata_port_operations via_port_ops_noirq = {
22186 .inherits = &via_port_ops,
22187 .sff_data_xfer = ata_sff_data_xfer_noirq,
22188 };
57199397
MT		 22189diff -urNp linux-2.6.35.4/drivers/ata/pata_winbond.c linux-2.6.35.4/drivers/ata/pata_winbond.c
22190--- linux-2.6.35.4/drivers/ata/pata_winbond.c 2010-08-26 19:47:12.000000000 -0400
22191+++ linux-2.6.35.4/drivers/ata/pata_winbond.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22192@@ -125,7 +125,7 @@ static struct scsi_host_template winbond
22193 ATA_PIO_SHT(DRV_NAME),
22194 };
22195
22196-static struct ata_port_operations winbond_port_ops = {
22197+static const struct ata_port_operations winbond_port_ops = {
22198 .inherits = &ata_sff_port_ops,
22199 .sff_data_xfer = winbond_data_xfer,
22200 .cable_detect = ata_cable_40wire,
57199397
MT		 22201diff -urNp linux-2.6.35.4/drivers/ata/pdc_adma.c linux-2.6.35.4/drivers/ata/pdc_adma.c
22202--- linux-2.6.35.4/drivers/ata/pdc_adma.c 2010-08-26 19:47:12.000000000 -0400
22203+++ linux-2.6.35.4/drivers/ata/pdc_adma.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22204@@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
ae4e228f
MT		 22205 .dma_boundary = ADMA_DMA_BOUNDARY,
22206 };
22207
22208-static struct ata_port_operations adma_ata_ops = {
22209+static const struct ata_port_operations adma_ata_ops = {
22210 .inherits = &ata_sff_port_ops,
22211
22212 .lost_interrupt = ATA_OP_NULL,
57199397
MT		 22213diff -urNp linux-2.6.35.4/drivers/ata/sata_fsl.c linux-2.6.35.4/drivers/ata/sata_fsl.c
22214--- linux-2.6.35.4/drivers/ata/sata_fsl.c 2010-08-26 19:47:12.000000000 -0400
22215+++ linux-2.6.35.4/drivers/ata/sata_fsl.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22216@@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
ae4e228f
MT		 22217 .dma_boundary = ATA_DMA_BOUNDARY,
22218 };
22219
22220-static struct ata_port_operations sata_fsl_ops = {
22221+static const struct ata_port_operations sata_fsl_ops = {
22222 .inherits = &sata_pmp_port_ops,
22223
22224 .qc_defer = ata_std_qc_defer,
57199397
MT		 22225diff -urNp linux-2.6.35.4/drivers/ata/sata_inic162x.c linux-2.6.35.4/drivers/ata/sata_inic162x.c
22226--- linux-2.6.35.4/drivers/ata/sata_inic162x.c 2010-08-26 19:47:12.000000000 -0400
22227+++ linux-2.6.35.4/drivers/ata/sata_inic162x.c 2010-09-17 20:12:09.000000000 -0400
22228@@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
ae4e228f
MT		 22229 return 0;
22230 }
22231
22232-static struct ata_port_operations inic_port_ops = {
22233+static const struct ata_port_operations inic_port_ops = {
22234 .inherits = &sata_port_ops,
22235
22236 .check_atapi_dma = inic_check_atapi_dma,
57199397
MT		 22237diff -urNp linux-2.6.35.4/drivers/ata/sata_mv.c linux-2.6.35.4/drivers/ata/sata_mv.c
22238--- linux-2.6.35.4/drivers/ata/sata_mv.c 2010-08-26 19:47:12.000000000 -0400
22239+++ linux-2.6.35.4/drivers/ata/sata_mv.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22240@@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
ae4e228f
MT		 22241 .dma_boundary = MV_DMA_BOUNDARY,
22242 };
22243
22244-static struct ata_port_operations mv5_ops = {
22245+static const struct ata_port_operations mv5_ops = {
22246 .inherits = &ata_sff_port_ops,
22247
22248 .lost_interrupt = ATA_OP_NULL,
57199397 22249@@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
ae4e228f
MT		 22250 .port_stop = mv_port_stop,
22251 };
22252
22253-static struct ata_port_operations mv6_ops = {
22254+static const struct ata_port_operations mv6_ops = {
57199397
MT		 22255 .inherits = &ata_bmdma_port_ops,
22256
22257 .lost_interrupt = ATA_OP_NULL,
22258@@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22259 .port_stop = mv_port_stop,
ae4e228f
MT		 22260 };
22261
22262-static struct ata_port_operations mv_iie_ops = {
22263+static const struct ata_port_operations mv_iie_ops = {
22264 .inherits = &mv6_ops,
22265 .dev_config = ATA_OP_NULL,
22266 .qc_prep = mv_qc_prep_iie,
57199397
MT		 22267diff -urNp linux-2.6.35.4/drivers/ata/sata_nv.c linux-2.6.35.4/drivers/ata/sata_nv.c
22268--- linux-2.6.35.4/drivers/ata/sata_nv.c 2010-08-26 19:47:12.000000000 -0400
22269+++ linux-2.6.35.4/drivers/ata/sata_nv.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22270@@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
ae4e228f
MT		 22271 * cases. Define nv_hardreset() which only kicks in for post-boot
22272 * probing and use it for all variants.
22273 */
22274-static struct ata_port_operations nv_generic_ops = {
22275+static const struct ata_port_operations nv_generic_ops = {
22276 .inherits = &ata_bmdma_port_ops,
22277 .lost_interrupt = ATA_OP_NULL,
22278 .scr_read = nv_scr_read,
df50ba0c 22279@@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
ae4e228f
MT		 22280 .hardreset = nv_hardreset,
22281 };
22282
22283-static struct ata_port_operations nv_nf2_ops = {
22284+static const struct ata_port_operations nv_nf2_ops = {
22285 .inherits = &nv_generic_ops,
22286 .freeze = nv_nf2_freeze,
22287 .thaw = nv_nf2_thaw,
22288 };
22289
22290-static struct ata_port_operations nv_ck804_ops = {
22291+static const struct ata_port_operations nv_ck804_ops = {
22292 .inherits = &nv_generic_ops,
22293 .freeze = nv_ck804_freeze,
22294 .thaw = nv_ck804_thaw,
22295 .host_stop = nv_ck804_host_stop,
22296 };
22297
22298-static struct ata_port_operations nv_adma_ops = {
22299+static const struct ata_port_operations nv_adma_ops = {
22300 .inherits = &nv_ck804_ops,
22301
22302 .check_atapi_dma = nv_adma_check_atapi_dma,
df50ba0c 22303@@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
ae4e228f
MT		 22304 .host_stop = nv_adma_host_stop,
22305 };
22306
22307-static struct ata_port_operations nv_swncq_ops = {
22308+static const struct ata_port_operations nv_swncq_ops = {
22309 .inherits = &nv_generic_ops,
22310
22311 .qc_defer = ata_std_qc_defer,
57199397
MT		 22312diff -urNp linux-2.6.35.4/drivers/ata/sata_promise.c linux-2.6.35.4/drivers/ata/sata_promise.c
22313--- linux-2.6.35.4/drivers/ata/sata_promise.c 2010-08-26 19:47:12.000000000 -0400
22314+++ linux-2.6.35.4/drivers/ata/sata_promise.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22315@@ -196,7 +196,7 @@ static const struct ata_port_operations
ae4e228f
MT		 22316 .error_handler = pdc_error_handler,
22317 };
22318
22319-static struct ata_port_operations pdc_sata_ops = {
22320+static const struct ata_port_operations pdc_sata_ops = {
22321 .inherits = &pdc_common_ops,
22322 .cable_detect = pdc_sata_cable_detect,
22323 .freeze = pdc_sata_freeze,
df50ba0c 22324@@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
ae4e228f
MT		 22325
22326 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22327 and ->freeze/thaw that ignore the hotplug controls. */
22328-static struct ata_port_operations pdc_old_sata_ops = {
22329+static const struct ata_port_operations pdc_old_sata_ops = {
22330 .inherits = &pdc_sata_ops,
22331 .freeze = pdc_freeze,
22332 .thaw = pdc_thaw,
22333 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22334 };
22335
22336-static struct ata_port_operations pdc_pata_ops = {
22337+static const struct ata_port_operations pdc_pata_ops = {
22338 .inherits = &pdc_common_ops,
22339 .cable_detect = pdc_pata_cable_detect,
22340 .freeze = pdc_freeze,
57199397
MT		 22341diff -urNp linux-2.6.35.4/drivers/ata/sata_qstor.c linux-2.6.35.4/drivers/ata/sata_qstor.c
22342--- linux-2.6.35.4/drivers/ata/sata_qstor.c 2010-08-26 19:47:12.000000000 -0400
22343+++ linux-2.6.35.4/drivers/ata/sata_qstor.c 2010-09-17 20:12:09.000000000 -0400
22344@@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
ae4e228f
MT		 22345 .dma_boundary = QS_DMA_BOUNDARY,
22346 };
22347
22348-static struct ata_port_operations qs_ata_ops = {
22349+static const struct ata_port_operations qs_ata_ops = {
22350 .inherits = &ata_sff_port_ops,
22351
22352 .check_atapi_dma = qs_check_atapi_dma,
57199397
MT		 22353diff -urNp linux-2.6.35.4/drivers/ata/sata_sil24.c linux-2.6.35.4/drivers/ata/sata_sil24.c
22354--- linux-2.6.35.4/drivers/ata/sata_sil24.c 2010-08-26 19:47:12.000000000 -0400
22355+++ linux-2.6.35.4/drivers/ata/sata_sil24.c 2010-09-17 20:12:09.000000000 -0400
efbe55a5
MT		 22356@@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22357 .dma_boundary = ATA_DMA_BOUNDARY,
22358 };
22359
22360-static struct ata_port_operations sil24_ops = {
22361+static const struct ata_port_operations sil24_ops = {
22362 .inherits = &sata_pmp_port_ops,
22363
22364 .qc_defer = sil24_qc_defer,
57199397
MT		 22365diff -urNp linux-2.6.35.4/drivers/ata/sata_sil.c linux-2.6.35.4/drivers/ata/sata_sil.c
22366--- linux-2.6.35.4/drivers/ata/sata_sil.c 2010-08-26 19:47:12.000000000 -0400
22367+++ linux-2.6.35.4/drivers/ata/sata_sil.c 2010-09-17 20:12:09.000000000 -0400
22368@@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22369 .sg_tablesize = ATA_MAX_PRD
22370 };
22371
22372-static struct ata_port_operations sil_ops = {
22373+static const struct ata_port_operations sil_ops = {
22374 .inherits = &ata_bmdma32_port_ops,
22375 .dev_config = sil_dev_config,
22376 .set_mode = sil_set_mode,
22377diff -urNp linux-2.6.35.4/drivers/ata/sata_sis.c linux-2.6.35.4/drivers/ata/sata_sis.c
22378--- linux-2.6.35.4/drivers/ata/sata_sis.c 2010-08-26 19:47:12.000000000 -0400
22379+++ linux-2.6.35.4/drivers/ata/sata_sis.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22380@@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22381 ATA_BMDMA_SHT(DRV_NAME),
22382 };
22383
22384-static struct ata_port_operations sis_ops = {
22385+static const struct ata_port_operations sis_ops = {
22386 .inherits = &ata_bmdma_port_ops,
22387 .scr_read = sis_scr_read,
22388 .scr_write = sis_scr_write,
57199397
MT		 22389diff -urNp linux-2.6.35.4/drivers/ata/sata_svw.c linux-2.6.35.4/drivers/ata/sata_svw.c
22390--- linux-2.6.35.4/drivers/ata/sata_svw.c 2010-08-26 19:47:12.000000000 -0400
22391+++ linux-2.6.35.4/drivers/ata/sata_svw.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 22392@@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22393 };
22394
22395
22396-static struct ata_port_operations k2_sata_ops = {
22397+static const struct ata_port_operations k2_sata_ops = {
22398 .inherits = &ata_bmdma_port_ops,
22399 .sff_tf_load = k2_sata_tf_load,
22400 .sff_tf_read = k2_sata_tf_read,
57199397
MT		 22401diff -urNp linux-2.6.35.4/drivers/ata/sata_sx4.c linux-2.6.35.4/drivers/ata/sata_sx4.c
22402--- linux-2.6.35.4/drivers/ata/sata_sx4.c 2010-08-26 19:47:12.000000000 -0400
22403+++ linux-2.6.35.4/drivers/ata/sata_sx4.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22404@@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
ae4e228f
MT		 22405 };
22406
22407 /* TODO: inherit from base port_ops after converting to new EH */
22408-static struct ata_port_operations pdc_20621_ops = {
22409+static const struct ata_port_operations pdc_20621_ops = {
22410 .inherits = &ata_sff_port_ops,
22411
22412 .check_atapi_dma = pdc_check_atapi_dma,
57199397
MT		 22413diff -urNp linux-2.6.35.4/drivers/ata/sata_uli.c linux-2.6.35.4/drivers/ata/sata_uli.c
22414--- linux-2.6.35.4/drivers/ata/sata_uli.c 2010-08-26 19:47:12.000000000 -0400
22415+++ linux-2.6.35.4/drivers/ata/sata_uli.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22416@@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
ae4e228f
MT		 22417 ATA_BMDMA_SHT(DRV_NAME),
22418 };
22419
22420-static struct ata_port_operations uli_ops = {
22421+static const struct ata_port_operations uli_ops = {
22422 .inherits = &ata_bmdma_port_ops,
22423 .scr_read = uli_scr_read,
22424 .scr_write = uli_scr_write,
57199397
MT		 22425diff -urNp linux-2.6.35.4/drivers/ata/sata_via.c linux-2.6.35.4/drivers/ata/sata_via.c
22426--- linux-2.6.35.4/drivers/ata/sata_via.c 2010-08-26 19:47:12.000000000 -0400
22427+++ linux-2.6.35.4/drivers/ata/sata_via.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22428@@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
ae4e228f
MT		 22429 ATA_BMDMA_SHT(DRV_NAME),
22430 };
22431
22432-static struct ata_port_operations svia_base_ops = {
22433+static const struct ata_port_operations svia_base_ops = {
22434 .inherits = &ata_bmdma_port_ops,
22435 .sff_tf_load = svia_tf_load,
22436 };
22437
22438-static struct ata_port_operations vt6420_sata_ops = {
22439+static const struct ata_port_operations vt6420_sata_ops = {
22440 .inherits = &svia_base_ops,
22441 .freeze = svia_noop_freeze,
22442 .prereset = vt6420_prereset,
df50ba0c 22443 .bmdma_start = vt6420_bmdma_start,
ae4e228f
MT		 22444 };
22445
22446-static struct ata_port_operations vt6421_pata_ops = {
22447+static const struct ata_port_operations vt6421_pata_ops = {
22448 .inherits = &svia_base_ops,
22449 .cable_detect = vt6421_pata_cable_detect,
22450 .set_piomode = vt6421_set_pio_mode,
22451 .set_dmamode = vt6421_set_dma_mode,
22452 };
22453
22454-static struct ata_port_operations vt6421_sata_ops = {
22455+static const struct ata_port_operations vt6421_sata_ops = {
22456 .inherits = &svia_base_ops,
22457 .scr_read = svia_scr_read,
22458 .scr_write = svia_scr_write,
22459 };
22460
22461-static struct ata_port_operations vt8251_ops = {
22462+static const struct ata_port_operations vt8251_ops = {
22463 .inherits = &svia_base_ops,
22464 .hardreset = sata_std_hardreset,
22465 .scr_read = vt8251_scr_read,
57199397
MT		 22466diff -urNp linux-2.6.35.4/drivers/ata/sata_vsc.c linux-2.6.35.4/drivers/ata/sata_vsc.c
22467--- linux-2.6.35.4/drivers/ata/sata_vsc.c 2010-08-26 19:47:12.000000000 -0400
22468+++ linux-2.6.35.4/drivers/ata/sata_vsc.c 2010-09-17 20:12:09.000000000 -0400
22469@@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
ae4e228f
MT		 22470 };
22471
22472
22473-static struct ata_port_operations vsc_sata_ops = {
22474+static const struct ata_port_operations vsc_sata_ops = {
22475 .inherits = &ata_bmdma_port_ops,
22476 /* The IRQ handling is not quite standard SFF behaviour so we
22477 cannot use the default lost interrupt handler */
57199397
MT		 22478diff -urNp linux-2.6.35.4/drivers/atm/adummy.c linux-2.6.35.4/drivers/atm/adummy.c
22479--- linux-2.6.35.4/drivers/atm/adummy.c 2010-08-26 19:47:12.000000000 -0400
22480+++ linux-2.6.35.4/drivers/atm/adummy.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22481@@ -78,7 +78,7 @@ adummy_send(struct atm_vcc *vcc, struct
58c5fc13
MT		 22482 vcc->pop(vcc, skb);
22483 else
22484 dev_kfree_skb_any(skb);
22485- atomic_inc(&vcc->stats->tx);
22486+ atomic_inc_unchecked(&vcc->stats->tx);
22487
22488 return 0;
22489 }
57199397
MT		 22490diff -urNp linux-2.6.35.4/drivers/atm/ambassador.c linux-2.6.35.4/drivers/atm/ambassador.c
22491--- linux-2.6.35.4/drivers/atm/ambassador.c 2010-08-26 19:47:12.000000000 -0400
22492+++ linux-2.6.35.4/drivers/atm/ambassador.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22493@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
58c5fc13
MT		 22494 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22495
22496 // VC layer stats
22497- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22498+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22499
22500 // free the descriptor
22501 kfree (tx_descr);
df50ba0c 22502@@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
58c5fc13
MT		 22503 dump_skb ("<<<", vc, skb);
22504
22505 // VC layer stats
22506- atomic_inc(&atm_vcc->stats->rx);
22507+ atomic_inc_unchecked(&atm_vcc->stats->rx);
22508 __net_timestamp(skb);
22509 // end of our responsability
22510 atm_vcc->push (atm_vcc, skb);
df50ba0c 22511@@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
58c5fc13
MT		 22512 } else {
22513 PRINTK (KERN_INFO, "dropped over-size frame");
22514 // should we count this?
22515- atomic_inc(&atm_vcc->stats->rx_drop);
22516+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22517 }
22518
22519 } else {
df50ba0c 22520@@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
58c5fc13
MT		 22521 }
22522
22523 if (check_area (skb->data, skb->len)) {
22524- atomic_inc(&atm_vcc->stats->tx_err);
22525+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22526 return -ENOMEM; // ?
22527 }
22528
57199397
MT		 22529diff -urNp linux-2.6.35.4/drivers/atm/atmtcp.c linux-2.6.35.4/drivers/atm/atmtcp.c
22530--- linux-2.6.35.4/drivers/atm/atmtcp.c 2010-08-26 19:47:12.000000000 -0400
22531+++ linux-2.6.35.4/drivers/atm/atmtcp.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22532@@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
58c5fc13
MT		 22533 if (vcc->pop) vcc->pop(vcc,skb);
22534 else dev_kfree_skb(skb);
22535 if (dev_data) return 0;
22536- atomic_inc(&vcc->stats->tx_err);
22537+ atomic_inc_unchecked(&vcc->stats->tx_err);
22538 return -ENOLINK;
22539 }
22540 size = skb->len+sizeof(struct atmtcp_hdr);
df50ba0c 22541@@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
58c5fc13
MT		 22542 if (!new_skb) {
22543 if (vcc->pop) vcc->pop(vcc,skb);
22544 else dev_kfree_skb(skb);
22545- atomic_inc(&vcc->stats->tx_err);
22546+ atomic_inc_unchecked(&vcc->stats->tx_err);
22547 return -ENOBUFS;
22548 }
22549 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
df50ba0c 22550@@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
58c5fc13
MT		 22551 if (vcc->pop) vcc->pop(vcc,skb);
22552 else dev_kfree_skb(skb);
22553 out_vcc->push(out_vcc,new_skb);
22554- atomic_inc(&vcc->stats->tx);
22555- atomic_inc(&out_vcc->stats->rx);
22556+ atomic_inc_unchecked(&vcc->stats->tx);
22557+ atomic_inc_unchecked(&out_vcc->stats->rx);
22558 return 0;
22559 }
22560
df50ba0c 22561@@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
58c5fc13
MT		 22562 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22563 read_unlock(&vcc_sklist_lock);
22564 if (!out_vcc) {
22565- atomic_inc(&vcc->stats->tx_err);
22566+ atomic_inc_unchecked(&vcc->stats->tx_err);
22567 goto done;
22568 }
22569 skb_pull(skb,sizeof(struct atmtcp_hdr));
df50ba0c 22570@@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
58c5fc13
MT		 22571 __net_timestamp(new_skb);
22572 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22573 out_vcc->push(out_vcc,new_skb);
22574- atomic_inc(&vcc->stats->tx);
22575- atomic_inc(&out_vcc->stats->rx);
22576+ atomic_inc_unchecked(&vcc->stats->tx);
22577+ atomic_inc_unchecked(&out_vcc->stats->rx);
22578 done:
22579 if (vcc->pop) vcc->pop(vcc,skb);
22580 else dev_kfree_skb(skb);
57199397
MT		 22581diff -urNp linux-2.6.35.4/drivers/atm/eni.c linux-2.6.35.4/drivers/atm/eni.c
22582--- linux-2.6.35.4/drivers/atm/eni.c 2010-08-26 19:47:12.000000000 -0400
22583+++ linux-2.6.35.4/drivers/atm/eni.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22584@@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
58c5fc13
MT		 22585 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22586 vcc->dev->number);
22587 length = 0;
22588- atomic_inc(&vcc->stats->rx_err);
22589+ atomic_inc_unchecked(&vcc->stats->rx_err);
22590 }
22591 else {
22592 length = ATM_CELL_SIZE-1; /* no HEC */
df50ba0c 22593@@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
58c5fc13
MT		 22594 size);
22595 }
22596 eff = length = 0;
22597- atomic_inc(&vcc->stats->rx_err);
22598+ atomic_inc_unchecked(&vcc->stats->rx_err);
22599 }
22600 else {
22601 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
df50ba0c 22602@@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
58c5fc13
MT		 22603 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22604 vcc->dev->number,vcc->vci,length,size << 2,descr);
22605 length = eff = 0;
22606- atomic_inc(&vcc->stats->rx_err);
22607+ atomic_inc_unchecked(&vcc->stats->rx_err);
22608 }
22609 }
22610 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
df50ba0c 22611@@ -771,7 +771,7 @@ rx_dequeued++;
58c5fc13
MT		 22612 vcc->push(vcc,skb);
22613 pushed++;
22614 }
22615- atomic_inc(&vcc->stats->rx);
22616+ atomic_inc_unchecked(&vcc->stats->rx);
22617 }
22618 wake_up(&eni_dev->rx_wait);
22619 }
df50ba0c 22620@@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
58c5fc13
MT		 22621 PCI_DMA_TODEVICE);
22622 if (vcc->pop) vcc->pop(vcc,skb);
22623 else dev_kfree_skb_irq(skb);
22624- atomic_inc(&vcc->stats->tx);
22625+ atomic_inc_unchecked(&vcc->stats->tx);
22626 wake_up(&eni_dev->tx_wait);
22627 dma_complete++;
22628 }
57199397
MT		 22629diff -urNp linux-2.6.35.4/drivers/atm/firestream.c linux-2.6.35.4/drivers/atm/firestream.c
22630--- linux-2.6.35.4/drivers/atm/firestream.c 2010-08-26 19:47:12.000000000 -0400
22631+++ linux-2.6.35.4/drivers/atm/firestream.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22632@@ -749,7 +749,7 @@ static void process_txdone_queue (struct
58c5fc13
MT		 22633 }
22634 }
22635
22636- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22637+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22638
22639 fs_dprintk (FS_DEBUG_TXMEM, "i");
22640 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
df50ba0c 22641@@ -816,7 +816,7 @@ static void process_incoming (struct fs_
58c5fc13
MT		 22642 #endif
22643 skb_put (skb, qe->p1 & 0xffff);
22644 ATM_SKB(skb)->vcc = atm_vcc;
22645- atomic_inc(&atm_vcc->stats->rx);
22646+ atomic_inc_unchecked(&atm_vcc->stats->rx);
22647 __net_timestamp(skb);
22648 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22649 atm_vcc->push (atm_vcc, skb);
df50ba0c 22650@@ -837,12 +837,12 @@ static void process_incoming (struct fs_
58c5fc13
MT		 22651 kfree (pe);
22652 }
22653 if (atm_vcc)
22654- atomic_inc(&atm_vcc->stats->rx_drop);
22655+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22656 break;
22657 case 0x1f: /* Reassembly abort: no buffers. */
22658 /* Silently increment error counter. */
22659 if (atm_vcc)
22660- atomic_inc(&atm_vcc->stats->rx_drop);
22661+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22662 break;
22663 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22664 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
57199397
MT		 22665diff -urNp linux-2.6.35.4/drivers/atm/fore200e.c linux-2.6.35.4/drivers/atm/fore200e.c
22666--- linux-2.6.35.4/drivers/atm/fore200e.c 2010-08-26 19:47:12.000000000 -0400
22667+++ linux-2.6.35.4/drivers/atm/fore200e.c 2010-09-17 20:12:09.000000000 -0400
22668@@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
58c5fc13
MT		 22669 #endif
22670 /* check error condition */
22671 if (*entry->status & STATUS_ERROR)
22672- atomic_inc(&vcc->stats->tx_err);
22673+ atomic_inc_unchecked(&vcc->stats->tx_err);
22674 else
22675- atomic_inc(&vcc->stats->tx);
22676+ atomic_inc_unchecked(&vcc->stats->tx);
22677 }
22678 }
22679
57199397 22680@@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
58c5fc13
MT		 22681 if (skb == NULL) {
22682 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22683
22684- atomic_inc(&vcc->stats->rx_drop);
22685+ atomic_inc_unchecked(&vcc->stats->rx_drop);
22686 return -ENOMEM;
22687 }
22688
57199397 22689@@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
58c5fc13
MT		 22690
22691 dev_kfree_skb_any(skb);
22692
22693- atomic_inc(&vcc->stats->rx_drop);
22694+ atomic_inc_unchecked(&vcc->stats->rx_drop);
22695 return -ENOMEM;
22696 }
22697
22698 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22699
22700 vcc->push(vcc, skb);
22701- atomic_inc(&vcc->stats->rx);
22702+ atomic_inc_unchecked(&vcc->stats->rx);
22703
22704 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22705
57199397 22706@@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
58c5fc13
MT		 22707 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22708 fore200e->atm_dev->number,
22709 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22710- atomic_inc(&vcc->stats->rx_err);
22711+ atomic_inc_unchecked(&vcc->stats->rx_err);
22712 }
22713 }
22714
57199397 22715@@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
58c5fc13
MT		 22716 goto retry_here;
22717 }
22718
22719- atomic_inc(&vcc->stats->tx_err);
22720+ atomic_inc_unchecked(&vcc->stats->tx_err);
22721
22722 fore200e->tx_sat++;
22723 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
57199397
MT		 22724diff -urNp linux-2.6.35.4/drivers/atm/he.c linux-2.6.35.4/drivers/atm/he.c
22725--- linux-2.6.35.4/drivers/atm/he.c 2010-08-26 19:47:12.000000000 -0400
22726+++ linux-2.6.35.4/drivers/atm/he.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22727@@ -1770,7 +1770,7 @@ he_service_rbrq(struct he_dev *he_dev, i
58c5fc13
MT		 22728
22729 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22730 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22731- atomic_inc(&vcc->stats->rx_drop);
22732+ atomic_inc_unchecked(&vcc->stats->rx_drop);
22733 goto return_host_buffers;
22734 }
22735
df50ba0c 22736@@ -1803,7 +1803,7 @@ he_service_rbrq(struct he_dev *he_dev, i
58c5fc13
MT		 22737 RBRQ_LEN_ERR(he_dev->rbrq_head)
22738 ? "LEN_ERR" : "",
22739 vcc->vpi, vcc->vci);
22740- atomic_inc(&vcc->stats->rx_err);
22741+ atomic_inc_unchecked(&vcc->stats->rx_err);
22742 goto return_host_buffers;
22743 }
22744
df50ba0c 22745@@ -1862,7 +1862,7 @@ he_service_rbrq(struct he_dev *he_dev, i
58c5fc13
MT		 22746 vcc->push(vcc, skb);
22747 spin_lock(&he_dev->global_lock);
22748
22749- atomic_inc(&vcc->stats->rx);
22750+ atomic_inc_unchecked(&vcc->stats->rx);
22751
22752 return_host_buffers:
22753 ++pdus_assembled;
df50ba0c 22754@@ -2207,7 +2207,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
58c5fc13
MT		 22755 tpd->vcc->pop(tpd->vcc, tpd->skb);
22756 else
22757 dev_kfree_skb_any(tpd->skb);
22758- atomic_inc(&tpd->vcc->stats->tx_err);
22759+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22760 }
22761 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22762 return;
df50ba0c 22763@@ -2619,7 +2619,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
58c5fc13
MT		 22764 vcc->pop(vcc, skb);
22765 else
22766 dev_kfree_skb_any(skb);
22767- atomic_inc(&vcc->stats->tx_err);
22768+ atomic_inc_unchecked(&vcc->stats->tx_err);
22769 return -EINVAL;
22770 }
22771
df50ba0c 22772@@ -2630,7 +2630,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
58c5fc13
MT		 22773 vcc->pop(vcc, skb);
22774 else
22775 dev_kfree_skb_any(skb);
22776- atomic_inc(&vcc->stats->tx_err);
22777+ atomic_inc_unchecked(&vcc->stats->tx_err);
22778 return -EINVAL;
22779 }
22780 #endif
df50ba0c 22781@@ -2642,7 +2642,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
58c5fc13
MT		 22782 vcc->pop(vcc, skb);
22783 else
22784 dev_kfree_skb_any(skb);
22785- atomic_inc(&vcc->stats->tx_err);
22786+ atomic_inc_unchecked(&vcc->stats->tx_err);
22787 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22788 return -ENOMEM;
22789 }
df50ba0c 22790@@ -2684,7 +2684,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
58c5fc13
MT		 22791 vcc->pop(vcc, skb);
22792 else
22793 dev_kfree_skb_any(skb);
22794- atomic_inc(&vcc->stats->tx_err);
22795+ atomic_inc_unchecked(&vcc->stats->tx_err);
22796 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22797 return -ENOMEM;
22798 }
df50ba0c 22799@@ -2715,7 +2715,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
58c5fc13
MT		 22800 __enqueue_tpd(he_dev, tpd, cid);
22801 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22802
22803- atomic_inc(&vcc->stats->tx);
22804+ atomic_inc_unchecked(&vcc->stats->tx);
22805
22806 return 0;
22807 }
57199397
MT		 22808diff -urNp linux-2.6.35.4/drivers/atm/horizon.c linux-2.6.35.4/drivers/atm/horizon.c
22809--- linux-2.6.35.4/drivers/atm/horizon.c 2010-08-26 19:47:12.000000000 -0400
22810+++ linux-2.6.35.4/drivers/atm/horizon.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22811@@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
58c5fc13
MT		 22812 {
22813 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22814 // VC layer stats
22815- atomic_inc(&vcc->stats->rx);
22816+ atomic_inc_unchecked(&vcc->stats->rx);
22817 __net_timestamp(skb);
22818 // end of our responsability
22819 vcc->push (vcc, skb);
df50ba0c 22820@@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
58c5fc13
MT		 22821 dev->tx_iovec = NULL;
22822
22823 // VC layer stats
22824- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22825+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22826
22827 // free the skb
22828 hrz_kfree_skb (skb);
57199397
MT		 22829diff -urNp linux-2.6.35.4/drivers/atm/idt77252.c linux-2.6.35.4/drivers/atm/idt77252.c
22830--- linux-2.6.35.4/drivers/atm/idt77252.c 2010-08-26 19:47:12.000000000 -0400
22831+++ linux-2.6.35.4/drivers/atm/idt77252.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22832@@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
58c5fc13
MT		 22833 else
22834 dev_kfree_skb(skb);
22835
22836- atomic_inc(&vcc->stats->tx);
22837+ atomic_inc_unchecked(&vcc->stats->tx);
22838 }
22839
22840 atomic_dec(&scq->used);
df50ba0c 22841@@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
58c5fc13
MT		 22842 if ((sb = dev_alloc_skb(64)) == NULL) {
22843 printk("%s: Can't allocate buffers for aal0.\n",
22844 card->name);
22845- atomic_add(i, &vcc->stats->rx_drop);
22846+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
22847 break;
22848 }
22849 if (!atm_charge(vcc, sb->truesize)) {
22850 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22851 card->name);
22852- atomic_add(i - 1, &vcc->stats->rx_drop);
22853+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22854 dev_kfree_skb(sb);
22855 break;
22856 }
df50ba0c 22857@@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
58c5fc13
MT		 22858 ATM_SKB(sb)->vcc = vcc;
22859 __net_timestamp(sb);
22860 vcc->push(vcc, sb);
22861- atomic_inc(&vcc->stats->rx);
22862+ atomic_inc_unchecked(&vcc->stats->rx);
22863
22864 cell += ATM_CELL_PAYLOAD;
22865 }
df50ba0c 22866@@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
58c5fc13
MT		 22867 "(CDC: %08x)\n",
22868 card->name, len, rpp->len, readl(SAR_REG_CDC));
22869 recycle_rx_pool_skb(card, rpp);
22870- atomic_inc(&vcc->stats->rx_err);
22871+ atomic_inc_unchecked(&vcc->stats->rx_err);
22872 return;
22873 }
22874 if (stat & SAR_RSQE_CRC) {
22875 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22876 recycle_rx_pool_skb(card, rpp);
22877- atomic_inc(&vcc->stats->rx_err);
22878+ atomic_inc_unchecked(&vcc->stats->rx_err);
22879 return;
22880 }
22881 if (skb_queue_len(&rpp->queue) > 1) {
df50ba0c 22882@@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
58c5fc13
MT		 22883 RXPRINTK("%s: Can't alloc RX skb.\n",
22884 card->name);
22885 recycle_rx_pool_skb(card, rpp);
22886- atomic_inc(&vcc->stats->rx_err);
22887+ atomic_inc_unchecked(&vcc->stats->rx_err);
22888 return;
22889 }
22890 if (!atm_charge(vcc, skb->truesize)) {
df50ba0c 22891@@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
58c5fc13
MT		 22892 __net_timestamp(skb);
22893
22894 vcc->push(vcc, skb);
22895- atomic_inc(&vcc->stats->rx);
22896+ atomic_inc_unchecked(&vcc->stats->rx);
22897
22898 return;
22899 }
df50ba0c 22900@@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
58c5fc13
MT		 22901 __net_timestamp(skb);
22902
22903 vcc->push(vcc, skb);
22904- atomic_inc(&vcc->stats->rx);
22905+ atomic_inc_unchecked(&vcc->stats->rx);
22906
22907 if (skb->truesize > SAR_FB_SIZE_3)
22908 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
df50ba0c 22909@@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
58c5fc13
MT		 22910 if (vcc->qos.aal != ATM_AAL0) {
22911 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22912 card->name, vpi, vci);
22913- atomic_inc(&vcc->stats->rx_drop);
22914+ atomic_inc_unchecked(&vcc->stats->rx_drop);
22915 goto drop;
22916 }
22917
22918 if ((sb = dev_alloc_skb(64)) == NULL) {
22919 printk("%s: Can't allocate buffers for AAL0.\n",
22920 card->name);
22921- atomic_inc(&vcc->stats->rx_err);
22922+ atomic_inc_unchecked(&vcc->stats->rx_err);
22923 goto drop;
22924 }
22925
df50ba0c 22926@@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
58c5fc13
MT		 22927 ATM_SKB(sb)->vcc = vcc;
22928 __net_timestamp(sb);
22929 vcc->push(vcc, sb);
22930- atomic_inc(&vcc->stats->rx);
22931+ atomic_inc_unchecked(&vcc->stats->rx);
22932
22933 drop:
22934 skb_pull(queue, 64);
df50ba0c 22935@@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
58c5fc13
MT		 22936
22937 if (vc == NULL) {
22938 printk("%s: NULL connection in send().\n", card->name);
22939- atomic_inc(&vcc->stats->tx_err);
22940+ atomic_inc_unchecked(&vcc->stats->tx_err);
22941 dev_kfree_skb(skb);
22942 return -EINVAL;
22943 }
22944 if (!test_bit(VCF_TX, &vc->flags)) {
22945 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22946- atomic_inc(&vcc->stats->tx_err);
22947+ atomic_inc_unchecked(&vcc->stats->tx_err);
22948 dev_kfree_skb(skb);
22949 return -EINVAL;
22950 }
df50ba0c 22951@@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
58c5fc13
MT		 22952 break;
22953 default:
22954 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22955- atomic_inc(&vcc->stats->tx_err);
22956+ atomic_inc_unchecked(&vcc->stats->tx_err);
22957 dev_kfree_skb(skb);
22958 return -EINVAL;
22959 }
22960
22961 if (skb_shinfo(skb)->nr_frags != 0) {
22962 printk("%s: No scatter-gather yet.\n", card->name);
22963- atomic_inc(&vcc->stats->tx_err);
22964+ atomic_inc_unchecked(&vcc->stats->tx_err);
22965 dev_kfree_skb(skb);
22966 return -EINVAL;
22967 }
df50ba0c 22968@@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
58c5fc13
MT		 22969
22970 err = queue_skb(card, vc, skb, oam);
22971 if (err) {
22972- atomic_inc(&vcc->stats->tx_err);
22973+ atomic_inc_unchecked(&vcc->stats->tx_err);
22974 dev_kfree_skb(skb);
22975 return err;
22976 }
df50ba0c 22977@@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
58c5fc13
MT		 22978 skb = dev_alloc_skb(64);
22979 if (!skb) {
22980 printk("%s: Out of memory in send_oam().\n", card->name);
22981- atomic_inc(&vcc->stats->tx_err);
22982+ atomic_inc_unchecked(&vcc->stats->tx_err);
22983 return -ENOMEM;
22984 }
22985 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
57199397
MT		 22986diff -urNp linux-2.6.35.4/drivers/atm/iphase.c linux-2.6.35.4/drivers/atm/iphase.c
22987--- linux-2.6.35.4/drivers/atm/iphase.c 2010-08-26 19:47:12.000000000 -0400
22988+++ linux-2.6.35.4/drivers/atm/iphase.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 22989@@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
58c5fc13
MT		 22990 status = (u_short) (buf_desc_ptr->desc_mode);
22991 if (status & (RX_CER | RX_PTE | RX_OFL))
22992 {
22993- atomic_inc(&vcc->stats->rx_err);
22994+ atomic_inc_unchecked(&vcc->stats->rx_err);
22995 IF_ERR(printk("IA: bad packet, dropping it");)
22996 if (status & RX_CER) {
22997 IF_ERR(printk(" cause: packet CRC error\n");)
df50ba0c 22998@@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
58c5fc13
MT		 22999 len = dma_addr - buf_addr;
23000 if (len > iadev->rx_buf_sz) {
23001 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23002- atomic_inc(&vcc->stats->rx_err);
23003+ atomic_inc_unchecked(&vcc->stats->rx_err);
23004 goto out_free_desc;
23005 }
23006
df50ba0c 23007@@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
58c5fc13
MT		 23008 ia_vcc = INPH_IA_VCC(vcc);
23009 if (ia_vcc == NULL)
23010 {
23011- atomic_inc(&vcc->stats->rx_err);
23012+ atomic_inc_unchecked(&vcc->stats->rx_err);
23013 dev_kfree_skb_any(skb);
23014 atm_return(vcc, atm_guess_pdu2truesize(len));
23015 goto INCR_DLE;
df50ba0c 23016@@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
58c5fc13
MT		 23017 if ((length > iadev->rx_buf_sz) || (length >
23018 (skb->len - sizeof(struct cpcs_trailer))))
23019 {
23020- atomic_inc(&vcc->stats->rx_err);
23021+ atomic_inc_unchecked(&vcc->stats->rx_err);
23022 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23023 length, skb->len);)
23024 dev_kfree_skb_any(skb);
df50ba0c 23025@@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
58c5fc13
MT		 23026
23027 IF_RX(printk("rx_dle_intr: skb push");)
23028 vcc->push(vcc,skb);
23029- atomic_inc(&vcc->stats->rx);
23030+ atomic_inc_unchecked(&vcc->stats->rx);
23031 iadev->rx_pkt_cnt++;
23032 }
23033 INCR_DLE:
df50ba0c 23034@@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
58c5fc13
MT		 23035 {
23036 struct k_sonet_stats *stats;
23037 stats = &PRIV(_ia_dev[board])->sonet_stats;
23038- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23039- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23040- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23041- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23042- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23043- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23044- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23045- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23046- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23047+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23048+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23049+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23050+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23051+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23052+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23053+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23054+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23055+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23056 }
23057 ia_cmds.status = 0;
23058 break;
df50ba0c 23059@@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
58c5fc13
MT		 23060 if ((desc == 0) || (desc > iadev->num_tx_desc))
23061 {
23062 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23063- atomic_inc(&vcc->stats->tx);
23064+ atomic_inc_unchecked(&vcc->stats->tx);
23065 if (vcc->pop)
23066 vcc->pop(vcc, skb);
23067 else
df50ba0c 23068@@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
58c5fc13
MT		 23069 ATM_DESC(skb) = vcc->vci;
23070 skb_queue_tail(&iadev->tx_dma_q, skb);
23071
23072- atomic_inc(&vcc->stats->tx);
23073+ atomic_inc_unchecked(&vcc->stats->tx);
23074 iadev->tx_pkt_cnt++;
23075 /* Increment transaction counter */
23076 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23077
23078 #if 0
23079 /* add flow control logic */
23080- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23081+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23082 if (iavcc->vc_desc_cnt > 10) {
23083 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23084 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
57199397
MT		 23085diff -urNp linux-2.6.35.4/drivers/atm/lanai.c linux-2.6.35.4/drivers/atm/lanai.c
23086--- linux-2.6.35.4/drivers/atm/lanai.c 2010-08-26 19:47:12.000000000 -0400
23087+++ linux-2.6.35.4/drivers/atm/lanai.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23088@@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
58c5fc13
MT		 23089 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23090 lanai_endtx(lanai, lvcc);
23091 lanai_free_skb(lvcc->tx.atmvcc, skb);
23092- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23093+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23094 }
23095
23096 /* Try to fill the buffer - don't call unless there is backlog */
df50ba0c 23097@@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
58c5fc13
MT		 23098 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23099 __net_timestamp(skb);
23100 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23101- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23102+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23103 out:
23104 lvcc->rx.buf.ptr = end;
23105 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
df50ba0c 23106@@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
58c5fc13
MT		 23107 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23108 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23109 lanai->stats.service_rxnotaal5++;
23110- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23111+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23112 return 0;
23113 }
23114 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
df50ba0c 23115@@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
58c5fc13
MT		 23116 int bytes;
23117 read_unlock(&vcc_sklist_lock);
23118 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23119- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23120+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23121 lvcc->stats.x.aal5.service_trash++;
23122 bytes = (SERVICE_GET_END(s) * 16) -
23123 (((unsigned long) lvcc->rx.buf.ptr) -
df50ba0c 23124@@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
58c5fc13
MT		 23125 }
23126 if (s & SERVICE_STREAM) {
23127 read_unlock(&vcc_sklist_lock);
23128- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23129+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23130 lvcc->stats.x.aal5.service_stream++;
23131 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23132 "PDU on VCI %d!\n", lanai->number, vci);
df50ba0c 23133@@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
58c5fc13
MT		 23134 return 0;
23135 }
23136 DPRINTK("got rx crc error on vci %d\n", vci);
23137- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23138+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23139 lvcc->stats.x.aal5.service_rxcrc++;
23140 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23141 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
57199397
MT		 23142diff -urNp linux-2.6.35.4/drivers/atm/nicstar.c linux-2.6.35.4/drivers/atm/nicstar.c
23143--- linux-2.6.35.4/drivers/atm/nicstar.c 2010-08-26 19:47:12.000000000 -0400
23144+++ linux-2.6.35.4/drivers/atm/nicstar.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23145@@ -1722,7 +1722,7 @@ static int ns_send(struct atm_vcc *vcc,
58c5fc13
MT		 23146 if ((vc = (vc_map *) vcc->dev_data) == NULL)
23147 {
23148 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
23149- atomic_inc(&vcc->stats->tx_err);
23150+ atomic_inc_unchecked(&vcc->stats->tx_err);
23151 dev_kfree_skb_any(skb);
23152 return -EINVAL;
23153 }
df50ba0c 23154@@ -1730,7 +1730,7 @@ static int ns_send(struct atm_vcc *vcc,
58c5fc13
MT		 23155 if (!vc->tx)
23156 {
23157 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
23158- atomic_inc(&vcc->stats->tx_err);
23159+ atomic_inc_unchecked(&vcc->stats->tx_err);
23160 dev_kfree_skb_any(skb);
23161 return -EINVAL;
23162 }
df50ba0c 23163@@ -1738,7 +1738,7 @@ static int ns_send(struct atm_vcc *vcc,
58c5fc13
MT		 23164 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
23165 {
23166 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
23167- atomic_inc(&vcc->stats->tx_err);
23168+ atomic_inc_unchecked(&vcc->stats->tx_err);
23169 dev_kfree_skb_any(skb);
23170 return -EINVAL;
23171 }
df50ba0c 23172@@ -1746,7 +1746,7 @@ static int ns_send(struct atm_vcc *vcc,
58c5fc13
MT		 23173 if (skb_shinfo(skb)->nr_frags != 0)
23174 {
23175 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23176- atomic_inc(&vcc->stats->tx_err);
23177+ atomic_inc_unchecked(&vcc->stats->tx_err);
23178 dev_kfree_skb_any(skb);
23179 return -EINVAL;
23180 }
df50ba0c 23181@@ -1791,11 +1791,11 @@ static int ns_send(struct atm_vcc *vcc,
58c5fc13
MT		 23182
23183 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
23184 {
23185- atomic_inc(&vcc->stats->tx_err);
23186+ atomic_inc_unchecked(&vcc->stats->tx_err);
23187 dev_kfree_skb_any(skb);
23188 return -EIO;
23189 }
23190- atomic_inc(&vcc->stats->tx);
23191+ atomic_inc_unchecked(&vcc->stats->tx);
23192
23193 return 0;
23194 }
df50ba0c 23195@@ -2110,14 +2110,14 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23196 {
23197 printk("nicstar%d: Can't allocate buffers for aal0.\n",
23198 card->index);
23199- atomic_add(i,&vcc->stats->rx_drop);
23200+ atomic_add_unchecked(i,&vcc->stats->rx_drop);
23201 break;
23202 }
23203 if (!atm_charge(vcc, sb->truesize))
23204 {
23205 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
23206 card->index);
23207- atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23208+ atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23209 dev_kfree_skb_any(sb);
23210 break;
23211 }
df50ba0c 23212@@ -2132,7 +2132,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23213 ATM_SKB(sb)->vcc = vcc;
23214 __net_timestamp(sb);
23215 vcc->push(vcc, sb);
23216- atomic_inc(&vcc->stats->rx);
23217+ atomic_inc_unchecked(&vcc->stats->rx);
23218 cell += ATM_CELL_PAYLOAD;
23219 }
23220
df50ba0c 23221@@ -2151,7 +2151,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23222 if (iovb == NULL)
23223 {
23224 printk("nicstar%d: Out of iovec buffers.\n", card->index);
23225- atomic_inc(&vcc->stats->rx_drop);
23226+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23227 recycle_rx_buf(card, skb);
23228 return;
23229 }
df50ba0c 23230@@ -2181,7 +2181,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23231 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
23232 {
23233 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23234- atomic_inc(&vcc->stats->rx_err);
23235+ atomic_inc_unchecked(&vcc->stats->rx_err);
23236 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
23237 NS_SKB(iovb)->iovcnt = 0;
23238 iovb->len = 0;
df50ba0c 23239@@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23240 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
23241 card->index);
23242 which_list(card, skb);
23243- atomic_inc(&vcc->stats->rx_err);
23244+ atomic_inc_unchecked(&vcc->stats->rx_err);
23245 recycle_rx_buf(card, skb);
23246 vc->rx_iov = NULL;
23247 recycle_iov_buf(card, iovb);
df50ba0c 23248@@ -2215,7 +2215,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23249 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
23250 card->index);
23251 which_list(card, skb);
23252- atomic_inc(&vcc->stats->rx_err);
23253+ atomic_inc_unchecked(&vcc->stats->rx_err);
23254 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23255 NS_SKB(iovb)->iovcnt);
23256 vc->rx_iov = NULL;
df50ba0c 23257@@ -2239,7 +2239,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23258 printk(" - PDU size mismatch.\n");
23259 else
23260 printk(".\n");
23261- atomic_inc(&vcc->stats->rx_err);
23262+ atomic_inc_unchecked(&vcc->stats->rx_err);
23263 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23264 NS_SKB(iovb)->iovcnt);
23265 vc->rx_iov = NULL;
df50ba0c 23266@@ -2255,7 +2255,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23267 if (!atm_charge(vcc, skb->truesize))
23268 {
23269 push_rxbufs(card, skb);
23270- atomic_inc(&vcc->stats->rx_drop);
23271+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23272 }
23273 else
23274 {
df50ba0c 23275@@ -2267,7 +2267,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23276 ATM_SKB(skb)->vcc = vcc;
23277 __net_timestamp(skb);
23278 vcc->push(vcc, skb);
23279- atomic_inc(&vcc->stats->rx);
23280+ atomic_inc_unchecked(&vcc->stats->rx);
23281 }
23282 }
23283 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
df50ba0c 23284@@ -2282,7 +2282,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23285 if (!atm_charge(vcc, sb->truesize))
23286 {
23287 push_rxbufs(card, sb);
23288- atomic_inc(&vcc->stats->rx_drop);
23289+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23290 }
23291 else
23292 {
df50ba0c 23293@@ -2294,7 +2294,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23294 ATM_SKB(sb)->vcc = vcc;
23295 __net_timestamp(sb);
23296 vcc->push(vcc, sb);
23297- atomic_inc(&vcc->stats->rx);
23298+ atomic_inc_unchecked(&vcc->stats->rx);
23299 }
23300
23301 push_rxbufs(card, skb);
df50ba0c 23302@@ -2305,7 +2305,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23303 if (!atm_charge(vcc, skb->truesize))
23304 {
23305 push_rxbufs(card, skb);
23306- atomic_inc(&vcc->stats->rx_drop);
23307+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23308 }
23309 else
23310 {
df50ba0c 23311@@ -2319,7 +2319,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23312 ATM_SKB(skb)->vcc = vcc;
23313 __net_timestamp(skb);
23314 vcc->push(vcc, skb);
23315- atomic_inc(&vcc->stats->rx);
23316+ atomic_inc_unchecked(&vcc->stats->rx);
23317 }
23318
23319 push_rxbufs(card, sb);
df50ba0c 23320@@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23321 if (hb == NULL)
23322 {
23323 printk("nicstar%d: Out of huge buffers.\n", card->index);
23324- atomic_inc(&vcc->stats->rx_drop);
23325+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23326 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23327 NS_SKB(iovb)->iovcnt);
23328 vc->rx_iov = NULL;
df50ba0c 23329@@ -2392,7 +2392,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23330 }
23331 else
23332 dev_kfree_skb_any(hb);
23333- atomic_inc(&vcc->stats->rx_drop);
23334+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23335 }
23336 else
23337 {
df50ba0c 23338@@ -2426,7 +2426,7 @@ static void dequeue_rx(ns_dev *card, ns_
58c5fc13
MT		 23339 #endif /* NS_USE_DESTRUCTORS */
23340 __net_timestamp(hb);
23341 vcc->push(vcc, hb);
23342- atomic_inc(&vcc->stats->rx);
23343+ atomic_inc_unchecked(&vcc->stats->rx);
23344 }
23345 }
23346
57199397
MT		 23347diff -urNp linux-2.6.35.4/drivers/atm/solos-pci.c linux-2.6.35.4/drivers/atm/solos-pci.c
23348--- linux-2.6.35.4/drivers/atm/solos-pci.c 2010-08-26 19:47:12.000000000 -0400
23349+++ linux-2.6.35.4/drivers/atm/solos-pci.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23350@@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
58c5fc13
MT		 23351 }
23352 atm_charge(vcc, skb->truesize);
23353 vcc->push(vcc, skb);
23354- atomic_inc(&vcc->stats->rx);
23355+ atomic_inc_unchecked(&vcc->stats->rx);
23356 break;
23357
23358 case PKT_STATUS:
57199397 23359@@ -1023,7 +1023,7 @@ static uint32_t fpga_tx(struct solos_car
58c5fc13
MT		 23360 vcc = SKB_CB(oldskb)->vcc;
23361
23362 if (vcc) {
23363- atomic_inc(&vcc->stats->tx);
23364+ atomic_inc_unchecked(&vcc->stats->tx);
23365 solos_pop(vcc, oldskb);
23366 } else
23367 dev_kfree_skb_irq(oldskb);
57199397
MT		 23368diff -urNp linux-2.6.35.4/drivers/atm/suni.c linux-2.6.35.4/drivers/atm/suni.c
23369--- linux-2.6.35.4/drivers/atm/suni.c 2010-08-26 19:47:12.000000000 -0400
23370+++ linux-2.6.35.4/drivers/atm/suni.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23371@@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
58c5fc13
MT		 23372
23373
23374 #define ADD_LIMITED(s,v) \
23375- atomic_add((v),&stats->s); \
23376- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23377+ atomic_add_unchecked((v),&stats->s); \
23378+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23379
23380
23381 static void suni_hz(unsigned long from_timer)
57199397
MT		 23382diff -urNp linux-2.6.35.4/drivers/atm/uPD98402.c linux-2.6.35.4/drivers/atm/uPD98402.c
23383--- linux-2.6.35.4/drivers/atm/uPD98402.c 2010-08-26 19:47:12.000000000 -0400
23384+++ linux-2.6.35.4/drivers/atm/uPD98402.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23385@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
58c5fc13
MT		 23386 struct sonet_stats tmp;
23387 int error = 0;
23388
23389- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23390+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23391 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23392 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23393 if (zero && !error) {
df50ba0c 23394@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
58c5fc13
MT		 23395
23396
23397 #define ADD_LIMITED(s,v) \
23398- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23399- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23400- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23401+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23402+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23403+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23404
23405
23406 static void stat_event(struct atm_dev *dev)
df50ba0c 23407@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
58c5fc13
MT		 23408 if (reason & uPD98402_INT_PFM) stat_event(dev);
23409 if (reason & uPD98402_INT_PCO) {
23410 (void) GET(PCOCR); /* clear interrupt cause */
23411- atomic_add(GET(HECCT),
23412+ atomic_add_unchecked(GET(HECCT),
23413 &PRIV(dev)->sonet_stats.uncorr_hcs);
23414 }
23415 if ((reason & uPD98402_INT_RFO) &&
df50ba0c 23416@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
58c5fc13
MT		 23417 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23418 uPD98402_INT_LOS),PIMR); /* enable them */
23419 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23420- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23421- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23422- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23423+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23424+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23425+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23426 return 0;
23427 }
23428
57199397
MT		 23429diff -urNp linux-2.6.35.4/drivers/atm/zatm.c linux-2.6.35.4/drivers/atm/zatm.c
23430--- linux-2.6.35.4/drivers/atm/zatm.c 2010-08-26 19:47:12.000000000 -0400
23431+++ linux-2.6.35.4/drivers/atm/zatm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23432@@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
58c5fc13
MT		 23433 }
23434 if (!size) {
23435 dev_kfree_skb_irq(skb);
23436- if (vcc) atomic_inc(&vcc->stats->rx_err);
23437+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23438 continue;
23439 }
23440 if (!atm_charge(vcc,skb->truesize)) {
df50ba0c 23441@@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
58c5fc13
MT		 23442 skb->len = size;
23443 ATM_SKB(skb)->vcc = vcc;
23444 vcc->push(vcc,skb);
23445- atomic_inc(&vcc->stats->rx);
23446+ atomic_inc_unchecked(&vcc->stats->rx);
23447 }
23448 zout(pos & 0xffff,MTA(mbx));
23449 #if 0 /* probably a stupid idea */
df50ba0c 23450@@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
58c5fc13
MT		 23451 skb_queue_head(&zatm_vcc->backlog,skb);
23452 break;
23453 }
23454- atomic_inc(&vcc->stats->tx);
23455+ atomic_inc_unchecked(&vcc->stats->tx);
23456 wake_up(&zatm_vcc->tx_wait);
23457 }
23458
57199397
MT		 23459diff -urNp linux-2.6.35.4/drivers/char/agp/frontend.c linux-2.6.35.4/drivers/char/agp/frontend.c
23460--- linux-2.6.35.4/drivers/char/agp/frontend.c 2010-08-26 19:47:12.000000000 -0400
23461+++ linux-2.6.35.4/drivers/char/agp/frontend.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 23462@@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
58c5fc13
MT		 23463 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23464 return -EFAULT;
23465
23466- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23467+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23468 return -EFAULT;
23469
23470 client = agp_find_client_by_pid(reserve.pid);
57199397
MT		 23471diff -urNp linux-2.6.35.4/drivers/char/agp/intel-agp.c linux-2.6.35.4/drivers/char/agp/intel-agp.c
23472--- linux-2.6.35.4/drivers/char/agp/intel-agp.c 2010-08-26 19:47:12.000000000 -0400
23473+++ linux-2.6.35.4/drivers/char/agp/intel-agp.c 2010-09-17 20:12:09.000000000 -0400
23474@@ -1036,7 +1036,7 @@ static struct pci_device_id agp_intel_pc
ae4e228f 23475 ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
df50ba0c
MT		 23476 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23477 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
58c5fc13
MT		 23478- { }
23479+ { 0, 0, 0, 0, 0, 0, 0 }
23480 };
23481
23482 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
57199397
MT		 23483diff -urNp linux-2.6.35.4/drivers/char/hpet.c linux-2.6.35.4/drivers/char/hpet.c
23484--- linux-2.6.35.4/drivers/char/hpet.c 2010-08-26 19:47:12.000000000 -0400
23485+++ linux-2.6.35.4/drivers/char/hpet.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 23486@@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
23487 return 0;
23488 }
58c5fc13 23489
df50ba0c
MT		 23490-static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
23491+static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
58c5fc13 23492
57199397
MT		 23493 static long hpet_ioctl(struct file *file, unsigned int cmd,
23494 unsigned long arg)
23495@@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
ae4e228f
MT		 23496 }
23497
df50ba0c
MT		 23498 static int
23499-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
23500+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
ae4e228f 23501 {
df50ba0c
MT		 23502 struct hpet_timer __iomem *timer;
23503 struct hpet __iomem *hpet;
57199397 23504@@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
df50ba0c 23505 },
ae4e228f
MT		 23506 };
23507
df50ba0c
MT		 23508-static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23509+static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
ae4e228f 23510
df50ba0c
MT		 23511 static int __init hpet_init(void)
23512 {
57199397
MT		 23513diff -urNp linux-2.6.35.4/drivers/char/hvc_console.h linux-2.6.35.4/drivers/char/hvc_console.h
23514--- linux-2.6.35.4/drivers/char/hvc_console.h 2010-08-26 19:47:12.000000000 -0400
23515+++ linux-2.6.35.4/drivers/char/hvc_console.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23516@@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
ae4e228f 23517 /* register a vterm for hvc tty operation (module_init or hotplug add) */
df50ba0c
MT		 23518 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23519 const struct hv_ops *ops, int outbuf_size);
23520+
ae4e228f
MT		 23521 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23522 extern int hvc_remove(struct hvc_struct *hp);
23523
57199397
MT		 23524diff -urNp linux-2.6.35.4/drivers/char/hvcs.c linux-2.6.35.4/drivers/char/hvcs.c
23525--- linux-2.6.35.4/drivers/char/hvcs.c 2010-08-26 19:47:12.000000000 -0400
23526+++ linux-2.6.35.4/drivers/char/hvcs.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23527@@ -270,7 +270,7 @@ struct hvcs_struct {
58c5fc13
MT		 23528 unsigned int index;
23529
23530 struct tty_struct *tty;
23531- int open_count;
23532+ atomic_t open_count;
23533
23534 /*
23535 * Used to tell the driver kernel_thread what operations need to take
df50ba0c 23536@@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
58c5fc13
MT		 23537
23538 spin_lock_irqsave(&hvcsd->lock, flags);
23539
23540- if (hvcsd->open_count > 0) {
23541+ if (atomic_read(&hvcsd->open_count) > 0) {
23542 spin_unlock_irqrestore(&hvcsd->lock, flags);
23543 printk(KERN_INFO "HVCS: vterm state unchanged. "
23544 "The hvcs device node is still in use.\n");
df50ba0c 23545@@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
58c5fc13
MT		 23546 if ((retval = hvcs_partner_connect(hvcsd)))
23547 goto error_release;
23548
23549- hvcsd->open_count = 1;
23550+ atomic_set(&hvcsd->open_count, 1);
23551 hvcsd->tty = tty;
23552 tty->driver_data = hvcsd;
23553
df50ba0c 23554@@ -1170,7 +1170,7 @@ fast_open:
58c5fc13
MT		 23555
23556 spin_lock_irqsave(&hvcsd->lock, flags);
23557 kref_get(&hvcsd->kref);
23558- hvcsd->open_count++;
23559+ atomic_inc(&hvcsd->open_count);
23560 hvcsd->todo_mask |= HVCS_SCHED_READ;
23561 spin_unlock_irqrestore(&hvcsd->lock, flags);
23562
df50ba0c 23563@@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
58c5fc13
MT		 23564 hvcsd = tty->driver_data;
23565
23566 spin_lock_irqsave(&hvcsd->lock, flags);
23567- if (--hvcsd->open_count == 0) {
23568+ if (atomic_dec_and_test(&hvcsd->open_count)) {
23569
23570 vio_disable_interrupts(hvcsd->vdev);
23571
df50ba0c 23572@@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
58c5fc13
MT		 23573 free_irq(irq, hvcsd);
23574 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23575 return;
23576- } else if (hvcsd->open_count < 0) {
23577+ } else if (atomic_read(&hvcsd->open_count) < 0) {
23578 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23579 " is missmanaged.\n",
23580- hvcsd->vdev->unit_address, hvcsd->open_count);
23581+ hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23582 }
23583
23584 spin_unlock_irqrestore(&hvcsd->lock, flags);
df50ba0c 23585@@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
58c5fc13
MT		 23586
23587 spin_lock_irqsave(&hvcsd->lock, flags);
23588 /* Preserve this so that we know how many kref refs to put */
23589- temp_open_count = hvcsd->open_count;
23590+ temp_open_count = atomic_read(&hvcsd->open_count);
23591
23592 /*
23593 * Don't kref put inside the spinlock because the destruction
df50ba0c 23594@@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
58c5fc13
MT		 23595 hvcsd->tty->driver_data = NULL;
23596 hvcsd->tty = NULL;
23597
23598- hvcsd->open_count = 0;
23599+ atomic_set(&hvcsd->open_count, 0);
23600
23601 /* This will drop any buffered data on the floor which is OK in a hangup
23602 * scenario. */
df50ba0c 23603@@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
58c5fc13
MT		 23604 * the middle of a write operation? This is a crummy place to do this
23605 * but we want to keep it all in the spinlock.
23606 */
23607- if (hvcsd->open_count <= 0) {
23608+ if (atomic_read(&hvcsd->open_count) <= 0) {
23609 spin_unlock_irqrestore(&hvcsd->lock, flags);
23610 return -ENODEV;
23611 }
df50ba0c 23612@@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
58c5fc13
MT		 23613 {
23614 struct hvcs_struct *hvcsd = tty->driver_data;
23615
23616- if (!hvcsd || hvcsd->open_count <= 0)
23617+ if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23618 return 0;
23619
23620 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
57199397
MT		 23621diff -urNp linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c
23622--- linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c 2010-08-26 19:47:12.000000000 -0400
23623+++ linux-2.6.35.4/drivers/char/ipmi/ipmi_msghandler.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 23624@@ -414,7 +414,7 @@ struct ipmi_smi {
58c5fc13
MT		 23625 struct proc_dir_entry *proc_dir;
23626 char proc_dir_name[10];
23627
23628- atomic_t stats[IPMI_NUM_STATS];
23629+ atomic_unchecked_t stats[IPMI_NUM_STATS];
23630
23631 /*
23632 * run_to_completion duplicate of smb_info, smi_info
ae4e228f 23633@@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
58c5fc13
MT		 23634
23635
23636 #define ipmi_inc_stat(intf, stat) \
23637- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23638+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23639 #define ipmi_get_stat(intf, stat) \
23640- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23641+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23642
23643 static int is_lan_addr(struct ipmi_addr *addr)
23644 {
57199397 23645@@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
58c5fc13
MT		 23646 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23647 init_waitqueue_head(&intf->waitq);
23648 for (i = 0; i < IPMI_NUM_STATS; i++)
23649- atomic_set(&intf->stats[i], 0);
23650+ atomic_set_unchecked(&intf->stats[i], 0);
23651
23652 intf->proc_dir = NULL;
23653
57199397
MT		 23654diff -urNp linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c
23655--- linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c 2010-08-26 19:47:12.000000000 -0400
23656+++ linux-2.6.35.4/drivers/char/ipmi/ipmi_si_intf.c 2010-09-17 20:12:09.000000000 -0400
23657@@ -286,7 +286,7 @@ struct smi_info {
58c5fc13
MT		 23658 unsigned char slave_addr;
23659
23660 /* Counters and things for the proc filesystem. */
23661- atomic_t stats[SI_NUM_STATS];
23662+ atomic_unchecked_t stats[SI_NUM_STATS];
23663
23664 struct task_struct *thread;
23665
57199397 23666@@ -294,9 +294,9 @@ struct smi_info {
58c5fc13
MT		 23667 };
23668
23669 #define smi_inc_stat(smi, stat) \
23670- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23671+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23672 #define smi_get_stat(smi, stat) \
23673- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23674+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23675
23676 #define SI_MAX_PARMS 4
23677
57199397 23678@@ -3143,7 +3143,7 @@ static int try_smi_init(struct smi_info
58c5fc13
MT		 23679 atomic_set(&new_smi->req_events, 0);
23680 new_smi->run_to_completion = 0;
23681 for (i = 0; i < SI_NUM_STATS; i++)
23682- atomic_set(&new_smi->stats[i], 0);
23683+ atomic_set_unchecked(&new_smi->stats[i], 0);
23684
57199397 23685 new_smi->interrupt_disabled = 1;
58c5fc13 23686 atomic_set(&new_smi->stop_operation, 0);
57199397
MT		 23687diff -urNp linux-2.6.35.4/drivers/char/keyboard.c linux-2.6.35.4/drivers/char/keyboard.c
23688--- linux-2.6.35.4/drivers/char/keyboard.c 2010-08-26 19:47:12.000000000 -0400
23689+++ linux-2.6.35.4/drivers/char/keyboard.c 2010-09-17 20:12:37.000000000 -0400
23690@@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
58c5fc13
MT		 23691 kbd->kbdmode == VC_MEDIUMRAW) &&
23692 value != KVAL(K_SAK))
23693 return; /* SAK is allowed even in raw mode */
23694+
23695+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
23696+ {
23697+ void *func = fn_handler[value];
23698+ if (func == fn_show_state || func == fn_show_ptregs ||
23699+ func == fn_show_mem)
23700+ return;
23701+ }
23702+#endif
23703+
23704 fn_handler[value](vc);
23705 }
23706
57199397 23707@@ -1392,7 +1402,7 @@ static const struct input_device_id kbd_
58c5fc13
MT		 23708 .evbit = { BIT_MASK(EV_SND) },
23709 },
23710
23711- { }, /* Terminating entry */
23712+ { 0 }, /* Terminating entry */
23713 };
23714
23715 MODULE_DEVICE_TABLE(input, kbd_ids);
57199397
MT		 23716diff -urNp linux-2.6.35.4/drivers/char/mem.c linux-2.6.35.4/drivers/char/mem.c
23717--- linux-2.6.35.4/drivers/char/mem.c 2010-08-26 19:47:12.000000000 -0400
23718+++ linux-2.6.35.4/drivers/char/mem.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 23719@@ -18,6 +18,7 @@
23720 #include <linux/raw.h>
23721 #include <linux/tty.h>
23722 #include <linux/capability.h>
23723+#include <linux/security.h>
23724 #include <linux/ptrace.h>
23725 #include <linux/device.h>
23726 #include <linux/highmem.h>
ae4e228f 23727@@ -34,6 +35,10 @@
58c5fc13
MT		 23728 # include <linux/efi.h>
23729 #endif
23730
23731+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23732+extern struct file_operations grsec_fops;
23733+#endif
23734+
ae4e228f
MT		 23735 static inline unsigned long size_inside_page(unsigned long start,
23736 unsigned long size)
23737 {
57199397
MT		 23738@@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23739
23740 while (count > 0) {
23741 unsigned long remaining;
23742+ char *temp;
23743
23744 sz = size_inside_page(p, count);
23745
23746@@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23747 if (!ptr)
23748 return -EFAULT;
23749
23750- remaining = copy_to_user(buf, ptr, sz);
23751+#ifdef CONFIG_PAX_USERCOPY
23752+ temp = kmalloc(sz, GFP_KERNEL);
23753+ if (!temp) {
23754+ unxlate_dev_mem_ptr(p, ptr);
23755+ return -ENOMEM;
23756+ }
23757+ memcpy(temp, ptr, sz);
23758+#else
23759+ temp = ptr;
23760+#endif
23761+
23762+ remaining = copy_to_user(buf, temp, sz);
23763+
23764+#ifdef CONFIG_PAX_USERCOPY
23765+ kfree(temp);
23766+#endif
23767+
23768 unxlate_dev_mem_ptr(p, ptr);
23769 if (remaining)
23770 return -EFAULT;
23771@@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
58c5fc13
MT		 23772 if (!valid_phys_addr_range(p, count))
23773 return -EFAULT;
23774
23775+#ifdef CONFIG_GRKERNSEC_KMEM
23776+ gr_handle_mem_write();
23777+ return -EPERM;
23778+#endif
23779+
23780 written = 0;
23781
23782 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
57199397 23783@@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
58c5fc13
MT		 23784 &vma->vm_page_prot))
23785 return -EINVAL;
23786
23787+#ifdef CONFIG_GRKERNSEC_KMEM
23788+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23789+ return -EPERM;
23790+#endif
23791+
23792 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23793 size,
23794 vma->vm_page_prot);
57199397
MT		 23795@@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23796 size_t count, loff_t *ppos)
23797 {
23798 unsigned long p = *ppos;
23799- ssize_t low_count, read, sz;
23800+ ssize_t low_count, read, sz, err = 0;
23801 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23802- int err = 0;
23803
23804 read = 0;
23805 if (p < (unsigned long) high_memory) {
23806@@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23807 }
23808 #endif
23809 while (low_count > 0) {
23810+ char *temp;
23811+
23812 sz = size_inside_page(p, low_count);
23813
23814 /*
23815@@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23816 */
23817 kbuf = xlate_dev_kmem_ptr((char *)p);
23818
23819- if (copy_to_user(buf, kbuf, sz))
23820+#ifdef CONFIG_PAX_USERCOPY
23821+ temp = kmalloc(sz, GFP_KERNEL);
23822+ if (!temp)
23823+ return -ENOMEM;
23824+ memcpy(temp, kbuf, sz);
23825+#else
23826+ temp = kbuf;
23827+#endif
23828+
23829+ err = copy_to_user(buf, temp, sz);
23830+
23831+#ifdef CONFIG_PAX_USERCOPY
23832+ kfree(temp);
23833+#endif
23834+
23835+ if (err)
23836 return -EFAULT;
23837 buf += sz;
23838 p += sz;
23839@@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
58c5fc13 23840 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
ae4e228f 23841 int err = 0;
58c5fc13
MT		 23842
23843+#ifdef CONFIG_GRKERNSEC_KMEM
23844+ gr_handle_kmem_write();
23845+ return -EPERM;
23846+#endif
23847+
23848 if (p < (unsigned long) high_memory) {
ae4e228f
MT		 23849 unsigned long to_write = min_t(unsigned long, count,
23850 (unsigned long)high_memory - p);
57199397 23851@@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
58c5fc13
MT		 23852
23853 static int open_port(struct inode * inode, struct file * filp)
23854 {
23855+#ifdef CONFIG_GRKERNSEC_KMEM
23856+ gr_handle_open_port();
23857+ return -EPERM;
23858+#endif
23859+
23860+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23861+}
23862+
23863+static int open_mem(struct inode * inode, struct file * filp)
23864+{
23865 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23866 }
23867
57199397 23868@@ -738,7 +801,6 @@ static int open_port(struct inode * inod
58c5fc13
MT		 23869 #define full_lseek null_lseek
23870 #define write_zero write_null
23871 #define read_full read_zero
23872-#define open_mem open_port
23873 #define open_kmem open_mem
23874 #define open_oldmem open_mem
23875
57199397 23876@@ -854,6 +916,9 @@ static const struct memdev {
58c5fc13 23877 #ifdef CONFIG_CRASH_DUMP
ae4e228f 23878 [12] = { "oldmem", 0, &oldmem_fops, NULL },
58c5fc13
MT		 23879 #endif
23880+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
ae4e228f 23881+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
58c5fc13
MT		 23882+#endif
23883 };
23884
23885 static int memory_open(struct inode *inode, struct file *filp)
57199397
MT		 23886diff -urNp linux-2.6.35.4/drivers/char/n_tty.c linux-2.6.35.4/drivers/char/n_tty.c
23887--- linux-2.6.35.4/drivers/char/n_tty.c 2010-08-26 19:47:12.000000000 -0400
23888+++ linux-2.6.35.4/drivers/char/n_tty.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 23889@@ -2105,6 +2105,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
23890 {
23891 *ops = tty_ldisc_N_TTY;
23892 ops->owner = NULL;
23893- ops->refcount = ops->flags = 0;
23894+ atomic_set(&ops->refcount, 0);
23895+ ops->flags = 0;
23896 }
23897 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
57199397
MT		 23898diff -urNp linux-2.6.35.4/drivers/char/nvram.c linux-2.6.35.4/drivers/char/nvram.c
23899--- linux-2.6.35.4/drivers/char/nvram.c 2010-08-26 19:47:12.000000000 -0400
23900+++ linux-2.6.35.4/drivers/char/nvram.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 23901@@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
ae4e228f
MT		 23902
23903 spin_unlock_irq(&rtc_lock);
58c5fc13 23904
ae4e228f
MT		 23905- if (copy_to_user(buf, contents, tmp - contents))
23906+ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
23907 return -EFAULT;
23908
23909 *ppos = i;
57199397 23910@@ -434,7 +434,10 @@ static const struct file_operations nvra
58c5fc13
MT		 23911 static struct miscdevice nvram_dev = {
23912 NVRAM_MINOR,
23913 "nvram",
23914- &nvram_fops
23915+ &nvram_fops,
23916+ {NULL, NULL},
23917+ NULL,
23918+ NULL
23919 };
23920
23921 static int __init nvram_init(void)
57199397
MT		 23922diff -urNp linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c
23923--- linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c 2010-08-26 19:47:12.000000000 -0400
23924+++ linux-2.6.35.4/drivers/char/pcmcia/ipwireless/tty.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 23925@@ -51,7 +51,7 @@ struct ipw_tty {
23926 int tty_type;
23927 struct ipw_network *network;
23928 struct tty_struct *linux_tty;
23929- int open_count;
23930+ atomic_t open_count;
23931 unsigned int control_lines;
23932 struct mutex ipw_tty_mutex;
23933 int tx_bytes_queued;
23934@@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
23935 mutex_unlock(&tty->ipw_tty_mutex);
23936 return -ENODEV;
23937 }
23938- if (tty->open_count == 0)
23939+ if (atomic_read(&tty->open_count) == 0)
23940 tty->tx_bytes_queued = 0;
23941
23942- tty->open_count++;
23943+ atomic_inc(&tty->open_count);
23944
23945 tty->linux_tty = linux_tty;
23946 linux_tty->driver_data = tty;
23947@@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
23948
23949 static void do_ipw_close(struct ipw_tty *tty)
23950 {
23951- tty->open_count--;
23952-
23953- if (tty->open_count == 0) {
23954+ if (atomic_dec_return(&tty->open_count) == 0) {
23955 struct tty_struct *linux_tty = tty->linux_tty;
23956
23957 if (linux_tty != NULL) {
23958@@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
23959 return;
23960
23961 mutex_lock(&tty->ipw_tty_mutex);
23962- if (tty->open_count == 0) {
23963+ if (atomic_read(&tty->open_count) == 0) {
23964 mutex_unlock(&tty->ipw_tty_mutex);
23965 return;
23966 }
23967@@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
23968 return;
23969 }
23970
23971- if (!tty->open_count) {
23972+ if (!atomic_read(&tty->open_count)) {
23973 mutex_unlock(&tty->ipw_tty_mutex);
23974 return;
23975 }
23976@@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
23977 return -ENODEV;
23978
23979 mutex_lock(&tty->ipw_tty_mutex);
23980- if (!tty->open_count) {
23981+ if (!atomic_read(&tty->open_count)) {
23982 mutex_unlock(&tty->ipw_tty_mutex);
23983 return -EINVAL;
23984 }
23985@@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
23986 if (!tty)
23987 return -ENODEV;
23988
23989- if (!tty->open_count)
23990+ if (!atomic_read(&tty->open_count))
23991 return -EINVAL;
23992
23993 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23994@@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
23995 if (!tty)
23996 return 0;
23997
23998- if (!tty->open_count)
23999+ if (!atomic_read(&tty->open_count))
24000 return 0;
24001
24002 return tty->tx_bytes_queued;
24003@@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
24004 if (!tty)
24005 return -ENODEV;
24006
24007- if (!tty->open_count)
24008+ if (!atomic_read(&tty->open_count))
24009 return -EINVAL;
24010
24011 return get_control_lines(tty);
24012@@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24013 if (!tty)
24014 return -ENODEV;
24015
24016- if (!tty->open_count)
24017+ if (!atomic_read(&tty->open_count))
24018 return -EINVAL;
24019
24020 return set_control_lines(tty, set, clear);
24021@@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
24022 if (!tty)
24023 return -ENODEV;
24024
24025- if (!tty->open_count)
24026+ if (!atomic_read(&tty->open_count))
24027 return -EINVAL;
24028
24029 /* FIXME: Exactly how is the tty object locked here .. */
57199397 24030@@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
58c5fc13
MT		 24031 against a parallel ioctl etc */
24032 mutex_lock(&ttyj->ipw_tty_mutex);
24033 }
24034- while (ttyj->open_count)
24035+ while (atomic_read(&ttyj->open_count))
24036 do_ipw_close(ttyj);
24037 ipwireless_disassociate_network_ttys(network,
24038 ttyj->channel_idx);
57199397
MT		 24039diff -urNp linux-2.6.35.4/drivers/char/pty.c linux-2.6.35.4/drivers/char/pty.c
24040--- linux-2.6.35.4/drivers/char/pty.c 2010-08-26 19:47:12.000000000 -0400
24041+++ linux-2.6.35.4/drivers/char/pty.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 24042@@ -677,7 +677,18 @@ static int ptmx_open(struct inode *inode
ae4e228f
MT		 24043 return ret;
24044 }
24045
24046-static struct file_operations ptmx_fops;
24047+static const struct file_operations ptmx_fops = {
24048+ .llseek = no_llseek,
24049+ .read = tty_read,
24050+ .write = tty_write,
24051+ .poll = tty_poll,
24052+ .unlocked_ioctl = tty_ioctl,
24053+ .compat_ioctl = tty_compat_ioctl,
24054+ .open = ptmx_open,
24055+ .release = tty_release,
24056+ .fasync = tty_fasync,
24057+};
24058+
24059
24060 static void __init unix98_pty_init(void)
24061 {
df50ba0c 24062@@ -731,9 +742,6 @@ static void __init unix98_pty_init(void)
ae4e228f
MT		 24063 register_sysctl_table(pty_root_table);
24064
24065 /* Now create the /dev/ptmx special device */
24066- tty_default_fops(&ptmx_fops);
24067- ptmx_fops.open = ptmx_open;
24068-
24069 cdev_init(&ptmx_cdev, &ptmx_fops);
24070 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
24071 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
57199397
MT		 24072diff -urNp linux-2.6.35.4/drivers/char/random.c linux-2.6.35.4/drivers/char/random.c
24073--- linux-2.6.35.4/drivers/char/random.c 2010-08-26 19:47:12.000000000 -0400
24074+++ linux-2.6.35.4/drivers/char/random.c 2010-09-17 20:24:41.000000000 -0400
ae4e228f 24075@@ -254,8 +254,13 @@
58c5fc13
MT		 24076 /*
24077 * Configuration information
24078 */
24079+#ifdef CONFIG_GRKERNSEC_RANDNET
24080+#define INPUT_POOL_WORDS 512
24081+#define OUTPUT_POOL_WORDS 128
24082+#else
24083 #define INPUT_POOL_WORDS 128
24084 #define OUTPUT_POOL_WORDS 32
24085+#endif
24086 #define SEC_XFER_SIZE 512
57199397 24087 #define EXTRACT_SIZE 10
58c5fc13 24088
57199397 24089@@ -293,10 +298,17 @@ static struct poolinfo {
58c5fc13
MT		 24090 int poolwords;
24091 int tap1, tap2, tap3, tap4, tap5;
24092 } poolinfo_table[] = {
24093+#ifdef CONFIG_GRKERNSEC_RANDNET
24094+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24095+ { 512, 411, 308, 208, 104, 1 },
24096+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24097+ { 128, 103, 76, 51, 25, 1 },
24098+#else
24099 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24100 { 128, 103, 76, 51, 25, 1 },
24101 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24102 { 32, 26, 20, 14, 7, 1 },
24103+#endif
24104 #if 0
24105 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24106 { 2048, 1638, 1231, 819, 411, 1 },
57199397 24107@@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
ae4e228f
MT		 24108
24109 extract_buf(r, tmp);
24110 i = min_t(int, nbytes, EXTRACT_SIZE);
24111- if (copy_to_user(buf, tmp, i)) {
24112+ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
24113 ret = -EFAULT;
24114 break;
24115 }
57199397 24116@@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
58c5fc13
MT		 24117 #include <linux/sysctl.h>
24118
24119 static int min_read_thresh = 8, min_write_thresh;
24120-static int max_read_thresh = INPUT_POOL_WORDS * 32;
24121+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24122 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24123 static char sysctl_bootid[16];
24124
57199397
MT		 24125diff -urNp linux-2.6.35.4/drivers/char/sonypi.c linux-2.6.35.4/drivers/char/sonypi.c
24126--- linux-2.6.35.4/drivers/char/sonypi.c 2010-08-26 19:47:12.000000000 -0400
24127+++ linux-2.6.35.4/drivers/char/sonypi.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 24128@@ -491,7 +491,7 @@ static struct sonypi_device {
58c5fc13
MT		 24129 spinlock_t fifo_lock;
24130 wait_queue_head_t fifo_proc_list;
24131 struct fasync_struct *fifo_async;
24132- int open_count;
24133+ atomic_t open_count;
24134 int model;
24135 struct input_dev *input_jog_dev;
24136 struct input_dev *input_key_dev;
df50ba0c 24137@@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
58c5fc13
MT		 24138 static int sonypi_misc_release(struct inode *inode, struct file *file)
24139 {
24140 mutex_lock(&sonypi_device.lock);
24141- sonypi_device.open_count--;
24142+ atomic_dec(&sonypi_device.open_count);
24143 mutex_unlock(&sonypi_device.lock);
24144 return 0;
24145 }
df50ba0c 24146@@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
ae4e228f 24147 {
58c5fc13
MT		 24148 mutex_lock(&sonypi_device.lock);
24149 /* Flush input queue on first open */
24150- if (!sonypi_device.open_count)
24151+ if (!atomic_read(&sonypi_device.open_count))
ae4e228f 24152 kfifo_reset(&sonypi_device.fifo);
58c5fc13
MT		 24153- sonypi_device.open_count++;
24154+ atomic_inc(&sonypi_device.open_count);
24155 mutex_unlock(&sonypi_device.lock);
ae4e228f 24156
58c5fc13 24157 return 0;
57199397
MT		 24158diff -urNp linux-2.6.35.4/drivers/char/tpm/tpm_bios.c linux-2.6.35.4/drivers/char/tpm/tpm_bios.c
24159--- linux-2.6.35.4/drivers/char/tpm/tpm_bios.c 2010-08-26 19:47:12.000000000 -0400
24160+++ linux-2.6.35.4/drivers/char/tpm/tpm_bios.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 24161@@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
ae4e228f
MT		 24162 event = addr;
24163
24164 if ((event->event_type == 0 && event->event_size == 0) ||
24165- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24166+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
24167 return NULL;
24168
24169 return addr;
df50ba0c 24170@@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
ae4e228f
MT		 24171 return NULL;
24172
24173 if ((event->event_type == 0 && event->event_size == 0) ||
24174- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24175+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24176 return NULL;
24177
24178 (*pos)++;
df50ba0c 24179@@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
ae4e228f
MT		 24180 int i;
24181
24182 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24183- seq_putc(m, data[i]);
24184+ if (!seq_putc(m, data[i]))
24185+ return -EFAULT;
24186
58c5fc13
MT		 24187 return 0;
24188 }
df50ba0c 24189@@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
ae4e228f 24190 log->bios_event_log_end = log->bios_event_log + len;
58c5fc13 24191
ae4e228f
MT		 24192 virt = acpi_os_map_memory(start, len);
24193+ if (!virt) {
24194+ kfree(log->bios_event_log);
24195+ log->bios_event_log = NULL;
24196+ return -EFAULT;
24197+ }
24198
24199 memcpy(log->bios_event_log, virt, len);
24200
57199397
MT		 24201diff -urNp linux-2.6.35.4/drivers/char/tty_io.c linux-2.6.35.4/drivers/char/tty_io.c
24202--- linux-2.6.35.4/drivers/char/tty_io.c 2010-08-26 19:47:12.000000000 -0400
24203+++ linux-2.6.35.4/drivers/char/tty_io.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 24204@@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
24205 DEFINE_MUTEX(tty_mutex);
24206 EXPORT_SYMBOL(tty_mutex);
24207
24208-static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24209-static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24210 ssize_t redirected_tty_write(struct file *, const char __user *,
24211 size_t, loff_t *);
24212-static unsigned int tty_poll(struct file *, poll_table *);
24213 static int tty_open(struct inode *, struct file *);
24214 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24215-#ifdef CONFIG_COMPAT
24216-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24217- unsigned long arg);
24218-#else
24219-#define tty_compat_ioctl NULL
24220-#endif
24221-static int tty_fasync(int fd, struct file *filp, int on);
24222 static void release_tty(struct tty_struct *tty, int idx);
24223 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24224 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24225@@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
24226 * read calls may be outstanding in parallel.
24227 */
24228
24229-static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24230+ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24231 loff_t *ppos)
24232 {
24233 int i;
24234@@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
24235 return i;
24236 }
24237
24238+EXPORT_SYMBOL(tty_read);
24239+
24240 void tty_write_unlock(struct tty_struct *tty)
24241 {
24242 mutex_unlock(&tty->atomic_write_lock);
24243@@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
24244 * write method will not be invoked in parallel for each device.
24245 */
24246
24247-static ssize_t tty_write(struct file *file, const char __user *buf,
24248+ssize_t tty_write(struct file *file, const char __user *buf,
24249 size_t count, loff_t *ppos)
24250 {
24251 struct tty_struct *tty;
24252@@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
24253 return ret;
24254 }
24255
24256+EXPORT_SYMBOL(tty_write);
24257+
24258 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24259 size_t count, loff_t *ppos)
24260 {
df50ba0c 24261@@ -1897,6 +1891,8 @@ got_driver:
ae4e228f
MT		 24262
24263
24264
24265+EXPORT_SYMBOL(tty_release);
24266+
24267 /**
24268 * tty_poll - check tty status
24269 * @filp: file being polled
df50ba0c 24270@@ -1909,7 +1905,7 @@ got_driver:
ae4e228f
MT		 24271 * may be re-entered freely by other callers.
24272 */
58c5fc13 24273
ae4e228f
MT		 24274-static unsigned int tty_poll(struct file *filp, poll_table *wait)
24275+unsigned int tty_poll(struct file *filp, poll_table *wait)
24276 {
24277 struct tty_struct *tty;
24278 struct tty_ldisc *ld;
df50ba0c 24279@@ -1926,7 +1922,9 @@ static unsigned int tty_poll(struct file
ae4e228f
MT		 24280 return ret;
24281 }
24282
24283-static int tty_fasync(int fd, struct file *filp, int on)
24284+EXPORT_SYMBOL(tty_poll);
24285+
24286+int tty_fasync(int fd, struct file *filp, int on)
24287 {
24288 struct tty_struct *tty;
24289 unsigned long flags;
df50ba0c 24290@@ -1970,6 +1968,8 @@ out:
ae4e228f
MT		 24291 return retval;
24292 }
24293
24294+EXPORT_SYMBOL(tty_fasync);
24295+
24296 /**
24297 * tiocsti - fake input character
24298 * @tty: tty to fake input into
df50ba0c 24299@@ -2602,8 +2602,10 @@ long tty_ioctl(struct file *file, unsign
ae4e228f
MT		 24300 return retval;
24301 }
24302
24303+EXPORT_SYMBOL(tty_ioctl);
24304+
24305 #ifdef CONFIG_COMPAT
24306-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24307+long tty_compat_ioctl(struct file *file, unsigned int cmd,
24308 unsigned long arg)
24309 {
24310 struct inode *inode = file->f_dentry->d_inode;
df50ba0c 24311@@ -2627,6 +2629,9 @@ static long tty_compat_ioctl(struct file
ae4e228f
MT		 24312
24313 return retval;
24314 }
24315+
24316+EXPORT_SYMBOL(tty_compat_ioctl);
24317+
24318 #endif
24319
24320 /*
df50ba0c 24321@@ -3070,11 +3075,6 @@ struct tty_struct *get_current_tty(void)
ae4e228f
MT		 24322 }
24323 EXPORT_SYMBOL_GPL(get_current_tty);
24324
24325-void tty_default_fops(struct file_operations *fops)
24326-{
24327- *fops = tty_fops;
24328-}
24329-
24330 /*
24331 * Initialize the console device. This is called *early*, so
24332 * we can't necessarily depend on lots of kernel help here.
57199397
MT		 24333diff -urNp linux-2.6.35.4/drivers/char/tty_ldisc.c linux-2.6.35.4/drivers/char/tty_ldisc.c
24334--- linux-2.6.35.4/drivers/char/tty_ldisc.c 2010-08-26 19:47:12.000000000 -0400
24335+++ linux-2.6.35.4/drivers/char/tty_ldisc.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 24336@@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
58c5fc13
MT		 24337 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24338 struct tty_ldisc_ops *ldo = ld->ops;
24339
24340- ldo->refcount--;
24341+ atomic_dec(&ldo->refcount);
24342 module_put(ldo->owner);
24343 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24344
ae4e228f 24345@@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
58c5fc13
MT		 24346 spin_lock_irqsave(&tty_ldisc_lock, flags);
24347 tty_ldiscs[disc] = new_ldisc;
24348 new_ldisc->num = disc;
24349- new_ldisc->refcount = 0;
24350+ atomic_set(&new_ldisc->refcount, 0);
24351 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24352
24353 return ret;
ae4e228f 24354@@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
58c5fc13
MT		 24355 return -EINVAL;
24356
24357 spin_lock_irqsave(&tty_ldisc_lock, flags);
24358- if (tty_ldiscs[disc]->refcount)
24359+ if (atomic_read(&tty_ldiscs[disc]->refcount))
24360 ret = -EBUSY;
24361 else
24362 tty_ldiscs[disc] = NULL;
ae4e228f
MT		 24363@@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
24364 if (ldops) {
24365 ret = ERR_PTR(-EAGAIN);
24366 if (try_module_get(ldops->owner)) {
58c5fc13
MT		 24367- ldops->refcount++;
24368+ atomic_inc(&ldops->refcount);
ae4e228f
MT		 24369 ret = ldops;
24370 }
24371 }
24372@@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
24373 unsigned long flags;
24374
24375 spin_lock_irqsave(&tty_ldisc_lock, flags);
24376- ldops->refcount--;
24377+ atomic_dec(&ldops->refcount);
24378 module_put(ldops->owner);
24379 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24380 }
57199397
MT		 24381diff -urNp linux-2.6.35.4/drivers/char/vt_ioctl.c linux-2.6.35.4/drivers/char/vt_ioctl.c
24382--- linux-2.6.35.4/drivers/char/vt_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24383+++ linux-2.6.35.4/drivers/char/vt_ioctl.c 2010-09-17 20:12:37.000000000 -0400
24384@@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24385 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
24386 return -EFAULT;
24387
24388- if (!capable(CAP_SYS_TTY_CONFIG))
24389- perm = 0;
24390-
24391 switch (cmd) {
24392 case KDGKBENT:
24393 key_map = key_maps[s];
24394@@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24395 val = (i ? K_HOLE : K_NOSUCHMAP);
24396 return put_user(val, &user_kbe->kb_value);
58c5fc13 24397 case KDSKBENT:
57199397
MT		 24398+ if (!capable(CAP_SYS_TTY_CONFIG))
24399+ perm = 0;
24400+
58c5fc13
MT		 24401 if (!perm)
24402 return -EPERM;
58c5fc13
MT		 24403+
24404 if (!i && v == K_NOSUCHMAP) {
24405 /* deallocate map */
24406 key_map = key_maps[s];
57199397
MT		 24407@@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24408 int i, j, k;
24409 int ret;
58c5fc13 24410
57199397
MT		 24411- if (!capable(CAP_SYS_TTY_CONFIG))
24412- perm = 0;
24413-
24414 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
24415 if (!kbs) {
24416 ret = -ENOMEM;
24417@@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24418 kfree(kbs);
24419 return ((p && *p) ? -EOVERFLOW : 0);
24420 case KDSKBSENT:
24421+ if (!capable(CAP_SYS_TTY_CONFIG))
24422+ perm = 0;
58c5fc13 24423+
57199397
MT		 24424 if (!perm) {
24425 ret = -EPERM;
24426 goto reterr;
24427diff -urNp linux-2.6.35.4/drivers/cpuidle/sysfs.c linux-2.6.35.4/drivers/cpuidle/sysfs.c
24428--- linux-2.6.35.4/drivers/cpuidle/sysfs.c 2010-08-26 19:47:12.000000000 -0400
24429+++ linux-2.6.35.4/drivers/cpuidle/sysfs.c 2010-09-17 20:12:09.000000000 -0400
24430@@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
df50ba0c 24431 .release = cpuidle_state_sysfs_release,
ae4e228f
MT		 24432 };
24433
df50ba0c
MT		 24434-static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24435+static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24436 {
24437 kobject_put(&device->kobjs[i]->kobj);
24438 wait_for_completion(&device->kobjs[i]->kobj_unregister);
57199397
MT		 24439diff -urNp linux-2.6.35.4/drivers/edac/edac_core.h linux-2.6.35.4/drivers/edac/edac_core.h
24440--- linux-2.6.35.4/drivers/edac/edac_core.h 2010-08-26 19:47:12.000000000 -0400
24441+++ linux-2.6.35.4/drivers/edac/edac_core.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 24442@@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
58c5fc13
MT		 24443
24444 #else /* !CONFIG_EDAC_DEBUG */
24445
24446-#define debugf0( ... )
24447-#define debugf1( ... )
24448-#define debugf2( ... )
24449-#define debugf3( ... )
24450-#define debugf4( ... )
24451+#define debugf0( ... ) do {} while (0)
24452+#define debugf1( ... ) do {} while (0)
24453+#define debugf2( ... ) do {} while (0)
24454+#define debugf3( ... ) do {} while (0)
24455+#define debugf4( ... ) do {} while (0)
24456
24457 #endif /* !CONFIG_EDAC_DEBUG */
24458
57199397
MT		 24459diff -urNp linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c
24460--- linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c 2010-08-26 19:47:12.000000000 -0400
24461+++ linux-2.6.35.4/drivers/edac/edac_mc_sysfs.c 2010-09-17 20:12:09.000000000 -0400
24462@@ -776,7 +776,7 @@ static void edac_inst_grp_release(struct
24463 }
24464
24465 /* Intermediate show/store table */
24466-static struct sysfs_ops inst_grp_ops = {
24467+static const struct sysfs_ops inst_grp_ops = {
24468 .show = inst_grp_show,
24469 .store = inst_grp_store
24470 };
24471diff -urNp linux-2.6.35.4/drivers/firewire/core-cdev.c linux-2.6.35.4/drivers/firewire/core-cdev.c
24472--- linux-2.6.35.4/drivers/firewire/core-cdev.c 2010-08-26 19:47:12.000000000 -0400
24473+++ linux-2.6.35.4/drivers/firewire/core-cdev.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 24474@@ -1195,8 +1195,7 @@ static int init_iso_resource(struct clie
24475 int ret;
ae4e228f 24476
df50ba0c
MT		 24477 if ((request->channels == 0 && request->bandwidth == 0) ||
24478- request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24479- request->bandwidth < 0)
24480+ request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24481 return -EINVAL;
ae4e228f 24482
df50ba0c 24483 r = kmalloc(sizeof(*r), GFP_KERNEL);
57199397
MT		 24484diff -urNp linux-2.6.35.4/drivers/firmware/dmi_scan.c linux-2.6.35.4/drivers/firmware/dmi_scan.c
24485--- linux-2.6.35.4/drivers/firmware/dmi_scan.c 2010-08-26 19:47:12.000000000 -0400
24486+++ linux-2.6.35.4/drivers/firmware/dmi_scan.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 24487@@ -387,11 +387,6 @@ void __init dmi_scan_machine(void)
58c5fc13
MT		 24488 }
24489 }
24490 else {
24491- /*
24492- * no iounmap() for that ioremap(); it would be a no-op, but
24493- * it's so early in setup that sucker gets confused into doing
24494- * what it shouldn't if we actually call it.
24495- */
24496 p = dmi_ioremap(0xF0000, 0x10000);
24497 if (p == NULL)
24498 goto error;
57199397
MT		 24499diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_drv.c linux-2.6.35.4/drivers/gpu/drm/drm_drv.c
24500--- linux-2.6.35.4/drivers/gpu/drm/drm_drv.c 2010-08-26 19:47:12.000000000 -0400
24501+++ linux-2.6.35.4/drivers/gpu/drm/drm_drv.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 24502@@ -449,7 +449,7 @@ long drm_ioctl(struct file *filp,
ae4e228f
MT		 24503
24504 dev = file_priv->minor->dev;
58c5fc13
MT		 24505 atomic_inc(&dev->ioctl_count);
24506- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24507+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24508 ++file_priv->ioctl_count;
24509
24510 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
57199397
MT		 24511diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_fops.c linux-2.6.35.4/drivers/gpu/drm/drm_fops.c
24512--- linux-2.6.35.4/drivers/gpu/drm/drm_fops.c 2010-08-26 19:47:12.000000000 -0400
24513+++ linux-2.6.35.4/drivers/gpu/drm/drm_fops.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 24514@@ -67,7 +67,7 @@ static int drm_setup(struct drm_device *
58c5fc13
MT		 24515 }
24516
24517 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24518- atomic_set(&dev->counts[i], 0);
24519+ atomic_set_unchecked(&dev->counts[i], 0);
24520
24521 dev->sigdata.lock = NULL;
24522
df50ba0c 24523@@ -131,9 +131,9 @@ int drm_open(struct inode *inode, struct
58c5fc13
MT		 24524
24525 retcode = drm_open_helper(inode, filp, dev);
24526 if (!retcode) {
24527- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24528+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24529 spin_lock(&dev->count_lock);
24530- if (!dev->open_count++) {
24531+ if (atomic_inc_return(&dev->open_count) == 1) {
24532 spin_unlock(&dev->count_lock);
24533 retcode = drm_setup(dev);
24534 goto out;
57199397 24535@@ -474,7 +474,7 @@ int drm_release(struct inode *inode, str
58c5fc13
MT		 24536
24537 lock_kernel();
24538
24539- DRM_DEBUG("open_count = %d\n", dev->open_count);
24540+ DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24541
24542 if (dev->driver->preclose)
24543 dev->driver->preclose(dev, file_priv);
57199397 24544@@ -486,7 +486,7 @@ int drm_release(struct inode *inode, str
58c5fc13
MT		 24545 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24546 task_pid_nr(current),
24547 (long)old_encode_dev(file_priv->minor->device),
24548- dev->open_count);
24549+ atomic_read(&dev->open_count));
24550
24551 /* if the master has gone away we can't do anything with the lock */
24552 if (file_priv->minor->master)
57199397 24553@@ -567,9 +567,9 @@ int drm_release(struct inode *inode, str
58c5fc13
MT		 24554 * End inline drm_release
24555 */
24556
24557- atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24558+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24559 spin_lock(&dev->count_lock);
24560- if (!--dev->open_count) {
24561+ if (atomic_dec_and_test(&dev->open_count)) {
24562 if (atomic_read(&dev->ioctl_count)) {
24563 DRM_ERROR("Device busy: %d\n",
24564 atomic_read(&dev->ioctl_count));
57199397
MT		 24565diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c
24566--- linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c 2010-08-26 19:47:12.000000000 -0400
24567+++ linux-2.6.35.4/drivers/gpu/drm/drm_ioctl.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 24568@@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
24569 stats->data[i].value =
24570 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24571 else
24572- stats->data[i].value = atomic_read(&dev->counts[i]);
24573+ stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24574 stats->data[i].type = dev->types[i];
24575 }
24576
57199397
MT		 24577diff -urNp linux-2.6.35.4/drivers/gpu/drm/drm_lock.c linux-2.6.35.4/drivers/gpu/drm/drm_lock.c
24578--- linux-2.6.35.4/drivers/gpu/drm/drm_lock.c 2010-08-26 19:47:12.000000000 -0400
24579+++ linux-2.6.35.4/drivers/gpu/drm/drm_lock.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 24580@@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
24581 if (drm_lock_take(&master->lock, lock->context)) {
24582 master->lock.file_priv = file_priv;
24583 master->lock.lock_time = jiffies;
24584- atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24585+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24586 break; /* Got lock */
24587 }
24588
24589@@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
24590 return -EINVAL;
24591 }
24592
24593- atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24594+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24595
24596 /* kernel_context_switch isn't used by any of the x86 drm
24597 * modules but is required by the Sparc driver.
57199397
MT		 24598diff -urNp linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c
24599--- linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c 2010-08-26 19:47:12.000000000 -0400
24600+++ linux-2.6.35.4/drivers/gpu/drm/i810/i810_dma.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 24601@@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
58c5fc13
MT		 24602 dma->buflist[vertex->idx],
24603 vertex->discard, vertex->used);
24604
24605- atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24606- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24607+ atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24608+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24609 sarea_priv->last_enqueue = dev_priv->counter - 1;
24610 sarea_priv->last_dispatch = (int)hw_status[5];
24611
df50ba0c 24612@@ -1116,8 +1116,8 @@ static int i810_dma_mc(struct drm_device
58c5fc13
MT		 24613 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24614 mc->last_render);
24615
24616- atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24617- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24618+ atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24619+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24620 sarea_priv->last_enqueue = dev_priv->counter - 1;
24621 sarea_priv->last_dispatch = (int)hw_status[5];
24622
57199397
MT		 24623diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c
24624--- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c 2010-08-26 19:47:12.000000000 -0400
24625+++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7017.c 2010-09-17 20:12:09.000000000 -0400
24626@@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
24627 }
24628 }
24629
24630-struct intel_dvo_dev_ops ch7017_ops = {
24631+const struct intel_dvo_dev_ops ch7017_ops = {
24632 .init = ch7017_init,
24633 .detect = ch7017_detect,
24634 .mode_valid = ch7017_mode_valid,
24635diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c
24636--- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-08-26 19:47:12.000000000 -0400
24637+++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-09-17 20:12:09.000000000 -0400
24638@@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
24639 }
24640 }
24641
24642-struct intel_dvo_dev_ops ch7xxx_ops = {
24643+const struct intel_dvo_dev_ops ch7xxx_ops = {
24644 .init = ch7xxx_init,
24645 .detect = ch7xxx_detect,
24646 .mode_valid = ch7xxx_mode_valid,
24647diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h
24648--- linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h 2010-08-26 19:47:12.000000000 -0400
24649+++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo.h 2010-09-17 20:12:09.000000000 -0400
24650@@ -125,23 +125,23 @@ struct intel_dvo_dev_ops {
ae4e228f
MT		 24651 *
24652 * \return singly-linked list of modes or NULL if no modes found.
24653 */
24654- struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24655+ struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24656
24657 /**
24658 * Clean up driver-specific bits of the output
24659 */
24660- void (*destroy) (struct intel_dvo_device *dvo);
24661+ void (* const destroy) (struct intel_dvo_device *dvo);
24662
24663 /**
24664 * Debugging hook to dump device registers to log file
24665 */
24666- void (*dump_regs)(struct intel_dvo_device *dvo);
24667+ void (* const dump_regs)(struct intel_dvo_device *dvo);
24668 };
24669
24670-extern struct intel_dvo_dev_ops sil164_ops;
24671-extern struct intel_dvo_dev_ops ch7xxx_ops;
24672-extern struct intel_dvo_dev_ops ivch_ops;
24673-extern struct intel_dvo_dev_ops tfp410_ops;
24674-extern struct intel_dvo_dev_ops ch7017_ops;
24675+extern const struct intel_dvo_dev_ops sil164_ops;
24676+extern const struct intel_dvo_dev_ops ch7xxx_ops;
24677+extern const struct intel_dvo_dev_ops ivch_ops;
24678+extern const struct intel_dvo_dev_ops tfp410_ops;
24679+extern const struct intel_dvo_dev_ops ch7017_ops;
24680
24681 #endif /* _INTEL_DVO_H */
57199397
MT		 24682diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c
24683--- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c 2010-08-26 19:47:12.000000000 -0400
24684+++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_ivch.c 2010-09-17 20:12:09.000000000 -0400
24685@@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
ae4e228f
MT		 24686 }
24687 }
24688
24689-struct intel_dvo_dev_ops ivch_ops= {
24690+const struct intel_dvo_dev_ops ivch_ops= {
24691 .init = ivch_init,
24692 .dpms = ivch_dpms,
57199397
MT		 24693 .mode_valid = ivch_mode_valid,
24694diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c
24695--- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c 2010-08-26 19:47:12.000000000 -0400
24696+++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_sil164.c 2010-09-17 20:12:09.000000000 -0400
24697@@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
ae4e228f
MT		 24698 }
24699 }
24700
24701-struct intel_dvo_dev_ops sil164_ops = {
24702+const struct intel_dvo_dev_ops sil164_ops = {
24703 .init = sil164_init,
24704 .detect = sil164_detect,
24705 .mode_valid = sil164_mode_valid,
57199397
MT		 24706diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c
24707--- linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c 2010-08-26 19:47:12.000000000 -0400
24708+++ linux-2.6.35.4/drivers/gpu/drm/i915/dvo_tfp410.c 2010-09-17 20:12:09.000000000 -0400
24709@@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
ae4e228f
MT		 24710 }
24711 }
24712
24713-struct intel_dvo_dev_ops tfp410_ops = {
24714+const struct intel_dvo_dev_ops tfp410_ops = {
24715 .init = tfp410_init,
24716 .detect = tfp410_detect,
24717 .mode_valid = tfp410_mode_valid,
57199397
MT		 24718diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c
24719--- linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c 2010-08-26 19:47:12.000000000 -0400
24720+++ linux-2.6.35.4/drivers/gpu/drm/i915/i915_dma.c 2010-09-17 20:12:09.000000000 -0400
24721@@ -1342,7 +1342,7 @@ static bool i915_switcheroo_can_switch(s
efbe55a5
MT		 24722 bool can_switch;
24723
24724 spin_lock(&dev->count_lock);
24725- can_switch = (dev->open_count == 0);
24726+ can_switch = (atomic_read(&dev->open_count) == 0);
24727 spin_unlock(&dev->count_lock);
24728 return can_switch;
24729 }
57199397
MT		 24730diff -urNp linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c
24731--- linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c 2010-08-26 19:47:12.000000000 -0400
24732+++ linux-2.6.35.4/drivers/gpu/drm/i915/i915_drv.c 2010-09-17 20:12:09.000000000 -0400
24733@@ -491,7 +491,7 @@ const struct dev_pm_ops i915_pm_ops = {
ae4e228f
MT		 24734 .restore = i915_pm_resume,
24735 };
24736
58c5fc13
MT		 24737-static struct vm_operations_struct i915_gem_vm_ops = {
24738+static const struct vm_operations_struct i915_gem_vm_ops = {
24739 .fault = i915_gem_fault,
24740 .open = drm_gem_vm_open,
24741 .close = drm_gem_vm_close,
57199397
MT		 24742diff -urNp linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c
24743--- linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-08-26 19:47:12.000000000 -0400
24744+++ linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 24745@@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
24746 return 0;
24747 }
24748
24749-static struct backlight_ops nv40_bl_ops = {
24750+static const struct backlight_ops nv40_bl_ops = {
24751 .options = BL_CORE_SUSPENDRESUME,
24752 .get_brightness = nv40_get_intensity,
24753 .update_status = nv40_set_intensity,
24754@@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
24755 return 0;
24756 }
24757
24758-static struct backlight_ops nv50_bl_ops = {
24759+static const struct backlight_ops nv50_bl_ops = {
24760 .options = BL_CORE_SUSPENDRESUME,
24761 .get_brightness = nv50_get_intensity,
24762 .update_status = nv50_set_intensity,
57199397
MT		 24763diff -urNp linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c
24764--- linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c 2010-08-26 19:47:12.000000000 -0400
24765+++ linux-2.6.35.4/drivers/gpu/drm/nouveau/nouveau_state.c 2010-09-17 20:12:09.000000000 -0400
24766@@ -395,7 +395,7 @@ static bool nouveau_switcheroo_can_switc
efbe55a5
MT		 24767 bool can_switch;
24768
24769 spin_lock(&dev->count_lock);
24770- can_switch = (dev->open_count == 0);
24771+ can_switch = (atomic_read(&dev->open_count) == 0);
24772 spin_unlock(&dev->count_lock);
24773 return can_switch;
24774 }
57199397
MT		 24775diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c
24776--- linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c 2010-08-26 19:47:12.000000000 -0400
24777+++ linux-2.6.35.4/drivers/gpu/drm/radeon/mkregtable.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 24778@@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24779 regex_t mask_rex;
24780 regmatch_t match[4];
24781 char buf[1024];
24782- size_t end;
24783+ long end;
24784 int len;
24785 int done = 0;
24786 int r;
24787 unsigned o;
24788 struct offset *offset;
24789 char last_reg_s[10];
24790- int last_reg;
24791+ unsigned long last_reg;
24792
24793 if (regcomp
24794 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
57199397
MT		 24795diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c
24796--- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c 2010-08-26 19:47:12.000000000 -0400
24797+++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_device.c 2010-09-17 20:12:09.000000000 -0400
24798@@ -562,7 +562,7 @@ static bool radeon_switcheroo_can_switch
df50ba0c 24799 bool can_switch;
58c5fc13 24800
df50ba0c
MT		 24801 spin_lock(&dev->count_lock);
24802- can_switch = (dev->open_count == 0);
24803+ can_switch = (atomic_read(&dev->open_count) == 0);
24804 spin_unlock(&dev->count_lock);
24805 return can_switch;
24806 }
57199397
MT		 24807diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c
24808--- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c 2010-08-26 19:47:12.000000000 -0400
24809+++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_display.c 2010-09-17 20:12:09.000000000 -0400
24810@@ -559,7 +559,7 @@ static void radeon_compute_pll_legacy(st
df50ba0c
MT		 24811
24812 if (pll->flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
24813 error = freq - current_freq;
24814- error = error < 0 ? 0xffffffff : error;
24815+ error = (int32_t)error < 0 ? 0xffffffff : error;
24816 } else
24817 error = abs(current_freq - freq);
24818 vco_diff = abs(vco - best_vco);
57199397
MT		 24819diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c
24820--- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c 2010-08-26 19:47:12.000000000 -0400
24821+++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_state.c 2010-09-17 20:12:09.000000000 -0400
efbe55a5 24822@@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
ae4e228f
MT		 24823 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24824 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24825
24826- if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24827+ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24828 sarea_priv->nbox * sizeof(depth_boxes[0])))
24829 return -EFAULT;
24830
efbe55a5 24831@@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
58c5fc13
MT		 24832 {
24833 drm_radeon_private_t *dev_priv = dev->dev_private;
24834 drm_radeon_getparam_t *param = data;
24835- int value;
24836+ int value = 0;
24837
24838 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24839
57199397
MT		 24840diff -urNp linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c
24841--- linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c 2010-08-26 19:47:12.000000000 -0400
24842+++ linux-2.6.35.4/drivers/gpu/drm/radeon/radeon_ttm.c 2010-09-17 20:12:09.000000000 -0400
24843@@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
58c5fc13
MT		 24844 DRM_INFO("radeon: ttm finalized\n");
24845 }
24846
24847-static struct vm_operations_struct radeon_ttm_vm_ops;
ae4e228f 24848-static const struct vm_operations_struct *ttm_vm_ops = NULL;
57199397
MT		 24849+extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24850+extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24851+extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24852
24853 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24854 {
24855@@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
24856 struct radeon_device *rdev;
24857 int r;
24858
24859- bo = (struct ttm_buffer_object *)vma->vm_private_data;
58c5fc13 24860- if (bo == NULL) {
57199397
MT		 24861+ bo = (struct ttm_buffer_object *)vma->vm_private_data;
24862+ if (!bo)
24863 return VM_FAULT_NOPAGE;
58c5fc13 24864- }
57199397
MT		 24865 rdev = radeon_get_rdev(bo->bdev);
24866 mutex_lock(&rdev->vram_mutex);
58c5fc13 24867- r = ttm_vm_ops->fault(vma, vmf);
57199397
MT		 24868+ r = ttm_bo_vm_fault(vma, vmf);
24869 mutex_unlock(&rdev->vram_mutex);
24870 return r;
24871 }
24872
24873+static const struct vm_operations_struct radeon_ttm_vm_ops = {
24874+ .fault = radeon_ttm_fault,
24875+ .open = ttm_bo_vm_open,
24876+ .close = ttm_bo_vm_close
24877+};
24878+
58c5fc13
MT		 24879 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24880 {
24881 struct drm_file *file_priv;
57199397 24882@@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
58c5fc13
MT		 24883
24884 file_priv = (struct drm_file *)filp->private_data;
24885 rdev = file_priv->minor->dev->dev_private;
24886- if (rdev == NULL) {
24887+ if (!rdev)
24888 return -EINVAL;
24889- }
57199397 24890 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
58c5fc13 24891- if (unlikely(r != 0)) {
57199397
MT		 24892+ if (r)
24893 return r;
58c5fc13
MT		 24894- }
24895- if (unlikely(ttm_vm_ops == NULL)) {
24896- ttm_vm_ops = vma->vm_ops;
24897- radeon_ttm_vm_ops = *ttm_vm_ops;
24898- radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24899- }
57199397
MT		 24900 vma->vm_ops = &radeon_ttm_vm_ops;
24901 return 0;
58c5fc13 24902 }
57199397
MT		 24903diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c
24904--- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c 2010-08-26 19:47:12.000000000 -0400
24905+++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 24906@@ -47,7 +47,7 @@
24907 #include <linux/module.h>
ae4e228f 24908
df50ba0c
MT		 24909 #define TTM_ASSERT_LOCKED(param)
24910-#define TTM_DEBUG(fmt, arg...)
24911+#define TTM_DEBUG(fmt, arg...) do {} while (0)
24912 #define TTM_BO_HASH_ORDER 13
ae4e228f 24913
df50ba0c 24914 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
57199397
MT		 24915diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c
24916--- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-08-26 19:47:12.000000000 -0400
24917+++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-09-17 20:12:09.000000000 -0400
24918@@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24919 return best_bo;
24920 }
24921
24922-static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24923+int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
58c5fc13
MT		 24924 {
24925 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24926 vma->vm_private_data;
24927- struct ttm_bo_device *bdev = bo->bdev;
24928+ struct ttm_bo_device *bdev;
57199397
MT		 24929 unsigned long page_offset;
24930 unsigned long page_last;
24931 unsigned long pfn;
24932@@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
58c5fc13
MT		 24933 unsigned long address = (unsigned long)vmf->virtual_address;
24934 int retval = VM_FAULT_NOPAGE;
24935
24936+ if (!bo)
24937+ return VM_FAULT_NOPAGE;
24938+ bdev = bo->bdev;
24939+
24940 /*
24941 * Work around locking order reversal in fault / nopfn
24942 * between mmap_sem and bo_reserve: Perform a trylock operation
57199397
MT		 24943@@ -213,7 +217,7 @@ out_unlock:
24944 return retval;
24945 }
24946
24947-static void ttm_bo_vm_open(struct vm_area_struct *vma)
24948+void ttm_bo_vm_open(struct vm_area_struct *vma)
24949 {
24950 struct ttm_buffer_object *bo =
24951 (struct ttm_buffer_object *)vma->vm_private_data;
24952@@ -221,7 +225,7 @@ static void ttm_bo_vm_open(struct vm_are
24953 (void)ttm_bo_reference(bo);
24954 }
24955
24956-static void ttm_bo_vm_close(struct vm_area_struct *vma)
24957+void ttm_bo_vm_close(struct vm_area_struct *vma)
24958 {
24959 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24960
24961diff -urNp linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c
24962--- linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c 2010-08-26 19:47:12.000000000 -0400
24963+++ linux-2.6.35.4/drivers/gpu/drm/ttm/ttm_global.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 24964@@ -36,7 +36,7 @@
24965 struct ttm_global_item {
24966 struct mutex mutex;
24967 void *object;
24968- int refcount;
24969+ atomic_t refcount;
24970 };
58c5fc13 24971
ae4e228f
MT		 24972 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
24973@@ -49,7 +49,7 @@ void ttm_global_init(void)
24974 struct ttm_global_item *item = &glob[i];
24975 mutex_init(&item->mutex);
24976 item->object = NULL;
24977- item->refcount = 0;
24978+ atomic_set(&item->refcount, 0);
24979 }
24980 }
24981
24982@@ -59,7 +59,7 @@ void ttm_global_release(void)
24983 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
24984 struct ttm_global_item *item = &glob[i];
24985 BUG_ON(item->object != NULL);
24986- BUG_ON(item->refcount != 0);
24987+ BUG_ON(atomic_read(&item->refcount) != 0);
24988 }
24989 }
24990
24991@@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
24992 void *object;
24993
24994 mutex_lock(&item->mutex);
24995- if (item->refcount == 0) {
24996+ if (atomic_read(&item->refcount) == 0) {
24997 item->object = kzalloc(ref->size, GFP_KERNEL);
24998 if (unlikely(item->object == NULL)) {
24999 ret = -ENOMEM;
25000@@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
25001 goto out_err;
25002
25003 }
25004- ++item->refcount;
25005+ atomic_inc(&item->refcount);
25006 ref->object = item->object;
25007 object = item->object;
25008 mutex_unlock(&item->mutex);
25009@@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
25010 struct ttm_global_item *item = &glob[ref->global_type];
25011
25012 mutex_lock(&item->mutex);
25013- BUG_ON(item->refcount == 0);
25014+ BUG_ON(atomic_read(&item->refcount) == 0);
25015 BUG_ON(ref->object != item->object);
25016- if (--item->refcount == 0) {
25017+ if (atomic_dec_and_test(&item->refcount)) {
25018 ref->release(ref);
25019 item->object = NULL;
25020 }
57199397
MT		 25021diff -urNp linux-2.6.35.4/drivers/hid/usbhid/hiddev.c linux-2.6.35.4/drivers/hid/usbhid/hiddev.c
25022--- linux-2.6.35.4/drivers/hid/usbhid/hiddev.c 2010-08-26 19:47:12.000000000 -0400
25023+++ linux-2.6.35.4/drivers/hid/usbhid/hiddev.c 2010-09-17 20:12:09.000000000 -0400
25024@@ -616,7 +616,7 @@ static long hiddev_ioctl(struct file *fi
df50ba0c 25025 return put_user(HID_VERSION, (int __user *)arg);
ae4e228f 25026
df50ba0c
MT		 25027 case HIDIOCAPPLICATION:
25028- if (arg < 0 || arg >= hid->maxapplication)
25029+ if (arg >= hid->maxapplication)
25030 return -EINVAL;
25031
25032 for (i = 0; i < hid->maxcollection; i++)
57199397
MT		 25033diff -urNp linux-2.6.35.4/drivers/hwmon/k8temp.c linux-2.6.35.4/drivers/hwmon/k8temp.c
25034--- linux-2.6.35.4/drivers/hwmon/k8temp.c 2010-08-26 19:47:12.000000000 -0400
25035+++ linux-2.6.35.4/drivers/hwmon/k8temp.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25036@@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
25037
ae4e228f 25038 static const struct pci_device_id k8temp_ids[] = {
58c5fc13
MT		 25039 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
25040- { 0 },
25041+ { 0, 0, 0, 0, 0, 0, 0 },
25042 };
25043
25044 MODULE_DEVICE_TABLE(pci, k8temp_ids);
57199397
MT		 25045diff -urNp linux-2.6.35.4/drivers/hwmon/sis5595.c linux-2.6.35.4/drivers/hwmon/sis5595.c
25046--- linux-2.6.35.4/drivers/hwmon/sis5595.c 2010-08-26 19:47:12.000000000 -0400
25047+++ linux-2.6.35.4/drivers/hwmon/sis5595.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25048@@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
25049
ae4e228f 25050 static const struct pci_device_id sis5595_pci_ids[] = {
58c5fc13
MT		 25051 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25052- { 0, }
25053+ { 0, 0, 0, 0, 0, 0, 0 }
25054 };
25055
25056 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
57199397
MT		 25057diff -urNp linux-2.6.35.4/drivers/hwmon/via686a.c linux-2.6.35.4/drivers/hwmon/via686a.c
25058--- linux-2.6.35.4/drivers/hwmon/via686a.c 2010-08-26 19:47:12.000000000 -0400
25059+++ linux-2.6.35.4/drivers/hwmon/via686a.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25060@@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
25061
ae4e228f 25062 static const struct pci_device_id via686a_pci_ids[] = {
58c5fc13
MT		 25063 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
25064- { 0, }
25065+ { 0, 0, 0, 0, 0, 0, 0 }
25066 };
25067
25068 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
57199397
MT		 25069diff -urNp linux-2.6.35.4/drivers/hwmon/vt8231.c linux-2.6.35.4/drivers/hwmon/vt8231.c
25070--- linux-2.6.35.4/drivers/hwmon/vt8231.c 2010-08-26 19:47:12.000000000 -0400
25071+++ linux-2.6.35.4/drivers/hwmon/vt8231.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25072@@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
25073
ae4e228f 25074 static const struct pci_device_id vt8231_pci_ids[] = {
58c5fc13
MT		 25075 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
25076- { 0, }
25077+ { 0, 0, 0, 0, 0, 0, 0 }
25078 };
25079
25080 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
57199397
MT		 25081diff -urNp linux-2.6.35.4/drivers/hwmon/w83791d.c linux-2.6.35.4/drivers/hwmon/w83791d.c
25082--- linux-2.6.35.4/drivers/hwmon/w83791d.c 2010-08-26 19:47:12.000000000 -0400
25083+++ linux-2.6.35.4/drivers/hwmon/w83791d.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 25084@@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
58c5fc13
MT		 25085 struct i2c_board_info *info);
25086 static int w83791d_remove(struct i2c_client *client);
25087
25088-static int w83791d_read(struct i2c_client *client, u8 register);
25089-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
25090+static int w83791d_read(struct i2c_client *client, u8 reg);
25091+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
25092 static struct w83791d_data *w83791d_update_device(struct device *dev);
25093
25094 #ifdef DEBUG
57199397
MT		 25095diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c
25096--- linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c 2010-08-26 19:47:12.000000000 -0400
25097+++ linux-2.6.35.4/drivers/i2c/busses/i2c-i801.c 2010-09-17 20:12:09.000000000 -0400
25098@@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
58c5fc13
MT		 25099 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
25100 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
df50ba0c 25101 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
58c5fc13
MT		 25102- { 0, }
25103+ { 0, 0, 0, 0, 0, 0, 0 }
25104 };
25105
57199397
MT		 25106 MODULE_DEVICE_TABLE(pci, i801_ids);
25107diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c
25108--- linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c 2010-08-26 19:47:12.000000000 -0400
25109+++ linux-2.6.35.4/drivers/i2c/busses/i2c-piix4.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 25110@@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
58c5fc13
MT		 25111 .ident = "IBM",
25112 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
25113 },
25114- { },
ae4e228f 25115+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
58c5fc13
MT		 25116 };
25117
25118 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
df50ba0c 25119@@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
58c5fc13
MT		 25120 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
25121 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
25122 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
25123- { 0, }
25124+ { 0, 0, 0, 0, 0, 0, 0 }
25125 };
25126
25127 MODULE_DEVICE_TABLE (pci, piix4_ids);
57199397
MT		 25128diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c
25129--- linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c 2010-08-26 19:47:12.000000000 -0400
25130+++ linux-2.6.35.4/drivers/i2c/busses/i2c-sis630.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13 25131@@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
df50ba0c 25132 static const struct pci_device_id sis630_ids[] __devinitconst = {
58c5fc13
MT		 25133 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25134 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
25135- { 0, }
25136+ { 0, 0, 0, 0, 0, 0, 0 }
25137 };
25138
25139 MODULE_DEVICE_TABLE (pci, sis630_ids);
57199397
MT		 25140diff -urNp linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c
25141--- linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c 2010-08-26 19:47:12.000000000 -0400
25142+++ linux-2.6.35.4/drivers/i2c/busses/i2c-sis96x.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25143@@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25144
df50ba0c 25145 static const struct pci_device_id sis96x_ids[] = {
58c5fc13
MT		 25146 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25147- { 0, }
25148+ { 0, 0, 0, 0, 0, 0, 0 }
25149 };
25150
25151 MODULE_DEVICE_TABLE (pci, sis96x_ids);
57199397
MT		 25152diff -urNp linux-2.6.35.4/drivers/ide/ide-cd.c linux-2.6.35.4/drivers/ide/ide-cd.c
25153--- linux-2.6.35.4/drivers/ide/ide-cd.c 2010-08-26 19:47:12.000000000 -0400
25154+++ linux-2.6.35.4/drivers/ide/ide-cd.c 2010-09-17 20:12:09.000000000 -0400
25155@@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
ae4e228f
MT		 25156 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25157 if ((unsigned long)buf & alignment
25158 || blk_rq_bytes(rq) & q->dma_pad_mask
25159- || object_is_on_stack(buf))
25160+ || object_starts_on_stack(buf))
25161 drive->dma = 0;
25162 }
25163 }
57199397
MT		 25164diff -urNp linux-2.6.35.4/drivers/ieee1394/dv1394.c linux-2.6.35.4/drivers/ieee1394/dv1394.c
25165--- linux-2.6.35.4/drivers/ieee1394/dv1394.c 2010-08-26 19:47:12.000000000 -0400
25166+++ linux-2.6.35.4/drivers/ieee1394/dv1394.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25167@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
25168 based upon DIF section and sequence
25169 */
25170
25171-static void inline
25172+static inline void
25173 frame_put_packet (struct frame *f, struct packet *p)
25174 {
25175 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
57199397 25176@@ -2179,7 +2179,7 @@ static const struct ieee1394_device_id d
58c5fc13
MT		 25177 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25178 .version = AVC_SW_VERSION_ENTRY & 0xffffff
25179 },
25180- { }
25181+ { 0, 0, 0, 0, 0, 0 }
25182 };
25183
25184 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
57199397
MT		 25185diff -urNp linux-2.6.35.4/drivers/ieee1394/eth1394.c linux-2.6.35.4/drivers/ieee1394/eth1394.c
25186--- linux-2.6.35.4/drivers/ieee1394/eth1394.c 2010-08-26 19:47:12.000000000 -0400
25187+++ linux-2.6.35.4/drivers/ieee1394/eth1394.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 25188@@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
58c5fc13
MT		 25189 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25190 .version = ETHER1394_GASP_VERSION,
25191 },
25192- {}
25193+ { 0, 0, 0, 0, 0, 0 }
25194 };
25195
25196 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
57199397
MT		 25197diff -urNp linux-2.6.35.4/drivers/ieee1394/hosts.c linux-2.6.35.4/drivers/ieee1394/hosts.c
25198--- linux-2.6.35.4/drivers/ieee1394/hosts.c 2010-08-26 19:47:12.000000000 -0400
25199+++ linux-2.6.35.4/drivers/ieee1394/hosts.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25200@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
25201 }
25202
25203 static struct hpsb_host_driver dummy_driver = {
25204+ .name = "dummy",
25205 .transmit_packet = dummy_transmit_packet,
25206 .devctl = dummy_devctl,
25207 .isoctl = dummy_isoctl
57199397
MT		 25208diff -urNp linux-2.6.35.4/drivers/ieee1394/ohci1394.c linux-2.6.35.4/drivers/ieee1394/ohci1394.c
25209--- linux-2.6.35.4/drivers/ieee1394/ohci1394.c 2010-08-26 19:47:12.000000000 -0400
25210+++ linux-2.6.35.4/drivers/ieee1394/ohci1394.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 25211@@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
58c5fc13
MT		 25212 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25213
25214 /* Module Parameters */
25215-static int phys_dma = 1;
25216+static int phys_dma;
25217 module_param(phys_dma, int, 0444);
25218-MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25219+MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25220
25221 static void dma_trm_tasklet(unsigned long data);
25222 static void dma_trm_reset(struct dma_trm_ctx *d);
ae4e228f 25223@@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
58c5fc13
MT		 25224 .subvendor = PCI_ANY_ID,
25225 .subdevice = PCI_ANY_ID,
25226 },
25227- { 0, },
25228+ { 0, 0, 0, 0, 0, 0, 0 },
25229 };
25230
25231 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
57199397
MT		 25232diff -urNp linux-2.6.35.4/drivers/ieee1394/raw1394.c linux-2.6.35.4/drivers/ieee1394/raw1394.c
25233--- linux-2.6.35.4/drivers/ieee1394/raw1394.c 2010-08-26 19:47:12.000000000 -0400
25234+++ linux-2.6.35.4/drivers/ieee1394/raw1394.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 25235@@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
58c5fc13
MT		 25236 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25237 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25238 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25239- {}
25240+ { 0, 0, 0, 0, 0, 0 }
25241 };
25242
25243 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
57199397
MT		 25244diff -urNp linux-2.6.35.4/drivers/ieee1394/sbp2.c linux-2.6.35.4/drivers/ieee1394/sbp2.c
25245--- linux-2.6.35.4/drivers/ieee1394/sbp2.c 2010-08-26 19:47:12.000000000 -0400
25246+++ linux-2.6.35.4/drivers/ieee1394/sbp2.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25247@@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
58c5fc13
MT		 25248 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25249 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25250 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
25251- {}
25252+ { 0, 0, 0, 0, 0, 0 }
25253 };
25254 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25255
df50ba0c 25256@@ -2110,7 +2110,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
58c5fc13
MT		 25257 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25258 MODULE_LICENSE("GPL");
25259
25260-static int sbp2_module_init(void)
25261+static int __init sbp2_module_init(void)
25262 {
25263 int ret;
25264
57199397
MT		 25265diff -urNp linux-2.6.35.4/drivers/ieee1394/video1394.c linux-2.6.35.4/drivers/ieee1394/video1394.c
25266--- linux-2.6.35.4/drivers/ieee1394/video1394.c 2010-08-26 19:47:12.000000000 -0400
25267+++ linux-2.6.35.4/drivers/ieee1394/video1394.c 2010-09-17 20:12:09.000000000 -0400
25268@@ -1312,7 +1312,7 @@ static const struct ieee1394_device_id v
58c5fc13
MT		 25269 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25270 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25271 },
25272- { }
25273+ { 0, 0, 0, 0, 0, 0 }
25274 };
25275
25276 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
57199397
MT		 25277diff -urNp linux-2.6.35.4/drivers/infiniband/core/cm.c linux-2.6.35.4/drivers/infiniband/core/cm.c
25278--- linux-2.6.35.4/drivers/infiniband/core/cm.c 2010-08-26 19:47:12.000000000 -0400
25279+++ linux-2.6.35.4/drivers/infiniband/core/cm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25280@@ -113,7 +113,7 @@ static char const counter_group_names[CM
ae4e228f
MT		 25281
25282 struct cm_counter_group {
25283 struct kobject obj;
25284- atomic_long_t counter[CM_ATTR_COUNT];
25285+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25286 };
25287
25288 struct cm_counter_attribute {
df50ba0c 25289@@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
ae4e228f
MT		 25290 struct ib_mad_send_buf *msg = NULL;
25291 int ret;
25292
25293- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25294+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25295 counter[CM_REQ_COUNTER]);
25296
25297 /* Quick state check to discard duplicate REQs. */
df50ba0c 25298@@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
ae4e228f
MT		 25299 if (!cm_id_priv)
25300 return;
58c5fc13 25301
ae4e228f
MT		 25302- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25303+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25304 counter[CM_REP_COUNTER]);
25305 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25306 if (ret)
df50ba0c 25307@@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
ae4e228f
MT		 25308 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25309 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25310 spin_unlock_irq(&cm_id_priv->lock);
25311- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25312+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25313 counter[CM_RTU_COUNTER]);
25314 goto out;
25315 }
df50ba0c 25316@@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
ae4e228f
MT		 25317 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25318 dreq_msg->local_comm_id);
25319 if (!cm_id_priv) {
25320- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25321+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25322 counter[CM_DREQ_COUNTER]);
25323 cm_issue_drep(work->port, work->mad_recv_wc);
25324 return -EINVAL;
df50ba0c 25325@@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
ae4e228f
MT		 25326 case IB_CM_MRA_REP_RCVD:
25327 break;
25328 case IB_CM_TIMEWAIT:
25329- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25330+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25331 counter[CM_DREQ_COUNTER]);
25332 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25333 goto unlock;
df50ba0c 25334@@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
ae4e228f
MT		 25335 cm_free_msg(msg);
25336 goto deref;
25337 case IB_CM_DREQ_RCVD:
25338- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25339+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25340 counter[CM_DREQ_COUNTER]);
25341 goto unlock;
25342 default:
df50ba0c 25343@@ -2502,7 +2502,7 @@ static int cm_mra_handler(struct cm_work
ae4e228f
MT		 25344 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25345 cm_id_priv->msg, timeout)) {
25346 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25347- atomic_long_inc(&work->port->
25348+ atomic_long_inc_unchecked(&work->port->
25349 counter_group[CM_RECV_DUPLICATES].
25350 counter[CM_MRA_COUNTER]);
25351 goto out;
df50ba0c 25352@@ -2511,7 +2511,7 @@ static int cm_mra_handler(struct cm_work
ae4e228f
MT		 25353 break;
25354 case IB_CM_MRA_REQ_RCVD:
25355 case IB_CM_MRA_REP_RCVD:
25356- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25357+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25358 counter[CM_MRA_COUNTER]);
25359 /* fall through */
25360 default:
df50ba0c 25361@@ -2673,7 +2673,7 @@ static int cm_lap_handler(struct cm_work
ae4e228f
MT		 25362 case IB_CM_LAP_IDLE:
25363 break;
25364 case IB_CM_MRA_LAP_SENT:
25365- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25366+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25367 counter[CM_LAP_COUNTER]);
25368 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25369 goto unlock;
df50ba0c 25370@@ -2689,7 +2689,7 @@ static int cm_lap_handler(struct cm_work
ae4e228f
MT		 25371 cm_free_msg(msg);
25372 goto deref;
25373 case IB_CM_LAP_RCVD:
25374- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25375+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25376 counter[CM_LAP_COUNTER]);
25377 goto unlock;
25378 default:
df50ba0c 25379@@ -2973,7 +2973,7 @@ static int cm_sidr_req_handler(struct cm
ae4e228f
MT		 25380 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25381 if (cur_cm_id_priv) {
25382 spin_unlock_irq(&cm.lock);
25383- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25384+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25385 counter[CM_SIDR_REQ_COUNTER]);
25386 goto out; /* Duplicate message. */
25387 }
df50ba0c 25388@@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
ae4e228f
MT		 25389 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25390 msg->retries = 1;
25391
25392- atomic_long_add(1 + msg->retries,
25393+ atomic_long_add_unchecked(1 + msg->retries,
25394 &port->counter_group[CM_XMIT].counter[attr_index]);
25395 if (msg->retries)
25396- atomic_long_add(msg->retries,
25397+ atomic_long_add_unchecked(msg->retries,
25398 &port->counter_group[CM_XMIT_RETRIES].
25399 counter[attr_index]);
25400
df50ba0c 25401@@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
ae4e228f
MT		 25402 }
25403
25404 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25405- atomic_long_inc(&port->counter_group[CM_RECV].
25406+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25407 counter[attr_id - CM_ATTR_ID_OFFSET]);
25408
25409 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
df50ba0c 25410@@ -3595,7 +3595,7 @@ static ssize_t cm_show_counter(struct ko
ae4e228f
MT		 25411 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25412
25413 return sprintf(buf, "%ld\n",
25414- atomic_long_read(&group->counter[cm_attr->index]));
25415+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25416 }
25417
df50ba0c 25418 static const struct sysfs_ops cm_counter_ops = {
57199397
MT		 25419diff -urNp linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h
25420--- linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h 2010-08-26 19:47:12.000000000 -0400
25421+++ linux-2.6.35.4/drivers/infiniband/hw/qib/qib.h 2010-09-17 20:12:09.000000000 -0400
25422@@ -50,6 +50,7 @@
25423 #include <linux/completion.h>
25424 #include <linux/kref.h>
25425 #include <linux/sched.h>
25426+#include <linux/slab.h>
25427
25428 #include "qib_common.h"
25429 #include "qib_verbs.h"
25430diff -urNp linux-2.6.35.4/drivers/input/keyboard/atkbd.c linux-2.6.35.4/drivers/input/keyboard/atkbd.c
25431--- linux-2.6.35.4/drivers/input/keyboard/atkbd.c 2010-08-26 19:47:12.000000000 -0400
25432+++ linux-2.6.35.4/drivers/input/keyboard/atkbd.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25433@@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
58c5fc13
MT		 25434 .id = SERIO_ANY,
25435 .extra = SERIO_ANY,
25436 },
25437- { 0 }
25438+ { 0, 0, 0, 0 }
25439 };
25440
25441 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
57199397
MT		 25442diff -urNp linux-2.6.35.4/drivers/input/mouse/lifebook.c linux-2.6.35.4/drivers/input/mouse/lifebook.c
25443--- linux-2.6.35.4/drivers/input/mouse/lifebook.c 2010-08-26 19:47:12.000000000 -0400
25444+++ linux-2.6.35.4/drivers/input/mouse/lifebook.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25445@@ -123,7 +123,7 @@ static const struct dmi_system_id __init
58c5fc13
MT		 25446 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25447 },
25448 },
25449- { }
25450+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25451 };
25452
ae4e228f 25453 void __init lifebook_module_init(void)
57199397
MT		 25454diff -urNp linux-2.6.35.4/drivers/input/mouse/psmouse-base.c linux-2.6.35.4/drivers/input/mouse/psmouse-base.c
25455--- linux-2.6.35.4/drivers/input/mouse/psmouse-base.c 2010-08-26 19:47:12.000000000 -0400
25456+++ linux-2.6.35.4/drivers/input/mouse/psmouse-base.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25457@@ -1460,7 +1460,7 @@ static struct serio_device_id psmouse_se
58c5fc13
MT		 25458 .id = SERIO_ANY,
25459 .extra = SERIO_ANY,
25460 },
25461- { 0 }
25462+ { 0, 0, 0, 0 }
25463 };
25464
25465 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
57199397
MT		 25466diff -urNp linux-2.6.35.4/drivers/input/mouse/synaptics.c linux-2.6.35.4/drivers/input/mouse/synaptics.c
25467--- linux-2.6.35.4/drivers/input/mouse/synaptics.c 2010-08-26 19:47:12.000000000 -0400
25468+++ linux-2.6.35.4/drivers/input/mouse/synaptics.c 2010-09-17 20:12:09.000000000 -0400
25469@@ -476,7 +476,7 @@ static void synaptics_process_packet(str
58c5fc13
MT		 25470 break;
25471 case 2:
25472 if (SYN_MODEL_PEN(priv->model_id))
25473- ; /* Nothing, treat a pen as a single finger */
25474+ break; /* Nothing, treat a pen as a single finger */
25475 break;
25476 case 4 ... 15:
25477 if (SYN_CAP_PALMDETECT(priv->capabilities))
57199397 25478@@ -701,7 +701,6 @@ static const struct dmi_system_id __init
ae4e228f 25479 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
58c5fc13
MT		 25480 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25481 },
ae4e228f
MT		 25482-
25483 },
25484 {
25485 /* Toshiba Portege M300 */
57199397 25486@@ -710,9 +709,8 @@ static const struct dmi_system_id __init
ae4e228f
MT		 25487 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25488 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25489 },
25490-
58c5fc13
MT		 25491 },
25492- { }
25493+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
58c5fc13 25494 #endif
ae4e228f 25495 };
58c5fc13 25496
57199397
MT		 25497diff -urNp linux-2.6.35.4/drivers/input/mousedev.c linux-2.6.35.4/drivers/input/mousedev.c
25498--- linux-2.6.35.4/drivers/input/mousedev.c 2010-08-26 19:47:12.000000000 -0400
25499+++ linux-2.6.35.4/drivers/input/mousedev.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25500@@ -754,7 +754,7 @@ static ssize_t mousedev_read(struct file
ae4e228f
MT		 25501
25502 spin_unlock_irq(&client->packet_lock);
25503
25504- if (copy_to_user(buffer, data, count))
25505+ if (count > sizeof(data) || copy_to_user(buffer, data, count))
25506 return -EFAULT;
25507
25508 return count;
df50ba0c 25509@@ -1051,7 +1051,7 @@ static struct input_handler mousedev_han
58c5fc13
MT		 25510
25511 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25512 static struct miscdevice psaux_mouse = {
25513- PSMOUSE_MINOR, "psaux", &mousedev_fops
25514+ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25515 };
25516 static int psaux_registered;
25517 #endif
57199397
MT		 25518diff -urNp linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h
25519--- linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h 2010-08-26 19:47:12.000000000 -0400
25520+++ linux-2.6.35.4/drivers/input/serio/i8042-x86ia64io.h 2010-09-17 20:12:09.000000000 -0400
25521@@ -183,7 +183,7 @@ static const struct dmi_system_id __init
58c5fc13
MT		 25522 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25523 },
25524 },
25525- { }
25526+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25527 };
25528
25529 /*
57199397 25530@@ -413,7 +413,7 @@ static const struct dmi_system_id __init
58c5fc13
MT		 25531 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25532 },
25533 },
25534- { }
25535+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25536 };
25537
ae4e228f 25538 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
57199397 25539@@ -487,7 +487,7 @@ static const struct dmi_system_id __init
ae4e228f 25540 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
58c5fc13
MT		 25541 },
25542 },
25543- { }
25544+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25545 };
25546
25547 #ifdef CONFIG_PNP
57199397 25548@@ -506,7 +506,7 @@ static const struct dmi_system_id __init
58c5fc13
MT		 25549 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25550 },
25551 },
25552- { }
ae4e228f
MT		 25553+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25554 };
25555
25556 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
57199397 25557@@ -530,7 +530,7 @@ static const struct dmi_system_id __init
ae4e228f
MT		 25558 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25559 },
25560 },
25561- { }
58c5fc13
MT		 25562+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25563 };
25564 #endif
25565
57199397 25566@@ -604,7 +604,7 @@ static const struct dmi_system_id __init
58c5fc13
MT		 25567 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25568 },
25569 },
25570- { }
25571+ { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25572 };
25573
25574 #endif /* CONFIG_X86 */
57199397
MT		 25575diff -urNp linux-2.6.35.4/drivers/input/serio/serio_raw.c linux-2.6.35.4/drivers/input/serio/serio_raw.c
25576--- linux-2.6.35.4/drivers/input/serio/serio_raw.c 2010-08-26 19:47:12.000000000 -0400
25577+++ linux-2.6.35.4/drivers/input/serio/serio_raw.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25578@@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
58c5fc13
MT		 25579 .id = SERIO_ANY,
25580 .extra = SERIO_ANY,
25581 },
25582- { 0 }
25583+ { 0, 0, 0, 0 }
25584 };
25585
25586 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
57199397
MT		 25587diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/common.c linux-2.6.35.4/drivers/isdn/gigaset/common.c
25588--- linux-2.6.35.4/drivers/isdn/gigaset/common.c 2010-08-26 19:47:12.000000000 -0400
25589+++ linux-2.6.35.4/drivers/isdn/gigaset/common.c 2010-09-17 20:12:09.000000000 -0400
25590@@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
58c5fc13
MT		 25591 cs->commands_pending = 0;
25592 cs->cur_at_seq = 0;
25593 cs->gotfwver = -1;
25594- cs->open_count = 0;
25595+ atomic_set(&cs->open_count, 0);
25596 cs->dev = NULL;
25597 cs->tty = NULL;
25598 cs->tty_dev = NULL;
57199397
MT		 25599diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h
25600--- linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h 2010-08-26 19:47:12.000000000 -0400
25601+++ linux-2.6.35.4/drivers/isdn/gigaset/gigaset.h 2010-09-17 20:12:09.000000000 -0400
25602@@ -442,7 +442,7 @@ struct cardstate {
58c5fc13
MT		 25603 spinlock_t cmdlock;
25604 unsigned curlen, cmdbytes;
25605
25606- unsigned open_count;
25607+ atomic_t open_count;
25608 struct tty_struct *tty;
25609 struct tasklet_struct if_wake_tasklet;
25610 unsigned control_state;
57199397
MT		 25611diff -urNp linux-2.6.35.4/drivers/isdn/gigaset/interface.c linux-2.6.35.4/drivers/isdn/gigaset/interface.c
25612--- linux-2.6.35.4/drivers/isdn/gigaset/interface.c 2010-08-26 19:47:12.000000000 -0400
25613+++ linux-2.6.35.4/drivers/isdn/gigaset/interface.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25614@@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
ae4e228f 25615 return -ERESTARTSYS;
58c5fc13
MT		 25616 tty->driver_data = cs;
25617
25618- ++cs->open_count;
25619-
25620- if (cs->open_count == 1) {
25621+ if (atomic_inc_return(&cs->open_count) == 1) {
25622 spin_lock_irqsave(&cs->lock, flags);
25623 cs->tty = tty;
25624 spin_unlock_irqrestore(&cs->lock, flags);
df50ba0c 25625@@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
58c5fc13
MT		 25626
25627 if (!cs->connected)
25628 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25629- else if (!cs->open_count)
25630+ else if (!atomic_read(&cs->open_count))
25631 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25632 else {
25633- if (!--cs->open_count) {
25634+ if (!atomic_dec_return(&cs->open_count)) {
25635 spin_lock_irqsave(&cs->lock, flags);
25636 cs->tty = NULL;
25637 spin_unlock_irqrestore(&cs->lock, flags);
df50ba0c 25638@@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
58c5fc13
MT		 25639 if (!cs->connected) {
25640 gig_dbg(DEBUG_IF, "not connected");
25641 retval = -ENODEV;
25642- } else if (!cs->open_count)
25643+ } else if (!atomic_read(&cs->open_count))
25644 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25645 else {
25646 retval = 0;
df50ba0c 25647@@ -355,7 +353,7 @@ static int if_write(struct tty_struct *t
58c5fc13
MT		 25648 if (!cs->connected) {
25649 gig_dbg(DEBUG_IF, "not connected");
25650 retval = -ENODEV;
25651- } else if (!cs->open_count)
25652+ } else if (!atomic_read(&cs->open_count))
25653 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25654 else if (cs->mstate != MS_LOCKED) {
25655 dev_warn(cs->dev, "can't write to unlocked device\n");
df50ba0c 25656@@ -389,7 +387,7 @@ static int if_write_room(struct tty_stru
58c5fc13
MT		 25657 if (!cs->connected) {
25658 gig_dbg(DEBUG_IF, "not connected");
25659 retval = -ENODEV;
25660- } else if (!cs->open_count)
25661+ } else if (!atomic_read(&cs->open_count))
25662 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25663 else if (cs->mstate != MS_LOCKED) {
25664 dev_warn(cs->dev, "can't write to unlocked device\n");
df50ba0c 25665@@ -419,7 +417,7 @@ static int if_chars_in_buffer(struct tty
ae4e228f
MT		 25666
25667 if (!cs->connected)
58c5fc13 25668 gig_dbg(DEBUG_IF, "not connected");
ae4e228f
MT		 25669- else if (!cs->open_count)
25670+ else if (!atomic_read(&cs->open_count))
58c5fc13 25671 dev_warn(cs->dev, "%s: device not opened\n", __func__);
ae4e228f 25672 else if (cs->mstate != MS_LOCKED)
58c5fc13 25673 dev_warn(cs->dev, "can't write to unlocked device\n");
df50ba0c 25674@@ -447,7 +445,7 @@ static void if_throttle(struct tty_struc
58c5fc13
MT		 25675
25676 if (!cs->connected)
25677 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25678- else if (!cs->open_count)
25679+ else if (!atomic_read(&cs->open_count))
25680 dev_warn(cs->dev, "%s: device not opened\n", __func__);
ae4e228f 25681 else
df50ba0c
MT		 25682 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25683@@ -471,7 +469,7 @@ static void if_unthrottle(struct tty_str
58c5fc13
MT		 25684
25685 if (!cs->connected)
25686 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25687- else if (!cs->open_count)
25688+ else if (!atomic_read(&cs->open_count))
25689 dev_warn(cs->dev, "%s: device not opened\n", __func__);
ae4e228f 25690 else
df50ba0c
MT		 25691 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25692@@ -502,7 +500,7 @@ static void if_set_termios(struct tty_st
58c5fc13
MT		 25693 goto out;
25694 }
25695
25696- if (!cs->open_count) {
25697+ if (!atomic_read(&cs->open_count)) {
25698 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25699 goto out;
25700 }
57199397
MT		 25701diff -urNp linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c
25702--- linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c 2010-08-26 19:47:12.000000000 -0400
25703+++ linux-2.6.35.4/drivers/isdn/hardware/avm/b1.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 25704@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
ae4e228f
MT		 25705 }
25706 if (left) {
25707 if (t4file->user) {
25708- if (copy_from_user(buf, dp, left))
25709+ if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25710 return -EFAULT;
25711 } else {
25712 memcpy(buf, dp, left);
df50ba0c 25713@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
ae4e228f
MT		 25714 }
25715 if (left) {
25716 if (config->user) {
25717- if (copy_from_user(buf, dp, left))
25718+ if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25719 return -EFAULT;
25720 } else {
25721 memcpy(buf, dp, left);
57199397
MT		 25722diff -urNp linux-2.6.35.4/drivers/isdn/icn/icn.c linux-2.6.35.4/drivers/isdn/icn/icn.c
25723--- linux-2.6.35.4/drivers/isdn/icn/icn.c 2010-08-26 19:47:12.000000000 -0400
25724+++ linux-2.6.35.4/drivers/isdn/icn/icn.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 25725@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
ae4e228f
MT		 25726 if (count > len)
25727 count = len;
25728 if (user) {
25729- if (copy_from_user(msg, buf, count))
25730+ if (count > sizeof(msg) || copy_from_user(msg, buf, count))
25731 return -EFAULT;
25732 } else
25733 memcpy(msg, buf, count);
57199397
MT		 25734diff -urNp linux-2.6.35.4/drivers/lguest/core.c linux-2.6.35.4/drivers/lguest/core.c
25735--- linux-2.6.35.4/drivers/lguest/core.c 2010-08-26 19:47:12.000000000 -0400
25736+++ linux-2.6.35.4/drivers/lguest/core.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25737@@ -92,9 +92,17 @@ static __init int map_switcher(void)
58c5fc13
MT		 25738 * it's worked so far. The end address needs +1 because __get_vm_area
25739 * allocates an extra guard page, so we need space for that.
25740 */
25741+
25742+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25743+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25744+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25745+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25746+#else
25747 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25748 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25749 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25750+#endif
25751+
25752 if (!switcher_vma) {
25753 err = -ENOMEM;
25754 printk("lguest: could not map switcher pages high\n");
57199397
MT		 25755diff -urNp linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c
25756--- linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c 2010-08-26 19:47:12.000000000 -0400
25757+++ linux-2.6.35.4/drivers/macintosh/via-pmu-backlight.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 25758@@ -15,7 +15,7 @@
25759
25760 #define MAX_PMU_LEVEL 0xFF
25761
25762-static struct backlight_ops pmu_backlight_data;
25763+static const struct backlight_ops pmu_backlight_data;
25764 static DEFINE_SPINLOCK(pmu_backlight_lock);
25765 static int sleeping, uses_pmu_bl;
25766 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25767@@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25768 return bd->props.brightness;
25769 }
25770
25771-static struct backlight_ops pmu_backlight_data = {
25772+static const struct backlight_ops pmu_backlight_data = {
25773 .get_brightness = pmu_backlight_get_brightness,
25774 .update_status = pmu_backlight_update_status,
25775
57199397
MT		 25776diff -urNp linux-2.6.35.4/drivers/macintosh/via-pmu.c linux-2.6.35.4/drivers/macintosh/via-pmu.c
25777--- linux-2.6.35.4/drivers/macintosh/via-pmu.c 2010-08-26 19:47:12.000000000 -0400
25778+++ linux-2.6.35.4/drivers/macintosh/via-pmu.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 25779@@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
25780 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25781 }
25782
25783-static struct platform_suspend_ops pmu_pm_ops = {
25784+static const struct platform_suspend_ops pmu_pm_ops = {
25785 .enter = powerbook_sleep,
25786 .valid = pmu_sleep_valid,
25787 };
57199397
MT		 25788diff -urNp linux-2.6.35.4/drivers/md/bitmap.c linux-2.6.35.4/drivers/md/bitmap.c
25789--- linux-2.6.35.4/drivers/md/bitmap.c 2010-08-26 19:47:12.000000000 -0400
25790+++ linux-2.6.35.4/drivers/md/bitmap.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 25791@@ -58,7 +58,7 @@
25792 # if DEBUG > 0
25793 # define PRINTK(x...) printk(KERN_DEBUG x)
25794 # else
25795-# define PRINTK(x...)
25796+# define PRINTK(x...) do {} while (0)
25797 # endif
25798 #endif
25799
57199397
MT		 25800diff -urNp linux-2.6.35.4/drivers/md/dm-table.c linux-2.6.35.4/drivers/md/dm-table.c
25801--- linux-2.6.35.4/drivers/md/dm-table.c 2010-08-26 19:47:12.000000000 -0400
25802+++ linux-2.6.35.4/drivers/md/dm-table.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 25803@@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
58c5fc13
MT		 25804 if (!dev_size)
25805 return 0;
25806
25807- if ((start >= dev_size) || (start + len > dev_size)) {
25808+ if ((start >= dev_size) || (len > dev_size - start)) {
25809 DMWARN("%s: %s too small for target: "
25810 "start=%llu, len=%llu, dev_size=%llu",
25811 dm_device_name(ti->table->md), bdevname(bdev, b),
57199397
MT		 25812diff -urNp linux-2.6.35.4/drivers/md/md.c linux-2.6.35.4/drivers/md/md.c
25813--- linux-2.6.35.4/drivers/md/md.c 2010-08-26 19:47:12.000000000 -0400
25814+++ linux-2.6.35.4/drivers/md/md.c 2010-09-17 20:12:09.000000000 -0400
25815@@ -6352,7 +6352,7 @@ static int md_seq_show(struct seq_file *
58c5fc13
MT		 25816 chunk_kb ? "KB" : "B");
25817 if (bitmap->file) {
25818 seq_printf(seq, ", file: ");
25819- seq_path(seq, &bitmap->file->f_path, " \t\n");
25820+ seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25821 }
25822
25823 seq_printf(seq, "\n");
57199397 25824@@ -6446,7 +6446,7 @@ static int is_mddev_idle(mddev_t *mddev,
58c5fc13
MT		 25825 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25826 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25827 (int)part_stat_read(&disk->part0, sectors[1]) -
25828- atomic_read(&disk->sync_io);
25829+ atomic_read_unchecked(&disk->sync_io);
25830 /* sync IO will cause sync_io to increase before the disk_stats
25831 * as sync_io is counted when a request starts, and
25832 * disk_stats is counted when it completes.
57199397
MT		 25833diff -urNp linux-2.6.35.4/drivers/md/md.h linux-2.6.35.4/drivers/md/md.h
25834--- linux-2.6.35.4/drivers/md/md.h 2010-08-26 19:47:12.000000000 -0400
25835+++ linux-2.6.35.4/drivers/md/md.h 2010-09-17 20:12:09.000000000 -0400
25836@@ -334,7 +334,7 @@ static inline void rdev_dec_pending(mdk_
58c5fc13
MT		 25837
25838 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25839 {
25840- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25841+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25842 }
25843
25844 struct mdk_personality
57199397
MT		 25845diff -urNp linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c
25846--- linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c 2010-08-26 19:47:12.000000000 -0400
25847+++ linux-2.6.35.4/drivers/media/dvb/dvb-core/dvbdev.c 2010-09-17 20:12:09.000000000 -0400
25848@@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
ae4e228f
MT		 25849 const struct dvb_device *template, void *priv, int type)
25850 {
25851 struct dvb_device *dvbdev;
df50ba0c 25852+ /* cannot be const, see this function */
ae4e228f
MT		 25853 struct file_operations *dvbdevfops;
25854 struct device *clsdev;
25855 int minor;
57199397
MT		 25856diff -urNp linux-2.6.35.4/drivers/media/radio/radio-cadet.c linux-2.6.35.4/drivers/media/radio/radio-cadet.c
25857--- linux-2.6.35.4/drivers/media/radio/radio-cadet.c 2010-08-26 19:47:12.000000000 -0400
25858+++ linux-2.6.35.4/drivers/media/radio/radio-cadet.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 25859@@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
25860 while (i < count && dev->rdsin != dev->rdsout)
25861 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25862
25863- if (copy_to_user(data, readbuf, i))
25864+ if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
25865 return -EFAULT;
25866 return i;
58c5fc13 25867 }
57199397
MT		 25868diff -urNp linux-2.6.35.4/drivers/message/fusion/mptbase.c linux-2.6.35.4/drivers/message/fusion/mptbase.c
25869--- linux-2.6.35.4/drivers/message/fusion/mptbase.c 2010-08-26 19:47:12.000000000 -0400
25870+++ linux-2.6.35.4/drivers/message/fusion/mptbase.c 2010-09-17 20:12:37.000000000 -0400
25871@@ -6715,8 +6715,14 @@ procmpt_iocinfo_read(char *buf, char **s
25872 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25873 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25874
25875+#ifdef CONFIG_GRKERNSEC_HIDESYM
25876+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25877+ NULL, NULL);
25878+#else
25879 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25880 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25881+#endif
25882+
25883 /*
25884 * Rounding UP to nearest 4-kB boundary here...
25885 */
25886diff -urNp linux-2.6.35.4/drivers/message/fusion/mptdebug.h linux-2.6.35.4/drivers/message/fusion/mptdebug.h
25887--- linux-2.6.35.4/drivers/message/fusion/mptdebug.h 2010-08-26 19:47:12.000000000 -0400
25888+++ linux-2.6.35.4/drivers/message/fusion/mptdebug.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 25889@@ -71,7 +71,7 @@
25890 CMD; \
25891 }
25892 #else
25893-#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25894+#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25895 #endif
25896
25897
57199397
MT		 25898diff -urNp linux-2.6.35.4/drivers/message/fusion/mptsas.c linux-2.6.35.4/drivers/message/fusion/mptsas.c
25899--- linux-2.6.35.4/drivers/message/fusion/mptsas.c 2010-08-26 19:47:12.000000000 -0400
25900+++ linux-2.6.35.4/drivers/message/fusion/mptsas.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 25901@@ -437,6 +437,23 @@ mptsas_is_end_device(struct mptsas_devin
25902 return 0;
25903 }
25904
25905+static inline void
25906+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25907+{
25908+ if (phy_info->port_details) {
25909+ phy_info->port_details->rphy = rphy;
25910+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25911+ ioc->name, rphy));
25912+ }
25913+
25914+ if (rphy) {
25915+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25916+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25917+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25918+ ioc->name, rphy, rphy->dev.release));
25919+ }
25920+}
25921+
25922 /* no mutex */
25923 static void
25924 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25925@@ -475,23 +492,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25926 return NULL;
25927 }
25928
25929-static inline void
25930-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25931-{
25932- if (phy_info->port_details) {
25933- phy_info->port_details->rphy = rphy;
25934- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25935- ioc->name, rphy));
25936- }
25937-
25938- if (rphy) {
25939- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25940- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25941- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25942- ioc->name, rphy, rphy->dev.release));
25943- }
25944-}
25945-
25946 static inline struct sas_port *
25947 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25948 {
57199397
MT		 25949diff -urNp linux-2.6.35.4/drivers/message/i2o/i2o_proc.c linux-2.6.35.4/drivers/message/i2o/i2o_proc.c
25950--- linux-2.6.35.4/drivers/message/i2o/i2o_proc.c 2010-08-26 19:47:12.000000000 -0400
25951+++ linux-2.6.35.4/drivers/message/i2o/i2o_proc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 25952@@ -255,13 +255,6 @@ static char *scsi_devices[] = {
58c5fc13
MT		 25953 "Array Controller Device"
25954 };
25955
25956-static char *chtostr(u8 * chars, int n)
25957-{
25958- char tmp[256];
25959- tmp[0] = 0;
25960- return strncat(tmp, (char *)chars, n);
25961-}
25962-
25963 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25964 char *group)
25965 {
df50ba0c 25966@@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
58c5fc13
MT		 25967
25968 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25969 seq_printf(seq, "%-#8x", ddm_table.module_id);
25970- seq_printf(seq, "%-29s",
25971- chtostr(ddm_table.module_name_version, 28));
25972+ seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25973 seq_printf(seq, "%9d ", ddm_table.data_size);
25974 seq_printf(seq, "%8d", ddm_table.code_size);
25975
df50ba0c 25976@@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
58c5fc13
MT		 25977
25978 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25979 seq_printf(seq, "%-#8x", dst->module_id);
25980- seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25981- seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25982+ seq_printf(seq, "%-.28s", dst->module_name_version);
25983+ seq_printf(seq, "%-.8s", dst->date);
25984 seq_printf(seq, "%8d ", dst->module_size);
25985 seq_printf(seq, "%8d ", dst->mpb_size);
25986 seq_printf(seq, "0x%04x", dst->module_flags);
df50ba0c 25987@@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
58c5fc13
MT		 25988 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25989 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25990 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25991- seq_printf(seq, "Vendor info : %s\n",
25992- chtostr((u8 *) (work32 + 2), 16));
25993- seq_printf(seq, "Product info : %s\n",
25994- chtostr((u8 *) (work32 + 6), 16));
25995- seq_printf(seq, "Description : %s\n",
25996- chtostr((u8 *) (work32 + 10), 16));
25997- seq_printf(seq, "Product rev. : %s\n",
25998- chtostr((u8 *) (work32 + 14), 8));
25999+ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
26000+ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
26001+ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
26002+ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
26003
26004 seq_printf(seq, "Serial number : ");
26005 print_serial_number(seq, (u8 *) (work32 + 16),
df50ba0c 26006@@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
58c5fc13
MT		 26007 }
26008
26009 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
26010- seq_printf(seq, "Module name : %s\n",
26011- chtostr(result.module_name, 24));
26012- seq_printf(seq, "Module revision : %s\n",
26013- chtostr(result.module_rev, 8));
26014+ seq_printf(seq, "Module name : %.24s\n", result.module_name);
26015+ seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
26016
26017 seq_printf(seq, "Serial number : ");
26018 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
df50ba0c 26019@@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
58c5fc13
MT		 26020 return 0;
26021 }
26022
26023- seq_printf(seq, "Device name : %s\n",
26024- chtostr(result.device_name, 64));
26025- seq_printf(seq, "Service name : %s\n",
26026- chtostr(result.service_name, 64));
26027- seq_printf(seq, "Physical name : %s\n",
26028- chtostr(result.physical_location, 64));
26029- seq_printf(seq, "Instance number : %s\n",
26030- chtostr(result.instance_number, 4));
26031+ seq_printf(seq, "Device name : %.64s\n", result.device_name);
26032+ seq_printf(seq, "Service name : %.64s\n", result.service_name);
26033+ seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
26034+ seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
26035
26036 return 0;
26037 }
57199397
MT		 26038diff -urNp linux-2.6.35.4/drivers/mfd/janz-cmodio.c linux-2.6.35.4/drivers/mfd/janz-cmodio.c
26039--- linux-2.6.35.4/drivers/mfd/janz-cmodio.c 2010-08-26 19:47:12.000000000 -0400
26040+++ linux-2.6.35.4/drivers/mfd/janz-cmodio.c 2010-09-17 20:12:09.000000000 -0400
26041@@ -13,6 +13,7 @@
26042
26043 #include <linux/kernel.h>
26044 #include <linux/module.h>
26045+#include <linux/slab.h>
26046 #include <linux/init.h>
26047 #include <linux/pci.h>
26048 #include <linux/interrupt.h>
26049diff -urNp linux-2.6.35.4/drivers/misc/kgdbts.c linux-2.6.35.4/drivers/misc/kgdbts.c
26050--- linux-2.6.35.4/drivers/misc/kgdbts.c 2010-08-26 19:47:12.000000000 -0400
26051+++ linux-2.6.35.4/drivers/misc/kgdbts.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26052@@ -118,7 +118,7 @@
26053 } while (0)
26054 #define MAX_CONFIG_LEN 40
26055
26056-static struct kgdb_io kgdbts_io_ops;
26057+static const struct kgdb_io kgdbts_io_ops;
26058 static char get_buf[BUFMAX];
26059 static int get_buf_cnt;
26060 static char put_buf[BUFMAX];
df50ba0c 26061@@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
ae4e228f
MT		 26062 module_put(THIS_MODULE);
26063 }
26064
26065-static struct kgdb_io kgdbts_io_ops = {
26066+static const struct kgdb_io kgdbts_io_ops = {
26067 .name = "kgdbts",
26068 .read_char = kgdbts_get_char,
26069 .write_char = kgdbts_put_char,
57199397
MT		 26070diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c
26071--- linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c 2010-08-26 19:47:12.000000000 -0400
26072+++ linux-2.6.35.4/drivers/misc/sgi-gru/gruhandles.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26073@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26074 unsigned long nsec;
26075
26076 nsec = CLKS2NSEC(clks);
26077- atomic_long_inc(&mcs_op_statistics[op].count);
26078- atomic_long_add(nsec, &mcs_op_statistics[op].total);
26079+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26080+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26081 if (mcs_op_statistics[op].max < nsec)
26082 mcs_op_statistics[op].max = nsec;
26083 }
57199397
MT		 26084diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c
26085--- linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c 2010-08-26 19:47:12.000000000 -0400
26086+++ linux-2.6.35.4/drivers/misc/sgi-gru/gruprocfs.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26087@@ -32,9 +32,9 @@
26088
26089 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26090
26091-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26092+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26093 {
26094- unsigned long val = atomic_long_read(v);
26095+ unsigned long val = atomic_long_read_unchecked(v);
26096
26097 seq_printf(s, "%16lu %s\n", val, id);
26098 }
26099@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26100
26101 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26102 for (op = 0; op < mcsop_last; op++) {
26103- count = atomic_long_read(&mcs_op_statistics[op].count);
26104- total = atomic_long_read(&mcs_op_statistics[op].total);
26105+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26106+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26107 max = mcs_op_statistics[op].max;
26108 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26109 count ? total / count : 0, max);
57199397
MT		 26110diff -urNp linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h
26111--- linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h 2010-08-26 19:47:12.000000000 -0400
26112+++ linux-2.6.35.4/drivers/misc/sgi-gru/grutables.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26113@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26114 * GRU statistics.
26115 */
26116 struct gru_stats_s {
26117- atomic_long_t vdata_alloc;
26118- atomic_long_t vdata_free;
26119- atomic_long_t gts_alloc;
26120- atomic_long_t gts_free;
26121- atomic_long_t gms_alloc;
26122- atomic_long_t gms_free;
26123- atomic_long_t gts_double_allocate;
26124- atomic_long_t assign_context;
26125- atomic_long_t assign_context_failed;
26126- atomic_long_t free_context;
26127- atomic_long_t load_user_context;
26128- atomic_long_t load_kernel_context;
26129- atomic_long_t lock_kernel_context;
26130- atomic_long_t unlock_kernel_context;
26131- atomic_long_t steal_user_context;
26132- atomic_long_t steal_kernel_context;
26133- atomic_long_t steal_context_failed;
26134- atomic_long_t nopfn;
26135- atomic_long_t asid_new;
26136- atomic_long_t asid_next;
26137- atomic_long_t asid_wrap;
26138- atomic_long_t asid_reuse;
26139- atomic_long_t intr;
26140- atomic_long_t intr_cbr;
26141- atomic_long_t intr_tfh;
26142- atomic_long_t intr_spurious;
26143- atomic_long_t intr_mm_lock_failed;
26144- atomic_long_t call_os;
26145- atomic_long_t call_os_wait_queue;
26146- atomic_long_t user_flush_tlb;
26147- atomic_long_t user_unload_context;
26148- atomic_long_t user_exception;
26149- atomic_long_t set_context_option;
26150- atomic_long_t check_context_retarget_intr;
26151- atomic_long_t check_context_unload;
26152- atomic_long_t tlb_dropin;
26153- atomic_long_t tlb_preload_page;
26154- atomic_long_t tlb_dropin_fail_no_asid;
26155- atomic_long_t tlb_dropin_fail_upm;
26156- atomic_long_t tlb_dropin_fail_invalid;
26157- atomic_long_t tlb_dropin_fail_range_active;
26158- atomic_long_t tlb_dropin_fail_idle;
26159- atomic_long_t tlb_dropin_fail_fmm;
26160- atomic_long_t tlb_dropin_fail_no_exception;
26161- atomic_long_t tfh_stale_on_fault;
26162- atomic_long_t mmu_invalidate_range;
26163- atomic_long_t mmu_invalidate_page;
26164- atomic_long_t flush_tlb;
26165- atomic_long_t flush_tlb_gru;
26166- atomic_long_t flush_tlb_gru_tgh;
26167- atomic_long_t flush_tlb_gru_zero_asid;
26168-
26169- atomic_long_t copy_gpa;
26170- atomic_long_t read_gpa;
26171-
26172- atomic_long_t mesq_receive;
26173- atomic_long_t mesq_receive_none;
26174- atomic_long_t mesq_send;
26175- atomic_long_t mesq_send_failed;
26176- atomic_long_t mesq_noop;
26177- atomic_long_t mesq_send_unexpected_error;
26178- atomic_long_t mesq_send_lb_overflow;
26179- atomic_long_t mesq_send_qlimit_reached;
26180- atomic_long_t mesq_send_amo_nacked;
26181- atomic_long_t mesq_send_put_nacked;
26182- atomic_long_t mesq_page_overflow;
26183- atomic_long_t mesq_qf_locked;
26184- atomic_long_t mesq_qf_noop_not_full;
26185- atomic_long_t mesq_qf_switch_head_failed;
26186- atomic_long_t mesq_qf_unexpected_error;
26187- atomic_long_t mesq_noop_unexpected_error;
26188- atomic_long_t mesq_noop_lb_overflow;
26189- atomic_long_t mesq_noop_qlimit_reached;
26190- atomic_long_t mesq_noop_amo_nacked;
26191- atomic_long_t mesq_noop_put_nacked;
26192- atomic_long_t mesq_noop_page_overflow;
26193+ atomic_long_unchecked_t vdata_alloc;
26194+ atomic_long_unchecked_t vdata_free;
26195+ atomic_long_unchecked_t gts_alloc;
26196+ atomic_long_unchecked_t gts_free;
26197+ atomic_long_unchecked_t gms_alloc;
26198+ atomic_long_unchecked_t gms_free;
26199+ atomic_long_unchecked_t gts_double_allocate;
26200+ atomic_long_unchecked_t assign_context;
26201+ atomic_long_unchecked_t assign_context_failed;
26202+ atomic_long_unchecked_t free_context;
26203+ atomic_long_unchecked_t load_user_context;
26204+ atomic_long_unchecked_t load_kernel_context;
26205+ atomic_long_unchecked_t lock_kernel_context;
26206+ atomic_long_unchecked_t unlock_kernel_context;
26207+ atomic_long_unchecked_t steal_user_context;
26208+ atomic_long_unchecked_t steal_kernel_context;
26209+ atomic_long_unchecked_t steal_context_failed;
26210+ atomic_long_unchecked_t nopfn;
26211+ atomic_long_unchecked_t asid_new;
26212+ atomic_long_unchecked_t asid_next;
26213+ atomic_long_unchecked_t asid_wrap;
26214+ atomic_long_unchecked_t asid_reuse;
26215+ atomic_long_unchecked_t intr;
26216+ atomic_long_unchecked_t intr_cbr;
26217+ atomic_long_unchecked_t intr_tfh;
26218+ atomic_long_unchecked_t intr_spurious;
26219+ atomic_long_unchecked_t intr_mm_lock_failed;
26220+ atomic_long_unchecked_t call_os;
26221+ atomic_long_unchecked_t call_os_wait_queue;
26222+ atomic_long_unchecked_t user_flush_tlb;
26223+ atomic_long_unchecked_t user_unload_context;
26224+ atomic_long_unchecked_t user_exception;
26225+ atomic_long_unchecked_t set_context_option;
26226+ atomic_long_unchecked_t check_context_retarget_intr;
26227+ atomic_long_unchecked_t check_context_unload;
26228+ atomic_long_unchecked_t tlb_dropin;
26229+ atomic_long_unchecked_t tlb_preload_page;
26230+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26231+ atomic_long_unchecked_t tlb_dropin_fail_upm;
26232+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
26233+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
26234+ atomic_long_unchecked_t tlb_dropin_fail_idle;
26235+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
26236+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26237+ atomic_long_unchecked_t tfh_stale_on_fault;
26238+ atomic_long_unchecked_t mmu_invalidate_range;
26239+ atomic_long_unchecked_t mmu_invalidate_page;
26240+ atomic_long_unchecked_t flush_tlb;
26241+ atomic_long_unchecked_t flush_tlb_gru;
26242+ atomic_long_unchecked_t flush_tlb_gru_tgh;
26243+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26244+
26245+ atomic_long_unchecked_t copy_gpa;
26246+ atomic_long_unchecked_t read_gpa;
26247+
26248+ atomic_long_unchecked_t mesq_receive;
26249+ atomic_long_unchecked_t mesq_receive_none;
26250+ atomic_long_unchecked_t mesq_send;
26251+ atomic_long_unchecked_t mesq_send_failed;
26252+ atomic_long_unchecked_t mesq_noop;
26253+ atomic_long_unchecked_t mesq_send_unexpected_error;
26254+ atomic_long_unchecked_t mesq_send_lb_overflow;
26255+ atomic_long_unchecked_t mesq_send_qlimit_reached;
26256+ atomic_long_unchecked_t mesq_send_amo_nacked;
26257+ atomic_long_unchecked_t mesq_send_put_nacked;
26258+ atomic_long_unchecked_t mesq_page_overflow;
26259+ atomic_long_unchecked_t mesq_qf_locked;
26260+ atomic_long_unchecked_t mesq_qf_noop_not_full;
26261+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
26262+ atomic_long_unchecked_t mesq_qf_unexpected_error;
26263+ atomic_long_unchecked_t mesq_noop_unexpected_error;
26264+ atomic_long_unchecked_t mesq_noop_lb_overflow;
26265+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
26266+ atomic_long_unchecked_t mesq_noop_amo_nacked;
26267+ atomic_long_unchecked_t mesq_noop_put_nacked;
26268+ atomic_long_unchecked_t mesq_noop_page_overflow;
58c5fc13 26269
58c5fc13 26270 };
58c5fc13 26271
ae4e228f
MT		 26272@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26273 tghop_invalidate, mcsop_last};
58c5fc13 26274
ae4e228f
MT		 26275 struct mcs_op_statistic {
26276- atomic_long_t count;
26277- atomic_long_t total;
26278+ atomic_long_unchecked_t count;
26279+ atomic_long_unchecked_t total;
26280 unsigned long max;
58c5fc13
MT		 26281 };
26282
ae4e228f 26283@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
58c5fc13 26284
ae4e228f
MT		 26285 #define STAT(id) do { \
26286 if (gru_options & OPT_STATS) \
26287- atomic_long_inc(&gru_stats.id); \
26288+ atomic_long_inc_unchecked(&gru_stats.id); \
26289 } while (0)
58c5fc13 26290
ae4e228f 26291 #ifdef CONFIG_SGI_GRU_DEBUG
57199397
MT		 26292diff -urNp linux-2.6.35.4/drivers/mtd/devices/doc2000.c linux-2.6.35.4/drivers/mtd/devices/doc2000.c
26293--- linux-2.6.35.4/drivers/mtd/devices/doc2000.c 2010-08-26 19:47:12.000000000 -0400
26294+++ linux-2.6.35.4/drivers/mtd/devices/doc2000.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 26295@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26296
26297 /* The ECC will not be calculated correctly if less than 512 is written */
26298 /* DBB-
26299- if (len != 0x200 && eccbuf)
26300+ if (len != 0x200)
26301 printk(KERN_WARNING
26302 "ECC needs a full sector write (adr: %lx size %lx)\n",
26303 (long) to, (long) len);
57199397
MT		 26304diff -urNp linux-2.6.35.4/drivers/mtd/devices/doc2001.c linux-2.6.35.4/drivers/mtd/devices/doc2001.c
26305--- linux-2.6.35.4/drivers/mtd/devices/doc2001.c 2010-08-26 19:47:12.000000000 -0400
26306+++ linux-2.6.35.4/drivers/mtd/devices/doc2001.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26307@@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26308 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26309
58c5fc13 26310 /* Don't allow read past end of device */
ae4e228f
MT		 26311- if (from >= this->totlen)
26312+ if (from >= this->totlen || !len)
58c5fc13 26313 return -EINVAL;
58c5fc13
MT		 26314
26315 /* Don't allow a single read to cross a 512-byte block boundary */
57199397
MT		 26316diff -urNp linux-2.6.35.4/drivers/mtd/nand/denali.c linux-2.6.35.4/drivers/mtd/nand/denali.c
26317--- linux-2.6.35.4/drivers/mtd/nand/denali.c 2010-08-26 19:47:12.000000000 -0400
26318+++ linux-2.6.35.4/drivers/mtd/nand/denali.c 2010-09-17 20:12:09.000000000 -0400
26319@@ -24,6 +24,7 @@
26320 #include <linux/pci.h>
26321 #include <linux/mtd/mtd.h>
26322 #include <linux/module.h>
26323+#include <linux/slab.h>
26324
26325 #include "denali.h"
26326
26327diff -urNp linux-2.6.35.4/drivers/mtd/ubi/build.c linux-2.6.35.4/drivers/mtd/ubi/build.c
26328--- linux-2.6.35.4/drivers/mtd/ubi/build.c 2010-08-26 19:47:12.000000000 -0400
26329+++ linux-2.6.35.4/drivers/mtd/ubi/build.c 2010-09-17 20:12:09.000000000 -0400
26330@@ -1282,7 +1282,7 @@ module_exit(ubi_exit);
ae4e228f
MT		 26331 static int __init bytes_str_to_int(const char *str)
26332 {
26333 char *endp;
26334- unsigned long result;
26335+ unsigned long result, scale = 1;
58c5fc13
MT		 26336
26337 result = simple_strtoul(str, &endp, 0);
ae4e228f 26338 if (str == endp || result >= INT_MAX) {
57199397 26339@@ -1293,11 +1293,11 @@ static int __init bytes_str_to_int(const
ae4e228f
MT		 26340
26341 switch (*endp) {
26342 case 'G':
26343- result *= 1024;
26344+ scale *= 1024;
26345 case 'M':
26346- result *= 1024;
26347+ scale *= 1024;
26348 case 'K':
26349- result *= 1024;
26350+ scale *= 1024;
26351 if (endp[1] == 'i' && endp[2] == 'B')
26352 endp += 2;
26353 case '\0':
57199397 26354@@ -1308,7 +1308,13 @@ static int __init bytes_str_to_int(const
58c5fc13 26355 return -EINVAL;
ae4e228f
MT		 26356 }
26357
26358- return result;
26359+ if ((intoverflow_t)result*scale >= INT_MAX) {
26360+ printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26361+ str);
26362+ return -EINVAL;
26363+ }
26364+
26365+ return result*scale;
26366 }
26367
26368 /**
57199397
MT		 26369diff -urNp linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c
26370--- linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-08-26 19:47:12.000000000 -0400
26371+++ linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-09-17 20:12:37.000000000 -0400
26372@@ -2296,6 +2296,8 @@ static int cxgb_extension_ioctl(struct n
26373 case CHELSIO_GET_QSET_NUM:{
26374 struct ch_reg edata;
26375
26376+ memset(&edata, 0, sizeof(edata));
26377+
26378 edata.cmd = CHELSIO_GET_QSET_NUM;
26379 edata.val = pi->nqsets;
26380 if (copy_to_user(useraddr, &edata, sizeof(edata)))
26381diff -urNp linux-2.6.35.4/drivers/net/e1000e/82571.c linux-2.6.35.4/drivers/net/e1000e/82571.c
26382--- linux-2.6.35.4/drivers/net/e1000e/82571.c 2010-08-26 19:47:12.000000000 -0400
26383+++ linux-2.6.35.4/drivers/net/e1000e/82571.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26384@@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
26385 {
26386 struct e1000_hw *hw = &adapter->hw;
26387 struct e1000_mac_info *mac = &hw->mac;
26388+ /* cannot be const */
26389 struct e1000_mac_operations *func = &mac->ops;
26390 u32 swsm = 0;
26391 u32 swsm2 = 0;
57199397 26392@@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
ae4e228f
MT		 26393 er32(ICRXDMTC);
26394 }
26395
26396-static struct e1000_mac_operations e82571_mac_ops = {
26397+static const struct e1000_mac_operations e82571_mac_ops = {
26398 /* .check_mng_mode: mac type dependent */
26399 /* .check_for_link: media type dependent */
26400 .id_led_init = e1000e_id_led_init,
57199397 26401@@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
df50ba0c 26402 .read_mac_addr = e1000_read_mac_addr_82571,
ae4e228f
MT		 26403 };
26404
26405-static struct e1000_phy_operations e82_phy_ops_igp = {
26406+static const struct e1000_phy_operations e82_phy_ops_igp = {
26407 .acquire = e1000_get_hw_semaphore_82571,
26408 .check_polarity = e1000_check_polarity_igp,
26409 .check_reset_block = e1000e_check_reset_block_generic,
57199397 26410@@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
ae4e228f
MT		 26411 .cfg_on_link_up = NULL,
26412 };
26413
26414-static struct e1000_phy_operations e82_phy_ops_m88 = {
26415+static const struct e1000_phy_operations e82_phy_ops_m88 = {
26416 .acquire = e1000_get_hw_semaphore_82571,
26417 .check_polarity = e1000_check_polarity_m88,
26418 .check_reset_block = e1000e_check_reset_block_generic,
57199397 26419@@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
ae4e228f
MT		 26420 .cfg_on_link_up = NULL,
26421 };
26422
26423-static struct e1000_phy_operations e82_phy_ops_bm = {
26424+static const struct e1000_phy_operations e82_phy_ops_bm = {
26425 .acquire = e1000_get_hw_semaphore_82571,
26426 .check_polarity = e1000_check_polarity_m88,
26427 .check_reset_block = e1000e_check_reset_block_generic,
57199397 26428@@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
ae4e228f
MT		 26429 .cfg_on_link_up = NULL,
26430 };
26431
26432-static struct e1000_nvm_operations e82571_nvm_ops = {
26433+static const struct e1000_nvm_operations e82571_nvm_ops = {
26434 .acquire = e1000_acquire_nvm_82571,
26435 .read = e1000e_read_nvm_eerd,
26436 .release = e1000_release_nvm_82571,
57199397
MT		 26437diff -urNp linux-2.6.35.4/drivers/net/e1000e/e1000.h linux-2.6.35.4/drivers/net/e1000e/e1000.h
26438--- linux-2.6.35.4/drivers/net/e1000e/e1000.h 2010-08-26 19:47:12.000000000 -0400
26439+++ linux-2.6.35.4/drivers/net/e1000e/e1000.h 2010-09-17 20:12:09.000000000 -0400
26440@@ -377,9 +377,9 @@ struct e1000_info {
ae4e228f
MT		 26441 u32 pba;
26442 u32 max_hw_frame_size;
26443 s32 (*get_variants)(struct e1000_adapter *);
26444- struct e1000_mac_operations *mac_ops;
26445- struct e1000_phy_operations *phy_ops;
26446- struct e1000_nvm_operations *nvm_ops;
26447+ const struct e1000_mac_operations *mac_ops;
26448+ const struct e1000_phy_operations *phy_ops;
26449+ const struct e1000_nvm_operations *nvm_ops;
26450 };
26451
26452 /* hardware capability, feature, and workaround flags */
57199397
MT		 26453diff -urNp linux-2.6.35.4/drivers/net/e1000e/es2lan.c linux-2.6.35.4/drivers/net/e1000e/es2lan.c
26454--- linux-2.6.35.4/drivers/net/e1000e/es2lan.c 2010-08-26 19:47:12.000000000 -0400
26455+++ linux-2.6.35.4/drivers/net/e1000e/es2lan.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26456@@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26457 {
26458 struct e1000_hw *hw = &adapter->hw;
26459 struct e1000_mac_info *mac = &hw->mac;
26460+ /* cannot be const */
26461 struct e1000_mac_operations *func = &mac->ops;
26462
26463 /* Set media type */
57199397 26464@@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
ae4e228f
MT		 26465 er32(ICRXDMTC);
26466 }
26467
26468-static struct e1000_mac_operations es2_mac_ops = {
26469+static const struct e1000_mac_operations es2_mac_ops = {
df50ba0c 26470 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
ae4e228f
MT		 26471 .id_led_init = e1000e_id_led_init,
26472 .check_mng_mode = e1000e_check_mng_mode_generic,
57199397 26473@@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
ae4e228f
MT		 26474 .setup_led = e1000e_setup_led_generic,
26475 };
26476
26477-static struct e1000_phy_operations es2_phy_ops = {
26478+static const struct e1000_phy_operations es2_phy_ops = {
26479 .acquire = e1000_acquire_phy_80003es2lan,
26480 .check_polarity = e1000_check_polarity_m88,
26481 .check_reset_block = e1000e_check_reset_block_generic,
57199397 26482@@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
ae4e228f
MT		 26483 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26484 };
26485
26486-static struct e1000_nvm_operations es2_nvm_ops = {
26487+static const struct e1000_nvm_operations es2_nvm_ops = {
26488 .acquire = e1000_acquire_nvm_80003es2lan,
26489 .read = e1000e_read_nvm_eerd,
26490 .release = e1000_release_nvm_80003es2lan,
57199397
MT		 26491diff -urNp linux-2.6.35.4/drivers/net/e1000e/hw.h linux-2.6.35.4/drivers/net/e1000e/hw.h
26492--- linux-2.6.35.4/drivers/net/e1000e/hw.h 2010-08-26 19:47:12.000000000 -0400
26493+++ linux-2.6.35.4/drivers/net/e1000e/hw.h 2010-09-17 20:12:09.000000000 -0400
26494@@ -791,13 +791,13 @@ struct e1000_phy_operations {
ae4e228f
MT		 26495
26496 /* Function pointers for the NVM. */
26497 struct e1000_nvm_operations {
26498- s32 (*acquire)(struct e1000_hw *);
26499- s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26500- void (*release)(struct e1000_hw *);
26501- s32 (*update)(struct e1000_hw *);
26502- s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26503- s32 (*validate)(struct e1000_hw *);
26504- s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26505+ s32 (* const acquire)(struct e1000_hw *);
26506+ s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26507+ void (* const release)(struct e1000_hw *);
26508+ s32 (* const update)(struct e1000_hw *);
26509+ s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26510+ s32 (* const validate)(struct e1000_hw *);
26511+ s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26512 };
26513
26514 struct e1000_mac_info {
57199397 26515@@ -877,6 +877,7 @@ struct e1000_phy_info {
ae4e228f
MT		 26516 };
26517
26518 struct e1000_nvm_info {
26519+ /* cannot be const */
26520 struct e1000_nvm_operations ops;
26521
26522 enum e1000_nvm_type type;
57199397
MT		 26523diff -urNp linux-2.6.35.4/drivers/net/e1000e/ich8lan.c linux-2.6.35.4/drivers/net/e1000e/ich8lan.c
26524--- linux-2.6.35.4/drivers/net/e1000e/ich8lan.c 2010-08-26 19:47:12.000000000 -0400
26525+++ linux-2.6.35.4/drivers/net/e1000e/ich8lan.c 2010-09-17 20:12:09.000000000 -0400
26526@@ -3388,7 +3388,7 @@ static void e1000_clear_hw_cntrs_ich8lan
ae4e228f
MT		 26527 }
26528 }
26529
26530-static struct e1000_mac_operations ich8_mac_ops = {
26531+static const struct e1000_mac_operations ich8_mac_ops = {
26532 .id_led_init = e1000e_id_led_init,
26533 .check_mng_mode = e1000_check_mng_mode_ich8lan,
26534 .check_for_link = e1000_check_for_copper_link_ich8lan,
57199397 26535@@ -3407,7 +3407,7 @@ static struct e1000_mac_operations ich8_
ae4e228f
MT		 26536 /* id_led_init dependent on mac type */
26537 };
26538
26539-static struct e1000_phy_operations ich8_phy_ops = {
26540+static const struct e1000_phy_operations ich8_phy_ops = {
26541 .acquire = e1000_acquire_swflag_ich8lan,
26542 .check_reset_block = e1000_check_reset_block_ich8lan,
26543 .commit = NULL,
57199397 26544@@ -3421,7 +3421,7 @@ static struct e1000_phy_operations ich8_
ae4e228f
MT		 26545 .write_reg = e1000e_write_phy_reg_igp,
26546 };
26547
26548-static struct e1000_nvm_operations ich8_nvm_ops = {
26549+static const struct e1000_nvm_operations ich8_nvm_ops = {
26550 .acquire = e1000_acquire_nvm_ich8lan,
26551 .read = e1000_read_nvm_ich8lan,
26552 .release = e1000_release_nvm_ich8lan,
57199397
MT		 26553diff -urNp linux-2.6.35.4/drivers/net/eql.c linux-2.6.35.4/drivers/net/eql.c
26554--- linux-2.6.35.4/drivers/net/eql.c 2010-08-26 19:47:12.000000000 -0400
26555+++ linux-2.6.35.4/drivers/net/eql.c 2010-09-17 20:12:37.000000000 -0400
26556@@ -555,6 +555,8 @@ static int eql_g_master_cfg(struct net_d
26557 equalizer_t *eql;
26558 master_config_t mc;
26559
26560+ memset(&mc, 0, sizeof(mc));
26561+
26562 if (eql_is_master(dev)) {
26563 eql = netdev_priv(dev);
26564 mc.max_slaves = eql->max_slaves;
26565diff -urNp linux-2.6.35.4/drivers/net/igb/e1000_82575.c linux-2.6.35.4/drivers/net/igb/e1000_82575.c
26566--- linux-2.6.35.4/drivers/net/igb/e1000_82575.c 2010-08-26 19:47:12.000000000 -0400
26567+++ linux-2.6.35.4/drivers/net/igb/e1000_82575.c 2010-09-17 20:12:09.000000000 -0400
26568@@ -1597,7 +1597,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
ae4e228f
MT		 26569 return ret_val;
26570 }
26571
26572-static struct e1000_mac_operations e1000_mac_ops_82575 = {
26573+static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26574 .init_hw = igb_init_hw_82575,
26575 .check_for_link = igb_check_for_link_82575,
26576 .rar_set = igb_rar_set,
57199397 26577@@ -1605,13 +1605,13 @@ static struct e1000_mac_operations e1000
ae4e228f
MT		 26578 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26579 };
26580
26581-static struct e1000_phy_operations e1000_phy_ops_82575 = {
26582+static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26583 .acquire = igb_acquire_phy_82575,
26584 .get_cfg_done = igb_get_cfg_done_82575,
26585 .release = igb_release_phy_82575,
26586 };
26587
26588-static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26589+static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26590 .acquire = igb_acquire_nvm_82575,
26591 .read = igb_read_nvm_eerd,
26592 .release = igb_release_nvm_82575,
57199397
MT		 26593diff -urNp linux-2.6.35.4/drivers/net/igb/e1000_hw.h linux-2.6.35.4/drivers/net/igb/e1000_hw.h
26594--- linux-2.6.35.4/drivers/net/igb/e1000_hw.h 2010-08-26 19:47:12.000000000 -0400
26595+++ linux-2.6.35.4/drivers/net/igb/e1000_hw.h 2010-09-17 20:12:09.000000000 -0400
26596@@ -323,17 +323,17 @@ struct e1000_phy_operations {
ae4e228f
MT		 26597 };
26598
26599 struct e1000_nvm_operations {
26600- s32 (*acquire)(struct e1000_hw *);
26601- s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26602- void (*release)(struct e1000_hw *);
26603- s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26604+ s32 (* const acquire)(struct e1000_hw *);
26605+ s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26606+ void (* const release)(struct e1000_hw *);
26607+ s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26608 };
26609
26610 struct e1000_info {
26611 s32 (*get_invariants)(struct e1000_hw *);
26612- struct e1000_mac_operations *mac_ops;
26613- struct e1000_phy_operations *phy_ops;
26614- struct e1000_nvm_operations *nvm_ops;
26615+ const struct e1000_mac_operations *mac_ops;
26616+ const struct e1000_phy_operations *phy_ops;
26617+ const struct e1000_nvm_operations *nvm_ops;
26618 };
26619
26620 extern const struct e1000_info e1000_82575_info;
57199397 26621@@ -412,6 +412,7 @@ struct e1000_phy_info {
ae4e228f
MT		 26622 };
26623
26624 struct e1000_nvm_info {
26625+ /* cannot be const */
26626 struct e1000_nvm_operations ops;
26627
26628 enum e1000_nvm_type type;
57199397
MT		 26629diff -urNp linux-2.6.35.4/drivers/net/irda/vlsi_ir.c linux-2.6.35.4/drivers/net/irda/vlsi_ir.c
26630--- linux-2.6.35.4/drivers/net/irda/vlsi_ir.c 2010-08-26 19:47:12.000000000 -0400
26631+++ linux-2.6.35.4/drivers/net/irda/vlsi_ir.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 26632@@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
58c5fc13
MT		 26633 /* no race - tx-ring already empty */
26634 vlsi_set_baud(idev, iobase);
26635 netif_wake_queue(ndev);
26636- }
26637- else
26638- ;
26639+ } else {
26640 /* keep the speed change pending like it would
26641 * for any len>0 packet. tx completion interrupt
26642 * will apply it when the tx ring becomes empty.
26643 */
26644+ }
26645 spin_unlock_irqrestore(&idev->lock, flags);
26646 dev_kfree_skb_any(skb);
ae4e228f 26647 return NETDEV_TX_OK;
57199397
MT		 26648diff -urNp linux-2.6.35.4/drivers/net/pcnet32.c linux-2.6.35.4/drivers/net/pcnet32.c
26649--- linux-2.6.35.4/drivers/net/pcnet32.c 2010-08-26 19:47:12.000000000 -0400
26650+++ linux-2.6.35.4/drivers/net/pcnet32.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 26651@@ -82,7 +82,7 @@ static int cards_found;
58c5fc13
MT		 26652 /*
26653 * VLB I/O addresses
26654 */
26655-static unsigned int pcnet32_portlist[] __initdata =
26656+static unsigned int pcnet32_portlist[] __devinitdata =
26657 { 0x300, 0x320, 0x340, 0x360, 0 };
26658
df50ba0c 26659 static int pcnet32_debug;
57199397
MT		 26660diff -urNp linux-2.6.35.4/drivers/net/ppp_generic.c linux-2.6.35.4/drivers/net/ppp_generic.c
26661--- linux-2.6.35.4/drivers/net/ppp_generic.c 2010-08-26 19:47:12.000000000 -0400
26662+++ linux-2.6.35.4/drivers/net/ppp_generic.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 26663@@ -992,7 +992,6 @@ ppp_net_ioctl(struct net_device *dev, st
ae4e228f
MT		 26664 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26665 struct ppp_stats stats;
26666 struct ppp_comp_stats cstats;
26667- char *vers;
26668
26669 switch (cmd) {
26670 case SIOCGPPPSTATS:
df50ba0c 26671@@ -1014,8 +1013,7 @@ ppp_net_ioctl(struct net_device *dev, st
ae4e228f
MT		 26672 break;
26673
26674 case SIOCGPPPVER:
26675- vers = PPP_VERSION;
26676- if (copy_to_user(addr, vers, strlen(vers) + 1))
26677+ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26678 break;
26679 err = 0;
26680 break;
57199397
MT		 26681diff -urNp linux-2.6.35.4/drivers/net/tg3.c linux-2.6.35.4/drivers/net/tg3.c
26682--- linux-2.6.35.4/drivers/net/tg3.c 2010-08-26 19:47:12.000000000 -0400
26683+++ linux-2.6.35.4/drivers/net/tg3.c 2010-09-17 20:12:09.000000000 -0400
26684@@ -12410,7 +12410,7 @@ static void __devinit tg3_read_vpd(struc
26685 cnt = pci_read_vpd(tp->pdev, pos,
26686 TG3_NVM_VPD_LEN - pos,
26687 &vpd_data[pos]);
26688- if (cnt == -ETIMEDOUT || -EINTR)
26689+ if (cnt == -ETIMEDOUT || cnt == -EINTR)
26690 cnt = 0;
26691 else if (cnt < 0)
26692 goto out_not_found;
26693diff -urNp linux-2.6.35.4/drivers/net/tg3.h linux-2.6.35.4/drivers/net/tg3.h
26694--- linux-2.6.35.4/drivers/net/tg3.h 2010-08-26 19:47:12.000000000 -0400
26695+++ linux-2.6.35.4/drivers/net/tg3.h 2010-09-17 20:12:09.000000000 -0400
26696@@ -130,6 +130,7 @@
58c5fc13
MT		 26697 #define CHIPREV_ID_5750_A0 0x4000
26698 #define CHIPREV_ID_5750_A1 0x4001
26699 #define CHIPREV_ID_5750_A3 0x4003
26700+#define CHIPREV_ID_5750_C1 0x4201
26701 #define CHIPREV_ID_5750_C2 0x4202
26702 #define CHIPREV_ID_5752_A0_HW 0x5000
26703 #define CHIPREV_ID_5752_A0 0x6000
57199397
MT		 26704diff -urNp linux-2.6.35.4/drivers/net/tulip/de4x5.c linux-2.6.35.4/drivers/net/tulip/de4x5.c
26705--- linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-08-26 19:47:12.000000000 -0400
26706+++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-17 20:12:37.000000000 -0400
26707@@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
ae4e228f
MT		 26708 for (i=0; i<ETH_ALEN; i++) {
26709 tmp.addr[i] = dev->dev_addr[i];
26710 }
26711- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26712+ if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26713 break;
26714
26715 case DE4X5_SET_HWADDR: /* Set the hardware address */
57199397 26716@@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
ae4e228f
MT		 26717 spin_lock_irqsave(&lp->lock, flags);
26718 memcpy(&statbuf, &lp->pktStats, ioc->len);
26719 spin_unlock_irqrestore(&lp->lock, flags);
26720- if (copy_to_user(ioc->data, &statbuf, ioc->len))
26721+ if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
26722 return -EFAULT;
26723 break;
26724 }
57199397
MT		 26725@@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
26726 tmp.lval[6] = inl(DE4X5_STRR); j+=4;
26727 tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
26728 ioc->len = j;
26729- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26730+ if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
26731 break;
26732
26733 #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
26734diff -urNp linux-2.6.35.4/drivers/net/usb/hso.c linux-2.6.35.4/drivers/net/usb/hso.c
26735--- linux-2.6.35.4/drivers/net/usb/hso.c 2010-08-26 19:47:12.000000000 -0400
26736+++ linux-2.6.35.4/drivers/net/usb/hso.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 26737@@ -258,7 +258,7 @@ struct hso_serial {
26738
26739 /* from usb_serial_port */
26740 struct tty_struct *tty;
26741- int open_count;
26742+ atomic_t open_count;
26743 spinlock_t serial_lock;
26744
26745 int (*write_data) (struct hso_serial *serial);
57199397 26746@@ -1201,7 +1201,7 @@ static void put_rxbuf_data_and_resubmit_
58c5fc13
MT		 26747 struct urb *urb;
26748
26749 urb = serial->rx_urb[0];
26750- if (serial->open_count > 0) {
26751+ if (atomic_read(&serial->open_count) > 0) {
26752 count = put_rxbuf_data(urb, serial);
26753 if (count == -1)
26754 return;
57199397 26755@@ -1237,7 +1237,7 @@ static void hso_std_serial_read_bulk_cal
58c5fc13
MT		 26756 DUMP1(urb->transfer_buffer, urb->actual_length);
26757
26758 /* Anyone listening? */
26759- if (serial->open_count == 0)
26760+ if (atomic_read(&serial->open_count) == 0)
26761 return;
26762
26763 if (status == 0) {
57199397 26764@@ -1332,8 +1332,7 @@ static int hso_serial_open(struct tty_st
58c5fc13
MT		 26765 spin_unlock_irq(&serial->serial_lock);
26766
26767 /* check for port already opened, if not set the termios */
26768- serial->open_count++;
26769- if (serial->open_count == 1) {
26770+ if (atomic_inc_return(&serial->open_count) == 1) {
58c5fc13
MT		 26771 serial->rx_state = RX_IDLE;
26772 /* Force default termio settings */
57199397 26773 _hso_serial_set_termios(tty, NULL);
df50ba0c 26774@@ -1345,7 +1344,7 @@ static int hso_serial_open(struct tty_st
58c5fc13
MT		 26775 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26776 if (result) {
26777 hso_stop_serial_device(serial->parent);
26778- serial->open_count--;
26779+ atomic_dec(&serial->open_count);
26780 kref_put(&serial->parent->ref, hso_serial_ref_free);
26781 }
26782 } else {
df50ba0c 26783@@ -1382,10 +1381,10 @@ static void hso_serial_close(struct tty_
58c5fc13
MT		 26784
26785 /* reset the rts and dtr */
26786 /* do the actual close */
26787- serial->open_count--;
26788+ atomic_dec(&serial->open_count);
ae4e228f 26789
58c5fc13
MT		 26790- if (serial->open_count <= 0) {
26791- serial->open_count = 0;
26792+ if (atomic_read(&serial->open_count) <= 0) {
26793+ atomic_set(&serial->open_count, 0);
26794 spin_lock_irq(&serial->serial_lock);
26795 if (serial->tty == tty) {
26796 serial->tty->driver_data = NULL;
df50ba0c 26797@@ -1467,7 +1466,7 @@ static void hso_serial_set_termios(struc
58c5fc13
MT		 26798
26799 /* the actual setup */
26800 spin_lock_irqsave(&serial->serial_lock, flags);
26801- if (serial->open_count)
26802+ if (atomic_read(&serial->open_count))
26803 _hso_serial_set_termios(tty, old);
26804 else
26805 tty->termios = old;
57199397
MT		 26806@@ -1655,6 +1654,9 @@ static int hso_get_count(struct hso_seri
26807
26808 if (!tiocmget)
26809 return -ENOENT;
26810+
26811+ memset(&icount, 0, sizeof(icount));
26812+
26813 spin_lock_irq(&serial->serial_lock);
26814 memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
26815 spin_unlock_irq(&serial->serial_lock);
26816@@ -1929,7 +1931,7 @@ static void intr_callback(struct urb *ur
ae4e228f
MT		 26817 D1("Pending read interrupt on port %d\n", i);
26818 spin_lock(&serial->serial_lock);
26819 if (serial->rx_state == RX_IDLE &&
26820- serial->open_count > 0) {
26821+ atomic_read(&serial->open_count) > 0) {
26822 /* Setup and send a ctrl req read on
26823 * port i */
26824 if (!serial->rx_urb_filled[0]) {
57199397 26825@@ -3119,7 +3121,7 @@ static int hso_resume(struct usb_interfa
58c5fc13
MT		 26826 /* Start all serial ports */
26827 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26828 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26829- if (dev2ser(serial_table[i])->open_count) {
26830+ if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
26831 result =
26832 hso_start_serial_device(serial_table[i], GFP_NOIO);
26833 hso_kick_transmit(dev2ser(serial_table[i]));
57199397
MT		 26834diff -urNp linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c
26835--- linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26836+++ linux-2.6.35.4/drivers/net/wireless/b43/debugfs.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26837@@ -43,7 +43,7 @@ static struct dentry *rootdir;
26838 struct b43_debugfs_fops {
26839 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26840 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26841- struct file_operations fops;
26842+ const struct file_operations fops;
26843 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26844 size_t file_struct_offset;
26845 };
57199397
MT		 26846diff -urNp linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c
26847--- linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26848+++ linux-2.6.35.4/drivers/net/wireless/b43legacy/debugfs.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26849@@ -44,7 +44,7 @@ static struct dentry *rootdir;
26850 struct b43legacy_debugfs_fops {
26851 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26852 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26853- struct file_operations fops;
26854+ const struct file_operations fops;
26855 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26856 size_t file_struct_offset;
26857 /* Take wl->irq_lock before calling read/write? */
57199397
MT		 26858diff -urNp linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h
26859--- linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-08-26 19:47:12.000000000 -0400
26860+++ linux-2.6.35.4/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 26861@@ -68,8 +68,8 @@ do {
26862 } while (0)
ae4e228f 26863
df50ba0c
MT		 26864 #else
26865-#define IWL_DEBUG(__priv, level, fmt, args...)
26866-#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26867+#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26868+#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26869 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26870 void *p, u32 len)
26871 {}
57199397
MT		 26872diff -urNp linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c
26873--- linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c 2010-08-26 19:47:12.000000000 -0400
26874+++ linux-2.6.35.4/drivers/net/wireless/libertas/debugfs.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 26875@@ -718,7 +718,7 @@ out_unlock:
ae4e228f
MT		 26876 struct lbs_debugfs_files {
26877 const char *name;
26878 int perm;
26879- struct file_operations fops;
26880+ const struct file_operations fops;
26881 };
26882
26883 static const struct lbs_debugfs_files debugfs_files[] = {
57199397
MT		 26884diff -urNp linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c
26885--- linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c 2010-08-26 19:47:12.000000000 -0400
26886+++ linux-2.6.35.4/drivers/net/wireless/rndis_wlan.c 2010-09-17 20:12:09.000000000 -0400
26887@@ -1235,7 +1235,7 @@ static int set_rts_threshold(struct usbn
df50ba0c
MT		 26888
26889 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26890
26891- if (rts_threshold < 0 || rts_threshold > 2347)
26892+ if (rts_threshold > 2347)
26893 rts_threshold = 2347;
26894
26895 tmp = cpu_to_le32(rts_threshold);
57199397
MT		 26896diff -urNp linux-2.6.35.4/drivers/oprofile/buffer_sync.c linux-2.6.35.4/drivers/oprofile/buffer_sync.c
26897--- linux-2.6.35.4/drivers/oprofile/buffer_sync.c 2010-08-26 19:47:12.000000000 -0400
26898+++ linux-2.6.35.4/drivers/oprofile/buffer_sync.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 26899@@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
58c5fc13
MT		 26900 if (cookie == NO_COOKIE)
26901 offset = pc;
26902 if (cookie == INVALID_COOKIE) {
26903- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26904+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26905 offset = pc;
26906 }
26907 if (cookie != last_cookie) {
df50ba0c 26908@@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
58c5fc13
MT		 26909 /* add userspace sample */
26910
26911 if (!mm) {
26912- atomic_inc(&oprofile_stats.sample_lost_no_mm);
26913+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26914 return 0;
26915 }
26916
26917 cookie = lookup_dcookie(mm, s->eip, &offset);
26918
26919 if (cookie == INVALID_COOKIE) {
26920- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26921+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26922 return 0;
26923 }
26924
df50ba0c 26925@@ -561,7 +561,7 @@ void sync_buffer(int cpu)
58c5fc13
MT		 26926 /* ignore backtraces if failed to add a sample */
26927 if (state == sb_bt_start) {
26928 state = sb_bt_ignore;
26929- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26930+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26931 }
26932 }
26933 release_mm(mm);
57199397
MT		 26934diff -urNp linux-2.6.35.4/drivers/oprofile/event_buffer.c linux-2.6.35.4/drivers/oprofile/event_buffer.c
26935--- linux-2.6.35.4/drivers/oprofile/event_buffer.c 2010-08-26 19:47:12.000000000 -0400
26936+++ linux-2.6.35.4/drivers/oprofile/event_buffer.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26937@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26938 }
26939
58c5fc13
MT		 26940 if (buffer_pos == buffer_size) {
26941- atomic_inc(&oprofile_stats.event_lost_overflow);
26942+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26943 return;
26944 }
26945
57199397
MT		 26946diff -urNp linux-2.6.35.4/drivers/oprofile/oprof.c linux-2.6.35.4/drivers/oprofile/oprof.c
26947--- linux-2.6.35.4/drivers/oprofile/oprof.c 2010-08-26 19:47:12.000000000 -0400
26948+++ linux-2.6.35.4/drivers/oprofile/oprof.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 26949@@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26950 if (oprofile_ops.switch_events())
26951 return;
58c5fc13 26952
ae4e228f
MT		 26953- atomic_inc(&oprofile_stats.multiplex_counter);
26954+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26955 start_switch_worker();
26956 }
58c5fc13 26957
57199397
MT		 26958diff -urNp linux-2.6.35.4/drivers/oprofile/oprofilefs.c linux-2.6.35.4/drivers/oprofile/oprofilefs.c
26959--- linux-2.6.35.4/drivers/oprofile/oprofilefs.c 2010-08-26 19:47:12.000000000 -0400
26960+++ linux-2.6.35.4/drivers/oprofile/oprofilefs.c 2010-09-17 20:12:09.000000000 -0400
26961@@ -187,7 +187,7 @@ static const struct file_operations atom
26962
26963
26964 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26965- char const *name, atomic_t *val)
26966+ char const *name, atomic_unchecked_t *val)
26967 {
26968 struct dentry *d = __oprofilefs_create_file(sb, root, name,
26969 &atomic_ro_fops, 0444);
26970diff -urNp linux-2.6.35.4/drivers/oprofile/oprofile_stats.c linux-2.6.35.4/drivers/oprofile/oprofile_stats.c
26971--- linux-2.6.35.4/drivers/oprofile/oprofile_stats.c 2010-08-26 19:47:12.000000000 -0400
26972+++ linux-2.6.35.4/drivers/oprofile/oprofile_stats.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 26973@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
58c5fc13
MT		 26974 cpu_buf->sample_invalid_eip = 0;
26975 }
26976
26977- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26978- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26979- atomic_set(&oprofile_stats.event_lost_overflow, 0);
26980- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
ae4e228f 26981- atomic_set(&oprofile_stats.multiplex_counter, 0);
58c5fc13
MT		 26982+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26983+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26984+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26985+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
ae4e228f 26986+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
58c5fc13
MT		 26987 }
26988
26989
57199397
MT		 26990diff -urNp linux-2.6.35.4/drivers/oprofile/oprofile_stats.h linux-2.6.35.4/drivers/oprofile/oprofile_stats.h
26991--- linux-2.6.35.4/drivers/oprofile/oprofile_stats.h 2010-08-26 19:47:12.000000000 -0400
26992+++ linux-2.6.35.4/drivers/oprofile/oprofile_stats.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 26993@@ -13,11 +13,11 @@
58c5fc13
MT		 26994 #include <asm/atomic.h>
26995
26996 struct oprofile_stat_struct {
26997- atomic_t sample_lost_no_mm;
26998- atomic_t sample_lost_no_mapping;
26999- atomic_t bt_lost_no_mapping;
27000- atomic_t event_lost_overflow;
ae4e228f 27001- atomic_t multiplex_counter;
58c5fc13
MT		 27002+ atomic_unchecked_t sample_lost_no_mm;
27003+ atomic_unchecked_t sample_lost_no_mapping;
27004+ atomic_unchecked_t bt_lost_no_mapping;
27005+ atomic_unchecked_t event_lost_overflow;
ae4e228f 27006+ atomic_unchecked_t multiplex_counter;
58c5fc13
MT		 27007 };
27008
27009 extern struct oprofile_stat_struct oprofile_stats;
57199397
MT		 27010diff -urNp linux-2.6.35.4/drivers/parport/procfs.c linux-2.6.35.4/drivers/parport/procfs.c
27011--- linux-2.6.35.4/drivers/parport/procfs.c 2010-08-26 19:47:12.000000000 -0400
27012+++ linux-2.6.35.4/drivers/parport/procfs.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 27013@@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
27014
27015 *ppos += len;
27016
27017- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
27018+ return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
27019 }
27020
27021 #ifdef CONFIG_PARPORT_1284
27022@@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
27023
27024 *ppos += len;
27025
27026- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
27027+ return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
27028 }
27029 #endif /* IEEE1284.3 support. */
27030
57199397
MT		 27031diff -urNp linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c
27032--- linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c 2010-08-26 19:47:12.000000000 -0400
27033+++ linux-2.6.35.4/drivers/pci/hotplug/acpiphp_glue.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27034@@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
ae4e228f
MT		 27035 }
27036
27037
27038-static struct acpi_dock_ops acpiphp_dock_ops = {
27039+static const struct acpi_dock_ops acpiphp_dock_ops = {
27040 .handler = handle_hotplug_event_func,
27041 };
27042
57199397
MT		 27043diff -urNp linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c
27044--- linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c 2010-08-26 19:47:12.000000000 -0400
27045+++ linux-2.6.35.4/drivers/pci/hotplug/cpqphp_nvram.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 27046@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27047
27048 void compaq_nvram_init (void __iomem *rom_start)
27049 {
27050+
27051+#ifndef CONFIG_PAX_KERNEXEC
27052 if (rom_start) {
27053 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27054 }
27055+#endif
27056+
27057 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27058
27059 /* initialize our int15 lock */
57199397
MT		 27060diff -urNp linux-2.6.35.4/drivers/pci/intel-iommu.c linux-2.6.35.4/drivers/pci/intel-iommu.c
27061--- linux-2.6.35.4/drivers/pci/intel-iommu.c 2010-08-26 19:47:12.000000000 -0400
27062+++ linux-2.6.35.4/drivers/pci/intel-iommu.c 2010-09-17 20:12:09.000000000 -0400
27063@@ -2938,7 +2938,7 @@ static int intel_mapping_error(struct de
ae4e228f
MT		 27064 return !dma_addr;
27065 }
27066
27067-struct dma_map_ops intel_dma_ops = {
27068+const struct dma_map_ops intel_dma_ops = {
27069 .alloc_coherent = intel_alloc_coherent,
27070 .free_coherent = intel_free_coherent,
27071 .map_sg = intel_map_sg,
57199397
MT		 27072diff -urNp linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c
27073--- linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c 2010-08-26 19:47:12.000000000 -0400
27074+++ linux-2.6.35.4/drivers/pci/pcie/portdrv_pci.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 27075@@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
58c5fc13
MT		 27076 static const struct pci_device_id port_pci_ids[] = { {
27077 /* handle any PCI-Express port */
27078 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27079- }, { /* end: all zeroes */ }
27080+ }, { 0, 0, 0, 0, 0, 0, 0 }
27081 };
27082 MODULE_DEVICE_TABLE(pci, port_pci_ids);
27083
57199397
MT		 27084diff -urNp linux-2.6.35.4/drivers/pci/probe.c linux-2.6.35.4/drivers/pci/probe.c
27085--- linux-2.6.35.4/drivers/pci/probe.c 2010-08-26 19:47:12.000000000 -0400
27086+++ linux-2.6.35.4/drivers/pci/probe.c 2010-09-17 20:12:09.000000000 -0400
27087@@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
df50ba0c
MT		 27088 return ret;
27089 }
27090
27091-static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27092+static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27093 struct device_attribute *attr,
27094 char *buf)
27095 {
27096 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27097 }
27098
27099-static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27100+static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27101 struct device_attribute *attr,
27102 char *buf)
27103 {
57199397
MT		 27104diff -urNp linux-2.6.35.4/drivers/pci/proc.c linux-2.6.35.4/drivers/pci/proc.c
27105--- linux-2.6.35.4/drivers/pci/proc.c 2010-08-26 19:47:12.000000000 -0400
27106+++ linux-2.6.35.4/drivers/pci/proc.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 27107@@ -481,7 +481,16 @@ static const struct file_operations proc
58c5fc13
MT		 27108 static int __init pci_proc_init(void)
27109 {
27110 struct pci_dev *dev = NULL;
27111+
27112+#ifdef CONFIG_GRKERNSEC_PROC_ADD
27113+#ifdef CONFIG_GRKERNSEC_PROC_USER
27114+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27115+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27116+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27117+#endif
27118+#else
27119 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27120+#endif
27121 proc_create("devices", 0, proc_bus_pci_dir,
27122 &proc_bus_pci_dev_operations);
27123 proc_initialized = 1;
57199397
MT		 27124diff -urNp linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c
27125--- linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c 2010-08-26 19:47:12.000000000 -0400
27126+++ linux-2.6.35.4/drivers/pcmcia/pcmcia_ioctl.c 2010-09-17 20:12:09.000000000 -0400
27127@@ -850,7 +850,7 @@ static int ds_ioctl(struct file *file, u
27128 return -EFAULT;
27129 }
27130 }
27131- buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
27132+ buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
27133 if (!buf)
27134 return -ENOMEM;
27135
27136diff -urNp linux-2.6.35.4/drivers/pcmcia/ti113x.h linux-2.6.35.4/drivers/pcmcia/ti113x.h
27137--- linux-2.6.35.4/drivers/pcmcia/ti113x.h 2010-08-26 19:47:12.000000000 -0400
27138+++ linux-2.6.35.4/drivers/pcmcia/ti113x.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27139@@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
58c5fc13
MT		 27140 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27141 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27142
27143- {}
27144+ { 0, 0, 0, 0, 0, 0, 0 }
27145 };
27146
27147 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
57199397
MT		 27148diff -urNp linux-2.6.35.4/drivers/pcmcia/yenta_socket.c linux-2.6.35.4/drivers/pcmcia/yenta_socket.c
27149--- linux-2.6.35.4/drivers/pcmcia/yenta_socket.c 2010-08-26 19:47:12.000000000 -0400
27150+++ linux-2.6.35.4/drivers/pcmcia/yenta_socket.c 2010-09-17 20:12:09.000000000 -0400
27151@@ -1428,7 +1428,7 @@ static struct pci_device_id yenta_table[
58c5fc13
MT		 27152
27153 /* match any cardbus bridge */
27154 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27155- { /* all zeroes */ }
27156+ { 0, 0, 0, 0, 0, 0, 0 }
27157 };
27158 MODULE_DEVICE_TABLE(pci, yenta_table);
27159
57199397
MT		 27160diff -urNp linux-2.6.35.4/drivers/platform/x86/acer-wmi.c linux-2.6.35.4/drivers/platform/x86/acer-wmi.c
27161--- linux-2.6.35.4/drivers/platform/x86/acer-wmi.c 2010-08-26 19:47:12.000000000 -0400
27162+++ linux-2.6.35.4/drivers/platform/x86/acer-wmi.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27163@@ -916,7 +916,7 @@ static int update_bl_status(struct backl
ae4e228f
MT		 27164 return 0;
27165 }
27166
27167-static struct backlight_ops acer_bl_ops = {
27168+static const struct backlight_ops acer_bl_ops = {
27169 .get_brightness = read_brightness,
27170 .update_status = update_bl_status,
27171 };
57199397
MT		 27172diff -urNp linux-2.6.35.4/drivers/platform/x86/asus_acpi.c linux-2.6.35.4/drivers/platform/x86/asus_acpi.c
27173--- linux-2.6.35.4/drivers/platform/x86/asus_acpi.c 2010-08-26 19:47:12.000000000 -0400
27174+++ linux-2.6.35.4/drivers/platform/x86/asus_acpi.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 27175@@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
27176 return 0;
27177 }
27178
27179-static struct backlight_ops asus_backlight_data = {
27180+static const struct backlight_ops asus_backlight_data = {
27181 .get_brightness = read_brightness,
27182 .update_status = set_brightness_status,
27183 };
57199397
MT		 27184diff -urNp linux-2.6.35.4/drivers/platform/x86/asus-laptop.c linux-2.6.35.4/drivers/platform/x86/asus-laptop.c
27185--- linux-2.6.35.4/drivers/platform/x86/asus-laptop.c 2010-08-26 19:47:12.000000000 -0400
27186+++ linux-2.6.35.4/drivers/platform/x86/asus-laptop.c 2010-09-17 20:12:09.000000000 -0400
27187@@ -224,7 +224,6 @@ struct asus_laptop {
27188 struct asus_led gled;
27189 struct asus_led kled;
27190 struct workqueue_struct *led_workqueue;
27191-
27192 int wireless_status;
27193 bool have_rsts;
27194 int lcd_state;
27195@@ -621,7 +620,7 @@ static int update_bl_status(struct backl
27196 return asus_lcd_set(asus, value);
27197 }
27198
27199-static struct backlight_ops asusbl_ops = {
27200+static const struct backlight_ops asusbl_ops = {
27201 .get_brightness = asus_read_brightness,
27202 .update_status = update_bl_status,
27203 };
27204diff -urNp linux-2.6.35.4/drivers/platform/x86/compal-laptop.c linux-2.6.35.4/drivers/platform/x86/compal-laptop.c
27205--- linux-2.6.35.4/drivers/platform/x86/compal-laptop.c 2010-08-26 19:47:12.000000000 -0400
27206+++ linux-2.6.35.4/drivers/platform/x86/compal-laptop.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27207@@ -168,7 +168,7 @@ static int bl_update_status(struct backl
ae4e228f
MT		 27208 return set_lcd_level(b->props.brightness);
27209 }
27210
27211-static struct backlight_ops compalbl_ops = {
27212+static const struct backlight_ops compalbl_ops = {
27213 .get_brightness = bl_get_brightness,
27214 .update_status = bl_update_status,
27215 };
57199397
MT		 27216diff -urNp linux-2.6.35.4/drivers/platform/x86/dell-laptop.c linux-2.6.35.4/drivers/platform/x86/dell-laptop.c
27217--- linux-2.6.35.4/drivers/platform/x86/dell-laptop.c 2010-08-26 19:47:12.000000000 -0400
27218+++ linux-2.6.35.4/drivers/platform/x86/dell-laptop.c 2010-09-17 20:12:09.000000000 -0400
27219@@ -469,7 +469,7 @@ out:
df50ba0c 27220 return buffer->output[1];
ae4e228f
MT		 27221 }
27222
27223-static struct backlight_ops dell_ops = {
27224+static const struct backlight_ops dell_ops = {
27225 .get_brightness = dell_get_intensity,
27226 .update_status = dell_send_intensity,
27227 };
57199397
MT		 27228diff -urNp linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c
27229--- linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c 2010-08-26 19:47:12.000000000 -0400
27230+++ linux-2.6.35.4/drivers/platform/x86/eeepc-laptop.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27231@@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
ae4e228f
MT		 27232 return set_brightness(bd, bd->props.brightness);
27233 }
27234
27235-static struct backlight_ops eeepcbl_ops = {
27236+static const struct backlight_ops eeepcbl_ops = {
27237 .get_brightness = read_brightness,
27238 .update_status = update_bl_status,
27239 };
57199397
MT		 27240diff -urNp linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c
27241--- linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c 2010-08-26 19:47:12.000000000 -0400
27242+++ linux-2.6.35.4/drivers/platform/x86/fujitsu-laptop.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27243@@ -437,7 +437,7 @@ static int bl_update_status(struct backl
ae4e228f
MT		 27244 return ret;
27245 }
27246
27247-static struct backlight_ops fujitsubl_ops = {
27248+static const struct backlight_ops fujitsubl_ops = {
27249 .get_brightness = bl_get_brightness,
27250 .update_status = bl_update_status,
27251 };
57199397
MT		 27252diff -urNp linux-2.6.35.4/drivers/platform/x86/sony-laptop.c linux-2.6.35.4/drivers/platform/x86/sony-laptop.c
27253--- linux-2.6.35.4/drivers/platform/x86/sony-laptop.c 2010-08-26 19:47:12.000000000 -0400
27254+++ linux-2.6.35.4/drivers/platform/x86/sony-laptop.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27255@@ -857,7 +857,7 @@ static int sony_backlight_get_brightness
ae4e228f
MT		 27256 }
27257
27258 static struct backlight_device *sony_backlight_device;
27259-static struct backlight_ops sony_backlight_ops = {
27260+static const struct backlight_ops sony_backlight_ops = {
27261 .update_status = sony_backlight_update_status,
27262 .get_brightness = sony_backlight_get_brightness,
27263 };
57199397
MT		 27264diff -urNp linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c
27265--- linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c 2010-08-26 19:47:12.000000000 -0400
27266+++ linux-2.6.35.4/drivers/platform/x86/thinkpad_acpi.c 2010-09-17 20:12:09.000000000 -0400
27267@@ -6142,7 +6142,7 @@ static void tpacpi_brightness_notify_cha
ae4e228f
MT		 27268 BACKLIGHT_UPDATE_HOTKEY);
27269 }
27270
27271-static struct backlight_ops ibm_backlight_data = {
27272+static const struct backlight_ops ibm_backlight_data = {
27273 .get_brightness = brightness_get,
27274 .update_status = brightness_update_status,
27275 };
57199397
MT		 27276diff -urNp linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c
27277--- linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c 2010-08-26 19:47:12.000000000 -0400
27278+++ linux-2.6.35.4/drivers/platform/x86/toshiba_acpi.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27279@@ -741,7 +741,7 @@ static acpi_status remove_device(void)
ae4e228f
MT		 27280 return AE_OK;
27281 }
27282
27283-static struct backlight_ops toshiba_backlight_data = {
27284+static const struct backlight_ops toshiba_backlight_data = {
27285 .get_brightness = get_lcd,
27286 .update_status = set_lcd_status,
27287 };
57199397
MT		 27288diff -urNp linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c
27289--- linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c 2010-08-26 19:47:12.000000000 -0400
27290+++ linux-2.6.35.4/drivers/pnp/pnpbios/bioscalls.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27291@@ -59,7 +59,7 @@ do { \
ae4e228f 27292 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
58c5fc13
MT		 27293 } while(0)
27294
ae4e228f
MT		 27295-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27296+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27297 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
58c5fc13
MT		 27298
27299 /*
df50ba0c 27300@@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
58c5fc13
MT		 27301
27302 cpu = get_cpu();
27303 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27304+
ae4e228f 27305+ pax_open_kernel();
58c5fc13 27306 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
ae4e228f 27307+ pax_close_kernel();
58c5fc13 27308
58c5fc13
MT		 27309 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27310 spin_lock_irqsave(&pnp_bios_lock, flags);
df50ba0c 27311@@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
58c5fc13
MT		 27312 :"memory");
27313 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27314
ae4e228f 27315+ pax_open_kernel();
58c5fc13 27316 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
ae4e228f 27317+ pax_close_kernel();
58c5fc13
MT		 27318+
27319 put_cpu();
27320
27321 /* If we get here and this is set then the PnP BIOS faulted on us. */
df50ba0c 27322@@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
58c5fc13
MT		 27323 return status;
27324 }
27325
27326-void pnpbios_calls_init(union pnp_bios_install_struct *header)
27327+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27328 {
27329 int i;
27330
df50ba0c 27331@@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
58c5fc13
MT		 27332 pnp_bios_callpoint.offset = header->fields.pm16offset;
27333 pnp_bios_callpoint.segment = PNP_CS16;
27334
ae4e228f 27335+ pax_open_kernel();
58c5fc13 27336+
ae4e228f
MT		 27337 for_each_possible_cpu(i) {
27338 struct desc_struct *gdt = get_cpu_gdt_table(i);
27339 if (!gdt)
df50ba0c 27340@@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
ae4e228f
MT		 27341 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27342 (unsigned long)__va(header->fields.pm16dseg));
58c5fc13
MT		 27343 }
27344+
ae4e228f 27345+ pax_close_kernel();
58c5fc13 27346 }
57199397
MT		 27347diff -urNp linux-2.6.35.4/drivers/pnp/quirks.c linux-2.6.35.4/drivers/pnp/quirks.c
27348--- linux-2.6.35.4/drivers/pnp/quirks.c 2010-08-26 19:47:12.000000000 -0400
27349+++ linux-2.6.35.4/drivers/pnp/quirks.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 27350@@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
58c5fc13
MT		 27351 /* PnP resources that might overlap PCI BARs */
27352 {"PNP0c01", quirk_system_pci_resources},
27353 {"PNP0c02", quirk_system_pci_resources},
27354- {""}
27355+ {"", NULL}
27356 };
27357
27358 void pnp_fixup_device(struct pnp_dev *dev)
57199397
MT		 27359diff -urNp linux-2.6.35.4/drivers/pnp/resource.c linux-2.6.35.4/drivers/pnp/resource.c
27360--- linux-2.6.35.4/drivers/pnp/resource.c 2010-08-26 19:47:12.000000000 -0400
27361+++ linux-2.6.35.4/drivers/pnp/resource.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27362@@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
58c5fc13
MT		 27363 return 1;
27364
27365 /* check if the resource is valid */
27366- if (*irq < 0 || *irq > 15)
27367+ if (*irq > 15)
27368 return 0;
27369
27370 /* check if the resource is reserved */
df50ba0c 27371@@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
58c5fc13
MT		 27372 return 1;
27373
27374 /* check if the resource is valid */
27375- if (*dma < 0 || *dma == 4 || *dma > 7)
27376+ if (*dma == 4 || *dma > 7)
27377 return 0;
27378
27379 /* check if the resource is reserved */
57199397
MT		 27380diff -urNp linux-2.6.35.4/drivers/s390/cio/qdio_debug.c linux-2.6.35.4/drivers/s390/cio/qdio_debug.c
27381--- linux-2.6.35.4/drivers/s390/cio/qdio_debug.c 2010-08-26 19:47:12.000000000 -0400
27382+++ linux-2.6.35.4/drivers/s390/cio/qdio_debug.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27383@@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
ae4e228f 27384 filp->f_path.dentry->d_inode->i_private);
58c5fc13
MT		 27385 }
27386
ae4e228f
MT		 27387-static struct file_operations debugfs_perf_fops = {
27388+static const struct file_operations debugfs_perf_fops = {
58c5fc13 27389 .owner = THIS_MODULE,
ae4e228f 27390 .open = qperf_seq_open,
58c5fc13 27391 .read = seq_read,
57199397
MT		 27392diff -urNp linux-2.6.35.4/drivers/scsi/ipr.c linux-2.6.35.4/drivers/scsi/ipr.c
27393--- linux-2.6.35.4/drivers/scsi/ipr.c 2010-08-26 19:47:12.000000000 -0400
27394+++ linux-2.6.35.4/drivers/scsi/ipr.c 2010-09-17 20:12:09.000000000 -0400
27395@@ -6091,7 +6091,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
ae4e228f 27396 return true;
58c5fc13
MT		 27397 }
27398
ae4e228f
MT		 27399-static struct ata_port_operations ipr_sata_ops = {
27400+static const struct ata_port_operations ipr_sata_ops = {
27401 .phy_reset = ipr_ata_phy_reset,
27402 .hardreset = ipr_sata_reset,
27403 .post_internal_cmd = ipr_ata_post_internal,
57199397
MT		 27404diff -urNp linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c
27405--- linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c 2010-08-26 19:47:12.000000000 -0400
27406+++ linux-2.6.35.4/drivers/scsi/libfc/fc_exch.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 27407@@ -100,12 +100,12 @@ struct fc_exch_mgr {
58c5fc13
MT		 27408 * all together if not used XXX
27409 */
27410 struct {
27411- atomic_t no_free_exch;
27412- atomic_t no_free_exch_xid;
27413- atomic_t xid_not_found;
27414- atomic_t xid_busy;
27415- atomic_t seq_not_found;
27416- atomic_t non_bls_resp;
27417+ atomic_unchecked_t no_free_exch;
27418+ atomic_unchecked_t no_free_exch_xid;
27419+ atomic_unchecked_t xid_not_found;
27420+ atomic_unchecked_t xid_busy;
27421+ atomic_unchecked_t seq_not_found;
27422+ atomic_unchecked_t non_bls_resp;
27423 } stats;
58c5fc13 27424 };
ae4e228f
MT		 27425 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
27426@@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
58c5fc13
MT		 27427 /* allocate memory for exchange */
27428 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27429 if (!ep) {
27430- atomic_inc(&mp->stats.no_free_exch);
27431+ atomic_inc_unchecked(&mp->stats.no_free_exch);
27432 goto out;
27433 }
27434 memset(ep, 0, sizeof(*ep));
57199397 27435@@ -719,7 +719,7 @@ out:
58c5fc13
MT		 27436 return ep;
27437 err:
ae4e228f 27438 spin_unlock_bh(&pool->lock);
58c5fc13
MT		 27439- atomic_inc(&mp->stats.no_free_exch_xid);
27440+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27441 mempool_free(ep, mp->ep_pool);
27442 return NULL;
27443 }
57199397 27444@@ -864,7 +864,7 @@ static enum fc_pf_rjt_reason fc_seq_look
58c5fc13
MT		 27445 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27446 ep = fc_exch_find(mp, xid);
27447 if (!ep) {
27448- atomic_inc(&mp->stats.xid_not_found);
27449+ atomic_inc_unchecked(&mp->stats.xid_not_found);
27450 reject = FC_RJT_OX_ID;
27451 goto out;
27452 }
57199397 27453@@ -894,7 +894,7 @@ static enum fc_pf_rjt_reason fc_seq_look
58c5fc13
MT		 27454 ep = fc_exch_find(mp, xid);
27455 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27456 if (ep) {
27457- atomic_inc(&mp->stats.xid_busy);
27458+ atomic_inc_unchecked(&mp->stats.xid_busy);
27459 reject = FC_RJT_RX_ID;
27460 goto rel;
27461 }
57199397 27462@@ -905,7 +905,7 @@ static enum fc_pf_rjt_reason fc_seq_look
58c5fc13
MT		 27463 }
27464 xid = ep->xid; /* get our XID */
27465 } else if (!ep) {
27466- atomic_inc(&mp->stats.xid_not_found);
27467+ atomic_inc_unchecked(&mp->stats.xid_not_found);
27468 reject = FC_RJT_RX_ID; /* XID not found */
27469 goto out;
27470 }
57199397 27471@@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
58c5fc13
MT		 27472 } else {
27473 sp = &ep->seq;
27474 if (sp->id != fh->fh_seq_id) {
27475- atomic_inc(&mp->stats.seq_not_found);
27476+ atomic_inc_unchecked(&mp->stats.seq_not_found);
27477 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27478 goto rel;
27479 }
57199397 27480@@ -1303,22 +1303,22 @@ static void fc_exch_recv_seq_resp(struct
58c5fc13
MT		 27481
27482 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27483 if (!ep) {
27484- atomic_inc(&mp->stats.xid_not_found);
27485+ atomic_inc_unchecked(&mp->stats.xid_not_found);
27486 goto out;
27487 }
27488 if (ep->esb_stat & ESB_ST_COMPLETE) {
27489- atomic_inc(&mp->stats.xid_not_found);
27490+ atomic_inc_unchecked(&mp->stats.xid_not_found);
27491 goto out;
27492 }
27493 if (ep->rxid == FC_XID_UNKNOWN)
27494 ep->rxid = ntohs(fh->fh_rx_id);
27495 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27496- atomic_inc(&mp->stats.xid_not_found);
27497+ atomic_inc_unchecked(&mp->stats.xid_not_found);
27498 goto rel;
27499 }
27500 if (ep->did != ntoh24(fh->fh_s_id) &&
27501 ep->did != FC_FID_FLOGI) {
27502- atomic_inc(&mp->stats.xid_not_found);
27503+ atomic_inc_unchecked(&mp->stats.xid_not_found);
27504 goto rel;
27505 }
27506 sof = fr_sof(fp);
57199397
MT		 27507@@ -1327,7 +1327,7 @@ static void fc_exch_recv_seq_resp(struct
27508 sp->ssb_stat |= SSB_ST_RESP;
27509 sp->id = fh->fh_seq_id;
27510 } else if (sp->id != fh->fh_seq_id) {
27511- atomic_inc(&mp->stats.seq_not_found);
27512+ atomic_inc_unchecked(&mp->stats.seq_not_found);
27513 goto rel;
58c5fc13 27514 }
57199397
MT		 27515
27516@@ -1390,9 +1390,9 @@ static void fc_exch_recv_resp(struct fc_
58c5fc13 27517 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
ae4e228f
MT		 27518
27519 if (!sp)
58c5fc13
MT		 27520- atomic_inc(&mp->stats.xid_not_found);
27521+ atomic_inc_unchecked(&mp->stats.xid_not_found);
ae4e228f 27522 else
58c5fc13
MT		 27523- atomic_inc(&mp->stats.non_bls_resp);
27524+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
ae4e228f 27525
58c5fc13 27526 fc_frame_free(fp);
ae4e228f 27527 }
57199397
MT		 27528diff -urNp linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c
27529--- linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c 2010-08-26 19:47:12.000000000 -0400
27530+++ linux-2.6.35.4/drivers/scsi/libsas/sas_ata.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27531@@ -344,7 +344,7 @@ static int sas_ata_scr_read(struct ata_l
ae4e228f
MT		 27532 }
27533 }
27534
27535-static struct ata_port_operations sas_sata_ops = {
27536+static const struct ata_port_operations sas_sata_ops = {
27537 .phy_reset = sas_ata_phy_reset,
27538 .post_internal_cmd = sas_ata_post_internal,
27539 .qc_prep = ata_noop_qc_prep,
57199397
MT		 27540diff -urNp linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h
27541--- linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-08-26 19:47:12.000000000 -0400
27542+++ linux-2.6.35.4/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 27543@@ -79,7 +79,7 @@
27544 CMD; \
27545 }
27546 #else
27547-#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27548+#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27549 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27550
27551
57199397
MT		 27552diff -urNp linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c
27553--- linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c 2010-08-26 19:47:12.000000000 -0400
27554+++ linux-2.6.35.4/drivers/scsi/qla2xxx/qla_os.c 2010-09-17 20:12:09.000000000 -0400
27555@@ -3899,7 +3899,7 @@ static struct pci_driver qla2xxx_pci_dri
27556 .err_handler = &qla2xxx_err_handler,
27557 };
27558
27559-static struct file_operations apidev_fops = {
27560+static const struct file_operations apidev_fops = {
27561 .owner = THIS_MODULE,
27562 };
27563
27564diff -urNp linux-2.6.35.4/drivers/scsi/scsi_logging.h linux-2.6.35.4/drivers/scsi/scsi_logging.h
27565--- linux-2.6.35.4/drivers/scsi/scsi_logging.h 2010-08-26 19:47:12.000000000 -0400
27566+++ linux-2.6.35.4/drivers/scsi/scsi_logging.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 27567@@ -51,7 +51,7 @@ do { \
27568 } while (0); \
27569 } while (0)
27570 #else
27571-#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27572+#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27573 #endif /* CONFIG_SCSI_LOGGING */
27574
27575 /*
57199397
MT		 27576diff -urNp linux-2.6.35.4/drivers/scsi/sg.c linux-2.6.35.4/drivers/scsi/sg.c
27577--- linux-2.6.35.4/drivers/scsi/sg.c 2010-08-26 19:47:12.000000000 -0400
27578+++ linux-2.6.35.4/drivers/scsi/sg.c 2010-09-17 20:12:09.000000000 -0400
27579@@ -2302,7 +2302,7 @@ struct sg_proc_leaf {
ae4e228f 27580 const struct file_operations * fops;
58c5fc13
MT		 27581 };
27582
ae4e228f
MT		 27583-static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27584+static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27585 {"allow_dio", &adio_fops},
27586 {"debug", &debug_fops},
27587 {"def_reserved_size", &dressz_fops},
57199397 27588@@ -2317,7 +2317,7 @@ sg_proc_init(void)
ae4e228f
MT		 27589 {
27590 int k, mask;
27591 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27592- struct sg_proc_leaf * leaf;
27593+ const struct sg_proc_leaf * leaf;
27594
27595 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27596 if (!sg_proc_sgp)
57199397
MT		 27597diff -urNp linux-2.6.35.4/drivers/serial/8250_pci.c linux-2.6.35.4/drivers/serial/8250_pci.c
27598--- linux-2.6.35.4/drivers/serial/8250_pci.c 2010-08-26 19:47:12.000000000 -0400
27599+++ linux-2.6.35.4/drivers/serial/8250_pci.c 2010-09-17 20:12:09.000000000 -0400
27600@@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
58c5fc13
MT		 27601 PCI_ANY_ID, PCI_ANY_ID,
27602 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27603 0xffff00, pbn_default },
27604- { 0, }
27605+ { 0, 0, 0, 0, 0, 0, 0 }
27606 };
27607
27608 static struct pci_driver serial_pci_driver = {
57199397
MT		 27609diff -urNp linux-2.6.35.4/drivers/serial/kgdboc.c linux-2.6.35.4/drivers/serial/kgdboc.c
27610--- linux-2.6.35.4/drivers/serial/kgdboc.c 2010-08-26 19:47:12.000000000 -0400
27611+++ linux-2.6.35.4/drivers/serial/kgdboc.c 2010-09-17 20:12:09.000000000 -0400
27612@@ -20,7 +20,7 @@
ae4e228f
MT		 27613
27614 #define MAX_CONFIG_LEN 40
27615
27616-static struct kgdb_io kgdboc_io_ops;
57199397 27617+static struct kgdb_io kgdboc_io_ops;
ae4e228f
MT		 27618
27619 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27620 static int configured = -1;
57199397
MT		 27621diff -urNp linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c
27622--- linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c 2010-08-26 19:47:12.000000000 -0400
27623+++ linux-2.6.35.4/drivers/staging/comedi/comedi_fops.c 2010-09-17 20:12:09.000000000 -0400
27624@@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
58c5fc13
MT		 27625 mutex_unlock(&dev->mutex);
27626 }
27627
27628-static struct vm_operations_struct comedi_vm_ops = {
27629+static const struct vm_operations_struct comedi_vm_ops = {
ae4e228f 27630 .close = comedi_unmap,
58c5fc13
MT		 27631 };
27632
57199397
MT		 27633diff -urNp linux-2.6.35.4/drivers/staging/dream/pmem.c linux-2.6.35.4/drivers/staging/dream/pmem.c
27634--- linux-2.6.35.4/drivers/staging/dream/pmem.c 2010-08-26 19:47:12.000000000 -0400
27635+++ linux-2.6.35.4/drivers/staging/dream/pmem.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27636@@ -175,7 +175,7 @@ static int pmem_mmap(struct file *, stru
ae4e228f
MT		 27637 static int pmem_open(struct inode *, struct file *);
27638 static long pmem_ioctl(struct file *, unsigned int, unsigned long);
27639
27640-struct file_operations pmem_fops = {
27641+const struct file_operations pmem_fops = {
27642 .release = pmem_release,
27643 .mmap = pmem_mmap,
27644 .open = pmem_open,
df50ba0c 27645@@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
ae4e228f
MT		 27646 return simple_read_from_buffer(buf, count, ppos, buffer, n);
27647 }
58c5fc13 27648
ae4e228f
MT		 27649-static struct file_operations debug_fops = {
27650+static const struct file_operations debug_fops = {
27651 .read = debug_read,
27652 .open = debug_open,
27653 };
57199397
MT		 27654diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c
27655--- linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c 2010-08-26 19:47:12.000000000 -0400
27656+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/adsp_driver.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27657@@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
ae4e228f
MT		 27658 static dev_t adsp_devno;
27659 static struct class *adsp_class;
27660
27661-static struct file_operations adsp_fops = {
27662+static const struct file_operations adsp_fops = {
27663 .owner = THIS_MODULE,
27664 .open = adsp_open,
27665 .unlocked_ioctl = adsp_ioctl,
57199397
MT		 27666diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c
27667--- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c 2010-08-26 19:47:12.000000000 -0400
27668+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_aac.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27669@@ -1023,7 +1023,7 @@ done:
ae4e228f
MT		 27670 return rc;
27671 }
58c5fc13 27672
ae4e228f
MT		 27673-static struct file_operations audio_aac_fops = {
27674+static const struct file_operations audio_aac_fops = {
27675 .owner = THIS_MODULE,
27676 .open = audio_open,
27677 .release = audio_release,
57199397
MT		 27678diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c
27679--- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-08-26 19:47:12.000000000 -0400
27680+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27681@@ -834,7 +834,7 @@ done:
ae4e228f
MT		 27682 return rc;
27683 }
27684
27685-static struct file_operations audio_amrnb_fops = {
27686+static const struct file_operations audio_amrnb_fops = {
27687 .owner = THIS_MODULE,
27688 .open = audamrnb_open,
27689 .release = audamrnb_release,
57199397
MT		 27690diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c
27691--- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c 2010-08-26 19:47:12.000000000 -0400
27692+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_evrc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27693@@ -806,7 +806,7 @@ dma_fail:
ae4e228f
MT		 27694 return rc;
27695 }
27696
27697-static struct file_operations audio_evrc_fops = {
27698+static const struct file_operations audio_evrc_fops = {
27699 .owner = THIS_MODULE,
27700 .open = audevrc_open,
27701 .release = audevrc_release,
57199397
MT		 27702diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c
27703--- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c 2010-08-26 19:47:12.000000000 -0400
27704+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_in.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27705@@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
ae4e228f
MT		 27706 return 0;
27707 }
27708
27709-static struct file_operations audio_fops = {
27710+static const struct file_operations audio_fops = {
27711 .owner = THIS_MODULE,
27712 .open = audio_in_open,
27713 .release = audio_in_release,
df50ba0c 27714@@ -923,7 +923,7 @@ static struct file_operations audio_fops
ae4e228f
MT		 27715 .unlocked_ioctl = audio_in_ioctl,
27716 };
27717
27718-static struct file_operations audpre_fops = {
27719+static const struct file_operations audpre_fops = {
27720 .owner = THIS_MODULE,
27721 .open = audpre_open,
27722 .unlocked_ioctl = audpre_ioctl,
57199397
MT		 27723diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c
27724--- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c 2010-08-26 19:47:12.000000000 -0400
27725+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_mp3.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 27726@@ -941,7 +941,7 @@ done:
27727 return rc;
27728 }
27729
27730-static struct file_operations audio_mp3_fops = {
27731+static const struct file_operations audio_mp3_fops = {
27732 .owner = THIS_MODULE,
27733 .open = audio_open,
27734 .release = audio_release,
57199397
MT		 27735diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c
27736--- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c 2010-08-26 19:47:12.000000000 -0400
27737+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_out.c 2010-09-17 20:12:09.000000000 -0400
27738@@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
ae4e228f
MT		 27739 return 0;
27740 }
27741
27742-static struct file_operations audio_fops = {
27743+static const struct file_operations audio_fops = {
27744 .owner = THIS_MODULE,
27745 .open = audio_open,
27746 .release = audio_release,
57199397 27747@@ -809,7 +809,7 @@ static struct file_operations audio_fops
ae4e228f
MT		 27748 .unlocked_ioctl = audio_ioctl,
27749 };
27750
27751-static struct file_operations audpp_fops = {
27752+static const struct file_operations audpp_fops = {
27753 .owner = THIS_MODULE,
27754 .open = audpp_open,
27755 .unlocked_ioctl = audpp_ioctl,
57199397
MT		 27756diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c
27757--- linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-08-26 19:47:12.000000000 -0400
27758+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27759@@ -817,7 +817,7 @@ err:
ae4e228f
MT		 27760 return rc;
27761 }
27762
27763-static struct file_operations audio_qcelp_fops = {
27764+static const struct file_operations audio_qcelp_fops = {
58c5fc13 27765 .owner = THIS_MODULE,
ae4e228f
MT		 27766 .open = audqcelp_open,
27767 .release = audqcelp_release,
57199397
MT		 27768diff -urNp linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c
27769--- linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c 2010-08-26 19:47:12.000000000 -0400
27770+++ linux-2.6.35.4/drivers/staging/dream/qdsp5/snd.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 27771@@ -242,7 +242,7 @@ err:
27772 return rc;
27773 }
27774
27775-static struct file_operations snd_fops = {
27776+static const struct file_operations snd_fops = {
27777 .owner = THIS_MODULE,
27778 .open = snd_open,
27779 .release = snd_release,
57199397
MT		 27780diff -urNp linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c
27781--- linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c 2010-08-26 19:47:12.000000000 -0400
27782+++ linux-2.6.35.4/drivers/staging/dt3155/dt3155_drv.c 2010-09-17 20:12:09.000000000 -0400
27783@@ -853,7 +853,7 @@ dt3155_unlocked_ioctl(struct file *file,
df50ba0c
MT		 27784 * needed by init_module
27785 * register_chrdev
27786 *****************************************************/
27787-static struct file_operations dt3155_fops = {
27788+static const struct file_operations dt3155_fops = {
57199397
MT		 27789 .read = dt3155_read,
27790 .unlocked_ioctl = dt3155_unlocked_ioctl,
27791 .mmap = dt3155_mmap,
27792diff -urNp linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c
27793--- linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c 2010-08-26 19:47:12.000000000 -0400
27794+++ linux-2.6.35.4/drivers/staging/go7007/go7007-v4l2.c 2010-09-17 20:12:09.000000000 -0400
27795@@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
58c5fc13
MT		 27796 return 0;
27797 }
27798
27799-static struct vm_operations_struct go7007_vm_ops = {
27800+static const struct vm_operations_struct go7007_vm_ops = {
27801 .open = go7007_vm_open,
27802 .close = go7007_vm_close,
27803 .fault = go7007_vm_fault,
57199397
MT		 27804diff -urNp linux-2.6.35.4/drivers/staging/hv/hv.c linux-2.6.35.4/drivers/staging/hv/hv.c
27805--- linux-2.6.35.4/drivers/staging/hv/hv.c 2010-08-26 19:47:12.000000000 -0400
27806+++ linux-2.6.35.4/drivers/staging/hv/hv.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 27807@@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
27808 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
27809 u32 outputAddressHi = outputAddress >> 32;
27810 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
27811- volatile void *hypercallPage = gHvContext.HypercallPage;
27812+ volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
27813
27814 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27815 Control, Input, Output);
57199397
MT		 27816diff -urNp linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c
27817--- linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c 2010-08-26 19:47:12.000000000 -0400
27818+++ linux-2.6.35.4/drivers/staging/msm/msm_fb_bl.c 2010-09-17 20:12:09.000000000 -0400
27819@@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
27820 return 0;
27821 }
27822
27823-static struct backlight_ops msm_fb_bl_ops = {
27824+static const struct backlight_ops msm_fb_bl_ops = {
27825 .get_brightness = msm_fb_bl_get_brightness,
27826 .update_status = msm_fb_bl_update_status,
27827 };
27828diff -urNp linux-2.6.35.4/drivers/staging/panel/panel.c linux-2.6.35.4/drivers/staging/panel/panel.c
27829--- linux-2.6.35.4/drivers/staging/panel/panel.c 2010-08-26 19:47:12.000000000 -0400
27830+++ linux-2.6.35.4/drivers/staging/panel/panel.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27831@@ -1304,7 +1304,7 @@ static int lcd_release(struct inode *ino
58c5fc13
MT		 27832 return 0;
27833 }
27834
27835-static struct file_operations lcd_fops = {
27836+static const struct file_operations lcd_fops = {
27837 .write = lcd_write,
27838 .open = lcd_open,
27839 .release = lcd_release,
df50ba0c 27840@@ -1564,7 +1564,7 @@ static int keypad_release(struct inode *
58c5fc13
MT		 27841 return 0;
27842 }
27843
27844-static struct file_operations keypad_fops = {
27845+static const struct file_operations keypad_fops = {
27846 .read = keypad_read, /* read */
27847 .open = keypad_open, /* open */
27848 .release = keypad_release, /* close */
57199397
MT		 27849diff -urNp linux-2.6.35.4/drivers/staging/phison/phison.c linux-2.6.35.4/drivers/staging/phison/phison.c
27850--- linux-2.6.35.4/drivers/staging/phison/phison.c 2010-08-26 19:47:12.000000000 -0400
27851+++ linux-2.6.35.4/drivers/staging/phison/phison.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 27852@@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27853 ATA_BMDMA_SHT(DRV_NAME),
27854 };
27855
27856-static struct ata_port_operations phison_ops = {
27857+static const struct ata_port_operations phison_ops = {
27858 .inherits = &ata_bmdma_port_ops,
27859 .prereset = phison_pre_reset,
27860 };
57199397
MT		 27861diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/inode.c linux-2.6.35.4/drivers/staging/pohmelfs/inode.c
27862--- linux-2.6.35.4/drivers/staging/pohmelfs/inode.c 2010-08-26 19:47:12.000000000 -0400
27863+++ linux-2.6.35.4/drivers/staging/pohmelfs/inode.c 2010-09-17 20:12:09.000000000 -0400
27864@@ -1846,7 +1846,7 @@ static int pohmelfs_fill_super(struct su
ae4e228f
MT		 27865 mutex_init(&psb->mcache_lock);
27866 psb->mcache_root = RB_ROOT;
27867 psb->mcache_timeout = msecs_to_jiffies(5000);
27868- atomic_long_set(&psb->mcache_gen, 0);
27869+ atomic_long_set_unchecked(&psb->mcache_gen, 0);
27870
27871 psb->trans_max_pages = 100;
27872
57199397
MT		 27873diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c
27874--- linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c 2010-08-26 19:47:12.000000000 -0400
27875+++ linux-2.6.35.4/drivers/staging/pohmelfs/mcache.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 27876@@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27877 m->data = data;
27878 m->start = start;
27879 m->size = size;
27880- m->gen = atomic_long_inc_return(&psb->mcache_gen);
27881+ m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27882
27883 mutex_lock(&psb->mcache_lock);
27884 err = pohmelfs_mcache_insert(psb, m);
57199397
MT		 27885diff -urNp linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h
27886--- linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h 2010-08-26 19:47:12.000000000 -0400
27887+++ linux-2.6.35.4/drivers/staging/pohmelfs/netfs.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 27888@@ -571,7 +571,7 @@ struct pohmelfs_config;
27889 struct pohmelfs_sb {
27890 struct rb_root mcache_root;
27891 struct mutex mcache_lock;
27892- atomic_long_t mcache_gen;
27893+ atomic_long_unchecked_t mcache_gen;
27894 unsigned long mcache_timeout;
27895
27896 unsigned int idx;
57199397
MT		 27897diff -urNp linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c
27898--- linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c 2010-08-26 19:47:12.000000000 -0400
27899+++ linux-2.6.35.4/drivers/staging/ramzswap/ramzswap_drv.c 2010-09-17 20:12:09.000000000 -0400
27900@@ -693,7 +693,7 @@ void ramzswap_slot_free_notify(struct bl
27901 return;
58c5fc13
MT		 27902 }
27903
ae4e228f
MT		 27904-static struct block_device_operations ramzswap_devops = {
27905+static const struct block_device_operations ramzswap_devops = {
27906 .ioctl = ramzswap_ioctl,
57199397
MT		 27907 .swap_slot_free_notify = ramzswap_slot_free_notify,
27908 .owner = THIS_MODULE
27909diff -urNp linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c
27910--- linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c 2010-08-26 19:47:12.000000000 -0400
27911+++ linux-2.6.35.4/drivers/staging/rtl8192u/ieee80211/proc.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 27912@@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27913 return seq_open(file, &crypto_seq_ops);
27914 }
27915
27916-static struct file_operations proc_crypto_ops = {
27917+static const struct file_operations proc_crypto_ops = {
27918 .open = crypto_info_open,
27919 .read = seq_read,
27920 .llseek = seq_lseek,
57199397
MT		 27921diff -urNp linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c
27922--- linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c 2010-08-26 19:47:12.000000000 -0400
27923+++ linux-2.6.35.4/drivers/staging/samsung-laptop/samsung-laptop.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 27924@@ -269,7 +269,7 @@ static int update_status(struct backligh
58c5fc13
MT		 27925 return 0;
27926 }
27927
ae4e228f
MT		 27928-static struct backlight_ops backlight_ops = {
27929+static const struct backlight_ops backlight_ops = {
27930 .get_brightness = get_brightness,
27931 .update_status = update_status,
27932 };
57199397
MT		 27933diff -urNp linux-2.6.35.4/drivers/staging/sep/sep_driver.c linux-2.6.35.4/drivers/staging/sep/sep_driver.c
27934--- linux-2.6.35.4/drivers/staging/sep/sep_driver.c 2010-08-26 19:47:12.000000000 -0400
27935+++ linux-2.6.35.4/drivers/staging/sep/sep_driver.c 2010-09-17 20:12:09.000000000 -0400
27936@@ -2637,7 +2637,7 @@ static struct pci_driver sep_pci_driver
ae4e228f
MT		 27937 static dev_t sep_devno;
27938
27939 /* the files operations structure of the driver */
27940-static struct file_operations sep_file_operations = {
27941+static const struct file_operations sep_file_operations = {
27942 .owner = THIS_MODULE,
df50ba0c 27943 .unlocked_ioctl = sep_ioctl,
ae4e228f 27944 .poll = sep_poll,
57199397
MT		 27945diff -urNp linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c
27946--- linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c 2010-08-26 19:47:12.000000000 -0400
27947+++ linux-2.6.35.4/drivers/staging/vme/devices/vme_user.c 2010-09-17 20:12:09.000000000 -0400
27948@@ -136,7 +136,7 @@ static long vme_user_unlocked_ioctl(stru
ae4e228f
MT		 27949 static int __init vme_user_probe(struct device *, int, int);
27950 static int __exit vme_user_remove(struct device *, int, int);
27951
27952-static struct file_operations vme_user_fops = {
27953+static const struct file_operations vme_user_fops = {
27954 .open = vme_user_open,
27955 .release = vme_user_release,
27956 .read = vme_user_read,
57199397
MT		 27957diff -urNp linux-2.6.35.4/drivers/usb/atm/usbatm.c linux-2.6.35.4/drivers/usb/atm/usbatm.c
27958--- linux-2.6.35.4/drivers/usb/atm/usbatm.c 2010-08-26 19:47:12.000000000 -0400
27959+++ linux-2.6.35.4/drivers/usb/atm/usbatm.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 27960@@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
27961 if (printk_ratelimit())
27962 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
27963 __func__, vpi, vci);
27964- atomic_inc(&vcc->stats->rx_err);
27965+ atomic_inc_unchecked(&vcc->stats->rx_err);
27966 return;
27967 }
27968
27969@@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
27970 if (length > ATM_MAX_AAL5_PDU) {
27971 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
27972 __func__, length, vcc);
27973- atomic_inc(&vcc->stats->rx_err);
27974+ atomic_inc_unchecked(&vcc->stats->rx_err);
27975 goto out;
27976 }
27977
27978@@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
27979 if (sarb->len < pdu_length) {
27980 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
27981 __func__, pdu_length, sarb->len, vcc);
27982- atomic_inc(&vcc->stats->rx_err);
27983+ atomic_inc_unchecked(&vcc->stats->rx_err);
27984 goto out;
27985 }
27986
27987 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
27988 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
27989 __func__, vcc);
27990- atomic_inc(&vcc->stats->rx_err);
27991+ atomic_inc_unchecked(&vcc->stats->rx_err);
27992 goto out;
27993 }
27994
27995@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
27996 if (printk_ratelimit())
27997 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
27998 __func__, length);
27999- atomic_inc(&vcc->stats->rx_drop);
28000+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28001 goto out;
28002 }
28003
28004@@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
28005
28006 vcc->push(vcc, skb);
28007
28008- atomic_inc(&vcc->stats->rx);
28009+ atomic_inc_unchecked(&vcc->stats->rx);
28010 out:
28011 skb_trim(sarb, 0);
28012 }
28013@@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
28014 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28015
28016 usbatm_pop(vcc, skb);
28017- atomic_inc(&vcc->stats->tx);
28018+ atomic_inc_unchecked(&vcc->stats->tx);
28019
28020 skb = skb_dequeue(&instance->sndqueue);
28021 }
28022@@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
28023 if (!left--)
28024 return sprintf(page,
28025 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28026- atomic_read(&atm_dev->stats.aal5.tx),
28027- atomic_read(&atm_dev->stats.aal5.tx_err),
28028- atomic_read(&atm_dev->stats.aal5.rx),
28029- atomic_read(&atm_dev->stats.aal5.rx_err),
28030- atomic_read(&atm_dev->stats.aal5.rx_drop));
28031+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28032+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28033+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28034+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28035+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28036
28037 if (!left--) {
28038 if (instance->disconnected)
57199397
MT		 28039diff -urNp linux-2.6.35.4/drivers/usb/class/cdc-acm.c linux-2.6.35.4/drivers/usb/class/cdc-acm.c
28040--- linux-2.6.35.4/drivers/usb/class/cdc-acm.c 2010-08-26 19:47:12.000000000 -0400
28041+++ linux-2.6.35.4/drivers/usb/class/cdc-acm.c 2010-09-17 20:12:09.000000000 -0400
28042@@ -1619,7 +1619,7 @@ static const struct usb_device_id acm_id
ae4e228f 28043 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
58c5fc13
MT		 28044 USB_CDC_ACM_PROTO_AT_CDMA) },
28045
58c5fc13
MT		 28046- { }
28047+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28048 };
28049
28050 MODULE_DEVICE_TABLE(usb, acm_ids);
57199397
MT		 28051diff -urNp linux-2.6.35.4/drivers/usb/class/cdc-wdm.c linux-2.6.35.4/drivers/usb/class/cdc-wdm.c
28052--- linux-2.6.35.4/drivers/usb/class/cdc-wdm.c 2010-08-26 19:47:12.000000000 -0400
28053+++ linux-2.6.35.4/drivers/usb/class/cdc-wdm.c 2010-09-17 20:12:09.000000000 -0400
28054@@ -342,7 +342,7 @@ static ssize_t wdm_write
28055 goto outnp;
28056 }
28057
28058- if (!file->f_flags && O_NONBLOCK)
28059+ if (!(file->f_flags & O_NONBLOCK))
28060 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
28061 &desc->flags));
28062 else
28063diff -urNp linux-2.6.35.4/drivers/usb/class/usblp.c linux-2.6.35.4/drivers/usb/class/usblp.c
28064--- linux-2.6.35.4/drivers/usb/class/usblp.c 2010-08-26 19:47:12.000000000 -0400
28065+++ linux-2.6.35.4/drivers/usb/class/usblp.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28066@@ -226,7 +226,7 @@ static const struct quirk_printer_struct
58c5fc13
MT		 28067 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28068 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28069 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28070- { 0, 0 }
28071+ { 0, 0, 0 }
28072 };
28073
28074 static int usblp_wwait(struct usblp *usblp, int nonblock);
df50ba0c 28075@@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
58c5fc13
MT		 28076 { USB_INTERFACE_INFO(7, 1, 2) },
28077 { USB_INTERFACE_INFO(7, 1, 3) },
28078 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28079- { } /* Terminating entry */
28080+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28081 };
28082
28083 MODULE_DEVICE_TABLE (usb, usblp_ids);
57199397
MT		 28084diff -urNp linux-2.6.35.4/drivers/usb/core/hcd.c linux-2.6.35.4/drivers/usb/core/hcd.c
28085--- linux-2.6.35.4/drivers/usb/core/hcd.c 2010-08-26 19:47:12.000000000 -0400
28086+++ linux-2.6.35.4/drivers/usb/core/hcd.c 2010-09-17 20:12:09.000000000 -0400
28087@@ -2381,7 +2381,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
ae4e228f
MT		 28088
28089 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28090
28091-struct usb_mon_operations *mon_ops;
28092+const struct usb_mon_operations *mon_ops;
28093
28094 /*
28095 * The registration is unlocked.
57199397 28096@@ -2391,7 +2391,7 @@ struct usb_mon_operations *mon_ops;
ae4e228f
MT		 28097 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28098 */
28099
28100-int usb_mon_register (struct usb_mon_operations *ops)
28101+int usb_mon_register (const struct usb_mon_operations *ops)
28102 {
28103
28104 if (mon_ops)
57199397
MT		 28105diff -urNp linux-2.6.35.4/drivers/usb/core/hub.c linux-2.6.35.4/drivers/usb/core/hub.c
28106--- linux-2.6.35.4/drivers/usb/core/hub.c 2010-08-26 19:47:12.000000000 -0400
28107+++ linux-2.6.35.4/drivers/usb/core/hub.c 2010-09-17 20:12:09.000000000 -0400
28108@@ -3453,7 +3453,7 @@ static const struct usb_device_id hub_id
58c5fc13
MT		 28109 .bDeviceClass = USB_CLASS_HUB},
28110 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28111 .bInterfaceClass = USB_CLASS_HUB},
28112- { } /* Terminating entry */
28113+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28114 };
28115
28116 MODULE_DEVICE_TABLE (usb, hub_id_table);
57199397
MT		 28117diff -urNp linux-2.6.35.4/drivers/usb/core/message.c linux-2.6.35.4/drivers/usb/core/message.c
28118--- linux-2.6.35.4/drivers/usb/core/message.c 2010-08-26 19:47:12.000000000 -0400
28119+++ linux-2.6.35.4/drivers/usb/core/message.c 2010-09-17 20:12:09.000000000 -0400
28120@@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
ae4e228f 28121 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
58c5fc13
MT		 28122 if (buf) {
28123 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28124- if (len > 0) {
ae4e228f 28125- smallbuf = kmalloc(++len, GFP_NOIO);
58c5fc13 28126+ if (len++ > 0) {
ae4e228f 28127+ smallbuf = kmalloc(len, GFP_NOIO);
58c5fc13
MT		 28128 if (!smallbuf)
28129 return buf;
28130 memcpy(smallbuf, buf, len);
57199397
MT		 28131diff -urNp linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c
28132--- linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c 2010-08-26 19:47:12.000000000 -0400
28133+++ linux-2.6.35.4/drivers/usb/early/ehci-dbgp.c 2010-09-17 20:12:09.000000000 -0400
28134@@ -1026,6 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
28135 early_dbgp_write(NULL, &chr, 1);
28136 }
28137
28138+/* cannot be const, see kgdbdbgp_parse_config() */
28139 static struct kgdb_io kgdbdbgp_io_ops = {
28140 .name = "kgdbdbgp",
28141 .read_char = kgdbdbgp_read_char,
28142diff -urNp linux-2.6.35.4/drivers/usb/host/ehci-pci.c linux-2.6.35.4/drivers/usb/host/ehci-pci.c
28143--- linux-2.6.35.4/drivers/usb/host/ehci-pci.c 2010-08-26 19:47:12.000000000 -0400
28144+++ linux-2.6.35.4/drivers/usb/host/ehci-pci.c 2010-09-17 20:12:09.000000000 -0400
28145@@ -419,7 +419,7 @@ static const struct pci_device_id pci_id
58c5fc13
MT		 28146 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28147 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28148 },
28149- { /* end: all zeroes */ }
28150+ { 0, 0, 0, 0, 0, 0, 0 }
28151 };
28152 MODULE_DEVICE_TABLE(pci, pci_ids);
28153
57199397
MT		 28154diff -urNp linux-2.6.35.4/drivers/usb/host/uhci-hcd.c linux-2.6.35.4/drivers/usb/host/uhci-hcd.c
28155--- linux-2.6.35.4/drivers/usb/host/uhci-hcd.c 2010-08-26 19:47:12.000000000 -0400
28156+++ linux-2.6.35.4/drivers/usb/host/uhci-hcd.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 28157@@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
58c5fc13
MT		 28158 /* handle any USB UHCI controller */
28159 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28160 .driver_data = (unsigned long) &uhci_driver,
28161- }, { /* end: all zeroes */ }
28162+ }, { 0, 0, 0, 0, 0, 0, 0 }
28163 };
28164
28165 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
57199397
MT		 28166diff -urNp linux-2.6.35.4/drivers/usb/mon/mon_main.c linux-2.6.35.4/drivers/usb/mon/mon_main.c
28167--- linux-2.6.35.4/drivers/usb/mon/mon_main.c 2010-08-26 19:47:12.000000000 -0400
28168+++ linux-2.6.35.4/drivers/usb/mon/mon_main.c 2010-09-17 20:12:09.000000000 -0400
28169@@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
ae4e228f
MT		 28170 /*
28171 * Ops
28172 */
28173-static struct usb_mon_operations mon_ops_0 = {
28174+static const struct usb_mon_operations mon_ops_0 = {
28175 .urb_submit = mon_submit,
28176 .urb_submit_error = mon_submit_error,
28177 .urb_complete = mon_complete,
57199397
MT		 28178diff -urNp linux-2.6.35.4/drivers/usb/storage/debug.h linux-2.6.35.4/drivers/usb/storage/debug.h
28179--- linux-2.6.35.4/drivers/usb/storage/debug.h 2010-08-26 19:47:12.000000000 -0400
28180+++ linux-2.6.35.4/drivers/usb/storage/debug.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28181@@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28182 #define US_DEBUGPX(x...) printk( x )
28183 #define US_DEBUG(x) x
28184 #else
28185-#define US_DEBUGP(x...)
28186-#define US_DEBUGPX(x...)
28187-#define US_DEBUG(x)
28188+#define US_DEBUGP(x...) do {} while (0)
28189+#define US_DEBUGPX(x...) do {} while (0)
28190+#define US_DEBUG(x) do {} while (0)
28191 #endif
28192
28193 #endif
57199397
MT		 28194diff -urNp linux-2.6.35.4/drivers/usb/storage/usb.c linux-2.6.35.4/drivers/usb/storage/usb.c
28195--- linux-2.6.35.4/drivers/usb/storage/usb.c 2010-08-26 19:47:12.000000000 -0400
28196+++ linux-2.6.35.4/drivers/usb/storage/usb.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 28197@@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
58c5fc13
MT		 28198
28199 static struct us_unusual_dev us_unusual_dev_list[] = {
28200 # include "unusual_devs.h"
28201- { } /* Terminating entry */
28202+ { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28203 };
28204
28205 #undef UNUSUAL_DEV
57199397
MT		 28206diff -urNp linux-2.6.35.4/drivers/usb/storage/usual-tables.c linux-2.6.35.4/drivers/usb/storage/usual-tables.c
28207--- linux-2.6.35.4/drivers/usb/storage/usual-tables.c 2010-08-26 19:47:12.000000000 -0400
28208+++ linux-2.6.35.4/drivers/usb/storage/usual-tables.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28209@@ -48,7 +48,7 @@
28210
28211 struct usb_device_id usb_storage_usb_ids[] = {
28212 # include "unusual_devs.h"
28213- { } /* Terminating entry */
28214+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28215 };
28216 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28217
57199397
MT		 28218diff -urNp linux-2.6.35.4/drivers/uwb/wlp/messages.c linux-2.6.35.4/drivers/uwb/wlp/messages.c
28219--- linux-2.6.35.4/drivers/uwb/wlp/messages.c 2010-08-26 19:47:12.000000000 -0400
28220+++ linux-2.6.35.4/drivers/uwb/wlp/messages.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28221@@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
58c5fc13
MT		 28222 size_t len = skb->len;
28223 size_t used;
28224 ssize_t result;
28225- struct wlp_nonce enonce, rnonce;
28226+ struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
28227 enum wlp_assc_error assc_err;
28228 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
28229 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
57199397
MT		 28230diff -urNp linux-2.6.35.4/drivers/vhost/vhost.c linux-2.6.35.4/drivers/vhost/vhost.c
28231--- linux-2.6.35.4/drivers/vhost/vhost.c 2010-08-26 19:47:12.000000000 -0400
28232+++ linux-2.6.35.4/drivers/vhost/vhost.c 2010-09-17 20:12:09.000000000 -0400
28233@@ -357,7 +357,7 @@ static int init_used(struct vhost_virtqu
28234 return get_user(vq->last_used_idx, &used->idx);
28235 }
28236
28237-static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28238+static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28239 {
28240 struct file *eventfp, *filep = NULL,
28241 *pollstart = NULL, *pollstop = NULL;
28242diff -urNp linux-2.6.35.4/drivers/video/atmel_lcdfb.c linux-2.6.35.4/drivers/video/atmel_lcdfb.c
28243--- linux-2.6.35.4/drivers/video/atmel_lcdfb.c 2010-08-26 19:47:12.000000000 -0400
28244+++ linux-2.6.35.4/drivers/video/atmel_lcdfb.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28245@@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
ae4e228f
MT		 28246 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28247 }
28248
28249-static struct backlight_ops atmel_lcdc_bl_ops = {
28250+static const struct backlight_ops atmel_lcdc_bl_ops = {
28251 .update_status = atmel_bl_update_status,
28252 .get_brightness = atmel_bl_get_brightness,
28253 };
57199397
MT		 28254diff -urNp linux-2.6.35.4/drivers/video/aty/aty128fb.c linux-2.6.35.4/drivers/video/aty/aty128fb.c
28255--- linux-2.6.35.4/drivers/video/aty/aty128fb.c 2010-08-26 19:47:12.000000000 -0400
28256+++ linux-2.6.35.4/drivers/video/aty/aty128fb.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28257@@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
ae4e228f
MT		 28258 return bd->props.brightness;
28259 }
28260
28261-static struct backlight_ops aty128_bl_data = {
28262+static const struct backlight_ops aty128_bl_data = {
28263 .get_brightness = aty128_bl_get_brightness,
28264 .update_status = aty128_bl_update_status,
28265 };
57199397
MT		 28266diff -urNp linux-2.6.35.4/drivers/video/aty/atyfb_base.c linux-2.6.35.4/drivers/video/aty/atyfb_base.c
28267--- linux-2.6.35.4/drivers/video/aty/atyfb_base.c 2010-08-26 19:47:12.000000000 -0400
28268+++ linux-2.6.35.4/drivers/video/aty/atyfb_base.c 2010-09-17 20:12:09.000000000 -0400
28269@@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
ae4e228f
MT		 28270 return bd->props.brightness;
28271 }
28272
28273-static struct backlight_ops aty_bl_data = {
28274+static const struct backlight_ops aty_bl_data = {
28275 .get_brightness = aty_bl_get_brightness,
28276 .update_status = aty_bl_update_status,
28277 };
57199397
MT		 28278diff -urNp linux-2.6.35.4/drivers/video/aty/radeon_backlight.c linux-2.6.35.4/drivers/video/aty/radeon_backlight.c
28279--- linux-2.6.35.4/drivers/video/aty/radeon_backlight.c 2010-08-26 19:47:12.000000000 -0400
28280+++ linux-2.6.35.4/drivers/video/aty/radeon_backlight.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28281@@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
ae4e228f
MT		 28282 return bd->props.brightness;
28283 }
28284
28285-static struct backlight_ops radeon_bl_data = {
28286+static const struct backlight_ops radeon_bl_data = {
28287 .get_brightness = radeon_bl_get_brightness,
28288 .update_status = radeon_bl_update_status,
28289 };
57199397
MT		 28290diff -urNp linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c
28291--- linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c 2010-08-26 19:47:12.000000000 -0400
28292+++ linux-2.6.35.4/drivers/video/backlight/88pm860x_bl.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 28293@@ -155,7 +155,7 @@ out:
28294 return -EINVAL;
28295 }
28296
28297-static struct backlight_ops pm860x_backlight_ops = {
28298+static const struct backlight_ops pm860x_backlight_ops = {
28299 .options = BL_CORE_SUSPENDRESUME,
28300 .update_status = pm860x_backlight_update_status,
28301 .get_brightness = pm860x_backlight_get_brightness,
57199397
MT		 28302diff -urNp linux-2.6.35.4/drivers/video/backlight/max8925_bl.c linux-2.6.35.4/drivers/video/backlight/max8925_bl.c
28303--- linux-2.6.35.4/drivers/video/backlight/max8925_bl.c 2010-08-26 19:47:12.000000000 -0400
28304+++ linux-2.6.35.4/drivers/video/backlight/max8925_bl.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 28305@@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28306 return ret;
ae4e228f
MT		 28307 }
28308
df50ba0c
MT		 28309-static struct backlight_ops max8925_backlight_ops = {
28310+static const struct backlight_ops max8925_backlight_ops = {
28311 .options = BL_CORE_SUSPENDRESUME,
28312 .update_status = max8925_backlight_update_status,
28313 .get_brightness = max8925_backlight_get_brightness,
57199397
MT		 28314diff -urNp linux-2.6.35.4/drivers/video/fbcmap.c linux-2.6.35.4/drivers/video/fbcmap.c
28315--- linux-2.6.35.4/drivers/video/fbcmap.c 2010-08-26 19:47:12.000000000 -0400
28316+++ linux-2.6.35.4/drivers/video/fbcmap.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 28317@@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28318 rc = -ENODEV;
28319 goto out;
28320 }
28321- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28322- !info->fbops->fb_setcmap)) {
28323+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28324 rc = -EINVAL;
28325 goto out1;
28326 }
57199397
MT		 28327diff -urNp linux-2.6.35.4/drivers/video/fbmem.c linux-2.6.35.4/drivers/video/fbmem.c
28328--- linux-2.6.35.4/drivers/video/fbmem.c 2010-08-26 19:47:12.000000000 -0400
28329+++ linux-2.6.35.4/drivers/video/fbmem.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28330@@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28331 image->dx += image->width + 8;
28332 }
28333 } else if (rotate == FB_ROTATE_UD) {
28334- for (x = 0; x < num && image->dx >= 0; x++) {
28335+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28336 info->fbops->fb_imageblit(info, image);
28337 image->dx -= image->width + 8;
28338 }
28339@@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28340 image->dy += image->height + 8;
28341 }
28342 } else if (rotate == FB_ROTATE_CCW) {
28343- for (x = 0; x < num && image->dy >= 0; x++) {
28344+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28345 info->fbops->fb_imageblit(info, image);
28346 image->dy -= image->height + 8;
28347 }
ae4e228f 28348@@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
58c5fc13
MT		 28349 return -EFAULT;
28350 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28351 return -EINVAL;
28352- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28353+ if (con2fb.framebuffer >= FB_MAX)
28354 return -EINVAL;
28355 if (!registered_fb[con2fb.framebuffer])
28356 request_module("fb%d", con2fb.framebuffer);
57199397
MT		 28357diff -urNp linux-2.6.35.4/drivers/video/fbmon.c linux-2.6.35.4/drivers/video/fbmon.c
28358--- linux-2.6.35.4/drivers/video/fbmon.c 2010-08-26 19:47:12.000000000 -0400
28359+++ linux-2.6.35.4/drivers/video/fbmon.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28360@@ -46,7 +46,7 @@
58c5fc13
MT		 28361 #ifdef DEBUG
28362 #define DPRINTK(fmt, args...) printk(fmt,## args)
28363 #else
28364-#define DPRINTK(fmt, args...)
28365+#define DPRINTK(fmt, args...) do {} while (0)
28366 #endif
28367
28368 #define FBMON_FIX_HEADER 1
57199397
MT		 28369diff -urNp linux-2.6.35.4/drivers/video/i810/i810_accel.c linux-2.6.35.4/drivers/video/i810/i810_accel.c
28370--- linux-2.6.35.4/drivers/video/i810/i810_accel.c 2010-08-26 19:47:12.000000000 -0400
28371+++ linux-2.6.35.4/drivers/video/i810/i810_accel.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28372@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28373 }
28374 }
28375 printk("ringbuffer lockup!!!\n");
28376+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28377 i810_report_error(mmio);
28378 par->dev_flags |= LOCKUP;
28379 info->pixmap.scan_align = 1;
57199397
MT		 28380diff -urNp linux-2.6.35.4/drivers/video/i810/i810_main.c linux-2.6.35.4/drivers/video/i810/i810_main.c
28381--- linux-2.6.35.4/drivers/video/i810/i810_main.c 2010-08-26 19:47:12.000000000 -0400
28382+++ linux-2.6.35.4/drivers/video/i810/i810_main.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28383@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28384 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28385 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28386 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28387- { 0 },
28388+ { 0, 0, 0, 0, 0, 0, 0 },
28389 };
28390
28391 static struct pci_driver i810fb_driver = {
57199397
MT		 28392diff -urNp linux-2.6.35.4/drivers/video/modedb.c linux-2.6.35.4/drivers/video/modedb.c
28393--- linux-2.6.35.4/drivers/video/modedb.c 2010-08-26 19:47:12.000000000 -0400
28394+++ linux-2.6.35.4/drivers/video/modedb.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28395@@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
58c5fc13
MT		 28396 {
28397 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28398 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28399- 0, FB_VMODE_NONINTERLACED
28400+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28401 }, {
28402 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28403 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28404- 0, FB_VMODE_NONINTERLACED
28405+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28406 }, {
28407 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28408 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28409- 0, FB_VMODE_NONINTERLACED
28410+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28411 }, {
28412 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28413 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28414- 0, FB_VMODE_INTERLACED
28415+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28416 }, {
28417 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28418 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28419- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28420+ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28421 }, {
28422 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28423 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28424- 0, FB_VMODE_NONINTERLACED
28425+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28426 }, {
28427 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28428 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28429- 0, FB_VMODE_NONINTERLACED
28430+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28431 }, {
28432 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28433 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28434- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28435+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28436 }, {
28437 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28438 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28439- 0, FB_VMODE_NONINTERLACED
28440+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28441 }, {
28442 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28443 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28444- 0, FB_VMODE_INTERLACED
28445+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28446 }, {
28447 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28448 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28449- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28450+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28451 }, {
28452 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28453 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28454- 0, FB_VMODE_NONINTERLACED
28455+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28456 }, {
28457 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28458 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28459- 0, FB_VMODE_NONINTERLACED
28460+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28461 }, {
28462 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28463 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28464- 0, FB_VMODE_NONINTERLACED
28465+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28466 }, {
28467 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28468 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28469- 0, FB_VMODE_NONINTERLACED
28470+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28471 }, {
28472 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28473 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28474- 0, FB_VMODE_NONINTERLACED
28475+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28476 }, {
28477 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28478 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28479- 0, FB_VMODE_INTERLACED
28480+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28481 }, {
28482 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28483 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28484- 0, FB_VMODE_NONINTERLACED
28485+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28486 }, {
28487 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28488 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28489- 0, FB_VMODE_NONINTERLACED
28490+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28491 }, {
28492 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28493 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28494- 0, FB_VMODE_NONINTERLACED
28495+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28496 }, {
28497 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28498 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28499- 0, FB_VMODE_NONINTERLACED
28500+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28501 }, {
28502 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28503 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28504- 0, FB_VMODE_NONINTERLACED
28505+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28506 }, {
28507 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28508 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28509- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28510+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28511 }, {
28512 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28513 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28514- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28515+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28516 }, {
28517 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28518 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28519- 0, FB_VMODE_NONINTERLACED
28520+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28521 }, {
28522 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28523 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28524- 0, FB_VMODE_NONINTERLACED
28525+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28526 }, {
28527 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28528 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28529- 0, FB_VMODE_NONINTERLACED
28530+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28531 }, {
28532 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28533 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28534- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28535+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28536 }, {
28537 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28538 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28539- 0, FB_VMODE_NONINTERLACED
28540+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28541 }, {
28542 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28543 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28544- 0, FB_VMODE_NONINTERLACED
28545+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28546 }, {
28547 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28548 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28549- 0, FB_VMODE_NONINTERLACED
28550+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28551 }, {
28552 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28553 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28554- 0, FB_VMODE_NONINTERLACED
28555+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28556 }, {
28557 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28558 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28559- 0, FB_VMODE_NONINTERLACED
28560+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28561 }, {
28562 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28563 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28564- 0, FB_VMODE_NONINTERLACED
28565+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28566 }, {
28567 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28568 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28569- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28570+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28571 }, {
28572 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28573 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28574- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28575+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28576 }, {
28577 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28578 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28579- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28580+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28581 }, {
28582 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28583 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28584- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28585+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28586 }, {
28587 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28588 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28589- 0, FB_VMODE_NONINTERLACED
28590+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28591 }, {
28592 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28593 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28594- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28595+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28596 }, {
28597 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28598 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28599- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28600+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28601 }, {
28602 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28603 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28604- 0, FB_VMODE_NONINTERLACED
28605+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28606 }, {
28607 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28608 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28609- 0, FB_VMODE_NONINTERLACED
28610+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28611 }, {
28612 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28613 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28614- 0, FB_VMODE_DOUBLE
28615+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28616 }, {
28617 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28618 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28619- 0, FB_VMODE_DOUBLE
28620+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28621 }, {
28622 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28623 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28624- 0, FB_VMODE_DOUBLE
28625+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28626 }, {
28627 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28628 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28629- 0, FB_VMODE_DOUBLE
28630+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28631 }, {
28632 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28633 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28634- 0, FB_VMODE_DOUBLE
28635+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28636 }, {
28637 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28638 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28639- 0, FB_VMODE_DOUBLE
28640+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28641 }, {
28642 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28643 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28644- 0, FB_VMODE_DOUBLE
28645+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28646 }, {
28647 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28648 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28649- 0, FB_VMODE_DOUBLE
28650+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28651 }, {
28652 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28653 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28654- 0, FB_VMODE_DOUBLE
28655+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28656 }, {
28657 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28658 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28659- 0, FB_VMODE_DOUBLE
28660+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28661 }, {
28662 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28663 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28664 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28665- FB_VMODE_NONINTERLACED
28666+ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28667 }, {
28668 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28669 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28670- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28671+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28672 }, {
28673 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28674 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28675- 0, FB_VMODE_NONINTERLACED
28676+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28677 }, {
28678 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28679 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28680- 0, FB_VMODE_NONINTERLACED
28681+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28682 }, {
28683 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28684 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28685- 0, FB_VMODE_INTERLACED
28686+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28687 }, {
28688 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28689 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28690- 0, FB_VMODE_INTERLACED
28691+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28692 },
28693 };
28694
57199397
MT		 28695diff -urNp linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c
28696--- linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c 2010-08-26 19:47:12.000000000 -0400
28697+++ linux-2.6.35.4/drivers/video/nvidia/nv_backlight.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 28698@@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28699 return bd->props.brightness;
28700 }
28701
28702-static struct backlight_ops nvidia_bl_ops = {
28703+static const struct backlight_ops nvidia_bl_ops = {
28704 .get_brightness = nvidia_bl_get_brightness,
28705 .update_status = nvidia_bl_update_status,
28706 };
57199397
MT		 28707diff -urNp linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c
28708--- linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c 2010-08-26 19:47:12.000000000 -0400
28709+++ linux-2.6.35.4/drivers/video/omap2/displays/panel-taal.c 2010-09-17 20:12:09.000000000 -0400
28710@@ -319,7 +319,7 @@ static int taal_bl_get_intensity(struct
ae4e228f
MT		 28711 return 0;
28712 }
28713
28714-static struct backlight_ops taal_bl_ops = {
28715+static const struct backlight_ops taal_bl_ops = {
28716 .get_brightness = taal_bl_get_intensity,
28717 .update_status = taal_bl_update_status,
28718 };
57199397
MT		 28719diff -urNp linux-2.6.35.4/drivers/video/riva/fbdev.c linux-2.6.35.4/drivers/video/riva/fbdev.c
28720--- linux-2.6.35.4/drivers/video/riva/fbdev.c 2010-08-26 19:47:12.000000000 -0400
28721+++ linux-2.6.35.4/drivers/video/riva/fbdev.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 28722@@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
28723 return bd->props.brightness;
28724 }
28725
28726-static struct backlight_ops riva_bl_ops = {
28727+static const struct backlight_ops riva_bl_ops = {
28728 .get_brightness = riva_bl_get_brightness,
28729 .update_status = riva_bl_update_status,
28730 };
57199397
MT		 28731diff -urNp linux-2.6.35.4/drivers/video/uvesafb.c linux-2.6.35.4/drivers/video/uvesafb.c
28732--- linux-2.6.35.4/drivers/video/uvesafb.c 2010-08-26 19:47:12.000000000 -0400
28733+++ linux-2.6.35.4/drivers/video/uvesafb.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 28734@@ -19,6 +19,7 @@
58c5fc13
MT		 28735 #include <linux/io.h>
28736 #include <linux/mutex.h>
df50ba0c 28737 #include <linux/slab.h>
58c5fc13
MT		 28738+#include <linux/moduleloader.h>
28739 #include <video/edid.h>
28740 #include <video/uvesafb.h>
28741 #ifdef CONFIG_X86
df50ba0c 28742@@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
58c5fc13
MT		 28743 NULL,
28744 };
28745
28746- return call_usermodehelper(v86d_path, argv, envp, 1);
28747+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28748 }
28749
28750 /*
df50ba0c 28751@@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
58c5fc13
MT		 28752 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28753 par->pmi_setpal = par->ypan = 0;
28754 } else {
28755+
28756+#ifdef CONFIG_PAX_KERNEXEC
28757+#ifdef CONFIG_MODULES
58c5fc13
MT		 28758+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28759+#endif
28760+ if (!par->pmi_code) {
28761+ par->pmi_setpal = par->ypan = 0;
28762+ return 0;
28763+ }
28764+#endif
28765+
28766 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28767 + task->t.regs.edi);
28768+
28769+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
ae4e228f 28770+ pax_open_kernel();
58c5fc13 28771+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
ae4e228f 28772+ pax_close_kernel();
58c5fc13
MT		 28773+
28774+ par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28775+ par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28776+#else
28777 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28778 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28779+#endif
28780+
28781 printk(KERN_INFO "uvesafb: protected mode interface info at "
28782 "%04x:%04x\n",
28783 (u16)task->t.regs.es, (u16)task->t.regs.edi);
df50ba0c 28784@@ -1800,6 +1823,11 @@ out:
58c5fc13
MT		 28785 if (par->vbe_modes)
28786 kfree(par->vbe_modes);
28787
28788+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28789+ if (par->pmi_code)
28790+ module_free_exec(NULL, par->pmi_code);
28791+#endif
28792+
28793 framebuffer_release(info);
28794 return err;
28795 }
df50ba0c 28796@@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
58c5fc13
MT		 28797 kfree(par->vbe_state_orig);
28798 if (par->vbe_state_saved)
28799 kfree(par->vbe_state_saved);
28800+
28801+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28802+ if (par->pmi_code)
28803+ module_free_exec(NULL, par->pmi_code);
28804+#endif
28805+
28806 }
28807
28808 framebuffer_release(info);
57199397
MT		 28809diff -urNp linux-2.6.35.4/drivers/video/vesafb.c linux-2.6.35.4/drivers/video/vesafb.c
28810--- linux-2.6.35.4/drivers/video/vesafb.c 2010-08-26 19:47:12.000000000 -0400
28811+++ linux-2.6.35.4/drivers/video/vesafb.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28812@@ -9,6 +9,7 @@
28813 */
28814
28815 #include <linux/module.h>
28816+#include <linux/moduleloader.h>
28817 #include <linux/kernel.h>
28818 #include <linux/errno.h>
28819 #include <linux/string.h>
df50ba0c 28820@@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
58c5fc13
MT		 28821 static int vram_total __initdata; /* Set total amount of memory */
28822 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
28823 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
28824-static void (*pmi_start)(void) __read_mostly;
28825-static void (*pmi_pal) (void) __read_mostly;
28826+static void (*pmi_start)(void) __read_only;
28827+static void (*pmi_pal) (void) __read_only;
28828 static int depth __read_mostly;
28829 static int vga_compat __read_mostly;
28830 /* --------------------------------------------------------------------- */
df50ba0c 28831@@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
58c5fc13
MT		 28832 unsigned int size_vmode;
28833 unsigned int size_remap;
28834 unsigned int size_total;
28835+ void *pmi_code = NULL;
28836
28837 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
28838 return -ENODEV;
df50ba0c 28839@@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
58c5fc13
MT		 28840 size_remap = size_total;
28841 vesafb_fix.smem_len = size_remap;
28842
28843-#ifndef __i386__
28844- screen_info.vesapm_seg = 0;
28845-#endif
28846-
28847 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
28848 printk(KERN_WARNING
28849 "vesafb: cannot reserve video memory at 0x%lx\n",
57199397 28850@@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
58c5fc13
MT		 28851 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
28852 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
28853
28854+#ifdef __i386__
28855+
28856+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28857+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
28858+ if (!pmi_code)
28859+#elif !defined(CONFIG_PAX_KERNEXEC)
28860+ if (0)
28861+#endif
28862+
28863+#endif
28864+ screen_info.vesapm_seg = 0;
28865+
28866 if (screen_info.vesapm_seg) {
28867- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
28868- screen_info.vesapm_seg,screen_info.vesapm_off);
28869+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
28870+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
28871 }
28872
28873 if (screen_info.vesapm_seg < 0xc000)
57199397 28874@@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
58c5fc13
MT		 28875
28876 if (ypan || pmi_setpal) {
28877 unsigned short *pmi_base;
28878- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28879- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
28880- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
28881+
58c5fc13
MT		 28882+ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28883+
28884+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
ae4e228f 28885+ pax_open_kernel();
58c5fc13
MT		 28886+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
28887+#else
28888+ pmi_code = pmi_base;
28889+#endif
28890+
28891+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
28892+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
28893+
28894+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28895+ pmi_start = ktva_ktla(pmi_start);
28896+ pmi_pal = ktva_ktla(pmi_pal);
ae4e228f 28897+ pax_close_kernel();
58c5fc13
MT		 28898+#endif
28899+
28900 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
28901 if (pmi_base[3]) {
28902 printk(KERN_INFO "vesafb: pmi: ports = ");
57199397 28903@@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
58c5fc13
MT		 28904 info->node, info->fix.id);
28905 return 0;
28906 err:
28907+
28908+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28909+ module_free_exec(NULL, pmi_code);
28910+#endif
28911+
28912 if (info->screen_base)
28913 iounmap(info->screen_base);
28914 framebuffer_release(info);
57199397
MT		 28915diff -urNp linux-2.6.35.4/fs/9p/vfs_inode.c linux-2.6.35.4/fs/9p/vfs_inode.c
28916--- linux-2.6.35.4/fs/9p/vfs_inode.c 2010-08-26 19:47:12.000000000 -0400
28917+++ linux-2.6.35.4/fs/9p/vfs_inode.c 2010-09-17 20:12:09.000000000 -0400
28918@@ -1087,7 +1087,7 @@ static void *v9fs_vfs_follow_link(struct
58c5fc13
MT		 28919 static void
28920 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
28921 {
28922- char *s = nd_get_link(nd);
28923+ const char *s = nd_get_link(nd);
28924
28925 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
28926 IS_ERR(s) ? "<error>" : s);
57199397
MT		 28927diff -urNp linux-2.6.35.4/fs/aio.c linux-2.6.35.4/fs/aio.c
28928--- linux-2.6.35.4/fs/aio.c 2010-08-26 19:47:12.000000000 -0400
28929+++ linux-2.6.35.4/fs/aio.c 2010-09-17 20:12:09.000000000 -0400
efbe55a5 28930@@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
58c5fc13
MT		 28931 size += sizeof(struct io_event) * nr_events;
28932 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
28933
28934- if (nr_pages < 0)
28935+ if (nr_pages <= 0)
28936 return -EINVAL;
28937
28938 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
57199397
MT		 28939diff -urNp linux-2.6.35.4/fs/attr.c linux-2.6.35.4/fs/attr.c
28940--- linux-2.6.35.4/fs/attr.c 2010-08-26 19:47:12.000000000 -0400
28941+++ linux-2.6.35.4/fs/attr.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 28942@@ -82,6 +82,7 @@ int inode_newsize_ok(const struct inode
ae4e228f
MT		 28943 unsigned long limit;
28944
df50ba0c 28945 limit = rlimit(RLIMIT_FSIZE);
ae4e228f
MT		 28946+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
28947 if (limit != RLIM_INFINITY && offset > limit)
28948 goto out_sig;
28949 if (offset > inode->i_sb->s_maxbytes)
57199397
MT		 28950diff -urNp linux-2.6.35.4/fs/autofs/root.c linux-2.6.35.4/fs/autofs/root.c
28951--- linux-2.6.35.4/fs/autofs/root.c 2010-08-26 19:47:12.000000000 -0400
28952+++ linux-2.6.35.4/fs/autofs/root.c 2010-09-17 20:12:09.000000000 -0400
28953@@ -301,7 +301,8 @@ static int autofs_root_symlink(struct in
58c5fc13
MT		 28954 set_bit(n,sbi->symlink_bitmap);
28955 sl = &sbi->symlink[n];
28956 sl->len = strlen(symname);
28957- sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
28958+ slsize = sl->len+1;
28959+ sl->data = kmalloc(slsize, GFP_KERNEL);
28960 if (!sl->data) {
28961 clear_bit(n,sbi->symlink_bitmap);
28962 unlock_kernel();
57199397
MT		 28963diff -urNp linux-2.6.35.4/fs/autofs4/symlink.c linux-2.6.35.4/fs/autofs4/symlink.c
28964--- linux-2.6.35.4/fs/autofs4/symlink.c 2010-08-26 19:47:12.000000000 -0400
28965+++ linux-2.6.35.4/fs/autofs4/symlink.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28966@@ -15,7 +15,7 @@
28967 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
28968 {
28969 struct autofs_info *ino = autofs4_dentry_ino(dentry);
28970- nd_set_link(nd, (char *)ino->u.symlink);
28971+ nd_set_link(nd, ino->u.symlink);
28972 return NULL;
28973 }
28974
57199397
MT		 28975diff -urNp linux-2.6.35.4/fs/befs/linuxvfs.c linux-2.6.35.4/fs/befs/linuxvfs.c
28976--- linux-2.6.35.4/fs/befs/linuxvfs.c 2010-08-26 19:47:12.000000000 -0400
28977+++ linux-2.6.35.4/fs/befs/linuxvfs.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 28978@@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
28979 {
28980 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
28981 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
28982- char *link = nd_get_link(nd);
28983+ const char *link = nd_get_link(nd);
28984 if (!IS_ERR(link))
28985 kfree(link);
28986 }
57199397
MT		 28987diff -urNp linux-2.6.35.4/fs/binfmt_aout.c linux-2.6.35.4/fs/binfmt_aout.c
28988--- linux-2.6.35.4/fs/binfmt_aout.c 2010-08-26 19:47:12.000000000 -0400
28989+++ linux-2.6.35.4/fs/binfmt_aout.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 28990@@ -16,6 +16,7 @@
28991 #include <linux/string.h>
28992 #include <linux/fs.h>
28993 #include <linux/file.h>
28994+#include <linux/security.h>
28995 #include <linux/stat.h>
28996 #include <linux/fcntl.h>
28997 #include <linux/ptrace.h>
df50ba0c 28998@@ -97,10 +98,12 @@ static int aout_core_dump(struct coredum
58c5fc13
MT		 28999
29000 /* If the size of the dump file exceeds the rlimit, then see what would happen
29001 if we wrote the stack, but not the data area. */
29002+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
ae4e228f 29003 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
58c5fc13
MT		 29004 dump.u_dsize = 0;
29005
29006 /* Make sure we have enough room to write the stack and data areas. */
29007+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
ae4e228f 29008 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
58c5fc13
MT		 29009 dump.u_ssize = 0;
29010
df50ba0c
MT		 29011@@ -238,6 +241,8 @@ static int load_aout_binary(struct linux
29012 rlim = rlimit(RLIMIT_DATA);
58c5fc13
MT		 29013 if (rlim >= RLIM_INFINITY)
29014 rlim = ~0;
29015+
29016+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29017 if (ex.a_data + ex.a_bss > rlim)
29018 return -ENOMEM;
29019
df50ba0c 29020@@ -266,6 +271,27 @@ static int load_aout_binary(struct linux
58c5fc13
MT		 29021 install_exec_creds(bprm);
29022 current->flags &= ~PF_FORKNOEXEC;
29023
29024+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29025+ current->mm->pax_flags = 0UL;
29026+#endif
29027+
29028+#ifdef CONFIG_PAX_PAGEEXEC
29029+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29030+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29031+
29032+#ifdef CONFIG_PAX_EMUTRAMP
29033+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29034+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29035+#endif
29036+
29037+#ifdef CONFIG_PAX_MPROTECT
29038+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29039+ current->mm->pax_flags |= MF_PAX_MPROTECT;
29040+#endif
29041+
29042+ }
29043+#endif
29044+
29045 if (N_MAGIC(ex) == OMAGIC) {
29046 unsigned long text_addr, map_size;
29047 loff_t pos;
df50ba0c 29048@@ -338,7 +364,7 @@ static int load_aout_binary(struct linux
58c5fc13
MT		 29049
29050 down_write(&current->mm->mmap_sem);
29051 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29052- PROT_READ | PROT_WRITE | PROT_EXEC,
29053+ PROT_READ | PROT_WRITE,
29054 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29055 fd_offset + ex.a_text);
29056 up_write(&current->mm->mmap_sem);
57199397
MT		 29057diff -urNp linux-2.6.35.4/fs/binfmt_elf.c linux-2.6.35.4/fs/binfmt_elf.c
29058--- linux-2.6.35.4/fs/binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
29059+++ linux-2.6.35.4/fs/binfmt_elf.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 29060@@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
58c5fc13
MT		 29061 #define elf_core_dump NULL
29062 #endif
29063
29064+#ifdef CONFIG_PAX_MPROTECT
29065+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29066+#endif
29067+
29068 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29069 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29070 #else
df50ba0c 29071@@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
58c5fc13
MT		 29072 .load_binary = load_elf_binary,
29073 .load_shlib = load_elf_library,
29074 .core_dump = elf_core_dump,
29075+
29076+#ifdef CONFIG_PAX_MPROTECT
29077+ .handle_mprotect= elf_handle_mprotect,
29078+#endif
29079+
29080 .min_coredump = ELF_EXEC_PAGESIZE,
29081 .hasvdso = 1
29082 };
df50ba0c 29083@@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
58c5fc13
MT		 29084
29085 static int set_brk(unsigned long start, unsigned long end)
29086 {
29087+ unsigned long e = end;
29088+
29089 start = ELF_PAGEALIGN(start);
29090 end = ELF_PAGEALIGN(end);
29091 if (end > start) {
df50ba0c 29092@@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
58c5fc13
MT		 29093 if (BAD_ADDR(addr))
29094 return addr;
29095 }
29096- current->mm->start_brk = current->mm->brk = end;
29097+ current->mm->start_brk = current->mm->brk = e;
29098 return 0;
29099 }
29100
df50ba0c 29101@@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
58c5fc13
MT		 29102 elf_addr_t __user *u_rand_bytes;
29103 const char *k_platform = ELF_PLATFORM;
29104 const char *k_base_platform = ELF_BASE_PLATFORM;
29105- unsigned char k_rand_bytes[16];
29106+ u32 k_rand_bytes[4];
29107 int items;
29108 elf_addr_t *elf_info;
29109 int ei_index = 0;
df50ba0c 29110@@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
58c5fc13
MT		 29111 * Generate 16 random bytes for userspace PRNG seeding.
29112 */
29113 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
df50ba0c
MT		 29114- u_rand_bytes = (elf_addr_t __user *)
29115- STACK_ALLOC(p, sizeof(k_rand_bytes));
58c5fc13
MT		 29116+ srandom32(k_rand_bytes[0] ^ random32());
29117+ srandom32(k_rand_bytes[1] ^ random32());
29118+ srandom32(k_rand_bytes[2] ^ random32());
29119+ srandom32(k_rand_bytes[3] ^ random32());
df50ba0c
MT		 29120+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
29121+ u_rand_bytes = (elf_addr_t __user *) p;
58c5fc13 29122 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
df50ba0c
MT		 29123 return -EFAULT;
29124
29125@@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
58c5fc13
MT		 29126 {
29127 struct elf_phdr *elf_phdata;
29128 struct elf_phdr *eppnt;
29129- unsigned long load_addr = 0;
29130+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29131 int load_addr_set = 0;
29132 unsigned long last_bss = 0, elf_bss = 0;
29133- unsigned long error = ~0UL;
29134+ unsigned long error = -EINVAL;
29135 unsigned long total_size;
29136 int retval, i, size;
29137
df50ba0c 29138@@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
58c5fc13
MT		 29139 goto out_close;
29140 }
29141
29142+#ifdef CONFIG_PAX_SEGMEXEC
29143+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29144+ pax_task_size = SEGMEXEC_TASK_SIZE;
29145+#endif
29146+
29147 eppnt = elf_phdata;
29148 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29149 if (eppnt->p_type == PT_LOAD) {
df50ba0c 29150@@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
58c5fc13
MT		 29151 k = load_addr + eppnt->p_vaddr;
29152 if (BAD_ADDR(k) ||
29153 eppnt->p_filesz > eppnt->p_memsz ||
29154- eppnt->p_memsz > TASK_SIZE ||
29155- TASK_SIZE - eppnt->p_memsz < k) {
29156+ eppnt->p_memsz > pax_task_size ||
29157+ pax_task_size - eppnt->p_memsz < k) {
29158 error = -ENOMEM;
29159 goto out_close;
29160 }
df50ba0c 29161@@ -533,6 +553,177 @@ out:
58c5fc13
MT		 29162 return error;
29163 }
29164
29165+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29166+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29167+{
29168+ unsigned long pax_flags = 0UL;
29169+
29170+#ifdef CONFIG_PAX_PAGEEXEC
29171+ if (elf_phdata->p_flags & PF_PAGEEXEC)
29172+ pax_flags |= MF_PAX_PAGEEXEC;
29173+#endif
29174+
29175+#ifdef CONFIG_PAX_SEGMEXEC
29176+ if (elf_phdata->p_flags & PF_SEGMEXEC)
29177+ pax_flags |= MF_PAX_SEGMEXEC;
29178+#endif
29179+
29180+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29181+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
ae4e228f 29182+ if ((__supported_pte_mask & _PAGE_NX))
58c5fc13
MT		 29183+ pax_flags &= ~MF_PAX_SEGMEXEC;
29184+ else
29185+ pax_flags &= ~MF_PAX_PAGEEXEC;
29186+ }
29187+#endif
29188+
29189+#ifdef CONFIG_PAX_EMUTRAMP
29190+ if (elf_phdata->p_flags & PF_EMUTRAMP)
29191+ pax_flags |= MF_PAX_EMUTRAMP;
29192+#endif
29193+
29194+#ifdef CONFIG_PAX_MPROTECT
29195+ if (elf_phdata->p_flags & PF_MPROTECT)
29196+ pax_flags |= MF_PAX_MPROTECT;
29197+#endif
29198+
29199+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29200+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29201+ pax_flags |= MF_PAX_RANDMMAP;
29202+#endif
29203+
29204+ return pax_flags;
29205+}
29206+#endif
29207+
29208+#ifdef CONFIG_PAX_PT_PAX_FLAGS
29209+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29210+{
29211+ unsigned long pax_flags = 0UL;
29212+
29213+#ifdef CONFIG_PAX_PAGEEXEC
29214+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29215+ pax_flags |= MF_PAX_PAGEEXEC;
29216+#endif
29217+
29218+#ifdef CONFIG_PAX_SEGMEXEC
29219+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29220+ pax_flags |= MF_PAX_SEGMEXEC;
29221+#endif
29222+
29223+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29224+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
ae4e228f 29225+ if ((__supported_pte_mask & _PAGE_NX))
58c5fc13
MT		 29226+ pax_flags &= ~MF_PAX_SEGMEXEC;
29227+ else
29228+ pax_flags &= ~MF_PAX_PAGEEXEC;
29229+ }
29230+#endif
29231+
29232+#ifdef CONFIG_PAX_EMUTRAMP
29233+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29234+ pax_flags |= MF_PAX_EMUTRAMP;
29235+#endif
29236+
29237+#ifdef CONFIG_PAX_MPROTECT
29238+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29239+ pax_flags |= MF_PAX_MPROTECT;
29240+#endif
29241+
29242+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29243+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29244+ pax_flags |= MF_PAX_RANDMMAP;
29245+#endif
29246+
29247+ return pax_flags;
29248+}
29249+#endif
29250+
29251+#ifdef CONFIG_PAX_EI_PAX
29252+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29253+{
29254+ unsigned long pax_flags = 0UL;
29255+
29256+#ifdef CONFIG_PAX_PAGEEXEC
29257+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29258+ pax_flags |= MF_PAX_PAGEEXEC;
29259+#endif
29260+
29261+#ifdef CONFIG_PAX_SEGMEXEC
29262+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29263+ pax_flags |= MF_PAX_SEGMEXEC;
29264+#endif
29265+
29266+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29267+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
ae4e228f 29268+ if ((__supported_pte_mask & _PAGE_NX))
58c5fc13
MT		 29269+ pax_flags &= ~MF_PAX_SEGMEXEC;
29270+ else
29271+ pax_flags &= ~MF_PAX_PAGEEXEC;
29272+ }
29273+#endif
29274+
29275+#ifdef CONFIG_PAX_EMUTRAMP
29276+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29277+ pax_flags |= MF_PAX_EMUTRAMP;
29278+#endif
29279+
29280+#ifdef CONFIG_PAX_MPROTECT
29281+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29282+ pax_flags |= MF_PAX_MPROTECT;
29283+#endif
29284+
29285+#ifdef CONFIG_PAX_ASLR
29286+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29287+ pax_flags |= MF_PAX_RANDMMAP;
29288+#endif
29289+
29290+ return pax_flags;
29291+}
29292+#endif
29293+
29294+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29295+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29296+{
29297+ unsigned long pax_flags = 0UL;
29298+
29299+#ifdef CONFIG_PAX_PT_PAX_FLAGS
29300+ unsigned long i;
29301+#endif
29302+
29303+#ifdef CONFIG_PAX_EI_PAX
29304+ pax_flags = pax_parse_ei_pax(elf_ex);
29305+#endif
29306+
29307+#ifdef CONFIG_PAX_PT_PAX_FLAGS
29308+ for (i = 0UL; i < elf_ex->e_phnum; i++)
29309+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29310+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29311+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29312+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29313+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29314+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29315+ return -EINVAL;
29316+
29317+#ifdef CONFIG_PAX_SOFTMODE
29318+ if (pax_softmode)
29319+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
29320+ else
29321+#endif
29322+
29323+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29324+ break;
29325+ }
29326+#endif
29327+
29328+ if (0 > pax_check_flags(&pax_flags))
29329+ return -EINVAL;
29330+
29331+ current->mm->pax_flags = pax_flags;
29332+ return 0;
29333+}
29334+#endif
29335+
29336 /*
29337 * These are the functions used to load ELF style executables and shared
29338 * libraries. There is no binary dependent code anywhere else.
df50ba0c 29339@@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
58c5fc13
MT		 29340 {
29341 unsigned int random_variable = 0;
29342
29343+#ifdef CONFIG_PAX_RANDUSTACK
29344+ if (randomize_va_space)
29345+ return stack_top - current->mm->delta_stack;
29346+#endif
29347+
29348 if ((current->flags & PF_RANDOMIZE) &&
29349 !(current->personality & ADDR_NO_RANDOMIZE)) {
29350 random_variable = get_random_int() & STACK_RND_MASK;
df50ba0c 29351@@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
58c5fc13
MT		 29352 unsigned long load_addr = 0, load_bias = 0;
29353 int load_addr_set = 0;
29354 char * elf_interpreter = NULL;
29355- unsigned long error;
29356+ unsigned long error = 0;
29357 struct elf_phdr *elf_ppnt, *elf_phdata;
29358 unsigned long elf_bss, elf_brk;
29359 int retval, i;
df50ba0c 29360@@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
58c5fc13
MT		 29361 unsigned long start_code, end_code, start_data, end_data;
29362 unsigned long reloc_func_desc = 0;
29363 int executable_stack = EXSTACK_DEFAULT;
29364- unsigned long def_flags = 0;
29365 struct {
29366 struct elfhdr elf_ex;
29367 struct elfhdr interp_elf_ex;
29368 } *loc;
29369+ unsigned long pax_task_size = TASK_SIZE;
29370
29371 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29372 if (!loc) {
df50ba0c 29373@@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
58c5fc13
MT		 29374
29375 /* OK, This is the point of no return */
29376 current->flags &= ~PF_FORKNOEXEC;
29377- current->mm->def_flags = def_flags;
29378+
29379+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29380+ current->mm->pax_flags = 0UL;
29381+#endif
29382+
29383+#ifdef CONFIG_PAX_DLRESOLVE
29384+ current->mm->call_dl_resolve = 0UL;
29385+#endif
29386+
29387+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29388+ current->mm->call_syscall = 0UL;
29389+#endif
29390+
29391+#ifdef CONFIG_PAX_ASLR
29392+ current->mm->delta_mmap = 0UL;
29393+ current->mm->delta_stack = 0UL;
29394+#endif
29395+
29396+ current->mm->def_flags = 0;
29397+
29398+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29399+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29400+ send_sig(SIGKILL, current, 0);
29401+ goto out_free_dentry;
29402+ }
29403+#endif
29404+
29405+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29406+ pax_set_initial_flags(bprm);
29407+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29408+ if (pax_set_initial_flags_func)
29409+ (pax_set_initial_flags_func)(bprm);
29410+#endif
29411+
29412+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
ae4e228f 29413+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
58c5fc13
MT		 29414+ current->mm->context.user_cs_limit = PAGE_SIZE;
29415+ current->mm->def_flags |= VM_PAGEEXEC;
29416+ }
29417+#endif
29418+
29419+#ifdef CONFIG_PAX_SEGMEXEC
29420+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29421+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29422+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29423+ pax_task_size = SEGMEXEC_TASK_SIZE;
29424+ }
29425+#endif
29426+
29427+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29428+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29429+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29430+ put_cpu();
29431+ }
29432+#endif
ae4e228f
MT		 29433
29434 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29435 may depend on the personality. */
29436 SET_PERSONALITY(loc->elf_ex);
58c5fc13
MT		 29437+
29438+#ifdef CONFIG_PAX_ASLR
29439+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29440+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29441+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29442+ }
29443+#endif
58c5fc13
MT		 29444+
29445+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29446+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29447+ executable_stack = EXSTACK_DISABLE_X;
29448+ current->personality &= ~READ_IMPLIES_EXEC;
29449+ } else
29450+#endif
29451+
29452 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29453 current->personality |= READ_IMPLIES_EXEC;
29454
df50ba0c 29455@@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
58c5fc13
MT		 29456 #else
29457 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29458 #endif
29459+
29460+#ifdef CONFIG_PAX_RANDMMAP
29461+ /* PaX: randomize base address at the default exe base if requested */
29462+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29463+#ifdef CONFIG_SPARC64
29464+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29465+#else
29466+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29467+#endif
29468+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29469+ elf_flags |= MAP_FIXED;
29470+ }
29471+#endif
29472+
29473 }
29474
29475 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
df50ba0c 29476@@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
58c5fc13
MT		 29477 * allowed task size. Note that p_filesz must always be
29478 * <= p_memsz so it is only necessary to check p_memsz.
29479 */
29480- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29481- elf_ppnt->p_memsz > TASK_SIZE ||
29482- TASK_SIZE - elf_ppnt->p_memsz < k) {
29483+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29484+ elf_ppnt->p_memsz > pax_task_size ||
29485+ pax_task_size - elf_ppnt->p_memsz < k) {
29486 /* set_brk can never work. Avoid overflows. */
29487 send_sig(SIGKILL, current, 0);
29488 retval = -EINVAL;
df50ba0c 29489@@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
58c5fc13
MT		 29490 start_data += load_bias;
29491 end_data += load_bias;
29492
29493+#ifdef CONFIG_PAX_RANDMMAP
29494+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29495+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29496+#endif
29497+
29498 /* Calling set_brk effectively mmaps the pages that we need
29499 * for the bss and break sections. We must do this before
29500 * mapping in the interpreter, to make sure it doesn't wind
df50ba0c 29501@@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
58c5fc13
MT		 29502 goto out_free_dentry;
29503 }
29504 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29505- send_sig(SIGSEGV, current, 0);
29506- retval = -EFAULT; /* Nobody gets to see this, but.. */
29507- goto out_free_dentry;
29508+ /*
29509+ * This bss-zeroing can fail if the ELF
29510+ * file specifies odd protections. So
29511+ * we don't check the return value
29512+ */
29513 }
29514
29515 if (elf_interpreter) {
df50ba0c 29516@@ -1091,7 +1377,7 @@ out:
58c5fc13
MT		 29517 * Decide what to dump of a segment, part, all or none.
29518 */
29519 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29520- unsigned long mm_flags)
29521+ unsigned long mm_flags, long signr)
29522 {
29523 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29524
df50ba0c 29525@@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
58c5fc13
MT		 29526 if (vma->vm_file == NULL)
29527 return 0;
29528
29529- if (FILTER(MAPPED_PRIVATE))
29530+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
29531 goto whole;
29532
29533 /*
df50ba0c 29534@@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
ae4e228f
MT		 29535 {
29536 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29537 int i = 0;
29538- do
29539+ do {
29540 i += 2;
29541- while (auxv[i - 2] != AT_NULL);
29542+ } while (auxv[i - 2] != AT_NULL);
29543 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29544 }
29545
df50ba0c
MT		 29546@@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29547 }
29548
29549 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29550- unsigned long mm_flags)
29551+ struct coredump_params *cprm)
29552 {
29553 struct vm_area_struct *vma;
29554 size_t size = 0;
29555
29556 for (vma = first_vma(current, gate_vma); vma != NULL;
29557 vma = next_vma(vma, gate_vma))
29558- size += vma_dump_size(vma, mm_flags);
29559+ size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29560 return size;
29561 }
29562
29563@@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29564
29565 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29566
29567- offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29568+ offset += elf_core_vma_data_size(gate_vma, cprm);
29569 offset += elf_core_extra_data_size();
29570 e_shoff = offset;
29571
29572@@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29573 offset = dataoff;
29574
29575 size += sizeof(*elf);
29576+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
29577 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29578 goto end_coredump;
29579
29580 size += sizeof(*phdr4note);
29581+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
29582 if (size > cprm->limit
29583 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
29584 goto end_coredump;
29585@@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
58c5fc13
MT		 29586 phdr.p_offset = offset;
29587 phdr.p_vaddr = vma->vm_start;
29588 phdr.p_paddr = 0;
df50ba0c
MT		 29589- phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29590+ phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
58c5fc13
MT		 29591 phdr.p_memsz = vma->vm_end - vma->vm_start;
29592 offset += phdr.p_filesz;
29593 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
df50ba0c
MT		 29594@@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29595 phdr.p_align = ELF_EXEC_PAGESIZE;
29596
29597 size += sizeof(phdr);
29598+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
29599 if (size > cprm->limit
29600 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29601 goto end_coredump;
29602@@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
58c5fc13
MT		 29603 unsigned long addr;
29604 unsigned long end;
29605
df50ba0c
MT		 29606- end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29607+ end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
58c5fc13
MT		 29608
29609 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29610 struct page *page;
df50ba0c 29611@@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
ae4e228f
MT		 29612 page = get_dump_page(addr);
29613 if (page) {
29614 void *kaddr = kmap(page);
29615+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29616 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29617 !dump_write(cprm->file, kaddr,
29618 PAGE_SIZE);
df50ba0c
MT		 29619@@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29620
29621 if (e_phnum == PN_XNUM) {
29622 size += sizeof(*shdr4extnum);
29623+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
29624 if (size > cprm->limit
29625 || !dump_write(cprm->file, shdr4extnum,
29626 sizeof(*shdr4extnum)))
29627@@ -2068,6 +2359,97 @@ out:
ae4e228f
MT		 29628
29629 #endif /* CONFIG_ELF_CORE */
58c5fc13
MT		 29630
29631+#ifdef CONFIG_PAX_MPROTECT
29632+/* PaX: non-PIC ELF libraries need relocations on their executable segments
29633+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29634+ * we'll remove VM_MAYWRITE for good on RELRO segments.
29635+ *
29636+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29637+ * basis because we want to allow the common case and not the special ones.
29638+ */
29639+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29640+{
29641+ struct elfhdr elf_h;
29642+ struct elf_phdr elf_p;
29643+ unsigned long i;
29644+ unsigned long oldflags;
29645+ bool is_textrel_rw, is_textrel_rx, is_relro;
29646+
29647+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29648+ return;
29649+
29650+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29651+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29652+
57199397 29653+#ifdef CONFIG_PAX_ELFRELOCS
58c5fc13
MT		 29654+ /* possible TEXTREL */
29655+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29656+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
57199397
MT		 29657+#else
29658+ is_textrel_rw = false;
29659+ is_textrel_rx = false;
58c5fc13
MT		 29660+#endif
29661+
29662+ /* possible RELRO */
29663+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29664+
29665+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29666+ return;
29667+
29668+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29669+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29670+
29671+#ifdef CONFIG_PAX_ETEXECRELOCS
29672+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29673+#else
29674+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29675+#endif
29676+
29677+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29678+ !elf_check_arch(&elf_h) ||
29679+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29680+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29681+ return;
29682+
29683+ for (i = 0UL; i < elf_h.e_phnum; i++) {
29684+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29685+ return;
29686+ switch (elf_p.p_type) {
29687+ case PT_DYNAMIC:
29688+ if (!is_textrel_rw && !is_textrel_rx)
29689+ continue;
29690+ i = 0UL;
29691+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29692+ elf_dyn dyn;
29693+
29694+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29695+ return;
29696+ if (dyn.d_tag == DT_NULL)
29697+ return;
29698+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29699+ gr_log_textrel(vma);
29700+ if (is_textrel_rw)
29701+ vma->vm_flags |= VM_MAYWRITE;
29702+ else
29703+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29704+ vma->vm_flags &= ~VM_MAYWRITE;
29705+ return;
29706+ }
29707+ i++;
29708+ }
29709+ return;
29710+
29711+ case PT_GNU_RELRO:
29712+ if (!is_relro)
29713+ continue;
29714+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29715+ vma->vm_flags &= ~VM_MAYWRITE;
29716+ return;
29717+ }
29718+ }
29719+}
29720+#endif
29721+
29722 static int __init init_elf_binfmt(void)
29723 {
29724 return register_binfmt(&elf_format);
57199397
MT		 29725diff -urNp linux-2.6.35.4/fs/binfmt_flat.c linux-2.6.35.4/fs/binfmt_flat.c
29726--- linux-2.6.35.4/fs/binfmt_flat.c 2010-08-26 19:47:12.000000000 -0400
29727+++ linux-2.6.35.4/fs/binfmt_flat.c 2010-09-17 20:12:09.000000000 -0400
29728@@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
58c5fc13
MT		 29729 realdatastart = (unsigned long) -ENOMEM;
29730 printk("Unable to allocate RAM for process data, errno %d\n",
29731 (int)-realdatastart);
29732+ down_write(&current->mm->mmap_sem);
29733 do_munmap(current->mm, textpos, text_len);
29734+ up_write(&current->mm->mmap_sem);
29735 ret = realdatastart;
29736 goto err;
29737 }
57199397 29738@@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
58c5fc13 29739 }
ae4e228f 29740 if (IS_ERR_VALUE(result)) {
58c5fc13
MT		 29741 printk("Unable to read data+bss, errno %d\n", (int)-result);
29742+ down_write(&current->mm->mmap_sem);
29743 do_munmap(current->mm, textpos, text_len);
57199397 29744 do_munmap(current->mm, realdatastart, len);
58c5fc13
MT		 29745+ up_write(&current->mm->mmap_sem);
29746 ret = result;
29747 goto err;
29748 }
57199397 29749@@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
58c5fc13 29750 }
ae4e228f 29751 if (IS_ERR_VALUE(result)) {
58c5fc13
MT		 29752 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29753+ down_write(&current->mm->mmap_sem);
29754 do_munmap(current->mm, textpos, text_len + data_len + extra +
29755 MAX_SHARED_LIBS * sizeof(unsigned long));
29756+ up_write(&current->mm->mmap_sem);
29757 ret = result;
29758 goto err;
29759 }
57199397
MT		 29760diff -urNp linux-2.6.35.4/fs/binfmt_misc.c linux-2.6.35.4/fs/binfmt_misc.c
29761--- linux-2.6.35.4/fs/binfmt_misc.c 2010-08-26 19:47:12.000000000 -0400
29762+++ linux-2.6.35.4/fs/binfmt_misc.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 29763@@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
29764 static struct tree_descr bm_files[] = {
29765 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29766 [3] = {"register", &bm_register_operations, S_IWUSR},
29767- /* last one */ {""}
29768+ /* last one */ {"", NULL, 0}
29769 };
29770 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29771 if (!err)
57199397
MT		 29772diff -urNp linux-2.6.35.4/fs/bio.c linux-2.6.35.4/fs/bio.c
29773--- linux-2.6.35.4/fs/bio.c 2010-08-26 19:47:12.000000000 -0400
29774+++ linux-2.6.35.4/fs/bio.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 29775@@ -1213,7 +1213,7 @@ static void bio_copy_kern_endio(struct b
ae4e228f
MT		 29776 const int read = bio_data_dir(bio) == READ;
29777 struct bio_map_data *bmd = bio->bi_private;
29778 int i;
29779- char *p = bmd->sgvecs[0].iov_base;
29780+ char *p = (__force char *)bmd->sgvecs[0].iov_base;
29781
29782 __bio_for_each_segment(bvec, bio, i, 0) {
29783 char *addr = page_address(bvec->bv_page);
57199397
MT		 29784diff -urNp linux-2.6.35.4/fs/block_dev.c linux-2.6.35.4/fs/block_dev.c
29785--- linux-2.6.35.4/fs/block_dev.c 2010-08-26 19:47:12.000000000 -0400
29786+++ linux-2.6.35.4/fs/block_dev.c 2010-09-17 20:12:09.000000000 -0400
29787@@ -647,7 +647,7 @@ static bool bd_may_claim(struct block_de
df50ba0c 29788 else if (bdev->bd_contains == bdev)
57199397
MT		 29789 return true; /* is a whole device which isn't held */
29790
29791- else if (whole->bd_holder == bd_claim)
29792+ else if (whole->bd_holder == (void *)bd_claim)
29793 return true; /* is a partition of a device that is being partitioned */
29794 else if (whole->bd_holder != NULL)
29795 return false; /* is a partition of a held device */
29796diff -urNp linux-2.6.35.4/fs/btrfs/ctree.c linux-2.6.35.4/fs/btrfs/ctree.c
29797--- linux-2.6.35.4/fs/btrfs/ctree.c 2010-08-26 19:47:12.000000000 -0400
29798+++ linux-2.6.35.4/fs/btrfs/ctree.c 2010-09-17 20:12:09.000000000 -0400
29799@@ -3763,7 +3763,6 @@ setup_items_for_insert(struct btrfs_tran
ae4e228f
MT		 29800
29801 ret = 0;
29802 if (slot == 0) {
29803- struct btrfs_disk_key disk_key;
29804 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29805 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29806 }
57199397
MT		 29807diff -urNp linux-2.6.35.4/fs/btrfs/disk-io.c linux-2.6.35.4/fs/btrfs/disk-io.c
29808--- linux-2.6.35.4/fs/btrfs/disk-io.c 2010-08-26 19:47:12.000000000 -0400
29809+++ linux-2.6.35.4/fs/btrfs/disk-io.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 29810@@ -40,7 +40,7 @@
ae4e228f
MT		 29811 #include "tree-log.h"
29812 #include "free-space-cache.h"
29813
29814-static struct extent_io_ops btree_extent_io_ops;
29815+static const struct extent_io_ops btree_extent_io_ops;
29816 static void end_workqueue_fn(struct btrfs_work *work);
29817 static void free_fs_root(struct btrfs_root *root);
29818
57199397 29819@@ -2597,7 +2597,7 @@ out:
58c5fc13
MT		 29820 return 0;
29821 }
29822
ae4e228f
MT		 29823-static struct extent_io_ops btree_extent_io_ops = {
29824+static const struct extent_io_ops btree_extent_io_ops = {
29825 .write_cache_pages_lock_hook = btree_lock_page_hook,
29826 .readpage_end_io_hook = btree_readpage_end_io_hook,
29827 .submit_bio_hook = btree_submit_bio_hook,
57199397
MT		 29828diff -urNp linux-2.6.35.4/fs/btrfs/extent_io.h linux-2.6.35.4/fs/btrfs/extent_io.h
29829--- linux-2.6.35.4/fs/btrfs/extent_io.h 2010-08-26 19:47:12.000000000 -0400
29830+++ linux-2.6.35.4/fs/btrfs/extent_io.h 2010-09-17 20:12:09.000000000 -0400
29831@@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
ae4e228f 29832 struct bio *bio, int mirror_num,
57199397 29833 unsigned long bio_flags, u64 bio_offset);
ae4e228f
MT		 29834 struct extent_io_ops {
29835- int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
29836+ int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
29837 u64 start, u64 end, int *page_started,
29838 unsigned long *nr_written);
29839- int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
29840- int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
29841+ int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
29842+ int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
29843 extent_submit_bio_hook_t *submit_bio_hook;
29844- int (*merge_bio_hook)(struct page *page, unsigned long offset,
29845+ int (* const merge_bio_hook)(struct page *page, unsigned long offset,
29846 size_t size, struct bio *bio,
29847 unsigned long bio_flags);
29848- int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
29849- int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
29850+ int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
29851+ int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
29852 u64 start, u64 end,
29853 struct extent_state *state);
29854- int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
29855+ int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
29856 u64 start, u64 end,
29857 struct extent_state *state);
29858- int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29859+ int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29860 struct extent_state *state);
29861- int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29862+ int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29863 struct extent_state *state, int uptodate);
57199397
MT		 29864- int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
29865+ int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
29866 int *bits);
ae4e228f
MT		 29867- int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
29868+ int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
57199397 29869 int *bits);
ae4e228f
MT		 29870- int (*merge_extent_hook)(struct inode *inode,
29871+ int (* const merge_extent_hook)(struct inode *inode,
29872 struct extent_state *new,
29873 struct extent_state *other);
29874- int (*split_extent_hook)(struct inode *inode,
29875+ int (* const split_extent_hook)(struct inode *inode,
29876 struct extent_state *orig, u64 split);
29877- int (*write_cache_pages_lock_hook)(struct page *page);
29878+ int (* const write_cache_pages_lock_hook)(struct page *page);
29879 };
29880
29881 struct extent_io_tree {
57199397 29882@@ -90,7 +90,7 @@ struct extent_io_tree {
ae4e228f
MT		 29883 u64 dirty_bytes;
29884 spinlock_t lock;
29885 spinlock_t buffer_lock;
29886- struct extent_io_ops *ops;
29887+ const struct extent_io_ops *ops;
29888 };
29889
29890 struct extent_state {
57199397
MT		 29891diff -urNp linux-2.6.35.4/fs/btrfs/free-space-cache.c linux-2.6.35.4/fs/btrfs/free-space-cache.c
29892--- linux-2.6.35.4/fs/btrfs/free-space-cache.c 2010-08-26 19:47:12.000000000 -0400
29893+++ linux-2.6.35.4/fs/btrfs/free-space-cache.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 29894@@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
ae4e228f
MT		 29895
29896 while(1) {
29897 if (entry->bytes < bytes || entry->offset < min_start) {
29898- struct rb_node *node;
29899-
29900 node = rb_next(&entry->offset_index);
29901 if (!node)
29902 break;
df50ba0c 29903@@ -1227,7 +1225,7 @@ again:
ae4e228f
MT		 29904 */
29905 while (entry->bitmap || found_bitmap ||
29906 (!entry->bitmap && entry->bytes < min_bytes)) {
29907- struct rb_node *node = rb_next(&entry->offset_index);
29908+ node = rb_next(&entry->offset_index);
29909
29910 if (entry->bitmap && entry->bytes > bytes + empty_size) {
29911 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
57199397
MT		 29912diff -urNp linux-2.6.35.4/fs/btrfs/inode.c linux-2.6.35.4/fs/btrfs/inode.c
29913--- linux-2.6.35.4/fs/btrfs/inode.c 2010-08-26 19:47:12.000000000 -0400
29914+++ linux-2.6.35.4/fs/btrfs/inode.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 29915@@ -64,7 +64,7 @@ static const struct inode_operations btr
ae4e228f
MT		 29916 static const struct address_space_operations btrfs_aops;
29917 static const struct address_space_operations btrfs_symlink_aops;
29918 static const struct file_operations btrfs_dir_file_operations;
29919-static struct extent_io_ops btrfs_extent_io_ops;
29920+static const struct extent_io_ops btrfs_extent_io_ops;
58c5fc13
MT		 29921
29922 static struct kmem_cache *btrfs_inode_cachep;
ae4e228f 29923 struct kmem_cache *btrfs_trans_handle_cachep;
57199397 29924@@ -6958,7 +6958,7 @@ static const struct file_operations btrf
ae4e228f
MT		 29925 .fsync = btrfs_sync_file,
29926 };
58c5fc13 29927
ae4e228f
MT		 29928-static struct extent_io_ops btrfs_extent_io_ops = {
29929+static const struct extent_io_ops btrfs_extent_io_ops = {
29930 .fill_delalloc = run_delalloc_range,
29931 .submit_bio_hook = btrfs_submit_bio_hook,
29932 .merge_bio_hook = btrfs_merge_bio_hook,
57199397
MT		 29933diff -urNp linux-2.6.35.4/fs/buffer.c linux-2.6.35.4/fs/buffer.c
29934--- linux-2.6.35.4/fs/buffer.c 2010-08-26 19:47:12.000000000 -0400
29935+++ linux-2.6.35.4/fs/buffer.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 29936@@ -25,6 +25,7 @@
29937 #include <linux/percpu.h>
29938 #include <linux/slab.h>
29939 #include <linux/capability.h>
29940+#include <linux/security.h>
29941 #include <linux/blkdev.h>
29942 #include <linux/file.h>
29943 #include <linux/quotaops.h>
57199397
MT		 29944diff -urNp linux-2.6.35.4/fs/cachefiles/bind.c linux-2.6.35.4/fs/cachefiles/bind.c
29945--- linux-2.6.35.4/fs/cachefiles/bind.c 2010-08-26 19:47:12.000000000 -0400
29946+++ linux-2.6.35.4/fs/cachefiles/bind.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 29947@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
29948 args);
29949
29950 /* start by checking things over */
29951- ASSERT(cache->fstop_percent >= 0 &&
29952- cache->fstop_percent < cache->fcull_percent &&
29953+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
29954 cache->fcull_percent < cache->frun_percent &&
29955 cache->frun_percent < 100);
29956
29957- ASSERT(cache->bstop_percent >= 0 &&
29958- cache->bstop_percent < cache->bcull_percent &&
29959+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
29960 cache->bcull_percent < cache->brun_percent &&
29961 cache->brun_percent < 100);
29962
57199397
MT		 29963diff -urNp linux-2.6.35.4/fs/cachefiles/daemon.c linux-2.6.35.4/fs/cachefiles/daemon.c
29964--- linux-2.6.35.4/fs/cachefiles/daemon.c 2010-08-26 19:47:12.000000000 -0400
29965+++ linux-2.6.35.4/fs/cachefiles/daemon.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 29966@@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
29967 if (n > buflen)
29968 return -EMSGSIZE;
29969
29970- if (copy_to_user(_buffer, buffer, n) != 0)
29971+ if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
29972 return -EFAULT;
58c5fc13 29973
ae4e228f 29974 return n;
df50ba0c
MT		 29975@@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
29976 if (test_bit(CACHEFILES_DEAD, &cache->flags))
29977 return -EIO;
29978
29979- if (datalen < 0 || datalen > PAGE_SIZE - 1)
29980+ if (datalen > PAGE_SIZE - 1)
29981 return -EOPNOTSUPP;
29982
29983 /* drag the command string into the kernel so we can parse it */
29984@@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
29985 if (args[0] != '%' || args[1] != '\0')
29986 return -EINVAL;
29987
29988- if (fstop < 0 || fstop >= cache->fcull_percent)
29989+ if (fstop >= cache->fcull_percent)
29990 return cachefiles_daemon_range_error(cache, args);
29991
29992 cache->fstop_percent = fstop;
29993@@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
29994 if (args[0] != '%' || args[1] != '\0')
29995 return -EINVAL;
29996
29997- if (bstop < 0 || bstop >= cache->bcull_percent)
29998+ if (bstop >= cache->bcull_percent)
29999 return cachefiles_daemon_range_error(cache, args);
30000
30001 cache->bstop_percent = bstop;
57199397
MT		 30002diff -urNp linux-2.6.35.4/fs/cachefiles/rdwr.c linux-2.6.35.4/fs/cachefiles/rdwr.c
30003--- linux-2.6.35.4/fs/cachefiles/rdwr.c 2010-08-26 19:47:12.000000000 -0400
30004+++ linux-2.6.35.4/fs/cachefiles/rdwr.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 30005@@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
ae4e228f
MT		 30006 old_fs = get_fs();
30007 set_fs(KERNEL_DS);
30008 ret = file->f_op->write(
30009- file, (const void __user *) data, len, &pos);
30010+ file, (__force const void __user *) data, len, &pos);
30011 set_fs(old_fs);
30012 kunmap(page);
30013 if (ret != len)
57199397
MT		 30014diff -urNp linux-2.6.35.4/fs/cifs/cifs_uniupr.h linux-2.6.35.4/fs/cifs/cifs_uniupr.h
30015--- linux-2.6.35.4/fs/cifs/cifs_uniupr.h 2010-08-26 19:47:12.000000000 -0400
30016+++ linux-2.6.35.4/fs/cifs/cifs_uniupr.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 30017@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30018 {0x0490, 0x04cc, UniCaseRangeU0490},
30019 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30020 {0xff40, 0xff5a, UniCaseRangeUff40},
30021- {0}
30022+ {0, 0, NULL}
30023 };
30024 #endif
30025
57199397
MT		 30026diff -urNp linux-2.6.35.4/fs/cifs/link.c linux-2.6.35.4/fs/cifs/link.c
30027--- linux-2.6.35.4/fs/cifs/link.c 2010-08-26 19:47:12.000000000 -0400
30028+++ linux-2.6.35.4/fs/cifs/link.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 30029@@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
58c5fc13
MT		 30030
30031 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30032 {
30033- char *p = nd_get_link(nd);
30034+ const char *p = nd_get_link(nd);
30035 if (!IS_ERR(p))
30036 kfree(p);
30037 }
57199397
MT		 30038diff -urNp linux-2.6.35.4/fs/compat_binfmt_elf.c linux-2.6.35.4/fs/compat_binfmt_elf.c
30039--- linux-2.6.35.4/fs/compat_binfmt_elf.c 2010-08-26 19:47:12.000000000 -0400
30040+++ linux-2.6.35.4/fs/compat_binfmt_elf.c 2010-09-17 20:12:09.000000000 -0400
30041@@ -30,11 +30,13 @@
30042 #undef elf_phdr
30043 #undef elf_shdr
30044 #undef elf_note
30045+#undef elf_dyn
30046 #undef elf_addr_t
30047 #define elfhdr elf32_hdr
30048 #define elf_phdr elf32_phdr
30049 #define elf_shdr elf32_shdr
30050 #define elf_note elf32_note
30051+#define elf_dyn Elf32_Dyn
30052 #define elf_addr_t Elf32_Addr
30053
30054 /*
30055diff -urNp linux-2.6.35.4/fs/compat.c linux-2.6.35.4/fs/compat.c
30056--- linux-2.6.35.4/fs/compat.c 2010-08-26 19:47:12.000000000 -0400
30057+++ linux-2.6.35.4/fs/compat.c 2010-09-17 20:12:37.000000000 -0400
efbe55a5 30058@@ -1433,14 +1433,12 @@ static int compat_copy_strings(int argc,
58c5fc13
MT		 30059 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
30060 struct page *page;
30061
30062-#ifdef CONFIG_STACK_GROWSUP
30063 ret = expand_stack_downwards(bprm->vma, pos);
30064 if (ret < 0) {
30065 /* We've exceed the stack rlimit. */
30066 ret = -E2BIG;
30067 goto out;
30068 }
30069-#endif
30070 ret = get_user_pages(current, bprm->mm, pos,
30071 1, 1, 1, &page, NULL);
30072 if (ret <= 0) {
efbe55a5 30073@@ -1486,6 +1484,11 @@ int compat_do_execve(char * filename,
58c5fc13
MT		 30074 compat_uptr_t __user *envp,
30075 struct pt_regs * regs)
30076 {
30077+#ifdef CONFIG_GRKERNSEC
30078+ struct file *old_exec_file;
30079+ struct acl_subject_label *old_acl;
30080+ struct rlimit old_rlim[RLIM_NLIMITS];
30081+#endif
30082 struct linux_binprm *bprm;
30083 struct file *file;
30084 struct files_struct *displaced;
efbe55a5 30085@@ -1522,6 +1525,14 @@ int compat_do_execve(char * filename,
58c5fc13
MT		 30086 bprm->filename = filename;
30087 bprm->interp = filename;
30088
30089+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
30090+ retval = -EAGAIN;
30091+ if (gr_handle_nproc())
30092+ goto out_file;
30093+ retval = -EACCES;
30094+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30095+ goto out_file;
30096+
30097 retval = bprm_mm_init(bprm);
30098 if (retval)
30099 goto out_file;
efbe55a5 30100@@ -1551,9 +1562,40 @@ int compat_do_execve(char * filename,
58c5fc13
MT		 30101 if (retval < 0)
30102 goto out;
30103
30104+ if (!gr_tpe_allow(file)) {
30105+ retval = -EACCES;
30106+ goto out;
30107+ }
30108+
30109+ if (gr_check_crash_exec(file)) {
30110+ retval = -EACCES;
30111+ goto out;
30112+ }
30113+
30114+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30115+
30116+ gr_handle_exec_args(bprm, (char __user * __user *)argv);
30117+
30118+#ifdef CONFIG_GRKERNSEC
30119+ old_acl = current->acl;
30120+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30121+ old_exec_file = current->exec_file;
30122+ get_file(file);
30123+ current->exec_file = file;
30124+#endif
30125+
30126+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30127+ bprm->unsafe & LSM_UNSAFE_SHARE);
30128+ if (retval < 0)
30129+ goto out_fail;
30130+
30131 retval = search_binary_handler(bprm, regs);
30132 if (retval < 0)
30133- goto out;
30134+ goto out_fail;
30135+#ifdef CONFIG_GRKERNSEC
30136+ if (old_exec_file)
30137+ fput(old_exec_file);
30138+#endif
30139
df50ba0c
MT		 30140 /* execve succeeded */
30141 current->fs->in_exec = 0;
efbe55a5 30142@@ -1564,6 +1606,14 @@ int compat_do_execve(char * filename,
58c5fc13
MT		 30143 put_files_struct(displaced);
30144 return retval;
30145
30146+out_fail:
30147+#ifdef CONFIG_GRKERNSEC
30148+ current->acl = old_acl;
30149+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30150+ fput(current->exec_file);
30151+ current->exec_file = old_exec_file;
30152+#endif
30153+
30154 out:
30155 if (bprm->mm)
30156 mmput(bprm->mm);
57199397
MT		 30157diff -urNp linux-2.6.35.4/fs/debugfs/inode.c linux-2.6.35.4/fs/debugfs/inode.c
30158--- linux-2.6.35.4/fs/debugfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30159+++ linux-2.6.35.4/fs/debugfs/inode.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 30160@@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
58c5fc13
MT		 30161
30162 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30163 {
30164- static struct tree_descr debug_files[] = {{""}};
30165+ static struct tree_descr debug_files[] = {{"", NULL, 0}};
30166
30167 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30168 }
57199397
MT		 30169diff -urNp linux-2.6.35.4/fs/dlm/lockspace.c linux-2.6.35.4/fs/dlm/lockspace.c
30170--- linux-2.6.35.4/fs/dlm/lockspace.c 2010-08-26 19:47:12.000000000 -0400
30171+++ linux-2.6.35.4/fs/dlm/lockspace.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 30172@@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30173 return 0;
58c5fc13
MT		 30174 }
30175
df50ba0c
MT		 30176-static struct kset_uevent_ops dlm_uevent_ops = {
30177+static const struct kset_uevent_ops dlm_uevent_ops = {
30178 .uevent = dlm_uevent,
ae4e228f 30179 };
df50ba0c 30180
57199397
MT		 30181diff -urNp linux-2.6.35.4/fs/ecryptfs/inode.c linux-2.6.35.4/fs/ecryptfs/inode.c
30182--- linux-2.6.35.4/fs/ecryptfs/inode.c 2010-08-26 19:47:12.000000000 -0400
30183+++ linux-2.6.35.4/fs/ecryptfs/inode.c 2010-09-17 20:12:09.000000000 -0400
30184@@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
ae4e228f
MT		 30185 old_fs = get_fs();
30186 set_fs(get_ds());
30187 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30188- (char __user *)lower_buf,
30189+ (__force char __user *)lower_buf,
30190 lower_bufsiz);
30191 set_fs(old_fs);
df50ba0c 30192 if (rc < 0)
57199397 30193@@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
ae4e228f
MT		 30194 }
30195 old_fs = get_fs();
30196 set_fs(get_ds());
30197- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30198+ rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30199 set_fs(old_fs);
30200 if (rc < 0) {
30201 kfree(buf);
57199397 30202@@ -719,7 +719,7 @@ out:
ae4e228f
MT		 30203 static void
30204 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30205 {
30206- char *buf = nd_get_link(nd);
30207+ const char *buf = nd_get_link(nd);
30208 if (!IS_ERR(buf)) {
30209 /* Free the char* */
30210 kfree(buf);
57199397
MT		 30211diff -urNp linux-2.6.35.4/fs/ecryptfs/miscdev.c linux-2.6.35.4/fs/ecryptfs/miscdev.c
30212--- linux-2.6.35.4/fs/ecryptfs/miscdev.c 2010-08-26 19:47:12.000000000 -0400
30213+++ linux-2.6.35.4/fs/ecryptfs/miscdev.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 30214@@ -328,7 +328,7 @@ check_list:
ae4e228f
MT		 30215 goto out_unlock_msg_ctx;
30216 i = 5;
30217 if (msg_ctx->msg) {
30218- if (copy_to_user(&buf[i], packet_length, packet_length_size))
30219+ if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30220 goto out_unlock_msg_ctx;
30221 i += packet_length_size;
30222 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
57199397
MT		 30223diff -urNp linux-2.6.35.4/fs/exec.c linux-2.6.35.4/fs/exec.c
30224--- linux-2.6.35.4/fs/exec.c 2010-08-26 19:47:12.000000000 -0400
30225+++ linux-2.6.35.4/fs/exec.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13 30226@@ -55,12 +55,24 @@
58c5fc13
MT		 30227 #include <linux/fsnotify.h>
30228 #include <linux/fs_struct.h>
ae4e228f 30229 #include <linux/pipe_fs_i.h>
58c5fc13
MT		 30230+#include <linux/random.h>
30231+#include <linux/seq_file.h>
30232+
30233+#ifdef CONFIG_PAX_REFCOUNT
30234+#include <linux/kallsyms.h>
30235+#include <linux/kdebug.h>
30236+#endif
30237
30238 #include <asm/uaccess.h>
30239 #include <asm/mmu_context.h>
30240 #include <asm/tlb.h>
30241 #include "internal.h"
30242
30243+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30244+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30245+EXPORT_SYMBOL(pax_set_initial_flags_func);
30246+#endif
30247+
30248 int core_uses_pid;
30249 char core_pattern[CORENAME_MAX_SIZE] = "core";
ae4e228f
MT		 30250 unsigned int core_pipe_limit;
30251@@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
58c5fc13
MT		 30252 goto out;
30253
30254 file = do_filp_open(AT_FDCWD, tmp,
30255- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30256+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30257 MAY_READ | MAY_EXEC | MAY_OPEN);
30258 putname(tmp);
30259 error = PTR_ERR(file);
ae4e228f 30260@@ -162,18 +174,10 @@ static struct page *get_arg_page(struct
58c5fc13
MT		 30261 int write)
30262 {
30263 struct page *page;
30264- int ret;
30265
30266-#ifdef CONFIG_STACK_GROWSUP
30267- if (write) {
30268- ret = expand_stack_downwards(bprm->vma, pos);
30269- if (ret < 0)
30270- return NULL;
30271- }
30272-#endif
30273- ret = get_user_pages(current, bprm->mm, pos,
30274- 1, write, 1, &page, NULL);
30275- if (ret <= 0)
30276+ if (0 > expand_stack_downwards(bprm->vma, pos))
30277+ return NULL;
30278+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
30279 return NULL;
30280
30281 if (write) {
57199397 30282@@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
58c5fc13
MT		 30283 vma->vm_end = STACK_TOP_MAX;
30284 vma->vm_start = vma->vm_end - PAGE_SIZE;
57199397 30285 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
58c5fc13
MT		 30286+
30287+#ifdef CONFIG_PAX_SEGMEXEC
30288+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30289+#endif
30290+
30291 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
df50ba0c 30292 INIT_LIST_HEAD(&vma->anon_vma_chain);
58c5fc13 30293 err = insert_vm_struct(mm, vma);
57199397 30294@@ -255,6 +264,12 @@ static int __bprm_mm_init(struct linux_b
58c5fc13
MT		 30295 mm->stack_vm = mm->total_vm = 1;
30296 up_write(&mm->mmap_sem);
30297 bprm->p = vma->vm_end - sizeof(void *);
30298+
30299+#ifdef CONFIG_PAX_RANDUSTACK
30300+ if (randomize_va_space)
30301+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30302+#endif
30303+
30304 return 0;
30305 err:
30306 up_write(&mm->mmap_sem);
57199397 30307@@ -476,7 +491,7 @@ int copy_strings_kernel(int argc,char **
ae4e228f
MT		 30308 int r;
30309 mm_segment_t oldfs = get_fs();
30310 set_fs(KERNEL_DS);
30311- r = copy_strings(argc, (char __user * __user *)argv, bprm);
30312+ r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
30313 set_fs(oldfs);
30314 return r;
30315 }
57199397 30316@@ -506,7 +521,8 @@ static int shift_arg_pages(struct vm_are
58c5fc13
MT		 30317 unsigned long new_end = old_end - shift;
30318 struct mmu_gather *tlb;
30319
30320- BUG_ON(new_start > new_end);
30321+ if (new_start >= new_end || new_start < mmap_min_addr)
30322+ return -EFAULT;
30323
30324 /*
30325 * ensure there are no vmas between where we want to go
57199397 30326@@ -515,6 +531,10 @@ static int shift_arg_pages(struct vm_are
58c5fc13
MT		 30327 if (vma != find_vma(mm, new_start))
30328 return -EFAULT;
30329
30330+#ifdef CONFIG_PAX_SEGMEXEC
30331+ BUG_ON(pax_find_mirror_vma(vma));
30332+#endif
30333+
30334 /*
30335 * cover the whole range: [new_start, old_end)
30336 */
57199397 30337@@ -605,8 +625,28 @@ int setup_arg_pages(struct linux_binprm
58c5fc13
MT		 30338 bprm->exec -= stack_shift;
30339
30340 down_write(&mm->mmap_sem);
30341+
30342+ /* Move stack pages down in memory. */
30343+ if (stack_shift) {
30344+ ret = shift_arg_pages(vma, stack_shift);
30345+ if (ret)
30346+ goto out_unlock;
30347+ }
30348+
30349 vm_flags = VM_STACK_FLAGS;
30350
58c5fc13
MT		 30351+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30352+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30353+ vm_flags &= ~VM_EXEC;
30354+
30355+#ifdef CONFIG_PAX_MPROTECT
30356+ if (mm->pax_flags & MF_PAX_MPROTECT)
30357+ vm_flags &= ~VM_MAYEXEC;
30358+#endif
30359+
30360+ }
30361+#endif
30362+
ae4e228f
MT		 30363 /*
30364 * Adjust stack execute permissions; explicitly enable for
30365 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
57199397 30366@@ -625,13 +665,6 @@ int setup_arg_pages(struct linux_binprm
58c5fc13
MT		 30367 goto out_unlock;
30368 BUG_ON(prev != vma);
30369
30370- /* Move stack pages down in memory. */
30371- if (stack_shift) {
30372- ret = shift_arg_pages(vma, stack_shift);
ae4e228f
MT		 30373- if (ret)
30374- goto out_unlock;
58c5fc13
MT		 30375- }
30376-
57199397
MT		 30377 /* mprotect_fixup is overkill to remove the temporary stack flags */
30378 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30379
30380@@ -671,7 +704,7 @@ struct file *open_exec(const char *name)
58c5fc13
MT		 30381 int err;
30382
30383 file = do_filp_open(AT_FDCWD, name,
30384- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30385+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30386 MAY_EXEC | MAY_OPEN);
30387 if (IS_ERR(file))
30388 goto out;
57199397 30389@@ -708,7 +741,7 @@ int kernel_read(struct file *file, loff_
ae4e228f
MT		 30390 old_fs = get_fs();
30391 set_fs(get_ds());
30392 /* The cast to a user pointer is valid due to the set_fs() */
30393- result = vfs_read(file, (void __user *)addr, count, &pos);
30394+ result = vfs_read(file, (__force void __user *)addr, count, &pos);
30395 set_fs(old_fs);
30396 return result;
30397 }
57199397 30398@@ -1125,7 +1158,7 @@ int check_unsafe_exec(struct linux_binpr
58c5fc13
MT		 30399 }
30400 rcu_read_unlock();
30401
30402- if (p->fs->users > n_fs) {
30403+ if (atomic_read(&p->fs->users) > n_fs) {
30404 bprm->unsafe |= LSM_UNSAFE_SHARE;
30405 } else {
30406 res = -EAGAIN;
57199397 30407@@ -1321,6 +1354,11 @@ int do_execve(char * filename,
58c5fc13
MT		 30408 char __user *__user *envp,
30409 struct pt_regs * regs)
30410 {
30411+#ifdef CONFIG_GRKERNSEC
30412+ struct file *old_exec_file;
30413+ struct acl_subject_label *old_acl;
30414+ struct rlimit old_rlim[RLIM_NLIMITS];
30415+#endif
30416 struct linux_binprm *bprm;
30417 struct file *file;
30418 struct files_struct *displaced;
57199397 30419@@ -1357,6 +1395,18 @@ int do_execve(char * filename,
58c5fc13
MT		 30420 bprm->filename = filename;
30421 bprm->interp = filename;
30422
30423+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
30424+
30425+ if (gr_handle_nproc()) {
30426+ retval = -EAGAIN;
30427+ goto out_file;
30428+ }
30429+
30430+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30431+ retval = -EACCES;
30432+ goto out_file;
30433+ }
30434+
30435 retval = bprm_mm_init(bprm);
30436 if (retval)
30437 goto out_file;
57199397 30438@@ -1386,10 +1436,41 @@ int do_execve(char * filename,
58c5fc13
MT		 30439 if (retval < 0)
30440 goto out;
30441
30442+ if (!gr_tpe_allow(file)) {
30443+ retval = -EACCES;
30444+ goto out;
30445+ }
30446+
30447+ if (gr_check_crash_exec(file)) {
30448+ retval = -EACCES;
30449+ goto out;
30450+ }
30451+
30452+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30453+
30454+ gr_handle_exec_args(bprm, argv);
30455+
30456+#ifdef CONFIG_GRKERNSEC
30457+ old_acl = current->acl;
30458+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30459+ old_exec_file = current->exec_file;
30460+ get_file(file);
30461+ current->exec_file = file;
30462+#endif
30463+
30464+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30465+ bprm->unsafe & LSM_UNSAFE_SHARE);
30466+ if (retval < 0)
30467+ goto out_fail;
30468+
30469 current->flags &= ~PF_KTHREAD;
30470 retval = search_binary_handler(bprm,regs);
30471 if (retval < 0)
30472- goto out;
30473+ goto out_fail;
30474+#ifdef CONFIG_GRKERNSEC
30475+ if (old_exec_file)
30476+ fput(old_exec_file);
30477+#endif
30478
df50ba0c
MT		 30479 /* execve succeeded */
30480 current->fs->in_exec = 0;
57199397 30481@@ -1400,6 +1481,14 @@ int do_execve(char * filename,
58c5fc13
MT		 30482 put_files_struct(displaced);
30483 return retval;
30484
30485+out_fail:
30486+#ifdef CONFIG_GRKERNSEC
30487+ current->acl = old_acl;
30488+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30489+ fput(current->exec_file);
30490+ current->exec_file = old_exec_file;
30491+#endif
30492+
30493 out:
30494 if (bprm->mm)
30495 mmput (bprm->mm);
57199397 30496@@ -1563,6 +1652,225 @@ out:
58c5fc13
MT		 30497 return ispipe;
30498 }
30499
30500+int pax_check_flags(unsigned long *flags)
30501+{
30502+ int retval = 0;
30503+
30504+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30505+ if (*flags & MF_PAX_SEGMEXEC)
30506+ {
30507+ *flags &= ~MF_PAX_SEGMEXEC;
30508+ retval = -EINVAL;
30509+ }
30510+#endif
30511+
30512+ if ((*flags & MF_PAX_PAGEEXEC)
30513+
30514+#ifdef CONFIG_PAX_PAGEEXEC
30515+ && (*flags & MF_PAX_SEGMEXEC)
30516+#endif
30517+
30518+ )
30519+ {
30520+ *flags &= ~MF_PAX_PAGEEXEC;
30521+ retval = -EINVAL;
30522+ }
30523+
30524+ if ((*flags & MF_PAX_MPROTECT)
30525+
30526+#ifdef CONFIG_PAX_MPROTECT
30527+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30528+#endif
30529+
30530+ )
30531+ {
30532+ *flags &= ~MF_PAX_MPROTECT;
30533+ retval = -EINVAL;
30534+ }
30535+
30536+ if ((*flags & MF_PAX_EMUTRAMP)
30537+
30538+#ifdef CONFIG_PAX_EMUTRAMP
30539+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30540+#endif
30541+
30542+ )
30543+ {
30544+ *flags &= ~MF_PAX_EMUTRAMP;
30545+ retval = -EINVAL;
30546+ }
30547+
30548+ return retval;
30549+}
30550+
30551+EXPORT_SYMBOL(pax_check_flags);
30552+
30553+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30554+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30555+{
30556+ struct task_struct *tsk = current;
30557+ struct mm_struct *mm = current->mm;
30558+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30559+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30560+ char *path_exec = NULL;
30561+ char *path_fault = NULL;
30562+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
30563+
30564+ if (buffer_exec && buffer_fault) {
30565+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30566+
30567+ down_read(&mm->mmap_sem);
30568+ vma = mm->mmap;
30569+ while (vma && (!vma_exec || !vma_fault)) {
30570+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30571+ vma_exec = vma;
30572+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30573+ vma_fault = vma;
30574+ vma = vma->vm_next;
30575+ }
30576+ if (vma_exec) {
30577+ path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30578+ if (IS_ERR(path_exec))
30579+ path_exec = "<path too long>";
30580+ else {
30581+ path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30582+ if (path_exec) {
30583+ *path_exec = 0;
30584+ path_exec = buffer_exec;
30585+ } else
30586+ path_exec = "<path too long>";
30587+ }
30588+ }
30589+ if (vma_fault) {
30590+ start = vma_fault->vm_start;
30591+ end = vma_fault->vm_end;
30592+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30593+ if (vma_fault->vm_file) {
30594+ path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30595+ if (IS_ERR(path_fault))
30596+ path_fault = "<path too long>";
30597+ else {
30598+ path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30599+ if (path_fault) {
30600+ *path_fault = 0;
30601+ path_fault = buffer_fault;
30602+ } else
30603+ path_fault = "<path too long>";
30604+ }
30605+ } else
30606+ path_fault = "<anonymous mapping>";
30607+ }
30608+ up_read(&mm->mmap_sem);
30609+ }
30610+ if (tsk->signal->curr_ip)
ae4e228f 30611+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
58c5fc13
MT		 30612+ else
30613+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30614+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30615+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30616+ task_uid(tsk), task_euid(tsk), pc, sp);
30617+ free_page((unsigned long)buffer_exec);
30618+ free_page((unsigned long)buffer_fault);
30619+ pax_report_insns(pc, sp);
30620+ do_coredump(SIGKILL, SIGKILL, regs);
30621+}
30622+#endif
30623+
30624+#ifdef CONFIG_PAX_REFCOUNT
30625+void pax_report_refcount_overflow(struct pt_regs *regs)
30626+{
30627+ if (current->signal->curr_ip)
ae4e228f
MT		 30628+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30629+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
58c5fc13
MT		 30630+ else
30631+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30632+ current->comm, task_pid_nr(current), current_uid(), current_euid());
30633+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
30634+ show_regs(regs);
ae4e228f 30635+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
58c5fc13
MT		 30636+}
30637+#endif
30638+
30639+#ifdef CONFIG_PAX_USERCOPY
57199397
MT		 30640+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30641+struct stack_frame {
30642+ struct stack_frame *next_frame;
30643+ unsigned long return_address;
30644+};
30645+#endif
30646+
30647+/* 0: not at all, 1: fully, 2: fully inside frame,
30648+ -1: partially (implies an error) */
30649+
30650+int object_is_on_stack(const void *obj, unsigned long len)
30651+{
30652+ const void *stack = task_stack_page(current);
30653+ const void *stackend = stack + THREAD_SIZE;
30654+
30655+ if (obj + len < obj)
30656+ return -1;
30657+
30658+ if (stack <= obj && obj + len <= stackend) {
30659+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30660+ void *frame = __builtin_frame_address(2);
30661+ void *oldframe = __builtin_frame_address(1);
30662+ /*
30663+ bottom ----------------------------------------------> top
30664+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
30665+ ^----------------^
30666+ allow copies only within here
30667+ */
30668+ while (frame) {
30669+ /* if obj + len extends past the last frame, this
30670+ check won't pass and the next frame will be 0,
30671+ causing us to bail out and correctly report
30672+ the copy as invalid
30673+ */
30674+ if (obj + len <= frame) {
30675+ if (obj >= (oldframe + (2 * sizeof(void *))))
30676+ return 2;
30677+ else
30678+ return -1;
30679+ }
30680+ oldframe = frame;
30681+ frame = ((struct stack_frame *)frame)->next_frame;
30682+ }
30683+ return -1;
30684+#else
30685+ return 1;
30686+#endif
30687+ }
30688+
30689+ if (obj + len <= stack || stackend <= obj)
30690+ return 0;
30691+
30692+ return -1;
30693+}
30694+
30695+
58c5fc13
MT		 30696+void pax_report_leak_to_user(const void *ptr, unsigned long len)
30697+{
30698+ if (current->signal->curr_ip)
ae4e228f
MT		 30699+ printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
30700+ &current->signal->curr_ip, ptr, len);
58c5fc13
MT		 30701+ else
30702+ printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
30703+ dump_stack();
30704+ do_group_exit(SIGKILL);
30705+}
30706+
30707+void pax_report_overflow_from_user(const void *ptr, unsigned long len)
30708+{
ae4e228f
MT		 30709+ if (current->signal->curr_ip)
30710+ printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
30711+ &current->signal->curr_ip, ptr, len);
30712+ else
30713+ printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
58c5fc13
MT		 30714+ dump_stack();
30715+ do_group_exit(SIGKILL);
30716+}
30717+#endif
30718+
df50ba0c 30719 static int zap_process(struct task_struct *start, int exit_code)
58c5fc13
MT		 30720 {
30721 struct task_struct *t;
57199397 30722@@ -1773,17 +2081,17 @@ static void wait_for_dump_helpers(struct
ae4e228f
MT		 30723 pipe = file->f_path.dentry->d_inode->i_pipe;
30724
30725 pipe_lock(pipe);
30726- pipe->readers++;
30727- pipe->writers--;
30728+ atomic_inc(&pipe->readers);
30729+ atomic_dec(&pipe->writers);
30730
30731- while ((pipe->readers > 1) && (!signal_pending(current))) {
30732+ while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
30733 wake_up_interruptible_sync(&pipe->wait);
30734 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30735 pipe_wait(pipe);
30736 }
30737
30738- pipe->readers--;
30739- pipe->writers++;
30740+ atomic_dec(&pipe->readers);
30741+ atomic_inc(&pipe->writers);
30742 pipe_unlock(pipe);
30743
30744 }
57199397 30745@@ -1891,6 +2199,10 @@ void do_coredump(long signr, int exit_co
58c5fc13
MT		 30746 */
30747 clear_thread_flag(TIF_SIGPENDING);
30748
30749+ if (signr == SIGKILL || signr == SIGILL)
30750+ gr_handle_brute_attach(current);
30751+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
30752+
30753 /*
30754 * lock_kernel() because format_corename() is controlled by sysctl, which
30755 * uses lock_kernel()
57199397
MT		 30756diff -urNp linux-2.6.35.4/fs/ext2/balloc.c linux-2.6.35.4/fs/ext2/balloc.c
30757--- linux-2.6.35.4/fs/ext2/balloc.c 2010-08-26 19:47:12.000000000 -0400
30758+++ linux-2.6.35.4/fs/ext2/balloc.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 30759@@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
58c5fc13
MT		 30760
30761 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30762 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30763- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30764+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30765 sbi->s_resuid != current_fsuid() &&
30766 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30767 return 0;
57199397
MT		 30768diff -urNp linux-2.6.35.4/fs/ext2/xattr.c linux-2.6.35.4/fs/ext2/xattr.c
30769--- linux-2.6.35.4/fs/ext2/xattr.c 2010-08-26 19:47:12.000000000 -0400
30770+++ linux-2.6.35.4/fs/ext2/xattr.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 30771@@ -86,8 +86,8 @@
30772 printk("\n"); \
30773 } while (0)
30774 #else
30775-# define ea_idebug(f...)
30776-# define ea_bdebug(f...)
30777+# define ea_idebug(inode, f...) do {} while (0)
30778+# define ea_bdebug(bh, f...) do {} while (0)
30779 #endif
30780
30781 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
57199397
MT		 30782diff -urNp linux-2.6.35.4/fs/ext3/balloc.c linux-2.6.35.4/fs/ext3/balloc.c
30783--- linux-2.6.35.4/fs/ext3/balloc.c 2010-08-26 19:47:12.000000000 -0400
30784+++ linux-2.6.35.4/fs/ext3/balloc.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 30785@@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
58c5fc13
MT		 30786
30787 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30788 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30789- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30790+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30791 sbi->s_resuid != current_fsuid() &&
30792 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30793 return 0;
57199397
MT		 30794diff -urNp linux-2.6.35.4/fs/ext3/namei.c linux-2.6.35.4/fs/ext3/namei.c
30795--- linux-2.6.35.4/fs/ext3/namei.c 2010-08-26 19:47:12.000000000 -0400
30796+++ linux-2.6.35.4/fs/ext3/namei.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 30797@@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
30798 char *data1 = (*bh)->b_data, *data2;
30799 unsigned split, move, size;
30800 struct ext3_dir_entry_2 *de = NULL, *de2;
30801- int err = 0, i;
30802+ int i, err = 0;
30803
30804 bh2 = ext3_append (handle, dir, &newblock, &err);
30805 if (!(bh2)) {
57199397
MT		 30806diff -urNp linux-2.6.35.4/fs/ext3/xattr.c linux-2.6.35.4/fs/ext3/xattr.c
30807--- linux-2.6.35.4/fs/ext3/xattr.c 2010-08-26 19:47:12.000000000 -0400
30808+++ linux-2.6.35.4/fs/ext3/xattr.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 30809@@ -89,8 +89,8 @@
30810 printk("\n"); \
30811 } while (0)
30812 #else
30813-# define ea_idebug(f...)
30814-# define ea_bdebug(f...)
30815+# define ea_idebug(f...) do {} while (0)
30816+# define ea_bdebug(f...) do {} while (0)
30817 #endif
30818
30819 static void ext3_xattr_cache_insert(struct buffer_head *);
57199397
MT		 30820diff -urNp linux-2.6.35.4/fs/ext4/balloc.c linux-2.6.35.4/fs/ext4/balloc.c
30821--- linux-2.6.35.4/fs/ext4/balloc.c 2010-08-26 19:47:12.000000000 -0400
30822+++ linux-2.6.35.4/fs/ext4/balloc.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 30823@@ -522,7 +522,7 @@ int ext4_has_free_blocks(struct ext4_sb_
58c5fc13
MT		 30824 /* Hm, nope. Are (enough) root reserved blocks available? */
30825 if (sbi->s_resuid == current_fsuid() ||
30826 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
30827- capable(CAP_SYS_RESOURCE)) {
30828+ capable_nolog(CAP_SYS_RESOURCE)) {
30829 if (free_blocks >= (nblocks + dirty_blocks))
30830 return 1;
30831 }
57199397
MT		 30832diff -urNp linux-2.6.35.4/fs/ext4/namei.c linux-2.6.35.4/fs/ext4/namei.c
30833--- linux-2.6.35.4/fs/ext4/namei.c 2010-08-26 19:47:12.000000000 -0400
30834+++ linux-2.6.35.4/fs/ext4/namei.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 30835@@ -1197,7 +1197,7 @@ static struct ext4_dir_entry_2 *do_split
58c5fc13
MT		 30836 char *data1 = (*bh)->b_data, *data2;
30837 unsigned split, move, size;
30838 struct ext4_dir_entry_2 *de = NULL, *de2;
30839- int err = 0, i;
30840+ int i, err = 0;
30841
30842 bh2 = ext4_append (handle, dir, &newblock, &err);
30843 if (!(bh2)) {
57199397
MT		 30844diff -urNp linux-2.6.35.4/fs/ext4/xattr.c linux-2.6.35.4/fs/ext4/xattr.c
30845--- linux-2.6.35.4/fs/ext4/xattr.c 2010-08-26 19:47:12.000000000 -0400
30846+++ linux-2.6.35.4/fs/ext4/xattr.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 30847@@ -82,8 +82,8 @@
30848 printk("\n"); \
30849 } while (0)
30850 #else
30851-# define ea_idebug(f...)
30852-# define ea_bdebug(f...)
30853+# define ea_idebug(inode, f...) do {} while (0)
30854+# define ea_bdebug(bh, f...) do {} while (0)
30855 #endif
ae4e228f 30856
df50ba0c 30857 static void ext4_xattr_cache_insert(struct buffer_head *);
57199397
MT		 30858diff -urNp linux-2.6.35.4/fs/fcntl.c linux-2.6.35.4/fs/fcntl.c
30859--- linux-2.6.35.4/fs/fcntl.c 2010-08-26 19:47:12.000000000 -0400
30860+++ linux-2.6.35.4/fs/fcntl.c 2010-09-17 20:12:37.000000000 -0400
30861@@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
30862 if (err)
30863 return err;
30864
30865+ if (gr_handle_chroot_fowner(pid, type))
30866+ return -ENOENT;
30867+ if (gr_check_protected_task_fowner(pid, type))
30868+ return -EACCES;
30869+
30870 f_modown(filp, pid, type, force);
30871 return 0;
30872 }
30873@@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
58c5fc13
MT		 30874 switch (cmd) {
30875 case F_DUPFD:
30876 case F_DUPFD_CLOEXEC:
30877+ gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
df50ba0c 30878 if (arg >= rlimit(RLIMIT_NOFILE))
58c5fc13
MT		 30879 break;
30880 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
57199397
MT		 30881diff -urNp linux-2.6.35.4/fs/fifo.c linux-2.6.35.4/fs/fifo.c
30882--- linux-2.6.35.4/fs/fifo.c 2010-08-26 19:47:12.000000000 -0400
30883+++ linux-2.6.35.4/fs/fifo.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 30884@@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
ae4e228f
MT		 30885 */
30886 filp->f_op = &read_pipefifo_fops;
30887 pipe->r_counter++;
30888- if (pipe->readers++ == 0)
30889+ if (atomic_inc_return(&pipe->readers) == 1)
30890 wake_up_partner(inode);
30891
30892- if (!pipe->writers) {
30893+ if (!atomic_read(&pipe->writers)) {
30894 if ((filp->f_flags & O_NONBLOCK)) {
30895 /* suppress POLLHUP until we have
30896 * seen a writer */
df50ba0c 30897@@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
ae4e228f
MT		 30898 * errno=ENXIO when there is no process reading the FIFO.
30899 */
30900 ret = -ENXIO;
30901- if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
30902+ if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
30903 goto err;
30904
30905 filp->f_op = &write_pipefifo_fops;
30906 pipe->w_counter++;
30907- if (!pipe->writers++)
30908+ if (atomic_inc_return(&pipe->writers) == 1)
30909 wake_up_partner(inode);
30910
30911- if (!pipe->readers) {
30912+ if (!atomic_read(&pipe->readers)) {
30913 wait_for_partner(inode, &pipe->r_counter);
30914 if (signal_pending(current))
30915 goto err_wr;
df50ba0c 30916@@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
ae4e228f
MT		 30917 */
30918 filp->f_op = &rdwr_pipefifo_fops;
30919
30920- pipe->readers++;
30921- pipe->writers++;
30922+ atomic_inc(&pipe->readers);
30923+ atomic_inc(&pipe->writers);
30924 pipe->r_counter++;
30925 pipe->w_counter++;
30926- if (pipe->readers == 1 || pipe->writers == 1)
30927+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
30928 wake_up_partner(inode);
30929 break;
30930
df50ba0c 30931@@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
ae4e228f
MT		 30932 return 0;
30933
30934 err_rd:
30935- if (!--pipe->readers)
30936+ if (atomic_dec_and_test(&pipe->readers))
30937 wake_up_interruptible(&pipe->wait);
30938 ret = -ERESTARTSYS;
30939 goto err;
30940
30941 err_wr:
30942- if (!--pipe->writers)
30943+ if (atomic_dec_and_test(&pipe->writers))
30944 wake_up_interruptible(&pipe->wait);
30945 ret = -ERESTARTSYS;
30946 goto err;
30947
30948 err:
30949- if (!pipe->readers && !pipe->writers)
30950+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
30951 free_pipe_info(inode);
30952
30953 err_nocleanup:
57199397
MT		 30954diff -urNp linux-2.6.35.4/fs/file.c linux-2.6.35.4/fs/file.c
30955--- linux-2.6.35.4/fs/file.c 2010-08-26 19:47:12.000000000 -0400
30956+++ linux-2.6.35.4/fs/file.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 30957@@ -14,6 +14,7 @@
58c5fc13
MT		 30958 #include <linux/slab.h>
30959 #include <linux/vmalloc.h>
30960 #include <linux/file.h>
30961+#include <linux/security.h>
30962 #include <linux/fdtable.h>
30963 #include <linux/bitops.h>
30964 #include <linux/interrupt.h>
df50ba0c 30965@@ -257,6 +258,7 @@ int expand_files(struct files_struct *fi
58c5fc13
MT		 30966 * N.B. For clone tasks sharing a files structure, this test
30967 * will limit the total number of files that can be opened.
30968 */
58c5fc13 30969+ gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
df50ba0c 30970 if (nr >= rlimit(RLIMIT_NOFILE))
58c5fc13
MT		 30971 return -EMFILE;
30972
57199397
MT		 30973diff -urNp linux-2.6.35.4/fs/fs_struct.c linux-2.6.35.4/fs/fs_struct.c
30974--- linux-2.6.35.4/fs/fs_struct.c 2010-08-26 19:47:12.000000000 -0400
30975+++ linux-2.6.35.4/fs/fs_struct.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c
MT		 30976@@ -4,6 +4,7 @@
30977 #include <linux/path.h>
30978 #include <linux/slab.h>
30979 #include <linux/fs_struct.h>
30980+#include <linux/grsecurity.h>
ae4e228f 30981
df50ba0c
MT		 30982 /*
30983 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
30984@@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
30985 old_root = fs->root;
30986 fs->root = *path;
30987 path_get(path);
30988+ gr_set_chroot_entries(current, path);
30989 write_unlock(&fs->lock);
30990 if (old_root.dentry)
30991 path_put(&old_root);
30992@@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
30993 && fs->root.mnt == old_root->mnt) {
30994 path_get(new_root);
30995 fs->root = *new_root;
30996+ gr_set_chroot_entries(p, new_root);
30997 count++;
ae4e228f 30998 }
df50ba0c
MT		 30999 if (fs->pwd.dentry == old_root->dentry
31000@@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
58c5fc13
MT		 31001 task_lock(tsk);
31002 write_lock(&fs->lock);
31003 tsk->fs = NULL;
31004- kill = !--fs->users;
df50ba0c 31005+ gr_clear_chroot_entries(tsk);
58c5fc13
MT		 31006+ kill = !atomic_dec_return(&fs->users);
31007 write_unlock(&fs->lock);
31008 task_unlock(tsk);
31009 if (kill)
df50ba0c 31010@@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
58c5fc13
MT		 31011 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31012 /* We don't need to lock fs - think why ;-) */
31013 if (fs) {
31014- fs->users = 1;
31015+ atomic_set(&fs->users, 1);
31016 fs->in_exec = 0;
31017 rwlock_init(&fs->lock);
31018 fs->umask = old->umask;
df50ba0c 31019@@ -127,8 +131,9 @@ int unshare_fs_struct(void)
58c5fc13
MT		 31020
31021 task_lock(current);
31022 write_lock(&fs->lock);
31023- kill = !--fs->users;
31024+ kill = !atomic_dec_return(&fs->users);
31025 current->fs = new_fs;
df50ba0c 31026+ gr_set_chroot_entries(current, &new_fs->root);
58c5fc13
MT		 31027 write_unlock(&fs->lock);
31028 task_unlock(current);
ae4e228f 31029
df50ba0c 31030@@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
58c5fc13
MT		 31031
31032 /* to be mentioned only in INIT_TASK */
31033 struct fs_struct init_fs = {
31034- .users = 1,
31035+ .users = ATOMIC_INIT(1),
31036 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
31037 .umask = 0022,
31038 };
df50ba0c 31039@@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
58c5fc13
MT		 31040 task_lock(current);
31041
31042 write_lock(&init_fs.lock);
31043- init_fs.users++;
31044+ atomic_inc(&init_fs.users);
31045 write_unlock(&init_fs.lock);
31046
31047 write_lock(&fs->lock);
31048 current->fs = &init_fs;
31049- kill = !--fs->users;
df50ba0c 31050+ gr_set_chroot_entries(current, &current->fs->root);
58c5fc13
MT		 31051+ kill = !atomic_dec_return(&fs->users);
31052 write_unlock(&fs->lock);
31053
31054 task_unlock(current);
57199397
MT		 31055diff -urNp linux-2.6.35.4/fs/fuse/control.c linux-2.6.35.4/fs/fuse/control.c
31056--- linux-2.6.35.4/fs/fuse/control.c 2010-08-26 19:47:12.000000000 -0400
31057+++ linux-2.6.35.4/fs/fuse/control.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 31058@@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
58c5fc13
MT		 31059
31060 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31061 {
31062- struct tree_descr empty_descr = {""};
31063+ struct tree_descr empty_descr = {"", NULL, 0};
31064 struct fuse_conn *fc;
31065 int err;
31066
57199397
MT		 31067diff -urNp linux-2.6.35.4/fs/fuse/cuse.c linux-2.6.35.4/fs/fuse/cuse.c
31068--- linux-2.6.35.4/fs/fuse/cuse.c 2010-08-26 19:47:12.000000000 -0400
31069+++ linux-2.6.35.4/fs/fuse/cuse.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 31070@@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
ae4e228f
MT		 31071 return rc;
31072 }
31073
31074-static struct file_operations cuse_channel_fops; /* initialized during init */
31075-
31076+static const struct file_operations cuse_channel_fops = { /* initialized during init */
31077+ .owner = THIS_MODULE,
31078+ .llseek = no_llseek,
31079+ .read = do_sync_read,
31080+ .aio_read = fuse_dev_read,
31081+ .write = do_sync_write,
31082+ .aio_write = fuse_dev_write,
31083+ .poll = fuse_dev_poll,
31084+ .open = cuse_channel_open,
31085+ .release = cuse_channel_release,
31086+ .fasync = fuse_dev_fasync,
31087+};
31088
31089 /**************************************************************************
31090 * Misc stuff and module initializatiion
df50ba0c 31091@@ -576,12 +586,6 @@ static int __init cuse_init(void)
ae4e228f
MT		 31092 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31093 INIT_LIST_HEAD(&cuse_conntbl[i]);
31094
31095- /* inherit and extend fuse_dev_operations */
31096- cuse_channel_fops = fuse_dev_operations;
31097- cuse_channel_fops.owner = THIS_MODULE;
31098- cuse_channel_fops.open = cuse_channel_open;
31099- cuse_channel_fops.release = cuse_channel_release;
31100-
31101 cuse_class = class_create(THIS_MODULE, "cuse");
31102 if (IS_ERR(cuse_class))
31103 return PTR_ERR(cuse_class);
57199397
MT		 31104diff -urNp linux-2.6.35.4/fs/fuse/dev.c linux-2.6.35.4/fs/fuse/dev.c
31105--- linux-2.6.35.4/fs/fuse/dev.c 2010-08-26 19:47:12.000000000 -0400
31106+++ linux-2.6.35.4/fs/fuse/dev.c 2010-09-17 20:12:09.000000000 -0400
31107@@ -1031,7 +1031,7 @@ static ssize_t fuse_dev_do_read(struct f
31108 return err;
31109 }
31110
ae4e228f
MT		 31111-static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31112+ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31113 unsigned long nr_segs, loff_t pos)
31114 {
57199397
MT		 31115 struct fuse_copy_state cs;
31116@@ -1045,6 +1045,8 @@ static ssize_t fuse_dev_read(struct kioc
31117 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
ae4e228f
MT		 31118 }
31119
31120+EXPORT_SYMBOL_GPL(fuse_dev_read);
31121+
57199397
MT		 31122 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31123 struct pipe_buffer *buf)
ae4e228f 31124 {
57199397
MT		 31125@@ -1088,7 +1090,7 @@ static ssize_t fuse_dev_splice_read(stru
31126 ret = 0;
31127 pipe_lock(pipe);
31128
31129- if (!pipe->readers) {
31130+ if (!atomic_read(&pipe->readers)) {
31131 send_sig(SIGPIPE, current, 0);
31132 if (!ret)
31133 ret = -EPIPE;
31134@@ -1387,7 +1389,7 @@ static ssize_t fuse_dev_do_write(struct
31135 return err;
31136 }
31137
ae4e228f
MT		 31138-static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31139+ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
57199397 31140 unsigned long nr_segs, loff_t pos)
ae4e228f 31141 {
57199397
MT		 31142 struct fuse_copy_state cs;
31143@@ -1400,6 +1402,8 @@ static ssize_t fuse_dev_write(struct kio
31144 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
ae4e228f
MT		 31145 }
31146
ae4e228f
MT		 31147+EXPORT_SYMBOL_GPL(fuse_dev_write);
31148+
57199397
MT		 31149 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31150 struct file *out, loff_t *ppos,
31151 size_t len, unsigned int flags)
31152@@ -1478,7 +1482,7 @@ out:
31153 return ret;
31154 }
31155
31156-static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
ae4e228f
MT		 31157+unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31158 {
31159 unsigned mask = POLLOUT | POLLWRNORM;
31160 struct fuse_conn *fc = fuse_get_conn(file);
57199397 31161@@ -1497,6 +1501,8 @@ static unsigned fuse_dev_poll(struct fil
ae4e228f
MT		 31162 return mask;
31163 }
31164
31165+EXPORT_SYMBOL_GPL(fuse_dev_poll);
31166+
31167 /*
31168 * Abort all requests on the given list (pending or processing)
31169 *
57199397 31170@@ -1604,7 +1610,7 @@ int fuse_dev_release(struct inode *inode
ae4e228f
MT		 31171 }
31172 EXPORT_SYMBOL_GPL(fuse_dev_release);
31173
31174-static int fuse_dev_fasync(int fd, struct file *file, int on)
31175+int fuse_dev_fasync(int fd, struct file *file, int on)
31176 {
31177 struct fuse_conn *fc = fuse_get_conn(file);
31178 if (!fc)
57199397 31179@@ -1614,6 +1620,8 @@ static int fuse_dev_fasync(int fd, struc
ae4e228f
MT		 31180 return fasync_helper(fd, file, on, &fc->fasync);
31181 }
31182
31183+EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31184+
31185 const struct file_operations fuse_dev_operations = {
31186 .owner = THIS_MODULE,
31187 .llseek = no_llseek,
57199397
MT		 31188diff -urNp linux-2.6.35.4/fs/fuse/dir.c linux-2.6.35.4/fs/fuse/dir.c
31189--- linux-2.6.35.4/fs/fuse/dir.c 2010-08-26 19:47:12.000000000 -0400
31190+++ linux-2.6.35.4/fs/fuse/dir.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 31191@@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
58c5fc13
MT		 31192 return link;
31193 }
31194
31195-static void free_link(char *link)
31196+static void free_link(const char *link)
31197 {
31198 if (!IS_ERR(link))
31199 free_page((unsigned long) link);
57199397
MT		 31200diff -urNp linux-2.6.35.4/fs/fuse/fuse_i.h linux-2.6.35.4/fs/fuse/fuse_i.h
31201--- linux-2.6.35.4/fs/fuse/fuse_i.h 2010-08-26 19:47:12.000000000 -0400
31202+++ linux-2.6.35.4/fs/fuse/fuse_i.h 2010-09-17 20:12:09.000000000 -0400
31203@@ -524,6 +524,16 @@ extern const struct file_operations fuse
ae4e228f
MT		 31204
31205 extern const struct dentry_operations fuse_dentry_operations;
31206
31207+extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31208+ unsigned long nr_segs, loff_t pos);
31209+
31210+extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31211+ unsigned long nr_segs, loff_t pos);
31212+
31213+extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31214+
31215+extern int fuse_dev_fasync(int fd, struct file *file, int on);
31216+
31217 /**
31218 * Inode to nodeid comparison.
31219 */
57199397
MT		 31220diff -urNp linux-2.6.35.4/fs/hfs/inode.c linux-2.6.35.4/fs/hfs/inode.c
31221--- linux-2.6.35.4/fs/hfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31222+++ linux-2.6.35.4/fs/hfs/inode.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 31223@@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
31224
31225 if (S_ISDIR(main_inode->i_mode)) {
31226 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31227- /* panic? */;
31228+ {/* panic? */}
31229 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31230 sizeof(struct hfs_cat_dir));
31231 if (rec.type != HFS_CDR_DIR ||
31232@@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
31233 sizeof(struct hfs_cat_file));
31234 } else {
31235 if (fd.entrylength < sizeof(struct hfs_cat_file))
31236- /* panic? */;
31237+ {/* panic? */}
31238 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31239 sizeof(struct hfs_cat_file));
31240 if (rec.type != HFS_CDR_FIL ||
57199397
MT		 31241diff -urNp linux-2.6.35.4/fs/hfsplus/inode.c linux-2.6.35.4/fs/hfsplus/inode.c
31242--- linux-2.6.35.4/fs/hfsplus/inode.c 2010-08-26 19:47:12.000000000 -0400
31243+++ linux-2.6.35.4/fs/hfsplus/inode.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 31244@@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode
31245 struct hfsplus_cat_folder *folder = &entry.folder;
31246
31247 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31248- /* panic? */;
31249+ {/* panic? */}
31250 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31251 sizeof(struct hfsplus_cat_folder));
31252 hfsplus_get_perms(inode, &folder->permissions, 1);
31253@@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode
31254 struct hfsplus_cat_file *file = &entry.file;
31255
31256 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31257- /* panic? */;
31258+ {/* panic? */}
31259 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31260 sizeof(struct hfsplus_cat_file));
31261
31262@@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
31263 struct hfsplus_cat_folder *folder = &entry.folder;
31264
31265 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31266- /* panic? */;
31267+ {/* panic? */}
31268 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31269 sizeof(struct hfsplus_cat_folder));
31270 /* simple node checks? */
31271@@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
31272 struct hfsplus_cat_file *file = &entry.file;
31273
31274 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31275- /* panic? */;
31276+ {/* panic? */}
31277 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31278 sizeof(struct hfsplus_cat_file));
31279 hfsplus_inode_write_fork(inode, &file->data_fork);
57199397
MT		 31280diff -urNp linux-2.6.35.4/fs/hugetlbfs/inode.c linux-2.6.35.4/fs/hugetlbfs/inode.c
31281--- linux-2.6.35.4/fs/hugetlbfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31282+++ linux-2.6.35.4/fs/hugetlbfs/inode.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c
MT		 31283@@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31284 .kill_sb = kill_litter_super,
31285 };
31286
31287-static struct vfsmount *hugetlbfs_vfsmount;
31288+struct vfsmount *hugetlbfs_vfsmount;
31289
31290 static int can_do_hugetlb_shm(void)
31291 {
57199397
MT		 31292diff -urNp linux-2.6.35.4/fs/ioctl.c linux-2.6.35.4/fs/ioctl.c
31293--- linux-2.6.35.4/fs/ioctl.c 2010-08-26 19:47:12.000000000 -0400
31294+++ linux-2.6.35.4/fs/ioctl.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 31295@@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
31296 u64 phys, u64 len, u32 flags)
31297 {
31298 struct fiemap_extent extent;
31299- struct fiemap_extent *dest = fieinfo->fi_extents_start;
31300+ struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31301
31302 /* only count the extents */
31303 if (fieinfo->fi_extents_max == 0) {
31304@@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
31305
31306 fieinfo.fi_flags = fiemap.fm_flags;
31307 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31308- fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31309+ fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31310
31311 if (fiemap.fm_extent_count != 0 &&
31312 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31313@@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
31314 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31315 fiemap.fm_flags = fieinfo.fi_flags;
31316 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31317- if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31318+ if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
31319 error = -EFAULT;
58c5fc13 31320
ae4e228f 31321 return error;
57199397
MT		 31322diff -urNp linux-2.6.35.4/fs/jffs2/debug.h linux-2.6.35.4/fs/jffs2/debug.h
31323--- linux-2.6.35.4/fs/jffs2/debug.h 2010-08-26 19:47:12.000000000 -0400
31324+++ linux-2.6.35.4/fs/jffs2/debug.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 31325@@ -52,13 +52,13 @@
31326 #if CONFIG_JFFS2_FS_DEBUG > 0
31327 #define D1(x) x
31328 #else
31329-#define D1(x)
31330+#define D1(x) do {} while (0);
31331 #endif
31332
31333 #if CONFIG_JFFS2_FS_DEBUG > 1
31334 #define D2(x) x
31335 #else
31336-#define D2(x)
31337+#define D2(x) do {} while (0);
31338 #endif
31339
31340 /* The prefixes of JFFS2 messages */
31341@@ -114,73 +114,73 @@
31342 #ifdef JFFS2_DBG_READINODE_MESSAGES
31343 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31344 #else
31345-#define dbg_readinode(fmt, ...)
31346+#define dbg_readinode(fmt, ...) do {} while (0)
31347 #endif
31348 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31349 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31350 #else
31351-#define dbg_readinode2(fmt, ...)
31352+#define dbg_readinode2(fmt, ...) do {} while (0)
31353 #endif
31354
31355 /* Fragtree build debugging messages */
31356 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31357 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31358 #else
31359-#define dbg_fragtree(fmt, ...)
31360+#define dbg_fragtree(fmt, ...) do {} while (0)
31361 #endif
31362 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31363 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31364 #else
31365-#define dbg_fragtree2(fmt, ...)
31366+#define dbg_fragtree2(fmt, ...) do {} while (0)
31367 #endif
31368
31369 /* Directory entry list manilulation debugging messages */
31370 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31371 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31372 #else
31373-#define dbg_dentlist(fmt, ...)
31374+#define dbg_dentlist(fmt, ...) do {} while (0)
31375 #endif
31376
31377 /* Print the messages about manipulating node_refs */
31378 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31379 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31380 #else
31381-#define dbg_noderef(fmt, ...)
31382+#define dbg_noderef(fmt, ...) do {} while (0)
31383 #endif
31384
31385 /* Manipulations with the list of inodes (JFFS2 inocache) */
31386 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31387 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31388 #else
31389-#define dbg_inocache(fmt, ...)
31390+#define dbg_inocache(fmt, ...) do {} while (0)
31391 #endif
31392
31393 /* Summary debugging messages */
31394 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31395 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31396 #else
31397-#define dbg_summary(fmt, ...)
31398+#define dbg_summary(fmt, ...) do {} while (0)
31399 #endif
31400
31401 /* File system build messages */
31402 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31403 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31404 #else
31405-#define dbg_fsbuild(fmt, ...)
31406+#define dbg_fsbuild(fmt, ...) do {} while (0)
31407 #endif
31408
31409 /* Watch the object allocations */
31410 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31411 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31412 #else
31413-#define dbg_memalloc(fmt, ...)
31414+#define dbg_memalloc(fmt, ...) do {} while (0)
31415 #endif
31416
31417 /* Watch the XATTR subsystem */
31418 #ifdef JFFS2_DBG_XATTR_MESSAGES
31419 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31420 #else
31421-#define dbg_xattr(fmt, ...)
31422+#define dbg_xattr(fmt, ...) do {} while (0)
31423 #endif
31424
31425 /* "Sanity" checks */
57199397
MT		 31426diff -urNp linux-2.6.35.4/fs/jffs2/erase.c linux-2.6.35.4/fs/jffs2/erase.c
31427--- linux-2.6.35.4/fs/jffs2/erase.c 2010-08-26 19:47:12.000000000 -0400
31428+++ linux-2.6.35.4/fs/jffs2/erase.c 2010-09-17 20:12:09.000000000 -0400
31429@@ -438,7 +438,8 @@ static void jffs2_mark_erased_block(stru
58c5fc13
MT		 31430 struct jffs2_unknown_node marker = {
31431 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31432 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31433- .totlen = cpu_to_je32(c->cleanmarker_size)
31434+ .totlen = cpu_to_je32(c->cleanmarker_size),
31435+ .hdr_crc = cpu_to_je32(0)
31436 };
31437
31438 jffs2_prealloc_raw_node_refs(c, jeb, 1);
57199397
MT		 31439diff -urNp linux-2.6.35.4/fs/jffs2/summary.h linux-2.6.35.4/fs/jffs2/summary.h
31440--- linux-2.6.35.4/fs/jffs2/summary.h 2010-08-26 19:47:12.000000000 -0400
31441+++ linux-2.6.35.4/fs/jffs2/summary.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 31442@@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31443
31444 #define jffs2_sum_active() (0)
31445 #define jffs2_sum_init(a) (0)
31446-#define jffs2_sum_exit(a)
31447-#define jffs2_sum_disable_collecting(a)
31448+#define jffs2_sum_exit(a) do {} while (0)
31449+#define jffs2_sum_disable_collecting(a) do {} while (0)
31450 #define jffs2_sum_is_disabled(a) (0)
31451-#define jffs2_sum_reset_collected(a)
31452+#define jffs2_sum_reset_collected(a) do {} while (0)
31453 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31454-#define jffs2_sum_move_collected(a,b)
31455+#define jffs2_sum_move_collected(a,b) do {} while (0)
31456 #define jffs2_sum_write_sumnode(a) (0)
31457-#define jffs2_sum_add_padding_mem(a,b)
31458-#define jffs2_sum_add_inode_mem(a,b,c)
31459-#define jffs2_sum_add_dirent_mem(a,b,c)
31460-#define jffs2_sum_add_xattr_mem(a,b,c)
31461-#define jffs2_sum_add_xref_mem(a,b,c)
31462+#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31463+#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31464+#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31465+#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31466+#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31467 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31468
31469 #endif /* CONFIG_JFFS2_SUMMARY */
57199397
MT		 31470diff -urNp linux-2.6.35.4/fs/jffs2/wbuf.c linux-2.6.35.4/fs/jffs2/wbuf.c
31471--- linux-2.6.35.4/fs/jffs2/wbuf.c 2010-08-26 19:47:12.000000000 -0400
31472+++ linux-2.6.35.4/fs/jffs2/wbuf.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 31473@@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31474 {
31475 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31476 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31477- .totlen = constant_cpu_to_je32(8)
31478+ .totlen = constant_cpu_to_je32(8),
31479+ .hdr_crc = constant_cpu_to_je32(0)
31480 };
31481
31482 /*
57199397
MT		 31483diff -urNp linux-2.6.35.4/fs/lockd/svc.c linux-2.6.35.4/fs/lockd/svc.c
31484--- linux-2.6.35.4/fs/lockd/svc.c 2010-08-26 19:47:12.000000000 -0400
31485+++ linux-2.6.35.4/fs/lockd/svc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 31486@@ -42,7 +42,7 @@
ae4e228f
MT		 31487
31488 static struct svc_program nlmsvc_program;
31489
31490-struct nlmsvc_binding * nlmsvc_ops;
31491+const struct nlmsvc_binding * nlmsvc_ops;
31492 EXPORT_SYMBOL_GPL(nlmsvc_ops);
31493
31494 static DEFINE_MUTEX(nlmsvc_mutex);
57199397
MT		 31495diff -urNp linux-2.6.35.4/fs/locks.c linux-2.6.35.4/fs/locks.c
31496--- linux-2.6.35.4/fs/locks.c 2010-08-26 19:47:12.000000000 -0400
31497+++ linux-2.6.35.4/fs/locks.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 31498@@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
58c5fc13
MT		 31499 return;
31500
31501 if (filp->f_op && filp->f_op->flock) {
31502- struct file_lock fl = {
31503+ struct file_lock flock = {
31504 .fl_pid = current->tgid,
31505 .fl_file = filp,
31506 .fl_flags = FL_FLOCK,
31507 .fl_type = F_UNLCK,
31508 .fl_end = OFFSET_MAX,
31509 };
31510- filp->f_op->flock(filp, F_SETLKW, &fl);
31511- if (fl.fl_ops && fl.fl_ops->fl_release_private)
31512- fl.fl_ops->fl_release_private(&fl);
31513+ filp->f_op->flock(filp, F_SETLKW, &flock);
31514+ if (flock.fl_ops && flock.fl_ops->fl_release_private)
31515+ flock.fl_ops->fl_release_private(&flock);
31516 }
31517
31518 lock_kernel();
57199397
MT		 31519diff -urNp linux-2.6.35.4/fs/namei.c linux-2.6.35.4/fs/namei.c
31520--- linux-2.6.35.4/fs/namei.c 2010-08-26 19:47:12.000000000 -0400
31521+++ linux-2.6.35.4/fs/namei.c 2010-09-17 20:12:37.000000000 -0400
31522@@ -548,7 +548,7 @@ __do_follow_link(struct path *path, stru
df50ba0c
MT		 31523 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
31524 error = PTR_ERR(*p);
31525 if (!IS_ERR(*p)) {
58c5fc13
MT		 31526- char *s = nd_get_link(nd);
31527+ const char *s = nd_get_link(nd);
31528 error = 0;
31529 if (s)
31530 error = __vfs_follow_link(nd, s);
57199397 31531@@ -581,6 +581,13 @@ static inline int do_follow_link(struct
58c5fc13
MT		 31532 err = security_inode_follow_link(path->dentry, nd);
31533 if (err)
31534 goto loop;
31535+
31536+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
31537+ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
31538+ err = -EACCES;
31539+ goto loop;
31540+ }
31541+
31542 current->link_count++;
31543 current->total_link_count++;
31544 nd->depth++;
57199397 31545@@ -965,11 +972,18 @@ return_reval:
58c5fc13
MT		 31546 break;
31547 }
31548 return_base:
df50ba0c 31549+ if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
58c5fc13
MT		 31550+ path_put(&nd->path);
31551+ return -ENOENT;
31552+ }
31553 return 0;
31554 out_dput:
31555 path_put_conditional(&next, nd);
31556 break;
31557 }
df50ba0c 31558+ if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
58c5fc13
MT		 31559+ err = -ENOENT;
31560+
31561 path_put(&nd->path);
31562 return_err:
31563 return err;
57199397 31564@@ -1506,12 +1520,19 @@ static int __open_namei_create(struct na
58c5fc13
MT		 31565 int error;
31566 struct dentry *dir = nd->path.dentry;
31567
df50ba0c 31568+ if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, open_flag, mode)) {
58c5fc13
MT		 31569+ error = -EACCES;
31570+ goto out_unlock;
31571+ }
31572+
31573 if (!IS_POSIXACL(dir->d_inode))
31574 mode &= ~current_umask();
31575 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
31576 if (error)
31577 goto out_unlock;
31578 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
31579+ if (!error)
31580+ gr_handle_create(path->dentry, nd->path.mnt);
31581 out_unlock:
31582 mutex_unlock(&dir->d_inode->i_mutex);
31583 dput(nd->path.dentry);
57199397 31584@@ -1614,6 +1635,7 @@ static struct file *do_last(struct namei
df50ba0c
MT		 31585 int mode, const char *pathname)
31586 {
31587 struct dentry *dir = nd->path.dentry;
31588+ int flag = open_to_namei_flags(open_flag);
31589 struct file *filp;
31590 int error = -EISDIR;
31591
57199397 31592@@ -1662,6 +1684,22 @@ static struct file *do_last(struct namei
df50ba0c
MT		 31593 }
31594 path_to_nameidata(path, nd);
31595 audit_inode(pathname, nd->path.dentry);
58c5fc13 31596+
df50ba0c 31597+ if (gr_handle_rofs_blockwrite(nd->path.dentry, nd->path.mnt, acc_mode)) {
ae4e228f
MT		 31598+ error = -EPERM;
31599+ goto exit;
31600+ }
31601+
df50ba0c 31602+ if (gr_handle_rawio(nd->path.dentry->d_inode)) {
58c5fc13
MT		 31603+ error = -EPERM;
31604+ goto exit;
31605+ }
31606+
df50ba0c 31607+ if (!gr_acl_handle_open(nd->path.dentry, nd->path.mnt, flag)) {
58c5fc13
MT		 31608+ error = -EACCES;
31609+ goto exit;
31610+ }
31611+
31612 goto ok;
31613 }
31614
57199397 31615@@ -1714,6 +1752,24 @@ static struct file *do_last(struct namei
58c5fc13
MT		 31616 /*
31617 * It already exists.
31618 */
31619+
df50ba0c 31620+ if (gr_handle_rofs_blockwrite(path->dentry, nd->path.mnt, acc_mode)) {
ae4e228f
MT		 31621+ error = -EPERM;
31622+ goto exit_mutex_unlock;
31623+ }
df50ba0c 31624+ if (gr_handle_rawio(path->dentry->d_inode)) {
58c5fc13
MT		 31625+ error = -EPERM;
31626+ goto exit_mutex_unlock;
31627+ }
df50ba0c 31628+ if (!gr_acl_handle_open(path->dentry, nd->path.mnt, flag)) {
58c5fc13
MT		 31629+ error = -EACCES;
31630+ goto exit_mutex_unlock;
31631+ }
df50ba0c 31632+ if (gr_handle_fifo(path->dentry, nd->path.mnt, dir, flag, acc_mode)) {
58c5fc13
MT		 31633+ error = -EACCES;
31634+ goto exit_mutex_unlock;
31635+ }
31636+
31637 mutex_unlock(&dir->d_inode->i_mutex);
df50ba0c 31638 audit_inode(pathname, path->dentry);
58c5fc13 31639
57199397 31640@@ -2034,6 +2090,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
58c5fc13
MT		 31641 error = may_mknod(mode);
31642 if (error)
31643 goto out_dput;
31644+
31645+ if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
31646+ error = -EPERM;
31647+ goto out_dput;
31648+ }
31649+
31650+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
31651+ error = -EACCES;
31652+ goto out_dput;
31653+ }
31654+
31655 error = mnt_want_write(nd.path.mnt);
31656 if (error)
31657 goto out_dput;
57199397 31658@@ -2054,6 +2121,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
58c5fc13
MT		 31659 }
31660 out_drop_write:
31661 mnt_drop_write(nd.path.mnt);
31662+
31663+ if (!error)
31664+ gr_handle_create(dentry, nd.path.mnt);
31665 out_dput:
31666 dput(dentry);
31667 out_unlock:
57199397 31668@@ -2106,6 +2176,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
58c5fc13
MT		 31669 if (IS_ERR(dentry))
31670 goto out_unlock;
31671
31672+ if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
31673+ error = -EACCES;
31674+ goto out_dput;
31675+ }
31676+
31677 if (!IS_POSIXACL(nd.path.dentry->d_inode))
31678 mode &= ~current_umask();
31679 error = mnt_want_write(nd.path.mnt);
57199397 31680@@ -2117,6 +2192,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
58c5fc13
MT		 31681 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
31682 out_drop_write:
31683 mnt_drop_write(nd.path.mnt);
31684+
31685+ if (!error)
31686+ gr_handle_create(dentry, nd.path.mnt);
31687+
31688 out_dput:
31689 dput(dentry);
31690 out_unlock:
57199397 31691@@ -2198,6 +2277,8 @@ static long do_rmdir(int dfd, const char
58c5fc13
MT		 31692 char * name;
31693 struct dentry *dentry;
31694 struct nameidata nd;
31695+ ino_t saved_ino = 0;
31696+ dev_t saved_dev = 0;
31697
31698 error = user_path_parent(dfd, pathname, &nd, &name);
31699 if (error)
57199397 31700@@ -2222,6 +2303,19 @@ static long do_rmdir(int dfd, const char
58c5fc13
MT		 31701 error = PTR_ERR(dentry);
31702 if (IS_ERR(dentry))
31703 goto exit2;
31704+
31705+ if (dentry->d_inode != NULL) {
31706+ if (dentry->d_inode->i_nlink <= 1) {
31707+ saved_ino = dentry->d_inode->i_ino;
31708+ saved_dev = dentry->d_inode->i_sb->s_dev;
31709+ }
31710+
31711+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
31712+ error = -EACCES;
31713+ goto exit3;
31714+ }
31715+ }
31716+
31717 error = mnt_want_write(nd.path.mnt);
31718 if (error)
31719 goto exit3;
57199397 31720@@ -2229,6 +2323,8 @@ static long do_rmdir(int dfd, const char
58c5fc13
MT		 31721 if (error)
31722 goto exit4;
31723 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
31724+ if (!error && (saved_dev || saved_ino))
31725+ gr_handle_delete(saved_ino, saved_dev);
31726 exit4:
31727 mnt_drop_write(nd.path.mnt);
31728 exit3:
57199397 31729@@ -2291,6 +2387,8 @@ static long do_unlinkat(int dfd, const c
58c5fc13
MT		 31730 struct dentry *dentry;
31731 struct nameidata nd;
31732 struct inode *inode = NULL;
31733+ ino_t saved_ino = 0;
31734+ dev_t saved_dev = 0;
31735
31736 error = user_path_parent(dfd, pathname, &nd, &name);
31737 if (error)
57199397 31738@@ -2310,8 +2408,19 @@ static long do_unlinkat(int dfd, const c
58c5fc13
MT		 31739 if (nd.last.name[nd.last.len])
31740 goto slashes;
31741 inode = dentry->d_inode;
31742- if (inode)
31743+ if (inode) {
31744+ if (inode->i_nlink <= 1) {
31745+ saved_ino = inode->i_ino;
31746+ saved_dev = inode->i_sb->s_dev;
31747+ }
31748+
31749 atomic_inc(&inode->i_count);
31750+
31751+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
31752+ error = -EACCES;
31753+ goto exit2;
31754+ }
31755+ }
31756 error = mnt_want_write(nd.path.mnt);
31757 if (error)
31758 goto exit2;
57199397 31759@@ -2319,6 +2428,8 @@ static long do_unlinkat(int dfd, const c
58c5fc13
MT		 31760 if (error)
31761 goto exit3;
31762 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
31763+ if (!error && (saved_ino || saved_dev))
31764+ gr_handle_delete(saved_ino, saved_dev);
31765 exit3:
31766 mnt_drop_write(nd.path.mnt);
31767 exit2:
57199397 31768@@ -2396,6 +2507,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
58c5fc13
MT		 31769 if (IS_ERR(dentry))
31770 goto out_unlock;
31771
31772+ if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
31773+ error = -EACCES;
31774+ goto out_dput;
31775+ }
31776+
31777 error = mnt_want_write(nd.path.mnt);
31778 if (error)
31779 goto out_dput;
57199397 31780@@ -2403,6 +2519,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
58c5fc13
MT		 31781 if (error)
31782 goto out_drop_write;
31783 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
31784+ if (!error)
31785+ gr_handle_create(dentry, nd.path.mnt);
31786 out_drop_write:
31787 mnt_drop_write(nd.path.mnt);
31788 out_dput:
57199397 31789@@ -2495,6 +2613,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
58c5fc13
MT		 31790 error = PTR_ERR(new_dentry);
31791 if (IS_ERR(new_dentry))
31792 goto out_unlock;
31793+
31794+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
31795+ old_path.dentry->d_inode,
31796+ old_path.dentry->d_inode->i_mode, to)) {
31797+ error = -EACCES;
31798+ goto out_dput;
31799+ }
31800+
31801+ if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
31802+ old_path.dentry, old_path.mnt, to)) {
31803+ error = -EACCES;
31804+ goto out_dput;
31805+ }
31806+
31807 error = mnt_want_write(nd.path.mnt);
31808 if (error)
31809 goto out_dput;
57199397 31810@@ -2502,6 +2634,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
58c5fc13
MT		 31811 if (error)
31812 goto out_drop_write;
31813 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
31814+ if (!error)
31815+ gr_handle_create(new_dentry, nd.path.mnt);
31816 out_drop_write:
31817 mnt_drop_write(nd.path.mnt);
31818 out_dput:
57199397 31819@@ -2735,6 +2869,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
58c5fc13
MT		 31820 if (new_dentry == trap)
31821 goto exit5;
31822
31823+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
31824+ old_dentry, old_dir->d_inode, oldnd.path.mnt,
31825+ to);
31826+ if (error)
31827+ goto exit5;
31828+
31829 error = mnt_want_write(oldnd.path.mnt);
31830 if (error)
31831 goto exit5;
57199397 31832@@ -2744,6 +2884,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
58c5fc13
MT		 31833 goto exit6;
31834 error = vfs_rename(old_dir->d_inode, old_dentry,
31835 new_dir->d_inode, new_dentry);
31836+ if (!error)
31837+ gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
31838+ new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
31839 exit6:
31840 mnt_drop_write(oldnd.path.mnt);
31841 exit5:
57199397
MT		 31842diff -urNp linux-2.6.35.4/fs/namespace.c linux-2.6.35.4/fs/namespace.c
31843--- linux-2.6.35.4/fs/namespace.c 2010-08-26 19:47:12.000000000 -0400
31844+++ linux-2.6.35.4/fs/namespace.c 2010-09-17 20:21:58.000000000 -0400
31845@@ -1099,6 +1099,9 @@ static int do_umount(struct vfsmount *mn
58c5fc13
MT		 31846 if (!(sb->s_flags & MS_RDONLY))
31847 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
31848 up_write(&sb->s_umount);
31849+
31850+ gr_log_remount(mnt->mnt_devname, retval);
31851+
31852 return retval;
31853 }
31854
57199397
MT		 31855@@ -1118,6 +1121,9 @@ static int do_umount(struct vfsmount *mn
31856 spin_unlock(&vfsmount_lock);
58c5fc13
MT		 31857 up_write(&namespace_sem);
31858 release_mounts(&umount_list);
31859+
31860+ gr_log_unmount(mnt->mnt_devname, retval);
31861+
31862 return retval;
31863 }
31864
57199397 31865@@ -1988,6 +1994,16 @@ long do_mount(char *dev_name, char *dir_
ae4e228f
MT		 31866 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
31867 MS_STRICTATIME);
58c5fc13 31868
ae4e228f
MT		 31869+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
31870+ retval = -EPERM;
31871+ goto dput_out;
31872+ }
31873+
58c5fc13
MT		 31874+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
31875+ retval = -EPERM;
31876+ goto dput_out;
31877+ }
31878+
31879 if (flags & MS_REMOUNT)
31880 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
31881 data_page);
57199397 31882@@ -2002,6 +2018,9 @@ long do_mount(char *dev_name, char *dir_
58c5fc13
MT		 31883 dev_name, data_page);
31884 dput_out:
31885 path_put(&path);
31886+
31887+ gr_log_mount(dev_name, dir_name, retval);
31888+
31889 return retval;
31890 }
31891
57199397 31892@@ -2208,6 +2227,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
58c5fc13
MT		 31893 goto out1;
31894 }
31895
31896+ if (gr_handle_chroot_pivot()) {
31897+ error = -EPERM;
31898+ path_put(&old);
31899+ goto out1;
31900+ }
31901+
31902 read_lock(&current->fs->lock);
31903 root = current->fs->root;
31904 path_get(&current->fs->root);
57199397
MT		 31905diff -urNp linux-2.6.35.4/fs/nfs/inode.c linux-2.6.35.4/fs/nfs/inode.c
31906--- linux-2.6.35.4/fs/nfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31907+++ linux-2.6.35.4/fs/nfs/inode.c 2010-09-17 20:12:09.000000000 -0400
31908@@ -915,16 +915,16 @@ static int nfs_size_need_update(const st
ae4e228f
MT		 31909 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
31910 }
31911
31912-static atomic_long_t nfs_attr_generation_counter;
31913+static atomic_long_unchecked_t nfs_attr_generation_counter;
31914
31915 static unsigned long nfs_read_attr_generation_counter(void)
31916 {
31917- return atomic_long_read(&nfs_attr_generation_counter);
31918+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
31919 }
31920
31921 unsigned long nfs_inc_attr_generation_counter(void)
31922 {
31923- return atomic_long_inc_return(&nfs_attr_generation_counter);
31924+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
31925 }
31926
31927 void nfs_fattr_init(struct nfs_fattr *fattr)
57199397
MT		 31928diff -urNp linux-2.6.35.4/fs/nfs/nfs4proc.c linux-2.6.35.4/fs/nfs/nfs4proc.c
31929--- linux-2.6.35.4/fs/nfs/nfs4proc.c 2010-08-26 19:47:12.000000000 -0400
31930+++ linux-2.6.35.4/fs/nfs/nfs4proc.c 2010-09-17 20:12:09.000000000 -0400
31931@@ -1166,7 +1166,7 @@ static int _nfs4_do_open_reclaim(struct
58c5fc13
MT		 31932 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
31933 {
31934 struct nfs_server *server = NFS_SERVER(state->inode);
31935- struct nfs4_exception exception = { };
31936+ struct nfs4_exception exception = {0, 0};
31937 int err;
31938 do {
31939 err = _nfs4_do_open_reclaim(ctx, state);
57199397 31940@@ -1208,7 +1208,7 @@ static int _nfs4_open_delegation_recall(
58c5fc13
MT		 31941
31942 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
31943 {
31944- struct nfs4_exception exception = { };
31945+ struct nfs4_exception exception = {0, 0};
31946 struct nfs_server *server = NFS_SERVER(state->inode);
31947 int err;
31948 do {
57199397 31949@@ -1581,7 +1581,7 @@ static int _nfs4_open_expired(struct nfs
ae4e228f 31950 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
58c5fc13
MT		 31951 {
31952 struct nfs_server *server = NFS_SERVER(state->inode);
31953- struct nfs4_exception exception = { };
31954+ struct nfs4_exception exception = {0, 0};
31955 int err;
31956
31957 do {
57199397 31958@@ -1697,7 +1697,7 @@ out_err:
58c5fc13
MT		 31959
31960 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
31961 {
31962- struct nfs4_exception exception = { };
31963+ struct nfs4_exception exception = {0, 0};
31964 struct nfs4_state *res;
31965 int status;
31966
57199397 31967@@ -1788,7 +1788,7 @@ static int nfs4_do_setattr(struct inode
58c5fc13
MT		 31968 struct nfs4_state *state)
31969 {
31970 struct nfs_server *server = NFS_SERVER(inode);
31971- struct nfs4_exception exception = { };
31972+ struct nfs4_exception exception = {0, 0};
31973 int err;
31974 do {
31975 err = nfs4_handle_exception(server,
57199397 31976@@ -2166,7 +2166,7 @@ static int _nfs4_server_capabilities(str
58c5fc13
MT		 31977
31978 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
31979 {
31980- struct nfs4_exception exception = { };
31981+ struct nfs4_exception exception = {0, 0};
31982 int err;
31983 do {
31984 err = nfs4_handle_exception(server,
57199397 31985@@ -2200,7 +2200,7 @@ static int _nfs4_lookup_root(struct nfs_
58c5fc13
MT		 31986 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
31987 struct nfs_fsinfo *info)
31988 {
31989- struct nfs4_exception exception = { };
31990+ struct nfs4_exception exception = {0, 0};
31991 int err;
31992 do {
31993 err = nfs4_handle_exception(server,
57199397 31994@@ -2289,7 +2289,7 @@ static int _nfs4_proc_getattr(struct nfs
58c5fc13
MT		 31995
31996 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
31997 {
31998- struct nfs4_exception exception = { };
31999+ struct nfs4_exception exception = {0, 0};
32000 int err;
32001 do {
32002 err = nfs4_handle_exception(server,
57199397 32003@@ -2377,7 +2377,7 @@ static int nfs4_proc_lookupfh(struct nfs
58c5fc13
MT		 32004 struct qstr *name, struct nfs_fh *fhandle,
32005 struct nfs_fattr *fattr)
32006 {
32007- struct nfs4_exception exception = { };
32008+ struct nfs4_exception exception = {0, 0};
32009 int err;
32010 do {
32011 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
57199397 32012@@ -2406,7 +2406,7 @@ static int _nfs4_proc_lookup(struct inod
58c5fc13
MT		 32013
32014 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32015 {
32016- struct nfs4_exception exception = { };
32017+ struct nfs4_exception exception = {0, 0};
32018 int err;
32019 do {
32020 err = nfs4_handle_exception(NFS_SERVER(dir),
57199397 32021@@ -2473,7 +2473,7 @@ static int _nfs4_proc_access(struct inod
58c5fc13
MT		 32022
32023 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32024 {
32025- struct nfs4_exception exception = { };
32026+ struct nfs4_exception exception = {0, 0};
32027 int err;
32028 do {
32029 err = nfs4_handle_exception(NFS_SERVER(inode),
57199397 32030@@ -2529,7 +2529,7 @@ static int _nfs4_proc_readlink(struct in
58c5fc13
MT		 32031 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32032 unsigned int pgbase, unsigned int pglen)
32033 {
32034- struct nfs4_exception exception = { };
32035+ struct nfs4_exception exception = {0, 0};
32036 int err;
32037 do {
32038 err = nfs4_handle_exception(NFS_SERVER(inode),
57199397 32039@@ -2625,7 +2625,7 @@ out:
58c5fc13
MT		 32040
32041 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32042 {
32043- struct nfs4_exception exception = { };
32044+ struct nfs4_exception exception = {0, 0};
32045 int err;
32046 do {
32047 err = nfs4_handle_exception(NFS_SERVER(dir),
57199397 32048@@ -2700,7 +2700,7 @@ out:
58c5fc13
MT		 32049 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32050 struct inode *new_dir, struct qstr *new_name)
32051 {
32052- struct nfs4_exception exception = { };
32053+ struct nfs4_exception exception = {0, 0};
32054 int err;
32055 do {
32056 err = nfs4_handle_exception(NFS_SERVER(old_dir),
57199397 32057@@ -2749,7 +2749,7 @@ out:
58c5fc13
MT		 32058
32059 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32060 {
32061- struct nfs4_exception exception = { };
32062+ struct nfs4_exception exception = {0, 0};
32063 int err;
32064 do {
32065 err = nfs4_handle_exception(NFS_SERVER(inode),
57199397 32066@@ -2841,7 +2841,7 @@ out:
58c5fc13
MT		 32067 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32068 struct page *page, unsigned int len, struct iattr *sattr)
32069 {
32070- struct nfs4_exception exception = { };
32071+ struct nfs4_exception exception = {0, 0};
32072 int err;
32073 do {
32074 err = nfs4_handle_exception(NFS_SERVER(dir),
57199397 32075@@ -2872,7 +2872,7 @@ out:
58c5fc13
MT		 32076 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32077 struct iattr *sattr)
32078 {
32079- struct nfs4_exception exception = { };
32080+ struct nfs4_exception exception = {0, 0};
32081 int err;
32082 do {
32083 err = nfs4_handle_exception(NFS_SERVER(dir),
57199397 32084@@ -2921,7 +2921,7 @@ static int _nfs4_proc_readdir(struct den
58c5fc13
MT		 32085 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32086 u64 cookie, struct page *page, unsigned int count, int plus)
32087 {
32088- struct nfs4_exception exception = { };
32089+ struct nfs4_exception exception = {0, 0};
32090 int err;
32091 do {
32092 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
57199397 32093@@ -2969,7 +2969,7 @@ out:
58c5fc13
MT		 32094 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32095 struct iattr *sattr, dev_t rdev)
32096 {
32097- struct nfs4_exception exception = { };
32098+ struct nfs4_exception exception = {0, 0};
32099 int err;
32100 do {
32101 err = nfs4_handle_exception(NFS_SERVER(dir),
57199397 32102@@ -3001,7 +3001,7 @@ static int _nfs4_proc_statfs(struct nfs_
58c5fc13
MT		 32103
32104 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32105 {
32106- struct nfs4_exception exception = { };
32107+ struct nfs4_exception exception = {0, 0};
32108 int err;
32109 do {
32110 err = nfs4_handle_exception(server,
57199397 32111@@ -3032,7 +3032,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
58c5fc13
MT		 32112
32113 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32114 {
32115- struct nfs4_exception exception = { };
32116+ struct nfs4_exception exception = {0, 0};
32117 int err;
32118
32119 do {
57199397 32120@@ -3078,7 +3078,7 @@ static int _nfs4_proc_pathconf(struct nf
58c5fc13
MT		 32121 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32122 struct nfs_pathconf *pathconf)
32123 {
32124- struct nfs4_exception exception = { };
32125+ struct nfs4_exception exception = {0, 0};
32126 int err;
32127
32128 do {
57199397 32129@@ -3399,7 +3399,7 @@ out_free:
58c5fc13
MT		 32130
32131 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32132 {
32133- struct nfs4_exception exception = { };
32134+ struct nfs4_exception exception = {0, 0};
32135 ssize_t ret;
32136 do {
32137 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
57199397 32138@@ -3455,7 +3455,7 @@ static int __nfs4_proc_set_acl(struct in
58c5fc13
MT		 32139
32140 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32141 {
32142- struct nfs4_exception exception = { };
32143+ struct nfs4_exception exception = {0, 0};
32144 int err;
32145 do {
32146 err = nfs4_handle_exception(NFS_SERVER(inode),
57199397 32147@@ -3745,7 +3745,7 @@ out:
58c5fc13
MT		 32148 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32149 {
32150 struct nfs_server *server = NFS_SERVER(inode);
32151- struct nfs4_exception exception = { };
32152+ struct nfs4_exception exception = {0, 0};
32153 int err;
32154 do {
32155 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
57199397 32156@@ -3818,7 +3818,7 @@ out:
58c5fc13
MT		 32157
32158 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32159 {
32160- struct nfs4_exception exception = { };
32161+ struct nfs4_exception exception = {0, 0};
32162 int err;
32163
32164 do {
57199397 32165@@ -4232,7 +4232,7 @@ static int _nfs4_do_setlk(struct nfs4_st
58c5fc13
MT		 32166 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32167 {
32168 struct nfs_server *server = NFS_SERVER(state->inode);
32169- struct nfs4_exception exception = { };
32170+ struct nfs4_exception exception = {0, 0};
32171 int err;
32172
32173 do {
57199397 32174@@ -4250,7 +4250,7 @@ static int nfs4_lock_reclaim(struct nfs4
58c5fc13
MT		 32175 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32176 {
32177 struct nfs_server *server = NFS_SERVER(state->inode);
32178- struct nfs4_exception exception = { };
32179+ struct nfs4_exception exception = {0, 0};
32180 int err;
32181
32182 err = nfs4_set_lock_state(state, request);
57199397 32183@@ -4315,7 +4315,7 @@ out:
58c5fc13
MT		 32184
32185 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32186 {
32187- struct nfs4_exception exception = { };
32188+ struct nfs4_exception exception = {0, 0};
32189 int err;
32190
32191 do {
57199397 32192@@ -4375,7 +4375,7 @@ nfs4_proc_lock(struct file *filp, int cm
58c5fc13
MT		 32193 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32194 {
32195 struct nfs_server *server = NFS_SERVER(state->inode);
32196- struct nfs4_exception exception = { };
32197+ struct nfs4_exception exception = {0, 0};
32198 int err;
32199
32200 err = nfs4_set_lock_state(state, fl);
57199397
MT		 32201diff -urNp linux-2.6.35.4/fs/nfsd/lockd.c linux-2.6.35.4/fs/nfsd/lockd.c
32202--- linux-2.6.35.4/fs/nfsd/lockd.c 2010-08-26 19:47:12.000000000 -0400
32203+++ linux-2.6.35.4/fs/nfsd/lockd.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 32204@@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32205 fput(filp);
58c5fc13
MT		 32206 }
32207
ae4e228f
MT		 32208-static struct nlmsvc_binding nfsd_nlm_ops = {
32209+static const struct nlmsvc_binding nfsd_nlm_ops = {
32210 .fopen = nlm_fopen, /* open file for locking */
32211 .fclose = nlm_fclose, /* close file */
58c5fc13 32212 };
57199397
MT		 32213diff -urNp linux-2.6.35.4/fs/nfsd/nfsctl.c linux-2.6.35.4/fs/nfsd/nfsctl.c
32214--- linux-2.6.35.4/fs/nfsd/nfsctl.c 2010-08-26 19:47:12.000000000 -0400
32215+++ linux-2.6.35.4/fs/nfsd/nfsctl.c 2010-09-17 20:12:09.000000000 -0400
32216@@ -163,7 +163,7 @@ static int export_features_open(struct i
ae4e228f 32217 return single_open(file, export_features_show, NULL);
58c5fc13
MT		 32218 }
32219
ae4e228f
MT		 32220-static struct file_operations export_features_operations = {
32221+static const struct file_operations export_features_operations = {
32222 .open = export_features_open,
32223 .read = seq_read,
32224 .llseek = seq_lseek,
57199397
MT		 32225diff -urNp linux-2.6.35.4/fs/nfsd/vfs.c linux-2.6.35.4/fs/nfsd/vfs.c
32226--- linux-2.6.35.4/fs/nfsd/vfs.c 2010-08-26 19:47:12.000000000 -0400
32227+++ linux-2.6.35.4/fs/nfsd/vfs.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 32228@@ -933,7 +933,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
ae4e228f
MT		 32229 } else {
32230 oldfs = get_fs();
32231 set_fs(KERNEL_DS);
32232- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32233+ host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
32234 set_fs(oldfs);
32235 }
32236
df50ba0c 32237@@ -1056,7 +1056,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
ae4e228f
MT		 32238
32239 /* Write the data. */
32240 oldfs = get_fs(); set_fs(KERNEL_DS);
32241- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32242+ host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32243 set_fs(oldfs);
32244 if (host_err < 0)
32245 goto out_nfserr;
57199397 32246@@ -1541,7 +1541,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
ae4e228f 32247 */
58c5fc13 32248
ae4e228f
MT		 32249 oldfs = get_fs(); set_fs(KERNEL_DS);
32250- host_err = inode->i_op->readlink(dentry, buf, *lenp);
32251+ host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32252 set_fs(oldfs);
58c5fc13 32253
ae4e228f 32254 if (host_err < 0)
57199397
MT		 32255diff -urNp linux-2.6.35.4/fs/nls/nls_base.c linux-2.6.35.4/fs/nls/nls_base.c
32256--- linux-2.6.35.4/fs/nls/nls_base.c 2010-08-26 19:47:12.000000000 -0400
32257+++ linux-2.6.35.4/fs/nls/nls_base.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 32258@@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32259 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32260 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32261 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32262- {0, /* end of table */}
32263+ {0, 0, 0, 0, 0, /* end of table */}
32264 };
32265
32266 #define UNICODE_MAX 0x0010ffff
57199397
MT		 32267diff -urNp linux-2.6.35.4/fs/ntfs/file.c linux-2.6.35.4/fs/ntfs/file.c
32268--- linux-2.6.35.4/fs/ntfs/file.c 2010-08-26 19:47:12.000000000 -0400
32269+++ linux-2.6.35.4/fs/ntfs/file.c 2010-09-17 20:12:09.000000000 -0400
32270@@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
58c5fc13
MT		 32271 #endif /* NTFS_RW */
32272 };
32273
32274-const struct file_operations ntfs_empty_file_ops = {};
ae4e228f 32275+const struct file_operations ntfs_empty_file_ops __read_only;
58c5fc13
MT		 32276
32277-const struct inode_operations ntfs_empty_inode_ops = {};
ae4e228f 32278+const struct inode_operations ntfs_empty_inode_ops __read_only;
57199397
MT		 32279diff -urNp linux-2.6.35.4/fs/ocfs2/localalloc.c linux-2.6.35.4/fs/ocfs2/localalloc.c
32280--- linux-2.6.35.4/fs/ocfs2/localalloc.c 2010-08-26 19:47:12.000000000 -0400
32281+++ linux-2.6.35.4/fs/ocfs2/localalloc.c 2010-09-17 20:12:09.000000000 -0400
32282@@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
58c5fc13
MT		 32283 goto bail;
32284 }
32285
32286- atomic_inc(&osb->alloc_stats.moves);
32287+ atomic_inc_unchecked(&osb->alloc_stats.moves);
32288
58c5fc13 32289 bail:
57199397
MT		 32290 if (handle)
32291diff -urNp linux-2.6.35.4/fs/ocfs2/ocfs2.h linux-2.6.35.4/fs/ocfs2/ocfs2.h
32292--- linux-2.6.35.4/fs/ocfs2/ocfs2.h 2010-08-26 19:47:12.000000000 -0400
32293+++ linux-2.6.35.4/fs/ocfs2/ocfs2.h 2010-09-17 20:12:09.000000000 -0400
32294@@ -223,11 +223,11 @@ enum ocfs2_vol_state
58c5fc13
MT		 32295
32296 struct ocfs2_alloc_stats
32297 {
32298- atomic_t moves;
32299- atomic_t local_data;
32300- atomic_t bitmap_data;
32301- atomic_t bg_allocs;
32302- atomic_t bg_extends;
32303+ atomic_unchecked_t moves;
32304+ atomic_unchecked_t local_data;
32305+ atomic_unchecked_t bitmap_data;
32306+ atomic_unchecked_t bg_allocs;
32307+ atomic_unchecked_t bg_extends;
32308 };
32309
32310 enum ocfs2_local_alloc_state
57199397
MT		 32311diff -urNp linux-2.6.35.4/fs/ocfs2/suballoc.c linux-2.6.35.4/fs/ocfs2/suballoc.c
32312--- linux-2.6.35.4/fs/ocfs2/suballoc.c 2010-08-26 19:47:12.000000000 -0400
32313+++ linux-2.6.35.4/fs/ocfs2/suballoc.c 2010-09-17 20:12:09.000000000 -0400
32314@@ -856,7 +856,7 @@ static int ocfs2_reserve_suballoc_bits(s
58c5fc13
MT		 32315 mlog_errno(status);
32316 goto bail;
32317 }
32318- atomic_inc(&osb->alloc_stats.bg_extends);
32319+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32320
32321 /* You should never ask for this much metadata */
32322 BUG_ON(bits_wanted >
57199397 32323@@ -1968,7 +1968,7 @@ int ocfs2_claim_metadata(handle_t *handl
58c5fc13
MT		 32324 mlog_errno(status);
32325 goto bail;
32326 }
57199397
MT		 32327- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32328+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
58c5fc13 32329
57199397
MT		 32330 *suballoc_loc = res.sr_bg_blkno;
32331 *suballoc_bit_start = res.sr_bit_offset;
32332@@ -2045,7 +2045,7 @@ int ocfs2_claim_new_inode(handle_t *hand
58c5fc13
MT		 32333 mlog_errno(status);
32334 goto bail;
32335 }
57199397
MT		 32336- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32337+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
58c5fc13 32338
57199397 32339 BUG_ON(res.sr_bits != 1);
58c5fc13 32340
57199397 32341@@ -2150,7 +2150,7 @@ int __ocfs2_claim_clusters(handle_t *han
58c5fc13
MT		 32342 cluster_start,
32343 num_clusters);
32344 if (!status)
32345- atomic_inc(&osb->alloc_stats.local_data);
32346+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
32347 } else {
32348 if (min_clusters > (osb->bitmap_cpg - 1)) {
32349 /* The only paths asking for contiguousness
57199397 32350@@ -2176,7 +2176,7 @@ int __ocfs2_claim_clusters(handle_t *han
58c5fc13 32351 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
57199397
MT		 32352 res.sr_bg_blkno,
32353 res.sr_bit_offset);
58c5fc13
MT		 32354- atomic_inc(&osb->alloc_stats.bitmap_data);
32355+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
57199397 32356 *num_clusters = res.sr_bits;
58c5fc13
MT		 32357 }
32358 }
57199397
MT		 32359diff -urNp linux-2.6.35.4/fs/ocfs2/super.c linux-2.6.35.4/fs/ocfs2/super.c
32360--- linux-2.6.35.4/fs/ocfs2/super.c 2010-08-26 19:47:12.000000000 -0400
32361+++ linux-2.6.35.4/fs/ocfs2/super.c 2010-09-17 20:12:09.000000000 -0400
32362@@ -293,11 +293,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
58c5fc13
MT		 32363 "%10s => GlobalAllocs: %d LocalAllocs: %d "
32364 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
32365 "Stats",
32366- atomic_read(&osb->alloc_stats.bitmap_data),
32367- atomic_read(&osb->alloc_stats.local_data),
32368- atomic_read(&osb->alloc_stats.bg_allocs),
32369- atomic_read(&osb->alloc_stats.moves),
32370- atomic_read(&osb->alloc_stats.bg_extends));
32371+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
32372+ atomic_read_unchecked(&osb->alloc_stats.local_data),
32373+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
32374+ atomic_read_unchecked(&osb->alloc_stats.moves),
32375+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
32376
32377 out += snprintf(buf + out, len - out,
32378 "%10s => State: %u Descriptor: %llu Size: %u bits "
57199397 32379@@ -2047,11 +2047,11 @@ static int ocfs2_initialize_super(struct
58c5fc13 32380 spin_lock_init(&osb->osb_xattr_lock);
df50ba0c 32381 ocfs2_init_steal_slots(osb);
58c5fc13
MT		 32382
32383- atomic_set(&osb->alloc_stats.moves, 0);
32384- atomic_set(&osb->alloc_stats.local_data, 0);
32385- atomic_set(&osb->alloc_stats.bitmap_data, 0);
32386- atomic_set(&osb->alloc_stats.bg_allocs, 0);
32387- atomic_set(&osb->alloc_stats.bg_extends, 0);
32388+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
32389+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
32390+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
32391+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
32392+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
32393
32394 /* Copy the blockcheck stats from the superblock probe */
32395 osb->osb_ecc_stats = *stats;
57199397
MT		 32396diff -urNp linux-2.6.35.4/fs/ocfs2/symlink.c linux-2.6.35.4/fs/ocfs2/symlink.c
32397--- linux-2.6.35.4/fs/ocfs2/symlink.c 2010-08-26 19:47:12.000000000 -0400
32398+++ linux-2.6.35.4/fs/ocfs2/symlink.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 32399@@ -148,7 +148,7 @@ bail:
58c5fc13 32400
ae4e228f
MT		 32401 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32402 {
32403- char *link = nd_get_link(nd);
32404+ const char *link = nd_get_link(nd);
32405 if (!IS_ERR(link))
32406 kfree(link);
58c5fc13 32407 }
57199397
MT		 32408diff -urNp linux-2.6.35.4/fs/open.c linux-2.6.35.4/fs/open.c
32409--- linux-2.6.35.4/fs/open.c 2010-08-26 19:47:12.000000000 -0400
32410+++ linux-2.6.35.4/fs/open.c 2010-09-17 20:12:37.000000000 -0400
32411@@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l
58c5fc13
MT		 32412 if (length < 0)
32413 return -EINVAL;
32414
32415+ if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
32416+ return -EACCES;
32417+
32418 newattrs.ia_size = length;
32419 newattrs.ia_valid = ATTR_SIZE | time_attrs;
32420 if (filp) {
57199397 32421@@ -345,6 +348,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
58c5fc13
MT		 32422 if (__mnt_is_readonly(path.mnt))
32423 res = -EROFS;
32424
32425+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
32426+ res = -EACCES;
32427+
32428 out_path_release:
32429 path_put(&path);
32430 out:
57199397 32431@@ -371,6 +377,8 @@ SYSCALL_DEFINE1(chdir, const char __user
58c5fc13
MT		 32432 if (error)
32433 goto dput_and_out;
32434
32435+ gr_log_chdir(path.dentry, path.mnt);
32436+
32437 set_fs_pwd(current->fs, &path);
32438
32439 dput_and_out:
57199397 32440@@ -397,6 +405,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
58c5fc13
MT		 32441 goto out_putf;
32442
32443 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
32444+
32445+ if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
32446+ error = -EPERM;
32447+
32448+ if (!error)
32449+ gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
32450+
32451 if (!error)
32452 set_fs_pwd(current->fs, &file->f_path);
32453 out_putf:
57199397 32454@@ -425,7 +440,18 @@ SYSCALL_DEFINE1(chroot, const char __use
ae4e228f 32455 if (error)
58c5fc13
MT		 32456 goto dput_and_out;
32457
32458+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
32459+ goto dput_and_out;
32460+
32461+ if (gr_handle_chroot_caps(&path)) {
32462+ error = -ENOMEM;
32463+ goto dput_and_out;
32464+ }
32465+
32466 set_fs_root(current->fs, &path);
32467+
32468+ gr_handle_chroot_chdir(&path);
32469+
32470 error = 0;
32471 dput_and_out:
32472 path_put(&path);
57199397 32473@@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
58c5fc13
MT		 32474 err = mnt_want_write_file(file);
32475 if (err)
32476 goto out_putf;
32477+
32478+ if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
32479+ err = -EACCES;
32480+ goto out_drop_write;
32481+ }
32482+
32483 mutex_lock(&inode->i_mutex);
ae4e228f
MT		 32484 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
32485 if (err)
57199397 32486@@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
58c5fc13 32487 err = notify_change(dentry, &newattrs);
ae4e228f 32488 out_unlock:
58c5fc13 32489 mutex_unlock(&inode->i_mutex);
58c5fc13
MT		 32490+out_drop_write:
32491 mnt_drop_write(file->f_path.mnt);
32492 out_putf:
32493 fput(file);
57199397 32494@@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
58c5fc13
MT		 32495 error = mnt_want_write(path.mnt);
32496 if (error)
32497 goto dput_and_out;
32498+
32499+ if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
32500+ error = -EACCES;
32501+ goto out_drop_write;
32502+ }
32503+
32504 mutex_lock(&inode->i_mutex);
ae4e228f
MT		 32505 error = security_path_chmod(path.dentry, path.mnt, mode);
32506 if (error)
32507 goto out_unlock;
58c5fc13
MT		 32508 if (mode == (mode_t) -1)
32509 mode = inode->i_mode;
32510+
32511+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
32512+ error = -EACCES;
ae4e228f 32513+ goto out_unlock;
58c5fc13
MT		 32514+ }
32515+
32516 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
32517 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
32518 error = notify_change(path.dentry, &newattrs);
ae4e228f 32519 out_unlock:
58c5fc13 32520 mutex_unlock(&inode->i_mutex);
58c5fc13
MT		 32521+out_drop_write:
32522 mnt_drop_write(path.mnt);
32523 dput_and_out:
32524 path_put(&path);
57199397 32525@@ -515,6 +561,9 @@ static int chown_common(struct path *pat
58c5fc13
MT		 32526 int error;
32527 struct iattr newattrs;
32528
ae4e228f 32529+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
58c5fc13
MT		 32530+ return -EACCES;
32531+
32532 newattrs.ia_valid = ATTR_CTIME;
32533 if (user != (uid_t) -1) {
32534 newattrs.ia_valid |= ATTR_UID;
57199397
MT		 32535diff -urNp linux-2.6.35.4/fs/pipe.c linux-2.6.35.4/fs/pipe.c
32536--- linux-2.6.35.4/fs/pipe.c 2010-08-26 19:47:12.000000000 -0400
32537+++ linux-2.6.35.4/fs/pipe.c 2010-09-17 20:12:37.000000000 -0400
32538@@ -420,9 +420,9 @@ redo:
ae4e228f
MT		 32539 }
32540 if (bufs) /* More to do? */
32541 continue;
32542- if (!pipe->writers)
32543+ if (!atomic_read(&pipe->writers))
32544 break;
32545- if (!pipe->waiting_writers) {
32546+ if (!atomic_read(&pipe->waiting_writers)) {
32547 /* syscall merging: Usually we must not sleep
32548 * if O_NONBLOCK is set, or if we got some data.
32549 * But if a writer sleeps in kernel space, then
57199397 32550@@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
ae4e228f
MT		 32551 mutex_lock(&inode->i_mutex);
32552 pipe = inode->i_pipe;
32553
32554- if (!pipe->readers) {
32555+ if (!atomic_read(&pipe->readers)) {
32556 send_sig(SIGPIPE, current, 0);
32557 ret = -EPIPE;
32558 goto out;
57199397 32559@@ -530,7 +530,7 @@ redo1:
ae4e228f
MT		 32560 for (;;) {
32561 int bufs;
32562
32563- if (!pipe->readers) {
32564+ if (!atomic_read(&pipe->readers)) {
32565 send_sig(SIGPIPE, current, 0);
32566 if (!ret)
32567 ret = -EPIPE;
57199397 32568@@ -616,9 +616,9 @@ redo2:
ae4e228f
MT		 32569 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
32570 do_wakeup = 0;
32571 }
32572- pipe->waiting_writers++;
32573+ atomic_inc(&pipe->waiting_writers);
32574 pipe_wait(pipe);
32575- pipe->waiting_writers--;
32576+ atomic_dec(&pipe->waiting_writers);
32577 }
32578 out:
32579 mutex_unlock(&inode->i_mutex);
57199397 32580@@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
ae4e228f
MT		 32581 mask = 0;
32582 if (filp->f_mode & FMODE_READ) {
32583 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
32584- if (!pipe->writers && filp->f_version != pipe->w_counter)
32585+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
32586 mask |= POLLHUP;
32587 }
32588
57199397 32589@@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
ae4e228f
MT		 32590 * Most Unices do not set POLLERR for FIFOs but on Linux they
32591 * behave exactly like pipes for poll().
32592 */
32593- if (!pipe->readers)
32594+ if (!atomic_read(&pipe->readers))
32595 mask |= POLLERR;
32596 }
32597
57199397 32598@@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
ae4e228f
MT		 32599
32600 mutex_lock(&inode->i_mutex);
32601 pipe = inode->i_pipe;
32602- pipe->readers -= decr;
32603- pipe->writers -= decw;
32604+ atomic_sub(decr, &pipe->readers);
32605+ atomic_sub(decw, &pipe->writers);
32606
32607- if (!pipe->readers && !pipe->writers) {
32608+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
32609 free_pipe_info(inode);
32610 } else {
32611 wake_up_interruptible_sync(&pipe->wait);
57199397 32612@@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
ae4e228f
MT		 32613
32614 if (inode->i_pipe) {
32615 ret = 0;
32616- inode->i_pipe->readers++;
32617+ atomic_inc(&inode->i_pipe->readers);
32618 }
32619
32620 mutex_unlock(&inode->i_mutex);
57199397 32621@@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
ae4e228f
MT		 32622
32623 if (inode->i_pipe) {
32624 ret = 0;
32625- inode->i_pipe->writers++;
32626+ atomic_inc(&inode->i_pipe->writers);
32627 }
32628
32629 mutex_unlock(&inode->i_mutex);
57199397 32630@@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
ae4e228f
MT		 32631 if (inode->i_pipe) {
32632 ret = 0;
32633 if (filp->f_mode & FMODE_READ)
32634- inode->i_pipe->readers++;
32635+ atomic_inc(&inode->i_pipe->readers);
32636 if (filp->f_mode & FMODE_WRITE)
32637- inode->i_pipe->writers++;
32638+ atomic_inc(&inode->i_pipe->writers);
32639 }
32640
32641 mutex_unlock(&inode->i_mutex);
57199397 32642@@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
58c5fc13
MT		 32643 inode->i_pipe = NULL;
32644 }
32645
32646-static struct vfsmount *pipe_mnt __read_mostly;
32647+struct vfsmount *pipe_mnt __read_mostly;
ae4e228f
MT		 32648
32649 /*
32650 * pipefs_dname() is called from d_path().
57199397 32651@@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
ae4e228f
MT		 32652 goto fail_iput;
32653 inode->i_pipe = pipe;
32654
32655- pipe->readers = pipe->writers = 1;
32656+ atomic_set(&pipe->readers, 1);
32657+ atomic_set(&pipe->writers, 1);
32658 inode->i_fop = &rdwr_pipefifo_fops;
32659
58c5fc13 32660 /*
57199397
MT		 32661diff -urNp linux-2.6.35.4/fs/proc/array.c linux-2.6.35.4/fs/proc/array.c
32662--- linux-2.6.35.4/fs/proc/array.c 2010-08-26 19:47:12.000000000 -0400
32663+++ linux-2.6.35.4/fs/proc/array.c 2010-09-17 20:12:37.000000000 -0400
32664@@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
32665 seq_printf(m, "\n");
32666 }
32667
32668+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32669+static inline void task_pax(struct seq_file *m, struct task_struct *p)
32670+{
32671+ if (p->mm)
32672+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
32673+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
32674+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
32675+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
32676+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
32677+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
32678+ else
32679+ seq_printf(m, "PaX:\t-----\n");
32680+}
32681+#endif
32682+
32683 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
32684 struct pid *pid, struct task_struct *task)
32685 {
32686@@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m,
32687 task_show_regs(m, task);
32688 #endif
32689 task_context_switch_counts(m, task);
32690+
32691+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32692+ task_pax(m, task);
32693+#endif
32694+
32695 return 0;
32696 }
32697
32698+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32699+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32700+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
32701+ _mm->pax_flags & MF_PAX_SEGMEXEC))
32702+#endif
32703+
32704 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
32705 struct pid *pid, struct task_struct *task, int whole)
32706 {
32707@@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file
32708 gtime = task->gtime;
32709 }
32710
32711+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32712+ if (PAX_RAND_FLAGS(mm)) {
32713+ eip = 0;
32714+ esp = 0;
32715+ wchan = 0;
32716+ }
32717+#endif
32718+#ifdef CONFIG_GRKERNSEC_HIDESYM
32719+ wchan = 0;
32720+ eip =0;
32721+ esp =0;
32722+#endif
32723+
32724 /* scale priority and nice values from timeslices to -20..20 */
32725 /* to make it look like a "normal" Unix priority/nice value */
32726 priority = task_prio(task);
32727@@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file
32728 vsize,
32729 mm ? get_mm_rss(mm) : 0,
32730 rsslim,
32731+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32732+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
32733+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
32734+ PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
32735+#else
32736 mm ? mm->start_code : 0,
32737 mm ? mm->end_code : 0,
32738 (permitted && mm) ? mm->start_stack : 0,
32739+#endif
32740 esp,
32741 eip,
32742 /* The signal information here is obsolete.
32743@@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
32744
32745 return 0;
32746 }
32747+
32748+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
32749+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
32750+{
32751+ return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
32752+}
32753+#endif
32754diff -urNp linux-2.6.35.4/fs/proc/base.c linux-2.6.35.4/fs/proc/base.c
32755--- linux-2.6.35.4/fs/proc/base.c 2010-08-26 19:47:12.000000000 -0400
32756+++ linux-2.6.35.4/fs/proc/base.c 2010-09-17 20:12:37.000000000 -0400
32757@@ -103,6 +103,22 @@ struct pid_entry {
32758 union proc_op op;
32759 };
32760
32761+struct getdents_callback {
32762+ struct linux_dirent __user * current_dir;
32763+ struct linux_dirent __user * previous;
32764+ struct file * file;
32765+ int count;
32766+ int error;
32767+};
32768+
32769+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
32770+ loff_t offset, u64 ino, unsigned int d_type)
32771+{
32772+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
32773+ buf->error = -EINVAL;
32774+ return 0;
32775+}
32776+
32777 #define NOD(NAME, MODE, IOP, FOP, OP) { \
32778 .name = (NAME), \
32779 .len = sizeof(NAME) - 1, \
32780@@ -202,6 +218,9 @@ static int check_mem_permission(struct t
32781 if (task == current)
32782 return 0;
32783
32784+ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
32785+ return -EPERM;
32786+
32787 /*
32788 * If current is actively ptrace'ing, and would also be
32789 * permitted to freshly attach with ptrace now, permit it.
32790@@ -249,6 +268,9 @@ static int proc_pid_cmdline(struct task_
32791 if (!mm->arg_end)
32792 goto out_mm; /* Shh! No looking before we're done */
32793
32794+ if (gr_acl_handle_procpidmem(task))
32795+ goto out_mm;
32796+
32797 len = mm->arg_end - mm->arg_start;
32798
32799 if (len > PAGE_SIZE)
32800@@ -276,12 +298,26 @@ out:
32801 return res;
32802 }
32803
32804+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32805+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32806+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
32807+ _mm->pax_flags & MF_PAX_SEGMEXEC))
32808+#endif
32809+
32810 static int proc_pid_auxv(struct task_struct *task, char *buffer)
32811 {
32812 int res = 0;
32813 struct mm_struct *mm = get_task_mm(task);
32814 if (mm) {
32815 unsigned int nwords = 0;
32816+
32817+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32818+ if (PAX_RAND_FLAGS(mm)) {
32819+ mmput(mm);
32820+ return res;
32821+ }
32822+#endif
32823+
32824 do {
32825 nwords += 2;
32826 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
32827@@ -317,7 +353,7 @@ static int proc_pid_wchan(struct task_st
32828 }
32829 #endif /* CONFIG_KALLSYMS */
32830
32831-#ifdef CONFIG_STACKTRACE
32832+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32833
32834 #define MAX_STACK_TRACE_DEPTH 64
32835
32836@@ -511,7 +547,7 @@ static int proc_pid_limits(struct task_s
32837 return count;
32838 }
32839
32840-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32841+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32842 static int proc_pid_syscall(struct task_struct *task, char *buffer)
32843 {
32844 long nr;
32845@@ -920,6 +956,9 @@ static ssize_t environ_read(struct file
32846 if (!task)
32847 goto out_no_task;
32848
32849+ if (gr_acl_handle_procpidmem(task))
32850+ goto out;
32851+
32852 if (!ptrace_may_access(task, PTRACE_MODE_READ))
32853 goto out;
32854
32855@@ -1514,7 +1553,11 @@ static struct inode *proc_pid_make_inode
32856 rcu_read_lock();
32857 cred = __task_cred(task);
32858 inode->i_uid = cred->euid;
32859+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32860+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32861+#else
32862 inode->i_gid = cred->egid;
32863+#endif
32864 rcu_read_unlock();
32865 }
32866 security_task_to_inode(task, inode);
32867@@ -1532,6 +1575,9 @@ static int pid_getattr(struct vfsmount *
32868 struct inode *inode = dentry->d_inode;
32869 struct task_struct *task;
32870 const struct cred *cred;
32871+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32872+ const struct cred *tmpcred = current_cred();
32873+#endif
32874
32875 generic_fillattr(inode, stat);
32876
32877@@ -1539,12 +1585,34 @@ static int pid_getattr(struct vfsmount *
32878 stat->uid = 0;
32879 stat->gid = 0;
32880 task = pid_task(proc_pid(inode), PIDTYPE_PID);
32881+
32882+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
32883+ rcu_read_unlock();
32884+ return -ENOENT;
32885+ }
32886+
32887 if (task) {
32888+ cred = __task_cred(task);
32889+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32890+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
32891+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32892+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
32893+#endif
32894+ )
32895+#endif
32896 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32897+#ifdef CONFIG_GRKERNSEC_PROC_USER
32898+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32899+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32900+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32901+#endif
32902 task_dumpable(task)) {
32903- cred = __task_cred(task);
32904 stat->uid = cred->euid;
32905+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32906+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
32907+#else
32908 stat->gid = cred->egid;
32909+#endif
32910 }
32911 }
32912 rcu_read_unlock();
32913@@ -1576,11 +1644,20 @@ static int pid_revalidate(struct dentry
32914
32915 if (task) {
32916 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32917+#ifdef CONFIG_GRKERNSEC_PROC_USER
32918+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32919+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32920+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32921+#endif
32922 task_dumpable(task)) {
32923 rcu_read_lock();
32924 cred = __task_cred(task);
32925 inode->i_uid = cred->euid;
32926+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32927+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32928+#else
32929 inode->i_gid = cred->egid;
32930+#endif
32931 rcu_read_unlock();
32932 } else {
32933 inode->i_uid = 0;
32934@@ -1701,7 +1778,8 @@ static int proc_fd_info(struct inode *in
32935 int fd = proc_fd(inode);
32936
32937 if (task) {
32938- files = get_files_struct(task);
32939+ if (!gr_acl_handle_procpidmem(task))
32940+ files = get_files_struct(task);
32941 put_task_struct(task);
32942 }
32943 if (files) {
32944@@ -1953,12 +2031,22 @@ static const struct file_operations proc
32945 static int proc_fd_permission(struct inode *inode, int mask)
32946 {
32947 int rv;
32948+ struct task_struct *task;
32949
32950 rv = generic_permission(inode, mask, NULL);
32951- if (rv == 0)
32952- return 0;
32953+
32954 if (task_pid(current) == proc_pid(inode))
32955 rv = 0;
32956+
32957+ task = get_proc_task(inode);
32958+ if (task == NULL)
32959+ return rv;
32960+
32961+ if (gr_acl_handle_procpidmem(task))
32962+ rv = -EACCES;
32963+
32964+ put_task_struct(task);
32965+
32966 return rv;
32967 }
32968
32969@@ -2067,6 +2155,9 @@ static struct dentry *proc_pident_lookup
32970 if (!task)
32971 goto out_no_task;
32972
32973+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32974+ goto out;
32975+
32976 /*
32977 * Yes, it does not scale. And it should not. Don't add
32978 * new entries into /proc/<tgid>/ without very good reasons.
32979@@ -2111,6 +2202,9 @@ static int proc_pident_readdir(struct fi
32980 if (!task)
32981 goto out_no_task;
32982
32983+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32984+ goto out;
32985+
32986 ret = 0;
32987 i = filp->f_pos;
32988 switch (i) {
32989@@ -2380,7 +2474,7 @@ static void *proc_self_follow_link(struc
32990 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
32991 void *cookie)
32992 {
32993- char *s = nd_get_link(nd);
32994+ const char *s = nd_get_link(nd);
32995 if (!IS_ERR(s))
32996 __putname(s);
32997 }
32998@@ -2580,7 +2674,7 @@ static const struct pid_entry tgid_base_
32999 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33000 #endif
33001 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33002-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33003+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33004 INF("syscall", S_IRUSR, proc_pid_syscall),
33005 #endif
33006 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33007@@ -2608,7 +2702,7 @@ static const struct pid_entry tgid_base_
33008 #ifdef CONFIG_KALLSYMS
33009 INF("wchan", S_IRUGO, proc_pid_wchan),
33010 #endif
33011-#ifdef CONFIG_STACKTRACE
33012+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33013 ONE("stack", S_IRUSR, proc_pid_stack),
33014 #endif
33015 #ifdef CONFIG_SCHEDSTATS
33016@@ -2638,6 +2732,9 @@ static const struct pid_entry tgid_base_
33017 #ifdef CONFIG_TASK_IO_ACCOUNTING
33018 INF("io", S_IRUGO, proc_tgid_io_accounting),
33019 #endif
33020+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33021+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33022+#endif
33023 };
33024
33025 static int proc_tgid_base_readdir(struct file * filp,
33026@@ -2762,7 +2859,14 @@ static struct dentry *proc_pid_instantia
33027 if (!inode)
33028 goto out;
33029
33030+#ifdef CONFIG_GRKERNSEC_PROC_USER
33031+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33032+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33033+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33034+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33035+#else
33036 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33037+#endif
33038 inode->i_op = &proc_tgid_base_inode_operations;
33039 inode->i_fop = &proc_tgid_base_operations;
33040 inode->i_flags|=S_IMMUTABLE;
33041@@ -2804,7 +2908,11 @@ struct dentry *proc_pid_lookup(struct in
33042 if (!task)
33043 goto out;
33044
33045+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33046+ goto out_put_task;
33047+
33048 result = proc_pid_instantiate(dir, dentry, task, NULL);
33049+out_put_task:
33050 put_task_struct(task);
33051 out:
33052 return result;
33053@@ -2869,6 +2977,11 @@ int proc_pid_readdir(struct file * filp,
33054 {
33055 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33056 struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
33057+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33058+ const struct cred *tmpcred = current_cred();
33059+ const struct cred *itercred;
33060+#endif
33061+ filldir_t __filldir = filldir;
33062 struct tgid_iter iter;
33063 struct pid_namespace *ns;
33064
33065@@ -2887,8 +3000,27 @@ int proc_pid_readdir(struct file * filp,
33066 for (iter = next_tgid(ns, iter);
33067 iter.task;
33068 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33069+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33070+ rcu_read_lock();
33071+ itercred = __task_cred(iter.task);
33072+#endif
33073+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33074+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33075+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33076+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33077+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33078+#endif
33079+ )
33080+#endif
33081+ )
33082+ __filldir = &gr_fake_filldir;
33083+ else
33084+ __filldir = filldir;
33085+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33086+ rcu_read_unlock();
33087+#endif
33088 filp->f_pos = iter.tgid + TGID_OFFSET;
33089- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33090+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33091 put_task_struct(iter.task);
33092 goto out;
33093 }
33094@@ -2915,7 +3047,7 @@ static const struct pid_entry tid_base_s
33095 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33096 #endif
33097 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33098-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33099+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33100 INF("syscall", S_IRUSR, proc_pid_syscall),
33101 #endif
33102 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33103@@ -2942,7 +3074,7 @@ static const struct pid_entry tid_base_s
33104 #ifdef CONFIG_KALLSYMS
33105 INF("wchan", S_IRUGO, proc_pid_wchan),
33106 #endif
33107-#ifdef CONFIG_STACKTRACE
33108+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33109 ONE("stack", S_IRUSR, proc_pid_stack),
33110 #endif
33111 #ifdef CONFIG_SCHEDSTATS
33112diff -urNp linux-2.6.35.4/fs/proc/cmdline.c linux-2.6.35.4/fs/proc/cmdline.c
33113--- linux-2.6.35.4/fs/proc/cmdline.c 2010-08-26 19:47:12.000000000 -0400
33114+++ linux-2.6.35.4/fs/proc/cmdline.c 2010-09-17 20:12:37.000000000 -0400
33115@@ -23,7 +23,11 @@ static const struct file_operations cmdl
33116
33117 static int __init proc_cmdline_init(void)
33118 {
33119+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33120+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33121+#else
33122 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33123+#endif
33124 return 0;
33125 }
33126 module_init(proc_cmdline_init);
33127diff -urNp linux-2.6.35.4/fs/proc/devices.c linux-2.6.35.4/fs/proc/devices.c
33128--- linux-2.6.35.4/fs/proc/devices.c 2010-08-26 19:47:12.000000000 -0400
33129+++ linux-2.6.35.4/fs/proc/devices.c 2010-09-17 20:12:37.000000000 -0400
33130@@ -64,7 +64,11 @@ static const struct file_operations proc
33131
33132 static int __init proc_devices_init(void)
33133 {
33134+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33135+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33136+#else
33137 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33138+#endif
33139 return 0;
33140 }
33141 module_init(proc_devices_init);
33142diff -urNp linux-2.6.35.4/fs/proc/inode.c linux-2.6.35.4/fs/proc/inode.c
33143--- linux-2.6.35.4/fs/proc/inode.c 2010-08-26 19:47:12.000000000 -0400
33144+++ linux-2.6.35.4/fs/proc/inode.c 2010-09-17 20:12:37.000000000 -0400
33145@@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
33146 if (de->mode) {
33147 inode->i_mode = de->mode;
33148 inode->i_uid = de->uid;
33149+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33150+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33151+#else
33152 inode->i_gid = de->gid;
33153+#endif
33154 }
33155 if (de->size)
33156 inode->i_size = de->size;
33157diff -urNp linux-2.6.35.4/fs/proc/internal.h linux-2.6.35.4/fs/proc/internal.h
33158--- linux-2.6.35.4/fs/proc/internal.h 2010-08-26 19:47:12.000000000 -0400
33159+++ linux-2.6.35.4/fs/proc/internal.h 2010-09-17 20:12:37.000000000 -0400
33160@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33161 struct pid *pid, struct task_struct *task);
33162 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
33163 struct pid *pid, struct task_struct *task);
33164+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33165+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33166+#endif
33167 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33168
33169 extern const struct file_operations proc_maps_operations;
33170diff -urNp linux-2.6.35.4/fs/proc/Kconfig linux-2.6.35.4/fs/proc/Kconfig
33171--- linux-2.6.35.4/fs/proc/Kconfig 2010-08-26 19:47:12.000000000 -0400
33172+++ linux-2.6.35.4/fs/proc/Kconfig 2010-09-17 20:12:37.000000000 -0400
efbe55a5
MT		 33173@@ -30,12 +30,12 @@ config PROC_FS
33174
33175 config PROC_KCORE
33176 bool "/proc/kcore support" if !ARM
33177- depends on PROC_FS && MMU
33178+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33179
33180 config PROC_VMCORE
33181 bool "/proc/vmcore support (EXPERIMENTAL)"
33182- depends on PROC_FS && CRASH_DUMP
33183- default y
33184+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33185+ default n
33186 help
33187 Exports the dump image of crashed kernel in ELF format.
33188
33189@@ -59,8 +59,8 @@ config PROC_SYSCTL
33190 limited in memory.
33191
33192 config PROC_PAGE_MONITOR
33193- default y
33194- depends on PROC_FS && MMU
33195+ default n
33196+ depends on PROC_FS && MMU && !GRKERNSEC
33197 bool "Enable /proc page monitoring" if EMBEDDED
33198 help
33199 Various /proc files exist to monitor process memory utilization:
57199397
MT		 33200diff -urNp linux-2.6.35.4/fs/proc/kcore.c linux-2.6.35.4/fs/proc/kcore.c
33201--- linux-2.6.35.4/fs/proc/kcore.c 2010-08-26 19:47:12.000000000 -0400
33202+++ linux-2.6.35.4/fs/proc/kcore.c 2010-09-17 20:12:37.000000000 -0400
33203@@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33204 * the addresses in the elf_phdr on our list.
33205 */
33206 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33207- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33208+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33209+ if (tsz > buflen)
33210 tsz = buflen;
33211-
58c5fc13 33212+
57199397
MT		 33213 while (buflen) {
33214 struct kcore_list *m;
58c5fc13 33215
57199397
MT		 33216@@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
33217 kfree(elf_buf);
58c5fc13 33218 } else {
57199397
MT		 33219 if (kern_addr_valid(start)) {
33220- unsigned long n;
33221+ char *elf_buf;
33222
33223- n = copy_to_user(buffer, (char *)start, tsz);
33224- /*
33225- * We cannot distingush between fault on source
33226- * and fault on destination. When this happens
33227- * we clear too and hope it will trigger the
33228- * EFAULT again.
33229- */
33230- if (n) {
33231- if (clear_user(buffer + tsz - n,
33232- n))
33233+ elf_buf = kmalloc(tsz, GFP_KERNEL);
33234+ if (!elf_buf)
33235+ return -ENOMEM;
33236+ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33237+ if (copy_to_user(buffer, elf_buf, tsz)) {
33238+ kfree(elf_buf);
33239 return -EFAULT;
33240+ }
33241 }
33242+ kfree(elf_buf);
33243 } else {
33244 if (clear_user(buffer, tsz))
33245 return -EFAULT;
33246@@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
58c5fc13 33247
ae4e228f 33248 static int open_kcore(struct inode *inode, struct file *filp)
58c5fc13 33249 {
ae4e228f
MT		 33250+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
33251+ return -EPERM;
58c5fc13 33252+#endif
ae4e228f
MT		 33253 if (!capable(CAP_SYS_RAWIO))
33254 return -EPERM;
33255 if (kcore_need_update)
57199397
MT		 33256diff -urNp linux-2.6.35.4/fs/proc/meminfo.c linux-2.6.35.4/fs/proc/meminfo.c
33257--- linux-2.6.35.4/fs/proc/meminfo.c 2010-08-26 19:47:12.000000000 -0400
33258+++ linux-2.6.35.4/fs/proc/meminfo.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 33259@@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33260 vmi.used >> 10,
33261 vmi.largest_chunk >> 10
33262 #ifdef CONFIG_MEMORY_FAILURE
33263- ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33264+ ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33265 #endif
33266 );
33267
57199397
MT		 33268diff -urNp linux-2.6.35.4/fs/proc/nommu.c linux-2.6.35.4/fs/proc/nommu.c
33269--- linux-2.6.35.4/fs/proc/nommu.c 2010-08-26 19:47:12.000000000 -0400
33270+++ linux-2.6.35.4/fs/proc/nommu.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 33271@@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
58c5fc13
MT		 33272 if (len < 1)
33273 len = 1;
33274 seq_printf(m, "%*c", len, ' ');
33275- seq_path(m, &file->f_path, "");
33276+ seq_path(m, &file->f_path, "\n\\");
33277 }
33278
33279 seq_putc(m, '\n');
57199397
MT		 33280diff -urNp linux-2.6.35.4/fs/proc/proc_net.c linux-2.6.35.4/fs/proc/proc_net.c
33281--- linux-2.6.35.4/fs/proc/proc_net.c 2010-08-26 19:47:12.000000000 -0400
33282+++ linux-2.6.35.4/fs/proc/proc_net.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 33283@@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
58c5fc13
MT		 33284 struct task_struct *task;
33285 struct nsproxy *ns;
33286 struct net *net = NULL;
33287+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33288+ const struct cred *cred = current_cred();
33289+#endif
33290+
33291+#ifdef CONFIG_GRKERNSEC_PROC_USER
33292+ if (cred->fsuid)
33293+ return net;
33294+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33295+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
33296+ return net;
33297+#endif
33298
33299 rcu_read_lock();
33300 task = pid_task(proc_pid(dir), PIDTYPE_PID);
57199397
MT		 33301diff -urNp linux-2.6.35.4/fs/proc/proc_sysctl.c linux-2.6.35.4/fs/proc/proc_sysctl.c
33302--- linux-2.6.35.4/fs/proc/proc_sysctl.c 2010-08-26 19:47:12.000000000 -0400
33303+++ linux-2.6.35.4/fs/proc/proc_sysctl.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 33304@@ -7,6 +7,8 @@
33305 #include <linux/security.h>
33306 #include "internal.h"
33307
33308+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
33309+
33310 static const struct dentry_operations proc_sys_dentry_operations;
33311 static const struct file_operations proc_sys_file_operations;
33312 static const struct inode_operations proc_sys_inode_operations;
33313@@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
33314 if (!p)
33315 goto out;
33316
33317+ if (gr_handle_sysctl(p, MAY_EXEC))
33318+ goto out;
33319+
33320 err = ERR_PTR(-ENOMEM);
33321 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
33322 if (h)
33323@@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
33324 if (*pos < file->f_pos)
33325 continue;
33326
33327+ if (gr_handle_sysctl(table, 0))
33328+ continue;
33329+
33330 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
33331 if (res)
33332 return res;
33333@@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
33334 if (IS_ERR(head))
33335 return PTR_ERR(head);
33336
33337+ if (table && gr_handle_sysctl(table, MAY_EXEC))
33338+ return -ENOENT;
33339+
33340 generic_fillattr(inode, stat);
33341 if (table)
33342 stat->mode = (stat->mode & S_IFMT) | table->mode;
57199397
MT		 33343diff -urNp linux-2.6.35.4/fs/proc/root.c linux-2.6.35.4/fs/proc/root.c
33344--- linux-2.6.35.4/fs/proc/root.c 2010-08-26 19:47:12.000000000 -0400
33345+++ linux-2.6.35.4/fs/proc/root.c 2010-09-17 20:12:37.000000000 -0400
33346@@ -133,7 +133,15 @@ void __init proc_root_init(void)
58c5fc13
MT		 33347 #ifdef CONFIG_PROC_DEVICETREE
33348 proc_device_tree_init();
33349 #endif
33350+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33351+#ifdef CONFIG_GRKERNSEC_PROC_USER
33352+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
33353+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33354+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33355+#endif
33356+#else
33357 proc_mkdir("bus", NULL);
33358+#endif
33359 proc_sys_init();
33360 }
33361
57199397
MT		 33362diff -urNp linux-2.6.35.4/fs/proc/task_mmu.c linux-2.6.35.4/fs/proc/task_mmu.c
33363--- linux-2.6.35.4/fs/proc/task_mmu.c 2010-08-26 19:47:12.000000000 -0400
33364+++ linux-2.6.35.4/fs/proc/task_mmu.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 33365@@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
58c5fc13
MT		 33366 "VmExe:\t%8lu kB\n"
33367 "VmLib:\t%8lu kB\n"
df50ba0c
MT		 33368 "VmPTE:\t%8lu kB\n"
33369- "VmSwap:\t%8lu kB\n",
58c5fc13 33370- hiwater_vm << (PAGE_SHIFT-10),
df50ba0c 33371+ "VmSwap:\t%8lu kB\n"
58c5fc13
MT		 33372+
33373+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33374+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
33375+#endif
33376+
33377+ ,hiwater_vm << (PAGE_SHIFT-10),
33378 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
33379 mm->locked_vm << (PAGE_SHIFT-10),
33380 hiwater_rss << (PAGE_SHIFT-10),
df50ba0c 33381@@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
58c5fc13
MT		 33382 data << (PAGE_SHIFT-10),
33383 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
df50ba0c
MT		 33384 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
33385- swap << (PAGE_SHIFT-10));
33386+ swap << (PAGE_SHIFT-10)
58c5fc13
MT		 33387+
33388+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33389+ , mm->context.user_cs_base, mm->context.user_cs_limit
33390+#endif
33391+
33392+ );
33393 }
33394
33395 unsigned long task_vsize(struct mm_struct *mm)
df50ba0c 33396@@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
58c5fc13
MT		 33397 return ret;
33398 }
33399
33400+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33401+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33402+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
33403+ _mm->pax_flags & MF_PAX_SEGMEXEC))
33404+#endif
33405+
33406 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
33407 {
33408 struct mm_struct *mm = vma->vm_mm;
57199397
MT		 33409@@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
33410 int flags = vma->vm_flags;
33411 unsigned long ino = 0;
33412 unsigned long long pgoff = 0;
33413- unsigned long start;
33414 dev_t dev = 0;
33415 int len;
33416
33417@@ -221,19 +237,24 @@ static void show_map_vma(struct seq_file
33418 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
58c5fc13
MT		 33419 }
33420
57199397
MT		 33421- /* We don't show the stack guard page in /proc/maps */
33422- start = vma->vm_start;
33423- if (vma->vm_flags & VM_GROWSDOWN)
33424- start += PAGE_SIZE;
33425
58c5fc13 33426 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
57199397 33427- start,
58c5fc13
MT		 33428+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33429+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
33430+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
33431+#else
57199397 33432+ vma->vm_start,
58c5fc13
MT		 33433 vma->vm_end,
33434+#endif
33435 flags & VM_READ ? 'r' : '-',
33436 flags & VM_WRITE ? 'w' : '-',
33437 flags & VM_EXEC ? 'x' : '-',
33438 flags & VM_MAYSHARE ? 's' : 'p',
33439+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33440+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
33441+#else
33442 pgoff,
33443+#endif
33444 MAJOR(dev), MINOR(dev), ino, &len);
33445
33446 /*
57199397 33447@@ -242,16 +263,16 @@ static void show_map_vma(struct seq_file
58c5fc13
MT		 33448 */
33449 if (file) {
33450 pad_len_spaces(m, len);
33451- seq_path(m, &file->f_path, "\n");
33452+ seq_path(m, &file->f_path, "\n\\");
33453 } else {
33454 const char *name = arch_vma_name(vma);
33455 if (!name) {
33456 if (mm) {
33457- if (vma->vm_start <= mm->start_brk &&
33458- vma->vm_end >= mm->brk) {
33459+ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
33460 name = "[heap]";
33461- } else if (vma->vm_start <= mm->start_stack &&
33462- vma->vm_end >= mm->start_stack) {
33463+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
33464+ (vma->vm_start <= mm->start_stack &&
33465+ vma->vm_end >= mm->start_stack)) {
33466 name = "[stack]";
df50ba0c
MT		 33467 }
33468 } else {
57199397 33469@@ -393,11 +414,16 @@ static int show_smap(struct seq_file *m,
58c5fc13
MT		 33470 };
33471
33472 memset(&mss, 0, sizeof mss);
33473- mss.vma = vma;
df50ba0c 33474- /* mmap_sem is held in m_start */
58c5fc13
MT		 33475- if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33476- walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
df50ba0c 33477-
58c5fc13
MT		 33478+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33479+ if (!PAX_RAND_FLAGS(vma->vm_mm)) {
33480+#endif
33481+ mss.vma = vma;
df50ba0c 33482+ /* mmap_sem is held in m_start */
58c5fc13
MT		 33483+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33484+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33485+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33486+ }
33487+#endif
58c5fc13
MT		 33488 show_map_vma(m, vma);
33489
df50ba0c 33490 seq_printf(m,
57199397 33491@@ -412,7 +438,11 @@ static int show_smap(struct seq_file *m,
58c5fc13
MT		 33492 "Swap: %8lu kB\n"
33493 "KernelPageSize: %8lu kB\n"
33494 "MMUPageSize: %8lu kB\n",
33495+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33496+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
33497+#else
33498 (vma->vm_end - vma->vm_start) >> 10,
33499+#endif
33500 mss.resident >> 10,
33501 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
33502 mss.shared_clean >> 10,
57199397
MT		 33503diff -urNp linux-2.6.35.4/fs/proc/task_nommu.c linux-2.6.35.4/fs/proc/task_nommu.c
33504--- linux-2.6.35.4/fs/proc/task_nommu.c 2010-08-26 19:47:12.000000000 -0400
33505+++ linux-2.6.35.4/fs/proc/task_nommu.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 33506@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
58c5fc13
MT		 33507 else
33508 bytes += kobjsize(mm);
33509
33510- if (current->fs && current->fs->users > 1)
33511+ if (current->fs && atomic_read(&current->fs->users) > 1)
33512 sbytes += kobjsize(current->fs);
33513 else
33514 bytes += kobjsize(current->fs);
57199397
MT		 33515@@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
33516
33517 if (file) {
33518 pad_len_spaces(m, len);
58c5fc13
MT		 33519- seq_path(m, &file->f_path, "");
33520+ seq_path(m, &file->f_path, "\n\\");
57199397
MT		 33521 } else if (mm) {
33522 if (vma->vm_start <= mm->start_stack &&
33523 vma->vm_end >= mm->start_stack) {
33524diff -urNp linux-2.6.35.4/fs/readdir.c linux-2.6.35.4/fs/readdir.c
33525--- linux-2.6.35.4/fs/readdir.c 2010-08-26 19:47:12.000000000 -0400
33526+++ linux-2.6.35.4/fs/readdir.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 33527@@ -16,6 +16,7 @@
33528 #include <linux/security.h>
33529 #include <linux/syscalls.h>
33530 #include <linux/unistd.h>
33531+#include <linux/namei.h>
33532
33533 #include <asm/uaccess.h>
33534
33535@@ -67,6 +68,7 @@ struct old_linux_dirent {
33536
33537 struct readdir_callback {
33538 struct old_linux_dirent __user * dirent;
33539+ struct file * file;
33540 int result;
33541 };
33542
33543@@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
33544 buf->result = -EOVERFLOW;
33545 return -EOVERFLOW;
33546 }
33547+
33548+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33549+ return 0;
33550+
33551 buf->result++;
33552 dirent = buf->dirent;
33553 if (!access_ok(VERIFY_WRITE, dirent,
33554@@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
33555
33556 buf.result = 0;
33557 buf.dirent = dirent;
33558+ buf.file = file;
33559
33560 error = vfs_readdir(file, fillonedir, &buf);
33561 if (buf.result)
33562@@ -142,6 +149,7 @@ struct linux_dirent {
33563 struct getdents_callback {
33564 struct linux_dirent __user * current_dir;
33565 struct linux_dirent __user * previous;
33566+ struct file * file;
33567 int count;
33568 int error;
33569 };
33570@@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
33571 buf->error = -EOVERFLOW;
33572 return -EOVERFLOW;
33573 }
33574+
33575+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33576+ return 0;
33577+
33578 dirent = buf->previous;
33579 if (dirent) {
33580 if (__put_user(offset, &dirent->d_off))
33581@@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
33582 buf.previous = NULL;
33583 buf.count = count;
33584 buf.error = 0;
33585+ buf.file = file;
33586
33587 error = vfs_readdir(file, filldir, &buf);
33588 if (error >= 0)
33589@@ -228,6 +241,7 @@ out:
33590 struct getdents_callback64 {
33591 struct linux_dirent64 __user * current_dir;
33592 struct linux_dirent64 __user * previous;
33593+ struct file *file;
33594 int count;
33595 int error;
33596 };
33597@@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
33598 buf->error = -EINVAL; /* only used if we fail.. */
33599 if (reclen > buf->count)
33600 return -EINVAL;
33601+
33602+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33603+ return 0;
33604+
33605 dirent = buf->previous;
33606 if (dirent) {
33607 if (__put_user(offset, &dirent->d_off))
33608@@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
33609
33610 buf.current_dir = dirent;
33611 buf.previous = NULL;
33612+ buf.file = file;
33613 buf.count = count;
33614 buf.error = 0;
33615
57199397
MT		 33616diff -urNp linux-2.6.35.4/fs/reiserfs/do_balan.c linux-2.6.35.4/fs/reiserfs/do_balan.c
33617--- linux-2.6.35.4/fs/reiserfs/do_balan.c 2010-08-26 19:47:12.000000000 -0400
33618+++ linux-2.6.35.4/fs/reiserfs/do_balan.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 33619@@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
58c5fc13
MT		 33620 return;
33621 }
33622
33623- atomic_inc(&(fs_generation(tb->tb_sb)));
33624+ atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
33625 do_balance_starts(tb);
33626
33627 /* balance leaf returns 0 except if combining L R and S into
57199397
MT		 33628diff -urNp linux-2.6.35.4/fs/reiserfs/item_ops.c linux-2.6.35.4/fs/reiserfs/item_ops.c
33629--- linux-2.6.35.4/fs/reiserfs/item_ops.c 2010-08-26 19:47:12.000000000 -0400
33630+++ linux-2.6.35.4/fs/reiserfs/item_ops.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 33631@@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
33632 vi->vi_index, vi->vi_type, vi->vi_ih);
33633 }
33634
33635-static struct item_operations stat_data_ops = {
33636+static const struct item_operations stat_data_ops = {
33637 .bytes_number = sd_bytes_number,
33638 .decrement_key = sd_decrement_key,
33639 .is_left_mergeable = sd_is_left_mergeable,
33640@@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
33641 vi->vi_index, vi->vi_type, vi->vi_ih);
33642 }
33643
33644-static struct item_operations direct_ops = {
33645+static const struct item_operations direct_ops = {
33646 .bytes_number = direct_bytes_number,
33647 .decrement_key = direct_decrement_key,
33648 .is_left_mergeable = direct_is_left_mergeable,
33649@@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
33650 vi->vi_index, vi->vi_type, vi->vi_ih);
33651 }
33652
33653-static struct item_operations indirect_ops = {
33654+static const struct item_operations indirect_ops = {
33655 .bytes_number = indirect_bytes_number,
33656 .decrement_key = indirect_decrement_key,
33657 .is_left_mergeable = indirect_is_left_mergeable,
33658@@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
33659 printk("\n");
33660 }
33661
33662-static struct item_operations direntry_ops = {
33663+static const struct item_operations direntry_ops = {
33664 .bytes_number = direntry_bytes_number,
33665 .decrement_key = direntry_decrement_key,
33666 .is_left_mergeable = direntry_is_left_mergeable,
33667@@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
33668 "Invalid item type observed, run fsck ASAP");
33669 }
33670
33671-static struct item_operations errcatch_ops = {
33672+static const struct item_operations errcatch_ops = {
33673 errcatch_bytes_number,
33674 errcatch_decrement_key,
33675 errcatch_is_left_mergeable,
33676@@ -746,7 +746,7 @@ static struct item_operations errcatch_o
33677 #error Item types must use disk-format assigned values.
33678 #endif
33679
33680-struct item_operations *item_ops[TYPE_ANY + 1] = {
33681+const struct item_operations * const item_ops[TYPE_ANY + 1] = {
33682 &stat_data_ops,
33683 &indirect_ops,
33684 &direct_ops,
57199397
MT		 33685diff -urNp linux-2.6.35.4/fs/reiserfs/procfs.c linux-2.6.35.4/fs/reiserfs/procfs.c
33686--- linux-2.6.35.4/fs/reiserfs/procfs.c 2010-08-26 19:47:12.000000000 -0400
33687+++ linux-2.6.35.4/fs/reiserfs/procfs.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 33688@@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
58c5fc13
MT		 33689 "SMALL_TAILS " : "NO_TAILS ",
33690 replay_only(sb) ? "REPLAY_ONLY " : "",
33691 convert_reiserfs(sb) ? "CONV " : "",
33692- atomic_read(&r->s_generation_counter),
33693+ atomic_read_unchecked(&r->s_generation_counter),
33694 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
33695 SF(s_do_balance), SF(s_unneeded_left_neighbor),
33696 SF(s_good_search_by_key_reada), SF(s_bmaps),
57199397
MT		 33697diff -urNp linux-2.6.35.4/fs/select.c linux-2.6.35.4/fs/select.c
33698--- linux-2.6.35.4/fs/select.c 2010-08-26 19:47:12.000000000 -0400
33699+++ linux-2.6.35.4/fs/select.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 33700@@ -20,6 +20,7 @@
58c5fc13
MT		 33701 #include <linux/module.h>
33702 #include <linux/slab.h>
33703 #include <linux/poll.h>
33704+#include <linux/security.h>
33705 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
33706 #include <linux/file.h>
33707 #include <linux/fdtable.h>
df50ba0c 33708@@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
58c5fc13
MT		 33709 struct poll_list *walk = head;
33710 unsigned long todo = nfds;
33711
33712+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
df50ba0c 33713 if (nfds > rlimit(RLIMIT_NOFILE))
58c5fc13
MT		 33714 return -EINVAL;
33715
57199397
MT		 33716diff -urNp linux-2.6.35.4/fs/seq_file.c linux-2.6.35.4/fs/seq_file.c
33717--- linux-2.6.35.4/fs/seq_file.c 2010-08-26 19:47:12.000000000 -0400
33718+++ linux-2.6.35.4/fs/seq_file.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 33719@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
33720 return 0;
33721 }
33722 if (!m->buf) {
33723- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33724+ m->size = PAGE_SIZE;
ae4e228f 33725+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
58c5fc13
MT		 33726 if (!m->buf)
33727 return -ENOMEM;
33728 }
33729@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
33730 Eoverflow:
33731 m->op->stop(m, p);
33732 kfree(m->buf);
33733- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33734+ m->size <<= 1;
33735+ m->buf = kmalloc(m->size, GFP_KERNEL);
33736 return !m->buf ? -ENOMEM : -EAGAIN;
33737 }
33738
33739@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
33740 m->version = file->f_version;
33741 /* grab buffer if we didn't have one */
33742 if (!m->buf) {
33743- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33744+ m->size = PAGE_SIZE;
ae4e228f 33745+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
58c5fc13
MT		 33746 if (!m->buf)
33747 goto Enomem;
33748 }
33749@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
33750 goto Fill;
33751 m->op->stop(m, p);
33752 kfree(m->buf);
33753- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33754+ m->size <<= 1;
33755+ m->buf = kmalloc(m->size, GFP_KERNEL);
33756 if (!m->buf)
33757 goto Enomem;
33758 m->count = 0;
57199397
MT		 33759diff -urNp linux-2.6.35.4/fs/smbfs/symlink.c linux-2.6.35.4/fs/smbfs/symlink.c
33760--- linux-2.6.35.4/fs/smbfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33761+++ linux-2.6.35.4/fs/smbfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33762@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
58c5fc13
MT		 33763
33764 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
33765 {
33766- char *s = nd_get_link(nd);
33767+ const char *s = nd_get_link(nd);
33768 if (!IS_ERR(s))
33769 __putname(s);
33770 }
57199397
MT		 33771diff -urNp linux-2.6.35.4/fs/splice.c linux-2.6.35.4/fs/splice.c
33772--- linux-2.6.35.4/fs/splice.c 2010-08-26 19:47:12.000000000 -0400
33773+++ linux-2.6.35.4/fs/splice.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 33774@@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
ae4e228f
MT		 33775 pipe_lock(pipe);
33776
33777 for (;;) {
33778- if (!pipe->readers) {
33779+ if (!atomic_read(&pipe->readers)) {
33780 send_sig(SIGPIPE, current, 0);
33781 if (!ret)
33782 ret = -EPIPE;
df50ba0c 33783@@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
ae4e228f
MT		 33784 do_wakeup = 0;
33785 }
33786
33787- pipe->waiting_writers++;
33788+ atomic_inc(&pipe->waiting_writers);
33789 pipe_wait(pipe);
33790- pipe->waiting_writers--;
33791+ atomic_dec(&pipe->waiting_writers);
33792 }
33793
33794 pipe_unlock(pipe);
57199397 33795@@ -566,7 +566,7 @@ static ssize_t kernel_readv(struct file
ae4e228f
MT		 33796 old_fs = get_fs();
33797 set_fs(get_ds());
33798 /* The cast to a user pointer is valid due to the set_fs() */
33799- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
33800+ res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
33801 set_fs(old_fs);
33802
33803 return res;
57199397 33804@@ -581,7 +581,7 @@ static ssize_t kernel_write(struct file
ae4e228f
MT		 33805 old_fs = get_fs();
33806 set_fs(get_ds());
33807 /* The cast to a user pointer is valid due to the set_fs() */
33808- res = vfs_write(file, (const char __user *)buf, count, &pos);
33809+ res = vfs_write(file, (__force const char __user *)buf, count, &pos);
33810 set_fs(old_fs);
33811
33812 return res;
57199397 33813@@ -634,7 +634,7 @@ ssize_t default_file_splice_read(struct
ae4e228f
MT		 33814 goto err;
33815
33816 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
33817- vec[i].iov_base = (void __user *) page_address(page);
33818+ vec[i].iov_base = (__force void __user *) page_address(page);
33819 vec[i].iov_len = this_len;
57199397 33820 spd.pages[i] = page;
ae4e228f 33821 spd.nr_pages++;
57199397 33822@@ -861,10 +861,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
ae4e228f
MT		 33823 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
33824 {
33825 while (!pipe->nrbufs) {
33826- if (!pipe->writers)
33827+ if (!atomic_read(&pipe->writers))
33828 return 0;
33829
33830- if (!pipe->waiting_writers && sd->num_spliced)
33831+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
33832 return 0;
33833
33834 if (sd->flags & SPLICE_F_NONBLOCK)
57199397 33835@@ -1201,7 +1201,7 @@ ssize_t splice_direct_to_actor(struct fi
ae4e228f
MT		 33836 * out of the pipe right after the splice_to_pipe(). So set
33837 * PIPE_READERS appropriately.
33838 */
33839- pipe->readers = 1;
33840+ atomic_set(&pipe->readers, 1);
33841
33842 current->splice_pipe = pipe;
33843 }
57199397 33844@@ -1769,9 +1769,9 @@ static int ipipe_prep(struct pipe_inode_
ae4e228f
MT		 33845 ret = -ERESTARTSYS;
33846 break;
33847 }
33848- if (!pipe->writers)
33849+ if (!atomic_read(&pipe->writers))
33850 break;
33851- if (!pipe->waiting_writers) {
33852+ if (!atomic_read(&pipe->waiting_writers)) {
33853 if (flags & SPLICE_F_NONBLOCK) {
33854 ret = -EAGAIN;
33855 break;
57199397 33856@@ -1803,7 +1803,7 @@ static int opipe_prep(struct pipe_inode_
ae4e228f
MT		 33857 pipe_lock(pipe);
33858
57199397 33859 while (pipe->nrbufs >= pipe->buffers) {
ae4e228f
MT		 33860- if (!pipe->readers) {
33861+ if (!atomic_read(&pipe->readers)) {
33862 send_sig(SIGPIPE, current, 0);
33863 ret = -EPIPE;
33864 break;
57199397 33865@@ -1816,9 +1816,9 @@ static int opipe_prep(struct pipe_inode_
ae4e228f
MT		 33866 ret = -ERESTARTSYS;
33867 break;
33868 }
33869- pipe->waiting_writers++;
33870+ atomic_inc(&pipe->waiting_writers);
33871 pipe_wait(pipe);
33872- pipe->waiting_writers--;
33873+ atomic_dec(&pipe->waiting_writers);
33874 }
58c5fc13 33875
ae4e228f 33876 pipe_unlock(pipe);
57199397 33877@@ -1854,14 +1854,14 @@ retry:
ae4e228f
MT		 33878 pipe_double_lock(ipipe, opipe);
33879
33880 do {
33881- if (!opipe->readers) {
33882+ if (!atomic_read(&opipe->readers)) {
33883 send_sig(SIGPIPE, current, 0);
33884 if (!ret)
33885 ret = -EPIPE;
33886 break;
33887 }
33888
33889- if (!ipipe->nrbufs && !ipipe->writers)
33890+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
33891 break;
33892
33893 /*
57199397 33894@@ -1961,7 +1961,7 @@ static int link_pipe(struct pipe_inode_i
ae4e228f
MT		 33895 pipe_double_lock(ipipe, opipe);
33896
33897 do {
33898- if (!opipe->readers) {
33899+ if (!atomic_read(&opipe->readers)) {
33900 send_sig(SIGPIPE, current, 0);
33901 if (!ret)
33902 ret = -EPIPE;
57199397 33903@@ -2006,7 +2006,7 @@ static int link_pipe(struct pipe_inode_i
ae4e228f
MT		 33904 * return EAGAIN if we have the potential of some data in the
33905 * future, otherwise just return 0
33906 */
33907- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
33908+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
33909 ret = -EAGAIN;
33910
33911 pipe_unlock(ipipe);
57199397
MT		 33912diff -urNp linux-2.6.35.4/fs/sysfs/symlink.c linux-2.6.35.4/fs/sysfs/symlink.c
33913--- linux-2.6.35.4/fs/sysfs/symlink.c 2010-08-26 19:47:12.000000000 -0400
33914+++ linux-2.6.35.4/fs/sysfs/symlink.c 2010-09-17 20:12:09.000000000 -0400
33915@@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
58c5fc13
MT		 33916
33917 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33918 {
33919- char *page = nd_get_link(nd);
33920+ const char *page = nd_get_link(nd);
33921 if (!IS_ERR(page))
33922 free_page((unsigned long)page);
33923 }
57199397
MT		 33924diff -urNp linux-2.6.35.4/fs/udf/misc.c linux-2.6.35.4/fs/udf/misc.c
33925--- linux-2.6.35.4/fs/udf/misc.c 2010-08-26 19:47:12.000000000 -0400
33926+++ linux-2.6.35.4/fs/udf/misc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 33927@@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
33928 iinfo->i_lenEAttr += size;
33929 return (struct genericFormat *)&ea[offset];
33930 }
33931- if (loc & 0x02)
33932- ;
33933+ if (loc & 0x02) {
33934+ }
33935
33936 return NULL;
33937 }
57199397
MT		 33938diff -urNp linux-2.6.35.4/fs/udf/udfdecl.h linux-2.6.35.4/fs/udf/udfdecl.h
33939--- linux-2.6.35.4/fs/udf/udfdecl.h 2010-08-26 19:47:12.000000000 -0400
33940+++ linux-2.6.35.4/fs/udf/udfdecl.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 33941@@ -26,7 +26,7 @@ do { \
33942 printk(f, ##a); \
33943 } while (0)
33944 #else
33945-#define udf_debug(f, a...) /**/
33946+#define udf_debug(f, a...) do {} while (0)
33947 #endif
33948
33949 #define udf_info(f, a...) \
57199397
MT		 33950diff -urNp linux-2.6.35.4/fs/utimes.c linux-2.6.35.4/fs/utimes.c
33951--- linux-2.6.35.4/fs/utimes.c 2010-08-26 19:47:12.000000000 -0400
33952+++ linux-2.6.35.4/fs/utimes.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 33953@@ -1,6 +1,7 @@
33954 #include <linux/compiler.h>
33955 #include <linux/file.h>
33956 #include <linux/fs.h>
33957+#include <linux/security.h>
33958 #include <linux/linkage.h>
33959 #include <linux/mount.h>
33960 #include <linux/namei.h>
33961@@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
33962 goto mnt_drop_write_and_out;
33963 }
33964 }
33965+
33966+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
33967+ error = -EACCES;
33968+ goto mnt_drop_write_and_out;
33969+ }
33970+
33971 mutex_lock(&inode->i_mutex);
33972 error = notify_change(path->dentry, &newattrs);
33973 mutex_unlock(&inode->i_mutex);
57199397
MT		 33974diff -urNp linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c
33975--- linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-08-26 19:47:12.000000000 -0400
33976+++ linux-2.6.35.4/fs/xfs/linux-2.6/xfs_ioctl.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 33977@@ -136,7 +136,7 @@ xfs_find_handle(
ae4e228f 33978 }
58c5fc13 33979
ae4e228f
MT		 33980 error = -EFAULT;
33981- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
33982+ if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
33983 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
33984 goto out_put;
58c5fc13 33985
57199397
MT		 33986diff -urNp linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c
33987--- linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c 2010-08-26 19:47:12.000000000 -0400
33988+++ linux-2.6.35.4/fs/xfs/linux-2.6/xfs_iops.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 33989@@ -480,7 +480,7 @@ xfs_vn_put_link(
58c5fc13
MT		 33990 struct nameidata *nd,
33991 void *p)
33992 {
33993- char *s = nd_get_link(nd);
33994+ const char *s = nd_get_link(nd);
33995
33996 if (!IS_ERR(s))
33997 kfree(s);
57199397
MT		 33998diff -urNp linux-2.6.35.4/fs/xfs/xfs_bmap.c linux-2.6.35.4/fs/xfs/xfs_bmap.c
33999--- linux-2.6.35.4/fs/xfs/xfs_bmap.c 2010-08-26 19:47:12.000000000 -0400
34000+++ linux-2.6.35.4/fs/xfs/xfs_bmap.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 34001@@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
58c5fc13
MT		 34002 int nmap,
34003 int ret_nmap);
34004 #else
34005-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34006+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34007 #endif /* DEBUG */
34008
ae4e228f 34009 STATIC int
57199397
MT		 34010diff -urNp linux-2.6.35.4/grsecurity/gracl_alloc.c linux-2.6.35.4/grsecurity/gracl_alloc.c
34011--- linux-2.6.35.4/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34012+++ linux-2.6.35.4/grsecurity/gracl_alloc.c 2010-09-17 20:12:37.000000000 -0400
34013@@ -0,0 +1,105 @@
34014+#include <linux/kernel.h>
34015+#include <linux/mm.h>
34016+#include <linux/slab.h>
34017+#include <linux/vmalloc.h>
34018+#include <linux/gracl.h>
34019+#include <linux/grsecurity.h>
58c5fc13 34020+
57199397
MT		 34021+static unsigned long alloc_stack_next = 1;
34022+static unsigned long alloc_stack_size = 1;
34023+static void **alloc_stack;
58c5fc13 34024+
57199397
MT		 34025+static __inline__ int
34026+alloc_pop(void)
34027+{
34028+ if (alloc_stack_next == 1)
34029+ return 0;
58c5fc13 34030+
57199397 34031+ kfree(alloc_stack[alloc_stack_next - 2]);
58c5fc13 34032+
57199397 34033+ alloc_stack_next--;
58c5fc13 34034+
57199397
MT		 34035+ return 1;
34036+}
58c5fc13 34037+
57199397
MT		 34038+static __inline__ int
34039+alloc_push(void *buf)
34040+{
34041+ if (alloc_stack_next >= alloc_stack_size)
34042+ return 1;
58c5fc13 34043+
57199397 34044+ alloc_stack[alloc_stack_next - 1] = buf;
58c5fc13 34045+
57199397 34046+ alloc_stack_next++;
58c5fc13 34047+
57199397
MT		 34048+ return 0;
34049+}
58c5fc13 34050+
57199397
MT		 34051+void *
34052+acl_alloc(unsigned long len)
34053+{
34054+ void *ret = NULL;
58c5fc13 34055+
57199397
MT		 34056+ if (!len || len > PAGE_SIZE)
34057+ goto out;
58c5fc13 34058+
57199397 34059+ ret = kmalloc(len, GFP_KERNEL);
58c5fc13 34060+
57199397
MT		 34061+ if (ret) {
34062+ if (alloc_push(ret)) {
34063+ kfree(ret);
34064+ ret = NULL;
34065+ }
34066+ }
58c5fc13 34067+
57199397
MT		 34068+out:
34069+ return ret;
34070+}
58c5fc13 34071+
57199397
MT		 34072+void *
34073+acl_alloc_num(unsigned long num, unsigned long len)
34074+{
34075+ if (!len || (num > (PAGE_SIZE / len)))
34076+ return NULL;
58c5fc13 34077+
57199397
MT		 34078+ return acl_alloc(num * len);
34079+}
58c5fc13 34080+
57199397
MT		 34081+void
34082+acl_free_all(void)
34083+{
34084+ if (gr_acl_is_enabled() || !alloc_stack)
34085+ return;
58c5fc13 34086+
57199397 34087+ while (alloc_pop()) ;
58c5fc13 34088+
57199397
MT		 34089+ if (alloc_stack) {
34090+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34091+ kfree(alloc_stack);
34092+ else
34093+ vfree(alloc_stack);
34094+ }
58c5fc13 34095+
57199397
MT		 34096+ alloc_stack = NULL;
34097+ alloc_stack_size = 1;
34098+ alloc_stack_next = 1;
58c5fc13 34099+
57199397
MT		 34100+ return;
34101+}
58c5fc13 34102+
57199397
MT		 34103+int
34104+acl_alloc_stack_init(unsigned long size)
34105+{
34106+ if ((size * sizeof (void *)) <= PAGE_SIZE)
34107+ alloc_stack =
34108+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34109+ else
34110+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
58c5fc13 34111+
57199397 34112+ alloc_stack_size = size;
58c5fc13 34113+
57199397
MT		 34114+ if (!alloc_stack)
34115+ return 0;
34116+ else
34117+ return 1;
34118+}
34119diff -urNp linux-2.6.35.4/grsecurity/gracl.c linux-2.6.35.4/grsecurity/gracl.c
34120--- linux-2.6.35.4/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
34121+++ linux-2.6.35.4/grsecurity/gracl.c 2010-09-17 20:18:36.000000000 -0400
34122@@ -0,0 +1,3922 @@
34123+#include <linux/kernel.h>
34124+#include <linux/module.h>
34125+#include <linux/sched.h>
34126+#include <linux/mm.h>
34127+#include <linux/file.h>
34128+#include <linux/fs.h>
34129+#include <linux/namei.h>
34130+#include <linux/mount.h>
34131+#include <linux/tty.h>
34132+#include <linux/proc_fs.h>
34133+#include <linux/smp_lock.h>
34134+#include <linux/slab.h>
34135+#include <linux/vmalloc.h>
34136+#include <linux/types.h>
34137+#include <linux/sysctl.h>
34138+#include <linux/netdevice.h>
34139+#include <linux/ptrace.h>
34140+#include <linux/gracl.h>
34141+#include <linux/gralloc.h>
34142+#include <linux/grsecurity.h>
34143+#include <linux/grinternal.h>
34144+#include <linux/pid_namespace.h>
34145+#include <linux/fdtable.h>
34146+#include <linux/percpu.h>
58c5fc13 34147+
57199397
MT		 34148+#include <asm/uaccess.h>
34149+#include <asm/errno.h>
34150+#include <asm/mman.h>
58c5fc13 34151+
57199397
MT		 34152+static struct acl_role_db acl_role_set;
34153+static struct name_db name_set;
34154+static struct inodev_db inodev_set;
58c5fc13 34155+
57199397
MT		 34156+/* for keeping track of userspace pointers used for subjects, so we
34157+ can share references in the kernel as well
34158+*/
58c5fc13 34159+
57199397
MT		 34160+static struct dentry *real_root;
34161+static struct vfsmount *real_root_mnt;
58c5fc13 34162+
57199397 34163+static struct acl_subj_map_db subj_map_set;
ae4e228f 34164+
57199397 34165+static struct acl_role_label *default_role;
58c5fc13 34166+
57199397 34167+static struct acl_role_label *role_list;
58c5fc13 34168+
57199397 34169+static u16 acl_sp_role_value;
58c5fc13 34170+
57199397
MT		 34171+extern char *gr_shared_page[4];
34172+static DECLARE_MUTEX(gr_dev_sem);
34173+DEFINE_RWLOCK(gr_inode_lock);
58c5fc13 34174+
57199397 34175+struct gr_arg *gr_usermode;
58c5fc13 34176+
57199397 34177+static unsigned int gr_status __read_only = GR_STATUS_INIT;
58c5fc13 34178+
57199397
MT		 34179+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34180+extern void gr_clear_learn_entries(void);
58c5fc13 34181+
57199397
MT		 34182+#ifdef CONFIG_GRKERNSEC_RESLOG
34183+extern void gr_log_resource(const struct task_struct *task,
34184+ const int res, const unsigned long wanted, const int gt);
34185+#endif
58c5fc13 34186+
57199397
MT		 34187+unsigned char *gr_system_salt;
34188+unsigned char *gr_system_sum;
58c5fc13 34189+
57199397
MT		 34190+static struct sprole_pw **acl_special_roles = NULL;
34191+static __u16 num_sprole_pws = 0;
58c5fc13 34192+
57199397 34193+static struct acl_role_label *kernel_role = NULL;
df50ba0c 34194+
57199397
MT		 34195+static unsigned int gr_auth_attempts = 0;
34196+static unsigned long gr_auth_expires = 0UL;
58c5fc13 34197+
57199397
MT		 34198+extern struct vfsmount *sock_mnt;
34199+extern struct vfsmount *pipe_mnt;
34200+extern struct vfsmount *shm_mnt;
34201+#ifdef CONFIG_HUGETLBFS
34202+extern struct vfsmount *hugetlbfs_vfsmount;
34203+#endif
58c5fc13 34204+
57199397 34205+static struct acl_object_label *fakefs_obj;
df50ba0c 34206+
57199397
MT		 34207+extern int gr_init_uidset(void);
34208+extern void gr_free_uidset(void);
34209+extern void gr_remove_uid(uid_t uid);
34210+extern int gr_find_uid(uid_t uid);
58c5fc13 34211+
57199397 34212+extern spinlock_t vfsmount_lock;
58c5fc13 34213+
57199397
MT		 34214+__inline__ int
34215+gr_acl_is_enabled(void)
34216+{
34217+ return (gr_status & GR_READY);
34218+}
58c5fc13 34219+
57199397
MT		 34220+char gr_roletype_to_char(void)
34221+{
34222+ switch (current->role->roletype &
34223+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
34224+ GR_ROLE_SPECIAL)) {
34225+ case GR_ROLE_DEFAULT:
34226+ return 'D';
34227+ case GR_ROLE_USER:
34228+ return 'U';
34229+ case GR_ROLE_GROUP:
34230+ return 'G';
34231+ case GR_ROLE_SPECIAL:
34232+ return 'S';
34233+ }
58c5fc13 34234+
57199397
MT		 34235+ return 'X';
34236+}
58c5fc13 34237+
57199397
MT		 34238+__inline__ int
34239+gr_acl_tpe_check(void)
34240+{
34241+ if (unlikely(!(gr_status & GR_READY)))
34242+ return 0;
34243+ if (current->role->roletype & GR_ROLE_TPE)
34244+ return 1;
34245+ else
34246+ return 0;
34247+}
58c5fc13 34248+
57199397
MT		 34249+int
34250+gr_handle_rawio(const struct inode *inode)
34251+{
34252+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34253+ if (inode && S_ISBLK(inode->i_mode) &&
34254+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
34255+ !capable(CAP_SYS_RAWIO))
34256+ return 1;
34257+#endif
34258+ return 0;
34259+}
58c5fc13 34260+
57199397
MT		 34261+static int
34262+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
34263+{
34264+ if (likely(lena != lenb))
34265+ return 0;
58c5fc13 34266+
57199397
MT		 34267+ return !memcmp(a, b, lena);
34268+}
58c5fc13 34269+
57199397
MT		 34270+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34271+ struct dentry *root, struct vfsmount *rootmnt,
34272+ char *buffer, int buflen)
34273+{
34274+ char * end = buffer+buflen;
34275+ char * retval;
34276+ int namelen;
58c5fc13 34277+
57199397
MT		 34278+ spin_lock(&vfsmount_lock);
34279+ *--end = '\0';
34280+ buflen--;
58c5fc13 34281+
57199397
MT		 34282+ if (buflen < 1)
34283+ goto Elong;
34284+ /* Get '/' right */
34285+ retval = end-1;
34286+ *retval = '/';
58c5fc13 34287+
57199397
MT		 34288+ for (;;) {
34289+ struct dentry * parent;
58c5fc13 34290+
57199397
MT		 34291+ if (dentry == root && vfsmnt == rootmnt)
34292+ break;
34293+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
34294+ /* Global root? */
34295+ if (vfsmnt->mnt_parent == vfsmnt) {
34296+ goto global_root;
34297+ }
34298+ dentry = vfsmnt->mnt_mountpoint;
34299+ vfsmnt = vfsmnt->mnt_parent;
34300+ continue;
34301+ }
34302+ parent = dentry->d_parent;
34303+ prefetch(parent);
34304+ namelen = dentry->d_name.len;
34305+ buflen -= namelen + 1;
34306+ if (buflen < 0)
34307+ goto Elong;
34308+ end -= namelen;
34309+ memcpy(end, dentry->d_name.name, namelen);
34310+ *--end = '/';
34311+ retval = end;
34312+ dentry = parent;
34313+ }
58c5fc13 34314+
57199397
MT		 34315+out:
34316+ spin_unlock(&vfsmount_lock);
34317+ return retval;
58c5fc13 34318+
57199397
MT		 34319+global_root:
34320+ namelen = dentry->d_name.len;
34321+ buflen -= namelen;
34322+ if (buflen < 0)
34323+ goto Elong;
34324+ retval -= namelen-1; /* hit the slash */
34325+ memcpy(retval, dentry->d_name.name, namelen);
34326+ goto out;
34327+Elong:
34328+ retval = ERR_PTR(-ENAMETOOLONG);
34329+ goto out;
34330+}
58c5fc13 34331+
57199397
MT		 34332+static char *
34333+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34334+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
34335+{
34336+ char *retval;
58c5fc13 34337+
57199397
MT		 34338+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
34339+ if (unlikely(IS_ERR(retval)))
34340+ retval = strcpy(buf, "<path too long>");
34341+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
34342+ retval[1] = '\0';
58c5fc13 34343+
57199397
MT		 34344+ return retval;
34345+}
58c5fc13 34346+
57199397
MT		 34347+static char *
34348+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34349+ char *buf, int buflen)
34350+{
34351+ char *res;
58c5fc13 34352+
57199397
MT		 34353+ /* we can use real_root, real_root_mnt, because this is only called
34354+ by the RBAC system */
34355+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
58c5fc13 34356+
57199397
MT		 34357+ return res;
34358+}
58c5fc13 34359+
57199397
MT		 34360+static char *
34361+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34362+ char *buf, int buflen)
34363+{
34364+ char *res;
34365+ struct dentry *root;
34366+ struct vfsmount *rootmnt;
34367+ struct task_struct *reaper = &init_task;
58c5fc13 34368+
57199397
MT		 34369+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
34370+ read_lock(&reaper->fs->lock);
34371+ root = dget(reaper->fs->root.dentry);
34372+ rootmnt = mntget(reaper->fs->root.mnt);
34373+ read_unlock(&reaper->fs->lock);
58c5fc13 34374+
57199397
MT		 34375+ spin_lock(&dcache_lock);
34376+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
34377+ spin_unlock(&dcache_lock);
58c5fc13 34378+
57199397
MT		 34379+ dput(root);
34380+ mntput(rootmnt);
34381+ return res;
34382+}
58c5fc13 34383+
57199397
MT		 34384+static char *
34385+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
34386+{
34387+ char *ret;
34388+ spin_lock(&dcache_lock);
34389+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34390+ PAGE_SIZE);
34391+ spin_unlock(&dcache_lock);
34392+ return ret;
34393+}
58c5fc13 34394+
57199397
MT		 34395+char *
34396+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
34397+{
34398+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34399+ PAGE_SIZE);
34400+}
58c5fc13 34401+
57199397
MT		 34402+char *
34403+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
34404+{
34405+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
34406+ PAGE_SIZE);
34407+}
58c5fc13 34408+
57199397
MT		 34409+char *
34410+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
34411+{
34412+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
34413+ PAGE_SIZE);
34414+}
58c5fc13 34415+
57199397
MT		 34416+char *
34417+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
34418+{
34419+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
34420+ PAGE_SIZE);
34421+}
58c5fc13 34422+
57199397
MT		 34423+char *
34424+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
34425+{
34426+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
34427+ PAGE_SIZE);
34428+}
58c5fc13 34429+
57199397
MT		 34430+__inline__ __u32
34431+to_gr_audit(const __u32 reqmode)
34432+{
34433+ /* masks off auditable permission flags, then shifts them to create
34434+ auditing flags, and adds the special case of append auditing if
34435+ we're requesting write */
34436+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
34437+}
58c5fc13 34438+
57199397
MT		 34439+struct acl_subject_label *
34440+lookup_subject_map(const struct acl_subject_label *userp)
34441+{
34442+ unsigned int index = shash(userp, subj_map_set.s_size);
34443+ struct subject_map *match;
58c5fc13 34444+
57199397 34445+ match = subj_map_set.s_hash[index];
58c5fc13 34446+
57199397
MT		 34447+ while (match && match->user != userp)
34448+ match = match->next;
58c5fc13 34449+
57199397
MT		 34450+ if (match != NULL)
34451+ return match->kernel;
34452+ else
34453+ return NULL;
34454+}
58c5fc13 34455+
57199397
MT		 34456+static void
34457+insert_subj_map_entry(struct subject_map *subjmap)
34458+{
34459+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
34460+ struct subject_map **curr;
58c5fc13 34461+
57199397 34462+ subjmap->prev = NULL;
58c5fc13 34463+
57199397
MT		 34464+ curr = &subj_map_set.s_hash[index];
34465+ if (*curr != NULL)
34466+ (*curr)->prev = subjmap;
58c5fc13 34467+
57199397
MT		 34468+ subjmap->next = *curr;
34469+ *curr = subjmap;
58c5fc13 34470+
57199397
MT		 34471+ return;
34472+}
58c5fc13 34473+
57199397
MT		 34474+static struct acl_role_label *
34475+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
34476+ const gid_t gid)
34477+{
34478+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
34479+ struct acl_role_label *match;
34480+ struct role_allowed_ip *ipp;
34481+ unsigned int x;
58c5fc13 34482+
57199397 34483+ match = acl_role_set.r_hash[index];
58c5fc13 34484+
57199397
MT		 34485+ while (match) {
34486+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
34487+ for (x = 0; x < match->domain_child_num; x++) {
34488+ if (match->domain_children[x] == uid)
34489+ goto found;
34490+ }
34491+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
34492+ break;
34493+ match = match->next;
34494+ }
34495+found:
34496+ if (match == NULL) {
34497+ try_group:
34498+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
34499+ match = acl_role_set.r_hash[index];
58c5fc13 34500+
57199397
MT		 34501+ while (match) {
34502+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
34503+ for (x = 0; x < match->domain_child_num; x++) {
34504+ if (match->domain_children[x] == gid)
34505+ goto found2;
34506+ }
34507+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
34508+ break;
34509+ match = match->next;
34510+ }
34511+found2:
34512+ if (match == NULL)
34513+ match = default_role;
34514+ if (match->allowed_ips == NULL)
34515+ return match;
34516+ else {
34517+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34518+ if (likely
34519+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34520+ (ntohl(ipp->addr) & ipp->netmask)))
34521+ return match;
34522+ }
34523+ match = default_role;
34524+ }
34525+ } else if (match->allowed_ips == NULL) {
34526+ return match;
34527+ } else {
34528+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34529+ if (likely
34530+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34531+ (ntohl(ipp->addr) & ipp->netmask)))
34532+ return match;
34533+ }
34534+ goto try_group;
34535+ }
58c5fc13 34536+
57199397
MT		 34537+ return match;
34538+}
58c5fc13 34539+
57199397
MT		 34540+struct acl_subject_label *
34541+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
34542+ const struct acl_role_label *role)
34543+{
34544+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
34545+ struct acl_subject_label *match;
58c5fc13 34546+
57199397 34547+ match = role->subj_hash[index];
58c5fc13 34548+
57199397
MT		 34549+ while (match && (match->inode != ino || match->device != dev ||
34550+ (match->mode & GR_DELETED))) {
34551+ match = match->next;
34552+ }
58c5fc13 34553+
57199397
MT		 34554+ if (match && !(match->mode & GR_DELETED))
34555+ return match;
34556+ else
34557+ return NULL;
34558+}
58c5fc13 34559+
57199397
MT		 34560+struct acl_subject_label *
34561+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
34562+ const struct acl_role_label *role)
34563+{
34564+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
34565+ struct acl_subject_label *match;
58c5fc13 34566+
57199397 34567+ match = role->subj_hash[index];
58c5fc13 34568+
57199397
MT		 34569+ while (match && (match->inode != ino || match->device != dev ||
34570+ !(match->mode & GR_DELETED))) {
34571+ match = match->next;
34572+ }
58c5fc13 34573+
57199397
MT		 34574+ if (match && (match->mode & GR_DELETED))
34575+ return match;
34576+ else
34577+ return NULL;
34578+}
58c5fc13 34579+
57199397
MT		 34580+static struct acl_object_label *
34581+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
34582+ const struct acl_subject_label *subj)
34583+{
34584+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34585+ struct acl_object_label *match;
58c5fc13 34586+
57199397 34587+ match = subj->obj_hash[index];
58c5fc13 34588+
57199397
MT		 34589+ while (match && (match->inode != ino || match->device != dev ||
34590+ (match->mode & GR_DELETED))) {
34591+ match = match->next;
34592+ }
58c5fc13 34593+
57199397
MT		 34594+ if (match && !(match->mode & GR_DELETED))
34595+ return match;
34596+ else
34597+ return NULL;
34598+}
58c5fc13 34599+
57199397
MT		 34600+static struct acl_object_label *
34601+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
34602+ const struct acl_subject_label *subj)
34603+{
34604+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34605+ struct acl_object_label *match;
58c5fc13 34606+
57199397 34607+ match = subj->obj_hash[index];
58c5fc13 34608+
57199397
MT		 34609+ while (match && (match->inode != ino || match->device != dev ||
34610+ !(match->mode & GR_DELETED))) {
34611+ match = match->next;
34612+ }
58c5fc13 34613+
57199397
MT		 34614+ if (match && (match->mode & GR_DELETED))
34615+ return match;
58c5fc13 34616+
57199397 34617+ match = subj->obj_hash[index];
58c5fc13 34618+
57199397
MT		 34619+ while (match && (match->inode != ino || match->device != dev ||
34620+ (match->mode & GR_DELETED))) {
34621+ match = match->next;
34622+ }
58c5fc13 34623+
57199397
MT		 34624+ if (match && !(match->mode & GR_DELETED))
34625+ return match;
34626+ else
34627+ return NULL;
34628+}
58c5fc13 34629+
57199397
MT		 34630+static struct name_entry *
34631+lookup_name_entry(const char *name)
34632+{
34633+ unsigned int len = strlen(name);
34634+ unsigned int key = full_name_hash(name, len);
34635+ unsigned int index = key % name_set.n_size;
34636+ struct name_entry *match;
58c5fc13 34637+
57199397 34638+ match = name_set.n_hash[index];
58c5fc13 34639+
57199397
MT		 34640+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
34641+ match = match->next;
58c5fc13 34642+
57199397
MT		 34643+ return match;
34644+}
58c5fc13 34645+
57199397
MT		 34646+static struct name_entry *
34647+lookup_name_entry_create(const char *name)
34648+{
34649+ unsigned int len = strlen(name);
34650+ unsigned int key = full_name_hash(name, len);
34651+ unsigned int index = key % name_set.n_size;
34652+ struct name_entry *match;
58c5fc13 34653+
57199397 34654+ match = name_set.n_hash[index];
58c5fc13 34655+
57199397
MT		 34656+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34657+ !match->deleted))
34658+ match = match->next;
58c5fc13 34659+
57199397
MT		 34660+ if (match && match->deleted)
34661+ return match;
58c5fc13 34662+
57199397 34663+ match = name_set.n_hash[index];
58c5fc13 34664+
57199397
MT		 34665+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34666+ match->deleted))
34667+ match = match->next;
58c5fc13 34668+
57199397
MT		 34669+ if (match && !match->deleted)
34670+ return match;
34671+ else
34672+ return NULL;
34673+}
58c5fc13 34674+
57199397
MT		 34675+static struct inodev_entry *
34676+lookup_inodev_entry(const ino_t ino, const dev_t dev)
34677+{
34678+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
34679+ struct inodev_entry *match;
58c5fc13 34680+
57199397 34681+ match = inodev_set.i_hash[index];
58c5fc13 34682+
57199397
MT		 34683+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
34684+ match = match->next;
58c5fc13 34685+
57199397 34686+ return match;
58c5fc13
MT		 34687+}
34688+
57199397
MT		 34689+static void
34690+insert_inodev_entry(struct inodev_entry *entry)
58c5fc13 34691+{
57199397
MT		 34692+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
34693+ inodev_set.i_size);
34694+ struct inodev_entry **curr;
58c5fc13 34695+
57199397 34696+ entry->prev = NULL;
58c5fc13 34697+
57199397
MT		 34698+ curr = &inodev_set.i_hash[index];
34699+ if (*curr != NULL)
34700+ (*curr)->prev = entry;
34701+
34702+ entry->next = *curr;
34703+ *curr = entry;
ae4e228f 34704+
57199397 34705+ return;
58c5fc13 34706+}
efbe55a5 34707+
57199397
MT		 34708+static void
34709+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
efbe55a5
MT		 34710+{
34711+ unsigned int index =
34712+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
34713+ struct acl_role_label **curr;
34714+ struct acl_role_label *tmp;
34715+
34716+ curr = &acl_role_set.r_hash[index];
34717+
34718+ /* if role was already inserted due to domains and already has
34719+ a role in the same bucket as it attached, then we need to
34720+ combine these two buckets
34721+ */
34722+ if (role->next) {
34723+ tmp = role->next;
34724+ while (tmp->next)
34725+ tmp = tmp->next;
34726+ tmp->next = *curr;
34727+ } else
34728+ role->next = *curr;
34729+ *curr = role;
34730+
34731+ return;
34732+}
34733+
34734+static void
34735+insert_acl_role_label(struct acl_role_label *role)
34736+{
34737+ int i;
34738+
34739+ if (role_list == NULL) {
34740+ role_list = role;
34741+ role->prev = NULL;
34742+ } else {
34743+ role->prev = role_list;
34744+ role_list = role;
34745+ }
34746+
34747+ /* used for hash chains */
34748+ role->next = NULL;
34749+
34750+ if (role->roletype & GR_ROLE_DOMAIN) {
34751+ for (i = 0; i < role->domain_child_num; i++)
34752+ __insert_acl_role_label(role, role->domain_children[i]);
34753+ } else
34754+ __insert_acl_role_label(role, role->uidgid);
34755+}
34756+
34757+static int
34758+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
34759+{
34760+ struct name_entry **curr, *nentry;
34761+ struct inodev_entry *ientry;
34762+ unsigned int len = strlen(name);
34763+ unsigned int key = full_name_hash(name, len);
34764+ unsigned int index = key % name_set.n_size;
34765+
34766+ curr = &name_set.n_hash[index];
34767+
34768+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
34769+ curr = &((*curr)->next);
34770+
34771+ if (*curr != NULL)
34772+ return 1;
34773+
34774+ nentry = acl_alloc(sizeof (struct name_entry));
34775+ if (nentry == NULL)
34776+ return 0;
34777+ ientry = acl_alloc(sizeof (struct inodev_entry));
34778+ if (ientry == NULL)
34779+ return 0;
34780+ ientry->nentry = nentry;
34781+
34782+ nentry->key = key;
34783+ nentry->name = name;
34784+ nentry->inode = inode;
34785+ nentry->device = device;
34786+ nentry->len = len;
34787+ nentry->deleted = deleted;
34788+
34789+ nentry->prev = NULL;
34790+ curr = &name_set.n_hash[index];
34791+ if (*curr != NULL)
34792+ (*curr)->prev = nentry;
34793+ nentry->next = *curr;
34794+ *curr = nentry;
34795+
34796+ /* insert us into the table searchable by inode/dev */
34797+ insert_inodev_entry(ientry);
34798+
34799+ return 1;
34800+}
34801+
34802+static void
34803+insert_acl_obj_label(struct acl_object_label *obj,
34804+ struct acl_subject_label *subj)
34805+{
34806+ unsigned int index =
34807+ fhash(obj->inode, obj->device, subj->obj_hash_size);
34808+ struct acl_object_label **curr;
34809+
34810+
34811+ obj->prev = NULL;
34812+
34813+ curr = &subj->obj_hash[index];
34814+ if (*curr != NULL)
34815+ (*curr)->prev = obj;
34816+
34817+ obj->next = *curr;
34818+ *curr = obj;
34819+
34820+ return;
34821+}
34822+
34823+static void
34824+insert_acl_subj_label(struct acl_subject_label *obj,
34825+ struct acl_role_label *role)
34826+{
34827+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
34828+ struct acl_subject_label **curr;
34829+
34830+ obj->prev = NULL;
34831+
34832+ curr = &role->subj_hash[index];
34833+ if (*curr != NULL)
34834+ (*curr)->prev = obj;
34835+
34836+ obj->next = *curr;
34837+ *curr = obj;
34838+
34839+ return;
34840+}
34841+
34842+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
34843+
34844+static void *
34845+create_table(__u32 * len, int elementsize)
34846+{
34847+ unsigned int table_sizes[] = {
34848+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
34849+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
34850+ 4194301, 8388593, 16777213, 33554393, 67108859
34851+ };
34852+ void *newtable = NULL;
34853+ unsigned int pwr = 0;
34854+
34855+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
34856+ table_sizes[pwr] <= *len)
34857+ pwr++;
34858+
34859+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
34860+ return newtable;
34861+
34862+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
34863+ newtable =
34864+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
34865+ else
34866+ newtable = vmalloc(table_sizes[pwr] * elementsize);
34867+
34868+ *len = table_sizes[pwr];
34869+
34870+ return newtable;
34871+}
34872+
34873+static int
34874+init_variables(const struct gr_arg *arg)
34875+{
34876+ struct task_struct *reaper = &init_task;
34877+ unsigned int stacksize;
58c5fc13
MT		 34878+
34879+ subj_map_set.s_size = arg->role_db.num_subjects;
34880+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
34881+ name_set.n_size = arg->role_db.num_objects;
34882+ inodev_set.i_size = arg->role_db.num_objects;
34883+
34884+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
34885+ !name_set.n_size || !inodev_set.i_size)
34886+ return 1;
34887+
34888+ if (!gr_init_uidset())
34889+ return 1;
34890+
34891+ /* set up the stack that holds allocation info */
34892+
34893+ stacksize = arg->role_db.num_pointers + 5;
34894+
34895+ if (!acl_alloc_stack_init(stacksize))
34896+ return 1;
34897+
34898+ /* grab reference for the real root dentry and vfsmount */
34899+ read_lock(&reaper->fs->lock);
34900+ real_root_mnt = mntget(reaper->fs->root.mnt);
34901+ real_root = dget(reaper->fs->root.dentry);
34902+ read_unlock(&reaper->fs->lock);
34903+
34904+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
34905+ if (fakefs_obj == NULL)
34906+ return 1;
34907+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
34908+
34909+ subj_map_set.s_hash =
34910+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
34911+ acl_role_set.r_hash =
34912+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
34913+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
34914+ inodev_set.i_hash =
34915+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
34916+
34917+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
34918+ !name_set.n_hash || !inodev_set.i_hash)
34919+ return 1;
34920+
34921+ memset(subj_map_set.s_hash, 0,
34922+ sizeof(struct subject_map *) * subj_map_set.s_size);
34923+ memset(acl_role_set.r_hash, 0,
34924+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
34925+ memset(name_set.n_hash, 0,
34926+ sizeof (struct name_entry *) * name_set.n_size);
34927+ memset(inodev_set.i_hash, 0,
34928+ sizeof (struct inodev_entry *) * inodev_set.i_size);
34929+
34930+ return 0;
34931+}
34932+
34933+/* free information not needed after startup
34934+ currently contains user->kernel pointer mappings for subjects
34935+*/
34936+
34937+static void
34938+free_init_variables(void)
34939+{
34940+ __u32 i;
34941+
34942+ if (subj_map_set.s_hash) {
34943+ for (i = 0; i < subj_map_set.s_size; i++) {
34944+ if (subj_map_set.s_hash[i]) {
34945+ kfree(subj_map_set.s_hash[i]);
34946+ subj_map_set.s_hash[i] = NULL;
34947+ }
34948+ }
34949+
34950+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
34951+ PAGE_SIZE)
34952+ kfree(subj_map_set.s_hash);
34953+ else
34954+ vfree(subj_map_set.s_hash);
34955+ }
34956+
34957+ return;
34958+}
34959+
34960+static void
34961+free_variables(void)
34962+{
34963+ struct acl_subject_label *s;
34964+ struct acl_role_label *r;
34965+ struct task_struct *task, *task2;
ae4e228f 34966+ unsigned int x;
58c5fc13
MT		 34967+
34968+ gr_clear_learn_entries();
34969+
34970+ read_lock(&tasklist_lock);
34971+ do_each_thread(task2, task) {
34972+ task->acl_sp_role = 0;
34973+ task->acl_role_id = 0;
34974+ task->acl = NULL;
34975+ task->role = NULL;
34976+ } while_each_thread(task2, task);
34977+ read_unlock(&tasklist_lock);
34978+
34979+ /* release the reference to the real root dentry and vfsmount */
34980+ if (real_root)
34981+ dput(real_root);
34982+ real_root = NULL;
34983+ if (real_root_mnt)
34984+ mntput(real_root_mnt);
34985+ real_root_mnt = NULL;
34986+
34987+ /* free all object hash tables */
34988+
ae4e228f 34989+ FOR_EACH_ROLE_START(r)
58c5fc13 34990+ if (r->subj_hash == NULL)
ae4e228f 34991+ goto next_role;
58c5fc13
MT		 34992+ FOR_EACH_SUBJECT_START(r, s, x)
34993+ if (s->obj_hash == NULL)
34994+ break;
34995+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
34996+ kfree(s->obj_hash);
34997+ else
34998+ vfree(s->obj_hash);
34999+ FOR_EACH_SUBJECT_END(s, x)
35000+ FOR_EACH_NESTED_SUBJECT_START(r, s)
35001+ if (s->obj_hash == NULL)
35002+ break;
35003+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35004+ kfree(s->obj_hash);
35005+ else
35006+ vfree(s->obj_hash);
35007+ FOR_EACH_NESTED_SUBJECT_END(s)
35008+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35009+ kfree(r->subj_hash);
35010+ else
35011+ vfree(r->subj_hash);
35012+ r->subj_hash = NULL;
ae4e228f
MT		 35013+next_role:
35014+ FOR_EACH_ROLE_END(r)
58c5fc13
MT		 35015+
35016+ acl_free_all();
35017+
35018+ if (acl_role_set.r_hash) {
35019+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35020+ PAGE_SIZE)
35021+ kfree(acl_role_set.r_hash);
35022+ else
35023+ vfree(acl_role_set.r_hash);
35024+ }
35025+ if (name_set.n_hash) {
35026+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
35027+ PAGE_SIZE)
35028+ kfree(name_set.n_hash);
35029+ else
35030+ vfree(name_set.n_hash);
35031+ }
35032+
35033+ if (inodev_set.i_hash) {
35034+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35035+ PAGE_SIZE)
35036+ kfree(inodev_set.i_hash);
35037+ else
35038+ vfree(inodev_set.i_hash);
35039+ }
35040+
35041+ gr_free_uidset();
35042+
35043+ memset(&name_set, 0, sizeof (struct name_db));
35044+ memset(&inodev_set, 0, sizeof (struct inodev_db));
35045+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35046+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35047+
35048+ default_role = NULL;
ae4e228f 35049+ role_list = NULL;
58c5fc13
MT		 35050+
35051+ return;
35052+}
35053+
35054+static __u32
35055+count_user_objs(struct acl_object_label *userp)
35056+{
35057+ struct acl_object_label o_tmp;
35058+ __u32 num = 0;
35059+
35060+ while (userp) {
35061+ if (copy_from_user(&o_tmp, userp,
35062+ sizeof (struct acl_object_label)))
35063+ break;
35064+
35065+ userp = o_tmp.prev;
35066+ num++;
35067+ }
35068+
35069+ return num;
35070+}
35071+
35072+static struct acl_subject_label *
35073+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35074+
35075+static int
35076+copy_user_glob(struct acl_object_label *obj)
35077+{
35078+ struct acl_object_label *g_tmp, **guser;
35079+ unsigned int len;
35080+ char *tmp;
35081+
35082+ if (obj->globbed == NULL)
35083+ return 0;
35084+
35085+ guser = &obj->globbed;
35086+ while (*guser) {
35087+ g_tmp = (struct acl_object_label *)
35088+ acl_alloc(sizeof (struct acl_object_label));
35089+ if (g_tmp == NULL)
35090+ return -ENOMEM;
35091+
35092+ if (copy_from_user(g_tmp, *guser,
35093+ sizeof (struct acl_object_label)))
35094+ return -EFAULT;
35095+
35096+ len = strnlen_user(g_tmp->filename, PATH_MAX);
35097+
35098+ if (!len || len >= PATH_MAX)
35099+ return -EINVAL;
35100+
35101+ if ((tmp = (char *) acl_alloc(len)) == NULL)
35102+ return -ENOMEM;
35103+
35104+ if (copy_from_user(tmp, g_tmp->filename, len))
35105+ return -EFAULT;
35106+ tmp[len-1] = '\0';
35107+ g_tmp->filename = tmp;
35108+
35109+ *guser = g_tmp;
35110+ guser = &(g_tmp->next);
35111+ }
35112+
35113+ return 0;
35114+}
35115+
35116+static int
35117+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35118+ struct acl_role_label *role)
35119+{
35120+ struct acl_object_label *o_tmp;
35121+ unsigned int len;
35122+ int ret;
35123+ char *tmp;
35124+
35125+ while (userp) {
35126+ if ((o_tmp = (struct acl_object_label *)
35127+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
35128+ return -ENOMEM;
35129+
35130+ if (copy_from_user(o_tmp, userp,
35131+ sizeof (struct acl_object_label)))
35132+ return -EFAULT;
35133+
35134+ userp = o_tmp->prev;
35135+
35136+ len = strnlen_user(o_tmp->filename, PATH_MAX);
35137+
35138+ if (!len || len >= PATH_MAX)
35139+ return -EINVAL;
35140+
35141+ if ((tmp = (char *) acl_alloc(len)) == NULL)
35142+ return -ENOMEM;
35143+
35144+ if (copy_from_user(tmp, o_tmp->filename, len))
35145+ return -EFAULT;
35146+ tmp[len-1] = '\0';
35147+ o_tmp->filename = tmp;
35148+
35149+ insert_acl_obj_label(o_tmp, subj);
35150+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
35151+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
35152+ return -ENOMEM;
35153+
35154+ ret = copy_user_glob(o_tmp);
35155+ if (ret)
35156+ return ret;
35157+
35158+ if (o_tmp->nested) {
35159+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
35160+ if (IS_ERR(o_tmp->nested))
35161+ return PTR_ERR(o_tmp->nested);
35162+
35163+ /* insert into nested subject list */
35164+ o_tmp->nested->next = role->hash->first;
35165+ role->hash->first = o_tmp->nested;
35166+ }
35167+ }
35168+
35169+ return 0;
35170+}
35171+
35172+static __u32
35173+count_user_subjs(struct acl_subject_label *userp)
35174+{
35175+ struct acl_subject_label s_tmp;
35176+ __u32 num = 0;
35177+
35178+ while (userp) {
35179+ if (copy_from_user(&s_tmp, userp,
35180+ sizeof (struct acl_subject_label)))
35181+ break;
35182+
35183+ userp = s_tmp.prev;
35184+ /* do not count nested subjects against this count, since
35185+ they are not included in the hash table, but are
35186+ attached to objects. We have already counted
35187+ the subjects in userspace for the allocation
35188+ stack
35189+ */
35190+ if (!(s_tmp.mode & GR_NESTED))
35191+ num++;
35192+ }
35193+
35194+ return num;
35195+}
35196+
35197+static int
35198+copy_user_allowedips(struct acl_role_label *rolep)
35199+{
35200+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35201+
35202+ ruserip = rolep->allowed_ips;
35203+
35204+ while (ruserip) {
35205+ rlast = rtmp;
35206+
35207+ if ((rtmp = (struct role_allowed_ip *)
35208+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35209+ return -ENOMEM;
35210+
35211+ if (copy_from_user(rtmp, ruserip,
35212+ sizeof (struct role_allowed_ip)))
35213+ return -EFAULT;
35214+
35215+ ruserip = rtmp->prev;
35216+
35217+ if (!rlast) {
35218+ rtmp->prev = NULL;
35219+ rolep->allowed_ips = rtmp;
35220+ } else {
35221+ rlast->next = rtmp;
35222+ rtmp->prev = rlast;
35223+ }
35224+
35225+ if (!ruserip)
35226+ rtmp->next = NULL;
35227+ }
35228+
35229+ return 0;
35230+}
35231+
35232+static int
35233+copy_user_transitions(struct acl_role_label *rolep)
35234+{
35235+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
35236+
35237+ unsigned int len;
35238+ char *tmp;
35239+
35240+ rusertp = rolep->transitions;
35241+
35242+ while (rusertp) {
35243+ rlast = rtmp;
35244+
35245+ if ((rtmp = (struct role_transition *)
35246+ acl_alloc(sizeof (struct role_transition))) == NULL)
35247+ return -ENOMEM;
35248+
35249+ if (copy_from_user(rtmp, rusertp,
35250+ sizeof (struct role_transition)))
35251+ return -EFAULT;
35252+
35253+ rusertp = rtmp->prev;
35254+
35255+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35256+
35257+ if (!len || len >= GR_SPROLE_LEN)
35258+ return -EINVAL;
35259+
35260+ if ((tmp = (char *) acl_alloc(len)) == NULL)
35261+ return -ENOMEM;
35262+
35263+ if (copy_from_user(tmp, rtmp->rolename, len))
35264+ return -EFAULT;
35265+ tmp[len-1] = '\0';
35266+ rtmp->rolename = tmp;
35267+
35268+ if (!rlast) {
35269+ rtmp->prev = NULL;
35270+ rolep->transitions = rtmp;
35271+ } else {
35272+ rlast->next = rtmp;
35273+ rtmp->prev = rlast;
35274+ }
35275+
35276+ if (!rusertp)
35277+ rtmp->next = NULL;
35278+ }
35279+
35280+ return 0;
35281+}
35282+
35283+static struct acl_subject_label *
35284+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
35285+{
35286+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
35287+ unsigned int len;
35288+ char *tmp;
35289+ __u32 num_objs;
35290+ struct acl_ip_label **i_tmp, *i_utmp2;
35291+ struct gr_hash_struct ghash;
35292+ struct subject_map *subjmap;
35293+ unsigned int i_num;
35294+ int err;
35295+
35296+ s_tmp = lookup_subject_map(userp);
35297+
35298+ /* we've already copied this subject into the kernel, just return
35299+ the reference to it, and don't copy it over again
35300+ */
35301+ if (s_tmp)
35302+ return(s_tmp);
35303+
35304+ if ((s_tmp = (struct acl_subject_label *)
35305+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
35306+ return ERR_PTR(-ENOMEM);
35307+
35308+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
35309+ if (subjmap == NULL)
35310+ return ERR_PTR(-ENOMEM);
35311+
35312+ subjmap->user = userp;
35313+ subjmap->kernel = s_tmp;
35314+ insert_subj_map_entry(subjmap);
35315+
35316+ if (copy_from_user(s_tmp, userp,
35317+ sizeof (struct acl_subject_label)))
35318+ return ERR_PTR(-EFAULT);
35319+
35320+ len = strnlen_user(s_tmp->filename, PATH_MAX);
35321+
35322+ if (!len || len >= PATH_MAX)
35323+ return ERR_PTR(-EINVAL);
35324+
35325+ if ((tmp = (char *) acl_alloc(len)) == NULL)
35326+ return ERR_PTR(-ENOMEM);
35327+
35328+ if (copy_from_user(tmp, s_tmp->filename, len))
35329+ return ERR_PTR(-EFAULT);
35330+ tmp[len-1] = '\0';
35331+ s_tmp->filename = tmp;
35332+
35333+ if (!strcmp(s_tmp->filename, "/"))
35334+ role->root_label = s_tmp;
35335+
35336+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
35337+ return ERR_PTR(-EFAULT);
35338+
35339+ /* copy user and group transition tables */
35340+
35341+ if (s_tmp->user_trans_num) {
35342+ uid_t *uidlist;
35343+
35344+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
35345+ if (uidlist == NULL)
35346+ return ERR_PTR(-ENOMEM);
35347+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
35348+ return ERR_PTR(-EFAULT);
35349+
35350+ s_tmp->user_transitions = uidlist;
35351+ }
35352+
35353+ if (s_tmp->group_trans_num) {
35354+ gid_t *gidlist;
35355+
35356+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
35357+ if (gidlist == NULL)
35358+ return ERR_PTR(-ENOMEM);
35359+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
35360+ return ERR_PTR(-EFAULT);
35361+
35362+ s_tmp->group_transitions = gidlist;
35363+ }
35364+
35365+ /* set up object hash table */
35366+ num_objs = count_user_objs(ghash.first);
35367+
35368+ s_tmp->obj_hash_size = num_objs;
35369+ s_tmp->obj_hash =
35370+ (struct acl_object_label **)
35371+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
35372+
35373+ if (!s_tmp->obj_hash)
35374+ return ERR_PTR(-ENOMEM);
35375+
35376+ memset(s_tmp->obj_hash, 0,
35377+ s_tmp->obj_hash_size *
35378+ sizeof (struct acl_object_label *));
35379+
35380+ /* add in objects */
35381+ err = copy_user_objs(ghash.first, s_tmp, role);
35382+
35383+ if (err)
35384+ return ERR_PTR(err);
35385+
35386+ /* set pointer for parent subject */
35387+ if (s_tmp->parent_subject) {
35388+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
35389+
35390+ if (IS_ERR(s_tmp2))
35391+ return s_tmp2;
35392+
35393+ s_tmp->parent_subject = s_tmp2;
35394+ }
35395+
35396+ /* add in ip acls */
35397+
35398+ if (!s_tmp->ip_num) {
35399+ s_tmp->ips = NULL;
35400+ goto insert;
35401+ }
35402+
35403+ i_tmp =
35404+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
35405+ sizeof (struct acl_ip_label *));
35406+
35407+ if (!i_tmp)
35408+ return ERR_PTR(-ENOMEM);
35409+
35410+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
35411+ *(i_tmp + i_num) =
35412+ (struct acl_ip_label *)
35413+ acl_alloc(sizeof (struct acl_ip_label));
35414+ if (!*(i_tmp + i_num))
35415+ return ERR_PTR(-ENOMEM);
35416+
35417+ if (copy_from_user
35418+ (&i_utmp2, s_tmp->ips + i_num,
35419+ sizeof (struct acl_ip_label *)))
35420+ return ERR_PTR(-EFAULT);
35421+
35422+ if (copy_from_user
35423+ (*(i_tmp + i_num), i_utmp2,
35424+ sizeof (struct acl_ip_label)))
35425+ return ERR_PTR(-EFAULT);
35426+
35427+ if ((*(i_tmp + i_num))->iface == NULL)
35428+ continue;
35429+
35430+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
35431+ if (!len || len >= IFNAMSIZ)
35432+ return ERR_PTR(-EINVAL);
35433+ tmp = acl_alloc(len);
35434+ if (tmp == NULL)
35435+ return ERR_PTR(-ENOMEM);
35436+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
35437+ return ERR_PTR(-EFAULT);
35438+ (*(i_tmp + i_num))->iface = tmp;
35439+ }
35440+
35441+ s_tmp->ips = i_tmp;
35442+
35443+insert:
35444+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
35445+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
35446+ return ERR_PTR(-ENOMEM);
35447+
35448+ return s_tmp;
35449+}
35450+
35451+static int
35452+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
35453+{
35454+ struct acl_subject_label s_pre;
35455+ struct acl_subject_label * ret;
35456+ int err;
35457+
35458+ while (userp) {
35459+ if (copy_from_user(&s_pre, userp,
35460+ sizeof (struct acl_subject_label)))
35461+ return -EFAULT;
35462+
35463+ /* do not add nested subjects here, add
35464+ while parsing objects
35465+ */
35466+
35467+ if (s_pre.mode & GR_NESTED) {
35468+ userp = s_pre.prev;
35469+ continue;
35470+ }
35471+
35472+ ret = do_copy_user_subj(userp, role);
35473+
35474+ err = PTR_ERR(ret);
35475+ if (IS_ERR(ret))
35476+ return err;
35477+
35478+ insert_acl_subj_label(ret, role);
35479+
35480+ userp = s_pre.prev;
35481+ }
35482+
35483+ return 0;
35484+}
35485+
35486+static int
35487+copy_user_acl(struct gr_arg *arg)
35488+{
35489+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
35490+ struct sprole_pw *sptmp;
35491+ struct gr_hash_struct *ghash;
35492+ uid_t *domainlist;
35493+ unsigned int r_num;
35494+ unsigned int len;
35495+ char *tmp;
35496+ int err = 0;
35497+ __u16 i;
35498+ __u32 num_subjs;
35499+
35500+ /* we need a default and kernel role */
35501+ if (arg->role_db.num_roles < 2)
35502+ return -EINVAL;
35503+
35504+ /* copy special role authentication info from userspace */
35505+
35506+ num_sprole_pws = arg->num_sprole_pws;
35507+ acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
35508+
35509+ if (!acl_special_roles) {
35510+ err = -ENOMEM;
35511+ goto cleanup;
35512+ }
35513+
35514+ for (i = 0; i < num_sprole_pws; i++) {
35515+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
35516+ if (!sptmp) {
35517+ err = -ENOMEM;
35518+ goto cleanup;
35519+ }
35520+ if (copy_from_user(sptmp, arg->sprole_pws + i,
35521+ sizeof (struct sprole_pw))) {
35522+ err = -EFAULT;
35523+ goto cleanup;
35524+ }
35525+
35526+ len =
35527+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
35528+
35529+ if (!len || len >= GR_SPROLE_LEN) {
35530+ err = -EINVAL;
35531+ goto cleanup;
35532+ }
35533+
35534+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
35535+ err = -ENOMEM;
35536+ goto cleanup;
35537+ }
35538+
35539+ if (copy_from_user(tmp, sptmp->rolename, len)) {
35540+ err = -EFAULT;
35541+ goto cleanup;
35542+ }
35543+ tmp[len-1] = '\0';
35544+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35545+ printk(KERN_ALERT "Copying special role %s\n", tmp);
35546+#endif
35547+ sptmp->rolename = tmp;
35548+ acl_special_roles[i] = sptmp;
35549+ }
35550+
35551+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
35552+
35553+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
35554+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
35555+
35556+ if (!r_tmp) {
35557+ err = -ENOMEM;
35558+ goto cleanup;
35559+ }
35560+
35561+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
35562+ sizeof (struct acl_role_label *))) {
35563+ err = -EFAULT;
35564+ goto cleanup;
35565+ }
35566+
35567+ if (copy_from_user(r_tmp, r_utmp2,
35568+ sizeof (struct acl_role_label))) {
35569+ err = -EFAULT;
35570+ goto cleanup;
35571+ }
35572+
35573+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
35574+
35575+ if (!len || len >= PATH_MAX) {
35576+ err = -EINVAL;
35577+ goto cleanup;
35578+ }
35579+
35580+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
35581+ err = -ENOMEM;
35582+ goto cleanup;
35583+ }
35584+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
35585+ err = -EFAULT;
35586+ goto cleanup;
35587+ }
35588+ tmp[len-1] = '\0';
35589+ r_tmp->rolename = tmp;
35590+
35591+ if (!strcmp(r_tmp->rolename, "default")
35592+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
35593+ default_role = r_tmp;
35594+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
35595+ kernel_role = r_tmp;
35596+ }
35597+
35598+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
35599+ err = -ENOMEM;
35600+ goto cleanup;
35601+ }
35602+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
35603+ err = -EFAULT;
35604+ goto cleanup;
35605+ }
35606+
35607+ r_tmp->hash = ghash;
35608+
35609+ num_subjs = count_user_subjs(r_tmp->hash->first);
35610+
35611+ r_tmp->subj_hash_size = num_subjs;
35612+ r_tmp->subj_hash =
35613+ (struct acl_subject_label **)
35614+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
35615+
35616+ if (!r_tmp->subj_hash) {
35617+ err = -ENOMEM;
35618+ goto cleanup;
35619+ }
35620+
35621+ err = copy_user_allowedips(r_tmp);
35622+ if (err)
35623+ goto cleanup;
35624+
35625+ /* copy domain info */
35626+ if (r_tmp->domain_children != NULL) {
35627+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
35628+ if (domainlist == NULL) {
35629+ err = -ENOMEM;
35630+ goto cleanup;
35631+ }
35632+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
35633+ err = -EFAULT;
35634+ goto cleanup;
35635+ }
35636+ r_tmp->domain_children = domainlist;
35637+ }
35638+
35639+ err = copy_user_transitions(r_tmp);
35640+ if (err)
35641+ goto cleanup;
35642+
35643+ memset(r_tmp->subj_hash, 0,
35644+ r_tmp->subj_hash_size *
35645+ sizeof (struct acl_subject_label *));
35646+
35647+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
35648+
35649+ if (err)
35650+ goto cleanup;
35651+
35652+ /* set nested subject list to null */
35653+ r_tmp->hash->first = NULL;
35654+
35655+ insert_acl_role_label(r_tmp);
35656+ }
35657+
35658+ goto return_err;
35659+ cleanup:
35660+ free_variables();
35661+ return_err:
35662+ return err;
35663+
35664+}
35665+
35666+static int
35667+gracl_init(struct gr_arg *args)
35668+{
35669+ int error = 0;
35670+
35671+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
35672+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
35673+
35674+ if (init_variables(args)) {
35675+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
35676+ error = -ENOMEM;
35677+ free_variables();
35678+ goto out;
35679+ }
35680+
35681+ error = copy_user_acl(args);
35682+ free_init_variables();
35683+ if (error) {
35684+ free_variables();
35685+ goto out;
35686+ }
35687+
35688+ if ((error = gr_set_acls(0))) {
35689+ free_variables();
35690+ goto out;
35691+ }
35692+
ae4e228f 35693+ pax_open_kernel();
58c5fc13 35694+ gr_status |= GR_READY;
ae4e228f 35695+ pax_close_kernel();
58c5fc13
MT		 35696+
35697+ out:
35698+ return error;
35699+}
35700+
35701+/* derived from glibc fnmatch() 0: match, 1: no match*/
35702+
35703+static int
35704+glob_match(const char *p, const char *n)
35705+{
35706+ char c;
35707+
35708+ while ((c = *p++) != '\0') {
35709+ switch (c) {
35710+ case '?':
35711+ if (*n == '\0')
35712+ return 1;
35713+ else if (*n == '/')
35714+ return 1;
35715+ break;
35716+ case '\\':
35717+ if (*n != c)
35718+ return 1;
35719+ break;
35720+ case '*':
35721+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
35722+ if (*n == '/')
35723+ return 1;
35724+ else if (c == '?') {
35725+ if (*n == '\0')
35726+ return 1;
35727+ else
35728+ ++n;
35729+ }
35730+ }
35731+ if (c == '\0') {
35732+ return 0;
35733+ } else {
35734+ const char *endp;
35735+
35736+ if ((endp = strchr(n, '/')) == NULL)
35737+ endp = n + strlen(n);
35738+
35739+ if (c == '[') {
35740+ for (--p; n < endp; ++n)
35741+ if (!glob_match(p, n))
35742+ return 0;
35743+ } else if (c == '/') {
35744+ while (*n != '\0' && *n != '/')
35745+ ++n;
35746+ if (*n == '/' && !glob_match(p, n + 1))
35747+ return 0;
35748+ } else {
35749+ for (--p; n < endp; ++n)
35750+ if (*n == c && !glob_match(p, n))
35751+ return 0;
35752+ }
35753+
35754+ return 1;
35755+ }
35756+ case '[':
35757+ {
35758+ int not;
35759+ char cold;
35760+
35761+ if (*n == '\0' || *n == '/')
35762+ return 1;
35763+
35764+ not = (*p == '!' || *p == '^');
35765+ if (not)
35766+ ++p;
35767+
35768+ c = *p++;
35769+ for (;;) {
35770+ unsigned char fn = (unsigned char)*n;
35771+
35772+ if (c == '\0')
35773+ return 1;
35774+ else {
35775+ if (c == fn)
35776+ goto matched;
35777+ cold = c;
35778+ c = *p++;
35779+
35780+ if (c == '-' && *p != ']') {
35781+ unsigned char cend = *p++;
35782+
35783+ if (cend == '\0')
35784+ return 1;
35785+
35786+ if (cold <= fn && fn <= cend)
35787+ goto matched;
35788+
35789+ c = *p++;
35790+ }
35791+ }
35792+
35793+ if (c == ']')
35794+ break;
35795+ }
35796+ if (!not)
35797+ return 1;
35798+ break;
35799+ matched:
35800+ while (c != ']') {
35801+ if (c == '\0')
35802+ return 1;
35803+
35804+ c = *p++;
35805+ }
35806+ if (not)
35807+ return 1;
35808+ }
35809+ break;
35810+ default:
35811+ if (c != *n)
35812+ return 1;
35813+ }
35814+
35815+ ++n;
35816+ }
35817+
35818+ if (*n == '\0')
35819+ return 0;
35820+
35821+ if (*n == '/')
35822+ return 0;
35823+
35824+ return 1;
35825+}
35826+
35827+static struct acl_object_label *
35828+chk_glob_label(struct acl_object_label *globbed,
35829+ struct dentry *dentry, struct vfsmount *mnt, char **path)
35830+{
35831+ struct acl_object_label *tmp;
35832+
35833+ if (*path == NULL)
35834+ *path = gr_to_filename_nolock(dentry, mnt);
35835+
35836+ tmp = globbed;
35837+
35838+ while (tmp) {
35839+ if (!glob_match(tmp->filename, *path))
35840+ return tmp;
35841+ tmp = tmp->next;
35842+ }
35843+
35844+ return NULL;
35845+}
35846+
35847+static struct acl_object_label *
35848+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35849+ const ino_t curr_ino, const dev_t curr_dev,
35850+ const struct acl_subject_label *subj, char **path, const int checkglob)
35851+{
35852+ struct acl_subject_label *tmpsubj;
35853+ struct acl_object_label *retval;
35854+ struct acl_object_label *retval2;
35855+
35856+ tmpsubj = (struct acl_subject_label *) subj;
35857+ read_lock(&gr_inode_lock);
35858+ do {
35859+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
35860+ if (retval) {
35861+ if (checkglob && retval->globbed) {
35862+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
35863+ (struct vfsmount *)orig_mnt, path);
35864+ if (retval2)
35865+ retval = retval2;
35866+ }
35867+ break;
35868+ }
35869+ } while ((tmpsubj = tmpsubj->parent_subject));
35870+ read_unlock(&gr_inode_lock);
35871+
35872+ return retval;
35873+}
35874+
35875+static __inline__ struct acl_object_label *
35876+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35877+ const struct dentry *curr_dentry,
35878+ const struct acl_subject_label *subj, char **path, const int checkglob)
35879+{
35880+ return __full_lookup(orig_dentry, orig_mnt,
35881+ curr_dentry->d_inode->i_ino,
35882+ curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
35883+}
35884+
35885+static struct acl_object_label *
35886+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35887+ const struct acl_subject_label *subj, char *path, const int checkglob)
35888+{
35889+ struct dentry *dentry = (struct dentry *) l_dentry;
35890+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35891+ struct acl_object_label *retval;
35892+
35893+ spin_lock(&dcache_lock);
35894+
35895+ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
df50ba0c
MT		 35896+#ifdef CONFIG_HUGETLBFS
35897+ mnt == hugetlbfs_vfsmount ||
35898+#endif
58c5fc13
MT		 35899+ /* ignore Eric Biederman */
35900+ IS_PRIVATE(l_dentry->d_inode))) {
35901+ retval = fakefs_obj;
35902+ goto out;
35903+ }
35904+
35905+ for (;;) {
35906+ if (dentry == real_root && mnt == real_root_mnt)
35907+ break;
35908+
35909+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35910+ if (mnt->mnt_parent == mnt)
35911+ break;
35912+
35913+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35914+ if (retval != NULL)
35915+ goto out;
35916+
35917+ dentry = mnt->mnt_mountpoint;
35918+ mnt = mnt->mnt_parent;
35919+ continue;
35920+ }
35921+
35922+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35923+ if (retval != NULL)
35924+ goto out;
35925+
35926+ dentry = dentry->d_parent;
35927+ }
35928+
35929+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35930+
35931+ if (retval == NULL)
35932+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
35933+out:
35934+ spin_unlock(&dcache_lock);
35935+ return retval;
35936+}
35937+
35938+static __inline__ struct acl_object_label *
35939+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35940+ const struct acl_subject_label *subj)
35941+{
35942+ char *path = NULL;
35943+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35944+}
35945+
35946+static __inline__ struct acl_object_label *
35947+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35948+ const struct acl_subject_label *subj)
35949+{
35950+ char *path = NULL;
35951+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
35952+}
35953+
35954+static __inline__ struct acl_object_label *
35955+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35956+ const struct acl_subject_label *subj, char *path)
35957+{
35958+ return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35959+}
35960+
35961+static struct acl_subject_label *
35962+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35963+ const struct acl_role_label *role)
35964+{
35965+ struct dentry *dentry = (struct dentry *) l_dentry;
35966+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35967+ struct acl_subject_label *retval;
35968+
35969+ spin_lock(&dcache_lock);
35970+
35971+ for (;;) {
35972+ if (dentry == real_root && mnt == real_root_mnt)
35973+ break;
35974+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35975+ if (mnt->mnt_parent == mnt)
35976+ break;
35977+
35978+ read_lock(&gr_inode_lock);
35979+ retval =
35980+ lookup_acl_subj_label(dentry->d_inode->i_ino,
35981+ dentry->d_inode->i_sb->s_dev, role);
35982+ read_unlock(&gr_inode_lock);
35983+ if (retval != NULL)
35984+ goto out;
35985+
35986+ dentry = mnt->mnt_mountpoint;
35987+ mnt = mnt->mnt_parent;
35988+ continue;
35989+ }
35990+
35991+ read_lock(&gr_inode_lock);
35992+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
35993+ dentry->d_inode->i_sb->s_dev, role);
35994+ read_unlock(&gr_inode_lock);
35995+ if (retval != NULL)
35996+ goto out;
35997+
35998+ dentry = dentry->d_parent;
35999+ }
36000+
36001+ read_lock(&gr_inode_lock);
36002+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36003+ dentry->d_inode->i_sb->s_dev, role);
36004+ read_unlock(&gr_inode_lock);
36005+
36006+ if (unlikely(retval == NULL)) {
36007+ read_lock(&gr_inode_lock);
36008+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
36009+ real_root->d_inode->i_sb->s_dev, role);
36010+ read_unlock(&gr_inode_lock);
36011+ }
36012+out:
36013+ spin_unlock(&dcache_lock);
36014+
36015+ return retval;
36016+}
36017+
36018+static void
36019+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36020+{
36021+ struct task_struct *task = current;
36022+ const struct cred *cred = current_cred();
36023+
36024+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36025+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36026+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
ae4e228f 36027+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
58c5fc13
MT		 36028+
36029+ return;
36030+}
36031+
36032+static void
36033+gr_log_learn_sysctl(const char *path, const __u32 mode)
36034+{
36035+ struct task_struct *task = current;
36036+ const struct cred *cred = current_cred();
36037+
36038+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36039+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36040+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
ae4e228f 36041+ 1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
58c5fc13
MT		 36042+
36043+ return;
36044+}
36045+
36046+static void
36047+gr_log_learn_id_change(const char type, const unsigned int real,
36048+ const unsigned int effective, const unsigned int fs)
36049+{
36050+ struct task_struct *task = current;
36051+ const struct cred *cred = current_cred();
36052+
36053+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36054+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36055+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
ae4e228f 36056+ type, real, effective, fs, &task->signal->curr_ip);
58c5fc13
MT		 36057+
36058+ return;
36059+}
36060+
36061+__u32
36062+gr_check_link(const struct dentry * new_dentry,
36063+ const struct dentry * parent_dentry,
36064+ const struct vfsmount * parent_mnt,
36065+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36066+{
36067+ struct acl_object_label *obj;
36068+ __u32 oldmode, newmode;
36069+ __u32 needmode;
36070+
36071+ if (unlikely(!(gr_status & GR_READY)))
36072+ return (GR_CREATE | GR_LINK);
36073+
36074+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36075+ oldmode = obj->mode;
36076+
36077+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36078+ oldmode |= (GR_CREATE | GR_LINK);
36079+
36080+ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36081+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36082+ needmode |= GR_SETID | GR_AUDIT_SETID;
36083+
36084+ newmode =
36085+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
36086+ oldmode | needmode);
36087+
36088+ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36089+ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36090+ GR_INHERIT | GR_AUDIT_INHERIT);
36091+
36092+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36093+ goto bad;
36094+
36095+ if ((oldmode & needmode) != needmode)
36096+ goto bad;
36097+
36098+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36099+ if ((newmode & needmode) != needmode)
36100+ goto bad;
36101+
36102+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
36103+ return newmode;
36104+bad:
36105+ needmode = oldmode;
36106+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36107+ needmode |= GR_SETID;
36108+
36109+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36110+ gr_log_learn(old_dentry, old_mnt, needmode);
36111+ return (GR_CREATE | GR_LINK);
36112+ } else if (newmode & GR_SUPPRESS)
36113+ return GR_SUPPRESS;
36114+ else
36115+ return 0;
36116+}
36117+
36118+__u32
36119+gr_search_file(const struct dentry * dentry, const __u32 mode,
36120+ const struct vfsmount * mnt)
36121+{
36122+ __u32 retval = mode;
36123+ struct acl_subject_label *curracl;
36124+ struct acl_object_label *currobj;
36125+
36126+ if (unlikely(!(gr_status & GR_READY)))
36127+ return (mode & ~GR_AUDITS);
36128+
36129+ curracl = current->acl;
36130+
36131+ currobj = chk_obj_label(dentry, mnt, curracl);
36132+ retval = currobj->mode & mode;
36133+
36134+ if (unlikely
36135+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
36136+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
36137+ __u32 new_mode = mode;
36138+
36139+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36140+
36141+ retval = new_mode;
36142+
36143+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
36144+ new_mode |= GR_INHERIT;
36145+
36146+ if (!(mode & GR_NOLEARN))
36147+ gr_log_learn(dentry, mnt, new_mode);
36148+ }
36149+
36150+ return retval;
36151+}
36152+
36153+__u32
36154+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
36155+ const struct vfsmount * mnt, const __u32 mode)
36156+{
36157+ struct name_entry *match;
36158+ struct acl_object_label *matchpo;
36159+ struct acl_subject_label *curracl;
36160+ char *path;
36161+ __u32 retval;
36162+
36163+ if (unlikely(!(gr_status & GR_READY)))
36164+ return (mode & ~GR_AUDITS);
36165+
36166+ preempt_disable();
36167+ path = gr_to_filename_rbac(new_dentry, mnt);
36168+ match = lookup_name_entry_create(path);
36169+
36170+ if (!match)
36171+ goto check_parent;
36172+
36173+ curracl = current->acl;
36174+
36175+ read_lock(&gr_inode_lock);
36176+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
36177+ read_unlock(&gr_inode_lock);
36178+
36179+ if (matchpo) {
36180+ if ((matchpo->mode & mode) !=
36181+ (mode & ~(GR_AUDITS | GR_SUPPRESS))
36182+ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36183+ __u32 new_mode = mode;
36184+
36185+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36186+
36187+ gr_log_learn(new_dentry, mnt, new_mode);
36188+
36189+ preempt_enable();
36190+ return new_mode;
36191+ }
36192+ preempt_enable();
36193+ return (matchpo->mode & mode);
36194+ }
36195+
36196+ check_parent:
36197+ curracl = current->acl;
36198+
36199+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36200+ retval = matchpo->mode & mode;
36201+
36202+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36203+ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36204+ __u32 new_mode = mode;
36205+
36206+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36207+
36208+ gr_log_learn(new_dentry, mnt, new_mode);
36209+ preempt_enable();
36210+ return new_mode;
36211+ }
36212+
36213+ preempt_enable();
36214+ return retval;
36215+}
36216+
36217+int
36218+gr_check_hidden_task(const struct task_struct *task)
36219+{
36220+ if (unlikely(!(gr_status & GR_READY)))
36221+ return 0;
36222+
36223+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36224+ return 1;
36225+
36226+ return 0;
36227+}
36228+
36229+int
36230+gr_check_protected_task(const struct task_struct *task)
36231+{
36232+ if (unlikely(!(gr_status & GR_READY) || !task))
36233+ return 0;
36234+
36235+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36236+ task->acl != current->acl)
36237+ return 1;
36238+
36239+ return 0;
36240+}
36241+
57199397
MT		 36242+int
36243+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36244+{
36245+ struct task_struct *p;
36246+ int ret = 0;
36247+
36248+ if (unlikely(!(gr_status & GR_READY) || !pid))
36249+ return ret;
36250+
36251+ read_lock(&tasklist_lock);
36252+ do_each_pid_task(pid, type, p) {
36253+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36254+ p->acl != current->acl) {
36255+ ret = 1;
36256+ goto out;
36257+ }
36258+ } while_each_pid_task(pid, type, p);
36259+out:
36260+ read_unlock(&tasklist_lock);
36261+
36262+ return ret;
36263+}
36264+
58c5fc13
MT		 36265+void
36266+gr_copy_label(struct task_struct *tsk)
36267+{
36268+ tsk->signal->used_accept = 0;
36269+ tsk->acl_sp_role = 0;
36270+ tsk->acl_role_id = current->acl_role_id;
36271+ tsk->acl = current->acl;
36272+ tsk->role = current->role;
36273+ tsk->signal->curr_ip = current->signal->curr_ip;
36274+ if (current->exec_file)
36275+ get_file(current->exec_file);
36276+ tsk->exec_file = current->exec_file;
36277+ tsk->is_writable = current->is_writable;
36278+ if (unlikely(current->signal->used_accept))
36279+ current->signal->curr_ip = 0;
36280+
36281+ return;
36282+}
36283+
36284+static void
36285+gr_set_proc_res(struct task_struct *task)
36286+{
36287+ struct acl_subject_label *proc;
36288+ unsigned short i;
36289+
36290+ proc = task->acl;
36291+
36292+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
36293+ return;
36294+
36295+ for (i = 0; i < RLIM_NLIMITS; i++) {
36296+ if (!(proc->resmask & (1 << i)))
36297+ continue;
36298+
36299+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
36300+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
36301+ }
36302+
36303+ return;
36304+}
36305+
36306+int
36307+gr_check_user_change(int real, int effective, int fs)
36308+{
36309+ unsigned int i;
36310+ __u16 num;
36311+ uid_t *uidlist;
36312+ int curuid;
36313+ int realok = 0;
36314+ int effectiveok = 0;
36315+ int fsok = 0;
36316+
36317+ if (unlikely(!(gr_status & GR_READY)))
36318+ return 0;
36319+
36320+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36321+ gr_log_learn_id_change('u', real, effective, fs);
36322+
36323+ num = current->acl->user_trans_num;
36324+ uidlist = current->acl->user_transitions;
36325+
36326+ if (uidlist == NULL)
36327+ return 0;
36328+
36329+ if (real == -1)
36330+ realok = 1;
36331+ if (effective == -1)
36332+ effectiveok = 1;
36333+ if (fs == -1)
36334+ fsok = 1;
36335+
36336+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
36337+ for (i = 0; i < num; i++) {
36338+ curuid = (int)uidlist[i];
36339+ if (real == curuid)
36340+ realok = 1;
36341+ if (effective == curuid)
36342+ effectiveok = 1;
36343+ if (fs == curuid)
36344+ fsok = 1;
36345+ }
36346+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
36347+ for (i = 0; i < num; i++) {
36348+ curuid = (int)uidlist[i];
36349+ if (real == curuid)
36350+ break;
36351+ if (effective == curuid)
36352+ break;
36353+ if (fs == curuid)
36354+ break;
36355+ }
36356+ /* not in deny list */
36357+ if (i == num) {
36358+ realok = 1;
36359+ effectiveok = 1;
36360+ fsok = 1;
36361+ }
36362+ }
36363+
36364+ if (realok && effectiveok && fsok)
36365+ return 0;
36366+ else {
36367+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36368+ return 1;
36369+ }
36370+}
36371+
36372+int
36373+gr_check_group_change(int real, int effective, int fs)
36374+{
36375+ unsigned int i;
36376+ __u16 num;
36377+ gid_t *gidlist;
36378+ int curgid;
36379+ int realok = 0;
36380+ int effectiveok = 0;
36381+ int fsok = 0;
36382+
36383+ if (unlikely(!(gr_status & GR_READY)))
36384+ return 0;
36385+
36386+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36387+ gr_log_learn_id_change('g', real, effective, fs);
36388+
36389+ num = current->acl->group_trans_num;
36390+ gidlist = current->acl->group_transitions;
36391+
36392+ if (gidlist == NULL)
36393+ return 0;
36394+
36395+ if (real == -1)
36396+ realok = 1;
36397+ if (effective == -1)
36398+ effectiveok = 1;
36399+ if (fs == -1)
36400+ fsok = 1;
36401+
36402+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
36403+ for (i = 0; i < num; i++) {
36404+ curgid = (int)gidlist[i];
36405+ if (real == curgid)
36406+ realok = 1;
36407+ if (effective == curgid)
36408+ effectiveok = 1;
36409+ if (fs == curgid)
36410+ fsok = 1;
36411+ }
36412+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
36413+ for (i = 0; i < num; i++) {
36414+ curgid = (int)gidlist[i];
36415+ if (real == curgid)
36416+ break;
36417+ if (effective == curgid)
36418+ break;
36419+ if (fs == curgid)
36420+ break;
36421+ }
36422+ /* not in deny list */
36423+ if (i == num) {
36424+ realok = 1;
36425+ effectiveok = 1;
36426+ fsok = 1;
36427+ }
36428+ }
36429+
36430+ if (realok && effectiveok && fsok)
36431+ return 0;
36432+ else {
36433+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36434+ return 1;
36435+ }
36436+}
36437+
36438+void
36439+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
36440+{
36441+ struct acl_role_label *role = task->role;
36442+ struct acl_subject_label *subj = NULL;
36443+ struct acl_object_label *obj;
36444+ struct file *filp;
36445+
36446+ if (unlikely(!(gr_status & GR_READY)))
36447+ return;
36448+
36449+ filp = task->exec_file;
36450+
36451+ /* kernel process, we'll give them the kernel role */
36452+ if (unlikely(!filp)) {
36453+ task->role = kernel_role;
36454+ task->acl = kernel_role->root_label;
36455+ return;
36456+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
36457+ role = lookup_acl_role_label(task, uid, gid);
36458+
36459+ /* perform subject lookup in possibly new role
36460+ we can use this result below in the case where role == task->role
36461+ */
36462+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
36463+
36464+ /* if we changed uid/gid, but result in the same role
36465+ and are using inheritance, don't lose the inherited subject
36466+ if current subject is other than what normal lookup
36467+ would result in, we arrived via inheritance, don't
36468+ lose subject
36469+ */
36470+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
36471+ (subj == task->acl)))
36472+ task->acl = subj;
36473+
36474+ task->role = role;
36475+
36476+ task->is_writable = 0;
36477+
36478+ /* ignore additional mmap checks for processes that are writable
36479+ by the default ACL */
36480+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36481+ if (unlikely(obj->mode & GR_WRITE))
36482+ task->is_writable = 1;
36483+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
36484+ if (unlikely(obj->mode & GR_WRITE))
36485+ task->is_writable = 1;
36486+
36487+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36488+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36489+#endif
36490+
36491+ gr_set_proc_res(task);
36492+
36493+ return;
36494+}
36495+
36496+int
36497+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
36498+ const int unsafe_share)
36499+{
36500+ struct task_struct *task = current;
36501+ struct acl_subject_label *newacl;
36502+ struct acl_object_label *obj;
36503+ __u32 retmode;
36504+
36505+ if (unlikely(!(gr_status & GR_READY)))
36506+ return 0;
36507+
36508+ newacl = chk_subj_label(dentry, mnt, task->role);
36509+
36510+ task_lock(task);
ae4e228f
MT		 36511+ if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
36512+ !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
58c5fc13
MT		 36513+ !(task->role->roletype & GR_ROLE_GOD) &&
36514+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
ae4e228f 36515+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
58c5fc13 36516+ task_unlock(task);
ae4e228f
MT		 36517+ if (unsafe_share)
36518+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
36519+ else
36520+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
58c5fc13
MT		 36521+ return -EACCES;
36522+ }
36523+ task_unlock(task);
36524+
36525+ obj = chk_obj_label(dentry, mnt, task->acl);
36526+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
36527+
36528+ if (!(task->acl->mode & GR_INHERITLEARN) &&
36529+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
36530+ if (obj->nested)
36531+ task->acl = obj->nested;
36532+ else
36533+ task->acl = newacl;
36534+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
36535+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
36536+
36537+ task->is_writable = 0;
36538+
36539+ /* ignore additional mmap checks for processes that are writable
36540+ by the default ACL */
36541+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
36542+ if (unlikely(obj->mode & GR_WRITE))
36543+ task->is_writable = 1;
36544+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
36545+ if (unlikely(obj->mode & GR_WRITE))
36546+ task->is_writable = 1;
36547+
36548+ gr_set_proc_res(task);
36549+
36550+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36551+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36552+#endif
36553+ return 0;
36554+}
36555+
36556+/* always called with valid inodev ptr */
36557+static void
36558+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
36559+{
36560+ struct acl_object_label *matchpo;
36561+ struct acl_subject_label *matchps;
36562+ struct acl_subject_label *subj;
36563+ struct acl_role_label *role;
ae4e228f 36564+ unsigned int x;
58c5fc13 36565+
ae4e228f 36566+ FOR_EACH_ROLE_START(role)
58c5fc13
MT		 36567+ FOR_EACH_SUBJECT_START(role, subj, x)
36568+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
36569+ matchpo->mode |= GR_DELETED;
36570+ FOR_EACH_SUBJECT_END(subj,x)
36571+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
36572+ if (subj->inode == ino && subj->device == dev)
36573+ subj->mode |= GR_DELETED;
36574+ FOR_EACH_NESTED_SUBJECT_END(subj)
36575+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
36576+ matchps->mode |= GR_DELETED;
ae4e228f 36577+ FOR_EACH_ROLE_END(role)
58c5fc13
MT		 36578+
36579+ inodev->nentry->deleted = 1;
36580+
36581+ return;
36582+}
36583+
36584+void
36585+gr_handle_delete(const ino_t ino, const dev_t dev)
36586+{
36587+ struct inodev_entry *inodev;
36588+
36589+ if (unlikely(!(gr_status & GR_READY)))
36590+ return;
36591+
36592+ write_lock(&gr_inode_lock);
36593+ inodev = lookup_inodev_entry(ino, dev);
36594+ if (inodev != NULL)
36595+ do_handle_delete(inodev, ino, dev);
36596+ write_unlock(&gr_inode_lock);
36597+
36598+ return;
36599+}
36600+
36601+static void
36602+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
36603+ const ino_t newinode, const dev_t newdevice,
36604+ struct acl_subject_label *subj)
36605+{
36606+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
36607+ struct acl_object_label *match;
36608+
36609+ match = subj->obj_hash[index];
36610+
36611+ while (match && (match->inode != oldinode ||
36612+ match->device != olddevice ||
36613+ !(match->mode & GR_DELETED)))
36614+ match = match->next;
36615+
36616+ if (match && (match->inode == oldinode)
36617+ && (match->device == olddevice)
36618+ && (match->mode & GR_DELETED)) {
36619+ if (match->prev == NULL) {
36620+ subj->obj_hash[index] = match->next;
36621+ if (match->next != NULL)
36622+ match->next->prev = NULL;
36623+ } else {
36624+ match->prev->next = match->next;
36625+ if (match->next != NULL)
36626+ match->next->prev = match->prev;
36627+ }
36628+ match->prev = NULL;
36629+ match->next = NULL;
36630+ match->inode = newinode;
36631+ match->device = newdevice;
36632+ match->mode &= ~GR_DELETED;
36633+
36634+ insert_acl_obj_label(match, subj);
36635+ }
36636+
36637+ return;
36638+}
36639+
36640+static void
36641+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
36642+ const ino_t newinode, const dev_t newdevice,
36643+ struct acl_role_label *role)
36644+{
36645+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
36646+ struct acl_subject_label *match;
36647+
36648+ match = role->subj_hash[index];
36649+
36650+ while (match && (match->inode != oldinode ||
36651+ match->device != olddevice ||
36652+ !(match->mode & GR_DELETED)))
36653+ match = match->next;
36654+
36655+ if (match && (match->inode == oldinode)
36656+ && (match->device == olddevice)
36657+ && (match->mode & GR_DELETED)) {
36658+ if (match->prev == NULL) {
36659+ role->subj_hash[index] = match->next;
36660+ if (match->next != NULL)
36661+ match->next->prev = NULL;
36662+ } else {
36663+ match->prev->next = match->next;
36664+ if (match->next != NULL)
36665+ match->next->prev = match->prev;
36666+ }
36667+ match->prev = NULL;
36668+ match->next = NULL;
36669+ match->inode = newinode;
36670+ match->device = newdevice;
36671+ match->mode &= ~GR_DELETED;
36672+
36673+ insert_acl_subj_label(match, role);
36674+ }
36675+
36676+ return;
36677+}
36678+
36679+static void
36680+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
36681+ const ino_t newinode, const dev_t newdevice)
36682+{
36683+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
36684+ struct inodev_entry *match;
36685+
36686+ match = inodev_set.i_hash[index];
36687+
36688+ while (match && (match->nentry->inode != oldinode ||
36689+ match->nentry->device != olddevice || !match->nentry->deleted))
36690+ match = match->next;
36691+
36692+ if (match && (match->nentry->inode == oldinode)
36693+ && (match->nentry->device == olddevice) &&
36694+ match->nentry->deleted) {
36695+ if (match->prev == NULL) {
36696+ inodev_set.i_hash[index] = match->next;
36697+ if (match->next != NULL)
36698+ match->next->prev = NULL;
36699+ } else {
36700+ match->prev->next = match->next;
36701+ if (match->next != NULL)
36702+ match->next->prev = match->prev;
36703+ }
36704+ match->prev = NULL;
36705+ match->next = NULL;
36706+ match->nentry->inode = newinode;
36707+ match->nentry->device = newdevice;
36708+ match->nentry->deleted = 0;
36709+
36710+ insert_inodev_entry(match);
36711+ }
36712+
36713+ return;
36714+}
36715+
36716+static void
36717+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
36718+ const struct vfsmount *mnt)
36719+{
36720+ struct acl_subject_label *subj;
36721+ struct acl_role_label *role;
ae4e228f
MT		 36722+ unsigned int x;
36723+
36724+ FOR_EACH_ROLE_START(role)
58c5fc13
MT		 36725+ update_acl_subj_label(matchn->inode, matchn->device,
36726+ dentry->d_inode->i_ino,
36727+ dentry->d_inode->i_sb->s_dev, role);
36728+
36729+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
36730+ if ((subj->inode == dentry->d_inode->i_ino) &&
36731+ (subj->device == dentry->d_inode->i_sb->s_dev)) {
36732+ subj->inode = dentry->d_inode->i_ino;
36733+ subj->device = dentry->d_inode->i_sb->s_dev;
36734+ }
36735+ FOR_EACH_NESTED_SUBJECT_END(subj)
36736+ FOR_EACH_SUBJECT_START(role, subj, x)
36737+ update_acl_obj_label(matchn->inode, matchn->device,
36738+ dentry->d_inode->i_ino,
36739+ dentry->d_inode->i_sb->s_dev, subj);
36740+ FOR_EACH_SUBJECT_END(subj,x)
ae4e228f 36741+ FOR_EACH_ROLE_END(role)
58c5fc13
MT		 36742+
36743+ update_inodev_entry(matchn->inode, matchn->device,
36744+ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
36745+
36746+ return;
36747+}
36748+
36749+void
36750+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
36751+{
36752+ struct name_entry *matchn;
36753+
36754+ if (unlikely(!(gr_status & GR_READY)))
36755+ return;
36756+
36757+ preempt_disable();
36758+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
36759+
36760+ if (unlikely((unsigned long)matchn)) {
36761+ write_lock(&gr_inode_lock);
36762+ do_handle_create(matchn, dentry, mnt);
36763+ write_unlock(&gr_inode_lock);
36764+ }
36765+ preempt_enable();
36766+
36767+ return;
36768+}
36769+
36770+void
36771+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
36772+ struct dentry *old_dentry,
36773+ struct dentry *new_dentry,
36774+ struct vfsmount *mnt, const __u8 replace)
36775+{
36776+ struct name_entry *matchn;
36777+ struct inodev_entry *inodev;
36778+
36779+ /* vfs_rename swaps the name and parent link for old_dentry and
36780+ new_dentry
36781+ at this point, old_dentry has the new name, parent link, and inode
36782+ for the renamed file
36783+ if a file is being replaced by a rename, new_dentry has the inode
36784+ and name for the replaced file
36785+ */
36786+
36787+ if (unlikely(!(gr_status & GR_READY)))
36788+ return;
36789+
36790+ preempt_disable();
36791+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
36792+
36793+ /* we wouldn't have to check d_inode if it weren't for
36794+ NFS silly-renaming
36795+ */
36796+
36797+ write_lock(&gr_inode_lock);
36798+ if (unlikely(replace && new_dentry->d_inode)) {
36799+ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
36800+ new_dentry->d_inode->i_sb->s_dev);
36801+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
36802+ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
36803+ new_dentry->d_inode->i_sb->s_dev);
36804+ }
36805+
36806+ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
36807+ old_dentry->d_inode->i_sb->s_dev);
36808+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
36809+ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
36810+ old_dentry->d_inode->i_sb->s_dev);
36811+
36812+ if (unlikely((unsigned long)matchn))
36813+ do_handle_create(matchn, old_dentry, mnt);
36814+
36815+ write_unlock(&gr_inode_lock);
36816+ preempt_enable();
36817+
36818+ return;
36819+}
36820+
36821+static int
36822+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
36823+ unsigned char **sum)
36824+{
36825+ struct acl_role_label *r;
36826+ struct role_allowed_ip *ipp;
36827+ struct role_transition *trans;
36828+ unsigned int i;
36829+ int found = 0;
36830+
36831+ /* check transition table */
36832+
36833+ for (trans = current->role->transitions; trans; trans = trans->next) {
36834+ if (!strcmp(rolename, trans->rolename)) {
36835+ found = 1;
36836+ break;
36837+ }
36838+ }
36839+
36840+ if (!found)
36841+ return 0;
36842+
36843+ /* handle special roles that do not require authentication
36844+ and check ip */
36845+
ae4e228f 36846+ FOR_EACH_ROLE_START(r)
58c5fc13
MT		 36847+ if (!strcmp(rolename, r->rolename) &&
36848+ (r->roletype & GR_ROLE_SPECIAL)) {
36849+ found = 0;
36850+ if (r->allowed_ips != NULL) {
36851+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
36852+ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
36853+ (ntohl(ipp->addr) & ipp->netmask))
36854+ found = 1;
36855+ }
36856+ } else
36857+ found = 2;
36858+ if (!found)
36859+ return 0;
36860+
36861+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
36862+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
36863+ *salt = NULL;
36864+ *sum = NULL;
36865+ return 1;
36866+ }
36867+ }
ae4e228f 36868+ FOR_EACH_ROLE_END(r)
58c5fc13
MT		 36869+
36870+ for (i = 0; i < num_sprole_pws; i++) {
36871+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
36872+ *salt = acl_special_roles[i]->salt;
36873+ *sum = acl_special_roles[i]->sum;
36874+ return 1;
36875+ }
36876+ }
36877+
36878+ return 0;
36879+}
36880+
36881+static void
36882+assign_special_role(char *rolename)
36883+{
36884+ struct acl_object_label *obj;
36885+ struct acl_role_label *r;
36886+ struct acl_role_label *assigned = NULL;
36887+ struct task_struct *tsk;
36888+ struct file *filp;
58c5fc13 36889+
ae4e228f 36890+ FOR_EACH_ROLE_START(r)
58c5fc13 36891+ if (!strcmp(rolename, r->rolename) &&
ae4e228f 36892+ (r->roletype & GR_ROLE_SPECIAL)) {
58c5fc13 36893+ assigned = r;
ae4e228f
MT		 36894+ break;
36895+ }
36896+ FOR_EACH_ROLE_END(r)
58c5fc13
MT		 36897+
36898+ if (!assigned)
36899+ return;
36900+
36901+ read_lock(&tasklist_lock);
36902+ read_lock(&grsec_exec_file_lock);
36903+
36904+ tsk = current->parent;
36905+ if (tsk == NULL)
36906+ goto out_unlock;
36907+
36908+ filp = tsk->exec_file;
36909+ if (filp == NULL)
36910+ goto out_unlock;
36911+
36912+ tsk->is_writable = 0;
36913+
36914+ tsk->acl_sp_role = 1;
36915+ tsk->acl_role_id = ++acl_sp_role_value;
36916+ tsk->role = assigned;
36917+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
36918+
36919+ /* ignore additional mmap checks for processes that are writable
36920+ by the default ACL */
36921+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36922+ if (unlikely(obj->mode & GR_WRITE))
36923+ tsk->is_writable = 1;
36924+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
36925+ if (unlikely(obj->mode & GR_WRITE))
36926+ tsk->is_writable = 1;
36927+
36928+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36929+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
36930+#endif
36931+
36932+out_unlock:
36933+ read_unlock(&grsec_exec_file_lock);
36934+ read_unlock(&tasklist_lock);
36935+ return;
36936+}
36937+
36938+int gr_check_secure_terminal(struct task_struct *task)
36939+{
36940+ struct task_struct *p, *p2, *p3;
36941+ struct files_struct *files;
36942+ struct fdtable *fdt;
36943+ struct file *our_file = NULL, *file;
36944+ int i;
36945+
36946+ if (task->signal->tty == NULL)
36947+ return 1;
36948+
36949+ files = get_files_struct(task);
36950+ if (files != NULL) {
36951+ rcu_read_lock();
36952+ fdt = files_fdtable(files);
36953+ for (i=0; i < fdt->max_fds; i++) {
36954+ file = fcheck_files(files, i);
36955+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
36956+ get_file(file);
36957+ our_file = file;
36958+ }
36959+ }
36960+ rcu_read_unlock();
36961+ put_files_struct(files);
36962+ }
36963+
36964+ if (our_file == NULL)
36965+ return 1;
36966+
36967+ read_lock(&tasklist_lock);
36968+ do_each_thread(p2, p) {
36969+ files = get_files_struct(p);
36970+ if (files == NULL ||
36971+ (p->signal && p->signal->tty == task->signal->tty)) {
36972+ if (files != NULL)
36973+ put_files_struct(files);
36974+ continue;
36975+ }
36976+ rcu_read_lock();
36977+ fdt = files_fdtable(files);
36978+ for (i=0; i < fdt->max_fds; i++) {
36979+ file = fcheck_files(files, i);
36980+ if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
36981+ file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
36982+ p3 = task;
36983+ while (p3->pid > 0) {
36984+ if (p3 == p)
36985+ break;
36986+ p3 = p3->parent;
36987+ }
36988+ if (p3 == p)
36989+ break;
36990+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
36991+ gr_handle_alertkill(p);
36992+ rcu_read_unlock();
36993+ put_files_struct(files);
36994+ read_unlock(&tasklist_lock);
36995+ fput(our_file);
36996+ return 0;
36997+ }
36998+ }
36999+ rcu_read_unlock();
37000+ put_files_struct(files);
37001+ } while_each_thread(p2, p);
37002+ read_unlock(&tasklist_lock);
37003+
37004+ fput(our_file);
37005+ return 1;
37006+}
37007+
37008+ssize_t
37009+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37010+{
37011+ struct gr_arg_wrapper uwrap;
ae4e228f
MT		 37012+ unsigned char *sprole_salt = NULL;
37013+ unsigned char *sprole_sum = NULL;
58c5fc13
MT		 37014+ int error = sizeof (struct gr_arg_wrapper);
37015+ int error2 = 0;
37016+
37017+ down(&gr_dev_sem);
37018+
37019+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37020+ error = -EPERM;
37021+ goto out;
37022+ }
37023+
37024+ if (count != sizeof (struct gr_arg_wrapper)) {
37025+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37026+ error = -EINVAL;
37027+ goto out;
37028+ }
37029+
37030+
37031+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37032+ gr_auth_expires = 0;
37033+ gr_auth_attempts = 0;
37034+ }
37035+
37036+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37037+ error = -EFAULT;
37038+ goto out;
37039+ }
37040+
37041+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37042+ error = -EINVAL;
37043+ goto out;
37044+ }
37045+
37046+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37047+ error = -EFAULT;
37048+ goto out;
37049+ }
37050+
37051+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37052+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37053+ time_after(gr_auth_expires, get_seconds())) {
37054+ error = -EBUSY;
37055+ goto out;
37056+ }
37057+
37058+ /* if non-root trying to do anything other than use a special role,
37059+ do not attempt authentication, do not count towards authentication
37060+ locking
37061+ */
37062+
37063+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37064+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37065+ current_uid()) {
37066+ error = -EPERM;
37067+ goto out;
37068+ }
37069+
37070+ /* ensure pw and special role name are null terminated */
37071+
37072+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37073+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37074+
37075+ /* Okay.
37076+ * We have our enough of the argument structure..(we have yet
37077+ * to copy_from_user the tables themselves) . Copy the tables
37078+ * only if we need them, i.e. for loading operations. */
37079+
37080+ switch (gr_usermode->mode) {
37081+ case GR_STATUS:
37082+ if (gr_status & GR_READY) {
37083+ error = 1;
37084+ if (!gr_check_secure_terminal(current))
37085+ error = 3;
37086+ } else
37087+ error = 2;
37088+ goto out;
37089+ case GR_SHUTDOWN:
37090+ if ((gr_status & GR_READY)
37091+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
ae4e228f 37092+ pax_open_kernel();
58c5fc13 37093+ gr_status &= ~GR_READY;
ae4e228f
MT		 37094+ pax_close_kernel();
37095+
58c5fc13
MT		 37096+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
37097+ free_variables();
37098+ memset(gr_usermode, 0, sizeof (struct gr_arg));
37099+ memset(gr_system_salt, 0, GR_SALT_LEN);
37100+ memset(gr_system_sum, 0, GR_SHA_LEN);
37101+ } else if (gr_status & GR_READY) {
37102+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
37103+ error = -EPERM;
37104+ } else {
37105+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
37106+ error = -EAGAIN;
37107+ }
37108+ break;
37109+ case GR_ENABLE:
37110+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
37111+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
37112+ else {
37113+ if (gr_status & GR_READY)
37114+ error = -EAGAIN;
37115+ else
37116+ error = error2;
37117+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
37118+ }
37119+ break;
37120+ case GR_RELOAD:
37121+ if (!(gr_status & GR_READY)) {
37122+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
37123+ error = -EAGAIN;
37124+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37125+ lock_kernel();
58c5fc13 37126+
ae4e228f 37127+ pax_open_kernel();
58c5fc13 37128+ gr_status &= ~GR_READY;
ae4e228f
MT		 37129+ pax_close_kernel();
37130+
58c5fc13
MT		 37131+ free_variables();
37132+ if (!(error2 = gracl_init(gr_usermode))) {
37133+ unlock_kernel();
37134+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
37135+ } else {
37136+ unlock_kernel();
37137+ error = error2;
37138+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37139+ }
37140+ } else {
37141+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37142+ error = -EPERM;
37143+ }
37144+ break;
37145+ case GR_SEGVMOD:
37146+ if (unlikely(!(gr_status & GR_READY))) {
37147+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
37148+ error = -EAGAIN;
37149+ break;
37150+ }
37151+
37152+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37153+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
37154+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
37155+ struct acl_subject_label *segvacl;
37156+ segvacl =
37157+ lookup_acl_subj_label(gr_usermode->segv_inode,
37158+ gr_usermode->segv_device,
37159+ current->role);
37160+ if (segvacl) {
37161+ segvacl->crashes = 0;
37162+ segvacl->expires = 0;
37163+ }
37164+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
37165+ gr_remove_uid(gr_usermode->segv_uid);
37166+ }
37167+ } else {
37168+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
37169+ error = -EPERM;
37170+ }
37171+ break;
37172+ case GR_SPROLE:
37173+ case GR_SPROLEPAM:
37174+ if (unlikely(!(gr_status & GR_READY))) {
37175+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37176+ error = -EAGAIN;
37177+ break;
37178+ }
37179+
37180+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37181+ current->role->expires = 0;
37182+ current->role->auth_attempts = 0;
37183+ }
37184+
37185+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37186+ time_after(current->role->expires, get_seconds())) {
37187+ error = -EBUSY;
37188+ goto out;
37189+ }
37190+
37191+ if (lookup_special_role_auth
37192+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37193+ && ((!sprole_salt && !sprole_sum)
37194+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37195+ char *p = "";
37196+ assign_special_role(gr_usermode->sp_role);
37197+ read_lock(&tasklist_lock);
37198+ if (current->parent)
37199+ p = current->parent->role->rolename;
37200+ read_unlock(&tasklist_lock);
37201+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37202+ p, acl_sp_role_value);
37203+ } else {
37204+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37205+ error = -EPERM;
37206+ if(!(current->role->auth_attempts++))
37207+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37208+
37209+ goto out;
37210+ }
37211+ break;
37212+ case GR_UNSPROLE:
37213+ if (unlikely(!(gr_status & GR_READY))) {
37214+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37215+ error = -EAGAIN;
37216+ break;
37217+ }
37218+
37219+ if (current->role->roletype & GR_ROLE_SPECIAL) {
37220+ char *p = "";
37221+ int i = 0;
37222+
37223+ read_lock(&tasklist_lock);
37224+ if (current->parent) {
37225+ p = current->parent->role->rolename;
37226+ i = current->parent->acl_role_id;
37227+ }
37228+ read_unlock(&tasklist_lock);
37229+
37230+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37231+ gr_set_acls(1);
37232+ } else {
58c5fc13
MT		 37233+ error = -EPERM;
37234+ goto out;
37235+ }
37236+ break;
37237+ default:
37238+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37239+ error = -EINVAL;
37240+ break;
37241+ }
37242+
37243+ if (error != -EPERM)
37244+ goto out;
37245+
37246+ if(!(gr_auth_attempts++))
37247+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37248+
37249+ out:
37250+ up(&gr_dev_sem);
37251+ return error;
37252+}
37253+
37254+int
37255+gr_set_acls(const int type)
37256+{
37257+ struct acl_object_label *obj;
37258+ struct task_struct *task, *task2;
37259+ struct file *filp;
37260+ struct acl_role_label *role = current->role;
37261+ __u16 acl_role_id = current->acl_role_id;
37262+ const struct cred *cred;
37263+ char *tmpname;
37264+ struct name_entry *nmatch;
37265+ struct acl_subject_label *tmpsubj;
37266+
ae4e228f 37267+ rcu_read_lock();
58c5fc13
MT		 37268+ read_lock(&tasklist_lock);
37269+ read_lock(&grsec_exec_file_lock);
37270+ do_each_thread(task2, task) {
37271+ /* check to see if we're called from the exit handler,
37272+ if so, only replace ACLs that have inherited the admin
37273+ ACL */
37274+
37275+ if (type && (task->role != role ||
37276+ task->acl_role_id != acl_role_id))
37277+ continue;
37278+
37279+ task->acl_role_id = 0;
37280+ task->acl_sp_role = 0;
37281+
37282+ if ((filp = task->exec_file)) {
37283+ cred = __task_cred(task);
37284+ task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
37285+
37286+ /* the following is to apply the correct subject
37287+ on binaries running when the RBAC system
37288+ is enabled, when the binaries have been
37289+ replaced or deleted since their execution
37290+ -----
37291+ when the RBAC system starts, the inode/dev
37292+ from exec_file will be one the RBAC system
37293+ is unaware of. It only knows the inode/dev
37294+ of the present file on disk, or the absence
37295+ of it.
37296+ */
37297+ preempt_disable();
37298+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
37299+
37300+ nmatch = lookup_name_entry(tmpname);
37301+ preempt_enable();
37302+ tmpsubj = NULL;
37303+ if (nmatch) {
37304+ if (nmatch->deleted)
37305+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
37306+ else
37307+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
37308+ if (tmpsubj != NULL)
37309+ task->acl = tmpsubj;
37310+ }
37311+ if (tmpsubj == NULL)
37312+ task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
37313+ task->role);
37314+ if (task->acl) {
37315+ struct acl_subject_label *curr;
37316+ curr = task->acl;
37317+
37318+ task->is_writable = 0;
37319+ /* ignore additional mmap checks for processes that are writable
37320+ by the default ACL */
37321+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37322+ if (unlikely(obj->mode & GR_WRITE))
37323+ task->is_writable = 1;
37324+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37325+ if (unlikely(obj->mode & GR_WRITE))
37326+ task->is_writable = 1;
37327+
37328+ gr_set_proc_res(task);
37329+
37330+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37331+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37332+#endif
37333+ } else {
37334+ read_unlock(&grsec_exec_file_lock);
37335+ read_unlock(&tasklist_lock);
ae4e228f 37336+ rcu_read_unlock();
58c5fc13
MT		 37337+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
37338+ return 1;
37339+ }
37340+ } else {
37341+ // it's a kernel process
37342+ task->role = kernel_role;
37343+ task->acl = kernel_role->root_label;
37344+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
37345+ task->acl->mode &= ~GR_PROCFIND;
37346+#endif
37347+ }
37348+ } while_each_thread(task2, task);
37349+ read_unlock(&grsec_exec_file_lock);
37350+ read_unlock(&tasklist_lock);
ae4e228f
MT		 37351+ rcu_read_unlock();
37352+
58c5fc13
MT		 37353+ return 0;
37354+}
37355+
37356+void
37357+gr_learn_resource(const struct task_struct *task,
37358+ const int res, const unsigned long wanted, const int gt)
37359+{
37360+ struct acl_subject_label *acl;
37361+ const struct cred *cred;
37362+
37363+ if (unlikely((gr_status & GR_READY) &&
37364+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
37365+ goto skip_reslog;
37366+
37367+#ifdef CONFIG_GRKERNSEC_RESLOG
37368+ gr_log_resource(task, res, wanted, gt);
37369+#endif
37370+ skip_reslog:
37371+
37372+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
37373+ return;
37374+
37375+ acl = task->acl;
37376+
37377+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
37378+ !(acl->resmask & (1 << (unsigned short) res))))
37379+ return;
37380+
37381+ if (wanted >= acl->res[res].rlim_cur) {
37382+ unsigned long res_add;
37383+
37384+ res_add = wanted;
37385+ switch (res) {
37386+ case RLIMIT_CPU:
37387+ res_add += GR_RLIM_CPU_BUMP;
37388+ break;
37389+ case RLIMIT_FSIZE:
37390+ res_add += GR_RLIM_FSIZE_BUMP;
37391+ break;
37392+ case RLIMIT_DATA:
37393+ res_add += GR_RLIM_DATA_BUMP;
37394+ break;
37395+ case RLIMIT_STACK:
37396+ res_add += GR_RLIM_STACK_BUMP;
37397+ break;
37398+ case RLIMIT_CORE:
37399+ res_add += GR_RLIM_CORE_BUMP;
37400+ break;
37401+ case RLIMIT_RSS:
37402+ res_add += GR_RLIM_RSS_BUMP;
37403+ break;
37404+ case RLIMIT_NPROC:
37405+ res_add += GR_RLIM_NPROC_BUMP;
37406+ break;
37407+ case RLIMIT_NOFILE:
37408+ res_add += GR_RLIM_NOFILE_BUMP;
37409+ break;
37410+ case RLIMIT_MEMLOCK:
37411+ res_add += GR_RLIM_MEMLOCK_BUMP;
37412+ break;
37413+ case RLIMIT_AS:
37414+ res_add += GR_RLIM_AS_BUMP;
37415+ break;
37416+ case RLIMIT_LOCKS:
37417+ res_add += GR_RLIM_LOCKS_BUMP;
37418+ break;
37419+ case RLIMIT_SIGPENDING:
37420+ res_add += GR_RLIM_SIGPENDING_BUMP;
37421+ break;
37422+ case RLIMIT_MSGQUEUE:
37423+ res_add += GR_RLIM_MSGQUEUE_BUMP;
37424+ break;
37425+ case RLIMIT_NICE:
37426+ res_add += GR_RLIM_NICE_BUMP;
37427+ break;
37428+ case RLIMIT_RTPRIO:
37429+ res_add += GR_RLIM_RTPRIO_BUMP;
37430+ break;
37431+ case RLIMIT_RTTIME:
37432+ res_add += GR_RLIM_RTTIME_BUMP;
37433+ break;
37434+ }
37435+
37436+ acl->res[res].rlim_cur = res_add;
37437+
37438+ if (wanted > acl->res[res].rlim_max)
37439+ acl->res[res].rlim_max = res_add;
37440+
37441+ /* only log the subject filename, since resource logging is supported for
37442+ single-subject learning only */
ae4e228f 37443+ rcu_read_lock();
58c5fc13
MT		 37444+ cred = __task_cred(task);
37445+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
37446+ task->role->roletype, cred->uid, cred->gid, acl->filename,
37447+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
ae4e228f
MT		 37448+ "", (unsigned long) res, &task->signal->curr_ip);
37449+ rcu_read_unlock();
58c5fc13
MT		 37450+ }
37451+
37452+ return;
37453+}
37454+
37455+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
37456+void
37457+pax_set_initial_flags(struct linux_binprm *bprm)
37458+{
37459+ struct task_struct *task = current;
37460+ struct acl_subject_label *proc;
37461+ unsigned long flags;
37462+
37463+ if (unlikely(!(gr_status & GR_READY)))
37464+ return;
37465+
37466+ flags = pax_get_flags(task);
37467+
37468+ proc = task->acl;
37469+
37470+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
37471+ flags &= ~MF_PAX_PAGEEXEC;
37472+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
37473+ flags &= ~MF_PAX_SEGMEXEC;
37474+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
37475+ flags &= ~MF_PAX_RANDMMAP;
37476+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
37477+ flags &= ~MF_PAX_EMUTRAMP;
37478+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
37479+ flags &= ~MF_PAX_MPROTECT;
37480+
37481+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
37482+ flags |= MF_PAX_PAGEEXEC;
37483+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
37484+ flags |= MF_PAX_SEGMEXEC;
37485+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
37486+ flags |= MF_PAX_RANDMMAP;
37487+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
37488+ flags |= MF_PAX_EMUTRAMP;
37489+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
37490+ flags |= MF_PAX_MPROTECT;
37491+
37492+ pax_set_flags(task, flags);
37493+
37494+ return;
37495+}
37496+#endif
37497+
37498+#ifdef CONFIG_SYSCTL
37499+/* Eric Biederman likes breaking userland ABI and every inode-based security
37500+ system to save 35kb of memory */
37501+
37502+/* we modify the passed in filename, but adjust it back before returning */
37503+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
37504+{
37505+ struct name_entry *nmatch;
37506+ char *p, *lastp = NULL;
37507+ struct acl_object_label *obj = NULL, *tmp;
37508+ struct acl_subject_label *tmpsubj;
37509+ char c = '\0';
37510+
37511+ read_lock(&gr_inode_lock);
37512+
37513+ p = name + len - 1;
37514+ do {
37515+ nmatch = lookup_name_entry(name);
37516+ if (lastp != NULL)
37517+ *lastp = c;
37518+
37519+ if (nmatch == NULL)
37520+ goto next_component;
37521+ tmpsubj = current->acl;
37522+ do {
37523+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
37524+ if (obj != NULL) {
37525+ tmp = obj->globbed;
37526+ while (tmp) {
37527+ if (!glob_match(tmp->filename, name)) {
37528+ obj = tmp;
37529+ goto found_obj;
37530+ }
37531+ tmp = tmp->next;
37532+ }
37533+ goto found_obj;
37534+ }
37535+ } while ((tmpsubj = tmpsubj->parent_subject));
37536+next_component:
37537+ /* end case */
37538+ if (p == name)
37539+ break;
37540+
37541+ while (*p != '/')
37542+ p--;
37543+ if (p == name)
37544+ lastp = p + 1;
37545+ else {
37546+ lastp = p;
37547+ p--;
37548+ }
37549+ c = *lastp;
37550+ *lastp = '\0';
37551+ } while (1);
37552+found_obj:
37553+ read_unlock(&gr_inode_lock);
37554+ /* obj returned will always be non-null */
37555+ return obj;
37556+}
37557+
37558+/* returns 0 when allowing, non-zero on error
37559+ op of 0 is used for readdir, so we don't log the names of hidden files
37560+*/
37561+__u32
37562+gr_handle_sysctl(const struct ctl_table *table, const int op)
37563+{
57199397 37564+ struct ctl_table *tmp;
58c5fc13
MT		 37565+ const char *proc_sys = "/proc/sys";
37566+ char *path;
37567+ struct acl_object_label *obj;
37568+ unsigned short len = 0, pos = 0, depth = 0, i;
37569+ __u32 err = 0;
37570+ __u32 mode = 0;
37571+
37572+ if (unlikely(!(gr_status & GR_READY)))
37573+ return 0;
37574+
37575+ /* for now, ignore operations on non-sysctl entries if it's not a
37576+ readdir*/
37577+ if (table->child != NULL && op != 0)
37578+ return 0;
37579+
37580+ mode |= GR_FIND;
37581+ /* it's only a read if it's an entry, read on dirs is for readdir */
37582+ if (op & MAY_READ)
37583+ mode |= GR_READ;
37584+ if (op & MAY_WRITE)
37585+ mode |= GR_WRITE;
37586+
37587+ preempt_disable();
37588+
37589+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
37590+
37591+ /* it's only a read/write if it's an actual entry, not a dir
37592+ (which are opened for readdir)
37593+ */
37594+
37595+ /* convert the requested sysctl entry into a pathname */
37596+
57199397 37597+ for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
58c5fc13
MT		 37598+ len += strlen(tmp->procname);
37599+ len++;
37600+ depth++;
37601+ }
37602+
37603+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
37604+ /* deny */
37605+ goto out;
37606+ }
37607+
37608+ memset(path, 0, PAGE_SIZE);
37609+
37610+ memcpy(path, proc_sys, strlen(proc_sys));
37611+
37612+ pos += strlen(proc_sys);
37613+
37614+ for (; depth > 0; depth--) {
37615+ path[pos] = '/';
37616+ pos++;
57199397 37617+ for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
58c5fc13
MT		 37618+ if (depth == i) {
37619+ memcpy(path + pos, tmp->procname,
37620+ strlen(tmp->procname));
37621+ pos += strlen(tmp->procname);
37622+ }
37623+ i++;
37624+ }
37625+ }
37626+
37627+ obj = gr_lookup_by_name(path, pos);
37628+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
37629+
37630+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
37631+ ((err & mode) != mode))) {
37632+ __u32 new_mode = mode;
37633+
37634+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37635+
37636+ err = 0;
37637+ gr_log_learn_sysctl(path, new_mode);
37638+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
37639+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
37640+ err = -ENOENT;
37641+ } else if (!(err & GR_FIND)) {
37642+ err = -ENOENT;
37643+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
37644+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
37645+ path, (mode & GR_READ) ? " reading" : "",
37646+ (mode & GR_WRITE) ? " writing" : "");
37647+ err = -EACCES;
37648+ } else if ((err & mode) != mode) {
37649+ err = -EACCES;
37650+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
37651+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
37652+ path, (mode & GR_READ) ? " reading" : "",
37653+ (mode & GR_WRITE) ? " writing" : "");
37654+ err = 0;
37655+ } else
37656+ err = 0;
37657+
37658+ out:
37659+ preempt_enable();
37660+
37661+ return err;
37662+}
37663+#endif
37664+
37665+int
37666+gr_handle_proc_ptrace(struct task_struct *task)
37667+{
37668+ struct file *filp;
37669+ struct task_struct *tmp = task;
37670+ struct task_struct *curtemp = current;
37671+ __u32 retmode;
37672+
37673+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37674+ if (unlikely(!(gr_status & GR_READY)))
37675+ return 0;
37676+#endif
37677+
37678+ read_lock(&tasklist_lock);
37679+ read_lock(&grsec_exec_file_lock);
37680+ filp = task->exec_file;
37681+
37682+ while (tmp->pid > 0) {
37683+ if (tmp == curtemp)
37684+ break;
37685+ tmp = tmp->parent;
37686+ }
37687+
37688+ if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37689+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
37690+ read_unlock(&grsec_exec_file_lock);
37691+ read_unlock(&tasklist_lock);
37692+ return 1;
37693+ }
37694+
37695+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37696+ if (!(gr_status & GR_READY)) {
37697+ read_unlock(&grsec_exec_file_lock);
37698+ read_unlock(&tasklist_lock);
37699+ return 0;
37700+ }
37701+#endif
37702+
37703+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
37704+ read_unlock(&grsec_exec_file_lock);
37705+ read_unlock(&tasklist_lock);
37706+
37707+ if (retmode & GR_NOPTRACE)
37708+ return 1;
37709+
37710+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
37711+ && (current->acl != task->acl || (current->acl != current->role->root_label
37712+ && current->pid != task->pid)))
37713+ return 1;
37714+
37715+ return 0;
37716+}
37717+
37718+int
37719+gr_handle_ptrace(struct task_struct *task, const long request)
37720+{
37721+ struct task_struct *tmp = task;
37722+ struct task_struct *curtemp = current;
37723+ __u32 retmode;
37724+
37725+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37726+ if (unlikely(!(gr_status & GR_READY)))
37727+ return 0;
37728+#endif
37729+
37730+ read_lock(&tasklist_lock);
37731+ while (tmp->pid > 0) {
37732+ if (tmp == curtemp)
37733+ break;
37734+ tmp = tmp->parent;
37735+ }
37736+
37737+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37738+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
37739+ read_unlock(&tasklist_lock);
37740+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37741+ return 1;
37742+ }
37743+ read_unlock(&tasklist_lock);
37744+
37745+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37746+ if (!(gr_status & GR_READY))
37747+ return 0;
37748+#endif
37749+
37750+ read_lock(&grsec_exec_file_lock);
37751+ if (unlikely(!task->exec_file)) {
37752+ read_unlock(&grsec_exec_file_lock);
37753+ return 0;
37754+ }
37755+
37756+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
37757+ read_unlock(&grsec_exec_file_lock);
37758+
37759+ if (retmode & GR_NOPTRACE) {
37760+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37761+ return 1;
37762+ }
37763+
37764+ if (retmode & GR_PTRACERD) {
37765+ switch (request) {
37766+ case PTRACE_POKETEXT:
37767+ case PTRACE_POKEDATA:
37768+ case PTRACE_POKEUSR:
37769+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
37770+ case PTRACE_SETREGS:
37771+ case PTRACE_SETFPREGS:
37772+#endif
37773+#ifdef CONFIG_X86
37774+ case PTRACE_SETFPXREGS:
37775+#endif
37776+#ifdef CONFIG_ALTIVEC
37777+ case PTRACE_SETVRREGS:
37778+#endif
37779+ return 1;
37780+ default:
37781+ return 0;
37782+ }
37783+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
37784+ !(current->role->roletype & GR_ROLE_GOD) &&
37785+ (current->acl != task->acl)) {
37786+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37787+ return 1;
37788+ }
37789+
37790+ return 0;
37791+}
37792+
37793+static int is_writable_mmap(const struct file *filp)
37794+{
37795+ struct task_struct *task = current;
37796+ struct acl_object_label *obj, *obj2;
37797+
37798+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
57199397 37799+ !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
58c5fc13
MT		 37800+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37801+ obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
37802+ task->role->root_label);
37803+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
37804+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
37805+ return 1;
37806+ }
37807+ }
37808+ return 0;
37809+}
37810+
37811+int
37812+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
37813+{
37814+ __u32 mode;
37815+
37816+ if (unlikely(!file || !(prot & PROT_EXEC)))
37817+ return 1;
37818+
37819+ if (is_writable_mmap(file))
37820+ return 0;
37821+
37822+ mode =
37823+ gr_search_file(file->f_path.dentry,
37824+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37825+ file->f_path.mnt);
37826+
37827+ if (!gr_tpe_allow(file))
37828+ return 0;
37829+
37830+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37831+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37832+ return 0;
37833+ } else if (unlikely(!(mode & GR_EXEC))) {
37834+ return 0;
37835+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37836+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37837+ return 1;
37838+ }
37839+
37840+ return 1;
37841+}
37842+
37843+int
37844+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
37845+{
37846+ __u32 mode;
37847+
37848+ if (unlikely(!file || !(prot & PROT_EXEC)))
37849+ return 1;
37850+
37851+ if (is_writable_mmap(file))
37852+ return 0;
37853+
37854+ mode =
37855+ gr_search_file(file->f_path.dentry,
37856+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37857+ file->f_path.mnt);
37858+
37859+ if (!gr_tpe_allow(file))
37860+ return 0;
37861+
37862+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37863+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37864+ return 0;
37865+ } else if (unlikely(!(mode & GR_EXEC))) {
37866+ return 0;
37867+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37868+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37869+ return 1;
37870+ }
37871+
37872+ return 1;
37873+}
37874+
37875+void
37876+gr_acl_handle_psacct(struct task_struct *task, const long code)
37877+{
37878+ unsigned long runtime;
37879+ unsigned long cputime;
37880+ unsigned int wday, cday;
37881+ __u8 whr, chr;
37882+ __u8 wmin, cmin;
37883+ __u8 wsec, csec;
37884+ struct timespec timeval;
37885+
37886+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
37887+ !(task->acl->mode & GR_PROCACCT)))
37888+ return;
37889+
37890+ do_posix_clock_monotonic_gettime(&timeval);
37891+ runtime = timeval.tv_sec - task->start_time.tv_sec;
37892+ wday = runtime / (3600 * 24);
37893+ runtime -= wday * (3600 * 24);
37894+ whr = runtime / 3600;
37895+ runtime -= whr * 3600;
37896+ wmin = runtime / 60;
37897+ runtime -= wmin * 60;
37898+ wsec = runtime;
37899+
37900+ cputime = (task->utime + task->stime) / HZ;
37901+ cday = cputime / (3600 * 24);
37902+ cputime -= cday * (3600 * 24);
37903+ chr = cputime / 3600;
37904+ cputime -= chr * 3600;
37905+ cmin = cputime / 60;
37906+ cputime -= cmin * 60;
37907+ csec = cputime;
37908+
37909+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
37910+
37911+ return;
37912+}
37913+
37914+void gr_set_kernel_label(struct task_struct *task)
37915+{
37916+ if (gr_status & GR_READY) {
37917+ task->role = kernel_role;
37918+ task->acl = kernel_role->root_label;
37919+ }
37920+ return;
37921+}
37922+
37923+#ifdef CONFIG_TASKSTATS
37924+int gr_is_taskstats_denied(int pid)
37925+{
37926+ struct task_struct *task;
37927+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37928+ const struct cred *cred;
37929+#endif
37930+ int ret = 0;
37931+
37932+ /* restrict taskstats viewing to un-chrooted root users
37933+ who have the 'view' subject flag if the RBAC system is enabled
37934+ */
37935+
df50ba0c 37936+ rcu_read_lock();
58c5fc13
MT		 37937+ read_lock(&tasklist_lock);
37938+ task = find_task_by_vpid(pid);
37939+ if (task) {
58c5fc13
MT		 37940+#ifdef CONFIG_GRKERNSEC_CHROOT
37941+ if (proc_is_chrooted(task))
37942+ ret = -EACCES;
37943+#endif
37944+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37945+ cred = __task_cred(task);
37946+#ifdef CONFIG_GRKERNSEC_PROC_USER
37947+ if (cred->uid != 0)
37948+ ret = -EACCES;
37949+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37950+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
37951+ ret = -EACCES;
37952+#endif
37953+#endif
37954+ if (gr_status & GR_READY) {
37955+ if (!(task->acl->mode & GR_VIEW))
37956+ ret = -EACCES;
37957+ }
58c5fc13
MT		 37958+ } else
37959+ ret = -ENOENT;
37960+
37961+ read_unlock(&tasklist_lock);
df50ba0c 37962+ rcu_read_unlock();
58c5fc13
MT		 37963+
37964+ return ret;
37965+}
37966+#endif
37967+
37968+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
37969+{
37970+ struct task_struct *task = current;
37971+ struct dentry *dentry = file->f_path.dentry;
37972+ struct vfsmount *mnt = file->f_path.mnt;
37973+ struct acl_object_label *obj, *tmp;
37974+ struct acl_subject_label *subj;
37975+ unsigned int bufsize;
37976+ int is_not_root;
37977+ char *path;
37978+
37979+ if (unlikely(!(gr_status & GR_READY)))
37980+ return 1;
37981+
37982+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37983+ return 1;
37984+
37985+ /* ignore Eric Biederman */
37986+ if (IS_PRIVATE(dentry->d_inode))
37987+ return 1;
37988+
37989+ subj = task->acl;
37990+ do {
37991+ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
37992+ if (obj != NULL)
37993+ return (obj->mode & GR_FIND) ? 1 : 0;
37994+ } while ((subj = subj->parent_subject));
37995+
37996+ /* this is purely an optimization since we're looking for an object
37997+ for the directory we're doing a readdir on
37998+ if it's possible for any globbed object to match the entry we're
37999+ filling into the directory, then the object we find here will be
38000+ an anchor point with attached globbed objects
38001+ */
38002+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
38003+ if (obj->globbed == NULL)
38004+ return (obj->mode & GR_FIND) ? 1 : 0;
38005+
38006+ is_not_root = ((obj->filename[0] == '/') &&
38007+ (obj->filename[1] == '\0')) ? 0 : 1;
38008+ bufsize = PAGE_SIZE - namelen - is_not_root;
38009+
38010+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
38011+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38012+ return 1;
38013+
38014+ preempt_disable();
38015+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38016+ bufsize);
38017+
38018+ bufsize = strlen(path);
38019+
38020+ /* if base is "/", don't append an additional slash */
38021+ if (is_not_root)
38022+ *(path + bufsize) = '/';
38023+ memcpy(path + bufsize + is_not_root, name, namelen);
38024+ *(path + bufsize + namelen + is_not_root) = '\0';
38025+
38026+ tmp = obj->globbed;
38027+ while (tmp) {
38028+ if (!glob_match(tmp->filename, path)) {
38029+ preempt_enable();
38030+ return (tmp->mode & GR_FIND) ? 1 : 0;
38031+ }
38032+ tmp = tmp->next;
38033+ }
38034+ preempt_enable();
38035+ return (obj->mode & GR_FIND) ? 1 : 0;
38036+}
38037+
38038+EXPORT_SYMBOL(gr_learn_resource);
38039+EXPORT_SYMBOL(gr_set_kernel_label);
38040+#ifdef CONFIG_SECURITY
38041+EXPORT_SYMBOL(gr_check_user_change);
38042+EXPORT_SYMBOL(gr_check_group_change);
38043+#endif
38044+
57199397
MT		 38045diff -urNp linux-2.6.35.4/grsecurity/gracl_cap.c linux-2.6.35.4/grsecurity/gracl_cap.c
38046--- linux-2.6.35.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
38047+++ linux-2.6.35.4/grsecurity/gracl_cap.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 38048@@ -0,0 +1,138 @@
58c5fc13
MT		 38049+#include <linux/kernel.h>
38050+#include <linux/module.h>
38051+#include <linux/sched.h>
38052+#include <linux/gracl.h>
38053+#include <linux/grsecurity.h>
38054+#include <linux/grinternal.h>
38055+
38056+static const char *captab_log[] = {
38057+ "CAP_CHOWN",
38058+ "CAP_DAC_OVERRIDE",
38059+ "CAP_DAC_READ_SEARCH",
38060+ "CAP_FOWNER",
38061+ "CAP_FSETID",
38062+ "CAP_KILL",
38063+ "CAP_SETGID",
38064+ "CAP_SETUID",
38065+ "CAP_SETPCAP",
38066+ "CAP_LINUX_IMMUTABLE",
38067+ "CAP_NET_BIND_SERVICE",
38068+ "CAP_NET_BROADCAST",
38069+ "CAP_NET_ADMIN",
38070+ "CAP_NET_RAW",
38071+ "CAP_IPC_LOCK",
38072+ "CAP_IPC_OWNER",
38073+ "CAP_SYS_MODULE",
38074+ "CAP_SYS_RAWIO",
38075+ "CAP_SYS_CHROOT",
38076+ "CAP_SYS_PTRACE",
38077+ "CAP_SYS_PACCT",
38078+ "CAP_SYS_ADMIN",
38079+ "CAP_SYS_BOOT",
38080+ "CAP_SYS_NICE",
38081+ "CAP_SYS_RESOURCE",
38082+ "CAP_SYS_TIME",
38083+ "CAP_SYS_TTY_CONFIG",
38084+ "CAP_MKNOD",
38085+ "CAP_LEASE",
38086+ "CAP_AUDIT_WRITE",
38087+ "CAP_AUDIT_CONTROL",
38088+ "CAP_SETFCAP",
38089+ "CAP_MAC_OVERRIDE",
38090+ "CAP_MAC_ADMIN"
38091+};
38092+
38093+EXPORT_SYMBOL(gr_is_capable);
38094+EXPORT_SYMBOL(gr_is_capable_nolog);
38095+
38096+int
38097+gr_is_capable(const int cap)
38098+{
38099+ struct task_struct *task = current;
38100+ const struct cred *cred = current_cred();
38101+ struct acl_subject_label *curracl;
38102+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
df50ba0c 38103+ kernel_cap_t cap_audit = __cap_empty_set;
58c5fc13
MT		 38104+
38105+ if (!gr_acl_is_enabled())
38106+ return 1;
38107+
38108+ curracl = task->acl;
38109+
38110+ cap_drop = curracl->cap_lower;
38111+ cap_mask = curracl->cap_mask;
df50ba0c 38112+ cap_audit = curracl->cap_invert_audit;
58c5fc13
MT		 38113+
38114+ while ((curracl = curracl->parent_subject)) {
38115+ /* if the cap isn't specified in the current computed mask but is specified in the
38116+ current level subject, and is lowered in the current level subject, then add
38117+ it to the set of dropped capabilities
38118+ otherwise, add the current level subject's mask to the current computed mask
38119+ */
38120+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38121+ cap_raise(cap_mask, cap);
38122+ if (cap_raised(curracl->cap_lower, cap))
38123+ cap_raise(cap_drop, cap);
df50ba0c
MT		 38124+ if (cap_raised(curracl->cap_invert_audit, cap))
38125+ cap_raise(cap_audit, cap);
58c5fc13
MT		 38126+ }
38127+ }
38128+
df50ba0c
MT		 38129+ if (!cap_raised(cap_drop, cap)) {
38130+ if (cap_raised(cap_audit, cap))
38131+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
58c5fc13 38132+ return 1;
df50ba0c 38133+ }
58c5fc13
MT		 38134+
38135+ curracl = task->acl;
38136+
38137+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
38138+ && cap_raised(cred->cap_effective, cap)) {
38139+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38140+ task->role->roletype, cred->uid,
38141+ cred->gid, task->exec_file ?
38142+ gr_to_filename(task->exec_file->f_path.dentry,
38143+ task->exec_file->f_path.mnt) : curracl->filename,
38144+ curracl->filename, 0UL,
ae4e228f 38145+ 0UL, "", (unsigned long) cap, &task->signal->curr_ip);
58c5fc13
MT		 38146+ return 1;
38147+ }
38148+
df50ba0c 38149+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
58c5fc13
MT		 38150+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
38151+ return 0;
38152+}
38153+
38154+int
38155+gr_is_capable_nolog(const int cap)
38156+{
38157+ struct acl_subject_label *curracl;
38158+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38159+
38160+ if (!gr_acl_is_enabled())
38161+ return 1;
38162+
38163+ curracl = current->acl;
38164+
38165+ cap_drop = curracl->cap_lower;
38166+ cap_mask = curracl->cap_mask;
38167+
38168+ while ((curracl = curracl->parent_subject)) {
38169+ /* if the cap isn't specified in the current computed mask but is specified in the
38170+ current level subject, and is lowered in the current level subject, then add
38171+ it to the set of dropped capabilities
38172+ otherwise, add the current level subject's mask to the current computed mask
38173+ */
38174+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38175+ cap_raise(cap_mask, cap);
38176+ if (cap_raised(curracl->cap_lower, cap))
38177+ cap_raise(cap_drop, cap);
38178+ }
38179+ }
38180+
38181+ if (!cap_raised(cap_drop, cap))
38182+ return 1;
38183+
38184+ return 0;
38185+}
38186+
57199397
MT		 38187diff -urNp linux-2.6.35.4/grsecurity/gracl_fs.c linux-2.6.35.4/grsecurity/gracl_fs.c
38188--- linux-2.6.35.4/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
38189+++ linux-2.6.35.4/grsecurity/gracl_fs.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 38190@@ -0,0 +1,424 @@
38191+#include <linux/kernel.h>
38192+#include <linux/sched.h>
38193+#include <linux/types.h>
38194+#include <linux/fs.h>
38195+#include <linux/file.h>
38196+#include <linux/stat.h>
38197+#include <linux/grsecurity.h>
38198+#include <linux/grinternal.h>
38199+#include <linux/gracl.h>
38200+
38201+__u32
38202+gr_acl_handle_hidden_file(const struct dentry * dentry,
38203+ const struct vfsmount * mnt)
38204+{
38205+ __u32 mode;
38206+
38207+ if (unlikely(!dentry->d_inode))
38208+ return GR_FIND;
38209+
38210+ mode =
38211+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38212+
38213+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38214+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38215+ return mode;
38216+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38217+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38218+ return 0;
38219+ } else if (unlikely(!(mode & GR_FIND)))
38220+ return 0;
38221+
38222+ return GR_FIND;
38223+}
38224+
38225+__u32
38226+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38227+ const int fmode)
38228+{
38229+ __u32 reqmode = GR_FIND;
38230+ __u32 mode;
38231+
38232+ if (unlikely(!dentry->d_inode))
38233+ return reqmode;
38234+
38235+ if (unlikely(fmode & O_APPEND))
38236+ reqmode |= GR_APPEND;
38237+ else if (unlikely(fmode & FMODE_WRITE))
38238+ reqmode |= GR_WRITE;
38239+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38240+ reqmode |= GR_READ;
38241+ if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
38242+ reqmode &= ~GR_READ;
38243+ mode =
38244+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38245+ mnt);
38246+
38247+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38248+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38249+ reqmode & GR_READ ? " reading" : "",
38250+ reqmode & GR_WRITE ? " writing" : reqmode &
38251+ GR_APPEND ? " appending" : "");
38252+ return reqmode;
38253+ } else
38254+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38255+ {
38256+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38257+ reqmode & GR_READ ? " reading" : "",
38258+ reqmode & GR_WRITE ? " writing" : reqmode &
38259+ GR_APPEND ? " appending" : "");
38260+ return 0;
38261+ } else if (unlikely((mode & reqmode) != reqmode))
38262+ return 0;
38263+
38264+ return reqmode;
38265+}
38266+
38267+__u32
38268+gr_acl_handle_creat(const struct dentry * dentry,
38269+ const struct dentry * p_dentry,
38270+ const struct vfsmount * p_mnt, const int fmode,
38271+ const int imode)
38272+{
38273+ __u32 reqmode = GR_WRITE | GR_CREATE;
38274+ __u32 mode;
38275+
38276+ if (unlikely(fmode & O_APPEND))
38277+ reqmode |= GR_APPEND;
38278+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38279+ reqmode |= GR_READ;
38280+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
38281+ reqmode |= GR_SETID;
38282+
38283+ mode =
38284+ gr_check_create(dentry, p_dentry, p_mnt,
38285+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38286+
38287+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38288+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38289+ reqmode & GR_READ ? " reading" : "",
38290+ reqmode & GR_WRITE ? " writing" : reqmode &
38291+ GR_APPEND ? " appending" : "");
38292+ return reqmode;
38293+ } else
38294+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38295+ {
38296+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38297+ reqmode & GR_READ ? " reading" : "",
38298+ reqmode & GR_WRITE ? " writing" : reqmode &
38299+ GR_APPEND ? " appending" : "");
38300+ return 0;
38301+ } else if (unlikely((mode & reqmode) != reqmode))
38302+ return 0;
38303+
38304+ return reqmode;
38305+}
38306+
38307+__u32
38308+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
38309+ const int fmode)
38310+{
38311+ __u32 mode, reqmode = GR_FIND;
38312+
38313+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
38314+ reqmode |= GR_EXEC;
38315+ if (fmode & S_IWOTH)
38316+ reqmode |= GR_WRITE;
38317+ if (fmode & S_IROTH)
38318+ reqmode |= GR_READ;
38319+
38320+ mode =
38321+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38322+ mnt);
38323+
38324+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38325+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38326+ reqmode & GR_READ ? " reading" : "",
38327+ reqmode & GR_WRITE ? " writing" : "",
38328+ reqmode & GR_EXEC ? " executing" : "");
38329+ return reqmode;
38330+ } else
38331+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38332+ {
38333+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38334+ reqmode & GR_READ ? " reading" : "",
38335+ reqmode & GR_WRITE ? " writing" : "",
38336+ reqmode & GR_EXEC ? " executing" : "");
38337+ return 0;
38338+ } else if (unlikely((mode & reqmode) != reqmode))
38339+ return 0;
38340+
38341+ return reqmode;
38342+}
38343+
38344+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
38345+{
38346+ __u32 mode;
38347+
38348+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
38349+
38350+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38351+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
38352+ return mode;
38353+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38354+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
38355+ return 0;
38356+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
38357+ return 0;
38358+
38359+ return (reqmode);
38360+}
38361+
38362+__u32
38363+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38364+{
38365+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
38366+}
38367+
38368+__u32
38369+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
38370+{
38371+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
38372+}
38373+
38374+__u32
38375+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
38376+{
38377+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
38378+}
38379+
38380+__u32
38381+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
38382+{
38383+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
38384+}
38385+
38386+__u32
38387+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
38388+ mode_t mode)
38389+{
38390+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
38391+ return 1;
38392+
38393+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38394+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38395+ GR_FCHMOD_ACL_MSG);
38396+ } else {
38397+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
38398+ }
38399+}
38400+
38401+__u32
38402+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
38403+ mode_t mode)
38404+{
38405+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38406+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38407+ GR_CHMOD_ACL_MSG);
38408+ } else {
38409+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
38410+ }
38411+}
38412+
38413+__u32
38414+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
38415+{
38416+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
38417+}
38418+
38419+__u32
38420+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
38421+{
38422+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
38423+}
38424+
38425+__u32
38426+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
38427+{
38428+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
38429+ GR_UNIXCONNECT_ACL_MSG);
38430+}
38431+
38432+/* hardlinks require at minimum create permission,
38433+ any additional privilege required is based on the
38434+ privilege of the file being linked to
38435+*/
38436+__u32
38437+gr_acl_handle_link(const struct dentry * new_dentry,
38438+ const struct dentry * parent_dentry,
38439+ const struct vfsmount * parent_mnt,
38440+ const struct dentry * old_dentry,
38441+ const struct vfsmount * old_mnt, const char *to)
38442+{
38443+ __u32 mode;
38444+ __u32 needmode = GR_CREATE | GR_LINK;
38445+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
38446+
38447+ mode =
38448+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
38449+ old_mnt);
38450+
38451+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
38452+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38453+ return mode;
38454+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38455+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38456+ return 0;
38457+ } else if (unlikely((mode & needmode) != needmode))
38458+ return 0;
38459+
38460+ return 1;
38461+}
38462+
38463+__u32
38464+gr_acl_handle_symlink(const struct dentry * new_dentry,
38465+ const struct dentry * parent_dentry,
38466+ const struct vfsmount * parent_mnt, const char *from)
38467+{
38468+ __u32 needmode = GR_WRITE | GR_CREATE;
38469+ __u32 mode;
38470+
38471+ mode =
38472+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
38473+ GR_CREATE | GR_AUDIT_CREATE |
38474+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
38475+
38476+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
38477+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38478+ return mode;
38479+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38480+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38481+ return 0;
38482+ } else if (unlikely((mode & needmode) != needmode))
38483+ return 0;
38484+
38485+ return (GR_WRITE | GR_CREATE);
38486+}
38487+
38488+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
38489+{
38490+ __u32 mode;
38491+
38492+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38493+
38494+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38495+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
38496+ return mode;
38497+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38498+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
38499+ return 0;
38500+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
38501+ return 0;
38502+
38503+ return (reqmode);
38504+}
38505+
38506+__u32
38507+gr_acl_handle_mknod(const struct dentry * new_dentry,
38508+ const struct dentry * parent_dentry,
38509+ const struct vfsmount * parent_mnt,
38510+ const int mode)
38511+{
38512+ __u32 reqmode = GR_WRITE | GR_CREATE;
38513+ if (unlikely(mode & (S_ISUID | S_ISGID)))
38514+ reqmode |= GR_SETID;
38515+
38516+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38517+ reqmode, GR_MKNOD_ACL_MSG);
38518+}
38519+
38520+__u32
38521+gr_acl_handle_mkdir(const struct dentry *new_dentry,
38522+ const struct dentry *parent_dentry,
38523+ const struct vfsmount *parent_mnt)
38524+{
38525+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38526+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
38527+}
38528+
38529+#define RENAME_CHECK_SUCCESS(old, new) \
38530+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
38531+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
38532+
38533+int
38534+gr_acl_handle_rename(struct dentry *new_dentry,
38535+ struct dentry *parent_dentry,
38536+ const struct vfsmount *parent_mnt,
38537+ struct dentry *old_dentry,
38538+ struct inode *old_parent_inode,
38539+ struct vfsmount *old_mnt, const char *newname)
38540+{
38541+ __u32 comp1, comp2;
38542+ int error = 0;
38543+
38544+ if (unlikely(!gr_acl_is_enabled()))
38545+ return 0;
38546+
38547+ if (!new_dentry->d_inode) {
38548+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
38549+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
38550+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
38551+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
38552+ GR_DELETE | GR_AUDIT_DELETE |
38553+ GR_AUDIT_READ | GR_AUDIT_WRITE |
38554+ GR_SUPPRESS, old_mnt);
38555+ } else {
38556+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
38557+ GR_CREATE | GR_DELETE |
38558+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
38559+ GR_AUDIT_READ | GR_AUDIT_WRITE |
38560+ GR_SUPPRESS, parent_mnt);
38561+ comp2 =
38562+ gr_search_file(old_dentry,
38563+ GR_READ | GR_WRITE | GR_AUDIT_READ |
38564+ GR_DELETE | GR_AUDIT_DELETE |
38565+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
38566+ }
38567+
38568+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
38569+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
38570+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38571+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
38572+ && !(comp2 & GR_SUPPRESS)) {
38573+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38574+ error = -EACCES;
38575+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
38576+ error = -EACCES;
38577+
38578+ return error;
38579+}
38580+
38581+void
38582+gr_acl_handle_exit(void)
38583+{
38584+ u16 id;
38585+ char *rolename;
38586+ struct file *exec_file;
38587+
38588+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
38589+ id = current->acl_role_id;
38590+ rolename = current->role->rolename;
38591+ gr_set_acls(1);
38592+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
38593+ }
38594+
38595+ write_lock(&grsec_exec_file_lock);
38596+ exec_file = current->exec_file;
38597+ current->exec_file = NULL;
38598+ write_unlock(&grsec_exec_file_lock);
38599+
38600+ if (exec_file)
38601+ fput(exec_file);
38602+}
38603+
38604+int
38605+gr_acl_handle_procpidmem(const struct task_struct *task)
38606+{
38607+ if (unlikely(!gr_acl_is_enabled()))
38608+ return 0;
38609+
38610+ if (task != current && task->acl->mode & GR_PROTPROCFD)
38611+ return -EACCES;
38612+
38613+ return 0;
38614+}
57199397
MT		 38615diff -urNp linux-2.6.35.4/grsecurity/gracl_ip.c linux-2.6.35.4/grsecurity/gracl_ip.c
38616--- linux-2.6.35.4/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
38617+++ linux-2.6.35.4/grsecurity/gracl_ip.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 38618@@ -0,0 +1,339 @@
58c5fc13
MT		 38619+#include <linux/kernel.h>
38620+#include <asm/uaccess.h>
38621+#include <asm/errno.h>
38622+#include <net/sock.h>
38623+#include <linux/file.h>
38624+#include <linux/fs.h>
38625+#include <linux/net.h>
38626+#include <linux/in.h>
38627+#include <linux/skbuff.h>
38628+#include <linux/ip.h>
38629+#include <linux/udp.h>
38630+#include <linux/smp_lock.h>
38631+#include <linux/types.h>
38632+#include <linux/sched.h>
38633+#include <linux/netdevice.h>
38634+#include <linux/inetdevice.h>
38635+#include <linux/gracl.h>
38636+#include <linux/grsecurity.h>
38637+#include <linux/grinternal.h>
38638+
38639+#define GR_BIND 0x01
38640+#define GR_CONNECT 0x02
38641+#define GR_INVERT 0x04
38642+#define GR_BINDOVERRIDE 0x08
38643+#define GR_CONNECTOVERRIDE 0x10
38644+
38645+static const char * gr_protocols[256] = {
38646+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
38647+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
38648+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
38649+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
38650+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
38651+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
38652+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
38653+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
38654+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
38655+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
38656+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
38657+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
38658+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
38659+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
38660+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
38661+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
38662+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
38663+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
38664+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
38665+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
38666+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
38667+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
38668+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
38669+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
38670+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
38671+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
38672+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
38673+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
38674+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
38675+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
38676+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
38677+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
38678+ };
38679+
38680+static const char * gr_socktypes[11] = {
38681+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
38682+ "unknown:7", "unknown:8", "unknown:9", "packet"
38683+ };
38684+
38685+const char *
38686+gr_proto_to_name(unsigned char proto)
38687+{
38688+ return gr_protocols[proto];
38689+}
38690+
38691+const char *
38692+gr_socktype_to_name(unsigned char type)
38693+{
38694+ return gr_socktypes[type];
38695+}
38696+
38697+int
38698+gr_search_socket(const int domain, const int type, const int protocol)
38699+{
38700+ struct acl_subject_label *curr;
38701+ const struct cred *cred = current_cred();
38702+
38703+ if (unlikely(!gr_acl_is_enabled()))
38704+ goto exit;
38705+
38706+ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
38707+ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
38708+ goto exit; // let the kernel handle it
38709+
38710+ curr = current->acl;
38711+
38712+ if (!curr->ips)
38713+ goto exit;
38714+
38715+ if ((curr->ip_type & (1 << type)) &&
38716+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
38717+ goto exit;
38718+
38719+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38720+ /* we don't place acls on raw sockets , and sometimes
38721+ dgram/ip sockets are opened for ioctl and not
38722+ bind/connect, so we'll fake a bind learn log */
38723+ if (type == SOCK_RAW || type == SOCK_PACKET) {
38724+ __u32 fakeip = 0;
38725+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38726+ current->role->roletype, cred->uid,
38727+ cred->gid, current->exec_file ?
38728+ gr_to_filename(current->exec_file->f_path.dentry,
38729+ current->exec_file->f_path.mnt) :
38730+ curr->filename, curr->filename,
ae4e228f
MT		 38731+ &fakeip, 0, type,
38732+ protocol, GR_CONNECT, &current->signal->curr_ip);
58c5fc13
MT		 38733+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
38734+ __u32 fakeip = 0;
38735+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38736+ current->role->roletype, cred->uid,
38737+ cred->gid, current->exec_file ?
38738+ gr_to_filename(current->exec_file->f_path.dentry,
38739+ current->exec_file->f_path.mnt) :
38740+ curr->filename, curr->filename,
ae4e228f
MT		 38741+ &fakeip, 0, type,
38742+ protocol, GR_BIND, &current->signal->curr_ip);
58c5fc13
MT		 38743+ }
38744+ /* we'll log when they use connect or bind */
38745+ goto exit;
38746+ }
38747+
38748+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
38749+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
38750+
38751+ return 0;
38752+ exit:
38753+ return 1;
38754+}
38755+
38756+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
38757+{
38758+ if ((ip->mode & mode) &&
38759+ (ip_port >= ip->low) &&
38760+ (ip_port <= ip->high) &&
38761+ ((ntohl(ip_addr) & our_netmask) ==
38762+ (ntohl(our_addr) & our_netmask))
38763+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
38764+ && (ip->type & (1 << type))) {
38765+ if (ip->mode & GR_INVERT)
38766+ return 2; // specifically denied
38767+ else
38768+ return 1; // allowed
38769+ }
38770+
38771+ return 0; // not specifically allowed, may continue parsing
38772+}
38773+
38774+static int
38775+gr_search_connectbind(const int full_mode, struct sock *sk,
38776+ struct sockaddr_in *addr, const int type)
38777+{
38778+ char iface[IFNAMSIZ] = {0};
38779+ struct acl_subject_label *curr;
38780+ struct acl_ip_label *ip;
38781+ struct inet_sock *isk;
38782+ struct net_device *dev;
38783+ struct in_device *idev;
38784+ unsigned long i;
38785+ int ret;
38786+ int mode = full_mode & (GR_BIND | GR_CONNECT);
38787+ __u32 ip_addr = 0;
38788+ __u32 our_addr;
38789+ __u32 our_netmask;
38790+ char *p;
38791+ __u16 ip_port = 0;
38792+ const struct cred *cred = current_cred();
38793+
38794+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
38795+ return 0;
38796+
38797+ curr = current->acl;
38798+ isk = inet_sk(sk);
38799+
38800+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
38801+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
38802+ addr->sin_addr.s_addr = curr->inaddr_any_override;
ae4e228f 38803+ if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
58c5fc13
MT		 38804+ struct sockaddr_in saddr;
38805+ int err;
38806+
38807+ saddr.sin_family = AF_INET;
38808+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
ae4e228f 38809+ saddr.sin_port = isk->inet_sport;
58c5fc13
MT		 38810+
38811+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38812+ if (err)
38813+ return err;
38814+
38815+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38816+ if (err)
38817+ return err;
38818+ }
38819+
38820+ if (!curr->ips)
38821+ return 0;
38822+
38823+ ip_addr = addr->sin_addr.s_addr;
38824+ ip_port = ntohs(addr->sin_port);
38825+
38826+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38827+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38828+ current->role->roletype, cred->uid,
38829+ cred->gid, current->exec_file ?
38830+ gr_to_filename(current->exec_file->f_path.dentry,
38831+ current->exec_file->f_path.mnt) :
38832+ curr->filename, curr->filename,
ae4e228f
MT		 38833+ &ip_addr, ip_port, type,
38834+ sk->sk_protocol, mode, &current->signal->curr_ip);
58c5fc13
MT		 38835+ return 0;
38836+ }
38837+
38838+ for (i = 0; i < curr->ip_num; i++) {
38839+ ip = *(curr->ips + i);
38840+ if (ip->iface != NULL) {
38841+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
38842+ p = strchr(iface, ':');
38843+ if (p != NULL)
38844+ *p = '\0';
38845+ dev = dev_get_by_name(sock_net(sk), iface);
38846+ if (dev == NULL)
38847+ continue;
38848+ idev = in_dev_get(dev);
38849+ if (idev == NULL) {
38850+ dev_put(dev);
38851+ continue;
38852+ }
38853+ rcu_read_lock();
38854+ for_ifa(idev) {
38855+ if (!strcmp(ip->iface, ifa->ifa_label)) {
38856+ our_addr = ifa->ifa_address;
38857+ our_netmask = 0xffffffff;
38858+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38859+ if (ret == 1) {
38860+ rcu_read_unlock();
38861+ in_dev_put(idev);
38862+ dev_put(dev);
38863+ return 0;
38864+ } else if (ret == 2) {
38865+ rcu_read_unlock();
38866+ in_dev_put(idev);
38867+ dev_put(dev);
38868+ goto denied;
38869+ }
38870+ }
38871+ } endfor_ifa(idev);
38872+ rcu_read_unlock();
38873+ in_dev_put(idev);
38874+ dev_put(dev);
38875+ } else {
38876+ our_addr = ip->addr;
38877+ our_netmask = ip->netmask;
38878+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38879+ if (ret == 1)
38880+ return 0;
38881+ else if (ret == 2)
38882+ goto denied;
38883+ }
38884+ }
38885+
38886+denied:
38887+ if (mode == GR_BIND)
ae4e228f 38888+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58c5fc13 38889+ else if (mode == GR_CONNECT)
ae4e228f 38890+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58c5fc13
MT		 38891+
38892+ return -EACCES;
38893+}
38894+
38895+int
38896+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
38897+{
38898+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
38899+}
38900+
38901+int
38902+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
38903+{
38904+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
38905+}
38906+
38907+int gr_search_listen(struct socket *sock)
38908+{
38909+ struct sock *sk = sock->sk;
38910+ struct sockaddr_in addr;
38911+
ae4e228f
MT		 38912+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38913+ addr.sin_port = inet_sk(sk)->inet_sport;
58c5fc13
MT		 38914+
38915+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38916+}
38917+
38918+int gr_search_accept(struct socket *sock)
38919+{
38920+ struct sock *sk = sock->sk;
38921+ struct sockaddr_in addr;
38922+
ae4e228f
MT		 38923+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38924+ addr.sin_port = inet_sk(sk)->inet_sport;
58c5fc13
MT		 38925+
38926+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38927+}
38928+
38929+int
38930+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
38931+{
38932+ if (addr)
38933+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
38934+ else {
38935+ struct sockaddr_in sin;
38936+ const struct inet_sock *inet = inet_sk(sk);
38937+
ae4e228f
MT		 38938+ sin.sin_addr.s_addr = inet->inet_daddr;
38939+ sin.sin_port = inet->inet_dport;
58c5fc13
MT		 38940+
38941+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38942+ }
38943+}
38944+
38945+int
38946+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
38947+{
38948+ struct sockaddr_in sin;
38949+
38950+ if (unlikely(skb->len < sizeof (struct udphdr)))
38951+ return 0; // skip this packet
38952+
38953+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
38954+ sin.sin_port = udp_hdr(skb)->source;
38955+
38956+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38957+}
57199397
MT		 38958diff -urNp linux-2.6.35.4/grsecurity/gracl_learn.c linux-2.6.35.4/grsecurity/gracl_learn.c
38959--- linux-2.6.35.4/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
38960+++ linux-2.6.35.4/grsecurity/gracl_learn.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 38961@@ -0,0 +1,211 @@
38962+#include <linux/kernel.h>
38963+#include <linux/mm.h>
38964+#include <linux/sched.h>
38965+#include <linux/poll.h>
38966+#include <linux/smp_lock.h>
38967+#include <linux/string.h>
38968+#include <linux/file.h>
38969+#include <linux/types.h>
38970+#include <linux/vmalloc.h>
38971+#include <linux/grinternal.h>
38972+
38973+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
38974+ size_t count, loff_t *ppos);
38975+extern int gr_acl_is_enabled(void);
38976+
38977+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
38978+static int gr_learn_attached;
38979+
38980+/* use a 512k buffer */
38981+#define LEARN_BUFFER_SIZE (512 * 1024)
38982+
38983+static DEFINE_SPINLOCK(gr_learn_lock);
38984+static DECLARE_MUTEX(gr_learn_user_sem);
38985+
38986+/* we need to maintain two buffers, so that the kernel context of grlearn
38987+ uses a semaphore around the userspace copying, and the other kernel contexts
38988+ use a spinlock when copying into the buffer, since they cannot sleep
38989+*/
38990+static char *learn_buffer;
38991+static char *learn_buffer_user;
38992+static int learn_buffer_len;
38993+static int learn_buffer_user_len;
38994+
38995+static ssize_t
38996+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
38997+{
38998+ DECLARE_WAITQUEUE(wait, current);
38999+ ssize_t retval = 0;
39000+
39001+ add_wait_queue(&learn_wait, &wait);
39002+ set_current_state(TASK_INTERRUPTIBLE);
39003+ do {
39004+ down(&gr_learn_user_sem);
39005+ spin_lock(&gr_learn_lock);
39006+ if (learn_buffer_len)
39007+ break;
39008+ spin_unlock(&gr_learn_lock);
39009+ up(&gr_learn_user_sem);
39010+ if (file->f_flags & O_NONBLOCK) {
39011+ retval = -EAGAIN;
39012+ goto out;
39013+ }
39014+ if (signal_pending(current)) {
39015+ retval = -ERESTARTSYS;
39016+ goto out;
39017+ }
39018+
39019+ schedule();
39020+ } while (1);
39021+
39022+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
39023+ learn_buffer_user_len = learn_buffer_len;
39024+ retval = learn_buffer_len;
39025+ learn_buffer_len = 0;
39026+
39027+ spin_unlock(&gr_learn_lock);
39028+
39029+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
39030+ retval = -EFAULT;
39031+
39032+ up(&gr_learn_user_sem);
39033+out:
39034+ set_current_state(TASK_RUNNING);
39035+ remove_wait_queue(&learn_wait, &wait);
39036+ return retval;
39037+}
39038+
39039+static unsigned int
39040+poll_learn(struct file * file, poll_table * wait)
39041+{
39042+ poll_wait(file, &learn_wait, wait);
39043+
39044+ if (learn_buffer_len)
39045+ return (POLLIN | POLLRDNORM);
39046+
39047+ return 0;
39048+}
39049+
39050+void
39051+gr_clear_learn_entries(void)
39052+{
39053+ char *tmp;
39054+
39055+ down(&gr_learn_user_sem);
39056+ if (learn_buffer != NULL) {
39057+ spin_lock(&gr_learn_lock);
39058+ tmp = learn_buffer;
39059+ learn_buffer = NULL;
39060+ spin_unlock(&gr_learn_lock);
39061+ vfree(learn_buffer);
39062+ }
39063+ if (learn_buffer_user != NULL) {
39064+ vfree(learn_buffer_user);
39065+ learn_buffer_user = NULL;
39066+ }
39067+ learn_buffer_len = 0;
39068+ up(&gr_learn_user_sem);
39069+
39070+ return;
39071+}
39072+
39073+void
39074+gr_add_learn_entry(const char *fmt, ...)
39075+{
39076+ va_list args;
39077+ unsigned int len;
39078+
39079+ if (!gr_learn_attached)
39080+ return;
39081+
39082+ spin_lock(&gr_learn_lock);
39083+
39084+ /* leave a gap at the end so we know when it's "full" but don't have to
39085+ compute the exact length of the string we're trying to append
39086+ */
39087+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
39088+ spin_unlock(&gr_learn_lock);
39089+ wake_up_interruptible(&learn_wait);
39090+ return;
39091+ }
39092+ if (learn_buffer == NULL) {
39093+ spin_unlock(&gr_learn_lock);
39094+ return;
39095+ }
39096+
39097+ va_start(args, fmt);
39098+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
39099+ va_end(args);
39100+
39101+ learn_buffer_len += len + 1;
39102+
39103+ spin_unlock(&gr_learn_lock);
39104+ wake_up_interruptible(&learn_wait);
39105+
39106+ return;
39107+}
39108+
39109+static int
39110+open_learn(struct inode *inode, struct file *file)
39111+{
39112+ if (file->f_mode & FMODE_READ && gr_learn_attached)
39113+ return -EBUSY;
39114+ if (file->f_mode & FMODE_READ) {
39115+ int retval = 0;
39116+ down(&gr_learn_user_sem);
39117+ if (learn_buffer == NULL)
39118+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
39119+ if (learn_buffer_user == NULL)
39120+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
39121+ if (learn_buffer == NULL) {
39122+ retval = -ENOMEM;
39123+ goto out_error;
39124+ }
39125+ if (learn_buffer_user == NULL) {
39126+ retval = -ENOMEM;
39127+ goto out_error;
39128+ }
39129+ learn_buffer_len = 0;
39130+ learn_buffer_user_len = 0;
39131+ gr_learn_attached = 1;
39132+out_error:
39133+ up(&gr_learn_user_sem);
39134+ return retval;
39135+ }
39136+ return 0;
39137+}
39138+
39139+static int
39140+close_learn(struct inode *inode, struct file *file)
39141+{
39142+ char *tmp;
39143+
39144+ if (file->f_mode & FMODE_READ) {
39145+ down(&gr_learn_user_sem);
39146+ if (learn_buffer != NULL) {
39147+ spin_lock(&gr_learn_lock);
39148+ tmp = learn_buffer;
39149+ learn_buffer = NULL;
39150+ spin_unlock(&gr_learn_lock);
39151+ vfree(tmp);
39152+ }
39153+ if (learn_buffer_user != NULL) {
39154+ vfree(learn_buffer_user);
39155+ learn_buffer_user = NULL;
39156+ }
39157+ learn_buffer_len = 0;
39158+ learn_buffer_user_len = 0;
39159+ gr_learn_attached = 0;
39160+ up(&gr_learn_user_sem);
39161+ }
39162+
39163+ return 0;
39164+}
39165+
39166+const struct file_operations grsec_fops = {
39167+ .read = read_learn,
39168+ .write = write_grsec_handler,
39169+ .open = open_learn,
39170+ .release = close_learn,
39171+ .poll = poll_learn,
39172+};
57199397
MT		 39173diff -urNp linux-2.6.35.4/grsecurity/gracl_res.c linux-2.6.35.4/grsecurity/gracl_res.c
39174--- linux-2.6.35.4/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
39175+++ linux-2.6.35.4/grsecurity/gracl_res.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 39176@@ -0,0 +1,68 @@
58c5fc13
MT		 39177+#include <linux/kernel.h>
39178+#include <linux/sched.h>
39179+#include <linux/gracl.h>
39180+#include <linux/grinternal.h>
39181+
39182+static const char *restab_log[] = {
39183+ [RLIMIT_CPU] = "RLIMIT_CPU",
39184+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39185+ [RLIMIT_DATA] = "RLIMIT_DATA",
39186+ [RLIMIT_STACK] = "RLIMIT_STACK",
39187+ [RLIMIT_CORE] = "RLIMIT_CORE",
39188+ [RLIMIT_RSS] = "RLIMIT_RSS",
39189+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
39190+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39191+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39192+ [RLIMIT_AS] = "RLIMIT_AS",
39193+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39194+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39195+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39196+ [RLIMIT_NICE] = "RLIMIT_NICE",
39197+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
39198+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
39199+ [GR_CRASH_RES] = "RLIMIT_CRASH"
39200+};
39201+
39202+void
39203+gr_log_resource(const struct task_struct *task,
39204+ const int res, const unsigned long wanted, const int gt)
39205+{
ae4e228f 39206+ const struct cred *cred;
df50ba0c 39207+ unsigned long rlim;
58c5fc13
MT		 39208+
39209+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
39210+ return;
39211+
39212+ // not yet supported resource
df50ba0c
MT		 39213+ if (unlikely(!restab_log[res]))
39214+ return;
39215+
39216+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
39217+ rlim = task_rlimit_max(task, res);
39218+ else
39219+ rlim = task_rlimit(task, res);
39220+
39221+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
58c5fc13
MT		 39222+ return;
39223+
ae4e228f
MT		 39224+ rcu_read_lock();
39225+ cred = __task_cred(task);
39226+
39227+ if (res == RLIMIT_NPROC &&
39228+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
39229+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
39230+ goto out_rcu_unlock;
39231+ else if (res == RLIMIT_MEMLOCK &&
39232+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
39233+ goto out_rcu_unlock;
39234+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
39235+ goto out_rcu_unlock;
39236+ rcu_read_unlock();
39237+
df50ba0c 39238+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
58c5fc13
MT		 39239+
39240+ return;
ae4e228f
MT		 39241+out_rcu_unlock:
39242+ rcu_read_unlock();
39243+ return;
58c5fc13 39244+}
57199397
MT		 39245diff -urNp linux-2.6.35.4/grsecurity/gracl_segv.c linux-2.6.35.4/grsecurity/gracl_segv.c
39246--- linux-2.6.35.4/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
39247+++ linux-2.6.35.4/grsecurity/gracl_segv.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 39248@@ -0,0 +1,310 @@
58c5fc13
MT		 39249+#include <linux/kernel.h>
39250+#include <linux/mm.h>
39251+#include <asm/uaccess.h>
39252+#include <asm/errno.h>
39253+#include <asm/mman.h>
39254+#include <net/sock.h>
39255+#include <linux/file.h>
39256+#include <linux/fs.h>
39257+#include <linux/net.h>
39258+#include <linux/in.h>
39259+#include <linux/smp_lock.h>
39260+#include <linux/slab.h>
39261+#include <linux/types.h>
39262+#include <linux/sched.h>
39263+#include <linux/timer.h>
39264+#include <linux/gracl.h>
39265+#include <linux/grsecurity.h>
39266+#include <linux/grinternal.h>
39267+
39268+static struct crash_uid *uid_set;
39269+static unsigned short uid_used;
39270+static DEFINE_SPINLOCK(gr_uid_lock);
39271+extern rwlock_t gr_inode_lock;
39272+extern struct acl_subject_label *
39273+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
39274+ struct acl_role_label *role);
39275+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
39276+
39277+int
39278+gr_init_uidset(void)
39279+{
39280+ uid_set =
39281+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
39282+ uid_used = 0;
39283+
39284+ return uid_set ? 1 : 0;
39285+}
39286+
39287+void
39288+gr_free_uidset(void)
39289+{
39290+ if (uid_set)
39291+ kfree(uid_set);
39292+
39293+ return;
39294+}
39295+
39296+int
39297+gr_find_uid(const uid_t uid)
39298+{
39299+ struct crash_uid *tmp = uid_set;
39300+ uid_t buid;
39301+ int low = 0, high = uid_used - 1, mid;
39302+
39303+ while (high >= low) {
39304+ mid = (low + high) >> 1;
39305+ buid = tmp[mid].uid;
39306+ if (buid == uid)
39307+ return mid;
39308+ if (buid > uid)
39309+ high = mid - 1;
39310+ if (buid < uid)
39311+ low = mid + 1;
39312+ }
39313+
39314+ return -1;
39315+}
39316+
39317+static __inline__ void
39318+gr_insertsort(void)
39319+{
39320+ unsigned short i, j;
39321+ struct crash_uid index;
39322+
39323+ for (i = 1; i < uid_used; i++) {
39324+ index = uid_set[i];
39325+ j = i;
39326+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
39327+ uid_set[j] = uid_set[j - 1];
39328+ j--;
39329+ }
39330+ uid_set[j] = index;
39331+ }
39332+
39333+ return;
39334+}
39335+
39336+static __inline__ void
39337+gr_insert_uid(const uid_t uid, const unsigned long expires)
39338+{
39339+ int loc;
39340+
39341+ if (uid_used == GR_UIDTABLE_MAX)
39342+ return;
39343+
39344+ loc = gr_find_uid(uid);
39345+
39346+ if (loc >= 0) {
39347+ uid_set[loc].expires = expires;
39348+ return;
39349+ }
39350+
39351+ uid_set[uid_used].uid = uid;
39352+ uid_set[uid_used].expires = expires;
39353+ uid_used++;
39354+
39355+ gr_insertsort();
39356+
39357+ return;
39358+}
39359+
39360+void
39361+gr_remove_uid(const unsigned short loc)
39362+{
39363+ unsigned short i;
39364+
39365+ for (i = loc + 1; i < uid_used; i++)
39366+ uid_set[i - 1] = uid_set[i];
39367+
39368+ uid_used--;
39369+
39370+ return;
39371+}
39372+
39373+int
39374+gr_check_crash_uid(const uid_t uid)
39375+{
39376+ int loc;
39377+ int ret = 0;
39378+
39379+ if (unlikely(!gr_acl_is_enabled()))
39380+ return 0;
39381+
39382+ spin_lock(&gr_uid_lock);
39383+ loc = gr_find_uid(uid);
39384+
39385+ if (loc < 0)
39386+ goto out_unlock;
39387+
39388+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
39389+ gr_remove_uid(loc);
39390+ else
39391+ ret = 1;
39392+
39393+out_unlock:
39394+ spin_unlock(&gr_uid_lock);
39395+ return ret;
39396+}
39397+
39398+static __inline__ int
39399+proc_is_setxid(const struct cred *cred)
39400+{
39401+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
39402+ cred->uid != cred->fsuid)
39403+ return 1;
39404+ if (cred->gid != cred->egid || cred->gid != cred->sgid ||
39405+ cred->gid != cred->fsgid)
39406+ return 1;
39407+
39408+ return 0;
39409+}
39410+static __inline__ int
39411+gr_fake_force_sig(int sig, struct task_struct *t)
39412+{
39413+ unsigned long int flags;
39414+ int ret, blocked, ignored;
39415+ struct k_sigaction *action;
39416+
39417+ spin_lock_irqsave(&t->sighand->siglock, flags);
39418+ action = &t->sighand->action[sig-1];
39419+ ignored = action->sa.sa_handler == SIG_IGN;
39420+ blocked = sigismember(&t->blocked, sig);
39421+ if (blocked || ignored) {
39422+ action->sa.sa_handler = SIG_DFL;
39423+ if (blocked) {
39424+ sigdelset(&t->blocked, sig);
39425+ recalc_sigpending_and_wake(t);
39426+ }
39427+ }
39428+ if (action->sa.sa_handler == SIG_DFL)
39429+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
39430+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
39431+
39432+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
39433+
39434+ return ret;
39435+}
39436+
39437+void
39438+gr_handle_crash(struct task_struct *task, const int sig)
39439+{
39440+ struct acl_subject_label *curr;
39441+ struct acl_subject_label *curr2;
39442+ struct task_struct *tsk, *tsk2;
ae4e228f 39443+ const struct cred *cred;
58c5fc13
MT		 39444+ const struct cred *cred2;
39445+
39446+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
39447+ return;
39448+
39449+ if (unlikely(!gr_acl_is_enabled()))
39450+ return;
39451+
39452+ curr = task->acl;
39453+
39454+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
39455+ return;
39456+
39457+ if (time_before_eq(curr->expires, get_seconds())) {
39458+ curr->expires = 0;
39459+ curr->crashes = 0;
39460+ }
39461+
39462+ curr->crashes++;
39463+
39464+ if (!curr->expires)
39465+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
39466+
39467+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39468+ time_after(curr->expires, get_seconds())) {
ae4e228f
MT		 39469+ rcu_read_lock();
39470+ cred = __task_cred(task);
58c5fc13
MT		 39471+ if (cred->uid && proc_is_setxid(cred)) {
39472+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39473+ spin_lock(&gr_uid_lock);
39474+ gr_insert_uid(cred->uid, curr->expires);
39475+ spin_unlock(&gr_uid_lock);
39476+ curr->expires = 0;
39477+ curr->crashes = 0;
39478+ read_lock(&tasklist_lock);
39479+ do_each_thread(tsk2, tsk) {
39480+ cred2 = __task_cred(tsk);
39481+ if (tsk != task && cred2->uid == cred->uid)
39482+ gr_fake_force_sig(SIGKILL, tsk);
39483+ } while_each_thread(tsk2, tsk);
39484+ read_unlock(&tasklist_lock);
39485+ } else {
39486+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39487+ read_lock(&tasklist_lock);
39488+ do_each_thread(tsk2, tsk) {
39489+ if (likely(tsk != task)) {
39490+ curr2 = tsk->acl;
39491+
39492+ if (curr2->device == curr->device &&
39493+ curr2->inode == curr->inode)
39494+ gr_fake_force_sig(SIGKILL, tsk);
39495+ }
39496+ } while_each_thread(tsk2, tsk);
39497+ read_unlock(&tasklist_lock);
39498+ }
ae4e228f 39499+ rcu_read_unlock();
58c5fc13
MT		 39500+ }
39501+
39502+ return;
39503+}
39504+
39505+int
39506+gr_check_crash_exec(const struct file *filp)
39507+{
39508+ struct acl_subject_label *curr;
39509+
39510+ if (unlikely(!gr_acl_is_enabled()))
39511+ return 0;
39512+
39513+ read_lock(&gr_inode_lock);
39514+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
39515+ filp->f_path.dentry->d_inode->i_sb->s_dev,
39516+ current->role);
39517+ read_unlock(&gr_inode_lock);
39518+
39519+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
39520+ (!curr->crashes && !curr->expires))
39521+ return 0;
39522+
39523+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39524+ time_after(curr->expires, get_seconds()))
39525+ return 1;
39526+ else if (time_before_eq(curr->expires, get_seconds())) {
39527+ curr->crashes = 0;
39528+ curr->expires = 0;
39529+ }
39530+
39531+ return 0;
39532+}
39533+
39534+void
39535+gr_handle_alertkill(struct task_struct *task)
39536+{
39537+ struct acl_subject_label *curracl;
39538+ __u32 curr_ip;
39539+ struct task_struct *p, *p2;
39540+
39541+ if (unlikely(!gr_acl_is_enabled()))
39542+ return;
39543+
39544+ curracl = task->acl;
39545+ curr_ip = task->signal->curr_ip;
39546+
39547+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
39548+ read_lock(&tasklist_lock);
39549+ do_each_thread(p2, p) {
39550+ if (p->signal->curr_ip == curr_ip)
39551+ gr_fake_force_sig(SIGKILL, p);
39552+ } while_each_thread(p2, p);
39553+ read_unlock(&tasklist_lock);
39554+ } else if (curracl->mode & GR_KILLPROC)
39555+ gr_fake_force_sig(SIGKILL, task);
39556+
39557+ return;
39558+}
57199397
MT		 39559diff -urNp linux-2.6.35.4/grsecurity/gracl_shm.c linux-2.6.35.4/grsecurity/gracl_shm.c
39560--- linux-2.6.35.4/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
39561+++ linux-2.6.35.4/grsecurity/gracl_shm.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 39562@@ -0,0 +1,40 @@
58c5fc13
MT		 39563+#include <linux/kernel.h>
39564+#include <linux/mm.h>
39565+#include <linux/sched.h>
39566+#include <linux/file.h>
39567+#include <linux/ipc.h>
39568+#include <linux/gracl.h>
39569+#include <linux/grsecurity.h>
39570+#include <linux/grinternal.h>
39571+
39572+int
39573+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39574+ const time_t shm_createtime, const uid_t cuid, const int shmid)
39575+{
39576+ struct task_struct *task;
39577+
39578+ if (!gr_acl_is_enabled())
39579+ return 1;
39580+
df50ba0c 39581+ rcu_read_lock();
58c5fc13
MT		 39582+ read_lock(&tasklist_lock);
39583+
39584+ task = find_task_by_vpid(shm_cprid);
39585+
39586+ if (unlikely(!task))
39587+ task = find_task_by_vpid(shm_lapid);
39588+
39589+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
39590+ (task->pid == shm_lapid)) &&
39591+ (task->acl->mode & GR_PROTSHM) &&
39592+ (task->acl != current->acl))) {
39593+ read_unlock(&tasklist_lock);
df50ba0c 39594+ rcu_read_unlock();
58c5fc13
MT		 39595+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
39596+ return 0;
39597+ }
39598+ read_unlock(&tasklist_lock);
df50ba0c 39599+ rcu_read_unlock();
58c5fc13
MT		 39600+
39601+ return 1;
39602+}
57199397
MT		 39603diff -urNp linux-2.6.35.4/grsecurity/grsec_chdir.c linux-2.6.35.4/grsecurity/grsec_chdir.c
39604--- linux-2.6.35.4/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
39605+++ linux-2.6.35.4/grsecurity/grsec_chdir.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 39606@@ -0,0 +1,19 @@
39607+#include <linux/kernel.h>
39608+#include <linux/sched.h>
39609+#include <linux/fs.h>
39610+#include <linux/file.h>
39611+#include <linux/grsecurity.h>
39612+#include <linux/grinternal.h>
39613+
39614+void
39615+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
39616+{
39617+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
39618+ if ((grsec_enable_chdir && grsec_enable_group &&
39619+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
39620+ !grsec_enable_group)) {
39621+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
39622+ }
39623+#endif
39624+ return;
39625+}
57199397
MT		 39626diff -urNp linux-2.6.35.4/grsecurity/grsec_chroot.c linux-2.6.35.4/grsecurity/grsec_chroot.c
39627--- linux-2.6.35.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
39628+++ linux-2.6.35.4/grsecurity/grsec_chroot.c 2010-09-17 20:12:37.000000000 -0400
39629@@ -0,0 +1,389 @@
58c5fc13
MT		 39630+#include <linux/kernel.h>
39631+#include <linux/module.h>
39632+#include <linux/sched.h>
39633+#include <linux/file.h>
39634+#include <linux/fs.h>
39635+#include <linux/mount.h>
39636+#include <linux/types.h>
39637+#include <linux/pid_namespace.h>
39638+#include <linux/grsecurity.h>
39639+#include <linux/grinternal.h>
39640+
df50ba0c
MT		 39641+void gr_set_chroot_entries(struct task_struct *task, struct path *path)
39642+{
39643+#ifdef CONFIG_GRKERNSEC
39644+ if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
39645+ path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
39646+ task->gr_is_chrooted = 1;
39647+ else
39648+ task->gr_is_chrooted = 0;
39649+
39650+ task->gr_chroot_dentry = path->dentry;
39651+#endif
39652+ return;
39653+}
39654+
39655+void gr_clear_chroot_entries(struct task_struct *task)
39656+{
39657+#ifdef CONFIG_GRKERNSEC
39658+ task->gr_is_chrooted = 0;
39659+ task->gr_chroot_dentry = NULL;
39660+#endif
39661+ return;
39662+}
39663+
58c5fc13
MT		 39664+int
39665+gr_handle_chroot_unix(const pid_t pid)
39666+{
39667+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39668+ struct pid *spid = NULL;
39669+
39670+ if (unlikely(!grsec_enable_chroot_unix))
39671+ return 1;
39672+
39673+ if (likely(!proc_is_chrooted(current)))
39674+ return 1;
39675+
df50ba0c 39676+ rcu_read_lock();
58c5fc13
MT		 39677+ read_lock(&tasklist_lock);
39678+
39679+ spid = find_vpid(pid);
39680+ if (spid) {
39681+ struct task_struct *p;
39682+ p = pid_task(spid, PIDTYPE_PID);
58c5fc13 39683+ if (unlikely(!have_same_root(current, p))) {
58c5fc13 39684+ read_unlock(&tasklist_lock);
df50ba0c 39685+ rcu_read_unlock();
58c5fc13
MT		 39686+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
39687+ return 0;
39688+ }
58c5fc13
MT		 39689+ }
39690+ read_unlock(&tasklist_lock);
df50ba0c 39691+ rcu_read_unlock();
58c5fc13
MT		 39692+#endif
39693+ return 1;
39694+}
39695+
39696+int
39697+gr_handle_chroot_nice(void)
39698+{
39699+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39700+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
39701+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
39702+ return -EPERM;
39703+ }
39704+#endif
39705+ return 0;
39706+}
39707+
39708+int
39709+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
39710+{
39711+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39712+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
39713+ && proc_is_chrooted(current)) {
39714+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
39715+ return -EACCES;
39716+ }
39717+#endif
39718+ return 0;
39719+}
39720+
39721+int
39722+gr_handle_chroot_rawio(const struct inode *inode)
39723+{
39724+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39725+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
39726+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
39727+ return 1;
39728+#endif
39729+ return 0;
39730+}
39731+
39732+int
57199397
MT		 39733+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
39734+{
39735+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39736+ struct task_struct *p;
39737+ int ret = 0;
39738+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
39739+ return ret;
39740+
39741+ read_lock(&tasklist_lock);
39742+ do_each_pid_task(pid, type, p) {
39743+ if (!have_same_root(current, p)) {
39744+ ret = 1;
39745+ goto out;
39746+ }
39747+ } while_each_pid_task(pid, type, p);
39748+out:
39749+ read_unlock(&tasklist_lock);
39750+ return ret;
39751+#endif
39752+ return 0;
39753+}
39754+
39755+int
58c5fc13
MT		 39756+gr_pid_is_chrooted(struct task_struct *p)
39757+{
39758+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39759+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
39760+ return 0;
39761+
58c5fc13
MT		 39762+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
39763+ !have_same_root(current, p)) {
58c5fc13
MT		 39764+ return 1;
39765+ }
58c5fc13
MT		 39766+#endif
39767+ return 0;
39768+}
39769+
39770+EXPORT_SYMBOL(gr_pid_is_chrooted);
39771+
39772+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
39773+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
39774+{
39775+ struct dentry *dentry = (struct dentry *)u_dentry;
39776+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
39777+ struct dentry *realroot;
39778+ struct vfsmount *realrootmnt;
39779+ struct dentry *currentroot;
39780+ struct vfsmount *currentmnt;
39781+ struct task_struct *reaper = &init_task;
39782+ int ret = 1;
39783+
39784+ read_lock(&reaper->fs->lock);
39785+ realrootmnt = mntget(reaper->fs->root.mnt);
39786+ realroot = dget(reaper->fs->root.dentry);
39787+ read_unlock(&reaper->fs->lock);
39788+
39789+ read_lock(&current->fs->lock);
39790+ currentmnt = mntget(current->fs->root.mnt);
39791+ currentroot = dget(current->fs->root.dentry);
39792+ read_unlock(&current->fs->lock);
39793+
39794+ spin_lock(&dcache_lock);
39795+ for (;;) {
39796+ if (unlikely((dentry == realroot && mnt == realrootmnt)
39797+ || (dentry == currentroot && mnt == currentmnt)))
39798+ break;
39799+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
39800+ if (mnt->mnt_parent == mnt)
39801+ break;
39802+ dentry = mnt->mnt_mountpoint;
39803+ mnt = mnt->mnt_parent;
39804+ continue;
39805+ }
39806+ dentry = dentry->d_parent;
39807+ }
39808+ spin_unlock(&dcache_lock);
39809+
39810+ dput(currentroot);
39811+ mntput(currentmnt);
39812+
39813+ /* access is outside of chroot */
39814+ if (dentry == realroot && mnt == realrootmnt)
39815+ ret = 0;
39816+
39817+ dput(realroot);
39818+ mntput(realrootmnt);
39819+ return ret;
39820+}
39821+#endif
39822+
39823+int
39824+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
39825+{
39826+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39827+ if (!grsec_enable_chroot_fchdir)
39828+ return 1;
39829+
39830+ if (!proc_is_chrooted(current))
39831+ return 1;
39832+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
39833+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
39834+ return 0;
39835+ }
39836+#endif
39837+ return 1;
39838+}
39839+
39840+int
39841+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39842+ const time_t shm_createtime)
39843+{
39844+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39845+ struct pid *pid = NULL;
39846+ time_t starttime;
39847+
39848+ if (unlikely(!grsec_enable_chroot_shmat))
39849+ return 1;
39850+
39851+ if (likely(!proc_is_chrooted(current)))
39852+ return 1;
39853+
df50ba0c 39854+ rcu_read_lock();
58c5fc13
MT		 39855+ read_lock(&tasklist_lock);
39856+
39857+ pid = find_vpid(shm_cprid);
39858+ if (pid) {
39859+ struct task_struct *p;
39860+ p = pid_task(pid, PIDTYPE_PID);
58c5fc13
MT		 39861+ starttime = p->start_time.tv_sec;
39862+ if (unlikely(!have_same_root(current, p) &&
39863+ time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
58c5fc13 39864+ read_unlock(&tasklist_lock);
df50ba0c 39865+ rcu_read_unlock();
58c5fc13
MT		 39866+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39867+ return 0;
39868+ }
58c5fc13
MT		 39869+ } else {
39870+ pid = find_vpid(shm_lapid);
39871+ if (pid) {
39872+ struct task_struct *p;
39873+ p = pid_task(pid, PIDTYPE_PID);
58c5fc13 39874+ if (unlikely(!have_same_root(current, p))) {
58c5fc13 39875+ read_unlock(&tasklist_lock);
df50ba0c 39876+ rcu_read_unlock();
58c5fc13
MT		 39877+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39878+ return 0;
39879+ }
58c5fc13
MT		 39880+ }
39881+ }
39882+
39883+ read_unlock(&tasklist_lock);
df50ba0c 39884+ rcu_read_unlock();
58c5fc13
MT		 39885+#endif
39886+ return 1;
39887+}
39888+
39889+void
39890+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
39891+{
39892+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39893+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
39894+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
39895+#endif
39896+ return;
39897+}
39898+
39899+int
39900+gr_handle_chroot_mknod(const struct dentry *dentry,
39901+ const struct vfsmount *mnt, const int mode)
39902+{
39903+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39904+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
39905+ proc_is_chrooted(current)) {
39906+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
39907+ return -EPERM;
39908+ }
39909+#endif
39910+ return 0;
39911+}
39912+
39913+int
39914+gr_handle_chroot_mount(const struct dentry *dentry,
39915+ const struct vfsmount *mnt, const char *dev_name)
39916+{
39917+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39918+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
39919+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
39920+ return -EPERM;
39921+ }
39922+#endif
39923+ return 0;
39924+}
39925+
39926+int
39927+gr_handle_chroot_pivot(void)
39928+{
39929+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39930+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
39931+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
39932+ return -EPERM;
39933+ }
39934+#endif
39935+ return 0;
39936+}
39937+
39938+int
39939+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
39940+{
39941+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39942+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
39943+ !gr_is_outside_chroot(dentry, mnt)) {
39944+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
39945+ return -EPERM;
39946+ }
39947+#endif
39948+ return 0;
39949+}
39950+
39951+int
39952+gr_handle_chroot_caps(struct path *path)
39953+{
39954+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39955+ if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
39956+ (init_task.fs->root.dentry != path->dentry) &&
39957+ (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
39958+
39959+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
39960+ const struct cred *old = current_cred();
39961+ struct cred *new = prepare_creds();
39962+ if (new == NULL)
39963+ return 1;
39964+
39965+ new->cap_permitted = cap_drop(old->cap_permitted,
39966+ chroot_caps);
39967+ new->cap_inheritable = cap_drop(old->cap_inheritable,
39968+ chroot_caps);
39969+ new->cap_effective = cap_drop(old->cap_effective,
39970+ chroot_caps);
39971+
39972+ commit_creds(new);
39973+
39974+ return 0;
39975+ }
39976+#endif
39977+ return 0;
39978+}
39979+
39980+int
39981+gr_handle_chroot_sysctl(const int op)
39982+{
39983+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
ae4e228f
MT		 39984+ if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
39985+ proc_is_chrooted(current))
58c5fc13
MT		 39986+ return -EACCES;
39987+#endif
39988+ return 0;
39989+}
39990+
39991+void
39992+gr_handle_chroot_chdir(struct path *path)
39993+{
39994+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
39995+ if (grsec_enable_chroot_chdir)
39996+ set_fs_pwd(current->fs, path);
39997+#endif
39998+ return;
39999+}
40000+
40001+int
40002+gr_handle_chroot_chmod(const struct dentry *dentry,
40003+ const struct vfsmount *mnt, const int mode)
40004+{
40005+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40006+ if (grsec_enable_chroot_chmod &&
40007+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
40008+ proc_is_chrooted(current)) {
40009+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40010+ return -EPERM;
40011+ }
40012+#endif
40013+ return 0;
40014+}
40015+
40016+#ifdef CONFIG_SECURITY
40017+EXPORT_SYMBOL(gr_handle_chroot_caps);
40018+#endif
57199397
MT		 40019diff -urNp linux-2.6.35.4/grsecurity/grsec_disabled.c linux-2.6.35.4/grsecurity/grsec_disabled.c
40020--- linux-2.6.35.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
40021+++ linux-2.6.35.4/grsecurity/grsec_disabled.c 2010-09-17 20:12:37.000000000 -0400
40022@@ -0,0 +1,431 @@
58c5fc13
MT		 40023+#include <linux/kernel.h>
40024+#include <linux/module.h>
40025+#include <linux/sched.h>
40026+#include <linux/file.h>
40027+#include <linux/fs.h>
40028+#include <linux/kdev_t.h>
40029+#include <linux/net.h>
40030+#include <linux/in.h>
40031+#include <linux/ip.h>
40032+#include <linux/skbuff.h>
40033+#include <linux/sysctl.h>
40034+
40035+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40036+void
40037+pax_set_initial_flags(struct linux_binprm *bprm)
40038+{
40039+ return;
40040+}
40041+#endif
40042+
40043+#ifdef CONFIG_SYSCTL
40044+__u32
40045+gr_handle_sysctl(const struct ctl_table * table, const int op)
40046+{
40047+ return 0;
40048+}
40049+#endif
40050+
40051+#ifdef CONFIG_TASKSTATS
40052+int gr_is_taskstats_denied(int pid)
40053+{
40054+ return 0;
40055+}
40056+#endif
40057+
40058+int
40059+gr_acl_is_enabled(void)
40060+{
40061+ return 0;
40062+}
40063+
40064+int
40065+gr_handle_rawio(const struct inode *inode)
40066+{
40067+ return 0;
40068+}
40069+
40070+void
40071+gr_acl_handle_psacct(struct task_struct *task, const long code)
40072+{
40073+ return;
40074+}
40075+
40076+int
40077+gr_handle_ptrace(struct task_struct *task, const long request)
40078+{
40079+ return 0;
40080+}
40081+
40082+int
40083+gr_handle_proc_ptrace(struct task_struct *task)
40084+{
40085+ return 0;
40086+}
40087+
40088+void
40089+gr_learn_resource(const struct task_struct *task,
40090+ const int res, const unsigned long wanted, const int gt)
40091+{
40092+ return;
40093+}
40094+
40095+int
40096+gr_set_acls(const int type)
40097+{
40098+ return 0;
40099+}
40100+
40101+int
40102+gr_check_hidden_task(const struct task_struct *tsk)
40103+{
40104+ return 0;
40105+}
40106+
40107+int
40108+gr_check_protected_task(const struct task_struct *task)
40109+{
40110+ return 0;
40111+}
40112+
57199397
MT		 40113+int
40114+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
40115+{
40116+ return 0;
40117+}
40118+
58c5fc13
MT		 40119+void
40120+gr_copy_label(struct task_struct *tsk)
40121+{
40122+ return;
40123+}
40124+
40125+void
40126+gr_set_pax_flags(struct task_struct *task)
40127+{
40128+ return;
40129+}
40130+
40131+int
40132+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
40133+ const int unsafe_share)
40134+{
40135+ return 0;
40136+}
40137+
40138+void
40139+gr_handle_delete(const ino_t ino, const dev_t dev)
40140+{
40141+ return;
40142+}
40143+
40144+void
40145+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
40146+{
40147+ return;
40148+}
40149+
40150+void
40151+gr_handle_crash(struct task_struct *task, const int sig)
40152+{
40153+ return;
40154+}
40155+
40156+int
40157+gr_check_crash_exec(const struct file *filp)
40158+{
40159+ return 0;
40160+}
40161+
40162+int
40163+gr_check_crash_uid(const uid_t uid)
40164+{
40165+ return 0;
40166+}
40167+
40168+void
40169+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
40170+ struct dentry *old_dentry,
40171+ struct dentry *new_dentry,
40172+ struct vfsmount *mnt, const __u8 replace)
40173+{
40174+ return;
40175+}
40176+
40177+int
40178+gr_search_socket(const int family, const int type, const int protocol)
40179+{
40180+ return 1;
40181+}
40182+
40183+int
40184+gr_search_connectbind(const int mode, const struct socket *sock,
40185+ const struct sockaddr_in *addr)
40186+{
40187+ return 0;
40188+}
40189+
40190+int
40191+gr_is_capable(const int cap)
40192+{
40193+ return 1;
40194+}
40195+
40196+int
40197+gr_is_capable_nolog(const int cap)
40198+{
40199+ return 1;
40200+}
40201+
40202+void
40203+gr_handle_alertkill(struct task_struct *task)
40204+{
40205+ return;
40206+}
40207+
40208+__u32
40209+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
40210+{
40211+ return 1;
40212+}
40213+
40214+__u32
40215+gr_acl_handle_hidden_file(const struct dentry * dentry,
40216+ const struct vfsmount * mnt)
40217+{
40218+ return 1;
40219+}
40220+
40221+__u32
40222+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40223+ const int fmode)
40224+{
40225+ return 1;
40226+}
40227+
40228+__u32
40229+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40230+{
40231+ return 1;
40232+}
40233+
40234+__u32
40235+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
40236+{
40237+ return 1;
40238+}
40239+
40240+int
40241+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
40242+ unsigned int *vm_flags)
40243+{
40244+ return 1;
40245+}
40246+
40247+__u32
40248+gr_acl_handle_truncate(const struct dentry * dentry,
40249+ const struct vfsmount * mnt)
40250+{
40251+ return 1;
40252+}
40253+
40254+__u32
40255+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
40256+{
40257+ return 1;
40258+}
40259+
40260+__u32
40261+gr_acl_handle_access(const struct dentry * dentry,
40262+ const struct vfsmount * mnt, const int fmode)
40263+{
40264+ return 1;
40265+}
40266+
40267+__u32
40268+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
40269+ mode_t mode)
40270+{
40271+ return 1;
40272+}
40273+
40274+__u32
40275+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
40276+ mode_t mode)
40277+{
40278+ return 1;
40279+}
40280+
40281+__u32
40282+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
40283+{
40284+ return 1;
40285+}
40286+
40287+void
40288+grsecurity_init(void)
40289+{
40290+ return;
40291+}
40292+
40293+__u32
40294+gr_acl_handle_mknod(const struct dentry * new_dentry,
40295+ const struct dentry * parent_dentry,
40296+ const struct vfsmount * parent_mnt,
40297+ const int mode)
40298+{
40299+ return 1;
40300+}
40301+
40302+__u32
40303+gr_acl_handle_mkdir(const struct dentry * new_dentry,
40304+ const struct dentry * parent_dentry,
40305+ const struct vfsmount * parent_mnt)
40306+{
40307+ return 1;
40308+}
40309+
40310+__u32
40311+gr_acl_handle_symlink(const struct dentry * new_dentry,
40312+ const struct dentry * parent_dentry,
40313+ const struct vfsmount * parent_mnt, const char *from)
40314+{
40315+ return 1;
40316+}
40317+
40318+__u32
40319+gr_acl_handle_link(const struct dentry * new_dentry,
40320+ const struct dentry * parent_dentry,
40321+ const struct vfsmount * parent_mnt,
40322+ const struct dentry * old_dentry,
40323+ const struct vfsmount * old_mnt, const char *to)
40324+{
40325+ return 1;
40326+}
40327+
40328+int
40329+gr_acl_handle_rename(const struct dentry *new_dentry,
40330+ const struct dentry *parent_dentry,
40331+ const struct vfsmount *parent_mnt,
40332+ const struct dentry *old_dentry,
40333+ const struct inode *old_parent_inode,
40334+ const struct vfsmount *old_mnt, const char *newname)
40335+{
40336+ return 0;
40337+}
40338+
40339+int
40340+gr_acl_handle_filldir(const struct file *file, const char *name,
40341+ const int namelen, const ino_t ino)
40342+{
40343+ return 1;
40344+}
40345+
40346+int
40347+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40348+ const time_t shm_createtime, const uid_t cuid, const int shmid)
40349+{
40350+ return 1;
40351+}
40352+
40353+int
40354+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
40355+{
40356+ return 0;
40357+}
40358+
40359+int
40360+gr_search_accept(const struct socket *sock)
40361+{
40362+ return 0;
40363+}
40364+
40365+int
40366+gr_search_listen(const struct socket *sock)
40367+{
40368+ return 0;
40369+}
40370+
40371+int
40372+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
40373+{
40374+ return 0;
40375+}
40376+
40377+__u32
40378+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
40379+{
40380+ return 1;
40381+}
40382+
40383+__u32
40384+gr_acl_handle_creat(const struct dentry * dentry,
40385+ const struct dentry * p_dentry,
40386+ const struct vfsmount * p_mnt, const int fmode,
40387+ const int imode)
40388+{
40389+ return 1;
40390+}
40391+
40392+void
40393+gr_acl_handle_exit(void)
40394+{
40395+ return;
40396+}
40397+
40398+int
40399+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
40400+{
40401+ return 1;
40402+}
40403+
40404+void
40405+gr_set_role_label(const uid_t uid, const gid_t gid)
40406+{
40407+ return;
40408+}
40409+
40410+int
40411+gr_acl_handle_procpidmem(const struct task_struct *task)
40412+{
40413+ return 0;
40414+}
40415+
40416+int
40417+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
40418+{
40419+ return 0;
40420+}
40421+
40422+int
40423+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
40424+{
40425+ return 0;
40426+}
40427+
40428+void
40429+gr_set_kernel_label(struct task_struct *task)
40430+{
40431+ return;
40432+}
40433+
40434+int
40435+gr_check_user_change(int real, int effective, int fs)
40436+{
40437+ return 0;
40438+}
40439+
40440+int
40441+gr_check_group_change(int real, int effective, int fs)
40442+{
40443+ return 0;
40444+}
40445+
58c5fc13
MT		 40446+EXPORT_SYMBOL(gr_is_capable);
40447+EXPORT_SYMBOL(gr_is_capable_nolog);
40448+EXPORT_SYMBOL(gr_learn_resource);
40449+EXPORT_SYMBOL(gr_set_kernel_label);
40450+#ifdef CONFIG_SECURITY
40451+EXPORT_SYMBOL(gr_check_user_change);
40452+EXPORT_SYMBOL(gr_check_group_change);
40453+#endif
57199397
MT		 40454diff -urNp linux-2.6.35.4/grsecurity/grsec_exec.c linux-2.6.35.4/grsecurity/grsec_exec.c
40455--- linux-2.6.35.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
40456+++ linux-2.6.35.4/grsecurity/grsec_exec.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 40457@@ -0,0 +1,88 @@
58c5fc13
MT		 40458+#include <linux/kernel.h>
40459+#include <linux/sched.h>
40460+#include <linux/file.h>
40461+#include <linux/binfmts.h>
40462+#include <linux/smp_lock.h>
40463+#include <linux/fs.h>
40464+#include <linux/types.h>
40465+#include <linux/grdefs.h>
40466+#include <linux/grinternal.h>
40467+#include <linux/capability.h>
40468+
40469+#include <asm/uaccess.h>
40470+
40471+#ifdef CONFIG_GRKERNSEC_EXECLOG
40472+static char gr_exec_arg_buf[132];
40473+static DECLARE_MUTEX(gr_exec_arg_sem);
40474+#endif
40475+
40476+int
40477+gr_handle_nproc(void)
40478+{
40479+#ifdef CONFIG_GRKERNSEC_EXECVE
40480+ const struct cred *cred = current_cred();
40481+ if (grsec_enable_execve && cred->user &&
df50ba0c 40482+ (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
58c5fc13
MT		 40483+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
40484+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
40485+ return -EAGAIN;
40486+ }
40487+#endif
40488+ return 0;
40489+}
40490+
40491+void
40492+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
40493+{
40494+#ifdef CONFIG_GRKERNSEC_EXECLOG
40495+ char *grarg = gr_exec_arg_buf;
40496+ unsigned int i, x, execlen = 0;
40497+ char c;
40498+
40499+ if (!((grsec_enable_execlog && grsec_enable_group &&
40500+ in_group_p(grsec_audit_gid))
40501+ || (grsec_enable_execlog && !grsec_enable_group)))
40502+ return;
40503+
40504+ down(&gr_exec_arg_sem);
40505+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
40506+
40507+ if (unlikely(argv == NULL))
40508+ goto log;
40509+
40510+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
40511+ const char __user *p;
40512+ unsigned int len;
40513+
40514+ if (copy_from_user(&p, argv + i, sizeof(p)))
40515+ goto log;
40516+ if (!p)
40517+ goto log;
40518+ len = strnlen_user(p, 128 - execlen);
40519+ if (len > 128 - execlen)
40520+ len = 128 - execlen;
40521+ else if (len > 0)
40522+ len--;
40523+ if (copy_from_user(grarg + execlen, p, len))
40524+ goto log;
40525+
40526+ /* rewrite unprintable characters */
40527+ for (x = 0; x < len; x++) {
40528+ c = *(grarg + execlen + x);
40529+ if (c < 32 || c > 126)
40530+ *(grarg + execlen + x) = ' ';
40531+ }
40532+
40533+ execlen += len;
40534+ *(grarg + execlen) = ' ';
40535+ *(grarg + execlen + 1) = '\0';
40536+ execlen++;
40537+ }
40538+
40539+ log:
40540+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
40541+ bprm->file->f_path.mnt, grarg);
40542+ up(&gr_exec_arg_sem);
40543+#endif
40544+ return;
40545+}
57199397
MT		 40546diff -urNp linux-2.6.35.4/grsecurity/grsec_fifo.c linux-2.6.35.4/grsecurity/grsec_fifo.c
40547--- linux-2.6.35.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
40548+++ linux-2.6.35.4/grsecurity/grsec_fifo.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 40549@@ -0,0 +1,24 @@
40550+#include <linux/kernel.h>
40551+#include <linux/sched.h>
40552+#include <linux/fs.h>
40553+#include <linux/file.h>
40554+#include <linux/grinternal.h>
40555+
40556+int
40557+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
40558+ const struct dentry *dir, const int flag, const int acc_mode)
40559+{
40560+#ifdef CONFIG_GRKERNSEC_FIFO
40561+ const struct cred *cred = current_cred();
40562+
40563+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
40564+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
40565+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
40566+ (cred->fsuid != dentry->d_inode->i_uid)) {
40567+ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
40568+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
40569+ return -EACCES;
40570+ }
40571+#endif
40572+ return 0;
40573+}
57199397
MT		 40574diff -urNp linux-2.6.35.4/grsecurity/grsec_fork.c linux-2.6.35.4/grsecurity/grsec_fork.c
40575--- linux-2.6.35.4/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
40576+++ linux-2.6.35.4/grsecurity/grsec_fork.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 40577@@ -0,0 +1,15 @@
40578+#include <linux/kernel.h>
40579+#include <linux/sched.h>
40580+#include <linux/grsecurity.h>
40581+#include <linux/grinternal.h>
40582+#include <linux/errno.h>
40583+
40584+void
40585+gr_log_forkfail(const int retval)
40586+{
40587+#ifdef CONFIG_GRKERNSEC_FORKFAIL
40588+ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
40589+ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
40590+#endif
40591+ return;
40592+}
57199397
MT		 40593diff -urNp linux-2.6.35.4/grsecurity/grsec_init.c linux-2.6.35.4/grsecurity/grsec_init.c
40594--- linux-2.6.35.4/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
40595+++ linux-2.6.35.4/grsecurity/grsec_init.c 2010-09-17 20:12:37.000000000 -0400
40596@@ -0,0 +1,266 @@
58c5fc13
MT		 40597+#include <linux/kernel.h>
40598+#include <linux/sched.h>
40599+#include <linux/mm.h>
40600+#include <linux/smp_lock.h>
40601+#include <linux/gracl.h>
40602+#include <linux/slab.h>
40603+#include <linux/vmalloc.h>
40604+#include <linux/percpu.h>
df50ba0c 40605+#include <linux/module.h>
58c5fc13
MT		 40606+
40607+int grsec_enable_link;
40608+int grsec_enable_dmesg;
40609+int grsec_enable_harden_ptrace;
40610+int grsec_enable_fifo;
40611+int grsec_enable_execve;
40612+int grsec_enable_execlog;
40613+int grsec_enable_signal;
40614+int grsec_enable_forkfail;
ae4e228f 40615+int grsec_enable_audit_ptrace;
58c5fc13
MT		 40616+int grsec_enable_time;
40617+int grsec_enable_audit_textrel;
40618+int grsec_enable_group;
40619+int grsec_audit_gid;
40620+int grsec_enable_chdir;
40621+int grsec_enable_mount;
ae4e228f 40622+int grsec_enable_rofs;
58c5fc13
MT		 40623+int grsec_enable_chroot_findtask;
40624+int grsec_enable_chroot_mount;
40625+int grsec_enable_chroot_shmat;
40626+int grsec_enable_chroot_fchdir;
40627+int grsec_enable_chroot_double;
40628+int grsec_enable_chroot_pivot;
40629+int grsec_enable_chroot_chdir;
40630+int grsec_enable_chroot_chmod;
40631+int grsec_enable_chroot_mknod;
40632+int grsec_enable_chroot_nice;
40633+int grsec_enable_chroot_execlog;
40634+int grsec_enable_chroot_caps;
40635+int grsec_enable_chroot_sysctl;
40636+int grsec_enable_chroot_unix;
40637+int grsec_enable_tpe;
40638+int grsec_tpe_gid;
ae4e228f 40639+int grsec_enable_blackhole;
df50ba0c
MT		 40640+#ifdef CONFIG_IPV6_MODULE
40641+EXPORT_SYMBOL(grsec_enable_blackhole);
40642+#endif
ae4e228f 40643+int grsec_lastack_retries;
58c5fc13 40644+int grsec_enable_tpe_all;
57199397 40645+int grsec_enable_tpe_invert;
58c5fc13
MT		 40646+int grsec_enable_socket_all;
40647+int grsec_socket_all_gid;
40648+int grsec_enable_socket_client;
40649+int grsec_socket_client_gid;
40650+int grsec_enable_socket_server;
40651+int grsec_socket_server_gid;
40652+int grsec_resource_logging;
df50ba0c 40653+int grsec_disable_privio;
58c5fc13
MT		 40654+int grsec_lock;
40655+
40656+DEFINE_SPINLOCK(grsec_alert_lock);
40657+unsigned long grsec_alert_wtime = 0;
40658+unsigned long grsec_alert_fyet = 0;
40659+
40660+DEFINE_SPINLOCK(grsec_audit_lock);
40661+
40662+DEFINE_RWLOCK(grsec_exec_file_lock);
40663+
40664+char *gr_shared_page[4];
40665+
40666+char *gr_alert_log_fmt;
40667+char *gr_audit_log_fmt;
40668+char *gr_alert_log_buf;
40669+char *gr_audit_log_buf;
40670+
40671+extern struct gr_arg *gr_usermode;
40672+extern unsigned char *gr_system_salt;
40673+extern unsigned char *gr_system_sum;
40674+
40675+void __init
40676+grsecurity_init(void)
40677+{
40678+ int j;
40679+ /* create the per-cpu shared pages */
40680+
40681+#ifdef CONFIG_X86
40682+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
40683+#endif
40684+
40685+ for (j = 0; j < 4; j++) {
40686+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
40687+ if (gr_shared_page[j] == NULL) {
40688+ panic("Unable to allocate grsecurity shared page");
40689+ return;
40690+ }
40691+ }
40692+
40693+ /* allocate log buffers */
40694+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
40695+ if (!gr_alert_log_fmt) {
40696+ panic("Unable to allocate grsecurity alert log format buffer");
40697+ return;
40698+ }
40699+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
40700+ if (!gr_audit_log_fmt) {
40701+ panic("Unable to allocate grsecurity audit log format buffer");
40702+ return;
40703+ }
40704+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40705+ if (!gr_alert_log_buf) {
40706+ panic("Unable to allocate grsecurity alert log buffer");
40707+ return;
40708+ }
40709+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40710+ if (!gr_audit_log_buf) {
40711+ panic("Unable to allocate grsecurity audit log buffer");
40712+ return;
40713+ }
40714+
40715+ /* allocate memory for authentication structure */
40716+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
40717+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
40718+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
40719+
40720+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
40721+ panic("Unable to allocate grsecurity authentication structure");
40722+ return;
40723+ }
40724+
df50ba0c
MT		 40725+
40726+#ifdef CONFIG_GRKERNSEC_IO
40727+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
40728+ grsec_disable_privio = 1;
40729+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40730+ grsec_disable_privio = 1;
40731+#else
40732+ grsec_disable_privio = 0;
40733+#endif
40734+#endif
40735+
57199397
MT		 40736+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40737+ /* for backward compatibility, tpe_invert always defaults to on if
40738+ enabled in the kernel
40739+ */
40740+ grsec_enable_tpe_invert = 1;
40741+#endif
40742+
58c5fc13
MT		 40743+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40744+#ifndef CONFIG_GRKERNSEC_SYSCTL
40745+ grsec_lock = 1;
40746+#endif
df50ba0c 40747+
58c5fc13
MT		 40748+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40749+ grsec_enable_audit_textrel = 1;
40750+#endif
40751+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
40752+ grsec_enable_group = 1;
40753+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
40754+#endif
40755+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40756+ grsec_enable_chdir = 1;
40757+#endif
40758+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40759+ grsec_enable_harden_ptrace = 1;
40760+#endif
40761+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
40762+ grsec_enable_mount = 1;
40763+#endif
40764+#ifdef CONFIG_GRKERNSEC_LINK
40765+ grsec_enable_link = 1;
40766+#endif
40767+#ifdef CONFIG_GRKERNSEC_DMESG
40768+ grsec_enable_dmesg = 1;
40769+#endif
ae4e228f
MT		 40770+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
40771+ grsec_enable_blackhole = 1;
40772+ grsec_lastack_retries = 4;
40773+#endif
58c5fc13
MT		 40774+#ifdef CONFIG_GRKERNSEC_FIFO
40775+ grsec_enable_fifo = 1;
40776+#endif
40777+#ifdef CONFIG_GRKERNSEC_EXECVE
40778+ grsec_enable_execve = 1;
40779+#endif
40780+#ifdef CONFIG_GRKERNSEC_EXECLOG
40781+ grsec_enable_execlog = 1;
40782+#endif
40783+#ifdef CONFIG_GRKERNSEC_SIGNAL
40784+ grsec_enable_signal = 1;
40785+#endif
40786+#ifdef CONFIG_GRKERNSEC_FORKFAIL
40787+ grsec_enable_forkfail = 1;
40788+#endif
40789+#ifdef CONFIG_GRKERNSEC_TIME
40790+ grsec_enable_time = 1;
40791+#endif
40792+#ifdef CONFIG_GRKERNSEC_RESLOG
40793+ grsec_resource_logging = 1;
40794+#endif
40795+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40796+ grsec_enable_chroot_findtask = 1;
40797+#endif
40798+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40799+ grsec_enable_chroot_unix = 1;
40800+#endif
40801+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40802+ grsec_enable_chroot_mount = 1;
40803+#endif
40804+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40805+ grsec_enable_chroot_fchdir = 1;
40806+#endif
40807+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40808+ grsec_enable_chroot_shmat = 1;
40809+#endif
ae4e228f
MT		 40810+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
40811+ grsec_enable_audit_ptrace = 1;
40812+#endif
58c5fc13
MT		 40813+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40814+ grsec_enable_chroot_double = 1;
40815+#endif
40816+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40817+ grsec_enable_chroot_pivot = 1;
40818+#endif
40819+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40820+ grsec_enable_chroot_chdir = 1;
40821+#endif
40822+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40823+ grsec_enable_chroot_chmod = 1;
40824+#endif
40825+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40826+ grsec_enable_chroot_mknod = 1;
40827+#endif
40828+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40829+ grsec_enable_chroot_nice = 1;
40830+#endif
40831+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40832+ grsec_enable_chroot_execlog = 1;
40833+#endif
40834+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40835+ grsec_enable_chroot_caps = 1;
40836+#endif
40837+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40838+ grsec_enable_chroot_sysctl = 1;
40839+#endif
40840+#ifdef CONFIG_GRKERNSEC_TPE
40841+ grsec_enable_tpe = 1;
40842+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
40843+#ifdef CONFIG_GRKERNSEC_TPE_ALL
40844+ grsec_enable_tpe_all = 1;
40845+#endif
40846+#endif
40847+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
40848+ grsec_enable_socket_all = 1;
40849+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
40850+#endif
40851+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
40852+ grsec_enable_socket_client = 1;
40853+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
40854+#endif
40855+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
40856+ grsec_enable_socket_server = 1;
40857+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
40858+#endif
40859+#endif
40860+
40861+ return;
40862+}
57199397
MT		 40863diff -urNp linux-2.6.35.4/grsecurity/grsec_link.c linux-2.6.35.4/grsecurity/grsec_link.c
40864--- linux-2.6.35.4/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
40865+++ linux-2.6.35.4/grsecurity/grsec_link.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 40866@@ -0,0 +1,43 @@
40867+#include <linux/kernel.h>
40868+#include <linux/sched.h>
40869+#include <linux/fs.h>
40870+#include <linux/file.h>
40871+#include <linux/grinternal.h>
40872+
40873+int
40874+gr_handle_follow_link(const struct inode *parent,
40875+ const struct inode *inode,
40876+ const struct dentry *dentry, const struct vfsmount *mnt)
40877+{
40878+#ifdef CONFIG_GRKERNSEC_LINK
40879+ const struct cred *cred = current_cred();
40880+
40881+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
40882+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
40883+ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
40884+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
40885+ return -EACCES;
40886+ }
40887+#endif
40888+ return 0;
40889+}
40890+
40891+int
40892+gr_handle_hardlink(const struct dentry *dentry,
40893+ const struct vfsmount *mnt,
40894+ struct inode *inode, const int mode, const char *to)
40895+{
40896+#ifdef CONFIG_GRKERNSEC_LINK
40897+ const struct cred *cred = current_cred();
40898+
40899+ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
40900+ (!S_ISREG(mode) || (mode & S_ISUID) ||
40901+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
40902+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
40903+ !capable(CAP_FOWNER) && cred->uid) {
40904+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
40905+ return -EPERM;
40906+ }
40907+#endif
40908+ return 0;
40909+}
57199397
MT		 40910diff -urNp linux-2.6.35.4/grsecurity/grsec_log.c linux-2.6.35.4/grsecurity/grsec_log.c
40911--- linux-2.6.35.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
40912+++ linux-2.6.35.4/grsecurity/grsec_log.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 40913@@ -0,0 +1,306 @@
58c5fc13
MT		 40914+#include <linux/kernel.h>
40915+#include <linux/sched.h>
40916+#include <linux/file.h>
40917+#include <linux/tty.h>
40918+#include <linux/fs.h>
40919+#include <linux/grinternal.h>
40920+
df50ba0c
MT		 40921+#ifdef CONFIG_TREE_PREEMPT_RCU
40922+#define DISABLE_PREEMPT() preempt_disable()
40923+#define ENABLE_PREEMPT() preempt_enable()
40924+#else
40925+#define DISABLE_PREEMPT()
40926+#define ENABLE_PREEMPT()
40927+#endif
40928+
58c5fc13 40929+#define BEGIN_LOCKS(x) \
df50ba0c 40930+ DISABLE_PREEMPT(); \
ae4e228f 40931+ rcu_read_lock(); \
58c5fc13
MT		 40932+ read_lock(&tasklist_lock); \
40933+ read_lock(&grsec_exec_file_lock); \
40934+ if (x != GR_DO_AUDIT) \
40935+ spin_lock(&grsec_alert_lock); \
40936+ else \
40937+ spin_lock(&grsec_audit_lock)
40938+
40939+#define END_LOCKS(x) \
40940+ if (x != GR_DO_AUDIT) \
40941+ spin_unlock(&grsec_alert_lock); \
40942+ else \
40943+ spin_unlock(&grsec_audit_lock); \
40944+ read_unlock(&grsec_exec_file_lock); \
40945+ read_unlock(&tasklist_lock); \
ae4e228f 40946+ rcu_read_unlock(); \
df50ba0c 40947+ ENABLE_PREEMPT(); \
58c5fc13
MT		 40948+ if (x == GR_DONT_AUDIT) \
40949+ gr_handle_alertkill(current)
40950+
40951+enum {
40952+ FLOODING,
40953+ NO_FLOODING
40954+};
40955+
40956+extern char *gr_alert_log_fmt;
40957+extern char *gr_audit_log_fmt;
40958+extern char *gr_alert_log_buf;
40959+extern char *gr_audit_log_buf;
40960+
40961+static int gr_log_start(int audit)
40962+{
40963+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
40964+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
40965+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40966+
40967+ if (audit == GR_DO_AUDIT)
40968+ goto set_fmt;
40969+
40970+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
40971+ grsec_alert_wtime = jiffies;
40972+ grsec_alert_fyet = 0;
40973+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
40974+ grsec_alert_fyet++;
40975+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
40976+ grsec_alert_wtime = jiffies;
40977+ grsec_alert_fyet++;
40978+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
40979+ return FLOODING;
40980+ } else return FLOODING;
40981+
40982+set_fmt:
40983+ memset(buf, 0, PAGE_SIZE);
40984+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
ae4e228f
MT		 40985+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
40986+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
58c5fc13 40987+ } else if (current->signal->curr_ip) {
ae4e228f
MT		 40988+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
40989+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
58c5fc13
MT		 40990+ } else if (gr_acl_is_enabled()) {
40991+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
40992+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
40993+ } else {
40994+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
40995+ strcpy(buf, fmt);
40996+ }
40997+
40998+ return NO_FLOODING;
40999+}
41000+
41001+static void gr_log_middle(int audit, const char *msg, va_list ap)
41002+ __attribute__ ((format (printf, 2, 0)));
41003+
41004+static void gr_log_middle(int audit, const char *msg, va_list ap)
41005+{
41006+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41007+ unsigned int len = strlen(buf);
41008+
41009+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41010+
41011+ return;
41012+}
41013+
41014+static void gr_log_middle_varargs(int audit, const char *msg, ...)
41015+ __attribute__ ((format (printf, 2, 3)));
41016+
41017+static void gr_log_middle_varargs(int audit, const char *msg, ...)
41018+{
41019+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41020+ unsigned int len = strlen(buf);
41021+ va_list ap;
41022+
41023+ va_start(ap, msg);
41024+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41025+ va_end(ap);
41026+
41027+ return;
41028+}
41029+
41030+static void gr_log_end(int audit)
41031+{
41032+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41033+ unsigned int len = strlen(buf);
41034+
41035+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
41036+ printk("%s\n", buf);
41037+
41038+ return;
41039+}
41040+
41041+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
41042+{
41043+ int logtype;
41044+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
41045+ char *str1, *str2, *str3;
41046+ void *voidptr;
41047+ int num1, num2;
41048+ unsigned long ulong1, ulong2;
41049+ struct dentry *dentry;
41050+ struct vfsmount *mnt;
41051+ struct file *file;
41052+ struct task_struct *task;
41053+ const struct cred *cred, *pcred;
41054+ va_list ap;
41055+
41056+ BEGIN_LOCKS(audit);
41057+ logtype = gr_log_start(audit);
41058+ if (logtype == FLOODING) {
41059+ END_LOCKS(audit);
41060+ return;
41061+ }
41062+ va_start(ap, argtypes);
41063+ switch (argtypes) {
41064+ case GR_TTYSNIFF:
41065+ task = va_arg(ap, struct task_struct *);
ae4e228f 41066+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
58c5fc13
MT		 41067+ break;
41068+ case GR_SYSCTL_HIDDEN:
41069+ str1 = va_arg(ap, char *);
41070+ gr_log_middle_varargs(audit, msg, result, str1);
41071+ break;
41072+ case GR_RBAC:
41073+ dentry = va_arg(ap, struct dentry *);
41074+ mnt = va_arg(ap, struct vfsmount *);
41075+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
41076+ break;
41077+ case GR_RBAC_STR:
41078+ dentry = va_arg(ap, struct dentry *);
41079+ mnt = va_arg(ap, struct vfsmount *);
41080+ str1 = va_arg(ap, char *);
41081+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
41082+ break;
41083+ case GR_STR_RBAC:
41084+ str1 = va_arg(ap, char *);
41085+ dentry = va_arg(ap, struct dentry *);
41086+ mnt = va_arg(ap, struct vfsmount *);
41087+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
41088+ break;
41089+ case GR_RBAC_MODE2:
41090+ dentry = va_arg(ap, struct dentry *);
41091+ mnt = va_arg(ap, struct vfsmount *);
41092+ str1 = va_arg(ap, char *);
41093+ str2 = va_arg(ap, char *);
41094+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
41095+ break;
41096+ case GR_RBAC_MODE3:
41097+ dentry = va_arg(ap, struct dentry *);
41098+ mnt = va_arg(ap, struct vfsmount *);
41099+ str1 = va_arg(ap, char *);
41100+ str2 = va_arg(ap, char *);
41101+ str3 = va_arg(ap, char *);
41102+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
41103+ break;
41104+ case GR_FILENAME:
41105+ dentry = va_arg(ap, struct dentry *);
41106+ mnt = va_arg(ap, struct vfsmount *);
41107+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
41108+ break;
41109+ case GR_STR_FILENAME:
41110+ str1 = va_arg(ap, char *);
41111+ dentry = va_arg(ap, struct dentry *);
41112+ mnt = va_arg(ap, struct vfsmount *);
41113+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
41114+ break;
41115+ case GR_FILENAME_STR:
41116+ dentry = va_arg(ap, struct dentry *);
41117+ mnt = va_arg(ap, struct vfsmount *);
41118+ str1 = va_arg(ap, char *);
41119+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
41120+ break;
41121+ case GR_FILENAME_TWO_INT:
41122+ dentry = va_arg(ap, struct dentry *);
41123+ mnt = va_arg(ap, struct vfsmount *);
41124+ num1 = va_arg(ap, int);
41125+ num2 = va_arg(ap, int);
41126+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
41127+ break;
41128+ case GR_FILENAME_TWO_INT_STR:
41129+ dentry = va_arg(ap, struct dentry *);
41130+ mnt = va_arg(ap, struct vfsmount *);
41131+ num1 = va_arg(ap, int);
41132+ num2 = va_arg(ap, int);
41133+ str1 = va_arg(ap, char *);
41134+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
41135+ break;
41136+ case GR_TEXTREL:
41137+ file = va_arg(ap, struct file *);
41138+ ulong1 = va_arg(ap, unsigned long);
41139+ ulong2 = va_arg(ap, unsigned long);
41140+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
41141+ break;
41142+ case GR_PTRACE:
41143+ task = va_arg(ap, struct task_struct *);
41144+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
41145+ break;
41146+ case GR_RESOURCE:
41147+ task = va_arg(ap, struct task_struct *);
41148+ cred = __task_cred(task);
41149+ pcred = __task_cred(task->parent);
41150+ ulong1 = va_arg(ap, unsigned long);
41151+ str1 = va_arg(ap, char *);
41152+ ulong2 = va_arg(ap, unsigned long);
41153+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41154+ break;
41155+ case GR_CAP:
41156+ task = va_arg(ap, struct task_struct *);
41157+ cred = __task_cred(task);
41158+ pcred = __task_cred(task->parent);
41159+ str1 = va_arg(ap, char *);
41160+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41161+ break;
41162+ case GR_SIG:
41163+ str1 = va_arg(ap, char *);
41164+ voidptr = va_arg(ap, void *);
41165+ gr_log_middle_varargs(audit, msg, str1, voidptr);
41166+ break;
41167+ case GR_SIG2:
41168+ task = va_arg(ap, struct task_struct *);
41169+ cred = __task_cred(task);
41170+ pcred = __task_cred(task->parent);
41171+ num1 = va_arg(ap, int);
41172+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41173+ break;
41174+ case GR_CRASH1:
41175+ task = va_arg(ap, struct task_struct *);
41176+ cred = __task_cred(task);
41177+ pcred = __task_cred(task->parent);
41178+ ulong1 = va_arg(ap, unsigned long);
41179+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
41180+ break;
41181+ case GR_CRASH2:
41182+ task = va_arg(ap, struct task_struct *);
41183+ cred = __task_cred(task);
41184+ pcred = __task_cred(task->parent);
41185+ ulong1 = va_arg(ap, unsigned long);
41186+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
41187+ break;
41188+ case GR_PSACCT:
41189+ {
41190+ unsigned int wday, cday;
41191+ __u8 whr, chr;
41192+ __u8 wmin, cmin;
41193+ __u8 wsec, csec;
41194+ char cur_tty[64] = { 0 };
41195+ char parent_tty[64] = { 0 };
41196+
41197+ task = va_arg(ap, struct task_struct *);
41198+ wday = va_arg(ap, unsigned int);
41199+ cday = va_arg(ap, unsigned int);
41200+ whr = va_arg(ap, int);
41201+ chr = va_arg(ap, int);
41202+ wmin = va_arg(ap, int);
41203+ cmin = va_arg(ap, int);
41204+ wsec = va_arg(ap, int);
41205+ csec = va_arg(ap, int);
41206+ ulong1 = va_arg(ap, unsigned long);
41207+ cred = __task_cred(task);
41208+ pcred = __task_cred(task->parent);
41209+
ae4e228f 41210+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
58c5fc13
MT		 41211+ }
41212+ break;
41213+ default:
41214+ gr_log_middle(audit, msg, ap);
41215+ }
41216+ va_end(ap);
41217+ gr_log_end(audit);
41218+ END_LOCKS(audit);
41219+}
57199397
MT		 41220diff -urNp linux-2.6.35.4/grsecurity/grsec_mem.c linux-2.6.35.4/grsecurity/grsec_mem.c
41221--- linux-2.6.35.4/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
41222+++ linux-2.6.35.4/grsecurity/grsec_mem.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 41223@@ -0,0 +1,85 @@
58c5fc13
MT		 41224+#include <linux/kernel.h>
41225+#include <linux/sched.h>
41226+#include <linux/mm.h>
41227+#include <linux/mman.h>
41228+#include <linux/grinternal.h>
41229+
41230+void
41231+gr_handle_ioperm(void)
41232+{
41233+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
41234+ return;
41235+}
41236+
41237+void
41238+gr_handle_iopl(void)
41239+{
41240+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
41241+ return;
41242+}
41243+
41244+void
41245+gr_handle_mem_write(void)
41246+{
41247+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
41248+ return;
41249+}
41250+
41251+void
41252+gr_handle_kmem_write(void)
41253+{
41254+ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
41255+ return;
41256+}
41257+
41258+void
41259+gr_handle_open_port(void)
41260+{
41261+ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
41262+ return;
41263+}
41264+
41265+int
41266+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
41267+{
41268+ unsigned long start, end;
41269+
41270+ start = offset;
41271+ end = start + vma->vm_end - vma->vm_start;
41272+
41273+ if (start > end) {
41274+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41275+ return -EPERM;
41276+ }
41277+
41278+ /* allowed ranges : ISA I/O BIOS */
41279+ if ((start >= __pa(high_memory))
41280+#if defined(CONFIG_X86) || defined(CONFIG_PPC)
41281+ || (start >= 0x000a0000 && end <= 0x00100000)
41282+ || (start >= 0x00000000 && end <= 0x00001000)
41283+#endif
41284+ )
41285+ return 0;
41286+
41287+ if (vma->vm_flags & VM_WRITE) {
41288+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41289+ return -EPERM;
41290+ } else
41291+ vma->vm_flags &= ~VM_MAYWRITE;
41292+
41293+ return 0;
41294+}
41295+
41296+void
41297+gr_log_nonroot_mod_load(const char *modname)
41298+{
41299+ gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
41300+ return;
41301+}
41302+
ae4e228f
MT		 41303+void
41304+gr_handle_vm86(void)
41305+{
41306+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
41307+ return;
41308+}
57199397
MT		 41309diff -urNp linux-2.6.35.4/grsecurity/grsec_mount.c linux-2.6.35.4/grsecurity/grsec_mount.c
41310--- linux-2.6.35.4/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
41311+++ linux-2.6.35.4/grsecurity/grsec_mount.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 41312@@ -0,0 +1,62 @@
58c5fc13
MT		 41313+#include <linux/kernel.h>
41314+#include <linux/sched.h>
ae4e228f 41315+#include <linux/mount.h>
58c5fc13
MT		 41316+#include <linux/grsecurity.h>
41317+#include <linux/grinternal.h>
41318+
41319+void
41320+gr_log_remount(const char *devname, const int retval)
41321+{
41322+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41323+ if (grsec_enable_mount && (retval >= 0))
41324+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
41325+#endif
41326+ return;
41327+}
41328+
41329+void
41330+gr_log_unmount(const char *devname, const int retval)
41331+{
41332+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41333+ if (grsec_enable_mount && (retval >= 0))
41334+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
41335+#endif
41336+ return;
41337+}
41338+
41339+void
41340+gr_log_mount(const char *from, const char *to, const int retval)
41341+{
41342+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41343+ if (grsec_enable_mount && (retval >= 0))
41344+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
41345+#endif
41346+ return;
41347+}
ae4e228f
MT		 41348+
41349+int
41350+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
41351+{
41352+#ifdef CONFIG_GRKERNSEC_ROFS
41353+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
41354+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
41355+ return -EPERM;
41356+ } else
41357+ return 0;
41358+#endif
41359+ return 0;
41360+}
41361+
41362+int
41363+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
41364+{
41365+#ifdef CONFIG_GRKERNSEC_ROFS
41366+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
41367+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
41368+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
41369+ return -EPERM;
41370+ } else
41371+ return 0;
41372+#endif
41373+ return 0;
41374+}
57199397
MT		 41375diff -urNp linux-2.6.35.4/grsecurity/grsec_ptrace.c linux-2.6.35.4/grsecurity/grsec_ptrace.c
41376--- linux-2.6.35.4/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
41377+++ linux-2.6.35.4/grsecurity/grsec_ptrace.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 41378@@ -0,0 +1,14 @@
41379+#include <linux/kernel.h>
41380+#include <linux/sched.h>
41381+#include <linux/grinternal.h>
41382+#include <linux/grsecurity.h>
41383+
41384+void
41385+gr_audit_ptrace(struct task_struct *task)
41386+{
41387+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41388+ if (grsec_enable_audit_ptrace)
41389+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
41390+#endif
41391+ return;
41392+}
57199397
MT		 41393diff -urNp linux-2.6.35.4/grsecurity/grsec_sig.c linux-2.6.35.4/grsecurity/grsec_sig.c
41394--- linux-2.6.35.4/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
41395+++ linux-2.6.35.4/grsecurity/grsec_sig.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 41396@@ -0,0 +1,65 @@
41397+#include <linux/kernel.h>
41398+#include <linux/sched.h>
41399+#include <linux/delay.h>
41400+#include <linux/grsecurity.h>
41401+#include <linux/grinternal.h>
41402+
41403+char *signames[] = {
41404+ [SIGSEGV] = "Segmentation fault",
41405+ [SIGILL] = "Illegal instruction",
41406+ [SIGABRT] = "Abort",
41407+ [SIGBUS] = "Invalid alignment/Bus error"
41408+};
41409+
41410+void
41411+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
41412+{
41413+#ifdef CONFIG_GRKERNSEC_SIGNAL
41414+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
41415+ (sig == SIGABRT) || (sig == SIGBUS))) {
41416+ if (t->pid == current->pid) {
41417+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
41418+ } else {
41419+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
41420+ }
41421+ }
41422+#endif
41423+ return;
41424+}
41425+
41426+int
41427+gr_handle_signal(const struct task_struct *p, const int sig)
41428+{
41429+#ifdef CONFIG_GRKERNSEC
41430+ if (current->pid > 1 && gr_check_protected_task(p)) {
41431+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
41432+ return -EPERM;
41433+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
41434+ return -EPERM;
41435+ }
41436+#endif
41437+ return 0;
41438+}
41439+
41440+void gr_handle_brute_attach(struct task_struct *p)
41441+{
41442+#ifdef CONFIG_GRKERNSEC_BRUTE
41443+ read_lock(&tasklist_lock);
41444+ read_lock(&grsec_exec_file_lock);
41445+ if (p->parent && p->parent->exec_file == p->exec_file)
41446+ p->parent->brute = 1;
41447+ read_unlock(&grsec_exec_file_lock);
41448+ read_unlock(&tasklist_lock);
41449+#endif
41450+ return;
41451+}
41452+
41453+void gr_handle_brute_check(void)
41454+{
41455+#ifdef CONFIG_GRKERNSEC_BRUTE
41456+ if (current->brute)
41457+ msleep(30 * 1000);
41458+#endif
41459+ return;
41460+}
41461+
57199397
MT		 41462diff -urNp linux-2.6.35.4/grsecurity/grsec_sock.c linux-2.6.35.4/grsecurity/grsec_sock.c
41463--- linux-2.6.35.4/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
41464+++ linux-2.6.35.4/grsecurity/grsec_sock.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 41465@@ -0,0 +1,271 @@
58c5fc13
MT		 41466+#include <linux/kernel.h>
41467+#include <linux/module.h>
41468+#include <linux/sched.h>
41469+#include <linux/file.h>
41470+#include <linux/net.h>
41471+#include <linux/in.h>
41472+#include <linux/ip.h>
41473+#include <net/sock.h>
41474+#include <net/inet_sock.h>
41475+#include <linux/grsecurity.h>
41476+#include <linux/grinternal.h>
41477+#include <linux/gracl.h>
41478+
41479+kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
41480+EXPORT_SYMBOL(gr_cap_rtnetlink);
41481+
41482+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
41483+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
41484+
41485+EXPORT_SYMBOL(gr_search_udp_recvmsg);
41486+EXPORT_SYMBOL(gr_search_udp_sendmsg);
41487+
41488+#ifdef CONFIG_UNIX_MODULE
41489+EXPORT_SYMBOL(gr_acl_handle_unix);
41490+EXPORT_SYMBOL(gr_acl_handle_mknod);
41491+EXPORT_SYMBOL(gr_handle_chroot_unix);
41492+EXPORT_SYMBOL(gr_handle_create);
41493+#endif
41494+
41495+#ifdef CONFIG_GRKERNSEC
41496+#define gr_conn_table_size 32749
41497+struct conn_table_entry {
41498+ struct conn_table_entry *next;
41499+ struct signal_struct *sig;
41500+};
41501+
41502+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
41503+DEFINE_SPINLOCK(gr_conn_table_lock);
41504+
41505+extern const char * gr_socktype_to_name(unsigned char type);
41506+extern const char * gr_proto_to_name(unsigned char proto);
41507+
41508+static __inline__ int
41509+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
41510+{
41511+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
41512+}
41513+
41514+static __inline__ int
41515+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
41516+ __u16 sport, __u16 dport)
41517+{
41518+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
41519+ sig->gr_sport == sport && sig->gr_dport == dport))
41520+ return 1;
41521+ else
41522+ return 0;
41523+}
41524+
41525+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
41526+{
41527+ struct conn_table_entry **match;
41528+ unsigned int index;
41529+
41530+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41531+ sig->gr_sport, sig->gr_dport,
41532+ gr_conn_table_size);
41533+
41534+ newent->sig = sig;
41535+
41536+ match = &gr_conn_table[index];
41537+ newent->next = *match;
41538+ *match = newent;
41539+
41540+ return;
41541+}
41542+
41543+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
41544+{
41545+ struct conn_table_entry *match, *last = NULL;
41546+ unsigned int index;
41547+
41548+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
41549+ sig->gr_sport, sig->gr_dport,
41550+ gr_conn_table_size);
41551+
41552+ match = gr_conn_table[index];
41553+ while (match && !conn_match(match->sig,
41554+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
41555+ sig->gr_dport)) {
41556+ last = match;
41557+ match = match->next;
41558+ }
41559+
41560+ if (match) {
41561+ if (last)
41562+ last->next = match->next;
41563+ else
41564+ gr_conn_table[index] = NULL;
41565+ kfree(match);
41566+ }
41567+
41568+ return;
41569+}
41570+
41571+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
41572+ __u16 sport, __u16 dport)
41573+{
41574+ struct conn_table_entry *match;
41575+ unsigned int index;
41576+
41577+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
41578+
41579+ match = gr_conn_table[index];
41580+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
41581+ match = match->next;
41582+
41583+ if (match)
41584+ return match->sig;
41585+ else
41586+ return NULL;
41587+}
41588+
41589+#endif
41590+
41591+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
41592+{
41593+#ifdef CONFIG_GRKERNSEC
41594+ struct signal_struct *sig = task->signal;
41595+ struct conn_table_entry *newent;
41596+
41597+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
41598+ if (newent == NULL)
41599+ return;
41600+ /* no bh lock needed since we are called with bh disabled */
41601+ spin_lock(&gr_conn_table_lock);
41602+ gr_del_task_from_ip_table_nolock(sig);
ae4e228f
MT		 41603+ sig->gr_saddr = inet->inet_rcv_saddr;
41604+ sig->gr_daddr = inet->inet_daddr;
41605+ sig->gr_sport = inet->inet_sport;
41606+ sig->gr_dport = inet->inet_dport;
58c5fc13
MT		 41607+ gr_add_to_task_ip_table_nolock(sig, newent);
41608+ spin_unlock(&gr_conn_table_lock);
41609+#endif
41610+ return;
41611+}
41612+
41613+void gr_del_task_from_ip_table(struct task_struct *task)
41614+{
41615+#ifdef CONFIG_GRKERNSEC
41616+ spin_lock_bh(&gr_conn_table_lock);
41617+ gr_del_task_from_ip_table_nolock(task->signal);
41618+ spin_unlock_bh(&gr_conn_table_lock);
41619+#endif
41620+ return;
41621+}
41622+
41623+void
41624+gr_attach_curr_ip(const struct sock *sk)
41625+{
41626+#ifdef CONFIG_GRKERNSEC
41627+ struct signal_struct *p, *set;
41628+ const struct inet_sock *inet = inet_sk(sk);
41629+
41630+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
41631+ return;
41632+
41633+ set = current->signal;
41634+
41635+ spin_lock_bh(&gr_conn_table_lock);
ae4e228f
MT		 41636+ p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
41637+ inet->inet_dport, inet->inet_sport);
58c5fc13
MT		 41638+ if (unlikely(p != NULL)) {
41639+ set->curr_ip = p->curr_ip;
41640+ set->used_accept = 1;
41641+ gr_del_task_from_ip_table_nolock(p);
41642+ spin_unlock_bh(&gr_conn_table_lock);
41643+ return;
41644+ }
41645+ spin_unlock_bh(&gr_conn_table_lock);
41646+
ae4e228f 41647+ set->curr_ip = inet->inet_daddr;
58c5fc13
MT		 41648+ set->used_accept = 1;
41649+#endif
41650+ return;
41651+}
41652+
41653+int
41654+gr_handle_sock_all(const int family, const int type, const int protocol)
41655+{
41656+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41657+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
41658+ (family != AF_UNIX) && (family != AF_LOCAL)) {
41659+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
41660+ return -EACCES;
41661+ }
41662+#endif
41663+ return 0;
41664+}
41665+
41666+int
41667+gr_handle_sock_server(const struct sockaddr *sck)
41668+{
41669+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41670+ if (grsec_enable_socket_server &&
41671+ in_group_p(grsec_socket_server_gid) &&
41672+ sck && (sck->sa_family != AF_UNIX) &&
41673+ (sck->sa_family != AF_LOCAL)) {
41674+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41675+ return -EACCES;
41676+ }
41677+#endif
41678+ return 0;
41679+}
41680+
41681+int
41682+gr_handle_sock_server_other(const struct sock *sck)
41683+{
41684+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41685+ if (grsec_enable_socket_server &&
41686+ in_group_p(grsec_socket_server_gid) &&
41687+ sck && (sck->sk_family != AF_UNIX) &&
41688+ (sck->sk_family != AF_LOCAL)) {
41689+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41690+ return -EACCES;
41691+ }
41692+#endif
41693+ return 0;
41694+}
41695+
41696+int
41697+gr_handle_sock_client(const struct sockaddr *sck)
41698+{
41699+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41700+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
41701+ sck && (sck->sa_family != AF_UNIX) &&
41702+ (sck->sa_family != AF_LOCAL)) {
41703+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
41704+ return -EACCES;
41705+ }
41706+#endif
41707+ return 0;
41708+}
41709+
41710+kernel_cap_t
41711+gr_cap_rtnetlink(struct sock *sock)
41712+{
41713+#ifdef CONFIG_GRKERNSEC
41714+ if (!gr_acl_is_enabled())
41715+ return current_cap();
41716+ else if (sock->sk_protocol == NETLINK_ISCSI &&
41717+ cap_raised(current_cap(), CAP_SYS_ADMIN) &&
41718+ gr_is_capable(CAP_SYS_ADMIN))
41719+ return current_cap();
41720+ else if (sock->sk_protocol == NETLINK_AUDIT &&
41721+ cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
41722+ gr_is_capable(CAP_AUDIT_WRITE) &&
41723+ cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
41724+ gr_is_capable(CAP_AUDIT_CONTROL))
41725+ return current_cap();
41726+ else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
ae4e228f
MT		 41727+ ((sock->sk_protocol == NETLINK_ROUTE) ?
41728+ gr_is_capable_nolog(CAP_NET_ADMIN) :
41729+ gr_is_capable(CAP_NET_ADMIN)))
58c5fc13
MT		 41730+ return current_cap();
41731+ else
41732+ return __cap_empty_set;
41733+#else
41734+ return current_cap();
41735+#endif
41736+}
57199397
MT		 41737diff -urNp linux-2.6.35.4/grsecurity/grsec_sysctl.c linux-2.6.35.4/grsecurity/grsec_sysctl.c
41738--- linux-2.6.35.4/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
41739+++ linux-2.6.35.4/grsecurity/grsec_sysctl.c 2010-09-17 20:18:57.000000000 -0400
41740@@ -0,0 +1,424 @@
58c5fc13
MT		 41741+#include <linux/kernel.h>
41742+#include <linux/sched.h>
41743+#include <linux/sysctl.h>
41744+#include <linux/grsecurity.h>
41745+#include <linux/grinternal.h>
41746+
41747+int
41748+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
41749+{
41750+#ifdef CONFIG_GRKERNSEC_SYSCTL
41751+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
41752+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
41753+ return -EACCES;
41754+ }
41755+#endif
41756+ return 0;
41757+}
41758+
ae4e228f
MT		 41759+#ifdef CONFIG_GRKERNSEC_ROFS
41760+static int __maybe_unused one = 1;
41761+#endif
41762+
41763+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
57199397 41764+struct ctl_table grsecurity_table[] = {
58c5fc13 41765+#ifdef CONFIG_GRKERNSEC_SYSCTL
df50ba0c
MT		 41766+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
41767+#ifdef CONFIG_GRKERNSEC_IO
41768+ {
41769+ .procname = "disable_priv_io",
41770+ .data = &grsec_disable_privio,
41771+ .maxlen = sizeof(int),
41772+ .mode = 0600,
41773+ .proc_handler = &proc_dointvec,
41774+ },
41775+#endif
41776+#endif
58c5fc13
MT		 41777+#ifdef CONFIG_GRKERNSEC_LINK
41778+ {
58c5fc13
MT		 41779+ .procname = "linking_restrictions",
41780+ .data = &grsec_enable_link,
41781+ .maxlen = sizeof(int),
41782+ .mode = 0600,
41783+ .proc_handler = &proc_dointvec,
41784+ },
41785+#endif
41786+#ifdef CONFIG_GRKERNSEC_FIFO
41787+ {
58c5fc13
MT		 41788+ .procname = "fifo_restrictions",
41789+ .data = &grsec_enable_fifo,
41790+ .maxlen = sizeof(int),
41791+ .mode = 0600,
41792+ .proc_handler = &proc_dointvec,
41793+ },
41794+#endif
41795+#ifdef CONFIG_GRKERNSEC_EXECVE
41796+ {
58c5fc13
MT		 41797+ .procname = "execve_limiting",
41798+ .data = &grsec_enable_execve,
41799+ .maxlen = sizeof(int),
41800+ .mode = 0600,
41801+ .proc_handler = &proc_dointvec,
41802+ },
41803+#endif
ae4e228f
MT		 41804+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41805+ {
41806+ .procname = "ip_blackhole",
41807+ .data = &grsec_enable_blackhole,
41808+ .maxlen = sizeof(int),
41809+ .mode = 0600,
41810+ .proc_handler = &proc_dointvec,
41811+ },
41812+ {
41813+ .procname = "lastack_retries",
41814+ .data = &grsec_lastack_retries,
41815+ .maxlen = sizeof(int),
41816+ .mode = 0600,
41817+ .proc_handler = &proc_dointvec,
41818+ },
41819+#endif
58c5fc13
MT		 41820+#ifdef CONFIG_GRKERNSEC_EXECLOG
41821+ {
58c5fc13
MT		 41822+ .procname = "exec_logging",
41823+ .data = &grsec_enable_execlog,
41824+ .maxlen = sizeof(int),
41825+ .mode = 0600,
41826+ .proc_handler = &proc_dointvec,
41827+ },
41828+#endif
41829+#ifdef CONFIG_GRKERNSEC_SIGNAL
41830+ {
58c5fc13
MT		 41831+ .procname = "signal_logging",
41832+ .data = &grsec_enable_signal,
41833+ .maxlen = sizeof(int),
41834+ .mode = 0600,
41835+ .proc_handler = &proc_dointvec,
41836+ },
41837+#endif
41838+#ifdef CONFIG_GRKERNSEC_FORKFAIL
41839+ {
58c5fc13
MT		 41840+ .procname = "forkfail_logging",
41841+ .data = &grsec_enable_forkfail,
41842+ .maxlen = sizeof(int),
41843+ .mode = 0600,
41844+ .proc_handler = &proc_dointvec,
41845+ },
41846+#endif
41847+#ifdef CONFIG_GRKERNSEC_TIME
41848+ {
58c5fc13
MT		 41849+ .procname = "timechange_logging",
41850+ .data = &grsec_enable_time,
41851+ .maxlen = sizeof(int),
41852+ .mode = 0600,
41853+ .proc_handler = &proc_dointvec,
41854+ },
41855+#endif
41856+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41857+ {
58c5fc13
MT		 41858+ .procname = "chroot_deny_shmat",
41859+ .data = &grsec_enable_chroot_shmat,
41860+ .maxlen = sizeof(int),
41861+ .mode = 0600,
41862+ .proc_handler = &proc_dointvec,
41863+ },
41864+#endif
41865+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41866+ {
58c5fc13
MT		 41867+ .procname = "chroot_deny_unix",
41868+ .data = &grsec_enable_chroot_unix,
41869+ .maxlen = sizeof(int),
41870+ .mode = 0600,
41871+ .proc_handler = &proc_dointvec,
41872+ },
41873+#endif
41874+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41875+ {
58c5fc13
MT		 41876+ .procname = "chroot_deny_mount",
41877+ .data = &grsec_enable_chroot_mount,
41878+ .maxlen = sizeof(int),
41879+ .mode = 0600,
41880+ .proc_handler = &proc_dointvec,
41881+ },
41882+#endif
41883+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41884+ {
58c5fc13
MT		 41885+ .procname = "chroot_deny_fchdir",
41886+ .data = &grsec_enable_chroot_fchdir,
41887+ .maxlen = sizeof(int),
41888+ .mode = 0600,
41889+ .proc_handler = &proc_dointvec,
41890+ },
41891+#endif
41892+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41893+ {
58c5fc13
MT		 41894+ .procname = "chroot_deny_chroot",
41895+ .data = &grsec_enable_chroot_double,
41896+ .maxlen = sizeof(int),
41897+ .mode = 0600,
41898+ .proc_handler = &proc_dointvec,
41899+ },
41900+#endif
41901+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41902+ {
58c5fc13
MT		 41903+ .procname = "chroot_deny_pivot",
41904+ .data = &grsec_enable_chroot_pivot,
41905+ .maxlen = sizeof(int),
41906+ .mode = 0600,
41907+ .proc_handler = &proc_dointvec,
41908+ },
41909+#endif
41910+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41911+ {
58c5fc13
MT		 41912+ .procname = "chroot_enforce_chdir",
41913+ .data = &grsec_enable_chroot_chdir,
41914+ .maxlen = sizeof(int),
41915+ .mode = 0600,
41916+ .proc_handler = &proc_dointvec,
41917+ },
41918+#endif
41919+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41920+ {
58c5fc13
MT		 41921+ .procname = "chroot_deny_chmod",
41922+ .data = &grsec_enable_chroot_chmod,
41923+ .maxlen = sizeof(int),
41924+ .mode = 0600,
41925+ .proc_handler = &proc_dointvec,
41926+ },
41927+#endif
41928+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41929+ {
58c5fc13
MT		 41930+ .procname = "chroot_deny_mknod",
41931+ .data = &grsec_enable_chroot_mknod,
41932+ .maxlen = sizeof(int),
41933+ .mode = 0600,
41934+ .proc_handler = &proc_dointvec,
41935+ },
41936+#endif
41937+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41938+ {
58c5fc13
MT		 41939+ .procname = "chroot_restrict_nice",
41940+ .data = &grsec_enable_chroot_nice,
41941+ .maxlen = sizeof(int),
41942+ .mode = 0600,
41943+ .proc_handler = &proc_dointvec,
41944+ },
41945+#endif
41946+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41947+ {
58c5fc13
MT		 41948+ .procname = "chroot_execlog",
41949+ .data = &grsec_enable_chroot_execlog,
41950+ .maxlen = sizeof(int),
41951+ .mode = 0600,
41952+ .proc_handler = &proc_dointvec,
41953+ },
41954+#endif
41955+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41956+ {
58c5fc13
MT		 41957+ .procname = "chroot_caps",
41958+ .data = &grsec_enable_chroot_caps,
41959+ .maxlen = sizeof(int),
41960+ .mode = 0600,
41961+ .proc_handler = &proc_dointvec,
41962+ },
41963+#endif
41964+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41965+ {
58c5fc13
MT		 41966+ .procname = "chroot_deny_sysctl",
41967+ .data = &grsec_enable_chroot_sysctl,
41968+ .maxlen = sizeof(int),
41969+ .mode = 0600,
41970+ .proc_handler = &proc_dointvec,
41971+ },
41972+#endif
41973+#ifdef CONFIG_GRKERNSEC_TPE
41974+ {
58c5fc13
MT		 41975+ .procname = "tpe",
41976+ .data = &grsec_enable_tpe,
41977+ .maxlen = sizeof(int),
41978+ .mode = 0600,
41979+ .proc_handler = &proc_dointvec,
41980+ },
41981+ {
58c5fc13
MT		 41982+ .procname = "tpe_gid",
41983+ .data = &grsec_tpe_gid,
41984+ .maxlen = sizeof(int),
41985+ .mode = 0600,
41986+ .proc_handler = &proc_dointvec,
41987+ },
41988+#endif
57199397
MT		 41989+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41990+ {
41991+ .procname = "tpe_invert",
41992+ .data = &grsec_enable_tpe_invert,
41993+ .maxlen = sizeof(int),
41994+ .mode = 0600,
41995+ .proc_handler = &proc_dointvec,
41996+ },
41997+#endif
58c5fc13
MT		 41998+#ifdef CONFIG_GRKERNSEC_TPE_ALL
41999+ {
58c5fc13
MT		 42000+ .procname = "tpe_restrict_all",
42001+ .data = &grsec_enable_tpe_all,
42002+ .maxlen = sizeof(int),
42003+ .mode = 0600,
42004+ .proc_handler = &proc_dointvec,
42005+ },
42006+#endif
42007+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42008+ {
58c5fc13
MT		 42009+ .procname = "socket_all",
42010+ .data = &grsec_enable_socket_all,
42011+ .maxlen = sizeof(int),
42012+ .mode = 0600,
42013+ .proc_handler = &proc_dointvec,
42014+ },
42015+ {
58c5fc13
MT		 42016+ .procname = "socket_all_gid",
42017+ .data = &grsec_socket_all_gid,
42018+ .maxlen = sizeof(int),
42019+ .mode = 0600,
42020+ .proc_handler = &proc_dointvec,
42021+ },
42022+#endif
42023+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42024+ {
58c5fc13
MT		 42025+ .procname = "socket_client",
42026+ .data = &grsec_enable_socket_client,
42027+ .maxlen = sizeof(int),
42028+ .mode = 0600,
42029+ .proc_handler = &proc_dointvec,
efbe55a5
MT		 42030+ },
42031+ {
42032+ .procname = "socket_client_gid",
42033+ .data = &grsec_socket_client_gid,
42034+ .maxlen = sizeof(int),
42035+ .mode = 0600,
42036+ .proc_handler = &proc_dointvec,
42037+ },
42038+#endif
42039+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42040+ {
42041+ .procname = "socket_server",
42042+ .data = &grsec_enable_socket_server,
42043+ .maxlen = sizeof(int),
42044+ .mode = 0600,
42045+ .proc_handler = &proc_dointvec,
42046+ },
42047+ {
42048+ .procname = "socket_server_gid",
42049+ .data = &grsec_socket_server_gid,
42050+ .maxlen = sizeof(int),
42051+ .mode = 0600,
42052+ .proc_handler = &proc_dointvec,
42053+ },
42054+#endif
42055+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42056+ {
42057+ .procname = "audit_group",
42058+ .data = &grsec_enable_group,
42059+ .maxlen = sizeof(int),
42060+ .mode = 0600,
42061+ .proc_handler = &proc_dointvec,
42062+ },
42063+ {
42064+ .procname = "audit_gid",
42065+ .data = &grsec_audit_gid,
42066+ .maxlen = sizeof(int),
42067+ .mode = 0600,
42068+ .proc_handler = &proc_dointvec,
42069+ },
42070+#endif
42071+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42072+ {
42073+ .procname = "audit_chdir",
42074+ .data = &grsec_enable_chdir,
42075+ .maxlen = sizeof(int),
42076+ .mode = 0600,
42077+ .proc_handler = &proc_dointvec,
42078+ },
42079+#endif
42080+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42081+ {
42082+ .procname = "audit_mount",
42083+ .data = &grsec_enable_mount,
42084+ .maxlen = sizeof(int),
42085+ .mode = 0600,
42086+ .proc_handler = &proc_dointvec,
42087+ },
42088+#endif
42089+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42090+ {
42091+ .procname = "audit_textrel",
42092+ .data = &grsec_enable_audit_textrel,
42093+ .maxlen = sizeof(int),
42094+ .mode = 0600,
42095+ .proc_handler = &proc_dointvec,
42096+ },
42097+#endif
42098+#ifdef CONFIG_GRKERNSEC_DMESG
42099+ {
42100+ .procname = "dmesg",
42101+ .data = &grsec_enable_dmesg,
42102+ .maxlen = sizeof(int),
42103+ .mode = 0600,
42104+ .proc_handler = &proc_dointvec,
42105+ },
42106+#endif
42107+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42108+ {
42109+ .procname = "chroot_findtask",
42110+ .data = &grsec_enable_chroot_findtask,
42111+ .maxlen = sizeof(int),
42112+ .mode = 0600,
42113+ .proc_handler = &proc_dointvec,
42114+ },
42115+#endif
42116+#ifdef CONFIG_GRKERNSEC_RESLOG
42117+ {
42118+ .procname = "resource_logging",
42119+ .data = &grsec_resource_logging,
42120+ .maxlen = sizeof(int),
42121+ .mode = 0600,
42122+ .proc_handler = &proc_dointvec,
42123+ },
42124+#endif
42125+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42126+ {
42127+ .procname = "audit_ptrace",
42128+ .data = &grsec_enable_audit_ptrace,
42129+ .maxlen = sizeof(int),
42130+ .mode = 0600,
42131+ .proc_handler = &proc_dointvec,
42132+ },
42133+#endif
42134+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42135+ {
42136+ .procname = "harden_ptrace",
42137+ .data = &grsec_enable_harden_ptrace,
42138+ .maxlen = sizeof(int),
42139+ .mode = 0600,
42140+ .proc_handler = &proc_dointvec,
42141+ },
42142+#endif
42143+ {
42144+ .procname = "grsec_lock",
42145+ .data = &grsec_lock,
42146+ .maxlen = sizeof(int),
42147+ .mode = 0600,
42148+ .proc_handler = &proc_dointvec,
42149+ },
42150+#endif
42151+#ifdef CONFIG_GRKERNSEC_ROFS
42152+ {
42153+ .procname = "romount_protect",
42154+ .data = &grsec_enable_rofs,
42155+ .maxlen = sizeof(int),
42156+ .mode = 0600,
42157+ .proc_handler = &proc_dointvec_minmax,
42158+ .extra1 = &one,
42159+ .extra2 = &one,
42160+ },
42161+#endif
42162+ { }
42163+};
42164+#endif
57199397
MT		 42165diff -urNp linux-2.6.35.4/grsecurity/grsec_textrel.c linux-2.6.35.4/grsecurity/grsec_textrel.c
42166--- linux-2.6.35.4/grsecurity/grsec_textrel.c 1969-12-31 19:00:00.000000000 -0500
42167+++ linux-2.6.35.4/grsecurity/grsec_textrel.c 2010-09-17 20:12:37.000000000 -0400
efbe55a5
MT		 42168@@ -0,0 +1,16 @@
42169+#include <linux/kernel.h>
42170+#include <linux/sched.h>
42171+#include <linux/mm.h>
42172+#include <linux/file.h>
42173+#include <linux/grinternal.h>
42174+#include <linux/grsecurity.h>
58c5fc13 42175+
57199397
MT		 42176+void
42177+gr_log_textrel(struct vm_area_struct * vma)
42178+{
42179+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42180+ if (grsec_enable_audit_textrel)
42181+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42182+#endif
42183+ return;
42184+}
42185diff -urNp linux-2.6.35.4/grsecurity/grsec_time.c linux-2.6.35.4/grsecurity/grsec_time.c
42186--- linux-2.6.35.4/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
42187+++ linux-2.6.35.4/grsecurity/grsec_time.c 2010-09-17 20:12:37.000000000 -0400
42188@@ -0,0 +1,13 @@
42189+#include <linux/kernel.h>
42190+#include <linux/sched.h>
42191+#include <linux/grinternal.h>
42192+
42193+void
42194+gr_log_timechange(void)
42195+{
42196+#ifdef CONFIG_GRKERNSEC_TIME
42197+ if (grsec_enable_time)
42198+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
42199+#endif
42200+ return;
42201+}
42202diff -urNp linux-2.6.35.4/grsecurity/grsec_tpe.c linux-2.6.35.4/grsecurity/grsec_tpe.c
42203--- linux-2.6.35.4/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
42204+++ linux-2.6.35.4/grsecurity/grsec_tpe.c 2010-09-17 20:12:37.000000000 -0400
42205@@ -0,0 +1,39 @@
42206+#include <linux/kernel.h>
42207+#include <linux/sched.h>
42208+#include <linux/file.h>
42209+#include <linux/fs.h>
42210+#include <linux/grinternal.h>
42211+
42212+extern int gr_acl_tpe_check(void);
42213+
42214+int
42215+gr_tpe_allow(const struct file *file)
42216+{
42217+#ifdef CONFIG_GRKERNSEC
42218+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
42219+ const struct cred *cred = current_cred();
42220+
42221+ if (cred->uid && ((grsec_enable_tpe &&
42222+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42223+ ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
42224+ (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
42225+#else
42226+ in_group_p(grsec_tpe_gid)
42227+#endif
42228+ ) || gr_acl_tpe_check()) &&
42229+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
42230+ (inode->i_mode & S_IWOTH))))) {
42231+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42232+ return 0;
42233+ }
42234+#ifdef CONFIG_GRKERNSEC_TPE_ALL
42235+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
42236+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
42237+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
42238+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42239+ return 0;
42240+ }
42241+#endif
42242+#endif
42243+ return 1;
42244+}
42245diff -urNp linux-2.6.35.4/grsecurity/grsum.c linux-2.6.35.4/grsecurity/grsum.c
42246--- linux-2.6.35.4/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
42247+++ linux-2.6.35.4/grsecurity/grsum.c 2010-09-17 20:12:37.000000000 -0400
42248@@ -0,0 +1,61 @@
42249+#include <linux/err.h>
42250+#include <linux/kernel.h>
42251+#include <linux/sched.h>
42252+#include <linux/mm.h>
42253+#include <linux/scatterlist.h>
42254+#include <linux/crypto.h>
42255+#include <linux/gracl.h>
42256+
42257+
42258+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
42259+#error "crypto and sha256 must be built into the kernel"
42260+#endif
42261+
42262+int
42263+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
42264+{
42265+ char *p;
42266+ struct crypto_hash *tfm;
42267+ struct hash_desc desc;
42268+ struct scatterlist sg;
42269+ unsigned char temp_sum[GR_SHA_LEN];
42270+ volatile int retval = 0;
42271+ volatile int dummy = 0;
42272+ unsigned int i;
42273+
42274+ sg_init_table(&sg, 1);
42275+
42276+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
42277+ if (IS_ERR(tfm)) {
42278+ /* should never happen, since sha256 should be built in */
42279+ return 1;
42280+ }
42281+
42282+ desc.tfm = tfm;
42283+ desc.flags = 0;
42284+
42285+ crypto_hash_init(&desc);
42286+
42287+ p = salt;
42288+ sg_set_buf(&sg, p, GR_SALT_LEN);
42289+ crypto_hash_update(&desc, &sg, sg.length);
42290+
42291+ p = entry->pw;
42292+ sg_set_buf(&sg, p, strlen(p));
42293+
42294+ crypto_hash_update(&desc, &sg, sg.length);
42295+
42296+ crypto_hash_final(&desc, temp_sum);
42297+
42298+ memset(entry->pw, 0, GR_PW_LEN);
42299+
42300+ for (i = 0; i < GR_SHA_LEN; i++)
42301+ if (sum[i] != temp_sum[i])
42302+ retval = 1;
42303+ else
42304+ dummy = 1; // waste a cycle
42305+
42306+ crypto_free_hash(tfm);
42307+
42308+ return retval;
42309+}
42310diff -urNp linux-2.6.35.4/grsecurity/Kconfig linux-2.6.35.4/grsecurity/Kconfig
42311--- linux-2.6.35.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
42312+++ linux-2.6.35.4/grsecurity/Kconfig 2010-09-17 20:12:37.000000000 -0400
42313@@ -0,0 +1,986 @@
42314+#
42315+# grecurity configuration
42316+#
42317+
42318+menu "Grsecurity"
42319+
42320+config GRKERNSEC
42321+ bool "Grsecurity"
42322+ select CRYPTO
42323+ select CRYPTO_SHA256
42324+ help
42325+ If you say Y here, you will be able to configure many features
42326+ that will enhance the security of your system. It is highly
42327+ recommended that you say Y here and read through the help
42328+ for each option so that you fully understand the features and
42329+ can evaluate their usefulness for your machine.
42330+
42331+choice
42332+ prompt "Security Level"
42333+ depends on GRKERNSEC
42334+ default GRKERNSEC_CUSTOM
42335+
42336+config GRKERNSEC_LOW
42337+ bool "Low"
42338+ select GRKERNSEC_LINK
42339+ select GRKERNSEC_FIFO
42340+ select GRKERNSEC_EXECVE
42341+ select GRKERNSEC_RANDNET
42342+ select GRKERNSEC_DMESG
42343+ select GRKERNSEC_CHROOT
42344+ select GRKERNSEC_CHROOT_CHDIR
42345+
42346+ help
42347+ If you choose this option, several of the grsecurity options will
42348+ be enabled that will give you greater protection against a number
42349+ of attacks, while assuring that none of your software will have any
42350+ conflicts with the additional security measures. If you run a lot
42351+ of unusual software, or you are having problems with the higher
42352+ security levels, you should say Y here. With this option, the
42353+ following features are enabled:
42354+
42355+ - Linking restrictions
42356+ - FIFO restrictions
42357+ - Enforcing RLIMIT_NPROC on execve
42358+ - Restricted dmesg
42359+ - Enforced chdir("/") on chroot
42360+ - Runtime module disabling
42361+
42362+config GRKERNSEC_MEDIUM
42363+ bool "Medium"
42364+ select PAX
42365+ select PAX_EI_PAX
42366+ select PAX_PT_PAX_FLAGS
42367+ select PAX_HAVE_ACL_FLAGS
42368+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42369+ select GRKERNSEC_CHROOT
42370+ select GRKERNSEC_CHROOT_SYSCTL
42371+ select GRKERNSEC_LINK
42372+ select GRKERNSEC_FIFO
42373+ select GRKERNSEC_EXECVE
42374+ select GRKERNSEC_DMESG
42375+ select GRKERNSEC_RANDNET
42376+ select GRKERNSEC_FORKFAIL
42377+ select GRKERNSEC_TIME
42378+ select GRKERNSEC_SIGNAL
42379+ select GRKERNSEC_CHROOT
42380+ select GRKERNSEC_CHROOT_UNIX
42381+ select GRKERNSEC_CHROOT_MOUNT
42382+ select GRKERNSEC_CHROOT_PIVOT
42383+ select GRKERNSEC_CHROOT_DOUBLE
42384+ select GRKERNSEC_CHROOT_CHDIR
42385+ select GRKERNSEC_CHROOT_MKNOD
42386+ select GRKERNSEC_PROC
42387+ select GRKERNSEC_PROC_USERGROUP
42388+ select PAX_RANDUSTACK
42389+ select PAX_ASLR
42390+ select PAX_RANDMMAP
42391+ select PAX_REFCOUNT if (X86 || SPARC64)
42392+ select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
42393+
42394+ help
42395+ If you say Y here, several features in addition to those included
42396+ in the low additional security level will be enabled. These
42397+ features provide even more security to your system, though in rare
42398+ cases they may be incompatible with very old or poorly written
42399+ software. If you enable this option, make sure that your auth
42400+ service (identd) is running as gid 1001. With this option,
42401+ the following features (in addition to those provided in the
42402+ low additional security level) will be enabled:
42403+
42404+ - Failed fork logging
42405+ - Time change logging
42406+ - Signal logging
42407+ - Deny mounts in chroot
42408+ - Deny double chrooting
42409+ - Deny sysctl writes in chroot
42410+ - Deny mknod in chroot
42411+ - Deny access to abstract AF_UNIX sockets out of chroot
42412+ - Deny pivot_root in chroot
42413+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
42414+ - /proc restrictions with special GID set to 10 (usually wheel)
42415+ - Address Space Layout Randomization (ASLR)
42416+ - Prevent exploitation of most refcount overflows
42417+ - Bounds checking of copying between the kernel and userland
42418+
42419+config GRKERNSEC_HIGH
42420+ bool "High"
42421+ select GRKERNSEC_LINK
42422+ select GRKERNSEC_FIFO
42423+ select GRKERNSEC_EXECVE
42424+ select GRKERNSEC_DMESG
42425+ select GRKERNSEC_FORKFAIL
42426+ select GRKERNSEC_TIME
42427+ select GRKERNSEC_SIGNAL
42428+ select GRKERNSEC_CHROOT
42429+ select GRKERNSEC_CHROOT_SHMAT
42430+ select GRKERNSEC_CHROOT_UNIX
42431+ select GRKERNSEC_CHROOT_MOUNT
42432+ select GRKERNSEC_CHROOT_FCHDIR
42433+ select GRKERNSEC_CHROOT_PIVOT
42434+ select GRKERNSEC_CHROOT_DOUBLE
42435+ select GRKERNSEC_CHROOT_CHDIR
42436+ select GRKERNSEC_CHROOT_MKNOD
42437+ select GRKERNSEC_CHROOT_CAPS
42438+ select GRKERNSEC_CHROOT_SYSCTL
42439+ select GRKERNSEC_CHROOT_FINDTASK
42440+ select GRKERNSEC_PROC
42441+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42442+ select GRKERNSEC_HIDESYM
42443+ select GRKERNSEC_BRUTE
42444+ select GRKERNSEC_PROC_USERGROUP
42445+ select GRKERNSEC_KMEM
42446+ select GRKERNSEC_RESLOG
42447+ select GRKERNSEC_RANDNET
42448+ select GRKERNSEC_PROC_ADD
42449+ select GRKERNSEC_CHROOT_CHMOD
42450+ select GRKERNSEC_CHROOT_NICE
42451+ select GRKERNSEC_AUDIT_MOUNT
42452+ select GRKERNSEC_MODHARDEN if (MODULES)
42453+ select GRKERNSEC_HARDEN_PTRACE
42454+ select GRKERNSEC_VM86 if (X86_32)
42455+ select PAX
42456+ select PAX_RANDUSTACK
42457+ select PAX_ASLR
42458+ select PAX_RANDMMAP
42459+ select PAX_NOEXEC
42460+ select PAX_MPROTECT
42461+ select PAX_EI_PAX
42462+ select PAX_PT_PAX_FLAGS
42463+ select PAX_HAVE_ACL_FLAGS
42464+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
42465+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
42466+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
42467+ select PAX_SEGMEXEC if (X86_32)
42468+ select PAX_PAGEEXEC
42469+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
42470+ select PAX_EMUTRAMP if (PARISC)
42471+ select PAX_EMUSIGRT if (PARISC)
42472+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
42473+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
42474+ select PAX_REFCOUNT if (X86 || SPARC64)
42475+ select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
42476+ help
42477+ If you say Y here, many of the features of grsecurity will be
42478+ enabled, which will protect you against many kinds of attacks
42479+ against your system. The heightened security comes at a cost
42480+ of an increased chance of incompatibilities with rare software
42481+ on your machine. Since this security level enables PaX, you should
42482+ view <http://pax.grsecurity.net> and read about the PaX
42483+ project. While you are there, download chpax and run it on
42484+ binaries that cause problems with PaX. Also remember that
42485+ since the /proc restrictions are enabled, you must run your
42486+ identd as gid 1001. This security level enables the following
42487+ features in addition to those listed in the low and medium
42488+ security levels:
42489+
42490+ - Additional /proc restrictions
42491+ - Chmod restrictions in chroot
42492+ - No signals, ptrace, or viewing of processes outside of chroot
42493+ - Capability restrictions in chroot
42494+ - Deny fchdir out of chroot
42495+ - Priority restrictions in chroot
42496+ - Segmentation-based implementation of PaX
42497+ - Mprotect restrictions
42498+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
42499+ - Kernel stack randomization
42500+ - Mount/unmount/remount logging
42501+ - Kernel symbol hiding
42502+ - Prevention of memory exhaustion-based exploits
42503+ - Hardening of module auto-loading
42504+ - Ptrace restrictions
42505+ - Restricted vm86 mode
42506+
42507+config GRKERNSEC_CUSTOM
42508+ bool "Custom"
42509+ help
42510+ If you say Y here, you will be able to configure every grsecurity
42511+ option, which allows you to enable many more features that aren't
42512+ covered in the basic security levels. These additional features
42513+ include TPE, socket restrictions, and the sysctl system for
42514+ grsecurity. It is advised that you read through the help for
42515+ each option to determine its usefulness in your situation.
42516+
42517+endchoice
42518+
42519+menu "Address Space Protection"
42520+depends on GRKERNSEC
42521+
42522+config GRKERNSEC_KMEM
42523+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
42524+ help
42525+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
42526+ be written to via mmap or otherwise to modify the running kernel.
42527+ /dev/port will also not be allowed to be opened. If you have module
42528+ support disabled, enabling this will close up four ways that are
42529+ currently used to insert malicious code into the running kernel.
42530+ Even with all these features enabled, we still highly recommend that
42531+ you use the RBAC system, as it is still possible for an attacker to
42532+ modify the running kernel through privileged I/O granted by ioperm/iopl.
42533+ If you are not using XFree86, you may be able to stop this additional
42534+ case by enabling the 'Disable privileged I/O' option. Though nothing
42535+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
42536+ but only to video memory, which is the only writing we allow in this
42537+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
42538+ not be allowed to mprotect it with PROT_WRITE later.
42539+ It is highly recommended that you say Y here if you meet all the
42540+ conditions above.
42541+
42542+config GRKERNSEC_VM86
42543+ bool "Restrict VM86 mode"
42544+ depends on X86_32
42545+
42546+ help
42547+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
42548+ make use of a special execution mode on 32bit x86 processors called
42549+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
42550+ video cards and will still work with this option enabled. The purpose
42551+ of the option is to prevent exploitation of emulation errors in
42552+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
42553+ Nearly all users should be able to enable this option.
42554+
42555+config GRKERNSEC_IO
42556+ bool "Disable privileged I/O"
42557+ depends on X86
42558+ select RTC_CLASS
42559+ select RTC_INTF_DEV
42560+ select RTC_DRV_CMOS
42561+
42562+ help
42563+ If you say Y here, all ioperm and iopl calls will return an error.
42564+ Ioperm and iopl can be used to modify the running kernel.
42565+ Unfortunately, some programs need this access to operate properly,
42566+ the most notable of which are XFree86 and hwclock. hwclock can be
42567+ remedied by having RTC support in the kernel, so real-time
42568+ clock support is enabled if this option is enabled, to ensure
42569+ that hwclock operates correctly. XFree86 still will not
42570+ operate correctly with this option enabled, so DO NOT CHOOSE Y
42571+ IF YOU USE XFree86. If you use XFree86 and you still want to
42572+ protect your kernel against modification, use the RBAC system.
42573+
42574+config GRKERNSEC_PROC_MEMMAP
42575+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
42576+ default y if (PAX_NOEXEC || PAX_ASLR)
42577+ depends on PAX_NOEXEC || PAX_ASLR
42578+ help
42579+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
42580+ give no information about the addresses of its mappings if
42581+ PaX features that rely on random addresses are enabled on the task.
42582+ If you use PaX it is greatly recommended that you say Y here as it
42583+ closes up a hole that makes the full ASLR useless for suid
42584+ binaries.
42585+
42586+config GRKERNSEC_BRUTE
42587+ bool "Deter exploit bruteforcing"
42588+ help
42589+ If you say Y here, attempts to bruteforce exploits against forking
42590+ daemons such as apache or sshd will be deterred. When a child of a
42591+ forking daemon is killed by PaX or crashes due to an illegal
42592+ instruction, the parent process will be delayed 30 seconds upon every
42593+ subsequent fork until the administrator is able to assess the
42594+ situation and restart the daemon. It is recommended that you also
42595+ enable signal logging in the auditing section so that logs are
42596+ generated when a process performs an illegal instruction.
42597+
42598+config GRKERNSEC_MODHARDEN
42599+ bool "Harden module auto-loading"
42600+ depends on MODULES
42601+ help
42602+ If you say Y here, module auto-loading in response to use of some
42603+ feature implemented by an unloaded module will be restricted to
42604+ root users. Enabling this option helps defend against attacks
42605+ by unprivileged users who abuse the auto-loading behavior to
42606+ cause a vulnerable module to load that is then exploited.
42607+
42608+ If this option prevents a legitimate use of auto-loading for a
42609+ non-root user, the administrator can execute modprobe manually
42610+ with the exact name of the module mentioned in the alert log.
42611+ Alternatively, the administrator can add the module to the list
42612+ of modules loaded at boot by modifying init scripts.
42613+
42614+ Modification of init scripts will most likely be needed on
42615+ Ubuntu servers with encrypted home directory support enabled,
42616+ as the first non-root user logging in will cause the ecb(aes),
42617+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
42618+
42619+config GRKERNSEC_HIDESYM
42620+ bool "Hide kernel symbols"
42621+ help
42622+ If you say Y here, getting information on loaded modules, and
42623+ displaying all kernel symbols through a syscall will be restricted
42624+ to users with CAP_SYS_MODULE. For software compatibility reasons,
42625+ /proc/kallsyms will be restricted to the root user. The RBAC
42626+ system can hide that entry even from root.
42627+
42628+ This option also prevents leaking of kernel addresses through
42629+ several /proc entries.
42630+
42631+ Note that this option is only effective provided the following
42632+ conditions are met:
42633+ 1) The kernel using grsecurity is not precompiled by some distribution
42634+ 2) You are using the RBAC system and hiding other files such as your
42635+ kernel image and System.map. Alternatively, enabling this option
42636+ causes the permissions on /boot, /lib/modules, and the kernel
42637+ source directory to change at compile time to prevent
42638+ reading by non-root users.
42639+ If the above conditions are met, this option will aid in providing a
42640+ useful protection against local kernel exploitation of overflows
42641+ and arbitrary read/write vulnerabilities.
42642+
42643+endmenu
42644+menu "Role Based Access Control Options"
42645+depends on GRKERNSEC
42646+
42647+config GRKERNSEC_NO_RBAC
42648+ bool "Disable RBAC system"
42649+ help
42650+ If you say Y here, the /dev/grsec device will be removed from the kernel,
42651+ preventing the RBAC system from being enabled. You should only say Y
42652+ here if you have no intention of using the RBAC system, so as to prevent
42653+ an attacker with root access from misusing the RBAC system to hide files
42654+ and processes when loadable module support and /dev/[k]mem have been
42655+ locked down.
42656+
42657+config GRKERNSEC_ACL_HIDEKERN
42658+ bool "Hide kernel processes"
42659+ help
42660+ If you say Y here, all kernel threads will be hidden to all
42661+ processes but those whose subject has the "view hidden processes"
42662+ flag.
42663+
42664+config GRKERNSEC_ACL_MAXTRIES
42665+ int "Maximum tries before password lockout"
42666+ default 3
42667+ help
42668+ This option enforces the maximum number of times a user can attempt
42669+ to authorize themselves with the grsecurity RBAC system before being
42670+ denied the ability to attempt authorization again for a specified time.
42671+ The lower the number, the harder it will be to brute-force a password.
42672+
42673+config GRKERNSEC_ACL_TIMEOUT
42674+ int "Time to wait after max password tries, in seconds"
42675+ default 30
42676+ help
42677+ This option specifies the time the user must wait after attempting to
42678+ authorize to the RBAC system with the maximum number of invalid
42679+ passwords. The higher the number, the harder it will be to brute-force
42680+ a password.
42681+
42682+endmenu
42683+menu "Filesystem Protections"
42684+depends on GRKERNSEC
42685+
42686+config GRKERNSEC_PROC
42687+ bool "Proc restrictions"
42688+ help
42689+ If you say Y here, the permissions of the /proc filesystem
42690+ will be altered to enhance system security and privacy. You MUST
42691+ choose either a user only restriction or a user and group restriction.
42692+ Depending upon the option you choose, you can either restrict users to
42693+ see only the processes they themselves run, or choose a group that can
42694+ view all processes and files normally restricted to root if you choose
42695+ the "restrict to user only" option. NOTE: If you're running identd as
42696+ a non-root user, you will have to run it as the group you specify here.
42697+
42698+config GRKERNSEC_PROC_USER
42699+ bool "Restrict /proc to user only"
42700+ depends on GRKERNSEC_PROC
42701+ help
42702+ If you say Y here, non-root users will only be able to view their own
42703+ processes, and restricts them from viewing network-related information,
42704+ and viewing kernel symbol and module information.
42705+
42706+config GRKERNSEC_PROC_USERGROUP
42707+ bool "Allow special group"
42708+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
42709+ help
42710+ If you say Y here, you will be able to select a group that will be
42711+ able to view all processes, network-related information, and
42712+ kernel and symbol information. This option is useful if you want
42713+ to run identd as a non-root user.
42714+
42715+config GRKERNSEC_PROC_GID
42716+ int "GID for special group"
42717+ depends on GRKERNSEC_PROC_USERGROUP
42718+ default 1001
42719+
42720+config GRKERNSEC_PROC_ADD
42721+ bool "Additional restrictions"
42722+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
42723+ help
42724+ If you say Y here, additional restrictions will be placed on
42725+ /proc that keep normal users from viewing device information and
42726+ slabinfo information that could be useful for exploits.
42727+
42728+config GRKERNSEC_LINK
42729+ bool "Linking restrictions"
42730+ help
42731+ If you say Y here, /tmp race exploits will be prevented, since users
42732+ will no longer be able to follow symlinks owned by other users in
42733+ world-writable +t directories (i.e. /tmp), unless the owner of the
42734+ symlink is the owner of the directory. users will also not be
42735+ able to hardlink to files they do not own. If the sysctl option is
42736+ enabled, a sysctl option with name "linking_restrictions" is created.
42737+
42738+config GRKERNSEC_FIFO
42739+ bool "FIFO restrictions"
42740+ help
42741+ If you say Y here, users will not be able to write to FIFOs they don't
42742+ own in world-writable +t directories (i.e. /tmp), unless the owner of
42743+ the FIFO is the same owner of the directory it's held in. If the sysctl
42744+ option is enabled, a sysctl option with name "fifo_restrictions" is
42745+ created.
42746+
42747+config GRKERNSEC_ROFS
42748+ bool "Runtime read-only mount protection"
42749+ help
42750+ If you say Y here, a sysctl option with name "romount_protect" will
42751+ be created. By setting this option to 1 at runtime, filesystems
42752+ will be protected in the following ways:
42753+ * No new writable mounts will be allowed
42754+ * Existing read-only mounts won't be able to be remounted read/write
42755+ * Write operations will be denied on all block devices
42756+ This option acts independently of grsec_lock: once it is set to 1,
42757+ it cannot be turned off. Therefore, please be mindful of the resulting
42758+ behavior if this option is enabled in an init script on a read-only
42759+ filesystem. This feature is mainly intended for secure embedded systems.
42760+
42761+config GRKERNSEC_CHROOT
42762+ bool "Chroot jail restrictions"
42763+ help
42764+ If you say Y here, you will be able to choose several options that will
42765+ make breaking out of a chrooted jail much more difficult. If you
42766+ encounter no software incompatibilities with the following options, it
42767+ is recommended that you enable each one.
42768+
42769+config GRKERNSEC_CHROOT_MOUNT
42770+ bool "Deny mounts"
42771+ depends on GRKERNSEC_CHROOT
42772+ help
42773+ If you say Y here, processes inside a chroot will not be able to
42774+ mount or remount filesystems. If the sysctl option is enabled, a
42775+ sysctl option with name "chroot_deny_mount" is created.
42776+
42777+config GRKERNSEC_CHROOT_DOUBLE
42778+ bool "Deny double-chroots"
42779+ depends on GRKERNSEC_CHROOT
42780+ help
42781+ If you say Y here, processes inside a chroot will not be able to chroot
42782+ again outside the chroot. This is a widely used method of breaking
42783+ out of a chroot jail and should not be allowed. If the sysctl
42784+ option is enabled, a sysctl option with name
42785+ "chroot_deny_chroot" is created.
42786+
42787+config GRKERNSEC_CHROOT_PIVOT
42788+ bool "Deny pivot_root in chroot"
42789+ depends on GRKERNSEC_CHROOT
42790+ help
42791+ If you say Y here, processes inside a chroot will not be able to use
42792+ a function called pivot_root() that was introduced in Linux 2.3.41. It
42793+ works similar to chroot in that it changes the root filesystem. This
42794+ function could be misused in a chrooted process to attempt to break out
42795+ of the chroot, and therefore should not be allowed. If the sysctl
42796+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
42797+ created.
42798+
42799+config GRKERNSEC_CHROOT_CHDIR
42800+ bool "Enforce chdir(\"/\") on all chroots"
42801+ depends on GRKERNSEC_CHROOT
42802+ help
42803+ If you say Y here, the current working directory of all newly-chrooted
42804+ applications will be set to the the root directory of the chroot.
42805+ The man page on chroot(2) states:
42806+ Note that this call does not change the current working
42807+ directory, so that `.' can be outside the tree rooted at
42808+ `/'. In particular, the super-user can escape from a
42809+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
42810+
42811+ It is recommended that you say Y here, since it's not known to break
42812+ any software. If the sysctl option is enabled, a sysctl option with
42813+ name "chroot_enforce_chdir" is created.
42814+
42815+config GRKERNSEC_CHROOT_CHMOD
42816+ bool "Deny (f)chmod +s"
42817+ depends on GRKERNSEC_CHROOT
42818+ help
42819+ If you say Y here, processes inside a chroot will not be able to chmod
42820+ or fchmod files to make them have suid or sgid bits. This protects
42821+ against another published method of breaking a chroot. If the sysctl
42822+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
42823+ created.
42824+
42825+config GRKERNSEC_CHROOT_FCHDIR
42826+ bool "Deny fchdir out of chroot"
42827+ depends on GRKERNSEC_CHROOT
42828+ help
42829+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
42830+ to a file descriptor of the chrooting process that points to a directory
42831+ outside the filesystem will be stopped. If the sysctl option
42832+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
42833+
42834+config GRKERNSEC_CHROOT_MKNOD
42835+ bool "Deny mknod"
42836+ depends on GRKERNSEC_CHROOT
42837+ help
42838+ If you say Y here, processes inside a chroot will not be allowed to
42839+ mknod. The problem with using mknod inside a chroot is that it
42840+ would allow an attacker to create a device entry that is the same
42841+ as one on the physical root of your system, which could range from
42842+ anything from the console device to a device for your harddrive (which
42843+ they could then use to wipe the drive or steal data). It is recommended
42844+ that you say Y here, unless you run into software incompatibilities.
42845+ If the sysctl option is enabled, a sysctl option with name
42846+ "chroot_deny_mknod" is created.
42847+
42848+config GRKERNSEC_CHROOT_SHMAT
42849+ bool "Deny shmat() out of chroot"
42850+ depends on GRKERNSEC_CHROOT
42851+ help
42852+ If you say Y here, processes inside a chroot will not be able to attach
42853+ to shared memory segments that were created outside of the chroot jail.
42854+ It is recommended that you say Y here. If the sysctl option is enabled,
42855+ a sysctl option with name "chroot_deny_shmat" is created.
42856+
42857+config GRKERNSEC_CHROOT_UNIX
42858+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
42859+ depends on GRKERNSEC_CHROOT
42860+ help
42861+ If you say Y here, processes inside a chroot will not be able to
42862+ connect to abstract (meaning not belonging to a filesystem) Unix
42863+ domain sockets that were bound outside of a chroot. It is recommended
42864+ that you say Y here. If the sysctl option is enabled, a sysctl option
42865+ with name "chroot_deny_unix" is created.
42866+
42867+config GRKERNSEC_CHROOT_FINDTASK
42868+ bool "Protect outside processes"
42869+ depends on GRKERNSEC_CHROOT
42870+ help
42871+ If you say Y here, processes inside a chroot will not be able to
42872+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
42873+ getsid, or view any process outside of the chroot. If the sysctl
42874+ option is enabled, a sysctl option with name "chroot_findtask" is
42875+ created.
42876+
42877+config GRKERNSEC_CHROOT_NICE
42878+ bool "Restrict priority changes"
42879+ depends on GRKERNSEC_CHROOT
42880+ help
42881+ If you say Y here, processes inside a chroot will not be able to raise
42882+ the priority of processes in the chroot, or alter the priority of
42883+ processes outside the chroot. This provides more security than simply
42884+ removing CAP_SYS_NICE from the process' capability set. If the
42885+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
42886+ is created.
42887+
42888+config GRKERNSEC_CHROOT_SYSCTL
42889+ bool "Deny sysctl writes"
42890+ depends on GRKERNSEC_CHROOT
42891+ help
42892+ If you say Y here, an attacker in a chroot will not be able to
42893+ write to sysctl entries, either by sysctl(2) or through a /proc
42894+ interface. It is strongly recommended that you say Y here. If the
42895+ sysctl option is enabled, a sysctl option with name
42896+ "chroot_deny_sysctl" is created.
42897+
42898+config GRKERNSEC_CHROOT_CAPS
42899+ bool "Capability restrictions"
42900+ depends on GRKERNSEC_CHROOT
42901+ help
42902+ If you say Y here, the capabilities on all root processes within a
42903+ chroot jail will be lowered to stop module insertion, raw i/o,
42904+ system and net admin tasks, rebooting the system, modifying immutable
42905+ files, modifying IPC owned by another, and changing the system time.
42906+ This is left an option because it can break some apps. Disable this
42907+ if your chrooted apps are having problems performing those kinds of
42908+ tasks. If the sysctl option is enabled, a sysctl option with
42909+ name "chroot_caps" is created.
42910+
42911+endmenu
42912+menu "Kernel Auditing"
42913+depends on GRKERNSEC
42914+
42915+config GRKERNSEC_AUDIT_GROUP
42916+ bool "Single group for auditing"
42917+ help
42918+ If you say Y here, the exec, chdir, and (un)mount logging features
42919+ will only operate on a group you specify. This option is recommended
42920+ if you only want to watch certain users instead of having a large
42921+ amount of logs from the entire system. If the sysctl option is enabled,
42922+ a sysctl option with name "audit_group" is created.
42923+
42924+config GRKERNSEC_AUDIT_GID
42925+ int "GID for auditing"
42926+ depends on GRKERNSEC_AUDIT_GROUP
42927+ default 1007
42928+
42929+config GRKERNSEC_EXECLOG
42930+ bool "Exec logging"
42931+ help
42932+ If you say Y here, all execve() calls will be logged (since the
42933+ other exec*() calls are frontends to execve(), all execution
42934+ will be logged). Useful for shell-servers that like to keep track
42935+ of their users. If the sysctl option is enabled, a sysctl option with
42936+ name "exec_logging" is created.
42937+ WARNING: This option when enabled will produce a LOT of logs, especially
42938+ on an active system.
42939+
42940+config GRKERNSEC_RESLOG
42941+ bool "Resource logging"
42942+ help
42943+ If you say Y here, all attempts to overstep resource limits will
42944+ be logged with the resource name, the requested size, and the current
42945+ limit. It is highly recommended that you say Y here. If the sysctl
42946+ option is enabled, a sysctl option with name "resource_logging" is
42947+ created. If the RBAC system is enabled, the sysctl value is ignored.
42948+
42949+config GRKERNSEC_CHROOT_EXECLOG
42950+ bool "Log execs within chroot"
42951+ help
42952+ If you say Y here, all executions inside a chroot jail will be logged
42953+ to syslog. This can cause a large amount of logs if certain
42954+ applications (eg. djb's daemontools) are installed on the system, and
42955+ is therefore left as an option. If the sysctl option is enabled, a
42956+ sysctl option with name "chroot_execlog" is created.
42957+
42958+config GRKERNSEC_AUDIT_PTRACE
42959+ bool "Ptrace logging"
42960+ help
42961+ If you say Y here, all attempts to attach to a process via ptrace
42962+ will be logged. If the sysctl option is enabled, a sysctl option
42963+ with name "audit_ptrace" is created.
42964+
42965+config GRKERNSEC_AUDIT_CHDIR
42966+ bool "Chdir logging"
42967+ help
42968+ If you say Y here, all chdir() calls will be logged. If the sysctl
42969+ option is enabled, a sysctl option with name "audit_chdir" is created.
42970+
42971+config GRKERNSEC_AUDIT_MOUNT
42972+ bool "(Un)Mount logging"
42973+ help
42974+ If you say Y here, all mounts and unmounts will be logged. If the
42975+ sysctl option is enabled, a sysctl option with name "audit_mount" is
42976+ created.
42977+
42978+config GRKERNSEC_SIGNAL
42979+ bool "Signal logging"
42980+ help
42981+ If you say Y here, certain important signals will be logged, such as
42982+ SIGSEGV, which will as a result inform you of when a error in a program
42983+ occurred, which in some cases could mean a possible exploit attempt.
42984+ If the sysctl option is enabled, a sysctl option with name
42985+ "signal_logging" is created.
42986+
42987+config GRKERNSEC_FORKFAIL
42988+ bool "Fork failure logging"
42989+ help
42990+ If you say Y here, all failed fork() attempts will be logged.
42991+ This could suggest a fork bomb, or someone attempting to overstep
42992+ their process limit. If the sysctl option is enabled, a sysctl option
42993+ with name "forkfail_logging" is created.
42994+
42995+config GRKERNSEC_TIME
42996+ bool "Time change logging"
42997+ help
42998+ If you say Y here, any changes of the system clock will be logged.
42999+ If the sysctl option is enabled, a sysctl option with name
43000+ "timechange_logging" is created.
43001+
43002+config GRKERNSEC_PROC_IPADDR
43003+ bool "/proc/<pid>/ipaddr support"
43004+ help
43005+ If you say Y here, a new entry will be added to each /proc/<pid>
43006+ directory that contains the IP address of the person using the task.
43007+ The IP is carried across local TCP and AF_UNIX stream sockets.
43008+ This information can be useful for IDS/IPSes to perform remote response
43009+ to a local attack. The entry is readable by only the owner of the
43010+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
43011+ the RBAC system), and thus does not create privacy concerns.
43012+
43013+config GRKERNSEC_AUDIT_TEXTREL
43014+ bool 'ELF text relocations logging (READ HELP)'
43015+ depends on PAX_MPROTECT
43016+ help
43017+ If you say Y here, text relocations will be logged with the filename
43018+ of the offending library or binary. The purpose of the feature is
43019+ to help Linux distribution developers get rid of libraries and
43020+ binaries that need text relocations which hinder the future progress
43021+ of PaX. Only Linux distribution developers should say Y here, and
43022+ never on a production machine, as this option creates an information
43023+ leak that could aid an attacker in defeating the randomization of
43024+ a single memory region. If the sysctl option is enabled, a sysctl
43025+ option with name "audit_textrel" is created.
43026+
43027+endmenu
43028+
43029+menu "Executable Protections"
43030+depends on GRKERNSEC
43031+
43032+config GRKERNSEC_EXECVE
43033+ bool "Enforce RLIMIT_NPROC on execs"
43034+ help
43035+ If you say Y here, users with a resource limit on processes will
43036+ have the value checked during execve() calls. The current system
43037+ only checks the system limit during fork() calls. If the sysctl option
43038+ is enabled, a sysctl option with name "execve_limiting" is created.
43039+
43040+config GRKERNSEC_DMESG
43041+ bool "Dmesg(8) restriction"
43042+ help
43043+ If you say Y here, non-root users will not be able to use dmesg(8)
43044+ to view up to the last 4kb of messages in the kernel's log buffer.
43045+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
43046+ created.
43047+
43048+config GRKERNSEC_HARDEN_PTRACE
43049+ bool "Deter ptrace-based process snooping"
43050+ help
43051+ If you say Y here, TTY sniffers and other malicious monitoring
43052+ programs implemented through ptrace will be defeated. If you
43053+ have been using the RBAC system, this option has already been
43054+ enabled for several years for all users, with the ability to make
43055+ fine-grained exceptions.
43056+
43057+ This option only affects the ability of non-root users to ptrace
43058+ processes that are not a descendent of the ptracing process.
43059+ This means that strace ./binary and gdb ./binary will still work,
43060+ but attaching to arbitrary processes will not. If the sysctl
43061+ option is enabled, a sysctl option with name "harden_ptrace" is
43062+ created.
43063+
43064+config GRKERNSEC_TPE
43065+ bool "Trusted Path Execution (TPE)"
43066+ help
43067+ If you say Y here, you will be able to choose a gid to add to the
43068+ supplementary groups of users you want to mark as "untrusted."
43069+ These users will not be able to execute any files that are not in
43070+ root-owned directories writable only by root. If the sysctl option
43071+ is enabled, a sysctl option with name "tpe" is created.
43072+
43073+config GRKERNSEC_TPE_ALL
43074+ bool "Partially restrict all non-root users"
43075+ depends on GRKERNSEC_TPE
43076+ help
43077+ If you say Y here, all non-root users will be covered under
43078+ a weaker TPE restriction. This is separate from, and in addition to,
43079+ the main TPE options that you have selected elsewhere. Thus, if a
43080+ "trusted" GID is chosen, this restriction applies to even that GID.
43081+ Under this restriction, all non-root users will only be allowed to
43082+ execute files in directories they own that are not group or
43083+ world-writable, or in directories owned by root and writable only by
43084+ root. If the sysctl option is enabled, a sysctl option with name
43085+ "tpe_restrict_all" is created.
43086+
43087+config GRKERNSEC_TPE_INVERT
43088+ bool "Invert GID option"
43089+ depends on GRKERNSEC_TPE
43090+ help
43091+ If you say Y here, the group you specify in the TPE configuration will
43092+ decide what group TPE restrictions will be *disabled* for. This
43093+ option is useful if you want TPE restrictions to be applied to most
43094+ users on the system. If the sysctl option is enabled, a sysctl option
43095+ with name "tpe_invert" is created. Unlike other sysctl options, this
43096+ entry will default to on for backward-compatibility.
58c5fc13 43097+
57199397
MT		 43098+config GRKERNSEC_TPE_GID
43099+ int "GID for untrusted users"
43100+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
43101+ default 1005
43102+ help
43103+ Setting this GID determines what group TPE restrictions will be
43104+ *enabled* for. If the sysctl option is enabled, a sysctl option
43105+ with name "tpe_gid" is created.
58c5fc13 43106+
57199397
MT		 43107+config GRKERNSEC_TPE_GID
43108+ int "GID for trusted users"
43109+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
43110+ default 1005
43111+ help
43112+ Setting this GID determines what group TPE restrictions will be
43113+ *disabled* for. If the sysctl option is enabled, a sysctl option
43114+ with name "tpe_gid" is created.
58c5fc13 43115+
57199397
MT		 43116+endmenu
43117+menu "Network Protections"
43118+depends on GRKERNSEC
58c5fc13 43119+
57199397
MT		 43120+config GRKERNSEC_RANDNET
43121+ bool "Larger entropy pools"
43122+ help
43123+ If you say Y here, the entropy pools used for many features of Linux
43124+ and grsecurity will be doubled in size. Since several grsecurity
43125+ features use additional randomness, it is recommended that you say Y
43126+ here. Saying Y here has a similar effect as modifying
43127+ /proc/sys/kernel/random/poolsize.
58c5fc13 43128+
57199397
MT		 43129+config GRKERNSEC_BLACKHOLE
43130+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
43131+ help
43132+ If you say Y here, neither TCP resets nor ICMP
43133+ destination-unreachable packets will be sent in response to packets
43134+ sent to ports for which no associated listening process exists.
43135+ This feature supports both IPV4 and IPV6 and exempts the
43136+ loopback interface from blackholing. Enabling this feature
43137+ makes a host more resilient to DoS attacks and reduces network
43138+ visibility against scanners.
58c5fc13 43139+
57199397
MT		 43140+ The blackhole feature as-implemented is equivalent to the FreeBSD
43141+ blackhole feature, as it prevents RST responses to all packets, not
43142+ just SYNs. Under most application behavior this causes no
43143+ problems, but applications (like haproxy) may not close certain
43144+ connections in a way that cleanly terminates them on the remote
43145+ end, leaving the remote host in LAST_ACK state. Because of this
43146+ side-effect and to prevent intentional LAST_ACK DoSes, this
43147+ feature also adds automatic mitigation against such attacks.
43148+ The mitigation drastically reduces the amount of time a socket
43149+ can spend in LAST_ACK state. If you're using haproxy and not
43150+ all servers it connects to have this option enabled, consider
43151+ disabling this feature on the haproxy host.
58c5fc13 43152+
57199397
MT		 43153+ If the sysctl option is enabled, two sysctl options with names
43154+ "ip_blackhole" and "lastack_retries" will be created.
43155+ While "ip_blackhole" takes the standard zero/non-zero on/off
43156+ toggle, "lastack_retries" uses the same kinds of values as
43157+ "tcp_retries1" and "tcp_retries2". The default value of 4
43158+ prevents a socket from lasting more than 45 seconds in LAST_ACK
43159+ state.
df50ba0c 43160+
57199397
MT		 43161+config GRKERNSEC_SOCKET
43162+ bool "Socket restrictions"
43163+ help
43164+ If you say Y here, you will be able to choose from several options.
43165+ If you assign a GID on your system and add it to the supplementary
43166+ groups of users you want to restrict socket access to, this patch
43167+ will perform up to three things, based on the option(s) you choose.
df50ba0c 43168+
57199397
MT		 43169+config GRKERNSEC_SOCKET_ALL
43170+ bool "Deny any sockets to group"
43171+ depends on GRKERNSEC_SOCKET
43172+ help
43173+ If you say Y here, you will be able to choose a GID of whose users will
43174+ be unable to connect to other hosts from your machine or run server
43175+ applications from your machine. If the sysctl option is enabled, a
43176+ sysctl option with name "socket_all" is created.
58c5fc13 43177+
57199397
MT		 43178+config GRKERNSEC_SOCKET_ALL_GID
43179+ int "GID to deny all sockets for"
43180+ depends on GRKERNSEC_SOCKET_ALL
43181+ default 1004
43182+ help
43183+ Here you can choose the GID to disable socket access for. Remember to
43184+ add the users you want socket access disabled for to the GID
43185+ specified here. If the sysctl option is enabled, a sysctl option
43186+ with name "socket_all_gid" is created.
58c5fc13 43187+
57199397
MT		 43188+config GRKERNSEC_SOCKET_CLIENT
43189+ bool "Deny client sockets to group"
43190+ depends on GRKERNSEC_SOCKET
43191+ help
43192+ If you say Y here, you will be able to choose a GID of whose users will
43193+ be unable to connect to other hosts from your machine, but will be
43194+ able to run servers. If this option is enabled, all users in the group
43195+ you specify will have to use passive mode when initiating ftp transfers
43196+ from the shell on your machine. If the sysctl option is enabled, a
43197+ sysctl option with name "socket_client" is created.
58c5fc13 43198+
57199397
MT		 43199+config GRKERNSEC_SOCKET_CLIENT_GID
43200+ int "GID to deny client sockets for"
43201+ depends on GRKERNSEC_SOCKET_CLIENT
43202+ default 1003
43203+ help
43204+ Here you can choose the GID to disable client socket access for.
43205+ Remember to add the users you want client socket access disabled for to
43206+ the GID specified here. If the sysctl option is enabled, a sysctl
43207+ option with name "socket_client_gid" is created.
58c5fc13 43208+
57199397
MT		 43209+config GRKERNSEC_SOCKET_SERVER
43210+ bool "Deny server sockets to group"
43211+ depends on GRKERNSEC_SOCKET
43212+ help
43213+ If you say Y here, you will be able to choose a GID of whose users will
43214+ be unable to run server applications from your machine. If the sysctl
43215+ option is enabled, a sysctl option with name "socket_server" is created.
58c5fc13 43216+
57199397
MT		 43217+config GRKERNSEC_SOCKET_SERVER_GID
43218+ int "GID to deny server sockets for"
43219+ depends on GRKERNSEC_SOCKET_SERVER
43220+ default 1002
43221+ help
43222+ Here you can choose the GID to disable server socket access for.
43223+ Remember to add the users you want server socket access disabled for to
43224+ the GID specified here. If the sysctl option is enabled, a sysctl
43225+ option with name "socket_server_gid" is created.
58c5fc13 43226+
57199397
MT		 43227+endmenu
43228+menu "Sysctl support"
43229+depends on GRKERNSEC && SYSCTL
58c5fc13 43230+
57199397
MT		 43231+config GRKERNSEC_SYSCTL
43232+ bool "Sysctl support"
43233+ help
43234+ If you say Y here, you will be able to change the options that
43235+ grsecurity runs with at bootup, without having to recompile your
43236+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
43237+ to enable (1) or disable (0) various features. All the sysctl entries
43238+ are mutable until the "grsec_lock" entry is set to a non-zero value.
43239+ All features enabled in the kernel configuration are disabled at boot
43240+ if you do not say Y to the "Turn on features by default" option.
43241+ All options should be set at startup, and the grsec_lock entry should
43242+ be set to a non-zero value after all the options are set.
43243+ *THIS IS EXTREMELY IMPORTANT*
58c5fc13 43244+
57199397
MT		 43245+config GRKERNSEC_SYSCTL_DISTRO
43246+ bool "Extra sysctl support for distro makers (READ HELP)"
43247+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
43248+ help
43249+ If you say Y here, additional sysctl options will be created
43250+ for features that affect processes running as root. Therefore,
43251+ it is critical when using this option that the grsec_lock entry be
43252+ enabled after boot. Only distros with prebuilt kernel packages
43253+ with this option enabled that can ensure grsec_lock is enabled
43254+ after boot should use this option.
43255+ *Failure to set grsec_lock after boot makes all grsec features
43256+ this option covers useless*
58c5fc13 43257+
57199397
MT		 43258+ Currently this option creates the following sysctl entries:
43259+ "Disable Privileged I/O": "disable_priv_io"
43260+
43261+config GRKERNSEC_SYSCTL_ON
43262+ bool "Turn on features by default"
43263+ depends on GRKERNSEC_SYSCTL
43264+ help
43265+ If you say Y here, instead of having all features enabled in the
43266+ kernel configuration disabled at boot time, the features will be
43267+ enabled at boot time. It is recommended you say Y here unless
43268+ there is some reason you would want all sysctl-tunable features to
43269+ be disabled by default. As mentioned elsewhere, it is important
43270+ to enable the grsec_lock entry once you have finished modifying
43271+ the sysctl entries.
43272+
43273+endmenu
43274+menu "Logging Options"
43275+depends on GRKERNSEC
43276+
43277+config GRKERNSEC_FLOODTIME
43278+ int "Seconds in between log messages (minimum)"
43279+ default 10
43280+ help
43281+ This option allows you to enforce the number of seconds between
43282+ grsecurity log messages. The default should be suitable for most
43283+ people, however, if you choose to change it, choose a value small enough
43284+ to allow informative logs to be produced, but large enough to
43285+ prevent flooding.
43286+
43287+config GRKERNSEC_FLOODBURST
43288+ int "Number of messages in a burst (maximum)"
43289+ default 4
43290+ help
43291+ This option allows you to choose the maximum number of messages allowed
43292+ within the flood time interval you chose in a separate option. The
43293+ default should be suitable for most people, however if you find that
43294+ many of your logs are being interpreted as flooding, you may want to
43295+ raise this value.
43296+
43297+endmenu
43298+
43299+endmenu
43300diff -urNp linux-2.6.35.4/grsecurity/Makefile linux-2.6.35.4/grsecurity/Makefile
43301--- linux-2.6.35.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
43302+++ linux-2.6.35.4/grsecurity/Makefile 2010-09-17 20:12:37.000000000 -0400
43303@@ -0,0 +1,29 @@
43304+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
43305+# during 2001-2009 it has been completely redesigned by Brad Spengler
43306+# into an RBAC system
43307+#
43308+# All code in this directory and various hooks inserted throughout the kernel
43309+# are copyright Brad Spengler - Open Source Security, Inc., and released
43310+# under the GPL v2 or higher
43311+
43312+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
43313+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
43314+ grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
43315+
43316+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
43317+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
43318+ gracl_learn.o grsec_log.o
43319+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
43320+
43321+ifndef CONFIG_GRKERNSEC
43322+obj-y += grsec_disabled.o
43323+endif
43324+
43325+ifdef CONFIG_GRKERNSEC_HIDESYM
43326+extra-y := grsec_hidesym.o
43327+$(obj)/grsec_hidesym.o:
43328+ @-chmod -f 500 /boot
43329+ @-chmod -f 500 /lib/modules
43330+ @-chmod -f 700 .
43331+ @echo ' grsec: protected kernel image paths'
43332+endif
43333diff -urNp linux-2.6.35.4/include/acpi/acoutput.h linux-2.6.35.4/include/acpi/acoutput.h
43334--- linux-2.6.35.4/include/acpi/acoutput.h 2010-08-26 19:47:12.000000000 -0400
43335+++ linux-2.6.35.4/include/acpi/acoutput.h 2010-09-17 20:12:09.000000000 -0400
43336@@ -268,8 +268,8 @@
df50ba0c
MT		 43337 * leaving no executable debug code!
43338 */
43339 #define ACPI_FUNCTION_NAME(a)
43340-#define ACPI_DEBUG_PRINT(pl)
43341-#define ACPI_DEBUG_PRINT_RAW(pl)
43342+#define ACPI_DEBUG_PRINT(pl) do {} while (0)
43343+#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
43344
43345 #endif /* ACPI_DEBUG_OUTPUT */
43346
57199397
MT		 43347diff -urNp linux-2.6.35.4/include/acpi/acpi_drivers.h linux-2.6.35.4/include/acpi/acpi_drivers.h
43348--- linux-2.6.35.4/include/acpi/acpi_drivers.h 2010-08-26 19:47:12.000000000 -0400
43349+++ linux-2.6.35.4/include/acpi/acpi_drivers.h 2010-09-17 20:12:09.000000000 -0400
43350@@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
ae4e228f
MT		 43351 Dock Station
43352 -------------------------------------------------------------------------- */
43353 struct acpi_dock_ops {
43354- acpi_notify_handler handler;
43355- acpi_notify_handler uevent;
43356+ const acpi_notify_handler handler;
43357+ const acpi_notify_handler uevent;
43358 };
58c5fc13 43359
ae4e228f 43360 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
57199397 43361@@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
ae4e228f
MT		 43362 extern int register_dock_notifier(struct notifier_block *nb);
43363 extern void unregister_dock_notifier(struct notifier_block *nb);
43364 extern int register_hotplug_dock_device(acpi_handle handle,
43365- struct acpi_dock_ops *ops,
43366+ const struct acpi_dock_ops *ops,
43367 void *context);
43368 extern void unregister_hotplug_dock_device(acpi_handle handle);
43369 #else
57199397 43370@@ -146,7 +146,7 @@ static inline void unregister_dock_notif
ae4e228f
MT		 43371 {
43372 }
43373 static inline int register_hotplug_dock_device(acpi_handle handle,
43374- struct acpi_dock_ops *ops,
43375+ const struct acpi_dock_ops *ops,
43376 void *context)
43377 {
43378 return -ENODEV;
57199397
MT		 43379diff -urNp linux-2.6.35.4/include/asm-generic/atomic-long.h linux-2.6.35.4/include/asm-generic/atomic-long.h
43380--- linux-2.6.35.4/include/asm-generic/atomic-long.h 2010-08-26 19:47:12.000000000 -0400
43381+++ linux-2.6.35.4/include/asm-generic/atomic-long.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 43382@@ -22,6 +22,12 @@
43383
43384 typedef atomic64_t atomic_long_t;
43385
43386+#ifdef CONFIG_PAX_REFCOUNT
43387+typedef atomic64_unchecked_t atomic_long_unchecked_t;
43388+#else
43389+typedef atomic64_t atomic_long_unchecked_t;
43390+#endif
58c5fc13 43391+
ae4e228f 43392 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
58c5fc13 43393
ae4e228f
MT		 43394 static inline long atomic_long_read(atomic_long_t *l)
43395@@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
43396 return (long)atomic64_read(v);
43397 }
43398
43399+#ifdef CONFIG_PAX_REFCOUNT
43400+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43401+{
43402+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
58c5fc13 43403+
ae4e228f
MT		 43404+ return (long)atomic64_read_unchecked(v);
43405+}
43406+#endif
43407+
43408 static inline void atomic_long_set(atomic_long_t *l, long i)
43409 {
43410 atomic64_t *v = (atomic64_t *)l;
43411@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
43412 atomic64_set(v, i);
43413 }
58c5fc13 43414
ae4e228f
MT		 43415+#ifdef CONFIG_PAX_REFCOUNT
43416+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43417+{
43418+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43419+
43420+ atomic64_set_unchecked(v, i);
43421+}
43422+#endif
43423+
43424 static inline void atomic_long_inc(atomic_long_t *l)
43425 {
43426 atomic64_t *v = (atomic64_t *)l;
43427@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
43428 atomic64_inc(v);
58c5fc13
MT		 43429 }
43430
ae4e228f
MT		 43431+#ifdef CONFIG_PAX_REFCOUNT
43432+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
58c5fc13 43433+{
ae4e228f
MT		 43434+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43435+
43436+ atomic64_inc_unchecked(v);
58c5fc13 43437+}
ae4e228f 43438+#endif
58c5fc13 43439+
ae4e228f 43440 static inline void atomic_long_dec(atomic_long_t *l)
58c5fc13 43441 {
ae4e228f 43442 atomic64_t *v = (atomic64_t *)l;
df50ba0c
MT		 43443@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
43444 atomic64_dec(v);
43445 }
43446
43447+#ifdef CONFIG_PAX_REFCOUNT
43448+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43449+{
43450+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43451+
43452+ atomic64_dec_unchecked(v);
43453+}
43454+#endif
43455+
43456 static inline void atomic_long_add(long i, atomic_long_t *l)
43457 {
43458 atomic64_t *v = (atomic64_t *)l;
43459@@ -59,6 +101,15 @@ static inline void atomic_long_add(long
ae4e228f 43460 atomic64_add(i, v);
58c5fc13
MT		 43461 }
43462
ae4e228f
MT		 43463+#ifdef CONFIG_PAX_REFCOUNT
43464+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
58c5fc13 43465+{
ae4e228f
MT		 43466+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43467+
43468+ atomic64_add_unchecked(i, v);
58c5fc13 43469+}
ae4e228f 43470+#endif
58c5fc13 43471+
ae4e228f 43472 static inline void atomic_long_sub(long i, atomic_long_t *l)
58c5fc13 43473 {
ae4e228f 43474 atomic64_t *v = (atomic64_t *)l;
df50ba0c 43475@@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
ae4e228f 43476 return (long)atomic64_inc_return(v);
58c5fc13
MT		 43477 }
43478
ae4e228f
MT		 43479+#ifdef CONFIG_PAX_REFCOUNT
43480+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
58c5fc13 43481+{
ae4e228f
MT		 43482+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43483+
43484+ return (long)atomic64_inc_return_unchecked(v);
58c5fc13 43485+}
ae4e228f 43486+#endif
58c5fc13 43487+
ae4e228f
MT		 43488 static inline long atomic_long_dec_return(atomic_long_t *l)
43489 {
43490 atomic64_t *v = (atomic64_t *)l;
df50ba0c 43491@@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
ae4e228f
MT		 43492
43493 typedef atomic_t atomic_long_t;
43494
43495+#ifdef CONFIG_PAX_REFCOUNT
43496+typedef atomic_unchecked_t atomic_long_unchecked_t;
43497+#else
43498+typedef atomic_t atomic_long_unchecked_t;
43499+#endif
43500+
43501 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
43502 static inline long atomic_long_read(atomic_long_t *l)
43503 {
df50ba0c 43504@@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
ae4e228f
MT		 43505 return (long)atomic_read(v);
43506 }
43507
43508+#ifdef CONFIG_PAX_REFCOUNT
43509+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43510+{
43511+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43512+
43513+ return (long)atomic_read_unchecked(v);
43514+}
43515+#endif
43516+
43517 static inline void atomic_long_set(atomic_long_t *l, long i)
43518 {
43519 atomic_t *v = (atomic_t *)l;
df50ba0c 43520@@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
ae4e228f
MT		 43521 atomic_set(v, i);
43522 }
43523
43524+#ifdef CONFIG_PAX_REFCOUNT
43525+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43526+{
43527+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43528+
43529+ atomic_set_unchecked(v, i);
43530+}
43531+#endif
43532+
43533 static inline void atomic_long_inc(atomic_long_t *l)
43534 {
43535 atomic_t *v = (atomic_t *)l;
df50ba0c 43536@@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
ae4e228f
MT		 43537 atomic_inc(v);
43538 }
43539
43540+#ifdef CONFIG_PAX_REFCOUNT
43541+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43542+{
43543+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43544+
43545+ atomic_inc_unchecked(v);
43546+}
43547+#endif
43548+
43549 static inline void atomic_long_dec(atomic_long_t *l)
43550 {
43551 atomic_t *v = (atomic_t *)l;
df50ba0c
MT		 43552@@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
43553 atomic_dec(v);
43554 }
43555
43556+#ifdef CONFIG_PAX_REFCOUNT
43557+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43558+{
43559+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43560+
43561+ atomic_dec_unchecked(v);
43562+}
43563+#endif
43564+
43565 static inline void atomic_long_add(long i, atomic_long_t *l)
43566 {
43567 atomic_t *v = (atomic_t *)l;
43568@@ -176,6 +278,15 @@ static inline void atomic_long_add(long
ae4e228f
MT		 43569 atomic_add(i, v);
43570 }
43571
43572+#ifdef CONFIG_PAX_REFCOUNT
43573+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43574+{
43575+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43576+
43577+ atomic_add_unchecked(i, v);
43578+}
43579+#endif
43580+
43581 static inline void atomic_long_sub(long i, atomic_long_t *l)
58c5fc13 43582 {
ae4e228f 43583 atomic_t *v = (atomic_t *)l;
df50ba0c 43584@@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
ae4e228f
MT		 43585 return (long)atomic_inc_return(v);
43586 }
43587
43588+#ifdef CONFIG_PAX_REFCOUNT
43589+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43590+{
43591+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43592+
43593+ return (long)atomic_inc_return_unchecked(v);
43594+}
43595+#endif
43596+
43597 static inline long atomic_long_dec_return(atomic_long_t *l)
43598 {
43599 atomic_t *v = (atomic_t *)l;
57199397 43600@@ -255,4 +375,37 @@ static inline long atomic_long_add_unles
ae4e228f
MT		 43601
43602 #endif /* BITS_PER_LONG == 64 */
43603
43604+#ifdef CONFIG_PAX_REFCOUNT
43605+static inline void pax_refcount_needs_these_functions(void)
43606+{
43607+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
43608+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
43609+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
43610+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
43611+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
57199397 43612+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
ae4e228f
MT		 43613+
43614+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
43615+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
43616+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
43617+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
43618+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
df50ba0c 43619+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
ae4e228f
MT		 43620+}
43621+#else
43622+#define atomic_read_unchecked(v) atomic_read(v)
43623+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
43624+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
43625+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
43626+#define atomic_inc_unchecked(v) atomic_inc(v)
57199397 43627+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
ae4e228f
MT		 43628+
43629+#define atomic_long_read_unchecked(v) atomic_long_read(v)
43630+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
43631+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
43632+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
43633+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
df50ba0c 43634+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
ae4e228f
MT		 43635+#endif
43636+
43637 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
57199397
MT		 43638diff -urNp linux-2.6.35.4/include/asm-generic/dma-mapping-common.h linux-2.6.35.4/include/asm-generic/dma-mapping-common.h
43639--- linux-2.6.35.4/include/asm-generic/dma-mapping-common.h 2010-08-26 19:47:12.000000000 -0400
43640+++ linux-2.6.35.4/include/asm-generic/dma-mapping-common.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 43641@@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
43642 enum dma_data_direction dir,
43643 struct dma_attrs *attrs)
43644 {
43645- struct dma_map_ops *ops = get_dma_ops(dev);
43646+ const struct dma_map_ops *ops = get_dma_ops(dev);
43647 dma_addr_t addr;
43648
43649 kmemcheck_mark_initialized(ptr, size);
43650@@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
43651 enum dma_data_direction dir,
43652 struct dma_attrs *attrs)
43653 {
43654- struct dma_map_ops *ops = get_dma_ops(dev);
43655+ const struct dma_map_ops *ops = get_dma_ops(dev);
43656
43657 BUG_ON(!valid_dma_direction(dir));
43658 if (ops->unmap_page)
43659@@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
43660 int nents, enum dma_data_direction dir,
43661 struct dma_attrs *attrs)
43662 {
43663- struct dma_map_ops *ops = get_dma_ops(dev);
43664+ const struct dma_map_ops *ops = get_dma_ops(dev);
43665 int i, ents;
43666 struct scatterlist *s;
43667
43668@@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
43669 int nents, enum dma_data_direction dir,
43670 struct dma_attrs *attrs)
43671 {
43672- struct dma_map_ops *ops = get_dma_ops(dev);
43673+ const struct dma_map_ops *ops = get_dma_ops(dev);
43674
43675 BUG_ON(!valid_dma_direction(dir));
43676 debug_dma_unmap_sg(dev, sg, nents, dir);
43677@@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
43678 size_t offset, size_t size,
43679 enum dma_data_direction dir)
43680 {
43681- struct dma_map_ops *ops = get_dma_ops(dev);
43682+ const struct dma_map_ops *ops = get_dma_ops(dev);
43683 dma_addr_t addr;
43684
43685 kmemcheck_mark_initialized(page_address(page) + offset, size);
43686@@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
43687 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
43688 size_t size, enum dma_data_direction dir)
43689 {
43690- struct dma_map_ops *ops = get_dma_ops(dev);
43691+ const struct dma_map_ops *ops = get_dma_ops(dev);
43692
43693 BUG_ON(!valid_dma_direction(dir));
43694 if (ops->unmap_page)
43695@@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
43696 size_t size,
43697 enum dma_data_direction dir)
43698 {
43699- struct dma_map_ops *ops = get_dma_ops(dev);
43700+ const struct dma_map_ops *ops = get_dma_ops(dev);
43701
43702 BUG_ON(!valid_dma_direction(dir));
43703 if (ops->sync_single_for_cpu)
43704@@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
43705 dma_addr_t addr, size_t size,
43706 enum dma_data_direction dir)
43707 {
43708- struct dma_map_ops *ops = get_dma_ops(dev);
43709+ const struct dma_map_ops *ops = get_dma_ops(dev);
43710
43711 BUG_ON(!valid_dma_direction(dir));
43712 if (ops->sync_single_for_device)
57199397 43713@@ -139,7 +139,7 @@ static inline void
ae4e228f
MT		 43714 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
43715 int nelems, enum dma_data_direction dir)
43716 {
43717- struct dma_map_ops *ops = get_dma_ops(dev);
43718+ const struct dma_map_ops *ops = get_dma_ops(dev);
43719
43720 BUG_ON(!valid_dma_direction(dir));
43721 if (ops->sync_sg_for_cpu)
57199397 43722@@ -151,7 +151,7 @@ static inline void
ae4e228f
MT		 43723 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
43724 int nelems, enum dma_data_direction dir)
43725 {
43726- struct dma_map_ops *ops = get_dma_ops(dev);
43727+ const struct dma_map_ops *ops = get_dma_ops(dev);
43728
43729 BUG_ON(!valid_dma_direction(dir));
43730 if (ops->sync_sg_for_device)
57199397
MT		 43731diff -urNp linux-2.6.35.4/include/asm-generic/futex.h linux-2.6.35.4/include/asm-generic/futex.h
43732--- linux-2.6.35.4/include/asm-generic/futex.h 2010-08-26 19:47:12.000000000 -0400
43733+++ linux-2.6.35.4/include/asm-generic/futex.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 43734@@ -6,7 +6,7 @@
43735 #include <asm/errno.h>
43736
43737 static inline int
43738-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
43739+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
43740 {
43741 int op = (encoded_op >> 28) & 7;
43742 int cmp = (encoded_op >> 24) & 15;
43743@@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
43744 }
43745
43746 static inline int
43747-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
43748+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
43749 {
43750 return -ENOSYS;
43751 }
57199397
MT		 43752diff -urNp linux-2.6.35.4/include/asm-generic/int-l64.h linux-2.6.35.4/include/asm-generic/int-l64.h
43753--- linux-2.6.35.4/include/asm-generic/int-l64.h 2010-08-26 19:47:12.000000000 -0400
43754+++ linux-2.6.35.4/include/asm-generic/int-l64.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 43755@@ -46,6 +46,8 @@ typedef unsigned int u32;
43756 typedef signed long s64;
43757 typedef unsigned long u64;
43758
43759+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
43760+
43761 #define S8_C(x) x
43762 #define U8_C(x) x ## U
43763 #define S16_C(x) x
57199397
MT		 43764diff -urNp linux-2.6.35.4/include/asm-generic/int-ll64.h linux-2.6.35.4/include/asm-generic/int-ll64.h
43765--- linux-2.6.35.4/include/asm-generic/int-ll64.h 2010-08-26 19:47:12.000000000 -0400
43766+++ linux-2.6.35.4/include/asm-generic/int-ll64.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 43767@@ -51,6 +51,8 @@ typedef unsigned int u32;
43768 typedef signed long long s64;
43769 typedef unsigned long long u64;
43770
43771+typedef unsigned long long intoverflow_t;
43772+
43773 #define S8_C(x) x
43774 #define U8_C(x) x ## U
43775 #define S16_C(x) x
57199397
MT		 43776diff -urNp linux-2.6.35.4/include/asm-generic/kmap_types.h linux-2.6.35.4/include/asm-generic/kmap_types.h
43777--- linux-2.6.35.4/include/asm-generic/kmap_types.h 2010-08-26 19:47:12.000000000 -0400
43778+++ linux-2.6.35.4/include/asm-generic/kmap_types.h 2010-09-17 20:12:09.000000000 -0400
43779@@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
ae4e228f
MT		 43780 KMAP_D(17) KM_NMI,
43781 KMAP_D(18) KM_NMI_PTE,
57199397
MT		 43782 KMAP_D(19) KM_KDB,
43783+KMAP_D(20) KM_CLEARPAGE,
43784 /*
43785 * Remember to update debug_kmap_atomic() when adding new kmap types!
43786 */
43787-KMAP_D(20) KM_TYPE_NR
43788+KMAP_D(21) KM_TYPE_NR
58c5fc13
MT		 43789 };
43790
ae4e228f 43791 #undef KMAP_D
57199397
MT		 43792diff -urNp linux-2.6.35.4/include/asm-generic/pgtable.h linux-2.6.35.4/include/asm-generic/pgtable.h
43793--- linux-2.6.35.4/include/asm-generic/pgtable.h 2010-08-26 19:47:12.000000000 -0400
43794+++ linux-2.6.35.4/include/asm-generic/pgtable.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 43795@@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
43796 unsigned long size);
43797 #endif
43798
43799+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
43800+static inline unsigned long pax_open_kernel(void) { return 0; }
43801+#endif
43802+
43803+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
43804+static inline unsigned long pax_close_kernel(void) { return 0; }
43805+#endif
43806+
43807 #endif /* !__ASSEMBLY__ */
43808
43809 #endif /* _ASM_GENERIC_PGTABLE_H */
57199397
MT		 43810diff -urNp linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h
43811--- linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h 2010-08-26 19:47:12.000000000 -0400
43812+++ linux-2.6.35.4/include/asm-generic/pgtable-nopmd.h 2010-09-17 20:12:09.000000000 -0400
43813@@ -1,14 +1,19 @@
43814 #ifndef _PGTABLE_NOPMD_H
43815 #define _PGTABLE_NOPMD_H
43816
43817-#ifndef __ASSEMBLY__
43818-
43819 #include <asm-generic/pgtable-nopud.h>
43820
43821-struct mm_struct;
43822-
43823 #define __PAGETABLE_PMD_FOLDED
43824
43825+#define PMD_SHIFT PUD_SHIFT
43826+#define PTRS_PER_PMD 1
43827+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
43828+#define PMD_MASK (~(PMD_SIZE-1))
43829+
43830+#ifndef __ASSEMBLY__
43831+
43832+struct mm_struct;
43833+
43834 /*
43835 * Having the pmd type consist of a pud gets the size right, and allows
43836 * us to conceptually access the pud entry that this pmd is folded into
43837@@ -16,11 +21,6 @@ struct mm_struct;
43838 */
43839 typedef struct { pud_t pud; } pmd_t;
43840
43841-#define PMD_SHIFT PUD_SHIFT
43842-#define PTRS_PER_PMD 1
43843-#define PMD_SIZE (1UL << PMD_SHIFT)
43844-#define PMD_MASK (~(PMD_SIZE-1))
43845-
43846 /*
43847 * The "pud_xxx()" functions here are trivial for a folded two-level
43848 * setup: the pmd is never bad, and a pmd always exists (as it's folded
43849diff -urNp linux-2.6.35.4/include/asm-generic/pgtable-nopud.h linux-2.6.35.4/include/asm-generic/pgtable-nopud.h
43850--- linux-2.6.35.4/include/asm-generic/pgtable-nopud.h 2010-08-26 19:47:12.000000000 -0400
43851+++ linux-2.6.35.4/include/asm-generic/pgtable-nopud.h 2010-09-17 20:12:09.000000000 -0400
43852@@ -1,10 +1,15 @@
43853 #ifndef _PGTABLE_NOPUD_H
43854 #define _PGTABLE_NOPUD_H
43855
43856-#ifndef __ASSEMBLY__
43857-
43858 #define __PAGETABLE_PUD_FOLDED
43859
43860+#define PUD_SHIFT PGDIR_SHIFT
43861+#define PTRS_PER_PUD 1
43862+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
43863+#define PUD_MASK (~(PUD_SIZE-1))
43864+
43865+#ifndef __ASSEMBLY__
43866+
43867 /*
43868 * Having the pud type consist of a pgd gets the size right, and allows
43869 * us to conceptually access the pgd entry that this pud is folded into
43870@@ -12,11 +17,6 @@
43871 */
43872 typedef struct { pgd_t pgd; } pud_t;
43873
43874-#define PUD_SHIFT PGDIR_SHIFT
43875-#define PTRS_PER_PUD 1
43876-#define PUD_SIZE (1UL << PUD_SHIFT)
43877-#define PUD_MASK (~(PUD_SIZE-1))
43878-
43879 /*
43880 * The "pgd_xxx()" functions here are trivial for a folded two-level
43881 * setup: the pud is never bad, and a pud always exists (as it's folded
43882diff -urNp linux-2.6.35.4/include/asm-generic/vmlinux.lds.h linux-2.6.35.4/include/asm-generic/vmlinux.lds.h
43883--- linux-2.6.35.4/include/asm-generic/vmlinux.lds.h 2010-08-26 19:47:12.000000000 -0400
43884+++ linux-2.6.35.4/include/asm-generic/vmlinux.lds.h 2010-09-17 20:12:09.000000000 -0400
43885@@ -213,6 +213,7 @@
58c5fc13
MT		 43886 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
43887 VMLINUX_SYMBOL(__start_rodata) = .; \
43888 *(.rodata) *(.rodata.*) \
57199397 43889+ *(.data..read_only) \
58c5fc13
MT		 43890 *(__vermagic) /* Kernel version magic */ \
43891 *(__markers_strings) /* Markers: strings */ \
43892 *(__tracepoints_strings)/* Tracepoints: strings */ \
57199397 43893@@ -670,22 +671,24 @@
58c5fc13
MT		 43894 * section in the linker script will go there too. @phdr should have
43895 * a leading colon.
43896 *
43897- * Note that this macros defines __per_cpu_load as an absolute symbol.
43898+ * Note that this macros defines per_cpu_load as an absolute symbol.
43899 * If there is no need to put the percpu section at a predetermined
43900 * address, use PERCPU().
43901 */
43902 #define PERCPU_VADDR(vaddr, phdr) \
43903- VMLINUX_SYMBOL(__per_cpu_load) = .; \
57199397 43904- .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
58c5fc13 43905+ per_cpu_load = .; \
57199397 43906+ .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
58c5fc13
MT		 43907 - LOAD_OFFSET) { \
43908+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
43909 VMLINUX_SYMBOL(__per_cpu_start) = .; \
57199397
MT		 43910 *(.data..percpu..first) \
43911- *(.data..percpu..page_aligned) \
43912 *(.data..percpu) \
58c5fc13 43913+ . = ALIGN(PAGE_SIZE); \
57199397
MT		 43914+ *(.data..percpu..page_aligned) \
43915 *(.data..percpu..shared_aligned) \
58c5fc13
MT		 43916 VMLINUX_SYMBOL(__per_cpu_end) = .; \
43917 } phdr \
57199397
MT		 43918- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
43919+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
58c5fc13
MT		 43920
43921 /**
43922 * PERCPU - define output section for percpu area, simple version
57199397
MT		 43923diff -urNp linux-2.6.35.4/include/drm/drm_pciids.h linux-2.6.35.4/include/drm/drm_pciids.h
43924--- linux-2.6.35.4/include/drm/drm_pciids.h 2010-08-26 19:47:12.000000000 -0400
43925+++ linux-2.6.35.4/include/drm/drm_pciids.h 2010-09-17 20:12:09.000000000 -0400
43926@@ -419,7 +419,7 @@
58c5fc13
MT		 43927 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43928 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
df50ba0c 43929 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
58c5fc13
MT		 43930- {0, 0, 0}
43931+ {0, 0, 0, 0, 0, 0}
43932
43933 #define r128_PCI_IDS \
43934 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
57199397 43935@@ -459,14 +459,14 @@
58c5fc13
MT		 43936 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43937 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43938 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43939- {0, 0, 0}
43940+ {0, 0, 0, 0, 0, 0}
43941
43942 #define mga_PCI_IDS \
43943 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43944 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43945 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
43946 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
43947- {0, 0, 0}
43948+ {0, 0, 0, 0, 0, 0}
43949
43950 #define mach64_PCI_IDS \
43951 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
57199397 43952@@ -489,7 +489,7 @@
58c5fc13
MT		 43953 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43954 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43955 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43956- {0, 0, 0}
43957+ {0, 0, 0, 0, 0, 0}
43958
43959 #define sisdrv_PCI_IDS \
43960 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
57199397 43961@@ -500,7 +500,7 @@
58c5fc13
MT		 43962 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43963 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43964 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43965- {0, 0, 0}
43966+ {0, 0, 0, 0, 0, 0}
43967
43968 #define tdfx_PCI_IDS \
43969 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
57199397 43970@@ -509,7 +509,7 @@
58c5fc13
MT		 43971 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43972 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43973 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43974- {0, 0, 0}
43975+ {0, 0, 0, 0, 0, 0}
43976
43977 #define viadrv_PCI_IDS \
43978 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
57199397 43979@@ -521,14 +521,14 @@
58c5fc13
MT		 43980 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43981 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
43982 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
43983- {0, 0, 0}
43984+ {0, 0, 0, 0, 0, 0}
43985
43986 #define i810_PCI_IDS \
43987 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43988 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43989 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43990 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43991- {0, 0, 0}
43992+ {0, 0, 0, 0, 0, 0}
43993
43994 #define i830_PCI_IDS \
43995 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
57199397 43996@@ -536,11 +536,11 @@
58c5fc13
MT		 43997 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43998 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43999 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44000- {0, 0, 0}
44001+ {0, 0, 0, 0, 0, 0}
44002
44003 #define gamma_PCI_IDS \
44004 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44005- {0, 0, 0}
44006+ {0, 0, 0, 0, 0, 0}
44007
44008 #define savage_PCI_IDS \
44009 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
57199397 44010@@ -566,10 +566,10 @@
58c5fc13
MT		 44011 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
44012 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44013 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44014- {0, 0, 0}
44015+ {0, 0, 0, 0, 0, 0}
44016
44017 #define ffb_PCI_IDS \
44018- {0, 0, 0}
44019+ {0, 0, 0, 0, 0, 0}
44020
44021 #define i915_PCI_IDS \
44022 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
57199397 44023@@ -603,4 +603,4 @@
58c5fc13
MT		 44024 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44025 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
df50ba0c 44026 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
58c5fc13
MT		 44027- {0, 0, 0}
44028+ {0, 0, 0, 0, 0, 0}
57199397
MT		 44029diff -urNp linux-2.6.35.4/include/drm/drmP.h linux-2.6.35.4/include/drm/drmP.h
44030--- linux-2.6.35.4/include/drm/drmP.h 2010-08-26 19:47:12.000000000 -0400
44031+++ linux-2.6.35.4/include/drm/drmP.h 2010-09-17 20:12:09.000000000 -0400
44032@@ -808,7 +808,7 @@ struct drm_driver {
44033 void (*vgaarb_irq)(struct drm_device *dev, bool state);
44034
44035 /* Driver private ops for this object */
44036- struct vm_operations_struct *gem_vm_ops;
44037+ const struct vm_operations_struct *gem_vm_ops;
44038
44039 int major;
44040 int minor;
44041@@ -917,7 +917,7 @@ struct drm_device {
44042
44043 /** \name Usage Counters */
44044 /*@{ */
44045- int open_count; /**< Outstanding files open */
44046+ atomic_t open_count; /**< Outstanding files open */
44047 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
44048 atomic_t vma_count; /**< Outstanding vma areas open */
44049 int buf_use; /**< Buffers in use -- cannot alloc */
44050@@ -928,7 +928,7 @@ struct drm_device {
44051 /*@{ */
44052 unsigned long counters;
44053 enum drm_stat_type types[15];
44054- atomic_t counts[15];
44055+ atomic_unchecked_t counts[15];
44056 /*@} */
44057
44058 struct list_head filelist;
44059diff -urNp linux-2.6.35.4/include/linux/a.out.h linux-2.6.35.4/include/linux/a.out.h
44060--- linux-2.6.35.4/include/linux/a.out.h 2010-08-26 19:47:12.000000000 -0400
44061+++ linux-2.6.35.4/include/linux/a.out.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 44062@@ -39,6 +39,14 @@ enum machine_type {
44063 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
44064 };
44065
44066+/* Constants for the N_FLAGS field */
44067+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44068+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
44069+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
44070+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
44071+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44072+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44073+
44074 #if !defined (N_MAGIC)
44075 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
44076 #endif
57199397
MT		 44077diff -urNp linux-2.6.35.4/include/linux/atmdev.h linux-2.6.35.4/include/linux/atmdev.h
44078--- linux-2.6.35.4/include/linux/atmdev.h 2010-08-26 19:47:12.000000000 -0400
44079+++ linux-2.6.35.4/include/linux/atmdev.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 44080@@ -237,7 +237,7 @@ struct compat_atm_iobuf {
44081 #endif
44082
44083 struct k_atm_aal_stats {
44084-#define __HANDLE_ITEM(i) atomic_t i
44085+#define __HANDLE_ITEM(i) atomic_unchecked_t i
44086 __AAL_STAT_ITEMS
44087 #undef __HANDLE_ITEM
44088 };
57199397
MT		 44089diff -urNp linux-2.6.35.4/include/linux/binfmts.h linux-2.6.35.4/include/linux/binfmts.h
44090--- linux-2.6.35.4/include/linux/binfmts.h 2010-08-26 19:47:12.000000000 -0400
44091+++ linux-2.6.35.4/include/linux/binfmts.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 44092@@ -87,6 +87,7 @@ struct linux_binfmt {
58c5fc13
MT		 44093 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
44094 int (*load_shlib)(struct file *);
ae4e228f 44095 int (*core_dump)(struct coredump_params *cprm);
58c5fc13
MT		 44096+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
44097 unsigned long min_coredump; /* minimal dump size */
44098 int hasvdso;
44099 };
57199397
MT		 44100diff -urNp linux-2.6.35.4/include/linux/blkdev.h linux-2.6.35.4/include/linux/blkdev.h
44101--- linux-2.6.35.4/include/linux/blkdev.h 2010-08-26 19:47:12.000000000 -0400
44102+++ linux-2.6.35.4/include/linux/blkdev.h 2010-09-17 20:12:09.000000000 -0400
44103@@ -1331,20 +1331,20 @@ static inline int blk_integrity_rq(struc
ae4e228f
MT		 44104 #endif /* CONFIG_BLK_DEV_INTEGRITY */
44105
44106 struct block_device_operations {
44107- int (*open) (struct block_device *, fmode_t);
44108- int (*release) (struct gendisk *, fmode_t);
44109- int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44110- int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44111- int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44112- int (*direct_access) (struct block_device *, sector_t,
44113+ int (* const open) (struct block_device *, fmode_t);
44114+ int (* const release) (struct gendisk *, fmode_t);
44115+ int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44116+ int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44117+ int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44118+ int (* const direct_access) (struct block_device *, sector_t,
44119 void **, unsigned long *);
44120- int (*media_changed) (struct gendisk *);
57199397 44121- void (*unlock_native_capacity) (struct gendisk *);
ae4e228f
MT		 44122- int (*revalidate_disk) (struct gendisk *);
44123- int (*getgeo)(struct block_device *, struct hd_geometry *);
57199397
MT		 44124+ int (* const media_changed) (struct gendisk *);
44125+ void (* const unlock_native_capacity) (struct gendisk *);
ae4e228f 44126+ int (* const revalidate_disk) (struct gendisk *);
57199397
MT		 44127+ int (*const getgeo)(struct block_device *, struct hd_geometry *);
44128 /* this callback is with swap_lock and sometimes page table lock held */
44129- void (*swap_slot_free_notify) (struct block_device *, unsigned long);
44130- struct module *owner;
44131+ void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
ae4e228f
MT		 44132+ struct module * const owner;
44133 };
44134
44135 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
57199397
MT		 44136diff -urNp linux-2.6.35.4/include/linux/cache.h linux-2.6.35.4/include/linux/cache.h
44137--- linux-2.6.35.4/include/linux/cache.h 2010-08-26 19:47:12.000000000 -0400
44138+++ linux-2.6.35.4/include/linux/cache.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 44139@@ -16,6 +16,10 @@
44140 #define __read_mostly
44141 #endif
44142
44143+#ifndef __read_only
44144+#define __read_only __read_mostly
44145+#endif
44146+
44147 #ifndef ____cacheline_aligned
44148 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
44149 #endif
57199397
MT		 44150diff -urNp linux-2.6.35.4/include/linux/capability.h linux-2.6.35.4/include/linux/capability.h
44151--- linux-2.6.35.4/include/linux/capability.h 2010-08-26 19:47:12.000000000 -0400
44152+++ linux-2.6.35.4/include/linux/capability.h 2010-09-17 20:12:37.000000000 -0400
ae4e228f 44153@@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
58c5fc13
MT		 44154 (security_real_capable_noaudit((t), (cap)) == 0)
44155
44156 extern int capable(int cap);
44157+int capable_nolog(int cap);
44158
44159 /* audit system wants to get cap info from files as well */
44160 struct dentry;
57199397
MT		 44161diff -urNp linux-2.6.35.4/include/linux/compat.h linux-2.6.35.4/include/linux/compat.h
44162--- linux-2.6.35.4/include/linux/compat.h 2010-08-26 19:47:12.000000000 -0400
44163+++ linux-2.6.35.4/include/linux/compat.h 2010-09-17 20:12:37.000000000 -0400
44164@@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvec
44165 const struct compat_iovec __user *uvector, unsigned long nr_segs,
44166 unsigned long fast_segs, struct iovec *fast_pointer,
44167 struct iovec **ret_pointer);
44168+
44169+extern void __user *compat_alloc_user_space(unsigned long len);
44170+
44171 #endif /* CONFIG_COMPAT */
44172 #endif /* _LINUX_COMPAT_H */
44173diff -urNp linux-2.6.35.4/include/linux/compiler-gcc4.h linux-2.6.35.4/include/linux/compiler-gcc4.h
44174--- linux-2.6.35.4/include/linux/compiler-gcc4.h 2010-08-26 19:47:12.000000000 -0400
44175+++ linux-2.6.35.4/include/linux/compiler-gcc4.h 2010-09-17 20:12:09.000000000 -0400
44176@@ -54,6 +54,10 @@
44177
ae4e228f 44178 #endif
58c5fc13
MT		 44179
44180+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
44181+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
44182+#define __bos0(ptr) __bos((ptr), 0)
44183+#define __bos1(ptr) __bos((ptr), 1)
44184 #endif
ae4e228f
MT		 44185
44186 #if __GNUC_MINOR__ > 0
57199397
MT		 44187diff -urNp linux-2.6.35.4/include/linux/compiler.h linux-2.6.35.4/include/linux/compiler.h
44188--- linux-2.6.35.4/include/linux/compiler.h 2010-08-26 19:47:12.000000000 -0400
44189+++ linux-2.6.35.4/include/linux/compiler.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 44190@@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
58c5fc13
MT		 44191 #define __cold
44192 #endif
44193
44194+#ifndef __alloc_size
44195+#define __alloc_size
44196+#endif
44197+
44198+#ifndef __bos
44199+#define __bos
44200+#endif
44201+
44202+#ifndef __bos0
44203+#define __bos0
44204+#endif
44205+
44206+#ifndef __bos1
44207+#define __bos1
44208+#endif
44209+
44210 /* Simple shorthand for a section definition */
44211 #ifndef __section
44212 # define __section(S) __attribute__ ((__section__(#S)))
57199397
MT		 44213diff -urNp linux-2.6.35.4/include/linux/decompress/mm.h linux-2.6.35.4/include/linux/decompress/mm.h
44214--- linux-2.6.35.4/include/linux/decompress/mm.h 2010-08-26 19:47:12.000000000 -0400
44215+++ linux-2.6.35.4/include/linux/decompress/mm.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 44216@@ -78,7 +78,7 @@ static void free(void *where)
58c5fc13
MT		 44217 * warnings when not needed (indeed large_malloc / large_free are not
44218 * needed by inflate */
44219
44220-#define malloc(a) kmalloc(a, GFP_KERNEL)
44221+#define malloc(a) kmalloc((a), GFP_KERNEL)
44222 #define free(a) kfree(a)
44223
44224 #define large_malloc(a) vmalloc(a)
57199397
MT		 44225diff -urNp linux-2.6.35.4/include/linux/dma-mapping.h linux-2.6.35.4/include/linux/dma-mapping.h
44226--- linux-2.6.35.4/include/linux/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
44227+++ linux-2.6.35.4/include/linux/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
44228@@ -16,40 +16,40 @@ enum dma_data_direction {
ae4e228f
MT		 44229 };
44230
44231 struct dma_map_ops {
44232- void* (*alloc_coherent)(struct device *dev, size_t size,
44233+ void* (* const alloc_coherent)(struct device *dev, size_t size,
44234 dma_addr_t *dma_handle, gfp_t gfp);
44235- void (*free_coherent)(struct device *dev, size_t size,
44236+ void (* const free_coherent)(struct device *dev, size_t size,
44237 void *vaddr, dma_addr_t dma_handle);
44238- dma_addr_t (*map_page)(struct device *dev, struct page *page,
44239+ dma_addr_t (* const map_page)(struct device *dev, struct page *page,
44240 unsigned long offset, size_t size,
44241 enum dma_data_direction dir,
44242 struct dma_attrs *attrs);
44243- void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
44244+ void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
44245 size_t size, enum dma_data_direction dir,
44246 struct dma_attrs *attrs);
44247- int (*map_sg)(struct device *dev, struct scatterlist *sg,
44248+ int (* const map_sg)(struct device *dev, struct scatterlist *sg,
44249 int nents, enum dma_data_direction dir,
44250 struct dma_attrs *attrs);
44251- void (*unmap_sg)(struct device *dev,
44252+ void (* const unmap_sg)(struct device *dev,
44253 struct scatterlist *sg, int nents,
44254 enum dma_data_direction dir,
44255 struct dma_attrs *attrs);
44256- void (*sync_single_for_cpu)(struct device *dev,
44257+ void (* const sync_single_for_cpu)(struct device *dev,
44258 dma_addr_t dma_handle, size_t size,
44259 enum dma_data_direction dir);
44260- void (*sync_single_for_device)(struct device *dev,
44261+ void (* const sync_single_for_device)(struct device *dev,
44262 dma_addr_t dma_handle, size_t size,
44263 enum dma_data_direction dir);
ae4e228f
MT		 44264- void (*sync_sg_for_cpu)(struct device *dev,
44265+ void (* const sync_sg_for_cpu)(struct device *dev,
44266 struct scatterlist *sg, int nents,
44267 enum dma_data_direction dir);
44268- void (*sync_sg_for_device)(struct device *dev,
44269+ void (* const sync_sg_for_device)(struct device *dev,
44270 struct scatterlist *sg, int nents,
44271 enum dma_data_direction dir);
44272- int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
44273- int (*dma_supported)(struct device *dev, u64 mask);
44274- int (*set_dma_mask)(struct device *dev, u64 mask);
44275- int is_phys;
44276+ int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
44277+ int (* const dma_supported)(struct device *dev, u64 mask);
44278+ int (* set_dma_mask)(struct device *dev, u64 mask);
44279+ const int is_phys;
44280 };
44281
44282 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
57199397
MT		 44283diff -urNp linux-2.6.35.4/include/linux/elf.h linux-2.6.35.4/include/linux/elf.h
44284--- linux-2.6.35.4/include/linux/elf.h 2010-08-26 19:47:12.000000000 -0400
44285+++ linux-2.6.35.4/include/linux/elf.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 44286@@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
44287 #define PT_GNU_EH_FRAME 0x6474e550
44288
44289 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
44290+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
44291+
44292+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
44293+
44294+/* Constants for the e_flags field */
44295+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44296+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
44297+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
44298+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
44299+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44300+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44301
df50ba0c
MT		 44302 /*
44303 * Extended Numbering
44304@@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
58c5fc13
MT		 44305 #define DT_DEBUG 21
44306 #define DT_TEXTREL 22
44307 #define DT_JMPREL 23
44308+#define DT_FLAGS 30
44309+ #define DF_TEXTREL 0x00000004
44310 #define DT_ENCODING 32
44311 #define OLD_DT_LOOS 0x60000000
44312 #define DT_LOOS 0x6000000d
df50ba0c 44313@@ -252,6 +265,19 @@ typedef struct elf64_hdr {
58c5fc13
MT		 44314 #define PF_W 0x2
44315 #define PF_X 0x1
44316
44317+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
44318+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
44319+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
44320+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
44321+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
44322+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
44323+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
44324+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
44325+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
44326+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
44327+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
44328+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
44329+
44330 typedef struct elf32_phdr{
44331 Elf32_Word p_type;
44332 Elf32_Off p_offset;
df50ba0c 44333@@ -344,6 +370,8 @@ typedef struct elf64_shdr {
58c5fc13
MT		 44334 #define EI_OSABI 7
44335 #define EI_PAD 8
44336
44337+#define EI_PAX 14
44338+
44339 #define ELFMAG0 0x7f /* EI_MAG */
44340 #define ELFMAG1 'E'
44341 #define ELFMAG2 'L'
57199397 44342@@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
58c5fc13
MT		 44343 #define elf_note elf32_note
44344 #define elf_addr_t Elf32_Off
df50ba0c 44345 #define Elf_Half Elf32_Half
58c5fc13
MT		 44346+#define elf_dyn Elf32_Dyn
44347
44348 #else
44349
57199397 44350@@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
58c5fc13
MT		 44351 #define elf_note elf64_note
44352 #define elf_addr_t Elf64_Off
df50ba0c 44353 #define Elf_Half Elf64_Half
58c5fc13
MT		 44354+#define elf_dyn Elf64_Dyn
44355
44356 #endif
44357
57199397
MT		 44358diff -urNp linux-2.6.35.4/include/linux/fs.h linux-2.6.35.4/include/linux/fs.h
44359--- linux-2.6.35.4/include/linux/fs.h 2010-08-26 19:47:12.000000000 -0400
44360+++ linux-2.6.35.4/include/linux/fs.h 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 44361@@ -90,6 +90,11 @@ struct inodes_stat_t {
44362 /* Expect random access pattern */
df50ba0c 44363 #define FMODE_RANDOM ((__force fmode_t)0x1000)
58c5fc13
MT		 44364
44365+/* Hack for grsec so as not to require read permission simply to execute
ae4e228f
MT		 44366+ * a binary
44367+ */
df50ba0c 44368+#define FMODE_GREXEC ((__force fmode_t)0x2000)
58c5fc13
MT		 44369+
44370 /*
44371 * The below are the various read and write types that we support. Some of
44372 * them include behavioral modifiers that send information down to the
57199397 44373@@ -571,41 +576,41 @@ typedef int (*read_actor_t)(read_descrip
ae4e228f
MT		 44374 unsigned long, unsigned long);
44375
44376 struct address_space_operations {
44377- int (*writepage)(struct page *page, struct writeback_control *wbc);
44378- int (*readpage)(struct file *, struct page *);
44379- void (*sync_page)(struct page *);
44380+ int (* const writepage)(struct page *page, struct writeback_control *wbc);
44381+ int (* const readpage)(struct file *, struct page *);
44382+ void (* const sync_page)(struct page *);
44383
44384 /* Write back some dirty pages from this mapping. */
44385- int (*writepages)(struct address_space *, struct writeback_control *);
44386+ int (* const writepages)(struct address_space *, struct writeback_control *);
44387
44388 /* Set a page dirty. Return true if this dirtied it */
44389- int (*set_page_dirty)(struct page *page);
44390+ int (* const set_page_dirty)(struct page *page);
44391
44392- int (*readpages)(struct file *filp, struct address_space *mapping,
44393+ int (* const readpages)(struct file *filp, struct address_space *mapping,
44394 struct list_head *pages, unsigned nr_pages);
44395
44396- int (*write_begin)(struct file *, struct address_space *mapping,
44397+ int (* const write_begin)(struct file *, struct address_space *mapping,
44398 loff_t pos, unsigned len, unsigned flags,
44399 struct page **pagep, void **fsdata);
44400- int (*write_end)(struct file *, struct address_space *mapping,
44401+ int (* const write_end)(struct file *, struct address_space *mapping,
44402 loff_t pos, unsigned len, unsigned copied,
44403 struct page *page, void *fsdata);
44404
44405 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
44406- sector_t (*bmap)(struct address_space *, sector_t);
44407- void (*invalidatepage) (struct page *, unsigned long);
44408- int (*releasepage) (struct page *, gfp_t);
44409- ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
44410+ sector_t (* const bmap)(struct address_space *, sector_t);
44411+ void (* const invalidatepage) (struct page *, unsigned long);
44412+ int (* const releasepage) (struct page *, gfp_t);
44413+ ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
44414 loff_t offset, unsigned long nr_segs);
44415- int (*get_xip_mem)(struct address_space *, pgoff_t, int,
44416+ int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
44417 void **, unsigned long *);
44418 /* migrate the contents of a page to the specified target */
44419- int (*migratepage) (struct address_space *,
44420+ int (* const migratepage) (struct address_space *,
44421 struct page *, struct page *);
44422- int (*launder_page) (struct page *);
44423- int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
44424+ int (* const launder_page) (struct page *);
44425+ int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
44426 unsigned long);
44427- int (*error_remove_page)(struct address_space *, struct page *);
44428+ int (* const error_remove_page)(struct address_space *, struct page *);
44429 };
44430
44431 /*
57199397 44432@@ -1035,19 +1040,19 @@ static inline int file_check_writeable(s
ae4e228f
MT		 44433 typedef struct files_struct *fl_owner_t;
44434
44435 struct file_lock_operations {
44436- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44437- void (*fl_release_private)(struct file_lock *);
44438+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44439+ void (* const fl_release_private)(struct file_lock *);
44440 };
44441
44442 struct lock_manager_operations {
44443- int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
44444- void (*fl_notify)(struct file_lock *); /* unblock callback */
44445- int (*fl_grant)(struct file_lock *, struct file_lock *, int);
44446- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44447- void (*fl_release_private)(struct file_lock *);
44448- void (*fl_break)(struct file_lock *);
44449- int (*fl_mylease)(struct file_lock *, struct file_lock *);
44450- int (*fl_change)(struct file_lock **, int);
44451+ int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
44452+ void (* const fl_notify)(struct file_lock *); /* unblock callback */
44453+ int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
44454+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44455+ void (* const fl_release_private)(struct file_lock *);
44456+ void (* const fl_break)(struct file_lock *);
44457+ int (* const fl_mylease)(struct file_lock *, struct file_lock *);
44458+ int (* const fl_change)(struct file_lock **, int);
44459 };
44460
44461 struct lock_manager {
57199397 44462@@ -1440,7 +1445,7 @@ struct fiemap_extent_info {
ae4e228f
MT		 44463 unsigned int fi_flags; /* Flags as passed from user */
44464 unsigned int fi_extents_mapped; /* Number of mapped extents */
44465 unsigned int fi_extents_max; /* Size of fiemap_extent array */
44466- struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
44467+ struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
44468 * array */
44469 };
44470 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
57199397 44471@@ -1557,30 +1562,30 @@ extern ssize_t vfs_writev(struct file *,
ae4e228f
MT		 44472 unsigned long, loff_t *);
44473
44474 struct super_operations {
44475- struct inode *(*alloc_inode)(struct super_block *sb);
44476- void (*destroy_inode)(struct inode *);
44477+ struct inode *(* const alloc_inode)(struct super_block *sb);
44478+ void (* const destroy_inode)(struct inode *);
44479
44480- void (*dirty_inode) (struct inode *);
df50ba0c 44481- int (*write_inode) (struct inode *, struct writeback_control *wbc);
ae4e228f
MT		 44482- void (*drop_inode) (struct inode *);
44483- void (*delete_inode) (struct inode *);
44484- void (*put_super) (struct super_block *);
44485- void (*write_super) (struct super_block *);
44486- int (*sync_fs)(struct super_block *sb, int wait);
44487- int (*freeze_fs) (struct super_block *);
44488- int (*unfreeze_fs) (struct super_block *);
44489- int (*statfs) (struct dentry *, struct kstatfs *);
44490- int (*remount_fs) (struct super_block *, int *, char *);
44491- void (*clear_inode) (struct inode *);
44492- void (*umount_begin) (struct super_block *);
44493+ void (* const dirty_inode) (struct inode *);
df50ba0c 44494+ int (* const write_inode) (struct inode *, struct writeback_control *wbc);
ae4e228f
MT		 44495+ void (* const drop_inode) (struct inode *);
44496+ void (* const delete_inode) (struct inode *);
44497+ void (* const put_super) (struct super_block *);
44498+ void (* const write_super) (struct super_block *);
44499+ int (* const sync_fs)(struct super_block *sb, int wait);
44500+ int (* const freeze_fs) (struct super_block *);
44501+ int (* const unfreeze_fs) (struct super_block *);
44502+ int (* const statfs) (struct dentry *, struct kstatfs *);
44503+ int (* const remount_fs) (struct super_block *, int *, char *);
44504+ void (* const clear_inode) (struct inode *);
44505+ void (* const umount_begin) (struct super_block *);
44506
44507- int (*show_options)(struct seq_file *, struct vfsmount *);
44508- int (*show_stats)(struct seq_file *, struct vfsmount *);
44509+ int (* const show_options)(struct seq_file *, struct vfsmount *);
44510+ int (* const show_stats)(struct seq_file *, struct vfsmount *);
44511 #ifdef CONFIG_QUOTA
44512- ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
44513- ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
44514+ ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
44515+ ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
44516 #endif
44517- int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
44518+ int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
44519 };
44520
44521 /*
57199397
MT		 44522diff -urNp linux-2.6.35.4/include/linux/fs_struct.h linux-2.6.35.4/include/linux/fs_struct.h
44523--- linux-2.6.35.4/include/linux/fs_struct.h 2010-08-26 19:47:12.000000000 -0400
44524+++ linux-2.6.35.4/include/linux/fs_struct.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 44525@@ -4,7 +4,7 @@
44526 #include <linux/path.h>
44527
44528 struct fs_struct {
44529- int users;
44530+ atomic_t users;
44531 rwlock_t lock;
44532 int umask;
44533 int in_exec;
57199397
MT		 44534diff -urNp linux-2.6.35.4/include/linux/genhd.h linux-2.6.35.4/include/linux/genhd.h
44535--- linux-2.6.35.4/include/linux/genhd.h 2010-08-26 19:47:12.000000000 -0400
44536+++ linux-2.6.35.4/include/linux/genhd.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 44537@@ -162,7 +162,7 @@ struct gendisk {
58c5fc13
MT		 44538
44539 struct timer_rand_state *random;
44540
44541- atomic_t sync_io; /* RAID */
44542+ atomic_unchecked_t sync_io; /* RAID */
44543 struct work_struct async_notify;
44544 #ifdef CONFIG_BLK_DEV_INTEGRITY
44545 struct blk_integrity *integrity;
57199397
MT		 44546diff -urNp linux-2.6.35.4/include/linux/gracl.h linux-2.6.35.4/include/linux/gracl.h
44547--- linux-2.6.35.4/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
44548+++ linux-2.6.35.4/include/linux/gracl.h 2010-09-17 20:12:37.000000000 -0400
df50ba0c 44549@@ -0,0 +1,310 @@
58c5fc13
MT		 44550+#ifndef GR_ACL_H
44551+#define GR_ACL_H
44552+
44553+#include <linux/grdefs.h>
44554+#include <linux/resource.h>
44555+#include <linux/capability.h>
44556+#include <linux/dcache.h>
44557+#include <asm/resource.h>
44558+
44559+/* Major status information */
44560+
df50ba0c
MT		 44561+#define GR_VERSION "grsecurity 2.2.0"
44562+#define GRSECURITY_VERSION 0x2200
58c5fc13
MT		 44563+
44564+enum {
44565+ GR_SHUTDOWN = 0,
44566+ GR_ENABLE = 1,
44567+ GR_SPROLE = 2,
44568+ GR_RELOAD = 3,
44569+ GR_SEGVMOD = 4,
44570+ GR_STATUS = 5,
44571+ GR_UNSPROLE = 6,
44572+ GR_PASSSET = 7,
44573+ GR_SPROLEPAM = 8,
44574+};
44575+
44576+/* Password setup definitions
44577+ * kernel/grhash.c */
44578+enum {
44579+ GR_PW_LEN = 128,
44580+ GR_SALT_LEN = 16,
44581+ GR_SHA_LEN = 32,
44582+};
44583+
44584+enum {
44585+ GR_SPROLE_LEN = 64,
44586+};
44587+
44588+#define GR_NLIMITS 32
44589+
44590+/* Begin Data Structures */
44591+
44592+struct sprole_pw {
44593+ unsigned char *rolename;
44594+ unsigned char salt[GR_SALT_LEN];
44595+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
44596+};
44597+
44598+struct name_entry {
44599+ __u32 key;
44600+ ino_t inode;
44601+ dev_t device;
44602+ char *name;
44603+ __u16 len;
44604+ __u8 deleted;
44605+ struct name_entry *prev;
44606+ struct name_entry *next;
44607+};
44608+
44609+struct inodev_entry {
44610+ struct name_entry *nentry;
44611+ struct inodev_entry *prev;
44612+ struct inodev_entry *next;
44613+};
44614+
44615+struct acl_role_db {
44616+ struct acl_role_label **r_hash;
44617+ __u32 r_size;
44618+};
44619+
44620+struct inodev_db {
44621+ struct inodev_entry **i_hash;
44622+ __u32 i_size;
44623+};
44624+
44625+struct name_db {
44626+ struct name_entry **n_hash;
44627+ __u32 n_size;
44628+};
44629+
44630+struct crash_uid {
44631+ uid_t uid;
44632+ unsigned long expires;
44633+};
44634+
44635+struct gr_hash_struct {
44636+ void **table;
44637+ void **nametable;
44638+ void *first;
44639+ __u32 table_size;
44640+ __u32 used_size;
44641+ int type;
44642+};
44643+
44644+/* Userspace Grsecurity ACL data structures */
44645+
44646+struct acl_subject_label {
44647+ char *filename;
44648+ ino_t inode;
44649+ dev_t device;
44650+ __u32 mode;
44651+ kernel_cap_t cap_mask;
44652+ kernel_cap_t cap_lower;
df50ba0c 44653+ kernel_cap_t cap_invert_audit;
58c5fc13
MT		 44654+
44655+ struct rlimit res[GR_NLIMITS];
44656+ __u32 resmask;
44657+
44658+ __u8 user_trans_type;
44659+ __u8 group_trans_type;
44660+ uid_t *user_transitions;
44661+ gid_t *group_transitions;
44662+ __u16 user_trans_num;
44663+ __u16 group_trans_num;
44664+
44665+ __u32 ip_proto[8];
44666+ __u32 ip_type;
44667+ struct acl_ip_label **ips;
44668+ __u32 ip_num;
44669+ __u32 inaddr_any_override;
44670+
44671+ __u32 crashes;
44672+ unsigned long expires;
44673+
44674+ struct acl_subject_label *parent_subject;
44675+ struct gr_hash_struct *hash;
44676+ struct acl_subject_label *prev;
44677+ struct acl_subject_label *next;
44678+
44679+ struct acl_object_label **obj_hash;
44680+ __u32 obj_hash_size;
44681+ __u16 pax_flags;
44682+};
44683+
44684+struct role_allowed_ip {
44685+ __u32 addr;
44686+ __u32 netmask;
44687+
44688+ struct role_allowed_ip *prev;
44689+ struct role_allowed_ip *next;
44690+};
44691+
44692+struct role_transition {
44693+ char *rolename;
44694+
44695+ struct role_transition *prev;
44696+ struct role_transition *next;
44697+};
44698+
44699+struct acl_role_label {
44700+ char *rolename;
44701+ uid_t uidgid;
44702+ __u16 roletype;
44703+
44704+ __u16 auth_attempts;
44705+ unsigned long expires;
44706+
44707+ struct acl_subject_label *root_label;
44708+ struct gr_hash_struct *hash;
44709+
44710+ struct acl_role_label *prev;
44711+ struct acl_role_label *next;
44712+
44713+ struct role_transition *transitions;
44714+ struct role_allowed_ip *allowed_ips;
44715+ uid_t *domain_children;
44716+ __u16 domain_child_num;
44717+
44718+ struct acl_subject_label **subj_hash;
44719+ __u32 subj_hash_size;
44720+};
44721+
44722+struct user_acl_role_db {
44723+ struct acl_role_label **r_table;
44724+ __u32 num_pointers; /* Number of allocations to track */
44725+ __u32 num_roles; /* Number of roles */
44726+ __u32 num_domain_children; /* Number of domain children */
44727+ __u32 num_subjects; /* Number of subjects */
44728+ __u32 num_objects; /* Number of objects */
44729+};
44730+
44731+struct acl_object_label {
44732+ char *filename;
44733+ ino_t inode;
44734+ dev_t device;
44735+ __u32 mode;
44736+
44737+ struct acl_subject_label *nested;
44738+ struct acl_object_label *globbed;
44739+
44740+ /* next two structures not used */
44741+
44742+ struct acl_object_label *prev;
44743+ struct acl_object_label *next;
44744+};
44745+
44746+struct acl_ip_label {
44747+ char *iface;
44748+ __u32 addr;
44749+ __u32 netmask;
44750+ __u16 low, high;
44751+ __u8 mode;
44752+ __u32 type;
44753+ __u32 proto[8];
44754+
44755+ /* next two structures not used */
44756+
44757+ struct acl_ip_label *prev;
44758+ struct acl_ip_label *next;
44759+};
44760+
44761+struct gr_arg {
44762+ struct user_acl_role_db role_db;
44763+ unsigned char pw[GR_PW_LEN];
44764+ unsigned char salt[GR_SALT_LEN];
44765+ unsigned char sum[GR_SHA_LEN];
44766+ unsigned char sp_role[GR_SPROLE_LEN];
44767+ struct sprole_pw *sprole_pws;
44768+ dev_t segv_device;
44769+ ino_t segv_inode;
44770+ uid_t segv_uid;
44771+ __u16 num_sprole_pws;
44772+ __u16 mode;
44773+};
44774+
44775+struct gr_arg_wrapper {
44776+ struct gr_arg *arg;
44777+ __u32 version;
44778+ __u32 size;
44779+};
44780+
44781+struct subject_map {
44782+ struct acl_subject_label *user;
44783+ struct acl_subject_label *kernel;
44784+ struct subject_map *prev;
44785+ struct subject_map *next;
44786+};
44787+
44788+struct acl_subj_map_db {
44789+ struct subject_map **s_hash;
44790+ __u32 s_size;
44791+};
44792+
44793+/* End Data Structures Section */
44794+
44795+/* Hash functions generated by empirical testing by Brad Spengler
44796+ Makes good use of the low bits of the inode. Generally 0-1 times
44797+ in loop for successful match. 0-3 for unsuccessful match.
44798+ Shift/add algorithm with modulus of table size and an XOR*/
44799+
44800+static __inline__ unsigned int
44801+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
44802+{
ae4e228f 44803+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
58c5fc13
MT		 44804+}
44805+
44806+ static __inline__ unsigned int
44807+shash(const struct acl_subject_label *userp, const unsigned int sz)
44808+{
44809+ return ((const unsigned long)userp % sz);
44810+}
44811+
44812+static __inline__ unsigned int
44813+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
44814+{
44815+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
44816+}
44817+
44818+static __inline__ unsigned int
44819+nhash(const char *name, const __u16 len, const unsigned int sz)
44820+{
44821+ return full_name_hash((const unsigned char *)name, len) % sz;
44822+}
44823+
ae4e228f
MT		 44824+#define FOR_EACH_ROLE_START(role) \
44825+ role = role_list; \
44826+ while (role) {
58c5fc13 44827+
ae4e228f
MT		 44828+#define FOR_EACH_ROLE_END(role) \
44829+ role = role->prev; \
58c5fc13
MT		 44830+ }
44831+
44832+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
44833+ subj = NULL; \
44834+ iter = 0; \
44835+ while (iter < role->subj_hash_size) { \
44836+ if (subj == NULL) \
44837+ subj = role->subj_hash[iter]; \
44838+ if (subj == NULL) { \
44839+ iter++; \
44840+ continue; \
44841+ }
44842+
44843+#define FOR_EACH_SUBJECT_END(subj,iter) \
44844+ subj = subj->next; \
44845+ if (subj == NULL) \
44846+ iter++; \
44847+ }
44848+
44849+
44850+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
44851+ subj = role->hash->first; \
44852+ while (subj != NULL) {
44853+
44854+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
44855+ subj = subj->next; \
44856+ }
44857+
44858+#endif
44859+
57199397
MT		 44860diff -urNp linux-2.6.35.4/include/linux/gralloc.h linux-2.6.35.4/include/linux/gralloc.h
44861--- linux-2.6.35.4/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
44862+++ linux-2.6.35.4/include/linux/gralloc.h 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 44863@@ -0,0 +1,9 @@
44864+#ifndef __GRALLOC_H
44865+#define __GRALLOC_H
44866+
44867+void acl_free_all(void);
44868+int acl_alloc_stack_init(unsigned long size);
44869+void *acl_alloc(unsigned long len);
44870+void *acl_alloc_num(unsigned long num, unsigned long len);
44871+
44872+#endif
57199397
MT		 44873diff -urNp linux-2.6.35.4/include/linux/grdefs.h linux-2.6.35.4/include/linux/grdefs.h
44874--- linux-2.6.35.4/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
44875+++ linux-2.6.35.4/include/linux/grdefs.h 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 44876@@ -0,0 +1,136 @@
44877+#ifndef GRDEFS_H
44878+#define GRDEFS_H
44879+
44880+/* Begin grsecurity status declarations */
44881+
44882+enum {
44883+ GR_READY = 0x01,
44884+ GR_STATUS_INIT = 0x00 // disabled state
44885+};
44886+
44887+/* Begin ACL declarations */
44888+
44889+/* Role flags */
44890+
44891+enum {
44892+ GR_ROLE_USER = 0x0001,
44893+ GR_ROLE_GROUP = 0x0002,
44894+ GR_ROLE_DEFAULT = 0x0004,
44895+ GR_ROLE_SPECIAL = 0x0008,
44896+ GR_ROLE_AUTH = 0x0010,
44897+ GR_ROLE_NOPW = 0x0020,
44898+ GR_ROLE_GOD = 0x0040,
44899+ GR_ROLE_LEARN = 0x0080,
44900+ GR_ROLE_TPE = 0x0100,
44901+ GR_ROLE_DOMAIN = 0x0200,
44902+ GR_ROLE_PAM = 0x0400
44903+};
44904+
44905+/* ACL Subject and Object mode flags */
44906+enum {
44907+ GR_DELETED = 0x80000000
44908+};
44909+
44910+/* ACL Object-only mode flags */
44911+enum {
44912+ GR_READ = 0x00000001,
44913+ GR_APPEND = 0x00000002,
44914+ GR_WRITE = 0x00000004,
44915+ GR_EXEC = 0x00000008,
44916+ GR_FIND = 0x00000010,
44917+ GR_INHERIT = 0x00000020,
44918+ GR_SETID = 0x00000040,
44919+ GR_CREATE = 0x00000080,
44920+ GR_DELETE = 0x00000100,
44921+ GR_LINK = 0x00000200,
44922+ GR_AUDIT_READ = 0x00000400,
44923+ GR_AUDIT_APPEND = 0x00000800,
44924+ GR_AUDIT_WRITE = 0x00001000,
44925+ GR_AUDIT_EXEC = 0x00002000,
44926+ GR_AUDIT_FIND = 0x00004000,
44927+ GR_AUDIT_INHERIT= 0x00008000,
44928+ GR_AUDIT_SETID = 0x00010000,
44929+ GR_AUDIT_CREATE = 0x00020000,
44930+ GR_AUDIT_DELETE = 0x00040000,
44931+ GR_AUDIT_LINK = 0x00080000,
44932+ GR_PTRACERD = 0x00100000,
44933+ GR_NOPTRACE = 0x00200000,
44934+ GR_SUPPRESS = 0x00400000,
44935+ GR_NOLEARN = 0x00800000
44936+};
44937+
44938+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
44939+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
44940+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
44941+
44942+/* ACL subject-only mode flags */
44943+enum {
44944+ GR_KILL = 0x00000001,
44945+ GR_VIEW = 0x00000002,
44946+ GR_PROTECTED = 0x00000004,
44947+ GR_LEARN = 0x00000008,
44948+ GR_OVERRIDE = 0x00000010,
44949+ /* just a placeholder, this mode is only used in userspace */
44950+ GR_DUMMY = 0x00000020,
44951+ GR_PROTSHM = 0x00000040,
44952+ GR_KILLPROC = 0x00000080,
44953+ GR_KILLIPPROC = 0x00000100,
44954+ /* just a placeholder, this mode is only used in userspace */
44955+ GR_NOTROJAN = 0x00000200,
44956+ GR_PROTPROCFD = 0x00000400,
44957+ GR_PROCACCT = 0x00000800,
44958+ GR_RELAXPTRACE = 0x00001000,
44959+ GR_NESTED = 0x00002000,
44960+ GR_INHERITLEARN = 0x00004000,
44961+ GR_PROCFIND = 0x00008000,
44962+ GR_POVERRIDE = 0x00010000,
44963+ GR_KERNELAUTH = 0x00020000,
44964+};
44965+
44966+enum {
44967+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
44968+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
44969+ GR_PAX_ENABLE_MPROTECT = 0x0004,
44970+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
44971+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
44972+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
44973+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
44974+ GR_PAX_DISABLE_MPROTECT = 0x0400,
44975+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
44976+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
44977+};
44978+
44979+enum {
44980+ GR_ID_USER = 0x01,
44981+ GR_ID_GROUP = 0x02,
44982+};
44983+
44984+enum {
44985+ GR_ID_ALLOW = 0x01,
44986+ GR_ID_DENY = 0x02,
44987+};
44988+
44989+#define GR_CRASH_RES 31
44990+#define GR_UIDTABLE_MAX 500
44991+
44992+/* begin resource learning section */
44993+enum {
44994+ GR_RLIM_CPU_BUMP = 60,
44995+ GR_RLIM_FSIZE_BUMP = 50000,
44996+ GR_RLIM_DATA_BUMP = 10000,
44997+ GR_RLIM_STACK_BUMP = 1000,
44998+ GR_RLIM_CORE_BUMP = 10000,
44999+ GR_RLIM_RSS_BUMP = 500000,
45000+ GR_RLIM_NPROC_BUMP = 1,
45001+ GR_RLIM_NOFILE_BUMP = 5,
45002+ GR_RLIM_MEMLOCK_BUMP = 50000,
45003+ GR_RLIM_AS_BUMP = 500000,
45004+ GR_RLIM_LOCKS_BUMP = 2,
45005+ GR_RLIM_SIGPENDING_BUMP = 5,
45006+ GR_RLIM_MSGQUEUE_BUMP = 10000,
45007+ GR_RLIM_NICE_BUMP = 1,
45008+ GR_RLIM_RTPRIO_BUMP = 1,
45009+ GR_RLIM_RTTIME_BUMP = 1000000
45010+};
45011+
45012+#endif
57199397
MT		 45013diff -urNp linux-2.6.35.4/include/linux/grinternal.h linux-2.6.35.4/include/linux/grinternal.h
45014--- linux-2.6.35.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
45015+++ linux-2.6.35.4/include/linux/grinternal.h 2010-09-17 20:12:37.000000000 -0400
df50ba0c 45016@@ -0,0 +1,211 @@
58c5fc13
MT		 45017+#ifndef __GRINTERNAL_H
45018+#define __GRINTERNAL_H
45019+
45020+#ifdef CONFIG_GRKERNSEC
45021+
45022+#include <linux/fs.h>
45023+#include <linux/mnt_namespace.h>
45024+#include <linux/nsproxy.h>
45025+#include <linux/gracl.h>
45026+#include <linux/grdefs.h>
45027+#include <linux/grmsg.h>
45028+
45029+void gr_add_learn_entry(const char *fmt, ...)
45030+ __attribute__ ((format (printf, 1, 2)));
45031+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
45032+ const struct vfsmount *mnt);
45033+__u32 gr_check_create(const struct dentry *new_dentry,
45034+ const struct dentry *parent,
45035+ const struct vfsmount *mnt, const __u32 mode);
45036+int gr_check_protected_task(const struct task_struct *task);
45037+__u32 to_gr_audit(const __u32 reqmode);
45038+int gr_set_acls(const int type);
45039+
45040+int gr_acl_is_enabled(void);
45041+char gr_roletype_to_char(void);
45042+
45043+void gr_handle_alertkill(struct task_struct *task);
45044+char *gr_to_filename(const struct dentry *dentry,
45045+ const struct vfsmount *mnt);
45046+char *gr_to_filename1(const struct dentry *dentry,
45047+ const struct vfsmount *mnt);
45048+char *gr_to_filename2(const struct dentry *dentry,
45049+ const struct vfsmount *mnt);
45050+char *gr_to_filename3(const struct dentry *dentry,
45051+ const struct vfsmount *mnt);
45052+
45053+extern int grsec_enable_harden_ptrace;
45054+extern int grsec_enable_link;
45055+extern int grsec_enable_fifo;
45056+extern int grsec_enable_execve;
45057+extern int grsec_enable_shm;
45058+extern int grsec_enable_execlog;
45059+extern int grsec_enable_signal;
ae4e228f 45060+extern int grsec_enable_audit_ptrace;
58c5fc13
MT		 45061+extern int grsec_enable_forkfail;
45062+extern int grsec_enable_time;
ae4e228f 45063+extern int grsec_enable_rofs;
58c5fc13
MT		 45064+extern int grsec_enable_chroot_shmat;
45065+extern int grsec_enable_chroot_findtask;
45066+extern int grsec_enable_chroot_mount;
45067+extern int grsec_enable_chroot_double;
45068+extern int grsec_enable_chroot_pivot;
45069+extern int grsec_enable_chroot_chdir;
45070+extern int grsec_enable_chroot_chmod;
45071+extern int grsec_enable_chroot_mknod;
45072+extern int grsec_enable_chroot_fchdir;
45073+extern int grsec_enable_chroot_nice;
45074+extern int grsec_enable_chroot_execlog;
45075+extern int grsec_enable_chroot_caps;
45076+extern int grsec_enable_chroot_sysctl;
45077+extern int grsec_enable_chroot_unix;
45078+extern int grsec_enable_tpe;
45079+extern int grsec_tpe_gid;
45080+extern int grsec_enable_tpe_all;
57199397 45081+extern int grsec_enable_tpe_invert;
58c5fc13
MT		 45082+extern int grsec_enable_socket_all;
45083+extern int grsec_socket_all_gid;
45084+extern int grsec_enable_socket_client;
45085+extern int grsec_socket_client_gid;
45086+extern int grsec_enable_socket_server;
45087+extern int grsec_socket_server_gid;
45088+extern int grsec_audit_gid;
45089+extern int grsec_enable_group;
45090+extern int grsec_enable_audit_textrel;
45091+extern int grsec_enable_mount;
45092+extern int grsec_enable_chdir;
45093+extern int grsec_resource_logging;
ae4e228f
MT		 45094+extern int grsec_enable_blackhole;
45095+extern int grsec_lastack_retries;
58c5fc13
MT		 45096+extern int grsec_lock;
45097+
45098+extern spinlock_t grsec_alert_lock;
45099+extern unsigned long grsec_alert_wtime;
45100+extern unsigned long grsec_alert_fyet;
45101+
45102+extern spinlock_t grsec_audit_lock;
45103+
45104+extern rwlock_t grsec_exec_file_lock;
45105+
45106+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
45107+ gr_to_filename2(tsk->exec_file->f_path.dentry, \
45108+ tsk->exec_file->f_vfsmnt) : "/")
45109+
45110+#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
45111+ gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
45112+ tsk->parent->exec_file->f_vfsmnt) : "/")
45113+
45114+#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
45115+ gr_to_filename(tsk->exec_file->f_path.dentry, \
45116+ tsk->exec_file->f_vfsmnt) : "/")
45117+
45118+#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
45119+ gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
45120+ tsk->parent->exec_file->f_vfsmnt) : "/")
45121+
df50ba0c 45122+#define proc_is_chrooted(tsk_a) (tsk_a->gr_is_chrooted)
58c5fc13 45123+
df50ba0c 45124+#define have_same_root(tsk_a,tsk_b) (tsk_a->gr_chroot_dentry == tsk_b->gr_chroot_dentry)
58c5fc13
MT		 45125+
45126+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
45127+ task->pid, cred->uid, \
45128+ cred->euid, cred->gid, cred->egid, \
45129+ gr_parent_task_fullpath(task), \
45130+ task->parent->comm, task->parent->pid, \
45131+ pcred->uid, pcred->euid, \
45132+ pcred->gid, pcred->egid
45133+
45134+#define GR_CHROOT_CAPS {{ \
45135+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
45136+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
45137+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
45138+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
45139+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
45140+ CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
45141+
45142+#define security_learn(normal_msg,args...) \
45143+({ \
45144+ read_lock(&grsec_exec_file_lock); \
45145+ gr_add_learn_entry(normal_msg "\n", ## args); \
45146+ read_unlock(&grsec_exec_file_lock); \
45147+})
45148+
45149+enum {
45150+ GR_DO_AUDIT,
45151+ GR_DONT_AUDIT,
45152+ GR_DONT_AUDIT_GOOD
45153+};
45154+
45155+enum {
45156+ GR_TTYSNIFF,
45157+ GR_RBAC,
45158+ GR_RBAC_STR,
45159+ GR_STR_RBAC,
45160+ GR_RBAC_MODE2,
45161+ GR_RBAC_MODE3,
45162+ GR_FILENAME,
45163+ GR_SYSCTL_HIDDEN,
45164+ GR_NOARGS,
45165+ GR_ONE_INT,
45166+ GR_ONE_INT_TWO_STR,
45167+ GR_ONE_STR,
45168+ GR_STR_INT,
45169+ GR_TWO_INT,
45170+ GR_THREE_INT,
45171+ GR_FIVE_INT_TWO_STR,
45172+ GR_TWO_STR,
45173+ GR_THREE_STR,
45174+ GR_FOUR_STR,
45175+ GR_STR_FILENAME,
45176+ GR_FILENAME_STR,
45177+ GR_FILENAME_TWO_INT,
45178+ GR_FILENAME_TWO_INT_STR,
45179+ GR_TEXTREL,
45180+ GR_PTRACE,
45181+ GR_RESOURCE,
45182+ GR_CAP,
45183+ GR_SIG,
45184+ GR_SIG2,
45185+ GR_CRASH1,
45186+ GR_CRASH2,
45187+ GR_PSACCT
45188+};
45189+
45190+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
45191+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
45192+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
45193+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
45194+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
45195+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
45196+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
45197+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
45198+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
45199+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
45200+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
45201+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
45202+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
45203+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
45204+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
45205+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
45206+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
45207+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
45208+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
45209+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
45210+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
45211+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
45212+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
45213+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
45214+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
45215+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
45216+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
45217+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
45218+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
45219+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
45220+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
45221+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
45222+
45223+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
45224+
45225+#endif
45226+
45227+#endif
57199397
MT		 45228diff -urNp linux-2.6.35.4/include/linux/grmsg.h linux-2.6.35.4/include/linux/grmsg.h
45229--- linux-2.6.35.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
45230+++ linux-2.6.35.4/include/linux/grmsg.h 2010-09-17 20:12:37.000000000 -0400
df50ba0c 45231@@ -0,0 +1,108 @@
58c5fc13 45232+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
ae4e228f 45233+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
58c5fc13
MT		 45234+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
45235+#define GR_STOPMOD_MSG "denied modification of module state by "
ae4e228f
MT		 45236+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
45237+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
58c5fc13
MT		 45238+#define GR_IOPERM_MSG "denied use of ioperm() by "
45239+#define GR_IOPL_MSG "denied use of iopl() by "
45240+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
45241+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
45242+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
45243+#define GR_KMEM_MSG "denied write of /dev/kmem by "
45244+#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
45245+#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
45246+#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
45247+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
ae4e228f
MT		 45248+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
45249+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
58c5fc13
MT		 45250+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
45251+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
45252+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
45253+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
45254+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
45255+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
45256+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
ae4e228f 45257+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
58c5fc13
MT		 45258+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
45259+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
45260+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
45261+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
45262+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
45263+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
45264+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
45265+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
ae4e228f 45266+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
58c5fc13
MT		 45267+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
45268+#define GR_NPROC_MSG "denied overstep of process limit by "
45269+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
45270+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
45271+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
45272+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
45273+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
45274+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
45275+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
45276+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
45277+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
45278+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
45279+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
45280+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
45281+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
45282+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
45283+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
45284+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
45285+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
45286+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
45287+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
45288+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
45289+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
45290+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
45291+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
45292+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
45293+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
45294+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
45295+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
45296+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
45297+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
45298+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
45299+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
45300+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
45301+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
45302+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
45303+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
45304+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
58c5fc13
MT		 45305+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
45306+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
45307+#define GR_FAILFORK_MSG "failed fork with errno %d by "
45308+#define GR_NICE_CHROOT_MSG "denied priority change by "
45309+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
45310+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
45311+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
45312+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
45313+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
45314+#define GR_TIME_MSG "time set by "
45315+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
45316+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
45317+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
45318+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
45319+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
45320+#define GR_BIND_MSG "denied bind() by "
45321+#define GR_CONNECT_MSG "denied connect() by "
ae4e228f
MT		 45322+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
45323+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
45324+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
58c5fc13
MT		 45325+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
45326+#define GR_CAP_ACL_MSG "use of %s denied for "
df50ba0c 45327+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
58c5fc13
MT		 45328+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
45329+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
45330+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
45331+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
45332+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
45333+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
45334+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
45335+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
45336+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
45337+#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
ae4e228f
MT		 45338+#define GR_VM86_MSG "denied use of vm86 by "
45339+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
57199397
MT		 45340diff -urNp linux-2.6.35.4/include/linux/grsecurity.h linux-2.6.35.4/include/linux/grsecurity.h
45341--- linux-2.6.35.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
45342+++ linux-2.6.35.4/include/linux/grsecurity.h 2010-09-17 20:12:37.000000000 -0400
45343@@ -0,0 +1,203 @@
58c5fc13
MT		 45344+#ifndef GR_SECURITY_H
45345+#define GR_SECURITY_H
45346+#include <linux/fs.h>
45347+#include <linux/fs_struct.h>
45348+#include <linux/binfmts.h>
45349+#include <linux/gracl.h>
45350+
45351+/* notify of brain-dead configs */
45352+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
45353+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
45354+#endif
45355+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45356+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45357+#endif
45358+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45359+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45360+#endif
45361+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
45362+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
45363+#endif
45364+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
45365+#error "CONFIG_PAX enabled, but no PaX options are enabled."
45366+#endif
45367+
45368+void gr_handle_brute_attach(struct task_struct *p);
45369+void gr_handle_brute_check(void);
45370+
45371+char gr_roletype_to_char(void);
45372+
45373+int gr_check_user_change(int real, int effective, int fs);
45374+int gr_check_group_change(int real, int effective, int fs);
45375+
45376+void gr_del_task_from_ip_table(struct task_struct *p);
45377+
45378+int gr_pid_is_chrooted(struct task_struct *p);
57199397 45379+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
58c5fc13
MT		 45380+int gr_handle_chroot_nice(void);
45381+int gr_handle_chroot_sysctl(const int op);
45382+int gr_handle_chroot_setpriority(struct task_struct *p,
45383+ const int niceval);
45384+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
45385+int gr_handle_chroot_chroot(const struct dentry *dentry,
45386+ const struct vfsmount *mnt);
45387+int gr_handle_chroot_caps(struct path *path);
45388+void gr_handle_chroot_chdir(struct path *path);
45389+int gr_handle_chroot_chmod(const struct dentry *dentry,
45390+ const struct vfsmount *mnt, const int mode);
45391+int gr_handle_chroot_mknod(const struct dentry *dentry,
45392+ const struct vfsmount *mnt, const int mode);
45393+int gr_handle_chroot_mount(const struct dentry *dentry,
45394+ const struct vfsmount *mnt,
45395+ const char *dev_name);
45396+int gr_handle_chroot_pivot(void);
45397+int gr_handle_chroot_unix(const pid_t pid);
45398+
45399+int gr_handle_rawio(const struct inode *inode);
45400+int gr_handle_nproc(void);
45401+
45402+void gr_handle_ioperm(void);
45403+void gr_handle_iopl(void);
45404+
45405+int gr_tpe_allow(const struct file *file);
45406+
df50ba0c
MT		 45407+void gr_set_chroot_entries(struct task_struct *task, struct path *path);
45408+void gr_clear_chroot_entries(struct task_struct *task);
58c5fc13
MT		 45409+
45410+void gr_log_forkfail(const int retval);
45411+void gr_log_timechange(void);
45412+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
45413+void gr_log_chdir(const struct dentry *dentry,
45414+ const struct vfsmount *mnt);
45415+void gr_log_chroot_exec(const struct dentry *dentry,
45416+ const struct vfsmount *mnt);
45417+void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
45418+void gr_log_remount(const char *devname, const int retval);
45419+void gr_log_unmount(const char *devname, const int retval);
45420+void gr_log_mount(const char *from, const char *to, const int retval);
45421+void gr_log_textrel(struct vm_area_struct *vma);
45422+
45423+int gr_handle_follow_link(const struct inode *parent,
45424+ const struct inode *inode,
45425+ const struct dentry *dentry,
45426+ const struct vfsmount *mnt);
45427+int gr_handle_fifo(const struct dentry *dentry,
45428+ const struct vfsmount *mnt,
45429+ const struct dentry *dir, const int flag,
45430+ const int acc_mode);
45431+int gr_handle_hardlink(const struct dentry *dentry,
45432+ const struct vfsmount *mnt,
45433+ struct inode *inode,
45434+ const int mode, const char *to);
45435+
45436+int gr_is_capable(const int cap);
45437+int gr_is_capable_nolog(const int cap);
45438+void gr_learn_resource(const struct task_struct *task, const int limit,
45439+ const unsigned long wanted, const int gt);
45440+void gr_copy_label(struct task_struct *tsk);
45441+void gr_handle_crash(struct task_struct *task, const int sig);
45442+int gr_handle_signal(const struct task_struct *p, const int sig);
45443+int gr_check_crash_uid(const uid_t uid);
45444+int gr_check_protected_task(const struct task_struct *task);
57199397 45445+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
58c5fc13
MT		 45446+int gr_acl_handle_mmap(const struct file *file,
45447+ const unsigned long prot);
45448+int gr_acl_handle_mprotect(const struct file *file,
45449+ const unsigned long prot);
45450+int gr_check_hidden_task(const struct task_struct *tsk);
45451+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
45452+ const struct vfsmount *mnt);
45453+__u32 gr_acl_handle_utime(const struct dentry *dentry,
45454+ const struct vfsmount *mnt);
45455+__u32 gr_acl_handle_access(const struct dentry *dentry,
45456+ const struct vfsmount *mnt, const int fmode);
45457+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
45458+ const struct vfsmount *mnt, mode_t mode);
45459+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
45460+ const struct vfsmount *mnt, mode_t mode);
45461+__u32 gr_acl_handle_chown(const struct dentry *dentry,
45462+ const struct vfsmount *mnt);
45463+int gr_handle_ptrace(struct task_struct *task, const long request);
45464+int gr_handle_proc_ptrace(struct task_struct *task);
45465+__u32 gr_acl_handle_execve(const struct dentry *dentry,
45466+ const struct vfsmount *mnt);
45467+int gr_check_crash_exec(const struct file *filp);
45468+int gr_acl_is_enabled(void);
45469+void gr_set_kernel_label(struct task_struct *task);
45470+void gr_set_role_label(struct task_struct *task, const uid_t uid,
45471+ const gid_t gid);
45472+int gr_set_proc_label(const struct dentry *dentry,
45473+ const struct vfsmount *mnt,
45474+ const int unsafe_share);
45475+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
45476+ const struct vfsmount *mnt);
45477+__u32 gr_acl_handle_open(const struct dentry *dentry,
45478+ const struct vfsmount *mnt, const int fmode);
45479+__u32 gr_acl_handle_creat(const struct dentry *dentry,
45480+ const struct dentry *p_dentry,
45481+ const struct vfsmount *p_mnt, const int fmode,
45482+ const int imode);
45483+void gr_handle_create(const struct dentry *dentry,
45484+ const struct vfsmount *mnt);
45485+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
45486+ const struct dentry *parent_dentry,
45487+ const struct vfsmount *parent_mnt,
45488+ const int mode);
45489+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
45490+ const struct dentry *parent_dentry,
45491+ const struct vfsmount *parent_mnt);
45492+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
45493+ const struct vfsmount *mnt);
45494+void gr_handle_delete(const ino_t ino, const dev_t dev);
45495+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
45496+ const struct vfsmount *mnt);
45497+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
45498+ const struct dentry *parent_dentry,
45499+ const struct vfsmount *parent_mnt,
45500+ const char *from);
45501+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
45502+ const struct dentry *parent_dentry,
45503+ const struct vfsmount *parent_mnt,
45504+ const struct dentry *old_dentry,
45505+ const struct vfsmount *old_mnt, const char *to);
45506+int gr_acl_handle_rename(struct dentry *new_dentry,
45507+ struct dentry *parent_dentry,
45508+ const struct vfsmount *parent_mnt,
45509+ struct dentry *old_dentry,
45510+ struct inode *old_parent_inode,
45511+ struct vfsmount *old_mnt, const char *newname);
45512+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
45513+ struct dentry *old_dentry,
45514+ struct dentry *new_dentry,
45515+ struct vfsmount *mnt, const __u8 replace);
45516+__u32 gr_check_link(const struct dentry *new_dentry,
45517+ const struct dentry *parent_dentry,
45518+ const struct vfsmount *parent_mnt,
45519+ const struct dentry *old_dentry,
45520+ const struct vfsmount *old_mnt);
45521+int gr_acl_handle_filldir(const struct file *file, const char *name,
45522+ const unsigned int namelen, const ino_t ino);
45523+
45524+__u32 gr_acl_handle_unix(const struct dentry *dentry,
45525+ const struct vfsmount *mnt);
45526+void gr_acl_handle_exit(void);
45527+void gr_acl_handle_psacct(struct task_struct *task, const long code);
45528+int gr_acl_handle_procpidmem(const struct task_struct *task);
ae4e228f
MT		 45529+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
45530+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
45531+void gr_audit_ptrace(struct task_struct *task);
58c5fc13
MT		 45532+
45533+#ifdef CONFIG_GRKERNSEC
45534+void gr_log_nonroot_mod_load(const char *modname);
ae4e228f 45535+void gr_handle_vm86(void);
58c5fc13
MT		 45536+void gr_handle_mem_write(void);
45537+void gr_handle_kmem_write(void);
45538+void gr_handle_open_port(void);
45539+int gr_handle_mem_mmap(const unsigned long offset,
45540+ struct vm_area_struct *vma);
45541+
45542+extern int grsec_enable_dmesg;
df50ba0c 45543+extern int grsec_disable_privio;
58c5fc13
MT		 45544+#endif
45545+
45546+#endif
57199397
MT		 45547diff -urNp linux-2.6.35.4/include/linux/grsock.h linux-2.6.35.4/include/linux/grsock.h
45548--- linux-2.6.35.4/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
45549+++ linux-2.6.35.4/include/linux/grsock.h 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 45550@@ -0,0 +1,19 @@
45551+#ifndef __GRSOCK_H
45552+#define __GRSOCK_H
45553+
45554+extern void gr_attach_curr_ip(const struct sock *sk);
45555+extern int gr_handle_sock_all(const int family, const int type,
45556+ const int protocol);
45557+extern int gr_handle_sock_server(const struct sockaddr *sck);
df50ba0c 45558+extern int gr_handle_sock_server_other(const struct sock *sck);
ae4e228f
MT		 45559+extern int gr_handle_sock_client(const struct sockaddr *sck);
45560+extern int gr_search_connect(struct socket * sock,
45561+ struct sockaddr_in * addr);
45562+extern int gr_search_bind(struct socket * sock,
45563+ struct sockaddr_in * addr);
45564+extern int gr_search_listen(struct socket * sock);
45565+extern int gr_search_accept(struct socket * sock);
45566+extern int gr_search_socket(const int domain, const int type,
45567+ const int protocol);
45568+
45569+#endif
57199397
MT		 45570diff -urNp linux-2.6.35.4/include/linux/highmem.h linux-2.6.35.4/include/linux/highmem.h
45571--- linux-2.6.35.4/include/linux/highmem.h 2010-08-26 19:47:12.000000000 -0400
45572+++ linux-2.6.35.4/include/linux/highmem.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 45573@@ -143,6 +143,18 @@ static inline void clear_highpage(struct
58c5fc13
MT		 45574 kunmap_atomic(kaddr, KM_USER0);
45575 }
45576
45577+static inline void sanitize_highpage(struct page *page)
45578+{
45579+ void *kaddr;
45580+ unsigned long flags;
45581+
45582+ local_irq_save(flags);
45583+ kaddr = kmap_atomic(page, KM_CLEARPAGE);
45584+ clear_page(kaddr);
45585+ kunmap_atomic(kaddr, KM_CLEARPAGE);
45586+ local_irq_restore(flags);
45587+}
45588+
45589 static inline void zero_user_segments(struct page *page,
45590 unsigned start1, unsigned end1,
45591 unsigned start2, unsigned end2)
57199397
MT		 45592diff -urNp linux-2.6.35.4/include/linux/interrupt.h linux-2.6.35.4/include/linux/interrupt.h
45593--- linux-2.6.35.4/include/linux/interrupt.h 2010-08-26 19:47:12.000000000 -0400
45594+++ linux-2.6.35.4/include/linux/interrupt.h 2010-09-17 20:12:09.000000000 -0400
45595@@ -392,7 +392,7 @@ enum
ae4e228f
MT		 45596 /* map softirq index to softirq name. update 'softirq_to_name' in
45597 * kernel/softirq.c when adding a new softirq.
45598 */
45599-extern char *softirq_to_name[NR_SOFTIRQS];
45600+extern const char * const softirq_to_name[NR_SOFTIRQS];
45601
45602 /* softirq mask and active fields moved to irq_cpustat_t in
45603 * asm/hardirq.h to get better cache usage. KAO
57199397 45604@@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
ae4e228f
MT		 45605
45606 struct softirq_action
45607 {
45608- void (*action)(struct softirq_action *);
45609+ void (*action)(void);
45610 };
45611
45612 asmlinkage void do_softirq(void);
45613 asmlinkage void __do_softirq(void);
45614-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
45615+extern void open_softirq(int nr, void (*action)(void));
45616 extern void softirq_init(void);
45617 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
45618 extern void raise_softirq_irqoff(unsigned int nr);
57199397
MT		 45619diff -urNp linux-2.6.35.4/include/linux/jbd2.h linux-2.6.35.4/include/linux/jbd2.h
45620--- linux-2.6.35.4/include/linux/jbd2.h 2010-08-26 19:47:12.000000000 -0400
45621+++ linux-2.6.35.4/include/linux/jbd2.h 2010-09-17 20:12:09.000000000 -0400
45622@@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
58c5fc13
MT		 45623 } \
45624 } while (0)
45625 #else
45626-#define jbd_debug(f, a...) /**/
45627+#define jbd_debug(f, a...) do {} while (0)
45628 #endif
45629
57199397
MT		 45630 extern void *jbd2_alloc(size_t size, gfp_t flags);
45631diff -urNp linux-2.6.35.4/include/linux/jbd.h linux-2.6.35.4/include/linux/jbd.h
45632--- linux-2.6.35.4/include/linux/jbd.h 2010-08-26 19:47:12.000000000 -0400
45633+++ linux-2.6.35.4/include/linux/jbd.h 2010-09-17 20:12:09.000000000 -0400
45634@@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
58c5fc13
MT		 45635 } \
45636 } while (0)
45637 #else
45638-#define jbd_debug(f, a...) /**/
45639+#define jbd_debug(f, a...) do {} while (0)
45640 #endif
45641
57199397
MT		 45642 static inline void *jbd_alloc(size_t size, gfp_t flags)
45643diff -urNp linux-2.6.35.4/include/linux/kallsyms.h linux-2.6.35.4/include/linux/kallsyms.h
45644--- linux-2.6.35.4/include/linux/kallsyms.h 2010-08-26 19:47:12.000000000 -0400
45645+++ linux-2.6.35.4/include/linux/kallsyms.h 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 45646@@ -15,7 +15,8 @@
45647
45648 struct module;
45649
45650-#ifdef CONFIG_KALLSYMS
45651+#ifndef __INCLUDED_BY_HIDESYM
45652+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45653 /* Lookup the address for a symbol. Returns 0 if not found. */
45654 unsigned long kallsyms_lookup_name(const char *name);
45655
45656@@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
45657 /* Stupid that this does nothing, but I didn't create this mess. */
45658 #define __print_symbol(fmt, addr)
45659 #endif /*CONFIG_KALLSYMS*/
45660+#else /* when included by kallsyms.c, with HIDESYM enabled */
45661+extern void __print_symbol(const char *fmt, unsigned long address);
45662+#endif
45663
45664 /* This macro allows us to keep printk typechecking */
45665 static void __check_printsym_format(const char *fmt, ...)
57199397
MT		 45666diff -urNp linux-2.6.35.4/include/linux/kgdb.h linux-2.6.35.4/include/linux/kgdb.h
45667--- linux-2.6.35.4/include/linux/kgdb.h 2010-08-26 19:47:12.000000000 -0400
45668+++ linux-2.6.35.4/include/linux/kgdb.h 2010-09-17 20:12:09.000000000 -0400
45669@@ -263,22 +263,22 @@ struct kgdb_arch {
ae4e228f
MT		 45670 */
45671 struct kgdb_io {
45672 const char *name;
45673- int (*read_char) (void);
45674- void (*write_char) (u8);
45675- void (*flush) (void);
45676- int (*init) (void);
45677- void (*pre_exception) (void);
45678- void (*post_exception) (void);
45679+ int (* const read_char) (void);
45680+ void (* const write_char) (u8);
45681+ void (* const flush) (void);
45682+ int (* const init) (void);
45683+ void (* const pre_exception) (void);
45684+ void (* const post_exception) (void);
57199397 45685 int is_console;
ae4e228f
MT		 45686 };
45687
45688-extern struct kgdb_arch arch_kgdb_ops;
45689+extern const struct kgdb_arch arch_kgdb_ops;
45690
45691 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
45692
45693-extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
45694-extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
57199397 45695-extern struct kgdb_io *dbg_io_ops;
ae4e228f
MT		 45696+extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
45697+extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
57199397 45698+extern const struct kgdb_io *dbg_io_ops;
ae4e228f
MT		 45699
45700 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
45701 extern int kgdb_mem2hex(char *mem, char *buf, int count);
57199397
MT		 45702diff -urNp linux-2.6.35.4/include/linux/kvm_host.h linux-2.6.35.4/include/linux/kvm_host.h
45703--- linux-2.6.35.4/include/linux/kvm_host.h 2010-08-26 19:47:12.000000000 -0400
45704+++ linux-2.6.35.4/include/linux/kvm_host.h 2010-09-17 20:12:09.000000000 -0400
45705@@ -243,7 +243,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
58c5fc13
MT		 45706 void vcpu_load(struct kvm_vcpu *vcpu);
45707 void vcpu_put(struct kvm_vcpu *vcpu);
45708
57199397
MT		 45709-int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45710+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
58c5fc13
MT		 45711 struct module *module);
45712 void kvm_exit(void);
45713
57199397 45714@@ -367,7 +367,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
58c5fc13
MT		 45715 struct kvm_guest_debug *dbg);
45716 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
45717
45718-int kvm_arch_init(void *opaque);
45719+int kvm_arch_init(const void *opaque);
45720 void kvm_arch_exit(void);
45721
45722 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
57199397
MT		 45723diff -urNp linux-2.6.35.4/include/linux/libata.h linux-2.6.35.4/include/linux/libata.h
45724--- linux-2.6.35.4/include/linux/libata.h 2010-08-26 19:47:12.000000000 -0400
45725+++ linux-2.6.35.4/include/linux/libata.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 45726@@ -64,11 +64,11 @@
45727 #ifdef ATA_VERBOSE_DEBUG
45728 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
45729 #else
45730-#define VPRINTK(fmt, args...)
45731+#define VPRINTK(fmt, args...) do {} while (0)
45732 #endif /* ATA_VERBOSE_DEBUG */
45733 #else
45734-#define DPRINTK(fmt, args...)
45735-#define VPRINTK(fmt, args...)
45736+#define DPRINTK(fmt, args...) do {} while (0)
45737+#define VPRINTK(fmt, args...) do {} while (0)
45738 #endif /* ATA_DEBUG */
45739
45740 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
57199397 45741@@ -523,11 +523,11 @@ struct ata_ioports {
ae4e228f
MT		 45742
45743 struct ata_host {
45744 spinlock_t lock;
45745- struct device *dev;
45746+ struct device *dev;
45747 void __iomem * const *iomap;
45748 unsigned int n_ports;
45749 void *private_data;
45750- struct ata_port_operations *ops;
45751+ const struct ata_port_operations *ops;
45752 unsigned long flags;
45753 #ifdef CONFIG_ATA_ACPI
45754 acpi_handle acpi_handle;
57199397 45755@@ -709,7 +709,7 @@ struct ata_link {
ae4e228f
MT		 45756
45757 struct ata_port {
45758 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
45759- struct ata_port_operations *ops;
45760+ const struct ata_port_operations *ops;
45761 spinlock_t *lock;
45762 /* Flags owned by the EH context. Only EH should touch these once the
45763 port is active */
df50ba0c 45764@@ -894,7 +894,7 @@ struct ata_port_info {
ae4e228f
MT		 45765 unsigned long pio_mask;
45766 unsigned long mwdma_mask;
45767 unsigned long udma_mask;
45768- struct ata_port_operations *port_ops;
45769+ const struct ata_port_operations *port_ops;
45770 void *private_data;
45771 };
45772
df50ba0c 45773@@ -918,7 +918,7 @@ extern const unsigned long sata_deb_timi
ae4e228f
MT		 45774 extern const unsigned long sata_deb_timing_hotplug[];
45775 extern const unsigned long sata_deb_timing_long[];
45776
45777-extern struct ata_port_operations ata_dummy_port_ops;
45778+extern const struct ata_port_operations ata_dummy_port_ops;
45779 extern const struct ata_port_info ata_dummy_port_info;
45780
45781 static inline const unsigned long *
57199397 45782@@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
ae4e228f
MT		 45783 struct scsi_host_template *sht);
45784 extern void ata_host_detach(struct ata_host *host);
45785 extern void ata_host_init(struct ata_host *, struct device *,
45786- unsigned long, struct ata_port_operations *);
45787+ unsigned long, const struct ata_port_operations *);
45788 extern int ata_scsi_detect(struct scsi_host_template *sht);
45789 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
45790 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
57199397
MT		 45791diff -urNp linux-2.6.35.4/include/linux/lockd/bind.h linux-2.6.35.4/include/linux/lockd/bind.h
45792--- linux-2.6.35.4/include/linux/lockd/bind.h 2010-08-26 19:47:12.000000000 -0400
45793+++ linux-2.6.35.4/include/linux/lockd/bind.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 45794@@ -23,13 +23,13 @@ struct svc_rqst;
45795 * This is the set of functions for lockd->nfsd communication
45796 */
45797 struct nlmsvc_binding {
45798- __be32 (*fopen)(struct svc_rqst *,
45799+ __be32 (* const fopen)(struct svc_rqst *,
45800 struct nfs_fh *,
45801 struct file **);
45802- void (*fclose)(struct file *);
45803+ void (* const fclose)(struct file *);
45804 };
45805
45806-extern struct nlmsvc_binding * nlmsvc_ops;
45807+extern const struct nlmsvc_binding * nlmsvc_ops;
45808
45809 /*
45810 * Similar to nfs_client_initdata, but without the NFS-specific
57199397
MT		 45811diff -urNp linux-2.6.35.4/include/linux/mm.h linux-2.6.35.4/include/linux/mm.h
45812--- linux-2.6.35.4/include/linux/mm.h 2010-08-26 19:47:12.000000000 -0400
45813+++ linux-2.6.35.4/include/linux/mm.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 45814@@ -103,7 +103,14 @@ extern unsigned int kobjsize(const void
58c5fc13 45815
df50ba0c
MT		 45816 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
45817 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
45818+
45819+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
45820+#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
45821+#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
45822+#else
45823 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
58c5fc13
MT		 45824+#endif
45825+
df50ba0c
MT		 45826 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
45827 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
45828
57199397 45829@@ -1010,6 +1017,8 @@ struct shrinker {
58c5fc13
MT		 45830 extern void register_shrinker(struct shrinker *);
45831 extern void unregister_shrinker(struct shrinker *);
45832
45833+pgprot_t vm_get_page_prot(unsigned long vm_flags);
45834+
45835 int vma_wants_writenotify(struct vm_area_struct *vma);
45836
45837 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
57199397 45838@@ -1286,6 +1295,7 @@ out:
58c5fc13
MT		 45839 }
45840
45841 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
45842+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
45843
45844 extern unsigned long do_brk(unsigned long, unsigned long);
45845
57199397 45846@@ -1340,6 +1350,10 @@ extern struct vm_area_struct * find_vma(
58c5fc13
MT		 45847 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
45848 struct vm_area_struct **pprev);
45849
45850+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
df50ba0c 45851+extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
58c5fc13
MT		 45852+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
45853+
45854 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
45855 NULL if none. Assume start_addr < end_addr. */
45856 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
57199397 45857@@ -1356,7 +1370,6 @@ static inline unsigned long vma_pages(st
58c5fc13
MT		 45858 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
45859 }
45860
45861-pgprot_t vm_get_page_prot(unsigned long vm_flags);
45862 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
45863 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
45864 unsigned long pfn, unsigned long size, pgprot_t);
57199397 45865@@ -1463,10 +1476,16 @@ extern int unpoison_memory(unsigned long
ae4e228f
MT		 45866 extern int sysctl_memory_failure_early_kill;
45867 extern int sysctl_memory_failure_recovery;
45868 extern void shake_page(struct page *p, int access);
45869-extern atomic_long_t mce_bad_pages;
45870+extern atomic_long_unchecked_t mce_bad_pages;
45871 extern int soft_offline_page(struct page *page, int flags);
45872
df50ba0c
MT		 45873 extern void dump_page(struct page *page);
45874
58c5fc13
MT		 45875+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
45876+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
45877+#else
45878+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
45879+#endif
45880+
45881 #endif /* __KERNEL__ */
45882 #endif /* _LINUX_MM_H */
57199397
MT		 45883diff -urNp linux-2.6.35.4/include/linux/mm_types.h linux-2.6.35.4/include/linux/mm_types.h
45884--- linux-2.6.35.4/include/linux/mm_types.h 2010-08-26 19:47:12.000000000 -0400
45885+++ linux-2.6.35.4/include/linux/mm_types.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 45886@@ -183,6 +183,8 @@ struct vm_area_struct {
58c5fc13
MT		 45887 #ifdef CONFIG_NUMA
45888 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
45889 #endif
45890+
45891+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
45892 };
45893
45894 struct core_thread {
df50ba0c 45895@@ -310,6 +312,24 @@ struct mm_struct {
58c5fc13
MT		 45896 #ifdef CONFIG_MMU_NOTIFIER
45897 struct mmu_notifier_mm *mmu_notifier_mm;
45898 #endif
45899+
45900+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45901+ unsigned long pax_flags;
45902+#endif
45903+
45904+#ifdef CONFIG_PAX_DLRESOLVE
45905+ unsigned long call_dl_resolve;
45906+#endif
45907+
45908+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
45909+ unsigned long call_syscall;
45910+#endif
45911+
45912+#ifdef CONFIG_PAX_ASLR
45913+ unsigned long delta_mmap; /* randomized offset */
45914+ unsigned long delta_stack; /* randomized offset */
45915+#endif
45916+
45917 };
45918
45919 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
57199397
MT		 45920diff -urNp linux-2.6.35.4/include/linux/mmu_notifier.h linux-2.6.35.4/include/linux/mmu_notifier.h
45921--- linux-2.6.35.4/include/linux/mmu_notifier.h 2010-08-26 19:47:12.000000000 -0400
45922+++ linux-2.6.35.4/include/linux/mmu_notifier.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 45923@@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
45924 */
45925 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
45926 ({ \
45927- pte_t __pte; \
45928+ pte_t ___pte; \
45929 struct vm_area_struct *___vma = __vma; \
45930 unsigned long ___address = __address; \
45931- __pte = ptep_clear_flush(___vma, ___address, __ptep); \
45932+ ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
45933 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
45934- __pte; \
45935+ ___pte; \
45936 })
45937
45938 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
57199397
MT		 45939diff -urNp linux-2.6.35.4/include/linux/mmzone.h linux-2.6.35.4/include/linux/mmzone.h
45940--- linux-2.6.35.4/include/linux/mmzone.h 2010-08-26 19:47:12.000000000 -0400
45941+++ linux-2.6.35.4/include/linux/mmzone.h 2010-09-17 20:12:09.000000000 -0400
45942@@ -345,7 +345,7 @@ struct zone {
45943 unsigned long flags; /* zone flags, see below */
45944
45945 /* Zone statistics */
45946- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45947+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
45948
45949 /*
45950 * prev_priority holds the scanning priority for this zone. It is
45951diff -urNp linux-2.6.35.4/include/linux/mod_devicetable.h linux-2.6.35.4/include/linux/mod_devicetable.h
45952--- linux-2.6.35.4/include/linux/mod_devicetable.h 2010-08-26 19:47:12.000000000 -0400
45953+++ linux-2.6.35.4/include/linux/mod_devicetable.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 45954@@ -12,7 +12,7 @@
45955 typedef unsigned long kernel_ulong_t;
45956 #endif
45957
45958-#define PCI_ANY_ID (~0)
45959+#define PCI_ANY_ID ((__u16)~0)
45960
45961 struct pci_device_id {
45962 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
45963@@ -131,7 +131,7 @@ struct usb_device_id {
45964 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
45965 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
45966
45967-#define HID_ANY_ID (~0)
45968+#define HID_ANY_ID (~0U)
45969
45970 struct hid_device_id {
45971 __u16 bus;
57199397
MT		 45972diff -urNp linux-2.6.35.4/include/linux/module.h linux-2.6.35.4/include/linux/module.h
45973--- linux-2.6.35.4/include/linux/module.h 2010-08-26 19:47:12.000000000 -0400
45974+++ linux-2.6.35.4/include/linux/module.h 2010-09-17 20:12:09.000000000 -0400
45975@@ -297,16 +297,16 @@ struct module
58c5fc13
MT		 45976 int (*init)(void);
45977
45978 /* If this is non-NULL, vfree after init() returns */
45979- void *module_init;
45980+ void *module_init_rx, *module_init_rw;
45981
45982 /* Here is the actual code + data, vfree'd on unload. */
45983- void *module_core;
45984+ void *module_core_rx, *module_core_rw;
45985
45986 /* Here are the sizes of the init and core sections */
45987- unsigned int init_size, core_size;
45988+ unsigned int init_size_rw, core_size_rw;
45989
45990 /* The size of the executable code in each section. */
45991- unsigned int init_text_size, core_text_size;
45992+ unsigned int init_size_rx, core_size_rx;
45993
45994 /* Arch-specific module values */
45995 struct mod_arch_specific arch;
57199397 45996@@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
df50ba0c 45997 bool is_module_percpu_address(unsigned long addr);
58c5fc13
MT		 45998 bool is_module_text_address(unsigned long addr);
45999
46000+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
46001+{
46002+
46003+#ifdef CONFIG_PAX_KERNEXEC
46004+ if (ktla_ktva(addr) >= (unsigned long)start &&
46005+ ktla_ktva(addr) < (unsigned long)start + size)
46006+ return 1;
46007+#endif
46008+
46009+ return ((void *)addr >= start && (void *)addr < start + size);
46010+}
46011+
46012+static inline int within_module_core_rx(unsigned long addr, struct module *mod)
46013+{
46014+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
46015+}
46016+
46017+static inline int within_module_core_rw(unsigned long addr, struct module *mod)
46018+{
46019+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
46020+}
46021+
46022+static inline int within_module_init_rx(unsigned long addr, struct module *mod)
46023+{
46024+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
46025+}
46026+
46027+static inline int within_module_init_rw(unsigned long addr, struct module *mod)
46028+{
46029+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
46030+}
46031+
46032 static inline int within_module_core(unsigned long addr, struct module *mod)
46033 {
46034- return (unsigned long)mod->module_core <= addr &&
46035- addr < (unsigned long)mod->module_core + mod->core_size;
46036+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
46037 }
46038
46039 static inline int within_module_init(unsigned long addr, struct module *mod)
46040 {
46041- return (unsigned long)mod->module_init <= addr &&
46042- addr < (unsigned long)mod->module_init + mod->init_size;
46043+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
46044 }
46045
46046 /* Search for module by name: must hold module_mutex. */
57199397
MT		 46047diff -urNp linux-2.6.35.4/include/linux/moduleloader.h linux-2.6.35.4/include/linux/moduleloader.h
46048--- linux-2.6.35.4/include/linux/moduleloader.h 2010-08-26 19:47:12.000000000 -0400
46049+++ linux-2.6.35.4/include/linux/moduleloader.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 46050@@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
46051 sections. Returns NULL on failure. */
46052 void *module_alloc(unsigned long size);
46053
46054+#ifdef CONFIG_PAX_KERNEXEC
46055+void *module_alloc_exec(unsigned long size);
46056+#else
46057+#define module_alloc_exec(x) module_alloc(x)
46058+#endif
46059+
46060 /* Free memory returned from module_alloc. */
46061 void module_free(struct module *mod, void *module_region);
46062
46063+#ifdef CONFIG_PAX_KERNEXEC
46064+void module_free_exec(struct module *mod, void *module_region);
46065+#else
ae4e228f 46066+#define module_free_exec(x, y) module_free((x), (y))
58c5fc13
MT		 46067+#endif
46068+
46069 /* Apply the given relocation to the (simplified) ELF. Return -error
46070 or 0. */
46071 int apply_relocate(Elf_Shdr *sechdrs,
57199397
MT		 46072diff -urNp linux-2.6.35.4/include/linux/namei.h linux-2.6.35.4/include/linux/namei.h
46073--- linux-2.6.35.4/include/linux/namei.h 2010-08-26 19:47:12.000000000 -0400
46074+++ linux-2.6.35.4/include/linux/namei.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 46075@@ -22,7 +22,7 @@ struct nameidata {
46076 unsigned int flags;
46077 int last_type;
46078 unsigned depth;
46079- char *saved_names[MAX_NESTED_LINKS + 1];
46080+ const char *saved_names[MAX_NESTED_LINKS + 1];
46081
46082 /* Intent data */
46083 union {
ae4e228f 46084@@ -81,12 +81,12 @@ extern int follow_up(struct path *);
58c5fc13
MT		 46085 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
46086 extern void unlock_rename(struct dentry *, struct dentry *);
46087
46088-static inline void nd_set_link(struct nameidata *nd, char *path)
46089+static inline void nd_set_link(struct nameidata *nd, const char *path)
46090 {
46091 nd->saved_names[nd->depth] = path;
46092 }
46093
46094-static inline char *nd_get_link(struct nameidata *nd)
ae4e228f 46095+static inline const char *nd_get_link(const struct nameidata *nd)
58c5fc13
MT		 46096 {
46097 return nd->saved_names[nd->depth];
46098 }
57199397
MT		 46099diff -urNp linux-2.6.35.4/include/linux/oprofile.h linux-2.6.35.4/include/linux/oprofile.h
46100--- linux-2.6.35.4/include/linux/oprofile.h 2010-08-26 19:47:12.000000000 -0400
46101+++ linux-2.6.35.4/include/linux/oprofile.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 46102@@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
46103 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
46104 char const * name, ulong * val);
58c5fc13 46105
ae4e228f
MT		 46106-/** Create a file for read-only access to an atomic_t. */
46107+/** Create a file for read-only access to an atomic_unchecked_t. */
58c5fc13
MT		 46108 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
46109- char const * name, atomic_t * val);
46110+ char const * name, atomic_unchecked_t * val);
46111
46112 /** create a directory */
46113 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
57199397
MT		 46114diff -urNp linux-2.6.35.4/include/linux/pipe_fs_i.h linux-2.6.35.4/include/linux/pipe_fs_i.h
46115--- linux-2.6.35.4/include/linux/pipe_fs_i.h 2010-08-26 19:47:12.000000000 -0400
46116+++ linux-2.6.35.4/include/linux/pipe_fs_i.h 2010-09-17 20:12:09.000000000 -0400
46117@@ -45,9 +45,9 @@ struct pipe_buffer {
46118 struct pipe_inode_info {
ae4e228f 46119 wait_queue_head_t wait;
57199397 46120 unsigned int nrbufs, curbuf, buffers;
ae4e228f
MT		 46121- unsigned int readers;
46122- unsigned int writers;
46123- unsigned int waiting_writers;
46124+ atomic_t readers;
46125+ atomic_t writers;
46126+ atomic_t waiting_writers;
46127 unsigned int r_counter;
46128 unsigned int w_counter;
57199397
MT		 46129 struct page *tmp_page;
46130diff -urNp linux-2.6.35.4/include/linux/poison.h linux-2.6.35.4/include/linux/poison.h
46131--- linux-2.6.35.4/include/linux/poison.h 2010-08-26 19:47:12.000000000 -0400
46132+++ linux-2.6.35.4/include/linux/poison.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 46133@@ -19,8 +19,8 @@
58c5fc13
MT		 46134 * under normal circumstances, used to verify that nobody uses
46135 * non-initialized list entries.
46136 */
ae4e228f
MT		 46137-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
46138-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
46139+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
46140+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
58c5fc13
MT		 46141
46142 /********** include/linux/timer.h **********/
46143 /*
57199397
MT		 46144diff -urNp linux-2.6.35.4/include/linux/proc_fs.h linux-2.6.35.4/include/linux/proc_fs.h
46145--- linux-2.6.35.4/include/linux/proc_fs.h 2010-08-26 19:47:12.000000000 -0400
46146+++ linux-2.6.35.4/include/linux/proc_fs.h 2010-09-17 20:12:37.000000000 -0400
ae4e228f 46147@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
58c5fc13
MT		 46148 return proc_create_data(name, mode, parent, proc_fops, NULL);
46149 }
46150
46151+static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
46152+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
46153+{
46154+#ifdef CONFIG_GRKERNSEC_PROC_USER
46155+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
46156+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46157+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
46158+#else
46159+ return proc_create_data(name, mode, parent, proc_fops, NULL);
46160+#endif
46161+}
46162+
46163+
46164 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
46165 mode_t mode, struct proc_dir_entry *base,
46166 read_proc_t *read_proc, void * data)
57199397
MT		 46167diff -urNp linux-2.6.35.4/include/linux/random.h linux-2.6.35.4/include/linux/random.h
46168--- linux-2.6.35.4/include/linux/random.h 2010-08-26 19:47:12.000000000 -0400
46169+++ linux-2.6.35.4/include/linux/random.h 2010-09-17 20:12:09.000000000 -0400
46170@@ -80,12 +80,17 @@ void srandom32(u32 seed);
46171
46172 u32 prandom32(struct rnd_state *);
58c5fc13
MT		 46173
46174+static inline unsigned long pax_get_random_long(void)
46175+{
46176+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
46177+}
46178+
57199397
MT		 46179 /*
46180 * Handle minimum values for seeds
46181 */
46182 static inline u32 __seed(u32 x, u32 m)
46183 {
46184- return (x < m) ? x + m : x;
46185+ return (x <= m) ? x + m + 1 : x;
46186 }
58c5fc13 46187
57199397
MT		 46188 /**
46189diff -urNp linux-2.6.35.4/include/linux/reiserfs_fs.h linux-2.6.35.4/include/linux/reiserfs_fs.h
46190--- linux-2.6.35.4/include/linux/reiserfs_fs.h 2010-08-26 19:47:12.000000000 -0400
46191+++ linux-2.6.35.4/include/linux/reiserfs_fs.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 46192@@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
58c5fc13
MT		 46193 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
46194
46195 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
46196-#define get_generation(s) atomic_read (&fs_generation(s))
46197+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
46198 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
46199 #define __fs_changed(gen,s) (gen != get_generation (s))
ae4e228f
MT		 46200 #define fs_changed(gen,s) \
46201@@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
46202 */
46203
46204 struct item_operations {
46205- int (*bytes_number) (struct item_head * ih, int block_size);
46206- void (*decrement_key) (struct cpu_key *);
46207- int (*is_left_mergeable) (struct reiserfs_key * ih,
46208+ int (* const bytes_number) (struct item_head * ih, int block_size);
46209+ void (* const decrement_key) (struct cpu_key *);
46210+ int (* const is_left_mergeable) (struct reiserfs_key * ih,
46211 unsigned long bsize);
46212- void (*print_item) (struct item_head *, char *item);
46213- void (*check_item) (struct item_head *, char *item);
46214+ void (* const print_item) (struct item_head *, char *item);
46215+ void (* const check_item) (struct item_head *, char *item);
46216
46217- int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46218+ int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46219 int is_affected, int insert_size);
46220- int (*check_left) (struct virtual_item * vi, int free,
46221+ int (* const check_left) (struct virtual_item * vi, int free,
46222 int start_skip, int end_skip);
46223- int (*check_right) (struct virtual_item * vi, int free);
46224- int (*part_size) (struct virtual_item * vi, int from, int to);
46225- int (*unit_num) (struct virtual_item * vi);
46226- void (*print_vi) (struct virtual_item * vi);
46227+ int (* const check_right) (struct virtual_item * vi, int free);
46228+ int (* const part_size) (struct virtual_item * vi, int from, int to);
46229+ int (* const unit_num) (struct virtual_item * vi);
46230+ void (* const print_vi) (struct virtual_item * vi);
46231 };
46232
46233-extern struct item_operations *item_ops[TYPE_ANY + 1];
46234+extern const struct item_operations * const item_ops[TYPE_ANY + 1];
46235
46236 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
46237 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
57199397
MT		 46238diff -urNp linux-2.6.35.4/include/linux/reiserfs_fs_sb.h linux-2.6.35.4/include/linux/reiserfs_fs_sb.h
46239--- linux-2.6.35.4/include/linux/reiserfs_fs_sb.h 2010-08-26 19:47:12.000000000 -0400
46240+++ linux-2.6.35.4/include/linux/reiserfs_fs_sb.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 46241@@ -386,7 +386,7 @@ struct reiserfs_sb_info {
58c5fc13
MT		 46242 /* Comment? -Hans */
46243 wait_queue_head_t s_wait;
46244 /* To be obsoleted soon by per buffer seals.. -Hans */
46245- atomic_t s_generation_counter; // increased by one every time the
46246+ atomic_unchecked_t s_generation_counter; // increased by one every time the
46247 // tree gets re-balanced
46248 unsigned long s_properties; /* File system properties. Currently holds
46249 on-disk FS format */
57199397
MT		 46250diff -urNp linux-2.6.35.4/include/linux/rmap.h linux-2.6.35.4/include/linux/rmap.h
46251--- linux-2.6.35.4/include/linux/rmap.h 2010-08-26 19:47:12.000000000 -0400
46252+++ linux-2.6.35.4/include/linux/rmap.h 2010-09-17 20:12:09.000000000 -0400
46253@@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
46254 void anon_vma_init(void); /* create anon_vma_cachep */
46255 int anon_vma_prepare(struct vm_area_struct *);
46256 void unlink_anon_vmas(struct vm_area_struct *);
46257-int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
46258-int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
46259+int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
46260+int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
46261 void __anon_vma_link(struct vm_area_struct *);
46262 void anon_vma_free(struct anon_vma *);
46263
46264diff -urNp linux-2.6.35.4/include/linux/sched.h linux-2.6.35.4/include/linux/sched.h
46265--- linux-2.6.35.4/include/linux/sched.h 2010-08-26 19:47:12.000000000 -0400
46266+++ linux-2.6.35.4/include/linux/sched.h 2010-09-17 20:12:37.000000000 -0400
46267@@ -100,6 +100,7 @@ struct robust_list_head;
46268 struct bio_list;
58c5fc13 46269 struct fs_struct;
ae4e228f 46270 struct perf_event_context;
58c5fc13
MT		 46271+struct linux_binprm;
46272
46273 /*
46274 * List of flags we want to share for kernel threads,
57199397
MT		 46275@@ -381,10 +382,12 @@ struct user_namespace;
46276 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
46277
46278 extern int sysctl_max_map_count;
46279+extern unsigned long sysctl_heap_stack_gap;
46280
46281 #include <linux/aio.h>
46282
46283 #ifdef CONFIG_MMU
46284+extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
46285 extern void arch_pick_mmap_layout(struct mm_struct *mm);
46286 extern unsigned long
46287 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
46288@@ -628,6 +631,15 @@ struct signal_struct {
58c5fc13
MT		 46289 struct tty_audit_buf *tty_audit_buf;
46290 #endif
ae4e228f 46291
58c5fc13
MT		 46292+#ifdef CONFIG_GRKERNSEC
46293+ u32 curr_ip;
46294+ u32 gr_saddr;
46295+ u32 gr_daddr;
46296+ u16 gr_sport;
46297+ u16 gr_dport;
46298+ u8 used_accept:1;
46299+#endif
ae4e228f
MT		 46300+
46301 int oom_adj; /* OOM kill score adjustment (bit shift) */
58c5fc13
MT		 46302 };
46303
57199397 46304@@ -1166,7 +1178,7 @@ struct rcu_node;
58c5fc13
MT		 46305
46306 struct task_struct {
46307 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
46308- void *stack;
46309+ struct thread_info *stack;
46310 atomic_t usage;
46311 unsigned int flags; /* per process flags, defined below */
46312 unsigned int ptrace;
57199397 46313@@ -1274,8 +1286,8 @@ struct task_struct {
58c5fc13
MT		 46314 struct list_head thread_group;
46315
46316 struct completion *vfork_done; /* for vfork() */
46317- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
46318- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46319+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
46320+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
46321
46322 cputime_t utime, stime, utimescaled, stimescaled;
46323 cputime_t gtime;
57199397 46324@@ -1291,16 +1303,6 @@ struct task_struct {
58c5fc13
MT		 46325 struct task_cputime cputime_expires;
46326 struct list_head cpu_timers[3];
46327
46328-/* process credentials */
46329- const struct cred *real_cred; /* objective and real subjective task
46330- * credentials (COW) */
46331- const struct cred *cred; /* effective (overridable) subjective task
46332- * credentials (COW) */
46333- struct mutex cred_guard_mutex; /* guard against foreign influences on
46334- * credential calculations
46335- * (notably. ptrace) */
ae4e228f 46336- struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
58c5fc13
MT		 46337-
46338 char comm[TASK_COMM_LEN]; /* executable name excluding path
46339 - access with [gs]et_task_comm (which lock
46340 it with task_lock())
57199397 46341@@ -1384,6 +1386,15 @@ struct task_struct {
ae4e228f
MT		 46342 int softirqs_enabled;
46343 int softirq_context;
58c5fc13
MT		 46344 #endif
46345+
46346+/* process credentials */
46347+ const struct cred *real_cred; /* objective and real subjective task
46348+ * credentials (COW) */
58c5fc13
MT		 46349+ struct mutex cred_guard_mutex; /* guard against foreign influences on
46350+ * credential calculations
46351+ * (notably. ptrace) */
ae4e228f 46352+ struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
58c5fc13 46353+
ae4e228f
MT		 46354 #ifdef CONFIG_LOCKDEP
46355 # define MAX_LOCK_DEPTH 48UL
46356 u64 curr_chain_key;
57199397 46357@@ -1404,6 +1415,9 @@ struct task_struct {
ae4e228f
MT		 46358
46359 struct backing_dev_info *backing_dev_info;
46360
46361+ const struct cred *cred; /* effective (overridable) subjective task
46362+ * credentials (COW) */
46363+
46364 struct io_context *io_context;
46365
46366 unsigned long ptrace_message;
57199397 46367@@ -1469,6 +1483,20 @@ struct task_struct {
ae4e228f
MT		 46368 unsigned long default_timer_slack_ns;
46369
46370 struct list_head *scm_work_list;
58c5fc13
MT		 46371+
46372+#ifdef CONFIG_GRKERNSEC
46373+ /* grsecurity */
df50ba0c 46374+ struct dentry *gr_chroot_dentry;
58c5fc13
MT		 46375+ struct acl_subject_label *acl;
46376+ struct acl_role_label *role;
46377+ struct file *exec_file;
46378+ u16 acl_role_id;
46379+ u8 acl_sp_role;
46380+ u8 is_writable;
46381+ u8 brute;
df50ba0c 46382+ u8 gr_is_chrooted;
58c5fc13
MT		 46383+#endif
46384+
ae4e228f 46385 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
df50ba0c 46386 /* Index of current stored address in ret_stack */
ae4e228f 46387 int curr_ret_stack;
57199397 46388@@ -1500,6 +1528,52 @@ struct task_struct {
ae4e228f 46389 #endif
58c5fc13
MT		 46390 };
46391
46392+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
46393+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
46394+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
46395+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
46396+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
46397+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
46398+
46399+#ifdef CONFIG_PAX_SOFTMODE
46400+extern unsigned int pax_softmode;
46401+#endif
46402+
46403+extern int pax_check_flags(unsigned long *);
46404+
46405+/* if tsk != current then task_lock must be held on it */
46406+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46407+static inline unsigned long pax_get_flags(struct task_struct *tsk)
46408+{
46409+ if (likely(tsk->mm))
46410+ return tsk->mm->pax_flags;
46411+ else
46412+ return 0UL;
46413+}
46414+
46415+/* if tsk != current then task_lock must be held on it */
46416+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
46417+{
46418+ if (likely(tsk->mm)) {
46419+ tsk->mm->pax_flags = flags;
46420+ return 0;
46421+ }
46422+ return -EINVAL;
46423+}
46424+#endif
46425+
46426+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
46427+extern void pax_set_initial_flags(struct linux_binprm *bprm);
46428+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
46429+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
46430+#endif
46431+
46432+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
46433+void pax_report_insns(void *pc, void *sp);
46434+void pax_report_refcount_overflow(struct pt_regs *regs);
46435+void pax_report_leak_to_user(const void *ptr, unsigned long len);
46436+void pax_report_overflow_from_user(const void *ptr, unsigned long len);
46437+
46438 /* Future-safe accessor for struct task_struct's cpus_allowed. */
ae4e228f 46439 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
58c5fc13 46440
57199397 46441@@ -2101,7 +2175,7 @@ extern void __cleanup_sighand(struct sig
58c5fc13
MT		 46442 extern void exit_itimers(struct signal_struct *);
46443 extern void flush_itimer_signals(void);
46444
46445-extern NORET_TYPE void do_group_exit(int);
46446+extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
46447
46448 extern void daemonize(const char *, ...);
46449 extern int allow_signal(int);
57199397 46450@@ -2217,8 +2291,8 @@ static inline void unlock_task_sighand(s
58c5fc13
MT		 46451
46452 #ifndef __HAVE_THREAD_FUNCTIONS
46453
46454-#define task_thread_info(task) ((struct thread_info *)(task)->stack)
46455-#define task_stack_page(task) ((task)->stack)
46456+#define task_thread_info(task) ((task)->stack)
46457+#define task_stack_page(task) ((void *)(task)->stack)
46458
46459 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
46460 {
57199397 46461@@ -2233,13 +2307,17 @@ static inline unsigned long *end_of_stac
58c5fc13
MT		 46462
46463 #endif
46464
46465-static inline int object_is_on_stack(void *obj)
ae4e228f 46466+static inline int object_starts_on_stack(void *obj)
58c5fc13 46467 {
ae4e228f
MT		 46468- void *stack = task_stack_page(current);
46469+ const void *stack = task_stack_page(current);
58c5fc13 46470
ae4e228f
MT		 46471 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
46472 }
46473
57199397
MT		 46474+#ifdef CONFIG_PAX_USERCOPY
46475+extern int object_is_on_stack(const void *obj, unsigned long len);
46476+#endif
ae4e228f
MT		 46477+
46478 extern void thread_info_cache_init(void);
46479
46480 #ifdef CONFIG_DEBUG_STACK_USAGE
57199397
MT		 46481diff -urNp linux-2.6.35.4/include/linux/screen_info.h linux-2.6.35.4/include/linux/screen_info.h
46482--- linux-2.6.35.4/include/linux/screen_info.h 2010-08-26 19:47:12.000000000 -0400
46483+++ linux-2.6.35.4/include/linux/screen_info.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 46484@@ -43,7 +43,8 @@ struct screen_info {
58c5fc13
MT		 46485 __u16 pages; /* 0x32 */
46486 __u16 vesa_attributes; /* 0x34 */
46487 __u32 capabilities; /* 0x36 */
46488- __u8 _reserved[6]; /* 0x3a */
46489+ __u16 vesapm_size; /* 0x3a */
46490+ __u8 _reserved[4]; /* 0x3c */
46491 } __attribute__((packed));
46492
46493 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
57199397
MT		 46494diff -urNp linux-2.6.35.4/include/linux/security.h linux-2.6.35.4/include/linux/security.h
46495--- linux-2.6.35.4/include/linux/security.h 2010-08-26 19:47:12.000000000 -0400
46496+++ linux-2.6.35.4/include/linux/security.h 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 46497@@ -34,6 +34,7 @@
46498 #include <linux/key.h>
46499 #include <linux/xfrm.h>
df50ba0c 46500 #include <linux/slab.h>
58c5fc13
MT		 46501+#include <linux/grsecurity.h>
46502 #include <net/flow.h>
46503
46504 /* Maximum number of letters for an LSM name string */
57199397
MT		 46505diff -urNp linux-2.6.35.4/include/linux/shm.h linux-2.6.35.4/include/linux/shm.h
46506--- linux-2.6.35.4/include/linux/shm.h 2010-08-26 19:47:12.000000000 -0400
46507+++ linux-2.6.35.4/include/linux/shm.h 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 46508@@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
46509 pid_t shm_cprid;
46510 pid_t shm_lprid;
46511 struct user_struct *mlock_user;
46512+#ifdef CONFIG_GRKERNSEC
46513+ time_t shm_createtime;
46514+ pid_t shm_lapid;
46515+#endif
46516 };
46517
46518 /* shm_mode upper byte flags */
57199397
MT		 46519diff -urNp linux-2.6.35.4/include/linux/slab.h linux-2.6.35.4/include/linux/slab.h
46520--- linux-2.6.35.4/include/linux/slab.h 2010-08-26 19:47:12.000000000 -0400
46521+++ linux-2.6.35.4/include/linux/slab.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 46522@@ -11,6 +11,7 @@
46523
46524 #include <linux/gfp.h>
46525 #include <linux/types.h>
46526+#include <linux/err.h>
46527
46528 /*
46529 * Flags to pass to kmem_cache_create().
df50ba0c 46530@@ -87,10 +88,13 @@
58c5fc13
MT		 46531 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
46532 * Both make kfree a no-op.
46533 */
46534-#define ZERO_SIZE_PTR ((void *)16)
ae4e228f
MT		 46535+#define ZERO_SIZE_PTR \
46536+({ \
46537+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
46538+ (void *)(-MAX_ERRNO-1L); \
46539+})
58c5fc13
MT		 46540
46541-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
46542- (unsigned long)ZERO_SIZE_PTR)
df50ba0c 46543+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
58c5fc13
MT		 46544
46545 /*
46546 * struct kmem_cache related prototypes
df50ba0c 46547@@ -144,6 +148,7 @@ void * __must_check krealloc(const void
58c5fc13
MT		 46548 void kfree(const void *);
46549 void kzfree(const void *);
46550 size_t ksize(const void *);
46551+void check_object_size(const void *ptr, unsigned long n, bool to);
46552
46553 /*
46554 * Allocator specific definitions. These are mainly used to establish optimized
df50ba0c 46555@@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t
58c5fc13
MT		 46556
46557 void __init kmem_cache_init_late(void);
46558
46559+#define kmalloc(x, y) \
46560+({ \
46561+ void *___retval; \
46562+ intoverflow_t ___x = (intoverflow_t)x; \
46563+ if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
46564+ ___retval = NULL; \
46565+ else \
46566+ ___retval = kmalloc((size_t)___x, (y)); \
46567+ ___retval; \
46568+})
46569+
46570+#define kmalloc_node(x, y, z) \
46571+({ \
46572+ void *___retval; \
46573+ intoverflow_t ___x = (intoverflow_t)x; \
46574+ if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
46575+ ___retval = NULL; \
46576+ else \
46577+ ___retval = kmalloc_node((size_t)___x, (y), (z));\
46578+ ___retval; \
46579+})
46580+
46581+#define kzalloc(x, y) \
46582+({ \
46583+ void *___retval; \
46584+ intoverflow_t ___x = (intoverflow_t)x; \
46585+ if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
46586+ ___retval = NULL; \
46587+ else \
46588+ ___retval = kzalloc((size_t)___x, (y)); \
46589+ ___retval; \
46590+})
46591+
46592 #endif /* _LINUX_SLAB_H */
57199397
MT		 46593diff -urNp linux-2.6.35.4/include/linux/slub_def.h linux-2.6.35.4/include/linux/slub_def.h
46594--- linux-2.6.35.4/include/linux/slub_def.h 2010-08-26 19:47:12.000000000 -0400
46595+++ linux-2.6.35.4/include/linux/slub_def.h 2010-09-17 20:12:09.000000000 -0400
efbe55a5 46596@@ -79,7 +79,7 @@ struct kmem_cache {
58c5fc13
MT		 46597 struct kmem_cache_order_objects max;
46598 struct kmem_cache_order_objects min;
46599 gfp_t allocflags; /* gfp flags to use on each alloc */
46600- int refcount; /* Refcount for slab cache destroy */
46601+ atomic_t refcount; /* Refcount for slab cache destroy */
46602 void (*ctor)(void *);
46603 int inuse; /* Offset to metadata */
46604 int align; /* Alignment */
57199397
MT		 46605diff -urNp linux-2.6.35.4/include/linux/sonet.h linux-2.6.35.4/include/linux/sonet.h
46606--- linux-2.6.35.4/include/linux/sonet.h 2010-08-26 19:47:12.000000000 -0400
46607+++ linux-2.6.35.4/include/linux/sonet.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 46608@@ -61,7 +61,7 @@ struct sonet_stats {
46609 #include <asm/atomic.h>
46610
46611 struct k_sonet_stats {
46612-#define __HANDLE_ITEM(i) atomic_t i
46613+#define __HANDLE_ITEM(i) atomic_unchecked_t i
46614 __SONET_ITEMS
46615 #undef __HANDLE_ITEM
46616 };
57199397
MT		 46617diff -urNp linux-2.6.35.4/include/linux/suspend.h linux-2.6.35.4/include/linux/suspend.h
46618--- linux-2.6.35.4/include/linux/suspend.h 2010-08-26 19:47:12.000000000 -0400
46619+++ linux-2.6.35.4/include/linux/suspend.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 46620@@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
46621 * which require special recovery actions in that situation.
46622 */
46623 struct platform_suspend_ops {
46624- int (*valid)(suspend_state_t state);
46625- int (*begin)(suspend_state_t state);
46626- int (*prepare)(void);
46627- int (*prepare_late)(void);
46628- int (*enter)(suspend_state_t state);
46629- void (*wake)(void);
46630- void (*finish)(void);
46631- void (*end)(void);
46632- void (*recover)(void);
46633+ int (* const valid)(suspend_state_t state);
46634+ int (* const begin)(suspend_state_t state);
46635+ int (* const prepare)(void);
46636+ int (* const prepare_late)(void);
46637+ int (* const enter)(suspend_state_t state);
46638+ void (* const wake)(void);
46639+ void (* const finish)(void);
46640+ void (* const end)(void);
46641+ void (* const recover)(void);
46642 };
46643
46644 #ifdef CONFIG_SUSPEND
46645@@ -120,7 +120,7 @@ struct platform_suspend_ops {
46646 * suspend_set_ops - set platform dependent suspend operations
46647 * @ops: The new suspend operations to set.
46648 */
46649-extern void suspend_set_ops(struct platform_suspend_ops *ops);
46650+extern void suspend_set_ops(const struct platform_suspend_ops *ops);
46651 extern int suspend_valid_only_mem(suspend_state_t state);
46652
46653 /**
46654@@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
46655 #else /* !CONFIG_SUSPEND */
46656 #define suspend_valid_only_mem NULL
46657
46658-static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
46659+static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
46660 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
46661 #endif /* !CONFIG_SUSPEND */
46662
46663@@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
46664 * platforms which require special recovery actions in that situation.
46665 */
46666 struct platform_hibernation_ops {
46667- int (*begin)(void);
46668- void (*end)(void);
46669- int (*pre_snapshot)(void);
46670- void (*finish)(void);
46671- int (*prepare)(void);
46672- int (*enter)(void);
46673- void (*leave)(void);
46674- int (*pre_restore)(void);
46675- void (*restore_cleanup)(void);
46676- void (*recover)(void);
46677+ int (* const begin)(void);
46678+ void (* const end)(void);
46679+ int (* const pre_snapshot)(void);
46680+ void (* const finish)(void);
46681+ int (* const prepare)(void);
46682+ int (* const enter)(void);
46683+ void (* const leave)(void);
46684+ int (* const pre_restore)(void);
46685+ void (* const restore_cleanup)(void);
46686+ void (* const recover)(void);
46687 };
46688
46689 #ifdef CONFIG_HIBERNATION
46690@@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
46691 extern void swsusp_unset_page_free(struct page *);
46692 extern unsigned long get_safe_page(gfp_t gfp_mask);
46693
46694-extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
46695+extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
46696 extern int hibernate(void);
46697 extern bool system_entering_hibernation(void);
46698 #else /* CONFIG_HIBERNATION */
46699@@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
46700 static inline void swsusp_set_page_free(struct page *p) {}
46701 static inline void swsusp_unset_page_free(struct page *p) {}
46702
46703-static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
46704+static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
46705 static inline int hibernate(void) { return -ENOSYS; }
46706 static inline bool system_entering_hibernation(void) { return false; }
46707 #endif /* CONFIG_HIBERNATION */
57199397
MT		 46708diff -urNp linux-2.6.35.4/include/linux/sysctl.h linux-2.6.35.4/include/linux/sysctl.h
46709--- linux-2.6.35.4/include/linux/sysctl.h 2010-08-26 19:47:12.000000000 -0400
46710+++ linux-2.6.35.4/include/linux/sysctl.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f 46711@@ -155,7 +155,11 @@ enum
58c5fc13
MT		 46712 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
46713 };
46714
46715-
46716+#ifdef CONFIG_PAX_SOFTMODE
46717+enum {
46718+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
46719+};
46720+#endif
46721
46722 /* CTL_VM names: */
46723 enum
57199397
MT		 46724diff -urNp linux-2.6.35.4/include/linux/sysfs.h linux-2.6.35.4/include/linux/sysfs.h
46725--- linux-2.6.35.4/include/linux/sysfs.h 2010-08-26 19:47:12.000000000 -0400
46726+++ linux-2.6.35.4/include/linux/sysfs.h 2010-09-17 20:12:09.000000000 -0400
46727@@ -115,8 +115,8 @@ struct bin_attribute {
df50ba0c 46728 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
ae4e228f
MT		 46729
46730 struct sysfs_ops {
46731- ssize_t (*show)(struct kobject *, struct attribute *,char *);
46732- ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
46733+ ssize_t (* const show)(struct kobject *, struct attribute *,char *);
46734+ ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
46735 };
46736
46737 struct sysfs_dirent;
57199397
MT		 46738diff -urNp linux-2.6.35.4/include/linux/thread_info.h linux-2.6.35.4/include/linux/thread_info.h
46739--- linux-2.6.35.4/include/linux/thread_info.h 2010-08-26 19:47:12.000000000 -0400
46740+++ linux-2.6.35.4/include/linux/thread_info.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 46741@@ -23,7 +23,7 @@ struct restart_block {
46742 };
46743 /* For futex_wait and futex_wait_requeue_pi */
46744 struct {
46745- u32 *uaddr;
46746+ u32 __user *uaddr;
46747 u32 val;
46748 u32 flags;
46749 u32 bitset;
57199397
MT		 46750diff -urNp linux-2.6.35.4/include/linux/tty.h linux-2.6.35.4/include/linux/tty.h
46751--- linux-2.6.35.4/include/linux/tty.h 2010-08-26 19:47:12.000000000 -0400
46752+++ linux-2.6.35.4/include/linux/tty.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 46753@@ -13,6 +13,7 @@
46754 #include <linux/tty_driver.h>
46755 #include <linux/tty_ldisc.h>
46756 #include <linux/mutex.h>
46757+#include <linux/poll.h>
46758
46759 #include <asm/system.h>
46760
57199397 46761@@ -453,7 +454,6 @@ extern int tty_perform_flush(struct tty_
ae4e228f
MT		 46762 extern dev_t tty_devnum(struct tty_struct *tty);
46763 extern void proc_clear_tty(struct task_struct *p);
46764 extern struct tty_struct *get_current_tty(void);
46765-extern void tty_default_fops(struct file_operations *fops);
46766 extern struct tty_struct *alloc_tty_struct(void);
46767 extern void free_tty_struct(struct tty_struct *tty);
46768 extern void initialize_tty_struct(struct tty_struct *tty,
57199397 46769@@ -514,6 +514,18 @@ extern void tty_ldisc_begin(void);
ae4e228f
MT		 46770 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
46771 extern void tty_ldisc_enable(struct tty_struct *tty);
46772
46773+/* tty_io.c */
46774+extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
46775+extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
46776+extern unsigned int tty_poll(struct file *, poll_table *);
46777+#ifdef CONFIG_COMPAT
46778+extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
46779+ unsigned long arg);
46780+#else
46781+#define tty_compat_ioctl NULL
46782+#endif
46783+extern int tty_release(struct inode *, struct file *);
46784+extern int tty_fasync(int fd, struct file *filp, int on);
46785
46786 /* n_tty.c */
46787 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
57199397
MT		 46788diff -urNp linux-2.6.35.4/include/linux/tty_ldisc.h linux-2.6.35.4/include/linux/tty_ldisc.h
46789--- linux-2.6.35.4/include/linux/tty_ldisc.h 2010-08-26 19:47:12.000000000 -0400
46790+++ linux-2.6.35.4/include/linux/tty_ldisc.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 46791@@ -147,7 +147,7 @@ struct tty_ldisc_ops {
58c5fc13
MT		 46792
46793 struct module *owner;
46794
46795- int refcount;
46796+ atomic_t refcount;
46797 };
46798
46799 struct tty_ldisc {
57199397
MT		 46800diff -urNp linux-2.6.35.4/include/linux/types.h linux-2.6.35.4/include/linux/types.h
46801--- linux-2.6.35.4/include/linux/types.h 2010-08-26 19:47:12.000000000 -0400
46802+++ linux-2.6.35.4/include/linux/types.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13 46803@@ -191,10 +191,26 @@ typedef struct {
57199397 46804 int counter;
58c5fc13
MT		 46805 } atomic_t;
46806
46807+#ifdef CONFIG_PAX_REFCOUNT
46808+typedef struct {
57199397 46809+ int counter;
58c5fc13
MT		 46810+} atomic_unchecked_t;
46811+#else
46812+typedef atomic_t atomic_unchecked_t;
46813+#endif
46814+
46815 #ifdef CONFIG_64BIT
46816 typedef struct {
57199397 46817 long counter;
58c5fc13
MT		 46818 } atomic64_t;
46819+
46820+#ifdef CONFIG_PAX_REFCOUNT
46821+typedef struct {
57199397 46822+ long counter;
58c5fc13
MT		 46823+} atomic64_unchecked_t;
46824+#else
46825+typedef atomic64_t atomic64_unchecked_t;
46826+#endif
46827 #endif
46828
46829 struct ustat {
57199397
MT		 46830diff -urNp linux-2.6.35.4/include/linux/uaccess.h linux-2.6.35.4/include/linux/uaccess.h
46831--- linux-2.6.35.4/include/linux/uaccess.h 2010-08-26 19:47:12.000000000 -0400
46832+++ linux-2.6.35.4/include/linux/uaccess.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 46833@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
46834 long ret; \
46835 mm_segment_t old_fs = get_fs(); \
46836 \
46837- set_fs(KERNEL_DS); \
46838 pagefault_disable(); \
46839+ set_fs(KERNEL_DS); \
46840 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
46841- pagefault_enable(); \
46842 set_fs(old_fs); \
46843+ pagefault_enable(); \
46844 ret; \
46845 })
46846
ae4e228f
MT		 46847@@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
46848 * Safely read from address @src to the buffer at @dst. If a kernel fault
46849 * happens, handle that and return -EFAULT.
46850 */
46851-extern long probe_kernel_read(void *dst, void *src, size_t size);
46852-extern long __probe_kernel_read(void *dst, void *src, size_t size);
46853+extern long probe_kernel_read(void *dst, const void *src, size_t size);
46854+extern long __probe_kernel_read(void *dst, const void *src, size_t size);
46855
46856 /*
46857 * probe_kernel_write(): safely attempt to write to a location
46858@@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
46859 * Safely write to address @dst from the buffer at @src. If a kernel fault
46860 * happens, handle that and return -EFAULT.
46861 */
46862-extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
46863-extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
46864+extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
46865+extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
46866
46867 #endif /* __LINUX_UACCESS_H__ */
57199397
MT		 46868diff -urNp linux-2.6.35.4/include/linux/usb/hcd.h linux-2.6.35.4/include/linux/usb/hcd.h
46869--- linux-2.6.35.4/include/linux/usb/hcd.h 2010-08-26 19:47:12.000000000 -0400
46870+++ linux-2.6.35.4/include/linux/usb/hcd.h 2010-09-17 20:12:09.000000000 -0400
46871@@ -559,7 +559,7 @@ struct usb_mon_operations {
46872 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
46873 };
46874
46875-extern struct usb_mon_operations *mon_ops;
46876+extern const struct usb_mon_operations *mon_ops;
46877
46878 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
46879 {
46880@@ -581,7 +581,7 @@ static inline void usbmon_urb_complete(s
46881 (*mon_ops->urb_complete)(bus, urb, status);
46882 }
46883
46884-int usb_mon_register(struct usb_mon_operations *ops);
46885+int usb_mon_register(const struct usb_mon_operations *ops);
46886 void usb_mon_deregister(void);
46887
46888 #else
46889diff -urNp linux-2.6.35.4/include/linux/vmalloc.h linux-2.6.35.4/include/linux/vmalloc.h
46890--- linux-2.6.35.4/include/linux/vmalloc.h 2010-08-26 19:47:12.000000000 -0400
46891+++ linux-2.6.35.4/include/linux/vmalloc.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 46892@@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
46893 #define VM_MAP 0x00000004 /* vmap()ed pages */
46894 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
46895 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
46896+
df50ba0c 46897+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
58c5fc13
MT		 46898+#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
46899+#endif
46900+
46901 /* bits [20..32] reserved for arch specific ioremap internals */
46902
46903 /*
ae4e228f
MT		 46904@@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
46905
46906 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
58c5fc13
MT		 46907
46908+#define vmalloc(x) \
46909+({ \
46910+ void *___retval; \
46911+ intoverflow_t ___x = (intoverflow_t)x; \
46912+ if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
46913+ ___retval = NULL; \
46914+ else \
46915+ ___retval = vmalloc((unsigned long)___x); \
46916+ ___retval; \
46917+})
46918+
46919+#define __vmalloc(x, y, z) \
46920+({ \
46921+ void *___retval; \
46922+ intoverflow_t ___x = (intoverflow_t)x; \
46923+ if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
46924+ ___retval = NULL; \
46925+ else \
46926+ ___retval = __vmalloc((unsigned long)___x, (y), (z));\
46927+ ___retval; \
46928+})
46929+
46930+#define vmalloc_user(x) \
46931+({ \
46932+ void *___retval; \
46933+ intoverflow_t ___x = (intoverflow_t)x; \
46934+ if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
46935+ ___retval = NULL; \
46936+ else \
46937+ ___retval = vmalloc_user((unsigned long)___x); \
46938+ ___retval; \
46939+})
46940+
46941+#define vmalloc_exec(x) \
46942+({ \
46943+ void *___retval; \
46944+ intoverflow_t ___x = (intoverflow_t)x; \
46945+ if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
46946+ ___retval = NULL; \
46947+ else \
46948+ ___retval = vmalloc_exec((unsigned long)___x); \
46949+ ___retval; \
46950+})
46951+
46952+#define vmalloc_node(x, y) \
46953+({ \
46954+ void *___retval; \
46955+ intoverflow_t ___x = (intoverflow_t)x; \
46956+ if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
46957+ ___retval = NULL; \
46958+ else \
46959+ ___retval = vmalloc_node((unsigned long)___x, (y));\
46960+ ___retval; \
46961+})
46962+
46963+#define vmalloc_32(x) \
46964+({ \
46965+ void *___retval; \
46966+ intoverflow_t ___x = (intoverflow_t)x; \
46967+ if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
46968+ ___retval = NULL; \
46969+ else \
46970+ ___retval = vmalloc_32((unsigned long)___x); \
46971+ ___retval; \
46972+})
46973+
46974+#define vmalloc_32_user(x) \
46975+({ \
46976+ void *___retval; \
46977+ intoverflow_t ___x = (intoverflow_t)x; \
46978+ if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
46979+ ___retval = NULL; \
46980+ else \
46981+ ___retval = vmalloc_32_user((unsigned long)___x);\
46982+ ___retval; \
46983+})
46984+
46985 #endif /* _LINUX_VMALLOC_H */
57199397
MT		 46986diff -urNp linux-2.6.35.4/include/linux/vmstat.h linux-2.6.35.4/include/linux/vmstat.h
46987--- linux-2.6.35.4/include/linux/vmstat.h 2010-08-26 19:47:12.000000000 -0400
46988+++ linux-2.6.35.4/include/linux/vmstat.h 2010-09-17 20:12:09.000000000 -0400
46989@@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
46990 /*
46991 * Zone based page accounting with per cpu differentials.
46992 */
46993-extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46994+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46995
46996 static inline void zone_page_state_add(long x, struct zone *zone,
46997 enum zone_stat_item item)
46998 {
46999- atomic_long_add(x, &zone->vm_stat[item]);
47000- atomic_long_add(x, &vm_stat[item]);
47001+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
47002+ atomic_long_add_unchecked(x, &vm_stat[item]);
47003 }
47004
47005 static inline unsigned long global_page_state(enum zone_stat_item item)
47006 {
47007- long x = atomic_long_read(&vm_stat[item]);
47008+ long x = atomic_long_read_unchecked(&vm_stat[item]);
47009 #ifdef CONFIG_SMP
47010 if (x < 0)
47011 x = 0;
47012@@ -162,7 +162,7 @@ static inline unsigned long global_page_
47013 static inline unsigned long zone_page_state(struct zone *zone,
47014 enum zone_stat_item item)
47015 {
47016- long x = atomic_long_read(&zone->vm_stat[item]);
47017+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
47018 #ifdef CONFIG_SMP
47019 if (x < 0)
47020 x = 0;
47021@@ -246,8 +246,8 @@ static inline void __mod_zone_page_state
47022
47023 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
47024 {
47025- atomic_long_inc(&zone->vm_stat[item]);
47026- atomic_long_inc(&vm_stat[item]);
47027+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
47028+ atomic_long_inc_unchecked(&vm_stat[item]);
47029 }
47030
47031 static inline void __inc_zone_page_state(struct page *page,
47032@@ -258,8 +258,8 @@ static inline void __inc_zone_page_state
47033
47034 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
47035 {
47036- atomic_long_dec(&zone->vm_stat[item]);
47037- atomic_long_dec(&vm_stat[item]);
47038+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
47039+ atomic_long_dec_unchecked(&vm_stat[item]);
47040 }
47041
47042 static inline void __dec_zone_page_state(struct page *page,
47043diff -urNp linux-2.6.35.4/include/net/irda/ircomm_tty.h linux-2.6.35.4/include/net/irda/ircomm_tty.h
47044--- linux-2.6.35.4/include/net/irda/ircomm_tty.h 2010-08-26 19:47:12.000000000 -0400
47045+++ linux-2.6.35.4/include/net/irda/ircomm_tty.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 47046@@ -105,8 +105,8 @@ struct ircomm_tty_cb {
47047 unsigned short close_delay;
47048 unsigned short closing_wait; /* time to wait before closing */
47049
47050- int open_count;
47051- int blocked_open; /* # of blocked opens */
47052+ atomic_t open_count;
47053+ atomic_t blocked_open; /* # of blocked opens */
47054
47055 /* Protect concurent access to :
47056 * o self->open_count
57199397
MT		 47057diff -urNp linux-2.6.35.4/include/net/neighbour.h linux-2.6.35.4/include/net/neighbour.h
47058--- linux-2.6.35.4/include/net/neighbour.h 2010-08-26 19:47:12.000000000 -0400
47059+++ linux-2.6.35.4/include/net/neighbour.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 47060@@ -116,12 +116,12 @@ struct neighbour {
47061
47062 struct neigh_ops {
47063 int family;
47064- void (*solicit)(struct neighbour *, struct sk_buff*);
47065- void (*error_report)(struct neighbour *, struct sk_buff*);
47066- int (*output)(struct sk_buff*);
47067- int (*connected_output)(struct sk_buff*);
47068- int (*hh_output)(struct sk_buff*);
47069- int (*queue_xmit)(struct sk_buff*);
47070+ void (* const solicit)(struct neighbour *, struct sk_buff*);
47071+ void (* const error_report)(struct neighbour *, struct sk_buff*);
47072+ int (* const output)(struct sk_buff*);
47073+ int (* const connected_output)(struct sk_buff*);
47074+ int (* const hh_output)(struct sk_buff*);
47075+ int (* const queue_xmit)(struct sk_buff*);
47076 };
47077
47078 struct pneigh_entry {
57199397
MT		 47079diff -urNp linux-2.6.35.4/include/net/sctp/sctp.h linux-2.6.35.4/include/net/sctp/sctp.h
47080--- linux-2.6.35.4/include/net/sctp/sctp.h 2010-08-26 19:47:12.000000000 -0400
47081+++ linux-2.6.35.4/include/net/sctp/sctp.h 2010-09-17 20:12:09.000000000 -0400
df50ba0c 47082@@ -305,8 +305,8 @@ extern int sctp_debug_flag;
58c5fc13
MT		 47083
47084 #else /* SCTP_DEBUG */
47085
47086-#define SCTP_DEBUG_PRINTK(whatever...)
47087-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
47088+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
47089+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
47090 #define SCTP_ENABLE_DEBUG
47091 #define SCTP_DISABLE_DEBUG
47092 #define SCTP_ASSERT(expr, str, func)
57199397
MT		 47093diff -urNp linux-2.6.35.4/include/net/tcp.h linux-2.6.35.4/include/net/tcp.h
47094--- linux-2.6.35.4/include/net/tcp.h 2010-08-26 19:47:12.000000000 -0400
47095+++ linux-2.6.35.4/include/net/tcp.h 2010-09-17 20:12:09.000000000 -0400
47096@@ -1404,6 +1404,7 @@ enum tcp_seq_states {
ae4e228f
MT		 47097 struct tcp_seq_afinfo {
47098 char *name;
47099 sa_family_t family;
47100+ /* cannot be const */
47101 struct file_operations seq_fops;
47102 struct seq_operations seq_ops;
47103 };
57199397
MT		 47104diff -urNp linux-2.6.35.4/include/net/udp.h linux-2.6.35.4/include/net/udp.h
47105--- linux-2.6.35.4/include/net/udp.h 2010-08-26 19:47:12.000000000 -0400
47106+++ linux-2.6.35.4/include/net/udp.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 47107@@ -221,6 +221,7 @@ struct udp_seq_afinfo {
47108 char *name;
47109 sa_family_t family;
47110 struct udp_table *udp_table;
47111+ /* cannot be const */
47112 struct file_operations seq_fops;
47113 struct seq_operations seq_ops;
47114 };
57199397
MT		 47115diff -urNp linux-2.6.35.4/include/sound/ac97_codec.h linux-2.6.35.4/include/sound/ac97_codec.h
47116--- linux-2.6.35.4/include/sound/ac97_codec.h 2010-08-26 19:47:12.000000000 -0400
47117+++ linux-2.6.35.4/include/sound/ac97_codec.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 47118@@ -419,15 +419,15 @@
47119 struct snd_ac97;
47120
47121 struct snd_ac97_build_ops {
47122- int (*build_3d) (struct snd_ac97 *ac97);
47123- int (*build_specific) (struct snd_ac97 *ac97);
47124- int (*build_spdif) (struct snd_ac97 *ac97);
47125- int (*build_post_spdif) (struct snd_ac97 *ac97);
47126+ int (* const build_3d) (struct snd_ac97 *ac97);
47127+ int (* const build_specific) (struct snd_ac97 *ac97);
47128+ int (* const build_spdif) (struct snd_ac97 *ac97);
47129+ int (* const build_post_spdif) (struct snd_ac97 *ac97);
47130 #ifdef CONFIG_PM
47131- void (*suspend) (struct snd_ac97 *ac97);
47132- void (*resume) (struct snd_ac97 *ac97);
47133+ void (* const suspend) (struct snd_ac97 *ac97);
47134+ void (* const resume) (struct snd_ac97 *ac97);
58c5fc13 47135 #endif
ae4e228f
MT		 47136- void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47137+ void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
47138 };
47139
47140 struct snd_ac97_bus_ops {
47141@@ -477,7 +477,7 @@ struct snd_ac97_template {
47142
47143 struct snd_ac97 {
47144 /* -- lowlevel (hardware) driver specific -- */
47145- struct snd_ac97_build_ops * build_ops;
47146+ const struct snd_ac97_build_ops * build_ops;
47147 void *private_data;
47148 void (*private_free) (struct snd_ac97 *ac97);
47149 /* --- */
57199397
MT		 47150diff -urNp linux-2.6.35.4/include/trace/events/irq.h linux-2.6.35.4/include/trace/events/irq.h
47151--- linux-2.6.35.4/include/trace/events/irq.h 2010-08-26 19:47:12.000000000 -0400
47152+++ linux-2.6.35.4/include/trace/events/irq.h 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 47153@@ -34,7 +34,7 @@
47154 */
47155 TRACE_EVENT(irq_handler_entry,
47156
47157- TP_PROTO(int irq, struct irqaction *action),
47158+ TP_PROTO(int irq, const struct irqaction *action),
47159
47160 TP_ARGS(irq, action),
47161
47162@@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
47163 */
47164 TRACE_EVENT(irq_handler_exit,
47165
47166- TP_PROTO(int irq, struct irqaction *action, int ret),
47167+ TP_PROTO(int irq, const struct irqaction *action, int ret),
47168
47169 TP_ARGS(irq, action, ret),
47170
47171@@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
58c5fc13 47172
ae4e228f 47173 DECLARE_EVENT_CLASS(softirq,
58c5fc13 47174
ae4e228f
MT		 47175- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47176+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47177
47178 TP_ARGS(h, vec),
47179
47180@@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
47181 */
47182 DEFINE_EVENT(softirq, softirq_entry,
47183
47184- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47185+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47186
47187 TP_ARGS(h, vec)
47188 );
47189@@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
47190 */
47191 DEFINE_EVENT(softirq, softirq_exit,
47192
47193- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47194+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47195
47196 TP_ARGS(h, vec)
47197 );
57199397
MT		 47198diff -urNp linux-2.6.35.4/include/video/uvesafb.h linux-2.6.35.4/include/video/uvesafb.h
47199--- linux-2.6.35.4/include/video/uvesafb.h 2010-08-26 19:47:12.000000000 -0400
47200+++ linux-2.6.35.4/include/video/uvesafb.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 47201@@ -177,6 +177,7 @@ struct uvesafb_par {
47202 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
47203 u8 pmi_setpal; /* PMI for palette changes */
47204 u16 *pmi_base; /* protected mode interface location */
47205+ u8 *pmi_code; /* protected mode code location */
47206 void *pmi_start;
47207 void *pmi_pal;
47208 u8 *vbe_state_orig; /*
57199397
MT		 47209diff -urNp linux-2.6.35.4/init/do_mounts.c linux-2.6.35.4/init/do_mounts.c
47210--- linux-2.6.35.4/init/do_mounts.c 2010-08-26 19:47:12.000000000 -0400
47211+++ linux-2.6.35.4/init/do_mounts.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 47212@@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
58c5fc13
MT		 47213
47214 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
47215 {
47216- int err = sys_mount(name, "/root", fs, flags, data);
ae4e228f 47217+ int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
58c5fc13
MT		 47218 if (err)
47219 return err;
47220
47221- sys_chdir("/root");
ae4e228f 47222+ sys_chdir((__force char __user *)"/root");
58c5fc13
MT		 47223 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
47224 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
47225 current->fs->pwd.mnt->mnt_sb->s_type->name,
df50ba0c 47226@@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
58c5fc13
MT		 47227 va_start(args, fmt);
47228 vsprintf(buf, fmt, args);
47229 va_end(args);
47230- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
47231+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
47232 if (fd >= 0) {
47233 sys_ioctl(fd, FDEJECT, 0);
47234 sys_close(fd);
47235 }
47236 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
47237- fd = sys_open("/dev/console", O_RDWR, 0);
df50ba0c 47238+ fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
58c5fc13
MT		 47239 if (fd >= 0) {
47240 sys_ioctl(fd, TCGETS, (long)&termios);
47241 termios.c_lflag &= ~ICANON;
47242 sys_ioctl(fd, TCSETSF, (long)&termios);
47243- sys_read(fd, &c, 1);
47244+ sys_read(fd, (char __user *)&c, 1);
47245 termios.c_lflag |= ICANON;
47246 sys_ioctl(fd, TCSETSF, (long)&termios);
47247 sys_close(fd);
df50ba0c 47248@@ -417,6 +417,6 @@ void __init prepare_namespace(void)
58c5fc13
MT		 47249 mount_root();
47250 out:
ae4e228f 47251 devtmpfs_mount("dev");
58c5fc13
MT		 47252- sys_mount(".", "/", NULL, MS_MOVE, NULL);
47253- sys_chroot(".");
ae4e228f
MT		 47254+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47255+ sys_chroot((__force char __user *)".");
58c5fc13 47256 }
57199397
MT		 47257diff -urNp linux-2.6.35.4/init/do_mounts.h linux-2.6.35.4/init/do_mounts.h
47258--- linux-2.6.35.4/init/do_mounts.h 2010-08-26 19:47:12.000000000 -0400
47259+++ linux-2.6.35.4/init/do_mounts.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 47260@@ -15,15 +15,15 @@ extern int root_mountflags;
47261
47262 static inline int create_dev(char *name, dev_t dev)
47263 {
47264- sys_unlink(name);
47265- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
ae4e228f
MT		 47266+ sys_unlink((__force char __user *)name);
47267+ return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
58c5fc13
MT		 47268 }
47269
47270 #if BITS_PER_LONG == 32
47271 static inline u32 bstat(char *name)
47272 {
47273 struct stat64 stat;
47274- if (sys_stat64(name, &stat) != 0)
ae4e228f 47275+ if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
58c5fc13
MT		 47276 return 0;
47277 if (!S_ISBLK(stat.st_mode))
47278 return 0;
57199397
MT		 47279diff -urNp linux-2.6.35.4/init/do_mounts_initrd.c linux-2.6.35.4/init/do_mounts_initrd.c
47280--- linux-2.6.35.4/init/do_mounts_initrd.c 2010-08-26 19:47:12.000000000 -0400
47281+++ linux-2.6.35.4/init/do_mounts_initrd.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 47282@@ -43,13 +43,13 @@ static void __init handle_initrd(void)
58c5fc13
MT		 47283 create_dev("/dev/root.old", Root_RAM0);
47284 /* mount initrd on rootfs' /root */
47285 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
47286- sys_mkdir("/old", 0700);
47287- root_fd = sys_open("/", 0, 0);
47288- old_fd = sys_open("/old", 0, 0);
ae4e228f
MT		 47289+ sys_mkdir((__force const char __user *)"/old", 0700);
47290+ root_fd = sys_open((__force const char __user *)"/", 0, 0);
47291+ old_fd = sys_open((__force const char __user *)"/old", 0, 0);
58c5fc13
MT		 47292 /* move initrd over / and chdir/chroot in initrd root */
47293- sys_chdir("/root");
47294- sys_mount(".", "/", NULL, MS_MOVE, NULL);
47295- sys_chroot(".");
ae4e228f
MT		 47296+ sys_chdir((__force const char __user *)"/root");
47297+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47298+ sys_chroot((__force const char __user *)".");
58c5fc13
MT		 47299
47300 /*
47301 * In case that a resume from disk is carried out by linuxrc or one of
df50ba0c 47302@@ -66,15 +66,15 @@ static void __init handle_initrd(void)
58c5fc13
MT		 47303
47304 /* move initrd to rootfs' /old */
47305 sys_fchdir(old_fd);
47306- sys_mount("/", ".", NULL, MS_MOVE, NULL);
ae4e228f 47307+ sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
58c5fc13
MT		 47308 /* switch root and cwd back to / of rootfs */
47309 sys_fchdir(root_fd);
47310- sys_chroot(".");
ae4e228f 47311+ sys_chroot((__force const char __user *)".");
58c5fc13
MT		 47312 sys_close(old_fd);
47313 sys_close(root_fd);
47314
47315 if (new_decode_dev(real_root_dev) == Root_RAM0) {
47316- sys_chdir("/old");
ae4e228f 47317+ sys_chdir((__force const char __user *)"/old");
58c5fc13
MT		 47318 return;
47319 }
47320
df50ba0c 47321@@ -82,17 +82,17 @@ static void __init handle_initrd(void)
58c5fc13
MT		 47322 mount_root();
47323
47324 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
47325- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
ae4e228f 47326+ error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
58c5fc13
MT		 47327 if (!error)
47328 printk("okay\n");
47329 else {
47330- int fd = sys_open("/dev/root.old", O_RDWR, 0);
ae4e228f 47331+ int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
58c5fc13
MT		 47332 if (error == -ENOENT)
47333 printk("/initrd does not exist. Ignored.\n");
47334 else
47335 printk("failed\n");
47336 printk(KERN_NOTICE "Unmounting old root\n");
47337- sys_umount("/old", MNT_DETACH);
ae4e228f 47338+ sys_umount((__force char __user *)"/old", MNT_DETACH);
58c5fc13
MT		 47339 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
47340 if (fd < 0) {
47341 error = fd;
df50ba0c 47342@@ -115,11 +115,11 @@ int __init initrd_load(void)
58c5fc13
MT		 47343 * mounted in the normal path.
47344 */
47345 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
47346- sys_unlink("/initrd.image");
ae4e228f 47347+ sys_unlink((__force const char __user *)"/initrd.image");
58c5fc13
MT		 47348 handle_initrd();
47349 return 1;
47350 }
47351 }
47352- sys_unlink("/initrd.image");
ae4e228f 47353+ sys_unlink((__force const char __user *)"/initrd.image");
58c5fc13
MT		 47354 return 0;
47355 }
57199397
MT		 47356diff -urNp linux-2.6.35.4/init/do_mounts_md.c linux-2.6.35.4/init/do_mounts_md.c
47357--- linux-2.6.35.4/init/do_mounts_md.c 2010-08-26 19:47:12.000000000 -0400
47358+++ linux-2.6.35.4/init/do_mounts_md.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 47359@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
47360 partitioned ? "_d" : "", minor,
47361 md_setup_args[ent].device_names);
47362
47363- fd = sys_open(name, 0, 0);
ae4e228f 47364+ fd = sys_open((__force char __user *)name, 0, 0);
58c5fc13
MT		 47365 if (fd < 0) {
47366 printk(KERN_ERR "md: open failed - cannot start "
47367 "array %s\n", name);
47368@@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
47369 * array without it
47370 */
47371 sys_close(fd);
47372- fd = sys_open(name, 0, 0);
ae4e228f 47373+ fd = sys_open((__force char __user *)name, 0, 0);
58c5fc13
MT		 47374 sys_ioctl(fd, BLKRRPART, 0);
47375 }
47376 sys_close(fd);
47377@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
47378
47379 wait_for_device_probe();
47380
47381- fd = sys_open("/dev/md0", 0, 0);
ae4e228f 47382+ fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
58c5fc13
MT		 47383 if (fd >= 0) {
47384 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
47385 sys_close(fd);
57199397
MT		 47386diff -urNp linux-2.6.35.4/init/initramfs.c linux-2.6.35.4/init/initramfs.c
47387--- linux-2.6.35.4/init/initramfs.c 2010-08-26 19:47:12.000000000 -0400
47388+++ linux-2.6.35.4/init/initramfs.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 47389@@ -74,7 +74,7 @@ static void __init free_hash(void)
47390 }
47391 }
47392
47393-static long __init do_utime(char __user *filename, time_t mtime)
47394+static long __init do_utime(__force char __user *filename, time_t mtime)
47395 {
47396 struct timespec t[2];
47397
47398@@ -109,7 +109,7 @@ static void __init dir_utime(void)
47399 struct dir_entry *de, *tmp;
47400 list_for_each_entry_safe(de, tmp, &dir_list, list) {
47401 list_del(&de->list);
47402- do_utime(de->name, de->mtime);
47403+ do_utime((__force char __user *)de->name, de->mtime);
47404 kfree(de->name);
47405 kfree(de);
47406 }
58c5fc13
MT		 47407@@ -271,7 +271,7 @@ static int __init maybe_link(void)
47408 if (nlink >= 2) {
47409 char *old = find_link(major, minor, ino, mode, collected);
47410 if (old)
47411- return (sys_link(old, collected) < 0) ? -1 : 1;
ae4e228f 47412+ return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
58c5fc13
MT		 47413 }
47414 return 0;
47415 }
47416@@ -280,11 +280,11 @@ static void __init clean_path(char *path
47417 {
47418 struct stat st;
47419
47420- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
ae4e228f 47421+ if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
58c5fc13
MT		 47422 if (S_ISDIR(st.st_mode))
47423- sys_rmdir(path);
ae4e228f 47424+ sys_rmdir((__force char __user *)path);
58c5fc13
MT		 47425 else
47426- sys_unlink(path);
ae4e228f 47427+ sys_unlink((__force char __user *)path);
58c5fc13
MT		 47428 }
47429 }
47430
47431@@ -305,7 +305,7 @@ static int __init do_name(void)
47432 int openflags = O_WRONLY|O_CREAT;
47433 if (ml != 1)
47434 openflags |= O_TRUNC;
47435- wfd = sys_open(collected, openflags, mode);
ae4e228f 47436+ wfd = sys_open((__force char __user *)collected, openflags, mode);
58c5fc13
MT		 47437
47438 if (wfd >= 0) {
47439 sys_fchown(wfd, uid, gid);
ae4e228f 47440@@ -317,17 +317,17 @@ static int __init do_name(void)
58c5fc13
MT		 47441 }
47442 }
47443 } else if (S_ISDIR(mode)) {
47444- sys_mkdir(collected, mode);
47445- sys_chown(collected, uid, gid);
47446- sys_chmod(collected, mode);
ae4e228f
MT		 47447+ sys_mkdir((__force char __user *)collected, mode);
47448+ sys_chown((__force char __user *)collected, uid, gid);
47449+ sys_chmod((__force char __user *)collected, mode);
58c5fc13
MT		 47450 dir_add(collected, mtime);
47451 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
47452 S_ISFIFO(mode) || S_ISSOCK(mode)) {
47453 if (maybe_link() == 0) {
47454- sys_mknod(collected, mode, rdev);
47455- sys_chown(collected, uid, gid);
47456- sys_chmod(collected, mode);
ae4e228f
MT		 47457- do_utime(collected, mtime);
47458+ sys_mknod((__force char __user *)collected, mode, rdev);
47459+ sys_chown((__force char __user *)collected, uid, gid);
47460+ sys_chmod((__force char __user *)collected, mode);
47461+ do_utime((__force char __user *)collected, mtime);
58c5fc13
MT		 47462 }
47463 }
ae4e228f
MT		 47464 return 0;
47465@@ -336,15 +336,15 @@ static int __init do_name(void)
58c5fc13
MT		 47466 static int __init do_copy(void)
47467 {
47468 if (count >= body_len) {
47469- sys_write(wfd, victim, body_len);
ae4e228f 47470+ sys_write(wfd, (__force char __user *)victim, body_len);
58c5fc13 47471 sys_close(wfd);
ae4e228f
MT		 47472- do_utime(vcollected, mtime);
47473+ do_utime((__force char __user *)vcollected, mtime);
58c5fc13 47474 kfree(vcollected);
ae4e228f 47475 eat(body_len);
58c5fc13
MT		 47476 state = SkipIt;
47477 return 0;
47478 } else {
47479- sys_write(wfd, victim, count);
ae4e228f 47480+ sys_write(wfd, (__force char __user *)victim, count);
58c5fc13
MT		 47481 body_len -= count;
47482 eat(count);
47483 return 1;
ae4e228f 47484@@ -355,9 +355,9 @@ static int __init do_symlink(void)
58c5fc13
MT		 47485 {
47486 collected[N_ALIGN(name_len) + body_len] = '\0';
47487 clean_path(collected, 0);
47488- sys_symlink(collected + N_ALIGN(name_len), collected);
47489- sys_lchown(collected, uid, gid);
ae4e228f
MT		 47490- do_utime(collected, mtime);
47491+ sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
47492+ sys_lchown((__force char __user *)collected, uid, gid);
47493+ do_utime((__force char __user *)collected, mtime);
58c5fc13
MT		 47494 state = SkipIt;
47495 next_state = Reset;
ae4e228f 47496 return 0;
57199397
MT		 47497diff -urNp linux-2.6.35.4/init/Kconfig linux-2.6.35.4/init/Kconfig
47498--- linux-2.6.35.4/init/Kconfig 2010-08-26 19:47:12.000000000 -0400
47499+++ linux-2.6.35.4/init/Kconfig 2010-09-17 20:12:09.000000000 -0400
47500@@ -1063,7 +1063,7 @@ config SLUB_DEBUG
47501
47502 config COMPAT_BRK
47503 bool "Disable heap randomization"
47504- default y
47505+ default n
47506 help
47507 Randomizing heap placement makes heap exploits harder, but it
47508 also breaks ancient binaries (including anything libc5 based).
47509diff -urNp linux-2.6.35.4/init/main.c linux-2.6.35.4/init/main.c
47510--- linux-2.6.35.4/init/main.c 2010-08-26 19:47:12.000000000 -0400
47511+++ linux-2.6.35.4/init/main.c 2010-09-17 20:12:37.000000000 -0400
47512@@ -98,6 +98,7 @@ static inline void mark_rodata_ro(void)
58c5fc13
MT		 47513 #ifdef CONFIG_TC
47514 extern void tc_init(void);
47515 #endif
47516+extern void grsecurity_init(void);
47517
47518 enum system_states system_state __read_mostly;
47519 EXPORT_SYMBOL(system_state);
57199397 47520@@ -200,6 +201,50 @@ static int __init set_reset_devices(char
58c5fc13
MT		 47521
47522 __setup("reset_devices", set_reset_devices);
47523
df50ba0c
MT		 47524+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
47525+extern void pax_enter_kernel_user(void);
47526+extern void pax_exit_kernel_user(void);
47527+extern pgdval_t clone_pgd_mask;
47528+#endif
47529+
47530+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
58c5fc13
MT		 47531+static int __init setup_pax_nouderef(char *str)
47532+{
df50ba0c 47533+#ifdef CONFIG_X86_32
58c5fc13
MT		 47534+ unsigned int cpu;
47535+
47536+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
47537+ get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
47538+ get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
47539+ }
47540+ asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
47541+ asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
47542+ asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
df50ba0c
MT		 47543+#else
47544+ char *p;
47545+ p = (char *)pax_enter_kernel_user;
47546+ *p = 0xc3;
47547+ p = (char *)pax_exit_kernel_user;
47548+ *p = 0xc3;
47549+ clone_pgd_mask = ~(pgdval_t)0UL;
47550+#endif
58c5fc13
MT		 47551+
47552+ return 0;
47553+}
47554+early_param("pax_nouderef", setup_pax_nouderef);
47555+#endif
47556+
47557+#ifdef CONFIG_PAX_SOFTMODE
47558+unsigned int pax_softmode;
47559+
47560+static int __init setup_pax_softmode(char *str)
47561+{
47562+ get_option(&str, &pax_softmode);
47563+ return 1;
47564+}
47565+__setup("pax_softmode=", setup_pax_softmode);
47566+#endif
47567+
47568 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
47569 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
47570 static const char *panic_later, *panic_param;
57199397 47571@@ -725,52 +770,53 @@ int initcall_debug;
ae4e228f 47572 core_param(initcall_debug, initcall_debug, bool, 0644);
58c5fc13 47573
ae4e228f
MT		 47574 static char msgbuf[64];
47575-static struct boot_trace_call call;
47576-static struct boot_trace_ret ret;
47577+static struct boot_trace_call trace_call;
47578+static struct boot_trace_ret trace_ret;
58c5fc13 47579
ae4e228f 47580 int do_one_initcall(initcall_t fn)
58c5fc13
MT		 47581 {
47582 int count = preempt_count();
47583 ktime_t calltime, delta, rettime;
47584+ const char *msg1 = "", *msg2 = "";
47585
47586 if (initcall_debug) {
ae4e228f
MT		 47587- call.caller = task_pid_nr(current);
47588- printk("calling %pF @ %i\n", fn, call.caller);
47589+ trace_call.caller = task_pid_nr(current);
47590+ printk("calling %pF @ %i\n", fn, trace_call.caller);
47591 calltime = ktime_get();
47592- trace_boot_call(&call, fn);
47593+ trace_boot_call(&trace_call, fn);
47594 enable_boot_trace();
47595 }
47596
47597- ret.result = fn();
47598+ trace_ret.result = fn();
47599
47600 if (initcall_debug) {
47601 disable_boot_trace();
47602 rettime = ktime_get();
47603 delta = ktime_sub(rettime, calltime);
47604- ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47605- trace_boot_ret(&ret, fn);
47606+ trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47607+ trace_boot_ret(&trace_ret, fn);
47608 printk("initcall %pF returned %d after %Ld usecs\n", fn,
47609- ret.result, ret.duration);
47610+ trace_ret.result, trace_ret.duration);
47611 }
47612
47613 msgbuf[0] = 0;
47614
47615- if (ret.result && ret.result != -ENODEV && initcall_debug)
47616- sprintf(msgbuf, "error code %d ", ret.result);
47617+ if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
47618+ sprintf(msgbuf, "error code %d ", trace_ret.result);
58c5fc13
MT		 47619
47620 if (preempt_count() != count) {
47621- strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
47622+ msg1 = " preemption imbalance";
47623 preempt_count() = count;
47624 }
47625 if (irqs_disabled()) {
47626- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
47627+ msg2 = " disabled interrupts";
47628 local_irq_enable();
47629 }
47630- if (msgbuf[0]) {
47631- printk("initcall %pF returned with %s\n", fn, msgbuf);
47632+ if (msgbuf[0] || *msg1 || *msg2) {
47633+ printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
47634 }
47635
ae4e228f
MT		 47636- return ret.result;
47637+ return trace_ret.result;
47638 }
47639
47640
57199397 47641@@ -902,7 +948,7 @@ static int __init kernel_init(void * unu
df50ba0c
MT		 47642 do_basic_setup();
47643
47644 /* Open the /dev/console on the rootfs, this should never fail */
47645- if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
47646+ if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
47647 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
47648
47649 (void) sys_dup(0);
57199397 47650@@ -915,11 +961,13 @@ static int __init kernel_init(void * unu
ae4e228f
MT		 47651 if (!ramdisk_execute_command)
47652 ramdisk_execute_command = "/init";
47653
47654- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
47655+ if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
47656 ramdisk_execute_command = NULL;
58c5fc13
MT		 47657 prepare_namespace();
47658 }
47659
47660+ grsecurity_init();
47661+
47662 /*
47663 * Ok, we have completed the initial bootup, and
47664 * we're essentially up and running. Get rid of the
57199397
MT		 47665diff -urNp linux-2.6.35.4/init/noinitramfs.c linux-2.6.35.4/init/noinitramfs.c
47666--- linux-2.6.35.4/init/noinitramfs.c 2010-08-26 19:47:12.000000000 -0400
47667+++ linux-2.6.35.4/init/noinitramfs.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 47668@@ -29,17 +29,17 @@ static int __init default_rootfs(void)
58c5fc13
MT		 47669 {
47670 int err;
47671
47672- err = sys_mkdir("/dev", 0755);
47673+ err = sys_mkdir((const char __user *)"/dev", 0755);
47674 if (err < 0)
47675 goto out;
47676
df50ba0c
MT		 47677- err = sys_mknod((const char __user *) "/dev/console",
47678+ err = sys_mknod((__force const char __user *) "/dev/console",
47679 S_IFCHR | S_IRUSR | S_IWUSR,
47680 new_encode_dev(MKDEV(5, 1)));
58c5fc13
MT		 47681 if (err < 0)
47682 goto out;
47683
47684- err = sys_mkdir("/root", 0700);
47685+ err = sys_mkdir((const char __user *)"/root", 0700);
47686 if (err < 0)
47687 goto out;
47688
57199397
MT		 47689diff -urNp linux-2.6.35.4/ipc/mqueue.c linux-2.6.35.4/ipc/mqueue.c
47690--- linux-2.6.35.4/ipc/mqueue.c 2010-08-26 19:47:12.000000000 -0400
47691+++ linux-2.6.35.4/ipc/mqueue.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 47692@@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
58c5fc13
MT		 47693 mq_bytes = (mq_msg_tblsz +
47694 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
47695
47696+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
47697 spin_lock(&mq_lock);
47698 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
47699 u->mq_bytes + mq_bytes >
57199397
MT		 47700diff -urNp linux-2.6.35.4/ipc/shm.c linux-2.6.35.4/ipc/shm.c
47701--- linux-2.6.35.4/ipc/shm.c 2010-08-26 19:47:12.000000000 -0400
47702+++ linux-2.6.35.4/ipc/shm.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 47703@@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
58c5fc13
MT		 47704 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
47705 #endif
47706
47707+#ifdef CONFIG_GRKERNSEC
47708+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47709+ const time_t shm_createtime, const uid_t cuid,
47710+ const int shmid);
47711+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47712+ const time_t shm_createtime);
47713+#endif
47714+
47715 void shm_init_ns(struct ipc_namespace *ns)
47716 {
47717 ns->shm_ctlmax = SHMMAX;
57199397 47718@@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
58c5fc13
MT		 47719 shp->shm_lprid = 0;
47720 shp->shm_atim = shp->shm_dtim = 0;
47721 shp->shm_ctim = get_seconds();
47722+#ifdef CONFIG_GRKERNSEC
47723+ {
47724+ struct timespec timeval;
47725+ do_posix_clock_monotonic_gettime(&timeval);
47726+
47727+ shp->shm_createtime = timeval.tv_sec;
47728+ }
47729+#endif
47730 shp->shm_segsz = size;
47731 shp->shm_nattch = 0;
47732 shp->shm_file = file;
57199397 47733@@ -877,9 +893,21 @@ long do_shmat(int shmid, char __user *sh
58c5fc13
MT		 47734 if (err)
47735 goto out_unlock;
47736
47737+#ifdef CONFIG_GRKERNSEC
47738+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
47739+ shp->shm_perm.cuid, shmid) ||
47740+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
47741+ err = -EACCES;
47742+ goto out_unlock;
47743+ }
47744+#endif
47745+
ae4e228f
MT		 47746 path = shp->shm_file->f_path;
47747 path_get(&path);
58c5fc13
MT		 47748 shp->shm_nattch++;
47749+#ifdef CONFIG_GRKERNSEC
47750+ shp->shm_lapid = current->pid;
47751+#endif
47752 size = i_size_read(path.dentry->d_inode);
47753 shm_unlock(shp);
47754
57199397
MT		 47755diff -urNp linux-2.6.35.4/kernel/acct.c linux-2.6.35.4/kernel/acct.c
47756--- linux-2.6.35.4/kernel/acct.c 2010-08-26 19:47:12.000000000 -0400
47757+++ linux-2.6.35.4/kernel/acct.c 2010-09-17 20:12:09.000000000 -0400
47758@@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
58c5fc13
MT		 47759 */
47760 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
47761 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
47762- file->f_op->write(file, (char *)&ac,
ae4e228f 47763+ file->f_op->write(file, (__force char __user *)&ac,
58c5fc13
MT		 47764 sizeof(acct_t), &file->f_pos);
47765 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
47766 set_fs(fs);
57199397
MT		 47767diff -urNp linux-2.6.35.4/kernel/capability.c linux-2.6.35.4/kernel/capability.c
47768--- linux-2.6.35.4/kernel/capability.c 2010-08-26 19:47:12.000000000 -0400
47769+++ linux-2.6.35.4/kernel/capability.c 2010-09-17 20:12:37.000000000 -0400
47770@@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
ae4e228f
MT		 47771 * before modification is attempted and the application
47772 * fails.
47773 */
47774+ if (tocopy > ARRAY_SIZE(kdata))
47775+ return -EFAULT;
47776+
47777 if (copy_to_user(dataptr, kdata, tocopy
47778 * sizeof(struct __user_cap_data_struct))) {
47779 return -EFAULT;
57199397 47780@@ -306,10 +309,21 @@ int capable(int cap)
58c5fc13
MT		 47781 BUG();
47782 }
47783
47784- if (security_capable(cap) == 0) {
47785+ if (security_capable(cap) == 0 && gr_is_capable(cap)) {
58c5fc13
MT		 47786+ current->flags |= PF_SUPERPRIV;
47787+ return 1;
47788+ }
47789+ return 0;
47790+}
ae4e228f
MT		 47791+
47792+int capable_nolog(int cap)
47793+{
47794+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
47795 current->flags |= PF_SUPERPRIV;
47796 return 1;
47797 }
47798 return 0;
47799 }
58c5fc13
MT		 47800+
47801 EXPORT_SYMBOL(capable);
47802+EXPORT_SYMBOL(capable_nolog);
57199397
MT		 47803diff -urNp linux-2.6.35.4/kernel/compat.c linux-2.6.35.4/kernel/compat.c
47804--- linux-2.6.35.4/kernel/compat.c 2010-08-26 19:47:12.000000000 -0400
47805+++ linux-2.6.35.4/kernel/compat.c 2010-09-17 20:12:37.000000000 -0400
47806@@ -13,6 +13,7 @@
47807
47808 #include <linux/linkage.h>
47809 #include <linux/compat.h>
47810+#include <linux/module.h>
47811 #include <linux/errno.h>
47812 #include <linux/time.h>
47813 #include <linux/signal.h>
47814@@ -1137,3 +1138,24 @@ compat_sys_sysinfo(struct compat_sysinfo
47815
47816 return 0;
47817 }
47818+
47819+/*
47820+ * Allocate user-space memory for the duration of a single system call,
47821+ * in order to marshall parameters inside a compat thunk.
47822+ */
47823+void __user *compat_alloc_user_space(unsigned long len)
47824+{
47825+ void __user *ptr;
47826+
47827+ /* If len would occupy more than half of the entire compat space... */
47828+ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
47829+ return NULL;
47830+
47831+ ptr = arch_compat_alloc_user_space(len);
47832+
47833+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
47834+ return NULL;
47835+
47836+ return ptr;
47837+}
47838+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
47839diff -urNp linux-2.6.35.4/kernel/configs.c linux-2.6.35.4/kernel/configs.c
47840--- linux-2.6.35.4/kernel/configs.c 2010-08-26 19:47:12.000000000 -0400
47841+++ linux-2.6.35.4/kernel/configs.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 47842@@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
47843 struct proc_dir_entry *entry;
47844
47845 /* create the current config file */
47846+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
47847+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
47848+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
47849+ &ikconfig_file_ops);
47850+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47851+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
47852+ &ikconfig_file_ops);
47853+#endif
47854+#else
47855 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
47856 &ikconfig_file_ops);
47857+#endif
47858+
47859 if (!entry)
47860 return -ENOMEM;
47861
57199397
MT		 47862diff -urNp linux-2.6.35.4/kernel/cred.c linux-2.6.35.4/kernel/cred.c
47863--- linux-2.6.35.4/kernel/cred.c 2010-08-26 19:47:12.000000000 -0400
47864+++ linux-2.6.35.4/kernel/cred.c 2010-09-17 20:12:37.000000000 -0400
47865@@ -489,6 +489,8 @@ int commit_creds(struct cred *new)
58c5fc13
MT		 47866
47867 get_cred(new); /* we will require a ref for the subj creds too */
47868
47869+ gr_set_role_label(task, new->uid, new->gid);
47870+
47871 /* dumpability changes */
47872 if (old->euid != new->euid ||
47873 old->egid != new->egid ||
57199397
MT		 47874diff -urNp linux-2.6.35.4/kernel/debug/debug_core.c linux-2.6.35.4/kernel/debug/debug_core.c
47875--- linux-2.6.35.4/kernel/debug/debug_core.c 2010-08-26 19:47:12.000000000 -0400
47876+++ linux-2.6.35.4/kernel/debug/debug_core.c 2010-09-17 20:12:09.000000000 -0400
47877@@ -71,7 +71,7 @@ int kgdb_io_module_registered;
47878 /* Guard for recursive entry */
47879 static int exception_level;
47880
47881-struct kgdb_io *dbg_io_ops;
47882+const struct kgdb_io *dbg_io_ops;
47883 static DEFINE_SPINLOCK(kgdb_registration_lock);
47884
47885 /* kgdb console driver is loaded */
47886@@ -871,7 +871,7 @@ static void kgdb_initial_breakpoint(void
47887 *
47888 * Register it with the KGDB core.
47889 */
47890-int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
47891+int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
47892 {
47893 int err;
47894
47895@@ -916,7 +916,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
47896 *
47897 * Unregister it with the KGDB core.
47898 */
47899-void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
47900+void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
47901 {
47902 BUG_ON(kgdb_connected);
47903
47904diff -urNp linux-2.6.35.4/kernel/debug/kdb/kdb_main.c linux-2.6.35.4/kernel/debug/kdb/kdb_main.c
47905--- linux-2.6.35.4/kernel/debug/kdb/kdb_main.c 2010-08-26 19:47:12.000000000 -0400
47906+++ linux-2.6.35.4/kernel/debug/kdb/kdb_main.c 2010-09-17 20:12:09.000000000 -0400
47907@@ -1872,7 +1872,7 @@ static int kdb_lsmod(int argc, const cha
47908 list_for_each_entry(mod, kdb_modules, list) {
47909
47910 kdb_printf("%-20s%8u 0x%p ", mod->name,
47911- mod->core_size, (void *)mod);
47912+ mod->core_size_rx + mod->core_size_rw, (void *)mod);
47913 #ifdef CONFIG_MODULE_UNLOAD
47914 kdb_printf("%4d ", module_refcount(mod));
47915 #endif
47916@@ -1882,7 +1882,7 @@ static int kdb_lsmod(int argc, const cha
47917 kdb_printf(" (Loading)");
47918 else
47919 kdb_printf(" (Live)");
47920- kdb_printf(" 0x%p", mod->module_core);
47921+ kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
47922
47923 #ifdef CONFIG_MODULE_UNLOAD
47924 {
47925diff -urNp linux-2.6.35.4/kernel/exit.c linux-2.6.35.4/kernel/exit.c
47926--- linux-2.6.35.4/kernel/exit.c 2010-08-26 19:47:12.000000000 -0400
47927+++ linux-2.6.35.4/kernel/exit.c 2010-09-17 20:13:49.000000000 -0400
47928@@ -56,6 +56,10 @@
47929 #include <asm/pgtable.h>
58c5fc13 47930 #include <asm/mmu_context.h>
58c5fc13
MT		 47931
47932+#ifdef CONFIG_GRKERNSEC
47933+extern rwlock_t grsec_exec_file_lock;
47934+#endif
47935+
47936 static void exit_mm(struct task_struct * tsk);
47937
57199397
MT		 47938 static void __unhash_process(struct task_struct *p, bool group_dead)
47939@@ -162,6 +166,8 @@ void release_task(struct task_struct * p
58c5fc13
MT		 47940 struct task_struct *leader;
47941 int zap_leader;
47942 repeat:
47943+ gr_del_task_from_ip_table(p);
47944+
47945 tracehook_prepare_release_task(p);
47946 /* don't need to get the RCU readlock here - the process is dead and
df50ba0c 47947 * can't be modifying its own credentials. But shut RCU-lockdep up */
57199397 47948@@ -331,11 +337,22 @@ static void reparent_to_kthreadd(void)
58c5fc13
MT		 47949 {
47950 write_lock_irq(&tasklist_lock);
47951
47952+#ifdef CONFIG_GRKERNSEC
47953+ write_lock(&grsec_exec_file_lock);
47954+ if (current->exec_file) {
47955+ fput(current->exec_file);
47956+ current->exec_file = NULL;
47957+ }
47958+ write_unlock(&grsec_exec_file_lock);
47959+#endif
47960+
47961 ptrace_unlink(current);
47962 /* Reparent to init */
47963 current->real_parent = current->parent = kthreadd_task;
47964 list_move_tail(&current->sibling, &current->real_parent->children);
47965
47966+ gr_set_kernel_label(current);
47967+
47968 /* Set the exit signal to SIGCHLD so we signal init on exit */
47969 current->exit_signal = SIGCHLD;
47970
57199397 47971@@ -387,7 +404,7 @@ int allow_signal(int sig)
ae4e228f
MT		 47972 * know it'll be handled, so that they don't get converted to
47973 * SIGKILL or just silently dropped.
47974 */
47975- current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
47976+ current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
47977 recalc_sigpending();
47978 spin_unlock_irq(&current->sighand->siglock);
47979 return 0;
57199397 47980@@ -423,6 +440,17 @@ void daemonize(const char *name, ...)
58c5fc13
MT		 47981 vsnprintf(current->comm, sizeof(current->comm), name, args);
47982 va_end(args);
47983
47984+#ifdef CONFIG_GRKERNSEC
47985+ write_lock(&grsec_exec_file_lock);
47986+ if (current->exec_file) {
47987+ fput(current->exec_file);
47988+ current->exec_file = NULL;
47989+ }
47990+ write_unlock(&grsec_exec_file_lock);
47991+#endif
47992+
47993+ gr_set_kernel_label(current);
47994+
47995 /*
47996 * If we were started as result of loading a module, close all of the
47997 * user space pages. We don't need them, and if we didn't close them
57199397 47998@@ -960,6 +988,9 @@ NORET_TYPE void do_exit(long code)
58c5fc13
MT		 47999 tsk->exit_code = code;
48000 taskstats_exit(tsk, group_dead);
48001
48002+ gr_acl_handle_psacct(tsk, code);
48003+ gr_acl_handle_exit();
48004+
48005 exit_mm(tsk);
48006
48007 if (group_dead)
57199397
MT		 48008diff -urNp linux-2.6.35.4/kernel/fork.c linux-2.6.35.4/kernel/fork.c
48009--- linux-2.6.35.4/kernel/fork.c 2010-08-26 19:47:12.000000000 -0400
48010+++ linux-2.6.35.4/kernel/fork.c 2010-09-17 20:12:37.000000000 -0400
48011@@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
58c5fc13
MT		 48012 *stackend = STACK_END_MAGIC; /* for overflow detection */
48013
48014 #ifdef CONFIG_CC_STACKPROTECTOR
48015- tsk->stack_canary = get_random_int();
48016+ tsk->stack_canary = pax_get_random_long();
48017 #endif
48018
48019 /* One for us, one for whoever does the "release_task()" (usually parent) */
57199397
MT		 48020@@ -298,13 +298,78 @@ out:
48021 }
48022
48023 #ifdef CONFIG_MMU
48024+static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
48025+{
48026+ struct vm_area_struct *tmp;
48027+ unsigned long charge;
48028+ struct mempolicy *pol;
48029+ struct file *file;
48030+
48031+ charge = 0;
48032+ if (mpnt->vm_flags & VM_ACCOUNT) {
48033+ unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48034+ if (security_vm_enough_memory(len))
48035+ goto fail_nomem;
48036+ charge = len;
48037+ }
48038+ tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48039+ if (!tmp)
48040+ goto fail_nomem;
48041+ *tmp = *mpnt;
48042+ tmp->vm_mm = mm;
48043+ INIT_LIST_HEAD(&tmp->anon_vma_chain);
48044+ pol = mpol_dup(vma_policy(mpnt));
48045+ if (IS_ERR(pol))
48046+ goto fail_nomem_policy;
48047+ vma_set_policy(tmp, pol);
48048+ if (anon_vma_fork(tmp, mpnt))
48049+ goto fail_nomem_anon_vma_fork;
48050+ tmp->vm_flags &= ~VM_LOCKED;
48051+ tmp->vm_next = NULL;
48052+ tmp->vm_mirror = NULL;
48053+ file = tmp->vm_file;
48054+ if (file) {
48055+ struct inode *inode = file->f_path.dentry->d_inode;
48056+ struct address_space *mapping = file->f_mapping;
48057+
48058+ get_file(file);
48059+ if (tmp->vm_flags & VM_DENYWRITE)
48060+ atomic_dec(&inode->i_writecount);
48061+ spin_lock(&mapping->i_mmap_lock);
48062+ if (tmp->vm_flags & VM_SHARED)
48063+ mapping->i_mmap_writable++;
48064+ tmp->vm_truncate_count = mpnt->vm_truncate_count;
48065+ flush_dcache_mmap_lock(mapping);
48066+ /* insert tmp into the share list, just after mpnt */
48067+ vma_prio_tree_add(tmp, mpnt);
48068+ flush_dcache_mmap_unlock(mapping);
48069+ spin_unlock(&mapping->i_mmap_lock);
48070+ }
48071+
48072+ /*
48073+ * Clear hugetlb-related page reserves for children. This only
48074+ * affects MAP_PRIVATE mappings. Faults generated by the child
48075+ * are not guaranteed to succeed, even if read-only
48076+ */
48077+ if (is_vm_hugetlb_page(tmp))
48078+ reset_vma_resv_huge_pages(tmp);
48079+
48080+ return tmp;
48081+
48082+fail_nomem_anon_vma_fork:
48083+ mpol_put(pol);
48084+fail_nomem_policy:
48085+ kmem_cache_free(vm_area_cachep, tmp);
48086+fail_nomem:
48087+ vm_unacct_memory(charge);
48088+ return NULL;
48089+}
48090+
48091 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
48092 {
48093 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
48094 struct rb_node **rb_link, *rb_parent;
48095 int retval;
48096- unsigned long charge;
48097- struct mempolicy *pol;
48098
48099 down_write(&oldmm->mmap_sem);
48100 flush_cache_dup_mm(oldmm);
48101@@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
58c5fc13
MT		 48102 mm->locked_vm = 0;
48103 mm->mmap = NULL;
48104 mm->mmap_cache = NULL;
48105- mm->free_area_cache = oldmm->mmap_base;
48106- mm->cached_hole_size = ~0UL;
48107+ mm->free_area_cache = oldmm->free_area_cache;
48108+ mm->cached_hole_size = oldmm->cached_hole_size;
48109 mm->map_count = 0;
48110 cpumask_clear(mm_cpumask(mm));
48111 mm->mm_rb = RB_ROOT;
57199397
MT		 48112@@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
48113
48114 prev = NULL;
48115 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
48116- struct file *file;
48117-
48118 if (mpnt->vm_flags & VM_DONTCOPY) {
48119 long pages = vma_pages(mpnt);
48120 mm->total_vm -= pages;
48121@@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
48122 -pages);
48123 continue;
48124 }
48125- charge = 0;
48126- if (mpnt->vm_flags & VM_ACCOUNT) {
48127- unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48128- if (security_vm_enough_memory(len))
48129- goto fail_nomem;
48130- charge = len;
48131- }
48132- tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48133- if (!tmp)
48134- goto fail_nomem;
48135- *tmp = *mpnt;
48136- INIT_LIST_HEAD(&tmp->anon_vma_chain);
48137- pol = mpol_dup(vma_policy(mpnt));
48138- retval = PTR_ERR(pol);
48139- if (IS_ERR(pol))
48140- goto fail_nomem_policy;
48141- vma_set_policy(tmp, pol);
48142- if (anon_vma_fork(tmp, mpnt))
48143- goto fail_nomem_anon_vma_fork;
48144- tmp->vm_flags &= ~VM_LOCKED;
48145- tmp->vm_mm = mm;
48146- tmp->vm_next = tmp->vm_prev = NULL;
48147- file = tmp->vm_file;
48148- if (file) {
48149- struct inode *inode = file->f_path.dentry->d_inode;
48150- struct address_space *mapping = file->f_mapping;
48151-
48152- get_file(file);
48153- if (tmp->vm_flags & VM_DENYWRITE)
48154- atomic_dec(&inode->i_writecount);
48155- spin_lock(&mapping->i_mmap_lock);
48156- if (tmp->vm_flags & VM_SHARED)
48157- mapping->i_mmap_writable++;
48158- tmp->vm_truncate_count = mpnt->vm_truncate_count;
48159- flush_dcache_mmap_lock(mapping);
48160- /* insert tmp into the share list, just after mpnt */
48161- vma_prio_tree_add(tmp, mpnt);
48162- flush_dcache_mmap_unlock(mapping);
48163- spin_unlock(&mapping->i_mmap_lock);
48164+ tmp = dup_vma(mm, mpnt);
48165+ if (!tmp) {
48166+ retval = -ENOMEM;
48167+ goto out;
48168 }
48169
48170 /*
48171- * Clear hugetlb-related page reserves for children. This only
48172- * affects MAP_PRIVATE mappings. Faults generated by the child
48173- * are not guaranteed to succeed, even if read-only
48174- */
48175- if (is_vm_hugetlb_page(tmp))
48176- reset_vma_resv_huge_pages(tmp);
48177-
48178- /*
48179 * Link in the new vma and copy the page table entries.
48180 */
48181 *pprev = tmp;
48182@@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
58c5fc13
MT		 48183 if (retval)
48184 goto out;
48185 }
48186+
48187+#ifdef CONFIG_PAX_SEGMEXEC
48188+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
48189+ struct vm_area_struct *mpnt_m;
48190+
48191+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
48192+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
48193+
48194+ if (!mpnt->vm_mirror)
48195+ continue;
48196+
48197+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
48198+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
48199+ mpnt->vm_mirror = mpnt_m;
48200+ } else {
48201+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
48202+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
48203+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
48204+ mpnt->vm_mirror->vm_mirror = mpnt;
48205+ }
48206+ }
48207+ BUG_ON(mpnt_m);
48208+ }
48209+#endif
48210+
48211 /* a new mm has just been created */
48212 arch_dup_mmap(oldmm, mm);
48213 retval = 0;
57199397
MT		 48214@@ -417,14 +462,6 @@ out:
48215 flush_tlb_mm(oldmm);
48216 up_write(&oldmm->mmap_sem);
48217 return retval;
48218-fail_nomem_anon_vma_fork:
48219- mpol_put(pol);
48220-fail_nomem_policy:
48221- kmem_cache_free(vm_area_cachep, tmp);
48222-fail_nomem:
48223- retval = -ENOMEM;
48224- vm_unacct_memory(charge);
48225- goto out;
48226 }
48227
48228 static inline int mm_alloc_pgd(struct mm_struct * mm)
48229@@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
58c5fc13
MT		 48230 write_unlock(&fs->lock);
48231 return -EAGAIN;
48232 }
48233- fs->users++;
48234+ atomic_inc(&fs->users);
48235 write_unlock(&fs->lock);
48236 return 0;
48237 }
df50ba0c
MT		 48238 tsk->fs = copy_fs_struct(fs);
48239 if (!tsk->fs)
48240 return -ENOMEM;
48241+ gr_set_chroot_entries(tsk, &tsk->fs->root);
48242 return 0;
48243 }
48244
57199397 48245@@ -1019,10 +1057,13 @@ static struct task_struct *copy_process(
58c5fc13
MT		 48246 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
48247 #endif
48248 retval = -EAGAIN;
48249+
48250+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
48251+
48252 if (atomic_read(&p->real_cred->user->processes) >=
df50ba0c 48253 task_rlimit(p, RLIMIT_NPROC)) {
ae4e228f
MT		 48254- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
48255- p->real_cred->user != INIT_USER)
48256+ if (p->real_cred->user != INIT_USER &&
df50ba0c 48257+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
ae4e228f
MT		 48258 goto bad_fork_free;
48259 }
48260
57199397 48261@@ -1176,6 +1217,8 @@ static struct task_struct *copy_process(
58c5fc13
MT		 48262 goto bad_fork_free_pid;
48263 }
48264
48265+ gr_copy_label(p);
48266+
48267 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
48268 /*
48269 * Clear TID on mm_release()?
57199397 48270@@ -1328,6 +1371,8 @@ bad_fork_cleanup_count:
58c5fc13
MT		 48271 bad_fork_free:
48272 free_task(p);
48273 fork_out:
48274+ gr_log_forkfail(retval);
48275+
48276 return ERR_PTR(retval);
48277 }
48278
57199397 48279@@ -1433,6 +1478,8 @@ long do_fork(unsigned long clone_flags,
58c5fc13
MT		 48280 if (clone_flags & CLONE_PARENT_SETTID)
48281 put_user(nr, parent_tidptr);
48282
48283+ gr_handle_brute_check();
48284+
48285 if (clone_flags & CLONE_VFORK) {
48286 p->vfork_done = &vfork;
48287 init_completion(&vfork);
57199397 48288@@ -1557,7 +1604,7 @@ static int unshare_fs(unsigned long unsh
58c5fc13
MT		 48289 return 0;
48290
48291 /* don't need lock here; in the worst case we'll do useless copy */
48292- if (fs->users == 1)
48293+ if (atomic_read(&fs->users) == 1)
48294 return 0;
48295
48296 *new_fsp = copy_fs_struct(fs);
57199397 48297@@ -1680,7 +1727,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
58c5fc13
MT		 48298 fs = current->fs;
48299 write_lock(&fs->lock);
48300 current->fs = new_fs;
48301- if (--fs->users)
df50ba0c 48302+ gr_set_chroot_entries(current, &current->fs->root);
58c5fc13
MT		 48303+ if (atomic_dec_return(&fs->users))
48304 new_fs = NULL;
48305 else
48306 new_fs = fs;
57199397
MT		 48307diff -urNp linux-2.6.35.4/kernel/futex.c linux-2.6.35.4/kernel/futex.c
48308--- linux-2.6.35.4/kernel/futex.c 2010-08-26 19:47:12.000000000 -0400
48309+++ linux-2.6.35.4/kernel/futex.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 48310@@ -54,6 +54,7 @@
48311 #include <linux/mount.h>
48312 #include <linux/pagemap.h>
48313 #include <linux/syscalls.h>
48314+#include <linux/ptrace.h>
48315 #include <linux/signal.h>
48316 #include <linux/module.h>
48317 #include <linux/magic.h>
48318@@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
58c5fc13
MT		 48319 struct page *page;
48320 int err;
48321
48322+#ifdef CONFIG_PAX_SEGMEXEC
48323+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
48324+ return -EFAULT;
48325+#endif
48326+
48327 /*
48328 * The futex address must be "naturally" aligned.
48329 */
57199397 48330@@ -1843,7 +1849,7 @@ retry:
58c5fc13
MT		 48331
48332 restart = &current_thread_info()->restart_block;
48333 restart->fn = futex_wait_restart;
48334- restart->futex.uaddr = (u32 *)uaddr;
48335+ restart->futex.uaddr = uaddr;
48336 restart->futex.val = val;
48337 restart->futex.time = abs_time->tv64;
48338 restart->futex.bitset = bitset;
57199397 48339@@ -2376,7 +2382,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
ae4e228f
MT		 48340 {
48341 struct robust_list_head __user *head;
48342 unsigned long ret;
ae4e228f 48343+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
57199397 48344 const struct cred *cred = current_cred(), *pcred;
ae4e228f
MT		 48345+#endif
48346
48347 if (!futex_cmpxchg_enabled)
48348 return -ENOSYS;
57199397 48349@@ -2392,11 +2400,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
ae4e228f
MT		 48350 if (!p)
48351 goto err_unlock;
48352 ret = -EPERM;
48353+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48354+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
48355+ goto err_unlock;
48356+#else
48357 pcred = __task_cred(p);
48358 if (cred->euid != pcred->euid &&
48359 cred->euid != pcred->uid &&
48360 !capable(CAP_SYS_PTRACE))
48361 goto err_unlock;
48362+#endif
48363 head = p->robust_list;
48364 rcu_read_unlock();
48365 }
57199397 48366@@ -2458,7 +2471,7 @@ retry:
58c5fc13
MT		 48367 */
48368 static inline int fetch_robust_entry(struct robust_list __user **entry,
48369 struct robust_list __user * __user *head,
48370- int *pi)
48371+ unsigned int *pi)
48372 {
48373 unsigned long uentry;
48374
57199397
MT		 48375diff -urNp linux-2.6.35.4/kernel/futex_compat.c linux-2.6.35.4/kernel/futex_compat.c
48376--- linux-2.6.35.4/kernel/futex_compat.c 2010-08-26 19:47:12.000000000 -0400
48377+++ linux-2.6.35.4/kernel/futex_compat.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 48378@@ -10,6 +10,7 @@
48379 #include <linux/compat.h>
48380 #include <linux/nsproxy.h>
48381 #include <linux/futex.h>
48382+#include <linux/ptrace.h>
48383
48384 #include <asm/uaccess.h>
48385
48386@@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
48387 {
48388 struct compat_robust_list_head __user *head;
48389 unsigned long ret;
48390- const struct cred *cred = current_cred(), *pcred;
ae4e228f 48391+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
57199397 48392+ const struct cred *cred = current_cred();
ae4e228f
MT		 48393+ const struct cred *pcred;
48394+#endif
48395
48396 if (!futex_cmpxchg_enabled)
48397 return -ENOSYS;
48398@@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
48399 if (!p)
48400 goto err_unlock;
48401 ret = -EPERM;
48402+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48403+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
48404+ goto err_unlock;
48405+#else
48406 pcred = __task_cred(p);
48407 if (cred->euid != pcred->euid &&
48408 cred->euid != pcred->uid &&
48409 !capable(CAP_SYS_PTRACE))
48410 goto err_unlock;
48411+#endif
48412 head = p->compat_robust_list;
df50ba0c 48413 rcu_read_unlock();
ae4e228f 48414 }
57199397
MT		 48415diff -urNp linux-2.6.35.4/kernel/gcov/base.c linux-2.6.35.4/kernel/gcov/base.c
48416--- linux-2.6.35.4/kernel/gcov/base.c 2010-08-26 19:47:12.000000000 -0400
48417+++ linux-2.6.35.4/kernel/gcov/base.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 48418@@ -102,11 +102,6 @@ void gcov_enable_events(void)
48419 }
48420
48421 #ifdef CONFIG_MODULES
48422-static inline int within(void *addr, void *start, unsigned long size)
48423-{
48424- return ((addr >= start) && (addr < start + size));
48425-}
48426-
48427 /* Update list and generate events when modules are unloaded. */
48428 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
48429 void *data)
48430@@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
48431 prev = NULL;
48432 /* Remove entries located in module from linked list. */
48433 for (info = gcov_info_head; info; info = info->next) {
48434- if (within(info, mod->module_core, mod->core_size)) {
48435+ if (within_module_core_rw((unsigned long)info, mod)) {
48436 if (prev)
48437 prev->next = info->next;
48438 else
57199397
MT		 48439diff -urNp linux-2.6.35.4/kernel/hrtimer.c linux-2.6.35.4/kernel/hrtimer.c
48440--- linux-2.6.35.4/kernel/hrtimer.c 2010-08-26 19:47:12.000000000 -0400
48441+++ linux-2.6.35.4/kernel/hrtimer.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 48442@@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
48443 local_irq_restore(flags);
48444 }
48445
48446-static void run_hrtimer_softirq(struct softirq_action *h)
48447+static void run_hrtimer_softirq(void)
48448 {
48449 hrtimer_peek_ahead_timers();
48450 }
57199397
MT		 48451diff -urNp linux-2.6.35.4/kernel/kallsyms.c linux-2.6.35.4/kernel/kallsyms.c
48452--- linux-2.6.35.4/kernel/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
48453+++ linux-2.6.35.4/kernel/kallsyms.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 48454@@ -11,6 +11,9 @@
48455 * Changed the compression method from stem compression to "table lookup"
48456 * compression (see scripts/kallsyms.c for a more complete description)
48457 */
48458+#ifdef CONFIG_GRKERNSEC_HIDESYM
48459+#define __INCLUDED_BY_HIDESYM 1
48460+#endif
48461 #include <linux/kallsyms.h>
48462 #include <linux/module.h>
48463 #include <linux/init.h>
57199397 48464@@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
58c5fc13
MT		 48465
48466 static inline int is_kernel_inittext(unsigned long addr)
48467 {
48468+ if (system_state != SYSTEM_BOOTING)
48469+ return 0;
48470+
48471 if (addr >= (unsigned long)_sinittext
48472 && addr <= (unsigned long)_einittext)
48473 return 1;
57199397
MT		 48474 return 0;
48475 }
58c5fc13 48476
ae4e228f 48477+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
df50ba0c 48478+#ifdef CONFIG_MODULES
57199397
MT		 48479+static inline int is_module_text(unsigned long addr)
48480+{
48481+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
48482+ return 1;
48483+
48484+ addr = ktla_ktva(addr);
48485+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
48486+}
48487+#else
48488+static inline int is_module_text(unsigned long addr)
48489+{
48490+ return 0;
48491+}
48492+#endif
df50ba0c 48493+#endif
58c5fc13 48494+
57199397
MT		 48495 static inline int is_kernel_text(unsigned long addr)
48496 {
48497 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
48498@@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
48499
48500 static inline int is_kernel(unsigned long addr)
48501 {
ae4e228f 48502+
57199397
MT		 48503+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48504+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
58c5fc13 48505+ return 1;
ae4e228f 48506+
57199397
MT		 48507+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
48508+#else
48509 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
ae4e228f 48510+#endif
58c5fc13 48511+
58c5fc13
MT		 48512 return 1;
48513 return in_gate_area_no_task(addr);
57199397
MT		 48514 }
48515
48516 static int is_ksym_addr(unsigned long addr)
48517 {
48518+
48519+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48520+ if (is_module_text(addr))
48521+ return 0;
48522+#endif
48523+
48524 if (all_var)
48525 return is_kernel(addr);
48526
48527@@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
58c5fc13
MT		 48528
48529 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
48530 {
48531- iter->name[0] = '\0';
48532 iter->nameoff = get_symbol_offset(new_pos);
48533 iter->pos = new_pos;
48534 }
57199397 48535@@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
ae4e228f
MT		 48536 {
48537 struct kallsym_iter *iter = m->private;
48538
48539+#ifdef CONFIG_GRKERNSEC_HIDESYM
48540+ if (current_uid())
48541+ return 0;
48542+#endif
48543+
48544 /* Some debugging symbols have no name. Ignore them. */
48545 if (!iter->name[0])
48546 return 0;
57199397 48547@@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
58c5fc13
MT		 48548 struct kallsym_iter *iter;
48549 int ret;
48550
48551- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
48552+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
48553 if (!iter)
48554 return -ENOMEM;
48555 reset_iter(iter, 0);
57199397
MT		 48556diff -urNp linux-2.6.35.4/kernel/kmod.c linux-2.6.35.4/kernel/kmod.c
48557--- linux-2.6.35.4/kernel/kmod.c 2010-08-26 19:47:12.000000000 -0400
48558+++ linux-2.6.35.4/kernel/kmod.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 48559@@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
48560 if (ret)
48561 return ret;
58c5fc13
MT		 48562
48563+#ifdef CONFIG_GRKERNSEC_MODHARDEN
48564+ /* we could do a tighter check here, but some distros
48565+ are taking it upon themselves to remove CAP_SYS_MODULE
ae4e228f 48566+ from even root-running apps which cause modules to be
58c5fc13
MT		 48567+ auto-loaded
48568+ */
48569+ if (current_uid()) {
48570+ gr_log_nonroot_mod_load(module_name);
48571+ return -EPERM;
48572+ }
48573+#endif
48574+
48575 /* If modprobe needs a service that is in a module, we get a recursive
48576 * loop. Limit the number of running kmod threads to max_threads/2 or
48577 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
57199397
MT		 48578diff -urNp linux-2.6.35.4/kernel/kprobes.c linux-2.6.35.4/kernel/kprobes.c
48579--- linux-2.6.35.4/kernel/kprobes.c 2010-08-26 19:47:12.000000000 -0400
48580+++ linux-2.6.35.4/kernel/kprobes.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 48581@@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
58c5fc13
MT		 48582 * kernel image and loaded module images reside. This is required
48583 * so x86_64 can correctly handle the %rip-relative fixups.
48584 */
48585- kip->insns = module_alloc(PAGE_SIZE);
48586+ kip->insns = module_alloc_exec(PAGE_SIZE);
48587 if (!kip->insns) {
48588 kfree(kip);
48589 return NULL;
ae4e228f
MT		 48590@@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
48591 */
df50ba0c 48592 if (!list_is_singular(&kip->list)) {
ae4e228f 48593 list_del(&kip->list);
58c5fc13
MT		 48594- module_free(NULL, kip->insns);
48595+ module_free_exec(NULL, kip->insns);
48596 kfree(kip);
48597 }
48598 return 1;
57199397 48599@@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
df50ba0c
MT		 48600 {
48601 int i, err = 0;
48602 unsigned long offset = 0, size = 0;
48603- char *modname, namebuf[128];
48604+ char *modname, namebuf[KSYM_NAME_LEN];
48605 const char *symbol_name;
48606 void *addr;
48607 struct kprobe_blackpoint *kb;
57199397 48608@@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
df50ba0c
MT		 48609 const char *sym = NULL;
48610 unsigned int i = *(loff_t *) v;
48611 unsigned long offset = 0;
48612- char *modname, namebuf[128];
48613+ char *modname, namebuf[KSYM_NAME_LEN];
48614
48615 head = &kprobe_table[i];
48616 preempt_disable();
57199397
MT		 48617diff -urNp linux-2.6.35.4/kernel/lockdep.c linux-2.6.35.4/kernel/lockdep.c
48618--- linux-2.6.35.4/kernel/lockdep.c 2010-08-26 19:47:12.000000000 -0400
48619+++ linux-2.6.35.4/kernel/lockdep.c 2010-09-17 20:12:09.000000000 -0400
48620@@ -571,6 +571,10 @@ static int static_obj(void *obj)
df50ba0c
MT		 48621 end = (unsigned long) &_end,
48622 addr = (unsigned long) obj;
58c5fc13
MT		 48623
48624+#ifdef CONFIG_PAX_KERNEXEC
ae4e228f 48625+ start = ktla_ktva(start);
58c5fc13
MT		 48626+#endif
48627+
48628 /*
48629 * static variable?
48630 */
57199397 48631@@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
ae4e228f
MT		 48632 if (!static_obj(lock->key)) {
48633 debug_locks_off();
48634 printk("INFO: trying to register non-static key.\n");
48635+ printk("lock:%pS key:%pS.\n", lock, lock->key);
48636 printk("the code is fine but needs lockdep annotation.\n");
48637 printk("turning off the locking correctness validator.\n");
48638 dump_stack();
57199397
MT		 48639diff -urNp linux-2.6.35.4/kernel/lockdep_proc.c linux-2.6.35.4/kernel/lockdep_proc.c
48640--- linux-2.6.35.4/kernel/lockdep_proc.c 2010-08-26 19:47:12.000000000 -0400
48641+++ linux-2.6.35.4/kernel/lockdep_proc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 48642@@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
48643
48644 static void print_name(struct seq_file *m, struct lock_class *class)
48645 {
48646- char str[128];
48647+ char str[KSYM_NAME_LEN];
48648 const char *name = class->name;
48649
48650 if (!name) {
57199397
MT		 48651diff -urNp linux-2.6.35.4/kernel/module.c linux-2.6.35.4/kernel/module.c
48652--- linux-2.6.35.4/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
48653+++ linux-2.6.35.4/kernel/module.c 2010-09-17 20:12:37.000000000 -0400
48654@@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
58c5fc13 48655
57199397
MT		 48656 /* Bounds of module allocation, for speeding __module_address.
48657 * Protected by module_mutex. */
58c5fc13
MT		 48658-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
48659+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
48660+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
48661
48662 int register_module_notifier(struct notifier_block * nb)
48663 {
57199397 48664@@ -250,7 +251,7 @@ bool each_symbol(bool (*fn)(const struct
58c5fc13
MT		 48665 return true;
48666
48667 list_for_each_entry_rcu(mod, &modules, list) {
48668- struct symsearch arr[] = {
48669+ struct symsearch modarr[] = {
48670 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
48671 NOT_GPL_ONLY, false },
48672 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
57199397 48673@@ -272,7 +273,7 @@ bool each_symbol(bool (*fn)(const struct
58c5fc13
MT		 48674 #endif
48675 };
48676
48677- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
48678+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
48679 return true;
48680 }
48681 return false;
57199397 48682@@ -383,7 +384,7 @@ static inline void __percpu *mod_percpu(
df50ba0c
MT		 48683 static int percpu_modalloc(struct module *mod,
48684 unsigned long size, unsigned long align)
ae4e228f 48685 {
58c5fc13
MT		 48686- if (align > PAGE_SIZE) {
48687+ if (align-1 >= PAGE_SIZE) {
48688 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
df50ba0c 48689 mod->name, align, PAGE_SIZE);
58c5fc13 48690 align = PAGE_SIZE;
57199397 48691@@ -1562,7 +1563,8 @@ static void free_module(struct module *m
58c5fc13
MT		 48692 destroy_params(mod->kp, mod->num_kp);
48693
48694 /* This may be NULL, but that's OK */
48695- module_free(mod, mod->module_init);
48696+ module_free(mod, mod->module_init_rw);
48697+ module_free_exec(mod, mod->module_init_rx);
48698 kfree(mod->args);
df50ba0c
MT		 48699 percpu_modfree(mod);
48700 #if defined(CONFIG_MODULE_UNLOAD)
57199397 48701@@ -1570,10 +1572,12 @@ static void free_module(struct module *m
df50ba0c 48702 free_percpu(mod->refptr);
58c5fc13
MT		 48703 #endif
48704 /* Free lock-classes: */
48705- lockdep_free_key_range(mod->module_core, mod->core_size);
48706+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
48707+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
48708
48709 /* Finally, free the core (containing the module structure) */
48710- module_free(mod, mod->module_core);
48711+ module_free_exec(mod, mod->module_core_rx);
48712+ module_free(mod, mod->module_core_rw);
58c5fc13 48713
ae4e228f
MT		 48714 #ifdef CONFIG_MPU
48715 update_protections(current->mm);
57199397
MT		 48716@@ -1670,7 +1674,9 @@ static int simplify_symbols(Elf_Shdr *se
48717 mod);
58c5fc13 48718 /* Ok if resolved. */
57199397 48719 if (ksym && !IS_ERR(ksym)) {
ae4e228f 48720+ pax_open_kernel();
58c5fc13 48721 sym[i].st_value = ksym->value;
ae4e228f 48722+ pax_close_kernel();
58c5fc13
MT		 48723 break;
48724 }
48725
57199397 48726@@ -1690,7 +1696,9 @@ static int simplify_symbols(Elf_Shdr *se
df50ba0c 48727 secbase = (unsigned long)mod_percpu(mod);
58c5fc13
MT		 48728 else
48729 secbase = sechdrs[sym[i].st_shndx].sh_addr;
ae4e228f 48730+ pax_open_kernel();
58c5fc13 48731 sym[i].st_value += secbase;
ae4e228f 48732+ pax_close_kernel();
58c5fc13
MT		 48733 break;
48734 }
48735 }
57199397 48736@@ -1751,11 +1759,12 @@ static void layout_sections(struct modul
58c5fc13
MT		 48737 || s->sh_entsize != ~0UL
48738 || strstarts(secstrings + s->sh_name, ".init"))
48739 continue;
48740- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
48741+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48742+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
48743+ else
48744+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
48745 DEBUGP("\t%s\n", secstrings + s->sh_name);
48746 }
48747- if (m == 0)
48748- mod->core_text_size = mod->core_size;
48749 }
48750
48751 DEBUGP("Init section allocation order:\n");
57199397 48752@@ -1768,12 +1777,13 @@ static void layout_sections(struct modul
58c5fc13
MT		 48753 || s->sh_entsize != ~0UL
48754 || !strstarts(secstrings + s->sh_name, ".init"))
48755 continue;
48756- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
48757- | INIT_OFFSET_MASK);
48758+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48759+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
48760+ else
48761+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
48762+ s->sh_entsize |= INIT_OFFSET_MASK;
48763 DEBUGP("\t%s\n", secstrings + s->sh_name);
48764 }
48765- if (m == 0)
48766- mod->init_text_size = mod->init_size;
48767 }
48768 }
48769
57199397 48770@@ -1877,9 +1887,8 @@ static int is_exported(const char *name,
ae4e228f
MT		 48771
48772 /* As per nm */
48773 static char elf_type(const Elf_Sym *sym,
48774- Elf_Shdr *sechdrs,
48775- const char *secstrings,
48776- struct module *mod)
48777+ const Elf_Shdr *sechdrs,
48778+ const char *secstrings)
58c5fc13 48779 {
ae4e228f
MT		 48780 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
48781 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
57199397 48782@@ -1954,7 +1963,7 @@ static unsigned long layout_symtab(struc
58c5fc13 48783
ae4e228f
MT		 48784 /* Put symbol section at end of init part of module. */
48785 symsect->sh_flags |= SHF_ALLOC;
48786- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
48787+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
48788 symindex) | INIT_OFFSET_MASK;
48789 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
48790
57199397 48791@@ -1971,19 +1980,19 @@ static unsigned long layout_symtab(struc
ae4e228f
MT		 48792 }
48793
48794 /* Append room for core symbols at end of core part. */
48795- symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
48796- mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
48797+ symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
48798+ mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
48799
48800 /* Put string table section at end of init part of module. */
48801 strsect->sh_flags |= SHF_ALLOC;
48802- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
48803+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
48804 strindex) | INIT_OFFSET_MASK;
48805 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
48806
48807 /* Append room for core symbols' strings at end of core part. */
48808- *pstroffs = mod->core_size;
48809+ *pstroffs = mod->core_size_rx;
48810 __set_bit(0, strmap);
48811- mod->core_size += bitmap_weight(strmap, strsect->sh_size);
48812+ mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
48813
48814 return symoffs;
48815 }
57199397 48816@@ -2007,12 +2016,14 @@ static void add_kallsyms(struct module *
58c5fc13
MT		 48817 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
48818 mod->strtab = (void *)sechdrs[strindex].sh_addr;
48819
ae4e228f
MT		 48820+ pax_open_kernel();
48821+
58c5fc13 48822 /* Set types up while we still have access to sections. */
ae4e228f
MT		 48823 for (i = 0; i < mod->num_symtab; i++)
48824 mod->symtab[i].st_info
58c5fc13 48825- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
ae4e228f
MT		 48826+ = elf_type(&mod->symtab[i], sechdrs, secstrings);
48827
48828- mod->core_symtab = dst = mod->module_core + symoffs;
48829+ mod->core_symtab = dst = mod->module_core_rx + symoffs;
48830 src = mod->symtab;
48831 *dst = *src;
48832 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
57199397 48833@@ -2024,10 +2035,12 @@ static void add_kallsyms(struct module *
ae4e228f
MT		 48834 }
48835 mod->core_num_syms = ndst;
48836
48837- mod->core_strtab = s = mod->module_core + stroffs;
48838+ mod->core_strtab = s = mod->module_core_rx + stroffs;
48839 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
48840 if (test_bit(i, strmap))
48841 *++s = mod->strtab[i];
58c5fc13 48842+
ae4e228f 48843+ pax_close_kernel();
58c5fc13
MT		 48844 }
48845 #else
ae4e228f 48846 static inline unsigned long layout_symtab(struct module *mod,
57199397
MT		 48847@@ -2070,17 +2083,33 @@ static void dynamic_debug_remove(struct
48848 ddebug_remove_module(debug->modname);
58c5fc13
MT		 48849 }
48850
48851-static void *module_alloc_update_bounds(unsigned long size)
48852+static void *module_alloc_update_bounds_rw(unsigned long size)
48853 {
48854 void *ret = module_alloc(size);
48855
48856 if (ret) {
57199397 48857 mutex_lock(&module_mutex);
58c5fc13
MT		 48858 /* Update module bounds. */
48859- if ((unsigned long)ret < module_addr_min)
48860- module_addr_min = (unsigned long)ret;
48861- if ((unsigned long)ret + size > module_addr_max)
48862- module_addr_max = (unsigned long)ret + size;
48863+ if ((unsigned long)ret < module_addr_min_rw)
48864+ module_addr_min_rw = (unsigned long)ret;
48865+ if ((unsigned long)ret + size > module_addr_max_rw)
48866+ module_addr_max_rw = (unsigned long)ret + size;
57199397 48867+ mutex_unlock(&module_mutex);
58c5fc13
MT		 48868+ }
48869+ return ret;
48870+}
48871+
48872+static void *module_alloc_update_bounds_rx(unsigned long size)
48873+{
48874+ void *ret = module_alloc_exec(size);
48875+
48876+ if (ret) {
57199397 48877+ mutex_lock(&module_mutex);
58c5fc13
MT		 48878+ /* Update module bounds. */
48879+ if ((unsigned long)ret < module_addr_min_rx)
48880+ module_addr_min_rx = (unsigned long)ret;
48881+ if ((unsigned long)ret + size > module_addr_max_rx)
48882+ module_addr_max_rx = (unsigned long)ret + size;
57199397 48883 mutex_unlock(&module_mutex);
58c5fc13
MT		 48884 }
48885 return ret;
57199397 48886@@ -2284,7 +2313,7 @@ static noinline struct module *load_modu
ae4e228f 48887 secstrings, &stroffs, strmap);
58c5fc13
MT		 48888
48889 /* Do the allocs. */
48890- ptr = module_alloc_update_bounds(mod->core_size);
48891+ ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
48892 /*
48893 * The pointer to this block is stored in the module structure
48894 * which is inside the block. Just mark it as not being a
57199397 48895@@ -2295,23 +2324,47 @@ static noinline struct module *load_modu
58c5fc13
MT		 48896 err = -ENOMEM;
48897 goto free_percpu;
48898 }
48899- memset(ptr, 0, mod->core_size);
48900- mod->module_core = ptr;
48901+ memset(ptr, 0, mod->core_size_rw);
48902+ mod->module_core_rw = ptr;
48903
48904- ptr = module_alloc_update_bounds(mod->init_size);
48905+ ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
48906 /*
48907 * The pointer to this block is stored in the module structure
48908 * which is inside the block. This block doesn't need to be
48909 * scanned as it contains data and code that will be freed
48910 * after the module is initialized.
48911 */
48912- kmemleak_ignore(ptr);
48913- if (!ptr && mod->init_size) {
48914+ kmemleak_not_leak(ptr);
48915+ if (!ptr && mod->init_size_rw) {
ae4e228f 48916+ err = -ENOMEM;
58c5fc13 48917+ goto free_core_rw;
ae4e228f 48918+ }
58c5fc13
MT		 48919+ memset(ptr, 0, mod->init_size_rw);
48920+ mod->module_init_rw = ptr;
48921+
48922+ ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
48923+ kmemleak_not_leak(ptr);
48924+ if (!ptr) {
57199397 48925+ err = -ENOMEM;
58c5fc13 48926+ goto free_init_rw;
57199397 48927+ }
58c5fc13 48928+
ae4e228f 48929+ pax_open_kernel();
58c5fc13 48930+ memset(ptr, 0, mod->core_size_rx);
ae4e228f 48931+ pax_close_kernel();
58c5fc13
MT		 48932+ mod->module_core_rx = ptr;
48933+
48934+ ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
48935+ kmemleak_not_leak(ptr);
48936+ if (!ptr && mod->init_size_rx) {
57199397
MT		 48937 err = -ENOMEM;
48938- goto free_core;
58c5fc13 48939+ goto free_core_rx;
57199397
MT		 48940 }
48941- memset(ptr, 0, mod->init_size);
48942- mod->module_init = ptr;
58c5fc13 48943+
ae4e228f 48944+ pax_open_kernel();
58c5fc13 48945+ memset(ptr, 0, mod->init_size_rx);
ae4e228f 48946+ pax_close_kernel();
58c5fc13
MT		 48947+ mod->module_init_rx = ptr;
48948
48949 /* Transfer each section which specifies SHF_ALLOC */
48950 DEBUGP("final section addresses:\n");
57199397 48951@@ -2321,17 +2374,41 @@ static noinline struct module *load_modu
58c5fc13
MT		 48952 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
48953 continue;
48954
48955- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
48956- dest = mod->module_init
48957- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48958- else
48959- dest = mod->module_core + sechdrs[i].sh_entsize;
48960+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
48961+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48962+ dest = mod->module_init_rw
48963+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48964+ else
48965+ dest = mod->module_init_rx
48966+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48967+ } else {
48968+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48969+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
48970+ else
48971+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
48972+ }
48973+
48974+ if (sechdrs[i].sh_type != SHT_NOBITS) {
57199397
MT		 48975
48976- if (sechdrs[i].sh_type != SHT_NOBITS)
48977- memcpy(dest, (void *)sechdrs[i].sh_addr,
48978- sechdrs[i].sh_size);
58c5fc13
MT		 48979+#ifdef CONFIG_PAX_KERNEXEC
48980+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
ae4e228f 48981+ pax_open_kernel();
58c5fc13 48982+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
ae4e228f 48983+ pax_close_kernel();
58c5fc13
MT		 48984+ } else
48985+#endif
57199397 48986+
58c5fc13
MT		 48987+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48988+ }
48989 /* Update sh_addr to point to copy in image. */
48990- sechdrs[i].sh_addr = (unsigned long)dest;
48991+
48992+#ifdef CONFIG_PAX_KERNEXEC
48993+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
48994+ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
48995+ else
48996+#endif
48997+
48998+ sechdrs[i].sh_addr = (unsigned long)dest;
48999 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
49000 }
49001 /* Module has been moved. */
57199397 49002@@ -2342,7 +2419,7 @@ static noinline struct module *load_modu
df50ba0c 49003 mod->refptr = alloc_percpu(struct module_ref);
58c5fc13
MT		 49004 if (!mod->refptr) {
49005 err = -ENOMEM;
49006- goto free_init;
49007+ goto free_init_rx;
49008 }
49009 #endif
49010 /* Now we've moved module, initialize linked lists, etc. */
57199397 49011@@ -2452,8 +2529,8 @@ static noinline struct module *load_modu
58c5fc13
MT		 49012
49013 /* Now do relocations. */
49014 for (i = 1; i < hdr->e_shnum; i++) {
49015- const char *strtab = (char *)sechdrs[strindex].sh_addr;
49016 unsigned int info = sechdrs[i].sh_info;
49017+ strtab = (char *)sechdrs[strindex].sh_addr;
49018
49019 /* Not a valid relocation section? */
49020 if (info >= hdr->e_shnum)
57199397 49021@@ -2503,12 +2580,12 @@ static noinline struct module *load_modu
58c5fc13
MT		 49022 * Do it before processing of module parameters, so the module
49023 * can provide parameter accessor functions of its own.
49024 */
49025- if (mod->module_init)
49026- flush_icache_range((unsigned long)mod->module_init,
49027- (unsigned long)mod->module_init
49028- + mod->init_size);
49029- flush_icache_range((unsigned long)mod->module_core,
49030- (unsigned long)mod->module_core + mod->core_size);
49031+ if (mod->module_init_rx)
49032+ flush_icache_range((unsigned long)mod->module_init_rx,
49033+ (unsigned long)mod->module_init_rx
49034+ + mod->init_size_rx);
49035+ flush_icache_range((unsigned long)mod->module_core_rx,
49036+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
49037
49038 set_fs(old_fs);
49039
57199397
MT		 49040@@ -2574,12 +2651,16 @@ static noinline struct module *load_modu
49041 free_modinfo(mod);
58c5fc13 49042 module_unload_free(mod);
df50ba0c 49043 #if defined(CONFIG_MODULE_UNLOAD)
58c5fc13 49044+ free_init_rx:
df50ba0c 49045 free_percpu(mod->refptr);
ae4e228f 49046- free_init:
58c5fc13
MT		 49047 #endif
49048- module_free(mod, mod->module_init);
49049- free_core:
49050- module_free(mod, mod->module_core);
49051+ module_free_exec(mod, mod->module_init_rx);
49052+ free_core_rx:
49053+ module_free_exec(mod, mod->module_core_rx);
49054+ free_init_rw:
49055+ module_free(mod, mod->module_init_rw);
49056+ free_core_rw:
49057+ module_free(mod, mod->module_core_rw);
49058 /* mod will be freed with core. Don't access it beyond this line! */
49059 free_percpu:
57199397
MT		 49060 free_percpu(percpu);
49061@@ -2669,10 +2750,12 @@ SYSCALL_DEFINE3(init_module, void __user
ae4e228f
MT		 49062 mod->symtab = mod->core_symtab;
49063 mod->strtab = mod->core_strtab;
49064 #endif
58c5fc13
MT		 49065- module_free(mod, mod->module_init);
49066- mod->module_init = NULL;
49067- mod->init_size = 0;
49068- mod->init_text_size = 0;
49069+ module_free(mod, mod->module_init_rw);
49070+ module_free_exec(mod, mod->module_init_rx);
49071+ mod->module_init_rw = NULL;
49072+ mod->module_init_rx = NULL;
49073+ mod->init_size_rw = 0;
49074+ mod->init_size_rx = 0;
49075 mutex_unlock(&module_mutex);
49076
49077 return 0;
57199397 49078@@ -2703,10 +2786,16 @@ static const char *get_ksymbol(struct mo
58c5fc13
MT		 49079 unsigned long nextval;
49080
49081 /* At worse, next value is at end of module */
49082- if (within_module_init(addr, mod))
49083- nextval = (unsigned long)mod->module_init+mod->init_text_size;
49084+ if (within_module_init_rx(addr, mod))
49085+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
49086+ else if (within_module_init_rw(addr, mod))
49087+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
49088+ else if (within_module_core_rx(addr, mod))
49089+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
49090+ else if (within_module_core_rw(addr, mod))
49091+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
49092 else
49093- nextval = (unsigned long)mod->module_core+mod->core_text_size;
49094+ return NULL;
49095
49096 /* Scan for closest preceeding symbol, and next symbol. (ELF
49097 starts real symbols at 1). */
57199397 49098@@ -2952,7 +3041,7 @@ static int m_show(struct seq_file *m, vo
58c5fc13
MT		 49099 char buf[8];
49100
49101 seq_printf(m, "%s %u",
49102- mod->name, mod->init_size + mod->core_size);
49103+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
49104 print_unload_info(m, mod);
49105
49106 /* Informative for users. */
57199397 49107@@ -2961,7 +3050,7 @@ static int m_show(struct seq_file *m, vo
58c5fc13
MT		 49108 mod->state == MODULE_STATE_COMING ? "Loading":
49109 "Live");
49110 /* Used by oprofile and other similar tools. */
49111- seq_printf(m, " 0x%p", mod->module_core);
49112+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
49113
49114 /* Taints info */
49115 if (mod->taints)
57199397 49116@@ -2997,7 +3086,17 @@ static const struct file_operations proc
58c5fc13
MT		 49117
49118 static int __init proc_modules_init(void)
49119 {
49120+#ifndef CONFIG_GRKERNSEC_HIDESYM
49121+#ifdef CONFIG_GRKERNSEC_PROC_USER
49122+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49123+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49124+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
49125+#else
49126 proc_create("modules", 0, NULL, &proc_modules_operations);
49127+#endif
49128+#else
49129+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49130+#endif
49131 return 0;
49132 }
49133 module_init(proc_modules_init);
57199397 49134@@ -3056,12 +3155,12 @@ struct module *__module_address(unsigned
58c5fc13
MT		 49135 {
49136 struct module *mod;
49137
49138- if (addr < module_addr_min || addr > module_addr_max)
49139+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
49140+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
49141 return NULL;
49142
49143 list_for_each_entry_rcu(mod, &modules, list)
49144- if (within_module_core(addr, mod)
49145- || within_module_init(addr, mod))
49146+ if (within_module_init(addr, mod) || within_module_core(addr, mod))
49147 return mod;
49148 return NULL;
49149 }
57199397 49150@@ -3095,11 +3194,20 @@ bool is_module_text_address(unsigned lon
58c5fc13
MT		 49151 */
49152 struct module *__module_text_address(unsigned long addr)
49153 {
49154- struct module *mod = __module_address(addr);
49155+ struct module *mod;
49156+
49157+#ifdef CONFIG_X86_32
49158+ addr = ktla_ktva(addr);
49159+#endif
49160+
49161+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
49162+ return NULL;
49163+
49164+ mod = __module_address(addr);
49165+
49166 if (mod) {
49167 /* Make sure it's within the text section. */
49168- if (!within(addr, mod->module_init, mod->init_text_size)
49169- && !within(addr, mod->module_core, mod->core_text_size))
49170+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
49171 mod = NULL;
49172 }
49173 return mod;
57199397
MT		 49174diff -urNp linux-2.6.35.4/kernel/panic.c linux-2.6.35.4/kernel/panic.c
49175--- linux-2.6.35.4/kernel/panic.c 2010-08-26 19:47:12.000000000 -0400
49176+++ linux-2.6.35.4/kernel/panic.c 2010-09-17 20:12:09.000000000 -0400
49177@@ -429,7 +429,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
58c5fc13
MT		 49178 */
49179 void __stack_chk_fail(void)
49180 {
49181- panic("stack-protector: Kernel stack is corrupted in: %p\n",
49182+ dump_stack();
49183+ panic("stack-protector: Kernel stack is corrupted in: %pS\n",
49184 __builtin_return_address(0));
49185 }
49186 EXPORT_SYMBOL(__stack_chk_fail);
57199397
MT		 49187diff -urNp linux-2.6.35.4/kernel/pid.c linux-2.6.35.4/kernel/pid.c
49188--- linux-2.6.35.4/kernel/pid.c 2010-08-26 19:47:12.000000000 -0400
49189+++ linux-2.6.35.4/kernel/pid.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 49190@@ -33,6 +33,7 @@
49191 #include <linux/rculist.h>
49192 #include <linux/bootmem.h>
49193 #include <linux/hash.h>
49194+#include <linux/security.h>
49195 #include <linux/pid_namespace.h>
49196 #include <linux/init_task.h>
49197 #include <linux/syscalls.h>
49198@@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
49199
49200 int pid_max = PID_MAX_DEFAULT;
49201
49202-#define RESERVED_PIDS 300
49203+#define RESERVED_PIDS 500
49204
49205 int pid_max_min = RESERVED_PIDS + 1;
49206 int pid_max_max = PID_MAX_LIMIT;
df50ba0c 49207@@ -382,7 +383,14 @@ EXPORT_SYMBOL(pid_task);
58c5fc13
MT		 49208 */
49209 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
49210 {
49211- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
49212+ struct task_struct *task;
49213+
49214+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
49215+
49216+ if (gr_pid_is_chrooted(task))
49217+ return NULL;
49218+
49219+ return task;
49220 }
49221
49222 struct task_struct *find_task_by_vpid(pid_t vnr)
57199397
MT		 49223diff -urNp linux-2.6.35.4/kernel/posix-cpu-timers.c linux-2.6.35.4/kernel/posix-cpu-timers.c
49224--- linux-2.6.35.4/kernel/posix-cpu-timers.c 2010-08-26 19:47:12.000000000 -0400
49225+++ linux-2.6.35.4/kernel/posix-cpu-timers.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 49226@@ -6,6 +6,7 @@
49227 #include <linux/posix-timers.h>
49228 #include <linux/errno.h>
49229 #include <linux/math64.h>
49230+#include <linux/security.h>
49231 #include <asm/uaccess.h>
49232 #include <linux/kernel_stat.h>
ae4e228f 49233 #include <trace/events/timer.h>
57199397 49234@@ -972,6 +973,7 @@ static void check_thread_timers(struct t
df50ba0c
MT		 49235 unsigned long hard =
49236 ACCESS_ONCE(sig->rlim[RLIMIT_RTTIME].rlim_max);
49237
49238+ gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout * (USEC_PER_SEC/HZ), 1);
49239 if (hard != RLIM_INFINITY &&
49240 tsk->rt.timeout > DIV_ROUND_UP(hard, USEC_PER_SEC/HZ)) {
58c5fc13 49241 /*
57199397 49242@@ -1138,6 +1140,7 @@ static void check_process_timers(struct
df50ba0c
MT		 49243 unsigned long hard =
49244 ACCESS_ONCE(sig->rlim[RLIMIT_CPU].rlim_max);
49245 cputime_t x;
58c5fc13 49246+ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
df50ba0c 49247 if (psecs >= hard) {
58c5fc13 49248 /*
df50ba0c 49249 * At the hard limit, we just die.
57199397
MT		 49250diff -urNp linux-2.6.35.4/kernel/power/hibernate.c linux-2.6.35.4/kernel/power/hibernate.c
49251--- linux-2.6.35.4/kernel/power/hibernate.c 2010-08-26 19:47:12.000000000 -0400
49252+++ linux-2.6.35.4/kernel/power/hibernate.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 49253@@ -50,14 +50,14 @@ enum {
ae4e228f
MT		 49254
49255 static int hibernation_mode = HIBERNATION_SHUTDOWN;
49256
49257-static struct platform_hibernation_ops *hibernation_ops;
49258+static const struct platform_hibernation_ops *hibernation_ops;
49259
49260 /**
49261 * hibernation_set_ops - set the global hibernate operations
49262 * @ops: the hibernation operations to use in subsequent hibernation transitions
49263 */
49264
49265-void hibernation_set_ops(struct platform_hibernation_ops *ops)
49266+void hibernation_set_ops(const struct platform_hibernation_ops *ops)
49267 {
49268 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
49269 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
57199397
MT		 49270diff -urNp linux-2.6.35.4/kernel/power/poweroff.c linux-2.6.35.4/kernel/power/poweroff.c
49271--- linux-2.6.35.4/kernel/power/poweroff.c 2010-08-26 19:47:12.000000000 -0400
49272+++ linux-2.6.35.4/kernel/power/poweroff.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 49273@@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
49274 .enable_mask = SYSRQ_ENABLE_BOOT,
49275 };
49276
49277-static int pm_sysrq_init(void)
49278+static int __init pm_sysrq_init(void)
49279 {
49280 register_sysrq_key('o', &sysrq_poweroff_op);
49281 return 0;
57199397
MT		 49282diff -urNp linux-2.6.35.4/kernel/power/process.c linux-2.6.35.4/kernel/power/process.c
49283--- linux-2.6.35.4/kernel/power/process.c 2010-08-26 19:47:12.000000000 -0400
49284+++ linux-2.6.35.4/kernel/power/process.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 49285@@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
58c5fc13
MT		 49286 struct timeval start, end;
49287 u64 elapsed_csecs64;
49288 unsigned int elapsed_csecs;
49289+ bool timedout = false;
49290
49291 do_gettimeofday(&start);
49292
49293 end_time = jiffies + TIMEOUT;
ae4e228f 49294 while (true) {
58c5fc13
MT		 49295 todo = 0;
49296+ if (time_after(jiffies, end_time))
49297+ timedout = true;
49298 read_lock(&tasklist_lock);
49299 do_each_thread(g, p) {
49300 if (frozen(p) || !freezeable(p))
ae4e228f 49301@@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
58c5fc13
MT		 49302 * It is "frozen enough". If the task does wake
49303 * up, it will immediately call try_to_freeze.
49304 */
49305- if (!task_is_stopped_or_traced(p) &&
49306- !freezer_should_skip(p))
49307+ if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
49308 todo++;
49309+ if (timedout) {
49310+ printk(KERN_ERR "Task refusing to freeze:\n");
49311+ sched_show_task(p);
49312+ }
49313+ }
49314 } while_each_thread(g, p);
49315 read_unlock(&tasklist_lock);
ae4e228f
MT		 49316- if (!todo || time_after(jiffies, end_time))
49317+ if (!todo || timedout)
49318 break;
49319
49320 /*
57199397
MT		 49321diff -urNp linux-2.6.35.4/kernel/power/suspend.c linux-2.6.35.4/kernel/power/suspend.c
49322--- linux-2.6.35.4/kernel/power/suspend.c 2010-08-26 19:47:12.000000000 -0400
49323+++ linux-2.6.35.4/kernel/power/suspend.c 2010-09-17 20:12:09.000000000 -0400
49324@@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
ae4e228f
MT		 49325 [PM_SUSPEND_MEM] = "mem",
49326 };
49327
49328-static struct platform_suspend_ops *suspend_ops;
49329+static const struct platform_suspend_ops *suspend_ops;
49330
49331 /**
49332 * suspend_set_ops - Set the global suspend method table.
49333 * @ops: Pointer to ops structure.
49334 */
49335-void suspend_set_ops(struct platform_suspend_ops *ops)
49336+void suspend_set_ops(const struct platform_suspend_ops *ops)
49337 {
49338 mutex_lock(&pm_mutex);
49339 suspend_ops = ops;
57199397
MT		 49340diff -urNp linux-2.6.35.4/kernel/printk.c linux-2.6.35.4/kernel/printk.c
49341--- linux-2.6.35.4/kernel/printk.c 2010-08-26 19:47:12.000000000 -0400
49342+++ linux-2.6.35.4/kernel/printk.c 2010-09-17 20:12:37.000000000 -0400
49343@@ -266,6 +266,11 @@ int do_syslog(int type, char __user *buf
58c5fc13
MT		 49344 char c;
49345 int error = 0;
49346
49347+#ifdef CONFIG_GRKERNSEC_DMESG
49348+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
49349+ return -EPERM;
49350+#endif
49351+
df50ba0c 49352 error = security_syslog(type, from_file);
58c5fc13
MT		 49353 if (error)
49354 return error;
57199397
MT		 49355diff -urNp linux-2.6.35.4/kernel/ptrace.c linux-2.6.35.4/kernel/ptrace.c
49356--- linux-2.6.35.4/kernel/ptrace.c 2010-08-26 19:47:12.000000000 -0400
49357+++ linux-2.6.35.4/kernel/ptrace.c 2010-09-17 20:12:37.000000000 -0400
49358@@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
58c5fc13
MT		 49359 cred->gid != tcred->egid ||
49360 cred->gid != tcred->sgid ||
49361 cred->gid != tcred->gid) &&
49362- !capable(CAP_SYS_PTRACE)) {
49363+ !capable_nolog(CAP_SYS_PTRACE)) {
49364 rcu_read_unlock();
49365 return -EPERM;
49366 }
57199397 49367@@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
58c5fc13
MT		 49368 smp_rmb();
49369 if (task->mm)
49370 dumpable = get_dumpable(task->mm);
49371- if (!dumpable && !capable(CAP_SYS_PTRACE))
49372+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
49373 return -EPERM;
49374
ae4e228f 49375 return security_ptrace_access_check(task, mode);
57199397 49376@@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
58c5fc13
MT		 49377 goto unlock_tasklist;
49378
49379 task->ptrace = PT_PTRACED;
49380- if (capable(CAP_SYS_PTRACE))
49381+ if (capable_nolog(CAP_SYS_PTRACE))
49382 task->ptrace |= PT_PTRACE_CAP;
49383
49384 __ptrace_link(task, current);
57199397 49385@@ -361,7 +361,7 @@ int ptrace_readdata(struct task_struct *
ae4e228f
MT		 49386 break;
49387 return -EIO;
49388 }
49389- if (copy_to_user(dst, buf, retval))
49390+ if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
49391 return -EFAULT;
49392 copied += retval;
49393 src += retval;
57199397 49394@@ -572,18 +572,18 @@ int ptrace_request(struct task_struct *c
ae4e228f
MT		 49395 ret = ptrace_setoptions(child, data);
49396 break;
49397 case PTRACE_GETEVENTMSG:
49398- ret = put_user(child->ptrace_message, (unsigned long __user *) data);
49399+ ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
49400 break;
49401
49402 case PTRACE_GETSIGINFO:
49403 ret = ptrace_getsiginfo(child, &siginfo);
49404 if (!ret)
49405- ret = copy_siginfo_to_user((siginfo_t __user *) data,
49406+ ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
49407 &siginfo);
49408 break;
49409
49410 case PTRACE_SETSIGINFO:
49411- if (copy_from_user(&siginfo, (siginfo_t __user *) data,
49412+ if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
49413 sizeof siginfo))
49414 ret = -EFAULT;
49415 else
57199397 49416@@ -703,14 +703,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
ae4e228f
MT		 49417 goto out;
49418 }
58c5fc13
MT		 49419
49420+ if (gr_handle_ptrace(child, request)) {
49421+ ret = -EPERM;
49422+ goto out_put_task_struct;
49423+ }
49424+
ae4e228f
MT		 49425 if (request == PTRACE_ATTACH) {
49426 ret = ptrace_attach(child);
49427 /*
49428 * Some architectures need to do book-keeping after
49429 * a ptrace attach.
49430 */
49431- if (!ret)
49432+ if (!ret) {
49433 arch_ptrace_attach(child);
49434+ gr_audit_ptrace(child);
49435+ }
49436 goto out_put_task_struct;
49437 }
58c5fc13 49438
57199397 49439@@ -734,7 +741,7 @@ int generic_ptrace_peekdata(struct task_
ae4e228f
MT		 49440 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
49441 if (copied != sizeof(tmp))
49442 return -EIO;
49443- return put_user(tmp, (unsigned long __user *)data);
49444+ return put_user(tmp, (__force unsigned long __user *)data);
58c5fc13
MT		 49445 }
49446
ae4e228f 49447 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
57199397
MT		 49448diff -urNp linux-2.6.35.4/kernel/rcutree.c linux-2.6.35.4/kernel/rcutree.c
49449--- linux-2.6.35.4/kernel/rcutree.c 2010-08-26 19:47:12.000000000 -0400
49450+++ linux-2.6.35.4/kernel/rcutree.c 2010-09-17 20:12:09.000000000 -0400
49451@@ -1356,7 +1356,7 @@ __rcu_process_callbacks(struct rcu_state
58c5fc13 49452 /*
ae4e228f 49453 * Do softirq processing for the current CPU.
58c5fc13 49454 */
ae4e228f
MT		 49455-static void rcu_process_callbacks(struct softirq_action *unused)
49456+static void rcu_process_callbacks(void)
49457 {
49458 /*
49459 * Memory references from any prior RCU read-side critical sections
57199397
MT		 49460diff -urNp linux-2.6.35.4/kernel/resource.c linux-2.6.35.4/kernel/resource.c
49461--- linux-2.6.35.4/kernel/resource.c 2010-08-26 19:47:12.000000000 -0400
49462+++ linux-2.6.35.4/kernel/resource.c 2010-09-17 20:12:37.000000000 -0400
49463@@ -133,8 +133,18 @@ static const struct file_operations proc
58c5fc13
MT		 49464
49465 static int __init ioresources_init(void)
49466 {
49467+#ifdef CONFIG_GRKERNSEC_PROC_ADD
49468+#ifdef CONFIG_GRKERNSEC_PROC_USER
49469+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
49470+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
49471+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49472+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
49473+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
49474+#endif
49475+#else
49476 proc_create("ioports", 0, NULL, &proc_ioports_operations);
49477 proc_create("iomem", 0, NULL, &proc_iomem_operations);
49478+#endif
49479 return 0;
49480 }
49481 __initcall(ioresources_init);
57199397
MT		 49482diff -urNp linux-2.6.35.4/kernel/sched.c linux-2.6.35.4/kernel/sched.c
49483--- linux-2.6.35.4/kernel/sched.c 2010-08-26 19:47:12.000000000 -0400
49484+++ linux-2.6.35.4/kernel/sched.c 2010-09-17 20:12:37.000000000 -0400
49485@@ -4266,6 +4266,8 @@ int can_nice(const struct task_struct *p
58c5fc13
MT		 49486 /* convert nice value [19,-20] to rlimit style value [1,40] */
49487 int nice_rlim = 20 - nice;
49488
49489+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
49490+
df50ba0c 49491 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
58c5fc13
MT		 49492 capable(CAP_SYS_NICE));
49493 }
57199397 49494@@ -4299,7 +4301,8 @@ SYSCALL_DEFINE1(nice, int, increment)
58c5fc13
MT		 49495 if (nice > 19)
49496 nice = 19;
49497
49498- if (increment < 0 && !can_nice(current, nice))
49499+ if (increment < 0 && (!can_nice(current, nice) ||
49500+ gr_handle_chroot_nice()))
49501 return -EPERM;
49502
49503 retval = security_task_setnice(current, nice);
57199397 49504@@ -4446,6 +4449,7 @@ recheck:
df50ba0c
MT		 49505 rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO);
49506 unlock_task_sighand(p, &flags);
58c5fc13
MT		 49507
49508+ gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
df50ba0c
MT		 49509 /* can't set/change the rt policy */
49510 if (policy != p->policy && !rlim_rtprio)
49511 return -EPERM;
57199397
MT		 49512diff -urNp linux-2.6.35.4/kernel/sched_fair.c linux-2.6.35.4/kernel/sched_fair.c
49513--- linux-2.6.35.4/kernel/sched_fair.c 2010-08-26 19:47:12.000000000 -0400
49514+++ linux-2.6.35.4/kernel/sched_fair.c 2010-09-17 20:12:09.000000000 -0400
49515@@ -3390,7 +3390,7 @@ out:
df50ba0c
MT		 49516 * In CONFIG_NO_HZ case, the idle load balance owner will do the
49517 * rebalancing for all the cpus for whom scheduler ticks are stopped.
49518 */
49519-static void run_rebalance_domains(struct softirq_action *h)
49520+static void run_rebalance_domains(void)
49521 {
49522 int this_cpu = smp_processor_id();
49523 struct rq *this_rq = cpu_rq(this_cpu);
57199397
MT		 49524diff -urNp linux-2.6.35.4/kernel/signal.c linux-2.6.35.4/kernel/signal.c
49525--- linux-2.6.35.4/kernel/signal.c 2010-08-26 19:47:12.000000000 -0400
49526+++ linux-2.6.35.4/kernel/signal.c 2010-09-17 20:20:18.000000000 -0400
df50ba0c
MT		 49527@@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
49528
49529 int print_fatal_signals __read_mostly;
49530
49531-static void __user *sig_handler(struct task_struct *t, int sig)
49532+static __sighandler_t sig_handler(struct task_struct *t, int sig)
49533 {
49534 return t->sighand->action[sig - 1].sa.sa_handler;
49535 }
49536
49537-static int sig_handler_ignored(void __user *handler, int sig)
49538+static int sig_handler_ignored(__sighandler_t handler, int sig)
49539 {
49540 /* Is it explicitly or implicitly ignored? */
49541 return handler == SIG_IGN ||
49542@@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
49543 static int sig_task_ignored(struct task_struct *t, int sig,
49544 int from_ancestor_ns)
49545 {
49546- void __user *handler;
49547+ __sighandler_t handler;
49548
49549 handler = sig_handler(t, sig);
49550
49551@@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
58c5fc13 49552 atomic_inc(&user->sigpending);
ae4e228f
MT		 49553 rcu_read_unlock();
49554
58c5fc13
MT		 49555+ if (!override_rlimit)
49556+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
ae4e228f 49557+
58c5fc13
MT		 49558 if (override_rlimit ||
49559 atomic_read(&user->sigpending) <=
df50ba0c
MT		 49560 task_rlimit(t, RLIMIT_SIGPENDING)) {
49561@@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
49562
49563 int unhandled_signal(struct task_struct *tsk, int sig)
49564 {
49565- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
49566+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
49567 if (is_global_init(tsk))
49568 return 1;
49569 if (handler != SIG_IGN && handler != SIG_DFL)
efbe55a5 49570@@ -678,6 +681,9 @@ static int check_kill_permission(int sig
58c5fc13
MT		 49571 }
49572 }
49573
49574+ if (gr_handle_signal(t, sig))
49575+ return -EPERM;
49576+
49577 return security_task_kill(t, info, sig, 0);
49578 }
49579
efbe55a5 49580@@ -1025,7 +1031,7 @@ __group_send_sig_info(int sig, struct si
58c5fc13
MT		 49581 return send_signal(sig, info, p, 1);
49582 }
49583
49584-static int
49585+int
49586 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
49587 {
49588 return send_signal(sig, info, t, 0);
efbe55a5 49589@@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
58c5fc13
MT		 49590 ret = specific_send_sig_info(sig, info, t);
49591 spin_unlock_irqrestore(&t->sighand->siglock, flags);
49592
49593+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
49594+ gr_handle_crash(t, sig);
49595+
49596 return ret;
49597 }
49598
57199397
MT		 49599@@ -1136,8 +1145,11 @@ int group_send_sig_info(int sig, struct
49600 ret = check_kill_permission(sig, info, p);
49601 rcu_read_unlock();
ae4e228f
MT		 49602
49603- if (!ret && sig)
49604+ if (!ret && sig) {
49605 ret = do_send_sig_info(sig, info, p, true);
58c5fc13
MT		 49606+ if (!ret)
49607+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
ae4e228f 49608+ }
58c5fc13
MT		 49609
49610 return ret;
ae4e228f 49611 }
57199397
MT		 49612diff -urNp linux-2.6.35.4/kernel/smp.c linux-2.6.35.4/kernel/smp.c
49613--- linux-2.6.35.4/kernel/smp.c 2010-08-26 19:47:12.000000000 -0400
49614+++ linux-2.6.35.4/kernel/smp.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 49615@@ -499,22 +499,22 @@ int smp_call_function(void (*func)(void
ae4e228f
MT		 49616 }
49617 EXPORT_SYMBOL(smp_call_function);
49618
49619-void ipi_call_lock(void)
49620+void ipi_call_lock(void) __acquires(call_function.lock)
49621 {
49622 raw_spin_lock(&call_function.lock);
49623 }
49624
49625-void ipi_call_unlock(void)
49626+void ipi_call_unlock(void) __releases(call_function.lock)
49627 {
49628 raw_spin_unlock(&call_function.lock);
49629 }
49630
49631-void ipi_call_lock_irq(void)
49632+void ipi_call_lock_irq(void) __acquires(call_function.lock)
49633 {
49634 raw_spin_lock_irq(&call_function.lock);
49635 }
49636
49637-void ipi_call_unlock_irq(void)
49638+void ipi_call_unlock_irq(void) __releases(call_function.lock)
49639 {
49640 raw_spin_unlock_irq(&call_function.lock);
49641 }
57199397
MT		 49642diff -urNp linux-2.6.35.4/kernel/softirq.c linux-2.6.35.4/kernel/softirq.c
49643--- linux-2.6.35.4/kernel/softirq.c 2010-08-26 19:47:12.000000000 -0400
49644+++ linux-2.6.35.4/kernel/softirq.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 49645@@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
49646
49647 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
49648
49649-char *softirq_to_name[NR_SOFTIRQS] = {
49650+const char * const softirq_to_name[NR_SOFTIRQS] = {
49651 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
49652 "TASKLET", "SCHED", "HRTIMER", "RCU"
49653 };
49654@@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
49655
49656 asmlinkage void __do_softirq(void)
49657 {
49658- struct softirq_action *h;
49659+ const struct softirq_action *h;
49660 __u32 pending;
49661 int max_restart = MAX_SOFTIRQ_RESTART;
49662 int cpu;
49663@@ -216,7 +216,7 @@ restart:
49664 kstat_incr_softirqs_this_cpu(h - softirq_vec);
49665
49666 trace_softirq_entry(h, softirq_vec);
49667- h->action(h);
49668+ h->action();
49669 trace_softirq_exit(h, softirq_vec);
49670 if (unlikely(prev_count != preempt_count())) {
49671 printk(KERN_ERR "huh, entered softirq %td %s %p"
49672@@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
49673 local_irq_restore(flags);
49674 }
49675
49676-void open_softirq(int nr, void (*action)(struct softirq_action *))
49677+void open_softirq(int nr, void (*action)(void))
49678 {
49679 softirq_vec[nr].action = action;
49680 }
49681@@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
49682
49683 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
49684
49685-static void tasklet_action(struct softirq_action *a)
49686+static void tasklet_action(void)
49687 {
49688 struct tasklet_struct *list;
49689
49690@@ -431,7 +431,7 @@ static void tasklet_action(struct softir
49691 }
49692 }
49693
49694-static void tasklet_hi_action(struct softirq_action *a)
49695+static void tasklet_hi_action(void)
49696 {
49697 struct tasklet_struct *list;
49698
57199397
MT		 49699diff -urNp linux-2.6.35.4/kernel/sys.c linux-2.6.35.4/kernel/sys.c
49700--- linux-2.6.35.4/kernel/sys.c 2010-08-26 19:47:12.000000000 -0400
49701+++ linux-2.6.35.4/kernel/sys.c 2010-09-17 20:28:33.000000000 -0400
df50ba0c 49702@@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
58c5fc13
MT		 49703 error = -EACCES;
49704 goto out;
49705 }
49706+
49707+ if (gr_handle_chroot_setpriority(p, niceval)) {
49708+ error = -EACCES;
49709+ goto out;
49710+ }
49711+
49712 no_nice = security_task_setnice(p, niceval);
49713 if (no_nice) {
49714 error = no_nice;
57199397 49715@@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
58c5fc13
MT		 49716 goto error;
49717 }
49718
49719+ if (gr_check_group_change(new->gid, new->egid, -1))
49720+ goto error;
49721+
49722 if (rgid != (gid_t) -1 ||
49723 (egid != (gid_t) -1 && egid != old->gid))
49724 new->sgid = new->egid;
57199397
MT		 49725@@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
49726 old = current_cred();
58c5fc13
MT		 49727
49728 retval = -EPERM;
49729+
49730+ if (gr_check_group_change(gid, gid, gid))
49731+ goto error;
49732+
49733 if (capable(CAP_SETGID))
49734 new->gid = new->egid = new->sgid = new->fsgid = gid;
49735 else if (gid == old->gid || gid == old->sgid)
57199397 49736@@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
58c5fc13
MT		 49737 goto error;
49738 }
49739
49740+ if (gr_check_user_change(new->uid, new->euid, -1))
49741+ goto error;
49742+
49743 if (new->uid != old->uid) {
49744 retval = set_user(new);
49745 if (retval < 0)
57199397
MT		 49746@@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
49747 old = current_cred();
58c5fc13
MT		 49748
49749 retval = -EPERM;
49750+
49751+ if (gr_check_crash_uid(uid))
49752+ goto error;
49753+ if (gr_check_user_change(uid, uid, uid))
49754+ goto error;
49755+
49756 if (capable(CAP_SETUID)) {
49757 new->suid = new->uid = uid;
49758 if (uid != old->uid) {
57199397 49759@@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
58c5fc13
MT		 49760 goto error;
49761 }
49762
49763+ if (gr_check_user_change(ruid, euid, -1))
49764+ goto error;
49765+
49766 if (ruid != (uid_t) -1) {
49767 new->uid = ruid;
49768 if (ruid != old->uid) {
57199397 49769@@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
58c5fc13
MT		 49770 goto error;
49771 }
49772
49773+ if (gr_check_group_change(rgid, egid, -1))
49774+ goto error;
49775+
49776 if (rgid != (gid_t) -1)
49777 new->gid = rgid;
49778 if (egid != (gid_t) -1)
57199397
MT		 49779@@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49780 old = current_cred();
49781 old_fsuid = old->fsuid;
58c5fc13
MT		 49782
49783+ if (gr_check_user_change(-1, -1, uid))
49784+ goto error;
49785+
49786 if (uid == old->uid || uid == old->euid ||
49787 uid == old->suid || uid == old->fsuid ||
49788 capable(CAP_SETUID)) {
57199397
MT		 49789@@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49790 }
49791 }
49792
49793+error:
49794 abort_creds(new);
49795 return old_fsuid;
49796
49797@@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
58c5fc13
MT		 49798 if (gid == old->gid || gid == old->egid ||
49799 gid == old->sgid || gid == old->fsgid ||
49800 capable(CAP_SETGID)) {
49801+ if (gr_check_group_change(-1, -1, gid))
49802+ goto error;
49803+
49804 if (gid != old_fsgid) {
49805 new->fsgid = gid;
49806 goto change_okay;
57199397
MT		 49807 }
49808 }
49809
49810+error:
49811 abort_creds(new);
49812 return old_fsgid;
49813
49814@@ -1491,7 +1527,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
58c5fc13
MT		 49815 error = get_dumpable(me->mm);
49816 break;
49817 case PR_SET_DUMPABLE:
49818- if (arg2 < 0 || arg2 > 1) {
49819+ if (arg2 > 1) {
49820 error = -EINVAL;
49821 break;
49822 }
57199397
MT		 49823diff -urNp linux-2.6.35.4/kernel/sysctl.c linux-2.6.35.4/kernel/sysctl.c
49824--- linux-2.6.35.4/kernel/sysctl.c 2010-08-26 19:47:12.000000000 -0400
49825+++ linux-2.6.35.4/kernel/sysctl.c 2010-09-17 20:18:09.000000000 -0400
49826@@ -78,6 +78,13 @@
ae4e228f 49827
58c5fc13
MT		 49828
49829 #if defined(CONFIG_SYSCTL)
49830+#include <linux/grsecurity.h>
49831+#include <linux/grinternal.h>
49832+
49833+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
49834+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
49835+ const int op);
49836+extern int gr_handle_chroot_sysctl(const int op);
49837
49838 /* External variables not in a header file. */
df50ba0c 49839 extern int sysctl_overcommit_memory;
57199397
MT		 49840@@ -185,6 +192,7 @@ static int sysrq_sysctl_handler(ctl_tabl
49841 }
49842
58c5fc13 49843 #endif
57199397 49844+extern struct ctl_table grsecurity_table[];
58c5fc13
MT		 49845
49846 static struct ctl_table root_table[];
49847 static struct ctl_table_root sysctl_table_root;
57199397 49848@@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
58c5fc13
MT		 49849 int sysctl_legacy_va_layout;
49850 #endif
49851
49852+#ifdef CONFIG_PAX_SOFTMODE
49853+static ctl_table pax_table[] = {
49854+ {
58c5fc13
MT		 49855+ .procname = "softmode",
49856+ .data = &pax_softmode,
49857+ .maxlen = sizeof(unsigned int),
49858+ .mode = 0600,
49859+ .proc_handler = &proc_dointvec,
49860+ },
49861+
ae4e228f 49862+ { }
58c5fc13
MT		 49863+};
49864+#endif
49865+
df50ba0c 49866 /* The default sysctl tables: */
58c5fc13 49867
df50ba0c 49868 static struct ctl_table root_table[] = {
57199397 49869@@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
58c5fc13
MT		 49870 #endif
49871
49872 static struct ctl_table kern_table[] = {
ae4e228f 49873+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
58c5fc13 49874+ {
58c5fc13
MT		 49875+ .procname = "grsecurity",
49876+ .mode = 0500,
49877+ .child = grsecurity_table,
49878+ },
49879+#endif
49880+
49881+#ifdef CONFIG_PAX_SOFTMODE
49882+ {
58c5fc13
MT		 49883+ .procname = "pax",
49884+ .mode = 0500,
49885+ .child = pax_table,
49886+ },
49887+#endif
49888+
58c5fc13 49889 {
ae4e228f
MT		 49890 .procname = "sched_child_runs_first",
49891 .data = &sysctl_sched_child_runs_first,
57199397
MT		 49892@@ -1171,6 +1209,13 @@ static struct ctl_table vm_table[] = {
49893 .proc_handler = proc_dointvec_minmax,
49894 .extra1 = &zero,
49895 },
49896+ {
49897+ .procname = "heap_stack_gap",
49898+ .data = &sysctl_heap_stack_gap,
49899+ .maxlen = sizeof(sysctl_heap_stack_gap),
49900+ .mode = 0644,
49901+ .proc_handler = proc_doulongvec_minmax,
49902+ },
49903 #else
49904 {
49905 .procname = "nr_trim_pages",
49906@@ -1686,6 +1731,16 @@ int sysctl_perm(struct ctl_table_root *r
58c5fc13
MT		 49907 int error;
49908 int mode;
49909
49910+ if (table->parent != NULL && table->parent->procname != NULL &&
49911+ table->procname != NULL &&
49912+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
49913+ return -EACCES;
49914+ if (gr_handle_chroot_sysctl(op))
49915+ return -EACCES;
49916+ error = gr_handle_sysctl(table, op);
49917+ if (error)
49918+ return error;
58c5fc13
MT		 49919+
49920 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
49921 if (error)
49922 return error;
57199397
MT		 49923@@ -2201,6 +2256,8 @@ static int proc_put_long(void __user **b
49924 len = strlen(tmp);
49925 if (len > *size)
49926 len = *size;
49927+ if (len > sizeof(tmp))
49928+ len = sizeof(tmp);
49929 if (copy_to_user(*buf, tmp, len))
49930 return -EFAULT;
49931 *size -= len;
49932diff -urNp linux-2.6.35.4/kernel/taskstats.c linux-2.6.35.4/kernel/taskstats.c
49933--- linux-2.6.35.4/kernel/taskstats.c 2010-08-26 19:47:12.000000000 -0400
49934+++ linux-2.6.35.4/kernel/taskstats.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 49935@@ -27,9 +27,12 @@
58c5fc13
MT		 49936 #include <linux/cgroup.h>
49937 #include <linux/fs.h>
49938 #include <linux/file.h>
49939+#include <linux/grsecurity.h>
49940 #include <net/genetlink.h>
49941 #include <asm/atomic.h>
49942
49943+extern int gr_is_taskstats_denied(int pid);
49944+
49945 /*
49946 * Maximum length of a cpumask that can be specified in
49947 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
df50ba0c 49948@@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
58c5fc13
MT		 49949 size_t size;
49950 cpumask_var_t mask;
49951
49952+ if (gr_is_taskstats_denied(current->pid))
49953+ return -EACCES;
49954+
49955 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
49956 return -ENOMEM;
49957
57199397
MT		 49958diff -urNp linux-2.6.35.4/kernel/time/tick-broadcast.c linux-2.6.35.4/kernel/time/tick-broadcast.c
49959--- linux-2.6.35.4/kernel/time/tick-broadcast.c 2010-08-26 19:47:12.000000000 -0400
49960+++ linux-2.6.35.4/kernel/time/tick-broadcast.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 49961@@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
49962 * then clear the broadcast bit.
49963 */
49964 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
49965- int cpu = smp_processor_id();
49966+ cpu = smp_processor_id();
49967
49968 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
49969 tick_broadcast_clear_oneshot(cpu);
57199397
MT		 49970diff -urNp linux-2.6.35.4/kernel/time/timer_list.c linux-2.6.35.4/kernel/time/timer_list.c
49971--- linux-2.6.35.4/kernel/time/timer_list.c 2010-08-26 19:47:12.000000000 -0400
49972+++ linux-2.6.35.4/kernel/time/timer_list.c 2010-09-17 20:12:37.000000000 -0400
49973@@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
49974
49975 static void print_name_offset(struct seq_file *m, void *sym)
49976 {
49977+#ifdef CONFIG_GRKERNSEC_HIDESYM
49978+ SEQ_printf(m, "<%p>", NULL);
49979+#else
49980 char symname[KSYM_NAME_LEN];
49981
49982 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
49983 SEQ_printf(m, "<%p>", sym);
49984 else
49985 SEQ_printf(m, "%s", symname);
49986+#endif
49987 }
49988
49989 static void
49990@@ -112,7 +116,11 @@ next_one:
49991 static void
49992 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
49993 {
49994+#ifdef CONFIG_GRKERNSEC_HIDESYM
49995+ SEQ_printf(m, " .base: %p\n", NULL);
49996+#else
49997 SEQ_printf(m, " .base: %p\n", base);
49998+#endif
49999 SEQ_printf(m, " .index: %d\n",
50000 base->index);
50001 SEQ_printf(m, " .resolution: %Lu nsecs\n",
50002@@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
50003 {
50004 struct proc_dir_entry *pe;
50005
50006+#ifdef CONFIG_GRKERNSEC_PROC_ADD
50007+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
50008+#else
50009 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
50010+#endif
50011 if (!pe)
50012 return -ENOMEM;
50013 return 0;
50014diff -urNp linux-2.6.35.4/kernel/time/timer_stats.c linux-2.6.35.4/kernel/time/timer_stats.c
50015--- linux-2.6.35.4/kernel/time/timer_stats.c 2010-08-26 19:47:12.000000000 -0400
50016+++ linux-2.6.35.4/kernel/time/timer_stats.c 2010-09-17 20:12:37.000000000 -0400
50017@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
50018
50019 static void print_name_offset(struct seq_file *m, unsigned long addr)
50020 {
50021+#ifdef CONFIG_GRKERNSEC_HIDESYM
50022+ seq_printf(m, "<%p>", NULL);
50023+#else
50024 char symname[KSYM_NAME_LEN];
50025
50026 if (lookup_symbol_name(addr, symname) < 0)
50027 seq_printf(m, "<%p>", (void *)addr);
50028 else
50029 seq_printf(m, "%s", symname);
50030+#endif
50031 }
50032
50033 static int tstats_show(struct seq_file *m, void *v)
50034@@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
50035 {
50036 struct proc_dir_entry *pe;
50037
50038+#ifdef CONFIG_GRKERNSEC_PROC_ADD
50039+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
50040+#else
50041 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
50042+#endif
50043 if (!pe)
50044 return -ENOMEM;
50045 return 0;
50046diff -urNp linux-2.6.35.4/kernel/time.c linux-2.6.35.4/kernel/time.c
50047--- linux-2.6.35.4/kernel/time.c 2010-08-26 19:47:12.000000000 -0400
50048+++ linux-2.6.35.4/kernel/time.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 50049@@ -93,6 +93,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
58c5fc13
MT		 50050 return err;
50051
50052 do_settimeofday(&tv);
50053+
50054+ gr_log_timechange();
50055+
50056 return 0;
50057 }
50058
57199397 50059@@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
58c5fc13
MT		 50060 return -EFAULT;
50061 }
50062
50063+ gr_log_timechange();
50064+
50065 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
50066 }
50067
57199397 50068@@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
58c5fc13
MT		 50069 * Avoid unnecessary multiplications/divisions in the
50070 * two most common HZ cases:
50071 */
50072-unsigned int inline jiffies_to_msecs(const unsigned long j)
50073+inline unsigned int jiffies_to_msecs(const unsigned long j)
50074 {
50075 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
50076 return (MSEC_PER_SEC / HZ) * j;
57199397 50077@@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
58c5fc13
MT		 50078 }
50079 EXPORT_SYMBOL(jiffies_to_msecs);
50080
50081-unsigned int inline jiffies_to_usecs(const unsigned long j)
50082+inline unsigned int jiffies_to_usecs(const unsigned long j)
50083 {
50084 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
50085 return (USEC_PER_SEC / HZ) * j;
57199397
MT		 50086diff -urNp linux-2.6.35.4/kernel/timer.c linux-2.6.35.4/kernel/timer.c
50087--- linux-2.6.35.4/kernel/timer.c 2010-08-26 19:47:12.000000000 -0400
50088+++ linux-2.6.35.4/kernel/timer.c 2010-09-17 20:12:09.000000000 -0400
50089@@ -1272,7 +1272,7 @@ void update_process_times(int user_tick)
ae4e228f
MT		 50090 /*
50091 * This function runs timers and the timer-tq in bottom half context.
50092 */
50093-static void run_timer_softirq(struct softirq_action *h)
50094+static void run_timer_softirq(void)
50095 {
50096 struct tvec_base *base = __get_cpu_var(tvec_bases);
58c5fc13 50097
57199397
MT		 50098diff -urNp linux-2.6.35.4/kernel/trace/ftrace.c linux-2.6.35.4/kernel/trace/ftrace.c
50099--- linux-2.6.35.4/kernel/trace/ftrace.c 2010-08-26 19:47:12.000000000 -0400
50100+++ linux-2.6.35.4/kernel/trace/ftrace.c 2010-09-17 20:12:09.000000000 -0400
50101@@ -1101,13 +1101,18 @@ ftrace_code_disable(struct module *mod,
ae4e228f
MT		 50102
50103 ip = rec->ip;
50104
50105+ ret = ftrace_arch_code_modify_prepare();
50106+ FTRACE_WARN_ON(ret);
50107+ if (ret)
50108+ return 0;
50109+
50110 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
50111+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
50112 if (ret) {
50113 ftrace_bug(ret, ip);
50114 rec->flags |= FTRACE_FL_FAILED;
50115- return 0;
50116 }
50117- return 1;
50118+ return ret ? 0 : 1;
58c5fc13
MT		 50119 }
50120
ae4e228f 50121 /*
57199397
MT		 50122diff -urNp linux-2.6.35.4/kernel/trace/ring_buffer.c linux-2.6.35.4/kernel/trace/ring_buffer.c
50123--- linux-2.6.35.4/kernel/trace/ring_buffer.c 2010-08-26 19:47:12.000000000 -0400
50124+++ linux-2.6.35.4/kernel/trace/ring_buffer.c 2010-09-17 20:12:09.000000000 -0400
50125@@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
df50ba0c
MT		 50126 * the reader page). But if the next page is a header page,
50127 * its flags will be non zero.
50128 */
50129-static int inline
50130+static inline int
50131 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
50132 struct buffer_page *page, struct list_head *list)
50133 {
57199397
MT		 50134diff -urNp linux-2.6.35.4/kernel/trace/trace.c linux-2.6.35.4/kernel/trace/trace.c
50135--- linux-2.6.35.4/kernel/trace/trace.c 2010-08-26 19:47:12.000000000 -0400
50136+++ linux-2.6.35.4/kernel/trace/trace.c 2010-09-17 20:12:09.000000000 -0400
50137@@ -3965,10 +3965,9 @@ static const struct file_operations trac
ae4e228f
MT		 50138 };
50139 #endif
58c5fc13 50140
ae4e228f
MT		 50141-static struct dentry *d_tracer;
50142-
50143 struct dentry *tracing_init_dentry(void)
50144 {
50145+ static struct dentry *d_tracer;
50146 static int once;
50147
50148 if (d_tracer)
57199397 50149@@ -3988,10 +3987,9 @@ struct dentry *tracing_init_dentry(void)
ae4e228f 50150 return d_tracer;
58c5fc13
MT		 50151 }
50152
ae4e228f
MT		 50153-static struct dentry *d_percpu;
50154-
50155 struct dentry *tracing_dentry_percpu(void)
50156 {
50157+ static struct dentry *d_percpu;
50158 static int once;
50159 struct dentry *d_tracer;
50160
57199397
MT		 50161diff -urNp linux-2.6.35.4/kernel/trace/trace_output.c linux-2.6.35.4/kernel/trace/trace_output.c
50162--- linux-2.6.35.4/kernel/trace/trace_output.c 2010-08-26 19:47:12.000000000 -0400
50163+++ linux-2.6.35.4/kernel/trace/trace_output.c 2010-09-17 20:12:09.000000000 -0400
50164@@ -281,7 +281,7 @@ int trace_seq_path(struct trace_seq *s,
ae4e228f 50165
58c5fc13
MT		 50166 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
50167 if (!IS_ERR(p)) {
50168- p = mangle_path(s->buffer + s->len, p, "\n");
50169+ p = mangle_path(s->buffer + s->len, p, "\n\\");
50170 if (p) {
50171 s->len = p - s->buffer;
50172 return 1;
57199397
MT		 50173diff -urNp linux-2.6.35.4/kernel/trace/trace_stack.c linux-2.6.35.4/kernel/trace/trace_stack.c
50174--- linux-2.6.35.4/kernel/trace/trace_stack.c 2010-08-26 19:47:12.000000000 -0400
50175+++ linux-2.6.35.4/kernel/trace/trace_stack.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 50176@@ -50,7 +50,7 @@ static inline void check_stack(void)
50177 return;
58c5fc13 50178
ae4e228f
MT		 50179 /* we do not handle interrupt stacks yet */
50180- if (!object_is_on_stack(&this_size))
50181+ if (!object_starts_on_stack(&this_size))
50182 return;
50183
50184 local_irq_save(flags);
57199397
MT		 50185diff -urNp linux-2.6.35.4/lib/bug.c linux-2.6.35.4/lib/bug.c
50186--- linux-2.6.35.4/lib/bug.c 2010-08-26 19:47:12.000000000 -0400
50187+++ linux-2.6.35.4/lib/bug.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 50188@@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
50189 return BUG_TRAP_TYPE_NONE;
50190
50191 bug = find_bug(bugaddr);
50192+ if (!bug)
50193+ return BUG_TRAP_TYPE_NONE;
50194
50195 printk(KERN_EMERG "------------[ cut here ]------------\n");
50196
57199397
MT		 50197diff -urNp linux-2.6.35.4/lib/debugobjects.c linux-2.6.35.4/lib/debugobjects.c
50198--- linux-2.6.35.4/lib/debugobjects.c 2010-08-26 19:47:12.000000000 -0400
50199+++ linux-2.6.35.4/lib/debugobjects.c 2010-09-17 20:12:09.000000000 -0400
50200@@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
ae4e228f
MT		 50201 if (limit > 4)
50202 return;
50203
50204- is_on_stack = object_is_on_stack(addr);
50205+ is_on_stack = object_starts_on_stack(addr);
50206 if (is_on_stack == onstack)
50207 return;
50208
57199397
MT		 50209diff -urNp linux-2.6.35.4/lib/dma-debug.c linux-2.6.35.4/lib/dma-debug.c
50210--- linux-2.6.35.4/lib/dma-debug.c 2010-08-26 19:47:12.000000000 -0400
50211+++ linux-2.6.35.4/lib/dma-debug.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 50212@@ -861,7 +861,7 @@ out:
58c5fc13 50213
ae4e228f
MT		 50214 static void check_for_stack(struct device *dev, void *addr)
50215 {
50216- if (object_is_on_stack(addr))
50217+ if (object_starts_on_stack(addr))
50218 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
50219 "stack [addr=%p]\n", addr);
50220 }
57199397
MT		 50221diff -urNp linux-2.6.35.4/lib/inflate.c linux-2.6.35.4/lib/inflate.c
50222--- linux-2.6.35.4/lib/inflate.c 2010-08-26 19:47:12.000000000 -0400
50223+++ linux-2.6.35.4/lib/inflate.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 50224@@ -267,7 +267,7 @@ static void free(void *where)
58c5fc13
MT		 50225 malloc_ptr = free_mem_ptr;
50226 }
50227 #else
50228-#define malloc(a) kmalloc(a, GFP_KERNEL)
50229+#define malloc(a) kmalloc((a), GFP_KERNEL)
50230 #define free(a) kfree(a)
50231 #endif
50232
57199397
MT		 50233diff -urNp linux-2.6.35.4/lib/Kconfig.debug linux-2.6.35.4/lib/Kconfig.debug
50234--- linux-2.6.35.4/lib/Kconfig.debug 2010-08-26 19:47:12.000000000 -0400
50235+++ linux-2.6.35.4/lib/Kconfig.debug 2010-09-17 20:12:37.000000000 -0400
50236@@ -970,7 +970,7 @@ config LATENCYTOP
50237 select STACKTRACE
50238 select SCHEDSTATS
50239 select SCHED_DEBUG
50240- depends on HAVE_LATENCYTOP_SUPPORT
50241+ depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
50242 help
50243 Enable this option if you want to use the LatencyTOP tool
50244 to find out which userspace is blocking on what kernel operations.
50245diff -urNp linux-2.6.35.4/lib/parser.c linux-2.6.35.4/lib/parser.c
50246--- linux-2.6.35.4/lib/parser.c 2010-08-26 19:47:12.000000000 -0400
50247+++ linux-2.6.35.4/lib/parser.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 50248@@ -129,7 +129,7 @@ static int match_number(substring_t *s,
58c5fc13
MT		 50249 char *buf;
50250 int ret;
50251
50252- buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
50253+ buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
50254 if (!buf)
50255 return -ENOMEM;
50256 memcpy(buf, s->from, s->to - s->from);
57199397
MT		 50257diff -urNp linux-2.6.35.4/lib/radix-tree.c linux-2.6.35.4/lib/radix-tree.c
50258--- linux-2.6.35.4/lib/radix-tree.c 2010-08-26 19:47:12.000000000 -0400
50259+++ linux-2.6.35.4/lib/radix-tree.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 50260@@ -80,7 +80,7 @@ struct radix_tree_preload {
58c5fc13
MT		 50261 int nr;
50262 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
50263 };
50264-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
50265+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
50266
50267 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
50268 {
57199397
MT		 50269diff -urNp linux-2.6.35.4/localversion-grsec linux-2.6.35.4/localversion-grsec
50270--- linux-2.6.35.4/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
50271+++ linux-2.6.35.4/localversion-grsec 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 50272@@ -0,0 +1 @@
50273+-grsec
57199397
MT		 50274diff -urNp linux-2.6.35.4/Makefile linux-2.6.35.4/Makefile
50275--- linux-2.6.35.4/Makefile 2010-08-26 19:47:12.000000000 -0400
50276+++ linux-2.6.35.4/Makefile 2010-09-17 20:12:37.000000000 -0400
50277@@ -230,8 +230,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
50278
50279 HOSTCC = gcc
50280 HOSTCXX = g++
50281-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
50282-HOSTCXXFLAGS = -O2
50283+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
50284+HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
50285
50286 # Decide whether to build built-in, modular, or both.
50287 # Normally, just do built-in.
50288@@ -650,7 +650,7 @@ export mod_strip_cmd
50289
50290
50291 ifeq ($(KBUILD_EXTMOD),)
50292-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
50293+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
50294
50295 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
50296 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
50297diff -urNp linux-2.6.35.4/mm/bootmem.c linux-2.6.35.4/mm/bootmem.c
50298--- linux-2.6.35.4/mm/bootmem.c 2010-08-26 19:47:12.000000000 -0400
50299+++ linux-2.6.35.4/mm/bootmem.c 2010-09-17 20:12:09.000000000 -0400
50300@@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
50301 unsigned long __init free_all_memory_core_early(int nodeid)
50302 {
50303 int i;
50304- u64 start, end;
50305+ u64 start, end, startrange, endrange;
50306 unsigned long count = 0;
50307- struct range *range = NULL;
50308+ struct range *range = NULL, rangerange = { 0, 0 };
50309 int nr_range;
50310
50311 nr_range = get_free_all_memory_range(&range, nodeid);
50312+ startrange = __pa(range) >> PAGE_SHIFT;
50313+ endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
50314
50315 for (i = 0; i < nr_range; i++) {
50316 start = range[i].start;
50317 end = range[i].end;
50318+ if (start <= endrange && startrange < end) {
50319+ BUG_ON(rangerange.start | rangerange.end);
50320+ rangerange = range[i];
50321+ continue;
50322+ }
50323 count += end - start;
50324 __free_pages_memory(start, end);
50325 }
50326+ start = rangerange.start;
50327+ end = rangerange.end;
50328+ count += end - start;
50329+ __free_pages_memory(start, end);
50330
50331 return count;
50332 }
50333diff -urNp linux-2.6.35.4/mm/filemap.c linux-2.6.35.4/mm/filemap.c
50334--- linux-2.6.35.4/mm/filemap.c 2010-08-26 19:47:12.000000000 -0400
50335+++ linux-2.6.35.4/mm/filemap.c 2010-09-17 20:12:37.000000000 -0400
50336@@ -1640,7 +1640,7 @@ int generic_file_mmap(struct file * file
58c5fc13
MT		 50337 struct address_space *mapping = file->f_mapping;
50338
50339 if (!mapping->a_ops->readpage)
50340- return -ENOEXEC;
50341+ return -ENODEV;
50342 file_accessed(file);
50343 vma->vm_ops = &generic_file_vm_ops;
50344 vma->vm_flags |= VM_CAN_NONLINEAR;
57199397 50345@@ -2036,6 +2036,7 @@ inline int generic_write_checks(struct f
58c5fc13
MT		 50346 *pos = i_size_read(inode);
50347
50348 if (limit != RLIM_INFINITY) {
50349+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
50350 if (*pos >= limit) {
50351 send_sig(SIGXFSZ, current, 0);
50352 return -EFBIG;
57199397
MT		 50353diff -urNp linux-2.6.35.4/mm/fremap.c linux-2.6.35.4/mm/fremap.c
50354--- linux-2.6.35.4/mm/fremap.c 2010-08-26 19:47:12.000000000 -0400
50355+++ linux-2.6.35.4/mm/fremap.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 50356@@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50357 retry:
50358 vma = find_vma(mm, start);
50359
50360+#ifdef CONFIG_PAX_SEGMEXEC
50361+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
50362+ goto out;
50363+#endif
50364+
50365 /*
50366 * Make sure the vma is shared, that it supports prefaulting,
50367 * and that the remapped range is valid and fully within
57199397
MT		 50368@@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50369 /*
50370 * drop PG_Mlocked flag for over-mapped range
50371 */
50372- unsigned int saved_flags = vma->vm_flags;
50373+ unsigned long saved_flags = vma->vm_flags;
50374 munlock_vma_pages_range(vma, start, start + size);
50375 vma->vm_flags = saved_flags;
50376 }
50377diff -urNp linux-2.6.35.4/mm/highmem.c linux-2.6.35.4/mm/highmem.c
50378--- linux-2.6.35.4/mm/highmem.c 2010-08-26 19:47:12.000000000 -0400
50379+++ linux-2.6.35.4/mm/highmem.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 50380@@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
58c5fc13
MT		 50381 * So no dangers, even with speculative execution.
50382 */
50383 page = pte_page(pkmap_page_table[i]);
ae4e228f 50384+ pax_open_kernel();
58c5fc13
MT		 50385 pte_clear(&init_mm, (unsigned long)page_address(page),
50386 &pkmap_page_table[i]);
ae4e228f
MT		 50387-
50388+ pax_close_kernel();
58c5fc13
MT		 50389 set_page_address(page, NULL);
50390 need_flush = 1;
50391 }
ae4e228f 50392@@ -177,9 +178,11 @@ start:
58c5fc13
MT		 50393 }
50394 }
50395 vaddr = PKMAP_ADDR(last_pkmap_nr);
ae4e228f
MT		 50396+
50397+ pax_open_kernel();
58c5fc13
MT		 50398 set_pte_at(&init_mm, vaddr,
50399 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
ae4e228f
MT		 50400-
50401+ pax_close_kernel();
58c5fc13
MT		 50402 pkmap_count[last_pkmap_nr] = 1;
50403 set_page_address(page, (void *)vaddr);
58c5fc13 50404
57199397
MT		 50405diff -urNp linux-2.6.35.4/mm/hugetlb.c linux-2.6.35.4/mm/hugetlb.c
50406--- linux-2.6.35.4/mm/hugetlb.c 2010-08-26 19:47:12.000000000 -0400
50407+++ linux-2.6.35.4/mm/hugetlb.c 2010-09-17 20:12:09.000000000 -0400
50408@@ -2272,6 +2272,26 @@ static int unmap_ref_private(struct mm_s
58c5fc13
MT		 50409 return 1;
50410 }
50411
50412+#ifdef CONFIG_PAX_SEGMEXEC
50413+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
50414+{
50415+ struct mm_struct *mm = vma->vm_mm;
50416+ struct vm_area_struct *vma_m;
50417+ unsigned long address_m;
50418+ pte_t *ptep_m;
50419+
50420+ vma_m = pax_find_mirror_vma(vma);
50421+ if (!vma_m)
50422+ return;
50423+
50424+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50425+ address_m = address + SEGMEXEC_TASK_SIZE;
50426+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
50427+ get_page(page_m);
50428+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
50429+}
50430+#endif
50431+
50432 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
50433 unsigned long address, pte_t *ptep, pte_t pte,
50434 struct page *pagecache_page)
57199397 50435@@ -2352,6 +2372,11 @@ retry_avoidcopy:
58c5fc13
MT		 50436 huge_ptep_clear_flush(vma, address, ptep);
50437 set_huge_pte_at(mm, address, ptep,
50438 make_huge_pte(vma, new_page, 1));
50439+
50440+#ifdef CONFIG_PAX_SEGMEXEC
50441+ pax_mirror_huge_pte(vma, address, new_page);
50442+#endif
50443+
50444 /* Make the old page be freed below */
50445 new_page = old_page;
50446 }
57199397 50447@@ -2483,6 +2508,10 @@ retry:
58c5fc13
MT		 50448 && (vma->vm_flags & VM_SHARED)));
50449 set_huge_pte_at(mm, address, ptep, new_pte);
50450
50451+#ifdef CONFIG_PAX_SEGMEXEC
50452+ pax_mirror_huge_pte(vma, address, page);
50453+#endif
50454+
50455 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
50456 /* Optimization, do the COW without a second fault */
50457 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
57199397 50458@@ -2511,6 +2540,28 @@ int hugetlb_fault(struct mm_struct *mm,
58c5fc13
MT		 50459 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
50460 struct hstate *h = hstate_vma(vma);
50461
50462+#ifdef CONFIG_PAX_SEGMEXEC
50463+ struct vm_area_struct *vma_m;
50464+
50465+ vma_m = pax_find_mirror_vma(vma);
50466+ if (vma_m) {
50467+ unsigned long address_m;
50468+
50469+ if (vma->vm_start > vma_m->vm_start) {
50470+ address_m = address;
50471+ address -= SEGMEXEC_TASK_SIZE;
50472+ vma = vma_m;
50473+ h = hstate_vma(vma);
50474+ } else
50475+ address_m = address + SEGMEXEC_TASK_SIZE;
50476+
50477+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
50478+ return VM_FAULT_OOM;
50479+ address_m &= HPAGE_MASK;
50480+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
50481+ }
50482+#endif
50483+
50484 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
50485 if (!ptep)
50486 return VM_FAULT_OOM;
57199397
MT		 50487diff -urNp linux-2.6.35.4/mm/Kconfig linux-2.6.35.4/mm/Kconfig
50488--- linux-2.6.35.4/mm/Kconfig 2010-08-26 19:47:12.000000000 -0400
50489+++ linux-2.6.35.4/mm/Kconfig 2010-09-17 20:12:37.000000000 -0400
50490@@ -240,7 +240,7 @@ config KSM
50491 config DEFAULT_MMAP_MIN_ADDR
50492 int "Low address space to protect from user allocation"
50493 depends on MMU
50494- default 4096
50495+ default 65536
50496 help
50497 This is the portion of low virtual memory which should be protected
50498 from userspace allocation. Keeping a user from writing to low pages
50499diff -urNp linux-2.6.35.4/mm/maccess.c linux-2.6.35.4/mm/maccess.c
50500--- linux-2.6.35.4/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
50501+++ linux-2.6.35.4/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 50502@@ -15,10 +15,10 @@
50503 * happens, handle that and return -EFAULT.
50504 */
50505
50506-long __weak probe_kernel_read(void *dst, void *src, size_t size)
50507+long __weak probe_kernel_read(void *dst, const void *src, size_t size)
50508 __attribute__((alias("__probe_kernel_read")));
50509
50510-long __probe_kernel_read(void *dst, void *src, size_t size)
50511+long __probe_kernel_read(void *dst, const void *src, size_t size)
50512 {
50513 long ret;
50514 mm_segment_t old_fs = get_fs();
50515@@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
50516 * Safely write to address @dst from the buffer at @src. If a kernel fault
50517 * happens, handle that and return -EFAULT.
50518 */
50519-long __weak probe_kernel_write(void *dst, void *src, size_t size)
50520+long __weak probe_kernel_write(void *dst, const void *src, size_t size)
50521 __attribute__((alias("__probe_kernel_write")));
50522
50523-long __probe_kernel_write(void *dst, void *src, size_t size)
50524+long __probe_kernel_write(void *dst, const void *src, size_t size)
50525 {
50526 long ret;
50527 mm_segment_t old_fs = get_fs();
57199397
MT		 50528diff -urNp linux-2.6.35.4/mm/madvise.c linux-2.6.35.4/mm/madvise.c
50529--- linux-2.6.35.4/mm/madvise.c 2010-08-26 19:47:12.000000000 -0400
50530+++ linux-2.6.35.4/mm/madvise.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 50531@@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
58c5fc13 50532 pgoff_t pgoff;
ae4e228f 50533 unsigned long new_flags = vma->vm_flags;
58c5fc13
MT		 50534
50535+#ifdef CONFIG_PAX_SEGMEXEC
50536+ struct vm_area_struct *vma_m;
50537+#endif
50538+
50539 switch (behavior) {
50540 case MADV_NORMAL:
50541 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
ae4e228f 50542@@ -104,6 +108,13 @@ success:
58c5fc13
MT		 50543 /*
50544 * vm_flags is protected by the mmap_sem held in write mode.
50545 */
50546+
50547+#ifdef CONFIG_PAX_SEGMEXEC
50548+ vma_m = pax_find_mirror_vma(vma);
50549+ if (vma_m)
50550+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
50551+#endif
50552+
50553 vma->vm_flags = new_flags;
50554
50555 out:
ae4e228f
MT		 50556@@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
50557 struct vm_area_struct ** prev,
50558 unsigned long start, unsigned long end)
50559 {
58c5fc13
MT		 50560+
50561+#ifdef CONFIG_PAX_SEGMEXEC
ae4e228f
MT		 50562+ struct vm_area_struct *vma_m;
50563+#endif
58c5fc13 50564+
ae4e228f
MT		 50565 *prev = vma;
50566 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
50567 return -EINVAL;
50568@@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
50569 zap_page_range(vma, start, end - start, &details);
50570 } else
50571 zap_page_range(vma, start, end - start, NULL);
50572+
50573+#ifdef CONFIG_PAX_SEGMEXEC
50574+ vma_m = pax_find_mirror_vma(vma);
50575+ if (vma_m) {
50576+ if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
50577+ struct zap_details details = {
50578+ .nonlinear_vma = vma_m,
50579+ .last_index = ULONG_MAX,
50580+ };
50581+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
50582+ } else
50583+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
50584+ }
58c5fc13
MT		 50585+#endif
50586+
ae4e228f
MT		 50587 return 0;
50588 }
58c5fc13 50589
ae4e228f 50590@@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
58c5fc13
MT		 50591 if (end < start)
50592 goto out;
50593
50594+#ifdef CONFIG_PAX_SEGMEXEC
50595+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50596+ if (end > SEGMEXEC_TASK_SIZE)
50597+ goto out;
50598+ } else
50599+#endif
50600+
50601+ if (end > TASK_SIZE)
50602+ goto out;
50603+
50604 error = 0;
50605 if (end == start)
50606 goto out;
57199397
MT		 50607diff -urNp linux-2.6.35.4/mm/memory.c linux-2.6.35.4/mm/memory.c
50608--- linux-2.6.35.4/mm/memory.c 2010-08-26 19:47:12.000000000 -0400
50609+++ linux-2.6.35.4/mm/memory.c 2010-09-17 20:12:09.000000000 -0400
50610@@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
df50ba0c
MT		 50611 return;
50612
50613 pmd = pmd_offset(pud, start);
50614+
50615+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
50616 pud_clear(pud);
50617 pmd_free_tlb(tlb, pmd, start);
50618+#endif
50619+
50620 }
50621
50622 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
57199397 50623@@ -292,8 +296,12 @@ static inline void free_pud_range(struct
df50ba0c
MT		 50624 return;
50625
50626 pud = pud_offset(pgd, start);
50627+
50628+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
50629 pgd_clear(pgd);
50630 pud_free_tlb(tlb, pud, start);
50631+#endif
50632+
50633 }
50634
50635 /*
57199397 50636@@ -1363,10 +1371,10 @@ int __get_user_pages(struct task_struct
ae4e228f 50637 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
58c5fc13
MT		 50638 i = 0;
50639
50640- do {
50641+ while (nr_pages) {
50642 struct vm_area_struct *vma;
58c5fc13
MT		 50643
50644- vma = find_extend_vma(mm, start);
50645+ vma = find_vma(mm, start);
50646 if (!vma && in_gate_area(tsk, start)) {
50647 unsigned long pg = start & PAGE_MASK;
50648 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
57199397 50649@@ -1418,7 +1426,7 @@ int __get_user_pages(struct task_struct
58c5fc13
MT		 50650 continue;
50651 }
50652
50653- if (!vma ||
50654+ if (!vma || start < vma->vm_start ||
50655 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
ae4e228f 50656 !(vm_flags & vma->vm_flags))
58c5fc13 50657 return i ? : -EFAULT;
57199397 50658@@ -1493,7 +1501,7 @@ int __get_user_pages(struct task_struct
58c5fc13
MT		 50659 start += PAGE_SIZE;
50660 nr_pages--;
50661 } while (nr_pages && start < vma->vm_end);
50662- } while (nr_pages);
50663+ }
50664 return i;
50665 }
50666
57199397 50667@@ -2089,6 +2097,186 @@ static inline void cow_user_page(struct
58c5fc13
MT		 50668 copy_user_highpage(dst, src, va, vma);
50669 }
50670
50671+#ifdef CONFIG_PAX_SEGMEXEC
50672+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
50673+{
50674+ struct mm_struct *mm = vma->vm_mm;
50675+ spinlock_t *ptl;
50676+ pte_t *pte, entry;
50677+
50678+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
50679+ entry = *pte;
50680+ if (!pte_present(entry)) {
50681+ if (!pte_none(entry)) {
50682+ BUG_ON(pte_file(entry));
50683+ free_swap_and_cache(pte_to_swp_entry(entry));
50684+ pte_clear_not_present_full(mm, address, pte, 0);
50685+ }
50686+ } else {
50687+ struct page *page;
50688+
50689+ flush_cache_page(vma, address, pte_pfn(entry));
50690+ entry = ptep_clear_flush(vma, address, pte);
50691+ BUG_ON(pte_dirty(entry));
50692+ page = vm_normal_page(vma, address, entry);
50693+ if (page) {
50694+ update_hiwater_rss(mm);
50695+ if (PageAnon(page))
df50ba0c 50696+ dec_mm_counter_fast(mm, MM_ANONPAGES);
58c5fc13 50697+ else
df50ba0c 50698+ dec_mm_counter_fast(mm, MM_FILEPAGES);
58c5fc13
MT		 50699+ page_remove_rmap(page);
50700+ page_cache_release(page);
50701+ }
50702+ }
50703+ pte_unmap_unlock(pte, ptl);
50704+}
50705+
50706+/* PaX: if vma is mirrored, synchronize the mirror's PTE
50707+ *
50708+ * the ptl of the lower mapped page is held on entry and is not released on exit
50709+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
50710+ */
50711+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50712+{
50713+ struct mm_struct *mm = vma->vm_mm;
50714+ unsigned long address_m;
50715+ spinlock_t *ptl_m;
50716+ struct vm_area_struct *vma_m;
50717+ pmd_t *pmd_m;
50718+ pte_t *pte_m, entry_m;
50719+
50720+ BUG_ON(!page_m || !PageAnon(page_m));
50721+
50722+ vma_m = pax_find_mirror_vma(vma);
50723+ if (!vma_m)
50724+ return;
50725+
50726+ BUG_ON(!PageLocked(page_m));
50727+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50728+ address_m = address + SEGMEXEC_TASK_SIZE;
50729+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50730+ pte_m = pte_offset_map_nested(pmd_m, address_m);
50731+ ptl_m = pte_lockptr(mm, pmd_m);
50732+ if (ptl != ptl_m) {
50733+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50734+ if (!pte_none(*pte_m))
50735+ goto out;
50736+ }
50737+
50738+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50739+ page_cache_get(page_m);
50740+ page_add_anon_rmap(page_m, vma_m, address_m);
df50ba0c 50741+ inc_mm_counter_fast(mm, MM_ANONPAGES);
58c5fc13
MT		 50742+ set_pte_at(mm, address_m, pte_m, entry_m);
50743+ update_mmu_cache(vma_m, address_m, entry_m);
50744+out:
50745+ if (ptl != ptl_m)
50746+ spin_unlock(ptl_m);
50747+ pte_unmap_nested(pte_m);
50748+ unlock_page(page_m);
50749+}
50750+
50751+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50752+{
50753+ struct mm_struct *mm = vma->vm_mm;
50754+ unsigned long address_m;
50755+ spinlock_t *ptl_m;
50756+ struct vm_area_struct *vma_m;
50757+ pmd_t *pmd_m;
50758+ pte_t *pte_m, entry_m;
50759+
50760+ BUG_ON(!page_m || PageAnon(page_m));
50761+
50762+ vma_m = pax_find_mirror_vma(vma);
50763+ if (!vma_m)
50764+ return;
50765+
50766+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50767+ address_m = address + SEGMEXEC_TASK_SIZE;
50768+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50769+ pte_m = pte_offset_map_nested(pmd_m, address_m);
50770+ ptl_m = pte_lockptr(mm, pmd_m);
50771+ if (ptl != ptl_m) {
50772+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50773+ if (!pte_none(*pte_m))
50774+ goto out;
50775+ }
50776+
50777+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50778+ page_cache_get(page_m);
50779+ page_add_file_rmap(page_m);
df50ba0c 50780+ inc_mm_counter_fast(mm, MM_FILEPAGES);
58c5fc13
MT		 50781+ set_pte_at(mm, address_m, pte_m, entry_m);
50782+ update_mmu_cache(vma_m, address_m, entry_m);
50783+out:
50784+ if (ptl != ptl_m)
50785+ spin_unlock(ptl_m);
50786+ pte_unmap_nested(pte_m);
50787+}
50788+
50789+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
50790+{
50791+ struct mm_struct *mm = vma->vm_mm;
50792+ unsigned long address_m;
50793+ spinlock_t *ptl_m;
50794+ struct vm_area_struct *vma_m;
50795+ pmd_t *pmd_m;
50796+ pte_t *pte_m, entry_m;
50797+
50798+ vma_m = pax_find_mirror_vma(vma);
50799+ if (!vma_m)
50800+ return;
50801+
50802+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50803+ address_m = address + SEGMEXEC_TASK_SIZE;
50804+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50805+ pte_m = pte_offset_map_nested(pmd_m, address_m);
50806+ ptl_m = pte_lockptr(mm, pmd_m);
50807+ if (ptl != ptl_m) {
50808+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50809+ if (!pte_none(*pte_m))
50810+ goto out;
50811+ }
50812+
50813+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
50814+ set_pte_at(mm, address_m, pte_m, entry_m);
50815+out:
50816+ if (ptl != ptl_m)
50817+ spin_unlock(ptl_m);
50818+ pte_unmap_nested(pte_m);
50819+}
50820+
50821+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
50822+{
50823+ struct page *page_m;
50824+ pte_t entry;
50825+
50826+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
50827+ goto out;
50828+
50829+ entry = *pte;
50830+ page_m = vm_normal_page(vma, address, entry);
50831+ if (!page_m)
50832+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
50833+ else if (PageAnon(page_m)) {
50834+ if (pax_find_mirror_vma(vma)) {
50835+ pte_unmap_unlock(pte, ptl);
50836+ lock_page(page_m);
50837+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
50838+ if (pte_same(entry, *pte))
50839+ pax_mirror_anon_pte(vma, address, page_m, ptl);
50840+ else
50841+ unlock_page(page_m);
50842+ }
50843+ } else
50844+ pax_mirror_file_pte(vma, address, page_m, ptl);
50845+
50846+out:
50847+ pte_unmap_unlock(pte, ptl);
50848+}
50849+#endif
50850+
50851 /*
50852 * This routine handles present pages, when users try to write
50853 * to a shared page. It is done by copying the page to a new address
57199397 50854@@ -2275,6 +2463,12 @@ gotten:
58c5fc13
MT		 50855 */
50856 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50857 if (likely(pte_same(*page_table, orig_pte))) {
50858+
50859+#ifdef CONFIG_PAX_SEGMEXEC
50860+ if (pax_find_mirror_vma(vma))
50861+ BUG_ON(!trylock_page(new_page));
50862+#endif
50863+
50864 if (old_page) {
50865 if (!PageAnon(old_page)) {
df50ba0c 50866 dec_mm_counter_fast(mm, MM_FILEPAGES);
57199397 50867@@ -2326,6 +2520,10 @@ gotten:
58c5fc13
MT		 50868 page_remove_rmap(old_page);
50869 }
50870
50871+#ifdef CONFIG_PAX_SEGMEXEC
50872+ pax_mirror_anon_pte(vma, address, new_page, ptl);
50873+#endif
50874+
50875 /* Free the old page.. */
50876 new_page = old_page;
50877 ret |= VM_FAULT_WRITE;
57199397 50878@@ -2734,6 +2932,11 @@ static int do_swap_page(struct mm_struct
58c5fc13
MT		 50879 swap_free(entry);
50880 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
50881 try_to_free_swap(page);
50882+
50883+#ifdef CONFIG_PAX_SEGMEXEC
50884+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
50885+#endif
50886+
50887 unlock_page(page);
50888
50889 if (flags & FAULT_FLAG_WRITE) {
57199397 50890@@ -2745,6 +2948,11 @@ static int do_swap_page(struct mm_struct
58c5fc13
MT		 50891
50892 /* No need to invalidate - it was non-present before */
df50ba0c 50893 update_mmu_cache(vma, address, page_table);
58c5fc13
MT		 50894+
50895+#ifdef CONFIG_PAX_SEGMEXEC
50896+ pax_mirror_anon_pte(vma, address, page, ptl);
50897+#endif
50898+
50899 unlock:
50900 pte_unmap_unlock(page_table, ptl);
50901 out:
57199397
MT		 50902@@ -2760,33 +2968,6 @@ out_release:
50903 }
50904
50905 /*
50906- * This is like a special single-page "expand_downwards()",
50907- * except we must first make sure that 'address-PAGE_SIZE'
50908- * doesn't hit another vma.
50909- *
50910- * The "find_vma()" will do the right thing even if we wrap
50911- */
50912-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
50913-{
50914- address &= PAGE_MASK;
50915- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
50916- struct vm_area_struct *prev = vma->vm_prev;
50917-
50918- /*
50919- * Is there a mapping abutting this one below?
50920- *
50921- * That's only ok if it's the same stack mapping
50922- * that has gotten split..
50923- */
50924- if (prev && prev->vm_end == address)
50925- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
50926-
50927- expand_stack(vma, address - PAGE_SIZE);
50928- }
50929- return 0;
50930-}
50931-
50932-/*
50933 * We enter with non-exclusive mmap_sem (to exclude vma changes,
50934 * but allow concurrent faults), and pte mapped but not yet locked.
50935 * We return with mmap_sem still held, but pte unmapped and unlocked.
50936@@ -2795,27 +2976,23 @@ static int do_anonymous_page(struct mm_s
ae4e228f
MT		 50937 unsigned long address, pte_t *page_table, pmd_t *pmd,
50938 unsigned int flags)
50939 {
50940- struct page *page;
50941+ struct page *page = NULL;
50942 spinlock_t *ptl;
50943 pte_t entry;
50944
57199397
MT		 50945- pte_unmap(page_table);
50946-
50947- /* Check if we need to add a guard page to the stack */
50948- if (check_stack_guard_page(vma, address) < 0)
50949- return VM_FAULT_SIGBUS;
50950-
50951- /* Use the zero-page for reads */
50952 if (!(flags & FAULT_FLAG_WRITE)) {
50953 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
50954 vma->vm_page_prot));
50955- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50956+ ptl = pte_lockptr(mm, pmd);
50957+ spin_lock(ptl);
50958 if (!pte_none(*page_table))
50959 goto unlock;
50960 goto setpte;
50961 }
50962
50963 /* Allocate our own private page. */
50964+ pte_unmap(page_table);
50965+
50966 if (unlikely(anon_vma_prepare(vma)))
50967 goto oom;
50968 page = alloc_zeroed_user_highpage_movable(vma, address);
50969@@ -2834,6 +3011,11 @@ static int do_anonymous_page(struct mm_s
58c5fc13
MT		 50970 if (!pte_none(*page_table))
50971 goto release;
ae4e228f 50972
58c5fc13
MT		 50973+#ifdef CONFIG_PAX_SEGMEXEC
50974+ if (pax_find_mirror_vma(vma))
50975+ BUG_ON(!trylock_page(page));
50976+#endif
50977+
df50ba0c 50978 inc_mm_counter_fast(mm, MM_ANONPAGES);
58c5fc13 50979 page_add_new_anon_rmap(page, vma, address);
ae4e228f 50980 setpte:
57199397 50981@@ -2841,6 +3023,12 @@ setpte:
58c5fc13
MT		 50982
50983 /* No need to invalidate - it was non-present before */
df50ba0c 50984 update_mmu_cache(vma, address, page_table);
58c5fc13
MT		 50985+
50986+#ifdef CONFIG_PAX_SEGMEXEC
ae4e228f
MT		 50987+ if (page)
50988+ pax_mirror_anon_pte(vma, address, page, ptl);
58c5fc13
MT		 50989+#endif
50990+
50991 unlock:
50992 pte_unmap_unlock(page_table, ptl);
50993 return 0;
57199397 50994@@ -2983,6 +3171,12 @@ static int __do_fault(struct mm_struct *
58c5fc13
MT		 50995 */
50996 /* Only go through if we didn't race with anybody else... */
50997 if (likely(pte_same(*page_table, orig_pte))) {
50998+
50999+#ifdef CONFIG_PAX_SEGMEXEC
51000+ if (anon && pax_find_mirror_vma(vma))
51001+ BUG_ON(!trylock_page(page));
51002+#endif
51003+
51004 flush_icache_page(vma, page);
51005 entry = mk_pte(page, vma->vm_page_prot);
51006 if (flags & FAULT_FLAG_WRITE)
57199397 51007@@ -3002,6 +3196,14 @@ static int __do_fault(struct mm_struct *
58c5fc13
MT		 51008
51009 /* no need to invalidate: a not-present page won't be cached */
df50ba0c 51010 update_mmu_cache(vma, address, page_table);
58c5fc13
MT		 51011+
51012+#ifdef CONFIG_PAX_SEGMEXEC
51013+ if (anon)
51014+ pax_mirror_anon_pte(vma, address, page, ptl);
51015+ else
51016+ pax_mirror_file_pte(vma, address, page, ptl);
51017+#endif
51018+
51019 } else {
51020 if (charged)
51021 mem_cgroup_uncharge_page(page);
57199397 51022@@ -3149,6 +3351,12 @@ static inline int handle_pte_fault(struc
58c5fc13
MT		 51023 if (flags & FAULT_FLAG_WRITE)
51024 flush_tlb_page(vma, address);
51025 }
51026+
51027+#ifdef CONFIG_PAX_SEGMEXEC
51028+ pax_mirror_pte(vma, address, pte, pmd, ptl);
51029+ return 0;
51030+#endif
51031+
51032 unlock:
51033 pte_unmap_unlock(pte, ptl);
51034 return 0;
57199397 51035@@ -3165,6 +3373,10 @@ int handle_mm_fault(struct mm_struct *mm
58c5fc13
MT		 51036 pmd_t *pmd;
51037 pte_t *pte;
51038
51039+#ifdef CONFIG_PAX_SEGMEXEC
51040+ struct vm_area_struct *vma_m;
51041+#endif
51042+
51043 __set_current_state(TASK_RUNNING);
51044
51045 count_vm_event(PGFAULT);
57199397 51046@@ -3175,6 +3387,34 @@ int handle_mm_fault(struct mm_struct *mm
58c5fc13
MT		 51047 if (unlikely(is_vm_hugetlb_page(vma)))
51048 return hugetlb_fault(mm, vma, address, flags);
51049
51050+#ifdef CONFIG_PAX_SEGMEXEC
51051+ vma_m = pax_find_mirror_vma(vma);
51052+ if (vma_m) {
51053+ unsigned long address_m;
51054+ pgd_t *pgd_m;
51055+ pud_t *pud_m;
51056+ pmd_t *pmd_m;
51057+
51058+ if (vma->vm_start > vma_m->vm_start) {
51059+ address_m = address;
51060+ address -= SEGMEXEC_TASK_SIZE;
51061+ vma = vma_m;
51062+ } else
51063+ address_m = address + SEGMEXEC_TASK_SIZE;
51064+
51065+ pgd_m = pgd_offset(mm, address_m);
51066+ pud_m = pud_alloc(mm, pgd_m, address_m);
51067+ if (!pud_m)
51068+ return VM_FAULT_OOM;
51069+ pmd_m = pmd_alloc(mm, pud_m, address_m);
51070+ if (!pmd_m)
51071+ return VM_FAULT_OOM;
51072+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
51073+ return VM_FAULT_OOM;
51074+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
51075+ }
51076+#endif
51077+
51078 pgd = pgd_offset(mm, address);
51079 pud = pud_alloc(mm, pgd, address);
51080 if (!pud)
57199397 51081@@ -3272,7 +3512,7 @@ static int __init gate_vma_init(void)
58c5fc13
MT		 51082 gate_vma.vm_start = FIXADDR_USER_START;
51083 gate_vma.vm_end = FIXADDR_USER_END;
51084 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
51085- gate_vma.vm_page_prot = __P101;
51086+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
51087 /*
51088 * Make sure the vDSO gets into every core dump.
51089 * Dumping its contents makes post-mortem fully interpretable later
57199397
MT		 51090diff -urNp linux-2.6.35.4/mm/memory-failure.c linux-2.6.35.4/mm/memory-failure.c
51091--- linux-2.6.35.4/mm/memory-failure.c 2010-08-26 19:47:12.000000000 -0400
51092+++ linux-2.6.35.4/mm/memory-failure.c 2010-09-17 20:12:09.000000000 -0400
51093@@ -51,7 +51,7 @@ int sysctl_memory_failure_early_kill __r
51094
51095 int sysctl_memory_failure_recovery __read_mostly = 1;
51096
51097-atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51098+atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51099
51100 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
51101
51102@@ -939,7 +939,7 @@ int __memory_failure(unsigned long pfn,
51103 return 0;
51104 }
51105
51106- atomic_long_add(1, &mce_bad_pages);
51107+ atomic_long_add_unchecked(1, &mce_bad_pages);
51108
51109 /*
51110 * We need/can do nothing about count=0 pages.
51111@@ -1003,7 +1003,7 @@ int __memory_failure(unsigned long pfn,
51112 }
51113 if (hwpoison_filter(p)) {
51114 if (TestClearPageHWPoison(p))
51115- atomic_long_dec(&mce_bad_pages);
51116+ atomic_long_dec_unchecked(&mce_bad_pages);
51117 unlock_page(p);
51118 put_page(p);
51119 return 0;
51120@@ -1096,7 +1096,7 @@ int unpoison_memory(unsigned long pfn)
51121
51122 if (!get_page_unless_zero(page)) {
51123 if (TestClearPageHWPoison(p))
51124- atomic_long_dec(&mce_bad_pages);
51125+ atomic_long_dec_unchecked(&mce_bad_pages);
51126 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
51127 return 0;
51128 }
51129@@ -1110,7 +1110,7 @@ int unpoison_memory(unsigned long pfn)
51130 */
51131 if (TestClearPageHWPoison(p)) {
51132 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
51133- atomic_long_dec(&mce_bad_pages);
51134+ atomic_long_dec_unchecked(&mce_bad_pages);
51135 freeit = 1;
51136 }
51137 unlock_page(page);
51138@@ -1291,7 +1291,7 @@ int soft_offline_page(struct page *page,
51139 return ret;
51140
51141 done:
51142- atomic_long_add(1, &mce_bad_pages);
51143+ atomic_long_add_unchecked(1, &mce_bad_pages);
51144 SetPageHWPoison(page);
51145 /* keep elevated page count for bad page */
51146 return ret;
51147diff -urNp linux-2.6.35.4/mm/mempolicy.c linux-2.6.35.4/mm/mempolicy.c
51148--- linux-2.6.35.4/mm/mempolicy.c 2010-08-26 19:47:12.000000000 -0400
51149+++ linux-2.6.35.4/mm/mempolicy.c 2010-09-17 20:12:37.000000000 -0400
51150@@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
df50ba0c
MT		 51151 unsigned long vmstart;
51152 unsigned long vmend;
58c5fc13
MT		 51153
51154+#ifdef CONFIG_PAX_SEGMEXEC
51155+ struct vm_area_struct *vma_m;
51156+#endif
51157+
df50ba0c
MT		 51158 vma = find_vma_prev(mm, start, &prev);
51159 if (!vma || vma->vm_start > start)
51160 return -EFAULT;
57199397 51161@@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
df50ba0c 51162 err = policy_vma(vma, new_pol);
58c5fc13 51163 if (err)
df50ba0c 51164 goto out;
58c5fc13
MT		 51165+
51166+#ifdef CONFIG_PAX_SEGMEXEC
51167+ vma_m = pax_find_mirror_vma(vma);
51168+ if (vma_m) {
df50ba0c 51169+ err = policy_vma(vma_m, new_pol);
58c5fc13 51170+ if (err)
df50ba0c 51171+ goto out;
58c5fc13
MT		 51172+ }
51173+#endif
51174+
51175 }
df50ba0c
MT		 51176
51177 out:
57199397 51178@@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
58c5fc13
MT		 51179
51180 if (end < start)
51181 return -EINVAL;
51182+
51183+#ifdef CONFIG_PAX_SEGMEXEC
51184+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
51185+ if (end > SEGMEXEC_TASK_SIZE)
51186+ return -EINVAL;
51187+ } else
51188+#endif
51189+
51190+ if (end > TASK_SIZE)
51191+ return -EINVAL;
51192+
51193 if (end == start)
51194 return 0;
51195
57199397 51196@@ -1303,6 +1328,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
58c5fc13
MT		 51197 if (!mm)
51198 return -EINVAL;
51199
51200+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51201+ if (mm != current->mm &&
51202+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51203+ err = -EPERM;
51204+ goto out;
51205+ }
51206+#endif
51207+
51208 /*
51209 * Check if this process has the right to modify the specified
51210 * process. The right exists if the process has administrative
57199397 51211@@ -1312,8 +1345,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
58c5fc13
MT		 51212 rcu_read_lock();
51213 tcred = __task_cred(task);
51214 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51215- cred->uid != tcred->suid && cred->uid != tcred->uid &&
51216- !capable(CAP_SYS_NICE)) {
51217+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
51218 rcu_read_unlock();
51219 err = -EPERM;
51220 goto out;
57199397 51221@@ -2564,7 +2596,7 @@ int show_numa_map(struct seq_file *m, vo
58c5fc13
MT		 51222
51223 if (file) {
51224 seq_printf(m, " file=");
51225- seq_path(m, &file->f_path, "\n\t= ");
51226+ seq_path(m, &file->f_path, "\n\t\\= ");
51227 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
51228 seq_printf(m, " heap");
51229 } else if (vma->vm_start <= mm->start_stack &&
57199397
MT		 51230diff -urNp linux-2.6.35.4/mm/migrate.c linux-2.6.35.4/mm/migrate.c
51231--- linux-2.6.35.4/mm/migrate.c 2010-08-26 19:47:12.000000000 -0400
51232+++ linux-2.6.35.4/mm/migrate.c 2010-09-17 20:12:37.000000000 -0400
51233@@ -1102,6 +1102,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
58c5fc13
MT		 51234 if (!mm)
51235 return -EINVAL;
51236
51237+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51238+ if (mm != current->mm &&
51239+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51240+ err = -EPERM;
51241+ goto out;
51242+ }
51243+#endif
51244+
51245 /*
51246 * Check if this process has the right to modify the specified
51247 * process. The right exists if the process has administrative
57199397 51248@@ -1111,8 +1119,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
58c5fc13
MT		 51249 rcu_read_lock();
51250 tcred = __task_cred(task);
51251 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51252- cred->uid != tcred->suid && cred->uid != tcred->uid &&
51253- !capable(CAP_SYS_NICE)) {
51254+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
51255 rcu_read_unlock();
51256 err = -EPERM;
51257 goto out;
57199397
MT		 51258diff -urNp linux-2.6.35.4/mm/mlock.c linux-2.6.35.4/mm/mlock.c
51259--- linux-2.6.35.4/mm/mlock.c 2010-08-26 19:47:12.000000000 -0400
51260+++ linux-2.6.35.4/mm/mlock.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 51261@@ -13,6 +13,7 @@
51262 #include <linux/pagemap.h>
51263 #include <linux/mempolicy.h>
51264 #include <linux/syscalls.h>
51265+#include <linux/security.h>
51266 #include <linux/sched.h>
51267 #include <linux/module.h>
51268 #include <linux/rmap.h>
57199397
MT		 51269@@ -135,19 +136,6 @@ void munlock_vma_page(struct page *page)
51270 }
51271 }
51272
51273-/* Is the vma a continuation of the stack vma above it? */
51274-static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
51275-{
51276- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
51277-}
51278-
51279-static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
51280-{
51281- return (vma->vm_flags & VM_GROWSDOWN) &&
51282- (vma->vm_start == addr) &&
51283- !vma_stack_continue(vma->vm_prev, addr);
51284-}
51285-
51286 /**
51287 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
51288 * @vma: target vma
51289@@ -180,12 +168,6 @@ static long __mlock_vma_pages_range(stru
51290 if (vma->vm_flags & VM_WRITE)
51291 gup_flags |= FOLL_WRITE;
51292
51293- /* We don't try to access the guard page of a stack vma */
51294- if (stack_guard_page(vma, start)) {
51295- addr += PAGE_SIZE;
51296- nr_pages--;
51297- }
51298-
51299 while (nr_pages > 0) {
51300 int i;
51301
51302@@ -451,6 +433,9 @@ static int do_mlock(unsigned long start,
58c5fc13
MT		 51303 return -EINVAL;
51304 if (end == start)
51305 return 0;
58c5fc13
MT		 51306+ if (end > TASK_SIZE)
51307+ return -EINVAL;
51308+
51309 vma = find_vma_prev(current->mm, start, &prev);
51310 if (!vma || vma->vm_start > start)
51311 return -ENOMEM;
57199397
MT		 51312@@ -461,6 +446,11 @@ static int do_mlock(unsigned long start,
51313 for (nstart = start ; ; ) {
51314 unsigned int newflags;
51315
51316+#ifdef CONFIG_PAX_SEGMEXEC
51317+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51318+ break;
51319+#endif
51320+
51321 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
51322
51323 newflags = vma->vm_flags | VM_LOCKED;
51324@@ -510,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
58c5fc13
MT		 51325 lock_limit >>= PAGE_SHIFT;
51326
51327 /* check against resource limits */
51328+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
51329 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
51330 error = do_mlock(start, len, 1);
51331 up_write(&current->mm->mmap_sem);
57199397 51332@@ -531,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
58c5fc13
MT		 51333 static int do_mlockall(int flags)
51334 {
51335 struct vm_area_struct * vma, * prev = NULL;
51336- unsigned int def_flags = 0;
58c5fc13
MT		 51337
51338 if (flags & MCL_FUTURE)
51339- def_flags = VM_LOCKED;
57199397
MT		 51340- current->mm->def_flags = def_flags;
51341+ current->mm->def_flags |= VM_LOCKED;
51342+ else
51343+ current->mm->def_flags &= ~VM_LOCKED;
58c5fc13
MT		 51344 if (flags == MCL_FUTURE)
51345 goto out;
58c5fc13 51346
57199397
MT		 51347 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
51348- unsigned int newflags;
51349+ unsigned long newflags;
51350+
58c5fc13
MT		 51351+#ifdef CONFIG_PAX_SEGMEXEC
51352+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51353+ break;
51354+#endif
57199397 51355
58c5fc13
MT		 51356+ BUG_ON(vma->vm_end > TASK_SIZE);
51357 newflags = vma->vm_flags | VM_LOCKED;
51358 if (!(flags & MCL_CURRENT))
51359 newflags &= ~VM_LOCKED;
57199397 51360@@ -573,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
58c5fc13
MT		 51361 lock_limit >>= PAGE_SHIFT;
51362
51363 ret = -ENOMEM;
57199397 51364+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
58c5fc13
MT		 51365 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
51366 capable(CAP_IPC_LOCK))
51367 ret = do_mlockall(flags);
57199397
MT		 51368diff -urNp linux-2.6.35.4/mm/mmap.c linux-2.6.35.4/mm/mmap.c
51369--- linux-2.6.35.4/mm/mmap.c 2010-08-26 19:47:12.000000000 -0400
51370+++ linux-2.6.35.4/mm/mmap.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f 51371@@ -44,6 +44,16 @@
58c5fc13
MT		 51372 #define arch_rebalance_pgtables(addr, len) (addr)
51373 #endif
51374
51375+static inline void verify_mm_writelocked(struct mm_struct *mm)
51376+{
51377+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
51378+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
51379+ up_read(&mm->mmap_sem);
51380+ BUG();
51381+ }
51382+#endif
51383+}
51384+
51385 static void unmap_region(struct mm_struct *mm,
51386 struct vm_area_struct *vma, struct vm_area_struct *prev,
51387 unsigned long start, unsigned long end);
57199397 51388@@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
58c5fc13
MT		 51389 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
51390 *
51391 */
51392-pgprot_t protection_map[16] = {
51393+pgprot_t protection_map[16] __read_only = {
51394 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
51395 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
51396 };
51397
51398 pgprot_t vm_get_page_prot(unsigned long vm_flags)
51399 {
51400- return __pgprot(pgprot_val(protection_map[vm_flags &
51401+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
51402 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
51403 pgprot_val(arch_vm_get_page_prot(vm_flags)));
51404+
51405+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
ae4e228f 51406+ if (!(__supported_pte_mask & _PAGE_NX) &&
58c5fc13
MT		 51407+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
51408+ (vm_flags & (VM_READ | VM_WRITE)))
51409+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
51410+#endif
51411+
51412+ return prot;
51413 }
51414 EXPORT_SYMBOL(vm_get_page_prot);
51415
57199397
MT		 51416 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
51417 int sysctl_overcommit_ratio = 50; /* default is 50% */
51418 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
51419+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
51420 struct percpu_counter vm_committed_as;
51421
51422 /*
51423@@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
58c5fc13
MT		 51424 struct vm_area_struct *next = vma->vm_next;
51425
51426 might_sleep();
51427+ BUG_ON(vma->vm_mirror);
51428 if (vma->vm_ops && vma->vm_ops->close)
51429 vma->vm_ops->close(vma);
51430 if (vma->vm_file) {
57199397 51431@@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
58c5fc13
MT		 51432 * not page aligned -Ram Gupta
51433 */
df50ba0c 51434 rlim = rlimit(RLIMIT_DATA);
58c5fc13
MT		 51435+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
51436 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
51437 (mm->end_data - mm->start_data) > rlim)
51438 goto out;
57199397 51439@@ -695,6 +717,12 @@ static int
58c5fc13
MT		 51440 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
51441 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51442 {
51443+
51444+#ifdef CONFIG_PAX_SEGMEXEC
51445+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
51446+ return 0;
51447+#endif
51448+
51449 if (is_mergeable_vma(vma, file, vm_flags) &&
51450 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51451 if (vma->vm_pgoff == vm_pgoff)
57199397 51452@@ -714,6 +742,12 @@ static int
58c5fc13
MT		 51453 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
51454 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51455 {
51456+
51457+#ifdef CONFIG_PAX_SEGMEXEC
51458+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
51459+ return 0;
51460+#endif
51461+
51462 if (is_mergeable_vma(vma, file, vm_flags) &&
51463 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51464 pgoff_t vm_pglen;
57199397 51465@@ -756,13 +790,20 @@ can_vma_merge_after(struct vm_area_struc
58c5fc13
MT		 51466 struct vm_area_struct *vma_merge(struct mm_struct *mm,
51467 struct vm_area_struct *prev, unsigned long addr,
51468 unsigned long end, unsigned long vm_flags,
51469- struct anon_vma *anon_vma, struct file *file,
51470+ struct anon_vma *anon_vma, struct file *file,
51471 pgoff_t pgoff, struct mempolicy *policy)
51472 {
51473 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
51474 struct vm_area_struct *area, *next;
df50ba0c 51475 int err;
58c5fc13
MT		 51476
51477+#ifdef CONFIG_PAX_SEGMEXEC
51478+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
51479+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
51480+
51481+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
51482+#endif
51483+
51484 /*
51485 * We later require that vma->vm_flags == vm_flags,
51486 * so this tests vma->vm_flags & VM_SPECIAL, too.
57199397 51487@@ -778,6 +819,15 @@ struct vm_area_struct *vma_merge(struct
58c5fc13
MT		 51488 if (next && next->vm_end == end) /* cases 6, 7, 8 */
51489 next = next->vm_next;
51490
51491+#ifdef CONFIG_PAX_SEGMEXEC
51492+ if (prev)
51493+ prev_m = pax_find_mirror_vma(prev);
51494+ if (area)
51495+ area_m = pax_find_mirror_vma(area);
51496+ if (next)
51497+ next_m = pax_find_mirror_vma(next);
51498+#endif
51499+
51500 /*
51501 * Can it merge with the predecessor?
51502 */
57199397 51503@@ -797,9 +847,24 @@ struct vm_area_struct *vma_merge(struct
58c5fc13 51504 /* cases 1, 6 */
df50ba0c 51505 err = vma_adjust(prev, prev->vm_start,
58c5fc13
MT		 51506 next->vm_end, prev->vm_pgoff, NULL);
51507- } else /* cases 2, 5, 7 */
51508+
51509+#ifdef CONFIG_PAX_SEGMEXEC
df50ba0c
MT		 51510+ if (!err && prev_m)
51511+ err = vma_adjust(prev_m, prev_m->vm_start,
58c5fc13
MT		 51512+ next_m->vm_end, prev_m->vm_pgoff, NULL);
51513+#endif
51514+
51515+ } else { /* cases 2, 5, 7 */
df50ba0c 51516 err = vma_adjust(prev, prev->vm_start,
58c5fc13
MT		 51517 end, prev->vm_pgoff, NULL);
51518+
51519+#ifdef CONFIG_PAX_SEGMEXEC
df50ba0c
MT		 51520+ if (!err && prev_m)
51521+ err = vma_adjust(prev_m, prev_m->vm_start,
51522+ end_m, prev_m->vm_pgoff, NULL);
58c5fc13
MT		 51523+#endif
51524+
51525+ }
df50ba0c
MT		 51526 if (err)
51527 return NULL;
58c5fc13 51528 return prev;
57199397 51529@@ -812,12 +877,27 @@ struct vm_area_struct *vma_merge(struct
58c5fc13
MT		 51530 mpol_equal(policy, vma_policy(next)) &&
51531 can_vma_merge_before(next, vm_flags,
51532 anon_vma, file, pgoff+pglen)) {
51533- if (prev && addr < prev->vm_end) /* case 4 */
51534+ if (prev && addr < prev->vm_end) { /* case 4 */
df50ba0c 51535 err = vma_adjust(prev, prev->vm_start,
58c5fc13
MT		 51536 addr, prev->vm_pgoff, NULL);
51537- else /* cases 3, 8 */
51538+
51539+#ifdef CONFIG_PAX_SEGMEXEC
df50ba0c
MT		 51540+ if (!err && prev_m)
51541+ err = vma_adjust(prev_m, prev_m->vm_start,
51542+ addr_m, prev_m->vm_pgoff, NULL);
58c5fc13
MT		 51543+#endif
51544+
51545+ } else { /* cases 3, 8 */
df50ba0c 51546 err = vma_adjust(area, addr, next->vm_end,
58c5fc13
MT		 51547 next->vm_pgoff - pglen, NULL);
51548+
51549+#ifdef CONFIG_PAX_SEGMEXEC
df50ba0c
MT		 51550+ if (!err && area_m)
51551+ err = vma_adjust(area_m, addr_m, next_m->vm_end,
51552+ next_m->vm_pgoff - pglen, NULL);
58c5fc13
MT		 51553+#endif
51554+
51555+ }
df50ba0c
MT		 51556 if (err)
51557 return NULL;
58c5fc13 51558 return area;
57199397 51559@@ -932,14 +1012,11 @@ none:
58c5fc13
MT		 51560 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
51561 struct file *file, long pages)
51562 {
51563- const unsigned long stack_flags
51564- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
51565-
51566 if (file) {
51567 mm->shared_vm += pages;
51568 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
51569 mm->exec_vm += pages;
51570- } else if (flags & stack_flags)
51571+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
51572 mm->stack_vm += pages;
51573 if (flags & (VM_RESERVED|VM_IO))
51574 mm->reserved_vm += pages;
57199397 51575@@ -966,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT		 51576 * (the exception is when the underlying filesystem is noexec
51577 * mounted, in which case we dont add PROT_EXEC.)
51578 */
51579- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
51580+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
51581 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
51582 prot |= PROT_EXEC;
51583
57199397 51584@@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT		 51585 /* Obtain the address to map to. we verify (or select) it and ensure
51586 * that it represents a valid section of the address space.
51587 */
51588- addr = get_unmapped_area(file, addr, len, pgoff, flags);
51589+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
51590 if (addr & ~PAGE_MASK)
51591 return addr;
51592
57199397 51593@@ -1003,6 +1080,28 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT		 51594 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
51595 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
51596
58c5fc13 51597+#ifdef CONFIG_PAX_MPROTECT
57199397
MT		 51598+ if (mm->pax_flags & MF_PAX_MPROTECT) {
51599+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
51600+
51601+#ifdef CONFIG_PAX_EMUPLT
51602+ vm_flags &= ~VM_EXEC;
51603+#else
51604+ return -EPERM;
58c5fc13
MT		 51605+#endif
51606+
57199397
MT		 51607+ if (!(vm_flags & VM_EXEC))
51608+ vm_flags &= ~VM_MAYEXEC;
51609+ else
51610+ vm_flags &= ~VM_MAYWRITE;
58c5fc13
MT		 51611+ }
51612+#endif
51613+
51614+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51615+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
51616+ vm_flags &= ~VM_PAGEEXEC;
51617+#endif
51618+
ae4e228f 51619 if (flags & MAP_LOCKED)
58c5fc13
MT		 51620 if (!can_do_mlock())
51621 return -EPERM;
57199397 51622@@ -1014,6 +1113,7 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13 51623 locked += mm->locked_vm;
df50ba0c 51624 lock_limit = rlimit(RLIMIT_MEMLOCK);
58c5fc13
MT		 51625 lock_limit >>= PAGE_SHIFT;
51626+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51627 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
51628 return -EAGAIN;
51629 }
57199397 51630@@ -1084,6 +1184,9 @@ unsigned long do_mmap_pgoff(struct file
58c5fc13
MT		 51631 if (error)
51632 return error;
51633
51634+ if (!gr_acl_handle_mmap(file, prot))
51635+ return -EACCES;
51636+
51637 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
51638 }
51639 EXPORT_SYMBOL(do_mmap_pgoff);
57199397 51640@@ -1160,10 +1263,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
58c5fc13
MT		 51641 */
51642 int vma_wants_writenotify(struct vm_area_struct *vma)
51643 {
51644- unsigned int vm_flags = vma->vm_flags;
51645+ unsigned long vm_flags = vma->vm_flags;
51646
51647 /* If it was private or non-writable, the write bit is already clear */
51648- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
51649+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
51650 return 0;
51651
51652 /* The backer wishes to know when pages are first written to? */
57199397 51653@@ -1212,14 +1315,24 @@ unsigned long mmap_region(struct file *f
58c5fc13
MT		 51654 unsigned long charged = 0;
51655 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
51656
51657+#ifdef CONFIG_PAX_SEGMEXEC
51658+ struct vm_area_struct *vma_m = NULL;
51659+#endif
51660+
51661+ /*
51662+ * mm->mmap_sem is required to protect against another thread
51663+ * changing the mappings in case we sleep.
51664+ */
51665+ verify_mm_writelocked(mm);
51666+
51667 /* Clear old maps */
51668 error = -ENOMEM;
51669-munmap_back:
51670 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51671 if (vma && vma->vm_start < addr + len) {
51672 if (do_munmap(mm, addr, len))
51673 return -ENOMEM;
51674- goto munmap_back;
51675+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51676+ BUG_ON(vma && vma->vm_start < addr + len);
51677 }
51678
51679 /* Check against address space limit. */
57199397 51680@@ -1268,6 +1381,16 @@ munmap_back:
58c5fc13
MT		 51681 goto unacct_error;
51682 }
51683
51684+#ifdef CONFIG_PAX_SEGMEXEC
51685+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
51686+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
51687+ if (!vma_m) {
51688+ error = -ENOMEM;
51689+ goto free_vma;
51690+ }
51691+ }
51692+#endif
51693+
51694 vma->vm_mm = mm;
51695 vma->vm_start = addr;
51696 vma->vm_end = addr + len;
57199397 51697@@ -1291,6 +1414,19 @@ munmap_back:
58c5fc13
MT		 51698 error = file->f_op->mmap(file, vma);
51699 if (error)
51700 goto unmap_and_free_vma;
51701+
51702+#ifdef CONFIG_PAX_SEGMEXEC
51703+ if (vma_m && (vm_flags & VM_EXECUTABLE))
51704+ added_exe_file_vma(mm);
51705+#endif
51706+
51707+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51708+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
51709+ vma->vm_flags |= VM_PAGEEXEC;
51710+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
51711+ }
51712+#endif
51713+
51714 if (vm_flags & VM_EXECUTABLE)
51715 added_exe_file_vma(mm);
ae4e228f 51716
57199397 51717@@ -1326,6 +1462,11 @@ munmap_back:
58c5fc13
MT		 51718 vma_link(mm, vma, prev, rb_link, rb_parent);
51719 file = vma->vm_file;
51720
51721+#ifdef CONFIG_PAX_SEGMEXEC
51722+ if (vma_m)
df50ba0c 51723+ BUG_ON(pax_mirror_vma(vma_m, vma));
58c5fc13
MT		 51724+#endif
51725+
51726 /* Once vma denies write, undo our temporary denial count */
51727 if (correct_wcount)
51728 atomic_inc(&inode->i_writecount);
57199397 51729@@ -1334,6 +1475,7 @@ out:
58c5fc13
MT		 51730
51731 mm->total_vm += len >> PAGE_SHIFT;
51732 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
51733+ track_exec_limit(mm, addr, addr + len, vm_flags);
51734 if (vm_flags & VM_LOCKED) {
df50ba0c
MT		 51735 if (!mlock_vma_pages_range(vma, addr, addr + len))
51736 mm->locked_vm += (len >> PAGE_SHIFT);
57199397 51737@@ -1351,6 +1493,12 @@ unmap_and_free_vma:
58c5fc13
MT		 51738 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
51739 charged = 0;
51740 free_vma:
51741+
51742+#ifdef CONFIG_PAX_SEGMEXEC
51743+ if (vma_m)
51744+ kmem_cache_free(vm_area_cachep, vma_m);
51745+#endif
51746+
51747 kmem_cache_free(vm_area_cachep, vma);
51748 unacct_error:
51749 if (charged)
57199397
MT		 51750@@ -1358,6 +1506,33 @@ unacct_error:
51751 return error;
51752 }
51753
51754+bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
51755+{
51756+ if (!vma) {
51757+#ifdef CONFIG_STACK_GROWSUP
51758+ if (addr > sysctl_heap_stack_gap)
51759+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
51760+ else
51761+ vma = find_vma(current->mm, 0);
51762+ if (vma && (vma->vm_flags & VM_GROWSUP))
51763+ return false;
51764+#endif
51765+ return true;
51766+ }
51767+
51768+ if (addr + len > vma->vm_start)
51769+ return false;
51770+
51771+ if (vma->vm_flags & VM_GROWSDOWN)
51772+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
51773+#ifdef CONFIG_STACK_GROWSUP
51774+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
51775+ return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
51776+#endif
51777+
51778+ return true;
51779+}
51780+
51781 /* Get an address range which is currently unmapped.
51782 * For shmat() with addr=0.
51783 *
51784@@ -1384,18 +1559,23 @@ arch_get_unmapped_area(struct file *filp
58c5fc13
MT		 51785 if (flags & MAP_FIXED)
51786 return addr;
51787
51788+#ifdef CONFIG_PAX_RANDMMAP
51789+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51790+#endif
51791+
51792 if (addr) {
51793 addr = PAGE_ALIGN(addr);
57199397
MT		 51794- vma = find_vma(mm, addr);
51795- if (TASK_SIZE - len >= addr &&
51796- (!vma || addr + len <= vma->vm_start))
51797- return addr;
51798+ if (TASK_SIZE - len >= addr) {
51799+ vma = find_vma(mm, addr);
51800+ if (check_heap_stack_gap(vma, addr, len))
51801+ return addr;
51802+ }
58c5fc13
MT		 51803 }
51804 if (len > mm->cached_hole_size) {
51805- start_addr = addr = mm->free_area_cache;
51806+ start_addr = addr = mm->free_area_cache;
51807 } else {
51808- start_addr = addr = TASK_UNMAPPED_BASE;
51809- mm->cached_hole_size = 0;
51810+ start_addr = addr = mm->mmap_base;
51811+ mm->cached_hole_size = 0;
51812 }
51813
51814 full_search:
57199397 51815@@ -1406,34 +1586,40 @@ full_search:
58c5fc13
MT		 51816 * Start a new search - just in case we missed
51817 * some holes.
51818 */
51819- if (start_addr != TASK_UNMAPPED_BASE) {
51820- addr = TASK_UNMAPPED_BASE;
51821- start_addr = addr;
51822+ if (start_addr != mm->mmap_base) {
51823+ start_addr = addr = mm->mmap_base;
51824 mm->cached_hole_size = 0;
51825 goto full_search;
51826 }
57199397
MT		 51827 return -ENOMEM;
51828 }
51829- if (!vma || addr + len <= vma->vm_start) {
51830- /*
51831- * Remember the place where we stopped the search:
51832- */
51833- mm->free_area_cache = addr + len;
51834- return addr;
51835- }
51836+ if (check_heap_stack_gap(vma, addr, len))
51837+ break;
51838 if (addr + mm->cached_hole_size < vma->vm_start)
51839 mm->cached_hole_size = vma->vm_start - addr;
51840 addr = vma->vm_end;
51841 }
51842+
51843+ /*
51844+ * Remember the place where we stopped the search:
51845+ */
51846+ mm->free_area_cache = addr + len;
51847+ return addr;
51848 }
51849 #endif
58c5fc13
MT		 51850
51851 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
51852 {
51853+
51854+#ifdef CONFIG_PAX_SEGMEXEC
51855+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51856+ return;
51857+#endif
51858+
51859 /*
51860 * Is this a new hole at the lowest possible address?
51861 */
51862- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
51863+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
51864 mm->free_area_cache = addr;
51865 mm->cached_hole_size = ~0UL;
51866 }
57199397 51867@@ -1451,7 +1637,7 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT		 51868 {
51869 struct vm_area_struct *vma;
51870 struct mm_struct *mm = current->mm;
51871- unsigned long addr = addr0;
51872+ unsigned long base = mm->mmap_base, addr = addr0;
51873
51874 /* requested length too big for entire address space */
51875 if (len > TASK_SIZE)
57199397 51876@@ -1460,13 +1646,18 @@ arch_get_unmapped_area_topdown(struct fi
58c5fc13
MT		 51877 if (flags & MAP_FIXED)
51878 return addr;
51879
51880+#ifdef CONFIG_PAX_RANDMMAP
51881+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51882+#endif
51883+
51884 /* requesting a specific address */
51885 if (addr) {
51886 addr = PAGE_ALIGN(addr);
57199397
MT		 51887- vma = find_vma(mm, addr);
51888- if (TASK_SIZE - len >= addr &&
51889- (!vma || addr + len <= vma->vm_start))
51890- return addr;
51891+ if (TASK_SIZE - len >= addr) {
51892+ vma = find_vma(mm, addr);
51893+ if (check_heap_stack_gap(vma, addr, len))
51894+ return addr;
51895+ }
51896 }
51897
51898 /* check if free_area_cache is useful for us */
51899@@ -1481,7 +1672,7 @@ arch_get_unmapped_area_topdown(struct fi
51900 /* make sure it can fit in the remaining address space */
51901 if (addr > len) {
51902 vma = find_vma(mm, addr-len);
51903- if (!vma || addr <= vma->vm_start)
51904+ if (check_heap_stack_gap(vma, addr - len, len))
51905 /* remember the address as a hint for next time */
51906 return (mm->free_area_cache = addr-len);
51907 }
51908@@ -1498,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
51909 * return with success:
51910 */
51911 vma = find_vma(mm, addr);
51912- if (!vma || addr+len <= vma->vm_start)
51913+ if (check_heap_stack_gap(vma, addr, len))
51914 /* remember the address as a hint for next time */
51915 return (mm->free_area_cache = addr);
51916
51917@@ -1517,13 +1708,21 @@ bottomup:
58c5fc13
MT		 51918 * can happen with large stack limits and large mmap()
51919 * allocations.
51920 */
51921+ mm->mmap_base = TASK_UNMAPPED_BASE;
51922+
51923+#ifdef CONFIG_PAX_RANDMMAP
51924+ if (mm->pax_flags & MF_PAX_RANDMMAP)
51925+ mm->mmap_base += mm->delta_mmap;
51926+#endif
51927+
51928+ mm->free_area_cache = mm->mmap_base;
51929 mm->cached_hole_size = ~0UL;
51930- mm->free_area_cache = TASK_UNMAPPED_BASE;
51931 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
51932 /*
51933 * Restore the topdown base:
51934 */
51935- mm->free_area_cache = mm->mmap_base;
51936+ mm->mmap_base = base;
51937+ mm->free_area_cache = base;
51938 mm->cached_hole_size = ~0UL;
51939
51940 return addr;
57199397 51941@@ -1532,6 +1731,12 @@ bottomup:
58c5fc13
MT		 51942
51943 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
51944 {
51945+
51946+#ifdef CONFIG_PAX_SEGMEXEC
51947+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51948+ return;
51949+#endif
51950+
51951 /*
51952 * Is this a new hole at the highest possible address?
51953 */
57199397 51954@@ -1539,8 +1744,10 @@ void arch_unmap_area_topdown(struct mm_s
58c5fc13
MT		 51955 mm->free_area_cache = addr;
51956
51957 /* dont allow allocations above current base */
51958- if (mm->free_area_cache > mm->mmap_base)
51959+ if (mm->free_area_cache > mm->mmap_base) {
51960 mm->free_area_cache = mm->mmap_base;
51961+ mm->cached_hole_size = ~0UL;
51962+ }
51963 }
51964
51965 unsigned long
57199397 51966@@ -1648,6 +1855,34 @@ out:
58c5fc13
MT		 51967 return prev ? prev->vm_next : vma;
51968 }
51969
51970+#ifdef CONFIG_PAX_SEGMEXEC
51971+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
51972+{
51973+ struct vm_area_struct *vma_m;
51974+
51975+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
51976+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
51977+ BUG_ON(vma->vm_mirror);
51978+ return NULL;
51979+ }
51980+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
51981+ vma_m = vma->vm_mirror;
51982+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
51983+ BUG_ON(vma->vm_file != vma_m->vm_file);
51984+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
57199397
MT		 51985+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
51986+ if (vma->anon_vma != vma_m->anon_vma) {
51987+ struct anon_vma_chain *avc, *avc_m;
51988+
51989+ avc = list_entry(vma->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51990+ avc_m = list_entry(vma_m->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51991+ BUG_ON(avc->anon_vma != avc_m->anon_vma);
51992+ }
58c5fc13
MT		 51993+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
51994+ return vma_m;
51995+}
51996+#endif
51997+
51998 /*
51999 * Verify that the stack growth is acceptable and
52000 * update accounting. This is shared with both the
57199397 52001@@ -1664,6 +1899,7 @@ static int acct_stack_growth(struct vm_a
58c5fc13
MT		 52002 return -ENOMEM;
52003
52004 /* Stack limit test */
52005+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
df50ba0c 52006 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
58c5fc13
MT		 52007 return -ENOMEM;
52008
57199397 52009@@ -1674,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
58c5fc13 52010 locked = mm->locked_vm + grow;
df50ba0c
MT		 52011 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
52012 limit >>= PAGE_SHIFT;
58c5fc13
MT		 52013+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
52014 if (locked > limit && !capable(CAP_IPC_LOCK))
52015 return -ENOMEM;
52016 }
57199397 52017@@ -1709,35 +1946,42 @@ static
58c5fc13
MT		 52018 #endif
52019 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
52020 {
52021- int error;
52022+ int error, locknext;
52023
52024 if (!(vma->vm_flags & VM_GROWSUP))
52025 return -EFAULT;
52026
52027+ /* Also guard against wrapping around to address 0. */
52028+ if (address < PAGE_ALIGN(address+1))
52029+ address = PAGE_ALIGN(address+1);
52030+ else
52031+ return -ENOMEM;
52032+
52033 /*
52034 * We must make sure the anon_vma is allocated
52035 * so that the anon_vma locking is not a noop.
52036 */
52037 if (unlikely(anon_vma_prepare(vma)))
52038 return -ENOMEM;
52039+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
57199397 52040+ if (locknext && anon_vma_prepare(vma->vm_next))
58c5fc13
MT		 52041+ return -ENOMEM;
52042 anon_vma_lock(vma);
52043+ if (locknext)
52044+ anon_vma_lock(vma->vm_next);
52045
52046 /*
52047 * vma->vm_start/vm_end cannot change under us because the caller
52048 * is required to hold the mmap_sem in read mode. We need the
52049- * anon_vma lock to serialize against concurrent expand_stacks.
52050- * Also guard against wrapping around to address 0.
52051+ * anon_vma locks to serialize against concurrent expand_stacks
52052+ * and expand_upwards.
52053 */
52054- if (address < PAGE_ALIGN(address+4))
52055- address = PAGE_ALIGN(address+4);
52056- else {
52057- anon_vma_unlock(vma);
52058- return -ENOMEM;
52059- }
52060 error = 0;
52061
52062 /* Somebody else might have raced and expanded it already */
52063- if (address > vma->vm_end) {
57199397
MT		 52064+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
52065+ error = -ENOMEM;
52066+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
58c5fc13
MT		 52067 unsigned long size, grow;
52068
52069 size = address - vma->vm_start;
57199397 52070@@ -1747,6 +1991,8 @@ int expand_upwards(struct vm_area_struct
58c5fc13
MT		 52071 if (!error)
52072 vma->vm_end = address;
52073 }
52074+ if (locknext)
52075+ anon_vma_unlock(vma->vm_next);
52076 anon_vma_unlock(vma);
52077 return error;
52078 }
57199397 52079@@ -1758,7 +2004,8 @@ int expand_upwards(struct vm_area_struct
58c5fc13
MT		 52080 static int expand_downwards(struct vm_area_struct *vma,
52081 unsigned long address)
52082 {
52083- int error;
52084+ int error, lockprev = 0;
57199397 52085+ struct vm_area_struct *prev;
58c5fc13
MT		 52086
52087 /*
52088 * We must make sure the anon_vma is allocated
57199397 52089@@ -1772,6 +2019,15 @@ static int expand_downwards(struct vm_ar
58c5fc13
MT		 52090 if (error)
52091 return error;
52092
57199397 52093+ prev = vma->vm_prev;
58c5fc13 52094+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
58c5fc13
MT		 52095+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
52096+#endif
57199397 52097+ if (lockprev && anon_vma_prepare(prev))
58c5fc13
MT		 52098+ return -ENOMEM;
52099+ if (lockprev)
52100+ anon_vma_lock(prev);
52101+
52102 anon_vma_lock(vma);
52103
52104 /*
57199397 52105@@ -1781,9 +2037,17 @@ static int expand_downwards(struct vm_ar
58c5fc13
MT		 52106 */
52107
52108 /* Somebody else might have raced and expanded it already */
52109- if (address < vma->vm_start) {
57199397
MT		 52110+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
52111+ error = -ENOMEM;
52112+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
58c5fc13
MT		 52113 unsigned long size, grow;
52114
52115+#ifdef CONFIG_PAX_SEGMEXEC
52116+ struct vm_area_struct *vma_m;
52117+
52118+ vma_m = pax_find_mirror_vma(vma);
52119+#endif
52120+
52121 size = vma->vm_end - address;
52122 grow = (vma->vm_start - address) >> PAGE_SHIFT;
52123
57199397 52124@@ -1791,9 +2055,20 @@ static int expand_downwards(struct vm_ar
58c5fc13
MT		 52125 if (!error) {
52126 vma->vm_start = address;
52127 vma->vm_pgoff -= grow;
52128+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
52129+
52130+#ifdef CONFIG_PAX_SEGMEXEC
52131+ if (vma_m) {
52132+ vma_m->vm_start -= grow << PAGE_SHIFT;
52133+ vma_m->vm_pgoff -= grow;
52134+ }
52135+#endif
52136+
52137 }
52138 }
52139 anon_vma_unlock(vma);
52140+ if (lockprev)
52141+ anon_vma_unlock(prev);
52142 return error;
52143 }
52144
57199397 52145@@ -1867,6 +2142,13 @@ static void remove_vma_list(struct mm_st
58c5fc13
MT		 52146 do {
52147 long nrpages = vma_pages(vma);
52148
52149+#ifdef CONFIG_PAX_SEGMEXEC
52150+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
52151+ vma = remove_vma(vma);
52152+ continue;
52153+ }
52154+#endif
52155+
52156 mm->total_vm -= nrpages;
52157 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
52158 vma = remove_vma(vma);
57199397 52159@@ -1912,6 +2194,16 @@ detach_vmas_to_be_unmapped(struct mm_str
58c5fc13 52160 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
57199397 52161 vma->vm_prev = NULL;
58c5fc13
MT		 52162 do {
52163+
52164+#ifdef CONFIG_PAX_SEGMEXEC
52165+ if (vma->vm_mirror) {
52166+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
52167+ vma->vm_mirror->vm_mirror = NULL;
52168+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
52169+ vma->vm_mirror = NULL;
52170+ }
52171+#endif
52172+
52173 rb_erase(&vma->vm_rb, &mm->mm_rb);
52174 mm->map_count--;
52175 tail_vma = vma;
57199397 52176@@ -1940,14 +2232,33 @@ static int __split_vma(struct mm_struct
ae4e228f 52177 struct vm_area_struct *new;
df50ba0c 52178 int err = -ENOMEM;
ae4e228f 52179
58c5fc13 52180+#ifdef CONFIG_PAX_SEGMEXEC
ae4e228f 52181+ struct vm_area_struct *vma_m, *new_m = NULL;
58c5fc13 52182+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
ae4e228f 52183+#endif
58c5fc13 52184+
ae4e228f
MT		 52185 if (is_vm_hugetlb_page(vma) && (addr &
52186 ~(huge_page_mask(hstate_vma(vma)))))
52187 return -EINVAL;
52188
52189+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13 52190+ vma_m = pax_find_mirror_vma(vma);
ae4e228f 52191+#endif
58c5fc13 52192+
ae4e228f
MT		 52193 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52194 if (!new)
df50ba0c 52195 goto out_err;
ae4e228f
MT		 52196
52197+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13
MT		 52198+ if (vma_m) {
52199+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52200+ if (!new_m) {
52201+ kmem_cache_free(vm_area_cachep, new);
df50ba0c 52202+ goto out_err;
58c5fc13
MT		 52203+ }
52204+ }
ae4e228f 52205+#endif
58c5fc13 52206+
ae4e228f
MT		 52207 /* most fields are the same, copy all, and then fixup */
52208 *new = *vma;
52209
57199397 52210@@ -1960,6 +2271,22 @@ static int __split_vma(struct mm_struct
ae4e228f
MT		 52211 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
52212 }
52213
52214+#ifdef CONFIG_PAX_SEGMEXEC
58c5fc13
MT		 52215+ if (vma_m) {
52216+ *new_m = *vma_m;
df50ba0c 52217+ INIT_LIST_HEAD(&new_m->anon_vma_chain);
58c5fc13
MT		 52218+ new_m->vm_mirror = new;
52219+ new->vm_mirror = new_m;
52220+
52221+ if (new_below)
52222+ new_m->vm_end = addr_m;
52223+ else {
52224+ new_m->vm_start = addr_m;
52225+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
52226+ }
52227+ }
ae4e228f
MT		 52228+#endif
52229+
52230 pol = mpol_dup(vma_policy(vma));
52231 if (IS_ERR(pol)) {
df50ba0c 52232 err = PTR_ERR(pol);
57199397 52233@@ -1985,6 +2312,42 @@ static int __split_vma(struct mm_struct
ae4e228f 52234 else
df50ba0c 52235 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
ae4e228f
MT		 52236
52237+#ifdef CONFIG_PAX_SEGMEXEC
df50ba0c
MT		 52238+ if (!err && vma_m) {
52239+ if (anon_vma_clone(new_m, vma_m))
52240+ goto out_free_mpol;
52241+
58c5fc13
MT		 52242+ mpol_get(pol);
52243+ vma_set_policy(new_m, pol);
52244+
52245+ if (new_m->vm_file) {
52246+ get_file(new_m->vm_file);
52247+ if (vma_m->vm_flags & VM_EXECUTABLE)
52248+ added_exe_file_vma(mm);
52249+ }
52250+
52251+ if (new_m->vm_ops && new_m->vm_ops->open)
52252+ new_m->vm_ops->open(new_m);
52253+
52254+ if (new_below)
df50ba0c 52255+ err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
58c5fc13
MT		 52256+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
52257+ else
df50ba0c
MT		 52258+ err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
52259+
52260+ if (err) {
52261+ if (new_m->vm_ops && new_m->vm_ops->close)
52262+ new_m->vm_ops->close(new_m);
52263+ if (new_m->vm_file) {
52264+ if (vma_m->vm_flags & VM_EXECUTABLE)
52265+ removed_exe_file_vma(mm);
52266+ fput(new_m->vm_file);
52267+ }
52268+ mpol_put(pol);
52269+ }
58c5fc13 52270+ }
ae4e228f 52271+#endif
58c5fc13 52272+
df50ba0c
MT		 52273 /* Success. */
52274 if (!err)
52275 return 0;
57199397 52276@@ -2000,6 +2363,15 @@ static int __split_vma(struct mm_struct
df50ba0c
MT		 52277 out_free_mpol:
52278 mpol_put(pol);
52279 out_free_vma:
52280+
52281+#ifdef CONFIG_PAX_SEGMEXEC
52282+ if (new_m) {
52283+ unlink_anon_vmas(new_m);
52284+ kmem_cache_free(vm_area_cachep, new_m);
52285+ }
52286+#endif
52287+
52288+ unlink_anon_vmas(new);
52289 kmem_cache_free(vm_area_cachep, new);
52290 out_err:
52291 return err;
57199397 52292@@ -2012,6 +2384,15 @@ static int __split_vma(struct mm_struct
ae4e228f
MT		 52293 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
52294 unsigned long addr, int new_below)
52295 {
52296+
52297+#ifdef CONFIG_PAX_SEGMEXEC
52298+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52299+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
52300+ if (mm->map_count >= sysctl_max_map_count-1)
52301+ return -ENOMEM;
52302+ } else
58c5fc13 52303+#endif
ae4e228f
MT		 52304+
52305 if (mm->map_count >= sysctl_max_map_count)
52306 return -ENOMEM;
58c5fc13 52307
57199397 52308@@ -2023,11 +2404,30 @@ int split_vma(struct mm_struct *mm, stru
58c5fc13
MT		 52309 * work. This now handles partial unmappings.
52310 * Jeremy Fitzhardinge <jeremy@goop.org>
52311 */
52312+#ifdef CONFIG_PAX_SEGMEXEC
57199397
MT		 52313+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52314+{
58c5fc13
MT		 52315+ int ret = __do_munmap(mm, start, len);
52316+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
52317+ return ret;
52318+
52319+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
52320+}
52321+
52322+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52323+#else
57199397 52324 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
58c5fc13 52325+#endif
57199397 52326 {
58c5fc13
MT		 52327 unsigned long end;
52328 struct vm_area_struct *vma, *prev, *last;
52329
52330+ /*
52331+ * mm->mmap_sem is required to protect against another thread
52332+ * changing the mappings in case we sleep.
52333+ */
52334+ verify_mm_writelocked(mm);
52335+
52336 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
52337 return -EINVAL;
52338
57199397 52339@@ -2101,6 +2501,8 @@ int do_munmap(struct mm_struct *mm, unsi
58c5fc13
MT		 52340 /* Fix up all other VM information */
52341 remove_vma_list(mm, vma);
52342
52343+ track_exec_limit(mm, start, end, 0UL);
52344+
52345 return 0;
52346 }
52347
57199397 52348@@ -2113,22 +2515,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
58c5fc13
MT		 52349
52350 profile_munmap(addr);
52351
52352+#ifdef CONFIG_PAX_SEGMEXEC
52353+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
52354+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
52355+ return -EINVAL;
52356+#endif
52357+
52358 down_write(&mm->mmap_sem);
52359 ret = do_munmap(mm, addr, len);
52360 up_write(&mm->mmap_sem);
52361 return ret;
52362 }
52363
52364-static inline void verify_mm_writelocked(struct mm_struct *mm)
52365-{
52366-#ifdef CONFIG_DEBUG_VM
52367- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52368- WARN_ON(1);
52369- up_read(&mm->mmap_sem);
52370- }
52371-#endif
52372-}
52373-
52374 /*
52375 * this is really a simplified "do_mmap". it only handles
52376 * anonymous maps. eventually we may be able to do some
57199397 52377@@ -2142,6 +2540,7 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT		 52378 struct rb_node ** rb_link, * rb_parent;
52379 pgoff_t pgoff = addr >> PAGE_SHIFT;
52380 int error;
52381+ unsigned long charged;
58c5fc13
MT		 52382
52383 len = PAGE_ALIGN(len);
52384 if (!len)
57199397 52385@@ -2153,16 +2552,30 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT		 52386
52387 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
52388
52389+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
52390+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52391+ flags &= ~VM_EXEC;
52392+
52393+#ifdef CONFIG_PAX_MPROTECT
52394+ if (mm->pax_flags & MF_PAX_MPROTECT)
52395+ flags &= ~VM_MAYEXEC;
52396+#endif
52397+
52398+ }
52399+#endif
52400+
ae4e228f
MT		 52401 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
52402 if (error & ~PAGE_MASK)
58c5fc13
MT		 52403 return error;
52404
52405+ charged = len >> PAGE_SHIFT;
52406+
52407 /*
52408 * mlock MCL_FUTURE?
52409 */
52410 if (mm->def_flags & VM_LOCKED) {
52411 unsigned long locked, lock_limit;
52412- locked = len >> PAGE_SHIFT;
52413+ locked = charged;
52414 locked += mm->locked_vm;
df50ba0c 52415 lock_limit = rlimit(RLIMIT_MEMLOCK);
58c5fc13 52416 lock_limit >>= PAGE_SHIFT;
57199397 52417@@ -2179,22 +2592,22 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT		 52418 /*
52419 * Clear old maps. this also does some error checking for us
52420 */
52421- munmap_back:
52422 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52423 if (vma && vma->vm_start < addr + len) {
52424 if (do_munmap(mm, addr, len))
52425 return -ENOMEM;
52426- goto munmap_back;
52427+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52428+ BUG_ON(vma && vma->vm_start < addr + len);
52429 }
52430
52431 /* Check against address space limits *after* clearing old maps... */
52432- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
52433+ if (!may_expand_vm(mm, charged))
52434 return -ENOMEM;
52435
52436 if (mm->map_count > sysctl_max_map_count)
52437 return -ENOMEM;
52438
52439- if (security_vm_enough_memory(len >> PAGE_SHIFT))
52440+ if (security_vm_enough_memory(charged))
52441 return -ENOMEM;
52442
52443 /* Can we just expand an old private anonymous mapping? */
57199397 52444@@ -2208,7 +2621,7 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT		 52445 */
52446 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52447 if (!vma) {
52448- vm_unacct_memory(len >> PAGE_SHIFT);
52449+ vm_unacct_memory(charged);
52450 return -ENOMEM;
52451 }
52452
57199397 52453@@ -2221,11 +2634,12 @@ unsigned long do_brk(unsigned long addr,
58c5fc13
MT		 52454 vma->vm_page_prot = vm_get_page_prot(flags);
52455 vma_link(mm, vma, prev, rb_link, rb_parent);
52456 out:
52457- mm->total_vm += len >> PAGE_SHIFT;
52458+ mm->total_vm += charged;
52459 if (flags & VM_LOCKED) {
52460 if (!mlock_vma_pages_range(vma, addr, addr + len))
52461- mm->locked_vm += (len >> PAGE_SHIFT);
52462+ mm->locked_vm += charged;
52463 }
52464+ track_exec_limit(mm, addr, addr + len, flags);
52465 return addr;
52466 }
52467
57199397 52468@@ -2272,8 +2686,10 @@ void exit_mmap(struct mm_struct *mm)
58c5fc13
MT		 52469 * Walk the list again, actually closing and freeing it,
52470 * with preemption enabled, without holding any MM locks.
52471 */
52472- while (vma)
52473+ while (vma) {
52474+ vma->vm_mirror = NULL;
52475 vma = remove_vma(vma);
52476+ }
52477
52478 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
52479 }
57199397 52480@@ -2287,6 +2703,10 @@ int insert_vm_struct(struct mm_struct *
58c5fc13
MT		 52481 struct vm_area_struct * __vma, * prev;
52482 struct rb_node ** rb_link, * rb_parent;
52483
52484+#ifdef CONFIG_PAX_SEGMEXEC
52485+ struct vm_area_struct *vma_m = NULL;
52486+#endif
52487+
52488 /*
52489 * The vm_pgoff of a purely anonymous vma should be irrelevant
52490 * until its first write fault, when page's anon_vma and index
57199397 52491@@ -2309,7 +2729,22 @@ int insert_vm_struct(struct mm_struct *
58c5fc13
MT		 52492 if ((vma->vm_flags & VM_ACCOUNT) &&
52493 security_vm_enough_memory_mm(mm, vma_pages(vma)))
52494 return -ENOMEM;
52495+
52496+#ifdef CONFIG_PAX_SEGMEXEC
52497+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
52498+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52499+ if (!vma_m)
52500+ return -ENOMEM;
52501+ }
52502+#endif
52503+
52504 vma_link(mm, vma, prev, rb_link, rb_parent);
52505+
52506+#ifdef CONFIG_PAX_SEGMEXEC
52507+ if (vma_m)
df50ba0c 52508+ BUG_ON(pax_mirror_vma(vma_m, vma));
58c5fc13
MT		 52509+#endif
52510+
52511 return 0;
52512 }
52513
57199397 52514@@ -2327,6 +2762,8 @@ struct vm_area_struct *copy_vma(struct v
58c5fc13
MT		 52515 struct rb_node **rb_link, *rb_parent;
52516 struct mempolicy *pol;
52517
52518+ BUG_ON(vma->vm_mirror);
52519+
52520 /*
52521 * If anonymous vma has not yet been faulted, update new pgoff
52522 * to match new location, to increase its chance of merging.
57199397 52523@@ -2376,6 +2813,39 @@ struct vm_area_struct *copy_vma(struct v
df50ba0c
MT		 52524 kmem_cache_free(vm_area_cachep, new_vma);
52525 return NULL;
58c5fc13 52526 }
df50ba0c 52527+
58c5fc13 52528+#ifdef CONFIG_PAX_SEGMEXEC
df50ba0c 52529+long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
58c5fc13
MT		 52530+{
52531+ struct vm_area_struct *prev_m;
52532+ struct rb_node **rb_link_m, *rb_parent_m;
52533+ struct mempolicy *pol_m;
52534+
52535+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
52536+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
52537+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
52538+ *vma_m = *vma;
df50ba0c
MT		 52539+ INIT_LIST_HEAD(&vma_m->anon_vma_chain);
52540+ if (anon_vma_clone(vma_m, vma))
52541+ return -ENOMEM;
58c5fc13
MT		 52542+ pol_m = vma_policy(vma_m);
52543+ mpol_get(pol_m);
52544+ vma_set_policy(vma_m, pol_m);
52545+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
52546+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
52547+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
52548+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
52549+ if (vma_m->vm_file)
52550+ get_file(vma_m->vm_file);
52551+ if (vma_m->vm_ops && vma_m->vm_ops->open)
52552+ vma_m->vm_ops->open(vma_m);
52553+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
52554+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
52555+ vma_m->vm_mirror = vma;
52556+ vma->vm_mirror = vma_m;
df50ba0c 52557+ return 0;
58c5fc13
MT		 52558+}
52559+#endif
df50ba0c 52560
58c5fc13
MT		 52561 /*
52562 * Return true if the calling process may expand its vm space by the passed
57199397 52563@@ -2387,7 +2857,7 @@ int may_expand_vm(struct mm_struct *mm,
58c5fc13
MT		 52564 unsigned long lim;
52565
df50ba0c 52566 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
58c5fc13
MT		 52567-
52568+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
52569 if (cur + npages > lim)
52570 return 0;
52571 return 1;
57199397 52572@@ -2457,6 +2927,17 @@ int install_special_mapping(struct mm_st
58c5fc13
MT		 52573 vma->vm_start = addr;
52574 vma->vm_end = addr + len;
52575
52576+#ifdef CONFIG_PAX_MPROTECT
52577+ if (mm->pax_flags & MF_PAX_MPROTECT) {
57199397
MT		 52578+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
52579+ return -EPERM;
52580+ if (!(vm_flags & VM_EXEC))
52581+ vm_flags &= ~VM_MAYEXEC;
58c5fc13 52582+ else
57199397 52583+ vm_flags &= ~VM_MAYWRITE;
58c5fc13
MT		 52584+ }
52585+#endif
52586+
52587 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
52588 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52589
57199397
MT		 52590diff -urNp linux-2.6.35.4/mm/mprotect.c linux-2.6.35.4/mm/mprotect.c
52591--- linux-2.6.35.4/mm/mprotect.c 2010-08-26 19:47:12.000000000 -0400
52592+++ linux-2.6.35.4/mm/mprotect.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 52593@@ -23,10 +23,16 @@
58c5fc13
MT		 52594 #include <linux/mmu_notifier.h>
52595 #include <linux/migrate.h>
ae4e228f 52596 #include <linux/perf_event.h>
58c5fc13
MT		 52597+
52598+#ifdef CONFIG_PAX_MPROTECT
52599+#include <linux/elf.h>
52600+#endif
52601+
52602 #include <asm/uaccess.h>
52603 #include <asm/pgtable.h>
52604 #include <asm/cacheflush.h>
52605 #include <asm/tlbflush.h>
52606+#include <asm/mmu_context.h>
52607
52608 #ifndef pgprot_modify
52609 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
df50ba0c 52610@@ -131,6 +137,48 @@ static void change_protection(struct vm_
58c5fc13
MT		 52611 flush_tlb_range(vma, start, end);
52612 }
52613
52614+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52615+/* called while holding the mmap semaphor for writing except stack expansion */
52616+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
52617+{
52618+ unsigned long oldlimit, newlimit = 0UL;
52619+
ae4e228f 52620+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
58c5fc13
MT		 52621+ return;
52622+
52623+ spin_lock(&mm->page_table_lock);
52624+ oldlimit = mm->context.user_cs_limit;
52625+ if ((prot & VM_EXEC) && oldlimit < end)
52626+ /* USER_CS limit moved up */
52627+ newlimit = end;
52628+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
52629+ /* USER_CS limit moved down */
52630+ newlimit = start;
52631+
52632+ if (newlimit) {
52633+ mm->context.user_cs_limit = newlimit;
52634+
52635+#ifdef CONFIG_SMP
52636+ wmb();
52637+ cpus_clear(mm->context.cpu_user_cs_mask);
52638+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
52639+#endif
52640+
52641+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
52642+ }
52643+ spin_unlock(&mm->page_table_lock);
52644+ if (newlimit == end) {
52645+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
52646+
52647+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
52648+ if (is_vm_hugetlb_page(vma))
52649+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
52650+ else
52651+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
52652+ }
52653+}
52654+#endif
52655+
52656 int
52657 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
52658 unsigned long start, unsigned long end, unsigned long newflags)
57199397 52659@@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
58c5fc13
MT		 52660 int error;
52661 int dirty_accountable = 0;
52662
52663+#ifdef CONFIG_PAX_SEGMEXEC
52664+ struct vm_area_struct *vma_m = NULL;
52665+ unsigned long start_m, end_m;
52666+
52667+ start_m = start + SEGMEXEC_TASK_SIZE;
52668+ end_m = end + SEGMEXEC_TASK_SIZE;
52669+#endif
52670+
52671 if (newflags == oldflags) {
52672 *pprev = vma;
52673 return 0;
57199397
MT		 52674 }
52675
52676+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
52677+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
52678+
52679+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
52680+ return -ENOMEM;
52681+
52682+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
52683+ return -ENOMEM;
52684+ }
52685+
52686 /*
52687 * If we make a private mapping writable we increase our commit;
52688 * but (without finer accounting) cannot reduce our commit if we
52689@@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
58c5fc13
MT		 52690 }
52691 }
52692
52693+#ifdef CONFIG_PAX_SEGMEXEC
52694+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
52695+ if (start != vma->vm_start) {
52696+ error = split_vma(mm, vma, start, 1);
52697+ if (error)
52698+ goto fail;
52699+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
52700+ *pprev = (*pprev)->vm_next;
52701+ }
52702+
52703+ if (end != vma->vm_end) {
52704+ error = split_vma(mm, vma, end, 0);
52705+ if (error)
52706+ goto fail;
52707+ }
52708+
52709+ if (pax_find_mirror_vma(vma)) {
52710+ error = __do_munmap(mm, start_m, end_m - start_m);
52711+ if (error)
52712+ goto fail;
52713+ } else {
52714+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52715+ if (!vma_m) {
52716+ error = -ENOMEM;
52717+ goto fail;
52718+ }
52719+ vma->vm_flags = newflags;
df50ba0c
MT		 52720+ error = pax_mirror_vma(vma_m, vma);
52721+ if (error) {
52722+ vma->vm_flags = oldflags;
52723+ goto fail;
52724+ }
58c5fc13
MT		 52725+ }
52726+ }
52727+#endif
52728+
52729 /*
52730 * First try to merge with previous and/or next vma.
52731 */
57199397 52732@@ -194,9 +296,21 @@ success:
df50ba0c 52733 * vm_flags and vm_page_prot are protected by the mmap_sem
58c5fc13
MT		 52734 * held in write mode.
52735 */
df50ba0c
MT		 52736+
52737+#ifdef CONFIG_PAX_SEGMEXEC
52738+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
52739+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
52740+#endif
52741+
58c5fc13
MT		 52742 vma->vm_flags = newflags;
52743+
52744+#ifdef CONFIG_PAX_MPROTECT
ae4e228f
MT		 52745+ if (mm->binfmt && mm->binfmt->handle_mprotect)
52746+ mm->binfmt->handle_mprotect(vma, newflags);
58c5fc13
MT		 52747+#endif
52748+
52749 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
52750- vm_get_page_prot(newflags));
52751+ vm_get_page_prot(vma->vm_flags));
52752
52753 if (vma_wants_writenotify(vma)) {
52754 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
57199397 52755@@ -237,6 +351,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
58c5fc13
MT		 52756 end = start + len;
52757 if (end <= start)
52758 return -ENOMEM;
52759+
52760+#ifdef CONFIG_PAX_SEGMEXEC
52761+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52762+ if (end > SEGMEXEC_TASK_SIZE)
52763+ return -EINVAL;
52764+ } else
52765+#endif
52766+
52767+ if (end > TASK_SIZE)
52768+ return -EINVAL;
52769+
52770 if (!arch_validate_prot(prot))
52771 return -EINVAL;
52772
57199397 52773@@ -244,7 +369,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
58c5fc13
MT		 52774 /*
52775 * Does the application expect PROT_READ to imply PROT_EXEC:
52776 */
52777- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
52778+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
52779 prot |= PROT_EXEC;
52780
52781 vm_flags = calc_vm_prot_bits(prot);
57199397 52782@@ -276,6 +401,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
58c5fc13
MT		 52783 if (start > vma->vm_start)
52784 prev = vma;
52785
52786+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
52787+ error = -EACCES;
52788+ goto out;
52789+ }
52790+
52791+#ifdef CONFIG_PAX_MPROTECT
ae4e228f
MT		 52792+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
52793+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
58c5fc13
MT		 52794+#endif
52795+
52796 for (nstart = start ; ; ) {
52797 unsigned long newflags;
52798
57199397 52799@@ -300,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
58c5fc13
MT		 52800 if (error)
52801 goto out;
ae4e228f 52802 perf_event_mmap(vma);
58c5fc13
MT		 52803+
52804+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
52805+
52806 nstart = tmp;
52807
52808 if (nstart < prev->vm_end)
57199397
MT		 52809diff -urNp linux-2.6.35.4/mm/mremap.c linux-2.6.35.4/mm/mremap.c
52810--- linux-2.6.35.4/mm/mremap.c 2010-08-26 19:47:12.000000000 -0400
52811+++ linux-2.6.35.4/mm/mremap.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 52812@@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
58c5fc13
MT		 52813 continue;
52814 pte = ptep_clear_flush(vma, old_addr, old_pte);
52815 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
52816+
52817+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
ae4e228f 52818+ if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
58c5fc13
MT		 52819+ pte = pte_exprotect(pte);
52820+#endif
52821+
52822 set_pte_at(mm, new_addr, new_pte, pte);
52823 }
52824
df50ba0c 52825@@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
ae4e228f
MT		 52826 if (is_vm_hugetlb_page(vma))
52827 goto Einval;
52828
52829+#ifdef CONFIG_PAX_SEGMEXEC
52830+ if (pax_find_mirror_vma(vma))
52831+ goto Einval;
52832+#endif
52833+
52834 /* We can't remap across vm area boundaries */
52835 if (old_len > vma->vm_end - addr)
52836 goto Efault;
df50ba0c 52837@@ -321,20 +332,23 @@ static unsigned long mremap_to(unsigned
ae4e228f
MT		 52838 unsigned long ret = -EINVAL;
52839 unsigned long charged = 0;
52840 unsigned long map_flags;
52841+ unsigned long pax_task_size = TASK_SIZE;
52842
52843 if (new_addr & ~PAGE_MASK)
52844 goto out;
52845
52846- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
52847+#ifdef CONFIG_PAX_SEGMEXEC
52848+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
52849+ pax_task_size = SEGMEXEC_TASK_SIZE;
52850+#endif
52851+
52852+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
52853 goto out;
52854
52855 /* Check if the location we're moving into overlaps the
52856 * old location at all, and fail if it does.
52857 */
52858- if ((new_addr <= addr) && (new_addr+new_len) > addr)
52859- goto out;
52860-
52861- if ((addr <= new_addr) && (addr+old_len) > new_addr)
52862+ if (addr + old_len > new_addr && new_addr + new_len > addr)
52863 goto out;
52864
52865 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
df50ba0c 52866@@ -406,6 +420,7 @@ unsigned long do_mremap(unsigned long ad
58c5fc13
MT		 52867 struct vm_area_struct *vma;
52868 unsigned long ret = -EINVAL;
52869 unsigned long charged = 0;
52870+ unsigned long pax_task_size = TASK_SIZE;
52871
52872 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
52873 goto out;
df50ba0c 52874@@ -424,6 +439,15 @@ unsigned long do_mremap(unsigned long ad
58c5fc13
MT		 52875 if (!new_len)
52876 goto out;
52877
52878+#ifdef CONFIG_PAX_SEGMEXEC
ae4e228f 52879+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
58c5fc13
MT		 52880+ pax_task_size = SEGMEXEC_TASK_SIZE;
52881+#endif
52882+
52883+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
52884+ old_len > pax_task_size || addr > pax_task_size-old_len)
52885+ goto out;
52886+
58c5fc13 52887 if (flags & MREMAP_FIXED) {
ae4e228f
MT		 52888 if (flags & MREMAP_MAYMOVE)
52889 ret = mremap_to(addr, old_len, new_addr, new_len);
df50ba0c 52890@@ -473,6 +497,7 @@ unsigned long do_mremap(unsigned long ad
58c5fc13
MT		 52891 addr + new_len);
52892 }
52893 ret = addr;
52894+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
52895 goto out;
52896 }
52897 }
df50ba0c 52898@@ -499,7 +524,13 @@ unsigned long do_mremap(unsigned long ad
ae4e228f
MT		 52899 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
52900 if (ret)
52901 goto out;
52902+
58c5fc13
MT		 52903+ map_flags = vma->vm_flags;
52904 ret = move_vma(vma, addr, old_len, new_len, new_addr);
52905+ if (!(ret & ~PAGE_MASK)) {
52906+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
52907+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
52908+ }
52909 }
52910 out:
52911 if (ret & ~PAGE_MASK)
57199397
MT		 52912diff -urNp linux-2.6.35.4/mm/nommu.c linux-2.6.35.4/mm/nommu.c
52913--- linux-2.6.35.4/mm/nommu.c 2010-08-26 19:47:12.000000000 -0400
52914+++ linux-2.6.35.4/mm/nommu.c 2010-09-17 20:12:09.000000000 -0400
52915@@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
52916 int sysctl_overcommit_ratio = 50; /* default is 50% */
52917 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
52918 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
52919-int heap_stack_gap = 0;
52920
52921 atomic_long_t mmap_pages_allocated;
52922
52923@@ -762,15 +761,6 @@ struct vm_area_struct *find_vma(struct m
58c5fc13
MT		 52924 EXPORT_SYMBOL(find_vma);
52925
52926 /*
52927- * find a VMA
52928- * - we don't extend stack VMAs under NOMMU conditions
52929- */
52930-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
52931-{
52932- return find_vma(mm, addr);
52933-}
52934-
52935-/*
52936 * expand a stack to a given address
52937 * - not supported under NOMMU conditions
52938 */
57199397 52939@@ -1491,6 +1481,7 @@ int split_vma(struct mm_struct *mm, stru
df50ba0c
MT		 52940
52941 /* most fields are the same, copy all, and then fixup */
52942 *new = *vma;
52943+ INIT_LIST_HEAD(&new->anon_vma_chain);
52944 *region = *vma->vm_region;
52945 new->vm_region = region;
52946
57199397
MT		 52947diff -urNp linux-2.6.35.4/mm/page_alloc.c linux-2.6.35.4/mm/page_alloc.c
52948--- linux-2.6.35.4/mm/page_alloc.c 2010-08-26 19:47:12.000000000 -0400
52949+++ linux-2.6.35.4/mm/page_alloc.c 2010-09-17 20:12:09.000000000 -0400
52950@@ -641,6 +641,10 @@ static bool free_pages_prepare(struct pa
52951 int i;
58c5fc13 52952 int bad = 0;
58c5fc13
MT		 52953
52954+#ifdef CONFIG_PAX_MEMORY_SANITIZE
52955+ unsigned long index = 1UL << order;
52956+#endif
52957+
df50ba0c 52958 trace_mm_page_free_direct(page, order);
58c5fc13
MT		 52959 kmemcheck_free_shadow(page, order);
52960
57199397 52961@@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
58c5fc13
MT		 52962 debug_check_no_obj_freed(page_address(page),
52963 PAGE_SIZE << order);
52964 }
52965+
52966+#ifdef CONFIG_PAX_MEMORY_SANITIZE
52967+ for (; index; --index)
52968+ sanitize_highpage(page + index - 1);
52969+#endif
52970+
52971 arch_free_page(page, order);
52972 kernel_map_pages(page, 1 << order, 0);
52973
57199397 52974@@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
58c5fc13
MT		 52975 arch_alloc_page(page, order);
52976 kernel_map_pages(page, 1 << order, 1);
52977
52978+#ifndef CONFIG_PAX_MEMORY_SANITIZE
52979 if (gfp_flags & __GFP_ZERO)
52980 prep_zero_page(page, order, gfp_flags);
52981+#endif
52982
52983 if (order && (gfp_flags & __GFP_COMP))
52984 prep_compound_page(page, order);
57199397 52985@@ -3973,7 +3985,7 @@ static void __init setup_usemap(struct p
df50ba0c
MT		 52986 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
52987 }
52988 #else
52989-static void inline setup_usemap(struct pglist_data *pgdat,
52990+static inline void setup_usemap(struct pglist_data *pgdat,
52991 struct zone *zone, unsigned long zonesize) {}
52992 #endif /* CONFIG_SPARSEMEM */
52993
57199397
MT		 52994diff -urNp linux-2.6.35.4/mm/percpu.c linux-2.6.35.4/mm/percpu.c
52995--- linux-2.6.35.4/mm/percpu.c 2010-08-26 19:47:12.000000000 -0400
52996+++ linux-2.6.35.4/mm/percpu.c 2010-09-17 20:12:09.000000000 -0400
52997@@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
ae4e228f 52998 static unsigned int pcpu_last_unit_cpu __read_mostly;
58c5fc13
MT		 52999
53000 /* the address of the first chunk which starts with the kernel static area */
53001-void *pcpu_base_addr __read_mostly;
53002+void *pcpu_base_addr __read_only;
53003 EXPORT_SYMBOL_GPL(pcpu_base_addr);
53004
ae4e228f 53005 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
57199397
MT		 53006diff -urNp linux-2.6.35.4/mm/rmap.c linux-2.6.35.4/mm/rmap.c
53007--- linux-2.6.35.4/mm/rmap.c 2010-08-26 19:47:12.000000000 -0400
53008+++ linux-2.6.35.4/mm/rmap.c 2010-09-17 20:12:09.000000000 -0400
53009@@ -116,6 +116,10 @@ int anon_vma_prepare(struct vm_area_stru
df50ba0c
MT		 53010 struct anon_vma *anon_vma = vma->anon_vma;
53011 struct anon_vma_chain *avc;
53012
53013+#ifdef CONFIG_PAX_SEGMEXEC
53014+ struct anon_vma_chain *avc_m = NULL;
53015+#endif
53016+
53017 might_sleep();
53018 if (unlikely(!anon_vma)) {
58c5fc13 53019 struct mm_struct *mm = vma->vm_mm;
57199397 53020@@ -125,6 +129,12 @@ int anon_vma_prepare(struct vm_area_stru
df50ba0c
MT		 53021 if (!avc)
53022 goto out_enomem;
53023
53024+#ifdef CONFIG_PAX_SEGMEXEC
53025+ avc_m = anon_vma_chain_alloc();
53026+ if (!avc_m)
53027+ goto out_enomem_free_avc;
53028+#endif
58c5fc13
MT		 53029+
53030 anon_vma = find_mergeable_anon_vma(vma);
53031 allocated = NULL;
53032 if (!anon_vma) {
57199397
MT		 53033@@ -138,6 +148,21 @@ int anon_vma_prepare(struct vm_area_stru
53034 /* page_table_lock to protect against threads */
53035 spin_lock(&mm->page_table_lock);
53036 if (likely(!vma->anon_vma)) {
58c5fc13
MT		 53037+
53038+#ifdef CONFIG_PAX_SEGMEXEC
57199397
MT		 53039+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
53040+
58c5fc13 53041+ if (vma_m) {
df50ba0c 53042+ BUG_ON(vma_m->anon_vma);
58c5fc13 53043+ vma_m->anon_vma = anon_vma;
df50ba0c
MT		 53044+ avc_m->anon_vma = anon_vma;
53045+ avc_m->vma = vma;
53046+ list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
53047+ list_add(&avc_m->same_anon_vma, &anon_vma->head);
53048+ avc_m = NULL;
58c5fc13
MT		 53049+ }
53050+#endif
53051+
57199397
MT		 53052 vma->anon_vma = anon_vma;
53053 avc->anon_vma = anon_vma;
53054 avc->vma = vma;
53055@@ -151,12 +176,24 @@ int anon_vma_prepare(struct vm_area_stru
df50ba0c
MT		 53056
53057 if (unlikely(allocated))
53058 anon_vma_free(allocated);
53059+
53060+#ifdef CONFIG_PAX_SEGMEXEC
53061+ if (unlikely(avc_m))
53062+ anon_vma_chain_free(avc_m);
53063+#endif
53064+
53065 if (unlikely(avc))
53066 anon_vma_chain_free(avc);
53067 }
53068 return 0;
53069
53070 out_enomem_free_avc:
53071+
53072+#ifdef CONFIG_PAX_SEGMEXEC
53073+ if (avc_m)
53074+ anon_vma_chain_free(avc_m);
53075+#endif
53076+
53077 anon_vma_chain_free(avc);
53078 out_enomem:
53079 return -ENOMEM;
57199397
MT		 53080@@ -179,7 +216,7 @@ static void anon_vma_chain_link(struct v
53081 * Attach the anon_vmas from src to dst.
53082 * Returns 0 on success, -ENOMEM on failure.
53083 */
53084-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
53085+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
53086 {
53087 struct anon_vma_chain *avc, *pavc;
53088
53089@@ -201,7 +238,7 @@ int anon_vma_clone(struct vm_area_struct
53090 * the corresponding VMA in the parent process is attached to.
53091 * Returns 0 on success, non-zero on failure.
53092 */
53093-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
53094+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
53095 {
53096 struct anon_vma_chain *avc;
53097 struct anon_vma *anon_vma;
53098diff -urNp linux-2.6.35.4/mm/shmem.c linux-2.6.35.4/mm/shmem.c
53099--- linux-2.6.35.4/mm/shmem.c 2010-08-26 19:47:12.000000000 -0400
53100+++ linux-2.6.35.4/mm/shmem.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 53101@@ -30,7 +30,7 @@
53102 #include <linux/module.h>
58c5fc13 53103 #include <linux/swap.h>
58c5fc13
MT		 53104
53105-static struct vfsmount *shm_mnt;
53106+struct vfsmount *shm_mnt;
53107
53108 #ifdef CONFIG_SHMEM
53109 /*
57199397
MT		 53110diff -urNp linux-2.6.35.4/mm/slab.c linux-2.6.35.4/mm/slab.c
53111--- linux-2.6.35.4/mm/slab.c 2010-08-26 19:47:12.000000000 -0400
53112+++ linux-2.6.35.4/mm/slab.c 2010-09-17 20:12:37.000000000 -0400
53113@@ -285,7 +285,7 @@ struct kmem_list3 {
58c5fc13
MT		 53114 * Need this for bootstrapping a per node allocator.
53115 */
53116 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
53117-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
53118+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
53119 #define CACHE_CACHE 0
53120 #define SIZE_AC MAX_NUMNODES
53121 #define SIZE_L3 (2 * MAX_NUMNODES)
57199397 53122@@ -535,7 +535,7 @@ static inline void *index_to_obj(struct
58c5fc13
MT		 53123 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
53124 */
53125 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
53126- const struct slab *slab, void *obj)
53127+ const struct slab *slab, const void *obj)
53128 {
53129 u32 offset = (obj - slab->s_mem);
53130 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
57199397 53131@@ -561,14 +561,14 @@ struct cache_names {
58c5fc13
MT		 53132 static struct cache_names __initdata cache_names[] = {
53133 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
53134 #include <linux/kmalloc_sizes.h>
53135- {NULL,}
53136+ {NULL, NULL}
53137 #undef CACHE
53138 };
53139
53140 static struct arraycache_init initarray_cache __initdata =
53141- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53142+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53143 static struct arraycache_init initarray_generic =
53144- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53145+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53146
53147 /* internal cache of cache description objs */
53148 static struct kmem_cache cache_cache = {
57199397 53149@@ -4558,15 +4558,66 @@ static const struct file_operations proc
58c5fc13 53150
df50ba0c 53151 static int __init slab_proc_init(void)
58c5fc13 53152 {
df50ba0c
MT		 53153- proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
53154+ mode_t gr_mode = S_IRUGO;
53155+
53156+#ifdef CONFIG_GRKERNSEC_PROC_ADD
53157+ gr_mode = S_IRUSR;
53158+#endif
53159+
53160+ proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
53161 #ifdef CONFIG_DEBUG_SLAB_LEAK
53162- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
53163+ proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
53164 #endif
53165 return 0;
53166 }
58c5fc13
MT		 53167 module_init(slab_proc_init);
53168 #endif
53169
53170+void check_object_size(const void *ptr, unsigned long n, bool to)
53171+{
53172+
53173+#ifdef CONFIG_PAX_USERCOPY
53174+ struct kmem_cache *cachep;
53175+ struct slab *slabp;
53176+ struct page *page;
53177+ unsigned int objnr;
53178+ unsigned long offset;
53179+
53180+ if (!n)
53181+ return;
53182+
53183+ if (ZERO_OR_NULL_PTR(ptr))
53184+ goto report;
53185+
53186+ if (!virt_addr_valid(ptr))
53187+ return;
53188+
53189+ page = virt_to_head_page(ptr);
53190+
ae4e228f
MT		 53191+ if (!PageSlab(page)) {
53192+ if (object_is_on_stack(ptr, n) == -1)
53193+ goto report;
58c5fc13 53194+ return;
ae4e228f 53195+ }
58c5fc13
MT		 53196+
53197+ cachep = page_get_cache(page);
53198+ slabp = page_get_slab(page);
53199+ objnr = obj_to_index(cachep, slabp, ptr);
53200+ BUG_ON(objnr >= cachep->num);
53201+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
53202+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
53203+ return;
53204+
53205+report:
53206+ if (to)
53207+ pax_report_leak_to_user(ptr, n);
53208+ else
53209+ pax_report_overflow_from_user(ptr, n);
53210+#endif
53211+
53212+}
53213+EXPORT_SYMBOL(check_object_size);
53214+
53215 /**
53216 * ksize - get the actual amount of memory allocated for a given object
53217 * @objp: Pointer to the object
57199397
MT		 53218diff -urNp linux-2.6.35.4/mm/slob.c linux-2.6.35.4/mm/slob.c
53219--- linux-2.6.35.4/mm/slob.c 2010-08-26 19:47:12.000000000 -0400
53220+++ linux-2.6.35.4/mm/slob.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 53221@@ -29,7 +29,7 @@
53222 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
53223 * alloc_pages() directly, allocating compound pages so the page order
53224 * does not have to be separately tracked, and also stores the exact
53225- * allocation size in page->private so that it can be used to accurately
53226+ * allocation size in slob_page->size so that it can be used to accurately
53227 * provide ksize(). These objects are detected in kfree() because slob_page()
53228 * is false for them.
53229 *
53230@@ -58,6 +58,7 @@
53231 */
53232
53233 #include <linux/kernel.h>
53234+#include <linux/sched.h>
53235 #include <linux/slab.h>
53236 #include <linux/mm.h>
53237 #include <linux/swap.h> /* struct reclaim_state */
53238@@ -100,7 +101,8 @@ struct slob_page {
53239 unsigned long flags; /* mandatory */
53240 atomic_t _count; /* mandatory */
53241 slobidx_t units; /* free units left in page */
53242- unsigned long pad[2];
53243+ unsigned long pad[1];
53244+ unsigned long size; /* size when >=PAGE_SIZE */
53245 slob_t *free; /* first free slob_t in page */
53246 struct list_head list; /* linked list of free pages */
53247 };
53248@@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
53249 */
53250 static inline int is_slob_page(struct slob_page *sp)
53251 {
53252- return PageSlab((struct page *)sp);
53253+ return PageSlab((struct page *)sp) && !sp->size;
53254 }
53255
53256 static inline void set_slob_page(struct slob_page *sp)
53257@@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
53258
53259 static inline struct slob_page *slob_page(const void *addr)
53260 {
53261- return (struct slob_page *)virt_to_page(addr);
53262+ return (struct slob_page *)virt_to_head_page(addr);
53263 }
53264
53265 /*
53266@@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
53267 /*
53268 * Return the size of a slob block.
53269 */
53270-static slobidx_t slob_units(slob_t *s)
53271+static slobidx_t slob_units(const slob_t *s)
53272 {
53273 if (s->units > 0)
53274 return s->units;
53275@@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
53276 /*
53277 * Return the next free slob block pointer after this one.
53278 */
53279-static slob_t *slob_next(slob_t *s)
53280+static slob_t *slob_next(const slob_t *s)
53281 {
53282 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
53283 slobidx_t next;
53284@@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
53285 /*
53286 * Returns true if s is the last free block in its page.
53287 */
53288-static int slob_last(slob_t *s)
53289+static int slob_last(const slob_t *s)
53290 {
53291 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
53292 }
53293@@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
53294 if (!page)
53295 return NULL;
53296
53297+ set_slob_page(page);
53298 return page_address(page);
53299 }
53300
53301@@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
53302 if (!b)
53303 return NULL;
53304 sp = slob_page(b);
53305- set_slob_page(sp);
53306
53307 spin_lock_irqsave(&slob_lock, flags);
53308 sp->units = SLOB_UNITS(PAGE_SIZE);
53309 sp->free = b;
53310+ sp->size = 0;
53311 INIT_LIST_HEAD(&sp->list);
53312 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
53313 set_slob_page_free(sp, slob_list);
57199397
MT		 53314@@ -467,10 +470,9 @@ out:
53315 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
53316 */
58c5fc13
MT		 53317
53318-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53319+static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
53320 {
53321- unsigned int *m;
53322- int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53323+ slob_t *m;
53324 void *ret;
53325
53326 lockdep_trace_alloc(gfp);
57199397 53327@@ -483,7 +485,10 @@ void *__kmalloc_node(size_t size, gfp_t
58c5fc13
MT		 53328
53329 if (!m)
53330 return NULL;
53331- *m = size;
53332+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
53333+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
53334+ m[0].units = size;
53335+ m[1].units = align;
53336 ret = (void *)m + align;
53337
53338 trace_kmalloc_node(_RET_IP_, ret,
57199397 53339@@ -493,9 +498,9 @@ void *__kmalloc_node(size_t size, gfp_t
58c5fc13
MT		 53340
53341 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
53342 if (ret) {
53343- struct page *page;
53344- page = virt_to_page(ret);
53345- page->private = size;
53346+ struct slob_page *sp;
53347+ sp = slob_page(ret);
53348+ sp->size = size;
53349 }
53350
53351 trace_kmalloc_node(_RET_IP_, ret,
57199397 53352@@ -505,6 +510,13 @@ void *__kmalloc_node(size_t size, gfp_t
58c5fc13
MT		 53353 kmemleak_alloc(ret, size, 1, gfp);
53354 return ret;
53355 }
53356+
53357+void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53358+{
53359+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53360+
53361+ return __kmalloc_node_align(size, gfp, node, align);
53362+}
53363 EXPORT_SYMBOL(__kmalloc_node);
53364
53365 void kfree(const void *block)
57199397 53366@@ -520,13 +532,84 @@ void kfree(const void *block)
58c5fc13
MT		 53367 sp = slob_page(block);
53368 if (is_slob_page(sp)) {
53369 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53370- unsigned int *m = (unsigned int *)(block - align);
53371- slob_free(m, *m + align);
53372- } else
53373+ slob_t *m = (slob_t *)(block - align);
53374+ slob_free(m, m[0].units + align);
53375+ } else {
53376+ clear_slob_page(sp);
53377+ free_slob_page(sp);
53378+ sp->size = 0;
53379 put_page(&sp->page);
53380+ }
53381 }
53382 EXPORT_SYMBOL(kfree);
53383
53384+void check_object_size(const void *ptr, unsigned long n, bool to)
53385+{
53386+
53387+#ifdef CONFIG_PAX_USERCOPY
53388+ struct slob_page *sp;
53389+ const slob_t *free;
53390+ const void *base;
53391+
53392+ if (!n)
53393+ return;
53394+
53395+ if (ZERO_OR_NULL_PTR(ptr))
53396+ goto report;
53397+
53398+ if (!virt_addr_valid(ptr))
53399+ return;
53400+
53401+ sp = slob_page(ptr);
ae4e228f
MT		 53402+ if (!PageSlab((struct page*)sp)) {
53403+ if (object_is_on_stack(ptr, n) == -1)
53404+ goto report;
58c5fc13 53405+ return;
ae4e228f 53406+ }
58c5fc13
MT		 53407+
53408+ if (sp->size) {
53409+ base = page_address(&sp->page);
53410+ if (base <= ptr && n <= sp->size - (ptr - base))
53411+ return;
53412+ goto report;
53413+ }
53414+
53415+ /* some tricky double walking to find the chunk */
53416+ base = (void *)((unsigned long)ptr & PAGE_MASK);
53417+ free = sp->free;
53418+
53419+ while (!slob_last(free) && (void *)free <= ptr) {
53420+ base = free + slob_units(free);
53421+ free = slob_next(free);
53422+ }
53423+
53424+ while (base < (void *)free) {
53425+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
53426+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
53427+ int offset;
53428+
53429+ if (ptr < base + align)
53430+ goto report;
53431+
53432+ offset = ptr - base - align;
53433+ if (offset < m) {
53434+ if (n <= m - offset)
53435+ return;
53436+ goto report;
53437+ }
53438+ base += size;
53439+ }
53440+
53441+report:
53442+ if (to)
53443+ pax_report_leak_to_user(ptr, n);
53444+ else
53445+ pax_report_overflow_from_user(ptr, n);
53446+#endif
53447+
53448+}
53449+EXPORT_SYMBOL(check_object_size);
53450+
53451 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
53452 size_t ksize(const void *block)
53453 {
57199397 53454@@ -539,10 +622,10 @@ size_t ksize(const void *block)
58c5fc13
MT		 53455 sp = slob_page(block);
53456 if (is_slob_page(sp)) {
53457 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53458- unsigned int *m = (unsigned int *)(block - align);
53459- return SLOB_UNITS(*m) * SLOB_UNIT;
53460+ slob_t *m = (slob_t *)(block - align);
53461+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
53462 } else
53463- return sp->page.private;
53464+ return sp->size;
53465 }
53466 EXPORT_SYMBOL(ksize);
53467
57199397 53468@@ -597,17 +680,25 @@ void *kmem_cache_alloc_node(struct kmem_
58c5fc13
MT		 53469 {
53470 void *b;
53471
53472+#ifdef CONFIG_PAX_USERCOPY
53473+ b = __kmalloc_node_align(c->size, flags, node, c->align);
53474+#else
53475 if (c->size < PAGE_SIZE) {
53476 b = slob_alloc(c->size, flags, c->align, node);
53477 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53478 SLOB_UNITS(c->size) * SLOB_UNIT,
53479 flags, node);
53480 } else {
53481+ struct slob_page *sp;
53482+
53483 b = slob_new_pages(flags, get_order(c->size), node);
53484+ sp = slob_page(b);
53485+ sp->size = c->size;
53486 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53487 PAGE_SIZE << get_order(c->size),
53488 flags, node);
53489 }
53490+#endif
53491
53492 if (c->ctor)
53493 c->ctor(b);
57199397 53494@@ -619,10 +710,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
58c5fc13
MT		 53495
53496 static void __kmem_cache_free(void *b, int size)
53497 {
53498- if (size < PAGE_SIZE)
53499+ struct slob_page *sp = slob_page(b);
53500+
53501+ if (is_slob_page(sp))
53502 slob_free(b, size);
53503- else
53504+ else {
53505+ clear_slob_page(sp);
53506+ free_slob_page(sp);
53507+ sp->size = 0;
53508 slob_free_pages(b, get_order(size));
53509+ }
53510 }
53511
53512 static void kmem_rcu_free(struct rcu_head *head)
57199397 53513@@ -635,15 +732,24 @@ static void kmem_rcu_free(struct rcu_hea
58c5fc13
MT		 53514
53515 void kmem_cache_free(struct kmem_cache *c, void *b)
53516 {
53517+ int size = c->size;
53518+
53519+#ifdef CONFIG_PAX_USERCOPY
53520+ if (size + c->align < PAGE_SIZE) {
53521+ size += c->align;
53522+ b -= c->align;
53523+ }
53524+#endif
53525+
53526 kmemleak_free_recursive(b, c->flags);
53527 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
53528 struct slob_rcu *slob_rcu;
53529- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
53530+ slob_rcu = b + (size - sizeof(struct slob_rcu));
53531 INIT_RCU_HEAD(&slob_rcu->head);
53532- slob_rcu->size = c->size;
53533+ slob_rcu->size = size;
53534 call_rcu(&slob_rcu->head, kmem_rcu_free);
53535 } else {
53536- __kmem_cache_free(b, c->size);
53537+ __kmem_cache_free(b, size);
53538 }
53539
53540 trace_kmem_cache_free(_RET_IP_, b);
57199397
MT		 53541diff -urNp linux-2.6.35.4/mm/slub.c linux-2.6.35.4/mm/slub.c
53542--- linux-2.6.35.4/mm/slub.c 2010-08-26 19:47:12.000000000 -0400
53543+++ linux-2.6.35.4/mm/slub.c 2010-09-17 20:12:37.000000000 -0400
53544@@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
ae4e228f
MT		 53545
53546 page = virt_to_head_page(x);
53547
53548+ BUG_ON(!PageSlab(page));
53549+
53550 slab_free(s, page, x, _RET_IP_);
53551
53552 trace_kmem_cache_free(_RET_IP_, x);
57199397 53553@@ -1917,7 +1919,7 @@ static int slub_min_objects;
58c5fc13
MT		 53554 * Merge control. If this is set then no merging of slab caches will occur.
53555 * (Could be removed. This was introduced to pacify the merge skeptics.)
53556 */
53557-static int slub_nomerge;
53558+static int slub_nomerge = 1;
53559
53560 /*
53561 * Calculate the order of allocation given an slab object size.
57199397 53562@@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
58c5fc13
MT		 53563 * list to avoid pounding the page allocator excessively.
53564 */
53565 set_min_partial(s, ilog2(s->size));
53566- s->refcount = 1;
53567+ atomic_set(&s->refcount, 1);
53568 #ifdef CONFIG_NUMA
53569 s->remote_node_defrag_ratio = 1000;
53570 #endif
57199397 53571@@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
58c5fc13
MT		 53572 void kmem_cache_destroy(struct kmem_cache *s)
53573 {
53574 down_write(&slub_lock);
53575- s->refcount--;
53576- if (!s->refcount) {
53577+ if (atomic_dec_and_test(&s->refcount)) {
53578 list_del(&s->list);
53579 up_write(&slub_lock);
53580 if (kmem_cache_close(s)) {
57199397 53581@@ -2780,6 +2781,46 @@ void *__kmalloc_node(size_t size, gfp_t
58c5fc13
MT		 53582 EXPORT_SYMBOL(__kmalloc_node);
53583 #endif
53584
53585+void check_object_size(const void *ptr, unsigned long n, bool to)
53586+{
53587+
53588+#ifdef CONFIG_PAX_USERCOPY
53589+ struct page *page;
53590+ struct kmem_cache *s;
53591+ unsigned long offset;
53592+
53593+ if (!n)
53594+ return;
53595+
53596+ if (ZERO_OR_NULL_PTR(ptr))
53597+ goto report;
53598+
53599+ if (!virt_addr_valid(ptr))
53600+ return;
53601+
53602+ page = get_object_page(ptr);
53603+
ae4e228f
MT		 53604+ if (!page) {
53605+ if (object_is_on_stack(ptr, n) == -1)
53606+ goto report;
58c5fc13 53607+ return;
ae4e228f 53608+ }
58c5fc13
MT		 53609+
53610+ s = page->slab;
53611+ offset = (ptr - page_address(page)) % s->size;
53612+ if (offset <= s->objsize && n <= s->objsize - offset)
53613+ return;
53614+
53615+report:
53616+ if (to)
53617+ pax_report_leak_to_user(ptr, n);
53618+ else
53619+ pax_report_overflow_from_user(ptr, n);
53620+#endif
53621+
53622+}
53623+EXPORT_SYMBOL(check_object_size);
53624+
53625 size_t ksize(const void *object)
53626 {
53627 struct page *page;
57199397 53628@@ -3049,7 +3090,7 @@ void __init kmem_cache_init(void)
58c5fc13
MT		 53629 */
53630 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
53631 sizeof(struct kmem_cache_node), GFP_NOWAIT);
53632- kmalloc_caches[0].refcount = -1;
53633+ atomic_set(&kmalloc_caches[0].refcount, -1);
53634 caches++;
53635
53636 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
57199397 53637@@ -3158,7 +3199,7 @@ static int slab_unmergeable(struct kmem_
58c5fc13
MT		 53638 /*
53639 * We may have set a slab to be unmergeable during bootstrap.
53640 */
53641- if (s->refcount < 0)
53642+ if (atomic_read(&s->refcount) < 0)
53643 return 1;
53644
53645 return 0;
57199397 53646@@ -3216,7 +3257,7 @@ struct kmem_cache *kmem_cache_create(con
df50ba0c
MT		 53647 down_write(&slub_lock);
53648 s = find_mergeable(size, align, flags, name, ctor);
58c5fc13 53649 if (s) {
58c5fc13
MT		 53650- s->refcount++;
53651+ atomic_inc(&s->refcount);
53652 /*
53653 * Adjust the object sizes so that we clear
53654 * the complete object on kzalloc.
57199397 53655@@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
58c5fc13
MT		 53656
53657 if (sysfs_slab_alias(s, name)) {
53658 down_write(&slub_lock);
53659- s->refcount--;
53660+ atomic_dec(&s->refcount);
53661 up_write(&slub_lock);
53662 goto err;
53663 }
57199397 53664@@ -3953,7 +3994,7 @@ SLAB_ATTR_RO(ctor);
58c5fc13
MT		 53665
53666 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
53667 {
53668- return sprintf(buf, "%d\n", s->refcount - 1);
53669+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
53670 }
53671 SLAB_ATTR_RO(aliases);
53672
57199397 53673@@ -4674,7 +4715,13 @@ static const struct file_operations proc
58c5fc13 53674
df50ba0c
MT		 53675 static int __init slab_proc_init(void)
53676 {
53677- proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
53678+ mode_t gr_mode = S_IRUGO;
53679+
53680+#ifdef CONFIG_GRKERNSEC_PROC_ADD
53681+ gr_mode = S_IRUSR;
53682+#endif
53683+
53684+ proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
58c5fc13
MT		 53685 return 0;
53686 }
df50ba0c 53687 module_init(slab_proc_init);
57199397
MT		 53688diff -urNp linux-2.6.35.4/mm/util.c linux-2.6.35.4/mm/util.c
53689--- linux-2.6.35.4/mm/util.c 2010-08-26 19:47:12.000000000 -0400
53690+++ linux-2.6.35.4/mm/util.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 53691@@ -245,6 +245,12 @@ EXPORT_SYMBOL(strndup_user);
58c5fc13
MT		 53692 void arch_pick_mmap_layout(struct mm_struct *mm)
53693 {
53694 mm->mmap_base = TASK_UNMAPPED_BASE;
53695+
53696+#ifdef CONFIG_PAX_RANDMMAP
53697+ if (mm->pax_flags & MF_PAX_RANDMMAP)
53698+ mm->mmap_base += mm->delta_mmap;
53699+#endif
53700+
53701 mm->get_unmapped_area = arch_get_unmapped_area;
53702 mm->unmap_area = arch_unmap_area;
53703 }
57199397
MT		 53704diff -urNp linux-2.6.35.4/mm/vmalloc.c linux-2.6.35.4/mm/vmalloc.c
53705--- linux-2.6.35.4/mm/vmalloc.c 2010-08-26 19:47:12.000000000 -0400
53706+++ linux-2.6.35.4/mm/vmalloc.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 53707@@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
53708
53709 pte = pte_offset_kernel(pmd, addr);
53710 do {
53711- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53712- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53713+
53714+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53715+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
53716+ BUG_ON(!pte_exec(*pte));
53717+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
53718+ continue;
53719+ }
53720+#endif
53721+
53722+ {
53723+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53724+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53725+ }
53726 } while (pte++, addr += PAGE_SIZE, addr != end);
53727 }
53728
53729@@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
58c5fc13
MT		 53730 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
53731 {
53732 pte_t *pte;
53733+ int ret = -ENOMEM;
58c5fc13
MT		 53734
53735 /*
53736 * nr is a running index into the array which helps higher level
57199397 53737@@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
58c5fc13
MT		 53738 pte = pte_alloc_kernel(pmd, addr);
53739 if (!pte)
53740 return -ENOMEM;
53741+
ae4e228f 53742+ pax_open_kernel();
58c5fc13
MT		 53743 do {
53744 struct page *page = pages[*nr];
53745
53746- if (WARN_ON(!pte_none(*pte)))
53747- return -EBUSY;
53748- if (WARN_ON(!page))
53749- return -ENOMEM;
ae4e228f 53750+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
57199397 53751+ if (pgprot_val(prot) & _PAGE_NX)
ae4e228f
MT		 53752+#endif
53753+
58c5fc13
MT		 53754+ if (WARN_ON(!pte_none(*pte))) {
53755+ ret = -EBUSY;
53756+ goto out;
53757+ }
53758+ if (WARN_ON(!page)) {
53759+ ret = -ENOMEM;
53760+ goto out;
53761+ }
53762 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
53763 (*nr)++;
53764 } while (pte++, addr += PAGE_SIZE, addr != end);
53765- return 0;
53766+ ret = 0;
53767+out:
ae4e228f
MT		 53768+ pax_close_kernel();
53769+ return ret;
53770 }
53771
53772 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
57199397 53773@@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
ae4e228f
MT		 53774 * and fall back on vmalloc() if that fails. Others
53775 * just put it in the vmalloc space.
53776 */
53777-#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
53778+#ifdef CONFIG_MODULES
53779+#ifdef MODULES_VADDR
53780 unsigned long addr = (unsigned long)x;
53781 if (addr >= MODULES_VADDR && addr < MODULES_END)
53782 return 1;
53783 #endif
58c5fc13 53784+
ae4e228f
MT		 53785+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53786+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
53787+ return 1;
58c5fc13
MT		 53788+#endif
53789+
ae4e228f
MT		 53790+#endif
53791+
53792 return is_vmalloc_addr(x);
58c5fc13
MT		 53793 }
53794
57199397
MT		 53795@@ -217,8 +251,14 @@ struct page *vmalloc_to_page(const void
53796
53797 if (!pgd_none(*pgd)) {
53798 pud_t *pud = pud_offset(pgd, addr);
53799+#ifdef CONFIG_X86
53800+ if (!pud_large(*pud))
53801+#endif
53802 if (!pud_none(*pud)) {
53803 pmd_t *pmd = pmd_offset(pud, addr);
53804+#ifdef CONFIG_X86
53805+ if (!pmd_large(*pmd))
53806+#endif
53807 if (!pmd_none(*pmd)) {
53808 pte_t *ptep, pte;
53809
53810@@ -292,13 +332,13 @@ static void __insert_vmap_area(struct vm
ae4e228f
MT		 53811 struct rb_node *tmp;
53812
53813 while (*p) {
53814- struct vmap_area *tmp;
53815+ struct vmap_area *varea;
53816
53817 parent = *p;
53818- tmp = rb_entry(parent, struct vmap_area, rb_node);
53819- if (va->va_start < tmp->va_end)
53820+ varea = rb_entry(parent, struct vmap_area, rb_node);
53821+ if (va->va_start < varea->va_end)
53822 p = &(*p)->rb_left;
53823- else if (va->va_end > tmp->va_start)
53824+ else if (va->va_end > varea->va_start)
53825 p = &(*p)->rb_right;
53826 else
53827 BUG();
57199397 53828@@ -1224,6 +1264,16 @@ static struct vm_struct *__get_vm_area_n
ae4e228f 53829 struct vm_struct *area;
58c5fc13
MT		 53830
53831 BUG_ON(in_interrupt());
53832+
df50ba0c 53833+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
58c5fc13
MT		 53834+ if (flags & VM_KERNEXEC) {
53835+ if (start != VMALLOC_START || end != VMALLOC_END)
53836+ return NULL;
df50ba0c
MT		 53837+ start = (unsigned long)MODULES_EXEC_VADDR;
53838+ end = (unsigned long)MODULES_EXEC_END;
58c5fc13
MT		 53839+ }
53840+#endif
53841+
53842 if (flags & VM_IOREMAP) {
53843 int bit = fls(size);
53844
57199397 53845@@ -1449,6 +1499,11 @@ void *vmap(struct page **pages, unsigned
ae4e228f 53846 if (count > totalram_pages)
58c5fc13
MT		 53847 return NULL;
53848
df50ba0c 53849+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
58c5fc13
MT		 53850+ if (!(pgprot_val(prot) & _PAGE_NX))
53851+ flags |= VM_KERNEXEC;
53852+#endif
53853+
53854 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
53855 __builtin_return_address(0));
53856 if (!area)
57199397 53857@@ -1558,6 +1613,13 @@ static void *__vmalloc_node(unsigned lon
ae4e228f 53858 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
58c5fc13
MT		 53859 return NULL;
53860
df50ba0c 53861+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
58c5fc13 53862+ if (!(pgprot_val(prot) & _PAGE_NX))
ae4e228f 53863+ area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
58c5fc13
MT		 53864+ node, gfp_mask, caller);
53865+ else
53866+#endif
53867+
ae4e228f
MT		 53868 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
53869 VMALLOC_END, node, gfp_mask, caller);
58c5fc13 53870
57199397 53871@@ -1576,6 +1638,7 @@ static void *__vmalloc_node(unsigned lon
58c5fc13
MT		 53872 return addr;
53873 }
53874
53875+#undef __vmalloc
53876 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
53877 {
ae4e228f 53878 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
57199397 53879@@ -1592,6 +1655,7 @@ EXPORT_SYMBOL(__vmalloc);
58c5fc13
MT		 53880 * For tight control over page level allocator and protection flags
53881 * use __vmalloc() instead.
53882 */
53883+#undef vmalloc
53884 void *vmalloc(unsigned long size)
53885 {
ae4e228f 53886 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
57199397 53887@@ -1606,6 +1670,7 @@ EXPORT_SYMBOL(vmalloc);
58c5fc13
MT		 53888 * The resulting memory area is zeroed so it can be mapped to userspace
53889 * without leaking data.
53890 */
53891+#undef vmalloc_user
53892 void *vmalloc_user(unsigned long size)
53893 {
53894 struct vm_struct *area;
57199397 53895@@ -1633,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc_user);
58c5fc13
MT		 53896 * For tight control over page level allocator and protection flags
53897 * use __vmalloc() instead.
53898 */
53899+#undef vmalloc_node
53900 void *vmalloc_node(unsigned long size, int node)
53901 {
ae4e228f 53902 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
57199397 53903@@ -1655,10 +1721,10 @@ EXPORT_SYMBOL(vmalloc_node);
58c5fc13
MT		 53904 * For tight control over page level allocator and protection flags
53905 * use __vmalloc() instead.
53906 */
53907-
53908+#undef vmalloc_exec
53909 void *vmalloc_exec(unsigned long size)
53910 {
ae4e228f
MT		 53911- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
53912+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
58c5fc13
MT		 53913 -1, __builtin_return_address(0));
53914 }
53915
57199397 53916@@ -1677,6 +1743,7 @@ void *vmalloc_exec(unsigned long size)
58c5fc13
MT		 53917 * Allocate enough 32bit PA addressable pages to cover @size from the
53918 * page level allocator and map them into contiguous kernel virtual space.
53919 */
53920+#undef vmalloc_32
53921 void *vmalloc_32(unsigned long size)
53922 {
ae4e228f 53923 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
57199397 53924@@ -1691,6 +1758,7 @@ EXPORT_SYMBOL(vmalloc_32);
58c5fc13
MT		 53925 * The resulting memory area is 32bit addressable and zeroed so it can be
53926 * mapped to userspace without leaking data.
53927 */
53928+#undef vmalloc_32_user
53929 void *vmalloc_32_user(unsigned long size)
53930 {
53931 struct vm_struct *area;
57199397
MT		 53932diff -urNp linux-2.6.35.4/mm/vmstat.c linux-2.6.35.4/mm/vmstat.c
53933--- linux-2.6.35.4/mm/vmstat.c 2010-08-26 19:47:12.000000000 -0400
53934+++ linux-2.6.35.4/mm/vmstat.c 2010-09-17 20:12:37.000000000 -0400
53935@@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
53936 *
53937 * vm_stat contains the global counters
53938 */
53939-atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53940+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53941 EXPORT_SYMBOL(vm_stat);
53942
53943 #ifdef CONFIG_SMP
53944@@ -315,7 +315,7 @@ void refresh_cpu_vm_stats(int cpu)
53945 v = p->vm_stat_diff[i];
53946 p->vm_stat_diff[i] = 0;
53947 local_irq_restore(flags);
53948- atomic_long_add(v, &zone->vm_stat[i]);
53949+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
53950 global_diff[i] += v;
53951 #ifdef CONFIG_NUMA
53952 /* 3 seconds idle till flush */
53953@@ -353,7 +353,7 @@ void refresh_cpu_vm_stats(int cpu)
53954
53955 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
53956 if (global_diff[i])
53957- atomic_long_add(global_diff[i], &vm_stat[i]);
53958+ atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
53959 }
53960
53961 #endif
53962@@ -1038,10 +1038,16 @@ static int __init setup_vmstat(void)
53963 start_cpu_timer(cpu);
53964 #endif
53965 #ifdef CONFIG_PROC_FS
53966- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
53967- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
53968- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
53969- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
53970+ {
53971+ mode_t gr_mode = S_IRUGO;
53972+#ifdef CONFIG_GRKERNSEC_PROC_ADD
53973+ gr_mode = S_IRUSR;
53974+#endif
53975+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
53976+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
53977+ proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
53978+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
53979+ }
53980 #endif
53981 return 0;
53982 }
53983diff -urNp linux-2.6.35.4/net/8021q/vlan.c linux-2.6.35.4/net/8021q/vlan.c
53984--- linux-2.6.35.4/net/8021q/vlan.c 2010-08-26 19:47:12.000000000 -0400
53985+++ linux-2.6.35.4/net/8021q/vlan.c 2010-09-17 20:12:09.000000000 -0400
53986@@ -618,8 +618,7 @@ static int vlan_ioctl_handler(struct net
df50ba0c
MT		 53987 err = -EPERM;
53988 if (!capable(CAP_NET_ADMIN))
53989 break;
53990- if ((args.u.name_type >= 0) &&
53991- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
53992+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
53993 struct vlan_net *vn;
53994
53995 vn = net_generic(net, vlan_net_id);
57199397
MT		 53996diff -urNp linux-2.6.35.4/net/atm/atm_misc.c linux-2.6.35.4/net/atm/atm_misc.c
53997--- linux-2.6.35.4/net/atm/atm_misc.c 2010-08-26 19:47:12.000000000 -0400
53998+++ linux-2.6.35.4/net/atm/atm_misc.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 53999@@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
58c5fc13
MT		 54000 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
54001 return 1;
df50ba0c 54002 atm_return(vcc, truesize);
58c5fc13
MT		 54003- atomic_inc(&vcc->stats->rx_drop);
54004+ atomic_inc_unchecked(&vcc->stats->rx_drop);
54005 return 0;
54006 }
df50ba0c
MT		 54007 EXPORT_SYMBOL(atm_charge);
54008@@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
58c5fc13
MT		 54009 }
54010 }
df50ba0c 54011 atm_return(vcc, guess);
58c5fc13
MT		 54012- atomic_inc(&vcc->stats->rx_drop);
54013+ atomic_inc_unchecked(&vcc->stats->rx_drop);
54014 return NULL;
54015 }
df50ba0c
MT		 54016 EXPORT_SYMBOL(atm_alloc_charge);
54017@@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
58c5fc13 54018
df50ba0c 54019 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
58c5fc13
MT		 54020 {
54021-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
54022+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
54023 __SONET_ITEMS
54024 #undef __HANDLE_ITEM
54025 }
df50ba0c 54026@@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
58c5fc13 54027
df50ba0c 54028 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
58c5fc13 54029 {
df50ba0c 54030-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
58c5fc13
MT		 54031+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
54032 __SONET_ITEMS
54033 #undef __HANDLE_ITEM
54034 }
57199397
MT		 54035diff -urNp linux-2.6.35.4/net/atm/proc.c linux-2.6.35.4/net/atm/proc.c
54036--- linux-2.6.35.4/net/atm/proc.c 2010-08-26 19:47:12.000000000 -0400
54037+++ linux-2.6.35.4/net/atm/proc.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 54038@@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
58c5fc13
MT		 54039 const struct k_atm_aal_stats *stats)
54040 {
54041 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
df50ba0c
MT		 54042- atomic_read(&stats->tx), atomic_read(&stats->tx_err),
54043- atomic_read(&stats->rx), atomic_read(&stats->rx_err),
54044- atomic_read(&stats->rx_drop));
54045+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
54046+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
54047+ atomic_read_unchecked(&stats->rx_drop));
58c5fc13
MT		 54048 }
54049
54050 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
57199397
MT		 54051@@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
54052 {
54053 struct sock *sk = sk_atm(vcc);
54054
54055+#ifdef CONFIG_GRKERNSEC_HIDESYM
54056+ seq_printf(seq, "%p ", NULL);
54057+#else
54058 seq_printf(seq, "%p ", vcc);
54059+#endif
54060+
54061 if (!vcc->dev)
54062 seq_printf(seq, "Unassigned ");
54063 else
54064diff -urNp linux-2.6.35.4/net/atm/resources.c linux-2.6.35.4/net/atm/resources.c
54065--- linux-2.6.35.4/net/atm/resources.c 2010-08-26 19:47:12.000000000 -0400
54066+++ linux-2.6.35.4/net/atm/resources.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54067@@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
58c5fc13
MT		 54068 static void copy_aal_stats(struct k_atm_aal_stats *from,
54069 struct atm_aal_stats *to)
54070 {
54071-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
54072+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
54073 __AAL_STAT_ITEMS
54074 #undef __HANDLE_ITEM
54075 }
df50ba0c 54076@@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
58c5fc13
MT		 54077 static void subtract_aal_stats(struct k_atm_aal_stats *from,
54078 struct atm_aal_stats *to)
54079 {
54080-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
54081+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
54082 __AAL_STAT_ITEMS
54083 #undef __HANDLE_ITEM
54084 }
57199397
MT		 54085diff -urNp linux-2.6.35.4/net/bridge/br_stp_if.c linux-2.6.35.4/net/bridge/br_stp_if.c
54086--- linux-2.6.35.4/net/bridge/br_stp_if.c 2010-08-26 19:47:12.000000000 -0400
54087+++ linux-2.6.35.4/net/bridge/br_stp_if.c 2010-09-17 20:12:09.000000000 -0400
54088@@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
58c5fc13
MT		 54089 char *envp[] = { NULL };
54090
54091 if (br->stp_enabled == BR_USER_STP) {
54092- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
54093+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
57199397 54094 br_info(br, "userspace STP stopped, return code %d\n", r);
58c5fc13 54095
57199397
MT		 54096 /* To start timers on any ports left in blocking */
54097diff -urNp linux-2.6.35.4/net/bridge/netfilter/ebtables.c linux-2.6.35.4/net/bridge/netfilter/ebtables.c
54098--- linux-2.6.35.4/net/bridge/netfilter/ebtables.c 2010-08-26 19:47:12.000000000 -0400
54099+++ linux-2.6.35.4/net/bridge/netfilter/ebtables.c 2010-09-17 20:12:09.000000000 -0400
54100@@ -1501,7 +1501,7 @@ static int do_ebt_get_ctl(struct sock *s
ae4e228f
MT		 54101 tmp.valid_hooks = t->table->valid_hooks;
54102 }
54103 mutex_unlock(&ebt_mutex);
54104- if (copy_to_user(user, &tmp, *len) != 0){
54105+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
54106 BUGPRINT("c2u Didn't work\n");
54107 ret = -EFAULT;
54108 break;
57199397
MT		 54109diff -urNp linux-2.6.35.4/net/core/dev.c linux-2.6.35.4/net/core/dev.c
54110--- linux-2.6.35.4/net/core/dev.c 2010-08-26 19:47:12.000000000 -0400
54111+++ linux-2.6.35.4/net/core/dev.c 2010-09-17 20:12:09.000000000 -0400
54112@@ -2541,7 +2541,7 @@ int netif_rx_ni(struct sk_buff *skb)
ae4e228f
MT		 54113 }
54114 EXPORT_SYMBOL(netif_rx_ni);
54115
54116-static void net_tx_action(struct softirq_action *h)
54117+static void net_tx_action(void)
54118 {
54119 struct softnet_data *sd = &__get_cpu_var(softnet_data);
54120
57199397
MT		 54121@@ -3474,7 +3474,7 @@ void netif_napi_del(struct napi_struct *
54122 }
ae4e228f
MT		 54123 EXPORT_SYMBOL(netif_napi_del);
54124
ae4e228f
MT		 54125-static void net_rx_action(struct softirq_action *h)
54126+static void net_rx_action(void)
54127 {
57199397 54128 struct softnet_data *sd = &__get_cpu_var(softnet_data);
ae4e228f 54129 unsigned long time_limit = jiffies + 2;
57199397
MT		 54130diff -urNp linux-2.6.35.4/net/core/net-sysfs.c linux-2.6.35.4/net/core/net-sysfs.c
54131--- linux-2.6.35.4/net/core/net-sysfs.c 2010-08-26 19:47:12.000000000 -0400
54132+++ linux-2.6.35.4/net/core/net-sysfs.c 2010-09-17 20:12:09.000000000 -0400
54133@@ -511,7 +511,7 @@ static ssize_t rx_queue_attr_store(struc
54134 return attribute->store(queue, attribute, buf, count);
54135 }
54136
54137-static struct sysfs_ops rx_queue_sysfs_ops = {
54138+static const struct sysfs_ops rx_queue_sysfs_ops = {
54139 .show = rx_queue_attr_show,
54140 .store = rx_queue_attr_store,
54141 };
54142diff -urNp linux-2.6.35.4/net/core/sock.c linux-2.6.35.4/net/core/sock.c
54143--- linux-2.6.35.4/net/core/sock.c 2010-08-26 19:47:12.000000000 -0400
54144+++ linux-2.6.35.4/net/core/sock.c 2010-09-17 20:12:09.000000000 -0400
54145@@ -915,7 +915,7 @@ int sock_getsockopt(struct socket *sock,
ae4e228f
MT		 54146 return -ENOTCONN;
54147 if (lv < len)
54148 return -EINVAL;
54149- if (copy_to_user(optval, address, len))
54150+ if (len > sizeof(address) || copy_to_user(optval, address, len))
54151 return -EFAULT;
54152 goto lenout;
54153 }
57199397 54154@@ -948,7 +948,7 @@ int sock_getsockopt(struct socket *sock,
ae4e228f
MT		 54155
54156 if (len > lv)
54157 len = lv;
54158- if (copy_to_user(optval, &v, len))
54159+ if (len > sizeof(v) || copy_to_user(optval, &v, len))
54160 return -EFAULT;
54161 lenout:
54162 if (put_user(len, optlen))
57199397
MT		 54163diff -urNp linux-2.6.35.4/net/dccp/ccids/ccid3.c linux-2.6.35.4/net/dccp/ccids/ccid3.c
54164--- linux-2.6.35.4/net/dccp/ccids/ccid3.c 2010-08-26 19:47:12.000000000 -0400
54165+++ linux-2.6.35.4/net/dccp/ccids/ccid3.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 54166@@ -41,7 +41,7 @@
58c5fc13
MT		 54167 static int ccid3_debug;
54168 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
54169 #else
54170-#define ccid3_pr_debug(format, a...)
54171+#define ccid3_pr_debug(format, a...) do {} while (0)
54172 #endif
54173
54174 /*
57199397
MT		 54175diff -urNp linux-2.6.35.4/net/dccp/dccp.h linux-2.6.35.4/net/dccp/dccp.h
54176--- linux-2.6.35.4/net/dccp/dccp.h 2010-08-26 19:47:12.000000000 -0400
54177+++ linux-2.6.35.4/net/dccp/dccp.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 54178@@ -44,9 +44,9 @@ extern int dccp_debug;
54179 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
54180 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
54181 #else
54182-#define dccp_pr_debug(format, a...)
54183-#define dccp_pr_debug_cat(format, a...)
54184-#define dccp_debug(format, a...)
54185+#define dccp_pr_debug(format, a...) do {} while (0)
54186+#define dccp_pr_debug_cat(format, a...) do {} while (0)
54187+#define dccp_debug(format, a...) do {} while (0)
54188 #endif
54189
54190 extern struct inet_hashinfo dccp_hashinfo;
57199397
MT		 54191diff -urNp linux-2.6.35.4/net/decnet/sysctl_net_decnet.c linux-2.6.35.4/net/decnet/sysctl_net_decnet.c
54192--- linux-2.6.35.4/net/decnet/sysctl_net_decnet.c 2010-08-26 19:47:12.000000000 -0400
54193+++ linux-2.6.35.4/net/decnet/sysctl_net_decnet.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 54194@@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
54195
54196 if (len > *lenp) len = *lenp;
54197
54198- if (copy_to_user(buffer, addr, len))
54199+ if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
54200 return -EFAULT;
54201
54202 *lenp = len;
54203@@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
54204
54205 if (len > *lenp) len = *lenp;
54206
54207- if (copy_to_user(buffer, devname, len))
54208+ if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
54209 return -EFAULT;
54210
54211 *lenp = len;
57199397
MT		 54212diff -urNp linux-2.6.35.4/net/ipv4/inet_hashtables.c linux-2.6.35.4/net/ipv4/inet_hashtables.c
54213--- linux-2.6.35.4/net/ipv4/inet_hashtables.c 2010-08-26 19:47:12.000000000 -0400
54214+++ linux-2.6.35.4/net/ipv4/inet_hashtables.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 54215@@ -18,11 +18,14 @@
54216 #include <linux/sched.h>
54217 #include <linux/slab.h>
54218 #include <linux/wait.h>
54219+#include <linux/security.h>
54220
54221 #include <net/inet_connection_sock.h>
54222 #include <net/inet_hashtables.h>
54223 #include <net/ip.h>
54224
54225+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
54226+
54227 /*
54228 * Allocate and initialize a new local port bind bucket.
54229 * The bindhash mutex for snum's hash chain must be held here.
57199397 54230@@ -508,6 +511,8 @@ ok:
ae4e228f 54231 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
58c5fc13
MT		 54232 spin_unlock(&head->lock);
54233
54234+ gr_update_task_in_ip_table(current, inet_sk(sk));
54235+
54236 if (tw) {
54237 inet_twsk_deschedule(tw, death_row);
ae4e228f 54238 while (twrefcnt) {
57199397
MT		 54239diff -urNp linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c
54240--- linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-08-26 19:47:12.000000000 -0400
54241+++ linux-2.6.35.4/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54242@@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
58c5fc13
MT		 54243
54244 *len = 0;
54245
54246- *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
54247+ *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
54248 if (*octets == NULL) {
54249 if (net_ratelimit())
57199397
MT		 54250 pr_notice("OOM in bsalg (%d)\n", __LINE__);
54251diff -urNp linux-2.6.35.4/net/ipv4/tcp_ipv4.c linux-2.6.35.4/net/ipv4/tcp_ipv4.c
54252--- linux-2.6.35.4/net/ipv4/tcp_ipv4.c 2010-08-26 19:47:12.000000000 -0400
54253+++ linux-2.6.35.4/net/ipv4/tcp_ipv4.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 54254@@ -85,6 +85,9 @@
ae4e228f
MT		 54255 int sysctl_tcp_tw_reuse __read_mostly;
54256 int sysctl_tcp_low_latency __read_mostly;
58c5fc13 54257
58c5fc13 54258+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
ae4e228f 54259+extern int grsec_enable_blackhole;
58c5fc13 54260+#endif
ae4e228f
MT		 54261
54262 #ifdef CONFIG_TCP_MD5SIG
54263 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
57199397
MT		 54264@@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
54265 return 0;
54266
54267 reset:
54268+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54269+ if (!grsec_enable_blackhole)
54270+#endif
54271 tcp_v4_send_reset(rsk, skb);
54272 discard:
54273 kfree_skb(skb);
54274@@ -1654,12 +1660,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
ae4e228f
MT		 54275 TCP_SKB_CB(skb)->sacked = 0;
54276
54277 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54278- if (!sk)
54279+ if (!sk) {
54280+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54281+ ret = 1;
54282+#endif
54283 goto no_tcp_socket;
df50ba0c 54284-
ae4e228f 54285+ }
ae4e228f
MT		 54286 process:
54287- if (sk->sk_state == TCP_TIME_WAIT)
54288+ if (sk->sk_state == TCP_TIME_WAIT) {
54289+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54290+ ret = 2;
54291+#endif
54292 goto do_time_wait;
54293+ }
54294
df50ba0c
MT		 54295 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
54296 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
57199397 54297@@ -1709,6 +1722,10 @@ no_tcp_socket:
58c5fc13
MT		 54298 bad_packet:
54299 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54300 } else {
54301+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
ae4e228f
MT		 54302+ if (!grsec_enable_blackhole || (ret == 1 &&
54303+ (skb->dev->flags & IFF_LOOPBACK)))
58c5fc13
MT		 54304+#endif
54305 tcp_v4_send_reset(NULL, skb);
54306 }
54307
57199397
MT		 54308@@ -2316,7 +2333,11 @@ static void get_openreq4(struct sock *sk
54309 0, /* non standard timer */
54310 0, /* open_requests have no inode */
54311 atomic_read(&sk->sk_refcnt),
54312+#ifdef CONFIG_GRKERNSEC_HIDESYM
54313+ NULL,
54314+#else
54315 req,
54316+#endif
54317 len);
54318 }
54319
54320@@ -2366,7 +2387,12 @@ static void get_tcp4_sock(struct sock *s
54321 sock_i_uid(sk),
54322 icsk->icsk_probes_out,
54323 sock_i_ino(sk),
54324- atomic_read(&sk->sk_refcnt), sk,
54325+ atomic_read(&sk->sk_refcnt),
54326+#ifdef CONFIG_GRKERNSEC_HIDESYM
54327+ NULL,
54328+#else
54329+ sk,
54330+#endif
54331 jiffies_to_clock_t(icsk->icsk_rto),
54332 jiffies_to_clock_t(icsk->icsk_ack.ato),
54333 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
54334@@ -2394,7 +2420,13 @@ static void get_timewait4_sock(struct in
54335 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
54336 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
54337 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
54338- atomic_read(&tw->tw_refcnt), tw, len);
54339+ atomic_read(&tw->tw_refcnt),
54340+#ifdef CONFIG_GRKERNSEC_HIDESYM
54341+ NULL,
54342+#else
54343+ tw,
54344+#endif
54345+ len);
54346 }
54347
54348 #define TMPSZ 150
54349diff -urNp linux-2.6.35.4/net/ipv4/tcp_minisocks.c linux-2.6.35.4/net/ipv4/tcp_minisocks.c
54350--- linux-2.6.35.4/net/ipv4/tcp_minisocks.c 2010-08-26 19:47:12.000000000 -0400
54351+++ linux-2.6.35.4/net/ipv4/tcp_minisocks.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 54352@@ -27,6 +27,10 @@
ae4e228f
MT		 54353 #include <net/inet_common.h>
54354 #include <net/xfrm.h>
54355
54356+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54357+extern int grsec_enable_blackhole;
54358+#endif
54359+
54360 int sysctl_tcp_syncookies __read_mostly = 1;
54361 EXPORT_SYMBOL(sysctl_tcp_syncookies);
54362
57199397 54363@@ -700,6 +704,10 @@ listen_overflow:
58c5fc13
MT		 54364
54365 embryonic_reset:
54366 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
54367+
df50ba0c
MT		 54368+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54369+ if (!grsec_enable_blackhole)
58c5fc13 54370+#endif
df50ba0c
MT		 54371 if (!(flg & TCP_FLAG_RST))
54372 req->rsk_ops->send_reset(sk, skb);
58c5fc13 54373
57199397
MT		 54374diff -urNp linux-2.6.35.4/net/ipv4/tcp_probe.c linux-2.6.35.4/net/ipv4/tcp_probe.c
54375--- linux-2.6.35.4/net/ipv4/tcp_probe.c 2010-08-26 19:47:12.000000000 -0400
54376+++ linux-2.6.35.4/net/ipv4/tcp_probe.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 54377@@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
ae4e228f
MT		 54378 if (cnt + width >= len)
54379 break;
54380
54381- if (copy_to_user(buf + cnt, tbuf, width))
54382+ if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
54383 return -EFAULT;
54384 cnt += width;
54385 }
57199397
MT		 54386diff -urNp linux-2.6.35.4/net/ipv4/tcp_timer.c linux-2.6.35.4/net/ipv4/tcp_timer.c
54387--- linux-2.6.35.4/net/ipv4/tcp_timer.c 2010-08-26 19:47:12.000000000 -0400
54388+++ linux-2.6.35.4/net/ipv4/tcp_timer.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c
MT		 54389@@ -22,6 +22,10 @@
54390 #include <linux/gfp.h>
ae4e228f
MT		 54391 #include <net/tcp.h>
54392
54393+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54394+extern int grsec_lastack_retries;
54395+#endif
54396+
54397 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
54398 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
54399 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
df50ba0c 54400@@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock
ae4e228f
MT		 54401 }
54402 }
54403
54404+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54405+ if ((sk->sk_state == TCP_LAST_ACK) &&
54406+ (grsec_lastack_retries > 0) &&
54407+ (grsec_lastack_retries < retry_until))
54408+ retry_until = grsec_lastack_retries;
54409+#endif
54410+
54411 if (retransmits_timed_out(sk, retry_until)) {
54412 /* Has it gone just too far? */
54413 tcp_write_err(sk);
57199397
MT		 54414diff -urNp linux-2.6.35.4/net/ipv4/udp.c linux-2.6.35.4/net/ipv4/udp.c
54415--- linux-2.6.35.4/net/ipv4/udp.c 2010-08-26 19:47:12.000000000 -0400
54416+++ linux-2.6.35.4/net/ipv4/udp.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 54417@@ -86,6 +86,7 @@
54418 #include <linux/types.h>
54419 #include <linux/fcntl.h>
54420 #include <linux/module.h>
54421+#include <linux/security.h>
54422 #include <linux/socket.h>
54423 #include <linux/sockios.h>
54424 #include <linux/igmp.h>
df50ba0c 54425@@ -107,6 +108,10 @@
ae4e228f
MT		 54426 #include <net/xfrm.h>
54427 #include "udp_impl.h"
54428
54429+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54430+extern int grsec_enable_blackhole;
54431+#endif
54432+
54433 struct udp_table udp_table __read_mostly;
54434 EXPORT_SYMBOL(udp_table);
54435
57199397 54436@@ -564,6 +569,9 @@ found:
58c5fc13
MT		 54437 return s;
54438 }
54439
54440+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
54441+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
54442+
54443 /*
54444 * This routine is called by the ICMP module when it gets some
54445 * sort of error condition. If err < 0 then the socket should
57199397 54446@@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
58c5fc13
MT		 54447 dport = usin->sin_port;
54448 if (dport == 0)
54449 return -EINVAL;
54450+
54451+ err = gr_search_udp_sendmsg(sk, usin);
54452+ if (err)
54453+ return err;
54454 } else {
54455 if (sk->sk_state != TCP_ESTABLISHED)
54456 return -EDESTADDRREQ;
54457+
54458+ err = gr_search_udp_sendmsg(sk, NULL);
54459+ if (err)
54460+ return err;
54461+
ae4e228f
MT		 54462 daddr = inet->inet_daddr;
54463 dport = inet->inet_dport;
58c5fc13 54464 /* Open fast path for connected socket.
57199397 54465@@ -1141,6 +1158,10 @@ try_again:
58c5fc13
MT		 54466 if (!skb)
54467 goto out;
54468
54469+ err = gr_search_udp_recvmsg(sk, skb);
54470+ if (err)
54471+ goto out_free;
54472+
54473 ulen = skb->len - sizeof(struct udphdr);
df50ba0c
MT		 54474 if (len > ulen)
54475 len = ulen;
57199397 54476@@ -1582,6 +1603,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
58c5fc13
MT		 54477 goto csum_error;
54478
54479 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
54480+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
ae4e228f 54481+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
58c5fc13
MT		 54482+#endif
54483 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
54484
54485 /*
57199397
MT		 54486@@ -2007,7 +2031,12 @@ static void udp4_format_sock(struct sock
54487 sk_wmem_alloc_get(sp),
54488 sk_rmem_alloc_get(sp),
54489 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
54490- atomic_read(&sp->sk_refcnt), sp,
54491+ atomic_read(&sp->sk_refcnt),
54492+#ifdef CONFIG_GRKERNSEC_HIDESYM
54493+ NULL,
54494+#else
54495+ sp,
54496+#endif
54497 atomic_read(&sp->sk_drops), len);
54498 }
54499
54500diff -urNp linux-2.6.35.4/net/ipv6/exthdrs.c linux-2.6.35.4/net/ipv6/exthdrs.c
54501--- linux-2.6.35.4/net/ipv6/exthdrs.c 2010-08-26 19:47:12.000000000 -0400
54502+++ linux-2.6.35.4/net/ipv6/exthdrs.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54503@@ -636,7 +636,7 @@ static struct tlvtype_proc tlvprochopopt
58c5fc13
MT		 54504 .type = IPV6_TLV_JUMBO,
54505 .func = ipv6_hop_jumbo,
54506 },
54507- { -1, }
54508+ { -1, NULL }
54509 };
54510
54511 int ipv6_parse_hopopts(struct sk_buff *skb)
57199397
MT		 54512diff -urNp linux-2.6.35.4/net/ipv6/raw.c linux-2.6.35.4/net/ipv6/raw.c
54513--- linux-2.6.35.4/net/ipv6/raw.c 2010-08-26 19:47:12.000000000 -0400
54514+++ linux-2.6.35.4/net/ipv6/raw.c 2010-09-17 20:12:09.000000000 -0400
54515@@ -601,7 +601,7 @@ out:
58c5fc13
MT		 54516 return err;
54517 }
54518
54519-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
54520+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
54521 struct flowi *fl, struct rt6_info *rt,
54522 unsigned int flags)
54523 {
57199397
MT		 54524diff -urNp linux-2.6.35.4/net/ipv6/tcp_ipv6.c linux-2.6.35.4/net/ipv6/tcp_ipv6.c
54525--- linux-2.6.35.4/net/ipv6/tcp_ipv6.c 2010-08-26 19:47:12.000000000 -0400
54526+++ linux-2.6.35.4/net/ipv6/tcp_ipv6.c 2010-09-17 20:23:25.000000000 -0400
54527@@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
df50ba0c
MT		 54528 }
54529 #endif
54530
54531+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54532+extern int grsec_enable_blackhole;
54533+#endif
54534+
54535 static void tcp_v6_hash(struct sock *sk)
54536 {
54537 if (sk->sk_state != TCP_CLOSE) {
57199397
MT		 54538@@ -1641,6 +1645,9 @@ static int tcp_v6_do_rcv(struct sock *sk
54539 return 0;
54540
54541 reset:
54542+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54543+ if (!grsec_enable_blackhole)
54544+#endif
54545 tcp_v6_send_reset(sk, skb);
54546 discard:
54547 if (opt_skb)
54548@@ -1720,12 +1727,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
df50ba0c 54549 TCP_SKB_CB(skb)->sacked = 0;
58c5fc13 54550
df50ba0c
MT		 54551 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54552- if (!sk)
54553+ if (!sk) {
54554+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54555+ ret = 1;
54556+#endif
54557 goto no_tcp_socket;
54558+ }
54559
54560 process:
54561- if (sk->sk_state == TCP_TIME_WAIT)
54562+ if (sk->sk_state == TCP_TIME_WAIT) {
58c5fc13 54563+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
df50ba0c 54564+ ret = 2;
58c5fc13 54565+#endif
df50ba0c
MT		 54566 goto do_time_wait;
54567+ }
54568
57199397
MT		 54569 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
54570 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54571@@ -1773,6 +1788,10 @@ no_tcp_socket:
58c5fc13
MT		 54572 bad_packet:
54573 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54574 } else {
54575+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
df50ba0c
MT		 54576+ if (!grsec_enable_blackhole || (ret == 1 &&
54577+ (skb->dev->flags & IFF_LOOPBACK)))
58c5fc13
MT		 54578+#endif
54579 tcp_v6_send_reset(NULL, skb);
54580 }
54581
57199397
MT		 54582diff -urNp linux-2.6.35.4/net/ipv6/udp.c linux-2.6.35.4/net/ipv6/udp.c
54583--- linux-2.6.35.4/net/ipv6/udp.c 2010-08-26 19:47:12.000000000 -0400
54584+++ linux-2.6.35.4/net/ipv6/udp.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c
MT		 54585@@ -50,6 +50,10 @@
54586 #include <linux/seq_file.h>
54587 #include "udp_impl.h"
54588
54589+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54590+extern int grsec_enable_blackhole;
54591+#endif
54592+
54593 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
54594 {
54595 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
57199397 54596@@ -756,6 +760,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
58c5fc13
MT		 54597 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
54598 proto == IPPROTO_UDPLITE);
54599
54600+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
df50ba0c 54601+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
58c5fc13 54602+#endif
df50ba0c 54603 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
58c5fc13
MT		 54604
54605 kfree_skb(skb);
57199397
MT		 54606diff -urNp linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c
54607--- linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400
54608+++ linux-2.6.35.4/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54609@@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
58c5fc13
MT		 54610 add_wait_queue(&self->open_wait, &wait);
54611
54612 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
54613- __FILE__,__LINE__, tty->driver->name, self->open_count );
54614+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54615
54616 /* As far as I can see, we protect open_count - Jean II */
54617 spin_lock_irqsave(&self->spinlock, flags);
54618 if (!tty_hung_up_p(filp)) {
54619 extra_count = 1;
54620- self->open_count--;
54621+ atomic_dec(&self->open_count);
54622 }
54623 spin_unlock_irqrestore(&self->spinlock, flags);
54624- self->blocked_open++;
54625+ atomic_inc(&self->blocked_open);
54626
54627 while (1) {
54628 if (tty->termios->c_cflag & CBAUD) {
df50ba0c 54629@@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
58c5fc13
MT		 54630 }
54631
54632 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
54633- __FILE__,__LINE__, tty->driver->name, self->open_count );
54634+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54635
54636 schedule();
54637 }
df50ba0c 54638@@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
58c5fc13
MT		 54639 if (extra_count) {
54640 /* ++ is not atomic, so this should be protected - Jean II */
54641 spin_lock_irqsave(&self->spinlock, flags);
54642- self->open_count++;
54643+ atomic_inc(&self->open_count);
54644 spin_unlock_irqrestore(&self->spinlock, flags);
54645 }
54646- self->blocked_open--;
54647+ atomic_dec(&self->blocked_open);
54648
54649 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
54650- __FILE__,__LINE__, tty->driver->name, self->open_count);
54651+ __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
54652
54653 if (!retval)
54654 self->flags |= ASYNC_NORMAL_ACTIVE;
df50ba0c 54655@@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
58c5fc13
MT		 54656 }
54657 /* ++ is not atomic, so this should be protected - Jean II */
54658 spin_lock_irqsave(&self->spinlock, flags);
54659- self->open_count++;
54660+ atomic_inc(&self->open_count);
54661
54662 tty->driver_data = self;
54663 self->tty = tty;
54664 spin_unlock_irqrestore(&self->spinlock, flags);
54665
54666 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
54667- self->line, self->open_count);
54668+ self->line, atomic_read(&self->open_count));
54669
54670 /* Not really used by us, but lets do it anyway */
54671 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
df50ba0c 54672@@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
58c5fc13
MT		 54673 return;
54674 }
54675
54676- if ((tty->count == 1) && (self->open_count != 1)) {
54677+ if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
54678 /*
54679 * Uh, oh. tty->count is 1, which means that the tty
54680 * structure will be freed. state->count should always
df50ba0c 54681@@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
58c5fc13
MT		 54682 */
54683 IRDA_DEBUG(0, "%s(), bad serial port count; "
54684 "tty->count is 1, state->count is %d\n", __func__ ,
54685- self->open_count);
54686- self->open_count = 1;
54687+ atomic_read(&self->open_count));
54688+ atomic_set(&self->open_count, 1);
54689 }
54690
54691- if (--self->open_count < 0) {
54692+ if (atomic_dec_return(&self->open_count) < 0) {
54693 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
54694- __func__, self->line, self->open_count);
54695- self->open_count = 0;
54696+ __func__, self->line, atomic_read(&self->open_count));
54697+ atomic_set(&self->open_count, 0);
54698 }
54699- if (self->open_count) {
54700+ if (atomic_read(&self->open_count)) {
54701 spin_unlock_irqrestore(&self->spinlock, flags);
54702
54703 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
df50ba0c 54704@@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
58c5fc13
MT		 54705 tty->closing = 0;
54706 self->tty = NULL;
54707
54708- if (self->blocked_open) {
54709+ if (atomic_read(&self->blocked_open)) {
54710 if (self->close_delay)
54711 schedule_timeout_interruptible(self->close_delay);
54712 wake_up_interruptible(&self->open_wait);
df50ba0c 54713@@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
58c5fc13
MT		 54714 spin_lock_irqsave(&self->spinlock, flags);
54715 self->flags &= ~ASYNC_NORMAL_ACTIVE;
54716 self->tty = NULL;
54717- self->open_count = 0;
54718+ atomic_set(&self->open_count, 0);
54719 spin_unlock_irqrestore(&self->spinlock, flags);
54720
54721 wake_up_interruptible(&self->open_wait);
df50ba0c 54722@@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
58c5fc13
MT		 54723 seq_putc(m, '\n');
54724
54725 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
54726- seq_printf(m, "Open count: %d\n", self->open_count);
54727+ seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
54728 seq_printf(m, "Max data size: %d\n", self->max_data_size);
54729 seq_printf(m, "Max header size: %d\n", self->max_header_size);
54730
57199397
MT		 54731diff -urNp linux-2.6.35.4/net/key/af_key.c linux-2.6.35.4/net/key/af_key.c
54732--- linux-2.6.35.4/net/key/af_key.c 2010-08-26 19:47:12.000000000 -0400
54733+++ linux-2.6.35.4/net/key/af_key.c 2010-09-17 20:12:37.000000000 -0400
54734@@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
54735 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
54736 else
54737 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
54738+#ifdef CONFIG_GRKERNSEC_HIDESYM
54739+ NULL,
54740+#else
54741 s,
54742+#endif
54743 atomic_read(&s->sk_refcnt),
54744 sk_rmem_alloc_get(s),
54745 sk_wmem_alloc_get(s),
54746diff -urNp linux-2.6.35.4/net/mac80211/ieee80211_i.h linux-2.6.35.4/net/mac80211/ieee80211_i.h
54747--- linux-2.6.35.4/net/mac80211/ieee80211_i.h 2010-08-26 19:47:12.000000000 -0400
54748+++ linux-2.6.35.4/net/mac80211/ieee80211_i.h 2010-09-17 20:12:09.000000000 -0400
54749@@ -649,7 +649,7 @@ struct ieee80211_local {
ae4e228f 54750 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
58c5fc13
MT		 54751 spinlock_t queue_stop_reason_lock;
54752
58c5fc13
MT		 54753- int open_count;
54754+ atomic_t open_count;
54755 int monitors, cooked_mntrs;
54756 /* number of interfaces with corresponding FIF_ flags */
ae4e228f 54757 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
57199397
MT		 54758diff -urNp linux-2.6.35.4/net/mac80211/iface.c linux-2.6.35.4/net/mac80211/iface.c
54759--- linux-2.6.35.4/net/mac80211/iface.c 2010-08-26 19:47:12.000000000 -0400
54760+++ linux-2.6.35.4/net/mac80211/iface.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54761@@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
58c5fc13
MT		 54762 break;
54763 }
54764
54765- if (local->open_count == 0) {
54766+ if (atomic_read(&local->open_count) == 0) {
54767 res = drv_start(local);
54768 if (res)
54769 goto err_del_bss;
df50ba0c 54770@@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
58c5fc13
MT		 54771 * Validate the MAC address for this device.
54772 */
54773 if (!is_valid_ether_addr(dev->dev_addr)) {
54774- if (!local->open_count)
54775+ if (!atomic_read(&local->open_count))
54776 drv_stop(local);
54777 return -EADDRNOTAVAIL;
54778 }
df50ba0c 54779@@ -308,7 +308,7 @@ static int ieee80211_open(struct net_dev
58c5fc13
MT		 54780
54781 hw_reconf_flags |= __ieee80211_recalc_idle(local);
54782
54783- local->open_count++;
54784+ atomic_inc(&local->open_count);
54785 if (hw_reconf_flags) {
54786 ieee80211_hw_config(local, hw_reconf_flags);
54787 /*
df50ba0c 54788@@ -336,7 +336,7 @@ static int ieee80211_open(struct net_dev
58c5fc13 54789 err_del_interface:
df50ba0c 54790 drv_remove_interface(local, &sdata->vif);
58c5fc13
MT		 54791 err_stop:
54792- if (!local->open_count)
54793+ if (!atomic_read(&local->open_count))
54794 drv_stop(local);
54795 err_del_bss:
54796 sdata->bss = NULL;
57199397 54797@@ -439,7 +439,7 @@ static int ieee80211_stop(struct net_dev
58c5fc13
MT		 54798 WARN_ON(!list_empty(&sdata->u.ap.vlans));
54799 }
54800
54801- local->open_count--;
54802+ atomic_dec(&local->open_count);
54803
54804 switch (sdata->vif.type) {
54805 case NL80211_IFTYPE_AP_VLAN:
57199397 54806@@ -542,7 +542,7 @@ static int ieee80211_stop(struct net_dev
58c5fc13
MT		 54807
54808 ieee80211_recalc_ps(local, -1);
54809
54810- if (local->open_count == 0) {
54811+ if (atomic_read(&local->open_count) == 0) {
ae4e228f
MT		 54812 ieee80211_clear_tx_pending(local);
54813 ieee80211_stop_device(local);
58c5fc13 54814
57199397
MT		 54815diff -urNp linux-2.6.35.4/net/mac80211/main.c linux-2.6.35.4/net/mac80211/main.c
54816--- linux-2.6.35.4/net/mac80211/main.c 2010-08-26 19:47:12.000000000 -0400
54817+++ linux-2.6.35.4/net/mac80211/main.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54818@@ -148,7 +148,7 @@ int ieee80211_hw_config(struct ieee80211
58c5fc13
MT		 54819 local->hw.conf.power_level = power;
54820 }
54821
54822- if (changed && local->open_count) {
54823+ if (changed && atomic_read(&local->open_count)) {
54824 ret = drv_config(local, changed);
54825 /*
54826 * Goal:
57199397
MT		 54827diff -urNp linux-2.6.35.4/net/mac80211/pm.c linux-2.6.35.4/net/mac80211/pm.c
54828--- linux-2.6.35.4/net/mac80211/pm.c 2010-08-26 19:47:12.000000000 -0400
54829+++ linux-2.6.35.4/net/mac80211/pm.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54830@@ -101,7 +101,7 @@ int __ieee80211_suspend(struct ieee80211
58c5fc13
MT		 54831 }
54832
54833 /* stop hardware - this must stop RX */
ae4e228f
MT		 54834- if (local->open_count)
54835+ if (atomic_read(&local->open_count))
54836 ieee80211_stop_device(local);
54837
54838 local->suspended = true;
57199397
MT		 54839diff -urNp linux-2.6.35.4/net/mac80211/rate.c linux-2.6.35.4/net/mac80211/rate.c
54840--- linux-2.6.35.4/net/mac80211/rate.c 2010-08-26 19:47:12.000000000 -0400
54841+++ linux-2.6.35.4/net/mac80211/rate.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54842@@ -355,7 +355,7 @@ int ieee80211_init_rate_ctrl_alg(struct
58c5fc13
MT		 54843
54844 ASSERT_RTNL();
ae4e228f
MT		 54845
54846- if (local->open_count)
54847+ if (atomic_read(&local->open_count))
58c5fc13
MT		 54848 return -EBUSY;
54849
ae4e228f 54850 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
57199397
MT		 54851diff -urNp linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c
54852--- linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c 2010-08-26 19:47:12.000000000 -0400
54853+++ linux-2.6.35.4/net/mac80211/rc80211_pid_debugfs.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54854@@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
58c5fc13 54855
ae4e228f 54856 spin_unlock_irqrestore(&events->lock, status);
58c5fc13 54857
ae4e228f
MT		 54858- if (copy_to_user(buf, pb, p))
54859+ if (p > sizeof(pb) || copy_to_user(buf, pb, p))
54860 return -EFAULT;
58c5fc13 54861
ae4e228f 54862 return p;
57199397
MT		 54863diff -urNp linux-2.6.35.4/net/mac80211/tx.c linux-2.6.35.4/net/mac80211/tx.c
54864--- linux-2.6.35.4/net/mac80211/tx.c 2010-08-26 19:47:12.000000000 -0400
54865+++ linux-2.6.35.4/net/mac80211/tx.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 54866@@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
54867 return cpu_to_le16(dur);
54868 }
54869
54870-static int inline is_ieee80211_device(struct ieee80211_local *local,
54871+static inline int is_ieee80211_device(struct ieee80211_local *local,
54872 struct net_device *dev)
54873 {
54874 return local == wdev_priv(dev->ieee80211_ptr);
57199397
MT		 54875diff -urNp linux-2.6.35.4/net/mac80211/util.c linux-2.6.35.4/net/mac80211/util.c
54876--- linux-2.6.35.4/net/mac80211/util.c 2010-08-26 19:47:12.000000000 -0400
54877+++ linux-2.6.35.4/net/mac80211/util.c 2010-09-17 20:12:09.000000000 -0400
54878@@ -1097,7 +1097,7 @@ int ieee80211_reconfig(struct ieee80211_
ae4e228f 54879 local->resuming = true;
58c5fc13
MT		 54880
54881 /* restart hardware */
54882- if (local->open_count) {
54883+ if (atomic_read(&local->open_count)) {
ae4e228f
MT		 54884 /*
54885 * Upon resume hardware can sometimes be goofy due to
54886 * various platform / driver / bus issues, so restarting
57199397
MT		 54887diff -urNp linux-2.6.35.4/net/netlink/af_netlink.c linux-2.6.35.4/net/netlink/af_netlink.c
54888--- linux-2.6.35.4/net/netlink/af_netlink.c 2010-08-26 19:47:12.000000000 -0400
54889+++ linux-2.6.35.4/net/netlink/af_netlink.c 2010-09-17 20:12:37.000000000 -0400
54890@@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
54891 struct netlink_sock *nlk = nlk_sk(s);
54892
54893 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
54894+#ifdef CONFIG_GRKERNSEC_HIDESYM
54895+ NULL,
54896+#else
54897 s,
54898+#endif
54899 s->sk_protocol,
54900 nlk->pid,
54901 nlk->groups ? (u32)nlk->groups[0] : 0,
54902 sk_rmem_alloc_get(s),
54903 sk_wmem_alloc_get(s),
54904+#ifdef CONFIG_GRKERNSEC_HIDESYM
54905+ NULL,
54906+#else
54907 nlk->cb,
54908+#endif
54909 atomic_read(&s->sk_refcnt),
54910 atomic_read(&s->sk_drops),
54911 sock_i_ino(s)
54912diff -urNp linux-2.6.35.4/net/packet/af_packet.c linux-2.6.35.4/net/packet/af_packet.c
54913--- linux-2.6.35.4/net/packet/af_packet.c 2010-08-26 19:47:12.000000000 -0400
54914+++ linux-2.6.35.4/net/packet/af_packet.c 2010-09-17 20:12:37.000000000 -0400
54915@@ -2093,7 +2093,7 @@ static int packet_getsockopt(struct sock
ae4e228f
MT		 54916 case PACKET_HDRLEN:
54917 if (len > sizeof(int))
54918 len = sizeof(int);
54919- if (copy_from_user(&val, optval, len))
54920+ if (len > sizeof(val) || copy_from_user(&val, optval, len))
54921 return -EFAULT;
54922 switch (val) {
54923 case TPACKET_V1:
57199397 54924@@ -2125,7 +2125,7 @@ static int packet_getsockopt(struct sock
58c5fc13 54925
ae4e228f
MT		 54926 if (put_user(len, optlen))
54927 return -EFAULT;
54928- if (copy_to_user(optval, data, len))
54929+ if (len > sizeof(st) || copy_to_user(optval, data, len))
54930 return -EFAULT;
54931 return 0;
58c5fc13 54932 }
57199397
MT		 54933@@ -2604,7 +2604,11 @@ static int packet_seq_show(struct seq_fi
54934
54935 seq_printf(seq,
54936 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
54937+#ifdef CONFIG_GRKERNSEC_HIDESYM
54938+ NULL,
54939+#else
54940 s,
54941+#endif
54942 atomic_read(&s->sk_refcnt),
54943 s->sk_type,
54944 ntohs(po->num),
54945diff -urNp linux-2.6.35.4/net/sctp/socket.c linux-2.6.35.4/net/sctp/socket.c
54946--- linux-2.6.35.4/net/sctp/socket.c 2010-08-26 19:47:12.000000000 -0400
54947+++ linux-2.6.35.4/net/sctp/socket.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 54948@@ -1483,7 +1483,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
58c5fc13
MT		 54949 struct sctp_sndrcvinfo *sinfo;
54950 struct sctp_initmsg *sinit;
54951 sctp_assoc_t associd = 0;
54952- sctp_cmsgs_t cmsgs = { NULL };
54953+ sctp_cmsgs_t cmsgs = { NULL, NULL };
54954 int err;
54955 sctp_scope_t scope;
54956 long timeo;
57199397
MT		 54957@@ -4387,7 +4387,7 @@ static int sctp_getsockopt_peer_addrs(st
54958 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
ae4e228f
MT		 54959 if (space_left < addrlen)
54960 return -ENOMEM;
54961- if (copy_to_user(to, &temp, addrlen))
54962+ if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
54963 return -EFAULT;
54964 to += addrlen;
54965 cnt++;
57199397
MT		 54966diff -urNp linux-2.6.35.4/net/socket.c linux-2.6.35.4/net/socket.c
54967--- linux-2.6.35.4/net/socket.c 2010-08-26 19:47:12.000000000 -0400
54968+++ linux-2.6.35.4/net/socket.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 54969@@ -88,6 +88,7 @@
58c5fc13 54970 #include <linux/nsproxy.h>
ae4e228f 54971 #include <linux/magic.h>
df50ba0c 54972 #include <linux/slab.h>
58c5fc13
MT		 54973+#include <linux/in.h>
54974
54975 #include <asm/uaccess.h>
54976 #include <asm/unistd.h>
57199397 54977@@ -105,6 +106,8 @@
ae4e228f
MT		 54978 #include <linux/sockios.h>
54979 #include <linux/atalk.h>
58c5fc13 54980
ae4e228f 54981+#include <linux/grsock.h>
58c5fc13
MT		 54982+
54983 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
54984 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
54985 unsigned long nr_segs, loff_t pos);
57199397 54986@@ -322,7 +325,7 @@ static int sockfs_get_sb(struct file_sys
58c5fc13
MT		 54987 mnt);
54988 }
54989
54990-static struct vfsmount *sock_mnt __read_mostly;
54991+struct vfsmount *sock_mnt __read_mostly;
54992
54993 static struct file_system_type sock_fs_type = {
54994 .name = "sockfs",
57199397 54995@@ -1291,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
58c5fc13
MT		 54996 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
54997 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
54998
54999+ if(!gr_search_socket(family, type, protocol)) {
55000+ retval = -EACCES;
55001+ goto out;
55002+ }
55003+
55004+ if (gr_handle_sock_all(family, type, protocol)) {
55005+ retval = -EACCES;
55006+ goto out;
55007+ }
55008+
55009 retval = sock_create(family, type, protocol, &sock);
55010 if (retval < 0)
55011 goto out;
57199397 55012@@ -1403,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
58c5fc13
MT		 55013 if (sock) {
55014 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
55015 if (err >= 0) {
55016+ if (gr_handle_sock_server((struct sockaddr *)&address)) {
55017+ err = -EACCES;
55018+ goto error;
55019+ }
55020+ err = gr_search_bind(sock, (struct sockaddr_in *)&address);
55021+ if (err)
55022+ goto error;
55023+
55024 err = security_socket_bind(sock,
55025 (struct sockaddr *)&address,
55026 addrlen);
57199397 55027@@ -1411,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
58c5fc13
MT		 55028 (struct sockaddr *)
55029 &address, addrlen);
55030 }
55031+error:
55032 fput_light(sock->file, fput_needed);
55033 }
55034 return err;
57199397 55035@@ -1434,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
58c5fc13
MT		 55036 if ((unsigned)backlog > somaxconn)
55037 backlog = somaxconn;
55038
df50ba0c 55039+ if (gr_handle_sock_server_other(sock->sk)) {
58c5fc13
MT		 55040+ err = -EPERM;
55041+ goto error;
55042+ }
55043+
55044+ err = gr_search_listen(sock);
55045+ if (err)
55046+ goto error;
55047+
55048 err = security_socket_listen(sock, backlog);
55049 if (!err)
55050 err = sock->ops->listen(sock, backlog);
55051
55052+error:
55053 fput_light(sock->file, fput_needed);
55054 }
55055 return err;
57199397 55056@@ -1480,6 +1512,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
58c5fc13
MT		 55057 newsock->type = sock->type;
55058 newsock->ops = sock->ops;
55059
df50ba0c 55060+ if (gr_handle_sock_server_other(sock->sk)) {
58c5fc13
MT		 55061+ err = -EPERM;
55062+ sock_release(newsock);
55063+ goto out_put;
55064+ }
55065+
55066+ err = gr_search_accept(sock);
55067+ if (err) {
55068+ sock_release(newsock);
55069+ goto out_put;
55070+ }
55071+
55072 /*
55073 * We don't need try_module_get here, as the listening socket (sock)
55074 * has the protocol module (sock->ops->owner) held.
57199397 55075@@ -1518,6 +1562,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
58c5fc13
MT		 55076 fd_install(newfd, newfile);
55077 err = newfd;
55078
55079+ gr_attach_curr_ip(newsock->sk);
55080+
55081 out_put:
55082 fput_light(sock->file, fput_needed);
55083 out:
57199397 55084@@ -1550,6 +1596,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
58c5fc13
MT		 55085 int, addrlen)
55086 {
55087 struct socket *sock;
55088+ struct sockaddr *sck;
55089 struct sockaddr_storage address;
55090 int err, fput_needed;
55091
57199397 55092@@ -1560,6 +1607,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
58c5fc13
MT		 55093 if (err < 0)
55094 goto out_put;
55095
55096+ sck = (struct sockaddr *)&address;
55097+
55098+ if (gr_handle_sock_client(sck)) {
55099+ err = -EACCES;
55100+ goto out_put;
55101+ }
55102+
55103+ err = gr_search_connect(sock, (struct sockaddr_in *)sck);
55104+ if (err)
55105+ goto out_put;
55106+
55107 err =
55108 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
55109 if (err)
57199397
MT		 55110diff -urNp linux-2.6.35.4/net/sunrpc/sched.c linux-2.6.35.4/net/sunrpc/sched.c
55111--- linux-2.6.35.4/net/sunrpc/sched.c 2010-08-26 19:47:12.000000000 -0400
55112+++ linux-2.6.35.4/net/sunrpc/sched.c 2010-09-17 20:12:09.000000000 -0400
55113@@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
55114 #ifdef RPC_DEBUG
55115 static void rpc_task_set_debuginfo(struct rpc_task *task)
55116 {
55117- static atomic_t rpc_pid;
55118+ static atomic_unchecked_t rpc_pid;
55119
55120- task->tk_pid = atomic_inc_return(&rpc_pid);
55121+ task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
55122 }
55123 #else
55124 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
55125diff -urNp linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c
55126--- linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c 2010-08-26 19:47:12.000000000 -0400
55127+++ linux-2.6.35.4/net/sunrpc/xprtrdma/svc_rdma.c 2010-09-17 20:12:37.000000000 -0400
df50ba0c 55128@@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
ae4e228f
MT		 55129 len -= *ppos;
55130 if (len > *lenp)
55131 len = *lenp;
55132- if (len && copy_to_user(buffer, str_buf, len))
55133+ if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
55134 return -EFAULT;
55135 *lenp = len;
55136 *ppos += len;
57199397
MT		 55137diff -urNp linux-2.6.35.4/net/sysctl_net.c linux-2.6.35.4/net/sysctl_net.c
55138--- linux-2.6.35.4/net/sysctl_net.c 2010-08-26 19:47:12.000000000 -0400
55139+++ linux-2.6.35.4/net/sysctl_net.c 2010-09-17 20:12:37.000000000 -0400
ae4e228f
MT		 55140@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
55141 struct ctl_table *table)
55142 {
55143 /* Allow network administrator to have same access as root. */
55144- if (capable(CAP_NET_ADMIN)) {
55145+ if (capable_nolog(CAP_NET_ADMIN)) {
55146 int mode = (table->mode >> 6) & 7;
55147 return (mode << 6) | (mode << 3) | mode;
55148 }
57199397
MT		 55149diff -urNp linux-2.6.35.4/net/tipc/socket.c linux-2.6.35.4/net/tipc/socket.c
55150--- linux-2.6.35.4/net/tipc/socket.c 2010-08-26 19:47:12.000000000 -0400
55151+++ linux-2.6.35.4/net/tipc/socket.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 55152@@ -1451,8 +1451,9 @@ static int connect(struct socket *sock,
55153 } else {
55154 if (res == 0)
55155 res = -ETIMEDOUT;
55156- else
55157- ; /* leave "res" unchanged */
55158+ else {
55159+ /* leave "res" unchanged */
55160+ }
55161 sock->state = SS_DISCONNECTING;
55162 }
55163
57199397
MT		 55164diff -urNp linux-2.6.35.4/net/unix/af_unix.c linux-2.6.35.4/net/unix/af_unix.c
55165--- linux-2.6.35.4/net/unix/af_unix.c 2010-08-26 19:47:12.000000000 -0400
55166+++ linux-2.6.35.4/net/unix/af_unix.c 2010-09-17 20:12:37.000000000 -0400
55167@@ -736,6 +736,12 @@ static struct sock *unix_find_other(stru
58c5fc13
MT		 55168 err = -ECONNREFUSED;
55169 if (!S_ISSOCK(inode->i_mode))
55170 goto put_fail;
55171+
55172+ if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
55173+ err = -EACCES;
55174+ goto put_fail;
55175+ }
55176+
55177 u = unix_find_socket_byinode(net, inode);
55178 if (!u)
55179 goto put_fail;
57199397 55180@@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
58c5fc13
MT		 55181 if (u) {
55182 struct dentry *dentry;
55183 dentry = unix_sk(u)->dentry;
55184+
55185+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
55186+ err = -EPERM;
55187+ sock_put(u);
55188+ goto fail;
55189+ }
55190+
55191 if (dentry)
55192 touch_atime(unix_sk(u)->mnt, dentry);
55193 } else
57199397 55194@@ -841,11 +854,18 @@ static int unix_bind(struct socket *sock
58c5fc13
MT		 55195 err = security_path_mknod(&nd.path, dentry, mode, 0);
55196 if (err)
55197 goto out_mknod_drop_write;
55198+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
55199+ err = -EACCES;
55200+ goto out_mknod_drop_write;
55201+ }
55202 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
55203 out_mknod_drop_write:
55204 mnt_drop_write(nd.path.mnt);
55205 if (err)
55206 goto out_mknod_dput;
55207+
55208+ gr_handle_create(dentry, nd.path.mnt);
55209+
55210 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
55211 dput(nd.path.dentry);
55212 nd.path.dentry = dentry;
57199397 55213@@ -863,6 +883,10 @@ out_mknod_drop_write:
58c5fc13
MT		 55214 goto out_unlock;
55215 }
55216
55217+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55218+ sk->sk_peercred.pid = current->pid;
55219+#endif
55220+
55221 list = &unix_socket_table[addr->hash];
55222 } else {
55223 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
57199397
MT		 55224@@ -2161,7 +2185,11 @@ static int unix_seq_show(struct seq_file
55225 unix_state_lock(s);
55226
55227 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
55228+#ifdef CONFIG_GRKERNSEC_HIDESYM
55229+ NULL,
55230+#else
55231 s,
55232+#endif
55233 atomic_read(&s->sk_refcnt),
55234 0,
55235 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
55236diff -urNp linux-2.6.35.4/net/wireless/reg.c linux-2.6.35.4/net/wireless/reg.c
55237--- linux-2.6.35.4/net/wireless/reg.c 2010-08-26 19:47:12.000000000 -0400
55238+++ linux-2.6.35.4/net/wireless/reg.c 2010-09-17 20:12:09.000000000 -0400
55239@@ -50,7 +50,7 @@
55240 printk(KERN_DEBUG format , ## args); \
55241 } while (0)
55242 #else
55243-#define REG_DBG_PRINT(args...)
55244+#define REG_DBG_PRINT(args...) do {} while (0)
55245 #endif
55246
55247 /* Receipt of information from last regulatory request */
55248diff -urNp linux-2.6.35.4/net/wireless/wext-core.c linux-2.6.35.4/net/wireless/wext-core.c
55249--- linux-2.6.35.4/net/wireless/wext-core.c 2010-08-26 19:47:12.000000000 -0400
55250+++ linux-2.6.35.4/net/wireless/wext-core.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c
MT		 55251@@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
55252 */
55253
55254 /* Support for very large requests */
55255- if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
55256- (user_length > descr->max_tokens)) {
55257+ if (user_length > descr->max_tokens) {
55258 /* Allow userspace to GET more than max so
55259 * we can support any size GET requests.
55260 * There is still a limit : -ENOMEM.
57199397
MT		 55261diff -urNp linux-2.6.35.4/net/xfrm/xfrm_policy.c linux-2.6.35.4/net/xfrm/xfrm_policy.c
55262--- linux-2.6.35.4/net/xfrm/xfrm_policy.c 2010-08-26 19:47:12.000000000 -0400
55263+++ linux-2.6.35.4/net/xfrm/xfrm_policy.c 2010-09-17 20:12:09.000000000 -0400
55264@@ -1502,7 +1502,7 @@ free_dst:
df50ba0c
MT		 55265 goto out;
55266 }
55267
55268-static int inline
55269+static inline int
55270 xfrm_dst_alloc_copy(void **target, void *src, int size)
55271 {
55272 if (!*target) {
57199397 55273@@ -1514,7 +1514,7 @@ xfrm_dst_alloc_copy(void **target, void
df50ba0c 55274 return 0;
58c5fc13
MT		 55275 }
55276
df50ba0c
MT		 55277-static int inline
55278+static inline int
55279 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
55280 {
55281 #ifdef CONFIG_XFRM_SUB_POLICY
57199397 55282@@ -1526,7 +1526,7 @@ xfrm_dst_update_parent(struct dst_entry
df50ba0c
MT		 55283 #endif
55284 }
55285
55286-static int inline
55287+static inline int
55288 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
55289 {
55290 #ifdef CONFIG_XFRM_SUB_POLICY
57199397
MT		 55291diff -urNp linux-2.6.35.4/scripts/basic/fixdep.c linux-2.6.35.4/scripts/basic/fixdep.c
55292--- linux-2.6.35.4/scripts/basic/fixdep.c 2010-08-26 19:47:12.000000000 -0400
55293+++ linux-2.6.35.4/scripts/basic/fixdep.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 55294@@ -222,9 +222,9 @@ static void use_config(char *m, int slen
58c5fc13 55295
ae4e228f 55296 static void parse_config_file(char *map, size_t len)
58c5fc13
MT		 55297 {
55298- int *end = (int *) (map + len);
55299+ unsigned int *end = (unsigned int *) (map + len);
55300 /* start at +1, so that p can never be < map */
55301- int *m = (int *) map + 1;
55302+ unsigned int *m = (unsigned int *) map + 1;
55303 char *p, *q;
55304
55305 for (; m < end; m++) {
ae4e228f
MT		 55306@@ -371,7 +371,7 @@ static void print_deps(void)
55307 static void traps(void)
58c5fc13
MT		 55308 {
55309 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
55310- int *p = (int *)test;
55311+ unsigned int *p = (unsigned int *)test;
55312
55313 if (*p != INT_CONF) {
55314 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
57199397
MT		 55315diff -urNp linux-2.6.35.4/scripts/kallsyms.c linux-2.6.35.4/scripts/kallsyms.c
55316--- linux-2.6.35.4/scripts/kallsyms.c 2010-08-26 19:47:12.000000000 -0400
55317+++ linux-2.6.35.4/scripts/kallsyms.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 55318@@ -43,10 +43,10 @@ struct text_range {
55319
55320 static unsigned long long _text;
55321 static struct text_range text_ranges[] = {
55322- { "_stext", "_etext" },
55323- { "_sinittext", "_einittext" },
55324- { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
55325- { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
55326+ { "_stext", "_etext", 0, 0 },
55327+ { "_sinittext", "_einittext", 0, 0 },
55328+ { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
55329+ { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
55330 };
55331 #define text_range_text (&text_ranges[0])
55332 #define text_range_inittext (&text_ranges[1])
57199397
MT		 55333diff -urNp linux-2.6.35.4/scripts/mod/file2alias.c linux-2.6.35.4/scripts/mod/file2alias.c
55334--- linux-2.6.35.4/scripts/mod/file2alias.c 2010-08-26 19:47:12.000000000 -0400
55335+++ linux-2.6.35.4/scripts/mod/file2alias.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 55336@@ -72,7 +72,7 @@ static void device_id_check(const char *
55337 unsigned long size, unsigned long id_size,
55338 void *symval)
55339 {
55340- int i;
55341+ unsigned int i;
55342
55343 if (size % id_size || size < id_size) {
55344 if (cross_build != 0)
55345@@ -102,7 +102,7 @@ static void device_id_check(const char *
55346 /* USB is special because the bcdDevice can be matched against a numeric range */
55347 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
55348 static void do_usb_entry(struct usb_device_id *id,
55349- unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
55350+ unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
55351 unsigned char range_lo, unsigned char range_hi,
ae4e228f 55352 unsigned char max, struct module *mod)
58c5fc13 55353 {
ae4e228f 55354@@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
58c5fc13
MT		 55355 for (i = 0; i < count; i++) {
55356 const char *id = (char *)devs[i].id;
55357 char acpi_id[sizeof(devs[0].id)];
55358- int j;
55359+ unsigned int j;
55360
55361 buf_printf(&mod->dev_table_buf,
55362 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
ae4e228f 55363@@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
58c5fc13
MT		 55364
55365 for (j = 0; j < PNP_MAX_DEVICES; j++) {
55366 const char *id = (char *)card->devs[j].id;
55367- int i2, j2;
55368+ unsigned int i2, j2;
55369 int dup = 0;
55370
55371 if (!id[0])
ae4e228f 55372@@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
58c5fc13
MT		 55373 /* add an individual alias for every device entry */
55374 if (!dup) {
55375 char acpi_id[sizeof(card->devs[0].id)];
55376- int k;
55377+ unsigned int k;
55378
55379 buf_printf(&mod->dev_table_buf,
55380 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
ae4e228f 55381@@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
58c5fc13
MT		 55382 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
55383 char *alias)
55384 {
55385- int i, j;
55386+ unsigned int i, j;
55387
55388 sprintf(alias, "dmi*");
55389
57199397
MT		 55390diff -urNp linux-2.6.35.4/scripts/mod/modpost.c linux-2.6.35.4/scripts/mod/modpost.c
55391--- linux-2.6.35.4/scripts/mod/modpost.c 2010-08-26 19:47:12.000000000 -0400
55392+++ linux-2.6.35.4/scripts/mod/modpost.c 2010-09-17 20:12:09.000000000 -0400
55393@@ -846,6 +846,7 @@ enum mismatch {
55394 ANY_INIT_TO_ANY_EXIT,
55395 ANY_EXIT_TO_ANY_INIT,
58c5fc13
MT		 55396 EXPORT_TO_INIT_EXIT,
55397+ DATA_TO_TEXT
55398 };
55399
55400 struct sectioncheck {
57199397 55401@@ -954,6 +955,12 @@ const struct sectioncheck sectioncheck[]
58c5fc13 55402 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
57199397
MT		 55403 .mismatch = EXPORT_TO_INIT_EXIT,
55404 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
58c5fc13
MT		 55405+},
55406+/* Do not reference code from writable data */
55407+{
55408+ .fromsec = { DATA_SECTIONS, NULL },
55409+ .tosec = { TEXT_SECTIONS, NULL },
55410+ .mismatch = DATA_TO_TEXT
55411 }
55412 };
55413
57199397 55414@@ -1060,10 +1067,10 @@ static Elf_Sym *find_elf_symbol(struct e
58c5fc13
MT		 55415 continue;
55416 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
55417 continue;
55418- if (sym->st_value == addr)
55419- return sym;
55420 /* Find a symbol nearby - addr are maybe negative */
55421 d = sym->st_value - addr;
55422+ if (d == 0)
55423+ return sym;
55424 if (d < 0)
55425 d = addr - sym->st_value;
55426 if (d < distance) {
57199397 55427@@ -1306,6 +1313,14 @@ static void report_sec_mismatch(const ch
58c5fc13
MT		 55428 "or drop the export.\n",
55429 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
57199397 55430 break;
58c5fc13
MT		 55431+ case DATA_TO_TEXT:
55432+/*
55433+ fprintf(stderr,
55434+ "The variable %s references\n"
55435+ "the %s %s%s%s\n",
55436+ fromsym, to, sec2annotation(tosec), tosym, to_p);
55437+*/
55438+ break;
57199397
MT		 55439 }
55440 fprintf(stderr, "\n");
55441 }
55442@@ -1629,7 +1644,7 @@ void __attribute__((format(printf, 2, 3)
58c5fc13
MT		 55443 va_end(ap);
55444 }
55445
55446-void buf_write(struct buffer *buf, const char *s, int len)
55447+void buf_write(struct buffer *buf, const char *s, unsigned int len)
55448 {
55449 if (buf->size - buf->pos < len) {
55450 buf->size += len + SZ;
57199397 55451@@ -1841,7 +1856,7 @@ static void write_if_changed(struct buff
58c5fc13
MT		 55452 if (fstat(fileno(file), &st) < 0)
55453 goto close_write;
55454
55455- if (st.st_size != b->pos)
55456+ if (st.st_size != (off_t)b->pos)
55457 goto close_write;
55458
55459 tmp = NOFAIL(malloc(b->pos));
57199397
MT		 55460diff -urNp linux-2.6.35.4/scripts/mod/modpost.h linux-2.6.35.4/scripts/mod/modpost.h
55461--- linux-2.6.35.4/scripts/mod/modpost.h 2010-08-26 19:47:12.000000000 -0400
55462+++ linux-2.6.35.4/scripts/mod/modpost.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 55463@@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
55464
55465 struct buffer {
55466 char *p;
55467- int pos;
55468- int size;
55469+ unsigned int pos;
55470+ unsigned int size;
55471 };
55472
55473 void __attribute__((format(printf, 2, 3)))
55474 buf_printf(struct buffer *buf, const char *fmt, ...);
55475
55476 void
55477-buf_write(struct buffer *buf, const char *s, int len);
55478+buf_write(struct buffer *buf, const char *s, unsigned int len);
55479
55480 struct module {
55481 struct module *next;
57199397
MT		 55482diff -urNp linux-2.6.35.4/scripts/mod/sumversion.c linux-2.6.35.4/scripts/mod/sumversion.c
55483--- linux-2.6.35.4/scripts/mod/sumversion.c 2010-08-26 19:47:12.000000000 -0400
55484+++ linux-2.6.35.4/scripts/mod/sumversion.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f 55485@@ -455,7 +455,7 @@ static void write_version(const char *fi
58c5fc13
MT		 55486 goto out;
55487 }
55488
55489- if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
55490+ if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
55491 warn("writing sum in %s failed: %s\n",
55492 filename, strerror(errno));
55493 goto out;
57199397
MT		 55494diff -urNp linux-2.6.35.4/scripts/pnmtologo.c linux-2.6.35.4/scripts/pnmtologo.c
55495--- linux-2.6.35.4/scripts/pnmtologo.c 2010-08-26 19:47:12.000000000 -0400
55496+++ linux-2.6.35.4/scripts/pnmtologo.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 55497@@ -237,14 +237,14 @@ static void write_header(void)
55498 fprintf(out, " * Linux logo %s\n", logoname);
55499 fputs(" */\n\n", out);
55500 fputs("#include <linux/linux_logo.h>\n\n", out);
55501- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
55502+ fprintf(out, "static unsigned char %s_data[] = {\n",
55503 logoname);
55504 }
55505
55506 static void write_footer(void)
55507 {
55508 fputs("\n};\n\n", out);
55509- fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
55510+ fprintf(out, "const struct linux_logo %s = {\n", logoname);
55511 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
55512 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
55513 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
55514@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
55515 fputs("\n};\n\n", out);
55516
55517 /* write logo clut */
55518- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
55519+ fprintf(out, "static unsigned char %s_clut[] = {\n",
55520 logoname);
55521 write_hex_cnt = 0;
55522 for (i = 0; i < logo_clutsize; i++) {
57199397
MT		 55523diff -urNp linux-2.6.35.4/security/commoncap.c linux-2.6.35.4/security/commoncap.c
55524--- linux-2.6.35.4/security/commoncap.c 2010-08-26 19:47:12.000000000 -0400
55525+++ linux-2.6.35.4/security/commoncap.c 2010-09-17 20:12:37.000000000 -0400
55526@@ -28,6 +28,7 @@
55527 #include <linux/prctl.h>
55528 #include <linux/securebits.h>
55529 #include <linux/syslog.h>
55530+#include <net/sock.h>
55531
55532 /*
55533 * If a non-root user executes a setuid-root binary in
55534@@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
55535 }
55536 }
55537
55538+extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
55539+
55540 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
55541 {
55542- NETLINK_CB(skb).eff_cap = current_cap();
55543+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
55544 return 0;
55545 }
55546
55547diff -urNp linux-2.6.35.4/security/integrity/ima/ima_api.c linux-2.6.35.4/security/integrity/ima/ima_api.c
55548--- linux-2.6.35.4/security/integrity/ima/ima_api.c 2010-08-26 19:47:12.000000000 -0400
55549+++ linux-2.6.35.4/security/integrity/ima/ima_api.c 2010-09-17 20:12:09.000000000 -0400
55550@@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
55551 int result;
55552
55553 /* can overflow, only indicator */
55554- atomic_long_inc(&ima_htable.violations);
55555+ atomic_long_inc_unchecked(&ima_htable.violations);
55556
55557 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
55558 if (!entry) {
55559diff -urNp linux-2.6.35.4/security/integrity/ima/ima_fs.c linux-2.6.35.4/security/integrity/ima/ima_fs.c
55560--- linux-2.6.35.4/security/integrity/ima/ima_fs.c 2010-08-26 19:47:12.000000000 -0400
55561+++ linux-2.6.35.4/security/integrity/ima/ima_fs.c 2010-09-17 20:12:09.000000000 -0400
55562@@ -28,12 +28,12 @@
55563 static int valid_policy = 1;
55564 #define TMPBUFLEN 12
55565 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
55566- loff_t *ppos, atomic_long_t *val)
55567+ loff_t *ppos, atomic_long_unchecked_t *val)
55568 {
55569 char tmpbuf[TMPBUFLEN];
55570 ssize_t len;
55571
55572- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
55573+ len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
55574 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
55575 }
55576
55577diff -urNp linux-2.6.35.4/security/integrity/ima/ima.h linux-2.6.35.4/security/integrity/ima/ima.h
55578--- linux-2.6.35.4/security/integrity/ima/ima.h 2010-08-26 19:47:12.000000000 -0400
55579+++ linux-2.6.35.4/security/integrity/ima/ima.h 2010-09-17 20:12:09.000000000 -0400
55580@@ -83,8 +83,8 @@ void ima_add_violation(struct inode *ino
55581 extern spinlock_t ima_queue_lock;
55582
55583 struct ima_h_table {
55584- atomic_long_t len; /* number of stored measurements in the list */
55585- atomic_long_t violations;
55586+ atomic_long_unchecked_t len; /* number of stored measurements in the list */
55587+ atomic_long_unchecked_t violations;
55588 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
55589 };
55590 extern struct ima_h_table ima_htable;
55591diff -urNp linux-2.6.35.4/security/integrity/ima/ima_queue.c linux-2.6.35.4/security/integrity/ima/ima_queue.c
55592--- linux-2.6.35.4/security/integrity/ima/ima_queue.c 2010-08-26 19:47:12.000000000 -0400
55593+++ linux-2.6.35.4/security/integrity/ima/ima_queue.c 2010-09-17 20:12:09.000000000 -0400
55594@@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
55595 INIT_LIST_HEAD(&qe->later);
55596 list_add_tail_rcu(&qe->later, &ima_measurements);
55597
55598- atomic_long_inc(&ima_htable.len);
55599+ atomic_long_inc_unchecked(&ima_htable.len);
55600 key = ima_hash_key(entry->digest);
55601 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
55602 return 0;
55603diff -urNp linux-2.6.35.4/security/Kconfig linux-2.6.35.4/security/Kconfig
55604--- linux-2.6.35.4/security/Kconfig 2010-08-26 19:47:12.000000000 -0400
55605+++ linux-2.6.35.4/security/Kconfig 2010-09-17 20:12:37.000000000 -0400
55606@@ -4,6 +4,505 @@
58c5fc13
MT		 55607
55608 menu "Security options"
55609
55610+source grsecurity/Kconfig
55611+
55612+menu "PaX"
55613+
df50ba0c
MT		 55614+ config PAX_PER_CPU_PGD
55615+ bool
55616+
55617+ config TASK_SIZE_MAX_SHIFT
55618+ int
55619+ depends on X86_64
55620+ default 47 if !PAX_PER_CPU_PGD
55621+ default 42 if PAX_PER_CPU_PGD
55622+
57199397
MT		 55623+ config PAX_ENABLE_PAE
55624+ bool
55625+ default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
55626+
58c5fc13
MT		 55627+config PAX
55628+ bool "Enable various PaX features"
57199397 55629+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
58c5fc13
MT		 55630+ help
55631+ This allows you to enable various PaX features. PaX adds
55632+ intrusion prevention mechanisms to the kernel that reduce
55633+ the risks posed by exploitable memory corruption bugs.
55634+
55635+menu "PaX Control"
55636+ depends on PAX
55637+
55638+config PAX_SOFTMODE
55639+ bool 'Support soft mode'
ae4e228f 55640+ select PAX_PT_PAX_FLAGS
58c5fc13
MT		 55641+ help
55642+ Enabling this option will allow you to run PaX in soft mode, that
55643+ is, PaX features will not be enforced by default, only on executables
55644+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
55645+ is the only way to mark executables for soft mode use.
55646+
55647+ Soft mode can be activated by using the "pax_softmode=1" kernel command
55648+ line option on boot. Furthermore you can control various PaX features
55649+ at runtime via the entries in /proc/sys/kernel/pax.
55650+
55651+config PAX_EI_PAX
55652+ bool 'Use legacy ELF header marking'
55653+ help
55654+ Enabling this option will allow you to control PaX features on
55655+ a per executable basis via the 'chpax' utility available at
55656+ http://pax.grsecurity.net/. The control flags will be read from
55657+ an otherwise reserved part of the ELF header. This marking has
55658+ numerous drawbacks (no support for soft-mode, toolchain does not
55659+ know about the non-standard use of the ELF header) therefore it
55660+ has been deprecated in favour of PT_PAX_FLAGS support.
55661+
55662+ If you have applications not marked by the PT_PAX_FLAGS ELF
55663+ program header then you MUST enable this option otherwise they
55664+ will not get any protection.
55665+
55666+ Note that if you enable PT_PAX_FLAGS marking support as well,
55667+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
55668+
55669+config PAX_PT_PAX_FLAGS
55670+ bool 'Use ELF program header marking'
55671+ help
55672+ Enabling this option will allow you to control PaX features on
55673+ a per executable basis via the 'paxctl' utility available at
55674+ http://pax.grsecurity.net/. The control flags will be read from
55675+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
55676+ has the benefits of supporting both soft mode and being fully
55677+ integrated into the toolchain (the binutils patch is available
55678+ from http://pax.grsecurity.net).
55679+
55680+ If you have applications not marked by the PT_PAX_FLAGS ELF
55681+ program header then you MUST enable the EI_PAX marking support
55682+ otherwise they will not get any protection.
55683+
55684+ Note that if you enable the legacy EI_PAX marking support as well,
55685+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
55686+
55687+choice
55688+ prompt 'MAC system integration'
55689+ default PAX_HAVE_ACL_FLAGS
55690+ help
55691+ Mandatory Access Control systems have the option of controlling
55692+ PaX flags on a per executable basis, choose the method supported
55693+ by your particular system.
55694+
55695+ - "none": if your MAC system does not interact with PaX,
55696+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
55697+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
55698+
55699+ NOTE: this option is for developers/integrators only.
55700+
55701+ config PAX_NO_ACL_FLAGS
55702+ bool 'none'
55703+
55704+ config PAX_HAVE_ACL_FLAGS
55705+ bool 'direct'
55706+
55707+ config PAX_HOOK_ACL_FLAGS
55708+ bool 'hook'
55709+endchoice
55710+
55711+endmenu
55712+
55713+menu "Non-executable pages"
55714+ depends on PAX
55715+
55716+config PAX_NOEXEC
55717+ bool "Enforce non-executable pages"
ae4e228f 55718+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
58c5fc13
MT		 55719+ help
55720+ By design some architectures do not allow for protecting memory
55721+ pages against execution or even if they do, Linux does not make
55722+ use of this feature. In practice this means that if a page is
55723+ readable (such as the stack or heap) it is also executable.
55724+
55725+ There is a well known exploit technique that makes use of this
55726+ fact and a common programming mistake where an attacker can
55727+ introduce code of his choice somewhere in the attacked program's
55728+ memory (typically the stack or the heap) and then execute it.
55729+
55730+ If the attacked program was running with different (typically
55731+ higher) privileges than that of the attacker, then he can elevate
55732+ his own privilege level (e.g. get a root shell, write to files for
55733+ which he does not have write access to, etc).
55734+
55735+ Enabling this option will let you choose from various features
55736+ that prevent the injection and execution of 'foreign' code in
55737+ a program.
55738+
55739+ This will also break programs that rely on the old behaviour and
55740+ expect that dynamically allocated memory via the malloc() family
55741+ of functions is executable (which it is not). Notable examples
55742+ are the XFree86 4.x server, the java runtime and wine.
55743+
55744+config PAX_PAGEEXEC
55745+ bool "Paging based non-executable pages"
57199397 55746+ depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
ae4e228f
MT		 55747+ select S390_SWITCH_AMODE if S390
55748+ select S390_EXEC_PROTECT if S390
58c5fc13
MT		 55749+ help
55750+ This implementation is based on the paging feature of the CPU.
55751+ On i386 without hardware non-executable bit support there is a
55752+ variable but usually low performance impact, however on Intel's
55753+ P4 core based CPUs it is very high so you should not enable this
55754+ for kernels meant to be used on such CPUs.
55755+
55756+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
55757+ with hardware non-executable bit support there is no performance
55758+ impact, on ppc the impact is negligible.
55759+
55760+ Note that several architectures require various emulations due to
55761+ badly designed userland ABIs, this will cause a performance impact
55762+ but will disappear as soon as userland is fixed. For example, ppc
55763+ userland MUST have been built with secure-plt by a recent toolchain.
55764+
55765+config PAX_SEGMEXEC
55766+ bool "Segmentation based non-executable pages"
55767+ depends on PAX_NOEXEC && X86_32
55768+ help
55769+ This implementation is based on the segmentation feature of the
55770+ CPU and has a very small performance impact, however applications
55771+ will be limited to a 1.5 GB address space instead of the normal
55772+ 3 GB.
55773+
55774+config PAX_EMUTRAMP
55775+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
55776+ default y if PARISC
55777+ help
55778+ There are some programs and libraries that for one reason or
55779+ another attempt to execute special small code snippets from
55780+ non-executable memory pages. Most notable examples are the
55781+ signal handler return code generated by the kernel itself and
55782+ the GCC trampolines.
55783+
55784+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
55785+ such programs will no longer work under your kernel.
55786+
55787+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
55788+ utilities to enable trampoline emulation for the affected programs
55789+ yet still have the protection provided by the non-executable pages.
55790+
55791+ On parisc you MUST enable this option and EMUSIGRT as well, otherwise
55792+ your system will not even boot.
55793+
55794+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
55795+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
55796+ for the affected files.
55797+
55798+ NOTE: enabling this feature *may* open up a loophole in the
55799+ protection provided by non-executable pages that an attacker
55800+ could abuse. Therefore the best solution is to not have any
55801+ files on your system that would require this option. This can
55802+ be achieved by not using libc5 (which relies on the kernel
55803+ signal handler return code) and not using or rewriting programs
55804+ that make use of the nested function implementation of GCC.
55805+ Skilled users can just fix GCC itself so that it implements
55806+ nested function calls in a way that does not interfere with PaX.
55807+
55808+config PAX_EMUSIGRT
55809+ bool "Automatically emulate sigreturn trampolines"
55810+ depends on PAX_EMUTRAMP && PARISC
55811+ default y
55812+ help
55813+ Enabling this option will have the kernel automatically detect
55814+ and emulate signal return trampolines executing on the stack
55815+ that would otherwise lead to task termination.
55816+
55817+ This solution is intended as a temporary one for users with
55818+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
55819+ Modula-3 runtime, etc) or executables linked to such, basically
55820+ everything that does not specify its own SA_RESTORER function in
55821+ normal executable memory like glibc 2.1+ does.
55822+
55823+ On parisc you MUST enable this option, otherwise your system will
55824+ not even boot.
55825+
55826+ NOTE: this feature cannot be disabled on a per executable basis
55827+ and since it *does* open up a loophole in the protection provided
55828+ by non-executable pages, the best solution is to not have any
55829+ files on your system that would require this option.
55830+
55831+config PAX_MPROTECT
55832+ bool "Restrict mprotect()"
55833+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
55834+ help
55835+ Enabling this option will prevent programs from
55836+ - changing the executable status of memory pages that were
55837+ not originally created as executable,
55838+ - making read-only executable pages writable again,
57199397
MT		 55839+ - creating executable pages from anonymous memory,
55840+ - making read-only-after-relocations (RELRO) data pages writable again.
58c5fc13
MT		 55841+
55842+ You should say Y here to complete the protection provided by
55843+ the enforcement of non-executable pages.
55844+
55845+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55846+ this feature on a per file basis.
55847+
57199397
MT		 55848+config PAX_ELFRELOCS
55849+ bool "Allow ELF text relocations (read help)"
55850+ depends on PAX_MPROTECT
55851+ default n
58c5fc13
MT		 55852+ help
55853+ Non-executable pages and mprotect() restrictions are effective
55854+ in preventing the introduction of new executable code into an
55855+ attacked task's address space. There remain only two venues
55856+ for this kind of attack: if the attacker can execute already
55857+ existing code in the attacked task then he can either have it
55858+ create and mmap() a file containing his code or have it mmap()
55859+ an already existing ELF library that does not have position
55860+ independent code in it and use mprotect() on it to make it
55861+ writable and copy his code there. While protecting against
55862+ the former approach is beyond PaX, the latter can be prevented
55863+ by having only PIC ELF libraries on one's system (which do not
55864+ need to relocate their code). If you are sure this is your case,
57199397
MT		 55865+ as is the case with all modern Linux distributions, then leave
55866+ this option disabled. You should say 'n' here.
58c5fc13
MT		 55867+
55868+config PAX_ETEXECRELOCS
55869+ bool "Allow ELF ET_EXEC text relocations"
55870+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
57199397 55871+ select PAX_ELFRELOCS
58c5fc13
MT		 55872+ default y
55873+ help
55874+ On some architectures there are incorrectly created applications
55875+ that require text relocations and would not work without enabling
55876+ this option. If you are an alpha, ia64 or parisc user, you should
55877+ enable this option and disable it once you have made sure that
55878+ none of your applications need it.
55879+
55880+config PAX_EMUPLT
55881+ bool "Automatically emulate ELF PLT"
ae4e228f 55882+ depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
58c5fc13
MT		 55883+ default y
55884+ help
55885+ Enabling this option will have the kernel automatically detect
55886+ and emulate the Procedure Linkage Table entries in ELF files.
55887+ On some architectures such entries are in writable memory, and
55888+ become non-executable leading to task termination. Therefore
55889+ it is mandatory that you enable this option on alpha, parisc,
55890+ sparc and sparc64, otherwise your system would not even boot.
55891+
55892+ NOTE: this feature *does* open up a loophole in the protection
55893+ provided by the non-executable pages, therefore the proper
55894+ solution is to modify the toolchain to produce a PLT that does
55895+ not need to be writable.
55896+
55897+config PAX_DLRESOLVE
55898+ bool 'Emulate old glibc resolver stub'
ae4e228f 55899+ depends on PAX_EMUPLT && SPARC
58c5fc13
MT		 55900+ default n
55901+ help
55902+ This option is needed if userland has an old glibc (before 2.4)
55903+ that puts a 'save' instruction into the runtime generated resolver
55904+ stub that needs special emulation.
55905+
55906+config PAX_KERNEXEC
55907+ bool "Enforce non-executable kernel pages"
ae4e228f 55908+ depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
df50ba0c 55909+ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
58c5fc13
MT		 55910+ help
55911+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
55912+ that is, enabling this option will make it harder to inject
55913+ and execute 'foreign' code in kernel memory itself.
55914+
ae4e228f
MT		 55915+config PAX_KERNEXEC_MODULE_TEXT
55916+ int "Minimum amount of memory reserved for module code"
55917+ default "4"
55918+ depends on PAX_KERNEXEC && X86_32 && MODULES
55919+ help
55920+ Due to implementation details the kernel must reserve a fixed
55921+ amount of memory for module code at compile time that cannot be
55922+ changed at runtime. Here you can specify the minimum amount
55923+ in MB that will be reserved. Due to the same implementation
55924+ details this size will always be rounded up to the next 2/4 MB
55925+ boundary (depends on PAE) so the actually available memory for
55926+ module code will usually be more than this minimum.
55927+
55928+ The default 4 MB should be enough for most users but if you have
55929+ an excessive number of modules (e.g., most distribution configs
55930+ compile many drivers as modules) or use huge modules such as
55931+ nvidia's kernel driver, you will need to adjust this amount.
55932+ A good rule of thumb is to look at your currently loaded kernel
55933+ modules and add up their sizes.
55934+
58c5fc13
MT		 55935+endmenu
55936+
55937+menu "Address Space Layout Randomization"
55938+ depends on PAX
55939+
55940+config PAX_ASLR
55941+ bool "Address Space Layout Randomization"
55942+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
55943+ help
55944+ Many if not most exploit techniques rely on the knowledge of
55945+ certain addresses in the attacked program. The following options
55946+ will allow the kernel to apply a certain amount of randomization
55947+ to specific parts of the program thereby forcing an attacker to
55948+ guess them in most cases. Any failed guess will most likely crash
55949+ the attacked program which allows the kernel to detect such attempts
55950+ and react on them. PaX itself provides no reaction mechanisms,
55951+ instead it is strongly encouraged that you make use of Nergal's
55952+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
55953+ (http://www.grsecurity.net/) built-in crash detection features or
55954+ develop one yourself.
55955+
55956+ By saying Y here you can choose to randomize the following areas:
55957+ - top of the task's kernel stack
55958+ - top of the task's userland stack
55959+ - base address for mmap() requests that do not specify one
55960+ (this includes all libraries)
55961+ - base address of the main executable
55962+
55963+ It is strongly recommended to say Y here as address space layout
55964+ randomization has negligible impact on performance yet it provides
55965+ a very effective protection.
55966+
55967+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55968+ this feature on a per file basis.
55969+
55970+config PAX_RANDKSTACK
55971+ bool "Randomize kernel stack base"
55972+ depends on PAX_ASLR && X86_TSC && X86_32
55973+ help
55974+ By saying Y here the kernel will randomize every task's kernel
55975+ stack on every system call. This will not only force an attacker
55976+ to guess it but also prevent him from making use of possible
55977+ leaked information about it.
55978+
55979+ Since the kernel stack is a rather scarce resource, randomization
55980+ may cause unexpected stack overflows, therefore you should very
55981+ carefully test your system. Note that once enabled in the kernel
55982+ configuration, this feature cannot be disabled on a per file basis.
55983+
55984+config PAX_RANDUSTACK
55985+ bool "Randomize user stack base"
55986+ depends on PAX_ASLR
55987+ help
55988+ By saying Y here the kernel will randomize every task's userland
55989+ stack. The randomization is done in two steps where the second
55990+ one may apply a big amount of shift to the top of the stack and
55991+ cause problems for programs that want to use lots of memory (more
55992+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
55993+ For this reason the second step can be controlled by 'chpax' or
55994+ 'paxctl' on a per file basis.
55995+
55996+config PAX_RANDMMAP
55997+ bool "Randomize mmap() base"
55998+ depends on PAX_ASLR
55999+ help
56000+ By saying Y here the kernel will use a randomized base address for
56001+ mmap() requests that do not specify one themselves. As a result
56002+ all dynamically loaded libraries will appear at random addresses
56003+ and therefore be harder to exploit by a technique where an attacker
56004+ attempts to execute library code for his purposes (e.g. spawn a
56005+ shell from an exploited program that is running at an elevated
56006+ privilege level).
56007+
56008+ Furthermore, if a program is relinked as a dynamic ELF file, its
56009+ base address will be randomized as well, completing the full
56010+ randomization of the address space layout. Attacking such programs
56011+ becomes a guess game. You can find an example of doing this at
56012+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
56013+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
56014+
56015+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
56016+ feature on a per file basis.
56017+
56018+endmenu
56019+
56020+menu "Miscellaneous hardening features"
56021+
56022+config PAX_MEMORY_SANITIZE
56023+ bool "Sanitize all freed memory"
56024+ help
56025+ By saying Y here the kernel will erase memory pages as soon as they
56026+ are freed. This in turn reduces the lifetime of data stored in the
56027+ pages, making it less likely that sensitive information such as
56028+ passwords, cryptographic secrets, etc stay in memory for too long.
56029+
56030+ This is especially useful for programs whose runtime is short, long
56031+ lived processes and the kernel itself benefit from this as long as
56032+ they operate on whole memory pages and ensure timely freeing of pages
56033+ that may hold sensitive information.
56034+
56035+ The tradeoff is performance impact, on a single CPU system kernel
56036+ compilation sees a 3% slowdown, other systems and workloads may vary
56037+ and you are advised to test this feature on your expected workload
56038+ before deploying it.
56039+
56040+ Note that this feature does not protect data stored in live pages,
56041+ e.g., process memory swapped to disk may stay there for a long time.
56042+
56043+config PAX_MEMORY_UDEREF
56044+ bool "Prevent invalid userland pointer dereference"
df50ba0c
MT		 56045+ depends on X86 && !UML_X86 && !XEN
56046+ select PAX_PER_CPU_PGD if X86_64
58c5fc13
MT		 56047+ help
56048+ By saying Y here the kernel will be prevented from dereferencing
56049+ userland pointers in contexts where the kernel expects only kernel
56050+ pointers. This is both a useful runtime debugging feature and a
56051+ security measure that prevents exploiting a class of kernel bugs.
56052+
56053+ The tradeoff is that some virtualization solutions may experience
56054+ a huge slowdown and therefore you should not enable this feature
56055+ for kernels meant to run in such environments. Whether a given VM
56056+ solution is affected or not is best determined by simply trying it
56057+ out, the performance impact will be obvious right on boot as this
56058+ mechanism engages from very early on. A good rule of thumb is that
56059+ VMs running on CPUs without hardware virtualization support (i.e.,
56060+ the majority of IA-32 CPUs) will likely experience the slowdown.
56061+
56062+config PAX_REFCOUNT
56063+ bool "Prevent various kernel object reference counter overflows"
56064+ depends on GRKERNSEC && (X86 || SPARC64)
56065+ help
56066+ By saying Y here the kernel will detect and prevent overflowing
56067+ various (but not all) kinds of object reference counters. Such
56068+ overflows can normally occur due to bugs only and are often, if
56069+ not always, exploitable.
56070+
56071+ The tradeoff is that data structures protected by an overflowed
56072+ refcount will never be freed and therefore will leak memory. Note
56073+ that this leak also happens even without this protection but in
56074+ that case the overflow can eventually trigger the freeing of the
56075+ data structure while it is still being used elsewhere, resulting
56076+ in the exploitable situation that this feature prevents.
56077+
56078+ Since this has a negligible performance impact, you should enable
56079+ this feature.
56080+
56081+config PAX_USERCOPY
56082+ bool "Bounds check heap object copies between kernel and userland"
ae4e228f 56083+ depends on X86 || PPC || SPARC
58c5fc13
MT		 56084+ depends on GRKERNSEC && (SLAB || SLUB || SLOB)
56085+ help
56086+ By saying Y here the kernel will enforce the size of heap objects
56087+ when they are copied in either direction between the kernel and
56088+ userland, even if only a part of the heap object is copied.
56089+
56090+ Specifically, this checking prevents information leaking from the
56091+ kernel heap during kernel to userland copies (if the kernel heap
56092+ object is otherwise fully initialized) and prevents kernel heap
56093+ overflows during userland to kernel copies.
56094+
56095+ Note that the current implementation provides the strictest checks
56096+ for the SLUB allocator.
56097+
57199397
MT		 56098+ If frame pointers are enabled on x86, this option will also
56099+ restrict copies into and out of the kernel stack to local variables
56100+ within a single frame.
56101+
58c5fc13
MT		 56102+ Since this has a negligible performance impact, you should enable
56103+ this feature.
57199397 56104+
58c5fc13
MT		 56105+endmenu
56106+
56107+endmenu
56108+
56109 config KEYS
56110 bool "Enable access key retention support"
56111 help
57199397 56112@@ -124,7 +623,7 @@ config INTEL_TXT
ae4e228f
MT		 56113 config LSM_MMAP_MIN_ADDR
56114 int "Low address space for LSM to protect from user allocation"
56115 depends on SECURITY && SECURITY_SELINUX
56116- default 65536
56117+ default 32768
56118 help
56119 This is the portion of low virtual memory which should be protected
56120 from userspace allocation. Keeping a user from writing to low pages
57199397
MT		 56121diff -urNp linux-2.6.35.4/security/min_addr.c linux-2.6.35.4/security/min_addr.c
56122--- linux-2.6.35.4/security/min_addr.c 2010-08-26 19:47:12.000000000 -0400
56123+++ linux-2.6.35.4/security/min_addr.c 2010-09-17 20:12:37.000000000 -0400
58c5fc13
MT		 56124@@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
56125 */
56126 static void update_mmap_min_addr(void)
56127 {
56128+#ifndef SPARC
56129 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
56130 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
56131 mmap_min_addr = dac_mmap_min_addr;
56132@@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
56133 #else
56134 mmap_min_addr = dac_mmap_min_addr;
56135 #endif
56136+#endif
56137 }
56138
56139 /*
57199397
MT		 56140diff -urNp linux-2.6.35.4/security/security.c linux-2.6.35.4/security/security.c
56141--- linux-2.6.35.4/security/security.c 2010-08-26 19:47:12.000000000 -0400
56142+++ linux-2.6.35.4/security/security.c 2010-09-17 20:12:37.000000000 -0400
56143@@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
56144 /* things that live in capability.c */
56145 extern void __init security_fixup_ops(struct security_operations *ops);
56146
56147-static struct security_operations *security_ops;
56148-static struct security_operations default_security_ops = {
56149+static struct security_operations *security_ops __read_only;
56150+static struct security_operations default_security_ops __read_only = {
56151 .name = "default",
56152 };
56153
56154@@ -67,7 +67,9 @@ int __init security_init(void)
56155
56156 void reset_security_ops(void)
56157 {
56158+ pax_open_kernel();
56159 security_ops = &default_security_ops;
56160+ pax_close_kernel();
56161 }
56162
56163 /* Save user chosen LSM */
56164diff -urNp linux-2.6.35.4/security/selinux/hooks.c linux-2.6.35.4/security/selinux/hooks.c
56165--- linux-2.6.35.4/security/selinux/hooks.c 2010-08-26 19:47:12.000000000 -0400
56166+++ linux-2.6.35.4/security/selinux/hooks.c 2010-09-17 20:12:37.000000000 -0400
56167@@ -93,7 +93,6 @@
56168 #define NUM_SEL_MNT_OPTS 5
56169
56170 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
56171-extern struct security_operations *security_ops;
56172
56173 /* SECMARK reference count */
56174 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
56175@@ -5428,7 +5427,7 @@ static int selinux_key_getsecurity(struc
56176
56177 #endif
56178
56179-static struct security_operations selinux_ops = {
56180+static struct security_operations selinux_ops __read_only = {
56181 .name = "selinux",
56182
56183 .ptrace_access_check = selinux_ptrace_access_check,
56184diff -urNp linux-2.6.35.4/security/smack/smack_lsm.c linux-2.6.35.4/security/smack/smack_lsm.c
56185--- linux-2.6.35.4/security/smack/smack_lsm.c 2010-08-26 19:47:12.000000000 -0400
56186+++ linux-2.6.35.4/security/smack/smack_lsm.c 2010-09-17 20:12:09.000000000 -0400
56187@@ -3064,7 +3064,7 @@ static int smack_inode_getsecctx(struct
56188 return 0;
56189 }
56190
56191-struct security_operations smack_ops = {
56192+struct security_operations smack_ops __read_only = {
56193 .name = "smack",
56194
56195 .ptrace_access_check = smack_ptrace_access_check,
56196diff -urNp linux-2.6.35.4/security/tomoyo/tomoyo.c linux-2.6.35.4/security/tomoyo/tomoyo.c
56197--- linux-2.6.35.4/security/tomoyo/tomoyo.c 2010-08-26 19:47:12.000000000 -0400
56198+++ linux-2.6.35.4/security/tomoyo/tomoyo.c 2010-09-17 20:12:09.000000000 -0400
56199@@ -235,7 +235,7 @@ static int tomoyo_sb_pivotroot(struct pa
56200 * tomoyo_security_ops is a "struct security_operations" which is used for
56201 * registering TOMOYO.
56202 */
56203-static struct security_operations tomoyo_security_ops = {
56204+static struct security_operations tomoyo_security_ops __read_only = {
56205 .name = "tomoyo",
56206 .cred_alloc_blank = tomoyo_cred_alloc_blank,
56207 .cred_prepare = tomoyo_cred_prepare,
56208diff -urNp linux-2.6.35.4/sound/aoa/codecs/onyx.c linux-2.6.35.4/sound/aoa/codecs/onyx.c
56209--- linux-2.6.35.4/sound/aoa/codecs/onyx.c 2010-08-26 19:47:12.000000000 -0400
56210+++ linux-2.6.35.4/sound/aoa/codecs/onyx.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 56211@@ -54,7 +54,7 @@ struct onyx {
58c5fc13
MT		 56212 spdif_locked:1,
56213 analog_locked:1,
56214 original_mute:2;
56215- int open_count;
56216+ atomic_t open_count;
56217 struct codec_info *codec_info;
56218
56219 /* mutex serializes concurrent access to the device
df50ba0c 56220@@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
58c5fc13
MT		 56221 struct onyx *onyx = cii->codec_data;
56222
56223 mutex_lock(&onyx->mutex);
56224- onyx->open_count++;
56225+ atomic_inc(&onyx->open_count);
56226 mutex_unlock(&onyx->mutex);
56227
56228 return 0;
df50ba0c 56229@@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
58c5fc13
MT		 56230 struct onyx *onyx = cii->codec_data;
56231
56232 mutex_lock(&onyx->mutex);
56233- onyx->open_count--;
56234- if (!onyx->open_count)
56235+ if (atomic_dec_and_test(&onyx->open_count))
56236 onyx->spdif_locked = onyx->analog_locked = 0;
56237 mutex_unlock(&onyx->mutex);
56238
57199397
MT		 56239diff -urNp linux-2.6.35.4/sound/core/oss/pcm_oss.c linux-2.6.35.4/sound/core/oss/pcm_oss.c
56240--- linux-2.6.35.4/sound/core/oss/pcm_oss.c 2010-08-26 19:47:12.000000000 -0400
56241+++ linux-2.6.35.4/sound/core/oss/pcm_oss.c 2010-09-17 20:12:09.000000000 -0400
56242@@ -2966,8 +2966,8 @@ static void snd_pcm_oss_proc_done(struct
58c5fc13
MT		 56243 }
56244 }
56245 #else /* !CONFIG_SND_VERBOSE_PROCFS */
56246-#define snd_pcm_oss_proc_init(pcm)
56247-#define snd_pcm_oss_proc_done(pcm)
56248+#define snd_pcm_oss_proc_init(pcm) do {} while (0)
56249+#define snd_pcm_oss_proc_done(pcm) do {} while (0)
56250 #endif /* CONFIG_SND_VERBOSE_PROCFS */
56251
56252 /*
57199397
MT		 56253diff -urNp linux-2.6.35.4/sound/core/seq/seq_lock.h linux-2.6.35.4/sound/core/seq/seq_lock.h
56254--- linux-2.6.35.4/sound/core/seq/seq_lock.h 2010-08-26 19:47:12.000000000 -0400
56255+++ linux-2.6.35.4/sound/core/seq/seq_lock.h 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 56256@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
56257 #else /* SMP || CONFIG_SND_DEBUG */
56258
56259 typedef spinlock_t snd_use_lock_t; /* dummy */
56260-#define snd_use_lock_init(lockp) /**/
56261-#define snd_use_lock_use(lockp) /**/
56262-#define snd_use_lock_free(lockp) /**/
56263-#define snd_use_lock_sync(lockp) /**/
56264+#define snd_use_lock_init(lockp) do {} while (0)
56265+#define snd_use_lock_use(lockp) do {} while (0)
56266+#define snd_use_lock_free(lockp) do {} while (0)
56267+#define snd_use_lock_sync(lockp) do {} while (0)
56268
56269 #endif /* SMP || CONFIG_SND_DEBUG */
56270
57199397
MT		 56271diff -urNp linux-2.6.35.4/sound/drivers/mts64.c linux-2.6.35.4/sound/drivers/mts64.c
56272--- linux-2.6.35.4/sound/drivers/mts64.c 2010-08-26 19:47:12.000000000 -0400
56273+++ linux-2.6.35.4/sound/drivers/mts64.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 56274@@ -66,7 +66,7 @@ struct mts64 {
58c5fc13
MT		 56275 struct pardevice *pardev;
56276 int pardev_claimed;
56277
56278- int open_count;
56279+ atomic_t open_count;
56280 int current_midi_output_port;
56281 int current_midi_input_port;
56282 u8 mode[MTS64_NUM_INPUT_PORTS];
df50ba0c 56283@@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
58c5fc13
MT		 56284 {
56285 struct mts64 *mts = substream->rmidi->private_data;
56286
56287- if (mts->open_count == 0) {
56288+ if (atomic_read(&mts->open_count) == 0) {
56289 /* We don't need a spinlock here, because this is just called
56290 if the device has not been opened before.
56291 So there aren't any IRQs from the device */
df50ba0c 56292@@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
58c5fc13
MT		 56293
56294 msleep(50);
56295 }
56296- ++(mts->open_count);
56297+ atomic_inc(&mts->open_count);
56298
56299 return 0;
56300 }
df50ba0c 56301@@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
58c5fc13
MT		 56302 struct mts64 *mts = substream->rmidi->private_data;
56303 unsigned long flags;
56304
56305- --(mts->open_count);
56306- if (mts->open_count == 0) {
56307+ if (atomic_dec_return(&mts->open_count) == 0) {
56308 /* We need the spinlock_irqsave here because we can still
56309 have IRQs at this point */
56310 spin_lock_irqsave(&mts->lock, flags);
df50ba0c 56311@@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
58c5fc13
MT		 56312
56313 msleep(500);
56314
56315- } else if (mts->open_count < 0)
56316- mts->open_count = 0;
56317+ } else if (atomic_read(&mts->open_count) < 0)
56318+ atomic_set(&mts->open_count, 0);
56319
56320 return 0;
56321 }
57199397
MT		 56322diff -urNp linux-2.6.35.4/sound/drivers/portman2x4.c linux-2.6.35.4/sound/drivers/portman2x4.c
56323--- linux-2.6.35.4/sound/drivers/portman2x4.c 2010-08-26 19:47:12.000000000 -0400
56324+++ linux-2.6.35.4/sound/drivers/portman2x4.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 56325@@ -84,7 +84,7 @@ struct portman {
58c5fc13
MT		 56326 struct pardevice *pardev;
56327 int pardev_claimed;
56328
56329- int open_count;
56330+ atomic_t open_count;
56331 int mode[PORTMAN_NUM_INPUT_PORTS];
56332 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
56333 };
57199397
MT		 56334diff -urNp linux-2.6.35.4/sound/oss/sb_audio.c linux-2.6.35.4/sound/oss/sb_audio.c
56335--- linux-2.6.35.4/sound/oss/sb_audio.c 2010-08-26 19:47:12.000000000 -0400
56336+++ linux-2.6.35.4/sound/oss/sb_audio.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 56337@@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
56338 buf16 = (signed short *)(localbuf + localoffs);
56339 while (c)
56340 {
56341- locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56342+ locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56343 if (copy_from_user(lbuf8,
56344 userbuf+useroffs + p,
56345 locallen))
57199397
MT		 56346diff -urNp linux-2.6.35.4/sound/pci/ac97/ac97_codec.c linux-2.6.35.4/sound/pci/ac97/ac97_codec.c
56347--- linux-2.6.35.4/sound/pci/ac97/ac97_codec.c 2010-08-26 19:47:12.000000000 -0400
56348+++ linux-2.6.35.4/sound/pci/ac97/ac97_codec.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 56349@@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
56350 }
56351
56352 /* build_ops to do nothing */
56353-static struct snd_ac97_build_ops null_build_ops;
56354+static const struct snd_ac97_build_ops null_build_ops;
56355
56356 #ifdef CONFIG_SND_AC97_POWER_SAVE
56357 static void do_update_power(struct work_struct *work)
57199397
MT		 56358diff -urNp linux-2.6.35.4/sound/pci/ac97/ac97_patch.c linux-2.6.35.4/sound/pci/ac97/ac97_patch.c
56359--- linux-2.6.35.4/sound/pci/ac97/ac97_patch.c 2010-08-26 19:47:12.000000000 -0400
56360+++ linux-2.6.35.4/sound/pci/ac97/ac97_patch.c 2010-09-17 20:12:09.000000000 -0400
ae4e228f
MT		 56361@@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
56362 return 0;
56363 }
56364
56365-static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56366+static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56367 .build_spdif = patch_yamaha_ymf743_build_spdif,
56368 .build_3d = patch_yamaha_ymf7x3_3d,
56369 };
56370@@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
56371 return 0;
56372 }
56373
56374-static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56375+static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56376 .build_3d = patch_yamaha_ymf7x3_3d,
56377 .build_post_spdif = patch_yamaha_ymf753_post_spdif
56378 };
56379@@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
56380 return 0;
56381 }
56382
56383-static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56384+static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56385 .build_specific = patch_wolfson_wm9703_specific,
56386 };
56387
56388@@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
56389 return 0;
56390 }
56391
56392-static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56393+static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56394 .build_specific = patch_wolfson_wm9704_specific,
56395 };
56396
df50ba0c 56397@@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
ae4e228f
MT		 56398 return 0;
56399 }
56400
56401-static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56402+static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56403 .build_specific = patch_wolfson_wm9711_specific,
56404 };
56405
df50ba0c 56406@@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
ae4e228f
MT		 56407 }
56408 #endif
56409
56410-static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56411+static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56412 .build_specific = patch_wolfson_wm9713_specific,
56413 .build_3d = patch_wolfson_wm9713_3d,
56414 #ifdef CONFIG_PM
df50ba0c 56415@@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
ae4e228f
MT		 56416 return 0;
56417 }
56418
56419-static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56420+static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56421 .build_3d = patch_sigmatel_stac9700_3d,
56422 .build_specific = patch_sigmatel_stac97xx_specific
56423 };
df50ba0c 56424@@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
ae4e228f
MT		 56425 return patch_sigmatel_stac97xx_specific(ac97);
56426 }
56427
56428-static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56429+static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56430 .build_3d = patch_sigmatel_stac9708_3d,
56431 .build_specific = patch_sigmatel_stac9708_specific
56432 };
df50ba0c 56433@@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
ae4e228f
MT		 56434 return 0;
56435 }
56436
56437-static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56438+static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56439 .build_3d = patch_sigmatel_stac9700_3d,
56440 .build_specific = patch_sigmatel_stac9758_specific
56441 };
df50ba0c 56442@@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
ae4e228f
MT		 56443 return 0;
56444 }
56445
56446-static struct snd_ac97_build_ops patch_cirrus_ops = {
56447+static const struct snd_ac97_build_ops patch_cirrus_ops = {
56448 .build_spdif = patch_cirrus_build_spdif
56449 };
56450
df50ba0c 56451@@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
ae4e228f
MT		 56452 return 0;
56453 }
56454
56455-static struct snd_ac97_build_ops patch_conexant_ops = {
56456+static const struct snd_ac97_build_ops patch_conexant_ops = {
56457 .build_spdif = patch_conexant_build_spdif
56458 };
56459
df50ba0c 56460@@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
58c5fc13
MT		 56461 { AC97_VIDEO, 0x9f1f },
56462 { AC97_AUX, 0x9f1f },
56463 { AC97_PCM, 0x9f1f },
56464- { } /* terminator */
56465+ { 0, 0 } /* terminator */
56466 };
56467
56468 static int patch_ad1819(struct snd_ac97 * ac97)
df50ba0c 56469@@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
ae4e228f
MT		 56470 }
56471 }
56472
56473-static struct snd_ac97_build_ops patch_ad1881_build_ops = {
56474+static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
56475 #ifdef CONFIG_PM
56476 .resume = ad18xx_resume
56477 #endif
df50ba0c 56478@@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
ae4e228f
MT		 56479 return 0;
56480 }
56481
56482-static struct snd_ac97_build_ops patch_ad1885_build_ops = {
56483+static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
56484 .build_specific = &patch_ad1885_specific,
56485 #ifdef CONFIG_PM
56486 .resume = ad18xx_resume
df50ba0c 56487@@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
ae4e228f
MT		 56488 return 0;
56489 }
56490
56491-static struct snd_ac97_build_ops patch_ad1886_build_ops = {
56492+static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
56493 .build_specific = &patch_ad1886_specific,
56494 #ifdef CONFIG_PM
56495 .resume = ad18xx_resume
df50ba0c 56496@@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
ae4e228f
MT		 56497 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56498 }
56499
56500-static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56501+static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56502 .build_post_spdif = patch_ad198x_post_spdif,
56503 .build_specific = patch_ad1981a_specific,
56504 #ifdef CONFIG_PM
df50ba0c 56505@@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
ae4e228f
MT		 56506 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56507 }
56508
56509-static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56510+static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56511 .build_post_spdif = patch_ad198x_post_spdif,
56512 .build_specific = patch_ad1981b_specific,
56513 #ifdef CONFIG_PM
df50ba0c 56514@@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
ae4e228f
MT		 56515 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
56516 }
56517
56518-static struct snd_ac97_build_ops patch_ad1888_build_ops = {
56519+static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
56520 .build_post_spdif = patch_ad198x_post_spdif,
56521 .build_specific = patch_ad1888_specific,
56522 #ifdef CONFIG_PM
df50ba0c 56523@@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
ae4e228f
MT		 56524 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
56525 }
56526
56527-static struct snd_ac97_build_ops patch_ad1980_build_ops = {
56528+static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
56529 .build_post_spdif = patch_ad198x_post_spdif,
56530 .build_specific = patch_ad1980_specific,
56531 #ifdef CONFIG_PM
df50ba0c 56532@@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
ae4e228f
MT		 56533 ARRAY_SIZE(snd_ac97_ad1985_controls));
56534 }
56535
56536-static struct snd_ac97_build_ops patch_ad1985_build_ops = {
56537+static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
56538 .build_post_spdif = patch_ad198x_post_spdif,
56539 .build_specific = patch_ad1985_specific,
56540 #ifdef CONFIG_PM
df50ba0c 56541@@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
ae4e228f
MT		 56542 ARRAY_SIZE(snd_ac97_ad1985_controls));
56543 }
56544
56545-static struct snd_ac97_build_ops patch_ad1986_build_ops = {
56546+static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
56547 .build_post_spdif = patch_ad198x_post_spdif,
56548 .build_specific = patch_ad1986_specific,
56549 #ifdef CONFIG_PM
df50ba0c 56550@@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
ae4e228f
MT		 56551 return 0;
56552 }
56553
56554-static struct snd_ac97_build_ops patch_alc650_ops = {
56555+static const struct snd_ac97_build_ops patch_alc650_ops = {
56556 .build_specific = patch_alc650_specific,
56557 .update_jacks = alc650_update_jacks
56558 };
df50ba0c 56559@@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
ae4e228f
MT		 56560 return 0;
56561 }
56562
56563-static struct snd_ac97_build_ops patch_alc655_ops = {
56564+static const struct snd_ac97_build_ops patch_alc655_ops = {
56565 .build_specific = patch_alc655_specific,
56566 .update_jacks = alc655_update_jacks
56567 };
df50ba0c 56568@@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
ae4e228f
MT		 56569 return 0;
56570 }
56571
56572-static struct snd_ac97_build_ops patch_alc850_ops = {
56573+static const struct snd_ac97_build_ops patch_alc850_ops = {
56574 .build_specific = patch_alc850_specific,
56575 .update_jacks = alc850_update_jacks
56576 };
df50ba0c 56577@@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
ae4e228f
MT		 56578 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
56579 }
56580
56581-static struct snd_ac97_build_ops patch_cm9738_ops = {
56582+static const struct snd_ac97_build_ops patch_cm9738_ops = {
56583 .build_specific = patch_cm9738_specific,
56584 .update_jacks = cm9738_update_jacks
56585 };
df50ba0c 56586@@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
ae4e228f
MT		 56587 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
56588 }
56589
56590-static struct snd_ac97_build_ops patch_cm9739_ops = {
56591+static const struct snd_ac97_build_ops patch_cm9739_ops = {
56592 .build_specific = patch_cm9739_specific,
56593 .build_post_spdif = patch_cm9739_post_spdif,
56594 .update_jacks = cm9739_update_jacks
df50ba0c 56595@@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
ae4e228f
MT		 56596 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
56597 }
56598
56599-static struct snd_ac97_build_ops patch_cm9761_ops = {
56600+static const struct snd_ac97_build_ops patch_cm9761_ops = {
56601 .build_specific = patch_cm9761_specific,
56602 .build_post_spdif = patch_cm9761_post_spdif,
56603 .update_jacks = cm9761_update_jacks
df50ba0c 56604@@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
ae4e228f
MT		 56605 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
56606 }
56607
56608-static struct snd_ac97_build_ops patch_cm9780_ops = {
56609+static const struct snd_ac97_build_ops patch_cm9780_ops = {
56610 .build_specific = patch_cm9780_specific,
56611 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
56612 };
df50ba0c 56613@@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
ae4e228f
MT		 56614 return 0;
56615 }
56616
56617-static struct snd_ac97_build_ops patch_vt1616_ops = {
56618+static const struct snd_ac97_build_ops patch_vt1616_ops = {
56619 .build_specific = patch_vt1616_specific
56620 };
56621
df50ba0c 56622@@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
ae4e228f
MT		 56623 return 0;
56624 }
56625
56626-static struct snd_ac97_build_ops patch_it2646_ops = {
56627+static const struct snd_ac97_build_ops patch_it2646_ops = {
56628 .build_specific = patch_it2646_specific,
56629 .update_jacks = it2646_update_jacks
56630 };
df50ba0c 56631@@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
ae4e228f
MT		 56632 return 0;
56633 }
56634
56635-static struct snd_ac97_build_ops patch_si3036_ops = {
56636+static const struct snd_ac97_build_ops patch_si3036_ops = {
56637 .build_specific = patch_si3036_specific,
56638 };
56639
df50ba0c 56640@@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
58c5fc13
MT		 56641 { AC97_AUX, 0x1f1f },
56642 { AC97_PCM, 0x1f1f },
56643 { AC97_REC_GAIN, 0x0f0f },
56644- { } /* terminator */
56645+ { 0, 0 } /* terminator */
56646 };
56647
56648 static int patch_lm4550(struct snd_ac97 *ac97)
df50ba0c 56649@@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
ae4e228f
MT		 56650 return 0;
56651 }
56652
56653-static struct snd_ac97_build_ops patch_ucb1400_ops = {
56654+static const struct snd_ac97_build_ops patch_ucb1400_ops = {
56655 .build_specific = patch_ucb1400_specific,
56656 };
56657
57199397
MT		 56658diff -urNp linux-2.6.35.4/sound/pci/ens1370.c linux-2.6.35.4/sound/pci/ens1370.c
56659--- linux-2.6.35.4/sound/pci/ens1370.c 2010-08-26 19:47:12.000000000 -0400
56660+++ linux-2.6.35.4/sound/pci/ens1370.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 56661@@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
58c5fc13
MT		 56662 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
56663 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
56664 #endif
56665- { 0, }
56666+ { 0, 0, 0, 0, 0, 0, 0 }
56667 };
56668
56669 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
57199397
MT		 56670diff -urNp linux-2.6.35.4/sound/pci/hda/patch_hdmi.c linux-2.6.35.4/sound/pci/hda/patch_hdmi.c
56671--- linux-2.6.35.4/sound/pci/hda/patch_hdmi.c 2010-08-26 19:47:12.000000000 -0400
56672+++ linux-2.6.35.4/sound/pci/hda/patch_hdmi.c 2010-09-17 20:12:09.000000000 -0400
56673@@ -670,10 +670,10 @@ static void hdmi_non_intrinsic_event(str
df50ba0c
MT		 56674 cp_ready);
56675
56676 /* TODO */
56677- if (cp_state)
56678- ;
56679- if (cp_ready)
56680- ;
56681+ if (cp_state) {
56682+ }
56683+ if (cp_ready) {
56684+ }
56685 }
56686
56687
57199397
MT		 56688diff -urNp linux-2.6.35.4/sound/pci/intel8x0.c linux-2.6.35.4/sound/pci/intel8x0.c
56689--- linux-2.6.35.4/sound/pci/intel8x0.c 2010-08-26 19:47:12.000000000 -0400
56690+++ linux-2.6.35.4/sound/pci/intel8x0.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 56691@@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
58c5fc13
MT		 56692 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56693 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
56694 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56695- { 0, }
56696+ { 0, 0, 0, 0, 0, 0, 0 }
56697 };
56698
56699 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
57199397 56700@@ -2135,7 +2135,7 @@ static struct ac97_quirk ac97_quirks[] _
58c5fc13
MT		 56701 .type = AC97_TUNE_HP_ONLY
56702 },
56703 #endif
56704- { } /* terminator */
56705+ { 0, 0, 0, 0, NULL, 0 } /* terminator */
56706 };
56707
56708 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
57199397
MT		 56709diff -urNp linux-2.6.35.4/sound/pci/intel8x0m.c linux-2.6.35.4/sound/pci/intel8x0m.c
56710--- linux-2.6.35.4/sound/pci/intel8x0m.c 2010-08-26 19:47:12.000000000 -0400
56711+++ linux-2.6.35.4/sound/pci/intel8x0m.c 2010-09-17 20:12:09.000000000 -0400
df50ba0c 56712@@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
58c5fc13
MT		 56713 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
56714 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
56715 #endif
56716- { 0, }
56717+ { 0, 0, 0, 0, 0, 0, 0 }
56718 };
56719
56720 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
56721@@ -1264,7 +1264,7 @@ static struct shortname_table {
56722 { 0x5455, "ALi M5455" },
56723 { 0x746d, "AMD AMD8111" },
56724 #endif
56725- { 0 },
56726+ { 0, NULL },
56727 };
56728
56729 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
57199397
MT		 56730diff -urNp linux-2.6.35.4/usr/gen_init_cpio.c linux-2.6.35.4/usr/gen_init_cpio.c
56731--- linux-2.6.35.4/usr/gen_init_cpio.c 2010-08-26 19:47:12.000000000 -0400
56732+++ linux-2.6.35.4/usr/gen_init_cpio.c 2010-09-17 20:12:09.000000000 -0400
58c5fc13
MT		 56733@@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
56734 int retval;
56735 int rc = -1;
56736 int namesize;
56737- int i;
56738+ unsigned int i;
56739
56740 mode |= S_IFREG;
56741
ae4e228f 56742@@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
58c5fc13
MT		 56743 *env_var = *expanded = '\0';
56744 strncat(env_var, start + 2, end - start - 2);
56745 strncat(expanded, new_location, start - new_location);
56746- strncat(expanded, getenv(env_var), PATH_MAX);
56747- strncat(expanded, end + 1, PATH_MAX);
56748+ strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
56749+ strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
56750 strncpy(new_location, expanded, PATH_MAX);
56751+ new_location[PATH_MAX] = 0;
56752 } else
56753 break;
56754 }
57199397
MT		 56755diff -urNp linux-2.6.35.4/virt/kvm/kvm_main.c linux-2.6.35.4/virt/kvm/kvm_main.c
56756--- linux-2.6.35.4/virt/kvm/kvm_main.c 2010-08-26 19:47:12.000000000 -0400
56757+++ linux-2.6.35.4/virt/kvm/kvm_main.c 2010-09-17 20:12:09.000000000 -0400
56758@@ -1284,6 +1284,7 @@ static int kvm_vcpu_release(struct inode
ae4e228f
MT		 56759 return 0;
56760 }
56761
56762+/* cannot be const */
56763 static struct file_operations kvm_vcpu_fops = {
56764 .release = kvm_vcpu_release,
56765 .unlocked_ioctl = kvm_vcpu_ioctl,
57199397 56766@@ -1738,6 +1739,7 @@ static int kvm_vm_mmap(struct file *file
ae4e228f
MT		 56767 return 0;
56768 }
56769
56770+/* cannot be const */
56771 static struct file_operations kvm_vm_fops = {
56772 .release = kvm_vm_release,
56773 .unlocked_ioctl = kvm_vm_ioctl,
57199397 56774@@ -1835,6 +1837,7 @@ out:
ae4e228f
MT		 56775 return r;
56776 }
56777
56778+/* cannot be const */
56779 static struct file_operations kvm_chardev_ops = {
56780 .unlocked_ioctl = kvm_dev_ioctl,
56781 .compat_ioctl = kvm_dev_ioctl,
57199397 56782@@ -1844,6 +1847,9 @@ static struct miscdevice kvm_dev = {
58c5fc13
MT		 56783 KVM_MINOR,
56784 "kvm",
56785 &kvm_chardev_ops,
56786+ {NULL, NULL},
56787+ NULL,
56788+ NULL
56789 };
56790
56791 static void hardware_enable(void *junk)
57199397 56792@@ -2178,7 +2184,7 @@ static void kvm_sched_out(struct preempt
58c5fc13
MT		 56793 kvm_arch_vcpu_put(vcpu);
56794 }
56795
57199397
MT		 56796-int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56797+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
58c5fc13
MT		 56798 struct module *module)
56799 {
56800 int r;
Michael's tree of IPFire 3.x.